Looking at the HIPAA Final Omnibus Rule: An Attorney's Perspective
The stringent requirements embedded in what is being called the “HIPAA Final Omnibus Rule”—a set of regulations published by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) on Jan. 25—are changing the ground rules for healthcare provider organizations across the U.S. when it comes to safeguarding protected health information (PHI). Those requirements extend the privacy, security, enforcement, and breach notification rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
With compliance with the “Omnibus Rule” required by September 23, healthcare leaders have no time to waste when it comes to understanding and addressing the new requirements.
Recently, Kathryn Coburn, who is of counsel with the Los Altos, Calif.-based law firm of Cooke, Kobrick & Wu, LLP, spoke with HCI Editor-in-Chief Mark Hagland regarding this important topic. The Santa Monica-based Coburn has spent 30 years in healthcare law. Below are excerpts from that interview.
Let’s talk about patient privacy and security under the Omnibus Rule, and what provider executives need to do.
Yes, let’s talk about how covered entities can help their business associates implement what are called these “flow-down requirements.”
What do you think most CIOs don’t understand about the Final Omnibus Rule?
I hope they are aware of this, but they really need to be aware that when they contract or delegate or outsource to another company, and that company further outsources, that company will now have to have a written contract with their subcontractor. Theoretically, this was always the case. But CIOs may not understand that their subcontractors may be liable for up to $1.5 million for willfully ignoring the requirements, if the subcontractor just deliberately ignored the fact that they were required to secure that information and distributed information without HIPAA security. What the government is doing is actually protecting the information. And anybody who could be audited, would be liable. There aren’t any civil lawsuits under HIPAA, but if the government does an audit, and finds out the information isn’t being protected, they will levy penalties.
Another thing that I think is poorly understood is that if CIOs use templates for business associate agreements, they have to see what’s being added into the agreement, and see whether that business associate will be liable for notice of breach costs, or whether that business associate’s subcontractor is liable, or whether your own covered entity is liable; because over $2 billion was spent on notice of breach in 2012. In other words, the average cost of a breach notification is very high. I believe that the Ponemon Institute cited something like $250,000 per individual patient record breach. So when I’m talking about the $2 billion, I’m talking about what was spent last year on reported breaches.
So the first thing they should do is to take a look at whether or not they want to encrypt, and whether or not it’s worth it. Because with these large penalties from the government… the purpose was to encourage CIOs and CFOs to look at whether or not they were going to be able to encrypt, and to encourage them to encrypt, protected health information. In particular, I think they don’t understand how prevalent breaches are and how easy it is to lose a laptop, and to have breaches based on unencrypted health information on mobile devices.
So I would recommend that they first look at the cost of insurance for breaches, and at the cost of encryption. And they should also examine their business associate agreements to determine whether they are liable, their business associate organization is liable, or whether the subcontractor to their business associate is liable. In other words, they need to know who is liable for providing notice of breach for unencrypted health information.
Next, let’s say that if they’re a hospital, hospitals and medical providers should be aware that one big change that came via the HITECH Act, and one that maybe most CIOs are not aware of, is that the individual has the right to request a restriction on the disclosure of any medical service for which they’ve paid out of pocket. And this can cause problems sometimes, because the hospital doesn’t really let the individual know that if they pay out of pocket, that the insurance company can probably still determine from additional tests that are made, what the diagnosis was. So they may have to pay for an entire panel of tests; and they may want to every test. They don’t realize it doesn’t apply to follow-up tests. And let’s say there’s an electronic prescription, that diagnosis could be released to the pharmacy, and they probably need to go to the pharmacy first and get it restricted there first. And if a patient asks for a restriction, that has to take place at the outset.
What is the most difficult element of this, when attorneys are called in to address a breach that has occurred?
Probably the most difficult element is the forensics of this. For instance, maybe you had 40 laptops that were stolen from a facility, and they all had protected health information on them. Let’s say you recover those laptops, but they’ve been in someone’s possession for a while. And maybe they didn’t yet get out of the building, but you have to figure out whether someone looked at the PHI. In many cases, you can prove that nobody looked at them, and then you don’t have to give any notice of breach. So it’s worth engaging a computer forensics expert, in that case. Now, you must actually document this information. So the lack of documentation is the biggest problem from the legal point of view, I find. If the CIO wants to protect the hospital or provider, they need to have a process in place for documenting what has occurred. It’s easy to say the information wasn’t compromised, but if you can’t prove it, you’re still going to have to give notice of breach.
Another thing that is difficult sometimes, is that vendors of personal health records are now responsible for reporting security breaches; and I think a lot of CIOs may not know that. So the vendor of personal health records may not be a covered entity; and since they’re not a covered entity, they’ll report any breach to the Federal Trade Commission; that is an element of the HITECH Act now in effect under the Final Omnibus Rule.
But you, the provider, would have to report it to HHS?
Here’s the thing: these hospitals may have personal health records that are actually distributed to patients. So if they’ve outsourced that to a vendor, the vendor would have to report it to the FTC [Federal Trade Commission]; but if the vendor is a business associate of the hospital and is distributing it on behalf of the hospital, then the vendor is a business associate of the hospital, and the hospital would have to report to HHS, and the vendor would have to report it to the hospital or clearinghouse. But there is independent liability on the part of the vendor for notice of breach.
That’s why I think it’s very important when you draft these business associate agreements, that the CIO read them and see who will pay for these breaches, if they do occur.
It seems that the number of breaches is growing significantly.
Oh yes, it’s dreadful. That’s why encryption is so important. And federal officials are very open about the fact that these heavy penalties are intended to promote encryption. And they don’t refer to any specific type of encryption; they do refer to the NIST [National Institute of Standards and Technology] standard.