HIPAA Bulletin: Key Effects of the Newly Published Final Omnibus Rule

On January 25, 2013, the Department of Health and Human Services (HHS) published its much-anticipated final omnibus rule, which modifies several parts of the privacy, security and enforcement rules promulgated under the Health Insurance Portability and Accountability Act (HIPAA). The final rule implements changes under the Health Information Technology for Economic and Clinical Health Act (HITECH), modifies the previously released Interim Final Rule on Breach Notification for Unsecured Protected Health Information and implements elements of the Genetic Information Nondiscrimination Act of 2008 (GINA). The final rule is effective March 26, 2013, but the compliance date for most aspects of the final rule is September 23, 2013.

This bulletin is the first in a series of publications that will address certain aspects of the final rule of particular importance to our clients. Below are highlights of the material changes to HIPAA under the final rule that will most significantly affect our clients, whether they are deemed “covered entities” or “business associates” under HIPAA.

New Obligations and Direct Liability for Business Associates

Business associates must comply with many aspects of the HIPAA privacy and security rules, and may be subject to civil monetary penalties for violations of HIPAA. Historically, business associates were expected to comply with the terms of their business associate agreements (BAAs), but were not subject directly to HIPAA or any of the accompanying regulations.

Obligations and Liabilities of Business Associates Applied to Subcontractors

Subcontractors of business associates will be considered business associates and must comply with HIPAA as described above. Furthermore, BAAs between business associates and their subcontractors must comply with the same standards as BAAs between business associates and covered entities.

Language to Be Added to Notice of Privacy Practices

The notice of privacy practices (NPP) must now include a description of the types of uses and disclosures that require written authorization. Covered entities may be required to update their NPPs in other ways and to redistribute the revised NPPs, depending on the type of covered entity and its current practices.

Liability for Acts of Agents

The final rule eliminated the safe harbor that previously protected covered entities from liability for acts of business associates when proper precautions were in place. Covered entities and business associates may now be held liable for the acts of their agents, including business associates and subcontractors of business associates.

Revised Definition of “Breach” and Effect on Breach Notification

The final rule revised the definition of “breach” such that any impermissible use or disclosure of protected health information (PHI) is presumed to be a breach unless the responsible covered entity or business associate can demonstrate that there is a low probability that the PHI has been compromised. To determine the probability that the PHI has been compromised and whether breach notification is required, the covered entity or business associate, as applicable, must conduct a risk assessment that considers, at a minimum, each of the following four factors:

  • the nature and extent of the PHI involved;
  • the unauthorized person who used the PHI or to whom the disclosure was made;
  • whether the PHI was actually acquired or viewed; and
  • the extent to which the risk to the PHI has been mitigated.

Most notably, the four-factor risk assessment replaces the previous “harm” standard, which required analysis of the risk of financial, reputational or other harm to an individual. As a result, breach notification now may be required in a broader number of circumstances unless the covered entity or business associate determines, based on its risk assessment, that a particular impermissible use or disclosure of unsecured PHI was not a breach.

New Authorizations Required for Marketing Activities and Sales of PHI

Covered entities are now obligated to obtain separate written authorizations from individuals before using PHI for marketing if a third party whose products or services are marketed provides remuneration to the covered entity, unless a specified exception applies. Authorizations are also required for the “sale of protected health information” as defined in the final rule.

Prohibition on Use of Genetic Information for Underwriting

The final rule prohibits health plans from using genetic information for underwriting purposes and requires each health plan’s NPP to contain an acknowledgment of such prohibition.

Expanded Enforcement

In lieu of the HHS Secretary’s historical discretion to investigate a complaint or perform a compliance review, mandatory investigations or compliance reviews will be launched where a preliminary review of the facts indicates the alleged violation occurred due to willful neglect. Civil monetary penalty amounts and annual limits on penalties for identical violations will be imposed depending on the covered entity’s or business associate’s culpability and knowledge. Affirmative defenses to the imposition of civil monetary penalties have been restricted. However, correction of the violation within 30 days can either ease or eliminate the imposition of civil monetary penalties, depending on the circumstances of the violation.

Action Items to Consider

  • Update Policies and Procedures to Reflect the Final Rule Changes
  • Update Subcontractor Business Associate Agreements as Necessary
  • Create or Update Risk Assessment Procedures for Determining Necessity of Breach Notifications
  • Identify Marketing Plans or Agreements That May Require Authorization
  • Update and Redistribute Notice of Privacy Practices

© 2020 Vedder Price. National Law Review, Volume III, Number 31

About this Author

Kathryn L. Stevens, Vedder Price Law Firm, Corporate Attorney, Chair, Health Law Group in Chicago IL

Kathryn L. Stevens joined the Chicago office of Vedder Price in 1999.

She is a Shareholder and a member of the firm's Corporate practice area. She concentrates her practice in commercial finance, representing major lenders in loan transactions exclusively in the health care industry. She structures, negotiates and documents asset-based, cash-flow and real estate loan transactions with borrowers across the spectrum of health care sub-industries including senior, second lien and mezzanine financings.

Ms. Stevens advises health care clients on a wide range of corporate, tax,...

Christopher T. Collins, Vedder Price Law Firm, Labor Employment Attorney

Christopher T. Collins is a member of the Employee Benefits Group. He assists employers on all aspects of employee benefits, focusing on retirement and welfare plan design, qualification and compliance. He frequently advises employers regarding benefit issues in connection with mergers and acquisitions and Department of Labor and Internal Revenue Service correction programs. Mr. Collins also represents companies and executives in the design and negotiation of executive compensation arrangements, such as nonqualified deferred compensation plans and equity compensation plans.

Paul F. Russell, Vedder Price Law Firm, Labor Employment Attorney

Paul F. Russell has worked in the Employee Benefits Group since joining Vedder Price in 1973. He has extensive experience in virtually all aspects of employee benefits, including the design, drafting, implementation and termination of qualified pension, profit sharing, 401(k), cash balance and ESOP plans for employers of all sizes. He frequently advises employers regarding fiduciary issues under ERISA and serves as benefits counsel in connection with merger and acquisition transactions. He also has significant experience with the Internal Revenue Service and Department of Labor voluntary...