Changes to HIPAA Under the Omnibus Final Rule


Kimberly J. Kannensohn and Nathan A. Kottkamp, McGuireWoods

The Long-Awaited HIPAA Final Rule

On Jan. 17, 2013, the Department of Health and Human Services (HHS) released the long-awaited omnibus final rule (Final Rule) pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and the Genetic Information Non-Discrimination Act of 2008 (GINA). The Final Rule, published in the Federal Register on Jan. 25, 2013 (78 Fed. Reg. 5566), settles some of the questions that remained open after the publication of the proposed regulations on July 14, 2010. The Final Rule became effective on Mar. 26, 2013, and covered entities and business associates must comply with the applicable requirements of the Final Rule by September 23, 2013. Covered entities and business associates will have up to one year following the compliance date to modify business associate agreements in accordance with the requirements of the Final Rule.

Among other things, the Final Rule addresses the following key topics:

1. Privacy Rule and Security Rule:
   a. Direct liability of business associates and subcontractors of business associates for compliance with certain provisions of the HIPAA Privacy Rule and the HIPAA Security Rule.
   b. Activities that render an entity a business associate, including the mere storage or maintenance of protected health information (PHI).
   c. Required modifications to a covered entity's notice of privacy practices.
   d. Expansion of the rights of individuals to receive electronic copies of their health information and restriction of disclosures to a health plan for treatment for which the individual has paid out-of-pocket in full.
   e. Expansion of the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibition of the sale of protected health information without individual authorization.
2. The Breach Notification Rule: Replacement of the harm threshold in the Breach Notification Interim Final Rule with a more objective standard, and replacement of the Interim Final Rule in its entirety with the relevant provisions of the omnibus Final Rule.
3. The Enforcement Rule: Incorporation of the tiered civil money penalty structure set forth in the HITECH Act, originally published as an interim Final Rule on October 30, 2009. Penalties are increased for non-compliance based upon the level of negligence, with a maximum penalty of $1.5 million per violation.
4. Protections for Genetic Information: Enhanced privacy protections for genetic information as required by GINA, which was published as a proposed rule on October 7, 2009.

In a press release accompanying the release of the Final Rule, Leon Rodriguez, the director of the Office for Civil Rights of HHS, stated that the final omnibus rule "marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates."

Breach Notification Standard Changed by HIPAA Omnibus Final Rule

In the Final Rule, HHS modified the standard that HIPAA-covered entities, including healthcare providers and health plans, and their business associates must use to determine if a breach of PHI has occurred. Specifically, HHS replaced the previous standard, which required analysis of the risk of financial, reputational or other harm to an individual, with a standard that presumes that a breach has occurred unless, through the analysis of a series of specific factors, it is determined that there is a low probability that PHI has been compromised by the unauthorized use or disclosure. In the Final Rule, HHS reaffirms that it is the obligation of the covered entity or the business associate to reach this determination, to document the basis for the determination, and to provide all required notifications if a determination is made that a breach has occurred.

Risk of Harm Standard Replaced with More Objective Test

The HITECH Act requires notice to affected individuals, HHS, and, in certain circumstances, the media when HIPAA-covered entities and their business associates discover a breach of unsecured PHI.
HHS defines "breach" as the acquisition, access, use, or disclosure of PHI in violation of the Privacy Rule that compromises the security or privacy of the PHI. In the Breach Notification for Unsecured Protected Health Information Interim Final Rule, effective Sept. 23, 2009, HHS defined the phrase "compromises the security or privacy of the PHI" to mean that the acquisition, access, use, or disclosure poses a significant risk of financial, reputational, or other harm to the individual. The inclusion of this second level of analysis, the so-called "risk of harm" standard, created a subjective aspect to an entity's evaluation of whether an unauthorized acquisition, access, use, or disclosure of PHI rises to the level of a breach. After considering public comments to the Interim Final Rule, HHS determined that the risk of harm standard could be construed and implemented in a manner it had not intended. Accordingly, in the Final Rule, HHS revised the definition of a breach to state that, unless an exception applies, an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised.

Further, to determine whether there is a low probability that the PHI has been compromised and whether breach notification is necessary, the covered entity or business associate, as applicable, must conduct a risk assessment that considers, at a minimum, each of the following factors:

1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the protected health information or to whom the disclosure was made;
3. Whether the protected health information was actually acquired or viewed; and
4. The extent to which the risk to the protected health information has been mitigated.

Following analysis of each of the factors above, covered entities and business associates must evaluate the overall possibility that the PHI has been compromised by considering all the above, and any other relevant factors, in combination. HHS expects that risk assessments will be thorough and completed in good faith and, further, that the conclusions will be reasonable.

Safe Harbor and Certain Other Exceptions Still Apply

The Final Rule retained a critical safe harbor initially established by the Interim Final Rule. Specifically, an unauthorized disclosure only rises to the level of a breach, and only triggers the notification requirements of the HITECH Act, if the PHI disclosed is unsecured. "Unsecured PHI" is PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of the technology or methodology specified by the secretary through published guidance. The secretary issued guidance on Apr. 17, 2009, later published in the Federal Register on Apr. 27, 2009 (74 FR 19006), specifying two methods for rendering PHI unusable, unreadable or indecipherable: (1) encryption and (2) destruction effectuated in accordance with certain industry best practices.

The other regulatory exceptions to the definition of breach that were implemented through the Interim Final Rule remain unchanged. These include: (1) acquisition, access or use of PHI by a workforce member, in good faith, and without further use or disclosure not permitted by the Privacy Rule; (2) inadvertent disclosure to a person authorized to access PHI, without further use or disclosure not permitted by the Privacy Rule; and (3) where there is a good faith belief that the unauthorized person would not be able to retain the information.

Limited Data Set Exception Removed

The Final Rule eliminated the exception to the definition of breach where the PHI used or disclosed constitutes a limited data set that does not contain any dates of birth or ZIP Codes. Accordingly, breaches of limited data sets, regardless of their content, must be handled like all other breaches of PHI.

Notification Requirements Remain Unchanged

Under both the Interim Final Rule and the Final Rule, if a covered entity determines that a breach has occurred, the following breach notification obligations apply:

Notice to Individuals: Affected individuals must be notified without unreasonable delay, but in no case later than 60 calendar days after discovery. The notices must be written in plain language and include basic information that is detailed in the Interim Final Rule. Under certain circumstances, a substitute notice may be used.

Notice to Media: If a breach affects more than 500 residents of a state or smaller jurisdiction (such as a county, city or town), the covered entity or business associate must also notify a prominent media outlet that is appropriate for the size of the location with affected individuals.

Notice to HHS: Information regarding breaches involving 500 or more individuals (regardless of location) must be submitted to HHS at the same time that notices to individuals are issued. If a particular breach involves 500 or fewer individuals, the covered entity is required to report the breach to HHS, via the HHS web portal, within 60 days after the end of the calendar year in which the breach occurs.

Notice by Business Associates to Covered Entities: A business associate of a covered entity must notify the covered entity if the business associate discovers a breach of unsecured PHI. Notice must be provided without unreasonable delay and in no case later than 60 days after discovery of the breach.

Burden of Proof Rests with Covered Entities and Business Associates

The Final Rule reaffirms that, in the case of an impermissible use or disclosure of PHI, it is the covered entity or the business associate, as applicable, that has the burden of demonstrating that all notifications were provided or, in the alternative, that an impermissible use or disclosure did not constitute a breach, and of maintaining documentation as necessary to meet this burden. It is critically important that covered entities and business associates have appropriate policies and procedures in place to detect and respond to a potential breach. Following a breach, covered entities and business associates should conduct employee training to prevent recurrence.

HHS Adopts a Broad Interpretation of Entities that Qualify as Business Associates under HIPAA in the Omnibus Final Rule

In the Final Rule, HHS (i) clarifies that data storage providers that maintain PHI on behalf of covered entities or business associates on a long-term basis qualify as business associates under HIPAA; (ii) expands the definition of business associate to include subcontractors of business associates; and (iii) provides specific guidance regarding the dates by which covered entities and business associates must enter into HIPAA-compliant business associate agreements. HHS's decision to define a business associate in an expansive manner is significant because, pursuant to the HITECH Act, business associates are directly liable to the federal government for noncompliance with certain provisions of the Privacy Rule and with the Security Rule, and are subject to the Breach Notification and Enforcement Rules (collectively, the "HIPAA Rules"). Prior to the HITECH Act, business associates were contractually liable to covered entities pursuant to an executed business associate agreement but did not have direct liability to the federal government under HIPAA and the accompanying regulations. The application of HIPAA to business associates through the HITECH Act, and the broad definition of these entities adopted in the Final Rule, impose compliance obligations, and the risk of substantial penalties for noncompliance, upon a wide swath of entities supporting the healthcare industry.

Clarifying the Definition of Business Associate

In what it described as a clarification, HHS modified one component of the definition of business associate. Specifically, HHS altered the definition to provide, in relevant part, that a business associate is an entity that, "on behalf of [a] covered entity or of an organized health care arrangement (as defined in [45 C.F.R. 160.103]) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by [the] subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing." (45 C.F.R. 160.103) (emphasis added).

In the discussion preceding the revised regulation, HHS states that this change is intended to make the definition more consistent with language at [Section] 164.308(b) of the Security Rule and [Section] 164.502(e) of the Privacy Rule, as well as to clarify that entities that maintain or store protected health information on behalf of a covered entity are business associates, even if they do not actually view the protected health information. HHS also distinguishes between a "mere conduit" of PHI, such as the U.S. Postal Service, and an entity engaged in the long-term storage of PHI. According to HHS, the former transmits PHI and holds it on a transient basis, with no real opportunity to access PHI, and thus does not constitute a business associate. In contrast, a data storage provider that maintains PHI on behalf of a covered entity or business associate on a more permanent basis has the opportunity to access PHI and thus qualifies as a business associate under HIPAA. HHS does not distinguish between bulk storage providers of hard copy data, cloud storage providers, and other providers of electronic data storage services, suggesting that its analysis of who qualifies as a business associate applies in the same manner to each of these entities.

Liability of Subcontractors of Business Associates

In addition to reframing the definition of business associate, HHS provided a short list of the types of entities that, by definition, constitute business associates. Among these is "a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate." (45 C.F.R. 160.103). Thus, subcontractors of a business associate who use or disclose PHI on behalf of the business associate are now directly subject to HIPAA. In the Final Rule, HHS noted that it included subcontractors in the definition of business associate to avoid having privacy and security protections for PHI lapse merely because a function is performed by an entity that is a subcontractor rather than an entity with a direct relationship with a covered entity. HHS clarifies that disclosures by a business associate to a third-party entity for its own management and administration or legal responsibilities do not create a business associate relationship with the recipient of the PHI, because such disclosures are made outside the entity's role as a business associate. (However, such disclosure must otherwise be made in accordance with Section 164.504 of the Privacy Rule, including the requirement for assurances that the PHI will be appropriately safeguarded.)

In response to concerns from the public that the inclusion of subcontractors in the definition of business associate would require a covered entity to identify and enter into business associate agreements with all downstream contractors of each of its business associates, HHS modified the HIPAA Rules. Specifically, HHS modified the HIPAA Rules to provide that a covered entity is not required to directly contract with downstream subcontractors. (45 C.F.R. 164.502(e)(1); 45 C.F.R. 164.308(b)(1)). Instead, a business associate who discloses PHI to a subcontractor must enter into a business associate agreement with the subcontractor that provides assurances that the subcontractor will appropriately safeguard the information. (See 45 C.F.R. 164.308(b)(2).)

Liability Attaches upon the Performance of a Business Associate Activity

The discussion preceding the Final Rule notes that the Final Rule establishes that a person becomes a business associate "by definition, not by the act of contracting with a covered entity or otherwise."
Therefore, liability for impermissible uses and disclosures attaches immediately when a person creates, receives, maintains, or transmits protected health information on behalf of a covered entity or business associate and otherwise meets the definition of a business associate. Thus, an individual or entity that qualifies as a business associate under the HIPAA Rules is liable for compliance with HIPAA regardless of whether a business associate agreement is in effect.

Compliance Dates

The Final Rule requires that covered entities and business associates (and, if applicable, subcontractors) achieve compliance with the HIPAA Rules within 180 days of the effective date of any new or modified standards. (45 C.F.R. 160.105). The effective date of the Final Rule was Mar. 26, 2013, and covered entities and business associates must be in compliance with the requirements by Sept. 23, 2013. Notwithstanding this general compliance deadline, in the Final Rule HHS provides a transition provision that allows a covered entity and a business associate (or a business associate and subcontractor) to continue operating under an existing business associate agreement for up to one year beyond the compliance date of the Final Rule, so long as certain requirements are satisfied. (45 C.F.R. 164.532(d)). An existing business associate agreement may continue to operate beyond the compliance deadline if (i) the agreement is effective prior to Jan. 25, 2013, and it contains all the elements required by the regulations as of that date; and (ii) the agreement will not be modified or renewed from March 26, 2013 (the Final Rule effective date) until Sept. 23, 2013 (the Final Rule compliance date). (45 C.F.R. 164.532(e)(1)). An existing business associate agreement that meets such specifications will be deemed compliant until the earlier of the date the agreement is modified or renewed on or after September 23, 2013, or Sept. 22, 2014.

HIPAA Omnibus Final Rule Modifies Notice of Privacy Practices Requirements

The Final Rule modifies and expands the statements that covered entities must include in the Notice of Privacy Practices, which is the HIPAA-mandated notice that apprises patients of their rights with regard to PHI and the limits imposed upon a covered entity's uses and disclosures of PHI.

Notice of Privacy Practices

The Privacy Rule requires covered entities to maintain and distribute a notice of privacy practices (NPP), which must provide that any uses or disclosures other than those expressly permitted by the Privacy Rule will be made only with the written authorization of an individual (45 C.F.R. 164.520). The Final Rule expands the requirements to provide individuals with a better understanding of (i) a patient's right to restrict disclosures; (ii) the types of uses and disclosures that require individual authorization; (iii) a patient's right to opt out of certain disclosures (45 C.F.R. 164.520(b)(1)); (iv) rights to notice in the event of a breach; and (v) rights with respect to the use of their genetic information for health plan underwriting purposes. The Final Rule modifies 164.520(b)(1)(ii)(E) to expand the statements in the NPP regarding uses and disclosures that require authorization.
Although the Final Rule does not require the NPP to include a list of all situations requiring authorization, the NPP must contain a statement indicating that the following uses and disclosures will be made only with authorization from the individual: (i) most uses and disclosures of psychotherapy notes (if recorded by a covered entity); (ii) uses and disclosures of PHI for marketing purposes, including subsidized treatment communications; (iii) disclosures that constitute a sale of PHI; and (iv) other uses and disclosures not described in the NPP. The Final Rule adopts, as proposed, the requirement that if a covered entity intends to send fundraising communications to an individual, the NPP must also inform the individual of this intent and that the individual has the right to opt out of such fundraising communications with each solicitation (45 C.F.R. 164.520(b)(1)(iii)(B)). Finally, the Final Rule requires that the NPP contain a simple statement indicating that the covered entity is required to notify the patient of any breach of his or her unsecured PHI.

Healthcare providers must state in the NPP that if an individual has paid for services out-of-pocket, in full, and the individual requests that the healthcare provider not disclose PHI related solely to those services to a health plan, the healthcare provider must accommodate the individual's request, except where the healthcare provider is required by law to make a disclosure (45 C.F.R. 164.520(b)(1)(iv)(A)). The Final Rule does not require covered entities to inform other downstream covered entities of an individual's request not to disclose PHI to a health plan; however, the commentary to the Final Rule does suggest that covered entities should consider providing notification where feasible. Additionally, consistent with GINA, health plans are required to include a statement in their NPPs that they are prohibited from using or disclosing genetic information of an individual for underwriting purposes (45 CFR 164.520(b)(1)(iii)(C)). The Final Rule included a limited exception to this requirement for certain issuers of long-term care policies.

The Final Rule requires a health plan that currently posts its NPP on its website in accordance with 164.520(c)(3)(i) to: (i) prominently post the material change or its revised notice on its website by the effective date of the material change to the notice (i.e., the compliance date); and (ii) provide the revised notice, or information about the material change and how to obtain the revised notice, in its next annual mailing to individuals then covered by the plan, such as at the beginning of the plan year or during open enrollment. If a health plan does not have a customer services website, then the health plan must provide the revised NPP, or information about the material change and how to obtain the revised notice, to individuals covered by the plan within 60 days of the material revision to the notice. The Final Rule does not modify the current requirement, applicable to all covered entities, to distribute revisions to the NPP (45 C.F.R. 164.520(c)(2)(iv)).
Therefore, when a healthcare provider revises an NPP, the healthcare provider must make the NPP readily available upon request on or after the effective date of the revisions at the delivery site to existing patients who request a copy, must post the revised notice on its website, if applicable, and must post the notice in a prominent location on its premises. Providers may even post a summary of the notice, provided that the full notice is immediately available. New patients who receive services for the first time after modification of an NPP should be provided with a copy of the revised NPP. Consistent with the existing rules, providers should retain copies of previous versions of their NPPs and of any written acknowledgements by patients of receipt of NPPs.

HIPAA Omnibus Final Rule Implements Tiered Penalty Structure for HIPAA Violations

The HITECH Act required HHS to modify HIPAA's Enforcement Rule and HHS's approach to imposing civil money penalties (CMPs) for violations. Specifically, the HITECH Act significantly increased the amount of CMPs, reduced the number of available affirmative defenses to CMPs, and required imposition of CMPs for all violations due to willful neglect. Additionally, the HITECH Act applied all of the above directly to business associates. HHS issued an Interim Final Rule along with a request for comments on Oct. 30, 2009. The Final Rule responds to public comments regarding the Interim Final Rule and makes a variety of revisions to the Interim Final Rule. However, the core provisions regarding penalties remain substantially the same.

Determining the Amount of a CMP

The Final Rule implements the penalty structure mandated by the HITECH Act for violations occurring after Feb. 18, 2009, in which the amount of the penalty increases with the level of culpability, with maximum penalties for violations of the same HIPAA provision of $1.5 million per year. Prior to the enactment of the HITECH Act, the imposition of CMPs under HIPAA was limited to a maximum of $100 per violation and $25,000 for all violations of an identical requirement or prohibition occurring within the same calendar year. The prior penalty structure is still applicable to violations occurring on or before Feb. 18, 2009. The tiered structure for imposition of CMPs under the HITECH Act and Final Rule distinguishes the level of culpability as follows:

Unknowing. The covered entity or business associate did not know and reasonably should not have known of the violation.

Reasonable Cause. The covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but the covered entity or business associate did not act with willful neglect.

Willful Neglect Corrected. The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. However, the covered entity or business associate corrected the violation within 30 days of discovery.

Willful Neglect Uncorrected. The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, and the covered entity or business associate did not correct the violation within 30 days of discovery.
The corresponding tiers of CMP relating to each level of culpability are as follows:

Violation Category              Each Violation        Total CMP for Violations of an Identical Provision in a Calendar Year
Unknowing                       $100 to $50,000       $1,500,000
Reasonable Cause                $1,000 to $50,000     $1,500,000
Willful Neglect Corrected       $10,000 to $50,000    $1,500,000
Willful Neglect Not Corrected   At least $50,000      $1,500,000

Under the Final Rule, HHS does not have the authority to automatically impose the maximum CMP for any given violation. Rather, in determining the amount of a CMP, HHS must consider the following:

The nature and extent of the violation, including the number of individuals affected and the time period during which the violation occurred;

The nature and extent of the harms resulting from the violation, including whether the violation caused physical harm, whether the violation resulted in financial harm, whether there was harm to an individual's reputation and whether the violation hindered an individual's ability to obtain healthcare;

The history of prior compliance, including previous violations; and

The financial condition of the covered entity or business associate, including whether financial difficulties affected the ability to comply and whether the imposition of the CMP would jeopardize the ability of the covered entity to continue to provide or pay for healthcare.

Defenses to CMPs

The Final Rule limits the ability of the Secretary to impose CMPs for certain violations of HIPAA occurring after Feb. 18, 2009. Specifically, the Secretary may not impose CMPs for a violation that is not due to willful neglect and that is corrected within 30 days of actual or constructive knowledge of the violation, or during an additional period, as determined by the Secretary to be appropriate based on the nature and extent of the failure to comply. This defense, however, is not available for violations due to willful neglect. Thus, to the extent possible, a covered entity or business associate that discovers a violation of HIPAA that is not due to willful neglect should endeavor to (i) correct the violation within 30 days of the discovery; (ii) document the date on which it discovered the violation; and (iii) document the date on which it implemented the correction, in order to establish a basis for asserting the affirmative defense to the imposition of CMPs for the violation.
The Final Rule also bars the imposition of CMPs for violations of HIPAA when a criminal penalty has previously been imposed for the same conduct.

Waiver and Discretion

While the Final Rule includes many provisions that amplify the penalties associated with a violation of HIPAA, as discussed above, there is some flexibility built into the Final Rule with respect to imposition of such penalties. The Final Rule gives HHS discretion to waive a CMP for violations that are not due to willful neglect, in whole or in part, to the extent that the penalty is excessive relative to the violation. The waiver power mirrors the tiered CMP structure by providing a mechanism to ensure that the amount of the CMP reflects the level of culpability. Further, CMPs are not the exclusive remedy for violations of HIPAA. Rather, HHS has discretion to use other measures to address HIPAA violations, such as providing direct technical assistance or resolving possible noncompliance through informal means. Prior to the Final Rule, HHS was required to seek resolution through these informal means for all violations, while the Final Rule provides that informal resolution may be attempted. Finally, the Final Rule does not allow violations due to willful neglect to be resolved through these informal means without also imposing a CMP.

Applicability of CMPs for Acts of Business Associate Agents

The Final Rule makes a covered entity liable for the violations of its business associates that are its agents, and adds a parallel provision providing for the liability of business associates for the acts of their agents. To avoid state-by-state variations in the law of agency, the Final Rule specifies that whether an agency relationship exists will be established under the federal law of agency. In general, an agency relationship will be found where the potential agent's actions can be directed or controlled during the course of performance of its duties, regardless of whether actual direction or control occurs. Prior to the HITECH Act, covered entities were not subject to CMPs for violations by an agent who was also a business associate acting under a compliant business associate agreement.

Marketing and Sale of PHI

Marketing of PHI

The Final Rule requires an individual's authorization for a communication when a covered entity receives financial remuneration from a third party in exchange for marketing the third party's product or service. Exceptions apply for certain costs related to refill reminders and other communications about currently prescribed drugs. Promotions of health in general and the promotion of government-sponsored programs are also permitted without authorization. The Privacy Rule requires a covered entity to obtain a valid authorization from an individual before using or disclosing PHI to market a product or service to such individual (164.508(a)(3)).
Section 164.501 of the Privacy Rule defines marketing as making a communication that encourages the recipient to purchase or use a certain product or service. The Final Rule implements Section 13406(a) of the HITECH Act, which limits the communications that may be considered health care operations and are, therefore, excepted from the definition of marketing, and which includes an exception for communications that describe only a drug or biologic currently prescribed to the individual, as long as any remuneration received in exchange for making the communication is reasonable in amount.

Sale of PHI

Consistent with Section 13405(d) of the HITECH Act, the Final Rule generally prohibits a covered entity or business associate from receiving direct or indirect remuneration in exchange for the disclosure of PHI, unless the covered entity or business associate has obtained authorization from the individual. The Final Rule defines sale of PHI to mean a disclosure of PHI by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI. Notably, this definition makes the sale provisions applicable to all disclosures in exchange for remuneration, even if the sale transaction does not involve the transfer of ownership of PHI, such as in the context of a license or lease agreement. However, the sale of PHI does not encompass certain funding arrangements, such as grants or incentive payments from a government agency for programs that require the reporting of PHI as a condition of funding, or the exchange of PHI through a health information exchange (HIE) that is paid for through fees assessed on HIE participants.

GINA

GINA prohibits employers and health insurance plans from discrimination on the basis of genetic information. To implement the requirements of GINA, the Final Rule adds genetic information to the definition of health information and prohibits the use or disclosure of genetic information for underwriting purposes. A plan may still use genetic information to determine medical appropriateness when a participant or dependent seeks a benefit under the plan. Finally, health plans are required to revise their NPPs to include an appropriate statement regarding their GINA restrictions.

Conclusion

The Final Rule will require covered entities and business associates to engage in a variety of activities to update policies, procedures, forms, NPPs, and actual practices to comply with the new requirements. In addition, to ensure HIPAA compliance, covered entities and business associates should train their workforce regarding the various updates. Additionally, to complement these efforts, and as required by the Security Rule, covered entities and business associates should take this opportunity to revisit their security risk assessments, address any identified vulnerabilities, and document their analysis.
Although it is not written in the regulations themselves or the Federal Register, it is likely that the release of the Final Rule will trigger a new era of HIPAA enforcement. Indeed, HIPAA enforcement already increased considerably following the issuance of the HITECH Act, and the OCR has made numerous statements over the last several years indicating that it takes its enforcement role very seriously. Accordingly, covered entities and business associates should act swiftly and comprehensively in their efforts to update applicable HIPAA programs and to ensure ongoing compliance.

Authors

Ms. Kannensohn and Mr. Kottkamp are each Partners in the Health Care Group of McGuireWoods LLP. The authors would like to thank Holly Carnell, Mary DeBartolo, Vincent Dongarra, Amanda Enyeart, Allison Harms, Drew McCormick, and Lindzi Timberlake for their assistance with this article.