HIPAA Rules Overhaul Ups Compliance Ante

by Pullman & Comley, LLC

Hartford Business Journal
February 11, 2013

Attention all medical providers, hospitals and any other covered entity or business associate under HIPAA. On Jan. 17, the U.S. Department of Health and Human Services (HHS) issued a press release announcing "the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented" in the form of the HIPAA final omnibus rule.

This long-awaited final rule will become effective on March 26 and compliance must be achieved by Sept. 23. If you are not inclined to read the full 563 pages of the published rule and preambles, I will attempt here to provide a high-level outline of the significant changes.

As you may imagine, the interpretation and enforcement of privacy and security rules (HIPAA and others) tend to be driven by complicated and fact-specific analyses. Digesting this rule will be an evolving process.

Also, HIPAA enforcement actions appear to be on the rise. The recent $50,000 fine of a covered entity by HHS for the loss of less than 500 records suggests an increasingly lower threshold for triggering regulatory enforcement interest. Every covered entity and business associate (and now, subcontractor to business associates) — no matter how large or small — should have a reliable compliance program in place to meet these compliance obligations.

The omnibus rule provides changes primarily in the following areas (taken from the executive summary of the rule):

  • It makes final modifications to the HIPAA Privacy, Security and Enforcement Rules mandated by the HITECH Act that:
      • Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules' requirements;
      • Strengthen the limitation on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of such information without individual authorization;
      • Expand individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out-of-pocket in full;
      • Require modifications to, and redistribution of, a covered entity's notice of privacy practices;
      • Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others;
      • Adopt the additional HITECH Act enhancements to the enforcement rule not previously adopted in the Oct. 30, 2009 interim final rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
  • It incorporates the increased and tiered civil money penalty structure (now up to a maximum of $1.5 million for violations due to uncorrected willful neglect) provided by the HITECH Act, originally published as an interim final rule on Oct. 30, 2009.
  • It creates the final rule on Breach Notification for Unsecured PHI under the HITECH Act, which replaces the breach notification rule's "harm" threshold and supplants an interim final rule on this topic published on Aug. 24, 2009.
  • It creates the final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act to prohibit most health plans from using or disclosing genetic information for underwriting purposes.

While all of these changes are significant and each could comprise a lengthy article on the strategies and requirements for compliance, one of the most noteworthy from an enforcement perspective is the new analysis required when determining whether a security event rises to the level of a reportable data breach.

The final rule now presumes that any access to protected health information that is not permitted by law constitutes a breach unless the covered entity or business associate can demonstrate that there is a "low probability" that the protected health information has been compromised, based on a risk assessment of at least the following factors:

  • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the protected health information or to whom the disclosure was made;
  • Whether the protected health information was actually acquired or viewed;
  • The extent to which the risk to the protected health information has been mitigated.

Each of these factors can take quite a bit of time to evaluate, and the standard for determining what reasonably could be considered "low" risk is best informed by professionals who routinely deal with data breach and security issues. The analysis also cannot be merely conclusory, because it is subject to hindsight review by HHS. In other words, be prepared to "show your math" when defending any conclusion that a security event is not a reportable breach: your investigative action plan, your factual review and expert consultations, and the potential impact on your consumers.

While many are pleased by the feeling of regulatory stasis that this rule creates, we know that nothing is ever "final" when it comes to this area of law — even though this final rule is here today, be prepared for even more changes in this space as technology continues to expand and communications and data mining capabilities increase the mobility of all kinds of personal data. One thing is clear, however — regardless of your business' size or location — HIPAA and privacy/security enforcement is here to stay, and the feds (and state attorneys general) mean business.

Steven J. Bonafonte is a partner in the Hartford office of Pullman & Comley, LLC. His practice includes providing general counsel services to corporate and government entities, privacy, information security, ethics and compliance, and anti-fraud and corporate internal investigations. He can be reached at sbonafonte@pullcom.com.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pullman & Comley, LLC | Attorney Advertising
