The 2013 Omnibus HIPAA Rule: Privacy and Security May Create Financial Problems for the Healthcare Industry
The Business Advisor
January 28, 2013
The various health care statutory and regulatory reforms enacted or promulgated over the past two years have significant, potentially negative financial impacts on participants in the health industry. Below is a discussion of the recent enactment of the American Taxpayer Relief Act of 2012 (Pub. L. 112-240, H.R. 8, 126 Stat. 2313) (“Fiscal Cliff Act”) on January 2, 2013, and the long-awaited promulgation of the HIPAA Privacy, Security, Enforcement and Breach Notification: Final Omnibus Rule (“Omnibus HIPAA Rule”) by the U.S. Department of Health and Human Services (“HHS”) on January 17, 2013.
Fiscal Cliff Act
The Fiscal Cliff Act has the potential to negatively impact, in the two following ways, health care providers like hospitals and skilled nursing facilities that depend (as most do) on Medicare and/or Medicaid for revenues. First, the “doc fix” included in the Act avoided substantially reducing Medicare reimbursements for physicians, but only at the potential expense of hospitals and skilled nursing facilities. See Fiscal Cliff Act, § 601. Second, Congress increased the look-back for recovering Medicare and Medicaid overpayments from three to five years, thereby increasing providers’ overpayment liability exposure. See Fiscal Cliff Act, § 638.
Omnibus HIPAA Rule
The Omnibus HIPAA Rule revises the Breach Notification Rule (45 C.F.R. §§ 160.400 through 160.408) and amends the HIPAA Enforcement, Privacy and Security Rules to bring them into compliance with the Health Information Technology for Economic and Clinical Health Act (a/k/a “the HITECH Act”). Two provisions of the Omnibus HIPAA Rule have the potential to directly, and negatively, impact the financial health of participants in the health care industry. The revision of the definition of “breach” for purposes of the Breach Notification Rule will facilitate determinations that an entity has violated that rule, increasing the entity’s exposure to civil monetary penalties. The Omnibus HIPAA Rule’s implementation of the HITECH Act’s expansion of HIPAA to impose statutory and regulatory obligations directly on business associates (“Business Associates”) retained by health care providers, health plans, and health care clearinghouses (collectively, “Covered Entities”) to provide certain healthcare-related services potentially increases the cost to Business Associates of doing business.
A. The Breach Notification Rule
Under the prior interim Breach Notification Rule, Covered Entities enjoyed relatively broad discretion in determining whether the unauthorized acquisition, access, use, or disclosure of protected health information (PHI) constituted a “breach.” That discretion was widely criticized. In response, the Omnibus HIPAA Rule creates the presumption that any unauthorized acquisition, access, use, or disclosure of PHI constitutes a breach for purposes of the Breach Notification Rule.
The presumption imposes the burden on the Covered Entity (or the Business Associate of the Covered Entity) to demonstrate that there is a low probability that PHI was compromised by unauthorized access, use, disclosure, or acquisition. In meeting that burden, the Covered Entity or Business Associate must consider: (i) the nature and extent of the PHI involved; (ii) the identity of the person who used the PHI or to whom it was disclosed; (iii) whether the PHI was actually acquired or used; and (iv) the extent to which the risk to the PHI has been mitigated. 45 C.F.R. § 164.402.
The presumption contained in the Omnibus HIPAA Rule facilitates determinations by HHS that an unauthorized acquisition, access, use, or disclosure of PHI triggered the notification requirements of the Breach Notification Rule. Complying with those provisions can be expensive, as HHS pointed out in its initial guidance on the Breach Notification Rule. See 74 Fed. Reg. 42740 (Aug. 24, 2009). Nevertheless, noncompliance is even more costly. See, e.g., 45 C.F.R. § 160.404(b) (authorizing civil monetary penalties of up to $1,500,000 for violations of the Breach Notification Rule). In sum, Covered Entities, their Business Associates, and their Business Associates’ subcontractors should familiarize themselves with the Breach Notification Rule and should endeavor to avoid breaches of PHI in the first place.
B. Business Associates and their Subcontractors
With the promulgation of the Omnibus HIPAA Rule, there can be no question that Business Associates and their subcontractors who create, receive, maintain, or transmit PHI on behalf of the Business Associate are now directly subject to HIPAA (as, in fact, they have been since the October 30, 2009, effective date of the interim final rule extending the application of HIPAA). See, e.g., 45 C.F.R. §§ 160.102(b), 164.105(b) (generally subjecting Business Associates to HIPAA). Business Associates and their subcontractors are expressly and directly subject to the HIPAA Enforcement Rule (45 C.F.R. § 160.300, et seq.), including the obligation to provide HHS with compliance reports and cooperate with HHS’ investigations of potential HIPAA violations (45 C.F.R. § 160.310). They must comply with the HIPAA Security Rule (45 C.F.R. §§ 164.300, et seq.) and put in place the administrative, physical, and technical safeguards for the protection of PHI for which the rule provides. Business Associates and their subcontractors must also comply with those provisions of the HIPAA Privacy Rule governing the use and disclosure of PHI (45 C.F.R. §§ 164.500(c), 164.502).
Of most relevance to their financial and economic interests, however, Business Associates and their subcontractors are subject to civil monetary penalties for their violations of HIPAA or the HIPAA Privacy and Security and Breach Notification Rules in the same way Covered Entities are. Business Associates and their contractors now have significant statutory and regulatory obligations under the HIPAA Privacy and Security Rules and are potentially subject to substantial penalties for failing to meet those obligations. The cost of compliance, or, more importantly, of noncompliance, adds additional financial pressure to the already financially stressed health care industry.
For financial and economic reasons, Covered Entities, their Business Associates, and Business Associates’ subcontractors cannot ignore the civil monetary penalties available under HIPAA and the HIPAA Enforcement Rule. It is no secret that HHS has been charged with the aggressive enforcement of health-related laws, including HIPAA, to assist in the funding of health care reform. Indeed, since the issuance of a prior interim rule on October 30, 2009, the HIPAA Enforcement Rule actually requires HHS to investigate complaints (45 C.F.R. § 160.306(c)(1)) and to conduct compliance reviews (45 C.F.R. § 160.308(a)) where a preliminary review of the facts indicates a possible HIPAA violation due to willful neglect.
After years of HIPAA functioning as a “toothless tiger,” the HHS Office for Civil Rights is now aggressively enforcing HIPAA. The $4.3 million fine imposed on Cignet Health is an example of HHS’s new approach to HIPAA. Moreover, HHS is not merely focusing on egregious cases. In December 2012, HHS assessed its first penalty, against Hospice of North Idaho, for a data breach involving fewer than 500 patients. It behooves Covered Entities and their Business Associates to understand and comply with the Omnibus HIPAA Rule.
C. Effective Date
The Omnibus HIPAA Rule generally becomes effective on March 26, 2013. Covered Entities and their Business Associates must be in compliance with most provisions of the Omnibus HIPAA Rule by September 23, 2013. Compliance with the Breach Notification Rule as finalized by the Omnibus HIPAA Rule is required by September 23, 2013.
If you have any questions concerning the amendments to HIPAA, please contact David N. Crapo at email@example.com or (973) 596-4523.