CLIENT UPDATE February 20, 2013 HIPAA s Final Rule: The Impact on Covered Entities, Business Associates and Subcontractors On January 25, 2013, the U.S. Department of Health and Human Services ( DHHS ) published its final privacy and security regulations (the Final Rule ) under the Health Insurance Portability and Accountability Act of 1996 ( HIPAA ). The Final Rule implements the changes required by the Health Information Technology for Economic and Clinical Health ( HITECH ) Act of 2009. In addition, the Final Rule addresses HIPAA s Enforcement and Breach Notification Rules as well as modifications made to HIPAA s Privacy Rule as required by the Genetic Information Nondiscrimination Act. The Final Rule becomes effective March 26, 2013 and compliance is required by September 23, 2013. This Client Alert addresses the following topics: Impact of the Final Rule on Business Associates and Subcontractors; Amendments to the Breach Notification Rule; Changes to Notices of Privacy Practices; and Next Steps for Covered Entities, Business Associates and Subcontractors. Impact of the Final Rule on Business Associates and Subcontractors A significant aspect of the Final Rule is that business associates and their subcontractors are now directly liable for certain violations of the HIPAA Privacy, Security and Breach Notification Rules. In addition, the Final Rule expands the definition of business associate to include any entity (or individual) that creates, receives, maintains, or transmits protected health information ( PHI ) or electronic PHI ( ephi ) on behalf of a covered entity. This change has particular importance for entities such as document storage and shredding companies that maintain PHI or ephi. These entities are now considered business associates even if they never access the PHI they maintain. In addition, data transmission providers that require routine access to ephi are also considered business associates under the Final Rule. Which violations will subject Business Associates and Subcontractors to direct liability? Under the Final Rule, business associates and subcontractors will be directly liable for the following violations: Impermissible uses and disclosures of PHI;
Failure to provide a covered entity with notification of a breach; Failure to provide access to ephi to the covered entity, the individual, or the individual s designee as specified in the business associate agreement; Failure to disclose PHI to the Secretary of the DHHS for purposes of determining the business associates (or the subcontractor s) compliance with HIPAA; Failure to provide an accounting of disclosures; and Failure to comply with the HIPAA Security Rule. What is the Impact on Covered Entities? Covered entities should confirm Business Associate Agreements ( BAAs ) are in place with all entities that create, receive, maintain or transmit PHI or ephi on their behalf. For example, if a document storage company maintains PHI on behalf of the covered entity, a BAA is now required. Covered entities should also review their current BAAs to determine whether amendments are required in order to comply with the Final Rule. What BAA provisions are required under the Final Rule? Covered entities (and as applicable, business associates) should review their current BAAs to ensure they address the following: Compliance with the HIPAA Security Rule; Compliance with the HIPAA Privacy Rule (as applicable to business associates); Reporting breaches of unsecured PHI; Business associate s subcontractors must agree to the same restrictions and conditions that apply to the business associate; Impermissible uses and disclosures; Access to ephi; Required disclosures to DHHS for the purpose of determining business associate s compliance with HIPAA; and Limiting disclosures to the minimum necessary. When must BAAs be in compliance with the Final Rule? For all BAAs in effect as of January 25, 2013, covered entities have until September 23, 2014 to amend those BAAs if amendments are required. This transitional relief is applicable only to BAAs, as the parties must comply with requirements of the Final Rule by September 23, 2013. New BAAs entered into after January 25, 2013 should reflect the provisions above and should be in place by September 23, 2013. 2
Amendments to the HIPAA Breach Notification Rule Amendments to the HIPAA Breach Notification Rule adopted as part of the Final Rule further clarify the duties that have been imposed on covered entities and their business associates since 2009 with regard to breaches of unsecured PHI. What were the Breach Notification Requirements before the Final Rule? The HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, required DHHS to enact a rule for Breach Notification for Unsecured Protected Health Information (the Breach Notification Rule ). Consistent with HITECH, DHHS in August of 2009 published an interim final Breach Notification Rule, which has been in force since September of 2009. The Breach Notification Rule requires covered entities that discover a breach of unsecured PHI to notify the affected individuals, the Secretary of DHHS, and for breaches involving more than 500 residents of a state or jurisdiction the media. Business associates that discover a breach of unsecured PHI are required to notify the covered entity without unreasonable delay, and in no event later than sixty (60) calendar days after discovery of the breach. Also in 2009, DHHS released guidance specifying encryption and destruction as the two technologies or methodologies recognized as rendering protected health information unusable, unreadable, or indecipherable (i.e., secured) and thus exempt from these breach notification obligations. (http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/federalregisterbreachrfi.pdf) What are the Key Changes to the Breach Notification Rule? Definition of Breach. Previously, a breach was defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted by HIPAA that posed a significant risk of financial, reputational, or other harm to the individual. Under the Final Rule, significant risk of harm is no longer the standard. Rather, the Final Rule presumes that any non-permitted acquisition, access, use, or disclosure constitutes a breach, unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors: The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; The unauthorized person who used the PHI or to whom the disclosure was made; Whether the PHI as actually acquired or viewed; and The extent to which the risk to the PHI has been mitigated. DHHS agreed with commenters who expressed concern that the harm standard in the interim rule was too subjective, but rejected a bright line approach: [W]e believe that a risk assessment [to determine whether information has been compromised] is necessary, DHHS said, because there are situations in which unauthorized acquisition, access, use, or disclosure of protected health information is so inconsequential that it does not warrant notification. Notification to the Secretary of DHHS. The Final Rule contains a clarifying change concerning the timing of the required notification to the Secretary of DHHS regarding breaches affecting less than 500 3
individuals. Whereas the interim rule required notification to the Secretary not later than sixty (60) days after the end of the calendar year in which a breach occurred, the Final Rule recognizes that there may be a delay between the occurrence and the discovery of breaches, and now provides that notification to the Secretary is required not later than sixty (60) days after the end of the calendar year in which a breach is discovered. The remaining changes to the interim rule made by the final Breach Notification Rule are technical and non-substantive. How does the Breach Notification Rule Interplay With other HIPAA Rules? In the Federal Register Notice accompanying the final omnibus HIPAA Rules revisions, DHHS clarified several points of intersection between the Breach Notification Rule and other elements of HIPAA. For example, DHHS stated that a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of a business associate, including with respect to personal health record functions, is a HIPAA business associate and thus, is subject to the HIPAA Breach Notification Rule DHHS also clarified that a business associate that shares information with a third party in furtherance of the business associate s management and administration or legal responsibilities (as permitted under the rule governing contracts between business associates and covered entities) need not enter into a business associate contract with the third party but must obtain reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person and the person notifies the business associate of any instances of which it is aware that the confidentiality of the information has been breached. With regard to the increased penalty provision imposed by HITECH for HIPAA violations, including data breaches, DHHS notes that where multiple individuals are affected by an impermissible use or disclosure, such as in the case of a breach of unsecured PHI, it is anticipated that the number of identical violations of the Privacy Rule standard regarding permissible uses and disclosures would be counted by the number of individuals affected. Furthermore, in many breach cases, there will be both an impermissible use or disclosure, as well as a safeguards violation, for each of which [DHHS] may calculate a separate civil money penalty. Therefore, one covered entity or business associate may be subject to multiple violations of up to a $1.5 million cap for each violation, which would result in a total penalty above $1.5 million. The Costs of Breaches Are High And They Are Rising: DHHS estimates that 19,000 covered entities annually will incur breach notification costs under the new rule, for a total cost of $14.5 million per year, and that 6.71 million patients annually will be affected by these breaches. This estimate is based on breach notifications received by DHHS during calendar years 2010 and 2011. Recent industry statistics, however, suggest that breaches of PHI are on the rise, and that far more covered entities may be affected by the final Breach Notification Rule than DHHS has estimated. The Third Annual Benchmark Study on Patient Privacy & Data Security by the respected Ponemon Institute (see: http://www.ponemon.org/news-2/45), released in December of 2012, determined that ninety- 4
four percent (94%) of the eighty (80) healthcare organizations that participated in the benchmark study had experienced at least one data breach in the past two years, with forty-five percent (45%) of respondents reporting more than five (5) such incidents. Based on costs reported by the study respondents, Ponemon states that the average cost to deal with these breaches was $2.4 million per organization over a two-year period. These breach rates and costs were noted as having increased dramatically since 2010. Ponemon estimates that the total annual cost to the healthcare industry of patient data breaches could easily reach into the billions of dollars. Perhaps ironically, the study concludes that breach rates in the healthcare sector are high due, at least in part, to lack of funding. Only twenty-seven percent (27%) of respondents indicated having sufficient resources to combat data breaches, and only thirty-four percent (34%) reported having a sufficient security budget. These figures, together with the more stringent requirements now imposed by the Breach Notification Rule, may induce some healthcare organizations to consider increasing their investment in preventing data breaches from occurring and in developing effective protocols for responding, should the worst occur. Kutak Rock s HIPAA team is available to assist our healthcare clients in assessing and managing their data breach risks. Changes to Notice of Privacy Practices Most covered entities are required to distribute a Notice of Privacy Practices ( NPP ). The NPP describes the uses and disclosures of PHI permitted to be made by a covered entity, the covered entity s duties and privacy practices with respect to PHI and the individual s rights with respect to their PHI. What modifications to the NPP does the Final Rule require? The Final Rule requires covered entities to make certain modifications to their NPPs. These modifications are described in the table below. NPP MODIFICATION TABLE Modification Category Uses and disclosures requiring authorization Description of Modification The NPP must be revised to include a statement that the following requires an authorization: (i) most uses and disclosures of psychotherapy notes, 1 (ii) uses and disclosures of PHI for marketing purposes, and (iii) disclosures that constitute a sale of PHI. 1 If a covered entity does not record or maintain psychotherapy notes, it need not include a statement in its NPP about the psychotherapy note authorization requirement. Additionally, covered entities are not required to include a description of their recordkeeping practice with respect to psychotherapy notes, though they may do so. 5
Fundraising Genetic information Restriction on uses and disclosures Unsecured PHI Breaches If a covered entity intends to contact an individual for fundraising purposes, the NPP must include a statement notifying the individual of that fact and that the individual has a right to opt out of receiving such communications. 2 If a health plan covered entity (other than certain issuers of long-term care policies) intends to use or disclose PHI for underwriting purposes, the NPP must include a statement that the health plan is prohibited from using or disclosing PHI that is genetic information of an individual for such purposes. The NPP of health care providers 3 must inform individuals of their right to restrict certain disclosures of PHI to a health plan in instances when an individual pays out-of-pocket in full for the health care item or service. The NPP must include a statement that the covered entity is required by law to notify individuals following a breach of Unsecured PHI. 4 When do revised NPPs need to be distributed? The Final Rule requires covered entities to distribute revised NPPs, or notice of the material changes, as follows: For a health plan that posts its notice on its web site, the plan must prominently post the material changes to the NPP, or the revised NPP, on its web site by the effective date of the revised notice (which will be September 23, 2013 in most cases) and provide the revised NPP, or information about the material changes and how to receive the revised NPP, in its next annual mailing to individuals then covered by the plan. For a health plan that does not post its notice on its web site, the plan must provide the revised NPP, or information about the material changes and how to receive the revised NPP, to individuals then covered by the plan within 60 days of the material revision to the notice. For health care provider covered entities with a direct treatment relationship with an individual, the health care provider must make the revised NPP available upon request on or after the effective date of the revision and have the revised NPP available at the delivery site and post the notice in a clear and prominent location. In addition, such providers would be required to give a copy of the revised NPP to, and obtain a good faith acknowledgement of receipt from, new patients. 2 Because individuals will be provided the opportunity to opt out of fundraising communications with each solicitation, the Final Rule does not require the NPP to include the mechanism for individuals to opt out of receiving fundraising communications, although covered entities may do so if they so choose. 3 Other covered entities may retain language indicating that the covered entity is not required to agree to a requested restriction. 4 The Final Rule states that the NPP s Unsecured PHI Breach language is not intended to add undue complexity or length to the NPP and that the statement need not (i) describe how the covered entity will conduct a risk assessment, (ii) include the descriptions of breach or unsecured PHI or (iii) describe the types of information to be included in the actual breach notification. However, covered entities may include this type of information if they wish. 6
As under existing law, covered entities also have the option to distribute their revised NPPs or notices of material changes by email, provided the individual has agreed to receive an electronic copy of the revised NPPs or material change notices. What special requirements apply to the revised NPPs? Finally, in general, covered entities are required to take steps necessary to ensure effective communication with individuals with disabilities with respect to the revised NPPs. This could include making the revised NPP available in alternative formats, such as Braille, large print or audio. Some covered entities may also be required to take reasonable steps to ensure meaningful access for Limited English Proficient persons, which could mean that the covered entity is required to translate the NPP into frequently encountered languages. Next Steps for Covered Entities, Business Associates and Subcontractors Generally, covered entities, business associates, and subcontractors (as applicable) should take the steps outlined below to comply with the changes contained in the Final Rule. If you have any questions or if we can assist you in taking these steps, please contact any of the attorneys listed below. What are the Next Steps for Covered Entities? A covered entity should: Review and revise its HIPAA policies and procedures as necessary to comply with the Final Rule, placing particular emphasis on the changes to the rules relating to research, fundraising, marketing, and the sale of PHI. Review and revise its policies and procedures relating to breaches of unsecured PHI. Review and revise its NPP and plan for the distribution of its revised NPP. Review and revise its BAA templates to comply with the Final Rule. Inventory its existing BAAs, use the revised BAA templates for any new relationships entered between now and September 23, 2013, and implement a process to amend BAAs in effect as of January 25, 2013 by September 23, 2014. Update its HIPAA authorizations and other forms as necessary to comply with the Final Rule. Modify its HIPAA training programs to include the changes made by the Final Rule and begin training its workforce with respect to these changes. What are the Next Steps for Business Associates? A business associate should: Develop and/or update its HIPAA privacy and security policies and procedures, including its policies and procedures relating to breaches of unsecured PHI. Conduct a security risk assessment. 7
Review and revise its BAA templates to comply with the Final Rule. Inventory its existing BAAs entered with covered entities, use the revised BAA templates for any new relationships with covered entities entered between now and September 23, 2013, and implement a process to amend BAAs in effect as of January 25, 2013 by September 23, 2014 Inventory its existing relationships with subcontractors, inventory and review existing subcontractor BAAs, develop and/or revise subcontractor BAA templates to comply with the Final Rule and use the BAA templates for any new subcontractor relationships entered between now and September 23, 2013, and implement a process to amend subcontractor BAAs in effect as of January 25, 2013 by September 23, 2014. Develop and/or update its HIPAA training programs to address the business associate s HIPAA compliance program and related policies and procedures. What are the Next Steps for Subcontractors? Subcontractors are now directly liable for certain HIPAA violations. Entities or individuals that may be considered a subcontractor under HIPAA should: Review the definition of subcontractor to determine if you qualify as a subcontractor. Develop and/or update its HIPAA privacy and security policies and procedures, including policies and procedures relating to Unsecured PHI Breaches. Conduct a security risk assessment. Review and revise its BAA templates to comply with the Final Rule. Inventory its existing relationships with business associates and subcontractors, inventory and review existing business associate and/or subcontractor BAAs, develop and/or revise business associate and/or subcontractor BAA templates to comply with the Final Rule, use the BAA templates for any new business associate and/or subcontractor relationships entered between now and September 23, 2013, and implement a process to amend subcontractor BAAs in effect as of January 25, 2013 by September 23, 2014. Develop and/or update its HIPAA training programs to address the subcontractor s HIPAA compliance program and related policies and procedures. Additional Information If you wish to visit with us about the Final Rule or any other HIPAA compliance issues, please contact your Kutak Rock LLP attorney or a member of our HIPAA compliance team listed below. Juliana Reno Juliana.Reno@KutakRock.com Bryan G. Looney Bryan.Looney@KutakRock.com G. Mark Sappington Mark.Sappington@KutakRock.com Kathryn M. Magli Kathryn.Magli@KutakRock.com 8
L. Elise Dieterich Elise.Dieterich@KutakRock.com Mike Fowler Mike.Fowler@KutakRock.com Diane Stewart-Ferro Diane.Stewart-Ferro @KutakRock.com Sara J.B. English Sara.English@KutakRock.com Kutak Rock LLP The Omaha Building 1650 Farnam Street Omaha, NE 68102 (402) 346-6000 This Client Alert is a publication of Kutak Rock LLP. It is intended to notify our clients and friends of current events and provide general information about employee benefits issues. This Client Alert is not intended, nor should it be used, as legal advice, and it does not create an attorney-client relationship. Kutak Rock LLP 2013. All Rights Reserved. This communication may be considered advertising in some jurisdictions. 9