HHS today published the long-awaited HIPAA/HITECH omnibus final rule. A pre-publication version of the Rule was released on January 17. The Rule is effective March 26, 2013, but covered entities and business associates have until September 23, 2013 to comply. While Latham & Watkins is still engaged in a comprehensive review of the entire final rule, some of the more notable changes and clarifications in the final rule, as compared to the interim final rule, are:
- Business associates are now directly liable for compliance with certain HIPAA Privacy and Security Rule obligations: impermissible uses and disclosures; failure to provide breach notification to a covered entity; failure to provide access to a copy of electronic protected health information (ePHI) to a covered entity, the individual, or the individual’s designee; failure to disclose PHI when required by the Secretary to investigate or determine the business associate’s compliance with HIPAA; failure to provide an accounting of disclosures; and failure to comply with the requirements of the Security Rule.
- The definition of business associate has been modified to clarify that a business associate includes an entity that “creates, receives, maintains, or transmits” PHI on behalf of a covered entity. This change was made specifically “to clarify that entities that maintain or store protected health information on behalf of a covered entity are business associates, even if they do not actually view the protected health information.”
- Covered entities can no longer choose not to report a breach if they determine that it does not pose “a significant risk of financial, reputational, or other harm to the individual.” Instead, an unauthorized use, access, or disclosure of PHI “is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors: (i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; (ii) The unauthorized person who used the protected health information or to whom the disclosure was made; (iii) Whether the protected health information was actually acquired or viewed; and (iv) The extent to which the risk to the protected health information has been mitigated” (emphasis added). This presumption substantially increases reporting obligations for covered entities and business associates alike, and will likely result in many more reported breaches.
- The number of individuals affected, the time period during which the violations occurred, and the organization’s history of compliance or non-compliance will be considered when assessing Civil Monetary Penalties (CMPs). The Secretary “may move directly to a civil monetary penalty without exhausting informal resolution efforts at her discretion, particularly in cases involving willful neglect violations.” Willful neglect is defined by the Rule as “conscious, intentional failure or reckless indifference to the obligation to comply.” The tiered penalty structure set forth in the HITECH Act has been expressly incorporated, with penalties increased based on the level of negligence and a $1.5 million maximum penalty per violation.
- The definition of “marketing” has been expanded to encompass all communications subsidized by the manufacturer of a product or service. The only exception is for communications about drugs and biologics that a patient is being treated with, including generics. A covered entity must obtain individual authorization prior to sending marketing communications. A covered entity must also obtain express written individual authorization before selling PHI, subject to certain exceptions.
- Covered entities must revise their Notices of Privacy Practices to reflect the changes in the Rule.
- Breaches affecting fewer than 500 individuals must be reported within 60 days after the end of the calendar year in which they were discovered (not the year in which they occurred).
- Notification to the Secretary must occur contemporaneously with notification to individuals for breaches affecting more than 500 individuals.
- Enhanced privacy protections for genetic information have been incorporated as required by the Genetic Information Non-Discrimination Act of 2008 (GINA).
In HHS’s press release, Director of the Office for Civil Rights Leon Rodriguez commented that the final omnibus rule “marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”
The above are some highlights that may be most relevant to covered entities and business associates in assessing how best to adjust their practices in order to comply with the changes in the Rule. Please watch for further details and a more in-depth analysis to come in a Latham & Watkins Client Alert.