On January 17, 2013, the U.S. Department of Health and Human Services (HHS) announced important modifications to the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy, Security, Enforcement, and Breach Notification Rules. These changes are known as the “Omnibus Rule.” The new HIPAA Omnibus Rule became effective on March 26, 2013, and healthcare providers have until September 23, 2013, to comply with the new requirements. Now is the time to examine your organization’s insurance portfolio to determine whether new HIPAA-related exposures may be covered by insurance.
Overview of the New HIPAA Omnibus Rule
Under the new HIPAA Omnibus Rule, what constitutes a “breach” has been more broadly defined, penalties associated with claimed breaches have been increased, and, critically, covered entities may now be liable for violations by business associates and subcontractors. These changes—which could increase healthcare providers’ potential liability under HIPAA—are as follows:
New Regulations On The Treatment of Protected Health Information. The Omnibus Rule added a number of important new regulations as to how healthcare providers must treat protected health information. The new regulations limit the use and disclosure of protected health information for marketing and fundraising purposes. They also prohibit the sale of protected health information without individual authorization. A significant development in the Omnibus Rule is its change in the definition of what constitutes a “breach.” Previously, breach required a finding that the access, use or disclosure of protected health information posed “a significant risk of financial, reputational or other harm to an individual.” The Omnibus Rule replaces the “harm threshold,” and now there is a rebuttable presumption that a breach occurs whenever protected health information is acquired, accessed, used or disclosed in a way that violates HIPAA’s stringent standards.
Penalties For HIPAA Violations Have Increased. The maximum penalty is now $1.5 million for each violation. At the same time that the penalty amount for HIPAA violations has expanded, affirmative defenses for these violations have narrowed. The Omnibus Rule removes the previous affirmative defense to the imposition of penalties if (1) the covered entity did not know and with the exercise of reasonable diligence would not have known of a violation, and (2) a violation was timely corrected.
Healthcare Providers Liable for Violations By Business Associates and Subcontractors; Definition of Business Associate Greatly Expanded. The new Omnibus Rule could increase the likelihood that healthcare providers will face liability for conduct by “business associates” and “subcontractors.” The Omnibus Rule defines “business associate” as a person or entity “‘who creates, receives, maintains, or transmits’ (emphasis added) protected health information on behalf of a covered entity.” “Subcontractors” are defined as persons “to whom a business associate delegates a function, activity, or service.” This new possible “vicarious” exposure for health care providers can be significant, as by some estimates these business partners, rather than the healthcare providers themselves, are responsible for more than 60% of HIPAA violations. This expanded definition of business associate aligns the Omnibus Rule with the HITECH Act definition of business associate (with certain modifications). The addition of the word “maintains” also incorporates cloud service providers (even if they do not access the protected health information), e-health records vendors and other service providers acting on behalf of the covered entity.
Business associates (including the newly-included groups) are required to comply with the HIPAA Security Rule, will need to perform a HIPAA security risk assessment, and must put in place both HIPAA security policies, and physical, administrative and technical safeguards and related document requirements. Also of critical note, business associates (and their subcontractors) are now directly liable for violations including impermissible uses and disclosures of protected health information and the failure to report a breach to their covered entity customers.
As a result, business associate agreements will need to be modified to meet these additional requirements.
Previously, healthcare providers were excepted from liability for the acts of agents where the agent was a business associate, the relevant contract requirements had been met, the covered entity did not know of a pattern or practice of the business associate in violation of the contract, and the covered entity did not fail to act as required by the Privacy or Security Rule with respect to such violations. The Omnibus Rule also applies the Federal common law of agency. Whether a business associate is an agent for purposes of imposing vicarious HIPAA liability will be a factspecific inquiry, turning largely on the right or authority of the healthcare provider to control the business associate’s conduct in the course of performing a service on its behalf.
HHS has warned that a
“business associate can be an agent of a covered entity: (1) Despite the fact that a covered entity does not retain the right or authority to control every aspect of its business associate’s activities; (2) even if a covered entity does not exercise the right of control but evidence exists that it holds the authority to exercise that right; and (3) even if a covered entity and its business associate are separated by physical distance (e.g., if a covered entity and business associate are located in different countries).”
In the interest of caution, HHS has provided the following rule-of-thumb:
“if the only avenue of control is for a covered entity to amend the terms of the agreement or sue for breach of contract, this generally indicates that a business associate is not acting as an agent.”
Insurance Coverage for HIPAA Violations
Given the new regulations under HIPAA, an increase in the financial risk associated with claimed violations, the possibility of broader “vicarious” liability for the acts of business associates under the new Omnibus Rule, and new direct exposures for “business associates,” for potentially impacted organizations now is not the time for insurance policies to gather dust. Health Care Organizations and their business associates should immediately (1) audit existing insurance policies to determine the extent of existing coverage to pay for HIPAA exposures, and (2) consider purchasing specific HIPAA policies or coverage. Federal enforcement of HIPAA claims against health care providers or their business associates may be on the rise. Insurance can provide important financial assistance in responding to such events.
Traditional Directors & Officers (D&O) and Errors & Omissions (E&O) policies, including those sold to healthcare organizations may provide coverage for HIPAA violations unless explicitly excluded. For example, even under policies that do not include express “penalty” coverage, HIPAA-related penalties still may be covered, as constituting a form of “liquidated damages.” Visa Inc. v. Certain Underwriters at Lloyd’s, London, Case No. CGC-11- 509839 (Jan. 6, 2012).
Moreover, it may be possible to obtain coverage for exposures to your organization regarding claimed breaches by certain business associates and subcontractors under “independent contractor” coverage contained in many typical healthcare D&O and E&O policies. At least one court this year rejected an insurer’s attempt to narrowly construe “independent contractor” language in a healthcare D&O policy, finding that the policy definition of the term was ambiguous. Cottage Health System v. Travelers Cas. & Sur. Co., Case No. 13821220 (Jan. 15, 2013). Healthcare providers and their business associates also should seek to audit the business associates’ insurance policies to determine the extent of “additional insured” coverage under those policies, should the entity be held responsible for any violations by that business partner of the new regulations. Going forward, given the possible new vicarious exposure for health care providers, they also should be careful to ensure broad additional insured protection under newly formed business associate relationships.
Finally, certain insurers now sell health care policies that provide specific coverage for HIPAA investigations and claimed HIPAA violations. Those coverages can specifically apply to failures “to comply with the privacy provisions of HIPAA,” and pay for “civil money penalties imposed upon an Insured for violation of the privacy provisions of” HIPAA. Some policies also expressly cover expenses associated with notifying patients of a breach that compromised their protected health information. Given that the standard for when breach notification is mandatory has been lowered, and that the U.S. Department of Health and Human Services has estimated that the costs of notification may run into the millions of dollars per year, this coverage may provide an important benefit. Before purchasing specialty coverage, potentially impacted entities should review their existing policies to determine whether they already may have protection for these expenditures, even if the coverage does not expressly speak in terms of “HIPAA”. Additionally, many insurance policies have specific deadlines in which to file notice of a claim, after which time an insurer might argue that coverage is lost. Moreover, at some point during the claims process, healthcare providers may need to litigate or arbitrate with an insurer.
Insurance coverage professionals, including coverage counsel, can be helpful in maximizing the available insurance protection for potential violations, and ensuring that entities that may be impacted by the new HIPAA regulations receive all the coverage to which they may be entitled.
Healthcare organizations and their business associates have until September 23, 2013, to conform to the new regulations. Those entities should act now to reduce the risk of loss associated with potential HIPAA violations by them or their business associates. Strategic focus today on possible risk transfer methods, including through careful use of insurance, can help to reduce exposure in the future.