Sunday, July 7, 2013
HIPAA OMNIBUS FINAL RULE: HIGHLIGHTS FOR HEALTH PLANS
In January, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) released its final omnibus rule (“Final Rule”), which modifies certain aspects of the privacy rule (“Privacy Rule”), security rule (“Security Rule”), enforcement and breach notification obligations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including implementation of many provisions of the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”). Covered entities and business associates generally are required to comply with the applicable requirements of the Final Rule by September 23, 2013. This newsletter describes modifications made by the Final Rule, including: changes affecting business associates and their subcontractors (as well as business associate agreements); security breaches; Notices of Privacy Practices (“NPPs”); individual right to access electronic protected health information (“PHI”); use of genetic information; and increased enforcement.
Business Associates and Subcontractors
One major change in the Final Rule is the treatment of third parties that perform functions that require access to PHI, known as “business associates.” First, the definition of “business associate” has been broadened to include “subcontractors,” which are defined under the Final Rule as "a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate" that involves creating, receiving, maintaining, or transmitting PHI. Importantly, this new treatment of subcontractors as business associates means that business associates must enter into agreements with subcontractors, which provide that the subcontractor is subject to the same HIPAA requirements for access and use of PHI as the business associate.
A second important change regarding business associates is that the Final Rule makes some of the obligations of the HIPAA Privacy Rule and all of the obligations of the Security Rule directly applicable to business associates and subcontractors. Predictably, this places an enhanced responsibility on business associates and increases their potential liability. As discussed below, in addition to liability for its own actions, business associates may be held liable under the federal common law of agency for the acts and omissions of their subcontractors.
A third change related to business associates actually is more concerning for covered entities: the Final Rule enhances the responsibility of covered entities who rely on business associates. The Final Rule removes a special rule that had shielded a covered entity from liability for civil penalties for violations by its business associate if the covered entity had a compliant business associate contract in place, did not know of a pattern or practice of violations by the business associate, and, upon discovery of a pattern or practice of violations of the business associate, took reasonable steps to cure or end the violation. Now, if a covered entity knows of a pattern of activity or practice of a downstream contractor that constitutes a material breach or violation of the downstream contract, under the Final Rule the covered entity must take steps to cure the breach or end the violation. If those steps are not successful, the covered entity must terminate the contract. And while a covered entity is not required to monitor the activity of its downstream contractors, it will be liable under the federal common law of agency for violations committed by its agents (including a workforce member) acting within the scope of the agent's authority. The previous exception to such liability now has been eliminated where sufficient control is present to create an agency relationship. The preamble of the Final Rule does provide a number of examples of situations where these agency principles will not apply; however, this is a fact-specific analysis.
The combination of these rule changes presents a stark shift in the treatment of all entities handling PHI, whether it is a covered entity engaging a business associate, or a business associate delegating work to a subcontractor, and this represents a significant expansion of the enforcement authority of HHS. Covered entities and business associates should give careful consideration to decisions regarding the delegation of responsibility for tasks involving PHI and must focus on how certain tasks will affect their exposure to liability. As noted above, covered entities, business associates and subcontractors, as applicable, will be required to come into full compliance with this piece of the Final Rule by September 23, 2013. One important caveat: the Final Rule provides that business associate agreements that were effective prior to January 25, 2013 need not be amended or restated to meet the requirements under the Final Rule until September 22, 2014 (unless they are amended or renewed within one year before that date).
Security Breach
Under the Final Rule, a breach is now defined as the “acquisition, access, use or disclosure” of PHI in a manner not permitted under the privacy rule, which “compromises the security or privacy” of the PHI. Under prior guidance, a “significant risk of harm” standard was applied, which generally meant that if a covered entity determined that a significant risk of harm had not occurred, a security breach was not deemed to have transpired. However, under the Final Rule’s new definition of breach, an impermissible use or disclosure of unsecured PHI is “presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.”[1] This is a dramatic shift, creating a presumption that a security breach has occurred until shown otherwise.
The Final Rule also modifies the factors that covered entities and business associates must consider when performing a risk assessment with respect to a potential breach. These factors include: (1) the nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification); (2) the unauthorized person(s) who used or received the PHI; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated.
If a security breach is deemed to have occurred, the covered entity should notify the affected individuals. If the breach involves more than 500 individuals, the covered entity must notify HHS concurrently with the affected individuals; and for breaches of fewer than 500 individuals, the covered entity should keep a log of such information to file annually with HHS. If the breach involves more than 500 individuals in a particular state, the covered entity should also inform the local media. Required notification must be provided to the individual without unreasonable delay and in no case later than 60 calendar days after the date the breach was discovered by the covered entity. If a business associate discovers a security breach, it must notify the covered entity within 60 days of discovery, and the covered entity should notify the affected individuals within an additional 60-day period. If, however, the business associate is deemed an “agent” of the covered entity, then the business associate's discovery of the breach is imputed to the covered entity and the two 60-day periods are collapsed into one 60-day period beginning on the date the business associate discovered the breach. Ultimately, responsibility for risk assessment, breach determination and notification of individuals rests with the covered entity.
Notices of Privacy Practices
The Final Rule requires covered entities to modify certain elements of their NPPs and redistribute those revised forms to each individual who is the subject of PHI. The notice must describe (1) the uses and disclosures of PHI that may be made by the covered entity; (2) the individual's rights; and (3) the covered entity's legal duties with respect to the PHI. The revisions to the rules governing NPPs specify the following: (1) the sale of PHI and the use of such information for paid marketing require authorization from the patient; (2) other uses and disclosures not described in the NPP will be made only with authorization; (3) individuals have the right to opt-out of fundraising communications; and (4) covered entities must notify affected individuals of breaches of their PHI.
The preamble to the Final Rule states that the changes to the required content of the notice of privacy practices are material, triggering a redistribution requirement. Health plans that post their NPPs on a website must post material changes by the effective date of the change, and must also provide information about such change in their next mailing to covered individuals. Health plans that do not post their NPPs on a website must provide information about any material change to their NPP to covered individuals within 60 days of the material revision to the NPP. Health care providers are not required to mail NPPs; however, the preamble to the Final Rule provides guidance as to how health care providers should distribute and display NPPs (e.g., post a summary of the NPP “in a clear and prominent location at the delivery site” if the full NPP is “immediately available” to patients).
Individual Right to Access Electronic PHI
Under existing law, patients have a right to access their PHI that is in a designated record set, which includes “the enrollment, payment, claims adjudication, and case or medical management records,” and any other records used “to make decisions about individuals.” A health plan must allow access to the patient within 30 days of the patient’s request (with a permissible 30-day extension when information is stored offsite). However, the Final Rule expands a patient’s right to receive copies of his or her PHI by requiring that (as of September 23, 2013), if the information is stored electronically, the individual has the right to request and receive such PHI in electronic form. If an individual requests PHI in a specific form or format, such as Word or HTML, and the information is “readily producible,” the health plan must provide information in the requested form as links or attachments. If the PHI is not “readily producible,”[2] it must be provided in another readable electronic form. The patient may be charged the reasonable cost of labor and supplies to produce the PHI in electronic form, and a patient is allowed to designate in writing that another individual (e.g., a family member) is to receive the PHI.
Genetic Information Nondiscrimination Act
The definition of health information has been clarified in the Final Rule to include genetic information. The Final Rule modifies the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (“GINA”) to restrict health plans from using or disclosing genetic information (including family history information) for underwriting purposes. This restricts offering any reward or benefit for providing genetic information. Except for long-term care insurers, all group health plans (including dental, vision and supplemental coverages) which are covered by the Privacy Rule are subject to this requirement.
Increased Enforcement
In addition to the new rules discussed herein, it is also important to note the increased enforcement and liability for violations. The Final Rule adopts the HITECH Act's tiered system of penalties for violations based on the degree of knowledge that the covered entity or business associate had or should have had regarding the violation. Penalty amounts for each violation range between $100 and $50,000, with a maximum penalty for a given year of $1,500,000 for multiple violations of the same requirement or prohibition. The Final Rule provides a list of factors that HHS will consider when determining culpability for purposes of levying penalties, including: (1) the nature and extent of the violation, as well as the number of affected individuals; (2) the nature and extent of the harm caused; (3) the history of prior compliance with HIPAA; (4) the financial condition of the covered entity or business associate; and (5) such other matters as justice may require.
Conclusion
In light of the many sweeping changes in rules and enforcement found in the Final Rule, covered entities and business associates must consider the actions they will take to comply with this new guidance. Specifically, covered entities should consider the following actions: (1) review current business associate agreements, especially considering the changing scope of liability, and consider how they will approach future business associate agreements; (2) review policies and procedures, particularly regarding breach notification; (3) update Notices of Privacy Practices; (4) review policies concerning participant requests to access electronic PHI; and (5) review policies concerning the use or disclosure of genetic information for underwriting purposes. Moreover, because business associates are brought under the ambit of the Final Rule, they, too, should draft appropriate business associate agreements for purposes of their contractual relationships with subcontractors, and they should also review (and/or further develop) their own policies and procedures, considering the enhanced liability that is placed upon them under the Final Rule.
[1] Federal Register, Volume 78, No. 17, Page 5641, January 25, 2013.
[2] Federal Register, Volume 78, No. 17, Page 5631, January 25, 2013.