On January 25, 2013, the Office of Civil Rights of the federal Department of Health and Human Services published the rules implementing the Health Information Technology and Clinical Health Act. The so-called HIPAA Omnibus Rulemaking makes sweeping changes to HIPAA's privacy, security, enforcement, and data breach rules.
The take away is this: HIPAA is finished teething. The rules are tougher, broader in scope, more demanding, and more focused on enforcement and sanctions than on seeking informal resolution and compliance.
The Enforcement and Data Breach Rules became effective on March 26. Compliance with nearly all of the remaining changes must be achieved by September 23. All business associate agreements, or BAAs, in effect on January 24, 2013, must be compliant with the new rules not later than September 23, 2014, unless they are amended or renewed by affirmative action. All new agreements begun on or after January 25 must be in compliance by September 23, 2013.
Business associates - contractors or vendors providing services that involve protected health information - are now directly subject to the Security Rule and much of the Privacy Rule. Business associates are subject to nearly all the same privacy and security requirements as physicians, and must have business associate agreements with their subcontractors who receive, create, maintain or transmit PHI on their behalf. These subcontractors are considered "business associates" for purposes of HIPAA and are therefore also directly subject to federal regulation. Everyone from the initial business associate on down must have an agreement at least as stringent as the one up the chain, and they must develop appropriate policies and procedures, documentation and training, just like covered entities. Physicians need not directly contract with these subcontractors.
A data breach occurs whenever "unsecured" or unencrypted PHI is used, disclosed, or transmitted in violation of the Privacy Rule. While the interim Data Breach Rule focused on the likelihood of individual harm, the final rule is more procedural: the wrongful use, disclosure or transmission of PHI creates a presumption that a data breach has occurred. This presumption may be overcome only by a documented risk assessment demonstrating a "low probability that PHI has been compromised." Neither "low probability" nor "compromised" is defined, but the rule's commentary suggests a very low risk tolerance. The consequence is that a physician either must notify affected individuals in response to a security incident or must document a risk assessment demonstrating a low probability of compromise.
The OCR's amended Enforcement Rule gives the substantive rules their bite. The OCR cannot pursue informal resolution of violations if there is even a possibility that the violation is due to purposeful ignorance or reckless disregard of the rules. Such violations must be formally investigated and, if "willful neglect" is found, the OCR may proceed directly to formal proceedings for the assessment of a Civil Monetary Penalty. The minimum penalty for violations involving willful neglect will be $10,000 per violation, if corrected in 30 days, and $50,000 per violation if uncorrected. OCR also will count violations in the most prolific way possible: by individual affected and, in the case of continuing violations, a violation per day. While the total annual penalty for violation of a single HIPAA standard is $1.5M, incidents typically violate multiple standards.
As published, Medicine in Oregon, Spring 2013.