The HITECH Act strengthened and expanded the scope of the HIPAA Privacy and Security Rules, enhanced the HIPAA penalty provisions, provided for HIPAA enforcement by state attorneys general, and established a federal data breach notification law. On 14 July 2010, HHS published a notice of proposed rulemaking (NPRM) to modify the HIPAA Privacy, Security, and Enforcement Rules to align with the HITECH Act's statutory changes. There is a 60-day public comment period. These changes will require substantial operational changes for HIPAA covered entities and their business associates.

The proposed regulations would:

  • subject business associates and their subcontractors to direct liability under the Privacy Rule;
  • provide for new requirements for business associate agreements and a transition period for compliance;
  • set new limits on the use and disclosure of health information for marketing and fundraising;
  • prohibit the sale of protected health information without patient authorization;
  • enhance individuals' rights to obtain electronic copies of their medical records and restrict the disclosure of certain information;
  • add new requirements for Notices of Privacy Practices;
  • modify restrictions on authorizations for the use of health information for research; and
  • implement new changes to the Enforcement Rule.

Business Associate Agreements Need to Be Modified

In the proposed regulations, HHS modifies the current definition of business associates to specifically include several new entities, including those that provide data transmission of protected health information (PHI) to a covered entity or its business associate, such as health information exchanges, e-prescribing gateways, and personal health record vendors acting for covered entities. Moreover, subcontractors who create, receive, or transmit PHI on behalf of business associates will now be considered business associates themselves, and would be subject to direct liability under the HIPAA Rules. For the first time, business associates will be required to obtain full written business associate contracts from their subcontractors and, in the event of a material breach by the subcontractor, to take reasonable steps to cure the breach or terminate the contract (if feasible).

Under the proposed regulations, business associates will be required to comply with the HIPAA Security Rule, including the provisions related to physical, administrative, and technical safeguards and related documentation requirements. Business associates are required to perform a HIPAA risk assessment and to put in place HIPAA security policies; the more general security safeguards historically required through business associate contracts are no longer sufficient.

The proposed rule would require a number of modifications to existing business associate agreements (BAA), some of which were not anticipated under the HITECH statute. New contractual requirements include that the business associate must report breaches of unsecured PHI to covered entities. Also, even though only selected Privacy Rule requirements are imposed directly on business associates by HITECH, the BAA must require that business associates comply with all Privacy Rule requirements that apply to the covered entity with respect to the services provided under the BAA. The proposed rule, acknowledging the costs and burdens associated with revising the agreements, includes an additional one year transition period for amending existing BAAs, unless the parties amend or renew the existing contract during the one-year transition period.

Business associates will be directly subject to criminal and civil penalties for any use or disclosure of PHI that is not in compliance with the provisions of the Privacy Rule applicable to business associates or that is not a permitted use or disclosure under the applicable BAA.

HIPAA Notices of Privacy Practices Need to Be Revised

The NPRM would require several changes to the HIPAA notice of privacy practices. The proposed rule would require inclusion of a statement describing an individual's right to opt-out of receiving certain types of communications including marketing, fundraising, and treatment related communications that are subsidized or paid for by third parties. Additionally, the notice of privacy practices must describe certain uses and disclosures of PHI that require patient authorization, such as those related to psychotherapy notes, marketing, and the sale of PHI. In addition, the privacy notice must inform individuals that the covered entities may not refuse a request to restrict the disclosure of health information to health plans where the individual pays in full out of pocket for the services to which that information relates.

These modifications to a privacy notice would involve material changes that would require covered entities to provide new notices to individuals. Under the HIPAA Privacy Rule, health plans currently have only sixty days following a material revision to mail revised hard copy notices to members, an expensive proposition. HHS is soliciting comments regarding ways to lessen this burden by extending the timeframe or allowing health plans to distribute the revised notice in their next annual mailing.

The Marketing Prohibition is Expanded to Include Healthcare Operations Communications Paid for by a Third Party

HITECH expanded the definition of "marketing" to include healthcare operations communications for which a covered entity receives payment. Individual authorization would not be required for programs where a communication (for example, a refill reminder) describes only a drug or biologic that is currently being prescribed for the individual, provided that the payment is reasonably related to the covered entity's cost of making the communication. HHS indicates in the preamble that the proposed regulation is intended to distinguish between communications for treatment purposes and those for healthcare operations, stating that communications paid for by a third party that are specifically tailored to an individual's health needs should be considered treatment-related communications that do not require individual authorization. HHS proposes to permit such communications provided that notice is given to the individual that their information will be used in this way and that each communication discloses that it involves remuneration and provides a quick and inexpensive method (e.g., a toll-free number or e-mail address) for opting out of future communications. HHS has asked for comments regarding whether the opt-out must cover all future subsidized treatment communications or just those concerning the particular product or service described. The NPRM contains other marketing-related provisions, including changing HITECH's use of "direct or indirect payment" to "financial remuneration" and narrowing the scope of payments that will be considered to be financial remuneration.

Additional Privacy Requirements and Individual Protections

Minimum Necessary

The HIPAA Privacy Rule's minimum necessary standard requires covered entities to limit uses and disclosures of PHI to the minimum necessary. The minimum necessary standard is considered by many to be vague and difficult to implement. The HITECH Act requires the HHS Secretary to issue guidance on what is the "minimum necessary" information for a permitted use, disclosure, or request, and until such guidance is issued, a "limited data set" as defined in existing regulations serves as a legal safe harbor. HHS is seeking comment regarding what aspects of the "minimum necessary" standard HHS should address in the guidance and what types of questions covered entities have regarding how to make minimum necessary determinations.

Individual Right to Request Restrictions on Disclosure of PHI

The HIPAA Privacy Rule provides individuals with a right to request restrictions on the use or disclosure of their PHI, but in most cases a covered entity is not legally required to agree to the request. HITECH provides individuals with enhanced rights in this area by requiring covered entities to honor restriction requests if the disclosure is to a health plan for purposes of carrying out payment or healthcare operations and is not otherwise required by law and the PHI relates solely to a healthcare item or service for which the individual has paid the covered entity out of pocket and in full. HHS is requesting comment on the extent to which the rule should impose downstream restriction notification requirements on providers and in particular how e-prescribing physicians can notify pharmacies of a restriction so that claims are not submitted to a health plan for drugs related to the restricted service before an individual has an opportunity to pay for the prescription in full and request that the pharmacy restrict health plan access to the information.

Right to Electronic Copies of Records

Individuals currently have a right to request a copy of their records. The new regulations provide a new right to consumers to obtain a copy of their records in electronic form when such information is maintained by the covered entity or business associate in electronic form in a designated record set. In addition, the individual has a right to direct the covered entity or business associate to transmit an electronic copy of the record directly to a person or entity designated by the individual. The covered entity may charge a fee, but the fee must not be greater than the covered entity's labor and material costs. The NPRM also would extend to paper records the right of an individual to direct a covered entity to send a copy of the records to a third party.

Prohibition on Sale of PHI

The proposed regulations prohibit a covered entity from directly or indirectly receiving remuneration in exchange for protected health information without an authorization by the individual that specifically addresses exchanges for remuneration. There are limited exceptions that include treatment, limited healthcare operations, public health activities, research where the payment reflects the cost of preparation and transmission of data, and for other disclosures either required by law or otherwise permitted under HIPAA.

Fundraising

The proposed regulations require that a covered entity provide a recipient of a fundraising communication with a "clear and conspicuous opportunity to opt-out" of further fundraising communications. If an individual opts out, the covered entity must not send further fundraising communications. Covered entities must include a statement of this right to opt out in their notice of privacy practices. Additionally, the opt-out mechanism must not require the individual who is opting out to incur an undue burden. A toll-free number or an e-mail address would be acceptable; requiring an individual to send a letter would not. HHS is requesting comments on: (1) whether the opt-out should apply to all future fundraising communications, or only to the campaign at issue; and (2) whether the information that can be used for fundraising should be broadened to include the department in which the individual received services and other information.

Research

In the proposed rule, HHS considers two revisions to the current requirements for research authorizations. First, the agency is proposing to allow covered entities to combine conditioned and unconditioned authorizations for research (e.g., authorization for research activities where treatment is conditioned on signing the authorization and activities where treatment is not conditioned on signing the authorization), provided that certain conditions are met. The authorization must clearly allow an individual the option of opting into the unconditioned research activities. Second, HHS is considering modifying its interpretation that an authorization for the use or disclosure of PHI for research must be study specific. In the proposed rule, HHS proposes several options and specifically requests comments on each of them.

Decedents

The proposed rule would remove HIPAA privacy protections for PHI of persons who have been deceased for more than 50 years and allow covered entities to disclose PHI to a family member or other individual involved in the care of a decedent, unless this disclosure is inconsistent with a prior expressed preference of the decedent.

Enforcement Provisions are Expanded and Enhanced

HHS is required by the HITECH statute to move toward a penalty-based system and away from the voluntary compliance framework used in the past. Civil and criminal penalties can now be applied directly to business associates and the proposed rule would amend the Enforcement Rule to make that clear. In addition, the proposed rule would require HHS to investigate any complaint and conduct compliance reviews in all cases where a preliminary review of the facts indicates a possible violation due to willful neglect.

The various "tiers" of penalties based on different levels of knowledge and/or willfulness have been modified and increased through both HITECH and subsequent HHS regulations. Penalties now range from $100 to $1.5 million, depending on the level of knowledge/willfulness and the number of violations in a calendar year, and apply to business associates as well as covered entities. Funds collected under civil penalties and related settlements are to be provided to the Office for Civil Rights (OCR) within HHS for purposes of further HIPAA enforcement.

The proposed rule also revises the definition of "reasonable cause" and deletes a provision that protected covered entities from enforcement liability for a violation by their business associates so long as certain conditions were met.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.