On Jan. 17, 2013, the U.S. Dept. of Health and Human Services released the long-awaited omnibus final rule designed to strengthen the privacy and security protections for health information afforded under the Health Insurance Portability and Accountability Act (HIPAA). These are the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. The omnibus final rule comprises four final rules, discussed below. Please note this article is intended only to provide an overview of several of the notable provisions within the omnibus final rule; it is not an exhaustive explanation of the rule.
HIPAA Privacy, Security and Enforcement Rules
The final rule provides modifications to HIPAA’s Privacy, Security and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, as well as other modifications to improve the rules. Among the major changes, the modifications make clear that certain HIPAA Privacy and Security Rules apply directly to business associates (BAs), in the same manner that the requirements apply to covered entities, and that BAs are civilly and criminally liable for violations of such provisions. The final rule also expands the definition of “business associate” to include certain personal health record vendors and subcontractors under HIPAA’s umbrella. Notably, the new rule does not define the “minimum necessary standard”; rather, HHS stated that how a BA will apply the minimum necessary standard will vary based on circumstances, and that BA agreements should limit the BA’s use and disclosure of protected health information (PHI) in accordance with the covered entity’s minimum necessary policies and procedures. HHS noted that it intends to issue further guidance on the minimum necessary standard. The rule also expands individuals’ rights by permitting patients to request electronic copies of health information. Additionally, patients may instruct a provider not to share treatment information with their health plan when the individual pays for such service out of pocket, in full. The rule also strengthens the limitations on the use and disclosure of PHI for marketing and fundraising purposes, and generally prohibits the sale of PHI for remuneration without the individual’s authorization. Under the rule, covered entities are required to make modifications to privacy notices and redistribute the revised notices. The rule also attempts to streamline individuals’ ability to authorize the use of their health information for research purposes and to make it easier for parents and others to provide proof of child immunization to schools.
Civil Money Penalty Structure
The final rule adopts the HITECH Act’s tiered structure of increasing penalty amounts that correspond to the levels of culpability associated with a violation. The first category (lowest penalty tier) covers situations where the covered entity or BA did not know, and by exercising due diligence would not have known, of a violation. The second category (next highest penalty tier) applies to violations due to reasonable cause. The final rule clarifies that “reasonable cause” means “an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.” The third and fourth categories apply to circumstances where the violation was due to willful neglect that is corrected within a certain time frame (second highest penalty tier) and willful neglect that is not corrected (highest penalty tier). While HHS has discretion to determine the amount of penalty to impose within each tier, HHS reiterated that the Department would not impose the maximum penalty amount in all cases. Instead, the penalty amount would be determined on a case-by-case basis, depending on the nature and extent of the violation and resulting harm, as well as the financial condition and size of the covered entity or BA. Further, the final rule clarifies that a covered entity may be held liable for the acts of its agents. The rule states that whether a BA is considered an agent of a covered entity will be fact specific, taking into account the terms of the BA agreement and the totality of the circumstances involved in the relationship between the parties.
Breach Notification for Unsecured Protected Health Information
The final rule modifies the definition of “breach” and the risk assessment factors for determining whether a breach has occurred. Under the revised definition of “breach,” an impermissible use or disclosure of PHI is “presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.” This low-probability standard replaces the “significant risk of harm” standard set forth in the interim final rule published on Aug. 24, 2009. HHS clarified that breach notification is not required if a covered entity or BA demonstrates through a risk assessment that there is a low probability that the PHI has been compromised. The final rule outlines the factors that covered entities and BAs must consider when performing a risk assessment. Such factors include, at minimum, (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated. HHS recommends that covered entities and BAs examine their policies to ensure that all required factors are considered when conducting a risk assessment to determine whether a breach has occurred.
Genetic Information Nondiscrimination Act (GINA)
The final rule also modifies the HIPAA Privacy Rule, as required by the Genetic Information Nondiscrimination Act (GINA), to prohibit most health plans from using or disclosing genetic information for underwriting purposes.
The new rule is effective March 26, 2013, with a compliance date of Sept. 23, 2013. The final rule may be viewed in the Federal Register at www.federalregister.gov/a/2013-01073.