HIPAA Regulations: General Provisions: Compliance Dates for Implementation of New or Modified Standards and Implementation Specifications -- § 160.105
As Contained in the HHS HIPAA Rules
HHS Regulations as Added January 2013 |
Except as otherwise provided, with respect to rules that adopt new standards and implementation specifications or modifications to standards and implementation specifications in this subchapter in accordance with § 160.104 that become effective after January 25, 2013, covered entities and business associates must comply with the applicable new standards and implementation specifications, or modifications to standards and implementation specifications, no later than 180 days from the effective date of any such standards or implementation specifications.
HHS Description and Commentary From the January 2013 Amendments General Provisions: Compliance Dates for Implementation of New or Modified Standards and Implementation Specifications |
With respect to the HITECH Act requirements, section 13423 of the Act provides that the provisions in subtitle D took effect one year after enactment, i.e., on February 18, 2010, except as specified otherwise. However, there are a number of exceptions to this general rule. For example, the tiered and increased civil money penalty provisions of section 13410(d) were effective for violations occurring after the date of enactment, and sections 13402 and 13407 of the Act regarding breach notification required interim final rules within 180 days of enactment, with effective dates 30 days after the publication of such rules. Other provisions of the Act have later effective dates. For example, the provision at section 13410(a)(1) of the Act providing that the Secretary’s authority to impose a civil money penalty will only be barred to the extent a criminal penalty has been imposed, rather than in cases in which the offense in question merely constitutes an offense that is criminally punishable, became effective for violations occurring on or after February 18, 2011. The discussion below generally pertains to the statutory provisions that became effective on February 18, 2010, or, in a few cases, on a later date.
Proposed Rule
We proposed that covered entities and business associates would have 180 days beyond the effective date of the final rule to come into compliance with most of the rule’s provisions. We believed that a 180-day compliance period would suffice for future modifications to the HIPAA Rules, and we proposed to add a provision at § 160.105 to address the compliance date generally for implementation of new or modified standards in the HIPAA Rules.
We proposed that § 160.105 would provide that with respect to new standards or implementation specifications or modifications to standards or implementation specifications in the HIPAA Rules, except as otherwise provided, covered entities and business associates would be required to comply with the applicable new or modified standards or implementation specifications no later than 180 days from the effective date of any such change. For future modifications to the HIPAA Rules necessitating a longer compliance period, we would specify a longer period in the regulatory text. Finally, we proposed to retain the compliance date provisions at §§ 164.534 and 164.318, which provide the compliance dates of April 14, 2003, and April 20, 2005, for initial implementation of the HIPAA Privacy and Security Rules, respectively, for historical purposes only.
Overview of Public Comments
Most of the comments addressing the proposed compliance periods as outlined above fell into three categories. First, several commenters supported the proposed compliance timelines and agreed that 180 days is sufficient time for covered entities, business associates, and subcontractors of all sizes to come into compliance with the final rule. Second, a few commenters supported the proposed 180-day compliance period, but expressed concern that the Department may wish to extend the 180-day compliance period in the future, if it issues modifications or new provisions that require a longer compliance period. Third, several commenters requested that the Department extend the 180-day compliance period both with regard to the modifications contained in this final rule and with regard to the more general proposed compliance deadline, as they believe 180 days is an insufficient amount of time for covered entities, business associates, and subcontractors to come into compliance with the modified rules, particularly with regard to changes in technology.
Final Rule
The final rule is effective on March 26, 2013. Covered entities and business associates of all sizes will have 180 days beyond the effective date of the final rule to come into compliance with most of the final rule’s provisions, including the modifications to the Breach Notification Rule and the changes to the HIPAA Privacy Rule under GINA. We understand that some covered entities, business associates, and subcontractors remain concerned that a 180-day period does not provide sufficient time to come into compliance with the modifications. However, we believe not only that providing a 180-day compliance period best comports with section 1175(b)(2) of the Social Security Act, 42 U.S.C. 1320d–4, and our implementing provision at § 160.104(c)(1), which require the Secretary to provide at least a 180-day period for covered entities to comply with modifications to standards and implementation specifications in the HIPAA Rules, but also that providing a 180-day compliance period best protects the privacy and security of patient information, in accordance with the goals of the HITECH Act.
In addition, to make clear to the industry our expectation that going forward we will provide a 180-day compliance date for future modifications to the HIPAA Rules, we adopt the provision we proposed at § 160.105, which provides that with respect to new or modified standards or implementation specifications in the HIPAA Rules, except as otherwise provided, covered entities and business associates must comply with the applicable new or modified standards or implementation specifications no later than 180 days from the effective date of any such change. In cases where a future modification necessitates a longer compliance period, the Department will expressly provide for one, as it has done in this rulemaking with respect to the time permitted for business associate agreements to be modified.
For the reasons proposed, the final rule also retains the compliance date provisions at §§ 164.534 and 164.318, which provide the compliance dates of April 14, 2003, and April 20, 2005, for initial implementation of the HIPAA Privacy and Security Rules, respectively. We note that § 160.105 regarding the compliance date of new or modified standards or implementation specifications does not apply to modifications to the provisions of the HIPAA Enforcement Rule, because such provisions are not standards or implementation specifications (as the terms are defined at § 160.103). Such provisions are in effect and apply at the time the final rule becomes effective or as otherwise specifically provided. In addition, as explained above, our general rule for a 180-day compliance period for new or modified standards would not apply where we expressly provide a different compliance period in the regulation for one or more provisions. For purposes of this rule, the 180-day compliance period would not govern the time period required to modify those business associate agreements that qualify for the longer transition period in § 164.532, as we discuss further below.
Finally, the provisions of section 13402(j) of the HITECH Act apply to breaches of unsecured protected health information discovered on or after September 23, 2009, the date of the publication of the interim final rule. Thus, during the 180 day period before compliance with this final rule is required, covered entities and business associates are still required to comply with the breach notification requirements under the HITECH Act and must continue to comply with the requirements of the interim final rule. We believe that this transition period provides covered entities and business associates with adequate time to come into compliance with the revisions in this final rule and at the same time to continue to fulfill their breach notification obligations under the HITECH Act.