On January 17, 2013, the U.S. Department of Health and Human Services (HHS) announced important modifications to the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy, Security, Enforcement, and Breach Notification Rules. These changes are known as the “Omnibus Rule.” The new HIPAA Omnibus Rule became effective on March 26, 2013, and healthcare providers have until September 23, 2013, to comply with the new requirements. Now is the time to examine your organization’s insurance portfolio to determine whether new HIPAA-related exposures may be covered by insurance.
Overview of the New HIPAA Omnibus Rule
Under the new HIPAA Omnibus Rule, what constitutes a “breach” has been more broadly defined, penalties associated with claimed breaches have been increased, and, critically, covered entities may now be liable for violations by business associates and subcontractors. These changes—which could increase healthcare providers’ potential liability under HIPAA—are as follows:
New Regulations On The Treatment of Protected Health Information. The Omnibus Rule added a number of important new regulations as to how healthcare providers must treat protected health information. The new regulations limit the use and disclosure of protected health information for marketing and fundraising purposes. They also prohibit the sale of protected health information without individual authorization. A significant development in the Omnibus Rule is its change in the definition of what constitutes a “breach.” Previously, breach required a finding that the access, use or disclosure of protected health information posed “a significant risk of financial, reputational or other harm to an individual.” The Omnibus Rule replaces the “harm threshold,” and now there is a rebuttable presumption that a breach occurs whenever protected health information is acquired, accessed, used or disclosed in a way that violates HIPAA’s stringent standards.
Penalties For HIPAA Violations Have Increased. The maximum penalty is now $1.5 million for each violation. At the same time that the penalty amount for HIPAA violations has expanded, affirmative defenses for these violations have narrowed. The Omnibus Rule removes the previous affirmative defense to the imposition of penalties if (1) the covered entity did not know and with the exercise of reasonable diligence would not have known of a violation, and (2) a violation was timely corrected.
Healthcare Providers Liable for Violations By Business Associates and Subcontractors. The new Omnibus Rule could increase the likelihood that healthcare providers will face liability for conduct by “business associates” and “subcontractors.” The Omnibus Rule defines “business associate” as a person or entity “‘who creates, receives, maintains, or transmits’ (emphasis added) protected health information on behalf of a covered entity.” “Subcontractors” are defined as persons “to whom a business associate delegates a function, activity, or service.” This new possible “vicarious” exposure for health care providers can be significant, as by some estimates these business partners, rather than the healthcare providers themselves, are responsible for more than 60% of HIPAA violations.
Previously, healthcare providers were excepted from liability for the acts of agents where the agent was a business associate, the relevant contract requirements had been met, the covered entity did not know of a pattern or practice of the business associate in violation of the contract, and the covered entity did not fail to act as required by the Privacy or Security Rule with respect to such violations. The new Omnibus Rule appears to eliminate these exceptions. The Omnibus Rule also applies the Federal common law of agency. Whether a business associate is an agent for purposes of imposing vicarious HIPAA liability will be a fact-specific inquiry, turning largely on the right or authority of the healthcare provider to control the business associate’s conduct in the course of performing a service on its behalf.
HHS has warned that a
“business associate can be an agent of a covered entity: (1) Despite the fact that a covered entity does not retain the right or authority to control every aspect of its business associate’s activities; (2) even if a covered entity does not exercise the right of control but evidence exists that it holds the authority to exercise that right; and (3) even if a covered entity and its business associate are separated by physical distance (e.g., if a covered entity and business associate are located in different countries).”
In the interest of caution, HHS has provided the following rule-of-thumb:
“if the only avenue of control is for a covered entity to amend the terms of the agreement or sue for breach of contract, this generally indicates that a business associate is not acting as an agent.”
Insurance Coverage for HIPAA Violations
Given the new regulations under HIPAA, an increase in the financial risk associated with claimed violations, and the possibility of broader liability for the acts of business partners under the new Omnibus Rule, now is not the time for potentially impacted organizations to let insurance policies gather dust. Healthcare organizations should immediately (1) audit existing insurance policies to determine the extent of existing coverage to pay for HIPAA exposures, and (2) consider purchasing specific HIPAA policies or coverage. Federal enforcement of HIPAA claims against healthcare providers may be on the rise. Insurance can provide important financial assistance in responding to such events.
Traditional Directors & Officers (D&O) and Errors & Omissions (E&O) policies sold to healthcare organizations may provide coverage for HIPAA violations unless explicitly excluded. For example, even under policies that do not include express “penalty” coverage, HIPAA-related penalties still may be covered, as constituting a form of “liquidated damages.” Visa Inc. v. Certain Underwriters at Lloyd’s, London, Case No. CGC-11-509839 (Jan. 6, 2012).
Moreover, it may be possible to obtain coverage for exposures to your organization regarding claimed breaches by certain business associates and subcontractors under “independent contractor” coverage contained in many typical healthcare D&O and E&O policies. At least one court this year rejected an insurer’s attempt to narrowly construe “independent contractor” language in a healthcare D&O policy, finding that the policy definition of the term was ambiguous. Cottage Health System v. Travelers Cas. & Sur. Co., Case No. 13821220 (Jan. 15, 2013). Healthcare providers also should seek to audit their business partners’ insurance policies to determine the extent of “additional insured” coverage under those policies should the healthcare provider be held responsible for any violations by that business partner of the new regulations. Going forward, given the possible new vicarious exposure for health care providers, they also should be careful to ensure broad additional insured protection under newly formed business associate relationships.
Finally, certain insurers now sell health care policies that provide specific coverage for HIPAA investigations and claimed HIPAA violations. Those coverages can specifically apply to failures “to comply with the privacy provisions of HIPAA,” and pay for “civil money penalties imposed upon an Insured for violation of the privacy provisions of” HIPAA. Some policies also expressly cover expenses associated with notifying patients of a breach that compromised their protected health information. Given that the standard for when breach notification is mandatory has been lowered, and that the U.S. Department of Health and Human Services has estimated that the costs of notification may run into the millions of dollars per year, this coverage may provide an important benefit. Before purchasing specialty coverage, providers should review their existing policies to determine whether they already may have protection for these expenditures, even if the coverage does not expressly speak in terms of “HIPAA”. Additionally, many insurance policies have specific deadlines in which to file notice of a claim, after which time an insurer might argue that coverage is lost. Moreover, at some point during the claims process, healthcare providers may need to litigate or arbitrate with an insurer.
Insurance coverage professionals, including coverage counsel, can be helpful in maximizing the available insurance protection for potential violations, and ensuring that healthcare providers receive all the coverage to which they may be entitled.
Healthcare providers should act now to reduce the risk of loss associated with potential HIPAA violations by them or their business associates. Strategic focus today can help to reduce exposure in the future.