Tuesday, September 18, 2012

HHS Proposes Significant HIPAA Changes.(Health Insurance Portability and Accountability Act)(Health and Human Services)(Health Information Technology for Economic and Clinical Health Act) - Mondaq Business Briefing

On July 14, 2010, the Department of Health and Human Services (HHS) published notice of proposed rulemaking to modify the HIPAA privacy, security, and enforcement rules under the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The HITECH Act made a number of significant changes to HIPAA, including adding a new notification requirement for breaches of unsecured protected health information, extending the application of certain HIPAA requirements to business associates, modifying a number of HIPAA privacy standards, and enhancing the penalties for violations.

The notice proposes regulations to implement several HITECH changes and proposes other revisions to the existing HIPAA rules. Public comments on the proposed rule are due 60 days after publication.

Effective and Compliance Dates

Many HITECH changes became effective on February 18, 2010. Recognizing that covered entities and business associates cannot readily comply with the changes prior to the adoption of final rules, and that after the final rule is published organizations will need time to come into compliance, HHS has stated that for most provisions, covered entities and business associates will have 180 days after the publication of the final rule to comply. In addition, HHS proposed an additional one-year transition period to modify certain business associate agreements. Covered entities and business associates should note that the enforcement changes and security breach notification requirements are not subject to these delayed implementation dates and are already in effect.

Business Associates

Some of the proposed rule's most significant changes impact business associates. First, consistent with HITECH, certain definitions would be updated. For example, the definition of a business associate would include health information organizations, a category that includes health information exchange organizations, e-prescribing gateways, regional health information organizations, and other data transmission organizations that access protected health information on a routine basis. In addition, the definition of a business associate activity would include patient safety activities.

Second, the rule would address the application of the Privacy Rule to business associates by providing expressly that business associates could use or disclose protected health information (PHI) only as permitted or required by their business associate agreements or as required by law. If there is no business associate agreement in place, the business associate's use of protected health information would be limited to uses and disclosures required to perform its obligations under the underlying services agreement or as required by law. The proposed rule would also extend the application of the minimum necessary standard to business associates.

Third, the rule would expand the provisions of the HIPAA Security Rule that apply to business associates under HITECH to include the general implementation provisions found in 45 CFR 164.306. This section sets out general rules that apply to all the HIPAA security standards and their implementation.

Fourth, the rule would expand the reach of HIPAA's business associate requirements by imposing on subcontractors of a business associate the same HIPAA obligations that apply to the business associate. The effect would be to make a business associate's subcontractor a business associate of the covered entity if the subcontractor creates, receives, maintains, or transmits PHI. Among other things, this would require subcontractors to comply with the Security Rule and report breaches of unsecured protected health information and security incidents to the business associate. The proposed rule would not require covered entities to enter into business associate agreements with their business associate's subcontractors, but the business associate would need such an agreement with the subcontractor. Subcontractors would also be subject to direct enforcement by HHS of the provisions of the HIPAA Privacy and Security Rules that apply to business associates.

Finally, the proposed rule includes transition provisions for the business associate changes. These provisions would allow covered entities, business associates and subcontractors to continue to operate under existing business associate agreements for up to one year beyond the compliance date for the final rule if the parties had an agreement in place that complied with the prior provisions of the HIPAA rules and the contract was not renewed or modified between the effective date and the compliance date of the modifications to the HIPAA rules.

Changes to the Notice of Privacy Practices

Due to the HITECH Act's changes to HIPAA, HHS is amending the Privacy Rule to require covered entities to modify their notice of privacy practices (NPP) and distribute them to affected individuals to advise them of several now-strengthened privacy protections, including: (1) the addition of the sale of PHI as a use or disclosure that requires the express written authorization of the individual; (2) a separate statement that provides advance notice to the patient if a health care provider receives payment from a third party to send treatment communications to the patient about that party's products or services; and (3) the right of the patient to restrict disclosures of PHI to a health plan with respect to treatment services for which the patient has paid out of pocket in full.

In one of the more entertaining parts of the proposed rulemaking notice, HHS estimates that these changes will cost more than 700,000 providers nationwide $46 million and assumes that each provider can read, understand, and assimilate these changes into a newly drafted and printed NPP in less than 20 minutes.

Access Right Changes

Under the proposed regulations, if a covered entity maintains PHI electronically (not just in an electronic health record, as proposed by HITECH) and a patient requests his or her PHI in electronic format, the covered entity or business associate must provide the information in the electronic format requested by the patient if readily producible in that format, or, if not, in a different electronic format agreed to by the covered entity and the patient.

If the covered entity provides a patient with electronic access to PHI, the rule would only allow the covered entity to charge the costs of labor associated with the preparation of the request. The proposed rule clarifies the labor and supply costs applicable to preparation of electronic requests vs. paper requests.

Labor costs to produce an electronic copy involve the cost of reviewing and preparing the copy. Standard 'retrieval fees' that do not reflect actual labor costs, or that incorporate the costs of technical problems experienced by the covered entity, are not acceptable. Supplies for an electronic copy apply only to the cost of the media, if applicable, for providing the information to the patient. If the patient provides the media (e.g., a CD or flash drive), there would be no cost for the media. Similarly, HHS expects that covered entities will not charge patients for e-mailing their PHI to them. Finally, HHS is seeking comments on whether the 30-day timely response deadline should be shortened with respect to providing access to electronic PHI.

Requests for Restrictions

The HITECH Act requires that when a patient requests a restriction on disclosure of his or her PHI, the covered entity must agree to the requested restriction if it pertains to disclosures of PHI to a health plan for the purpose of carrying out payment or health care operations and if the restriction applies to PHI that pertains solely to a health care item or service for which the provider has been paid out of pocket in full.

This was a change from previous privacy rule provisions that said that a covered entity was not required to agree to requested restrictions. To implement this change, HHS proposes to add conforming language to the section of the Privacy Rule setting forth the right to request restrictions, and reflecting the mandatory nature of the restriction required by the HITECH Act.

HHS also clarifies in its preamble discussion that a provider cannot require the patient to apply the restriction to all care given by the provider, nor can a provider require that the patient pay out of pocket for all types of care given by the provider--even though doubtless this would be administratively simpler for the provider. It is unclear how this provision will function with respect to HMOs and other global payment systems where, for example, a patient may pay a flat co-payment for every visit regardless of the treatment or service provided. Such patients may need to use an out-of-network provider if they wish to ensure that certain PHI is not disclosed by their HMO or other system providers.

Marketing

Under HITECH, certain communications to encourage the use of a product or service that were previously excluded from the definition of marketing are treated as marketing communications (and therefore subject to an authorization requirement) if the covered entity receives remuneration for making them. The proposed rule adds to the complexity by distinguishing communications made for treatment purposes from those made for health care operations. No patient authorization would be required for treatment communications, even if the covered entity receives remuneration for making individual treatment communications; however, the covered entity would have to give the individual notice and the opportunity to opt out of receiving such communications. Authorizations would be required for health care operations communications for which the covered entity received remuneration. The proposed rule also would add a definition of financial remuneration that includes only payments made in exchange for making a marketing communication by the person whose product or service is being described. There is a limited exception for certain prescription refill programs.

Sales of PHI

The HITECH Act bars certain sales of protected health information without express authorization. To implement this, the rule would require covered entities to get authorizations for any disclosure of PHI in exchange for direct or indirect remuneration unless an exception applied. The authorization would have to state expressly that the covered entity would receive remuneration for the communication. There are numerous exceptions, including for public health activities, treatment and payment, sales of a covered entity, business associate arrangements, providing information to individuals such as accountings, disclosures required by law and disclosures otherwise permitted by HIPAA for which the covered entity receives a reasonable cost-based fee.

Fundraising

Under HITECH, covered entities that use individuals' names and treatment dates to raise funds are required to provide a clear and conspicuous opportunity to opt out of future fundraising communications. In addition to requiring the clear and conspicuous opt out, the proposed rule states that the methods individuals use to opt out cannot impose an undue burden on the individual. Requiring an individual to send a letter is deemed to be an undue burden. HHS encourages the use of toll-free telephone numbers or email addresses instead.

The proposed rule also states that covered entities may not condition future treatment or payment on an individual's choice regarding fundraising communications. The covered entity's notice of privacy practices would be required to explain these fundraising provisions.

Minimum Necessary

The proposed rule does not include specific minimum necessary provisions, but does request comments from the public on what aspects of the minimum necessary standard covered entities and business associates believe would be most helpful to address. HHS will issue separate guidance regarding minimum necessary.

Research

The notice of proposed rulemaking requests comments on two potential changes to the authorization requirements for research. Specifically, HHS has asked whether compound authorizations should be permitted for studies that have a corollary research activity, such as the creation of a research database or repository using study data. In addition, HHS is considering modifying the authorization standard to permit an individual to consent to future research if the future research use is described in sufficient detail to permit an informed consent.

Enforcement Rule Changes

The HITECH Act for the first time imposed direct civil monetary penalty liability on business associates for violations of certain privacy and security provisions. To implement these changes, HHS proposes to revise numerous provisions in both the Privacy and Security Rules by adding the phrase 'business associate' following references to covered entities. Among its other proposed enforcement changes, the rule would:

clarify that the Secretary will investigate any complaint filed and further conduct a compliance review when its preliminary view of the facts indicates a possible violation due to willful neglect. Prior rule language had suggested such investigations and compliance reviews might be purely discretionary.

allow the Secretary to share information regarding such investigations, including PHI, to other federal and state governmental agencies to facilitate cooperation with their civil or criminal enforcement activity.

back-pedal from prior rule language requiring the Secretary to attempt to resolve situations by informal means, especially with respect to noncompliance due to suspected willful neglect.

amend the definition of 'reasonable cause' to clarify the scope of violations fitting within that definition.

One significant change not highlighted by HHS but of great concern to covered entities is HHS' proposal to make covered entities liable for the acts of their business associate agents, regardless of whether the covered entity has a compliant business associate agreement in place. The current rule states just the opposite, honoring a (heretofore) long-standing commitment by HHS that covered entities would not be punished for the sins of their business associates absent their knowledge of the business associate's violations and failure to act reasonably to mitigate such violations--including by terminating its agreement with the business associate if necessary.

HHS attempts to draw a distinction between those business associates who are agents of their covered entity and those that are not (e.g., independent contractors), but this distinction is far from clear. If this aspect of the proposed rule is finalized, covered entities would be well advised to expressly declare in their business associate agreements that their business associates are not their agents when the facts and circumstances support such a position.

Not Included in the Proposed Rule

The notice of proposed rulemaking does not address security breach notification or the modified civil money penalties under HIPAA, which were the subject of prior rulemaking. In addition, the notice does not address the new requirements for accountings of disclosures for treatment, payment, and healthcare operations, the distribution of penalties to individuals, enforcement by state attorneys general, or the studies, reports, guidance, or audit efforts HHS is required to undertake by the HITECH Act.

Submitting Comments

Covered entities should review these proposed rules and, if they wish to make comments, arrange to prepare and submit them within 60 days.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Ms Gina Kastel

Faegre & Benson LLP

2200 Wells Fargo Center

90 South Seventh Street

Minneapolis

MN 55402 3901

UNITED STATES

Tel: 612-766-7000

Fax: 612-766-1600

E-mail: info@faegre.com

URL: www.faegre.com

(c) Mondaq Ltd, 2010 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com