
JANUARY 23, 2013

HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule

By Linn Foster Freedman, Kathryn M. Sylvia, Lindsay Maleson, and Brooke A. Lane

On January 17, 2013, the U.S. Department of Health and Human Services (HHS) published the long-awaited Final HIPAA Omnibus Rule, encompassing its modifications to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. Director of HHS’s Office for Civil Rights Leon Rodriguez said, “The final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented” and that the changes “enhance a patient’s privacy rights” and strengthen “the ability of my office to vigorously enforce” HIPAA.

The modifications implemented by the Final Rule include:

• Expands the types of entities subject to the HIPAA Privacy Rule to include business associates, subcontractors of business associates (if the subcontractor routinely handles protected health information (PHI)), patient-safety organizations, health information exchange organizations (HIO), and e-prescribing gateways;

• Increases patients’ rights by allowing a decedent’s family or close family friends to access the decedent’s PHI, allowing patients to request an electronic copy of their medical records, allowing patients to provide authorization for use of their medical records for research purposes, and allowing children’s immunization records to be shared with schools;

• Restricts the use of PHI for marketing and fundraising activities;

• Prohibits the sale of PHI without patient authorization, with certain exceptions;

• Increases the penalties for violations of HIPAA to a maximum of $1.5 million in one calendar year;

• Clarifies that genetic information qualifies as health information;

• Alters the breach notification requirement so that an unauthorized use or disclosure of PHI is presumed to be a reportable breach unless the covered entity can conclude, through a documented assessment, that there is a “low probability” that the information has been compromised. “Low probability” is determined by:

  o The nature, extent, and identifiers of the PHI involved (such as whether it involved mental health treatment or substance abuse treatment records);

  o The unauthorized person who used the PHI or to whom the disclosure was made;

  o Whether the PHI actually was acquired or viewed; and

  o The extent to which the risk to the PHI has been mitigated.

Modifications to the HIPAA Privacy Rule

The HIPAA Privacy Rule, 45 CFR Part 160 and Subparts A and E of Part 164, requires that covered entities institute safeguards that protect the privacy of protected health information (PHI), and requires that covered entities who engage business associates to handle PHI have contracts in place to ensure that the business associate also protects the PHI with the same security measures. The Final Rule now extends the scope of the Privacy Rule to business associates and subcontractors of business associates. Subcontractors include any entity or person “to whom a business associate has delegated a function, activity, or service other than in the capacity of a member of the workforce of the business associate.” Business associates must have business associate agreements with their subcontractors, who must then comply with the Privacy Rule and provide the business associates with satisfactory assurances that they will implement appropriate safeguards for PHI.

A “business associate” is defined as an entity that “performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of PHI.” The revisions add the following entities to the definition of a business associate:

• Patient Safety Organizations

• Health Information Organizations (HIO)

• E-Prescribing Gateways

• Vendors of Personal Health Records

• Any other person that “provides data transmission services with respect to PHI to a covered entity and that requires routine access to such PHI”

To clarify, the Final Rule explains that the determination of whether a person has “routine access” to PHI is “fact specific” and will be “based on the nature of the services provided.” If the entity is merely a “conduit” for the covered entity, its access to PHI is not considered routine. Entities such as the U.S. Postal Service or similar couriers, and their electronic equivalents such as Internet service providers, are not considered entities with routine access under the Final Rule and therefore are not business associates.

Additionally, other exceptions to the “business associate” definition include a health care provider for treatment, plan sponsors, government agencies, and covered entities participating in an organized health care arrangement.

The Final Rule also alters the definition of “protected health information” to not include the PHI of an individual who has been deceased for over 50 years. Further, the Final Rule amends the Privacy Rule to allow covered entities to disclose a decedent’s PHI to family members, or other close family friends who were involved in that decedent’s care or payment for care prior to death, unless such disclosure is inconsistent with the decedent’s expressed preferences prior to death.

Moreover, the Final Rule adds to patients’ rights by providing more access to their PHI. The new Privacy Rule permits patients to ask for an electronic copy of their medical records, and the covered entity must provide access in electronic form if it is readily producible. If the electronic records are not readily producible, then a readable electronic form, as agreed between the patient and the covered entity, will satisfy this new access requirement. This new requirement does not require that a covered entity purchase new software or systems to accommodate the patient’s format request.

The Final Rule also makes it easier for individuals to authorize the use of their information for research purposes by permitting combined and unconditioned authorizations for research as long as the authorization clearly allows the individual the ability to opt-in to the unconditioned research activities. Authorizations for research do not need to be study specific.

Likewise, the Final Rule permits covered entities to share children’s immunization records with schools when state or other laws require a school to have such information prior to admitting a student. Written authorization is no longer required, but covered entities will need to obtain oral agreement from a parent, guardian, or other person acting in loco parentis, or by the adult or emancipated minor.

The Final Rule will also allow a patient who pays in cash to keep information about their treatment from their health plan if such a request is made to the covered entity.

The definition of “marketing” now requires that there be patient authorization “for all treatment and health care operations communications where the covered entity received financial remuneration for making the communications from a third party whose product or service is being marketed.” The HIPAA Privacy Rule will treat all subsidized treatment communications as marketing communications. However, the Privacy Rule will continue to allow covered entities to use or disclose PHI without a patient authorization for refill or health care service information, for case management or care coordination, or to describe a health-related product.

The Final Rule prohibits the use or disclosure of PHI for fundraising purposes, and this must be stated in the covered entity’s Notice of Privacy Practices. The Rule specifies that each fundraising communication must include an opt-out that lets the individual elect not to receive further fundraising communications, at no more than a minimal cost to the individual; the covered entity may provide a method for opting back in.

However, the Final Rule requires patient authorization for the sale of PHI. The Final Rule defines “sale of protected health information” as “a disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for protected health information.” “Remuneration” may include non-financial benefits, but does not include payments received in the form of grants or research studies “because any provision of the protected health information to the payer is a byproduct of the service being provided.” Other exceptions include disclosures for public health purposes; for treatment and payment purposes; and for due diligence for the sale, transfer, merger, or consolidation of all or part of the covered entity.

The Final Rule also prohibits health plans (except for issuers of long-term care policies) from using and disclosing genetic information for underwriting purposes, which includes determination of eligibility (including enrollment and continued eligibility) or benefits under the plan; the computation of premium or contribution amounts under the plan (including discounts, rebates, etc. for participating in a health risk assessment or a wellness program); and the application of any pre-existing condition exclusion under the plan.

Modifications to the HIPAA Security Rule

The HIPAA Security Rule, 45 CFR Part 160 and Subparts A and C of Part 164, protects electronic PHI and applies to covered entities. The Final Rule now requires all business associates to comply with the security standards set forth in the Security Rule. It also requires business associates to enter into contractual agreements with their subcontractors that have access to PHI, under which the subcontractor agrees to appropriately safeguard the PHI. Business associates that have not yet done so must quickly implement policies and procedures and enter into contractual relationships with their subcontractors in order to comply with the Final Rule. Significantly, the Final Rule states that covered entities and business associates will be in compliance with 45 CFR §§ 164.308(b), 164.314(a), 164.502(e), and 164.504(e) if business associate agreements are in place by January 25, 2013. Accordingly, covered entities should immediately review vendor and subcontractor relationships to determine whether compliant business associate agreements are in place, or need to be put in place, to meet the January 25, 2013, deadline.

Finally, the Final Rule does not make a single change to the accounting of disclosures rule as previously proposed, no doubt in response to the many comments by covered entities that the proposed changes would be unduly burdensome.


Modifications to the Enforcement Rule

The HIPAA Enforcement Rule, 45 CFR Part 160, Subparts C through E, establishes rules regarding enforcement processes, such as how the amount of the penalty for a violation is determined. The Final Rule clarifies that the HHS Secretary will investigate any complaint where a “preliminary review of the facts indicates a possible violation due to willful neglect,” will also conduct compliance reviews, and has discretion to investigate any other complaints. HHS will increase cooperation with other law enforcement agencies in order to refer cases involving possible criminal HIPAA violations.

The Final Rule increases the penalties for HIPAA violations and raises the limit on penalties in one calendar year to $1.5 million, with tiers based on the degree of knowledge:

• “Did not know”: $100–$50,000 per violation

• “Reasonable cause,” defined as “circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated”: $1,000–$50,000 per violation

• “Willful Neglect—Corrected”: $10,000–$50,000 per violation

• “Willful Neglect—Not Corrected”: $50,000 per violation

The factors for determining the amount of the civil penalty include:

• The nature of the claims and the circumstances under which they were presented,

• The degree of culpability,

• History of prior offenses,

• Financial condition of the person presenting the claims, and

• “Such other matters as justice may require.”

Modifications to the Breach Notification Rule

The Final Rule significantly modifies the definition of a “breach” of unsecured PHI, and clarifies covered entities’ and business associates’ obligations with respect to notifying an individual of a breach.

Previously, a “breach” was defined as:

[T]he acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the Privacy Rule] which compromises the security or privacy of the protected health information.


For purposes of this definition, “compromises the security or privacy of the protected health information” meant that the unauthorized use or disclosure posed a “significant risk of financial, reputational, or other harm to the individual [emphasis added].”1

Built into the definition was a requirement known as the “significant harm standard,” which required covered entities to determine whether the impermissible disclosure put the individual at a significant risk of harm. The “significant harm standard” was intended to ensure that consumers were not flooded with breach notifications for inconsequential events, which could potentially cause unnecessary anxiety and eventual apathy among consumers.

The Final Rule removes the “significant harm standard” from the definition and replaces it with the following language:

[A]n acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the Privacy Rule] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors [emphasis added]:

• The nature and extent of the protected health information involved, including the types of identifiers, and the likelihood of re-identification;

• The unauthorized person who used the protected health information or to whom the disclosure was made;

• Whether the protected health information was actually acquired or viewed; and

• The extent to which the risk to the protected health information has been mitigated.2

The Final Rule removed the “significant harm standard” due to its subjective nature, which, according to HHS, had the potential to lead to inconsistent interpretations and results. The four-factor risk assessment set forth in the Final Rule focuses more objectively on the risk that the PHI was compromised, rather than on the subjective harm to the individual. Breach notification policies will need to be revised to reflect the four factors and other considerations from the Final Rule.

The Final Rule also clarifies other aspects of the covered entity’s responsibilities with respect to a breach, including:

Encryption Safe Harbor: No breach notification is required if the PHI that is improperly disclosed is encrypted pursuant to “Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.”3

1 45 CFR 164.402

2 https://www.federalregister.gov/articles/2013/01/25/2013-01073/hipaa-privacy-security-enforcement-and-breach-notification-rules

60 Day Timeframe for Notifying Individuals: The Final Rule clarifies that the time period for breach notification begins when the incident is first known, not when the investigation of the incident is complete, even if it is initially unclear whether the incident constitutes a breach as defined in the rule.

Limited Data Set Exception Removed: Previously, a breach exception existed for an impermissible use or disclosure of PHI that qualified as a “limited data set” which excluded dates of birth and zip codes (both identifiers that may otherwise be included in a limited data set). This was a narrow exception based on the belief that it would be very difficult to re-identify a limited data set that excludes dates of birth and zip codes. The Final Rule removes this exception, and a Covered Entity or Business Associate must now perform a risk assessment following an impermissible use or disclosure of any limited data set.

Breaches Treated as Discovered: Commentary to the Final Rule states that when determining whether a covered entity acted with reasonable diligence with respect to the discovery of a breach, covered entities and business associates may wish to observe the standards of practice of other covered entities and/or business associates under similar circumstances.

Notification by Business Associate: Commentary to the Final Rule points out that the covered entity is ultimately responsible for providing individuals with notification of a breach, and the clock for notifying individuals of a breach begins upon knowledge of the incident, even if it is not yet clear whether the incident actually qualifies as a reportable breach.

For more information on the revisions to the breach notification requirements, click here.

Effective date of compliance

The official publication of the new Rule will be released January 25, 2013, and will go into effect on March 26, 2013, with September 23, 2013 as the compliance deadline. HHS estimates that these new regulations will cost covered entities and business associates between $114 million and $225.4 million during the first year of implementation, and approximately $14.5 million each year thereafter.


Compliance actions

Here are some suggested compliance actions in response to the Final Rule:

• Identify subcontractors and vendors who have access to PHI to determine whether a business associate agreement is in place or needs to be implemented by January 25, 2013;

• Review and revise the Notice of Privacy Practices as applicable and post it on your website;

• Review and implement Privacy and Security Policies for compliance;

• Review, revise, and implement a Breach Notification Compliance Program;

• Ensure compliance with the Genetic Information Nondiscrimination Act in conjunction with HIPAA; and

• Ensure compliance with marketing and fundraising requirements.

Nixon Peabody, LLP will be hosting a webinar on the Final Rule on February 5, 2013, at 2:00 p.m. (EST). You will receive a separate invitation to that event.

If you have any questions concerning compliance with the HIPAA Privacy and Security Rule in the final HIPAA Omnibus Rule, or need assistance with compliance, please contact:

• Linn Foster Freedman, Privacy & Data Protection Group Leader and Chair of the HIPAA Compliance Team, at lfreedman@nixonpeabody.com or (401) 454-1108

• Kathryn Sylvia at ksylvia@nixonpeabody.com or (401) 454-1029

• Lindsay Maleson at lmaleson@nixonpeabody.com or (516) 832-7627

• Brooke Lane at balane@nixonpeabody.com or (516) 832-7572
