Liles Parker PLLC

Has Your Practice Implemented the Final HIPAA Omnibus Rule Requirements?

(September 23, 2013): The Health Insurance Portability and Accountability Act of 1996 (HIPAA) imposed a wide variety of new privacy and security-related obligations on health care providers. Since its passage, these regulations, along with their associated penalties for breach, have greatly expanded. Many of these modifications and changes to HIPAA’s initial requirements are set out in the Office of Civil Rights’ (OCR’s) guidance issued in early 2013. This article provides an overview of the Final HIPAA Omnibus Rule mandates that have been placed on health care providers (functioning as “Covered Entities”), their “Business Associates” and any “Subcontractors” that handle or have access to Protected Health Information (PHI).

I.  Background:

On January 23, 2013, the Centers for Medicare and Medicaid Services (CMS) published a Final HIPAA Omnibus Rule which significantly revises (and in many instances, supplements) existing Health Insurance Portability and Accountability Act (HIPAA) privacy, enforcement, security and breach notification requirements under the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Genetic Information Nondiscrimination Act (GINA). As OCR’s Director, Leon Rodriguez, stated in a Press Release announcing these changes:

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. . .These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

An overview of these extensive changes is provided in Section II, below. Please keep in mind that the Final HIPAA Omnibus Rule is 138 pages long. We strongly recommend that all Covered Entities and Business Associates carefully review these requirements. Summaries of these modifications may not fully address specific points which apply to your organization.

II. Mandatory Actions to be Taken by September 23, 2013:

As a review of the Final HIPAA Omnibus Rule reflects, the effective date for the modified and supplemented privacy, enforcement, security and breach notification requirements was March 26, 2013. Perhaps most importantly, health care providers (almost all of which qualify as “covered entities”) and their “business associates” only have until TODAY (September 23, 2013) to comply with a number of requirements.

Broadly speaking, there are a number of primary requirements which must immediately be implemented by physicians, group practices and other Covered Entities (if they have not already done so). These are major changes to the Privacy, Security, and Breach Notification obligations of both Covered Entities and Business Associates. These major changes include:

  • Notice of Privacy Practices (NPP): If you have not already done so, it is imperative that you immediately update the “Notice of Privacy Practices” (45 CFR 164.520) being used by your practice or organization. To their credit, OCR recently published several examples of what they consider to be a “clear, accessible notice that. . . patients. . .can understand.” These examples may be used by a Covered Entity to notify patients of their rights and the organization’s privacy practices. They include:

NPP Booklet – HC Provider
NPP Layered – HC Provider
NPP Full Page – HC Provider
NPP HC Provider – Text Version

  • Business Associate Agreement (BAA): While all Covered Entities should have already put a proper Business Associate Agreement into place, the Final Omnibus Rule includes a number of significant changes which must now be incorporated into your existing BAA. First and foremost, the revised requirements have expanded the term “Business Associate” to include:

  “a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.  [It also includes] . . . a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.”[1]

Under the Final Omnibus Rule, this expanded definition will likely greatly increase the number of parties who qualify as Business Associates (and Subcontractors) which must comply with the Privacy Rules.  Moreover, it greatly increases the responsibilities and possible penalties faced by Business Associates.

III. Requirements to Include in a Revised BAA:

A Sample Business Associate Agreement which incorporates the January 2013 changes has been published on OCR’s website. There are ten basic requirements that must be included in your revised BAA. These are:

(1)   Your revised BAA must establish the permitted and required uses and disclosures of PHI by your Business Associate.

(2)   Your revised BAA must require that a Business Associate not use or disclose any PHI unless such usage or disclosure is permitted or required by your contract and is permitted by law.

(3)   Your revised BAA must mandate that all Business Associates implement appropriate safeguards to prevent the unauthorized use or disclosure of PHI. As part of this requirement, your Business Associate must implement applicable HIPAA Security Rule requirements which protect electronic PHI.

(4)   Your revised BAA must require that all Business Associates report any use or disclosure of PHI to you (as Covered Entity) that is provided for under its contract or is allowed by law. This includes any incidents that constitute breaches of unsecured PHI.

(5)   Your revised BAA must require that any Business Associate disclose PHI as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their PHI, as well as make available PHI for amendments and an accounting.

(6)   Your revised BAA must specify if a Business Associate is required to carry out a Covered Entity’s obligation under the Privacy Rule.  If so, the revised BAA must specify how the Business Associate is to comply with the requirements applicable to the obligation.

(7)   Your revised BAA must require a Business Associate to make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the Covered Entity available to HHS. This is so that HHS can determine a Covered Entity’s compliance with the HIPAA Privacy Rule.

(8)   Your revised BAA must specify whether, at the termination of the contract, a Business Associate is required to return or destroy all PHI received from, or created or received by the Business Associate on behalf of, the Covered Entity.

(9)   Your revised BAA must require that a Business Associate ensure that any Subcontractors it may engage on its behalf that will have access to PHI agree to the same restrictions and conditions that apply to the Business Associate with respect to such information.

(10)  Your revised BAA must authorize termination of the contract by the Covered Entity if a Business Associate violates a material term of the contract. Contracts between Business Associates and other Business Associates or Subcontractors must also be subject to these same requirements.

  • Usage and Disclosure of PHI for Marketing Purposes: Under the Final Omnibus Rule, both Covered Entities and Business Associates are prohibited from directly and / or indirectly selling PHI without first obtaining the express consent of any affected patients. There are a number of new modifications under this requirement. We recommend that you consult with a qualified health lawyer before engaging in this activity.
  • Breach Notification Requirements: Importantly, under the Final Omnibus Rule, the definition of a “breach” changed from a use or disclosure that caused “the acquisition, access, use, or disclosure of protected health information in a manner not permitted [by the Privacy Rule] which compromises the security or privacy of the protected health information.” The revised definition is set out in Section IV, below.

IV.  Definition of a Breach:

Under §164.402 of the Final Omnibus Rule, the term “Breach” now means the acquisition, access, use or disclosure of PHI in a manner that is not permitted and which compromises the security or privacy of the PHI. The term “Breach” specifically excludes:

  • Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if it was made in good faith and does not result in further use or disclosure in an unauthorized manner.
  • Any inadvertent disclosure by a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such a disclosure is not further used or disclosed in a manner not permitted under this rule.
  • A disclosure of PHI where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Except as provided by the items which are “excluded” from qualifying as a breach, an acquisition, access, use or disclosure of PHI in a manner that is not permitted is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised, based on a risk assessment of at least the following factors:

(i)   The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
(ii)  The unauthorized person who used the PHI or to whom the disclosure was made.
(iii) Whether the PHI was actually acquired or viewed.
(iv)  The extent to which the risk to the PHI has been mitigated.

  • Business Associate Breach Discovery Date: A breach shall be treated as discovered by a Business Associate as of the first day on which such breach is known to the Business Associate or, by exercising reasonable diligence, would have been known to the Business Associate. A Business Associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the Business Associate (§164.410).
  • Amount of Penalties: While the potential Civil Monetary Penalties facing a Covered Entity and / or Business Associate did not change, the amounts are so significant that it is worth again mentioning the potential penalties an organization can face. Breaching parties can be penalized (per violation):

    • Violation occurring despite reasonable precautions: Min. $100 / Max. $25,000
    • Violation resulting from reasonable cause: Min. $1,000 / Max. $100,000
    • Willful neglect, corrected within 30 days: Min. $10,000 / Max. $250,000
    • Willful neglect, uncorrected violation: Min. $50,000 / Max. $1,500,000

V.   Steps You Should Immediately Take:

  • Covered entities must revise their current Business Associate Agreements to fully comply with the Final Omnibus Rule. The revised Rule effectively includes a “limited grandfather rule” and allows any Business Associate Agreement in effect prior to January 25, 2013 to be considered “compliant” by OCR until September 22, 2014. The Business Associate Agreement will then need to be updated.
  • Covered entities can no longer take lightly their obligation to ensure that Business Associate Agreements are in place. With the publication of the HIPAA Omnibus Rule, OCR will likely add this requirement to its list of audited requirements.
  • Business associates have a lot of work in front of them.  They need to assess which organizations they deal with which qualify as a Subcontractor who receives, creates or transfers PHI on behalf of the business associate.  Once identified, Business Associate Agreements with each subcontractor need to be executed.
  • Business associates and Subcontractors are fully responsible for any breach caused by their actions.  As always, they may only disclose PHI as permitted by law and in accordance with the provisions set out in their Business Associate Agreement.
  • If a business associate learns of a breach or other non-compliance by a subcontractor, the business associate must immediately take steps to address the breach. It is also required to notify affected covered entities of the breach.
  • Business associates can be investigated by OCR for a breach and are liable for any Civil Monetary Penalties (CMP) that might flow from the breach.
  • Covered entities should not assume that these changes somehow “lighten” or “reduce” their potential level of culpability.  It is more important than ever that covered entities conduct proper due diligence reviews of business associates and any subcontractors who have access to PHI.
  • All parties (covered entities, business associates and subcontractors) need to understand the new breach notification requirements set out in the Final Omnibus Rule.
  • Patient rights to access have changed.  Covered entities need to understand the new rules governing a patient’s access to their electronic records.  Moreover, patients now have the right to restrict the release of data to health plans.
  • Notices of Privacy Practices given to patients need to cover a number of new sections. Should you choose to draft your own version of an NPP rather than adopt one of the samples provided by OCR, make sure that it includes:
    • The sale of PHI, which in most instances will be prohibited.
    • Patients can opt out of fundraising.
    • Patients who choose to fully pay for a service out-of-pocket can restrict the covered entity from disclosing the service to a health plan (unless disclosure is required by law).
    • Genetic information is protected (unless disclosure is authorized by law).
  • Business associate agreements need to be inventoried and reviewed. Modifications must be made by a date certain, depending on whether a previously compliant agreement was already in place OR no agreement had yet been established.

Robert W. Liles, J.D., M.B.A., M.S., serves as Managing Partner at Liles Parker PLLC, a boutique health law firm with offices in Washington, DC, Texas and Louisiana. Liles Parker attorneys represent health care providers around the country in compliance, regulatory and peer review related actions. Should you need assistance, feel free to give us a call. Call Robert for a complimentary initial consultation at: 1 (800) 475-1906.