Earlier this year, the HIPAA privacy and security regulations were revamped and consolidated into an “Omnibus Rule.” Under this rule, employers must:
  • Revise and electronically post notices of privacy practices by September 23, 2013;
  • Distribute notices of privacy practices by November 22, 2013;
  • Revise HIPAA policies and procedures to incorporate new standards for breach notifications, restrictions on the use of genetic information, restrictions on the use of protected health information for marketing purposes and other changes by September 23, 2013;
  • Incorporate required provisions into new business associate contracts entered into on and after September 23, 2013; and
  • Amend existing business associate contracts by September 23, 2014 (provided that they were in existence before January 25, 2013 and were not renewed or modified from March 26, 2013 until September 23, 2013).
Before you run off and start executing these items, you should understand that there are other important changes, which are discussed below. While they may not mandate specific actions, they do greatly increase your plans’ enforcement risk.
Vicarious Liability for Business Associates’ Violations
Under the Omnibus Rule, a plan can be held liable for civil money penalties for HIPAA violations based on the acts or omissions of its business associates. A business associate merely has to be acting within the scope of its agency for the plan. In this regard, a plan’s right to control the business associate’s conduct is the essential factor in determining whether an agency relationship exists.
While the agency theory of liability existed in prior regulations, the rule has been broadened in that it now explicitly refers to business associates. When amending business associate contracts as described below, plan administrators should consider whether to seek additional assurances and protections. Because plans may be held liable for the acts of their business associates, indemnification provisions should be carefully reviewed. Also, business associate contracts can be revised to minimize the risk that the business associates will be found to be plans’ agents. For example, contracts that go into great detail about the types of security measures that business associates will put in place may appeal to employers, but this type of detail may support a finding that a business associate is acting as an agent of a plan.
Breach Notices Will Be Required More Frequently
In the event of a breach of unsecured protected health information, plans must notify affected individuals, the Department of Health and Human Services (HHS) and, in some cases, even the media. Previously, notice was required only if there was a “significant risk of financial, reputational, or other harm” to the affected individuals. Now an impermissible use or disclosure is presumed to be a breach unless the plan can demonstrate, through a risk assessment that takes the enumerated factors into account (the nature and extent of the information involved, the unauthorized person who used or received it, whether the information was actually acquired or viewed, and the extent to which the risk has been mitigated), that there is a low probability that the protected health information has been compromised.
This revised standard will result in significantly more breach notices being given to affected individuals, HHS and the media. As a practical matter, it will be difficult or impossible for plans to demonstrate a low probability that protected health information has been compromised if an improper disclosure is made (or was potentially made) to a broad group of people. Unless plans can identify the entire universe of individuals who may have had access to improperly disclosed information and get comfortable that each such individual did not redisclose and destroyed any vestiges of that information in a manner that prevents further disclosures, it will be an uphill battle to overcome the presumption of harm.
Enforcement - Less Kind and Gentle
You could easily miss what may be the most important change in the regulations. In the enforcement provisions, the word “will” has been changed to “may.” As a result, if an investigation or audit indicates noncompliance with the regulations, HHS is no longer required to attempt to resolve the matter through informal means.
For more than a decade, HHS compliance enforcement has been based upon principles of self-correction and the use of negotiated corrective action plans. Now HHS agents and investigators can take a rigid adversarial posture and proceed straight to the imposition of civil money penalties. Consequently, it is more important than ever for plans to have comprehensive policies and procedures and workforce training regimens so that privacy and security-related issues do not arise in the first place. If they do arise, plan administrators should make every effort to resolve them before complaints are filed with HHS. If that is not possible, plan administrators should try to stay on the good side of HHS investigators and auditors.
For a violation resulting from willful neglect, penalties are capped at $50,000 per violation and at $1.5 million for all identical violations during a calendar year. However, plans should not take much solace in these limits. In the preamble to the Omnibus Rule, HHS has expansively interpreted the term “violation,” so that, for example, each day that a required safeguard is missing can be counted as a separate violation.
Genetic Information
The Omnibus Rule broadly defines the term “genetic information” (consistent with the Genetic Information Nondiscrimination Act of 2008 (GINA)) and incorporates it into the definition of “protected health information.” This change will require modifications to policies and procedures. In addition, this change raises the stakes if plans offer incentives such as reduced premiums in exchange for the provision of genetic information (e.g., family medical history) in health risk assessments. That practice was already circumscribed by GINA; now it can also result in imposition of the HIPAA civil money penalties described above.
Notices of Privacy Practices
Under the Omnibus Rule, among other things, notices of privacy practices must expressly state that plans cannot use genetic information for underwriting purposes and that participants are entitled to notices if there is a breach of their unsecured protected health information. Because these new disclosures are material changes, the notices must be posted on any benefits-related websites and distributed to plan participants.
Business Associate Contracts
Business associate contracts must expressly provide that business associates will: (1) comply, where applicable, with the security regulations with respect to electronic protected health information; (2) report to the plan any breaches of unsecured protected health information; (3) ensure that their subcontractors agree to the same restrictions and conditions that apply to them with respect to protected health information; and (4) if they will carry out a plan’s obligations under the HIPAA regulations, comply with those regulations as if they were the covered entity.
Access to Electronic Protected Health Information
Under the Omnibus Rule, plans must allow individuals to access electronic protected health information (E-PHI) in electronic form. Previously, plans were only required to provide electronic access to E-PHI if it was part of an electronic health record. That prior rule had little practical impact on group health plans because they rarely maintain electronic health records; the new rule applies regardless.
Miscellaneous Changes
Many other changes are not principally directed toward group health plans. For example, the changes further tighten the marketing, research and fundraising rules and generally prohibit the sale of protected health information. Also, the definition of “protected health information” now excludes individually identifiable health information about individuals who have been dead for more than 50 years.