The wait is over. The new HIPAA omnibus rule that the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) issued in January officially took effect on March 22, 2013. The deadline for compliance with most provisions is 180 days later on September 23, 2013. This means that covered entities, business associates, and subcontractors have limited time to ensure compliance. As discussed below, taking proper steps now is important, because the new rules implement a number of significant changes to HIPAA that expand the types of entities responsible for protecting patient data and reporting data breaches.
Extension to Business Associates
One of the biggest changes is that business associates are now directly responsible for complying with the Privacy Rule and Security Rule of HIPAA. A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (“PHI”) on behalf of, or provides services to, a covered entity. These functions and activities include claims processing, data analysis, billing, benefit management, and legal, actuarial, accounting, and financial services.
In addition, the new rule adds “subcontractors” to the definition of “business associate,” which means that subcontractors that perform functions for or provide services to a business associate are also deemed business associates when they create, receive, maintain or transmit PHI on behalf of the business associate. This broad, new definition means that any subcontractor, no matter how far removed from the original contractor, is considered a HIPAA “business associate” if it handles PHI.
Because the new rule applies the HIPAA Privacy Rule directly to business associates, both business associates and their subcontractors must now make “reasonable efforts” to limit their use, disclosure, and request for PHI to the “minimum necessary to accomplish the intended purpose of the use, disclosure, or request.” This will likely change the flow of PHI from business associates and subcontractors by making these organizations focus on the specific PHI they need to use, disclose, or request in order to perform their services.
The new rule also makes business associates and their subcontractors directly responsible for the HIPAA Security Rule. As a result, business associates and their subcontractors must develop comprehensive, written HIPAA security policies and procedures. They also must implement the specific administrative, physical, and technical safeguards for the data that are required by the Security Rule. In addition, business associates must now enter into written contracts with subcontractors that contain specific provisions required by the HIPAA Privacy and Security Rules, whereas they previously were only required to “ensure” that subcontractors agreed to the same restrictions on the use and disclosure of PHI.
Breach Notification
The new rule also changes the requirements for breach notifications. Previously, the rules defined a “breach” as occurring only when the compromise of PHI presented a “significant risk of financial, reputational, or other harm to the individual.” This harm threshold will remain in effect until the interim compliance period ends on September 23, 2013. After that time, a new definition of breach will come into play.
Under the new rules, HHS eliminated the harm threshold and replaced it with a standard under which any use or disclosure of PHI that is not allowed by the Privacy Rule is presumed to be a reportable breach unless the covered entity or business associate can demonstrate, through a documented risk assessment, that there is a “low probability” that the PHI has been compromised. This risk assessment must include consideration of the following four factors: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated.
Enforcement and Penalties
Under the new rule, HHS has retained the high penalty structure currently in effect, meaning that penalties can range anywhere from $100 to $50,000 per violation, depending on culpability, up to an annual maximum cap of $1.5 million on a per-provision basis. The difference is that business associates and subcontractors are now directly liable for their violations. Of course, covered entities still can be penalized for their violations as well. In addition, HHS is now required to conduct compliance reviews if willful negligence is indicated following a preliminary review of the facts.
These are just a few of the changes made by the new HIPAA rule. In addition, the new rule includes “genetic information” as a new type of health information subject to HIPAA rules, and thus imposes restrictions prohibiting health plans from using genetic information for underwriting purposes. The new rule addresses multiple privacy issues related to uses and disclosures of PHI, such as communications for marketing or fundraising, exchanging PHI for remuneration, disclosures of PHI to persons involved in a patient’s care or payment for care, and disclosures of student immunization records.