HHS Issues HIPAA Omnibus Rule
On January 17, 2013, HHS released the HIPAA Omnibus Rule. The final rule has important consequences for healthcare covered entities, business associates, and subcontractors. It combines the interim and proposed rules of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), the Genetic Information Nondiscrimination Act (GINA), and the HIPAA Privacy & Security Rule. The new rules are effective March 23, 2013, but covered entities and business associates will generally have until September 23, 2013 to comply. Primary provisions include:
Modification to Notice of Privacy Practices
The Final Rule requires new provisions to be added to providers’ Notice of Privacy Practices, including a description of disclosures that require authorizations and notice of a patient’s right to receive notice of HIPAA breaches.
Definition of "Business Associate"
The definition is expanded to include subcontractors (defined as a ‘person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate, even if there is no contract’), Patient Safety Organizations (PSOs), Health Information Organizations (HIOs), vendors of private health records, and data transmission companies that routinely access PHI (not merely ‘acting as a conduit’).
Liability of Business Associates
Business Associates are also subject to direct liability for failure to comply with certain requirements of the HIPAA Privacy and Security Rule, including:
- Requirements to make reasonable efforts to limit the use and disclosure of PHI and requests for PHI to the minimum necessary by using certain physical, administrative and technical safeguards;
- Liability for a failure to provide breach notification to the covered entity;
- Liability for a failure to provide access to a copy of electronic protected health information to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement);
- Liability for a failure to disclose protected health information where required by the Secretary to investigate or determine the business associate’s compliance with the HIPAA Rules;
- Liability for a failure to provide an accounting of disclosures.
Business Associate Agreements
Covered entities are responsible for updating and/or executing new business associate contracts to provide greater obligations for electronic PHI, reporting breaches of unsecured PHI within 60 days, and obligations under the Security and Privacy Rule by September 23, 2013. Business Associates must also enter into written agreements with subcontractors with similar obligations by September 2013. Notably, covered entities' existing compliant contracts do not need to be modified until September 23, 2014.
Electronic Access to Records
If an individual requests an electronic copy of PHI that is maintained electronically, the covered entity must provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual. The fees for this access may only account for supplies for, and labor of, copying the protected health information. Further, if requested by an individual, a covered entity must transmit the copy of protected health information directly to another person designated by the individual.
Modified Authorization for Specific Records
The Final Rule modifies the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and eliminates the need for an authorization to provide access to decedent information by family members or others 50 years after the decedent’s death.
Adoption of HITECH Act "Willful Neglect" Framework for Civil Monetary Penalties
As described in the HIPAA Administrative Simplification Enforcement interim final rule released on October 30, 2009, the Final Rule establishes four categories of violations that reflect increasing levels of culpability, but introduces four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation, with a maximum penalty amount of $1.5 million annually for all violations of an identical provision.
The process is initiated by HHS receiving a complaint by a patient, becoming aware of a media report, or being informed by another agency of a non-compliant event by a covered entity or business associate and conducting a preliminary review. If there is "possible" willful neglect of the requirements for use and disclosure of PHI on the part of the entity, HHS will proceed with an investigation, called either a complaint investigation (if deriving from a patient complaint) or a compliance review (if deriving from media report or other external source). Following that investigation, HHS "may" either impose a penalty or seek an informal resolution, depending on intent or reasonable cause. The four categories of violations include:
- Covered entity or business associate did not know, and by exercising reasonable diligence would not have known, of a violation.
- Reasonable cause and not due to willful neglect. Reasonable cause is defined as ‘an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.’
- Willful neglect that is corrected within a certain time period (30 days from when the entity actually or constructively acquired knowledge of the improper use or disclosure).
- Willful neglect that is not corrected.
Adoption of HITECH Breach Notification
The Final Rule adopts, with one major caveat, the breach notification requirements promulgated in the Breach Notification for Unsecured PHI interim final rule released on August 24, 2009. A breach is defined as "unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information." Impermissible use or disclosure of protected health information should be presumed to be a breach unless the covered entity or business associate demonstrates that there is a "low probability that the protected health information has been compromised."
This more objective language replaces the harm threshold used by the interim final rule, but once a breach occurs a risk assessment must be done that mirrors many of the harm threshold requirements, including the consideration of financial and reputational risk and the amount of information involved, as well as to whom the information was impermissibly disclosed and whether the PHI was actually acquired or viewed. The covered entity or business associate must notify the individual within reasonable time, or within 60 days, and take steps to mitigate the damage. Notification to the Secretary of HHS must also be given, either immediately or annually, depending on the size of the breach (greater or less than 500 patients).
*Keep in mind, however, that if the PHI is encrypted, no breach notification is required following an impermissible use or disclosure of the information.
Marketing and Sale of PHI
The Final Rule strengthens the limitations on the use and disclosure of PHI for marketing and fundraising purposes, and prohibits the sale of PHI without individual authorization.
Adoption of Genetic Information Nondiscrimination Act Privacy Requirements
The Final Rule adopts the October 7, 2009 proposed rule guidance modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes.
These are only highlights of the major changes included in the sweeping new rule. Healthcare providers, other covered entities, and their business associates should carefully review these provisions and immediately begin evaluating what adjustments are required to remain in compliance.