August 4, 2010
Summary of Proposed Changes to Privacy, Security and Enforcement Rules
On July 14, 2010, the Department of Health and Human Services (HHS) published
proposed regulations pursuant to the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) and the Health Information Technology for
Economic and Clinical Health Act (HITECH Act). Except as otherwise noted, HHS
generally intends to provide covered entities and business associates with a
compliance period of 180 days following the release and effective date of the
final rule.
The key provisions of the proposed regulations are as follows:
- The Privacy Rule:
  - New Requirements for a Notice of Privacy Practices
  - Direct Liability for Business Associates and New Requirements for
    Business Associate Agreements
  - Privacy Protections and Individual Rights with Respect to Protected
    Health Information (PHI)
  - The Minimum Necessary Standard
- The Security Rule: Extension of Security Rule Requirements to
  Business Associates
- The Enforcement Rule: Compliance and Investigations, Imposition
  of Civil Money Penalties, and Procedures for Hearings
This article is part of a series regarding the HITECH Act. Please see our
previous alerts:
1. Privacy Rule
a. Notice of Privacy Practices
The Privacy Rule requires covered entities to issue a Notice of Privacy
Practices (NPP) to patients or beneficiaries. An NPP describes the permissible
uses and disclosures of PHI by the covered entity, the legal duties and privacy
practices associated with the covered entity’s possession and use of PHI, and an
individual’s rights concerning his or her own PHI.
Under the proposed regulations, in addition to existing regulatory
requirements, the NPP must also contain separate statements if a covered entity
intends to: (i) contact the individual to provide any health-related benefits or
services, (ii) contact the individual to fundraise for the covered entity, or
(iii) with respect to a group health plan, disclose PHI to the plan sponsor.
HHS requests comment as to whether the NPP should include a statement
notifying recipients of the covered entity’s legal duty under the HITECH Act to
provide notification to certain affected individuals, the media and HHS
following a breach of PHI.
Generally, if there is a material change to the NPP, covered entities are
required to provide a revised notice within 60 days of the change; however,
because of the additional costs related to revising and redistributing NPPs as a
result of the changes required by HITECH, the proposed regulations outline
alternatives to delay or extend the application of the 60-day rule, which HHS
may choose to adopt after it has received comments from NPP issuers.
b. Business Associates
i. Direct Liability for Business Associates
Under the HITECH Act, specific provisions of the Privacy Rule are now
applicable to business associates. Business associates will face direct
liability for noncompliance with Privacy Rule requirements. A business
associate, like a covered entity, may not use or disclose PHI except as
permitted or required by the Privacy Rule or the Enforcement Rule. If a covered
entity and a business associate do not enter into a contract (or “business
associate agreement”), the business associate may use or disclose PHI only as
necessary to perform its obligations for the covered entity or as required by
law; any other use or disclosure violates the Privacy Rule.
ii. Business-Associate Subcontractors
The proposed regulations change the Privacy Rule with respect to business
associates’ arrangements with subcontractors. Pursuant to the HITECH Act,
business associates must obtain satisfactory assurances, through a written
contract or other arrangement, that the subcontractor will comply with the
applicable requirements of the Privacy and Security Rules, and will
appropriately safeguard all PHI that is either created or received.
Accordingly, business associates must now enter into a business associate
agreement with any subcontractor. Under the proposed regulations, however,
direct liability under HIPAA attaches to business associates and subcontractors
regardless of whether the business associate and the business associate
subcontractor have entered into a business associate agreement. Further, a
business associate that is aware of noncompliance by its subcontractor must
respond to the situation in an identical manner as a covered entity that is
aware of noncompliance by its business associate.
iii. Time Frames for Compliance
The proposed regulations address the time frame within which covered entities
and business associates must comply with the necessary business associate
agreement updates. HHS recognizes that the 180-day compliance period may not be
enough time to renegotiate all existing business associate agreements, and has
provided that covered entities and business associates may, under certain
circumstances, continue to operate under existing agreements for up to one year
beyond the compliance date of the revisions to the Privacy, Security and
Enforcement Rules.
c. Privacy Protections and Individual Rights with Respect to PHI
i. Sale of PHI
The proposed regulations seek to implement Section 13405(d) of the HITECH Act
regarding restrictions on the sale of PHI. In addition, if the covered entity or
business associate intends to receive direct or indirect remuneration in
exchange for the PHI, that fact must be disclosed to the individual on the PHI
authorization form. Similarly, each covered entity or business associate
receiving PHI must obtain its own authorization in order to receive any
remuneration in exchange for PHI. A single authorization for the sale of PHI
does not travel downstream with the PHI as it is sold. HHS also proposes to
clarify that Section 13405(d) of the HITECH Act exempts disclosures of PHI for
research or public health activities in limited data set form from the
authorization requirement, and has requested comments on the types of costs that
should be permitted under the remuneration exception for research.
HHS has also suggested adding two additional exceptions to the prohibition on
the sale of PHI: (i) for disclosures that are required by law, and (ii) for any
other purpose permitted by and in accordance with subpart E of the Privacy Rule,
provided that the remuneration received is a reasonable, cost-based fee designed
to cover the expense of preparing and transmitting PHI for such purpose or is a
fee otherwise expressly authorized by other law, including state law.
ii. Research
The proposed regulations amend the Privacy Rule to allow a covered entity to
obtain compound authorizations for research activities. The proposed amendment
permits covered entities to combine conditioned and unconditioned authorizations
for research, provided that the authorization clearly differentiates between the
research components and allows the individual to opt-in to the unconditioned
research activities. HHS is also reconsidering its position that an
authorization for the use or disclosure of PHI for research is research-study
specific.
This potential change in HHS’ interpretation of the Privacy Rule is premised
on the fact that effective clinical research often requires future research
activities that were unforeseen and unaccounted for at the time of the
individual’s initial authorization. HHS has not, however, modified its position
that an individual may revoke his or her authorization for the use or disclosure
of PHI for future research at any time; rather, HHS has requested comments on
how a revocation would operate with respect to future downstream research
studies.
iii. PHI about Decedents
HHS has also proposed to amend the Privacy Rule’s general rules regarding
uses and disclosures of PHI of deceased individuals. Under the current
regulatory scheme, the PHI of deceased individuals is treated the same as that
of living individuals, requiring the personal representative of the decedent to
authorize the use or disclosure of the decedent’s PHI where an authorization is
required. The proposed regulations amend the Privacy Rule to require a covered
entity to comply with the requirements pertaining to PHI of a deceased
individual for a period of 50 years following the date of death. After 50 years,
the individually identifiable health information of the decedent is no longer
considered PHI under the Privacy Rule.
The proposed regulations also permit greater access to the PHI of a decedent
by the decedent’s family and/or others that were involved in the decedent’s
care. Unless the decedent previously expressed a preference that his or her PHI
not be released to such individuals at any time, a covered entity will be
allowed (but not required) to disclose PHI to the decedent’s family members and
others involved in his or her care.
iv. Disclosure of Student Immunizations to Schools
In the proposed regulations, HHS acknowledges that the Privacy Rule has made
it difficult for parents to provide (and for schools to obtain) the necessary
immunization documentation required for school entry in most states.
Accordingly, HHS proposes to amend the Privacy Rule to permit covered entities
to disclose proof of immunization to schools in states with such school entry
laws upon oral agreement from the parent, guardian, or other person authorized
to provide a disclosure authorization.
v. Fundraising - Opportunity to Opt Out
The proposed regulations seek to strengthen an individual’s ability to
prevent a covered entity from using or disclosing PHI to a business associate,
or an institutionally related foundation, for fundraising purposes. Under the
Privacy Rule, a covered entity is required to include a description of how the
individual may opt out of receiving any further fundraising communications. The
covered entity must make reasonable efforts to ensure that individuals who
have opted out of receiving future fundraising communications are not sent
such communications.
The HITECH Act strengthens the “opt out” by requiring that a covered entity
provide, with each fundraising communication sent to an individual, a clear and
conspicuous opportunity for the individual to elect not to receive further
fundraising communications. In the proposed regulations, HHS suggests the use of
toll-free numbers and e-mail addresses as simple, quick and inexpensive ways for
individuals to opt out of future fundraising. The proposed regulations also
provide that a covered entity may not condition treatment or payment on an
individual’s choice with respect to receiving fundraising communications.
vi. Right to Require Non-Disclosure for Out-of-Pocket Services
The proposed regulations implement the HITECH Act mandate that healthcare
providers must comply with an individual’s request that PHI regarding a specific
healthcare item or service not be disclosed to a health plan for purposes of
payment or healthcare operations if the individual paid out-of-pocket, in full,
for an item or service. This requirement became effective Feb. 18, 2010. HHS
states that it does not believe a covered entity could require an individual
to pay out-of-pocket for all services the individual receives in order to take
advantage of the right to require non-disclosure, regardless of the particular
healthcare items or services about which the individual requested the
restriction.
HHS notes that, because of the myriad treatment interactions between covered
entities and individuals, the regulations regarding the right of an individual
to require non-disclosure for out-of-pocket services may be difficult to
implement in some circumstances. HHS has requested comment on the types of
interactions that would make requesting or implementing a restriction more
difficult. HHS also requests comments on how this provision will function with
respect to HMOs where the HMO pays a contracted provider based on the number of
patients seen, where the HMO provider may not receive payment directly from a
patient for the services provided. Finally, HHS requests comments regarding the
termination of restrictions, such as when a patient’s subsequent care for a
particular issue is paid by insurance after originally being paid out-of-pocket.
vii. Access by Individuals to PHI
Pursuant to the HITECH Act, a covered entity or business associate that
maintains an electronic health record with respect to PHI must provide
individuals with an electronic copy of such information. HHS proposes that if
PHI is maintained electronically in one or more designated record sets, the
covered entity must provide the individual with access to the electronic
information in the electronic form and format requested by the individual, if it
is readily producible, or, if not, in a readable format as agreed to by the
covered entity and the individual.
HHS also recommends that if requested by an individual, a covered entity must
transmit the requested copy of PHI directly to another person designated by the
individual. In such a circumstance, the individual’s request must be in writing,
signed by the individual, and clearly identify the designated person and where
to send the copy of the PHI. In addition, HHS proposes to use its broad
statutory authority under HIPAA to extend the right prescribed by the HITECH
Act, under which an individual may direct a covered entity to send a copy of
records to a third party, to paper records as well as electronic records.
HHS requests comments on its presumption that covered entities have the
capability of providing an electronic copy of PHI. In addition, HHS requests
comments on the appropriate timeliness standards for provision of access by
covered entities with electronic designated record sets.
d. Minimum Necessary
Under current law, a covered entity must generally make reasonable efforts to
limit disclosure of PHI to the minimum necessary to accomplish the intended
purpose of the use or disclosure. HHS is requesting public comment on the
minimum necessary standard, including which aspects of the standard need further
clarification or attention by HHS and the proper methods of determining the
minimum necessary standard for purposes of Privacy Rule compliance. HHS proposes
to leave existing regulatory provisions regarding the minimum necessary standard
unchanged.
2. Security Rule
If finalized, the proposed regulations will update the Security Rule to
reflect that all requirements imposed on covered entities, with respect to
implementation of security standards, administrative safeguards, and
organizational requirements, are extended to business associates.
3. Enforcement Rule
The HITECH Act requires HHS to investigate any complaint of a violation if
the facts of the complaint after preliminary investigation indicate a possible
violation due to willful neglect. The proposed regulations incorporate this
change, and also mandate formal investigation based upon facts derived from
complaints, as well as from HHS-initiated compliance reviews that suggest
possible violation due to willful neglect. The new regulations propose to revise
the Enforcement Rule to mandate the assessment of penalties for violations due
to willful neglect, as required under the HITECH Act. Additionally, the proposed
regulations allow HHS to share PHI acquired during an investigation, where
permissible under the Privacy Rule, to aid cooperation with other law
enforcement agencies.
The HITECH Act set new civil penalty tiers for violations of the Act and
other HIPAA-related mandates, and extended application of the Enforcement Rule
to business associates. HHS issued interim final regulations last year which
revised the Enforcement Rule to incorporate certain HITECH Act provisions. These
new proposed regulations further revise the Enforcement Rule by including
substantive changes with respect to compliance, investigations and the
assessment of monetary penalties. HHS proposes to revise the list of factors
that the Secretary must now consider when assessing monetary penalties.
Additionally, the proposed regulations incorporate the extension of civil
liability to business associates (and their agents) for violations, as required
by the HITECH Act.