On January 25, 2013, the Department of Health and Human Services (HHS) published final regulations that modify the Privacy, Security, Enforcement and Breach Notification Rules issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The regulations, referred to as “Omnibus Rules,” implement many of the changes made by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which was part of the American Recovery and Reinvestment Act of 2009.

The Omnibus Rules are effective on March 26, 2013, and covered entities (i.e., health plans, health care providers and health care clearinghouses) and business associates generally have 180 days from then (i.e., September 23, 2013) to comply with the new requirements. Transition rules apply to business associate agreements in existence prior to January 25, 2013, providing covered entities and business associates an additional year to bring such agreements into compliance unless the agreement is renewed or modified prior to September 23, 2013.

Summary of Action Items for Employers That Sponsor Group Health Plans

Employers that sponsor group health plans that are subject to HIPAA’s Privacy and Security Rules have a short period of time to familiarize themselves with the changes made by the Omnibus Rules and make sure that they comply with the new requirements. Plan sponsors should consider taking the following steps:

  • Review and revise the group health plan’s HIPAA policies and procedures to comply with all of the changes required under the Omnibus Rules.
  • Review and revise the plan’s privacy notice to incorporate the new disclosure requirements and redistribute the notice in accordance with the new guidelines.
  • Revise forms utilized by individuals to exercise their privacy rights to address changes made by the Omnibus Rules.
  • Review whether the plan engages in any marketing practices that will be subject to prior authorization requirements.
  • Review whether the plan needs to enter into business associate agreements with service providers who provide data transmission of electronic protected health information (PHI) or store PHI, or vendors who allow the group health plan to offer personal health records.
  • Amend business associate agreements to comply with the changes under the Omnibus Rules.

The Omnibus Rules make a number of changes; some of the more significant changes that may impact group health plans are addressed below.

Changes to the Breach Notification Standard

The HITECH Act imposed new breach notification requirements on covered entities. Covered entities are now required to notify affected individuals, HHS and the media in certain circumstances if there is an unauthorized acquisition, access, use or disclosure of unsecured PHI, subject to certain limited exceptions.  PHI is considered unsecured unless it is encrypted or destroyed through the use of methodologies and technologies specifically approved in guidance previously issued by HHS.

A “breach” is defined as the acquisition, access, use or disclosure of PHI in a manner not permitted under the Privacy Rule, which compromises the security or privacy of the individual.  The prior guidance allowed covered entities to determine whether PHI was compromised using a subjective harm standard that examined whether there was a significant risk of financial, reputational or other harm to the individual. 

The Omnibus Rules significantly change the standard in two ways.  First, the Omnibus Rules add a presumption that an impermissible acquisition, access, use or disclosure is a breach unless the covered entity or business associate can demonstrate that there is a low probability that the PHI has been compromised.  Second, the Rules eliminate the subjective harm standard and modify the risk assessment to focus more objectively on whether PHI has been compromised by considering the following four factors:  (1) the nature and extent of PHI involved, including the types of identifiers and likelihood that an individual can be identified; (2) who impermissibly used the PHI or to whom the PHI was impermissibly disclosed; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated.

The Omnibus Rules also eliminate the exception from the breach notification requirements for limited data sets that do not contain any dates of birth and zip codes.  As a result, if a limited data set is impermissibly used or disclosed, the covered entity or business associate must perform a risk assessment to determine if there has been a breach.

HHS encourages covered entities to encrypt PHI pursuant to its guidance because any impermissible use or disclosure of such encrypted information would not constitute a breach of PHI.  Covered entities may want to consider the feasibility of this approach to lessen the risk that PHI will be breached.

Business Associate Changes

Expanded Definition of Business Associates - The Omnibus Rules expand the definition of “business associate” to include the following:

  • Organizations that provide data transmission of PHI to a covered entity or its business associate and that require access on a routine basis to PHI, including Health Information Organizations and e-prescribing Gateways.

    The preamble to the Omnibus Rules provides guidance on what it means to have “access on a routine basis” to PHI versus being a mere conduit, emphasizing that the determination will be fact specific based on the nature of the services provided and the extent to which the entity needs access to PHI. HHS cautions that the conduit exception only applies to entities providing transmission and not storage services. A telecommunications company providing mere transmission services may not be considered a business associate.  However, if the telecommunications company also provides digital storage services, it would be considered a business associate.
  • Vendors that contract with a covered entity to offer personal health records to individuals on behalf of the covered entity.
  • Subcontractors of business associates.  The business associate, not the covered entity, is required to enter into business associate agreements with its subcontractors, which must be at least as stringent as the agreement between the covered entity and the business associate.

Expanded Liability for the Acts of Agents - Under current regulations, a covered entity is not liable for the acts of its agents when: (1) the agent is a business associate; (2) the covered entity and business associate have entered into a business associate agreement; (3) the covered entity did not know of a pattern or practice of the business associate that violated the contract; and (4) the covered entity did not fail to act as required by the Privacy or Security Rules with respect to the violations.

The Omnibus Rules now make covered entities and business associates directly liable for the acts of their business associate agents in accordance with federal common law of agency.  The preamble notes that whether or not a business associate is an agent will be fact specific and will take into account both the terms of the business associate agreement and the totality of the circumstances involved in the ongoing relationship.  According to HHS, the essential factor is the right or authority to control the business associate’s conduct in the course of performing a service on behalf of the covered entity (or on behalf of the business associate when the agent is a business associate subcontractor). 

Business Associate Liability - Before the HITECH Act, the Privacy and Security Rules did not directly apply to business associates of covered entities.  The HITECH Act and the Omnibus Rules make the following changes:

  • Security Rule Requirements: The Omnibus Rules provide direct liability for business associates that fail to comply with the following requirements under the Security Rule: (1) implement administrative, physical and technical safeguards; (2) adopt security policies and procedures requirements; and (3) comply with documentation requirements.
  • Privacy Rule Requirements: The Omnibus Rules provide direct liability for business associates that fail to comply with the following requirements under the Privacy Rule:  (1) use and disclosure requirements in the Privacy Rule and the business associate agreement; (2) minimum necessary restrictions; (3) breach notification requirements; (4) enter into business associate agreements with their subcontractors; (5) disclose PHI when required by HHS; (6) disclose electronic PHI in response to an individual’s request for an electronic copy of PHI; and (7) provide an accounting of required disclosures.  Business associates remain contractually liable for all other Privacy Rule obligations that are included in their contracts with covered entities.
  • Eliminate Reporting Requirement to HHS:  The Omnibus Rules eliminate the requirement that covered entities (or business associates) report patterns or practices that constitute a material breach or violation under a business associate agreement when termination of a business associate agreement is not feasible.

Changes to Marketing and Fundraising and Prohibition on the Sale of PHI

Marketing Restrictions - Prior to the HITECH Act, a covered entity was required to obtain an authorization for any use or disclosure of PHI for marketing purposes and to inform the individual if the covered entity will receive direct or indirect remuneration.  Marketing was defined as a communication about a product or service that encouraged recipients of the communication to purchase or use the product or service, but excluded certain types of communications, including communications about treatment or certain health care operations. 

The Omnibus Rules now require that covered entities treat communications about treatment or certain health care operations as marketing if the covered entity or its business associate receives financial remuneration (i.e., direct or indirect payment) from a third party whose product or service is the subject of the communication in exchange for making such communication.  The covered entity must obtain an authorization that discloses that the covered entity is receiving financial remuneration before sending the communication.  Direct or indirect payment does not include non-financial benefits, such as in-kind benefits. 

Plan sponsors of group health plans may initially think that this change to the definition of marketing does not affect them. However, to the extent that the plan or its business associate receives payment from a third party in exchange for the following types of communications, the plan may be engaged in marketing and would need to obtain authorizations from plan participants prior to sending the communication:

  • Communications that describe a health-related product or service included in the group health plan, including communications about entities participating in the provider network, replacement of or enhancements to the health plan, and health-related products or services available only to a health plan participant that add value to but are not part of the plan; and
  • Communications involving case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.

The HITECH Act and the Omnibus Rules provide an exception to marketing for refill reminders or other communications about a drug or biologic that is currently being prescribed for the individual, provided that any financial remuneration received by the covered entity or its business associate in exchange for making the communication is reasonably related to the covered entity’s labor, supplies and postage costs.  Other costs cannot be reimbursed, nor can the covered entity make a profit. The preamble further clarifies that communications about generic equivalents, encouraging individuals to take their prescribed medications, or regarding all aspects of a drug delivery system (e.g., insulin pump), fall within the scope of the exception.

Other exceptions to marketing for face-to-face communications and promotional gifts of nominal value remain unchanged.

Fundraising Restrictions - Prior to the HITECH Act, covered entities were permitted to use or disclose to a business associate or an institutionally related foundation demographic information and dates of health care provided to an individual for the covered entity’s fundraising.  The Omnibus Rules expand the type of information that can be used or disclosed for fundraising purposes to include the department of service, treating physician, outcome information and health insurance status.

Previously, covered entities that intended to use PHI for fundraising were required: (1) to include a statement in their privacy notices that they may contact individuals for fundraising purposes; (2) to describe in any fundraising materials how to opt out of receiving future fundraising communications; and (3) to make reasonable efforts to ensure that individuals who opted out of receiving fundraising communications were not sent future fundraising communications.

The Omnibus Rules strengthen the opt-out requirement by requiring that covered entities: (1) add to their privacy notices a statement that individuals have the right to opt out of receiving fundraising communications; (2) include in each fundraising communication a clear and conspicuous opportunity for the individual to elect not to receive further fundraising communications; (3) utilize an opt-out method that does not unduly burden the individual or cost more than a nominal amount; (4) ensure (and not just make reasonable efforts to ensure) that fundraising communications are not sent to an individual who has opted out of receiving such materials; and (5) not condition treatment or payment on an individual’s choice with respect to receiving fundraising communications. 

Covered entities may allow individuals to opt back in to receiving fundraising communications.  However, a donation to a covered entity should not be considered an election to opt back in to receiving fundraising communications.

Although the restrictions on fundraising apply to all covered entities, they are unlikely to impact plan sponsors of group health plans.

Prohibition on the Sale of PHI - Consistent with the HITECH Act, the Omnibus Rules prohibit a covered entity or business associate from receiving direct or indirect remuneration (including nonfinancial benefits) in exchange for any PHI of an individual, unless the covered entity obtains a valid authorization from the affected individual. The authorization must state that the covered entity is receiving direct or indirect remuneration in exchange for PHI.

The prohibition does not apply to exchanges where the purpose is for:

  • Public health activities;
  • Research purposes, provided that the covered entity or business associate receives only a reasonable, cost-based fee to cover the cost to prepare and transmit the information for research purposes;
  • Treatment and payment purposes;
  • Health care operations involving the sale, transfer, merger or consolidation of all or part of a covered entity and for related due diligence;
  • Payment that is provided by a covered entity to a business associate (or by a business associate to a subcontractor) for activities involving the exchange of PHI that the business associate undertakes on behalf of the covered entity (or the subcontractor undertakes on behalf of a business associate) and the only remuneration provided is for the performance of such activities;
  • Providing an individual with a copy of his/her PHI or an accounting of disclosures;
  • Disclosures required by law;
  • Disclosures of PHI for any other purpose permitted by and in accordance with the Privacy Rule, as long as the only remuneration received by the covered entity or business associate is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or is a fee otherwise expressly permitted by other law; or
  • Any other exceptions allowed by HHS.

Changes to Individual Privacy Rights

Access to Electronic PHI Maintained in a Designated Record Set - The Privacy Rule currently provides that, subject to certain exceptions, an individual has a right to inspect and obtain a copy of the individual’s PHI.  If an individual requests a copy of his/her PHI, the covered entity may charge a reasonable fee for the cost of supplies, labor and postage.

The Omnibus Rules provide individuals with the right to access all electronic PHI maintained in a designated record set in an electronic format and to direct covered entities to send the information directly to a third party.  The preamble to the final regulations provides the following additional guidance:

  • Covered entities must provide individuals with an electronic copy of electronic PHI maintained in a designated record set.  Covered entities are not required to provide individuals with direct access to their administrative systems. 
  • HHS expects covered entities to provide the individual with a machine readable copy (e.g., MS Word or Excel, text, HTML or text-based PDF) of the individual’s electronic PHI in a designated record set.  If the individual declines any of the electronic formats offered by the covered entity, the covered entity may satisfy its obligation by sending a hard copy.
  • Covered entities are permitted to send PHI to individuals in unencrypted emails if they have advised the individual of the risk and the individual still prefers the unencrypted email. 
  • HHS expects that some covered entities may need to make some investment to comply with the requirement if they utilize systems that are not capable of providing any form of electronic copy (e.g., legacy systems). 

If requested by the individual, the covered entity must transmit the copy of electronic PHI maintained in a designated record set directly to another person designated by the individual, provided that the individual’s request is in writing, signed by the individual, and clearly identifies the designated person and where to send the copy of PHI.  Covered entities must implement reasonable policies and procedures to verify the identity of the individual making the request, as well as reasonable safeguards to protect information that is disclosed.

Covered entities may impose a reasonable, cost-based fee, provided that the fee includes only the cost of labor, supplies, and postage, and for preparing an explanation or summary, if agreed to by the individual.  The preamble clarifies that labor costs could include skilled technical staff time spent to create and copy the electronic file, but not retrieval fees.

The Omnibus Rules shorten the timeframe for responding to individual requests to access PHI.  Covered entities are required to approve or deny a request to access PHI within 30 days of the request.  The 60-day timeframe for responding to a request for access when PHI is not maintained onsite has been eliminated.  In extenuating circumstances where access cannot be provided within 30 days, the covered entity may have a one-time, 30-day extension if the individual is notified of the need for the extension within the original timeframe.

Right to Request Restrictions on Disclosures - The Privacy Rule currently provides that an individual can request restrictions concerning how the individual’s PHI can be used or disclosed for treatment, payment, and health care operations or to certain persons involved with the individual’s care. Covered entities are not required to agree to the restrictions requested. 

The Omnibus Rules require that covered entities agree to an individual’s request not to disclose PHI to a health plan for payment or health care operations if the individual has paid for the service out of his/her pocket in full and the disclosure is not otherwise required by law. The preamble clarifies that the requirement applies only to covered health care providers and not health plans.   

Privacy Notice Requirements

The Omnibus Rules require that covered entities update their privacy notices to include the following:

  • A description of the types of uses and disclosures that require an authorization (i.e., most uses and disclosures of psychotherapy notes if the covered entity records or maintains psychotherapy notes, uses and disclosures for marketing, and disclosures that constitute a sale of PHI).
  • If the privacy notice indicates that the covered entity may send fundraising communications, a statement that an individual has a right to opt out of fundraising communications.
  • If a health plan intends to use or disclose PHI for underwriting purposes, a statement that genetic information may not be used for underwriting purposes. 
  • A statement that the covered entity is required to notify affected individuals following a breach of unsecured PHI.
  • For covered providers, a description of an individual’s right to restrict certain disclosures of PHI to a health plan where the individual pays out-of-pocket in full for the health care item or service.  Health plan privacy notices need not include this statement.

Privacy notices no longer need to indicate that a covered entity may contact the individual to provide appointment reminders or information about treatment alternatives or other health-related benefits and services.

Under the current rules, health plans have to redistribute their privacy notices within 60 days of a material revision.  The Omnibus Rules revise the distribution requirements as follows:

  • If a health plan posts its notice on a website, the plan must: (1) post the change or its revised notice on its website by the effective date of the material change (e.g., by September 23, 2013 for the Omnibus Rules’ changes); and (2) provide the revised notice or information about the material change and how to obtain the revised notice in its next annual mailing to individuals covered under the plan, such as at the beginning of the plan year or during the open enrollment period.
  • If a health plan does not post its notice on a website, the plan must provide the notice, or information about the change and how to obtain the revised notice, to covered individuals within 60 days of the material revisions to the notice.

Modifications to the HIPAA Privacy Rule for GINA

The Genetic Information Nondiscrimination Act of 2008 (GINA) prohibits discrimination based on an individual’s genetic information in both the health coverage (Title I) and employment (Title II) contexts.  Title I generally prohibits group health plans and health insurance issuers from: (1) discriminating on the basis of genetic information (which includes family medical history) with respect to eligibility, premiums and contributions; (2) requesting or requiring an individual to take a genetic test, except under limited circumstances; and (3) requesting, requiring, or purchasing genetic information for underwriting purposes or prior to or in connection with enrollment.

GINA also required that HHS revise the Privacy Rule to clarify that genetic information is health information and to prohibit group health plans and issuers from using or disclosing genetic information for underwriting purposes.  Therefore, the Omnibus Rules: (1) prohibit all health plans covered by the Privacy Rule, except long-term care policies (a broader group of plans than those directly subject to GINA), from using or disclosing PHI that is genetic information for underwriting purposes; (2) require that health plans revise their privacy notices to state that if they use or disclose PHI for underwriting purposes, they will not use or disclose genetic information for underwriting purposes; and (3) make a number of conforming changes to definitions under the Privacy Rule, which may necessitate changes to covered entities’ policies and procedures.

New Enforcement Provisions

The HITECH Act significantly increased the civil penalties by establishing four categories of violations that reflect increasing levels of culpability and four corresponding tiers of penalty amounts.  The Omnibus Rules incorporate the increased and tiered civil money penalty structure originally published in an interim final rule.

| Violation category                                                          | Each violation        | All such violations of an identical provision in a calendar year |
|-----------------------------------------------------------------------------|-----------------------|------------------------------------------------------------------|
| Did Not Know and by Exercising Reasonable Diligence, Would Not Have Known   | $100–$50,000          | $1,500,000                                                       |
| Reasonable Cause                                                            | $1,000–$50,000        | $1,500,000                                                       |
| Willful Neglect, but Timely Corrected                                       | $10,000–$50,000       | $1,500,000                                                       |
| Willful Neglect, and Not Timely Corrected                                   | $50,000 (no maximum)  | $1,500,000                                                       |

The Omnibus Rules also: (1) update the factors to be considered in determining the amount of a civil monetary penalty; (2) make corresponding changes to the affirmative defense and waiver provisions; and (3) clarify that HHS will formally investigate any complaint or conduct a compliance review when a preliminary review of the facts indicates a possible violation due to willful neglect.

Other Changes

The Omnibus Rules make a number of other changes including:

  • Limit the application of the Privacy and Security Rules to PHI of deceased individuals to a period of 50 years following the individual’s date of death.
  • Clarify that covered entities may disclose a decedent’s PHI to family members and others who were involved in the decedent’s care or payment for care, unless doing so is inconsistent with any prior expressed preference of the individual that is known by the covered entity.
  • Allow covered entities to disclose proof of immunization to a school where state or other law requires that the school have such information prior to admitting the student, provided that the covered entity obtains and documents that the individual, a parent, guardian or other person acting in loco parentis for the individual, agreed (even verbally) to the disclosure.
  • Allow combined authorizations for conditioned and unconditioned research components (except to the extent the research involves the use or disclosure of psychotherapy notes), provided that the authorization clearly differentiates between the conditioned and unconditioned research components and allows the individual the option to opt in to the unconditioned research activities.
  • Clarify in the preamble that an employer that operates an on-site clinic for the treatment of its employees may be a covered provider to the extent the clinic performs one or more covered transactions electronically, such as billing a health plan for the services provided.  It is important to note that such clinics may also be considered group health plans, subject not only to HIPAA but to ERISA as well.

More Changes Expected

Minimum Necessary Requirement - Subject to certain exceptions, a covered entity may only use or disclose PHI if it has made reasonable efforts to limit PHI to the minimum amount necessary to accomplish the intended purpose. The HITECH Act directs HHS to issue regulations regarding what is considered “minimum necessary.” The Omnibus Rules indicate that HHS intends to issue future guidance on the minimum necessary standard.  In the interim, covered entities should limit the use or disclosure of PHI to the limited data set, to the extent practicable. 

Right to an Accounting - The HITECH Act expanded an individual’s right to an accounting for disclosures of PHI involving treatment, payment and health care operations if electronic health records are used. HHS issued proposed regulations in 2011 that modified an individual’s right to an accounting and added a new right to an “access report” that provides certain information about every time the individual’s electronic PHI that is maintained in a designated record set is accessed.  The Omnibus Rules do not address the changes to an individual’s accounting rights.