The Expansion of Privacy, Security and Liability Under the HIPAA Omnibus Rule
 
Written by Sigrid U. Zaehringer
As published in the Califf & Harper, P.C. May 2013 Newsletter
  
The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") was established to provide federal protections for personal health information ("PHI") and to vest individuals with rights concerning the use and disclosure of such information. HIPAA also sets forth a series of logistical safeguards covering the use and transmission of electronic health information. The types of businesses subject to HIPAA's privacy rules are health plans, health care clearinghouses, and health care providers who conduct certain financial and administrative transactions electronically.
 
On January 17, 2013, the Department of Health and Human Services issued a final rule, referred to as the Omnibus Rule, which affects multiple aspects of HIPAA. The Omnibus Rule became effective on March 26, 2013, and covered entities and business associates must comply with its requirements by September 23, 2013. The Department of Health and Human Services has referred to the Omnibus Rule as the "most sweeping changes" to the HIPAA regulations since they were first implemented.  
 
Some of these major changes are as follows:
 
  • Prior to the revisions coming into effect, breach notification regulations contained a "harm threshold," meaning that only those breaches posing a significant risk of financial, reputational, or other harm were reportable to individuals and the Department of Health and Human Services. Now, the definition of a "breach" under HIPAA has been expanded, so that any improper acquisition, use, access or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised. This requires the covered entity or business associate to perform a four-part risk analysis to determine whether such a low probability exists.
  • The Omnibus Rule emphasizes that violations of the minimum necessary standard, which requires the disclosure of the minimum amount of PHI necessary to accomplish the intended purpose of the action, may be construed as a breach of PHI.
  • Covered entities were and continue to be required to distribute a Notice of Privacy Practices form which describes the rights of individuals concerning their PHI and the ways in which the covered entity could potentially disclose the PHI. The Omnibus Rule directs covered entities to add a number of provisions to their Notice of Privacy Practices, including sections on the use of PHI for fundraising, the right to notice in the event of a breach, and the right of individuals to restrict disclosure in certain situations. 
  • Greater emphasis is placed on business associate compliance with HIPAA requirements, as shown by an expanded definition of "business associate," additional requirements for business associate contracts, and enhanced liability for business associates.
  • The Omnibus Rule also establishes an increased tiered civil money penalty structure for noncompliance.
 
The Omnibus Rule enacted a variety of additional modifications as well which touch upon disclosures made to schools, utilization of genetic data, and the use of information concerning deceased individuals. 
 
As entities subject to HIPAA know, the law already presents an incredible array of logistical, technological, and educational challenges due to its scope and complexity. Given the material changes enacted by the Omnibus Rule, it is an appropriate time for covered entities to undergo a comprehensive review of their written HIPAA policies, their practices for ensuring the safekeeping and proper transmission and use of such materials, and their procedures for the enforcement of internal rules and prohibitions. Now is also the time for companies who are business associates of covered entities to review their business associate contracts and all aspects of their relationships with covered entities.
 
Of course, each company's circumstances are unique and there are additional exceptions and requirements under federal and state law. If you are questioning the applicability of HIPAA and the Omnibus Rule to your business, or are planning to update your existing policies and procedures relating to HIPAA, we recommend you consult your legal counsel to discuss your individual circumstances.
 
For more information on this topic please contact Califf & Harper, P.C. by calling 309-764-8300 or 1-888-764-4999. This article is intended to provide general information regarding the topic discussed herein but is not intended to constitute individual legal advice.