HHS Issues Final Omnibus Rule under HIPAA
On January 17, 2013, the U.S. Department of Health and Human Services (HHS) issued a press release announcing the modifications to the HIPAA Privacy and Security rules. The HHS issued the final rule to:
-modify the HIPAA Privacy, Security and Enforcement Rules to implement statutory amendments under HITECH to strengthen privacy and security protection for individuals’ health information (applying Security Rule standards, certain Privacy Rules directly to business associates);
-modify the rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule) under HITECH Act (access/disclosure of PHI not permitted is presumed a breach);
-modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing GINA provision (Genetic Information Nondiscrimination Act of 2008);
-make certain other modifications to the HIPAA Rules in order to improve effectiveness, flexibility.
The final rule is effective March 26, 2013 and covered entities and business associates must comply with the applicable requirements of the final rule by September 23, 2013.
The regulations transform the relationship between covered entities and business associates, and, for the first time, regulates a new type of HIPAA entity: “subcontractors.” The rule replaces the “harm” standard in breach notification rules with a four-step determination as to whether notification is required.
The rule clarifies when breaches of information must be reported to the Office for Civil Rights, sets new rules on the use of patient-identifiable information for marketing and fundraising, and expands direct liability under the law to the so-called “business associates” of hospitals and physicians and other “HIPAA-covered entities.” Those associates might include a provider’s healthcare data-miners and health information technology service providers.
Final modifications to the Privacy, Security and Enforcement Rules (per HITECH) include:
• Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.
• Strengthen the limitations on the use and disclosure of protected health information without individual authorization.
• Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009 interim final rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
The final rule adopts the tiered civil money penalty structure. This included the modified “reasonable cause” definition, i.e., the second tier of the penalties (knew/should have known with reasonable diligence of violation but not willful neglect). The HITECH tiered penalty scheme is as follows:
(1) for violations in which it is established that the covered entity did not know and, by exercising reasonable diligence, would not have known that the covered entity violated a provision, an amount not less than $100 or more than $50,000 for each violation;
(2) for a violation in which it is established that the violation was due to reasonable cause and not to willful neglect, an amount not less than $1000 or more than $50,000 for each violation;
(3) for a violation in which it is established that the violation was due to willful neglect and was timely corrected, an amount not less than $10,000 or more than $50,000 for each violation; and
(4) for a violation in which it is established that the violation was due to willful neglect and was not timely corrected, an amount not less than $50,000 for each violation; except that a penalty for violations of the same requirement or prohibition under any of these categories may not exceed $1,500,000 in a calendar year.
In applying these amounts, HHS says it will not impose the maximum penalty amount in all cases but rather will determine the penalty amounts as required by the statute (i.e., based on the nature and extent of the violation, the nature and extent of the resulting harm, and the other factors).
The final rule adopts the language that expressly designates as business associates: (1) a Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires routine access to such protected health information; and (2) a person who offers a personal health record to one or more individuals on behalf of a covered entity.
HHS declined to provide a definition for Health Information Organization.
Data transmission organizations that do not require access to protected health information on a routine basis would not be treated as business associates.
The official publication for the new rule is scheduled for January 25, 2013.