HHS Issues New HIPAA Omnibus Rule
by Kim Stanger, Holland & Hart LLP
HHS issued the new HIPAA omnibus rule yesterday. The new rule contains important changes for health care providers and their business associates. For example, the new rule:
- Modifies the standard for reporting breaches to patients and HHS. HHS replaced the former “no harm, no foul” rule with a new standard: a breach is presumed unless the covered entity can demonstrate a low probability that the protected health information has been compromised. This requires an assessment of specified factors and will likely increase the number of reportable breaches.
- Confirms HIPAA requirements for business associates and their subcontractors. Business associates are subject to HIPAA penalties if they fail to comply. The definition of “business associates” was expanded to include entities that provide data transmission services for protected health information and require routine access to the information.
- Confirms providers are liable for their business associate’s violations if the business associate is acting as the agent for the provider. The rule’s commentary contains a helpful analysis for determining whether an agency relationship exists.
- Makes it easier for family members to obtain information about decedents. The rule also confirms that HIPAA does not apply to information 50 years after the decedent’s death.
- Expands patients’ right to obtain electronic copies of their records.
- Prohibits providers from disclosing information to health insurers if the patient pays for the treatment and requests that the information not be disclosed to insurers. Implementation will create significant practical problems for practitioners.
- Prohibits the sale of protected health information unless certain conditions are satisfied.
- Imposes additional requirements for the use of protected health information for marketing or fundraising. Among other things, an authorization is required to disclose information for treatment purposes if the provider is receiving remuneration for the disclosure.
- Requires new provisions to be added to providers’ Notice of Privacy Practices, including a description of disclosures that require authorizations and notice of a patient’s right to receive notice of HIPAA breaches.
The new rules take effect March 23, 2013, but covered entities and business associates will have until September 23, 2013 to comply. Before then, providers will need to take certain actions to remain compliant, including:
- Modify their Notice of Privacy Practices.
- Update and/or execute new business associate contracts, including contracts for subcontractors and health information organizations. Existing compliant contracts do not need to be modified until September 2014.
- Revise privacy, security and breach notification policies to incorporate the new requirements.
- Modify authorizations and other forms as necessary to track the new rules.
- Ensure their electronic medical records programs have the functionality to address the new regulatory requirements.
- Take even greater care to protect patient information given the new standard for evaluating whether breaches are reportable.
Business associates will also need to implement HIPAA privacy and security policies and safeguards applicable to business associates. HHS estimates that complying with the new requirements will cost affected parties a total of $114 million to $225 million during the first year. The new rule can be accessed at: http://www.ofr.gov/OFRUpload/OFRData/2013-01073_PI.pdf. HHS’s press release can be accessed at www.hhs.gov/news/press/2013pres/01/20130117b.html.
For questions regarding this update, please contact
Kim C. Stanger
Holland & Hart, U.S. Bank Plaza, 101 S. Capitol Boulevard, Suite 1400, Boise, ID 83702-7714
email: kcstanger@hollandhart.com, phone: 208-383-3913
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.