On January 25, 2013, the Department of Health and Human Services (“HHS”) issued the final “omnibus” Health Insurance Portability and Accountability Act (“HIPAA”) rule, which made changes to the HIPAA Security Rule, the Breach Notification Rule and certain provisions of the Privacy Rule. The omnibus rule implements changes under the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and affects nearly every business in the healthcare industry, as well as the businesses that provide services to them.
Recall that in general, a “covered entity” under HIPAA is a health care provider that transmits any health information in electronic form, a health plan or a health care clearinghouse. A “business associate” under HIPAA, in turn, is generally a person who: (1) on behalf of a covered entity (other than as an employee of such covered entity) creates, receives, maintains, or transmits protected health information (“PHI”) for a function or activity regulated by HIPAA; or (2) provides (other than as an employee of such covered entity) legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity, where the provision of the service involves the disclosure of PHI from such covered entity or from another business associate of such covered entity, to the person.
Put simply, the omnibus rule now formally extends the application of the HIPAA Security Rule, Breach Notification Rule and certain provisions of the Privacy Rule (previously only imposed on covered entities) directly to business associates, including their subcontractors (or “downstream” business associates), with the potential for enforcement by HHS now directly against the business associate. For example, the HIPAA Security Rule provisions now applicable to business associates generally include: (1) the implementation of administrative, physical, and technical safeguards to protect PHI; (2) the implementation of policies and procedures to comply with HIPAA; and (3) the maintenance of documentation of this compliance. In addition, HIPAA Privacy Rule obligations include: (1) limiting uses or disclosures of PHI to only those provided for within a business associate agreement (“BAA”) or permitted or required under HIPAA; (2) limiting permissible disclosures or requests for disclosures of PHI to the minimum necessary; (3) providing PHI to HHS to demonstrate compliance during investigations; and (4) entering into business associate agreements with subcontractors that comply with the provisions governing business associate agreements between covered entities and business associates. The omnibus rule also incorporates the increased and tiered civil money penalty structure provided by HITECH, with penalties based on the level of negligence and with a maximum penalty of $1.5 million per violation.
The omnibus rule became effective on March 26, 2013, with enforcement of the omnibus rule changes beginning on September 23, 2013. One significant exception to the September 23, 2013, enforcement date is that HHS has indicated that “grandfathered” BAAs do not need to be updated to reflect the changes in the omnibus rule until September 23, 2014. Grandfathered BAAs are those BAAs in place before January 25, 2013, and not otherwise amended after March 25, 2013.
We recommend that our clients acting as business associates of covered entities, or as subcontractor business associates, take the following initial steps to address the changes implemented by the omnibus rule.
- Investigate/confirm status as a business associate of a covered entity, or a subcontractor business associate of a business associate;
- Conduct a HIPAA Security Rule risk assessment;
- Draft/update appropriate HIPAA Security Rule, Breach Notification Rule and Privacy Rule policies and procedures;
- Enter into, or amend, as appropriate, business associate agreements to reflect the omnibus rule changes;
- Educate subcontractor business associates about their responsibility (and the responsibility of their subcontractors) to safeguard PHI so as to mitigate the chance of agents causing upstream liability; and
- Conduct HIPAA training on the updated policies.
To assist our clients in this endeavor, McGrath North has developed a comprehensive Business Associate HIPAA Security Rule Risk Assessment Guidance document as well as comprehensive HIPAA Business Associate Policies and Procedures which can be tailored to address the findings of the HIPAA Security Rule Risk Assessment and the related requirements of the HIPAA Breach Notification Rule and Privacy Rule.
If you would like the firm’s assistance in addressing the requirements imposed by the changes in the HIPAA omnibus rule, please contact Tom Kelley at 402-633-9549 or firstname.lastname@example.org.