Expanding the Reach of HIPAA Data Security and Privacy Requirements
In this information technology era, it is little wonder that the Obama Administration has made enforcement of data security and privacy protections a top priority. The enforcement emphasis reflects public opinion favoring strong privacy protections. People fear big government and they fear privacy intrusions through the internet and internet commerce.
Across all enforcement agencies, data security and privacy are high priorities. The FTC is leading the way on data security; the NLRB is pushing social media protections of privacy; and the CFPB is launching new privacy initiatives.
The healthcare industry is already familiar with data security and privacy restrictions. HIPAA has been on the books for just over 15 years and the industry is very familiar with its requirements.
Since its inception, HIPAA's requirements have not been aggressively enforced. That has all changed. The Office for Civil Rights (OCR) in HHS, which is now headed by a former prosecutor, has made enforcement a top priority. OCR uses enforcement actions as an important tool in its overall mission to encourage compliance.
Last month, OCR issued the final “omnibus” rule modifying the HIPAA Privacy, Security, Breach Notification and Enforcement Rules. It took OCR two and a half years to finalize the rules, which are now effective March 26, 2013.
Some of the highlights of the new rules:
Application to Business Associates – the rules directly apply security and privacy requirements to Business Associates. The definition of “Business Associates” has been expanded to include subcontractors of business associates, health information organizations, patient safety organizations and persons that offer personal health information (PHI) to individuals on behalf of a covered entity. OCR also modified the definition to apply to persons who possess or store PHI even if they never actually access or view the information.
Business associates now have to enter into agreements with subcontractors that handle PHI, and downstream agreements are required for each link in the subcontractor chain. Given the burden of this new requirement, business associates have one additional year to comply.
Breach Definition – OCR modified the definition of a breach to replace the proposed “harm” analysis with a four-factor test, focusing on the nature of the PHI; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated. Under the rules, there is a presumption that a PHI breach requires notification unless the covered entity or business associate can demonstrate that there was a low probability that the PHI has been compromised.
The rules require a number of changes to notices of privacy practices, which must include (a) notification to affected individuals of a PHI breach; (b) authorizations for specific uses and disclosures (involving marketing or sale of PHI); (c) the right of individuals to restrict certain disclosures to health plans; (d) the right of individuals to opt out of fundraising communications; and (e) the prohibition on the use of genetic information for underwriting purposes (if the health plan intends to use PHI for underwriting purposes).
Enforcement – The rules retain the tiered-penalty structure implemented through the interim final enforcement rule. They also require OCR to investigate any complaint if a preliminary review indicates possible (not probable) noncompliance due to willful neglect; expand civil and criminal liability to business associates for violations of the HIPAA Rules; and adopt broad liability standards for acts or omissions by agents and business associates.