Earlier this year, the Department of Health and Human Services ("HHS") issued final omnibus regulations under the Health Insurance Portability and Accountability Act ("HIPAA") (see the EmployNews article dated January 25, 2013, which may be accessed here). The final regulations (the "Omnibus Rule") include significant changes that affect covered entities, including group health plans and the employers that sponsor such plans, as well as business associates. Covered entities and business associates generally should be prepared to implement and comply with the new rules beginning September 23, 2013.
The Omnibus Rule modified many aspects of the HIPAA regulations, including several provisions that impact plan sponsors and group health plans. Under the Omnibus Rule, for example, business associates are now directly liable for the failure to comply with certain HIPAA privacy and security requirements and the definition of business associate generally has been expanded to include vendors and subcontractors of business associates that create, receive, maintain or transmit Protected Health Information ("PHI"). The Omnibus Rule also modified the definition of "breach," which essentially imposes heightened breach notification requirements. Under the heightened breach notification requirements, a group health plan is obligated to notify affected individuals of any breach, unless a risk assessment demonstrates a "low probability" that the PHI has been compromised. In addition, certain provisions of business associate agreements ("BAAs"), breach notifications and notices of privacy practices must be modified to comply with several new content requirements set forth in the Omnibus Rule. Moreover, there is a stricter enforcement scheme that requires HHS to investigate any complaint when a review of the facts indicates a possible violation due to willful neglect. Similarly, HHS is no longer required to attempt informal resolution of noncompliance and instead may proceed directly to civil monetary penalties, which are tiered based on culpability and may be significant.
In addition to the items noted above, the Omnibus Rule made many other changes to the HIPAA regulations concerning privacy, security, enforcement and breach notification. The key action items to address before the September 23, 2013 deadline include:
• Revise notice of privacy practices to include, among other items, information about: (i) an individual's right to receive a security breach notification upon such occurrence, (ii) HIPAA's prohibition of the use of genetic information for underwriting purposes, and (iii) the requirement that covered entities obtain authorization before using PHI for marketing purposes or before selling PHI. These modifications also will trigger distribution obligations.
• Update and amend existing BAAs with service providers who receive PHI. Note that for BAAs in place before January 25, 2013 that are compliant with the HIPAA regulations, as long as the BAA is not modified or renewed between March 26, 2013 and September 23, 2013, the deadline for making the required changes is the earlier of September 22, 2014 or the date the BAA is modified or renewed. This means that if a plan switches vendors or adds a new vendor, the BAA must include the new provisions required under the Omnibus Rule.
• Revise HIPAA privacy policies and procedures and conduct any necessary workforce training to educate those individuals with access to PHI on the new rules and updated obligations.
• Update breach notification policies and procedures with the new definition of breach and the new requirements and procedures for performing a risk assessment.