On January 17, 2013, the United States Department of Health and Human Services released a Final Rule, commonly known as the “HIPAA Omnibus Rule,” which included significant changes to the HIPAA compliance requirements for healthcare covered entities, including private practice rehabilitation and medical providers. The compliance date for the vast majority of requirements under the Final Rule is September 23, 2013.
The Final Rule addresses a number of key issues, including the following:
1. Business Associates. The Final Rule expands the breadth of its enforcement to include downstream subcontractors of the business associate. For example, if a third party administrator serving as a business associate to a private healthcare practice utilizes the services of a document destruction company, the document destruction company would be a subcontractor of the third party administrator and therefore subject to the certain obligations under the Final Rule. Additionally, the definition of a business associate was itself broadened to include entities such as patient safety organizations and other persons that provide data transmission services with respect to protected health information to a covered entity and that require routine access to such protected health information. As to business associates, the Final Rule also requires business associates to disclose PHI when the Secretary of the Department of Health and Human Services investigates a business associate’s compliance with HIPAA. Further, the Final Rule makes amendments to the HIPAA Security Rule such that it applies to business associates and their subcontractors. Given these new obligations placed on business associates, business associates will need to assess their compliance obligations and plan accordingly for the September 23, 2013 compliance date.
2. Notice of Privacy Practices. The Final Rule changes the requirements for the content that must be included within a Notice of Privacy Practices. The Final Rule addresses issues related to marketing, the sale of protected health information, uses and disclosures other than those described in the notice, the right to notification following a breach of unsecured protected health information, as well as other mandatory requirements for inclusion in the notice.
3. Business Associate Agreements. Final Rule adds additional requirements for business associate agreements, including express references that the business associate must comply with the security rule, must report breaches of unsecured protected health information, and must comply with the HIPAA privacy rule to the extent the business associate is required to carry out the covered entities obligations under the privacy rule. The Final Rule provides that covered entities and business associates can continue to operate under current business associate agreements if certain timelines are satisfied; however, if business associate agreements are renewed, modified or otherwise do not meet the timing requirements, then new agreements must be entered into. Covered entities will need to assess their business associate relationships to determine the necessary compliance steps in accordance with the respective compliance dates. All business associate agreements must meet the Final Rules compliance requirements effective September 23, 2014.
4. Marketing. The Final Rule broadened the uses and disclosures of protected health information that are considered marketing and therefore require an individual’s prior authorization. To determine whether an authorization is required in connection with marketing, the factors that must be analyzed include whether the communication is face to face and whether it involves a promotional gift of nominal value.
5. Fundraising. The Final Rule strengthens the limitations on the use and disclosure of protected health information for fundraising purposes. Specifically, the Final Rule requires that a recipient of a fundraising communication must be provided with a clear and conspicuous opportunity to opt out of the fundraising communication. The opt-out method utilized by the covered entity must not impose an undo burden or more than nominal cost on the individual.
6. Breach Notification. The Final Rule revises the definition of “breach” in a manner that is more likely to result in an obligation to report a breach of unsecured unprotected health information. Specifically, the Final Rule revises the definition of breach in an effort to establish a more objective standard. Under the Final Rule, impermissible access, use, or disclosures are presumed to be a breach unless there is a demonstration of a low probability that the PHI was compromised or if an exception otherwise applies. The burden of proof is on the covered entity or the business associate, as the case may be, to demonstrate this low probability. The Final Rule provides a number of factors to consider in connection with a risk analysis.
7. Civil Money Penalties. The Final Rule provides for significantly increased penalties in comparison to historic amounts prior to the passing of the HITECH Act. Specifically, penalties now range from One Hundred ($100) to Fifty Thousand ($50,000) Dollars for each violation with a One Million Five Hundred Thousand ($1,500,000) Dollar maximumhttp://cms.jdsupra.com/docuploader/document/create penalty for all violations of an identical provision within the calendar year. The amount of the violation is determined based upon the degree of culpability. In determining the penalty amount, the Final Rule provides a number of factors that will be considered and may either mitigate or aggravate the penalty amounts.
Covered entities and business associates will both need to assess their current state of compliance with HIPAA in advance of the September 23, 2013 compliance date for the Final Rule.
