On January 25, 2013, the U.S. Department of Health and Human Services (HHS) published omnibus final regulations modifying the HIPAA Privacy, Security, Breach Notification and Enforcement Rules. The modifications implement most of the privacy and security provisions of the HITECH Act and relevant provisions of the Genetic Information Nondiscrimination Act. While some of the rule changes are not surprising, others are very impactful and will markedly change the obligations imposed on covered entities, business associates and subcontractors. Some of the more significant provisions are described in summary below, and a comprehensive review of all the key changes is available at www.poynerspruill.com. Covered entities and business associates will find that a complete project plan is necessary to meet applicable deadlines, and that every day of the remaining six-month compliance window will be necessary to achieve timely compliance.
The compliance deadline for virtually every provision of these rules is September 23, 2013. A longer period is provided where updates to existing business associate and data use agreements are required; those agreements may not need to be updated until September 22, 2014 provided they are not modified or renewed prior to that date.
The current rule requires notice of a security breach if the breach poses a significant risk of harm to affected individuals. In the new rule, OCR eliminates that harm threshold and provides instead that any use or disclosure of protected health information (PHI) that is not permitted by the Privacy Rule will be presumed to be a reportable breach. Covered entities and business associates can defeat this presumption by conducting a risk analysis using factors articulated by HHS, but the agency has made clear its expectation that impermissible uses and disclosures of readily accessible PHI will likely be a reportable breach. This change will mean anincrease in the number of breaches reported.
Until the compliance date, the current breach notification rule with its “significant risk of harm” threshold is in effect. To prepare for compliance with the new rule, covered entities and business associates need to do the following:
- Create a risk analysis procedure to facilitate the types of analyses HHS now requires and prepare to apply it in virtually every situation where a use or disclosure of PHI violates the Privacy Rule.
- Revisit security incident response and breach notification procedures and modify them to adjust notification standards and the need to conduct the risk analysis.
- Revisit contracts with business associates and subcontractors to ensure that they are reporting appropriate incidents (the definition of a “breach” has now changed and may no longer be correct in your contracts, among other things).
- If you have not already, consider strong breach mitigation, cost coverage, and indemnification provisions in those contracts.
- Revisit your data security and breach insurance policies to evaluate coverage, or lack thereof, if applicable.
- Consider strengthening and reissuing training. With every Privacy Rule violation now a potentially reportable breach, it’s more important han ever to avoid mistakes by your workforce. And if they appen anyway, during a subsequent compliance review, it will be important to be able to show that your staff was appropriately trained.
- Update your policies The rules require it, and it will improve your compliance posture if HHS does conduct a review following a reported breach.
Much of the Privacy Rule and all of the Security Rule now apply directly to business associates and their subcontractors. Business associate agreements are likely to require updates and, in light of breach requirements and increasing compliance reviews, covered entities should enhance their efforts to review business associate compliance and consider appropriate liability protections in their business associate agreements. It is increasingly common to find covered entities subjecting their business associates to more thorough, pre-engagement assessments, often based on a questionnaire, and both covered entities and business associates can expect business associate contracting to be more strategic and potentially adversarial due to the higher enforcement penalties and compliance risks.
The final rules address multiple privacy issues related to uses and disclosures of PHI, such as communications for marketing or fundraising, exchanging PHI for remuneration, disclosures of PHI to persons involved in a patient’s care or payment for care, and disclosures of student immunization records. In addition, individuals have new rights to restrict certain disclosures of PHI to health plans and to request access to electronic PHI (ePHI). Notices of privacy practices, research authorizations, internal policies, and training programs very likely all require updates to address the rule modifications. The modifications also will necessitate revisions to training. Since modifications to training and notices of privacy practices cannot be completed prior to policy modifications, and because implementation and execution of new training and new notices is inherently time consuming, covered entities and business associates are finding value in developing a complete project plan that accommodates interdependent tasks and includes internal deadlines.
Business associates and subcontractors now must comply with the Security Rule in full. Given the complexities of achieving Security Rule compliance, business associates and subcontractors should begin efforts now to meet the September 23 compliance deadline. Key among these concerns is completion of a comprehensive risk analysis and risk mitigation plan. A multidisciplinary team is often necessary to this process and because many other security decisions will be made based on the results of the analysis, it should be step one in a multi-part security compliance plan.
To implement the Genetic Information Nondiscrimination Act, HHS has included “genetic information” as a type of health information subject to HIPAA rules, and has imposed restrictions that will prohibit health plans from using genetic information for underwriting purposes. The revisions will affect policies, training and notices of privacy practices and, while a relatively small feature of the new rule, should be included in a compliance project plan.
Enforcement and Penalties
HHS has retained the high penalty structure currently in effect, meaning that penalties can range from $100 to $50,000 per violation depending on culpability, up to an annual maximum cap of $1.5 million on a per provision basis. Business associates and subcontractors are directly liable for their violations, but covered entities also can be penalized for their violations. HHS is now required to conduct compliance reviews if willful negligence is indicated following a preliminary review of the facts.
As with most regulations, the details matter, so we have provided a more comprehensive summary on our website of all the substantive requirements and described in brief how they will impact the regulated community from a practical standpoint. HHS retains discretion to review all other complaints, security breaches and events that suggest noncompliance.