The Omnibus HIPAA Rulemaking: HIPAA's New Normal
The Federal Office of Civil Rights (OCR) has issued the revised HIPAA Security, Privacy, Enforcement, and Data Breach rules. The so-called "Omnibus Rule" extends HIPAA's reach and demands. Most changes require compliance by September 23, 2013. Business Associate Agreements and Notices of Privacy Practices must be rewritten; new notices must be provided by September, while new agreements will be necessary at different times depending on their term and renewal. A new data breach standard presumes the security of protected health information (PHI) is compromised, even if kept within an organization, if the PHI is misused. OCR enforcement will become more aggressive and the use of civil monetary penalties more frequent.
Business Associates and Subcontractors
Since February 2010, business associates of covered entities have been directly subject to HIPAA's Security Rule and much of the Privacy Rule. The new rules also apply HIPAA directly to the subcontractors of business associates who render services using PHI. Indeed, the subcontractor's subcontractors receiving PHI are subject to HIPAA too, and so forth on down the line. All must be connected by a chain of business associate agreements, each as stringent as the last. And if a business associate or subcontractor is legally an "agent" - meaning subject to another's right of control – then the agent's principal may be sanctioned for the agent's violations of HIPAA and charged with the agent's knowledge.
The impermissible use, acquisition, access, or disclosure of unencrypted PHI, even within an organization, now gives rise to a presumption that a data breach has occurred. That presumption may be overcome only by demonstrating a low probability that the PHI has been "compromised." This demonstration requires a documented "risk assessment" using prescribed factors. Unless notice is provided, failure to perform such an assessment is a HIPAA violation in itself, as much so as an impermissible disclosure of PHI.
Enforcement and Sanctions
The changes to OCR's enforcement standards and procedures are as important as the changes to HIPAA's substantive rules. OCR now must investigate any matter in which there is a possibility of a violation is due to "willful neglect" of compliance obligations. Moreover, in such cases, OCR may proceed directly to formal enforcement action and sanctions without first attempting an informal resolution, an attempt previously required. The minimum penalty for a violation due to willful neglect is $10,000 per violation. If such violation is not corrected within 30 days of discovery, then the minimum penalty is $50,000. A violation impacting multiple persons constitutes multiple violations, and a continuing violation of a HIPAA standard represents a violation of the standard each day. Total penalties for violations of each HIPAA standard are capped at $1.5M per year; however, a typical data breach or compliance failure will involve the violation of multiple standards.
All told, the new normal feels decidedly abnormal. But the reality is that HIPAA covered entities, their business associates and the subcontractors of business associates, have a host of new liability exposures and compliance obligations to contend with. Review and revision of HIPAA compliance programs is mandatory, and serious consideration should be given to insuring against these new risks.
For further information or questions regarding the HIPAA Security, Privacy, Enforcement, and Data Breach rules, please contact the Schwabe attorney with whom you work or Kelly Hagan at 503-796-2423 or firstname.lastname@example.org.