The HIPAA/HITECH Omnibus Final Rule: Compliance and Enforcement

Sep 13, 2013
By Applied Clinical Trials Editors

Editor's Note: Part I of this article can be viewed here.

The Omnibus Final Rule (Final Rule) entitled “Modifications of the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the HITECH Act” became effective on March 26, 2013.

The Final Rule makes major modifications with compliance and enforcement implications for every stakeholder involved in transactions for the use and disclosure of protected health information (PHI) and in the conduct of clinical research.

Here are some of the modifications that are subject to enforcement by the Office for Civil Rights (OCR) and that require compliance by September 23, 2013.


Business Associates are directly impacted by the modifications to the Privacy and Security Rules, and both Covered Entities and Business Associates are directly impacted by the modifications to the Breach Notification Rule.

Covered Entities are directly impacted by the modifications to the Privacy Rule relating to compound authorizations, authorization for future research use and the use of a deceased person’s PHI.

OCR can enforce any violation of the modified HIPAA Rules, against Covered Entities and Business Associates alike.

Privacy and Security Rules: Transactions involving PHI

  • The Privacy and Security Rules are unchanged with respect to the definition of a Covered Entity. A Covered Entity is a catch-all term for any health plan, health care clearinghouse, or health care provider, whether it is solely involved in PHI transactions or is involved in both PHI transactions and clinical research.
  • A Business Associate now expressly includes patient safety organizations, health information organizations, e-prescribing gateways, other persons that provide data transmission services for PHI or facilitate access to health records and require routine access to that PHI, and vendors of personal health records offered on behalf of a Covered Entity.
  • A subcontractor (or agent) that creates, receives, maintains, or transmits PHI on behalf of a Business Associate is now itself a Business Associate.
  • A Business Associate is allowed to disclose PHI to a subcontractor and to allow the subcontractor to create or receive PHI on its behalf, but only under a written agreement that imposes the same restrictions and conditions.
  • A Business Associate has increased accountability under its business associate agreements (BAAs) with a Covered Entity, both for its own compliance and for the compliance of its subcontractors.

Privacy Rule: Clinical Research

  • A Covered Entity involved in PHI transactions and clinical research is impacted.
  • Researchers and institutional review boards are impacted.
  • Business Associates are not impacted.

Breach Notification Rule

  • An impermissible acquisition, access, use, or disclosure of PHI is now presumed to be a breach.
  • Breach notification is not required if the Covered Entity or Business Associate demonstrates, through a documented risk assessment, that there is a low probability that the PHI has been compromised. The assessment must consider at least the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
  • Breach notification is not required following an impermissible use or disclosure of PHI if the PHI was encrypted (or otherwise rendered unusable, unreadable, or indecipherable) in accordance with HHS guidance; only "unsecured" PHI triggers notification.
  • A Covered Entity is ultimately responsible for notifying affected individuals of a breach.
  • A Covered Entity is allowed to delegate that responsibility to the Business Associate that caused the breach.

Enforcement Rule

  • OCR must now investigate any complaint where a preliminary review of the facts indicates a possible violation due to willful neglect, and may investigate any other complaint relating to the HIPAA Rules.
  • OCR can now proceed directly to impose civil monetary penalties (CMPs) without first attempting informal resolution where willful neglect is indicated.
  • CMPs are assessed according to the violator's culpability on four tiers: the violator did not know (and could not reasonably have known) of the violation; the violation was due to "reasonable cause" and not willful neglect; the violation was due to willful neglect but was corrected within 30 days; and the violation was due to willful neglect and was not corrected.
  • CMPs follow a tiered penalty scheme ranging from $100 to $50,000 per violation, with the maximum penalty for all violations of an identical provision set at $1,500,000 per calendar year.


Covered Entities and Business Associates must amend their BAAs by the September date. BAAs that were in place before January 25, 2013, and are not renewed or modified between March 26 and September 23, 2013, have the benefit of a transition period until September 22, 2014.

To come into compliance successfully, Covered Entities are treating it as a joint effort with Business Associates. “The Covered Entity and Business Associate must work together to ensure that privacy is seamless throughout the process,” states Raymond Braeunig, Chief Compliance and Privacy Officer, Rowan University School of Osteopathic Medicine.

“Not only does the Business Associate have more responsibilities, but the Covered Entity must ensure those responsibilities are understood, and the Covered Entity must verify the Business Associate has the security measures in place in accordance with the rules.”

To reflect this increase in responsibilities, each BAA must be modified to:

  • require the Business Associate to comply with the applicable Security Rule provisions if it creates, receives, maintains, or transmits electronic PHI;
  • require the Business Associate to report to the Covered Entity any breach of unsecured PHI;
  • ensure that any subcontractors that create or receive PHI on behalf of the Business Associate agree to the same restrictions and conditions that apply to the Business Associate; and
  • obtain satisfactory assurances from subcontractors that they will not use or disclose PHI in a manner that would be impermissible if done by the Business Associate.

In addition to modifying the BAAs, “the next step is for the Covered Entity to outline a risk assessment for the Business Associate and perform a walkthrough of the Business Associate’s operation(s) as well as any Business Associate subcontractor to ensure the privacy and security measures are in place, as the Covered Entity will be ultimately responsible as well to ensure compliance with the rules,” concludes Braeunig.

Covered Entities must also amend their policies and procedures by the September date “in order to take advantage of the enhanced efficiency in research initiatives that the Final Rule provides and to come into compliance with the requirements of the Final Rule,” states Elan Czeisler, Director, Institutional Review Board (IRB) and Human Research Protection Program, NYU Langone Medical Center.

“In collaboration with the Office of Research Compliance and Office of Legal Counsel, we are in the process of amending our policies and procedures to be compliant with the Final Rule and reflect changes relating to compound authorizations, authorization for future research use and the use of a deceased person’s PHI."

In addition to these amendments, training is key to sensitizing the workforce to the requirements of the Final Rule, and Covered Entities need to ensure that their workforce understands the new HIPAA Rules. “We plan to conduct training for all of our clinical personnel to sensitize them to the new requirements and the increased level of scrutiny and potential enforcement by OCR,” states Braeunig.

Going Forward

The changes to the HIPAA Rules are likely to have an impact on the conduct of clinical research and on transactions involving PHI. The relationships between Covered Entities, Business Associates and OCR are also likely to be redefined, requiring continuous monitoring. The territory is uncharted, and future regulatory developments may come into play.

“We plan to remain on the lookout for future regulatory developments and guidance on these and other issues,” concludes Czeisler.

Future regulatory developments and guidance may be found on

View the related blog here.

Lina Genovesi, PhD, JD
