Just announced modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act (GINA) are intended to accomplish the following:
- Provide further clarity regarding the reporting of breaches
- Establish new rules on the use of patient-identifiable information for marketing and fundraising
- Expand the liability reach of hospital and physician “business associates” as well as other “HIPAA-covered entities”
Who will be impacted?
Covered entities and business associates of all sizes.
When will these changes go into effect?
The final rule is effective on March 26, 2013. Covered entities and business associates of all sizes will have 180 days beyond the effective date of the final rule to come into compliance with most of the final rule’s provisions, including the modifications to the Breach Notification Rule and the changes to the HIPAA Privacy Rule under GINA.
What are the details of the new requirements?
The new rule, referred to as the “Omnibus Privacy and Security Rule,” strengthens the current HIPAA rules by enhancing the privacy and security measures passed under the American Recovery and Reinvestment Act of 2009.
A. Under the Omnibus Rule, the following modifications have been established:
- Finalizes modifications of Privacy, Security, and Enforcement Rules to strengthen privacy and security protections for health information
- Finalizes modifications to the Privacy Rule, proposed in July 2010
- Finalizes modifications to the Breach Notification Rule
- Revises the HIPAA Privacy Rule to increase privacy protections for genetic information, as required by the Genetic Information Nondiscrimination Act of 2008 (GINA)
B. Administrative Definitions, Part 160, Subparts A-B
Business associate – Expansion of the definition of “business associate” to include patient safety organizations (PSOs), health information organizations (HIOs) and subcontractors.
- Patient safety organizations (PSOs) receive and analyze protected health information (PHI) on behalf of covered health care providers.
- Health information organizations (HIOs) include e-prescribing gateways, other persons that provide data transmission services or facilitate access to health records, and vendors of personal health records provided on behalf of covered entities.
- Subcontractors (or agents) that perform services for a business associate are also considered business associates to the extent their services require access to PHI.
Electronic media – The definition of electronic media has also been modified as follows:
- Replace the term “electronic storage media” with “electronic storage material.”
- Expand the definition to include intranets.
- Incorporate voice transmissions that were electronically stored prior to transmission. In addition, the preamble stated that devices that store PHI are subject to the Privacy and Security Rules regardless of whether such storage was intentional.
C. Rule Enforcement, Part 160, Subparts C-D
Enforcement Rule provisions are more severe than before. Below are examples of enforcement changes under the final rule:
- The Department of Health and Human Services (HHS) will (as opposed to “may”) investigate all complaints when evidence indicates a possible violation due to willful neglect.
- HHS may proceed directly to the imposition of civil monetary penalties (CMPs). The previous interim final rule required HHS to first attempt informal resolution of investigations or compliance reviews; under the final rule, such efforts are voluntary.
- HHS adopted changes to the Enforcement Rule, by interim final rule, to establish tiers of penalties based on the degree of culpability exhibited by the entity.
- The Omnibus Rule clarified the definition of “reasonable cause” as it pertains to the penalty tier for violations due to reasonable cause and not to willful neglect.
- Covered entities and business associates are liable for activities of their agents, regardless of their own compliance.
- The tiered format providing for monetary penalties based on culpability category has been adopted. Penalties range from $100 to $50,000 per occurrence, and each category has the same maximum annual penalty of $1.5 million for all violations of a specific provision.
D. Privacy and Security, Subparts A and C
The Omnibus Rule made clear that, where indicated, the standards, requirements and implementation specifications of the HIPAA Privacy, Security, and Breach Notification Rules apply to business associates.
Business associates are now directly liable for compliance with the Security Rule. This means they must comply with the Security Rule’s requirements for (1) administrative, physical and technical safeguards; (2) policies and procedures; and (3) documentation in the same manner as covered entities. Furthermore, business associates are civilly and criminally liable for violations of these provisions.
E. Breach Notification
Under the Omnibus Rule, HHS amended § 164.402 to significantly modify the definition of “breach” and the risk assessment approach. HHS stated that the definition in the Interim Final Rule and the language in its preamble could be misconstrued and implemented incorrectly, and therefore made the following changes:
- HHS added to the definition of “breach” that an impermissible acquisition, access, or use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate “demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment.”
- HHS removed the harm standard and modified the risk assessment requirement to focus more objectively and uniformly, rather than subjectively, on the probability that PHI has been compromised.
Under the new language in the Omnibus Rule, breach notification is not required if a covered entity or business associate can demonstrate through a risk assessment that a low probability exists that the PHI has been compromised, rather than demonstrating that there is no significant risk of harm to the individual (as under the Interim Final Rule).
- HHS recognized that the risk assessment approach is necessary in determining whether notification is required. The following factors must be considered by covered entities or business associates as they assess the probability that PHI was compromised:
  - The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  - The unauthorized person who used the PHI or to whom the disclosure was made
  - Whether the PHI was actually acquired or viewed
  - The extent to which the risk to the PHI has been mitigated
- Under the Omnibus Rule modifications, a risk assessment must be performed after the impermissible use or disclosure of any PHI, including limited data sets, in order to determine if breach notification is required.
The Omnibus Rule has enhanced the requirements for breach notification to provide better guidance.
- Notification to individuals - Covered entities are ultimately responsible for notifying affected individuals of a breach, although covered entities are allowed to delegate the responsibility to the business associate that caused the breach or to another of its business associates. A covered entity and its business associate should evaluate which one is in the best position to provide the required notice to the affected individual.
- Notification to the media - HHS also provided clarifying guidance on three issues relating to notice to the media. First, a covered entity is not required to incur any cost to print or run a media notice. Second, prominent media outlets which receive the notification are not obligated to print or run information about the breach. Third, the posting of a press release on a covered entity’s website does not fulfill the requirements for media notification; the required notification must be provided directly to the media outlet where the affected individuals reside.
- Notification to the Secretary of HHS - HHS modified the Breach Notification Rule to clarify that covered entities must notify the Secretary of all breaches of unsecured PHI affecting fewer than 500 individuals no later than 60 days after the end of the calendar year in which the breaches were discovered, not the year in which the breaches occurred. On the issue of “immediately” reporting breaches involving 500 or more individuals, HHS noted that immediate reporting requires the covered entity to notify the Secretary contemporaneously with its notice to the affected individuals.
- Notification by a business associate - HHS noted that where a business associate is acting as an agent of a covered entity, under the federal common law of agency, the business associate’s discovery of the breach will be attributed to the covered entity. In such a case, the covered entity will be required to provide notification based on when the business associate discovered the breach, not when the business associate notifies the covered entity. However, if the business associate is not an agent, then the covered entity is required to provide notification based on the time when it is notified of the breach by the business associate.
F. Modifications to the Privacy Rule Under GINA
Section 105 of the Genetic Information Nondiscrimination Act of 2008 (GINA) requires HHS to amend the Privacy Rule to explicitly state that “genetic information” is PHI and to prohibit certain health plans from using genetic information for underwriting purposes.