The Brave New World of HIPAA Breaches: Omnibus Rule Changes the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and Health Information Technology for Economic and Clinical Health Act ("HITECH") Landscape
Monday, July 1, 2013

Now, more than ever, the health care industry must work diligently to protect the privacy and security of health information. The scope of regulation has expanded, the enforcement authority and resources of the U.S. Department of Health and Human Services Office for Civil Rights ("OCR") have grown, and the financial penalties have increased. According to a recent Advisory Board survey, general counsel and compliance professionals indicated that HIPAA compliance was the area where they had the greatest need for legal guidance or support.

On January 25, 2013, OCR published the omnibus final rule ("Omnibus Rule") to implement changes to privacy, security, and breach notification requirements under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH").[i] The long-awaited Omnibus Rule makes significant changes to the privacy and security landscape.[ii] Providers, insurers, and entities that support the health care industry should be aware of these changes in order to appropriately update business practices to comply with the new requirements.

Overview of Omnibus Rule Changes
The Omnibus Rule is composed of four rules that finalize and implement a comprehensive set of changes to regulations based on interim rules and requirements under HITECH and the Genetic Information Nondiscrimination Act ("GINA"), including:

  • New requirements regarding the use and disclosure of protected health information ("health information");

  • Enhanced and newly created consumer protections, including an individual's right to an electronic copy of medical records; a right to restrict disclosures of health information to health plans when the individual has paid for items or services out-of-pocket; and revised requirements for marketing, fundraising, and sale of health information;

  • Required updates to entities' Notice of Privacy Practices, business associate agreements, and HIPAA policies and procedures;

  • New prohibitions required under GINA regarding health plans' use of genetic information for underwriting purposes;

  • Expansion of the definition – and liability – of a "business associate" to contractors and subcontractors that create, receive, maintain, or transmit health information; and

  • Clarification of OCR's direct enforcement authority over business associates and subcontractors.

New Breach Analysis Standard
In addition to these changes, the Omnibus Rule modified the process by which alleged and known breaches are investigated. The Omnibus Rule made two significant changes to the Breach Notification Rule.

First, it flipped the presumption as to when notification of a breach is required. An impermissible use or disclosure of health information is presumed to be a breach, and notification is required, unless an entity can demonstrate that there is a "low probability" that the health information has been compromised based on a risk assessment.[iii]

Second, the risk-of-harm standard has been replaced with a specific risk assessment standard.[iv] To demonstrate a low probability of compromise, the entity must conduct a risk assessment based on a minimum of four factors:

  1. The nature and extent of the health information involved, including types of identifiers and likelihood of reidentification;
  2. The unauthorized person to whom the disclosure was made;
  3. Whether health information was actually acquired or viewed; and
  4. The extent to which the risk to the health information has been mitigated.

If the risk assessment fails to demonstrate a low probability that health information has been compromised, the entity must provide breach notification. The Omnibus Rule preamble explains that this new standard is more objective than the interim rule standard and should lead to more consistent interpretation and reporting.[v]

Consistent with the language of HITECH, a breach shall be treated as "discovered" on the first day the breach is known or, by exercising reasonable diligence, would have been known.[vi] Furthermore, because every breach of unsecured health information has an underlying impermissible use or disclosure, OCR has the authority to impose a penalty for the underlying violation, even in cases where breach notifications were properly provided. The new presumption standard is effective as of September 23, 2013, and entities must update policies and procedures, train staff, and prepare to go live with the new analysis before this compliance date.[vii]

Stepped up OCR Investigation, Enforcement, and Penalties
In addition to the new breach standard, the Omnibus Rule expanded OCR's ability and obligation to investigate alleged violations and enforce HIPAA requirements. Where OCR previously had permissive authority to investigate, it now must formally investigate any complaint if a preliminary investigation of the facts indicates a possible violation.[viii]

OCR is still permitted to resolve investigations or compliance reviews by informal means. Under the Omnibus Rule, however, OCR may now move directly to a formal process, including the issuance of civil money penalties, without first exhausting informal resolution efforts, which was previously required.[ix]

The Omnibus Rule finalized the HITECH penalty structure and clarified definitions of culpability for each violation category. Under the new structure, penalties for individual violations range between $100 and $50,000, and multiple violations of an identical violation category can range up to $1,500,000 in a calendar year.[x] Although we have not seen significant penalties assessed under this structure, OCR has authority to assess aggregate penalties up to $6,000,000 per calendar year.[xi]

Unlike the breach notification rule, there is no transition period for the new penalty structure. OCR's expanded investigation and enforcement authority and the increased penalties became effective in March 2013.[xii] OCR has been hiring additional staff to assist with its expanded obligations.

Implications for the Health Care Industry
The new breach presumption standard coupled with OCR's increased enforcement options makes breaches more likely to be investigated and easier for OCR to prosecute. There are some measures that every provider should take to help reduce the risk of a breach or enforcement action:

  • Conduct a risk assessment to evaluate HIPAA compliance and identify areas of needed improvement;

  • Review workforce training and policies related to identifying and investigating alleged breaches;

  • Update business associate agreements to ensure that business associates and subcontractors that access health information understand breach reporting obligations; and

  • Review the breach risk-of-harm analysis to determine whether it includes the four required factors. Arguably, the analysis is changing more in form than in function. The transition timeframe to the new standard gives entities the opportunity to beta test the updated analysis before the September compliance date.

Notably, these are basic actions that would be beneficial for all covered entities to take now. This is not, however, a comprehensive list of actions required for HIPAA compliance.

Reprinted from the Advisory Board Company, "General Counsel Agenda: A Quarterly Legal Perspective on Today's Top-Of-Mind Issues," June, 2013