HHS Issues New HIPAA Omnibus Rule

/in

by Kim Stanger, Holland & Hart LLP

HHS issued the new HIPAA omnibus rule yesterday. The new rule contains important changes for health care providers and their business associates. For example, the new rule:

  • Modifies the standard for reporting breaches to patients and HHS. HHS replaced the former “no harm, no foul” rule with a new standard: a breach is presumed unless the covered entity can demonstrate a low probability that the protected health information has not been compromised. This requires an assessment of specified factors and will likely increase the number of reportable breaches.
  • Confirms HIPAA requirements for business associates and their subcontractors. Business associates are subject to HIPAA penalties if they fail to comply. The definition of “business associates” was expanded to include entities that provide data transmission services for protected health information and require routine access to the information.
  • Confirms providers are liable for their business associate’s violations if the business associate is acting as the agent for the provider. The rule’s commentary contains a helpful analysis for determining whether an agency relationship exists.
  • Makes it easier for family members to obtain information about decedents. The rule also confirms that HIPAA does not apply to information 50 years after the decedent’s death.
  • Expands patients’ right to obtain electronic copies of their records.
  • Prohibits providers from disclosing information to health insurers if the patient pays for the treatment and requests that the information not be disclosed to insurers. Implementation will create significant practical problems for practitioners.
  • Prohibits the sale of protected health information unless certain conditions are satisfied.
  • Imposes additional requirements for the use of protected health information for marketing or fundraising. Among other things, an authorization is required to disclose information for treatment purposes if the provider is receiving remuneration for the disclosure.
  • Requires new provisions to be added to providers’ Notice of Privacy Practices, including a description of disclosures that require authorizations and notice of a patient’s right to receive notice of HIPAA breaches.

The new rules take effect March 23, 2013, but covered entities and business associates will have until September 23, 2013 to comply. Before then, providers will need to take certain actions to remain compliant, including:

  • Modify their Notice of Privacy Practices.
  • Update and/or execute new business associate contracts, including contracts for subcontractors and health information organizations. Existing compliant contracts do not need to be modified until September 2014.
  • Revise privacy, security and breach notification policies to incorporate the new requirements.
  • Modify authorizations and other forms as necessary to track the new rules.
  • Ensure their electronic medical records programs have the functionality to address the new regulatory requirements.
  • Take even greater care to protect patient information given the new standard for evaluating whether breaches are reportable.

Business associates will also need to implement HIPAA privacy and security policies and safeguards applicable to business associates. HHS estimates that complying with the new requirements will cost affected parties a total of $114 million to $225 million during the first year. The new rule can be accessed at: http://www.ofr.gov/OFRUpload/OFRData/2013-01073_PI.pdf. HHS’s press release can be accessed at www.hhs.gov/news/press/2013pres/01/20130117b.html.

For questions regarding this update, please contact
Kim C. Stanger
Holland & Hart, U.S. Bank Plaza, 101 S. Capitol Boulevard, Suite 1400, Boise, ID 83702-7714
email: kcstanger@hollandhart.com, phone: 208-383-3913

This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.

HIPAA Compliance: Security Rule Enforcement on the Rise

/in

Most healthcare providers are acutely aware of and generally comply with the HIPAA Privacy Rule; however, they and their business associates may be less familiar with and likely fail to satisfy HIPAA Security Rule requirements. The Privacy Rule generally prohibits covered entities from using or disclosing a patient’s protected health information (“PHI”) without authorization. (45 C.F.R. § 164.500 et seq.). In contrast, the Security Rule applies to electronic health information (“e-PHI”). It requires covered entities and their business associates to implement specific administrative, technical, and physical safeguards to protect the integrity, availability, and confidentiality of e-PHI, e.g., by ensuring that computers and other electronic devices satisfy regulatory standards pertaining to passwords, firewalls, backups, transmission security, etc. (45 C.F.R. § 164.300 et seq.).

In the past, the Office of Civil Rights (“OCR”) seemed not to actively enforce the Security Rule, but that is changing:

  • In March, Blue Cross Blue Shield of Tennessee (“BCBS”) agreed to pay $1.5 million for security rule violations arising out of the theft of unencrypted laptops. Among other things, BCBS failed to conduct the required security assessment and implement access controls required by the Security Rule.
  • In April, a Phoenix cardiology group agreed to pay $100,000 for, among other things, failing to designate a security officer, conduct the required security assessment, implement safeguards required by the Security Rule, or execute business associate agreements with vendors who stored or accessed e-PHI.
  • In June, the Alaska Department of Health and Social Services (“DHSS”) agreed to pay $1.7 million after a USB hard drive was stolen. The OCR’s investigation showed that DHSS did not have adequate policies and procedures in place to safeguard ePHI, and had not completed the required risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the Security Rule.

These actions sound a wake up call to all providers and business associates—large, small, or public—who have ignored or become lax with Security Rule compliance. As OCR Director Rodriguez stated, “We hope that health care providers pay careful attention to [these] resolution agreement[s] and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.” The OCR is now required to impose mandatory penalties of $10,000 to $50,000 per violation if a provider is determined to have acted with willful neglect. Based on the recent cases, failing to implement safeguards required by the Security Rule may evidence willful neglect.

If they have not done so recently, providers and their business associates should review their Security Rule compliance. Among other things, they should conduct a security assessment to determine their system vulnerabilities, and implement the safeguards specified in the Security Rule regulations. To obtain a checklist for Security Rule compliance, please click here. In addition, the OCR has published several tools to help entities comply:

Putting in place the required policies and practices and documenting appropriate training will go a long way to avoiding Security Rule penalties. More importantly, they will help providers avoid potentially devastating consequences of a security failure, system crash, or the loss of electronic data which the Security Rule is designed to protect. In that regard, Security Rule compliance is not just a regulatory mandate; it is a prudent business practice.

For questions regarding this update, please contact
Kim C. Stanger
Holland & Hart, U.S. Bank Plaza, 101 S. Capitol Boulevard, Suite 1400, Boise, ID 83702-7714
email: kcstanger@hollandhart.com, phone: 208-383-3913

This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.

Avoid New HIPAA Penalties

/in

Recent changes to the HIPAA privacy and security rules dramatically increase health care providers’ and their business associates’ potential liability for HIPAA violations.

HIPAA Civil Penalties Are Now Mandatory. In 2009, the penalties for HIPAA violations were increased 500 times their prior limits. Effective February 2011, the Office of Civil Rights (“OCR”) is required to impose HIPAA penalties if the covered entity or its business associate acted with willful neglect, i.e., with “conscious, intentional failure or reckless indifference to the obligation to comply” with HIPAA requirements. The following chart summarizes the penalty structure:

Conduct of covered entity or business associate Penalty
Did not know and, by exercising reasonable diligence, would not have known of the violation $100 to $50,000 per violation;
Up to $1,500,000 per identical violation per year
Violation due to reasonable cause and not willful neglect $1,000 to $50,000 per violation;
Up to $1,500,000 per identical violation per year
Violation due to willful neglect but the violation is corrected within 30 days after the covered entity knew or should have known of the violation Mandatory fine of $10,000 to $50,000 per violation;
Up to $1,500,000 per identical violation per year
Violation due to willful neglect and the violation was not corrected within 30 days after the covered entity knew or should have known of the violation Mandatory fine of not less than $50,000 per violation;
Up to $1,500,000 per identical violation per year

The federal government is serious about the new penalties: the OCR has imposed millions of dollars in penalties or settlements since the mandatory penalties took effect. State attorneys general may also sue for HIPAA violations and recover penalties of $25,000 per violation plus attorneys’ fees. When implemented, HITECH amendments will allow patients to recover a portion of any settlement or penalties related to a HIPAA violation, thereby increasing patients’ incentive to report HIPAA violations.

The good news is that if the covered entity or business associate does not act with willful neglect, the OCR may waive or reduce the penalties, depending on the circumstances. More importantly, if the covered entity or business associate does not act with willful neglect and corrects the violation within 30 days, the OCR may not impose any penalty; timely correction is an affirmative defense.

HIPAA Violations May Be A Crime. Federal law prohibits any individual from improperly obtaining or disclosing protected health information from a covered entity without authorization; violations may result in the following criminal penalties:

Prohibited Conduct Penalty
Knowingly obtaining or disclosing protected health information without authorization. Up to $50,000 fine and one year in prison
If done under false pretenses. Up to $100,000 fine and five years in prison
If done with intent to sell, transfer, or use the information for commercial advantage, personal gain or malicious harm. Up to $250,000 fine and ten years in prison

Physicians, hospital staff members, and others have been prosecuted for improperly accessing, using or disclosing protected health information.

Entities Must Self-Report HIPAA Breaches. The risk of penalties is compounded by the fact that covered entities and business associates must self-report HIPAA breaches that pose a significant risk of financial, reputational or other harm to the individual whose information was breached. If the business associate learns of such a breach, it must report the breach to the covered entity without unreasonable delay. The covered entity must report a breach to the affected individual or their personal representatives and the federal Department of Health and Human Services (“HHS”). If the breach involves more than 500 persons, the covered entity must also publish information about the breach through local media.

What You Need To Do To Avoid Penalties. Given this increased exposure, health care providers and their business associates should do the following to avoid HIPAA penalties:

1. Assign HIPAA responsibility. Covered entities must designate persons to serve as their HIPAA privacy and security officers, and document the designation in writing. The privacy and security officers are responsible for ensuring HIPAA compliance.

2. Know the use and disclosure rules. The basic privacy rules are simple: covered entities and business associates may not use, access or disclose protected health information without the patient’s valid, HIPAA-compliant authorization unless the use or disclosure fits within an exception. Covered entities and business associates may use or disclose protected health information for purposes of treatment, payment or certain health care operations without the patient’s consent; however, they may not use or disclose more than is minimally necessary for the permitted purpose. Additional exceptions apply to specific situations. The OCR maintains a very helpful website to aid covered entities’ compliance: http://www.hhs.gov/ocr/privacy/.

3. Know patients’ rights. HIPAA grants patients certain rights concerning their health information. Among others, patients generally have a right to obtain copies of their protected health information; request amendment to their information; and obtain an accounting of impermissible disclosures. Covered entities and business associates must know and allow patients to exercise their rights. Cignet Health was fined $4.3 million for, among other things, failing to timely respond to patient requests to access their health information.

4. Maintain written policies. HIPAA requires covered entities and business associates to develop and maintain written policies that implement the privacy and security rule requirements, including those dealing with confidentiality and patients’ rights. Having the required policies is a key to avoiding penalties. According to HHS, maintaining the required written policies is a significant factor in avoiding penalties imposed for “willful neglect.” Rite Aid paid $1,000,000 to settle HIPAA violations based in part on its failure to maintain required HIPAA policies. This week, a Phoenix cardiology group was fined $100,000 in part because it failed to have written policies required by HIPAA. To obtain a checklist of required policies, contact me at kcstanger@hollandhart.com.

5. Develop compliant forms. HIPAA requires that certain documents used by covered entities and business associates satisfy regulatory requirements. For example, HIPAA authorizations must contain certain elements to be valid. Covered entities must provide patients with a notice of privacy practices that contains certain statements. Other forms may be developed to ensure compliance with patient rights. Ensure your HIPAA forms satisfy the regulatory requirements.

6. Execute business associate agreements. Although HIPAA now applies directly to business associates, HIPAA still requires covered entities to execute “business associate agreements” with their business associates before disclosing protected health information to the business associate. Under proposed rules, business associates must execute similar agreements with subcontractors to whom the business associate discloses protected health information. The business associate agreements must contain certain elements. Breach of the business associate agreement exposes the business associate to contract claims by the covered entity in addition to civil or criminal penalties imposed by the government. Covered entities are generally not liable for the actions of their business associates unless the business associate is acting as the agent of the covered entity. Make sure your business associate agreements confirm that the business associate is an independent contractor, not your agent.

7. Train employees and agents. Having the policies and forms is only the first step; covered entities and business associates must train their employees to comply with the policies and document. HIPAA requires that new employees are trained within a reasonable period of time after hire, and as needed thereafter. Documented training is a second critical step to avoid HIPAA compliance. According to HHS commentary, covered entities may avoid HIPAA penalties based on the misconduct of a rogue employee so long as the covered entity implemented appropriate policies and adequately trained the employee.

8. Use appropriate safeguards. The government recognizes that patient privacy cannot be absolutely protected. HIPAA does not impose liability for “incidental disclosures” so long as the covered entity or business associate implemented reasonable administrative, technical and physical safeguards designed to protect against improper disclosures. The security rule contains detailed regulations concerning safeguards that must be implemented to protect electronic health information. The privacy rule is less specific. The reasonableness of safeguards depends on the circumstances, but may include, e.g., not leaving protected health information where it may be lost or improperly accessed; checking e-mail addresses and fax numbers before sending messages; using fax cover sheets; etc.

9. Respond immediately to any breach. This is critical for several reasons. First, HIPAA requires covered entities and business associates to investigate any privacy complaints, mitigate any breach, and impose appropriate sanctions against any agent who violates HIPAA. It may also require covered entities to terminate an agreement with a business associate due to the business associate’s noncompliance. Second, an entity may be able to ameliorate or negate any risk of harm to the patient by taking swift action, thereby avoiding the obligation to self-report HIPAA violations to the individual and HHS. Third, a covered entity or business associate can avoid HIPAA penalties altogether if it does not act with willful neglect and corrects the violation within 30 days.

10. Timely report breaches. If a breach of unsecured protected health information poses a risk of significant financial, reputational or other harm to the patient, business associates must promptly report the breach to covered entities, and covered entities must notify the patient within 60 days. If the breach involves less than 500 persons, the covered entity must notify HHS by filing an electronic report no later than 60 days after the end of the calendar year. If the breach involves 500 or more persons, the covered entity must file the electronic report when it notifies the patient. The written notice to the patient must satisfy regulatory requirements.

11. Document your actions. Documenting proper actions will help you defend against HIPAA claims. Covered entities and business associates are required to maintain documentation required by HIPAA for six years.

As I write this article, the Office of Management and Budget is reviewing new HIPAA regulations. Covered entities and business associates should watch for the new regulations and implement any additional changes as necessary.

For questions regarding this update, please contact:
Kim C. Stanger
Holland & Hart, 800 W Main Street, Suite 1750, Boise, ID 83702
email: kcstanger@hollandhart.com, phone: 208-383-3913

This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.