A key amendment to the Health Insurance Portability and Accountability Act (“HIPAA”) called the “Omnibus Rule” took effect on March 26, 2013. The Omnibus Rule impacts both companies that directly collect protected health information (“PHI”) about individuals (“Covered Entities”) and subcontractors and downstream subcontractors that provide services relating to PHI collected by Covered Entities (unless they fall into one of the narrow exceptions described in more detail below) (“Business Associates”). Covered Entities and Business Associates must comply with HIPAA (as it is modified by the Omnibus Rule) by September 23, 2013 unless they are subject to the grandfather clause (i.e., they entered into a contract prior to January 25, 2013 that is not modified or renewed before October 23, 2013), in which case they do not have to comply until September 22, 2014.
This article will help you assess whether your company needs to comply with HIPAA (including the new Omnibus Rule) and, if so, what steps your company should take to become compliant.
How does the Omnibus Rule change HIPAA?
The Omnibus Rule changes HIPAA’s privacy and security rules in several key ways:
1. Increased Number of Companies that Must Comply With HIPAA and the Omnibus Rule because of Broader Definition of “Business Associate”
The Omnibus Rule expanded the definition of Business Associate to include all downstream subcontractors that create, receive, maintain or transmit PHI on behalf of subcontractors that contract directly with Covered Entities. In other words, HIPAA now applies to subcontractors irrespective of how far downstream the subcontractor is from the Covered Entity. Companies that maintain or store PHI (such as data storage companies) are now considered Business Associates regardless of whether the company actually accesses the PHI. There are a few narrow exceptions to the definition of Business Associate, including: (a) entities that act as “mere conduits for the transportation of PHI” but do not access the PHI other than on a random or infrequent basis, such as Internet service providers (ISPs) and telecommunications companies; (b) a health care provider that receives PHI from a Covered Entity for treatment purposes; (c) a Covered Entity participating in an Organized Health Care Arrangement; (d) a government agency if the government agency is determining government health plan eligibility in a plan administered by another government agency; and (e) a plan sponsor with respect to disclosures by a group health plan if group health plan requirements are met.
2. Application of HIPAA Security Rule and Certain Requirements of the Privacy Rule to Business Associates
Prior to the passage of the Omnibus Rule, only Covered Entities had to comply with HIPAA. The security rule and certain portions of the privacy rule now directly apply to all Business Associates, including without limitation, downstream subcontractors. Under the privacy rule, Business Associates must, among other things: (a) only disclose PHI as permitted by their business associate agreements or as required by law; (b) request, use and disclose the minimum amount of PHI necessary; (c) take reasonable steps to cure a subcontractor’s breach of PHI and terminate the contract if this is not effective; and (d) use and disclose PHI subject to the same restrictions placed upon Covered Entities by HIPAA and the Omnibus Rule.
3. Business Associates Providing Services to Covered Entities Must Enter Into Business Associate Agreements with Downstream Subcontractors
Prior to the enactment of the Omnibus Rule, only Covered Entities were required to have their direct subcontractors enter into written Business Associate Agreements that contractually required such subcontractors to safeguard PHI. Under the Omnibus Rule, this requirement now applies to all Business Associates. In other words, both direct subcontractors and downstream contractors must enter into Business Associate Agreements with any third party that provides services relating to the PHI unless the company falls into one of the narrow exceptions described above.
The Omnibus Rule also specifies that the Business Associate Agreement must contain certain terms requiring Business Associates to do, without limitation, the following: (a) comply with the security rule; (b) report breaches of PHI to the Covered Entity; (c) ensure that downstream subcontractors adhere to terms identical to that of the direct subcontractor; and (d) comply with applicable privacy rule requirements.
4. Consent Required to Sell PHI and to Use and Disclose PHI for Marketing Purposes
Under the Omnibus Rule, Covered Entities and Business Associates may not directly or indirectly sell PHI without obtaining individuals’ express consent that the company may receive remuneration from the sale of the individual’s PHI. There are a few exceptions to this requirement, including without limitation: (a) public health purposes; (b) treatment and payment purposes; (c) certain research purposes; and (d) legal requirements.
Covered Entities and Business Associates are still required to obtain individuals’ authorization to disclose their PHI for marketing purposes under the Omnibus Rule, but the Omnibus Rule narrowed the definition of ‘marketing,’ so that it does not include the following as long as no payment is received from or on behalf of a third party whose products or services are being described: (a) refill reminders; and (b) communications for treatment and health care operations purposes.
5. More Stringent Data Breach Notification Requirements
Prior to enactment of the Omnibus Rule, a breach of PHI was defined as a use or disclosure that caused a “significant risk of financial, reputational, or other harm.” This definition permitted companies to contemplate whether a data breach caused harm to the impacted individual. (For example, disclosing that a patient has the flu does not likely pose significant harm and therefore would not require notification, but disclosing a patient’s HIV status may pose significant harm and therefore require notification.) Now, a breach of PHI is defined to be an impermissible use or disclosure of PHI unless the Covered Entity or Business Associate can demonstrate there is a low probability that PHI has been compromised (which is difficult to establish). This change means that if a Covered Entity or Business Associate has a breach, it is more likely that the company will have to send out a breach notice.
6. Application of Enforcement Provisions to Business Associates
The Omnibus Rule specifies all Business Associates are now subject to compliance and enforcement by HHS. This means: (a) HHS may now directly receive and investigate complaints relating to Business Associates’ compliance with HIPAA and the Omnibus Rule; and (b) HHS may impose monetary penalties against Business Associates.
7. Updated Factors for Imposing Civil Monetary Penalties; Amount of Penalties Remains the Same
The Omnibus Rule updates the factors HHS considers when determining the amount of a civil monetary penalty. The penalties are tiered and are dependent upon the Covered Entity or Business Associate’s knowledge and the willfulness of the breach. Generally, the factors HHS considers include without limitation: (a) the nature and extent of the violation; (b) the harm resulting from the violation (i.e., whether the violation caused physical, financial or reputational harm, prevented an individual from obtaining health care and past history of compliance); (c) the number of impacted individuals; and (d) the time period during which the violation occurred.
The Omnibus Rule does not modify civil monetary penalties. Tiered penalties still range from $100 for each violation (not to exceed $25,000) to $50,000 for each violation (not to exceed $1,500,000).
Does your Company Have to Comply with HIPAA and the Omnibus Rule?
Covered Entities and Business Associates that complied with HIPAA prior to March 26, 2013 must comply with the Omnibus Rule, and they should review their policies and practices to confirm they comply with the new Omnibus Rule. Downstream service providers that must comply with HIPAA and the Omnibus Rule as a result of the expanded definition of Business Associate under the Omnibus Rule must come into compliance by the dates set forth above.
What do Covered Entities and Business Associates have to do to comply with HIPAA and the Omnibus Rule?
Below is a list of steps to take to become compliant with HIPAA and the Omnibus Rule. This list is not all-inclusive, and the steps a Covered Entity or Business Associate must take to become compliant will differ depending on each company’s business practices and goals.
1. Review and Revise / Establish Policies and Procedures to Comply with the Security Rule — Establishing and Implementing Administrative, Physical and Technical Safeguards
Covered Entities and Business Associates (including both direct and downstream sub-contractors) must have appropriate administrative, physical and technical safeguards in place, including without limitation: (a) establishing and implementing required security policies and procedures; (b) implementing technical security measures and facility access controls; (c) conducting regular audits and risk analyses; and (d) designating a security official and conducting company-wide training programs.
2. Review and Revise / Establish Policies and Procedures to Comply with the Privacy Rule
a. Restrict Access to PHI
Covered Entities and Business Associates (including both direct and downstream sub-contractors) must comply with HIPAA’s privacy rule which requires, without limitation: (i) limiting disclosure and use of PHI to the minimum number of third parties; (ii) requiring third parties receiving PHI and their subcontractors to enter legally-compliant business associate agreements (as applicable); (iii) maintaining compliance records; (iv) submitting reports to government regulatory authorities (as required); and (v) providing access to its covered entity or to the individual who is the subject of the PHI.
b. Review and Revise/Develop Form Business Associate Agreement
Review and revise or create Business Associate Agreements that comply with HIPAA and the new requirements of the Omnibus Rule, including without limitation, breach notification requirements. Confirm that the indemnification provisions adequately protect your company.
c. Review and Revise/Develop Authorization Forms
Review and revise or develop authorization forms that comply with the Omnibus Rule, including without limitation, authorization for the sale of PHI and the use and disclosure of PHI for marketing purposes.
d. Update/Create a HIPAA-Compliant Privacy Notice
Review your privacy notice or develop a privacy notice that complies with HIPAA and the Omnibus Rule, and distribute this revised or new notice as required by law. The privacy notice must, among other things, specify that any uses or disclosures of PHI other than those expressly permitted by the privacy rule will be made only with the written authorization of an individual, and must address, without limitation, the following: (i) an individual’s right to restrict disclosures of their PHI; (ii) the types of uses and disclosures of PHI that require individual authorization; (iii) an individual’s right to opt out of certain disclosures of PHI; (iv) rights to notice in the event of a breach; (v) rights with respect to the use of their genetic information (if applicable); (vi) an individual’s right to opt out of receiving fundraising communications (if applicable); and (vii) the requirement that individuals give written authorization for the covered entity’s uses and disclosures of PHI for marketing purposes and for the sale of PHI.
e. Send a Security Breach Notice if PHI is Breached
When a breach occurs, Covered Entities and Business Associates must notify HHS within certain time parameters. For breaches involving 500 or more people, the breach must be reported to HHS, and notice must be simultaneously provided to the impacted individuals. For breaches involving fewer than 500 people, the breach must be reported to HHS within sixty (60) days of the last day of the preceding calendar year in which the breach was discovered.
3. Provide Training Sessions for Employees
Conduct training sessions for your employees to inform them of your corporate policies and practices and what they must do to help your company be compliant.
4. Consider State Law Issues
HIPAA states that state law preempts HIPAA to the extent state law is more restrictive than HIPAA. Consider what state laws may apply to your company and whether they may preempt HIPAA’s requirements.