Omnibus Final Rule Summary: The Impact on Business Associates (BAs)

Effective date: March 26, 2013. CEs and BAs must comply by September 23, 2013 (a 180-day compliance period from the effective date will be the standard for all changes).

This summary contains only the information pertaining to business associates. The Omnibus Rule contains 4 Final Rules, which have been combined to reduce the impact and the number of times certain compliance activities need to be undertaken by the regulated entities. The rule also strengthens the government’s ability to enforce the laws. The Final Rule modifies the Privacy, Security, and Enforcement Rules contained in HITECH. The modifications that may impact BAs are:

1) Make business associates of covered entities directly liable for compliance with certain aspects of the HIPAA Privacy and Security Rules’ requirements.
2) Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule’s “harm” threshold with a more objective standard and supplants an interim final rule published on August 24, 2009.
3) Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
4) Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009.
5) Breach definition change.

Projected cost to BAs to become compliant with the Security Rule changes: $22.6 MIL-$113 MIL.

Covered entities that engage business associates to work on their behalf must have contracts or other arrangements in place with their business associates to ensure that the business associates safeguard protected health information, and use and disclose the information only as permitted or required by the Privacy Rule. Like the Privacy Rule, covered entities must have contracts or other arrangements in place with their business associates that provide satisfactory assurances that the business associates will appropriately safeguard the electronic protected health information they create, receive, maintain, or transmit on behalf of the covered entities.

HITECH ACT: The HITECH Act is designed to promote the widespread adoption and interoperability of health information technology. Subtitle D of title XIII, entitled “Privacy,” supports this goal by adopting amendments designed to strengthen the privacy and security protections for health information established by HIPAA. These provisions include extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities; requiring that Health Information Exchange Organizations and similar organizations, as well as personal health record vendors that provide services to covered entities, shall be treated as business associates; requiring HIPAA covered entities and business associates to provide for notification of breaches of “unsecured protected health information”; establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes; prohibiting the sale of protected health information; and expanding individuals’ rights to access their protected health information, and to obtain restrictions on certain disclosures of PHI to health plans. In addition, Subtitle D adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.
Item 1): Effective September 24, subcontractors of business associates (BAs) who use and disclose PHI on behalf of the BA (or the direct subcontractor of the BA) are now BAs by definition and will be subject to civil penalties, compliance requirements, etc. In other words, if a record center uses a third-party shredding company or scanning company, these organizations now become BAs. Also note that BAs, covered entities, and now those subcontractors of BAs who use and disclose PHI on behalf of BAs must update business associate contracts within 180 days from the date the rule is published in the Federal Register (January 25).

Before the HIPAA mega rule, if a healthcare provider contracted with a BA who handled their PHI, and that BA in turn hired a subcontractor who also used or disclosed PHI, that subcontractor would not be subject to HIPAA rules. However, previous provisions allowed “privacy and security protections for protected health information (PHI) to lapse once a subcontractor is enlisted to assist in performing a function, activity, or service for the covered entity, while at the same time potentially allowing certain primary business associates to avoid liability altogether for the protection of the information the covered entity has entrusted to the business associate,” according to the final rule.

As you are aware, in the trainings I have been encouraging everyone (for more than 2 years now) to obtain reasonable assurances that their subcontractors know and understand HIPAA, HITECH, and the consequences if they fail.

HHS noted in its press release this week that some of the largest breaches reported to HHS have involved BAs. In fact, the top three all included BAs:

1. TRICARE Management Activity and BA Science Application International Corporation, 4.9 million patients, September 13, 2011
2. Health Net, Inc. and BA IBM, 1.9 million patients, January 21, 2011
3. New York City Health & Hospitals Corporation’s North Bronx Healthcare Network and BA GRM Information Management Systems, 1.7 million patients, December 23, 2010

Item 2): In HHS’ interim final rule (IFR) on breach notification, covered entities and BAs could get off the hook and not have to notify patients of a breach if they themselves determined that a use or disclosure in question did not pose significant harm to the individual. However, in the final rule released this week, HHS calls for covered entities and BAs to assess the probability that the PHI has been compromised instead of assessing the risk of harm to the individual. In determining a breach, entities must conduct a risk assessment that considers at least the following factors:

- The nature and extent of PHI involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the PHI or to whom the disclosure was made
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated

“We believe that the use of these factors … will result in a more objective evaluation of the risk to the protected health information and a more uniform application of the rule,” according to the final rule.

Item 3): Willful Neglect. The government will be required to formally investigate a complaint if a preliminary investigation of the facts of the complaint indicates a possible violation due to willful neglect. Also, they will be required to impose civil money penalties for a violation due to willful neglect. The term “may” has been removed in the final rule. Their discretionary power has been removed.

Item 4): The changing of the tiered penalties. In Section 160.402, the exception for BAs has been removed. Provided the relevant contract (business associate agreement) requirements have been met and the CE didn’t know of a pattern or practice of the BA that was in violation of the contract, the BA will be responsible and liable.
Under 160.402(c), it will state that the BA and the CE are liable for the acts of their BAs (or subcontractors). This is why it is critical to have an agreement with them which clearly spells out both your responsibilities and theirs.

New civil money penalty tiers are as follows:

Violation Category (Section 1176(a)(1))     Each violation      Annual maximum (all such violations of an identical provision in a calendar year)     Previous penalty
(A) Did Not Know                             $100-$50,000        $1,500,000                                                                          $100 each, $25,000 annual
(B) Reasonable Cause*                        $1,000-$50,000      $1,500,000                                                                          $1,000 each, $100,000 annual
(C) Willful Neglect but Corrected            $10,000-$50,000     $1,500,000                                                                          $10,000 each, $250,000 annual
(D) Willful Neglect and Not Corrected        $50,000             $1,500,000                                                                          $50,000 each, $1,500,000 annual

*Please note that Reasonable Cause has also been re-defined. It now includes “mens rea” (state of mind). Thus, the proposed definition would now include violations due both to circumstances that would make it unreasonable for the covered entity or business associate, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated, as well as to other circumstances in which a covered entity or business associate has knowledge of a violation but lacks the conscious intent or reckless indifference associated with the willful neglect category of violations.

As you can see, some of the ‘each violation’ fines actually decreased. However, the annual maximum amount for each tier is now $1,500,000. Fines that are imposed will all be examined case by case. Business financials may be used to set the fine amounts. In other words, smaller operations may not be subject to the same fines as larger operations. This will be discretionary, but be aware that any imposed penalty will have a negative impact on the business.

Item 5) Breach Definition: Language added to modify the definition. It clarifies that an impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA, as applicable, demonstrates that there is a low probability that the PHI has been compromised. As a result, a Breach Notification is necessary in all situations except those in which the CE or BA, as applicable, demonstrates the low probability that the PHI has been compromised. This was changed to create uniformity regarding which situations require notification. CEs and BAs have the burden of proof to demonstrate that all notifications were provided or that an impermissible use or disclosure did not constitute a breach (through the completion of a risk assessment after each event) and must maintain documentation sufficient to meet that burden of proof.