HIPAA Omnibus Rule – 2013


Department of Health and Human Services (http://www.hhs.gov/) , USA has brought in significant changes to HIPAA Security, Privacy, Enforcement and Breach in the form of HIPAA Omnibus Rule (also known as Final Rule). Listed below are some significant changes that would have an impact on the business associates. Typically all offshore BPO/KPO companies working for Health service providers are Business Associates.

Definitions

1. Covered Entity - Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage. For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. Covered entities can be institutions, organizations, or persons.

2. Business Associates - A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.  A member of the covered entity’s workforce is not a business associate.

Highlights of HIPAA Omnibus Rule

1. The final Omnibus Rule becomes effective on March 26, 2013. Covered entities and Business Associates of all sizes will have 180 days beyond the effective date of the final rule to come into compliance. This means compliance to Omnibus Rule should be not later than September 26, 2013

2.The "conduit exception" still applies but is limited to an organization that merely transmits Protected Health Information (e.g. an ISP) as opposed to those that "maintain and store it" (e.g. a record storage company). The former is NOT a Business Associate but the latter is. Further, if a Covered Entity ("CE") or Business Associate ("BA") used a tool like Google Apps to maintain Protected Health Information related to its compliance initiative then Google would be a Business Associate and a contract is required.
Implication for Business Associates – Should not store any ePHI with any cloud service provider such as Google Apps without a specific Business Associate agreement with the service provider.

3. A subcontractor(s) who "creates, receives, maintains, or transmits Protected Health Information on behalf of a Business Associate, is a HIPAA Business Associate" and therefore "on the hook" for compliance with applicable rules (e.g. in general: Breach Notification Rule, HIPAA Security Rule, HIPAA Privacy Rule, etc.).
Impact for Business Associates – Sub contracting work to another service provider would require a Business Associate Agreement to be signed in prescribed format.

4. Covered Entities are required to obtain "satisfactory assurances" (i.e. that their Protected Health Information will be protected as required by the rules) from their Business Associates, and Business Associates are required to get the same from their sub-contractors (now Business Associates). Comment: this "chain of assurances" (and liability) follow the Protected Health Information wherever it leads and has widespread ramifications including those related to breach notification.

5.The definition of Workforce was changed to make clear that the term includes the employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Business Associate, is under the direct control of the Business Associate, because some provisions of the Act and the Privacy and Security Rules place obligations on the Business Associate with respect to workforce members. In short, the term now applies to both Covered Entities and Business Associates.
Impact for Business Associates – All employees, outsourced employees and trainees of a Business Associate would be covered by HIPAA Omnibus rule.

HIPAA Enforcement Rule

6. Establishes four categories of violations that reflect increasing levels of culpability and four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation, with a maximum penalty amount of $1.5 million annually for all violations of an identical provision. $1.5 million is not a comprehensive maximum fine for a given category/year, but rather a maximum for all identical violations. Therefore, there is no theoretical maximum fine per year. The maximum will ultimately be at the discretion of HHS and is dependent on how many different kinds of violations are found. 

7. Enforcement Rule (like all HIPAA rules) continues to pre-empt any State law that is contrary to it; however is does not pre-empt a State law that is "more stringent."

8. The Secretary must formally investigate complaints indicating violations due to wilful neglect, and impose civil penalties upon finding said violations. The investigation is triggered if the initial facts show the "possibility" of wilful neglect (i.e. no finding of probability is required). The definition under 160.312 allows the Secretary to move directly to a civil penalty without exhausting informal resolution efforts, particularly in cases involving wilful neglect.

9. An organization's history of HIPAA compliance is relevant to the determination of the civil money penalty.

10. The 30-day cure period for violations due to wilful neglect (and other violations) begins on the date that an entity first acquires actual or constructive knowledge of the violation and will be determined based on evidence that HHS gathers during its investigation.

HIPAA Security Rule

11. Section 164.306(c) now more clearly indicates that Covered Entities and Business Associates must review and modify security measures as needed to ensure the continued provision of "reasonable and appropriate" protection of Electronic Protected Health Information.

12.Section 164.308(b)(1) has been modified to clarify that Covered Entities are NOT required to obtain "satisfactory assurances" with a Business Associate that is a subcontractor, but rather it is the Business Associate that must obtain these assurances.

13. Section 164.314 (although not required by the HITECH Act) is now applicable to agreements between Business Associates and their subcontractors.

14. A subcontractor of a Business Associate must report security incidents, including breaches, to its respective Business Associate (see 164.308(b)(3)).

HIPAA Privacy Rule

15. A Business Associate is directly liable under the HIPAA Privacy Rule for uses and disclosures of Protected Health Information that are not in accord with its Business Associate agreement or the HIPAA Privacy Rule itself.

16. As was the case under the HIPAA Privacy Rule before HITECH, Business Associates remain contractually liable for all other HIPAA Privacy Rule obligations that are included in Business Associate contracts or other arrangements.

17. Business Associates are directly liable under HITECH 13404(a) for uses and disclosure that violate the HIPAA Privacy Rule or are in breach of the Business Associate contract.

19. A person/entity ("Person") becomes a Business Associate by definition, and NOT because there happens to be a Business Associate contract in place; therefore liability attaches immediately when a Person "creates, receives, maintains, or transmits Protected Health Information on behalf of a Covered Entity.

20. Business Associates are now directly liable under the HIPAA rules: (1) for impermissible uses and disclosures; (2) for failure to provide breach notification to the Covered Entity; (3) for failure to provide access of Electronic Protected Health Information either to the individual or the Covered Entity; (4) for failure to disclose Protected Health Information to the Secretary; (5) for failure to provide an accounting of disclosures; AND (6) for failure to comply with the requirements of the HIPAA Security Rule. Comment: Business Associates and Covered Entities should clearly recognize that we are definitely "not in Kansas anymore." The implications of these changes have yet to be fully realized by the healthcare industry (understatement).

21. Business Associates must comply with the "Minimum Necessary" principle.

22. Business Associates are required to have Business Associate Agreements with their sub-contractors that use Protected Health Information on their behalf.

23. Business Associates must monitor their Business Associate Agreements with their sub-contractors.

24. Requirements in Business Associate Agreements "cascade down" to sub-contractors and sub-contractors of sub-contractors (i.e. to ALL downstream sub-contractors).

25. Covered Entities and Business Associates will be allowed to operate under existing agreements for one year beyond the compliance date of these revisions, if said agreement was already HITECH compliant.

26. The Final Rule amends 164.502(f) to require a Covered Entity to comply with the requirements of the HIPAA Privacy Rule with regard to Protected Health Information of a deceased individual for a period of 50 years following the date of death.

27. The Final Rule amends the definition of Protected Health Information in 160.103 to make clear that the individually identifiable health information of a person who has been deceased for more than 50 years is NOT Protected Health Information under the HIPAA Privacy Rule.

HIPAA Breach Notification Rule

28. The impermissible use or disclosure of Protected Health Information (i.e. a violation of the HIPAA Privacy Rule) is presumed to be a breach unless the Covered Entity or Business Associate, as applicable, demonstrates that there is a low probability that the Protected Health Information has been comprised. Comment: This is a radical departure from the Interim Final Rule which included a subjective "Risk of Harm" analysis in the definition of "breach."

29. As discussed, the "Risk of Harm" analysis has been removed and replaced with a more objective "Risk Assessment or RA" approach. Therefore, breach notification is NOT required under the Final Rule if a Covered Entity or Business Associate demonstrates through the RA, that there is a low probability that the Protected Health Information has been compromised, rather than having to demonstrate that there is no significant risk of harm to the individual, as was provided for in the Interim Final Rule.

30. The RA should consider the following factors: (1) the nature and extent of the Protected Health Information involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the Protected Health Information or to whom the Protected Health Information was disclosed; (3) whether the Protected Health Information was actually acquired or viewed; and (4) the extent to which the risk to the Protected Health Information has been mitigated.

31. As a business strategy, nothing prevents Covered Entities and Business Associates from providing notification for each breach without performing the RA. The RA analysis is only required if the Covered Entity or Business Associate, based on the facts, wants to demonstrate that no notification is required.

32. The Final Rule eliminates the exception that limited data sets that did not include dates of birth and zip codes were exempted from breach notification. Now the four-factor analysis must be performed with respect to the Protected Health Information in question.

Based on the new rule, the government uses four factors to determine the likelihood that PHI was inappropriately used or disclosed.

What is the nature of information involved?

The first factor is that you need to look at the nature and extent of the protected health information involved. Is it sensitive information? Is it financial? What type of information was inappropriately disclosed or used.

Who is the unauthorized person responsible?

The second factor is the unauthorized person who used or disclosed the PHI. Is it an employee? Is it a third party? Is it someone trustworthy or not? If it was an inadvertent or misfired fax, was the recipient also a covered entity in which case they’re obligated to follow the HIPAA rules and therefore that factor may weigh heavily toward a decision that the data wasn’t compromised or there was a low probability that it was?

What the information actually accessed?

The third factor is whether the PHI was actually acquired or viewed. If it’s a laptop that is stolen or lost and returned and it wasn’t actually looked at, then that’s going to be a factor in determining whether there was a probability that it was compromised.

How have the covered entities and business associates handled the risk?

The fourth factor is the extent to which the risk to the PHI has been mitigated. Were there corrective steps already taken to reduce further disclosure, use of the information?

33. The Notice of Privacy Practices need not include a description of how the RA will be conducted.

34. Covered Entities and Business Associates have the burden of proof, pursuant to 164.414, to demonstrate that all notifications were provided or that an impermissible use or disclosure did not constitute a breach and to maintain documentation (e.g. RA demonstrating that there was a low probability that the Protected Health Information had been compromised or that the impermissible use or disclosure fell within one of the other exceptions in the definition of breach).

35. Uses or disclosures that violate the "Minimum Necessary" principle may qualify as breaches. Such incidents must be evaluated like any other security incident.

36.The Covered Entity ultimately maintains the obligation to notify affected individuals of the breach under 164.404, although a Covered Entity is free to delegate the responsibility to the Business Associate that suffered the breach, or to another of its Business Associates.

37.The Final Rule retains 164.408(c) with one modification. The modification clarifies that Covered Entities are required to notify the Secretary of all breaches of unsecured Protected Health Information affecting fewer than 500 individuals not later than 60 days after the end of the calendar year in which the breaches were "discovered," not in which the breaches "occurred."


FutureCalls has strong capability and demonstrated expertise in HIPAA consulting and HIPAA assessments. Please send an email to sales@futurecalls.com for HIPAA GAP analysis, assessment and consulting.