HIPAA Rules Overhaul Ups Compliance Ante
Attention all medical providers, hospitals and any other covered entity or business associate under HIPAA. On Jan. 17, the U.S. Department of Health and Human Services (HHS) issued a press release announcing "the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented" in the form of the HIPAA final omnibus rule.
This long-awaited final rule becomes effective on March 26, and compliance must be achieved by Sept. 23. If you are not inclined to read the full 563 pages of the published rule and preambles, I will attempt here to provide a high-level outline of the significant changes.
As you may imagine, the interpretation and enforcement of privacy and security rules (HIPAA and others) tend to be driven by complicated and fact-specific analyses. Digesting this rule will be an evolving process.
Also, HIPAA enforcement actions appear to be on the rise. The recent $50,000 fine of a covered entity by HHS for the loss of fewer than 500 records suggests a lower threshold for triggering regulatory enforcement interest. Every covered entity and business associate (and now every subcontractor of a business associate), no matter how large or small, should have a reliable compliance program in place to meet these obligations.
The omnibus rule provides changes primarily in the following areas (taken from the executive summary of the rule):
- It makes final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the HITECH Act that:
  * Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules' requirements;
  * Strengthen the limitation on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of such information without individual authorization;
  * Expand individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out-of-pocket in full;
  * Require modifications to, and redistribution of, a covered entity's notice of
  * Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others;
  * Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the Oct. 30, 2009 interim final rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
- It incorporates the increased and tiered civil money penalty structure (now up to a maximum of $1.5 million for violations due to uncorrected willful neglect) provided by the HITECH Act, originally published as an interim final rule on Oct. 30, 2009.
- It finalizes the Breach Notification Rule for Unsecured PHI under the HITECH Act, supplanting the interim final rule on this topic published on Aug. 24, 2009, and replacing that rule's "harm" threshold with the "low probability of compromise" standard described below.
- It creates the final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act to prohibit most health plans from using or disclosing genetic information for underwriting purposes.
While all of these changes are significant and each could comprise a lengthy article on the strategies and requirements for compliance, one of the most noteworthy from an enforcement perspective is the new analysis required when determining whether a security event rises to the level of a reportable data breach.
The final rule now presumes that any acquisition, access, use, or disclosure of protected health information that is not permitted under the Privacy Rule constitutes a breach, unless the covered entity or business associate can demonstrate that there is a "low probability" that the protected health information has been compromised, based on a risk assessment of at least the following factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed;
- The extent to which the risk to the protected health information has been mitigated.
Each of these factors can take quite a bit of time to evaluate, and the standard for determining what reasonably could be considered "low" probability is best informed by professionals who routinely deal with data breach and security issues. The analysis also cannot be a bare conclusion, because it is subject to hindsight review by HHS. In other words, be prepared to "show your math" when defending any determination that a security event is not a reportable breach: document your investigative action plan, your factual review and expert consultations, and the potential impact on the individuals whose information was involved.
While many are pleased by the feeling of regulatory stasis that this rule creates, we know that nothing is ever "final" when it comes to this area of law — even though this final rule is here today, be prepared for even more changes in this space as technology continues to expand and communications and data mining capabilities increase the mobility of all kinds of personal data. One thing is clear, however — regardless of your business' size or location — HIPAA and privacy/security enforcement is here to stay, and the feds (and state attorneys general) mean business.
Steven J. Bonafonte is a partner in the Hartford office of Pullman & Comley, LLC. His practice includes providing general counsel services to corporate and government entities, privacy, information security, ethics and compliance, and anti-fraud and corporate internal investigations. He can be reached at firstname.lastname@example.org.