Tuesday, July 8, 2014

HIPAA OMNIBUS RULE

On January 17, 2013, the Department of Health and Human Services (HHS) issued the long-awaited HIPAA Omnibus Rule, with an effective date of March 26, 2013. The Final Rule made significant changes to HIPAA's Privacy Rule, Security Rule and Enforcement Rule, and it is expected to have lasting ramifications for covered entities (e.g., physicians and health facilities) and their business associates. In this article we focus on two main issues arising out of the Final Rule: (1) the new direct liability of business associates; and (2) the changes to the rule on data breach notification.
First, as we discussed in the May 2012 issue of the Nutile Pitz newsletter, the amendments to HIPAA under the Health Information Technology for Economic and Clinical Health Act (HITECH) directly regulate business associates for the first time. The Final Rule clarified that business associates are required to comply with the terms of their business associate agreement; provide PHI to the Secretary upon demand; comply with the minimum necessary requirements that limit the use and disclosure of PHI; provide an electronic copy of PHI to an individual, or to a covered entity, upon an individual's request; and enter into business associate agreements with any subcontractors that create, receive, maintain or transmit PHI on the business associate's behalf.
Second, one of the biggest departures of the Omnibus Final Rule from the Interim Final Rule is the treatment of reporting under the Breach Notification Rule. Under the Interim Final Rule, determining whether a breach had to be reported required an analysis of whether there was a "significant risk of financial, reputational or other harm to the individual." Under the Final Rule, an impermissible use or disclosure of PHI is presumed to be a reportable breach unless the covered entity or business associate demonstrates, through a documented risk assessment, that there is a low probability that the PHI has been compromised. In an attempt to provide more objectivity and consistency in reporting, HHS specified a four-factor assessment that considers: (i) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (ii) the unauthorized person who used the PHI or to whom the disclosure was made; (iii) whether the PHI was actually acquired or viewed; and (iv) the extent to which the risk to the PHI has been mitigated. Finally, covered entities must update their HIPAA policies, including their Notice of Privacy Practices and their business associate agreements, to meet the new requirements of the Final Rule by the compliance date of September 23, 2013. Call NPA today if you need assistance in understanding your new responsibilities under the HIPAA Omnibus Rule, including updating the policies and procedures related to arrangements with business associates or to breach notification.
