The stringent requirements embedded in what is being called the “HIPAA Final Omnibus Rule”—a set of regulations published by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) on Jan. 25—are changing the ground rules for healthcare provider organizations across the U.S. when it comes to safeguarding protected health information (PHI). Those requirements extend the privacy, security, enforcement, and breach notification rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
With compliance with the “Omnibus Rule” required by September 23, healthcare leaders have no time to waste when it comes to understanding and addressing the new requirements.
Recently, Kathryn Coburn, who is of counsel with the Los Altos, Calif.-based law firm of Cooke, Kobrick & Wu, LLP, spoke with HCI Editor-in-Chief Mark Hagland regarding this important topic. The Santa Monica-based Coburn has spent 30 years in healthcare law. Below are excerpts from that interview.
Let’s talk about patient privacy and security under the Omnibus Rule, and what provider executives need to do.
Yes, let’s talk about how covered entities can help their business associates implement what are called these “flow-down requirements.”

Kathryn Coburn
What do you think most CIOs don’t understand about the Final Omnibus Rule?
I hope they are aware of this, but they really need to be aware that when they contract or delegate or outsource to another company, and that company further outsources, that company will now have to have a written contract with their subcontractor. Theoretically, this was always the case. But CIOs may not understand that their subcontractors may be liable for up to $1.5 million for willfully ignoring the requirements, if the subcontractor just deliberately ignored the fact that they were required to secure that information and distributed information without HIPAA security. What the government is doing is actually protecting the information. And anybody who could be audited, would be liable. There aren’t any civil lawsuits under HIPAA, but if the government does an audit, and finds out the information isn’t being protected, they will levy penalties.
Another thing that I think is poorly understood is that if CIOs use templates for business associate agreements, they have to see what’s being added into the agreement, and see whether that business associate will be liable for notice of breach costs, or whether that business associate’s subcontractor is liable, or whether your own covered entity is liable; because over $2 billion was spent on notice of breach in 2012. In other words, the average cost of a breach notification is very high. I believe that the Ponemon Institute cited something like $250,000 per individual patient record breach. So when I’m talking about the $2 billion, I’m talking about what was spent last year on reported breaches.
So the first thing they should do is to take a look at whether or not they want to encrypt, and whether or not it’s worth it. Because with these large penalties from the government… the purpose was to encourage CIOs and CFOs to look at whether or not they were going to be able to encrypt, and to encourage them to encrypt, protected health information. In particular, I think they don’t understand how prevalent breaches are and how easy it is to lose a laptop, and to have breaches based on unencrypted health information on mobile devices.
So I would recommend that they first look at the cost of insurance for breaches, and at the cost of encryption. And they should also examine their business associate agreements to determine whether they are liable, their business associate organization is liable, or whether the subcontractor to their business associate is liable. In other words, they need to know who is liable for providing notice of breach for unencrypted health information.