January 30, 2013

HHS Issues Long-Awaited Final HIPAA Omnibus Rule

With increased compliance obligations imposed upon Business Associates (and their subcontractors) and modified breach reporting standards, among other significant changes, the new rule is likely to have a substantial impact on technology companies that have access to Protected Health Information from HIPAA Covered Entities.

On January 17, 2013, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) released its much-anticipated final HIPAA omnibus rule (the “Final Rule”) modifying certain aspects of the Privacy Rule, the Security Rule and the Enforcement Rule under the Health Insurance Portability and Accountability Act (“HIPAA”), as well as the Breach Notification for Unsecured Protected Health Information Rule (“Breach Notification Rule”) under the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).

The Final Rule represents a significant development in healthcare privacy law. It introduces meaningful compliance obligations and liability risks for HIPAA Business Associates, including service providers and technology companies with access to Protected Health Information through their work for customers. Although the Final Rule also has important implications for HIPAA Covered Entities, this Alert focuses on several of the most significant changes for HIPAA Business Associates.

Affirming Obligations of HIPAA Business Associates and Their Subcontractors

Aside from a number of clarifications and changes to the breach reporting standard (discussed below), the Final Rule otherwise maintains the approach established by the HITECH Act outlined in Goodwin Procter’s March 12, 2009 Client Alert. Under the HITECH Act, HIPAA Business Associates, which merely provide services to health care providers or other HIPAA Covered Entities, for the first time became subject to federal regulation under HIPAA themselves. Most significantly, the Final Rule confirms that HIPAA Business Associates are subject to the same stringent HIPAA Security Rule requirements, and to the same use and disclosure limitations of the Privacy Rule, as HIPAA Covered Entities, and will be subject to audit and enforcement activity by HHS.

One of the Final Rule’s changes of particular note is the inclusion of “subcontractors” of HIPAA Business Associates within the definition of “Business Associate.” Business Associates will need to enter into written agreements that are substantially similar to Business Associate Agreements with any subcontractor to whom the Business Associate provides access to Protected Health Information. In practice, this means that Business Associates will need to (i) implement and maintain information security policies that comply with the HIPAA Security Rule; (ii) enter into Business Associate Agreements with the Covered Entities with which they exchange Protected Health Information; (iii) enter into written agreements that are substantially similar to Business Associate Agreements with their subcontractors that have access to Protected Health Information; and (iv) prepare to respond to any possible breaches of Protected Health Information in accordance with HHS regulations.

Change to Risk-Based Assessment in Breach Notification Rule

One important change to note is that the breach notification risk-of-harm trigger has been changed from providing notice when there is a “significant risk” of harm to the individual to providing notice unless the Business Associate can demonstrate that there is only a “low probability” that the information has been compromised. As anticipated, the Final Rule modifies the definition of “breach” and the risk assessment approach set forth in the Breach Notification Interim Final Rule issued by HHS on August 24, 2009 (the “Interim Final Breach Notification Rule”). Under the Interim Final Breach Notification Rule, entities were required to provide notice of breaches resulting in unauthorized access to Protected Health Information where the breach posed a significant risk of financial, reputational or other harm to the affected individual. Since the issuance of the Interim Final Breach Notification Rule, a number of commentators expressed concern that the “risk of harm” standard was too subjective, thereby increasing the likelihood of inconsistent interpretations and reporting results. Under the Final Rule, an acquisition, access, use and/or disclosure of Protected Health Information that is not permitted under the Privacy Rule is presumed to be a breach unless the Covered Entity or Business Associate can demonstrate, using a four-factor assessment, that there is a low probability that the Protected Health Information has been compromised.


The Final Rule adopts the HITECH Act’s tiered system of increasing penalty amounts for violations based on increasing levels of culpability associated with each tier. Under the Final Rule, penalties for non-compliance are based upon the level of negligence, with potential maximum fines of $1.5 million per violation. A little more than a year ago, on January 10, 2012, the Minnesota Attorney General brought the first formal enforcement action against a HIPAA Business Associate for a violation of HIPAA. That case ultimately resulted in a $2.5 million settlement, and it seems likely that additional enforcement activity will follow now that the Final Rule has been released.

Compliance Deadlines

The Final Rule is effective on March 26, 2013, and HIPAA Covered Entities and Business Associates are required to comply with the applicable requirements of the Final Rule by September 23, 2013. However, with respect to Business Associate Agreements that were in effect as of January 25, 2013, Covered Entities and Business Associates will have until September 22, 2014 to modify those agreements to conform to the Final Rule, provided that such Business Associate Agreements are not renewed or modified between March 26, 2013 and September 23, 2013.


Business Associates, including service providers and technology companies that have access to Protected Health Information through their performance of services for other Business Associates, should prepare for compliance with the new HIPAA obligations by September 23, 2013. To prepare for the rapidly approaching compliance deadlines, Business Associates should:

  • Review and implement a security program in compliance with the HIPAA Security Rule;
  • Develop and implement new Business Associate Agreements that comply with the requirements of the Final Rule;
  • Evaluate all subcontractor relationships and execute Business Associate Agreements with such subcontractors, where applicable; and
  • Implement a comprehensive breach response policy that will enable the Business Associate to respond in a HIPAA-compliant manner should there ever be a breach of Protected Health Information.