On January 17, 2013 HHS released an Omnibus Final Rule which modifies the HIPAA Privacy, Security and Enforcement Rules, and implements the HIPAA Breach Notification Rule.  The Final Rule contains over 600 pages, a full summary of which is beyond the scope of this post.  Taking a step back from the abundance of volume and detail, we have identified the following key provisions and changes that Covered Entities and their Business Associates should be aware of:

The Final Security Breach Notification Regulation:

• The HITECH amendment to HIPAA originally required notification to individuals in the event of specific kinds of security breaches involving protected health information (“PHI”) and specifically where there was a “significant risk of financial, reputational, or other harm.”  The Final Rule significantly modified this notice requirement.
• More specifically, the Final Rule abandoned the “risk of harm” standard and modified the “presumption” for breach reporting so that it is now clear that notification is required to the affected individuals unless the covered entity “demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment.”  In other words, instead of a “risk of harm” standard, the entity must perform a more objective “risk assessment” to determine if there is a low probability of a “compromise” of the PHI.  If the risk assessment reveals a low probability of compromise, notification is not required.  In other words, not every HIPAA violation is a security breach.
• The risk assessment should consider the nature and extent of the protected health information involved, including types of identifiers and likelihood of re-identification; the unauthorized person who used the protected health information or to whom the disclosure was made; whether the protected health information was actually acquired or viewed; and the extent to which the risk to the protected health information has been mitigated.

 

For Business Associates (“BA”):

• BA must comply with the technical, administrative, and physical safeguard requirements under the Security Rule, and they are liable for Security Rule violations;
• BA must comply with use or disclosure limitations expressed in its contract and those in the Privacy Rule, and criminal and civil liabilities attach for violations;
• BA definition expressly includes Health Information Organizations, E-prescribing Gateways, and PHR vendors that provide services to covered entities;
• Subcontractors of a BA are now defined as a BA, which clarifies that BA liability flows to all subcontractors; and
• BA agreements will need to be reviewed and possibly modified because the Omnibus Final Rule modifies the minimum required contents.  In addition to previously required provisions, these agreements must now include provisions that require business associates to: (a) comply with the HIPAA Security Rule’s requirements, (b) report any security breach to the covered entity, (c) enter into a business associate agreement with any subcontractor that receives the covered entity’s PHI, and (d) comply with the provisions of the HIPAA Privacy Rule applicable to any obligation which the covered entity delegates to the business associate, such as the obligation to provide an individual with access to his or her PHI.

 

For Consumers:

• Right to electronic copy of electronic health record and/or the right to direct a copy to a designated third party;
• Prohibition on sale of PHI without authorization; and
• Right to restrict disclosures from being made to health plans for treatment and services paid for in cash.

 

Update to Genetic Information Nondiscrimination Act:

• Requires “Genetic Information” be treated as PHI;
• Prohibits Health Plans from using or disclosing genetic information for underwriting purposes; and
• Terms and definitions track regulations prohibiting discrimination in provision of health insurance based on genetic information

 

Important Dates:

• Public Display of Rule at Federal Register – January 17, 2013
• Rule Published in Federal Register – January 25, 2013
• Effective Date of Rule Changes  – March 26, 2013
• Required Rule Compliance Date – September 23, 2013
• Date by which BA contracts must conform to new Rule – September 22, 2014