On January 25, 2013, the Department of Health and Human Services (HHS) published its much-anticipated final omnibus rule, which modifies several parts of the privacy, security and enforcement rules promulgated under the Health Insurance Portability and Accountability Act (HIPAA). The final rule implements changes under the Health Information Technology for Economic and Clinical Health Act (HITECH), modifies the previously released Interim Final Rule on Breach Notification for Unsecured Protected Health Information and implements elements of the Genetic Information Nondiscrimination Act of 2008 (GINA). The final rule is effective March 26, 2013, but the compliance date for most aspects of the final rule is September 23, 2013.
This bulletin is the first in a series of publications that will address certain aspects of the final rule of particular importance to our clients. Below are highlights of the material changes to HIPAA under the final rule that will most significantly affect our clients, whether they are deemed “covered entities” or “business associates” under HIPAA.
New Obligations and Direct Liability for Business Associates
Business associates must comply with many aspects of the HIPAA privacy and security rules, and may be subject to civil monetary penalties for violations of HIPAA. Historically, business associates were expected to comply with the terms of their business associate agreements (BAAs), but were not subject directly to HIPAA or any of the accompanying regulations.
Obligations and Liabilities of Business Associates Applied to Subcontractors
Subcontractors of business associates will be considered business associates and must comply with HIPAA as described above. Furthermore, BAAs between business associates and their subcontractors must comply with the same standards as BAAs between business associates and covered entities.
Language to Be Added to Notice of Privacy Practices
The notice of privacy practices (NPP) must now include a description of the types of uses and disclosures that require written authorization. Covered entities may be required to update their NPPs in other ways and to redistribute the revised NPPs, depending on the type of covered entity and its current practices.
Liability for Acts of Agents
The final rule eliminated the safe harbor that previously protected covered entities from liability for acts of business associates when proper precautions were in place. Covered entities and business associates may now be held liable for the acts of their agents, including business associates and subcontractors of business associates.
Revised Definition of “Breach” and Effect on Breach Notification
The final rule revised the definition of “breach” such that any impermissible use or disclosure of protected health information (PHI) is presumed to be a breach unless the responsible covered entity or business associate can demonstrate that there is a low probability that the PHI has been compromised. To determine the probability that the PHI has been compromised and whether breach notification is required, the covered entity or business associate, as applicable, must conduct a risk assessment that considers, at a minimum, each of the following four factors:
- the nature and extent of the PHI involved;
- the unauthorized person who used the PHI or to whom the disclosure was made;
- whether the PHI was actually acquired or viewed; and
- the extent to which the risk to the PHI has been mitigated.
Most notably, the four-factor risk assessment replaces the previous “harm” standard, which required analysis of the risk of financial, reputational or other harm to an individual. As a result, breach notification now may be required in a broader number of circumstances unless the covered entity or business associate determines, based on its risk assessment, that a particular impermissible use or disclosure of unsecured PHI was not a breach.
New Authorizations Required for Marketing Activities and Sales of PHI
Covered entities are now obligated to obtain separate written authorizations from individuals before using PHI for marketing if a third party whose products or services are marketed provides remuneration to the covered entity, unless a specified exception applies. Authorizations are also required for the “sale of protected health information” as defined in the final rule.
Prohibition on Use of Genetic Information for Underwriting
The final rule prohibits health plans from using genetic information for underwriting purposes and requires each health plan’s NPP to contain an acknowledgment of such prohibition.
Enhanced Enforcement and Civil Monetary Penalties
In lieu of the HHS Secretary’s historical discretion to investigate a complaint or perform a compliance review, mandatory investigations or compliance reviews will be launched where a preliminary review of the facts indicates the alleged violation occurred due to willful neglect. Civil monetary penalty amounts and annual limits on penalties for identical violations will be imposed depending on the covered entity’s or business associate’s culpability and knowledge. Affirmative defenses to the imposition of civil monetary penalties have been restricted. However, correction of the violation within 30 days can either ease or eliminate the imposition of civil monetary penalties, depending on the circumstances of the violation.
Action Items to Consider
- Update Policies and Procedures to Reflect the Final Rule Changes
- Update Subcontractor Business Associate Agreements as Necessary
- Create or Update Risk Assessment Procedures for Determining Necessity of Breach Notifications
- Identify Marketing Plans or Agreements That May Require Authorization
- Update and Redistribute Notice of Privacy Practices