New HIPAA Omnibus Rule Modifies Privacy and Breach Notification Requirements for Health Care Providers

“The Final Rule represents the most significant development in healthcare privacy law since the issuance of the final Privacy Rule and Security Rule a decade ago.” (Morgan Lewis)

On January 17, 2013, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) released its final omnibus rule, strengthening the privacy and breach notification rules of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

The final rule becomes effective on March 26, 2013, and covered entities and business associates will need to comply by September 23, 2013. Note that an extension of the deadline is possible if certain conditions are met, write Adam Greene and Rebecca Williams of the law firm Davis Wright Tremaine:

“While the new rule establishes a compliance date of Sept. 23, 2013, it includes up to a one-year extension for covered entities and business associates to revise their business associate agreements if such agreements were entered into and compliant with HIPAA as of Jan. 25, 2013, the expected date of formal publication of the new rule in the Federal Register.”

The broad, sweeping changes in the 563-page rule – more than two and a half years in the making – significantly increase the privacy and reporting obligations of covered entities and their business associates (as well as their subcontractors). For your reference, here’s a look at five key takeaways:

1. Liability of business associates has gone up:

“[Business Associates] are now directly liable for compliance with certain HIPAA Privacy and Security Rule requirements: impermissible uses and disclosures; failure to provide breach notification to the covered entity; failure to provide access to a copy of electronic protected health information to either covered entity, the individual, or the individual’s designee; failure to disclose PHI where required by the Secretary to investigate or determine the business associate’s compliance with the HIPAA Rules; failure to provide an accounting of disclosures; and for failure to comply with the requirements of the Security Rule.” (BakerHostetler)

2. More entities are now considered to be business associates:

“The definition of ‘business associate’ has been expanded to include subcontractors of business associates, any person who ‘creates, receives, maintains, or transmits’ protected health information on behalf of a covered entity, and certain identified categories of data transmission services that require routine access to protected health information, among others.” (Dinsmore & Shohl)

3. Thresholds for federal investigations have been lowered:

“Under the new rules, the agency is required (no discretion) to conduct compliance reviews when ‘a preliminary review of the facts’ suggests a violation due to willful neglect. Any reported breach that suggests willful neglect would then appear to require agency follow-up. And they are of course free to investigate any breach reported to them. HHS reports that it already receives an average of 19,000 notifications per year under the current, more favorable breach reporting requirements, so where will it find the time and money to engage in all these reviews? Well, the agency’s increased fining authority, up to an annual maximum of $1.5 million per type of violation, ought to be some help.” (Poyner Spruill)

4. Breach notification requirements have been tightened:

“Until now, an impermissible use or disclosure of Protected Health Information (‘PHI’) was a Breach only if there was a significant risk of harm. Now, an impermissible use or disclosure of PHI is presumed to be a Breach unless the Covered Entity or Business Associate can demonstrate that there is a low probability that the PHI has been compromised.” (Womble Carlyle)

5. Marketing rules are more clearly defined:

“The Final Rule modifies the Proposed Rule’s approach to marketing, requiring authorization for all treatment and healthcare operations communications where the covered entity receives financial remuneration for making the communications from a third party whose product or service is being marketed. HHS notes the difficulty in distinguishing between ‘treatment’ and ‘health care operations’ communications, as the Proposed Rule required, and therefore HHS will treat as marketing communications ‘all subsidized communications that market a health-related product or service.’” (Morgan Lewis)
