FEBRUARY 7, 2013 PRIVACY AND HEALTHCARE UPDATE The Omnibus HIPAA Rule: A New Era of Federal Privacy Regulation On January 17, 2013, the Office for Civil Rights ( OCR ), U.S. Department of Health and Human Services ( HHS ), released a highly anticipated final rule (the Final Omnibus Rule or Final Rule ) which makes sweeping changes to the privacy, security and enforcement regulations promulgated under the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act ( HIPAA ). The Final Rule is actually comprised of four rules: 1. Final modifications to the HIPAA Privacy, Security, and Enforcement Rules as mandated by the Health Information Technology for Economic and Clinical Health Act, P.L. 411-05 ( HITECH ) as well as certain other modifications to improve the rules; 2. Final modifications to the HIPAA Enforcement Rule, originally published on October 30, 2009 as an interim final rule, to incorporate increased and tiered monetary penalties pursuant to HITECH, among other changes; 3. Final rule on Breach Notification for Unsecured Protected Health Information ( PHI ) under HITECH, which supplants an interim final rule published on August 24, 2009; and 4. Final rule implementing certain provisions of the Genetic Information Nondiscrimination Act of 2008 ( GINA ) by revising the HIPAA Privacy Rule to provide for increased privacy protections for genetic information. With the Final Rule, OCR seeks to increase protections of PHI, improve workability and flexibility, decrease compliance burdens, and better harmonize privacy requirements with other HHS regulations, such as the Food and Drug Administration s regulations on research involving human subjects. Some of the more significant provisions of the Final Rule are summarized below. Effective and Compliance Dates The Final Rule takes effect on March 26, 2013. In general, covered entities and their business associates have 180 days beyond the effective date until September 23, 2013 to comply with the provisions of the Final Rule. The provisions of the Enforcement Rule, however, are effective and apply on March 26 except as otherwise specified in the Enforcement Rule. Additionally, there are transition provisions allowing covered entities and their business associates up to one year beyond the compliance date of the Final Rule to amend existing contracts if certain conditions that are discussed below are met. Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.
Page 2 Business Associate Definition The Final Omnibus Rule broadens the definition of business associate to include several entities, including: Health Information Organizations, E-prescribing Gateways, or another person that provides data transmission services with respect to PHI to a covered entity and that requires routine access to such PHI; A person who offers a personal health record to one or more individuals on behalf of a covered entity; Patient Safety Organizations which are entities that undertake patient safety activities on behalf of a covered entity; and Subcontractors of business associates that create, receive, maintain or transmit PHI on behalf of a business associate, regardless of how far down the chain the entity is from the primary business associate. While acknowledging that there is an exception to the definition of business associate for data conduits, which are entities that provide mere data transmission services and have only random or infrequent access to electronic PHI ( ephi ), OCR emphasizes that the conduit exception is narrow. OCR makes clear that entities that store or maintain ephi for covered entities qualify as business associates because they have persistent access to PHI, even if they do not actually view the information or do so only on a random or infrequent basis. This suggests that cloud providers that store or maintain ephi on behalf of covered entities qualify as business associates. Other Business Associate Provisions The Final Omnibus Rule implements HITECH s provisions extending direct liability for compliance with the Security Rule to business associates. Accordingly, the Final Rule makes 164.308, 164.310, 164.312, 164.314, and 164.316 of the Security Rule applicable to business associates in the same manner as these requirements apply to covered entities. OCR clarifies that HITECH does not require business associates to comply with all requirements under HIPAA. Under the Final Rule, a business associate is required to abide by the following requirements and is directly liable under HIPAA for lack of compliance: Uses and disclosures of PHI that are not in accord with its business associate agreement or the Privacy Rule; Failing to disclose PHI when required by the HHS Secretary to enable the Secretary to investigate and determine the business associate s compliance with the HIPAA Rules; Failing to disclose PHI to the covered entity, individual, or individual s designee (whichever is specified in the business associate agreement ( BAA )), as necessary to satisfy a covered entity s obligations with respect to an individual s request for an electronic copy of PHI; Failing to provide breach notification to the covered entity; Failing to provide an accounting of disclosures; Failing to comply with the requirements of the Security Rule; Failing to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request; and Failing to enter into BAAs with subcontractors that create or receive PHI on their behalf. In contrast, business associates are not required to comply with provisions such as providing Notice of Privacy Practices ( NPPs ), designating a privacy official, or amending PHI in accordance with 45 C.F.R. 164.526.
Page 3 The Final Rule clarifies that covered entities are not required to obtain satisfactory assurances from business associates that are subcontractors. Rather, a business associate is required to obtain such assurances from a subcontractor. Direct liability under the HIPAA Rules attach regardless of whether the business associate and subcontractors have entered into the required business associate agreements. Required Amendments and Transition Provisions One of the more burdensome provisions of the Final Omnibus Rule is the requirement to amend business associate agreements to contain additional provisions, including provisions that require the business associate to: Comply with applicable provisions of the Security Rule; Ensure that any subcontractor that creates, receives, maintains, or transmits ephi on behalf of the business associate agrees to comply with applicable requirements of the Security Rule by entering into a contract or other arrangement that complies with the business associate provisions; Ensure that any subcontractor that creates, receives, maintains or transmits PHI on behalf of the business associate agrees to the same restrictions and conditions that apply to the business associate with respect to such information; Report to the covered entity breaches of unsecured PHI as required by the breach notification rules; and To the extent the business associate carries out a covered entity's obligation under the Privacy Rule, comply with the requirements of the Rule that apply to the covered entity in the performance of such obligation. The Final Rule adopts transition provisions that allow covered entities, business associates, and business associate subcontractors to continue to operate under existing contracts for up to one year beyond the compliance date of the revisions to the HIPAA Rules (i.e., September 22, 2014). The additional transition period is available to a covered entity or business associate if, prior to January 25, 2013, the covered entity or business associate had an existing contract or other written arrangement with a business associate or subcontractor, respectively, that complies with the prior provisions of the HIPAA Rules and such contract or arrangement is not renewed or modified from March 26, 2013 until September 23, 2013. Marketing OCR significantly revises its prior proposals related to the definition of marketing. Overall, the Final Omnibus Rule greatly expands the types of product- and service-related communications to patients or enrollees that will require individual authorization by requiring individual authorization for all treatment and healthcare operations communications where the covered entity receives payment in exchange for the communication from or on behalf of a third party whose product or service is being described. OCR finalizes its proposal to allow, without individual authorization, refill reminders or other communications about a drug or biologic that is currently being prescribed to the individual, provided that any financial remuneration received by the covered entity is reasonably related to the covered entity s cost of making the communication. OCR clarifies that it considers communications about the generic equivalent of a drug being prescribed to an individual as well as adherence communications encouraging individuals to take their prescribed medication as directed to fall within the scope of this exception. Additionally, OCR states that where an individual is prescribed a self-administered drug or biologic, communications regarding all aspects of a drug delivery system, including for example, an insulin pump, fall under this exception. In response to comments questioning what types of costs fall within this reasonably related standard, OCR provides that a covered entity may only receive remuneration to cover the costs of labor, supplies, and postage to make the
Page 4 communication. Where the financial remuneration would generate a profit for the covered entity or include payment for other costs, however, individual authorization is required. OCR emphasizes that the financial remuneration a covered entity receives from a third party must be for the purpose of making a communication and that such communication must encourage individuals to purchase or use the third party s product or service to trigger the prohibition. If the financial remuneration received by the covered entity is for any purpose other than for making the communication, then the marketing provision does not apply. As an example, OCR describes a situation where a third party provides financial remuneration to a covered entity to implement a program, such as a disease management program. In such a situation, the covered entity could provide individuals with communications about the program without obtaining individual authorization as long as the communications are about the covered entity s program itself. The scope of this guidance is unclear and it remains to be seen whether it would permit communications related to products or services that would otherwise be prohibited as long as the products or services are offered in connection with the program described by the communication. OCR also clarifies that no authorization is required where a covered entity receives financial remuneration from a third party to make a treatment or healthcare operations communication (or other marketing communication), if the communication is made face-to-face by a covered entity to an individual or consists of a promotional gift of nominal value provided by the covered entity. Research In a big win for researchers and sponsors of research, the Final Omnibus Rule eases restrictions under the Privacy Rule on the use of compound authorizations. As a general matter, the Privacy Rule prohibits covered entities from conditioning treatment, payment, enrollment in a health plan, or eligibility for benefits, on an individual s agreeing to sign a HIPAA authorization for a use or disclosure of PHI not otherwise permitted or required by the Privacy Rule. This limitation was developed to ensure that authorization from an individual for a use or disclosure of PHI is voluntarily provided. An exception to this rule exists for the provision of research-related treatment in a clinical trial, which may be conditioned on the individual s signing an authorization to allow the covered entity to use and disclose PHI for the research. Nonetheless, the Privacy Rule also prohibits combining an authorization that conditions treatment, payment, enrollment in a health plan, or eligibility for benefits (i.e., a conditioned authorization) with an authorization for another purpose for which treatment, payment, enrollment, or eligibility may not be conditioned (i.e., an unconditioned authorization). Thus, prior to the Final Rule, a covered entity could not, for example, combine an authorization to use and disclose PHI for research in connection with a clinical trial, which is a conditioned authorization, with an authorization to create a central research repository or tissue bank for future research, which is an unconditioned authorization. In that case, the Privacy Rule required that separate authorizations had to be secured from an individual. Recognizing that separate authorizations could be confusing for individuals, the Final Omnibus Rule allows compound authorizations for research that includes both conditioned and unconditioned activities. Such authorization must clearly distinguish the conditioned and unconditioned activities, must have an opt-in option for the unconditioned research activity (such as tissue banking), and must not relate to psychotherapy notes, the disclosure of which is subject to stricter rules. Additionally, OCR reverses its prior interpretation that authorizations must be study specific, an interpretation that interfered with secondary research and corollary research activities, such as the creation of a research database or repository where information and specimens obtained from a research participant during the trial are transferred and maintained for future research. The Final Rule allows authorization for future research if the authorization includes sufficient clarity such that a reasonable individual would expect his or her PHI to be used or disclosed for future research.
Page 5 These changes are intended to simplify research authorizations, minimize patient confusion, and align HIPAA regulations with practices permitted under the Common Rule, while maintaining protections for the use or disclosure of PHI. Sale of PHI The Final Omnibus Rule adopts HITECH s prohibition against the sale of PHI. Because these provisions are so broad in scope, it will be critical for covered entities and their business associates to satisfy an exception in order for many disclosures of PHI that are commonplace today not to run afoul of HIPAA. If an exception cannot be met, individual authorizations will have to be secured which can be burdensome to obtain. Under the Final Rule, the sale of PHI requires individual authorization that states that the covered entity will receive such remuneration. The phrase sale of PHI means the disclosure of PHI by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the PHI. Unlike the marketing provisions, remuneration is not limited to financial payment and includes receipt of nonfinancial benefits. Sale of PHI does not include disclosures: For public health activities permitted under applicable provisions of the Privacy Rule; For research to the extent that the only remuneration received by the covered entity or business associate is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI for such purposes; For treatment and payment in accordance with applicable provisions of the Privacy Rule; To or by business associates where the remuneration is paid by a covered entity to a business associate for activities performed on behalf of a covered entity; To the individual to provide the individual with access to protected health information or an accounting of disclosures, where the fees charged for doing so are in accord with the Privacy Rule; For the transfer, merger, or consolidation of all or part of a covered entity with another covered entity, or an entity that following such activity will become a covered entity, and related due diligence; Required by law; and For any other purpose permitted by and in accordance with the Privacy Rule where the covered entity receives only a cost-based fee to cover the cost to prepare and transmit the PHI or a fee otherwise expressly permitted by other law. With respect to disclosures for research purposes, OCR clarifies that it does not consider the provisions of the sale of PHI to encompass payments a covered entity may receive in the form of grants, contracts, or other arrangements to perform programs or activities, such as a research study, because any provision of PHI to the entity making payment is a byproduct of the service being provided. It also clarifies that a reasonable, cost-based fee may include the direct and indirect costs to prepare and transmit the data, including labor, materials, and supplies, but not a profit margin. Compliance with these provisions is required by September 23, 2013, except where transition provisions apply, which allow covered entities to continue to rely on existing authorizations or other legal forms of permission as well as to rely on existing data use agreements if certain conditions are met. PHI About Decedents The Final Omnibus Rule requires compliance with the Privacy Rule for the PHI of decedents for 50 years following the date of death. After 50 years from the date of death, individually identifiable health information of a decedent would no longer qualify as PHI under the Privacy Rule. In OCR s view, this provision strikes the right balance between
Page 6 protecting the privacy of relatives and others connected to a decedent and the difficulty of obtaining authorizations from relatives or other representatives to conduct activities such as research that are valuable from a public policy perspective. Additionally, the Final Rule allows disclosure of PHI of a decedent to family members and others who, prior to the person s death, were involved in the care or payment for care provided to the person, unless doing so is inconsistent with any prior expressed preference of the decedent that is known to the covered entity. Disclosure of Student Immunizations to Schools In order to facilitate the sharing of immunization records with schools, if certain conditions are met, the Final Omnibus Rule permits a covered entity to disclose proof of immunization to a school where state or other law requires the school to have such information prior to admitting the student. While written authorization will no longer be required to permit this disclosure, covered entities will still be required to obtain agreement, which may be oral, from a parent, guardian, or other person acting in loco parentis for the individual, or from the individual himself or herself, if the individual is an adult or emancipated minor. The Final Rule also requires that covered entities document the agreement obtained under this provision. Fundraising The Final Omnibus Rule permits a covered entity to use, or disclose to a business associate or to an institutionally related foundation, certain PHI for the purpose of fundraising, without individual authorization if certain conditions are met. Specifically, with each fundraising communication made to an individual, a covered entity must provide the individual with a clear and conspicuous opportunity to elect not to receive any further fundraising communications (i.e., an opt-out). Furthermore, the method for an individual to elect not to receive further fundraising communications may not cause the individual to incur an undue burden or more than a nominal cost. The Final Rule allows for the use or disclosure of demographic information (defined as name, address, other contact information, age, gender, and date of birth), dates of service to an individual, department of service information, treating physician information, outcome information, and health insurance status. The Final Rule prohibits the conditioning of treatment or payment on the individual s fundraising communication choice, and requires the covered entity s NPP to state that the entity may contact the individual to raise funds and that the individual has a right to opt out of receiving such communications. Breach Notification Besides the changes to the marketing provisions, the modifications that are arguably the most significant and difficult to interpret are the changes OCR makes to the breach notification requirements. Among other things, OCR abandons the significant risk of harm [to an individual] standard in favor of what it describes as a more objective test to evaluate whether a breach of unsecured PHI is reportable under the law. Under the new provisions, an impermissible use or disclosure of protected health information is presumed to be a reportable breach unless the covered entity or business associate, as applicable, demonstrates through a documented risk assessment that there is a low probability that PHI has been compromised. According to OCR, some persons may have interpreted the risk of harm standard in the interim final rule as setting a much higher threshold for breach notification than we intended to set. Suggesting that the original standard did not set a high bar in spite of the plain meaning of the phrase significant risk, OCR characterizes the new standard as a clarification as opposed to what appears to be a reversal of its prior position.
Page 7 The Final Rule articulates four factors that a risk assessment must consider: 1. The nature and extent of the PHI (e.g., sensitivity of data, likelihood of re-identification); 2. The unauthorized person by whom/to whom the PHI was used/disclosed; 3. Whether the PHI was actually acquired or viewed; and 4. Mitigation efforts. Apparently, potential harm to the individual whose data is compromised is still relevant under the new breach notification standard in relation to the first factor (i.e., consideration of the nature of the PHI). As OCR explains, [c]onsidering the type of protected health information involved in the impermissible use or disclosure will help entities determine the probability that the protected health information could be used by an unauthorized recipient in a manner adverse to the individual Notably, OCR indicates that a risk assessment must be conducted even in the case of impermissible uses (i.e., use within a covered entity or business associate that does not comply with the minimum necessary standard) and not simply for impermissible disclosures to third parties. It notes, however, that an impermissible use that occurs within an entity may result in a low probability that PHI has been compromised and thus not trigger a reporting obligation. The Final Rule also eliminates the former exception for breaches involving Limited Data Sets ( LDS ) that do not contain any dates of birth or zip codes and requires a risk assessment when any LDS is impermissibly used or disclosed to determine if a reportable breach has occurred. Like the current interim final rule on breach notification, which applies until compliance is required with the Final Rule on September 23, 2013, the Final Rule does not preempt most state breach reporting laws. Although the HIPAA Rules generally preempt conflicting state laws, there is no conflict if a covered entity or business associate is able to comply with both federal and state law. As a result and because there is no preemption of stricter state laws, covered entities and business associates will continue to face the difficulty of potentially having to comply with a disparate collection of breach reporting laws in the case of data breaches impacting individuals residing in numerous states. In light of the breadth and burdens of the Final Rule s provisions on breach notification, it is imperative that covered entities and business associates consider the safe harbor under HIPAA for encryption. In fact, encrypting data in accordance with the HIPAA safe harbor is arguably one of the smartest risk mitigation strategies an entity subject to HIPAA could employ. Right to Request a Restriction The Final Omnibus Rule requires covered entities to agree to an individual s request to restrict disclosure of PHI to a health plan: If the disclosure is for purposes of payment or healthcare operations and is not otherwise required by law; and The PHI pertains solely to a healthcare item or service for which the individual, or person on behalf of the individual other than the health plan, has paid the covered entity in full. Notwithstanding this requirement, covered entities may still make disclosures of PHI that are otherwise required by law. OCR clarifies that these provisions do not require that covered healthcare providers create separate medical records or otherwise segregate protected health information subject to a restricted healthcare item or service. Nevertheless, they will need to employ some method to flag or make a notation in the record with respect to the PHI that has been restricted to ensure that such information is not inadvertently sent to or made accessible to a health plan for payment or healthcare operations purposes, such as audits by the health plan.
Page 8 Notice of Privacy Practices Rejecting comments to its proposed rule that certain revisions to NPPs are unnecessary, OCR adopts provisions in the Final Rule that require covered entities to modify their NPPs by adding statements which indicate that: Authorization is required for most uses and disclosures of psychotherapy notes (where applicable), PHI for marketing purposes, and the sale of PHI; Individuals will be notified following a breach of unsecured PHI; and To the extent the covered entity uses PHI for fundraising, the covered entity may contact the individual to raise funds and the individual has a right to opt out of receiving such communications. The Final Rule also adopts the proposal that the NPP inform individuals of their new right to restrict certain disclosures of PHI to a health plan where the individual pays out of pocket in full for the healthcare item or service. Only healthcare providers are required to include such a statement in their NPPs. Additionally, if a covered entity is a health plan, excluding certain issuers of long-term care policies, and intends to use or disclose PHI for underwriting purposes, the NPP must include a statement that the covered entity is prohibited from using or disclosing PHI that is genetic information of an individual for such purposes. Because, according to OCR, the changes mandated by the Final Rule are material, the Final Rule requires that a covered health plan that currently posts its NPP on its website must: (1) prominently post the material change or its revised notice on its website by the effective date of the material change to the notice (e.g., the compliance date of the Final Rule) and (2) provide the revised notice, or information about the material change and how to obtain the revised notice, in its next annual mailing to individuals then covered by the plan, such as at the beginning of the plan year or during the open enrollment period. Health plans that do not have customer service websites are required to provide the revised NPP, or information about the material change and how to obtain the revised notice, to individuals covered by the plan within 60 days of the material revision to the notice. Covered healthcare providers with a direct treatment relationship must make the notice available upon request on or after the effective date of the NPP revision and promptly comply with the requirements of the rule related to provision of notice at physical service delivery sites, if any. Access to ephi Section 13405(e) of HITECH strengthens the Privacy Rule s right of access with respect to covered entities that use or maintain an electronic health record ( EHR ) on an individual. OCR finalizes its proposal to expand individuals access rights to receive electronic copies of their PHI that is maintained electronically in one or more designated record sets, regardless of whether the designated record set qualifies as an EHR. OCR clarifies that the covered entity must provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual. In such cases, OCR clarifies that it expects covered entities, if possible, to provide a machine readable copy (e.g., MS Word or Excel, text, HTML, or text-based PDF, among other formats). If an individual s request for access directs the covered entity to transmit the copy of PHI directly to another person designated by the individual, the covered entity must provide the copy to the person designated by the individual. The individual s request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of PHI.
Page 9 Significantly, OCR acknowledges that some legacy or other systems may not be capable of providing any form of electronic copy at present and [we] anticipate that some covered entities may need to make some investment in order to meet the basic requirement to provide some form of electronic copy. Hybrid Entities Many covered entities perform both covered (e.g., academic medical facility) and non-covered (e.g., university) functions as part of their business operations. Even though the entity may perform non-covered functions, the Privacy Rule applies to the entity as a whole to the extent it is a single legal entity. However, the hybrid entity provisions of the Privacy Rule permit the entity to limit the application of the Rules to the entity s components that perform functions that would make the component a covered entity if the component were a separate legal entity. This way, the provisions allow an entity to designate a healthcare component by documenting the components of its organization that perform covered entity functions. The effect of such a designation is that most of the requirements of the HIPAA Rules apply only to the designated healthcare component of the entity and not to the functions the entity performs that are not included in the healthcare component. The Final Omnibus Rule removes the discretion covered entities had under the prior version of the Privacy Rule and requires that the healthcare component of a hybrid entity include all business associate functions (e.g., billing or compliance departments). In OCR s view, this change was necessary to prevent hybrid entities from avoiding direct liability and compliance obligations for the business associate component by not including business associate functions within the healthcare component of a hybrid entity. GINA The Final Omnibus Rule implements provisions of the Genetic Information Nondiscrimination Act of 2008 ( GINA ), which prohibit health plans and employers from discriminating on the basis of genetic information. The Final Rule revises the Privacy Rule to expressly include genetic information within its definition of health information and prohibits health plans from using or disclosing genetic information for underwriting purposes. Notably, OCR extends GINA s applicability beyond the health plan types specified in the statute to include all health plans that are covered entities under the HIPAA Privacy Rule, except for issuers of long term care policies. Under the Final Rule, genetic information means, with respect to any individual, information about: Such individual s genetic tests; The genetic tests of family members of such individual; The manifestation of a disease or disorder in family members of such individual (i.e., family medical history); and Any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by such individual or family member of such individual. Genetic information does not include information about the sex or age of an individual. Genetic information concerning an individual or family member of an individual includes the genetic information of: A fetus carried by the individual or family member who is a pregnant woman; and Any embryo legally held by an individual or family member utilizing an assisted reproductive technology. Family member means, with respect to an individual: A dependent of the individual; or Any other person who is a first-degree (e.g., parents, spouses, siblings and children), second-degree (e.g., grandparents, grandchildren, aunts, uncles, nephews, and nieces), third-degree (e.g., great-grandparents, great-
Page 10 grandchildren, great aunts, great uncles, and first cousins), or fourth-degree (e.g., great-great grandparents, greatgreat grandchildren, and children of first cousins) relative of the individual or of a dependent of the individual. Relatives by affinity (such as by marriage or adoption) are treated the same as relatives by consanguinity (that is, relatives who share a common biological ancestor). In determining the degree of the relationship, relatives by less than full consanguinity (such as half-siblings, who share only one parent) are treated the same as relatives by full consanguinity (such as siblings who share both parents). The term manifestation or manifested means, with respect to a disease, disorder, or pathological condition, that an individual has been or could reasonably be diagnosed with the disease, disorder, or pathological condition by a healthcare professional with appropriate training and expertise in the field of medicine involved. A disease, disorder, or pathological condition is not manifested if the diagnosis is based principally on genetic information. The Final Rule defines underwriting purposes broadly as: Rules for, or determination of, eligibility (including enrollment and continued eligibility) for, or determination of, benefits under the plan, coverage, or policy; The computation of premium or contribution amounts under the plan, coverage, or policy; The application of any pre-existing condition exclusion under the plan, coverage, or policy; and Other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits. Significantly, the Final Rule provides an exception to the definition of underwriting purposes that allows health plans to use or disclose the minimum necessary genetic information to make determinations regarding the medical appropriateness of providing a requested benefit (e.g., requiring a genetic test or family history to demonstrate increased breast cancer risk as a prerequisite for authorizing annual mammograms for a woman under age 40). Unlike most uses and disclosures of PHI under HIPAA, covered health plans may not use authorizations to permit the use or disclosure of genetic information for underwriting purposes. Enforcement HITECH amended HIPAA to establish four categories of violations that reflect increasing levels of culpability and four corresponding tiers of penalties that significantly increased the minimum penalty amount for each violation. The Final Omnibus Rule incorporates the four categories of violations and corresponding four-tiered Civil Money Penalty ( CMP ) structure provided by HITECH for violations occurring on or after February 18, 2009 and extends the penalty provisions to violations by business associates. The first category of violation (and lowest penalty tier) covers situations where the covered entity or business associate did not know, and by exercising reasonable diligence would not have known, of a violation. The second category of violation applies to violations due to reasonable cause and not to willful neglect. The third and fourth categories apply to circumstances where the violation was due to willful neglect that is corrected within a certain time period and willful neglect that is not corrected. The penalties associated with each tier are summarized in the following chart: Violation Category Per Violation Penalty Annual Cap for all Violations of an Identical Provision (A) Did Not Know $100 - $50,000 $1,500,000 (B) Reasonable Cause $1,000 - $50,000 $1,500,000
Page 11 Violation Category Per Violation Penalty Annual Cap for all Violations of an Identical Provision (C)(i) Willful Neglect-Corrected $10,000 - $50,000 $1,500,000 (C)(ii) Willful Neglect-Not Corrected $50,000 $1,500,000 Although there is a $1.5 million cap for all violations of an identical provision in a calendar year, a covered entity or business associate may be liable for multiple violations of multiple provisions, and a violation of each provision may be counted separately. As such, one covered entity or business associate may be subject to multiple violations of up to a $1.5 million cap for each violation, which would result in a total penalty well above $1.5 million. The Final Rule also adopts the following: Provisions that require HHS to investigate a complaint or conduct a compliance review when a preliminary review of the facts indicates a possible violation due to willful neglect; and Provisions that define the mens rea standard associated with violations due to reasonable cause as an act or omission in which a Covered Entity or Business Associate knew, or by exercising reasonable diligence would have known, that the act or commission violates [a HIPAA provision], but in which the Covered Entity or Business Associate did not act with willful neglect. Under the Final Rule, HHS may share information gathered in any investigations or compliance reviews with other law enforcement agencies to the extent permitted by the Privacy Act. Importantly, the Final Rule also provides for civil money penalty liability against covered entities and business associates for the acts of their agents regardless of whether a business associate agreement is in place. OCR states that it will look to the Federal common law of agency in determining whether an entity is acting as an agent. Finally, the Final Rule includes a potential affirmative defense with respect to tier one and tier two violations occurring on or after February 18, 2009. Specifically, a covered entity or business associate may establish that an affirmative defense applies where the entity corrects the violation within 30 days from the date the entity had knowledge of the violation or with the exercise of reasonable diligence would have had knowledge of the violation, or during a period determined appropriate by the Secretary based upon the nature and extent of the entity's failure to comply. Future Rulemakings The Final Omnibus Rule does not implement several HITECH provisions and instead leaves them to future rulemakings. It does not address either the accounting of disclosure requirements under HITECH, which require covered entities to account for disclosures of PHI from EHRs for treatment, payment and healthcare operations, or the methodology under which an individual who is harmed by a HIPAA violation may receive a percentage of any CMP or monetary settlement collected with respect to the offense. Additionally, it does not provide guidance on the minimum necessary provisions of HIPAA. It will be important for covered entities and business associates to monitor developments related to these provisions, especially the whistleblower provisions, as they will likely have a significant impact on their compliance obligations and the enforcement of HIPAA. Conclusion The Final Rule implements the most significant changes to HIPAA since the statute was enacted. Driven in large part by a desire to build patient confidence in the security of EHRs, the development of which HHS has invested billions of dollars and which many policymakers see as a key pathway to major improvements in healthcare, the Final Rule
Page 12 strengthens the protections of PHI in the HIPAA Privacy and Security Rules. It also arms OCR with much stronger tools to enforce the HIPAA Rules. Clearly, OCR has laid the foundation in the provisions of the Final Rule for a new era of healthcare privacy regulation and enforcement at the federal level. In light of these new requirements and tools, healthcare companies and their contractors should assess their information practices and governance and devote sufficient resources to bringing their operations into compliance with the Final Rule. If you have any questions regarding this update, please contact Anna Spencer (aspencer@sidley.com; +1.202.736.8445), Jim Stansel (jstansel@sidley.com; +1.202.736.8092) or the Sidley lawyer with whom you usually work. The Privacy, Data Security & Information Law Practice of Sidley Austin LLP We offer clients an inter-disciplinary, international group of lawyers focusing on the complex national and international issues of data protection and cyber law. The group includes lawyers experienced in regulatory compliance, litigation, financial institutions, healthcare, EU regulation, IT licensing, marketing counsel, intellectual property, and criminal issues. Sidley provides services in the following areas: Privacy and Consumer Protection Litigation, Enforcement and Regulatory Compliance Data Breach, Incident Response, and Cybersecurity Advice Global Data Protection, International Data Transfer Solutions and Cross-Border Issues Corporate Data Protection, Compliance Programs and Information Governance Assessments FTC and State Attorney General Investigations of Unfair or Deceptive Acts and Practices Social Media, Cloud Computing, Online Advertising, E-Commerce and Internet Issues EU, China and Japan Data Protection and Compliance Counseling Gramm-Leach-Bliley and Financial Privacy HIPAA and Healthcare Privacy Communications Law and Data Protection Workplace Privacy and Employee Monitoring Website Policies Online Trademarks and Domain Name Protection Records Retention, Electronic Discovery, Government Access and National Security For further information on the Privacy, Data Security and Information Law Practice, please contact: John M. Casanova 65.6230.3907 jcasanova@sidley.com Edward R. McNicholas +1.202.736.8010 emcnicholas@sidley.com Alan Charles Raul +1.202.736.8477 araul@sidley.com Anna L. Spencer +1.202.736.8445 aspencer@sidley.com Healthcare Practice Our Healthcare Practice represents participants in all facets of the healthcare industry, including pharmaceutical, biotech and device companies, DME suppliers, hospitals, skilled nursing facilities, physician-owned companies, professional associations and research institutions. Our lawyers combine a strong background in the complexities of healthcare financing and delivery, including coding, reimbursement, and coverage issues, privacy and security, trade regulation, and competition. We have extensive experience representing clients on enforcement and regulatory matters before federal and state enforcement agencies. For further information on the Healthcare Practice, please contact: Paul E. Kalb, M.D. +1.202.736.8050 pkalb@sidley.com Richard Raskin +1.313.853.2170 rraskin@sidley.com To receive future copies of this and other Sidley updates via email, please sign up at www.sidley.com/subscribe www.sidley.com BEIJING BRUSSELS CHICAGO DALLAS FRANKFURT GENEVA HONG KONG HOUSTON LONDON LOS ANGELES NEW YORK PALO ALTO SAN FRANCISCO SHANGHAI SINGAPORE SYDNEY TOKYO WASHINGTON, D.C. Sidley Austin refers to Sidley Austin LLP and affiliated partnerships as explained at www.sidley.com/disclaimer.