On January 25, 2013, the Department of Health and Human Services (“HHS”) published the Omnibus Rule consisting of 563 pages of both minor and significant changes to HIPAA. The Omnibus Rule is an important reminder to providers to review and update their HIPAA compliance policies.
Timeline for Compliance
The enforcement provisions, which finalize the increased civil monetary penalties of the 2009 Interim Final Rule and make some procedural changes to investigations by the Office for Civil Rights (“OCR”), take effect on the rule’s effective date of March 26, 2013. HHS is delaying enforcement of the revisions to the Security Rule, Privacy Rule, and Breach Notification Rule until the compliance date of September 23, 2013. Even though enforcement of these changes is delayed, covered entities need to review, assess, revise, and train on the new policies and procedures now in order to be compliant by September 23.
Covered entities should not delay in beginning this process, because OCR has recently increased enforcement actions against covered entities, whether arising from complaints or from its audit program, and this trend will continue in the coming years. The Civil Monetary Penalties (“CMPs”) assessed against a covered entity are only a small percentage of the total cost of an OCR enforcement action; the cost of responding to the investigation, any ongoing monitoring obligations, and reputational harm are incurred on top of the CMPs.
Covered entities need to update their policies and then train the staff to incorporate the new changes in the HIPAA Rules. For those covered entities that have not reviewed or updated their HIPAA policies for a number of years, this process will likely take more time to implement.
Presumption of Breach
The Omnibus Rule clarified the definition of “Breach” to remove some of the perceived subjectivity from the determination of whether an event is a “breach”. Previously, in determining whether an unauthorized acquisition, access, use, or disclosure of unsecured Protected Health Information (“PHI”) was a “breach” requiring notification under the Breach Notification Rule, the covered entity assessed whether the event posed a significant risk of financial, reputational, or other harm to the individual. The Omnibus Rule instead provides that a covered entity must presume that an unauthorized acquisition, access, use, or disclosure of unsecured PHI is a breach unless the covered entity can demonstrate (through documentation) that there is a low probability that the PHI has been compromised. That probability is determined by a risk assessment of at least the following factors:
- The nature and extent of PHI involved, including the types of identifiers and likelihood of re-identification;
- The unauthorized person(s) who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to PHI has been mitigated.
Depending on the nature of the covered entity’s functions, additional factors may be considered. A covered entity must increase its documentation to support each determination of whether an incident is a “breach” and to show that every incident is handled in a consistent manner. With the presumption in place, it is advisable for the covered entity to perform and document a thorough risk assessment and to implement encryption where that assessment warrants it. Encryption also matters before any incident occurs: the notification obligation applies only to unsecured PHI, so PHI that was encrypted in a manner consistent with HHS guidance, where the decryption key was not also compromised, falls outside the breach notification requirement altogether, and demonstrating that is far simpler than working through the four-factor assessment after the fact.
The need to have current policies and procedures in place is also reinforced by HHS’s clarification that, when notifications sent to individuals are returned as undeliverable, any substitute notice must still be provided within the same 60-day timeframe for notification. Covered entities must be in a position to act quickly if, or more likely when, a breach occurs.
New Patient Rights
Additionally, the Omnibus Rule provides new and strengthened patient rights, including a patient’s right to an electronic copy of his or her electronic health record; the right to have his or her designated record set sent to a third party; the right to access PHI within 30 days, with one 30-day extension, regardless of whether the PHI is stored off-site; an explicit prohibition on the sale of PHI without authorization; the requirement to obtain an authorization for marketing communications paid for by third parties; the right to easily opt out of fundraising communications; and the right to restrict disclosures to health plans for treatment or services paid in full by the patient. The right to obtain an electronic copy of a patient’s EHR presents additional challenges when a patient asks that the e-copy be delivered by unencrypted means, such as by email. HHS has indicated that a covered entity may honor such a request if it has advised the individual of the risk of unencrypted email and the individual still prefers it, and that the covered entity is not responsible for interception of the PHI in transit in that case; both the warning given and the individual’s choice should be documented.
The new right to restrict disclosures to health plans will likely be a challenge for a covered entity to implement. HHS expects a covered entity to be able to “flag” such treatment or services so that the information is not inadvertently sent to, or made accessible to, the health plan for payment or health care operations purposes, such as audits. The provider may require the patient to pay for the services up front. Procedural questions remain:
- How will follow-up care be billed?
- Can services be unbundled?
- What happens if the original form of payment is dishonored?
- Does the use of electronic prescriptions automatically submit the claim to the health plan?
HHS has stated that a covered entity cannot require a patient to restrict either all or none of the health care services received. HHS has also advised that it expects covered entities to explain the consequences of the restriction to the patient. Thus, a thorough review of the covered entity’s current practices is required to implement this new patient right.
The Omnibus Rule revisions also give covered entities some additional flexibility. The Omnibus Rule permits a covered entity to disclose a decedent’s PHI to family members and friends who were involved in the decedent’s care or payment for care prior to death, as long as the decedent had not expressed a contrary preference before death. The Omnibus Rule allows greater flexibility for a covered entity to disclose student immunization records to schools. The Omnibus Rule also permits combining research authorizations in ways that HIPAA previously prohibited.
The Omnibus Rule also clarifies who is a business associate. It expressly includes within the definition: Health Information Organizations; E-prescribing Gateways; other entities that provide data transmission services involving PHI and require routine access to it; Personal Health Record (PHR) vendors that offer PHRs on behalf of a covered entity; and entities that maintain PHI on behalf of a covered entity or business associate. For the last category, HHS clarified that it does not matter whether the entity ever actually accesses the PHI: an entity that stores PHI, and therefore has the persistent opportunity to access it, is a business associate, unlike a mere conduit that handles PHI only transiently. Cloud storage and hosting providers are therefore implicated and should enter into business associate agreements with the covered entities (or business associates) they serve.
In accordance with the HITECH Act and the Interim Final Rule, business associates, as well as subcontractors of business associates, may be directly liable for violations of HIPAA. As an additional consideration, the Omnibus Rule also clarified that a covered entity may be held vicariously liable for the acts or omissions of its business associate if the business associate is the covered entity’s agent under the federal common law of agency. The covered entity could be held liable for civil monetary penalties arising from the actions or inaction of its business associate, or have the business associate’s knowledge of a breach imputed to it. Mere words in the business associate agreement asserting independent contractor status will not control. Rather, it will be a fact-specific analysis of whether the covered entity controlled the manner and method of the business associate’s work. Care must be taken in drafting business associate agreements, and in managing the relationship in practice, to guard against the creation of an agency relationship.
Preparing for Compliance
The changes to the HIPAA Rules will pose procedural challenges in their implementation. Covered entities must:
- assess the current state of their HIPAA policies and procedures;
- confirm that previous HIPAA requirements are addressed;
- develop a business associate agreement implementation strategy;
- revise policies and procedures to incorporate the new patient rights and increased flexibilities;
- revise breach notification policies and procedures;
- revise the notice of privacy practices (“NPP”);
- create additional templates for documentation of these rights;
- post the revised NPP on the covered entity’s website; and
- develop and implement a training strategy.
There are many steps to compliance, and covered entities should not delay in beginning this process. The compliance date of September 23, 2013, is fast approaching.
NOTE: This general summary of the law should not be used to solve individual problems since slight changes in the fact situation may require a material variance in the applicable legal advice.