The Omnibus Final Rule (Final Rule) entitled "Modifications of the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the HITECH Act" became effective on March 26, 2013.
Editor's Note: Part I of this article can be viewed here.
The Final Rule has created major modifications with compliance and enforcement implications which will affect stakeholders involved in transactions for the use and disclosure of protected health information (PHI) and the conduct of clinical research.
Here are some of the modifications that are subject to enforcement by the Office of Civil Rights (OCR) and require compliance by September 23, 2013.
Modifications
Business Associates are directly impacted by the modifications to the Privacy and Security Rules, and both Covered Entities and Business Associates are directly impacted by the modifications to the Breach Notification Rule.
Covered Entities are directly impacted by the modifications to the Privacy Rule relating to compound authorizations, authorization for future research use and the use of a deceased person’s PHI.
OCR can enforce any breach under the modified HIPAA Rules.
Privacy and Security Rules: Transactions involving PHI
Privacy Rule: Clinical Research
Breach Notification Rule
Enforcement Rule
Compliance
Covered Entities and Business Associates must amend their BAAs by the September date. Existing BAAs have the benefit of a transition period until September 22, 2014.
To successfully come into compliance, Covered Entities consider it a joint effort with Business Associates. “The Covered Entity and Business Associate must work together to ensure that privacy is seamless throughout the process,” states Raymond Braeunig, Chief Compliance and Privacy Officer, Rowan University School of Osteopathic Medicine.
“Not only does the Business Associate have more responsibilities but the Covered Entity must ensure those responsibilities are understood and the Covered Entity must verify the Business Associate has the security measures in place in accordance with the rules.”
To reflect this increase in responsibilities, each BAA must be modified to:
In addition to modifying the BAAs, “the next step is for the Covered Entity to outline a risk assessment for the Business Associate and perform a walkthrough of the Business Associate’s operation(s) as well as any Business Associate subcontractor to ensure the privacy and security measures are in place, as the Covered Entity will be ultimately responsible as well to ensure compliance with the rules,” concludes Braeunig.
Covered Entities must also amend their policies and procedures by the September date “in order to take advantage of the enhanced efficiency in research initiatives that the Final Rule provides and to come into compliance with the requirements of the Final Rule,” states Elan Czeisler, Director, Institutional Review Board (IRB) and Human Research Protection Program, NYU Langone Medical Center.
“In collaboration with the Office of Research Compliance and Office of Legal Counsel, we are in the process of amending our policies and procedures to be compliant with the Final Rule and reflect changes relating to compound authorizations, authorization for future research use and the use of a deceased person’s PHI.”
In addition to these amendments, training is key to sensitizing the workforce to the requirements of the Final Rule, and Covered Entities need to ensure that their workforce understands the new HIPAA Rules. “We plan to conduct training for all of our clinical personnel to sensitize them to the new requirements and the increased level of scrutiny and potential enforcement by OCR,” states Braeunig.
Going Forward
The changes to the HIPAA Rules are likely to have an impact on the conduct of clinical research and transactions involving PHI. The relationships between Covered Entities, Business Associates and OCR are also likely to be redefined, requiring continuous monitoring.
The territory is uncharted and future regulatory developments may come into play.
“We plan to remain on the lookout for future regulatory developments and guidance on these and other issues,” concludes Czeisler.
Future regulatory developments and guidance may be found on http://www.hhs.gov/ocr/office/index.html.
Lina Genovesi, PhD, JD www.linagenovesi.com