July 18, 2013

HIPAA Rule Updated for the First Time since Inception

Patients gain control while negligent providers get stiffer penalties.

By Sachin Shah

On January 25, 2013, the new 563-page Omnibus Final Rule for the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was released by the Department for Human and Health Services (HHS). The rule, which makes a number of modifications to HIPAA, is designed to enhance the ability of patients to control their medical records while also stiffening penalties for providers who fail to properly safeguard patient information.

The rule spreads potential liability stemming from a HIPAA violation not only to covered entities but also to business associates of the covered entities. Business associates generally include anyone who works with a provider in a capacity that requires them to access the protected information. Examples of business associates in this provision include cloud providers and HIPAA-secure messaging companies. The standard emphasized for the enforcement of this rule is "willful neglect," which is otherwise defined as "conscious violation or reckless indifference to the law." The fines for these violations can be quite substantial: covered entities and business associates can be fined $50,000 per violation in cases where risk assessments are not completed or where safeguards protecting data are absent.

Another significant aspect of the rule is the expansion of what constitutes a breach. The breach-notification threshold is the mechanism by which all parties determine whether a breach is substantial enough to mandate that the covered entity or business associate report the breach to HHS. The rule expands the breach-notification threshold from "a significant risk of harm" to "a low probability of compromise." Understandably, this change has caused significant concern throughout the health-care industry: "a low probability of compromise" leaves much more room for interpretation as to whether a breach occurred, because patients can be unaware of whether their health information has been compromised. Essentially, covered entities now are presumed to have harmed patients when a breach occurred, whereas in the past, harm to the patient arising from the breach needed to be established for a violation. The rule also increases penalties for noncompliance to $1.5 million per violation, which further highlights the importance, for covered entities and business associates, of ensuring HIPAA compliance.

Under the rule, patients have the ability to request that insurers be barred from being notified about treatments that are paid for out of pocket. Covered entities must adjust and ensure that physicians and health-care entities are trained to recognize the importance of such requests and protect such information accordingly. The rule also expands the patient's right to request and receive electronic copies of his or her information from providers. The rule therefore allows for greater flexibility in patients’ use of their own information. The rule went into effect on March 26, 2013, and all physicians and covered entities must comply with it by September 26, 2013. Accordingly, all physicians and health-care entities must establish policies and training to ensure compliance with the rule by September 26, 2013.

Keywords: litigation, health law, HIPAA, Omnibus Final Rule, compliance, health care

Sachin Shah is a partner at the Agrawal Firm, LLC, in Chicago, Illinois.

Copyright © 2013, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).