Federal Omnibus Rule Offers the Final Word on Privacy, Security, Breach Notification & Enforcement
On Jan. 25, the Federal Register published the final rule from the Department of Health and Human Services’ Office for Civil Rights (OCR) modifying the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The rule broadly impacts HIPAA and components of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the Genetic Information Nondiscrimination Act (GINA) of 2008.
The final rule — which actually comprises four final rules modifying privacy, security, enforcement and breach notification regulations — is referred to as the HIPAA Omnibus Rule. The effective date of the final rule is March 26, with a compliance date for covered entities and business associates set for Sept. 23.
In unveiling the changes, OCR Director Leon Rodriguez, JD, said, “These changes not only greatly enhance a patient's privacy rights and protections but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a healthcare provider or one of their business associates.”
Alisa Chestler, JD, of counsel in the Washington, D.C. office of Baker Donelson, is one of many attorneys around the nation who will be helping clients navigate the numerous regulatory changes. Prior to joining Baker Donelson five years ago, Chestler served as in-house counsel for a number of healthcare companies. She began her road to HIPAA expertise when she volunteered, on behalf of her health plan employer, to work through the first set of rules published in 2000. “I had no idea it was going to become my entire career. It’s the gift that keeps on giving,” she said with a laugh.
Indeed, OCR has gifted covered entities and business associates with quite a checklist to implement in the coming months. Although similar to the proposed rule released in July 2010, the final rule includes key differences that must be addressed. One of the major changes is with breach notifications and the move from a ‘no harm’ standard to a ‘probability the data was compromised’ criterion.
“There is an affirmative responsibility on the part of covered entities to let you know when your information has been compromised,” Chestler said, adding that was part of the original HITECH legislation. “However,” she continued, “covered entities used to be allowed to do a ‘risk of harm’ analysis.” That review gave covered entities some room to determine if the compromised information “posed significant risk of financial, reputational or other harm to the (affected) individual.”
After all, she pointed out, there is a difference between a security breach that provides access to a patient’s name, date of birth, Social Security number and financial data and one that exposes only a patient’s name and date of birth. Then again, she continued, what if the latter list were for a psychiatrist or infectious disease specialist? Might that cause reputational harm?
“There was a weighing of issues … and there’s something to be said for that. If we all started getting these notices every five minutes, would we become immune to them and fail to recognize when we should actually be alarmed?” she questioned.
The final rule replaces the ‘harm’ threshold with a purportedly more objective standard that is anticipated to lead to an increase in breach notifications. In the amended standard, Chestler continued, “Now everything is presumed a breach unless the entity can demonstrate there is a low probability the information has been compromised based on a risk assessment of four factors.”
- What was the nature and extent of the protected health information (PHI) involved, including the types of identifiers in the information and the likelihood of re-identification?
- To whom was the unauthorized information disclosed? Did it accidentally get sent to Dr. John James instead of Dr. John Jones, or was the breach more public?
- Was the PHI actually acquired or viewed? If an entity posted information online for 15 minutes before pulling it down and can tell no one accessed that page or viewed it during the critical time, was that actually a breach?
- What was the extent to which the risk to PHI has been mitigated?
It’s a seemingly subtle difference, but now the presumption is that every improper use or disclosure of PHI should trigger an official notification unless the covered entity can demonstrate otherwise.
Another major change impacts many subcontractors and business associates of covered entities, making more of them directly liable for compliance with specific HIPAA privacy and security requirements. Those deemed agents of the covered entity can expect to face greater accountability.
“The issue of agency is a way of categorizing responsibility, which requires care on the part of a covered entity to determine what their liability and responsibility is with respect to that vendor, subcontractor, associate,” said Chestler. In other words, business agreements need to be carefully reviewed and potentially rewritten before September. Chestler said covered entities need to analyze how their business associates, vendors and subcontractors are viewed under federal common law. They also need to make sure those partners affected by the recent changes are aware of the stricter standards and realize they must take HIPAA as seriously as the covered entities with which they do business.
The final rule also requires modifications to a covered entity’s notice of privacy practices and a redistribution of the modified policy. “Now there are new standard items that must be added,” she said of the checklist.
Chestler’s advice is not to take these changes to business agreements and privacy practices lightly. “The change in the law should not be an opportunity to just quickly update sections. I would not advise a client to just think about it and say, ‘We’re fine,’ and move on.”
For every covered entity and business associate, she added, “If they have not had a really good re-analysis of what they are doing … how they are doing it … and why they are doing it … they need to take a step back and look at it. People need to ask, ‘Does this really reflect what I’m doing? Does this really reflect what is happening on the ground?’”
If the answer is ‘no,’ the entities or business associates need to revise not only their written policies but make sure the actions of every employee are in compliance with the law by the September deadline. “The government is incredibly active in pursuing HIPAA violations now,” Chestler said.
She noted there has been a false sense of security that federal enforcement agents have only worried about large-scale breach cases. However, Chestler said one recent enforcement penalty was levied against a small hospice company in northern Idaho for a breach affecting fewer than 500 patients. On top of federal enforcement, covered entities also have to contend with more localized interest. “Under HITECH, state attorneys general now have enforcement authority, so there’s a lot of activity on a state level.”
Other changes in the omnibus rule include:
- Tighter rules regarding the use of PHI for marketing or fundraising purposes and the prohibition of the sale of PHI without individual authorization;
- Expanded rights for individuals to receive electronic copies of their health information;
- Restrictions regarding the disclosure of information to health plans concerning treatment for which an individual paid out-of-pocket in full;
- Clarification that genetic information is health information and to prohibit insurers from using or disclosing genetic information for underwriting purposes;
- Modification of the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools; and
- Modification to enable access to decedent information by family members or others. The new standard presumes that the privacy protections for PHI continue for 50 years after death. It should be noted this doesn’t mean records have to be kept for 50 years … just that the rights to privacy afforded during life continue for five decades after death.
Ultimately, Chestler said, “There is no ‘one size fits all’ HIPAA policy.” Instead, she continued, enforcement agents are looking “for proof that it is a living document and that it’s not just a manual that sits on the shelf. Everybody is going to need to contact their HIPAA attorney. I think it’s highly unlikely any provider can do this themselves.”