On January 25, 2013, the US Department of Health and Human Services issued a comprehensive set of regulations under the Health Insurance Portability and Accountability Act (HIPAA), commonly known as the Omnibus Rule, which updates and modifies existing regulations under HIPAA and incorporates various changes made by the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Genetic Information Nondiscrimination Act (GINA). The Omnibus Rule makes some important changes that will require prompt action by most employers to ensure their group health plans that are covered entities under HIPAA remain compliant. (For purposes of this e-alert, the term "covered entity" refers only to a group health plan that is a covered entity under HIPAA.)

Covered entities and business associates must be in compliance with the Omnibus Rule no later than September 23, 2013. (Note the transition rule for business associate agreements, addressed later in this notice.)

What's Changed?

The Omnibus Rule contains a variety of changes to the predecessor HIPAA regulations, some significant and some more subtle. Some of the key changes include:

  • Modification of the required content of notices of privacy practices, including the addition of information regarding participants' right to be notified of breaches of their protected health information, and regarding marketing or sale of protected health information, if applicable.
  • Changes to the timing of distribution of a revised notice of privacy practices for covered entities that post their notices on their websites. Under the Omnibus Rule, if there is a material change to a notice, a covered entity is required to prominently post the change or the revised notice on its websites by the effective date of the revision and to distribute the revised notice in its next annual mailing to participants. (Covered entities that do not post their notices on their websites continue to be subject to the requirement that the revised notice be distributed to participants within 60 days of the effective date of the revision.)
  • Expansion of participant rights with respect to access to protected health information held electronically. Under the Omnibus Rule, participants may request an electronic copy of such information and the covered entity generally must provide it in the requested electronic form.
  • Prohibiting the use of protected health information that is genetic information for underwriting purposes.
  • Modification of the definition of "breach" for purposes of HITECH's breach reporting requirements. Prior to the Omnibus Rule, a "breach" meant an access or disclosure of protected health information that poses a significant risk of financial, reputational or other harm to the individual. The Omnibus Rule modified this to provide that an access or disclosure is presumed to be a breach unless the covered entity demonstrates there is a low probability that the protected health information has been compromised, based on a risk assessment of factors including:
  • The nature and extent of the protected health information involved
  • The unauthorized person to whom the disclosure was made
  • Whether the protected health information was actually acquired or viewed
  • The extent to which the risk has been mitigated
  • Implementing certain limitations with respect to the sale or marketing of protected health information. While this generally is not an issue for covered entities that are group health plans, it must be considered.
  • Expansion of the legal exposure of business associates, by making many privacy and security rules directly applicable to business associates and narrowing exceptions to the definition of "business associate." The Omnibus Rule also requires that business associates enter into business associate agreements with their subcontractors.

What Should Employers Do?

In light of the impending September 23 compliance date for the Omnibus Rule, employers with group health plans that are covered entities should immediately:

  • Update their notices of privacy practices. While extensive revisions likely are not required, some modifications will be necessary. Covered entities that post their notices on their websites must post the revised notice by September 23, 2013, and include it in the next mailing to participants. Covered entities that do not post their notices on their websites must distribute the notice by November 23, 2013.
  • Review and update business associate agreements as necessary. The Omnibus Rule provides a transition period for certain existing agreements. With respect to business associate agreements entered into before January 25, 2013, and not renewed or modified between March 23, 2013, and September 23, 2013, the Omnibus Rule provides that such agreements are not required to be in compliance with the Omnibus Rule until the earlier of a) the next renewal date after September 23, 2013, or b) September 23, 2014. Despite this extension, there may be legal and contractual reasons to update business associate agreements earlier.
  • Review and update HIPAA policies and procedures to integrate the new changes. For instance, HIPAA manuals should include procedures relating to breach reporting and access to electronic protected health information.
  • Review and revise HIPAA training materials. HIPAA requires employees to be trained within a reasonable period of time after a material change in the policies and procedures which may impact their functions.  

Why is this Important?

Compliance with the Omnibus Rule is vital given the increase in penalties imposed by HITECH. Civil penalties were increased from $100 per violation (up to $25,000 per identical violation per calendar year) to the following tiered structure:

  • If the covered entity did not know of the violation (and if, by exercising reasonable diligence, would not have known of the violation): $100 – $50,000 per violation.
  • If the violation was due to reasonable cause and not to willful neglect: $1,000 – $50,000 per violation.
  • If the violation was due to willful neglect and is corrected within 30 days of the date the covered entity should have known of the violation: $10,000 – $50,000 per violation.
  • If the violation was due to willful neglect and is not corrected within 30 days of the date the covered entity should have known of the violation: at least $50,000 per violation.

The penalty for all identical violations during any calendar year may not exceed $1,500,000.