New HIPAA Omnibus Rule Could be Very Costly

If you’re accustomed to marking your calendar for important dates or events, you might want to consider highlighting Sept. 23, 2013. That’s the compliance deadline for the new HIPAA Omnibus Rule, modifications aimed at enhancing patients’ protection of the privacy of their health records and providing them with new rights to their health information, while also supporting the government’s ability to enforce the law.

Adhering to these changes is essential. Alisa Chestler, a health care attorney in the Washington, D.C., office of Baker Donelson, points to the recent $1.7 million HIPAA penalty against WellPoint by the U.S. Department of Health and Human Services for inadequate protection of members’ information line as an indication to take these modifications seriously.

“Providers are making a huge mistake by looking at this and thinking, ‘Well, that’s a large company. They’ll never come after me. I’m just one small practice,’” Chestler says. “My message is that you are wrong. The government has and will continue to go after smaller entities.”

Increased liability

Under the new Omnibus Rule, medical practices, and any vendors that contract with them, could be vulnerable to the increased business associate liability. The new rule states that business associates — entities that create, receive, maintain or transmit public health information — can now be liable for HIPAA noncompliance.

“Anybody that handles protected health information for [a medical practice] is going to be on the hook,” says Eileen Elliott, a health care attorney with the Vermont firm Dunkiel Saunders. “Everyone is liable for everything. It’s up and down the stream.”

The updated requirements include contracting ramifications; security rule compliance; use and disclosure requirements of the privacy rule; providing copies of electronic public health information; maintaining accounting of disclosures; and providing HHS with public health information during reviews or audits.

“If HHS is going to increase its enforcement then there could be a lot more HIPAA enforcement actions than we have seen in the past,” Elliott cautions.

Enhanced fining authority

Incurring a HIPAA violation can be incredibly costly. The new rule enables HHS to fine any covered entity, business associate or responsible party for a violation, while retaining the authority to charge multiple violations related to a single event, such as a breach. Monetary penalties will be tallied on a per person and per day basis.

What that means, explains Chestler, is that the maximum annual penalty cap of $1.5 million is not an overall limitation on liability.

“It’s $1.5 million per violation per year,” she says. “You can [be penalized] more than $1.5 million if you have multiple violations.”

As an example, Elliott points to a recent breach when celebrity Kim Kardashian gave birth in a Los Angeles hospital that resulted in approximately 15 unauthorized viewings of her electronic health record. As such, the HHS could charge up to $1.5 million per violation, or per unauthorized viewing.

“Stanford University had a breach where some poor person put the public health information for all the patients at one of the hospitals up on a student website,” Elliot says. “There was something like 60,000 people.”

Penalties could be tallied on a per-person, or per-provision basis.

Stronger breach reporting

Strengthened breach reporting is also one of the major effects of the Omnibus Rule. While the prior rule stated that breaches did not need to be reported unless they posed a “significant risk of reputational, financial or other harm” to individuals, the determination is now based on the risk that public health information has been compromised. A risk assessment is not required to determine the probability that protected health information has been compromised.

“Now, an incident where there’s a breach is presumed to be a breach unless the risk analysis reveals that there’s a low probability that PHIs have been compromised,” Elliott says.

A risk assessment focuses on four elements: the nature and extent of the PHI that’s involved; the unauthorized person who used it or to who the disclosure was made; whether it was actually acquired or viewed; and the extent to which any mitigation has taken place.

“You have to document the risk analysis and retain it, because you have to report your breaches to HHS,” she says.

Focus for physicians

Elliott says the most important aspect of the Omnibus Rule for medical practices is to closely examine their business associate agreements. Sit down and determine whether the business associate agreements take into account all the new liabilities and responsibilities.

“Call in these associates and talk to them,” Elliott says. “Put the fear of God into those business associates. Make sure they understand that they have huge compliance obligations, and then make certain they are complying.”