By Carols Leyva
Published: February 3, 2013
HIPAA Omnibus Rule Summary
I have argued before that the HHS HIPAA Omnibus Rule ("the Rule") is neither a "Tweak" nor "Sweeping Reform." There is far too much substantive law included in the HIPAA Omnibus Rule for it to be characterized as the former. It also cannot be characterized as the latter. However, the HITECH Act was sweeping and, for the most part, the Omnibus Rule is simply HITECH-izing (read impacting) the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Breach Notification Rule, and HIPAA Enforcement Rule.
Sure there are some "odds and ends" that deal with something other than these four Rules, but that is a very small part. What is "sweeping" however, is the clarification and commentary that HHS has provided as part of the Final Omnibus Rule. For the foreseeable future the PDF Version of the Omnibus Rule will remain the “go to” place for HHS guidance on any number of issues. Although this article attempts to summarize the Omnibus Rule's changes to the various HIPAA Rules, there is simply no substitute for going to the source itself. That being said, on with the summary...
Give us 15 minutes... 800-516-7903...
and we'll show you just how far out of HIPAA Compliance you are.
Call 800-516-7903 to inquire about our FREE 15 DAY TRIAL
HHS's Summary of the HIPAA Omnibus Rule
HHS summarized the over 500 pages of Omnibus Rule as follows:
"This omnibus final rule is comprised of the following four final rules:
- Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications to improve the Rules, which were issued as a proposed rule on July 14, 2010. These modifications:
- Make Business Associates of Covered Entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules' requirements.
- Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
- Expand individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
- Require modifications to, and redistribution of, a Covered Entity's notice of privacy practices.
- Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
- Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
- Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009.
- Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule's "harm" threshold with a more objective standard and supplants an interim final rule published on August 24, 2009.
- Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on October 7, 2009."
The HIPAA Survival Guide's Take on the HIPAA Omnibus Final Rule
Although HHS presents an excellent summary at 100K feet, we will attempt a more detailed summary to give you a look at the prominent changes under each rule. In addition the Full HIPAA Omnibus Rule Text, as reflected in the updated Rules, is now available on the HIPAA Survival Guide. It is safe to say that "we aren't in Kansas anymore and this is not your daddy's HIPAA."
Before diving into a detailed review, we need to emphasize that much of the Omnibus Rule is not new rule making, but rather the finalization of HHS Interim Final Rules ("IFRs") and proposed rule making that was already available for public review. In short, there is very little new in the Omnibus Rule that hasn't been covered before. However, if you are unfamiliar with the HITECH Act and the HHS rule making that followed, the Omnibus Rule is likely to appear daunting and somewhat overwhelming.
It is our goal, as always, to simplify without losing any substance, and to help you see both the forest and the trees.
HHS' Prior Rule Making and Proposed Rules
Since enactment of the HITECH Act, a number of steps have been taken to implement the strengthened privacy, security, and enforcement provisions through rulemakings and related actions.
On August 24, 2009, the Department published interim final regulations to implement the breach notification provisions at section 13402 of the HITECH Act (74 FR 42740), which were effective September 23, 2009.
Similarly, the Federal Trade Commission (FTC) published final regulations implementing the breach notification provisions at section 13407 for personal health record vendors and their third party service providers on August 25, 2009 (74 FR 42962), effective September 24, 2009.
For purposes of determining what information the HHS FTC breach notification regulations apply, the Department also issued, first on April 17, 2009 (published on April 27, 2009, 74 FR 19006), and then later with its interim final rule, the guidance required by the HITECH Act under 13402(h) specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.
Additionally, to conform the provisions of the Enforcement Rule to the HITECH Act’s tiered and increased civil money penalty structure, which became effective on February 18, 2009, the Department published an interim final rule on October 30, 2009 (74 FR 56123), effective November 30, 2009.
The Department published a notice of proposed rulemaking (NPRM) on July 14, 2010, (75 FR 40868) to implement many of the remaining privacy, security, and enforcement provisions of the HITECH Act. The public was invited to comment on the proposed rule for 60 days following publication. The comment period closed on September 13, 2010. The Department received about 300 comments on the NPRM.
Comment: with the exception of the Genetic Information Nondiscrimination Act (i.e. the inclusion of genetic information as Protected Health Information) very little (if anything) in the Omnibus Rule comes from "outside" the Interim Final Rules or the NPRM of July 14, 2010. However, HHS clearly made modifications to the NPRM in the Omnibus Rule and made other modifications to conform the HIPAA regulations to the HITECH Act. These are best understood on a rule-by-rule basis as discussed below.
The final Omnibus Rule becomes effective on March 26, 2013. Covered entities and Business Associates of all sizes will have 180 days beyond the effective date of the final rule to come into compliance with most of the final rule’s provisions, including the modifications to the Breach Notification Rule and the changes to the HIPAA Privacy Rule under GINA. However, there are some key exceptions and extensions that you will want to pay attention to as discussed below.
The Interim Final Rules previously promulgated are "good law" (i.e. already in effect). Therefore, during the 180 day period before compliance with this Final Rule is required, Covered Entities and Business Associates are still required to comply with the breach notification requirements under the HITECH Act and must continue to comply with the requirements of the Interim Final Rule(s). Again, as indicated, much of what is contained in the Omnibus Rule simply should not come as a surprise.
Modifications to Key Definitions
Part of the key to understanding the HITECH/HIPAA regulations is to become intimately acquainted with core concepts as reflected in key definitions. Some of these key definitions were changed by the Omnibus Rule as described below.
The Omnibus Rule ("the Rule" or "Rule" or "Final Rule") contains a significant amount of discussion related to the changed definition of Business Associate. HHS goes into great length (see pp. 18-36 in the PDF) in discussing who is, and who is not, considered a Business Associate.
- The Rule adopts as Business Associates those identified as such in HITECH Act Section 13408, with slight modifications intended for clarity.
- The "conduit exception" still applies but is limited to an organization that merely transmits Protected Health Information (e.g. an ISP) as opposed to those that "maintain and store it" (e.g. a record storage company). The former is NOT a Business Associate but the latter is. Further, if a Covered Entity ("CE") or Business Associate ("BA") used a tool like Google Apps to maintain Protected Health Information related to its compliance initiative then Google would be a Business Associate and a contract is required. Comment: it is unlikely that a company like Google would enter into such a contract. Covered Entities and Business Associates, especially as organizations move to the cloud, should be mindful of this provision relating to "storage vendors".
- A subcontractor(s) who "creates, receives, maintains, or transmits Protected Health Information on behalf of a Business Associate, is a HIPAA Business Associate" and therefore "on the hook" for compliance with applicable rules (e.g. in general: Breach Notification Rule, HIPAA Security Rule, HIPAA Privacy Rule, etc.). Comment: the "downstream" impact of this modification is SO SIGNIFICANT that it warrants its own follow-up newsletter article.
- Covered Entities are required to obtain "satisfactory assurances" (i.e. that their Protected Health Information will be protected as required by the rules) from their Business Associates, and Business Associates are required to get the same from their sub-contractors (now Business Associates). Comment: this "chain of assurances" (and liability) follow the Protected Health Information wherever it leads and has widespread ramifications including those related to breach notification.
- Exceptions: in general, a person or entity is a Business Associate only in cases where the person or entity is conducting a function or activity regulated by the HIPAA Rules on behalf of a Covered Entity, such as payment or healthcare operations; therefore a researcher is NOT automatically a Business Associate of a Covered Entity despite the fact that it may be using the Covered Entity's Protected Health Information.
Protected Health Information
HHS decided to change the definition of Protected Health Information because the Privacy and Security Rules do not now protect the individually identifiable health information of persons who have been deceased for fifty (50) years.
The definition of Workforce was changed to make clear that the term includes the employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Business Associate, is under the direct control of the Business Associate, because some provisions of the Act and the Privacy and Security Rules place obligations on the Business Associate with respect to workforce members. In short, the term now applies to both Covered Eentities and Business Associates.
Section 13410 of the HITECH Act made several amendments to the Social Security Act to strengthen the HIPAA Enforcement Rule, which applies to the Secretary’s enforcement of all of the HIPAA Administrative Simplification Rules, as well as the Breach Notification Rule.
On October 30, 2009, the Department issued an interim final rule (IFR) revising the Enforcement Rule to incorporate the provisions of section 13410(d) of the HITECH Act that took effect immediately to apply to violations of the HIPAA Rules occurring after the enactment date of February 18, 2009. See 74 FR 56123. In general, section 13410(d) of the HITECH Act revised section 1176(a) of the Social Security Act to establish four categories of violations that reflect increasing levels of culpability and four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation, with a maximum penalty amount of $1.5 million annually for all violations of an identical provision.
Comment: what has been misunderstood by many is that the $1.5 million is not a comprehensive maximum fine for a given category/year, but rather a maximum for all identical violations. The commentary by HHS in the Omnibus Rule makes this clear. Therefore, there is no theoretical maximum fine per year. The maximum will ultimately be at the discretion of HHS and is dependent on how many different kinds of violations are found (see the Rule pp. 47-89).
HHS provides over forty (40) pages of commentary regarding the Enforcement Rule and there is no way we can do the full discussion justice. Therefore we will summarize what we believe to be the most salient points.
- Enforcement Rule (like all HIPAA rules) continues to preempt any State law that is contrary to it; however is does not preempt a State law that is "more stringent."
- The Secretary must formally investigate complaints indicating violations due to willful neglect, and impose civil penalties upon finding said violations. The investigation is triggered if the initial facts show the "possibility" of willful neglect (i.e. no finding of probability is required).
- The definition under 160.312 allows the Secretary to move directly to a civil penalty without exhausting informal resolution efforts, particularly in cases involving willful neglect.
- HHS, on a case-by-case basis, may expand any preliminary review and conduct additional inquiries for purposes of identifying a possible violation due to willful neglect.
- The HHS Secretary can coordinate with other law enforcement agencies on actions (e.g. State Attorney Generals and the FTC).
- Covered Entities and Business Associates are liable for the acts of their Business Associate agents. Comment: the Federal Common Law of Agency is controlling AND Covered Entities and Business Associates need to pay close attention to the amount of control they exercise over a third party with which they have a Business Associate contract. What the parties call each other is not dispositive; exercise of control is key.
- The Secretary retains the power to waive a civil penalty in whole or in part.
- How violations are counted for purposes of calculating a civil money penalty vary depending on the circumstances surrounding the noncompliance.
- Generally speaking, where multiple individuals are affected by an impermissible use or disclosure, such as in the case of a breach of unsecured protected health information, it is anticipated that the number of identical violations of the HIPAA Privacy Rule standard regarding permissible uses and disclosures would be counted by the number of individuals affected. Comment: You don't need to be a rocket scientist to understand the impact of this one aspect of the Enforcement Rule. Counting the kinds, and numbers, of violations encountered is "tricky business," but HHS drops this bomb regarding how counting is likely to be handled in the event of a breach.
- An organization's history of HIPAA compliance is relevant to the determination of the civil money penalty.
- The 30-day cure period for violations due to willful neglect (and other violations) begins on the date that an entity first acquires actual or constructive knowledge of the violation and will be determined based on evidence that HHS gathers during its investigation.
The Omnibus Rule modifications to the HIPAA Security Rule (and its definitions) tend to be more "conforming and procedural" than the modifications to the HIPAA Privacy Rule or the Breach Notification Rule (see the Rule pp. 89-103). If you are looking for the real "meat and potatoes" changes imposed by the Omnibus Rule then the place to start is with the latter two rules. That said, the HIPAA Security Rule ("SR") does not escape unscathed.
- Organizations may designate a "health care component" ("HCC") by documenting components of its organization that perform Covered Entity functions. However, a disclosure of Protected Health Information from the HCC to any other division that is not part of the HCC, including a Business Associate division, is treated the same as a disclosure outside the Covered Entity (see sections 164.105(a)(2)(ii)(C)-(E)).
- Business Associates and subcontractors of Business Associates (also now Business Associates) should already have in place security practices that either comply with the HIPAA Security Rule, or that only require modest improvements to come into compliance with the HIPAA Security Rule (see 164.314(a)). Comment: HHS is saying that compliance with the HIPAA Security Rule was required (to a degree) even before the HITECH Act and the Omnibus Rule. Therefore, the new HIPAA Security Rule requirements should just necessitate incremental adjustments. Although that may be true under the "letter of the law," as a practical matter nothing could be further from the truth. Prior to the HITECH Act HIPAA was an unenforced paper tiger. Business Associates have a lot of catching up to do, and for that matter, so do most Covered Entities.
- Section 164.306(c) now more clearly indicates that Covered Entities and Business Associates must review and modify security measures as needed to ensure the continued provision of "reasonable and appropriate" protection of Electronic Protected Health Information.
- Section 164.308(b)(1) has been modified to clarify that Covered Entities are NOT required to obtain "satisfactory assurances" with a Business Associate that is a subcontractor, but rather it is the Business Associate that must obtain these assurances.
- Section 164.314 (although not required by the HITECH Act) is now applicable to agreements between Business Associates and their subcontractors.
- A subcontractor of a Business Associate must report security incidents, including breaches, to its respective Business Associate (see 164.308(b)(3)).
The Omnibus Rule's changes to the HIPAA Privacy Rule ("PR"), and commentary related to same, are extensive (see the Rule pp. 103-294). These modifications contain both substantive and technical (i.e. conforming/cleanup) changes which include, but are not limited to, the following subject matter areas: 1) Marketing Communications; 2) Business Associates; 3) Authorizations; 4) Fundraising; and 5) Notice of Privacy Practices ("NOPP").
Comment: although of late, the HIPAA Security Rule has gotten the most attention because of Meaningful Use attestations, the HIPAA Privacy Rule is real 800-pound gorilla that encompasses the essence of the HIPAA Rules from a public policy perspective.
Here's our summary of the changes to the HIPAA Privacy Rule:
- As per section of 13410 of the HITECH Act, a Business Associate is directly liable under the HIPAA Privacy Rule for uses and disclosures of Protected Health Information that are not in accord with its Business Associate agreement or the HIPAA Privacy Rule itself.
- As was the case under the HIPAA Privacy Rule before HITECH, Business Associates remain contractually liable for all other HIPAA Privacy Rule obligations that are included in Business Associate contracts or other arrangements.
- Patient Safety Organizations ("PSOs") are to be treated as Business Associates of Covered Entity health care providers; and patient safety activity is deemed to be "health care operations" of Covered Entity healthcare providers.
- HITECH Act section 13406(a) limits the health-related communications that may be considered health care operations and thus, that are excepted from the definition of "Marketing" under the HIPAA Privacy Rule, to the extent that a Covered Entity has received direct or indirect payment in exchange for making the communication.
- In cases where a Covered Entity would receive payment the HITECH Act requires a Covered Entity to obtain authorization prior to making the communication (applies to a Business Associate as well).
- The general concept under the proposed rule that marketing means "to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service" has been maintained with some exceptions.
- The proposed rule included three (3) exceptions to the general rule as follows: (1) certain health care operations ("HCOs") are excluded except where the Covered Entity receives financial remuneration for the communication such as: (a) describing a health-related product or service that is provided by the Covered Entity; (b) case management and coordination; (c) contacting persons about alternatives; and (d) similar functions (i.e. to the extent that these activities are not considered treatment); (2) communications regarding refill reminders or a biologic that is currently prescribed; and (3) removal of the language defining as marketing an arrangement between a Covered Entity and any other entity in which the Covered Entity discloses Protected Health Information to the other entity, in exchange for remuneration, to make a communication about its own product or services that encourages a purchase, because such an activity, under HITECH Act 13405(d) would now be considered a prohibied "sale" of Protected Health Information.
- The FINAL Rule significantly modifies the proposed rule's approach to marketing by requiring authorization for ALL treatment and HCOs communications where the Covered Entity receives financial remuneration for making the communications from a third party whose product or service is being marketed.
- A stand alone exception for refill reminders remains in place under the HITECH Act.
- Comment: needless to say, if you are a Covered Entity and are marketing to your patients, it would be wise to seek advice of counsel and also update your Notice of Privacy Practices (see the Rule itself for further clarification on NOPP updates).
- Business Associates
- Business Associates are directly liable under HITECH 13404(a) for uses and disclosure that violate the HIPAA Privacy Rule or are in breach of the Business Associate contract.
- Business Associates are not permitted to use or disclose Protected Health Information if it would be a HIPAA Privacy Rule violation for a Covered Entity to do so, except that a Business Associate may use Protected Health Information for its own management and administration.
- A person/entity ("Person") becomes a Business Associate by definition, and NOT because there happens to be a Business Associate contract in place; therefore liability attaches immediately when a Person "creates, receives, maintains, or transmits Protected Health Information on behalf of a Covered Entity.
- Business Associates are now directly liable under the HIPAA rules: (1) for impermissible uses and disclosures; (2) for failure to provide breach notification to the Covered Entity; (3) for failure to provide access of Electronic Protected Health Information either to the individual or the Covered Entity; (4) for failure to disclose Protected Health Information to the Secretary; (5) for failure to provide an accounting of disclosures; AND (6) for failure to comply with the requirements of the HIPAA Security Rule. Comment: Business Associates and Covered Entities should clearly recognize that we are definitely "not in Kansas anymore." The implications of these changes have yet to be fully realized by the healthcare industry (understatement).
- Business Associates must comply with the "Minimum Necessary" principle.
- Business Associates are required to have Business Associate Agreements with their sub-contractors that use Protected Health Information on their behalf.
- Business Associates must monitor their Business Associate Agreements with their sub-contractors.
- Requirements in Business Associate Agreements "cascade down" to sub-contractors and sub-contractors of sub-contractors (i.e. to ALL downstream sub-contractors).
- Covered Entities and Business Associates will be allowed to operate under existing agreements for one year beyond the compliance date of these revisions, if said agreement was already HITECH compliant.
- There are now three instances where an Authorization is required from an individual: (1) most uses and disclosures of psychotherapy notes; (2) uses and disclosures for marketing purposes; and (3) uses and disclosures that involve the sale of Protected Health Information.
- Section 13405(d) contains several exceptions for the authorization requirements where the exchange of Protected Health Information is for: (1) public health activities; (2) research purposes; (3) treatment of the individual; (4) the sale, transfer, merger or consolidation of all or part of a Covered Entity and for related due diligence; (5) services rendered by a Business Associate pursuant to a Business Associate contract and at the specific request of the Covered Entity; (6) providing an individual with access to his/her Protected Health Information; and (7) other purposes that the Secretary deems necessary and appropriate.
- Prohibition on the sale of Protected Health Information applies six months after the promulgation of the Final Rule (see 13405(d)(4)).
- Disclosures for treatment and payment purposes do NOT require an Authorization.
- The Final Rule adopts the proposal to amend 164.508(b)(3)(i) and (iii) to allow a Covered Entity to combine conditioned and unconditioned Authorizations for research, provided the Authorization clearly differentiates between the conditioned an unconditioned research components and clearly allows the individual to opt-in to the unconditioned research activities.
- The Final Rule amends 164.502(f) to require a Covered Entity to comply with the requirements of the HIPAA Privacy Rule with regard to Protected Health Information of a deceased individual for a period of 50 years following the date of death.
- The Final Rule amends the definition of Protected Health Information in 160.103 to make clear that the individually identifiable health information of a person who has been deceased for more than 50 years is NOT Protected Health Information under the HIPAA Privacy Rule.
- Covered Entities can still disclose Protected Health Information of decedents for research purposes under 164.512(i)(1)(iii).
- The Final Rule amends 164.510(b) to permit Covered Entities to disclose a decedent's Protected Health Information to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior express preference of the individual that is known to the Covered Entity.
- The Final Rule includes a definition of "family member" at 160.103.
- Student Disclosures
- The Final Rule amends 164.512(b)(1) by adding a new paragraph that permits a Covered Entity to disclose proof of immunization to a school where State or other law requires the school to have such information prior to admitting the student. Written authorization is no longer required to permit this disclosure.
- Covered Entities will still be required to obtain agreement, which may be oral, from a parent, guardian or other person in loco parentis for the individual, or from the individual himself or herself if the individual is an adult or an emancipated minor.
- Covered Entities must document the agreement obtained.
- The agreement obtained is effective until revoked.
- Section 13406(b) of the HITECH Act requires the Secretary to provide by rule that a Covered Entity provide the recipient of any fund raising communication with a clear and conspicuous opportunity to opt out of receiving further fundraising communications.
- If an individual does opt out then the individual's choice to opt out must be treated as a revocation of authorization under 164.508 of the HIPAA Privacy Rule.
- The opt out method for an individual may not cause the individual to incur an undue burden or more than minimal cost (e.g. writing a letter would be considered an undue burden).
- A Covered Entity may not condition treatment based on an individual opting out of fundraising communications.
- A Covered Entity that intends to contact an individual to raise funds must include a statement to that effect in its Notice of Privacy Practices.
- Once opted out, a Covered Entity must take "reasonable measures" to ensure that no further fundraising communication is provided to the individual.
- Notice of Privacy Practices (NOPP)
- The Final Rule adopts the modification to 164.520(b)(1)(ii)(E), which requires certain statements in the Notice of Privacy Practices regarding uses and disclosures that require Authorization. However, it is not necessary to list ALL possible instances wherein an authorization is required.
- The Notice of Privacy Practices must contain a statement indicating that an Authorization is required for: (1) most uses and disclosures of psychotherapy notes (where appropriate); (2) uses and disclosures of Protected Health Information for marketing purposes; and (3) disclosures that constitute a sale of Protected Health Information; as well as a statement that other uses and disclosures not described in the Notice of Privacy Practices will be made only with authorization from the individual.
- If a Covered Entity does not record or maintain psychotherapy notes, it need not include the requisite statement in its Notice of Privacy Practices.
- The Final Rule requires a statement in the Notice of Privacy Practices that an individual has a right to opt out of fundraising communications (i.e. if the Covered Entity intends to contact the individual regarding fundraising).
- The Final Rule requires a statement in the Notice of Privacy Practices indicating the individual's new right to restrict certain disclosures of Protected Health Information to a health plan where the individual pays out of pocket in full for the healthcare item or service. Only healthcare providers are required to include such a statement in the Notice of Privacy Practices; other Covered Entities may retain the existing language indicating that a Covered Entity is NOT required to agree to a requested restriction.
- The Final Rule also requires that Covered Entities include in their Notice of Privacy Practices a statement of the right of an affected individual to be notified following a breach of unsecured Protected Health Information.
- HHS states that these are "material changes" to the Notice of Privacy Practices that require re-distribution.
- Covered Entities that are healthcare providers are only required to distribute the modified Notice of Privacy Practices to "new patients."
- Covered Entities that are health plans have specific Notice of Privacy Practices re-distribution requirements (see Rule pp. 238-239).
- Right to Request a Restriction
- The Final Rule modifies 164.522 as per HITECH Act Section 13405(a) indicating that individuals have a new right to restrict certain disclosures of Protected Health Information to a health plan where the individual pays out of pocket in full for the healthcare item or service.
- Covered Entities (i.e. that are healthcare providers) will need to employ some method to flag, or make a notation in the medical record, with respect to Protected Health Information that has been restricted so that the information is not sent to a health plan.
- Disclosures that are otherwise required by law are still permitted.
- In the case of an individual who wants to restrict disclosures to a health plan concerning a prescribed medication, the prescribing provider could provide the patient with a paper prescription to allow the individual an opportunity to request a restriction and pay for the prescription with the pharmacy BEFORE the pharmacy has submitted a bill to the health plan.
- The individual, and not the Covered Entity, is required to notify a downstream Health Information Exchange(s) of the restriction. Comment: it remains unclear how an individual may actually accomplish this task, however what is clear is that the healthcare provider is NOT required to do so.
- A family member could make the payment on behalf of an individual and the restriction would still be triggered.
- The restriction does not apply for the purpose of the Covered Entity collecting payment (i.e. presumably from the individual, or a family member or a collection agency) and no authorization is required.
- This restriction ONLY applies to Covered Entities that are healthcare providers.
- Access of Individuals to Protected Health Information
- Section 13405(e) of the HITECH Act strengthens the HIPAA Privacy Rule's right of access as contained in 164.524, with respect to Covered Entities that use or maintain an Electronic Health Record ("EHR").
- Section 13405(e) provides that when a Covered Entity uses or maintains an EHR with respect to Protected Health Information of an individual, the individual shall have a right to obtain from the Covered Entity a copy of such information in an electronic format and the individual may direct the Covered Entity to transmit such copy directly to the individual's designee, provided that any such choice is clear, conspicuous, and specific.
- This section provides that any fee imposed by the Covered Entity shall not be greater than the Covered Entity's labor costs in responding to the request for the copy.
- HHS has used its rule making authority to logically extend this right to Protected Health Information that is stored electronically whether or not it is used and maintained as part of an EHR.
- For example, the requirement above would extend to Protected Health Information contained in MS Word, Excel, plain text, HTML, PDF and other electronic formats.
- A Covered Entity is NOT required to purchase new software or systems in order to accommodate an electronic copy request for a specific form that is not readily produced by the Covered Entity at the time of the request, provided that the Covered Entity is able to provide some form of electronic copy.
- Covered Entities may still require that an individual make this request in writing.
- The Covered Entity must provide ALL Protected Health Information contained in an electronically maintained designated record set, except as otherwise provided for in 164.524(a).
- Whether the process is electronic or paper based, a Covered Entity must implement reasonable policies and procedures under 164.514(h) to verify the identity of any person who requests Protected Health Information, as well as implement reasonable safeguards under 164.530(c) regarding the information that is used or disclosed.
- The Final Rule modifies the requirements for right to access and to obtain a copy of Protected Health Information at 164.524(b). The provision that permits 60 days for timely action when Protected Health Information is not maintained or accessible to the Covered Entity on site is removed. The 30 day provision is maintained.
- The time period for the request is triggered at the time that the request is made.
The HIPAA Breach Notification Rule ("BNR") did not exist prior to the HITECH Act. Section 13402 of the HITECH Act requires a Covered Entity to provide notification to affected individuals and to the Secretary of HHS following a discovery of a breach of unsecured Protected Health Information. In some cases, the Act requires Covered Entities to also provide notification of a breach to the media. In the case of a breach of unsecured Protected Health Information at a Business Associate of a Covered Entity, the Act requires the Business Associate to notify the Covered Entity.
This is nothing new; it has been the law for a couple of years now. The Final Rule simply finalizes the Breach Notification Interim Final Rule which has been in effect since August 24, 2009. Here's our summary of the changes to the HIPAA Breach Notification Rule (see pp. 294-375 of the Rule):
- For Covered Entities and Business Associates, HHS is the enforcement agent for the HIPAA Breach Notification Rule (i.e. not the FTC).
- The Final Rule amends the definition of "breach" at 164.402.
- The impermissible use or disclosure of Protected Health Information (i.e. a violation of the HIPAA Privacy Rule) is presumed to be a breach unless the Covered Entity or Business Associate, as applicable, demonstrates that there is a low probability that the Protected Health Information has been comprised. Comment: This is a radical departure from the Interim Final Rule which included a subjective "Risk of Harm" analysis in the definition of "breach."
- As discussed, the "Risk of Harm" analysis has been removed and replaced with a more objective "Risk Assessment or RA" approach. Therefore, breach notification is NOT required under the Final Rule if a Covered Entity or Business Associate demonstrates through the RA, that there is a low probability that the Protected Health Information has been compromised, rather than having to demonstrate that there is no significant risk of harm to the individual, as was provided for in the Interim Final Rule.
- The RA should consider the following factors: (1) the nature and extent of the Protected Health Information involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the Protected Health Information or to whom the Protected Health Information was disclosed; (3) whether the Protected Health Information was actually acquired or viewed; and (4) the extent to which the risk to the Protected Health Information has been mitigated.
- As a business strategy, nothing prevents Covered Entities and Business Associates from providing notification for each breach without performing the RA. The RA analysis is only required if the Covered Entity or Business Associate, based on the facts, wants to demonstrate that no notification is required.
- The Final Rule eliminates the exception that limited data sets that did not include dates of birth and zip codes were exempted from breach notification. Now the four-factor analysis must be performed with respect to the Protected Health Information in question.
- The Notice of Privacy Practices need not include a description of how the RA will be conducted.
- Covered Entities and Business Associates have the burden of proof, pursuant to 164.414, to demonstrate that all notifications were provided or that an impermissible use or disclosure did not constitute a breach and to maintain documentation (e.g. RA demonstrating that there was a low probability that the Protected Health Information had been compromised or that the impermissible use or disclosure fell within one of the other exceptions in the definition of breach).
- Uses or disclosures that violate the "Minimum Necessary" principle may qualify as breaches. Such incidents must be evaluated like any other security incident.
- The Covered Entity ultimately maintains the obligation to notify affected individuals of the breach under 164.404, although a Covered Entity is free to delegate the responsibility to the Business Associate that suffered the breach, or to another of its Business Associates.
- The Final Rule retains 164.408(c) with one modification. The modification clarifies that Covered Entities are required to notify the Secretary of all breaches of unsecured Protected Health Information affecting fewer than 500 individuals not later than 60 days after the end of the calendar year in which the breaches were "discovered," not in which the breaches "occurred."
Comment: Do not be misled by the brevity of this section as compared to that of the HIPAA Privacy Rule. The Final Rule adopted much of the Interim Final Rule and therefore not as much commentary was necessary.
HIPAA Omnibus Rule Summary
We have attempted to distill the essence of the HHS HIPAA Omnibus Rule into far fewer than the 500 plus pages of the original source. However, in order to do so, we have eliminated many of the examples and hypotheticals that HHS responded to as it walked readers through the changes to each rule. Those responses provide invaluable guidance and we encourage readers to refer to the source for a much deeper understanding.
Make sure you are Omnibus Rule Compliant: HIPAA Privacy Checklist.