Highlights from the New HIPAA Omnibus Rule

This article summarizes a few of the sweeping HIPAA revisions implemented by the final omnibus rule that was published by the Department of Health and Human Services (DHHS) on January 25, 2013. This article is organized in a “frequently asked question” format (FAQ) to allow the reader to jump to a particular topic of interest or a question of concern. To provide a few quick examples of how HIPAA may affect you or your employees, however, we start off with two real-life scenarios.

A Tale of Two HIPAA Violations

Part One: Personal Accountability for Wandering Eyes

According to the Bennington Banner, an online newspaper for Bennington, Vermont, a licensed practical nurse pled guilty to four counts of unauthorized access to her husband’s ex-wife’s medical records in November 2012. The nurse was employed by a regional hospital and used that opportunity to inappropriately access the hospital’s medical records to view information related to her husband’s ex-wife and the ex-wife’s children, allegedly over the course of several years. The court gave the nurse a six-to-twelve-month suspended sentence, 160 hours of community service, two years of probation, and ordered her to pay a $2,000 fine.1

  • Bottom Line: Individual employees may be investigated and subjected to criminal sentences and fines for HIPAA violations. HIPAA does not apply to the employer alone.

Part Two: You Will Pay for Your Employees’ Wandering Eyes

Although it does not appear that the Vermont hospital in Part One of this tale was ever subjected to corporate liability for the nurse’s actions, it is safe to say that is the exception and not the rule. Just ask the University of California at Los Angeles Health System (UCLAHS). According to the Department of Health and Human Services (DHHS) website, several of the hospital’s employees improperly and repeatedly accessed celebrity medical records. UCLAHS settled these HIPAA violations for $865,500 and entered into a corrective action plan that included an independent monitor to assess the hospital’s compliance over a three-year period.2

  • Bottom Line: A corporation can be held liable for its employees’ violations of HIPAA.

Question: What is HIPAA?

Answer: The Health Insurance Portability and Accountability Act of 19963 (HIPAA) governs the way in which healthcare providers, health plans, and healthcare clearinghouses (collectively, “Covered Entities”) use and disclose individually identifiable health information (known as “protected health information” or “PHI”). HIPAA is broken down into broad rules that set forth obligations of Covered Entities and those entities that create, maintain, or transmit PHI on behalf of the Covered Entity for functions regulated by HIPAA. These broad rules include the Security Rule, which protects electronic PHI; the Privacy Rule, which protects the confidentiality and integrity of all PHI in any form (including discussions); the Breach Notification Rule, which requires Covered Entities to notify patients if there is a “breach” of their unsecured PHI; and the Enforcement Rule, which contains provisions related to compliance and investigations and the imposition of civil monetary penalties up to $50,000 for a single violation, and criminal penalties up to $250,000 and 10 years in prison for violations of the other HIPAA rules. Further, State Attorneys General may bring civil actions seeking either injunction or damages in response to violations of HIPAA privacy and security regulations that threaten the privacy of state residents.

  • Fast Fact: In 2009, the Health Information and Technology for Economic and Clinical Health Act4 (HITECH) was passed as part of the American Recovery and Reinvestment Act. Among other healthcare information technology provisions, HITECH also provided several sweeping revisions to the HIPAA Security, Privacy, and Enforcement Rules and created a new section to HIPAA in the Breach Notification Rule.

Question: What is the final HIPAA Omnibus Rule, published January 25, 2013?

Answer: On January 25, 2013, DHHS published the final HIPAA omnibus rule (the “Final Rule” or the “Rule”), implementing much of the statutory changes to HIPAA brought about by HITECH.5 These changes include multiple revisions to the HIPAA Privacy Rule, such as revising marketing requirements and provisions affecting certain patient rights; creating direct liability for Business Associates under certain provisions of the HIPAA Security, Privacy, and Breach Notification Rules; expanding the definition of Business Associate to include subcontractors; revising the Breach Notification Rule to broaden situations in which Covered Entities must report a breach of PHI; and implementing HITECH’s tiered civil monetary penalties scheme for HIPAA violations.

  • Fast Fact: The Final Rule became effective March 26, 2013, and Covered Entities and Business Associates are required to be in full compliance with the Rule by September 23, 2013, unless the Rule sets forth alternate compliance periods.

Question: What Changes Does the Final Rule Make for Business Associates?

Answer:

Revisions to Extend Direct Liability to Business Associates. The Final Rule also extended certain provisions of the HIPAA Security Rule, Privacy Rule, and Breach Notification to Business Associates (and now, by definition, to Business Associates’ subcontractors). Prior to the Final Rule, Business Associates were only liable to their Covered Entities through a contractual rela­tionship created by the Business Associate Agreement. Under the Final Rule, Business Associates are now directly liable under statute and regulation for violations of these HIPAA provisions and may face civil monetary penalties in accordance with the HIPAA Enforcement Rule. For example, Business Associates are now directly liable for:

  • An unauthorized use or disclosure of PHI or a use or disclosure of PHI that includes more than the minimum necessary to accomplish the intended purpose of the use or disclosure.
  • Failing to enter into Business Associate Agreements with the Business Associate’s subcontractors.
  • Failing to notify the appropriate contact of a breach of a patient’s PHI.
  • Failure to comply with the applicable provisions of the HIPAA Security Rule.

Revisions to the Definition of Business Associate. The Final Rule modified the HIPAA definition of Business Associate to clarify that a Business Associate is any entity, other than a workforce member of the Covered Entity, that “creates, receives, maintains, or transmits protected health information for a function or activity” regulated by the Privacy Rule. The Final Rule further set forth a list of entities that are deemed Business Associates: health information organizations, e-prescribing gateways, and subcontractors that create, receive, maintain, or transmit PHI on behalf of a Business Associate. However, the Final Rule also explained that a Business Associate’s disclosures of PHI to an entity for the Business Associate’s own management and administration or to carry out a legal duty on behalf of a Business Associate do not create a subcontractor relationship for purposes of implementing the revised HIPAA regulations.

Question: How May Business Associates Implement the Final Rule Changes on a Practical Basis?

Answer: Here are a few ways Business Associates (and their subcontractors) must implement the Final Rule by September 23, 2013:

  • Conduct a Risk Assessment.
  • Implement formal, written policies and procedures to address applicable provisions of the Security Rule, Privacy Rule, and Breach Notification Rule.
  • Name a Security Officer.
  • Review existing Business Associate Agreements and update for compliance with the revised HIPAA regulations.
  • Put in place Business Associate Agreements for downstream subcontractors.
  • Fast Fact: Business Associate Agreements that were in place before or on January 25, 2013, and that complied with the HIPAA regulations for Business Associate Agreements prior to the Final Rule have an additional one-year transition period during which Covered Entities and Business Associates may revise the agreement to bring it into compliance with the Final Rule. Accordingly, the parties will have until September 23, 2014, to bring the agreement into compliance. However, if the Business Associate Agreement is set to expire or renew between March 26, 2013, and September 23, 2013, the parties must bring the agreement into compliance with the Final Rule by September 23, 2013; this deadline does not apply to agreements with evergreen provisions — which must be brought into compliance within the one-year transition period.

Question: How Did the Final Rule Affect the Breach Notification Rule?

Answer:

Revisions to the “breach” definition. The final rule defines a “breach” as an unauthorized acquisition, access, use, or disclosure of PHI which “compromises the security or privacy” of the PHI. Prior to the Final Rule, entities were required to undergo a risk analysis to determine if the compromising activity resulted in a significant risk of financial, reputational, or other harm to the individual. DHHS removed this risk analysis and has decided to keep the definition of “breach” to any unauthorized activity that compromises the PHI’s security or privacy. Although DHHS stated this change was to create a more objective test, in practice, this change means that virtually any unauthorized use or disclosure of PHI that does not meet one of the specified exceptions will be a breach for purposes of the Breach Notification Rule. The Final Rule also removes the provision that exempts any unauthorized use or disclosure of a limited data set from the breach definition.

Revisions to the risk analysis process. Under the Final Rule, DHHS created a risk assessment process that includes four factors that a Covered Entity or Business Associate must address when determining whether the unauthorized use or disclosure “compromises” the security or privacy of the PHI, i.e., whether the activity rises to the level of a “breach” requiring notification to affected patients. These four factors are:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
  2. The unauthorized person who used the PHI or to whom the disclosure was made.
  3. Whether the PHI was actually acquired or viewed.
  4. The extent to which the risk to the PHI has been mitigated.

The Covered Entity or Business Associate must document its assessment, addressing each of the above factors (unless a decision is made to proceed to breach notification without performing a risk analysis).

  • Fast Fact: The Final Rule did not make any significant changes to the notification provisions of the Breach Notification Rule. Covered Entities, or Business Associates, as applicable, must notify each patient whose “unsecured” PHI is the subject of a breach. Unsecured PHI is PHI only rendered unreadable or indecipherable through encryption or destruction.

Question: How Did the Final Rule Affect Marketing Activities?

Question: How Did the Final Rule Affect the Sale of PHI?

Answer: The Final Rule changed the definition of marketing. Prior to the Final Rule, treatment or healthcare operation communications related to a health product or service was not considered marketing, even if the Covered Entity received remuneration in exchange for making the communication. Under the Final Rule, however, if the Covered Entity receives any financial remuneration from the product manufacturer or service provider in exchange for making these types of communications, the Covered Entity is deemed to be making “marketing” communications and must obtain the patient’s authorization prior to making the communication. Further, the authorization must specifically state the Covered Entity is receiving remuneration in exchange for making the communication. Notably, DHHS included several specific exemptions from the marketing definition, including refill reminders or communications about a drug or biologic that is currently being prescribed to the individual, so long as any remuneration received by the Covered Entity in exchange for making the communication is reasonably related to the Covered Entity’s costs for making the communication (labor, supplies, postage, etc.). The Final Rule also retains the face-to-face exception that allows Covered Entities to provide face-to-face communications that may otherwise constitute marketing communications without first obtaining the patient’s authorization.

Answer: The Final Rule requires Covered entities or Business Associates to obtain the patient’s authorization prior to disclosing the patient’s PHI in exchange for remuneration. The authorization must specifically state the Covered Entity or Business Associate is receiving remuneration in exchange for the PHI. The Final Rule provides several exceptions to this provision: 1) disclosures of PHI for public health activities; 2) disclosures for research purposes where the only remuneration received is reasonable cost-based fees to prepare and transmit the PHI; 3) disclosures for treatment of the individual or for payment purposes; 4) disclosures made pursuant to the sale, transfer, merger, or consolidation of the Covered Entity; 5) disclosures to or by a Business Associate for activities the Business Associate undertakes on behalf of the Covered Entity, or those activities a subcontractor undertakes on behalf of the Business Associate, where the only remuneration is for the performance of such activities; 6) for disclosures to an individual; 7) for disclosures required by law; or 8) for other purposes in accordance with the HIPAA regulations where the remuneration received is limited to a cost-based fee to prepare and transmit the PHI or any fee otherwise expressly permitted by law.

Question: How Did the Final Rule Affect Patients?

Answer:

Access to PHI. The Final Rule allows patients to obtain copies of their PHI electronically if the Covered Entity maintains the PHI in an electronic health record. This ability to acquire records does not mean that a Covered Entity must allow a patient access to the Covered Entity’s electronic health systems. However, the Covered Entity must provide the information in a format as requested by the patient, or if the format is not available, in a reasonable electronic format agreed to by both parties.

Requests to Restrict Disclosures of PHI. The Final Rule implemented the HITECH amendment requiring Covered Entities to comply with a patient’s request to restrict disclosures of PHI, if the disclosure is for the purpose of payment or healthcare operations and if the patient has paid for the item of healthcare or service out-of-pocket, in full.

Question: What Should Covered Enti­ties Do to Implement These Changes?

Answer: Covered Entities must review and update their HIPAA compliance program to incorporate the above noted changes and to update their procedures where applicable. Similar to the suggested updates for Business Associates, Covered Entities should take the following steps:

  • Review and update Policies & Procedures.
  • Review and update Business Associates Agreements, and review existing relationships that may fall under the revised HIPAA Business Associate definition to determine if the Covered Entity is required to execute a Business Associate Agreement.
  • Review and update Notice of Privacy Practices (and provide the updated notice to all patients).
  • Review and update Breach Notification Policies and Procedures.
  • Implement updated training.

[1] Whitcomb, Keith, “Former Hospital Technician from Bennington Gets Suspended Sentence,” Bennington Banner, Nov. 14, 2012. Available at <http://www.benning­tonbanner.com/local/ci_21991260/former-hospital-technician-from-bennington-gets-suspended-sentence>. Last accessed Mar. 31, 2013.

[2] U.S. Department of Health and Human Services, “Reso­lution Agreement: UCLA Health System Settle Potential Violations of the HIPAA Privacy and Security Rules.” Available at <http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/uclaagreement.html>. Last accessed Mar. 31, 2013.

[3] 45 CFR Parts 160, 162, and 164.

[4] Pub. L. 111-5 (Feb. 17, 2009).

[5] 78 Fed. Reg. 5566 (Jan. 25, 2013).

Finis

Citations

  1. Whitcomb, Keith, “Former Hospital Technician from Bennington Gets Suspended Sentence,” Bennington Banner, Nov. 14, 2012. Available at <http://www.benning­tonbanner.com/local/ci_21991260/former-hospital-technician-from-bennington-gets-suspended-sentence>. Last accessed Mar. 31, 2013. Jump back to footnote 1 in the text
  2. U.S. Department of Health and Human Services, “Reso­lution Agreement: UCLA Health System Settle Potential Violations of the HIPAA Privacy and Security Rules.” Available at <http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/uclaagreement.html>. Last accessed Mar. 31, 2013. Jump back to footnote 2 in the text
  3. 45 CFR Parts 160, 162, and 164. Jump back to footnote 3 in the text
  4. Pub. L. 111-5 (Feb. 17, 2009). Jump back to footnote 4 in the text
  5. 78 Fed. Reg. 5566 (Jan. 25, 2013). Jump back to footnote 5 in the text