On Jan. 25, 2013, the Department of Health and Human Services (HHS) published the “HIPAA Omnibus Rule,” a set of final regulations modifying the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Enforcement Rules to implement various provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. These rules are complex, and a detailed review of all of the changes is beyond the scope of this article, which focuses on frequently asked questions from AAOS members.
What does the Omnibus Rule include?
In broad terms, the Omnibus Rule addresses the following three specific areas that have a bearing on physicians as either covered entities or business associates:
- Modifies the HIPAA Privacy, Security, and Enforcement regulations in the following ways:
  - Makes business associates and subcontractors of business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rule requirements
  - Strengthens the limitations on the use and disclosure of protected health information (PHI) for marketing and fundraising purposes, and prohibits the sale of PHI without individual authorization
  - Expands an individual’s rights to receive electronic copies of his or her health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out-of-pocket in full
  - Requires modifications to a covered entity’s Notice of Privacy Practices
  - Adopts the additional HITECH Act enhancements to the Enforcement Rule, particularly regarding privacy breaches and penalties
- Creates an increased and tiered civil money penalty structure for security breaches under the HITECH Act.
- Modifies and clarifies the definition of what constitutes a reportable privacy breach and the factors covered entities and business associates must consider when determining whether a reportable breach has occurred.
What are the penalties for security breaches?
The Omnibus Rule formally adopts the following penalty scheme for violations of the HITECH Act occurring on or after Feb. 18, 2009:
- For violations where a covered entity did not know and, by exercising reasonable diligence, would not have known that the covered entity violated a provision, a penalty of not less than $100 or more than $50,000 for each violation
- For a violation due to reasonable cause and not to willful neglect, a penalty of not less than $1,000 or more than $50,000 for each violation
- For a violation due to willful neglect that was timely corrected, a penalty of not less than $10,000 or more than $50,000 for each violation
- For a violation due to willful neglect that was not timely corrected, a penalty of not less than $50,000 for each violation; the penalty for violations of the same requirement or prohibition under any of these categories may not exceed $1.5 million in a calendar year.
What constitutes a reportable breach?
Any impermissible use or disclosure of PHI is presumed to be a breach, with a subsequent requirement to provide a breach notification, unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised. Importantly, the covered entity or business associate, as applicable, has the burden of demonstrating that all notifications were provided or that an impermissible use or disclosure did not constitute a breach, and they must maintain documentation sufficient to meet that burden of proof.
What determines whether PHI has been compromised?
In determining whether notice of a breach is required, a covered entity or business associate must consider at least the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the PHI or to whom the disclosure was made
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated
What do I have to do to remain HIPAA-compliant under the new rules?
Most physician practices are “Covered Entities” under HIPAA and may also be “Business Associates” to other providers. Generally, a covered entity is a healthcare provider who transmits any health information in electronic form, and a business associate is a person who creates, receives, maintains, or transmits PHI on behalf of a covered entity; business associates may also include subcontractors of an entity.
In a nutshell, physicians (whether as covered entities or business associates) must update their business associate agreements and notices of privacy practices; they must also review and update HIPAA policies and procedures, particularly those regarding privacy breaches and reporting.
Does the rule change the definition of business associates?
Yes—business associates now include any of the following types of entities:
- A health information organization, e-prescribing gateway, or any other entity that provides data transmission services to a covered entity and requires access on a routine basis to PHI.
- An entity that offers a personal health record on behalf of a covered entity. However, if the personal health record is not offered on behalf of a covered entity, then the personal health record vendor is not a business associate.
- A subcontractor of a covered entity as well as any subcontractor of a business associate, if the subcontractor accesses PHI of the covered entity.
- An individual who creates, receives, maintains, or transmits PHI on behalf of a covered entity.
So, if you work with any organizations that fall within the above definitions and don’t have a valid Business Associate Agreement (BAA) in place with them, you need to implement one. For more information on the Omnibus Rule and business associates, see the links at the end of the article.
Do I need to update my BAAs?
Under the Omnibus Rule, BAAs must include the following new provisions:
- Business associates must comply, where applicable, with the Security Rule with regard to electronic PHI.
- Business associates must report breaches of unsecured PHI to covered entities.
- Business associates must ensure that any subcontractors that create or receive PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information.
- To the extent that the business associate carries out a covered entity’s obligations under the Privacy Rule, the business associate must comply with the same requirements of the Privacy Rule that apply to the covered entity in the performance of such obligations.
- Business associates are required to enter into Business Associate Agreements or other arrangements that comply with the Privacy and Security Rules with their business associate subcontractors, in the same manner that covered entities are required to enter into contracts or other arrangements with their business associates.
What changes do I have to make to my Notice of Privacy Practices (NPP)?
The Omnibus Rule requires that NPPs include the following:
- A statement indicating that authorization is required for uses and disclosures of PHI for marketing purposes and disclosures that constitute a sale of PHI. If the Covered Entity records or maintains psychotherapy notes, it must also include a statement indicating that authorization is required for most uses and disclosures of those notes.
- A statement that other uses and disclosures not described in the NPP will be made only with authorization from the individual to whom the PHI relates.
- A statement regarding fundraising communications and an individual’s right to opt out of receiving such communications, if a Covered Entity intends to contact an individual to raise funds for the Covered Entity.
- A statement that individuals who pay out-of-pocket in full for a healthcare item or service have the right to restrict disclosures of PHI to their health plan.
- A statement that individuals will be notified following a breach of unsecured PHI.
Because these changes constitute “material changes” under the HIPAA regulations, the revised NPP must be provided to all new patients and made available to existing patients upon request, posted to the office website, and prominently posted in the offices.
When do the new rules take effect?
The Omnibus Rule took effect on March 26, 2013. However, you have until Sept. 23, 2013, to revise your BAAs and NPPs to comply with the Omnibus Rule.
What are the penalties for noncompliance?
Failure to comply with the HIPAA rules is subject to civil penalties of between $100 (per violation) and $25,000 for identical violations during a calendar year. However, privacy breaches are subject to penalties of up to $1.5 million.
How can I learn more?
One of the best places to start is the Health Information Privacy webpage of the Office of Civil Rights of the HHS (www.hhs.gov/ocr/privacy/index.html).
This article covers only the broad categories of changes to the HIPAA rules. Orthopaedic practices are encouraged to review existing HIPAA compliance policies and procedures to ensure they are up-to-date. If a suspected privacy breach occurs, work with knowledgeable legal counsel to assess the breach and any notification requirements because both the assessment and notice requirements are complex and the penalties for noncompliance can be significant.
Todd A. Rodriguez, Esq., is a partner in the Exton, Pa., office of Fox Rothschild LLP. He can be reached at firstname.lastname@example.org
Disclaimer: This article is intended for general information purposes only. It does not constitute legal advice. The reader should consult with knowledgeable legal counsel to determine how applicable laws apply to specific facts and situations. This article is based on the most current information at the time it was written. Because the laws or other circumstances may have changed since publication, the reader should consult with knowledgeable legal counsel to discuss any action he or she may be considering as a result of reading this article.