
HIPAA Omnibus Final Rule: Are You Compliant?

Posted by Roscoe J. Mutz | Mar 06, 2014

The Department of Health and Human Services (HHS) has issued the HIPAA Omnibus Final Rule, which carries potential civil penalties of up to 1.5 million dollars per calendar year for violations of a single provision. Many companies, even those outside of the healthcare industry, are affected by the Final Rule and the HIPAA regulations it amends. Farhang & Medcoff can help you with one New Year's resolution for you or your company: ensuring compliance with all HIPAA privacy and security obligations.

Congress passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to protect and secure health care information while promoting the standardization of health information collection and exchange. Later, in response to reports of lax enforcement of the HIPAA rules, Congress passed the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009. HITECH requires audits, increases penalties, and makes sweeping changes to the enforcement of HIPAA obligations; the Final Rule implements those changes.

Expanded Applicability

The Final Rule took effect on March 26, 2013, and compliance was required by September 23, 2013. As of that date, not only must all “covered entities” (health plans, health care clearinghouses, and health care providers) comply with the HIPAA regulations, but liability for compliance also extends directly to all “business associates” of those covered entities (any person or business that creates, receives, maintains, or transmits protected health information in performing services for or on behalf of a covered entity).

The “Chain” of Compliance

It is important for any business to determine whether it falls within the “chain” of compliance. The Final Rule requires that all business associates and subcontractors down the “chain” from a covered entity meet the multitude of complex HIPAA requirements. Common examples of business associates and subcontractors down the “chain” from covered entities include businesses involved in claims processing, data analysis, or billing services, and service providers such as law firms, accounting firms, consultants, data storage or data entry companies, shredding services, courier services, expert witnesses, and others, if the work involves the use or disclosure of protected health information. A business may not claim lack of knowledge of HIPAA's applicability or requirements as a defense in order to avoid an audit or penalties; the lowest penalty tier applies to violations the business did not know about, but it is still a penalty.

Business Associate Agreements and Documentation

The Final Rule establishes new and burdensome documentation obligations on various types of organizations. Every covered entity must have a HIPAA-compliant business associate agreement in place with each of its business associates. In turn, every business associate must have a HIPAA-compliant business associate agreement in place with any subcontractor or service provider that may create, receive, maintain, or transmit protected health information on its behalf, so that the written obligations follow the data down the “chain.” Not all agreements are created equal, and businesses are well advised to ensure that the business associate agreement they use satisfies HIPAA's complex requirements.

Direct Audits by Department of Health and Human Services

HITECH requires HHS to conduct periodic audits of covered entities and business associates. In the past, business associates and subcontractors of covered entities were not subject to direct audit and penalties by HHS, but the Final Rule makes business associates directly subject to audit and potential penalties, independent of the covered entities they serve.

Increased Penalties

In addition to empowering HHS to audit business associates and subcontractors directly, the Final Rule also provides substantial increases in penalties for violations. Depending on the level of culpability, HHS may levy civil fines ranging from $100 to $50,000 per violation, with a maximum of 1.5 million dollars per calendar year for all violations of an identical provision. Because violations are counted per occurrence, a single security breach affecting many patients or many health records can multiply the exposure quickly. In addition, in certain cases, criminal penalties of up to 10 years' imprisonment and fines of up to $250,000 may be imposed on individuals, such as directors, employees, or officers of covered entities.

Compliance Considerations

If you or your business is a covered entity, a business associate of a covered entity, or a subcontractor down the chain from a covered entity, you are advised to contact a well-versed legal professional to review your HIPAA compliance. Best practice is to hire an outside law firm and/or HIPAA consultant to conduct a full-service HIPAA review, including the following:

  • Risk analysis of existing privacy and security safeguards;
  • Evaluation of gaps in privacy or security;
  • Suggestions for implementing procedures to address any privacy or security gaps;
  • Examination of all required and addressable implementation specifications in the HIPAA Security Rule and of the requirements of the HIPAA Privacy Rule;
  • Drafting or review of comprehensive written company policies and procedures for HIPAA compliance;
  • HIPAA training for all employees (with written materials); and
  • (Perhaps most important) drafting or review of a business associate agreement for use with all business associates and subcontractors that may use or disclose protected health information.

Farhang & Medcoff has formed a team of knowledgeable attorneys and technical staff to help clients achieve or confirm compliance with the HIPAA Omnibus Final Rule. Roscoe Mutz, an attorney in Farhang & Medcoff's Tucson office, is experienced in HIPAA-related matters and happy to help you. Please contact Roscoe with any HIPAA concerns or to schedule a full-service HIPAA review.

About the Author

Roscoe J. Mutz

Roscoe Mutz is an attorney with a broad litigation background, including...
