On January 25, 2013, the Department of Health and Human Services (“HHS”) published in the Federal Register the highly anticipated Omnibus Rule, which strengthens and amends existing regulations in the HIPAA Privacy and Security Rules. The rule will significantly affect health technology companies, including telehealth companies, data centers, and personal health record vendors, with an estimated total cost of compliance of $114 million to $225.4 million. The rule will be effective on March 26, 2013, but affected parties have until September 26, 2013 to comply with most provisions.
As we have discussed on this blog, technology companies looking to provide health solutions must figure out early on whether they are regulated under HIPAA. While some provider-driven technology companies may qualify as HIPAA covered entities, most health technology companies that become subject to HIPAA do so because they engage in activities that make them business associates. Notably, the Omnibus Rule expands the definition of business associates to include the following:
- Entities, such as data centers, that maintain protected health information (“PHI”) on behalf of covered entities;
- Health information organizations, e-prescribing gateways, and other entities that provide data transmission services for PHI to a covered entity and that require access to PHI on a routine basis;
- Entities that offer personal health records to individuals on behalf of a covered entity; and
- Subcontractors that create, receive, maintain, or transmit PHI on behalf of another business associate.
Additionally, the Omnibus Rule increases liability for business associates. Guidance from HHS in the preamble to the rule clarifies that business associates are now directly liable for:
- Impermissible uses and disclosures;
- Failure to provide breach notification to the covered entity;
- Failure to provide access to a copy of electronic PHI to the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement);
- Failure to disclose PHI when required in an investigation of the business associate’s compliance with HIPAA;
- Failure to describe when an individual’s information is disclosed to others; and
- Failure to comply with the HIPAA Security Rule’s requirements, such as performing a risk analysis, establishing a risk management program, and designating a security official, among other administrative, physical, and technical safeguards.
Noncompliant business associates will be subject to civil monetary penalties ranging from $100 to $50,000 per violation, with the penalty for multiple violations of the same provision capped at $1.5 million. However, guidance from the preamble notes that, because of the way the Office of Civil Rights counts violations, one event could violate multiple HIPAA requirements, resulting in penalties exceeding $1.5 million. Noncompliant companies face other risks as well. Breach notification requirements (to upstream business associates, covered entities, the government, affected individuals, and the media) can cause significant reputational harm to an organization and result in the termination of contracts or business relationships.
The Omnibus Rule also amends requirements for business associate agreements, which must now include certain additional provisions. These changes will require many covered entities and business associates to update existing business associate agreements. Due to the administrative burden of implementing these new business associate agreement provisions, the Omnibus Rule provides for a one-year transition period, during which covered entities and business associates, as well as business associates and subcontractors, may continue to operate under contracts that were in effect as of January 25, 2013. HHS has provided a model business associate agreement online.