On July 8, 2010, the U.S. Department of Health and Human Services ("HHS") issued a notice of proposed rulemaking on Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic Clinical Health Act ("HITECH Act") (the "Proposed Rule"). Through the Proposed Rule, HHS seeks to implement statutory amendments under the HITECH Act, strengthen privacy and security protection of health information, and improve the workability and effectiveness of the HIPAA rules.
Although many of the proposed modifications in the Proposed Rule are rooted in the HITECH Act itself, HHS proposes several changes that are unrelated to the HITECH Act and that attempt to address issues that have been the source of industry confusion or concern for many years, including, for example, the handling of downstream business associates or subcontractors. In addition, HHS sets forth at the outset that there are a number of HIPAA issues that HHS has not addressed in the Proposed Rule, but that may be the source of future proposed rules and/or guidance, including, for example, accounting for disclosures of protected health information ("PHI"), the authority of the State Attorneys General to enforce the HIPAA rules, and the minimum necessary standard.
HHS also seeks comments on a number of other significant issues related to the HIPAA rules, including (1) the use of PHI for targeted fundraising, (2) issues HHS should address in its forthcoming minimum necessary guidance, and (3) authorizations for the use and disclosure of PHI for future research studies.
We highlight below a number of the salient issues addressed in the Proposed Rule.
Business Associates — Definition Expanded and Increased Duties and Penalties
The Proposed Rule would modify the definition of a business associate in a number of ways:
- Patient Safety. The Proposed Rule proposes to add
patient safety activities to the list of functions and activities
that would give rise to a business associate relationship, thereby
clarifying that Patient Safety Organizations ("PSOs") are
business associates.
- Data Transmission. As required by the HITECH Act, the
Proposed Rule explicitly designates — as business
associates — Health Information Organizations,
E-prescribing Gateways, or other persons that provide data
transmission services with respect to PHI that require routine
access to PHI, and personal health record ("PHR") vendors
who offer PHRs on behalf of a covered entity. Significantly, HHS
reiterates its earlier guidance that entities that act as
"mere conduits" for the transport of PHI, but do not
access the PHI, except randomly or infrequently, are not business
associates.
- Subcontractors. The Proposed Rule expands the definition of business associate to include subcontractors of business associates. According to HHS, these subcontractors, commonly referred to in the industry as "downstream business associates," would be required to comply with the applicable Privacy and Security Rule provisions in the same manner as the primary business associate, and would incur the same liability for noncompliance. Significantly, in the preamble, HHS also states that its proposed modifications would clarify that a person is a business associate if he/she/it meets the definition of a business associate, even if there is no required business associate agreement in place, and direct liability under the Privacy and Security Rules would attach regardless of the existence of such an agreement.
In addition to modifying the business associate definition, the Proposed Rule would create additional obligations and liability on business associates. Prior to the enactment of the HITECH Act, HIPAA applied to business associates only indirectly by way of the business associate's contractual obligations to the covered entity. Similarly, the penalty for a violation of these obligations was merely damages that resulted from any contractual breach (unless the business associate also happened to be a covered entity). The HITECH Act, and now the Proposed Rule, however, expand both the application of certain HIPAA requirements and penalties to business associates.
- Privacy Rule Obligations. The Proposed Rule would
require a business associate to use or disclose PHI only as
permitted by the Privacy Rule or Enforcement Rule and only
consistent with its obligations under its business associate
agreement with a covered entity (the provisions of which are
dictated by the Privacy Rule). The Proposed Rule also would require
business associates to (1) disclose PHI to HHS for compliance
purposes, (2) disclose PHI in an electronic format to a covered
entity, individual, or individual's designee in order for the
covered entity to comply with its obligations to provide electronic
access to PHI, (3) comply with the minimum necessary standard, (4)
take reasonable steps to cure a material breach of a subcontractor
or terminate the agreement with the subcontractor, and (5) to the
extent it carries out a covered entity's obligations under the
HIPAA rules, comply with the requirements of the Privacy
Rule.
- Security Rule Obligations. The Proposed Rule would
require business associates to comply with the Security Rule's
administrative, technical and physical safeguard requirements and
to implement security policies and procedures in the same manner as
a covered entity. HHS clarifies that although the HITECH Act
limited which sections of the Security Rule would apply, other
related provisions also apply to business associates where needed
to effectuate the applicability of those provisions set forth in
the HITECH Act. For example, although the HITECH Act did not
specify that 45 C.F.R. § 164.306 ("Security standards:
General rules") applies to business associates, the Proposed
Rule would make this provision applicable to business associates
because HHS believes that this section informs and governs those
sections of the Security Rule the HITECH Act made applicable to
business associates.
- Subcontractor Business Associate Agreements. The
Proposed Rule would clarify that covered entities are required to
enter into business associate agreements with their business
associates, but not directly with subcontractors. Rather, the
business associate who engages the subcontractor would be
responsible for entering into a business associate agreement with
that subcontractor. The subcontractor business associate agreement
would need to comply with the same Privacy and Security Rule
requirements as the original business associate agreement.
- Amendment of Business Associate Agreements. In
addition to the existing business associate agreement provisions
that are required under the Privacy Rule, under the Proposed Rule,
a business associate agreement would need to require that the
business associate (1) comply, where applicable, with the HIPAA
Security Rule with respect to electronic PHI, (2) report breaches
of unsecured PHI to covered entities as required by the HHS Breach
Notification Rule, and (3) ensure that any subcontractors agree to
the same restrictions.
- Compliance Date for Business Associate Agreement Amendments. To "prevent rushed and hasty changes to thousands of on-going existing business associate agreements," HHS proposes a transition period to modify business associate agreements. Under the Proposed Rule, if a then-HIPAA compliant agreement is in place prior to the publication of the final rule and the contract is not renewed or modified between the time period that is 60 days to 240 days after the publication of the final rule, the agreement will be deemed compliant until the earlier of (1) the date the agreement is renewed or modified on or after that 240 day post-publication date, or (2) the date that is one year and 240 days after that date of publication of the final rule.
Limitations on the Use and Disclosure of PHI
- Marketing.
  - Similar to almost all other HHS modifications to the Privacy Rule, the Proposed Rule further restricts the ways in which a covered entity may use or disclose PHI for marketing purposes.
  - For example, the Proposed Rule would modify the exceptions within the definition of marketing and certain notice and opt-out requirements where remuneration is received for making certain communications. Under the Proposed Rule, communications by a covered entity about a product or service that encourage the recipient of the communication to purchase or use the product or service would not be a marketing communication if the communication is:
    - for treatment by a health care provider (including for case management, care coordination or to recommend alternative treatments, therapies, health care providers, or settings of care to the individual), provided that if the communication is in writing and the covered entity receives remuneration for making the communication, certain notice and opt-out requirements are met;
    - to provide refill reminders or communicate about a drug or biologic currently prescribed to the individual, provided any remuneration received for making the communication is reasonably related to the cost of making the communication; or
    - for the following health care operations purposes, unless the covered entity receives remuneration for making the communication: (1) to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication; or (2) for case management or care coordination, contacting individuals with information about treatment alternatives, and related functions, to the extent these activities do not fall within the definition of treatment.
  - HHS is seeking comments on its proposed marketing modifications, including on whether, prior to making a treatment-related communication that involves remuneration, the covered entity should provide an individual with an opportunity to opt out.
- Fundraising.
  - The HITECH Act required HHS to issue a rule that requires all written fundraising communications to provide the recipient with an opportunity to opt out of any future fundraising communications. Thus, the Proposed Rule would make a number of modifications to the Privacy Rule with respect to fundraising. The Proposed Rule would:
    - require each fundraising communication to include a clear and conspicuous opportunity for the individual to elect not to receive further fundraising communications (HHS suggests a toll-free number, email address, or "other simple, quick and inexpensive way to opt out");
    - provide that treatment or payment cannot be conditioned on an individual's choice to receive fundraising communications;
    - provide that fundraising communications may not be sent to someone who has opted out of such communications; and
    - require a covered entity to include a statement in the notice of privacy practices that the entity may use and disclose PHI for fundraising but that individuals have the right to opt out of receiving these communications.
  - Significantly, HHS is seeking comments on two important topics related to fundraising. First, HHS is seeking comments about the fundraising communications to which an opt out should apply (e.g., all future fundraising or particular fundraising campaigns described in the letter). Second, HHS is seeking comments on whether and how the Privacy Rule should be modified to allow covered entities to conduct targeted fundraising campaigns.
- Sale of PHI. To implement the HITECH Act prohibition
against the sale of PHI, the Proposed Rule would modify that
provision of the Privacy Rule addressing authorizations for the use
and disclosure of PHI. The Proposed Rule would require a covered
entity to obtain the individual's authorization prior to
disclosing PHI in exchange for direct or indirect remuneration. As
was the case in the HITECH Act, the Proposed Rule would exclude
several disclosures of PHI made in exchange for remuneration.
Significantly, disclosures for the sale, transfer, merger, or
consolidation of all or part of a covered entity with another
covered entity, and related due diligence, would be excluded from
this authorization requirement.
- Research. The Proposed Rule would modify the
prohibition against compound authorizations in the research context
to permit a covered entity to combine the authorization for
research (which is a conditioned authorization) with an
unconditioned authorization, such as an authorization for specimen
collection for a central repository. In addition, in the Proposed
Rule, HHS specifically seeks comments on whether to modify the
requirement that a research authorization be research-study
specific. Modifying this requirement could allow covered entities
to obtain an authorization for future research purposes.
- Decedents' PHI. In an effort to respond to
concerns raised regarding the difficulty of protecting
decedents' PHI indefinitely, the Proposed Rule would modify the
Privacy Rule to require covered entities to protect a deceased
individual's PHI for 50 years following the date of death. The
Proposed Rule also would modify the definition of PHI to clarify
that PHI does not include information of a person who has been
deceased for more than 50 years. In addition, the Proposed Rule
would modify the provision that relates to disclosure to
individuals involved in a person's care or payment for that
care to permit a covered entity to disclose PHI to such a person
after the individual has died even when that person may not qualify
as a personal representative under applicable law.
- Student Immunization Records. The Proposed Rule would permit covered entities to disclose proof of immunizations to schools in states that have school entry or similar laws. However, HHS still is requiring covered entities to obtain an agreement, which may be oral, from the parent prior to making the disclosure. HHS is seeking comments on this agreement requirement.
Individual Rights
- Revisions to Notice of Privacy Practices. The Proposed
Rule would require covered entities to make revisions to their
notices of privacy practices to include certain specific
disclosures (e.g., disclosures for marketing and
fundraising and disclosures of psychotherapy notes). The Proposed
Rule also would modify the notice requirements regarding an
individual's right to request restrictions on the use and
disclosure of PHI and the covered entity's obligation with
respect to such request.
- Restrictions on Disclosures of PHI. The Privacy Rule
currently provides individuals with a right to request a
restriction on a covered entity's use or disclosure of PHI for
purposes of treatment, payment or health care operations.
Covered entities, however, currently have no corresponding
obligation to agree to that request. The Proposed Rule would require
covered entities to agree to a requested restriction if the
disclosure is to a health plan for purposes of payment or health
care operations and the PHI relates to a health care item or
service for which the health care provider has been paid out of
pocket in full.
- Access to PHI. The HITECH Act requires that in order to fulfill its obligation to provide access to PHI under the Privacy Rule, any covered entity that uses or maintains an electronic health record ("EHR") must provide an individual with a copy of such information in electronic format or, at the individual's request, transmit the information directly to a person or entity designated by the individual. The Proposed Rule would implement and expand this obligation by requiring that if PHI is maintained electronically in a designated record set, regardless of whether it is part of an EHR, the covered entity must provide the individual with access to the electronic information in the electronic form or format requested, if it is readily producible. In addition, if an individual requests that the PHI to which access is requested be sent to a third party, the covered entity must send the PHI directly to that third party.
Increased Enforcement and Penalties
The HITECH Act sought to put more teeth in HIPAA enforcement efforts by increasing civil penalties for HIPAA violations and, in certain cases, requiring formal investigations. HHS' proposed changes to the HIPAA Enforcement Rule are in line with that goal.
- Enforcement. Currently the Enforcement Rule says that HHS may investigate privacy complaints or conduct compliance reviews. The Proposed Rule would clarify that HHS will investigate complaints or conduct compliance reviews when a review of the facts indicates a potential violation due to willful neglect.
- Penalties.
  - The new tiered approach to civil monetary penalties required under the HITECH Act previously was incorporated into the HIPAA Enforcement Rule on October 30, 2009. In the Proposed Rule, however, HHS proposes a modified definition of "reasonable cause," which relates to violations in the second tier of the four-tiered structure for assessing penalties. The proposed definition includes circumstances that would make it unreasonable for a covered entity or business associate, despite ordinary business care and prudence, to comply with a HIPAA rule requirement, and those circumstances where a covered entity or business associate knows of the violation but such knowledge does not rise to the level of willful neglect.
  - The Proposed Rule would add references to business associates in the Enforcement Rule to impose liability directly on business associates for violations of the HITECH Act and applicable provisions of the HIPAA Privacy and Security Rules.
  - The Proposed Rule would modify language in the Enforcement Rule so that covered entities remain liable for the acts of their business associate agents, regardless of whether the covered entity and agent have a business associate agreement in place. In practice, this means that a covered entity remains liable for the failure of a business associate to perform HIPAA obligations on its behalf. In contrast, as HHS notes, this would not impose liability on covered entities with respect to business associates that are not agents (e.g., independent contractors).
  - The Proposed Rule also would modify the factors that HHS will take into account when considering the civil monetary penalties to impose and the affirmative defenses that exist with respect to civil monetary penalties.
The Proposed Rule is scheduled to be published in the Federal Register on July 14. Comments to the Proposed Rule must be submitted within 60 days of publication in the Federal Register. If you are interested in filing comments, either on your own behalf or as part of a larger group of entities, please contact us.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.