The HIPAA Omnibus Rule of 2013: Expanding Requirements to Business Associates
Introduction
The HIPAA Omnibus Rule, a final rule issued by the Department of Health and Human Services (HHS) in January 2013, marked a significant expansion of the Health Insurance Portability and Accountability Act (HIPAA). The rule implemented a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which had been enacted as part of the American Recovery and Reinvestment Act of 2009. One of its most impactful changes was the extension of HIPAA requirements to business associates and their subcontractors.
Key Changes Introduced by the Omnibus Rule
- Direct liability for business associates and their subcontractors
- Modifications to the Breach Notification Rule
- Changes to the enforcement rule, including increased penalty amounts
- Modifications to the Privacy Rule, including changes to marketing and fundraising communications
- Modifications to the HIPAA Privacy Rule to strengthen privacy protections for genetic information, implementing the Genetic Information Nondiscrimination Act of 2008
Business Associates: Expanded Definition and Responsibilities
Expanded Definition
The Omnibus Rule broadened the definition of a business associate to include:
- Health Information Organizations
- E-prescribing Gateways
- Other persons that provide data transmission services with respect to protected health information (PHI) to a covered entity and that require routine access to such PHI
- Vendors that offer a personal health record to individuals on behalf of a covered entity
Direct Liability
Prior to the Omnibus Rule, business associates were only contractually liable to covered entities through their Business Associate Agreements (BAAs); HHS could not enforce HIPAA against them directly. The Omnibus Rule made business associates directly liable for compliance with the HIPAA Security Rule, with specified provisions of the Privacy Rule, and with the Breach Notification Rule.
Key Responsibilities of Business Associates
- Implementing appropriate administrative, physical, and technical safeguards to protect electronic PHI
- Reporting security incidents and breaches to the covered entity
- Ensuring that any subcontractors that create, receive, maintain, or transmit electronic PHI agree to comply with the same restrictions and conditions
- Providing individuals with access to their PHI when required
- Maintaining the disclosure records needed to provide an accounting of disclosures of PHI on request
- Limiting uses and disclosures of PHI to those permitted by the Privacy Rule or the BAA
Subcontractors: A New Layer of Responsibility
Definition
A subcontractor is any person or entity to whom a business associate delegates a function, activity, or service that involves the creation, receipt, maintenance, or transmission of PHI.
Key Points
- Subcontractors are now treated as business associates, regardless of whether they have a direct relationship with a covered entity
- Business associates are responsible for ensuring that their subcontractors comply with HIPAA rules
- A chain of BAAs is required from the covered entity down through all levels of subcontractors
Impact on Business Associate Agreements (BAAs)
The Omnibus Rule necessitated changes to BAAs:
- BAAs must establish the permitted and required uses and disclosures of PHI by the business associate
- They must provide that the business associate will comply with applicable HIPAA Security Rule requirements
- BAAs must require business associates to report breaches of unsecured PHI to the covered entity
- They must ensure that any subcontractors agree to the same restrictions and conditions that apply to the business associate
Breach Notification Changes
The Omnibus Rule also modified the Breach Notification Rule, affecting both covered entities and business associates:
- Replaced the "significant risk of harm" standard of the 2009 interim final rule with a presumption that any impermissible use or disclosure of PHI is a breach, unless the entity can demonstrate a low probability that the PHI has been compromised
- Established four factors that the risk assessment must consider: the nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification); the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated
- Required business associates to notify covered entities of breaches at or by a subcontractor
Enforcement and Penalties
The Omnibus Rule strengthened HIPAA enforcement:
- Adopted the HITECH penalty amounts, with a maximum of $1.5 million per calendar year for all violations of an identical provision
- Established a tiered penalty structure based on the level of culpability, from violations the entity did not know about (and could not reasonably have known about) up to willful neglect that is not corrected
- Made business associates, as well as covered entities, subject to the periodic compliance audits HHS is required to conduct under HITECH
Implementation Timeline
- The Omnibus Rule was published on January 25, 2013
- It became effective on March 26, 2013
- Covered entities and business associates were required to comply by September 23, 2013
- Existing BAAs had to be modified by September 22, 2014
Challenges and Considerations
- Increased Complexity: The expansion of HIPAA requirements to business associates and subcontractors significantly increased the complexity of compliance.
- Chain of Trust: Covered entities needed to ensure a "chain of trust" through multiple layers of business associates and subcontractors.
- Risk Assessment: Business associates had to implement formal risk assessment processes, often requiring significant resource investment.
- Technology Updates: Many business associates needed to update their technology infrastructure to meet HIPAA Security Rule requirements.
- Training: Extensive training programs were necessary to ensure staff understood new responsibilities under HIPAA.
Summary of Key Points
- Expanded Scope: The rule broadened the definition of business associate and made business associates directly liable for HIPAA compliance.
- Direct Liability: Business associates became directly responsible for implementing safeguards, reporting breaches, and ensuring subcontractor compliance.
- Subcontractor Inclusion: Subcontractors are treated as business associates, creating a chain of responsibility that runs from the covered entity through every downstream entity handling PHI.
- BAA Changes: Business Associate Agreements had to be updated to reflect the new responsibilities and to flow the same restrictions down through the chain of subcontractors.
- Breach Notification: The breach definition shifted from a risk-of-harm test to a presumption of breach rebuttable only by a documented four-factor risk assessment, affecting both covered entities and business associates.
- Enforcement: Penalty amounts increased under a culpability-based tier structure, and business associates became subject to HHS compliance audits.
- Implementation Timeline: The publication, effective, compliance, and BAA transition dates above mark when each obligation attached.
When considering the implications of this rule, healthcare organizations and their business associates should:
- Review and update all Business Associate Agreements to ensure they meet the requirements of the Omnibus Rule.
- Implement or enhance risk assessment processes, particularly for business associates who may not have had such processes before.
- Ensure that there is a clear understanding of the chain of responsibility when it comes to subcontractors, including which entity holds the BAA with each downstream party.
- Develop or update breach notification procedures to align with the new requirements.
- Invest in training programs to ensure all staff understand their responsibilities under HIPAA.
- Regularly audit their own compliance and that of their business associates and subcontractors.
Conclusion
The HIPAA Omnibus Rule of 2013 represented a significant expansion of HIPAA's scope, particularly in its application to business associates and their subcontractors. This change recognized the increasingly complex ecosystem of healthcare data handling and sought to ensure consistent protection of PHI across all entities involved in its processing.
For covered entities, business associates, and subcontractors, the rule underscored the importance of robust data protection practices, clear contractual agreements, and ongoing vigilance in safeguarding patient information. As the healthcare industry continues to evolve, particularly with the growth of digital health technologies and data-driven care models, the principles established by the Omnibus Rule remain crucial in protecting patient privacy and maintaining the security of health information.