Health Law News

HIPAA OMNIBUS COMPLIANCE – COVERED ENTITIES AND BUSINESS ASSOCIATES

Sweeping changes to HIPAA/HITECH (the Health Insurance Portability and Accountability Act, “HIPAA”, and the Health Information Technology for Economic and Clinical Health Act, “HITECH”) came into effect September 23, 2013. This long-anticipated final omnibus rule greatly expands the reach of those directly liable under HIPAA. Under the new rules, healthcare providers who are “Covered Entities” (covered healthcare providers, health plans and others defined in the rule) must update their Business Associate Agreements (see Note 3 below). “Business Associates” are now directly liable for any breach of protected patient health information (PHI) and must comply with the rule changes concerning sub-contractors and their own obligations to protect PHI.

Entities with compliant Business Associate Agreements in place before the rule change have until September 23, 2014 to update those agreements to bring them in line with the new requirements. Business Associates must also enter into Business Associate Agreements with sub-contractors and should exercise great care in vetting new hires and in monitoring compliance by their sub-contractors. Other professionals, such as attorneys and financial advisors working with regulated entities, who are not directly characterized as Covered Entities or Business Associates must exercise care in accessing, using or transmitting any confidential, protected information so as not to expose themselves or their clients to potential violations. Periodic training for those handling PHI, and regular audits of all systems and processes involving PHI, will help minimize any accidental violation of the rules.

In large part, the new omnibus rulemaking was driven by the massive amount of patient health information (PHI) shared by healthcare providers and their vendors through open networks, e-transmissions, digital media, mobile devices, and e-health exchanges, which leaves the door open to additional vulnerabilities to PHI during use or transmission.

Key changes to the HIPAA rules include:

  1. Expanding Privacy, Security and Breach Notification Policies and Procedures (with new form and workflow requirements for some providers). Breaches are now presumed reportable unless, after completing the mandated risk analysis (defined by four factors), the entity has determined that there is a “low probability of PHI compromise”. The rules do not modify the actual reporting requirements: Covered Entities and Business Associates must still provide individual notifications, HHS notifications and, where applicable, media posting of the breach.
  2. Notices of Privacy Practices (NPPs) must be amended to reflect major changes in the rules concerning breach notification, disclosures to health plans, and marketing and sale of PHI. Updates to NPP policies should be posted to a healthcare provider’s website and adhere to other requirements of the privacy rules.
  3. Business Associate Agreements (BAAs). The new rules greatly expand the universe of individuals and entities that will now be treated as “Business Associates”, including health information exchanges, e-gateways, personal health record vendors and others. Covered Entities have until September 23, 2014 to bring all of their existing BAAs into conformance with the new rules. (The September 23, 2013 compliance deadline affected Business Associates not yet under contract as of that date.) Those characterized as “Business Associates” under HIPAA will now be directly liable for any compromise of PHI and must comply with all of the privacy, security and breach policy amendments of the rules or suffer the consequences.

Next Steps: Some of the most sweeping changes to the HIPAA privacy and security rules expand the obligations of Business Associates, making them directly liable for any compromise of PHI. Covered Entities and Business Associates should immediately take steps to ensure that their Business Associate Agreements (including those with sub-contractors) are fully compliant with the new rules. Additional care should be taken to ensure that updates to privacy practices and workflows are actually being carried out. Those covered by the final omnibus rule must conduct periodic audits and training to ensure that all systems, processes and devices accessing, using, transmitting or storing PHI fully comply with the new HIPAA/HITECH standards. With the potential for $1.5 million in fines, not to mention serious damage to a provider’s reputation, these new rules must be taken seriously.

Note: This commentary is not intended to and should not be construed as legal advice and is provided only as a summary of key changes to HIPAA/HITECH.

Last Updated (Tuesday, 18 February 2014 09:14)