Omnibus Final Rule Summary: The Impact on Business Associates

Omnibus Final Rule Summary: The Impact on Business Associates (BA’s)
Effective date: March 26, 2013
CEs and BAs must comply by September 23, 2013
(A 180-day compliance window from the effective date is the standard for all changes.)
This summary contains only the information pertaining to business associates. The Omnibus
Rule contains 4 Final Rules, which have been combined to reduce the impact and number of
times certain compliance activities need to be undertaken by the regulated entities. The rule
also strengthens the government’s ability to enforce the laws. The Final Rule modifies the
Privacy, Security, and Enforcement Rules contained in HITECH.
The modifications that may impact BAs are:
1) Making business associates of covered entities directly liable for compliance with certain
aspects of the HIPAA Privacy and Security Rules’ requirements.
2) Final rule on Breach Notification for Unsecured Protected Health Information under the
HITECH Act, which replaces the breach notification rule’s “harm” threshold with a more
objective standard and supplants an interim final rule published on August 24, 2009.
3) Adopting the additional HITECH Act enhancements to the Enforcement Rule not previously
adopted in the October 30, 2009, interim final rule, such as the provisions addressing
enforcement of noncompliance with the HIPAA Rules due to willful neglect.
4) Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the
increased and tiered civil money penalty structure provided by the HITECH Act,
originally published as an interim final rule on October 30, 2009.
5) Breach definition change.
Projected cost to BAs to become compliant with the Security Rule changes: $22.6 million to $113 million.
Covered entities that engage business associates to work on their behalf must have contracts or
other arrangements in place with their business associates to ensure that the business
associates safeguard protected health information, and use and disclose the information only as
permitted or required by the Privacy Rule. Like the Privacy Rule, covered entities must have
contracts or other arrangements in place with their business associates that provide satisfactory
assurances that the business associates will appropriately safeguard the electronic protected
health information they create, receive, maintain, or transmit on behalf of the covered entities.
HITECH ACT:
The HITECH Act is designed to promote the widespread adoption and interoperability of health
information technology. Subtitle D of title XIII, entitled “Privacy,” supports this goal by adopting
amendments designed to strengthen the privacy and security protections for health information
established by HIPAA. These provisions include extending the applicability of certain of the
Privacy and Security Rules’ requirements to the business associates of covered entities;
requiring that Health Information Exchange Organizations and similar organizations, as well as
personal health record vendors that provide services to covered entities, shall be treated as
business associates; requiring HIPAA covered entities and business associates to provide for
Notification of breaches of “unsecured protected health information”; establishing new
limitations on the use and disclosure of protected health information for marketing and
fundraising purposes; prohibiting the sale of protected health information; and expanding
individuals’ rights to access their protected health information, and to obtain restrictions on
certain disclosures of PHI to health plans. In addition, Subtitle D adopts provisions designed to
strengthen and expand HIPAA’s enforcement provisions.
Item 1): Effective September 24, subcontractors of business associates (BAs) who use and
disclose PHI on behalf of the BA (or the direct subcontractor of the BA) are now BAs by
definition and will be subject to civil penalties, compliance requirements, etc. In other words, if a
record center uses a third party shredding company or scanning company, these organizations
now become BA’s. Also note that BAs, covered entities and now those subcontractors of BAs
who use and disclose PHI on behalf of BAs must update business associate contracts within
180 days from the date the rule is published in the Federal Register (January 25). Before the
HIPAA mega rule, if a healthcare provider contracted with a BA who handled their PHI, and that
BA in turn hired a subcontractor who also used or disclosed PHI, that subcontractor would not
be subject to HIPAA rules. However, previous provisions allowed “privacy and security
protections for protected health information (PHI) to lapse once a subcontractor is enlisted to
assist in performing a function, activity, or service for the covered entity, while at the same time
potentially allowing certain primary business associates to avoid liability altogether for the
protection of the information the covered entity has entrusted to the business associate,”
according to the final rule. As you are aware, in the trainings I have been encouraging everyone
(for more than 2 years now) to obtain reasonable assurances that their subcontractors know
and understand HIPAA, HITECH, and the consequences if they fail.
HHS noted in its press release this week that some of the largest breaches reported to HHS
have involved BAs. In fact, the top three all included BAs:
1. TRICARE Management Activity and BA Science Application International Corporation,
4.9 million patients, September 13, 2011
2. Health Net, Inc. and BA IBM, 1.9 million patients, January 21, 2011
3. New York City Health & Hospitals Corporation’s North Bronx Healthcare Network and
BA GRM Information Management Systems, 1.7 million patients, December 23, 2010
Item 2): In HHS’ interim final rule (IFR) on breach notification, covered entities and BAs could
get off the hook and not have to notify patients of a breach if they themselves determined a use
or disclosure in question did not pose significant harm to the individual. However, in the final
rule released this week, HHS calls for covered entities and BAs to assess the probability that
the PHI has been compromised instead of assessing the risk of harm to the individual. In
determining a breach, entities must conduct a risk assessment that considers at least the
following factors:
- The nature and extent of PHI involved, including the types of identifiers and the
likelihood of re-identification
- The unauthorized person who used the PHI or to whom the disclosure was made
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated
“We believe that the use of these factors … will result in a more objective evaluation of the risk
to the protected health information and a more uniform application of the rule,” according to the
final rule.
Item 3): Willful Neglect. The government will be required to formally investigate a complaint if a
preliminary investigation of the facts of the complaint indicates a possible violation due to willful
neglect. Also, they will be required to impose civil money penalties for a violation due to willful
neglect. The term “may” has been removed in the final rule. Their discretionary power has been
removed.
Item 4): The changing of the tiered penalties. In Section 160.402, the exception for BAs has
been removed. Provided the relevant contract (business associate agreement) requirements
have been met and the CE did not know of a pattern or practice of the BA that was in violation of the
contract, the BA will be responsible and liable. Under 160.402(c), it will state that the BA and
the CE are liable for the acts of their BAs (or subcontractors). This is why it is critical to have an
agreement with them which clearly spells out both your responsibilities and theirs.
New civil money penalty tiers under Section 1176(a)(1) are as follows (each row gives the
penalty for each violation, the annual maximum for all such violations of an identical provision
in a calendar year, and the previous amounts for comparison):

Violation Category                      Each violation      Annual maximum    Previously
(A) Did Not Know                        $100-$50,000        $1,500,000        $100 each; $25,000 annual
(B) Reasonable Cause*                   $1,000-$50,000      $1,500,000        $1,000 each; $100,000 annual
(C) Willful Neglect but Corrected       $10,000-$50,000     $1,500,000        $10,000 each; $250,000 annual
(D) Willful Neglect and Not Corrected   $50,000             $1,500,000        $50,000 each; $1,500,000 annual
*Please note that Reasonable Cause has also been re-defined. It now includes “mens rea” (state
of mind). Thus, the proposed definition would now include violations due both to circumstances
that would make it unreasonable for the covered entity or business associate, despite the
exercise of ordinary business care and prudence, to comply with the administrative
simplification provision violated, as well as to other circumstances in which a covered
entity or business associate has knowledge of a violation but lacks the conscious intent or
reckless indifference associated with the willful neglect category of violations.
As you can see, some of the ‘each violation’ fines actually decreased. However, the annual
maximum amount for each tier is now $1,500,000. Fines that are imposed will all be
examined case by case. Business financials may be used to set the fine amounts. In other
words, smaller operations may not be subject to the same fines as larger operations. This will
be discretionary, but be aware that any imposed penalty will have a negative impact on the
business.
Item 5) Breach Definition: Language added to modify the definition. It clarifies that an
impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA, as
applicable, demonstrates that there is a low probability that the PHI has been compromised. As
a result, a Breach Notification is necessary in all situations except those in which the CE or BA,
as applicable, demonstrates the low probability that the PHI has been compromised. This was
changed to create uniformity regarding which situations require notification. CEs and BAs have
the burden of proof to demonstrate that all notifications were provided or that an impermissible
use or disclosure did not constitute a breach (through the completion of a risk assessment after
each event) and must maintain documentation sufficient to meet that burden of proof.