September 11, 2018
Author: W. Bradley Gilmer
Organization: The Hardison Law Firm
Under the Omnibus Rule, business associates are required to notify the covered entity within 60 days following the discovery of a breach of unsecured PHI. A breach is treated as discovered “the first day on which such breach is known or should reasonably have been known.” Failing to take reasonable steps to detect a breach may have devastating consequences for firm and client alike.
The 2013 Omnibus Rule also creates even tougher breach notification requirements by assigning the burden of proof to covered entities and their business associates. Previously, a breach was defined as a use or disclosure that caused a “significant risk of financial, reputational or other harm” to an affected individual. Under the Omnibus Rule, any impermissible acquisition, access, use or disclosure of PHI — including violations of the minimum necessary standard — is presumed to be a breach unless a firm can demonstrate, through a documented assessment, low probability that the information has been compromised. The risk assessment requires consideration of:
the nature and extent of PHI involved; report of the unauthorized person who used the PHI or to whom the disclosure was made; documentation of whether PHI was actually acquired or viewed; and assurances that the risk to PHI has been mitigated. Entities should therefore constantly monitor and log information access to prepare defenses to rebut the presumption of a breach should a question arise.
2. Methods of Notice
(1) Individual Notice.—Notice required under this section to be provided to an individual, with respect to a breach, shall be provided promptly and in the following form:
(A) Written notification by first-class mail to the individual (or the next of kin of the individual if the individual is deceased) at the last known address of the individual or the next of kin, respectively, or, if specified as a preference by the individual, by electronic mail. The notification may be provided in one or more mailings as information is available.
(B) In the case in which there is insufficient, or out-of-date contact information (including a phone number, email address, or any other form of appropriate communication) that precludes direct written (or, if specified by the individual under subparagraph (A), electronic) notification to the individual, a substitute form of notice shall be provided, including, in the case that there are 10 or more individuals for which there is insufficient or out-of-date contact information, a conspicuous posting for a period determined by the Secretary on the home page of the Web site of the covered entity involved or notice in major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside. Such a notice in media or web posting will include a toll-free phone number where an individual can learn whether or not the individual’s unsecured protected health information is possibly included in the
(C) In any case deemed by the covered entity involved to require urgency because of possible imminent misuse of unsecured protected health information, the covered entity, in addition to notice provided under subparagraph (A), may provide information to individuals by telephone or other means, as appropriate.
(2) Media Notice.—Notice shall be provided to prominent media outlets serving a State or jurisdiction, following the discovery of a breach described in subsection (a), if the unsecured protected health information of more than 500 residents of such State or jurisdiction is, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach.
(3) Notice to Secretary.—Notice shall be provided to the Secretary by covered entities of unsecured protected health information that has been acquired or disclosed in a breach. If the breach was with respect to 500 or more individuals, then such notice must be provided immediately. If the breach was with respect to fewer than 500 individuals, the covered entity may maintain a log of any such breach occurring and annually submit such a log to the Secretary documenting such breaches occurring during the year involved.
(4) Posting on HHS Public Website.—The Secretary shall make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each covered entity involved in a breach described in subsection (a) in which the unsecured protected health information of more than 500 individuals is acquired or disclosed.
The Department of Health and Human Services, Office for Civil Rights is responsible for administering and enforcing these standards and may conduct complaint investigations and compliance reviews.
The Omnibus Rule eliminates DHHS’s discretion in choosing whether to investigate complaints or potential violations in cases where DHHS’s preliminary review reveals a possible violation due to willful neglect. DHHS is required to initiate a formal investigation when a party appears to have exhibited willful neglect.
1. Civil Penalties
Under the new Omnibus Rule, the OCR may impose tiered civil monetary penalties for Privacy and Security Rule violations ranging from $100 to more than $50,000, with a $1.5 million annual cap for multiple violations. It appears that the $1.5 million annual cap is not a “total cap” for an entity, but rather a cap on fines for a specific repeated allegation. As such, there may not really be a hard cap on total civil penalties for an organization that commits repeated violations of these rules in multiple and distinct categories.
2. Criminal Penalties
Willful noncompliance or neglect can result in criminal fines and penalties of up to 10 years in jail under the new Omnibus Rule.
3. Private Cause of Action
There is no private cause of action for an individual whose HIPAA rights are violated; however, at least one US District Court found that a plaintiff may proceed on a state claim for negligence per se for HIPAA violations. I.S. v. Wash. Univ., 2011 U.S. Dist. LEXIS 66043 (E.D. Mo. June 14, 2011).
F. Omnibus Rule To Do List
HIPAA covered entities and business associates should act now to take the following measures:
• Revise business associate agreement template forms;
• Gather all existing business associate agreements;
• Identify if any business associate is missing an agreement;
• Determine the applicable compliance date for each business associate agreement;
• Evaluate existing contractor arrangements to determine whether modifications or new agreement provisions are necessary, including to existing Business Associate Agreements;
• Revise HIPAA Policies and Procedures, including modifications to address response to potential breaches involving unsecured PHI;
• Update and redistribute Notices of Privacy Practices;
• Analyze current arrangements for compliance with restrictions on the sale of PHI, and marketing and fundraising restrictions; and
• Train employees on updated obligations.