Final Omnibus Rule: What You Need to do to Ensure Continued HIPAA Compliance

On January 25, 2013, the U.S. Department of Health and Human Services (HHS) published its final modifications to the HIPAA Privacy, Security, and Enforcement Rules as mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. These final rules have been called the Final Omnibus Rule. The compliance deadline for the Final Omnibus Rule is September 23, 2013 (the "Compliance Deadline"). This bulletin will provide a short summary of the regulatory changes instituted by the Final Omnibus Rule.

Definition of a Business Associate
The Final Omnibus Rule expands the definition of a Business Associate to include a person or entity who:

(i) on behalf of a Covered Entity[1] performs, or assists in the performance of, a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or

(ii) provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such Covered Entity.

As a result of the HITECH Act, all Business Associates are now directly liable to the Department of Health and Human Services for civil money penalties and criminal penalties for violations of HIPAA. In addition, the Final Omnibus Rule provides that Business Associates are responsible for ensuring that their downstream contractors, subcontractors, and agents are also in compliance with the HIPAA Privacy and Security Rules.

By signing a Business Associate Agreement, Business Associates are taking on more than the contractual obligations set forth in the Business Associate Agreement – they are obligating themselves to implementing and complying with their own HIPAA Privacy and Security policies. Therefore, it is in an entity’s best interest to determine, before entering into a contractual relationship, whether the business arrangement actually requires a Business Associate Agreement.

Changes to Breach Notification Rules
The Interim Final Breach Notification Rule, which has been in effect since 2009, provided that a violation of HIPAA only rose to the level of a "breach" where the unauthorized access to Protected Health Information posed a significant risk of financial, reputational or other harm to the affected individual. Pursuant to the Final Omnibus Rule, a breach is now presumed to have occurred unless the Covered Entity or Business Associate can demonstrate that there is only a "low probability" that the information has been compromised. Specifically, in accordance with the Final Omnibus Rule, any acquisition, access, use and/or disclosure of Protected Health Information that is not permitted under the Privacy Rule is deemed to be a breach unless the Covered Entity or Business Associate can demonstrate, using a four-factor assessment, that there is a low probability that the affected Protected Health Information has been compromised.

Changes to Business Associate Agreements
Business Associate Agreements must be revised to incorporate the changes to the definition of a Business Associate, including the Business Associate’s liability for the actions of its downstream contractors, subcontractors and agents. Business Associate Agreements must also be revised to reflect the parties’ understanding of how breaches will be discovered and reported. As of the Compliance Deadline, all new Business Associate Agreements must reflect these revisions. Covered Entities and Business Associates will have one year from the Compliance Deadline to revise any currently existing Business Associate Agreements.

Changes to Notice of Privacy Practices
The Final Omnibus Rule will require Covered Entities to revise their Notice of Privacy Practices. Among these required revisions is the inclusion of:

(i) a statement that an Authorization will be required for most uses and disclosures of psychotherapy notes (where appropriate);
(ii) a statement that an Authorization will be required for marketing purposes;
(iii) a statement that an Authorization will be required for any sale of Protected Health Information; and
(iv) a statement informing patients of their right to be notified in the event of a breach of the patients’ Protected Health Information.

Covered Entities will need to prominently display the new Notice of Privacy Practices in their practice locations and must also have a paper copy of the new Notice of Privacy Practices available for any patient who requests a copy.

Changes to Privacy Policies
The Final Omnibus Rule includes many clarifications and revisions that must be incorporated into a Covered Entity’s or Business Associate’s Privacy Policies and Procedures. Among these changes are:

(i) a prohibition against receiving payment for marketing communications on behalf of a third party’s products or services;
(ii) flexibility in the use of compound authorizations in connection with research studies;
(iii) where patients pay for services in full, in cash, such patients may require providers to restrict disclosures to the patient’s health insurer about those services; and
(iv) a decedent’s Protected Health Information may now be disclosed to those individuals who were involved in the care or payment for care prior to the decedent’s death.

In response to these rules, both Covered Entities and Business Associates will be required to update their HIPAA policies and procedures, as well as their Business Associate Agreements. In addition, Covered Entities will need to update their Notice of Privacy Practices.

Houston Harbaugh has published manuals which have been updated to reflect the Final Omnibus Rule. These manuals are available for purchase at $500 each. In addition to these manuals, your Houston Harbaugh attorneys are available to provide on-site training to assist you in familiarizing your staff with these new HIPAA rules.


[1] Covered Entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers.