New Omnibus Rule Catches More Entities in Health Insurance Portability and Accountability Act of 1996 (HIPAA) Compliance Net
Last month's changes to rules under HIPAA — the Health Insurance Portability and Accountability Act of 1996 — require many more businesses to comply with privacy and security obligations. If you directly or indirectly perform services for a health care provider or a health plan, it is imperative that you understand your obligations related to the use, disclosure, maintenance, and destruction of Protected Health Information ("PHI").
On January 17, 2013, the U.S. Department of Health and Human Services released Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules. This new "Omnibus Rule" expands requirements for business associates, enhances consumer privacy protections, bolsters enforcement, and strengthens breach notification requirements.
Are you now or have you ever been a HIPAA business associate?
If your answer is "no," think again.
The Omnibus Rule expands the definition of "business associate" to include all persons or entities, other than members of the health care provider's workforce, that create, receive, maintain, or transmit protected health information on behalf of a "covered entity", including: claims processing or administration; data analysis, processing, or administration; utilization review; quality assurance; patient safety activities; billing; benefit management; practice management; and repricing.
According to Diane Welsh, formerly Chief Legal Counsel for the Wisconsin Department of Health Services, and now a health law attorney at von Briesen & Roper in Madison, Wisconsin, the biggest change is the expanded reach of the regulations. "The Omnibus Rule expands liability for HIPAA civil and criminal penalties to business associates and, for the first time, subcontractors of business associates, whether or not they have signed a Business Associate Agreement. Prior to the Omnibus Rule, business associate liability was generally limited to contractual remedies for failure to comply with business associate agreement terms, and subcontractors were not required to comply with HITECH. Now, business associates and subcontractors at all levels must comply with the technical, administrative, and physical safeguard requirements in the Security Rule and the use and disclosure requirements in the Privacy Rule."
Most important to the IT industry, the addition of "maintain" to the old definition means that physical and electronic (e.g., cloud) storage facilities may now be business associates, and the Omnibus Rule also expands the definition of business associate to expressly include subcontractors of business associates and entities that transmit PHI, even if the subcontractors do not access or view the PHI. Only entities that act as "mere conduits" are excluded.
In order to comply, business associates must now have written agreements with all subcontractors. The agreements must contain assurances required by the HIPAA Privacy and Security Rules and require subcontractors to notify the business associate of any security incidents or breaches.
According to a detailed summary of the Omnibus Rule co-authored by Diane Welsh and fellow health law attorney Meghan O'Connor, "the expansion of HIPAA liability to subcontractors also expands the vicarious liability for business associates with regard to their subcontractors. Business associates are now liable for violations resulting from the acts or omissions of subcontractors that are agents of the business associate acting within the scope of agency." (http://www.vonbriesen.com/resourcelibrary/articles/hipaa_omnibus_final_rule_1-13.html)
"Business associate" also includes those who provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity. This can result in entities whose business stands far from the needle tip of health care services having HIPAA compliance duties. For example, banks who provide accounting, data processing, or loans for medical care could now be regulated business associates.
Modification of the Breach Notification Rule
The Omnibus Rule reversed prior law concerning when notification of a data breach is required. Under the revised HITECH Breach Notification Rule, an impermissible use or disclosure of PHI is now presumed to be a breach and notification is required, unless an entity can demonstrate that there is a low probability that the PHI has been compromised.
The Omnibus Rule adopts a specific risk assessment standard to determine the probability that PHI has been compromised. If the risk assessment fails to demonstrate that there is a low probability that PHI has been compromised, breach notification is required.
Expansion of Consumer Protections
The Omnibus Rule expands consumer rights to obtain their data. To the extent possible, access must be provided in the format requested by the individual. If an individual requests a copy of PHI that is maintained electronically, the covered entity must provide access in electronic form.
The Omnibus Rule also now allows an individual to restrict the disclosure of PHI to a health plan if the individual has paid the covered entity in full for the item or service.
Health care providers and business associates must develop methods of flagging restricted PHI so that the records are not available to the patient's health plan. This likely will require new operational policies for "paid in cash" transactions in order to address bundled services and HMO prohibitions on accepting payment above individual cost sharing amounts.
Steps to Take Now
Health care providers, business associates, and subcontractors should develop plans for coming into compliance with the Omnibus Rule. Business associates should review their operations, IT systems, HIPAA policies and procedures, and training to ensure they are operating in compliance with HIPAA privacy and security standards. Business associates should also review vendor assessment practices to incorporate the heightened risk of contracting with vendors that are now subject to HIPAA requirements.
Business associates will need to update existing business associate agreements or draft new agreements consistent with the recent changes. This includes revising upstream agreements with covered entities to document the specifically permitted uses and disclosures, and also includes downstream agreements with subcontractors that are now subject to Health and Human Services enforcement authority.
Covered entities and subcontractors should work with legal counsel to update existing business associate agreements and draft new ones for compliance with Omnibus Rule provisions. Existing business associate agreements must be updated and compliant with Omnibus Rule provisions by September 22, 2014. Covered entities should aim to have updated business associate agreements in place with enough time for business associates to secure agreements with their subcontractors prior to the compliance date, September 22, 2013.