On January 17, 2013, the U.S. Department of Health and Human Services (HHS) released its final omnibus rule to increase HIPAA privacy and security protections by implementing provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and Genetic Information Nondiscrimination Act of 2008 (GINA). Among these changes is an expansion of liability under the HIPAA Privacy and Security Rules to business associates of covered entities and to subcontractors of business associates. The final omnibus rule also increases penalties for noncompliance based on levels of negligence, with a maximum annual cap of $1.5 million for violations of identical standards. The final omnibus rule also changes the standard under HITECH Breach Notification requirements for determining whether there has been a breach of unsecured protected health information. The new standard will make it harder to rationalize that no breach has occurred. The final omnibus rule also expands certain individual rights under HIPAA.
• Expansion of the Privacy and Security Rules with regard to Business Associates
One of the more significant changes in the final omnibus rule is the modification of the definition of business associate to include subcontractors. Previously, if a business associate engaged a subcontractor to assist in the performance of the business associate’s services, then the business associate merely had to “ensure” that the subcontractor would comply with the terms of the business associate’s business associate agreement with the covered entity. The final omnibus rule expanded the definition of business associate to include directly such subcontractors. The definition of business associate was also revised to include health information organizations, e-prescribing gateways, and other entities that provide data transmission services and that require access to protected health information (PHI) on a routine basis, as well as entities that offer a personal health record product.
In addition to expanding the definition of business associate, the rule also made directly applicable to business associates many of the requirements of the privacy and security regulations. Whereas before, business associates were bound only by the terms of their business associate agreements, now business associates (the definition of which now includes subcontractors) must comply with parts of the regulations in their own right, and are subject to enforcement along with covered entities. This will require business associates to implement HIPAA compliance initiatives and measures.
• Other Modifications to the Privacy and Security Rules
The final omnibus rule included several other noteworthy changes to the privacy and security regulations, including:
Sale of PHI. Under the final rule, a covered entity or business associate must obtain an authorization for any disclosure of PHI that would be considered a “sale” of PHI, and the authorization must expressly state that the disclosure is part of a sale. The “sale” of PHI means a disclosure of PHI by a covered entity or business associate in exchange for direct or indirect remuneration. There are a number of exceptions to this rule.
Individual Right to Limit Certain Disclosures of PHI to Health Plans. Previously, HIPAA permitted an individual to request restrictions on the disclosure of the individual’s PHI, but the covered entity was not required to agree to implement the restriction. However, the final omnibus rule now requires a covered entity healthcare provider to agree to an individual’s request to restrict disclosure of PHI to health plans under the following circumstances: (1) the request is to restrict disclosures to a health plan for payment or health care operations purposes; (2) the disclosure is not otherwise required by law; and (3) the PHI relates solely to a health care item or service for which payment has been made in full by the individual or a third party other than the health plan (e.g., the patient paid out of pocket.
Changes to the Notice of Privacy Practice. The final omnibus rule requires a number of changes to the Notice of Privacy Practices (Notice) published by covered entities. Notices must now include a general statement that the covered entity is required by law to notify affected individuals following a breach of unsecured PHI. The Notice must be revised to describe certain types of uses and disclosures that require an authorization, including disclosures of psychotherapy notes, marketing communications and the sale of PHI. The Notice must state that other uses and disclosures not described in the Notice will be made only with the individual’s authorization. The Notice must make individuals aware that they can restrict certain disclosures to health plans (described above).
Please click the link below to read the full alert.