Final HIPAA Omnibus Rule expands law’s impact on firms

The final rule extends the scope of the privacy and security portions of HIPAA to business associates and their subcontractors

Health care companies have long been required to protect private health information of patients from disclosure. But now companies working with health care companies have those obligations too.

On March 26, the final HIPAA Omnibus Rule became effective, implementing sweeping changes to the Health Insurance Portability and Accountability Act. Leon Rodriguez, director of the U.S. Department of Health and Human Services Office for Civil Rights – who called the final rule “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented” – said the changes “enhance a patient’s privacy rights” and strengthen the ability of his office “to vigorously enforce” HIPAA.

Significantly, the final rule now extends the scope of portions of the HIPAA Privacy Rule and all of the HIPAA Security Rule to business associates and subcontractors of business associates.

Business associates must have business associate agreements with subcontractors, who must then comply with the Privacy Rule and provide business associates with satisfactory assurances that it will implement appropriate safeguards for protected health information, or PHI.

The revisions add the following entities to the definition of a business associate:

 • Patient safety organizations

 • Health information organizations

 • e-prescribing gateways

 • vendors of personal health records

 • Any other person who “provides data transmission services with respect to PHI to a covered entity and that requires routine access to such PHI”

The final rule also explains that if the entity is merely a “conduit” of the covered entity, then that access to PHI is not considered routine.

The final rule also prohibits health plans (except long-term care policies) from using and disclosing genetic information for underwriting purposes.

Security and enforcement

Since the final rule requires business associates to enter into contractual agreements with subcontractors that have access to PHI, business associates must implement policies and procedures and enter into contractual relationships with subcontractors in order to comply with the final rule.

This means that any subcontractor that has routine access to PHI must implement a full complement of privacy and security policies in order to comply.

The rule also indicates that HHS will increase cooperation with other law enforcement agencies to refer cases involving possible criminal HIPAA violations. In addition, the final rule increases the penalties for HIPAA violations, and increases the limit of penalties in one calendar year to $1.5 million based on the degree of knowledge.

The factors for determining the amount of the civil penalty include:

 • The nature of the claims and the circumstances under which they were presented

 • The degree of culpability

 • History of prior offenses

 • Financial condition of the person presenting the claims

 • “Such other matters as justice may require”

The final rule also significantly modifies the definition of a “breach” of unsecured PHI, and clarifies covered entity and business associate obligations with respect to notifying an individual of a breach.

Under the final rule a breach is an acquisition, access, use, or disclosure of PHI in a manner not permitted under [the Privacy Rule] unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:

 • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification

 • The unauthorized person who used the PHI or to whom the disclosure was made

 • Whether the PHI was actually acquired or viewed

 • The extent to which the risk to the PHI has been mitigated

The final rule removed the previous “significant harm standard” due to its subjective nature, which, according to HHS, had the potential to lead to inconsistent interpretations and results. This means that risk assessments will need to be copiously documented to justify why the entity did not notify the individual in the event of a complaint of audit. In addition, breach notification policies will need to be revised to reflect the four factors.

Compliance tips

The effective date of compliance with the Omnibus Rule is Sept. 23. HHS estimates that these new regulations will cost covered entities and business associates between $114 million and $225.4 million during the first year of implementation and approximately $14.5 million each year thereafter.

September will be here before you know it, so it is wise to think about and plan for compliance now. This means that all covered entities and business associates should review, revise and implement privacy and security policies, forms, HIPAA compliance plans, business associate agreements and breach notification compliance programs.

Employees should be trained, and the training should be acknowledged and documented. Business associate agreements should be in place with all vendors and subcontractors that have access to PHI. Business associates must contractually agree to ensure that all of their vendors and subcontractors will agree in writing to keep any PHI private and secure in accordance with the final rule.

For a helpful HIPAA compliance checklist, visit

Attorney Linn Foster Freedman is leader of Nixon Peabody LLP’s Privacy & Data Protection Group and chairs its HIPAA Compliance Group. Attorney W. Scott O’Connell is deputy chair of Nixon Peabody’s Litigation Department as well as practice group leader of its Commercial Litigation Team and the Class Action & Aggregate Litigation Team.

Categories: Legal Advice