HIPAA Omnibus Rule Webinar 4.3.13

HIPAA Omnibus Final Rule:
Who? What? When?
Nicholas Heesters, JD, CHP, CHPSE
302.478.3600 x136
nheesters@wvmi.org
www.dehitrec.org
Legal Disclaimer
 The information included in this presentation
is for informational purposes only and is not a
substitute for legal advice.
 Please consult your attorney if you have any
particular questions regarding a legal issue.
Quotes
 OCR Director Leon Rodriguez regarding the
Omnibus Rules:
– “This final Omnibus Rule marks the most sweeping
changes to the HIPAA Privacy and Security Rules since
they were first implemented.”
– “These changes not only greatly enhance a patient’s
privacy rights and protections, but also strengthen the
ability of my office to vigorously enforce the HIPAA
privacy and security protections, regardless of whether
the information is being held by a health plan, a health
care provider, or one of their business associates.”
Who?
 The Omnibus Rules apply to:
– Covered Entities (providers,
hospitals, health plans)
– Business Associates
– Subcontractors to Business
Associates that handle PHI on
behalf of Business Associates
Who: Business Associates
 The HIPAA Rules define “business associate”
to mean a person who performs functions or
activities on behalf of, or certain services for, a
CE that involve the use or disclosure of PHI.
 Disclosure means the release, transfer,
provision of, access to, or divulging in any
manner outside the entity holding the
information.
 Access means the ability or means necessary
to read, write, modify or communicate
data/information or otherwise use any system
resource.
Who: Business Associates
 The Omnibus Rule expressly lists as BAs:
– Health Information Organizations, e-Prescribing
Gateways or other persons that provide data
transmission services of PHI to a CE and that
require routine access to PHI
– Persons who offer a personal health record
(PHR) on behalf of a CE
– Patient Safety Organizations (PSOs)
Who: Business Associates
 The definition of “business associate”
was modified to include a person who
“creates, receives, maintains, or
transmits” PHI on behalf of a CE.
 An entity that maintains PHI on behalf of a CE
is a BA even if the entity does not actually view
the PHI.
 Example: A data storage company that has
access to PHI (whether digital or hard copy)
qualifies as a BA, even if the entity does not
view the information.
Who: Business Associates
 A person becomes a BA by definition, not by the
act of contracting with a CE or otherwise.
 Therefore, liability for impermissible uses and
disclosures attaches immediately when a
person creates, receives, maintains, or transmits
PHI on behalf of a CE or BA and otherwise
meets the definition of a BA.
Who: Subcontractors
 A subcontractor is a person who acts on
behalf of a BA, other than as a member of
the workforce of the BA.
 A subcontractor that creates, receives,
maintains, or transmits PHI on behalf of a
BA, including with respect to PHR
functions, is a HIPAA BA.
 A subcontractor is also a person to
whom a BA has delegated a function,
activity, or service the BA has agreed to
perform for a CE or BA.
Who: Subcontractors
 The term “subcontractor” applies to an agent or
other person who acts on behalf of the BA, even
if the BA has failed to enter into a BAA with
the person.
 CEs must ensure that they obtain
satisfactory assurances from their BAs,
and BAs must do the same with regard to
subcontractors, and so on, no matter how far
“down the chain” the information flows.
Who: Business Associates
 BAs must comply with the technical,
administrative, and physical safeguard
requirements, as well as the policies and
procedures and documentation requirements,
for ePHI under the HIPAA Security Rule.
 Direct liability for BAs under HIPAA
would attach regardless of whether a
BA, contractor and/or subcontractors
have entered into the required
business associate agreements.
What: Breach Notification
 An impermissible use or disclosure of PHI is
presumed to be a breach unless the CE or BA
demonstrates that there is a low probability that the
PHI has been compromised.
 Unless the PHI was unreadable or undecipherable, the
risk assessment must justify not disclosing a breach.
 Previously, CEs and BAs were required to perform a
risk assessment to determine if there was a significant
risk of harm to the individual as a result of the
impermissible use or disclosure. This was known as
the risk of harm standard.
What: Breach Notification
 The risk of harm standard was removed and the risk
assessment modified to focus more objectively on the
risk that PHI has been compromised.
 The risk of harm standard may have been interpreted
as setting a higher threshold for breach notification
than was intended.
 Breach notification is necessary in all situations except
those in which the CE or BA demonstrates that there is
a low probability that the PHI has been compromised.
What: Breach Notification
 CEs and BAs must assess the probability that the
PHI has been compromised based on a risk
assessment that considers at least the following
factors:
– the nature and extent of the PHI involved,
including types of identifiers and likelihood
of re-identification;
– the unauthorized person who used the PHI or
to whom the disclosure was made;
– whether the PHI was actually acquired or viewed; and
– the extent to which the risk to the PHI has been
mitigated
What: Breach Notification
 Omnibus Rule breach example:
– If a CE misdirects a fax containing PHI to the
wrong physician practice, and upon receipt,
the receiving physician calls the CE to say he
has received the fax in error and has
destroyed it, the CE may be able to
demonstrate, after performing a
risk assessment, that there is a
low risk that the PHI has been compromised.
What: Restriction of PHI Disclosure
 Old Rule:
– Individuals could request a CE to restrict uses or
disclosures of their PHI.
– But CEs were not required to agree to such restrictions. If
the CE did agree, however, then they were required to
abide by the restriction.
 New Rule:
– Individuals can request a restriction on disclosure of PHI to
a health plan and the CE must agree if the restriction
applies to PHI that pertains solely to a health care item or
service for which the health care provider has been paid
out of pocket in full (unless such disclosure is otherwise
required by law).
What: Restriction of PHI Disclosure
 CEs do not need to create separate medical records or
otherwise segregate PHI subject to a restricted health care
item or service.
 CEs will, however, need to flag or make a notation in the
record with respect to the PHI that has been restricted to
ensure that such information is not inadvertently sent to or
made accessible to the health plan for payment or health
care operations purposes, such as audits by the health
plan.
 CEs should already have in place minimum necessary
policies and procedures, which require limiting the PHI
disclosed to a health plan to the amount reasonably
necessary to achieve the purpose of the disclosure.
What: Marketing
 Authorization is required for communications
about health-related products and services to
individuals for which the CE receives financial
remuneration by a third party.
 Exceptions:
– Refill reminders
– Information concerning a currently
prescribed drug
– Face-to-face communications
What: Sale of PHI
 An authorization is required if PHI is disclosed in
exchange for remuneration.
– Includes direct and indirect remuneration
– Not limited to financial remuneration
 If an authorization is obtained, it must state that
disclosure will result in remuneration.
 Exceptions
– Corporate transactions (due diligence)
– Treatment and Payment
– Required by law
– Public health
What: Fundraising
 Additional PHI data may be used for
fundraising purposes:
– Department of service
– Treating physician
– Outcome
– Health insurance status
 Treatment cannot be conditioned on not
opting out, and opt-out provisions must be
clear and conspicuous.
What: GINA and Decedents
 Genetic Information Non-discrimination Act
– Genetic information is PHI
– Genetic discrimination for health insurance
and employment purposes is prohibited.
– Applicable mainly to health plans
 Decedents
– A CE must comply with the requirements of the
Privacy Rule with regard to the PHI of a
deceased individual for a period of 50 years
following the date of death.
What: Electronic Copy Requests
 If an individual requests an electronic copy of PHI, the
CE must provide it in the form requested, if readily
producible; otherwise, in a readable format agreed to
by the CE and the individual.
 If the individual will not agree to a format, the CE must
provide a paper copy.
 CE may only charge for labor for copying and cost of
media (CD, USB, etc.).
 CE has 30 days (with one 30-day extension) to
provide access.
What: Student Immunizations
 CEs are permitted to disclose proof of immunization to a
school where state or other law requires the school to
have such information prior to admitting the student.
 Written authorization is no longer required for this
disclosure, but CEs will still be required to obtain
agreement, which may be oral, from a parent, guardian
or other person acting in loco parentis, or from the
individual himself or herself, if the individual
is an adult or emancipated minor.
 The CE must document the agreement
obtained.
What: Enforcement
 OCR will investigate any complaint in which a
preliminary review indicates a possible violation due
to willful neglect.
 Willful neglect means “conscious, intentional failure
or reckless indifference.”
 Previously, OCR was required to attempt to resolve
possible HIPAA violations informally.
 Now, informal attempts at resolution are
discretionary (except in cases of willful neglect, which
require an investigation).
What: Enforcement

Violation                        Penalty (per violation)   Max per Calendar Year
Did Not Know                     $100 - $50,000            $1,500,000
Reasonable Cause                 $1,000 - $50,000          $1,500,000
Willful Neglect (Corrected)      $10,000 - $50,000         $1,500,000
Willful Neglect (Not Corrected)  $50,000                   $1,500,000
A CE or BA may be liable for multiple violations of multiple requirements,
and a violation of each requirement may be counted separately.
A CE or BA may also be liable for violations of multiple requirements, each of which carries its own
$1.5 million annual cap, so the total penalty can exceed $1.5 million.
What: Enforcement
 Largest HIPAA fine: $4.3M against Cignet
Health in MD in February 2011 ($3M was for
willful neglect).
 HIPAA jail time: In April 2010 Dr. Huping Zhou
of UCLA Health System was sentenced to 4
months in prison.
 Smallest provider enforcement:
In April 2012, a practice owned by
2 physicians paid $100,000 to settle
HIPAA violations.
What: Notice of Privacy Practices
 Notice that the use or disclosure of PHI for
marketing purposes requires an authorization.
 Notice that most uses or disclosures of an
individual’s psychotherapy notes require
authorization (if applicable).
 Notice that disclosures that constitute a sale of
PHI require an authorization.
 Notice that an individual has a right to opt out of
fundraising communications (if applicable).
What: Notice of Privacy Practices
 Notice that an individual can restrict certain
disclosures of PHI to a health plan where the
individual pays out of pocket in full for the health
care item or service.
 Notice that an individual has a right to notice if their
PHI has been breached.
 These changes to the NPP are
considered material changes which
require that CEs promptly revise and
make available their new and revised
NPPs.
What: Notice of Privacy Practices
 Providers must make the NPP available upon
request on or after the effective date.
 Providers are not required to print and hand out a
revised NPP to all individuals seeking treatment.
 Providers must post the revised NPP in a clear and
prominent location and have copies of the NPP at
the delivery site for individuals to request to take
with them.
 Providers are only required to give a copy of the
NPP to, and obtain a good faith acknowledgment of
receipt from, new patients.
When
 The Omnibus Rules are effective as of March
26, 2013.
– Effective Date: Date on which
a rule or regulation becomes law.
 All CEs and BAs need to be in full
compliance by September 23, 2013.
– Compliance Date: Date by which all affected
entities must comply.
Suggested Next Steps
 Update Notice of Privacy Practices
 Review and identify all Business
Associates
 Update Business Associate Agreements
 Update breach notification policies and procedures
 Develop and train employees on new policies
(patient-requested PHI restrictions, patient-
requested electronic copies of PHI, breach
notification, etc.)
 Review and update authorization and other forms as
necessary
Questions?
 Additional Resources:
– Omnibus Press Release:
http://www.hhs.gov/news/press/2013pres/01/20130117b.html
– Omnibus Final Rule: http://www.gpo.gov/fdsys/pkg/FR-2013-0125/pdf/2013-01073.pdf
– BAA Sample Language:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
– Breach Analysis Template: Pending
– NPP Template: Pending
 Regional Extension Center - Nick Heesters
– Office: 302.478.3600, Ext. 136
– E-mail: nheesters@wvmi.org
This project is made possible through a grant from the Office of the National Coordinator with Department of Health and Human Services
support. Grant No. 90RC0044/01. Publication No. DEREC-LF-032013-A. App. 3/13.