HIPAA compliance update after the Omnibus Final Rule

By Kristen M. Whittle

In 2013, the U.S. Department of Health and Human Services (HHS) adopted sweeping changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that substantially altered rules on privacy, security, and breach notification and increased penalty amounts for violations.

This overhaul, known as the Omnibus Final Rule, heightened the requirements for covered entities in several areas, including breach notification and privacy practices. In light of these increased requirements, and in an effort to help health care providers comply with HIPAA, HHS recently released a new security risk assessment tool. In connection with enforcement, HHS is scheduled to begin a new HIPAA audit program in the near future.

Omnibus Final Rule Requirements

Under the Final Rule, health care providers were required to address the steps needed to comply with these sweeping changes, which went into effect on March 26, 2013, and required compliance by Sept. 23, 2013.

Among the areas addressed in the overhaul was an expanded definition of “business associate” such that a wide range of new entities – including document storage facilities or companies that store electronic Protected Health Information (PHI) – became subject to HIPAA provisions for the first time. This change raised potential liability issues for covered entities.

In addition, the Omnibus Final Rule greatly enhanced a patient’s privacy rights and protections. Under the Rule, covered entities were required to revise their “Notice of Privacy Practices” to include:

  • A statement that an individual has the right to opt out of fundraising communications;
  • A description of the types of uses and disclosures that require an authorization;
  • An explanation that the covered entity is required to restrict disclosures of PHI to a health plan if the disclosure is for the purpose of carrying out payment or health care operations, and the PHI pertains solely to a health care item or service for which the individual has paid in full; and
  • A provision regarding the covered entity’s breach notification obligations.

Moreover, under the Rule patients now have the right to obtain electronic copies of all of their electronic medical records upon request within 30 days. If the covered entity cannot produce the records in the format requested by the patient, the parties must agree on a workable compromise solution.

Furthermore, under the Omnibus Final Rule, any unauthorized use or disclosure of unencrypted PHI triggers a security breach notification obligation, unless the entity can prove a “low probability” that the PHI has been compromised based on a risk assessment that considers the following four factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the PHI or to whom the disclosure was made;
  • Whether the PHI was actually acquired or viewed; and
  • The extent to which the risk to the PHI has been mitigated.

Once a covered entity determines that notice is not required, it must document its risk assessment supporting that conclusion, and, if that decision is questioned in a government investigation, prove a low probability of compromise.

The Omnibus Final Rule removes the exception to the breach definition related to limited data sets. Under the new rules, following a disclosure of even a limited data set, a covered entity must still engage in notification or risk assessment.

New Compliance Tool

Since the deadline for compliance under the Final Rule, HHS has released a new, interactive tool to help covered entities come into compliance with HIPAA.

HHS’s new security risk assessment (SRA) tool endeavors to help covered entities conduct risk assessments at their organizations. The SRA, primarily designed for small to medium-sized health care providers, is intended to assist practices in conducting and documenting a comprehensive risk assessment at their own pace.

By using the SRA, providers may assess the information security risks within their organizations with an end goal of achieving compliance with HIPAA, including the new requirements of the Final Rule. The SRA is available for download through the HHS website and also produces a report that practices may provide to their auditors.

By using the SRA to conduct regular risk assessments, health care providers can uncover potential weaknesses in their security policies, processes, and systems. In addition, periodic risk assessments may help providers address vulnerabilities in their operations and systems, and may prevent health data breaches or other adverse security events. We can help guide and assist clients in this process.

HIPAA Audit Program

HHS’s Office for Civil Rights (OCR) recently signaled that it intends to begin a new audit program, under which hospitals and medical practice groups could face audits of their electronic patient health information privacy policies.

In addition, OCR intends to conduct a random pre-audit survey of up to 1,200 covered entities and business associates, in order to determine the readiness of covered entities for a full-scale HIPAA audit. Specifically, OCR intends to examine the number of patient visits and insured lives, use of electronic information, revenue figures, business locations, and other information in order to assess the size, complexity, and fitness of a respondent for an audit.

A preliminary audit program conducted in 2012 revealed that nearly two-thirds of the 115 entities examined by OCR had failed to comply with HIPAA information security requirements, including conducting sufficient risk assessments. Accordingly, the upcoming audit and pre-audit survey are expected to focus on covered entities’ independent risk assessments.

Compliance Best Practices

In light of the recently implemented Final Rule and upcoming audit program, and with the assistance of the new SRA tool released by HHS, health care entities should take the following steps:

  • Audit Your Compliance Program: HIPAA requires that covered entities regularly review the administrative, physical and technical safeguards they have in place to protect the security of PHI. By conducting regular audits and risk assessments, providers can uncover potential weaknesses in their security policies, processes and systems.
  • Review and Revise Policies and Procedures: A key challenge for any health care provider is putting in place the appropriate operational mechanisms for carrying out these new changes, especially security incident risk assessments and documentation of the risk assessment results in order to meet the burden of proof in an audit or investigation.
  • Regularly Retrain Staff: Apprise your staff of all HIPAA changes as they arise. A well-informed staff will help to avoid HIPAA violations and related penalties.

We regularly partner with our clients in all of these areas, and will be happy to assist if the need arises.

Kristen’s practice includes professional liability defense, insurance coverage law, and employment law, and she represents clients of Barton Gilman throughout Rhode Island, Massachusetts, and Connecticut.