On January 17, 2013, the Department of Health and Human Services issued a final rule amending the Health Insurance Portability and Accountability Act (HIPAA) privacy and security regulations and implementing the Health Information Technology for Economic and Clinical Health (HITECH) Act (the “Omnibus Rule”). Below is a summary of significant provisions and changes.

The compliance date is September 23, 2013

Covered entities (health plans, health care providers, and health care clearinghouses) and their business associates have until September 23, 2013, to become compliant with the Omnibus Rule.

Breach notification provisions have changed

An impermissible acquisition, access, use or disclosure of unsecured protected health information (PHI) will be presumed to be a reportable breach (to the individual, government, and in some cases, the media), unless the covered entity demonstrates there is a low probability that the PHI has been compromised. Under the current rule, a breach is reportable only if the use or disclosure poses a “significant risk of financial, reputational or other harm to the individual.” To demonstrate a low probability of harm, the covered entity must do a risk assessment and evaluate these factors:

1. Nature and extent of PHI involved;
2. The unauthorized person who used the PHI or to whom the disclosure was made;
3. Whether the PHI was actually acquired or viewed; and
4. The extent to which the risk to the PHI has been mitigated.

A covered entity can choose to automatically report without doing a risk assessment.

Encryption is still golden

If PHI data is encrypted, it is considered secure. If a security breach occurs involving encrypted PHI, the breach is NOT reportable.

Substantial changes related to business associates and subcontractors

• Business associates are separately and directly liable for violations of HIPAA. Business associates must comply with certain provisions of the HIPAA privacy and security rules.
• Business associates will now include any party that creates, receives, maintains or transmits PHI for a function or activity regulated by HIPAA on behalf of a covered entity (or organized health care arrangement), in addition to parties that provide legal, accounting, consulting, actuarial and certain other identified services to or for the covered entity.
• Business associates expanded to include health information organizations, e-prescribing gateways, other providers of data transmission services, vendors of personal health records, and subcontractors.
• If a business associate discloses PHI to a subcontractor, the business associate must have a business associate agreement with the subcontractor satisfying the requirements under the Omnibus Rule.
• All downstream subcontractors who use or disclose PHI are also business associates and must have business associate agreements in place.
• Current business associate agreements will likely require revision to include additional provisions related to: reporting breaches to the covered entity; directly complying with HIPAA provisions applicable to duties; and complying with the HIPAA security rule with respect to electronic PHI.
• Currently compliant business associate agreements are grandfathered for an additional year, unless renewed or modified. Covered entities and business associates may continue to operate under an existing business associate agreement until September 22, 2014, as long as
  1. The current agreement is fully compliant under the current HIPAA regulations, and
  2. The agreement is not amended or renewed between March 26, 2013, and September 22, 2013.

If it is amended during that time, the new or amended agreement must comply with the Omnibus Rule provisions. If the existing agreement automatically renews without any changes, it qualifies for grandfathering.

Additional rights for individuals

If an individual requests a copy of his/her PHI, the Omnibus Rule requires a covered entity to provide it in the form or format requested. If not readily producible and maintained electronically, a covered entity must provide it to the individual in electronic format. Under the current rule, if not readily producible, a covered entity may provide it in hard copy format.

Also, an individual may request a covered entity provide an electronic copy of his/her PHI to a third party as long as the request is in writing (email is okay) and identifies the contact name and address of the third party. As long as the individual is making a request related to his/her own PHI (under the right to access), written authorization is not required.

Right to restrict PHI for out-of-pocket paid health care

A covered entity must agree to an individual’s request to restrict disclosures to a health plan for payment or health care operation purposes if the individual paid for the item or service out-of-pocket and in full.

Changes to the Notice of Privacy Practices

The covered entity’s Notice of Privacy Practices must include a statement that the covered entity has a duty to notify affected individuals of a breach of unsecured PHI and a statement that the covered entity cannot refuse a request to withhold information from a health plan when the individual pays in full for the item or service. If applicable, these statements must be included as well:

1. The covered entity may contact individuals for fundraising and the individual’s right to opt out of receiving fundraising communications; and
2. Health plans are prohibited from using and disclosing genetic information for underwriting purposes (except for long-term care insurance).

Increased enforcement by the Office for Civil Rights

Under the Omnibus Rule, the Office for Civil Rights (OCR) will investigate a complaint if a preliminary investigation indicates a possible violation due to “willful neglect,” and will impose penalties on all violations due to willful neglect. “Willful neglect” is conscious, intentional failure or reckless indifference to an obligation under HIPAA. Under the current rule, the OCR has discretion to conduct an investigation under these circumstances. Further, the Omnibus Rule requires the OCR to conduct a compliance review of a covered entity if a HIPAA violation is brought to its attention from “other than a formal complaint,” which includes a report from the media, state agency or other federal agency. Currently, the OCR attempts to informally resolve violations (such as allowing the covered entity to demonstrate compliance or implement a corrective action plan) prior to imposing penalties; the Omnibus Rule leaves it to the OCR’s discretion on whether to resolve a complaint informally. The OCR may move directly to a civil monetary penalty without exhausting informal resolution efforts.

Expansion of “marketing” and requirement for authorizations

If the marketing activity involves direct or indirect payment to the covered entity from a third party whose product or service is being marketed, authorization is required even for certain treatment and health care operation purposes currently within the definition of “marketing.”>

The sale of PHI requires a covered entity to obtain an individual’s written authorization

The Omnibus Rule tightens the definition of the sale of PHI, but does provide several exceptions, including sale of a covered entity and related due diligence, business associate activities, and treatment and payment purposes.

Clarification that genetic information is health information and subject to HIPAA

Additionally, health plans (other than long-term care plans) may not use or disclose genetic information for underwriting purposes.

Covered entities may release immunization records

Covered entities may release student immunization records to schools without a signed authorization if state law requires the school to have the immunization record and the student (or parent or guardian) agrees orally or in writing (email is sufficient). 

Easier access to a decedent’s PHI

If an individual is deceased, a covered entity may disclose PHI to a family member or other persons involved in the individual’s care or payment for health care prior to death, as long as the PHI is relevant to such person’s involvement and provided that it is not inconsistent with known preferences of the individual. Under the current rule, only a personal representative (as determined by state law) may obtain a decedent’s PHI. Also, a decedent’s health information is not PHI if the death occurred over 50 years ago.

Recommendations

• Begin a HIPAA compliance review now
• Evaluate all HIPAA privacy and security policies and revise as necessary, in particular policies related to:
  • Breach risk assessment and notification
  • Business associates
  • Notice of Privacy Practices
  • Marketing and fundraising
  • Sale of PHI
  • Individual’s right to access
  • Individual’s right to restrict uses and disclosures
  • Decedent’s PHI
  • Workforce sanctions for non-compliance
• Update current business associate agreements
• Consider whether new definition of “business associate” requires agreements with other third parties (including subcontractors)
• Update Notice of Privacy Practices; post and distribute new Notice
• Encrypt PHI in accordance with government guidelines to the extent possible
• For health plans:  address the restriction on use of genetic information for underwriting
• Educate and train staff
• Enforce sanctions against members of your workforce who fail to comply with policies and procedures