April 16, 2014

HIPAA Bulletin: Key Effects of the Newly Published Final Omnibus Rule

On January 25, 2013, the Department of Health and Human Services (HHS) published its much-anticipated final omnibus rule, which modifies several parts of the privacy, security and enforcement rules promulgated under the Health Insurance Portability and Accountability Act (HIPAA). The final rule implements changes under the Health Information Technology for Economic and Clinical Health Act (HITECH), modifies the previously released Interim Final Rule on Breach Notification for Unsecured Protected Health Information and implements elements of the Genetic Information Nondiscrimination Act of 2008 (GINA). The final rule is effective March 26, 2013, but the compliance date for most aspects of the final rule is September 23, 2013.

This bulletin is the first in a series of publications that will address certain aspects of the final rule of particular importance to our clients. Below are highlights of the material changes to HIPAA under the final rule that will most significantly affect our clients, whether they are deemed “covered entities” or “business associates” under HIPAA.

New Obligations and Direct Liability for Business Associates

Business associates must comply with many aspects of the HIPAA privacy and security rules, and may be subject to civil monetary penalties for violations of HIPAA. Historically, business associates were expected to comply with the terms of their business associate agreements (BAAs), but were not subject directly to HIPAA or any of the accompanying regulations.

Obligations and Liabilities of Business Associates Applied to Subcontractors

Subcontractors of business associates will be considered business associates and must comply with HIPAA as described above. Furthermore, BAAs between business associates and their subcontractors must comply with the same standards as BAAs between business associates and covered entities.

Language to Be Added to Notice of Privacy Practices

The notice of privacy practices (NPP) must now include a description of the types of uses and disclosures that require written authorization. Covered entities may be required to update their NPPs in other ways and to redistribute the revised NPPs, depending on the type of covered entity and its current practices.

Liability for Acts of Agents

The final rule eliminated the safe harbor that previously protected covered entities from liability for acts of business associates when proper precautions were in place. Covered entities and business associates may now be held liable for the acts of their agents, including business associates and subcontractors of business associates.

Revised Definition of “Breach” and Effect on Breach Notification

The final rule revised the definition of “breach” such that any impermissible use or disclosure of protected health information (PHI) is presumed to be a breach unless the responsible covered entity or business associate can demonstrate that there is a low probability that the PHI has been compromised. To determine the probability that the PHI has been compromised and whether breach notification is required, the covered entity or business associate, as applicable, must conduct a risk assessment that considers, at a minimum, each of the following four factors:

  • the nature and extent of the PHI involved;
  • the unauthorized person who used the PHI or to whom the disclosure was made;
  • whether the PHI was actually acquired or viewed; and
  • the extent to which the risk to the PHI has been mitigated.

Most notably, the four-factor risk assessment replaces the previous “harm” standard, which required analysis of the risk of financial, reputational or other harm to an individual. As a result, breach notification may now be required in a broader range of circumstances unless the covered entity or business associate determines, based on its risk assessment, that a particular impermissible use or disclosure of unsecured PHI was not a breach.

New Authorizations Required for Marketing Activities and Sales of PHI

Covered entities are now obligated to obtain separate written authorizations from individuals before using PHI for marketing if a third party whose products or services are marketed provides remuneration to the covered entity, unless a specified exception applies. Authorizations are also required for the “sale of protected health information” as defined in the final rule.

Prohibition on Use of Genetic Information for Underwriting

The final rule prohibits health plans from using genetic information for underwriting purposes and requires each health plan’s NPP to contain an acknowledgment of such prohibition.

Expanded Enforcement

In lieu of the HHS Secretary’s historical discretion to investigate a complaint or perform a compliance review, mandatory investigations or compliance reviews will be launched where a preliminary review of the facts indicates the alleged violation occurred due to willful neglect. Civil monetary penalty amounts and annual limits on penalties for identical violations will be imposed depending on the covered entity’s or business associate’s culpability and knowledge. Affirmative defenses to the imposition of civil monetary penalties have been restricted. However, correction of the violation within 30 days can either ease or eliminate the imposition of civil monetary penalties, depending on the circumstances of the violation.

Action Items to Consider

  • Update Policies and Procedures to Reflect the Final Rule Changes
  • Update Subcontractor Business Associate Agreements as Necessary
  • Create or Update Risk Assessment Procedures for Determining Necessity of Breach Notifications
  • Identify Marketing Plans or Agreements That May Require Authorization
  • Update and Redistribute Notice of Privacy Practices
© 2014 Vedder Price

About the Author

Shareholder

Kathryn L. Stevens joined the Chicago office of Vedder Price in 1999. She is a Shareholder and a member of the firm's Corporate practice area. She concentrates her practice in commercial finance, representing major lenders in loan transactions exclusively in the health care industry. She structures, negotiates and documents asset-based, cash-flow and real estate loan transactions with borrowers across the spectrum of health care sub-industries including senior, second lien and mezzanine financings.

312-629-7803

About the Author

Chair, Records Management, eDiscovery and Data Privacy Group

Mr. Radke joined the Chicago office of Vedder Price in 1998.  He is a shareholder and a member of the firm’s Litigation Practice Area.  Mr. Radke is Chair of the firm’s Records Management and eDiscovery Practice Group.

Mr. Radke regularly counsels clients, including a Fortune 5 company, on all aspects of records management, including developing and implementing enterprise-wide records retention schedules and electronic communications policies.  He has written and spoken extensively...

312-609-7689
Shareholder

Christopher T. Collins is a member of the Employee Benefits Group.  He assists employers on all aspects of employee benefits, focusing on retirement and welfare plan design, qualification and compliance.  He frequently advises employers regarding benefit issues in connection with mergers and acquisitions and Department of Labor and Internal Revenue Service correction programs.  Mr. Collins also represents companies and executives in the design and negotiation of executive compensation arrangements, such as nonqualified deferred compensation plans and equity compensation...

312-609-7706

About the Author

Shareholder

Michael A. Chabraja joined Vedder Price in 2011 and is currently a Shareholder in the Litigation practice area and the Trade and Professional Association practice group.

312-609-7790

About the Author

Associates

Michael J. Waters is an Associate with Vedder Price and a member of the firm’s Litigation practice area. Mr. Waters has experience representing clients in a broad range of complex business and commercial disputes, including product liability, securities fraud, antitrust and trade regulation and contract disputes.

Mr. Waters also regularly works with the firm’s Intellectual Property group and has significant experience litigating matters of trademark, copyright and patent infringement, as well as trade secret misappropriation, unfair competition and restrictive...

+1 (312) 609 7726

About the Author

Paul F. Russell has worked in the Employee Benefits Group since joining Vedder Price in 1973. He has extensive experience in virtually all aspects of employee benefits, including the design, drafting, implementation and termination of qualified pension, profit sharing, 401(k), cash balance and ESOP plans for employers of all sizes. He frequently advises employers regarding fiduciary issues under ERISA and serves as benefits counsel in connection with merger and acquisition transactions. He also has significant experience with the Internal Revenue Service and Department of Labor...

312-609-7740
