On January 17, 2013, the U.S. Department of Health and Human Services (HHS) issued a 563-page final omnibus rule composed of four final rules, the purpose of which is to strengthen the privacy and security protections for health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).1 HHS combined the final rules into one omnibus rule to reduce the impact and number of times compliance activities need to be undertaken by regulated entities.
In a press release announcing the new rules, HHS stated, "This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented," and explained that the changes set forth in the final rule greatly enhance a patient's privacy rights, provide individuals new rights to their health information and strengthen the government's ability to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health care provider or one of their business associates.
Some of the most significant changes applicable to health care providers include:
- Making business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules' requirements.
- Creating a presumption that all breaches are reportable unless the covered entity or business associate, through performance of a risk assessment, determines there is a "low probability" that protected health information (PHI) has been compromised, a standard that likely will result in an increase in the number of reportable breaches.
- Increasing the amount of civil money penalties for violations of the HIPAA rules based on the level of negligence, with a maximum penalty of $1.5 million per violation per year.
- Strengthening the limitations on the use and disclosure of PHI for marketing and fundraising purposes, and prohibiting the sale of PHI without individual authorization.
- Expanding individuals' rights to receive electronic copies of their health information and restricting disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
- Requiring modifications to a covered entity's notice of privacy practices.
- Modifying the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools.
- Enabling access to decedent information by family members and others.
The rule becomes effective on March 26, 2013, with compliance required by September 23, 2013.
The final rule is extensive and covers many different aspects of the HIPAA rules. The following provides a summary of various sections of the final rule that apply to health care providers.
The rule makes significant changes to business associate relationships and liability. Under the final rule, a business associate is an entity that creates, receives, maintains or transmits PHI on behalf of a covered entity. The final rules expressly include the following persons and organizations as business associates:
- Entities that maintain PHI on behalf of a covered entity, such as physical storage facilities or companies that store electronic PHI, even if they do not access or view the PHI.
- Health information organizations or other persons that provide data transmission services with respect to PHI to a covered entity and that require routine access to such information. E-prescribing gateways and personal health record vendors that provide services to covered entities are business associates.
- Subcontractors of business associates. Under the final rule, business associate liability flows to all subcontractors to which a business associate delegates a function, activity or service the business associate has agreed to perform for a covered entity, and the function, activity or service involves the creation, receipt, maintenance or transmission of PHI.
For example, if a business associate, such as a billing company, hires a company to handle document and media shredding to securely dispose of paper and electronic PHI, the shredding company would be directly required to comply with the applicable requirements of the HIPAA Security Rule (e.g., with respect to proper disposal of electronic media) and the Privacy Rule (e.g., with respect to limiting its uses and disclosures of PHI in accordance with its contract with the business associate) and would be subject to criminal and civil liabilities for violations of the HIPAA rules.
In this case, there must be a written agreement in place between the business associate and subcontractor that contains the elements required to be included in a business associate agreement, and which describes the subcontractor's permitted uses and disclosures of PHI. The covered entity is not required to enter into a contract or arrangement with a business associate that is a subcontractor, but the business associate that contracts with the subcontractor must obtain satisfactory assurances from the subcontractor that it will safeguard the information, and that it will notify the business associate of any breach of the confidentiality of the information.
Business associates and their subcontractors that meet the definition of business associates are directly liable for violations of the Security Rule (including the technical, administrative and physical safeguard requirements), for uses and disclosures of PHI in violation of the Privacy Rule and their business associate agreements, and for violations of the breach notification rules. Criminal and civil liabilities attach to violations of these rules.
In addition, business associates have the following responsibilities:
- Keep records and submit compliance reports to HHS, when HHS requires such disclosure to investigate the business associate's compliance with HIPAA and to cooperate with complaint investigations and compliance reviews.
- Disclose PHI as needed by a covered entity to respond to an individual's request for an electronic copy of his/her PHI.
- Notify the covered entity of a breach of unsecured PHI.
- Make reasonable efforts to limit use and disclosure of and requests for PHI to the minimum necessary.
- Provide an accounting of disclosures.
- Enter into agreements with subcontractors that comply with the Privacy and Security Rules.
If covered entities and business associates have business associate agreements currently in effect, the existing agreements are grandfathered until the earlier of the date the contract is renewed or modified on or after September 23, 2013, or September 22, 2014.
Breach Notification Rule
In the final rule, HHS adds language to the definition of "breach" to clarify that an acquisition, access, use or disclosure of unsecured PHI in a manner not permitted under the Privacy Rules is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification (i.e., whether the information was sensitive information such as financial information or clinical information).
- The unauthorized person who used the PHI or to whom the disclosure was made (i.e., another covered entity that is obligated to protect the privacy and security of the information or someone who is not).
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk to the PHI has been mitigated (i.e., obtaining satisfactory assurances from the recipient that the information will not be further used or disclosed).
Covered entities and business associates must then evaluate the overall probability the PHI has been compromised by considering all the factors in combination. If an evaluation of the factors fails to demonstrate there is a low probability the PHI has been compromised, breach notification is required.
In contrast to the final rule, under the interim rules currently in effect, covered entities are required to notify individuals their PHI has been breached only if they determine through a risk assessment there is a significant risk individuals could suffer financial, reputational or other harm (the so-called "risk of significant harm" standard). In the final rule, HHS clarified its position that breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates there is a low probability the PHI has been compromised, or one of the other exceptions to the definition of breach applies. This likely will result in a greater number of breach notifications.
Covered entities and business associates should review their policies to ensure they consider all the required factors when evaluating the risk of an impermissible use or disclosure. HHS indicated it will issue additional guidance in the future to aid covered entities and business associates in performing risk assessments with respect to frequently occurring scenarios.
If, based on a risk assessment, a determination is made that there is a notifiable breach, covered entities must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. The notice must contain certain elements and be given in the manner set forth in the final rule.
For a breach of unsecured PHI involving more than 500 residents of a state or jurisdiction, a covered entity must notify prominent media outlets serving the state or jurisdiction. In addition, regardless of the size of the breach, covered entities must notify HHS. For large breaches impacting 500 or more individuals, a covered entity must notify HHS at the same time it notifies affected individuals by submitting a report that will be posted to the HHS website. For breaches involving fewer than 500 individuals, an entity must submit the report to HHS within 60 days after the end of the calendar year in which the breach was discovered.
If a breach occurs while the PHI is in the possession of a business associate, the business associate must notify the covered entity following discovery of the breach. In turn, the covered entity typically will notify the affected individuals, HHS and the media, although it is permissible for a covered entity to have its business associate provide the requisite notice. In its comments, however, HHS reaffirmed that a covered entity ultimately maintains the obligation to notify affected individuals of a breach, even if the breach occurred under the business associate and even if the responsibility to notify has been delegated to a business associate.
A person who believes a covered entity or business associate is not complying with the HIPAA rules may file a complaint with the Secretary of HHS (Secretary). Under the final rule, the Secretary will investigate any complaint when a preliminary review of the facts indicates a possible violation due to willful neglect, and may investigate any other complaint. An investigation by the Secretary may include a review of the pertinent policies, procedures or practices of the covered entity or business associate. In addition, the Secretary will conduct reviews to determine whether a covered entity or business associate is complying with the rules when a preliminary review of the facts indicates a possible violation due to willful neglect, and may conduct a compliance review in any other circumstance.
Covered entities and business associates must keep records and submit compliance reports to the Secretary to ascertain whether the covered entity or business associate has complied with the rules, cooperate in any investigations and compliance reviews by the Secretary, and permit the Secretary access to information.
Civil Money Penalties
The Secretary will impose a civil money penalty upon a covered entity or business associate if the Secretary determines the covered entity or business associate has violated a HIPAA rule. In accordance with the federal common law of agency, a covered entity is liable for a civil money penalty for a violation based on the act or omission of any agent of the covered entity, including a workforce member or business associate, acting within the scope of agency.2 Under the same law, a business associate is liable for a civil money penalty for a violation based on the act or omission of any agent of the business associate, including a workforce member or subcontractor, acting within the scope of agency. HHS removed the covered entity defense, which applied when the covered entity had a compliant business associate arrangement in place, did not know of a pattern of activity or practice by the business associate that was noncompliant with the HIPAA rules and failed to act to terminate the relationship.
For violations occurring on or after February 18, 2009, the HITECH Act created four tiers of violations, with penalties increasing for violations based on increasing levels of culpability associated with each tier (i.e., covered entity did not know of the violation, violation was due to reasonable cause and not to willful neglect, violation was due to willful neglect but was corrected within 30 days, and violation was due to willful neglect but was not corrected within 30 days). The penalties range between $100 and $50,000 per violation depending on the applicable tier of culpability. In determining the amount of a civil money penalty, the Secretary must consider several factors including the nature of the violation (i.e., the number of individuals affected and the time period during which the violation occurred), the nature and extent of the harm resulting from the violation (i.e., physical or financial harm, harm to an individual's reputation or hindering an individual's ability to obtain health care), history of prior HIPAA compliance and financial condition of the covered entity or business associate.
HHS eliminated the affirmative defense to avoid a penalty, which applied when the covered entity or business associate did not know and with the exercise of reasonable diligence would not have known of the violation (as such violations are now punishable under the lowest tier of penalties). At the same time, the final rule prohibits the imposition of civil money penalties for HIPAA violations that are corrected within 30 days, unless the violations are due to willful neglect.
A covered entity must obtain patient authorizations prior to sending treatment and health care operations communications on behalf of a third party marketing products or services when the covered entity receives financial remuneration for sending the communications. However, covered entities still may receive financial remuneration for providing refill reminders or sending out other communications about current patient prescriptions. The financial remuneration received by the covered entity must be reasonably related to its costs associated with making the communication.
Sale of PHI
With certain exceptions, covered entities and business associates may not disclose PHI if the covered entity or business associate directly or indirectly receives remuneration (financial or nonfinancial) from the recipient of the PHI in exchange for the PHI, unless a patient authorization is obtained. The authorization must state that the disclosure will result in remuneration to the covered entity. The rule applies to disclosures in exchange for remuneration including those that are the result of access, license or lease agreements.
The final rule modifies the definition of PHI to provide that the Privacy and Security Rules do not protect the individually identifiable health information of persons who have been deceased for more than 50 years. HHS stated that a period of 50 years balances the privacy interests of living relatives or other affected individuals having a relationship with the decedent with the difficulty of obtaining authorizations from personal representatives as time passes.
Disclosing Decedent PHI to Family Members and Others Involved in Care
Covered entities may disclose a decedent's PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the decedent that is known to the covered entity. This will allow family members and others to find out about the circumstances surrounding the deaths of their loved ones, unless the individual prior to his or her death objected to such communication. These disclosures are permitted but not required; a covered entity that questions the relationship of the person to the decedent or otherwise believes disclosure of the decedent's PHI would not be appropriate is not required to make the disclosure.
Disclosures of Student Immunizations to Schools
Covered entities may disclose proof of immunization to a school where state or other law requires the school to have such information prior to admitting the student. While written authorization is not required to permit this disclosure, covered entities still will be required to obtain agreement, which may be oral, from a parent, guardian or other person acting in loco parentis for the individual, or from the individual himself or herself if the individual is an adult or emancipated minor. Covered entities must document the agreement obtained. The final rule does not prescribe the nature of the documentation and does not require signature by a parent, allowing covered entities the flexibility to determine what is appropriate for their purposes. The documentation must only make clear that agreement was obtained (i.e., a notation in the medical record). An agreement to permit the disclosure of immunization records is considered effective until revoked.
A covered entity may use or disclose to a business associate or an institutionally related foundation the following PHI for the purpose of raising funds for its own benefit without authorization:
- Demographic information relating to an individual, including name, address, other contact information, age, gender and date of birth
- Dates of health care provided to an individual
- Department of service information
- Treating physician
- Outcome information
- Health insurance status
The covered entity may not use or disclose PHI as described above unless it includes a statement in its notice of privacy practices that the individual has a right to opt out of fundraising communications. With each fundraising communication made to an individual, the covered entity must provide a clear and conspicuous opportunity to opt out of any further fundraising communications. The method for an individual to opt out of further fundraising communications may not cause the individual to incur an undue burden or more than a nominal cost. A covered entity may not condition treatment or payment on the individual's choice with respect to the receipt of fundraising communications. A covered entity may not make fundraising communications to an individual who has opted out of such communications, but may provide an individual who has opted out with a method to opt back in to receive such communications.
Individual Right to Request Restriction of Disclosure
Normally, covered entities do not have to agree if an individual requests restrictions related to a use or disclosure of his or her PHI that is otherwise allowed under HIPAA. However, HITECH created an exception for certain health care services for which the patient pays out of pocket in full. Under the final rule, a covered entity must agree to an individual's request to restrict disclosure of PHI about the individual to a health plan if the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law, and the PHI pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the covered entity in full.
Individual Right to Access Electronic PHI
Upon request, a covered entity must provide an individual with access to his or her PHI in electronic form, if it is readily producible in such form; or, if not, in a readable electronic form as agreed to by the covered entity and the individual. The covered entity may charge a reasonable, cost-based fee to cover the cost of supplies for creating electronic media if the individual requests the electronic copy be provided on portable media.
If an individual's request for access to PHI directs the covered entity to transmit the copy of PHI directly to another person designated by the individual, the covered entity must provide the copy to the person designated. The request must be in writing, signed by the individual and clearly identify the designated person and where to send the copy of PHI.
Timeliness for Individual Access to PHI
Under the final rule, covered entities have 30 days in all cases to provide individuals with access to their PHI with a one-time extension of 30 days if the covered entity is unable to take action within the initial 30-day period. The final rule eliminates a covered entity's ability to provide access to PHI that is not maintained or accessible to the covered entity on-site within 60 days of receipt of a request (with the ability to request a 30-day extension).
Changes to Notice of Privacy Practices
A covered entity must revise its notice of privacy practices to make several changes required by the final rule, including:
- Adding a statement indicating that most uses and disclosures of psychotherapy notes (where appropriate), uses and disclosures of PHI for marketing purposes and disclosures that constitute a sale of PHI require authorization, as well as a statement that other uses and disclosures not described in the notice of privacy practices will be made only with authorization from the individual.
- If the covered entity intends to engage in fundraising communications, adding a statement that the covered entity may contact the individual to raise funds for the covered entity and the individual has a right to opt out of receiving such communications.
- Adding a statement that the covered entity is required to agree to a requested restriction on disclosure of PHI about the individual to a health plan if the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law, and the PHI pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the covered entity in full (i.e., out of pocket).
- Adding a statement that the covered entity is required to notify affected individuals following a breach of unsecured PHI.
HHS clarified that while the final rule requires updates to the notice of privacy practices, a provider is not required to prepare and redistribute paper notices. Rather, it must conspicuously post the revised notice and have copies available upon request at the delivery site.
Updating a HIPAA Compliance Program
- Covered entities must revise and post new notices of privacy practices that contain additional required elements under the final rule.
- Covered entities must revise their business associate agreements to reflect changes in the final rule. If covered entities and business associates have business associate agreements currently in effect, the existing agreements are grandfathered until the earlier of the date the contract is renewed or modified on or after September 23, 2013, or September 22, 2014.
- Business associates must revise their contracts with subcontractors that fit the definition of "business associates" to include the elements required in business associate agreements.
- Business associates must ensure they have a HIPAA compliance program in place that will ensure they can comply with the requirements of the Privacy Rule, Security Rule and Breach Notification Rule.
- Covered entities and business associates must revise their policies and procedures regarding risk assessments relating to breaches of unsecured PHI to include the factors required under the final rule.