*Updated September 2013
The following summary provides an overview of the steps providers will need to take in each of these areas to meet the new requirements under the HIPAA Omnibus Rule.
Breach Notification Policies and Procedures
The HIPAA Omnibus Rule lowers the standard for breach notification. Under the previous rule, breaches were not required to be reported to the Department of Health and Human Services (“HHS”) unless they posed a “significant risk of reputational, financial or other harm” to individuals. The new standard presumes that a reportable breach has occurred unless the covered entity or business associate, through the use of a multi-factor risk assessment, determines that there is a low probability that the protected health information (“PHI”) has been compromised by the unauthorized use or disclosure.
To demonstrate that there is a low probability that a breach compromised PHI, a provider must perform a risk assessment that addresses the following minimum standards:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made, and whether the PHI was actually acquired or viewed;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
A provider must be able to quickly perform a risk assessment that will: (1) review a potential breach; (2) identify whether it is reportable and how to mitigate the harm; and (3) remediate the problem. Providers should revise their breach notification policies and procedures prior to September 23, 2013 to reflect this new breach analysis process.
Notice of Privacy Practices
As a result of the changes in the HIPAA Omnibus Rule, providers will be required to revise their Notice of Privacy Practices and post their NPP in a clear and prominent location. If the provider maintains a website, the NPP also must be posted there. NPPs now must include the following provisions:
- Authorizations: A statement that the following uses and disclosures will be made only with authorization from the individual:
- uses and disclosures for marketing purposes; and
- uses and disclosures that constitute the sale of PHI.
- Breach notification statement: A statement that the provider must notify an affected individual of a breach of unsecured PHI;
- Fundraising disclosures: A statement that the recipient of fundraising materials may opt out of future fundraising communications (if the provider conducts fundraising); and
- Restrict disclosure to health plans: A description of an individual’s right to restrict disclosures of protected health information to health plans if an individual has paid for services completely out of pocket.
The HIPAA Omnibus Rule also eliminates requirements to include information in NPPs concerning appointment reminders, treatment alternatives, and health-related benefits or services, but the rule does not require that such information be removed either.
Business Associate Agreements
The definition of the term “business associate” has been expanded to include: health information organizations, personal health vendors, subcontractors of the business associate, and individuals or entities that create, receive, maintain, or transmit PHI for a covered entity. It is significant that this definition now includes subcontractors of business associates and entities that maintain PHI. By adding this language, HHS clarified that you can have a “business associate of a business associate” and that business associates who use subcontractors for functions involving PHI will need to enter into business agreements with those subcontractors. Further, based on the addition of the word “maintain” to the definition, covered entities should require off-site records storage facilities or cloud storage providers, who maintain PHI, to sign business associate agreements.
The OCR has published a form business associate agreement on its website, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html, incorporating the new HIPAA Omnibus Rule. A sample business associate agreement is also attached to this memo. Providers should compare their existing templates to these new forms, or adopt one of the forms as their new agreement. Business associates should require applicable subcontractors to sign business associate agreements that track the new form and in addition to addressing the terms of the business associate agreement with the covered entity.
Liability for Business Associates
One of the important clarifications under the HIPAA Omnibus Rule relates to covered entities’ liability for the conduct of their business associates. Prior to the promulgation of the HIPAA Omnibus Rule, it was unclear whether covered entities could be held liable for their business associates’ HIPAA violations if the covered entity had an appropriate business associate agreement in place and took reasonable steps to address breaches. The HIPAA Omnibus Rule clarified that a covered entity can indeed be held liable for the acts or omissions of its business associates that are acting as the covered entity’s “agent,” as determined under the federal common law of agency. This agent liability also extends to a business associate for the actions or omissions of its subcontractors.
Whether an agency relationship exists under federal common is a fact specific inquiry. While there are many factors to consider, HHS has indicated that the essential factor in determining whether an agency relationship exists is the right or authority of a covered entity to control the business associate’s conduct in the course of performing a service on behalf of the covered entity. Ultimately, the more discretion and independence the business associate has in performing functions for the covered entity, the less likely it is that an agency relationship exists.
HIPAA Privacy Policies and Procedures
Providers must update privacy policies and procedures to address changes made by the HIPAA Omnibus Rule in the following areas:
Individual rights: If an individual requests a digital copy of certain electronic PHI or directs a provider in writing to transmit a copy to another person, the provider generally must produce the information in the format requested if readily producible within 30 days or negotiate an alternative format. Further, if an individual requests that a copy of his or her PHI be sent via unencrypted email, then a provider is permitted to do so, as long as the covered entity has advised the individual of the risks and the individual still prefers the unencrypted email.
Patient’s Right to Request Restrictions: A provider must comply with an individual’s request for restrictions on disclosures made to health plans for payment or health care operations purposes if the PHI pertains to an item or service for which the individual paid completely out-of-pocket.
Marketing: A provider must obtain written authorization to use and disclose PHI for marketing purposes, including most non-face-to-face communications when the provider receives payment to make the communication. If payment is involved, the marketing authorization must disclose the fact. However, a provider may inform a patient about a third party’s product or service without the patient’s written authorization when the provider receives no compensation for the communication; the communication is face-to-face; the communication involves a drug or biologic the patient is currently being prescribed and the payment is limited to reasonable reimbursement of the costs of the communication; and the communication involves general health promotion. A provider is also still permitted to give patients promotional gifts of nominal value (e.g., pamphlet).
Fundraising: A provider now may disclose more information to institutionally-related foundations for fundraising, but they must explain how the recipient may opt out of receiving future fundraising communications. If an individual opts-out, the provider must not make any further communications to the individual.
Research: If a provider engages in research, the provider should review the new standards applicable to research.
Sale of PHI: A provider must obtain authorization if the provider receives direct or indirect remuneration (including nonfinancial) in exchange for the disclosure of or access to PHI. The authorization must state the provider is receiving remuneration in exchange for the PHI. There are several exceptions that apply (e.g., public health activities, treatment, and payment).
Deceased Persons: A provider may make relevant disclosures to the deceased’s family and friends under essentially the same circumstances that such disclosures were permitted when the patient was alive; that is, when these individuals were involved in providing care or payment for care and the provider is unaware of any expressed preference to the contrary. The HIPAA Omnibus Rule also eliminates any HIPAA protection for PHI 50 years after a patient’s death.