
Final HIPAA/HITECH Omnibus Rule Makes Significant Changes for Health Plans and Their Business Associates

04.15.2013

After a very long wait, the Department of Health and Human Services (“HHS”) has issued a final HIPAA/HITECH Omnibus Rule (the “Rule”) implementing provisions of the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Nondiscrimination Act (“GINA”).

Some aspects of the Rule mirror statutory requirements of HITECH that have been in effect since February 2010.  Many HIPAA covered entities and business associates already may have brought themselves into compliance with these requirements.  Other aspects of the Rule, however, make important changes that will affect covered entities, business associates and the downstream subcontractors of business associates.

Regulated entities generally have until September 23, 2013, to comply with the requirements of the Rule.  As discussed below, additional time is provided to bring certain existing business associate agreements into compliance and for health plans to circulate revised privacy notices.

This article discusses the aspects of the Rule likely to be of most interest to health plans and the business associates of health plans.

Subcontractors

One significant change made by the Rule involves downstream subcontractors of business associates.  Under the Rule, the subcontractor of a business associate is itself considered a business associate if it handles protected health information (“PHI”).

The Rule defines a subcontractor as any person to whom a business associate delegates a function, activity or service, other than as a member of the business associate’s workforce.  For example, a vendor providing data storage for a third party administrator would be considered a business associate of the administrator if the data is PHI. 

Deeming subcontractors to be business associates has two major consequences.  First, business associates will be required to have HIPAA compliant business associate agreements in place with their subcontractors that handle PHI.   Failure to do so will be considered a violation of law.  Second, subcontractors handling PHI will be subject to all HIPAA requirements that apply to business associates, including compliance with the HIPAA Security Rule.

Regulatory Duties of Business Associates

As required by HITECH, the Rule imposes certain regulatory duties on business associates and makes any violation of these duties subject to HIPAA’s civil and criminal penalties.  The regulatory duties applicable to business associates, including subcontractors that qualify as business associates, include the following:

  • Business associates must implement administrative, technical and physical safeguards to protect the security of electronic PHI as required by the HIPAA Security Rule.  Business associates also must comply with the Security Rule’s documentation requirements.
  • Business associates contracting directly with a covered entity must provide timely notice to the covered entity of any security breach involving unsecured PHI.  It appears subcontractors that are business associates must give notice of breach to the business associate with which they have a direct contractual relationship, although the Rule is not entirely clear on this point.
  • Business associates must use and disclose PHI only as permitted by their business associate agreement. 
  • Business associates must not use or disclose PHI in a way that would violate the Privacy Rule if done by the covered entity.
  • Business associates must execute business associate agreements with their subcontractors that handle PHI.  If a subcontractor engages in a pattern of conduct or practice in material breach of its business associate agreement, the business associate must take reasonable steps to cure the breach and, if such steps are unsuccessful, terminate the agreement if feasible.
  • Business associates must make reasonable efforts to limit uses and disclosures of, and requests for, PHI to the minimum necessary.  This requirement suggests that business associates should have reasonable written policies and procedures for limiting uses and disclosures of, and requests for, PHI to the minimum necessary and limiting the access of personnel to PHI necessary for their job function.
  • Business associates must disclose PHI to the covered entity, individual or the individual’s designee when required to provide an electronic copy of PHI.  Business associates also must disclose PHI to the Secretary of Health and Human Services when lawfully requested to do so.

Changes to Business Associate Agreements

The Rule requires covered entities to include certain new provisions in their business associate agreements.  Business associate agreements with their subcontractors also must include these provisions.

After HITECH was enacted, many covered entities added language to their business associate agreements reflecting the law’s statutory requirements, including a catch-all provision designed to incorporate by reference any regulatory changes that might occur.  Such catch-all provisions may comply with the Rule without further amendment, but it is advisable to include language in business associate agreements specifically reflecting the new requirements, at least for new agreements and renewals of existing agreements.  Including specific language helps ensure that business associates are on notice of their responsibilities.

In addition to the provisions previously required by the Privacy and Security Rules, business associate agreements must include the following new provisions.

  • The agreement must require the business associate to comply with the applicable provisions of the Security Rule.
  • The agreement must require the business associate to report any use or disclosure of PHI not in compliance with the agreement, specifically including breaches of unsecured PHI.  The same provision already is required for business associate agreements, except now the provision must specifically state the business associate’s duty to give notice of any breach involving unsecured PHI.
  • The agreement must require the business associate to execute a business associate agreement with any subcontractor that handles PHI.
  • The agreement must state that to the extent the business associate carries out the covered entity’s obligations under the Privacy Rule, the business associate will comply with the requirements of the Privacy Rule that apply to the covered entity.

In general, covered entities must have compliant business associate agreements in place with their business associates and business associates must have compliant business associate agreements in place with their subcontractors no later than September 23, 2013.  If, however, a covered entity or business associate had a written agreement in place prior to January 25, 2013, and the agreement complied with regulatory standards at that time, so long as the agreement is not renewed or modified between March 26 and September 23, 2013, the agreement will be deemed compliant until the earlier of (i) the date it is renewed or modified or (ii) September 22, 2014.  “Evergreen” contract renewals will not count as a renewal for this purpose and therefore will not end the deemed compliance period.

Liability for Conduct by Business Associates

The Rule makes an important change to the circumstances under which covered entities may be liable for a HIPAA violation based on the conduct of their business associates.  Previously, the HIPAA Enforcement Rule established a safe harbor under which a covered entity could not be found liable for a HIPAA violation based on misconduct by its business associate.   Under the safe harbor, a covered entity could not be found liable so long as the covered entity had a compliant business associate agreement in place and either did not know of any pattern of activity or practice by the business associate in material breach of the business associate agreement or, if it did know of such a pattern or practice, it took reasonable steps to cure the breach and, if unsuccessful, terminated the agreement or reported the problem to the Secretary of Health and Human Services if termination was not feasible.

The Rule eliminates the safe harbor so that a covered entity is liable for a violation arising from the conduct of any common law agent of the covered entity, as defined by the federal common law of agency, including a business associate acting as the covered entity’s agent.  The same liability attaches to a business associate for the conduct of any agent of the business associate, including a subcontractor.

Under the federal common law of agency, a business associate performing services for a covered entity generally would be considered an agent of the covered entity only if the covered entity has authority to control the business associate’s conduct in performing the services—for example, by giving interim instructions to the business associate concerning how to carry out its contractual obligations.  If, however, the only avenue of control over the business associate is to amend the contract between the covered entity and the business associate, the business associate would not be considered the covered entity’s agent.  The same principles apply to business associates and their subcontractors.

A covered entity or business associate also will be liable for a HIPAA violation if it knows of a pattern of activity or practice by a business associate in violation of the business associate agreement and it fails to take reasonable steps to cure the breach and if unsuccessful, terminate the contract if feasible.

Breach Notification

In another important change, the Rule eliminates the “significant risk of harm” standard for determining whether an impermissible use or disclosure of unsecured PHI constitutes a security breach requiring notification.  Instead, the Rule applies a new, more stringent standard.

Under the new standard, if PHI is subject to any acquisition, access, use or disclosure in violation of the Privacy Rule, and none of the three existing exceptions applies, it is presumed that a breach has occurred unless the covered entity or business associate, as the case may be, demonstrates a low probability that the information has been compromised.  In every case, the burden is on the covered entity or business associate to demonstrate that a breach has not occurred.

The determination of whether there is a low probability that PHI has been compromised must be based on a risk assessment involving at least the following factors:

  • The nature and extent of the PHI involved, including the types of personal identifiers and likelihood of re-identification if de-personalized information is involved;
  • The unauthorized person who used the PHI or to whom the disclosure was made;
  • Whether the PHI was actually acquired or viewed; and
  • The extent to which the risk to the PHI has been mitigated.

The new standard for breach shifts the balance towards a determination that a breach has occurred, making it more likely that notification will be required if unsecured PHI is involved.  Nevertheless, the factors that must be considered in determining whether there has been a breach are much the same as under the old standard.

For example, under the first required element of the risk assessment—the nature and extent of the PHI involved—HHS states in the preamble to the Rule that entities should consider whether the incident “involved information that is of a more sensitive nature…” such as credit card numbers, social security numbers or other information that increases the risk of identity theft or detailed clinical information such as treatment plans, diagnoses, medications or test results.  In addition, the preamble states that considering the type of information involved “will help entities determine the probability that the protected health information could be used by an unauthorized recipient in a manner adverse to the individual or otherwise used to further the unauthorized recipient’s own interests.”

Clearly, then, determining whether PHI has been compromised includes an assessment of the risk of harm to affected individuals.  In the preamble, HHS suggests the determination of breach under the new standard is broader than merely assessing risk of harm, yet the factors identified in the preamble tend to focus on the risk that PHI might be used in a way that would harm the individual.  Nevertheless, other factors also may come into play—for example, the preamble states one factor to consider is whether the unauthorized recipient of PHI could use the information to further the recipient’s own interests. 

Covered entities and business associates should recognize that risk of harm is still an important consideration under the new standard for determining whether a breach has occurred.  Nevertheless, other factors that would compromise the privacy of PHI, even without doing tangible harm to affected individuals, should be considered.  In addition, it is important to keep in mind that the balance in determining whether a breach has occurred now weighs heavily in favor of breach. 

Changes to HIPAA Privacy Notice

The Rule requires covered entities to make several material changes to their HIPAA privacy notice to reflect new rights of individuals under the Rule.  The privacy notice must include the following new elements:

  • A description of the types of uses and disclosures of psychotherapy notes that require an authorization (covered entities that do not record or maintain psychotherapy notes are not required to include this statement);
  • A statement that any use or disclosure of PHI for marketing that involves financial remuneration to the covered entity requires an authorization;
  • A statement that the covered entity must obtain an authorization to sell PHI;
  • If the covered entity intends to engage in any of the following activities, a separate statement as follows:
    • That the covered entity may contact the individual to raise funds for the covered entity and the individual has a right to opt out of receiving such communications (this will likely apply only to healthcare providers);
    • If the covered entity is a health plan, other than a long term care insurer, and uses PHI to underwrite, a statement that it is prohibited from using or disclosing genetic information for underwriting purposes (genetic information includes family history);
  • For healthcare providers only, a statement informing individuals of their new right to restrict certain disclosures of PHI to a health plan where the individual pays out of pocket in full for a healthcare item or service; and
  • A statement that the covered entity is required to provide notice of any breach of the individual’s unsecured PHI.

A health plan that posts its HIPAA privacy notice on its website and makes material changes such as those required by the Rule must post the revised notice on its website no later than the effective date of the changes (September 23, 2013 for revisions reflecting the Rule) and provide the revised notice, or information about the changes and how to obtain the revised notice, in its next annual mailing to covered individuals.  Most health plans are required by the Privacy Rule to post their privacy notices on their websites.

If a health plan does not post its HIPAA privacy notice on a website, and it makes material changes to the notice, it must provide the revised notice, or information about the changes and how to obtain the revised notice, to covered individuals no later than 60 days following the effective date of the changes (November 22, 2013 for revisions reflecting the Rule).

Right of Access to Information

The Rule provides that if an individual requests an electronic copy of PHI, and the covered entity maintains the PHI in electronic form in a designated record set, the covered entity must provide a copy of the information in the electronic form and format requested, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by the covered entity and individual.  HHS states in the preamble to the Rule that it expects covered entities to provide a machine readable copy of electronic PHI to the extent possible.

A covered entity is not required to purchase new software or systems to comply with this new requirement, so long as it can provide an electronic copy of PHI in some reasonable format.  If an individual refuses to accept any of the electronic formats in which electronic PHI is readily producible by the covered entity, the covered entity may provide a hard copy to fulfill the request.

The fee a covered entity charges for providing an electronic copy of PHI may include, among other allowable costs, the reasonable cost for skilled technical staff time spent copying an electronic file and the cost of the disk, flash drive or other medium on which the copy is provided.  Fees associated with maintaining systems or the capital expenditures to maintain data access, storage and infrastructure may not be charged.

The Rule also requires that, if requested by the individual, a covered entity must transmit a copy of PHI directly to a person designated by the individual.  This requirement applies to all requests for PHI, regardless of whether an electronic copy is requested.

The Rule eliminates the Privacy Rule provision that allowed 60 days for providing access to PHI when the information is not maintained or accessible to the covered entity on-site.  If PHI is not readily accessible, a covered entity still may rely on the provision of the Privacy Rule allowing a one-time extension of 30 days to the usual 30-day period for responding to a request for access.

Genetic Information

The Rule makes GINA’s prohibition against using genetic information for underwriting purposes apply to all health plans subject to the HIPAA Privacy Rule, except for long-term care plans.  Genetic information includes family history.  Previously, all HIPAA “excepted benefits” were exempt from this restriction under federal law.  Now, any excepted benefit, other than long-term care, that is subject to the HIPAA Privacy Rule will be prohibited from using family history or other genetic information for underwriting purposes.

Other Changes

Other changes made by the Rule include the following:

The Rule creates new standards for the investigation of complaints, initiation of compliance reviews and resolution of violations.  Consistent with HHS’s more aggressive approach to HIPAA enforcement, if a case of noncompliance involves willful neglect, regulators no longer are required to resolve the case by informal means, such as demonstrated compliance or a corrective action plan.  HHS retains discretion to resolve cases not involving willful neglect through informal means.  The Rule also clarifies how federal regulators will apply the four-tiered civil money penalty scheme implemented under HITECH.

The Rule sets new limits on how covered entities may use or disclose protected health information for marketing and fundraising purposes and prohibits the sale of PHI without the individual’s authorization.

The Rule changes the standards that apply to the PHI of decedents and student immunization records.  The Rule also changes the standards for research authorizations.

Conclusion

Many of the requirements of the Rule reflect statutory requirements established by HITECH with which many covered entities and business associates already have complied.  Yet the Rule contains a number of significant new requirements that will require material changes to the policies and procedures, business associate contracts and HIPAA privacy notices of regulated entities.