In 2013, the Office for Civil Rights ("OCR") of the US Department of Health and Human Services ("HHS") issued the Final Omnibus Rule ("Final Rule"), which made the most significant changes to the HIPAA Privacy, Security, and Enforcement Rules since they were first implemented. The Final Rule consisted of four parts:
1. Final changes to the HIPAA Privacy, Security, and Enforcement Rules;
2. Final changes to the HIPAA Enforcement Rule for increased penalties;
3. Final rule on Breach Notification for Unsecured Protected Health Information ("PHI") under HITECH; and
4. Final rule implementing certain provisions of the Genetic Information Nondiscrimination Act of 2008 ("GINA").
KEY DATES
The Final Rule took effect on March 26, 2013. Covered entities and their business associates were given 180 days from that date to comply with the provisions of the Final Rule, making the final date to comply September 23, 2013.
The Enforcement Rule is effective and applies as of March 26, 2013, subject to the exceptions noted in the Enforcement Rule. Other transition provisions allow covered entities and their business associates up to one year beyond the compliance deadline (until September 22, 2014) to amend existing contracts if certain conditions are met.
OVERVIEW OF SOME KEY AREAS
Expanding Definition of Business Associates
The Final Rule expands the definition of business associate to include several additional types of entities including:
- Health Information Organizations, E-prescribing Gateways, or any other person that provides data transmission services with respect to PHI to a covered entity and that requires routine access to such PHI;
- A person who offers a personal health record to one or more individuals on behalf of a covered entity;
- Patient Safety Organizations; and
- Subcontractors of business associates that create, receive, maintain or transmit PHI on behalf of a business associate.
It is important to note that entities that store or maintain electronic protected health information ("ePHI") for covered entities will be considered business associates even if they do not view the PHI. The fact that they have a continuing ability to access PHI will in itself qualify them as a business associate. Thus, cloud providers may now qualify as business associates.
Business Associate Direct Liability
The Final Rule now makes business associates directly responsible for complying with the Security Rule. Under the Final Rule a business associate is required to:
- Use or disclose PHI only as permitted or required by the business associate agreement ("BAA") or required by law; any other use or disclosure of PHI would be a violation of the HIPAA Privacy Rule for which the business associate would be directly liable (such a violation would likely be deemed a breach subject to the requirement to notify affected individuals);
- Not use or disclose PHI in a manner that would violate the Privacy Rule if done by the covered entity;
- Disclose PHI when required by the HHS to investigate or determine the Business Associate's compliance with HIPAA/HITECH;
- Disclose PHI to the covered entity, or to the individual or individual's designee to facilitate compliance with the individual's request for his or her electronic PHI;
- Provide an individual or the individual's designee with a copy of their PHI in an electronic format, if the individual so chooses, to the extent the entity maintains PHI in an electronic health record;
- Limit the PHI that business associates use, disclose or request to the minimum necessary to accomplish the intended purposes of the use, disclosure or request; and
- Respond to known noncompliance with the Rules or BAA restrictions by their business associate subcontractors.
Business associates are now directly liable under the Rules for failing to fulfill the following responsibilities:
- Uses and disclosures of PHI that are inconsistent with the relevant BAA or with the Privacy Rule;
- Uses and disclosures of PHI that would violate the Privacy Rule if done by the covered entity;
- Failure to disclose PHI when required by the Secretary of the HHS to investigate and determine the Business Associate's compliance with the Rules;
- Failure to disclose PHI to the covered entity, or to the individual to whom the information pertains, or the individual's designee, as necessary to fulfill covered entity's obligations to provide the information to the individual;
- Failure to make reasonable effort to limit PHI to the minimum necessary to accomplish the intended purposes of use or disclosure of, or request for, the PHI;
- Failure to enter into a BAA with subcontractors that access PHI on their behalf; and
- Failure to take reasonable action in response to known noncompliance by their subcontractors.
It is important to note that business associates are not required to provide a Notice of Privacy Practices, designate a privacy official, and so on. The Final Rule also explains that covered entities are not required to obtain assurances from business associates that are subcontractors; business associates are now required to obtain that assurance from their own subcontractors.
Breach Notifications
One of the most significant changes made by the Final Rule is the lowering of the threshold that triggers breach notification requirements. Under the new provisions, an impermissible use or disclosure of protected health information is presumed to be a reportable breach unless the covered entity or business associate, as applicable, demonstrates through a documented risk assessment that there is a low probability that the PHI has been compromised. The risk assessment must be detailed and reach conclusions that are reasonable. The risk assessment must consider the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification of the information;
- The type of unauthorized person who impermissibly used the PHI or to whom the impermissible disclosure was made;
- Whether the PHI was actually acquired or viewed or, alternatively, if only the opportunity existed for the information to be acquired or viewed; and
- The extent to which risk to the PHI has been mitigated.
The Rules provide detailed guidance on considering and weighing these factors. HHS stated that it will issue further guidance on conducting risk assessments for frequently occurring scenarios. The former exception for breaches involving limited data sets no longer applies. It should be noted that the Final Rule does not preempt most state breach reporting laws; where a state law is stricter, the covered entity and business associate must comply with both.
Privacy Restriction
The Final Rule requires covered entities to modify their Notice of Privacy Practices ("NPP") by adding clarification statements that:
- Authorization is required for most uses and disclosures of psychotherapy notes (where applicable), PHI for marketing purposes, and the sale of PHI;
- Individuals will be notified in the event of a breach of unsecured PHI; and
- To the extent the covered entity uses PHI for fundraising, the covered entity may contact the individual to raise funds and the individual has a right to opt out of receiving such communications.
The Final Rule also adopts the proposal that the NPP inform individuals of their new right to restrict certain disclosures of PHI to a health plan where the individual pays out of pocket in full for the healthcare item or service. Only healthcare providers are required to include such a statement in their NPPs.
Access to ePHI
HITECH strengthens the Privacy Rule's right of access with respect to covered entities that use or maintain an electronic health record ("EHR") on an individual. OCR now expands individuals' access rights to include receiving electronic copies of their PHI that is maintained electronically.
OCR clarifies that the covered entity must provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual.
An individual can now request that the covered entity transmit a copy of the PHI directly to another person designated by the individual, and the covered entity must provide the copy to that designated person. The individual's request must be in writing, signed by the individual, and must clearly identify the designated person and where to send the copy of the PHI. Some legacy systems may not be able to transmit the information, causing the covered entity to incur additional investment to meet the basic requirement of providing some form of electronic file.
Enforcement
HITECH amended HIPAA to establish four categories of violations that reflect increasing levels of culpability and four corresponding tiers of penalties that significantly increased the minimum penalty amount for each violation. The Final Omnibus Rule incorporates the four categories of violations and the corresponding four-tiered Civil Money Penalty ("CMP") structure provided by HITECH for violations occurring on or after February 18, 2009, and extends the penalty provisions to violations by business associates.
The new rules clarify the four tiers of penalties as follows:
* Lowest - cases in which the physician did not and reasonably could not know of the breach.
* Intermediate - cases in which the physician "knew, or by exercising reasonable diligence would have known" of the violation, but the physician did not act with willful neglect.
* Highest - cases in which the physician "acted with willful neglect" and either corrected the problem within the 30-day cure period (corrected) or failed to make a timely correction (not corrected).
The penalties associated with each tier are summarized in the following chart:
| Violation Category | Per Violation Penalty | Annual Cap for All Violations of an Identical Provision |
|---|---|---|
| (A) Did Not Know | $100 - $50,000 | $1,500,000 |
| (B) Reasonable Cause | $1,000 - $50,000 | $1,500,000 |
| (C)(i) Willful Neglect - Corrected | $10,000 - $50,000 | $1,500,000 |
| (C)(ii) Willful Neglect - Not Corrected | $50,000 | $1,500,000 |
Even though there is a $1.5 million cap for all violations of an identical provision in a calendar year, a covered entity or business associate may be liable for multiple violations of multiple provisions, and violations of each provision are counted separately. As such, one covered entity or business associate may be subject to a separate $1.5 million cap for each provision violated, which could result in a total penalty well above $1.5 million.
Importantly, the Final Rule also provides for civil money penalty liability against covered entities and business associates for the acts of their agents regardless of whether a business associate agreement is in place.
Finally, the Final Rule includes a potential affirmative defense with respect to tier one and tier two violations occurring on or after February 18, 2009. Specifically, a covered entity or business associate may establish that an affirmative defense applies where the entity corrects the violation within 30 days from the date it knew, or with the exercise of reasonable diligence would have known, of the violation, or within a period determined appropriate by the Secretary based upon the nature and extent of the entity's failure to comply.
Other Areas Affected by the Final Omnibus Rule
There are several other areas affected by the Final Rule. These areas include the following:
- Sale of PHI;
- PHI of Decedents;
- Notice of Privacy Restrictions;
- Marketing;
- Research;
- Disclosure of Student Immunization Records to Schools;
- Fundraising;
- Right of Individual to Request a Restriction;
- Hybrid Entities; and
- Genetic Information Nondiscrimination Act of 2008.
CONCLUSION
The Final Rule has made some of the most significant changes to HIPAA since the statute was enacted. The Final Rule substantially strengthens the HIPAA Privacy and Security Rules and gives OCR tools for enforcing those rules.
Covered entities, business associates, and their subcontractors will need to develop plans to ensure that they comply with the changes made by the Final Rule. The changes could require major modifications to policies, procedures and supporting documentation to ensure that the entity is in compliance.
For more information or questions on this topic, please contact a member of the firm's National Health Care Practice in Farmington Hills 248 355 1040 or Sterling Heights 586 254 1040 or visit us on the web at www.uhy-us.com.
Article written by Jeffrey Streif, Principal
National Health Care Practice
Jeffrey is a CPA, CISA, CFE and QSA. He is a leader of the firm's National Management and Technology Consulting Practice and a Certified Common Security Practitioner for HITRUST. Jeffrey is the Chair of the MSCPA Information Technology Committee and current Treasurer of the St. Louis Chapter of ISACA.