The HIPAA omnibus rule: A checklist for compliance

After months of waiting, the federal Department of Health and Human Services (HHS) Office for Civil Rights (OCR) posted the final rules implementing many of the provisions created by the HITECH Act of 2009. Two primary provisions of HITECH are the extension of HIPAA compliance obligations to business associates (BAs) and to subcontractors of BAs, and the breach notification rules.

The final rules were published in the Jan. 25, 2013 Federal Register. They take effect March 26, 2013, and covered entities and BAs must generally comply by Sept. 23, 2013. After the effective date, HIPAA-related documents or contracts that are modified or renewed should incorporate the new provisions. Existing BA agreements that already complied with the prior rules, and that are not modified or renewed in the meantime, get a transition period: they must be brought into compliance with the new rules no later than Sept. 22, 2014.

The term “covered entities” keeps its existing meaning in the rules: health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with a HIPAA standard transaction. Protected health information (PHI) is individually identifiable health information that a covered entity, or a BA acting on its behalf, creates, receives, maintains, or transmits.

Here are some highlights of what the rules document does:

  • Expands the definition of BA. BAs now include entities that “maintain” PHI, in addition to those that create, receive, or transmit PHI for a function or activity such as claims processing or administration, data analysis, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and repricing. The definition extends fully to subcontractors of BAs who perform these functions. The rules additionally expand the definition to include health information organizations, e-prescribing gateways, and other persons who provide data transmission services with respect to PHI to a covered entity and require routine access to that PHI; a mere conduit that transmits PHI without accessing it other than incidentally is not a BA. BAs also include persons who offer personal health records on behalf of covered entities.
  • Clarifies the definition of BA. The rules clarify that health care providers are not BAs to other covered entities when communicating about the treatment of an individual. In addition, plan sponsors are not BAs to group health plans or health insurance issuers as long as the HIPAA requirements for group health plans under 45 CFR § 164.504(f) are met. Government agencies are not BAs to government health plans when communicating about eligibility or enrollment in the plan. Finally, covered entities in an organized health care arrangement (OHCA) that perform BA-type functions for the OHCA, such as quality assurance or patient safety activities, are not BAs.
  • Creates a definition of “family member.” The definition is very broad: it reaches relatives up to the fourth degree and includes relatives by affinity (marriage or adoption), not just biological relatives. This definition matters for the disclosure rules that apply when the individual who is the subject of the PHI is, for example, unavailable or deceased.
  • Prohibits health plans from using or disclosing genetic information for underwriting purposes. With the exception of long-term care plans, the final rule prohibits most health plans from using or disclosing genetic information for purposes of underwriting, which the rule defines to include requests for genetic tests. This restriction should work in tandem with the Affordable Care Act’s prohibition against excluding individuals with pre-existing conditions from obtaining health coverage.
  • Solidifies that BAs are directly liable for compliance with HIPAA. Under the new rules, BAs are directly liable for violations of the HIPAA Security Rule and for uses and disclosures of PHI that the Privacy Rule, or their BA agreements, do not permit. This includes the requirement that BAs create and implement HIPAA privacy and security policies and procedures for the handling of a covered entity’s PHI. BAs may be subject to compliance reviews and investigations by HHS.
  • Adds factors for HHS to consider in determining the amount of a civil money penalty for HIPAA violations. These additional factors include the number of individuals affected by a HIPAA violation as well as whether the violation resulted in harm to an individual’s reputation.
  • Requires BAs to enter into BA agreements with subcontractors. BAs who subcontract with entities that create, receive, maintain, or transmit PHI from a covered entity on behalf of a BA must enter into HIPAA-compliant BA agreements.
  • Cements the notice rules for breaches of unsecured PHI. PHI is “unsecured” if it has not been rendered unusable, unreadable, or indecipherable to unauthorized persons by a method specified in HHS guidance, namely encryption or destruction; the loss of properly encrypted PHI whose decryption key was not also compromised is therefore not a reportable breach. The final rule creates a rebuttable presumption that a breach has occurred whenever unsecured PHI is acquired, accessed, used, or disclosed in a manner that violates the HIPAA privacy rule. A covered entity or BA may rebut this presumption only if it demonstrates, through a documented risk assessment of at least the following factors, that there is a low probability that the PHI has been compromised:

    • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
    • The unauthorized person who used the PHI or to whom the disclosure was made
    • Whether the PHI was actually acquired or viewed
    • The extent to which the risk to the PHI has been mitigated

The final rules also require BAs to report breaches of unsecured PHI to the covered entity without unreasonable delay and no later than 60 calendar days after the breach is discovered, so that the covered entity can meet its own notification deadlines to individuals, HHS, and, where required, the media.

  • Addresses use of PHI in sales, marketing, and fundraising efforts. The final rule prohibits the sale of PHI without the individual’s written authorization unless the sale falls under an exception in the rules, such as disclosures for public health, for research (where the payment is limited to the cost of preparing and transmitting the data), for treatment, or as part of a merger or sale of the covered entity. The final rule excludes from the stricter marketing rules communications such as refill reminders, communications about health-related products or services the covered entity itself provides, case management, and care coordination. This revised definition will help the development of medical homes and accountable care organizations, where care coordination and case management are key. Finally, the rules allow covered entities to use or disclose PHI for fundraising purposes if certain requirements are met, such as a clear opt-out in each fundraising communication and a statement about fundraising in the covered entity’s Notice of Privacy Practices.
  • Tackles PHI relating to deceased individuals. The final rule requires HIPAA protection of a deceased individual’s PHI for 50 years following the individual’s death; after that period the information is no longer PHI.
  • Expands disclosures when authorization is not required. A HIPAA authorization is not required for disclosures to schools about proof of students’ immunization if certain conditions outlined in the rule are met.
  • Settles on most of the new patient rights under HITECH. Except for the changes to the accounting-of-disclosures requirements, which remain to be addressed in a separate rulemaking, the final omnibus rule implements the HITECH changes to restriction requests and to access to electronic PHI. Covered entities must agree to an individual’s request to restrict disclosure of PHI to a health plan if the PHI relates to a health care item or service that someone other than the health plan has paid for in full. Covered entities must also provide individuals with access to PHI in the electronic form and format the individual requests if the PHI is maintained electronically and is readily producible in that format. Finally, covered entities must, if an individual so requests in writing, send a copy of the PHI directly to another person the individual designates.

What should covered entities do now?

Covered entities should do at least the following four things:

  • Review and update HIPAA policies and procedures. A review should pay particular attention to those policies and procedures that relate to marketing, sale of PHI, fundraising, notices of breach, disclosures to schools, disclosures involving deceased individuals, disclosures to family members, and use of genetic information.
  • Revise and disseminate a Notice of Privacy Practices (NPP). The NPP should account for changes to uses and disclosures under the new rules. This is especially important for health plans that must notify members that the plan is now prohibited from using or disclosing genetic information for underwriting purposes.
  • Evaluate and update a covered entity’s BA agreements. Determine whether the inventory of BA agreements captures all the BA relationships now that the definition of BAs has changed and been clarified. Furthermore, given the new clarifications, covered entities may determine that some BA agreements are no longer necessary, such as between providers involved with the treatment of an individual or in an OHCA.
  • Discuss with BAs the need for BA agreements with BA subcontractors. It would not hurt to gently remind BAs about their obligations under the final rules.

What should BAs do now?

BAs should do the following two things right away:

  • Create, revise, and/or implement HIPAA policies and procedures. Depending upon where a BA is on the compliance continuum, it should be diligently pursuing HIPAA-compliant policies and procedures as they relate to HIPAA security and privacy requirements.
  • Ensure that it has BA agreements. The BA should have updated BA agreements with covered entity clients, as well as with subcontractors to whom it delegates BA functions.

Barbara Zabawa is a health care law attorney with Whyte Hirschboeck Dudek. She can be contacted at 608-234-6075 or