Beginning September 23, 2013, compliance with the final rule amending regulations under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) is required by health care providers, health plans, other covered entities, subcontractors, and their business associates. Informally referred to as the “Omnibus Rule,” the new regulations address various changes to HIPAA, including rules relating to privacy, security, breach notification, security enforcement, and the interaction between Genetic Information Nondiscrimination Act (GINA). Notably, the new final rule, issued by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), widens the applicability of HIPAA.
According to the American Medical Association (AMA), the new rules expand the obligations of physicians and other health care providers to protect patients’ protected health information (PHI), and extend the obligations to other individuals and companies who, as “business associates,” have access to PHI. In addition, penalties for violations of these obligations will also be increased. While the new rules generally affect physicians and healthcare providers, numerous types of businesses, including IT training firms that work with healthcare clients, law firms, accounting firms, actuarial and financial companies will also be impacted by these changes. Changes also include new limitations on the sale of protected health information, marketing, and fundraising. While the Omnibus Rule brings many changes to HIPAA/HITECH, one of the most important changes to HIPAA is that the new rule expands the definition of individuals and companies that must be treated as business associates.
Extension to Business Associates
A business associate is a “person or entity that performs certain functions or activities that involve the use or disclosure of protected health care information on behalf of, or provides services to, a covered entity.” The rule not only clarifies that vendors that require “routine” or “more than random” access to PHI are Business Associates, but also deems any subcontractor a Business Associate to the extent that a subcontractor requires access to PHI.
Examples of vendors include: data storage vendors, providers of data transmission services, entities that provide oversight and governance for electronic health information exchanges. Among other things, Business Associates must execute Business Associate Agreements (BAA), in which they agree to comply with HIPAA Privacy and Security Rules. The new rule also imposes direct liability on Business Associates for compliance with certain HIPAA requirements. Specifically, with the passage of the Omnibus Rule, Business Associates are required to:
• Use or disclose PHI only as permitted or required by the BAA or the law;
• Limit the PHI that the Business Associates use, disclose or request to the minimum necessary for their intended purpose;
• Disclose PHI when required by the HHS to investigate the Business Associate’s compliance with HIPAA/HITECH.
• Give notice of such a security breach to the health plan or health care provider, and will need to identify each individual whose unsecured protected health information was illegally accessed, acquired, or disclosed.
Enforcement and Penalties
HHS must conduct a formal investigation and impose civil monetary penalties in cases involving willful neglect. Penalties are now increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The assessment of penalties will be based on five factors:
1) the nature and extent of the violation, including the number of individuals affected;
2) the nature and extent of the harm resulting from the violation, including reputational harm;
3) the history and extent of prior compliance;
4) the financial condition of the covered entity or business associate; and
5) other matters that justice requires.
Keeping in mind the increased penalties for failure to comply, taking proper steps to ensure compliance is especially important. If you have any questions and/or want to ensure your business is prepared to comply with the Omnibus Rule, our Northern California business attorneys can help. You can contact one of our lawyers using our online contact form, or by calling us at (925) 463-1073.
New rule protects patient privacy, secures health information, U.S. Department of Health & Human Services
The Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule Summary, American Medical Association