HITECH Act and HIPAA Omnibus Rule
HIPAA was enacted in 1996, the ARRA HITECH Act in 2009, the HIPAA Omnibus Rule in 2013. In January 2020, a Federal Court ruled that a portion of the Omnibus Rule was invalid, but only with respect to fees that may be charged to individuals who request a copy of their medical records. This ruling does not impact privacy, security, or the right of individuals to receive their health care records. Below is a recap of important privacy Standards of each Rule and update on the determination of the United States District Court for the District of Columbia
HITECH Act Enforcement Interim Final Rule
The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, Subtitle D addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
Section 13410(d) of the HITECH Act revised section 1176(a) of the Social Security Act (the Act) by setting forth:
- Four (4) categories of violations with increasing levels of liability;
- Four (4) corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation;
- A maximum penalty amount of $1.5 million for all violations of an identical provision.
- The enforcement final rule also amended section 1176(b) of the Act, which now prohibits penalties for violations that are corrected within a 30-day period, provided there was no willful neglect.
Four Tiers of Culpability
(1) The person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision;
(2) the violation was due to reasonable cause, and not willful neglect;
(3) the violation was due to willful neglect that is timely corrected; and
(4) the violation was due to willful neglect that is not timely corrected.
One result of this final rule is that it aligns HIPAA enforcement to revisions under section 13410(d) of the HITECH Act.
HIPAA Omnibus Rule
The 2013 Omnibus Rule to the Health Insurance Portability and Accountability Act (“HIPAA”) commonly called the HIPAA Omnibus Rule, required compliance by September 23, 2013.[1] The HIPAA Omnibus Rule instantiated the modifications to the HIPAA Privacy, Security, and Enforcement Rules in compliance with the HITECH Act, including tiered civil money penalty structure provided by the HITECH Act.
Importantly, the Omnibus rule requires that the Breach Notification for unsecured PHI under the HITECH Act no longer requires proof that there was a breach. Instead, it is now a presumptive Standard, where a Covered Entity or Business Associate must presume that there is a breach and must rebut this presumption with proof that the data was not breached.[2]
The Omnibus Rule also provided modifications to the HIPAA Privacy Rule addressing the GINA (Genetic Information Nondiscrimination Act) to prohibit most health plans from using or disclosing genetic information for underwriting purposes.[3]
The Omnibus Rule also enables patients may pay out of pocket in full and instruct their provider to refrain from sharing information about their treatment with their health plan, (i.e., not provide consent to disclose) [4]
Federal Common Law of Agency Standard means that Business Associates and Subcontractors are held to the same standards and fines as Covered Entities.[5]
Healthcare providers can share vaccination records (immunizations) with schools directly with a written or verbal release from the student’s parent or guardian [6]
The Omnibus Rule adopted the same ARRA HITECH Act prohibition against the marketing, fundraising, and sale of PHI without authorization.[7]
January 23, 2020 Ruling by Federal Court Regarding HIPAA Omnibus Rule
Federal Court of Appeals in the District of Columbia found that the HIPAA Omnibus Rule regarding 2016 guidance issued by United States Department of Health and Human Services Office (“HHS”) on the fees that may be assessed to patients for copies of medical records. [8]
Citations
[1] 2013. Beckers Hospital Review. 15 Things to Know About the HIPAA Omnibus Final Rule Before Sept. 23.
[2] The breach notification final rule amended the Standard and now requires a determination of the breach’s “risk of compromise” rather than harm. Therefore, a breach notification is always necessary except those in which the covered entity or business associate via its own breach investigation documents and demonstrates a low probability that the PHI was compromised.
[3] As provided in the Federal Register, “…modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA); and make certain other modifications to the HIPAA Privacy.” https://www.federalregister.gov/d/2013-01073/p-3
[4] The breach notification final rule amended the Standard and now requires a determination of the breach’s “risk of compromise” rather than harm. Therefore, a breach notification is always necessary except those in which the covered entity or business associate via its own breach investigation documents and demonstrates a low probability that the PHI was compromised.
[5] Agency liability – The Omnibus Rule not only reiterates that Covered Entities are liable, are also liable for the acts of their Business Associate that are agents, in accordance with the federal common law of agency. This requires greater vigilance by Covered Entities when the Business Associate is an agent. “Use and disclose on behalf of” would generally be considered ‘agency’ like language which is the fundamental definition of a Business Associate. The Omnibus Rule removes the exception for vicarious liability for agents that are business associates when a valid business associate contract is in place. See ‘New Omnibus Rule Released: HIPAA Puts on More Weight’ By Rebecca L. Williams, Adam H. Greene, Louisa Barash, Jane Eckels, Edwin D. Rauzi, Kent B. (Bernie) Thurber, and Kristen R. Blanchette 01.23.13 https://www.dwt.com/insights/2013/01/new-omnibus-rule-released-hipaa-puts-on-more-weight
[6] According to U.S. Health and Human Services (HHS), “Student Immunizations 45 CFR 164.512(b)(1)(vi) – Background : The HIPAA Privacy Rule strikes an important balance between protecting the privacy of individuals’ protected health information (PHI) and allowing the disclosure of PHI in a number of circumstances to those responsible for ensuring public health and safety. One circumstance involves the disclosure of student immunization information to schools. Schools play an important role in preventing the spread of communicable diseases among students by ensuring that students entering classes have received various immunizations. Most States have “school entry” laws, which prohibit a child from attending school unless the school has proof that the child has been appropriately immunized. Some States allow a child to begin school provisionally for a certain period of time while the school waits for the necessary immunization information. Typically, schools ensure compliance with State requirements by requesting immunization records from parents, who then request them from their child’s health care provider. To ensure schools are able to receive the necessary documentation of immunization in a timely manner and admit children without undue delay, the HIPAA Privacy Rule permits a covered health care provider to disclose proof of immunization directly to a school that is required by law to have such proof prior to admitting a student, with the oral or written agreement of a parent or guardian.” See https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/student-immunizations/index.html
[7] See Modifications to the HIPAA Privacy, Security Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules https://www.federalregister.gov/d/2013-01073/p-14
[8] When guidance was issued regarding fees that can be charged by Business Associates for producing patient records, HHS subsequently began investigating entities that charged higher fees. “…The U.S. District Court for the District of Columbia found that the Omnibus Rule’s The Court held that the guidance was issued without a public rulemaking process and therefore, the expansion of the third-party directives to electronic and paper records, to be arbitrary and capricious. Also, the court held that HHS’s 2016 Guidance that applying the “reasonable, cost-based” fee to third-party directives violated the Administrative Procedure Act (“APA”). The court did not, invalidate the 2016 HHS Guidance on what labor costs can be recovered under the “reasonable, cost-based fee.” See xx https://www.bakerdatacounsel.com/hipaahitech/federal-court-invalidates-2013-hipaa-omnibus-rule-regulations-and-hhs-guidance-on-fees-for-copies-of-medical-records/ By Sara Goldstein, Aleksandra Vold and Alexandra Royal
Related Posts