By Julia Romero Peter, Esq.
Enforcement of the new Health Insurance Portability and Accountability Act (HIPAA) omnibus rule will begin soon on September 23, 2013. The new rule broadens the HIPAA’s Privacy and Security Rules to include not only “covered entities” — health care providers, health plans and health care clearinghouses — and their “business associates,” but subcontractors of business associates, as well. The new rule modifies “business associates” to include anyone who “‘creates, receives, maintains, or transmits’ protected health information [PHI] on behalf of a covered entity.” This includes data storage companies and potentially eDiscovery service providers.
Under the new rule, business associates and subcontractors are directly liable for failure to adhere to the HIPAA Security Rule in addition to certain sections of the Privacy and Breach Notification Rules. Among other things, business associates and subcontractors may face liability for:
using or disclosing PHI in such a way that it violates the applicable business associate agreement or HIPAA rules;
not notifying the covered entity of a breach of unsecured PHI;
not providing an electronic copy of the PHI to the covered entity, individual or his or her designee as designated by the business associate agreement;
not making “reasonable efforts to limit” PHI to “the minimum necessary to accomplish the intended purpose of the use, disclosure or request”;
not entering into business associate agreements with subcontractors who create, receive, maintain or transmit PHI; and
not disclosing PHI required by the Secretary of the Department of Health and Human Services (DHHS) to ascertain whether a business associate is in compliance with the HIPAA rules.
The new rule not only broadens liability to include business associates and subcontractors, but also increases the amount of fines and makes violations to the HITECH Act punishable by civil monetary penalties. The new rule sets forth the following monetary penalties based on culpability:
Violation category — Section 1176(a)(1)
All such violations of
an identical provision
in a calendar year
(A) Did Not Know
$100 – $50,000
(B) Reasonable Cause
$1,000 – $50,000
(C)(i) Willful Neglect-Corrected
$10,000 – $50,000
(C)(ii) Wilful Neglect-Not Corrected
The DHHS emphasized that it will not necessarily impose the highest penalty. Rather, the DHHS will “determine the amount of the penalty on a case-by-case basis, depending on the nature and extent of the violation and the nature and extent of the resulting harm”, including the “financial condition and size of the covered entity or business associate”, time period of the violation and the number of people affected.