The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently released final regulations1 containing modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (Omnibus Rule). Proposed regulations were previously released for public comment in the October 30, 2009 interim final enforcement rule detailing HITECH’s then-new tiered penalty structure, and the August 24, 2009 interim final breach notification rule published pursuant to HITECH proposed privacy, security, and enforcement standards.2 The proposed rules provided for major changes, such as direct liability for business associates and a tiered penalty structure for noncompliance. This advisory sets forth some of the most significant changes in the final rules, the impact of the final rules on group health plans, best practices for compliance with the rules, and how the final rules correspond with state privacy laws.
Some of the Biggest and Most Dramatic Changes
The final rules, effective on March 26, 2013, not only provide direct liability for business associates and their subcontractors, but also include increased liability for noncompliance. The final rules move HIPAA enforcement away from the previous voluntary compliance framework and toward a penalty-based system. The tiered penalty structure has penalties ranging from $100 to $50,000 per violation, depending on the level of culpability, with a $1.5 million cap per calendar year for multiple violations of identical provisions, and criminal penalties of up to 10 years’ imprisonment. Willful neglect is at the top of the scale, and even where there is merely a possibility of a violation due to willful neglect, HHS can impose civil monetary penalties without exhausting informal resolution options.
The Omnibus Rule also significantly changes the breach notification analysis, creating a presumption of reportable breach. This analysis is a significant change from the previous risk analysis and the proposed rules’ “harm standard,” which analyzed the risk of harm to an individual in determining whether a breach was reportable. In an attempt to obtain more consistency in breach reporting, the Omnibus Rule creates an objective, four-factor test to determine whether or not protected health information (PHI) has been compromised, requiring breach notification. This analysis focuses on: (1) the nature and extent of the PHI involved in the incident (e.g., whether the information is sensitive information like social security numbers or infectious disease test results); (2) the recipient of the PHI (e.g., whether another physician received the PHI); (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk has been mitigated following unauthorized disclosure (e.g., whether it was immediately sequestered and destroyed). For example, if PHI is faxed to the wrong physician and the receiving physician immediately contacts the covered entity to inform it of the error and confirms that the information was destroyed, there is a low probability that information was compromised, and disclosure would not be reportable to OCR, individuals, the media, or any other necessary parties. OCR commented that organizations’ policies and procedures should reflect this new risk assessment approach.
Another significant change in the Omnibus Rule relates to marketing and subsidized communications of PHI. The Privacy Rule initially defined marketing as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” Such a communication required a prior authorization from the intended recipient of the communication. Certain exceptions permitted marketing communications without an authorization, such as “health care operations” communications, face-to-face communications, and gifts of nominal value. The final rule requires authorization for all treatment and health care operations communications where the covered entity receives financial remuneration from the third party whose products or services are being marketed. There are still exceptions; for example, subsidized face-to-face communications and subsidized communications regarding a drug or biologic currently being prescribed to an individual and refill reminders are permissible without authorization. OCR was clear that within the scope of this exception are communications about generic equivalents and adherence types of communications. Third-party payments for purposes other than communications to a patient, such as third-party funded disease management programs, do not require authorization, provided that the communication encourages participation in the program and not the use of the sponsor’s particular product or service.
Omnibus Rule commentary provides a useful discussion of OCR’s “conduit” analysis. This analysis is relevant for determining whether or not a data transmission organization is a business associate, which carries much more weight now that business associates and their vendors have direct liability and new compliance obligations under the final rules. OCR’s longstanding position has been that entities acting as mere conduits for PHI that do not access PHI other than on a random basis are not business associates. An example is the United States Postal Service, which is merely a conduit through which PHI flows. The Omnibus Rule clarifies that the conduit analysis is narrow and limited to transmission organizations. Storage of PHI, even without access to PHI, triggers business associate obligations. OCR has made it clear that cloud vendors are business associates, even if they do not access PHI. This analysis is important as cloud-based solutions become more widespread in the health care industry.
The Omnibus Rule contains provisions that will permit broader fundraising communications. As originally implemented, the HIPAA Privacy Rule permitted only the use of demographic information and dates of care for fundraising purposes. The Omnibus Rule permits the use of demographic information, dates of service, department of service, treating physician, outcome information and health insurance status for fundraising purposes by fundraising entities and their business associates. There are still notice and opt-out requirements for fundraising communications, which must be included in the notice of privacy practices provided to an individual. Whether the opt-out provision is campaign-specific or allows for the individual to opt out of all fundraising communications is at the discretion of the covered entity.
Also included in the Omnibus Rule are streamlined authorization requirements for the use of individuals’ PHI for research purposes. Previously, a clinical trial participant was only permitted to authorize the use of PHI for one clinical trial per authorization. Additionally, authorizations for future, unspecified research were prohibited. Consistent with federal human subject protection rules, the final rule permits compound authorizations, or authorizations for more than one clinical trial, and authorizations for future, unspecified research. This change permits a single document to include consent and authorization for a clinical trial and a future study, as long as the authorization contains a general description of the types of research that may be conducted. These changes will facilitate tissue and data banking and outcomes research, and will simplify the administration of clinical trials.
Omnibus Rule Effect on Group Health Plans and Their Business Associates
When the HIPAA privacy and security rules were first enacted, and in the early rulemaking that followed, employer-sponsored and other “group health plans” were an afterthought. The law and rules were structured principally for provider and health insurance issuers (i.e., state-licensed insurance carriers). Group health plans faced many ambiguities and questions, but two stood out:
- Drawing on the ERISA civil scheme, HIPAA treats a group health plan as a legally distinct entity. This approach, while justified, is entirely at odds with the experience of most human resource managers and CFOs, who tend to view their company’s group health plan as a product or service that is “outsourced” to a vendor. In the case of an insured plan, the vendor is the carrier; in the case of a self-funded plan, the vendor is the third-party administrator.
- The regulators routinely refer to the security rules as “scalable” — i.e., small entities can comply by adopting approaches that are less complicated and costly. In practice, however, there is little truth to this claim. Base-line risk assessments and policies and procedures quickly get to a point below which they simply cannot be further simplified. Compliance with the security rules, therefore, will if done right prove costly, particularly to smaller entities.
The new administration and the enactment of the HITECH Act appear to have righted the balance vis-à-vis HIPAA and group health plans. Or perhaps it was the passage of time, coupled with a greater emphasis on compliance. Either way, the final HIPAA omnibus rules provide a robust template for compliance along with a penalty scheme and enforcement profile that strongly encourage compliance. The omnibus rules provide severe penalties where an employer fails to comply out of “willful neglect.” While willful neglect can take many forms, the most obvious is for an employee to simply do nothing. There is, as a result, a premium on making some, earnest effort to comply. Even if the effort falls short, it may be enough to avoid a bump up in penalties based on willful neglect. Similar rules and considerations apply to business associates.
Group health plans are “health plans” under HIPAA. They are therefore covered entities that are bound by the applicable HIPAA/HITECH requirements. A covered entity routinely relies on “business associates” to conduct covered functions. Business associates include entities that create, receive, maintain, or transmit PHI on behalf of a covered entity. (The final omnibus rule added the word “maintains” to this definition, thereby encompassing entities that store PHI for the covered entity.) While providers (particularly large integrated health care delivery systems) may have a multitude of business associates, group health plans typically have only a few. These tend to be brokers and consultants and third-party administrators. The final omnibus rule added to the list of business associates “Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to PHI to a covered entity and that requires access on a routine basis to such PHI,” and persons that offer personal health records to one or more individuals on behalf of a covered entity.
State-licensed health insurance carriers are generally not business associates; they are rather themselves covered entities. The final rule makes clear, however, that carriers can be business associates when they undertake business associate functions. The most common example is where a carrier functions in the capacity of a third-party administrator for a self-funded group health plan.
Small group health plans in a community-rated arrangement generally do not receive PHI from the insurance carrier, so employers in that subset of health plans will likely have few HIPAA compliance obligations. Large, fully insured health plans routinely receive information from the insurance carrier that rise to the level of PHI, implicating the privacy and security rules. These plans routinely get help from carriers with the HIPAA compliance, although in too few cases is that help consciously integrated into a systematic compliance effort. Self-funded health plans are fully exposed to PHI and therefore have the responsibility to comply with all HIPAA requirements.
Unlike other provisions of the final omnibus rule, the rules governing group health plans, and in particular their relationship to their business associates, have changed only incrementally. It is now clear, for example, that business associates, including subcontractors such as brokers, consultants, and third-party administrators, are directly liable for compliance with portions of the privacy rule and the entire security rule. A “subcontractor” is defined for this purpose as a person (other than a business associate workforce member) to whom a business associate delegates a function, activity, or service, where the delegated function involves the creation, receipt, maintenance, or transmission of PHI.
The Privacy Rule imposes on covered entities a series of requirements designed to safeguard PHI. These include the following:
- Privacy Policies and Procedures. A covered entity must adopt written privacy policies and procedures that are consistent with the privacy rule.
- Privacy Personnel. A covered entity must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices.
- Workforce Training and Management. Workforce members include employees, volunteers, and trainees, and may also include other persons whose conduct is under the direct control of the covered entity (whether or not they are paid by the entity). A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions. A covered entity must also have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule.
- Mitigation. A covered entity must mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of protected health information by its workforce or its business associates in violation of its privacy policies and procedures or the Privacy Rule.
- Data Safeguards. A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.
- Complaints. A covered entity must have procedures for individuals to complain about its compliance with its privacy policies and procedures and the Privacy Rule. The covered entity must explain those procedures in its privacy practices notice. Among other things, the covered entity must identify to whom individuals at the covered entity may submit complaints and advise that complaints also may be submitted to the Secretary of HHS.
- Retaliation and Waiver. A covered entity may not retaliate against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or another appropriate authority, or for opposing an act or practice that the person believes in good faith violates the Privacy Rule. A covered entity may not require an individual to waive any right under the Privacy Rule as a condition for obtaining treatment, payment, and enrollment or benefits eligibility.
- Documentation and Record Retention. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.
The final rule clarified that, while business associates are not subject to each and every requirement of the Privacy Rule listed above, they must:
- Comply with the terms of a business associate agreement related to the use and disclosure of PHI;
- Provide PHI to the Secretary upon demand;
- Provide an electronic copy of PHI available to an individual (or covered entity) related to an individual’s request for an electronic copy of PHI;
- Make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request; and
- Enter into business associate agreements with subcontractors that create or receive PHI on their behalf.
The Security Rule requires covered entities to conduct a risk assessment. For group health plans, threats can come from two sources: internal (from the workforce) or external (communications on behalf of the health plan and brokers, consultants, and vendors). Accordingly, group health plans should be able to easily identify potential risks and solutions to those risks. While the Security Rule does not expressly require encryption, data encryption is now the de facto standard.
Group health plans should request copies of privacy policies and procedures, risk assessments, and security policies and procedures from their business associates. (Although business associates are not required to have written policies and procedures, having policies and procedures is highly recommended and probably rises to the level of a “best practice.”) Group health plans will also need to update their business associate agreements accordingly. Each business associate and downstream entity also must have a business associate agreement in place. In instances where a valid business associate agreement in already in place, the parties must comply by the earlier of the date the existing agreement is renewed or modified, or September 22, 2014. Otherwise the relevant compliance date is September 23, 2013.
Best Practices for Covered Entities and Business Associates
Covered entities and business associates have until September 23, 2013 to comply with any applicable new rules. To avoid penalties for noncompliance, covered entities and business associates should have, at a minimum, evidence of a good-faith effort of compliance with the rules, including updated policies and procedures and a Security Rule risk assessment reflecting the new risk assessment approach.
Covered entities and business associates should conduct a gap analysis between their current policies and procedures and the new requirements in order to determine what changes are needed, and then they must implement those changes as soon as reasonably possible. Covered entities should identify and document their business associates under the new definition, and business associates should identify and document their subcontractors, to confirm business associate agreement obligations and exposure to liability for noncompliance. Now that business associates are bound by the rules governing impermissible uses and disclosures, breach notification policies, providing PHI upon request, and responding to requests by HHS in connection with investigations, accountings, and the Security Rule provisions, business associates must create a separate set of policies and procedures to comply with these rules. While business associates are not required to have their own privacy policies and procedures or train their workforce on privacy rules, it is strongly recommended.
Given the new presumption of reportable breach, organizations should revise their breach notification policies and procedures and breach response plans. If notification of a breach is required, the covered entity is required to notify all affected individuals within 60 calendar days of the discovery of the breach. However, 60 days is the outer limit, and covered entities are expected to make notifications as soon as possible. OCR has indicated that in some cases, waiting until the 60th day may be deemed an unreasonable delay and a violation of the rules, so covered entities should promptly make required notifications.
Significantly, OCR treats a breach as “discovered” when the entity becomes aware of the breach or it should have gained knowledge of the breach through due diligence. OCR rejected comments that a breach should only be treated as “discovered” when management is notified of the breach. Instead, the “discovery” standard applies to employees and agents of the covered entities, including business associates. As should be detailed in business associate agreements, business associates that discover a breach must report it to the covered entity, and a subcontractor must report a breach to a business associate. Ultimately, the covered entity has the obligation to notify affected individuals of a breach, even if the breach occurred under the business associate, and even if the responsibility to notify has been delegated to the business associate.
Covered entities must also support more training and awareness communications to personnel about the new requirements. They should provide an awareness communication to personnel about the upcoming changes and plan a training session with all personnel sometime in the near future, preferably before the March 26, 2013 effective date of the Omnibus Rule. Covered entities have always been responsible for monitoring personnel, but they are now responsible for monitoring compliance by their business associates. Covered entities must establish a way to monitor compliance and risks on an ongoing basis, to enable covered entities to quickly identify and mitigate problems when they arise.
In addition to updating their policies and procedures, covered entities and business associates must review and possibly amend their existing business associate agreements to comply with the new requirements, as discussed above. OCR recently posted sample business associate agreement provisions on its website that can be used when revising contracts to comply with the rules.3 OCR indicated that while the sample business associate agreement provisions are written for use in a contract between a covered entity and its business associate, the language may also be adapted for a contract between a business associate and its subcontractor. The template provisions are a helpful starting point, but additional revisions are advisable, such as detail regarding mitigation in the event of a breach. Indemnification has also become a common business associate provision in light of increased monetary penalties.
Covered entities must also revise and distribute new notices of privacy practices to individuals. The revised notices must inform recipients of the following:
- the new prohibition against health plans using or disclosing genetic information for underwriting purposes;
- the prohibition on the sale of protected health information without the express written authorization of the individual, and other uses and disclosures that expressly require the individual’s authorization (such as marketing and disclosure of psychotherapy notes);
- the duty of a covered entity to notify affected individuals of a breach;
- the individual’s right to opt out of receiving fundraising communications for entities that have stated their intent to fundraise in their notice of privacy practices; and
- the individual’s right to restrict disclosures of protected health information to a health plan where the individual paid out of pocket in full.
Covered entities must ensure that their notices of privacy practices comply with these new requirements by September 23, 2013. Covered entities generally have 60 days to mail revised hard copy notices of privacy practices to members. Health plans that post their notice on their website must conspicuously post any material change or the revised notice on their website by September 23, 2013, and provide the new notice or information about the material changes and how to obtain the revised notice, in their next annual mailing. Therefore, the new notice of privacy practices should be posted or mailed as soon as reasonably possible.
Don’t Forget State Requirements
Beyond HIPAA there exists another universe of breach notification requirements in the 46 states that have data breach notification laws. Risk assessments and gap analyses must therefore include not only HIPAA requirements, but also the requirements of an organization’s respective state laws.
A state’s breach notification assessment may differ from that required under HIPAA, and breach notification required under HIPAA may not trump state laws. The Omnibus Rule requires notification unless the covered entity demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment. A number of states, including California and Texas, do not require the material risk of harm analysis that was set forth in the proposed rules. In such states, notice may be necessary even if there has been no access or a return of the information.
Under most state breach notification laws, personal information is indubitably a subset of PHI. In the event of a breach involving PHI, an entity may not only have to notify OCR and other necessary parties as required by HIPAA, but it also may have to provide notification under applicable state laws. The entity must analyze the population of affected individuals to determine whether health information is included in the relevant states’ breach notification laws. If so, additional breach notification will be necessary as required by state law. For example, California requires specific notice (within five days of the breach) to the state agency. Connecticut requires notice to the Insurance Commissioner if the breaching entity is licensed by the Department of Banking and Insurance. If the breached information contains more than PHI, such as financial account information, a Social Security number, or any other state-defined “personal information,” a much larger breach analysis is necessary.
The Omnibus Rule contains many changes that will have a significant impact on HIPAA compliance and liability, particularly for business associates. It is crucial to conduct a thorough analysis of the new requirements and to tailor privacy and security policies and procedures accordingly.
1 HHS Office of Civil Rights, “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules” 78 Fed. Reg. 5566, (Jan. 25, 2013), available at: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.
2 The following chart provides a section-by-section comparison of how the regulatory provisions published on January 17, 2013 as part of the Omnibus Rule modify provisions of the proposed rules: http://www.mintz.com/newsletter/2013/Advisories/2587-0113-NAT-HL/index.html.