The long-awaited final omnibus rule (now found at 78 Fed. Reg. 5566 (Jan. 25, 2013)) implements modifications to the HIPAA regulations promulgated by the Health Information Technology for Economic and Clinical Health Act (the HITECH Act) in 2009. The final rule becomes effective on March 26, 2013, and compliance with the final rule is required by September 23, 2013 -- unless a longer compliance period is otherwise indicated. What does that mean for HIPAA Covered Entities and Business Associates?
An in-depth summary of key modifications will be the subject of future e-alerts; however, the purpose of this e-alert is to provide a brief overview of key modifications to HIPAA made by the final rule and a list of suggested action items that HIPAA Covered Entities and Business Associates should take to comply with the final rule. This e-alert also discusses the changes to the Enforcement Rule, which sets forth the possible consequences a Covered Entity or Business Associate may face if they do not comply with the HIPAA regulations, as modified by the final rule.
I. Brief Overview of Key Modifications in the Final Rule
The final rule, among other things:
- Extended certain provisions of the HIPAA Privacy Rule, the HIPAA Security Rule and the Breach Notification Rule (collectively, the HIPAA Rules) to Business Associates such that a Business Associate must not only comply with such requirements but is also legally accountable to the United States Department of Health and Human Services (HHS) for its compliance therewith;
- Expanded the definition of “Business Associate” to include: (i) entities that maintain but do not access protected health information; and (ii) subcontractors of Business Associates;
- Revised the Breach Notification Rule such that an impermissible use or disclosure of protected health information is presumed to be a breach, unless the Covered Entity can prove otherwise using a four-factor objective standard (effectively replacing the current “reasonable likelihood of harm” standard found in the interim final rule);
- Modified the HIPAA Privacy Rule, including: (i) changing the definition of “marketing” related to communications subsidized by a third-party; (ii) placing restrictions on the sale of protected health information; (iii) changing the requirements related to research; (iv) placing restrictions on using protected health information for fundraising activities; (v) permitting the disclosure of child immunization information to schools; and (vi) expanding the permissible disclosures of a decedent’s protected health information;
- Modified certain provisions in the HIPAA Privacy Rule related to individuals’ rights, including: (i) requiring new statements to be in a Covered Entity’s Notice of Privacy Practices; (ii) providing an individual with access to an electronic copy of his or her protected health information; and (iii) requiring a Covered Entity (or Business Associate) to agree to a request for the restriction on the use or disclosure of protected health information to a health plan when an individual has paid for services related to the information out of pocket in full; and
- Implemented the tiered civil money penalties created by the HITECH Act for a violation of the HIPAA Rules and provided clarifications related to the penalties’ application and government enforcement actions.
II. Suggested Action Items for Compliance with the Final Rule
- Revisions to Notice of Privacy Practices
A Covered Entity should revise its Notice of Privacy Practices (NPP) to comply with the final rule. For example, the final rule requires certain statements to be contained in the NPP, including:
- A statement that (i) most uses and disclosures of psychotherapy notes (when the Covered Entity records or maintains psychotherapy notes); (ii) uses and disclosures of protected health information for marketing purposes; and (iii) disclosures that constitute a sale of protected health information require an individual’s authorization and will be made only in accordance with the individual’s authorization.
- If a Covered Entity intends to contact an individual to raise funds for the Covered Entity, a statement regarding the individual’s right to opt-out of receiving such fundraising communications. (Note: The NPP is not required to describe the mechanism for the opt-out process.)
- If the Covered Entity is a health plan that performs underwriting activities (other than for long term care policies), a statement that the health plan is prohibited from using or disclosing genetic information for underwriting purposes.
- A statement regarding the right of an individual to receive a notice following a breach of such individual’s unsecured protected health information. (Note: The statement in the NPP is not required to include a description of the Covered Entity’s risk assessment process or the definitions for “breach” or “unsecured protected health information.” Merely providing an individual with notice of his or her right to receive a notification of a breach is sufficient.)
- A statement regarding the right of an individual to restrict disclosures of protected health information to a health plan with respect to health care for which the individual has paid out of pocket in full.
The revised NPP should also include statements addressing any other modifications made to an individual’s rights under the final rule, e.g., the right to receive electronic copies of health information, or any changes made to how the Covered Entity uses or discloses the individual’s protected health information.
The final rule confirms that the inclusion of the statements in the NPP, as required by the final rule, and any other changes made to reflect the final rule are material in nature. Therefore, after revising its NPP, a Covered Entity will need to make its revised NPP available to its patients/members as described below:
- Health Plans: Under the final rule: (i) if the health plan posts the NPP on its website, the health plan must prominently post the material changes or the revised NPP on its website by the effective date of the material changes; and (ii) the health plan must provide the revised NPP, or information about the material changes and how to obtain a full copy of the revised NPP, in its next annual mailing to individuals covered by the plan. If a health plan does not maintain a website on which the revised NPP can be posted, the health plan is required to provide the revised NPP, or information about the material changes, to individuals covered by the plan within 60 days of the material revisions.
- Health Care Providers: In accordance with the HIPAA Privacy Rule, a health care provider must make the revised NPP available to individuals upon the individual’s request or after the revised NPP’s effective date. A health care provider is also required to have the revised NPP available and posted in a clear and prominent location at the care delivery site (if applicable). These requirements were not modified by the final rule.
Even if a Covered Entity updated its NPP after the passage of the HITECH Act or in response to the notice of proposed rulemaking which preceded the final rule, the Covered Entity’s NPP may still need to be revised because the final rule made additional changes to the NPP requirements. All NPPs should be individually reviewed and analyzed for compliance with the final rule requirements and the Covered Entity’s practices with respect to its uses and disclosures of PHI.
- Identify Business Associates and Review Business Associate Agreements for Compliance
A Covered Entity will need to review its arrangements with any third-party person or entity that creates, receives, maintains, or transmits protected health information on its behalf to determine if the person/entity meets the new definition of “Business Associate.” As noted above, the new definition includes: (i) entities that maintain but do not access protected health information; and (ii) subcontractors of Business Associates. The new definition will be described in greater detail in a future e-alert entitled “Changes Affecting Who is a Business Associate and New Business Associate Obligation,” which we will circulate on February 5, 2013 (Business Associate Alert).
Once a Covered Entity has identified all of its Business Associates, the Covered Entity should determine whether or not it has entered into a Business Associate Agreement (BAA) with those Business Associates.
To the extent a Covered Entity already has a BAA with a Business Associate, the existing BAA (as long as it complies with the “old” (i.e., pre-final rule) BAA requirements) is grandfathered for a period of one (1) year after the required compliance date (or until September 23, 2014). At that point, the BAA must be amended to comply with the final rule.
If the Covered Entity has not entered into a BAA with a Business Associate (or its current BAA does not comply with the “old” BAA requirements), then it must enter into a BAA that meets all of the requirements set forth in the final rule by September 23, 2013; however, delaying entering into a BAA with a Business Associate until that date is not advised. Provisions that must be contained in a BAA now include: (i) requiring the Business Associate to comply with certain provisions of the HIPAA Security Rule; (ii) requiring the Business Associate to enter into a written BAA with any of its subcontractors that may have access to protected health information; and (iii) requiring the Business Associate to notify the Covered Entity if there is a breach of unsecured protected health information. These provisions (and other provisions) will be described more fully in the Business Associate Alert.
- Review Relationships with Third Parties That Involve the Promotion of a Service or Product or Payment for Protected Health Information
The final rule modified the legal parameters surrounding “marketing” communications, particularly if the Covered Entity or its Business Associate receives financial remuneration for making the communication. The final rule also modified and/or placed restrictions on the “sale” of protected health information. These modifications will be fully described in the e-alert entitled “Changes to the Privacy Rule Related to Marketing, Fundraising, Research, and the Sale of Protected Health Information,” which we will circulate on February 12, 2013. As an example of these modifications, prior to the final rule, if a particular communication fit within the definition of a health care operation activity of a Covered Entity, remuneration was permitted; however, under the final rule, specific limitations and requirements are placed on this type of communication. Covered Entities need to review these types of relationships to ensure full compliance with the final rule.
- Revise HIPAA Policies and Procedures
Covered Entities should also review and revise their HIPAA policies and procedures (P&Ps) to comport with the final rule. Such revisions should address all modifications made by the final rule so that the P&Ps accurately reflect what is permitted, required and prohibited by the HIPAA Rules, as modified by the final rule. This is an important action item because a Covered Entity’s workforce members typically refer to the P&Ps rather than the text of statutes and regulations when determining whether or not a use or disclosure of protected health information is permissible or when granting an individual certain rights related to his or her protected health information.
Even if a Covered Entity updated its P&Ps in accordance with the HITECH Act, the proposed rule, and the interim final breach notification rule, the P&Ps will still need to be reviewed and most likely revised because of additional modifications contained in the final rule and changes which were made to the proposed rule and interim final rule in response to public comment.
- Training and Education
A Covered Entity should train and educate its workforce members on the modifications to the HIPAA Rules made by the final rule and any resulting changes which are made to the Covered Entity’s P&Ps.
- Business Associates
The final rule extended certain provisions of the HIPAA Privacy Rule, the HIPAA Security Rule and the Breach Notification Rule directly to Business Associates. This means that Business Associates are now bound by statute and regulation to protect the privacy and security of protected health information, whereas previously, such obligations were merely contractual in nature. A detailed discussion of the obligations of a Business Associate under the final rule will be included in the Business Associate Alert; however, preliminary steps a Business Associate should take as a result of the final rule include:
- Understand Privacy Obligations and Restrictions
Business Associates must understand their HIPAA Privacy Rule obligations pursuant to the final rule, including identifying their permissible uses and disclosures of protected health information and their obligations to the individuals who are the subject of the protected health information. This also includes understanding the Business Associate’s obligations and restrictions pursuant to its BAA. (Note: The final rule made clear that a Business Associate is not obligated to designate a privacy official, unless the Covered Entity has chosen to delegate such a responsibility to the Business Associate in its BAA, which would make it a contractual requirement. However, even if it is not a contractual requirement, we advise Business Associates to identify a member of their workforce to serve as a privacy contact for the Covered Entity and to oversee compliance with the HIPAA Rules that are applicable to Business Associates.)
- Ensure Compliance with Security Obligations
Business Associates must ensure that they are complying with all applicable requirements of the HIPAA Security Rule, including implementing all appropriate physical, technical, and administrative safeguards. These safeguards will be described in more detail in the Business Associate Alert.
- Implement Policies and Procedures
Business Associates must implement P&Ps that address the Business Associate’s obligations pursuant to the HIPAA Rules. Such P&Ps should include the Business Associate’s obligations related to breach notification.
- Training and Education
Similar to a Covered Entity, a Business Associate should train and educate its workforce members on their obligations pursuant to the HIPAA Rules, as modified by the final rule, as well as the resulting changes to the Business Associate’s P&Ps.
III. Consequences of Noncompliance Under the Modified Enforcement Rule
The potential consequences for not complying with the HIPAA Rules are severe. The HITECH Act increased the criminal and civil penalties for Covered Entities and Business Associates who violate the HIPAA Rules – particularly for noncompliance based on willful neglect.
The final rule implemented the following tiered penalties to reflect the level of the entity’s culpability:
[Table of tiered penalty amounts not reproduced in this version.]
The final rule clarified that HHS will not impose the maximum penalty amount in all cases but will instead determine the penalty based on (i) the nature and extent of the violation; (ii) the resulting harm (e.g., the number of individuals affected, reputational harm, etc.); (iii) the entity’s history of prior offenses or compliance; (iv) the financial condition of the entity; and (v) any other factor that justice may require be considered. HHS also retains the ability to waive a civil money penalty (CMP), in whole or in part, and to settle any issue or case or to compromise the amount of a CMP.
The final rule also included some much needed clarification regarding how HHS will count the number of violations and apply the tiered penalties (and the tiered penalty caps):
- Where multiple individuals are affected by an impermissible use or disclosure (such as in the case of a breach of unsecured protected health information) for purposes of levying penalties, the number of violations of the HIPAA Rules will be based on the number of individuals affected. For example, if a breach involves the protected health information of 1,000 individuals, the breach will be viewed as 1,000 violations of the same provision.
- When a violation is continuous over a period of time (for instance, if a Covered Entity has inadequate technical safeguards in place over a period of time) for purposes of levying penalties, the number of identical violations will be based on the number of days in which the entity did not have adequate safeguards in place. For example, if an entity’s technical safeguards are inadequate for 60 days, there will be 60 violations of the same provision.
- If an event involves violations of two provisions of the HIPAA Rules (e.g., there is an impermissible use or disclosure of protected health information and there are inadequate safeguards in place), HHS may calculate a separate CMP for each provision. This means that the annual penalty cap for such an event would be $3 million -- $1.5 million cap for the impermissible use or disclosure of protected health information plus the $1.5 million cap for inadequate safeguards.
Additional enforcement modifications made pursuant to the HITECH Act and implemented by the final rule include:
- HHS will investigate any complaint alleging a violation of the HIPAA Rules when a preliminary review of the facts indicates a possible violation due to “willful neglect.” Moreover, HHS is required to impose a penalty for any violation due to willful neglect. Identifying actions that are due to “reasonable cause” versus “willful neglect” is therefore a critical distinction. The final rule modified the definition of “reasonable cause” to mean “an act or omission in which a Covered Entity or Business Associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the Covered Entity or Business Associate did not act with willful neglect.”
- Increased CMP amounts may be levied if a violation due to willful neglect is not corrected within 30 days (i.e., $50,000 per violation, versus $10,000 to $50,000 per violation if the violation is corrected). Under the final rule, the 30-day cure period begins to run when the Covered Entity first had actual or constructive knowledge of a violation due to willful neglect based on evidence gathered during the Covered Entity’s investigation -- not when HHS notifies the Covered Entity of a complaint.
- Clarification of the federal common law theory of agency as it applies to CMPs imposed on Business Associates who are agents of Covered Entities. A principal Covered Entity is liable for the CMPs of its Business Associates who are its agents that violate the HIPAA Rules. Such “agency” relationships are identified on a fact-specific basis, but generally the following factors are considered: (i) the terms of the BAA; (ii) the right or authority of the Covered Entity to control the Business Associate’s conduct; (iii) the time, place, and purpose of the Business Associate’s conduct; (iv) whether the Business Associate’s conduct is commonly done by a Business Associate to accomplish the service performed on behalf of a Covered Entity; and (v) whether or not the Covered Entity reasonably expects that a Business Associate would engage in the conduct in question. (Note: Generally, a Business Associate would not be an agent of the Covered Entity if it enters into a BAA that sets forth terms and conditions that create contractual obligations between the parties such that the only avenue of Covered Entity control is through amendment to the agreement or to sue for breach of contract. A Business Associate would be considered an agent of the Covered Entity, however, if the Covered Entity contracts out or delegates one of its particular obligations under the HIPAA Rules to the Business Associate, such as the provision of the NPP to individuals.)
In conclusion, the final rule is here – and Covered Entities and Business Associates need to take the necessary steps to ensure compliance by September 23, 2013. It is not too early to get started reviewing internal forms and P&Ps and making the necessary changes to comport with the final rule. We are here to help.