HIPAA and HITECH Proposed Regulations Released

August 4, 2010

Summary of Proposed Changes to Privacy, Security and Enforcement Rules

On July 14, 2010, the Department of Health and Human Services (HHS) published proposed regulations pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Except as otherwise noted, HHS generally intends to provide covered entities and business associates with a compliance period of 180 days following the release and effective date of the final rule.

The key provisions of the proposed regulations are as follows:

  1. The Privacy Rule:
    1. New Requirements for a Notice of Privacy Practices
    2. Direct Liability for Business Associates and New Requirements for Business Associate Agreements
    3. Privacy Protections and Individual Rights with Respect to Protected Health Information (PHI)
    4. The Minimum Necessary Standard
  2. The Security Rule: Extension of Security Rule Requirements to Business Associates
  3. The Enforcement Rule: Compliance and Investigations, Imposition of Civil Money Penalties, and Procedures for Hearings

This article is part of a series regarding the HITECH Act. Please see our previous alerts:

  • HHS Announces Notice of Proposed Rulemaking Modifying HIPAA Privacy, Security and Enforcement Rules under the HITECH Act (7/12/10)
  • Many HIPAA Changes under the HITECH Act Now Effective (2/18/10)
  • HIPAA Breach Notification Under HITECH: What Employers Should Do Now (9/8/2009)
  • HHS Issues Regulations Regarding Notification of Breaches of Unsecured Protected Health Information (8/24/2009)
  • HIPAA Guidance and Request for Comments: Securing Protected Health Information and Breach Notification (5/7/2009)
  • Federal Stimulus Bill Significantly Expands the Scope of HIPAA’s Privacy and Security Requirements (2/23/2009)

1. Privacy Rule

a. Notice of Privacy Practices

The Privacy Rule requires covered entities to issue a Notice of Privacy Practice (NPP) to patients or beneficiaries. An NPP describes the permissible uses and disclosures of PHI by the covered entity, the legal duties and privacy practices associated with the covered entity’s possession and use of PHI, and an individual’s rights concerning his or her own PHI.

Under the proposed regulations, in addition to existing regulatory requirements, the NPP must also contain separate statements if a covered entity intends to: (i) contact the individual to provide any health-related benefits or services, (ii) contact the individual to fundraise for the covered entity, or (iii) with respect to a group health plan, disclose PHI to the plan sponsor.

HHS requests comment as to whether the NPP should include a statement notifying recipients of the covered entity’s legal duty under the HITECH Act to provide notification to certain affected individuals, the media and HHS following a breach of PHI.

Generally, if there is a material change to the NPP, covered entities are required to provide a revised notice within 60 days of the change; however, because of the additional costs related to revising and redistributing NPPs as a result of the changes required by HITECH, the proposed regulations outline alternatives to delay or extend the application of the 60-day rule, which HHS may choose to adopt after it has received comments from NPP issuers.

b. Business Associates

i. Direct Liability for Business Associates

Under the HITECH Act, specific provisions of the Privacy Rule are now applicable to business associates. Business associates will face direct liability for noncompliance with Privacy Rule requirements. A business associate, like a covered entity, may not use or disclose PHI except as permitted or required by the Privacy Rule or the Enforcement Rule. If a covered entity and a business associate do not enter into a contract (or “business associate agreement”), the business associate may use or disclose PHI only as necessary to perform its obligations for the covered entity or as required by law; any other use or disclosure violates the Privacy Rule.

ii. Business-Associate Subcontractors

The proposed regulations change the Privacy Rule with respect to business associates’ arrangements with subcontractors. Pursuant to the HITECH Act, business associates must obtain satisfactory assurances, through a written contract or other arrangement, that the subcontractor will comply with the applicable requirements of the Privacy and Security Rules, and will appropriately safeguard all PHI that is either created or received.

Accordingly, business associates must now enter into a business associate agreement with any subcontractor. Under the proposed regulations, however, direct liability under HIPAA attaches to business associates and subcontractors regardless of whether the business associate and the business associate subcontractor have entered into a business associate agreement. Further, a business associate that is aware of noncompliance by its subcontractor must respond to the situation in an identical manner as a covered entity that is aware of noncompliance by its business associate.

iii. Time Frames for Compliance

The proposed regulations address the time frame within which covered entities and business associates must comply with the necessary business associate agreement updates. HHS recognizes that the 180-day compliance period may not be enough time to renegotiate all existing business associate agreements, and has provided that covered entities and business associates may, under certain circumstances, continue to operate under existing agreements for up to one year beyond the compliance date of the revisions to the Privacy, Security and Enforcement Rules.

c. Privacy Protections and Individual Rights with Respect to PHI

i. Sale of PHI

The proposed regulations seek to implement Section 13405(d) of the HITECH Act regarding restrictions on the sale of PHI. In addition, if the covered entity or business associate intends to receive direct or indirect remuneration in exchange for the PHI, that fact must be disclosed to the individual on the PHI authorization form. Similarly, each covered entity or business associate receiving PHI must obtain its own authorization in order to receive any remuneration in exchange for PHI. A single authorization for the sale of PHI does not travel downstream with the PHI as it is sold. HHS also proposes to clarify that Section 13405(d) of the HITECH Act exempts disclosures of PHI for research or public health activities in limited data set form from the authorization requirement, and has requested comments on the types of costs that should be permitted under the remuneration exception for research.

HHS has also suggested adding two additional exceptions to the prohibition on the sale of PHI: (i) for disclosures that are required by law, and (ii) for any other purpose permitted by and in accordance with subpart E of the Privacy Rule, provided that the remuneration received is a reasonable, cost-based fee designed to cover the expense of preparing and transmitting PHI for such purpose or is a fee otherwise expressly authorized by other law, including state law.

ii. Research

The proposed regulations amend the Privacy Rule to allow a covered entity to obtain compound authorizations for research activities. The proposed amendment permits covered entities to combine conditioned and unconditioned authorizations for research, provided that the authorization clearly differentiates between the research components and allows the individual to opt-in to the unconditioned research activities. HHS is also reconsidering its position that an authorization for the use or disclosure of PHI for research is research-study specific.

This potential change in HHS’ interpretation of the Privacy Rule is premised on the fact that effective clinical research often requires future research activities that were unforeseen and unaccounted for at the time of the individual’s initial authorization. HHS has not, however, modified its position that an individual may revoke his or her authorization for the use or disclosure of PHI for future research at any time; rather, HHS has requested comments on how a revocation would operate with respect to future downstream research studies.

iii. PHI about Decedents

HHS has also proposed to amend the Privacy Rule’s general rules regarding uses and disclosures of PHI of deceased individuals. Under the current regulatory scheme, the PHI of deceased individuals is treated the same as that of living individuals, requiring the personal representative of the decedent to authorize the use or disclosure of the decedent’s PHI where an authorization is required. The proposed regulations amend the Privacy Rule to require a covered entity to comply with the requirements pertaining to PHI of a deceased individual for a period of 50 years following the date of death. After 50 years, the individually identifiable health information of the decedent is no longer considered PHI under the Privacy Rule.

The proposed regulations also permit greater access to the PHI of a decedent by the decedent’s family and/or others that were involved in the decedent’s care. Unless the decedent previously expressed a preference that his or her PHI not be released to such individuals at any time, a covered entity will be allowed (but not required) to disclose PHI to the decedent’s family members and others involved in his or her care.

iv. Disclosure of Student Immunizations to Schools

In the proposed regulations, HHS acknowledges that the Privacy Rule has made it difficult for parents to provide (and for schools to obtain) the necessary immunization documentation required for school entry in most states. Accordingly, HHS proposes to amend the Privacy Rule to permit covered entities to disclose proof of immunization to schools in states with such school entry laws upon oral agreement from the parent, guardian, or other person authorized to provide a disclosure authorization.

v. Fundraising – Opportunity to Opt Out

The proposed regulations seek to strengthen an individual’s ability to prevent a covered entity from using or disclosing PHI to a business associate, or an institutionally related foundation, for fundraising purposes. Under the Privacy Rule, a covered entity is required to include a description of how the individual may opt out of receiving any further fundraising communications. The covered entity must make reasonable efforts to ensure that individuals who decide to opt out of receiving future fundraising communications are not sent such communications in any fundraising materials it sends to an individual.

The HITECH Act strengthens the “opt out” by requiring that a covered entity provide, with each fundraising communication sent to an individual, a clear and conspicuous opportunity for the individual to elect not to receive further fundraising communications. In the proposed regulations, HHS suggests the use of toll-free numbers and e-mail addresses as simple, quick and inexpensive ways for individuals to opt out of future fundraising. The proposed regulations also provide that a covered entity may not condition treatment or payment on an individual’s choice with respect to receiving fundraising communications.

vi. Right to Require Non-Disclosure for Out-of-Pocket Services

The proposed regulations implement the HITECH Act mandate that healthcare providers must comply with an individual’s request that PHI regarding a specific healthcare item or service not be disclosed to a health plan for purposes of payment or healthcare operations if the individual paid out-of-pocket, in full, for an item or service. This requirement became effective Feb. 18, 2010. HHS provides that it does not believe that a covered entity could require an individual to pay a provider out-of-pocket for all services that the individual receives in order to take advantage of the right to require non-disclosure, regardless of the particular healthcare items or service about which the individual requested the restriction.

HHS notes that due to the myriad of treatment interactions between covered entities and individuals, the regulations regarding the right of an individual to require non-disclosure for out-of-pocket services may be difficult to implement in some circumstances. HHS has requested comment on the types of interactions that would make requesting or implementing a restriction more difficult. HHS also requests comments on how this provision will function with respect to HMOs where the HMO pays a contracted provider based on the number of patients seen, where the HMO provider may not receive payment directly from a patient for the services provided. Finally, HHS requests comments regarding the termination of restrictions, such as when a patient’s subsequent care for a particular issue is paid by insurance after originally being paid out-of-pocket.

vii. Access by Individuals to PHI

Pursuant to the HITECH Act, a covered entity or business associate that maintains an electronic health record with respect to PHI must provide individuals with an electronic copy of such information. HHS proposes that if PHI is maintained electronically in one or more designated record sets, the covered entity must provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable format as agreed to by the covered entity and the individual.

HHS also recommends that if requested by an individual, a covered entity must transmit the requested copy of PHI directly to another person designated by the individual. In such a circumstance, the individual’s request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of the PHI. In addition, HHS proposes to use its broad statutory authority under HIPAA to expand the HITECH Act prescribed right of an individual to direct a covered entity to send a copy of records to a third party, to paper records as well as electronic records.

HHS requests comments on its presumption that covered entities have the capability of providing an electronic copy of PHI. In addition, HHS requests comments on the appropriate timeliness standards for provision of access by covered entities with electronic designated record sets.

d. Minimum Necessary

Under current law, a covered entity must generally make reasonable efforts to limit disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure. HHS is requesting public comment on the minimum necessary standard, including which aspects of the standard need further clarification or attention by HHS and the proper methods of determining the minimum necessary standard for purposes of Privacy Rule compliance. HHS proposes to leave existing regulatory provisions regarding the minimum necessary standard unchanged.

2. Security Rule

If finalized, the proposed regulations will update the Security Rule to reflect that all requirements imposed on covered entities, with respect to implementation of security standards, administrative safeguards, and organizational requirements, are extended to business associates.

3. Enforcement Rule

The HITECH Act requires HHS to investigate any complaint of a violation if the facts of the complaint after preliminary investigation indicate a possible violation due to willful neglect. The proposed regulations incorporate this change, and also mandate formal investigation based upon facts derived from complaints, as well as from HHS-initiated compliance reviews that suggest possible violation due to willful neglect. The new regulations propose to revise the Enforcement Rule to mandate the assessment of penalties for violations due to willful neglect, as required under the HITECH Act. Additionally, the proposed regulations allow HHS to share PHI acquired during an investigation, where permissible under the Privacy Rule, to aid cooperation with other law enforcement agencies.

The HITECH Act set new civil penalty tiers for violations of the act and other HIPAA-related mandates, and extended application of the Enforcement Rule to business associates. HHS issued interim final regulations last year which revised the Enforcement Rule to incorporate certain HITECH Act provisions. These new proposed regulations further revise the Enforcement Rule by including substantive changes with respect to compliance, investigations and the assessment of monetary penalties. HHS proposes to revise the list of factors that the Secretary must now consider when assessing monetary penalties. Additionally, the proposed regulations incorporate the extension of civil liability to business associates (and their agents) for violations, as required by the HITECH Act.