New HIPAA “Megarule” Broadens Enforcement
The U.S. Department of Health and Human Services (“HHS”) has published its long-awaited Final Rule, the so-called “Megarule,” to codify major changes in its health privacy and security rules. These changes fall under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and have been under rulemaking consideration since early 2009, when HITECH was enacted.
This update focuses on major changes to the enforcement provisions in 45 CFR Part 160. The three most substantial changes covered under the January 25, 2013 Megarule publication are:
- Extension of direct liability and civil money penalties to business associates
- Finalization of the penalty scheme previously announced by HHS in an Interim Final Rule in October 2009
- Clarification of aggravating and mitigating factors, and states of mind associated with greater or lesser degrees of culpability
These enforcement changes are only a small subset of the universe of regulatory changes effected by the Megarule. The enforcement changes discussed in this update go into effect March 26, 2013, although the new substantive compliance obligations to be enforced are not effective until September 23, 2013.
Extension of Direct Liability to Business Associates
Current HIPAA rules impose direct compliance responsibility on “covered entities”: health plans, health care clearinghouses and health care providers. Covered entities are required to enter into contractual agreements with their “business associates”: third-party providers who create, receive, maintain or transmit protected health information (“PHI”) on the covered entity’s behalf. Under this structure, business associates’ liability exposure has been indirect and contractual. Subcontractors of business associates have been one step further removed from the process.
Under the Megarule, business associates now take on direct privacy and security compliance obligations and become directly subject to civil money penalties. Critically, a business associate’s subcontractor who creates, receives, maintains or transmits PHI is now also classified as a “business associate” with direct exposure to HIPAA penalties. As a result, service providers who were previously concerned only about their contractual responsibilities to their business partners can now be held accountable both by HHS and by state attorneys general (who were given HIPAA privacy and security enforcement powers by HITECH).
Moreover, both covered entities and business associates can be held liable when their “agents” (including subcontractors and other business associates who would be considered “agents” under the federal common law of agency) violate HIPAA regulations. HHS stated in the background document for the Megarule that its purpose in making this change was “to ensure, where a covered entity or business associate has delegated out an obligation under the HIPAA Rules, that [it] would remain liable for penalties for the failure of its business associate agent to perform the obligation on the covered entity or business associate’s behalf.” HHS noted that a commenter had argued that this change would impose strict liability on covered entities for the actions of third parties not under their control. HHS countered that the Megarule “does not make a covered entity or business associate liable for the acts of third parties that are not under its control because such third parties are not its agents.”
Civil Money Penalties
The Megarule finalized interim rules defining four penalty tiers for HIPAA privacy and security violations occurring on or after February 18, 2009. HITECH and the October 2009 interim final rule had already boosted civil penalties significantly above previous levels. The tiers are:
- Violations in which the covered entity or business associate did not know the violation was occurring and could claim ignorance ($100 to $50,000 per violation)
- “Reasonable cause” violations (discussed below) ($1,000 to $50,000 per violation)
- Violations involving “willful neglect,” where the covered entity or business associate ultimately corrected the violation ($10,000 to $50,000 per violation)
- Violations involving willful neglect that the covered entity or business associate did not take action to correct ($50,000 per violation)
For all tiers of culpability, the maximum amount that can be imposed for violations of an identical provision within one calendar year is $1.5 million. However, HHS’s ability to charge multiple violations arising from the same incident could greatly multiply the $1.5 million cap. HHS retains discretion to modify penalties to make the punishment fit the violation.
Mitigating and Aggravating Factors
In addition to finalizing the tiered penalty scheme, the Megarule adds certain factors to be considered when determining the amount of a civil money penalty:
- The nature and extent of the violation, including the number of individuals affected
- The nature and extent of the harm caused, including reputational harm
- The history of prior compliance by the covered entity or business associate, including consideration of both prior violations and “indications of noncompliance”
- The financial condition of the covered entity or business associate
- Such other matters as justice may require
The Megarule also identifies “affirmative defenses.” Ignorance of a violation is no longer an excuse, but only grounds for being placed in the lowest penalty tier. Within the two lowest tiers (ignorance and “reasonable cause”), however, curing the violation within 30 days after the party knew or should have known of the violation avoids the penalty, and HHS has discretion to extend that cure period.
“Reasonable Cause” Tier
The modifications also change the definition of “reasonable cause,” the level of culpability required to impose a penalty in the second tier of the penalty scheme. HHS stated that it amended the definition in order to “clarify the mens rea (state of mind) associated with the reasonable cause category of violations and to clarify the full scope of violations that will come within the category.”
The current HIPAA regulations defined “reasonable cause” as “circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the … provision violated.” Under the Megarule, “reasonable cause” is redefined to mean “an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated [a] provision, but in which the covered entity or business associate did not act with willful neglect.” HHS noted in the background document for the Megarule that the modified definition “would now include violations due both to circumstances that would make it unreasonable for the covered entity or business associate, despite the exercise of ordinary business care and prudence, to comply with the … provision violated, as well as to other circumstances in which a covered entity or business associate has knowledge of a violation but lacks the conscious intent or reckless indifference associated with” violations that would fall into a higher penalty tier.
The expansion of direct HIPAA liability to business associates and their subcontractors, with potential liability for acts and omissions of agents down the disclosure chain, dramatically changes the overall HIPAA compliance landscape. Service providers handling PHI must now pay attention for the first time not only to their contracts, but to the direct compliance obligations they now face, with the possibility of costly enforcement actions outside the control of friendly business partners. In turn, covered entities must be more vigilant than ever about how their business associates and their subcontractors are handling the entity’s PHI.
The modifications to penalty tiers and culpability standards help to tailor penalties more closely to circumstances, but also create additional potential for health care organizations and their service providers to be held liable for violations that would previously have been excused, with potentially significant economic consequences. For significant breaches affecting multiple individuals and categorizable as multiple violations, the true exposure may be many millions of dollars.