On July 14, 2010 the U.S. Department of Health and Human Services (HHS) published formal notice of its long-awaited proposed rule under the federal Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). The proposed rule includes important provisions that, when final, will require action by HIPAA covered entities (such as health providers and health plans), their business associates, and their subcontractors. Significant changes include revisions to HIPAA policies and procedures, business associate agreements (BAAs), and updates to HIPAA notice of privacy practices. It clarifies the duties and obligations of business associates and will require additional action steps for business associates such as certain IT vendors, billing companies, consultants, attorneys, and accountants to comply with HIPAA and HITECH. Comments to the proposed rule will be accepted until Sept. 13, 2010.

Status and Effective Date of the Proposed Rule

The proposed rule is open for public comments until Sept. 13, 2010. After that date, HHS will issue a final rule. The proposed rule provides some relief to covered entities and business associates who are concerned about how quickly they may be able to implement changes to policies and practices. The proposed rule would give business associates and covered entities a grace period of 180 days following the effective date of a final rule to come into compliance with the new rule. This grace period would potentially apply to other future rulemakings as well.

HIPAA Expanded to Include Business Associates and Their Subcontractors

One of the most significant provisions of the HITECH Act made business associates directly subject to the HIPAA privacy and security rules and to HIPAA's enforcement provisions, fines, and penalties. The proposed rule would implement this change and further extend the scope of HIPAA by making subcontractors of business associates also directly subject to HIPAA. As a result, any subcontractor (defined as a person who performs functions for or provides services to a business associate other than as a member of the business associate's workforce) would be subject to HIPAA if the subcontractor has access to protected health information (PHI). The proposed rule would also treat patient safety organizations, e-prescribing gateways, health information organizations, and vendors of personal health records as business associates that are directly subject to HIPAA.

Changes to Business Associate Agreements

The proposed rule includes widely anticipated changes that would be required to be incorporated into business associate agreements (BAAs) between covered entities and business associates. Under the proposed rule, BAAs can be streamlined with respect to the business associate's responsibilities to comply with the HIPAA privacy and security rules. The BAA would also need to make specific reference to the business associate's responsibility to report breaches in accordance with the breach notification rules promulgated under HITECH. In addition, business associates would be required to enter into a BAA with all subcontractors. HHS clarified in its comments to the proposed rule that a covered entity would not be required to enter into BAAs with a business associate's subcontractors. The proposed rule includes a transition provision that would give covered entities and business associates a maximum of one year from the effective date of the rule to come into compliance with new BAA requirements.

"Minimum Necessary" Rules Left Unchanged

HITECH directed HHS to issue guidance on the "minimum necessary rule," which generally requires covered entities and business associates to use or disclose only the minimum amount of PHI necessary to perform the task at hand. In the proposed rule HHS stated that until such guidance is issued, any use or disclosure of PHI should be limited to a limited data set, if practicable. HHS is seeking comments from the public about what further guidance HHS can provide to assist covered entities and business associates in determining how to comply with the minimum necessary rule.

Restriction of PHI Disclosure to Health Plan

The HITECH Act provided a new right for patients to restrict covered entities from disclosing their PHI to a health plan if the patient pays for the care out of pocket in full. The proposed rule implements that requirement. Under the proposed rule, a covered entity would be required to agree to such restrictions. In comments to the rule, HHS clarifies that a patient may restrict this type of disclosure for some items or services while still permitting it for others. For example, a patient can require their physician not to disclose health information related to their diabetes treatment (if the patient paid out of pocket in full) but direct the physician to submit PHI related to other health services to the patient's insurer. Under the proposed rule, the physician would be required to comply with this request and would need to find a way to segregate such information in health and payment records. HHS is specifically seeking comments on this part of the proposed rule, given the practical challenges that some covered entities may face in complying with this provision.

Material Changes to Notice of Privacy Practices

The proposed rule makes several changes to the statements required in the Notice of Privacy Practices (Notice). For example, the Notice would need to be revised to include a statement about the new rule that requires a covered entity to agree to an individual's request for a restriction of disclosure of PHI to a health plan if the individual has paid for the item or service in full and out of pocket. A covered entity's Notice would also need to be revised to specify that most uses and disclosures of psychotherapy notes, and uses and disclosures for marketing purposes, require an authorization. In addition, HHS is seeking comments on whether a statement about the HITECH breach notification rules should be included in the Notice.

In the proposed rule, HHS states that these modifications represent material changes to the Notice. Current HIPAA regulations require covered entities to promptly revise and distribute Notices when there is a material change to the Notice. In addition, health plans must provide notice of the material changes to individuals covered by the plan within 60 days of the material revisions. HHS recognizes that revising and redistributing the Notice will be costly and time consuming for covered entities, and is therefore seeking public comment on ways to communicate the changes in the Notice without placing an undue burden on health plans.

Other Changes

Other changes in the proposed rule include:

  • Less stringent restrictions on disclosure of PHI related to deceased individuals
  • A revised definition of marketing
  • Allowing combined authorizations for research
  • Allowing certain disclosures of student immunizations to schools

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.