On July 8, 2010, HHS proposed overdue regulations amending the HIPAA privacy, security, and enforcement rules to comply with last year’s HITECH Act. (75 FR 40868) The proposed rules would implement and, in some cases, clarify several HITECH provisions that became effective February 18, 2010. With a few notable exceptions, the proposed rules follow the path blazed by HITECH. The proposed rules are subject to a 60-day comment period; final rules will issue sometime thereafter. Highlights of the proposed rules include the following:
Enforcement and Penalties. HITECH dramatically increased the fines for HIPAA violations up to $50,000 per violation or $1.5 million per year for the same violation, depending on whether the covered entity or business associate (1) knew or should have known of the violation; (2) had reasonable cause for the violation; (3) acted with willful neglect but corrected the problem; or (4) acted with willful neglect but failed to correct the problem. (45 CFR § 160.404) A covered entity or business associate may avoid penalties if it did not act with willful neglect and corrects the problem within 30 days, e.g., by correcting non-conforming policies. (Id. at § 160.410) The proposed rules and accompanying commentary clarify these culpability standards. Among other things, HHS stressed that failing to have required policies or to act promptly to correct violations evidences “willful neglect,” exposing covered entities and business associates to maximum penalties. Those penalties can multiply rapidly since a separate violation occurs each day a covered entity or business associate fails to comply. (Id. at § 160.406) The net effect: covered entities and business associates must ensure they have the required policies in place both to avoid violations and to minimize their exposure if a violation occurs.
Business Associates. HITECH dramatically expanded HIPAA by requiring business associates to comply with the privacy and security rules and subjecting them to HIPAA penalties for violations. (45 CFR § 164.104) Business associates are entities that, on behalf of a covered entity, perform a function or activity involving the use of protected health information (“PHI”). The proposed rules expand the definition in two significant ways. First, health information organizations, e-prescribing gateways, or other data transmission services that require access to PHI on a routine basis are now “business associates.” In contrast, transmission entities that merely provide a conduit for transmission, but that do not routinely access the PHI, are not “business associates.” Second, subcontractors of business associates are themselves “business associates” and, as such, must comply with HIPAA or face HIPAA penalties. In contrast, workforce members of covered entities or their business associates are not “business associates.” Workforce members are those over whom the covered entity or business associate has direct control, whether or not they are paid by the covered entity. (Id. at § 160.103)
The proposed rules still require covered entities to execute “business associate agreements” with business associates before disclosing PHI to, or allowing access to PHI by, the business associate. In addition, the proposed rules require business associates to execute such agreements with any subcontractors that may have access to PHI. The business associate, not the covered entity, is responsible for ensuring that subcontracted business associate agreements are in place. (Id. at § 164.314) Business associate agreements must contain the elements generally required by the prior rules, e.g., they must establish permissible uses and disclosures of PHI, and require business associates to take certain actions to implement safeguards, comply with the security rule, report contract violations and privacy breaches, and provide information necessary to enable the covered entity to comply with HIPAA rules. In addition, to the extent that a business associate is obligated to carry out a covered entity’s duty under HIPAA, the contract must require the business associate to comply with HIPAA in carrying out that duty. (Id. at §§ 164.314 and 164.504(e)) Business associate agreements may seem superfluous now that business associates are directly subject to HIPAA, but the contracts still serve at least two purposes: (1) they educate business associates and subcontractors about their HIPAA duties; and (2) they give covered entities or principal business associates contractual remedies against their business associates or subcontractors for violations. To ease the burden of revising existing business associate agreements, HHS proposed a one-year transition period: if a covered entity or business associate has a written contract that complies with currently existing rules, the contract will be deemed compliant under the proposed rules until the sooner of (1) the renewal or modification of the contract, or (2) one year after the effective compliance date. (Id. at § 164.532)
The proposed changes to the privacy rule confirm that business associates may only use or disclose PHI as permitted by their business associate agreements or as required to comply with applicable law. If the covered entity and business associate fail to execute a business associate agreement, the business associate may only use or disclose PHI to the extent necessary to perform its duties to the covered entity or as required by law. Regardless, business associates may not use or disclose PHI in a manner that would violate the privacy rule if done by the covered entity. The business associate’s duties under the proposed security rule are broader. Under the proposed rule, business associates must comply with the security rule to the same extent as covered entities, including implementing the administrative, technical, and physical safeguards that meet security rule standards. (Id. at § 164.302) This places a significant burden on business associates.
In the past, covered entities were liable for HIPAA violations if they knew that their business associate was violating the business associate agreement and failed to take reasonable steps to cure the breach, end the violation, or terminate the contract. (Id. at § 164.504) In a surprising and troubling twist, the proposed rules also make a covered entity or business associate vicariously liable for their business associate’s violations if the business associate or subcontractor was acting as the agent of the covered entity or principal business associate under common law agency principles. (Id. at § 160.402) To avoid vicarious liability going forward, covered entities should confirm in their business associate agreements that the business associate is acting as an independent contractor, not an agent, of the covered entity.
The proposed rules clarify some issues regarding the PHI of deceased persons. The rules would expressly allow covered entities to disclose PHI about a decedent to family members and others who were involved in the decedent’s care or payment for care prior to the decedent’s death, unless such disclosure would be contrary to the decedent’s prior expressed wishes. (45 CFR § 164.510) In addition, HIPAA no longer applies to PHI concerning a person who has been dead for 50 years. (Id. at §§ 160.103, 160.402)
Restricting Disclosures for Certain Payment Purposes
HIPAA generally allows covered entities to use or disclose PHI for treatment, payment or health care operations without the patient’s authorization. Consistent with HITECH, the proposed rules would give patients the right to prohibit covered entities from disclosing PHI to a health plan for payment purposes if (1) the patient requests the restriction; and (2) the patient (or another person on the patient’s behalf) paid the entire cost of the care to which the PHI pertains. (45 CFR § 164.522) In its commentary, HHS acknowledges that covered entities may have a difficult time complying with this new limitation, and requests comments on the proposed rules.
Accessing and Transmitting Electronic Copies of PHI
HITECH allows patients not only to obtain a copy of any PHI maintained in an electronic health record (“EHR”) but also to have it transmitted to entities identified by the patient. The proposed rules broaden the requirement to all PHI maintained in electronic format, not just PHI maintained in an EHR. Under the proposed rule, the covered entity must provide the electronic PHI in the form or format requested by the individual if readily producible; if not, the rules contemplate that the parties will agree to an alternative format or means of transmission. In addition, the covered entity must transmit the PHI directly to another person identified by the patient if the direction is clear, conspicuous and specific. The covered entity may require that such requests be in writing and signed by the patient. As with paper copies, the covered entity may charge a reasonable, cost-based fee for labor and supplies (e.g., an encrypted USB drive or a CD) in responding to the request. (45 CFR § 164.524)
Covered entities must generally obtain the patient’s authorization to use or disclose PHI for purposes of “marketing,” which is defined as making communications about a good or service to encourage the purchase or use of the product or service. HIPAA excludes the following activities from the definition of “marketing” and no authorization is needed unless the covered entity is paid by a third party to make the communication: (1) communicating about treatment of a person by a health care provider; (2) providing refill reminders or otherwise communicating about a drug or biologic prescribed to the individual; (3) describing a health-related product or service that is provided by the covered entity; or (4) contacting the individual about treatment alternatives for case management or care coordination. Under the proposed rules, if the covered entity receives remuneration for such activities, the activities are deemed to be “marketing” and HIPAA generally requires the individual’s authorization and, in some cases, certain notices to the individual. (45 CFR §§ 164.501 and 164.514)
Covered entities may use or disclose certain demographic PHI to institutionally-related foundations for fundraising purposes if the individual is given a chance to opt out of receiving fundraising solicitations. Under the proposed rules, each fundraising communication must explain how the individual may opt out of receiving such solicitations. Furthermore, the means for opting out may not impose on the individual an undue burden or more than a nominal cost. In its commentary, HHS stated that providing a toll-free number or e-mail address is permissible; requiring the individual to send a letter is not. Covered entities may not send fundraising materials to an individual who has opted out. (45 CFR § 164.514)
Sale of PHI
As required by HITECH, covered entities must generally obtain the patient’s authorization prior to disclosing PHI in exchange for direct or indirect remuneration. Per the proposed rules, the authorization must state that the covered entity will receive remuneration for the disclosure. The authorization requirement does not apply to disclosures (1) for public health purposes; (2) for research purposes where the covered entity is only paid a cost-based fee to cover the cost of the disclosure; (3) for treatment or payment purposes; (4) for the sale, transfer or merger of the covered entity; (5) to or by a business associate as payment for the business associate’s services; (6) to the patient when the patient requests records per § 164.524; or (7) as required or permitted by law or the HIPAA rules. (45 CFR § 164.508) As proposed, the new rules would apply to disclosures that take place six months or more after the final rule is promulgated.
The proposed rules create a new exception that allows covered entities to disclose immunization information to schools if state laws require proof of immunization before the student may be admitted. Before disclosing the information, the covered entity must obtain oral agreement from the student (if legally authorized to consent to their own care) or from the student’s personal representative. (45 CFR § 164.512)
The proposed rules ease some of the requirements for clinical research. For example, HIPAA generally prohibits combining an authorization for use or disclosure of information with any other document, such as a consent form. Under the proposed rules, covered entities may combine research authorizations with other documents. (45 CFR § 164.508)
Notice of Privacy Practices
The proposed rules would require certain amendments to covered entities’ notices of privacy practices to incorporate the new requirements, including those related to required authorizations if the covered entity receives remuneration for disclosure of PHI; limitations on using or disclosing PHI for marketing or fundraising activities; the right to restrict certain disclosures for payment purposes; etc. (45 CFR § 164.520) According to HHS, these amendments would constitute a material change in the notice of privacy practices, thereby triggering covered entities’ duties to make a new copy of the notice available to individuals.
Effective Date. Unless otherwise specified in the rules or by statute, the new HIPAA rules take effect 180 days after the final rule is published. Thus, covered entities will generally have 180 days to bring their practices into compliance following publication of the final rule. (45 CFR § 160.105)
Although not enforceable, the proposed rules dispel speculation of major HIPAA upheavals. The proposed changes generally track HITECH requirements; the additional changes are relatively minor. While it may be too early to revise policies to comply with the future final rules, it is certainly time to ensure that covered entities have required policies in place to protect against current violations and minimize exposure to HIPAA penalties. Those penalties are in effect now.
If you have questions about these or other health law issues, please contact a member of our Health Law Group at 208.344.6000.