On July 8, 2010, the U.S. Department of Health and Human Services ("HHS") issued a notice of proposed rulemaking on Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act ("HITECH Act") (the "Proposed Rule"). Through the Proposed Rule, HHS seeks to implement statutory amendments under the HITECH Act, strengthen privacy and security protection of health information, and improve the workability and effectiveness of the HIPAA rules.

Although many of the proposed modifications in the Proposed Rule are rooted in the HITECH Act itself, HHS proposes several changes that are unrelated to the HITECH Act and that attempt to address issues that have been the source of industry confusion or concern for many years, including, for example, the handling of downstream business associates or subcontractors. In addition, HHS sets forth at the outset that there are a number of HIPAA issues that HHS has not addressed in the Proposed Rule, but that may be the source of future proposed rules and/or guidance, including, for example, accounting for disclosures of protected health information ("PHI"), the authority of the State Attorneys General to enforce the HIPAA rules, and the minimum necessary standard.

HHS also seeks comments on a number of other significant issues related to the HIPAA rules, including (1) the use of PHI for targeted fundraising, (2) issues HHS should address in its forthcoming minimum necessary guidance, and (3) authorizations for the use and disclosure of PHI for future research studies.

We highlight below a number of the salient issues addressed in the Proposed Rule.

Business Associates — Definition Expanded and Increased Duties and Penalties

The Proposed Rule would modify the definition of a business associate in a number of ways:

  • Patient Safety. The Proposed Rule proposes to add patient safety activities to the list of functions and activities that would give rise to a business associate relationship, thereby clarifying that Patient Safety Organizations ("PSOs") are business associates.
  • Data Transmission. As required by the HITECH Act, the Proposed Rule explicitly designates — as business associates — Health Information Organizations, E-prescribing Gateways, or other persons that provide data transmission services with respect to PHI that require routine access to PHI, and personal health record ("PHR") vendors who offer PHRs on behalf of a covered entity. Significantly, HHS reiterates its earlier guidance that entities that act as "mere conduits" for the transport of PHI, but do not access the PHI, except randomly or infrequently, are not business associates.
  • Subcontractors. The Proposed Rule expands the definition of business associate to include subcontractors of business associates. According to HHS, these subcontractors, commonly referred to in the industry as "downstream business associates," would be required to comply with the applicable Privacy and Security Rule provisions in the same manner as the primary business associate, and would incur the same liability for noncompliance. Significantly, in the preamble, HHS also states that its proposed modifications would clarify that a person is a business associate if he/she/it meets the definition of a business associate, even if there is no required business associate agreement in place, and direct liability under the Privacy and Security Rules would attach regardless of the existence of such an agreement.

In addition to modifying the business associate definition, the Proposed Rule would impose additional obligations and liability on business associates. Prior to the enactment of the HITECH Act, HIPAA applied to business associates only indirectly, by way of the business associate's contractual obligations to the covered entity. Similarly, the penalty for a violation of these obligations was merely the damages that resulted from any contractual breach (unless the business associate also happened to be a covered entity). The HITECH Act, and now the Proposed Rule, however, extend both certain HIPAA requirements and the associated penalties directly to business associates.

  • Privacy Rule Obligations. The Proposed Rule would require a business associate to use or disclose PHI only as permitted by the Privacy Rule or Enforcement Rule and only consistent with its obligations under its business associate agreement with a covered entity (the provisions of which are dictated by the Privacy Rule). The Proposed Rule also would require business associates to (1) disclose PHI to HHS for compliance purposes, (2) disclose PHI in an electronic format to a covered entity, individual, or individual's designee in order for the covered entity to comply with its obligations to provide electronic access to PHI, (3) comply with the minimum necessary standard, (4) take reasonable steps to cure a material breach by a subcontractor or terminate the agreement with the subcontractor, and (5) to the extent it carries out a covered entity's obligations under the HIPAA rules, comply with the requirements of the Privacy Rule.
  • Security Rule Obligations. The Proposed Rule would require business associates to comply with the Security Rule's administrative, technical and physical safeguard requirements and to implement security policies and procedures in the same manner as a covered entity. HHS clarifies that although the HITECH Act limited which sections of the Security Rule would apply, other related provisions also apply to business associates where needed to effectuate the applicability of those provisions set forth in the HITECH Act. For example, although the HITECH Act did not specify that 45 C.F.R. § 164.306 ("Security standards: General rules") applies to business associates, the Proposed Rule would make this provision applicable to business associates because HHS believes that this section informs and governs those sections of the Security Rule the HITECH Act made applicable to business associates.
  • Subcontractor Business Associate Agreements. The Proposed Rule would clarify that covered entities are required to enter into business associate agreements with their business associates, but not directly with subcontractors. Rather, the business associate who engages the subcontractor would be responsible for entering into a business associate agreement with that subcontractor. The subcontractor business associate agreement would need to comply with the same Privacy and Security Rule requirements as the original business associate agreement.
  • Amendment of Business Associate Agreements. In addition to the existing business associate agreement provisions that are required under the Privacy Rule, under the Proposed Rule, a business associate agreement would need to require that the business associate (1) comply, where applicable, with the HIPAA Security Rule with respect to electronic PHI, (2) report breaches of unsecured PHI to covered entities as required by the HHS Breach Notification Rule, and (3) ensure that any subcontractors agree to the same restrictions.
  • Compliance Date for Business Associate Agreement Amendments. To "prevent rushed and hasty changes to thousands of on-going existing business associate agreements," HHS proposes a transition period for modifying business associate agreements. Under the Proposed Rule, if a then-HIPAA-compliant agreement is in place prior to the publication of the final rule and the contract is not renewed or modified during the period from 60 days to 240 days after the publication of the final rule, the agreement will be deemed compliant until the earlier of (1) the date the agreement is renewed or modified on or after that 240-day post-publication date, or (2) the date that is one year and 240 days after the date of publication of the final rule.

Limitations on the Use and Disclosure of PHI

  • Marketing.
    • Similar to almost all other HHS modifications to the Privacy Rule, the Proposed Rule further restricts the ways in which a covered entity may use or disclose PHI for marketing purposes.
    • For example, the Proposed Rule would modify the exceptions within the definition of marketing and certain notice and opt out requirements where remuneration is received for making certain communications. Under the Proposed Rule, communications by a covered entity about a product or service that encourages the recipient of the communication to purchase or use the product or service would not be a marketing communication if that communication is:
      • for treatment by a health care provider (including for case management, care coordination or to recommend alternative treatments, therapies, health care providers, or settings of care to the individual), provided that if the communication is in writing and the covered entity receives remuneration for making the communication, certain notice and opt out requirements are met;
      • to provide refill reminders or communicate about a drug or biologic currently prescribed to the individual, provided any remuneration received for making the communication is reasonably related to the cost of making the communication; or
      • for the following health care operations purposes, unless the covered entity receives remuneration for making the communication: (1) to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication; or (2) for case management or care coordination, contacting individuals with information about treatment alternatives, and related functions, to the extent these activities do not fall within the definition of treatment.
    • HHS is seeking comments on its proposed marketing modifications, including on whether, prior to making a treatment related communication that involves remuneration, the covered entity should provide an individual with an opportunity to opt out.
  • Fundraising.
    • The HITECH Act required HHS to issue a rule that requires all written fundraising communications to provide the recipient with an opportunity to opt out of any future fundraising communications. Thus, the Proposed Rule would make a number of modifications to the Privacy Rule with respect to fundraising. The Proposed Rule would:
      • require each fundraising communication to include a clear and conspicuous opportunity for the individual to elect not to receive further fundraising communications (HHS suggests a toll-free number, email address, or "other simple, quick and inexpensive way to opt out");
      • provide that treatment or payment cannot be conditioned on an individual's choice to receive fundraising communications;
      • provide that fundraising communication may not be sent to someone who has opted out of such communications; and
      • require a covered entity to include a statement in the notice of privacy practices that the entity may use and disclose PHI for fundraising but that individuals have the right to opt out of receiving these communications.
    • Significantly, HHS is seeking comments on two important topics related to fundraising. First, HHS is seeking comments about the fundraising communications to which an opt out should apply (e.g., all future fundraising or particular fundraising campaigns described in the letter). Second, HHS is seeking comments on whether and how the Privacy Rule should be modified to allow covered entities to conduct targeted fundraising campaigns.
  • Sale of PHI. To implement the HITECH Act prohibition against the sale of PHI, the Proposed Rule would modify that provision of the Privacy Rule addressing authorizations for the use and disclosure of PHI. The Proposed Rule would require a covered entity to obtain the individual's authorization prior to disclosing PHI in exchange for direct or indirect remuneration. As was the case in the HITECH Act, the Proposed Rule would exclude several disclosures of PHI made in exchange for remuneration. Significantly, disclosures for the sale, transfer, merger, or consolidation of all or part of a covered entity with another covered entity, and related due diligence, would be excluded from this authorization requirement.
  • Research. The Proposed Rule would modify the prohibition against compound authorizations in the research context to permit a covered entity to combine the authorization for research (which is a conditioned authorization) with an unconditioned authorization, such as an authorization for specimen collection for a central repository. In addition, in the Proposed Rule, HHS specifically seeks comments on whether to modify the requirement that a research authorization be research-study specific. Modifications to this requirement could allow covered entities to obtain an authorization for future research purposes.
  • Decedents' PHI. In an effort to respond to concerns raised regarding the difficulty of protecting decedents' PHI indefinitely, the Proposed Rule would modify the Privacy Rule to require covered entities to protect a deceased individual's PHI for 50 years following the date of death. The Proposed Rule also would modify the definition of PHI to clarify that PHI does not include information of a person who has been deceased for more than 50 years. In addition, the Proposed Rule would modify the provision that relates to disclosure to individuals involved in a person's care or payment for that care to permit a covered entity to disclose PHI to such a person after the individual has died even when that person may not qualify as a personal representative under applicable law.
  • Student Immunization Records. The Proposed Rule would permit covered entities to disclose proof of immunizations to schools in states that have school entry or similar laws. However, HHS still is requiring covered entities to obtain an agreement, which may be oral, from the parent prior to making the disclosure. HHS is seeking comments on this agreement requirement.

Individual Rights

  • Revisions to Notice of Privacy Practices. The Proposed Rule would require covered entities to make revisions to their notices of privacy practices to include certain specific disclosures (e.g., disclosures for marketing and fundraising and disclosures of psychotherapy notes). The Proposed Rule also would modify the notice requirements regarding an individual's right to request restrictions on the use and disclosure of PHI and the covered entity's obligation with respect to such request.
  • Restrictions on Disclosures of PHI. The Privacy Rule currently provides individuals with a right to request a restriction on a covered entity's use or disclosure of PHI for purposes of treatment, payment or health care operations. Covered entities, however, have no corresponding obligation to agree to that request. The Proposed Rule would require covered entities to agree to a requested restriction if the disclosure is to a health plan for purposes of payment or health care operations and the PHI relates to a health care item or service for which the health care provider has been paid out of pocket in full.
  • Access to PHI. The HITECH Act requires that, in order to fulfill its obligation to provide access to PHI under the Privacy Rule, any covered entity that uses or maintains an electronic health record ("EHR") must provide an individual with a copy of such information in electronic format or, at the individual's request, transmit the information directly to a person or entity designated by the individual. The Proposed Rule would implement and expand this obligation by requiring that if PHI is maintained electronically in a designated record set, regardless of whether it is part of an EHR, the covered entity must provide the individual with access to the electronic information in the electronic form or format requested, if it is readily producible. In addition, if an individual requests that the PHI to which he or she is requesting access be sent to a third party, the covered entity must send the PHI directly to that third party.

Increased Enforcement and Penalties

The HITECH Act sought to put more teeth in HIPAA enforcement efforts by increasing civil penalties for HIPAA violations and, in certain cases, requiring formal investigations. HHS' proposed changes to the HIPAA Enforcement Rule are in line with that goal.

  • Enforcement.
    • Currently the Enforcement Rule says that HHS may investigate privacy complaints or conduct compliance reviews. The Proposed Rule would clarify that HHS will investigate complaints or conduct compliance reviews when a review of the facts indicates a potential violation due to willful neglect.

  • Penalties.
    • The new tiered approach to civil monetary penalties required under the HITECH Act previously was incorporated into the HIPAA Enforcement Rule on October 30, 2009. In the Proposed Rule, however, HHS proposes a modified definition of "reasonable cause," which relates to violations in the second tier of the four-tiered structure for assessing penalties. The proposed definition includes circumstances that would make it unreasonable for a covered entity or business associate, despite ordinary business care and prudence, to comply with a HIPAA rule requirement, and those circumstances where a covered entity or business associate knows of the violation but such knowledge does not rise to the level of willful neglect.
    • The Proposed Rule would add references to business associates in the Enforcement Rule to impose liability directly on business associates for violations of the HITECH Act and applicable provisions of the HIPAA Privacy and Security Rules.
    • The Proposed Rule would modify language in the Enforcement Rule so that covered entities remain liable for the acts of their business associate agents, regardless of whether the covered entity and agent have a business associate agreement in place. In practice, this means that a covered entity remains liable for the failure of a business associate to perform HIPAA obligations on its behalf. In contrast, as HHS notes, this would not impose liability on covered entities with respect to business associates that are not agents (e.g., independent contractors).
    • The Proposed Rule also would modify the factors that it will take into account when considering the civil monetary penalties to impose and the affirmative defenses that exist with respect to civil monetary penalties.

The Proposed Rule is scheduled to be published in the Federal Register on July 14. Comments on the Proposed Rule must be submitted within 60 days of publication in the Federal Register. If you are interested in filing comments, either on your own behalf or as part of a larger group of entities, please contact us.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.