On July 8, 2010, the U.S. Department of Health and Human Services (“HHS”) issued a proposed rule on Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) (the “Proposed Rule”). HHS seeks to implement statutory amendments under the HITECH Act, strengthen privacy and security protection of health information, and improve the workability and effectiveness of the HIPAA rules.
Although many of the proposed modifications in the Proposed Rule are rooted in the HITECH Act itself, HHS proposes several changes that are unrelated to the HITECH Act and that attempt to address issues that have been the source of industry confusion or concern for many years, including, for example, the handling of downstream business associates or subcontractors.
We highlight below a number of the salient issues addressed in the Proposed Rule.
Business Associates - Definition Expanded and Increased Duties and Penalties
The Proposed Rule would modify the definition of a business associate in a number of ways:
-- Data Transmission. The Proposed Rule explicitly designates, as business associates, Health Information Organizations, E-prescribing Gateways, or other persons that provide data transmission services with respect to PHI that require routine access to PHI, and personal health record (“PHR”) vendors who offer PHRs on behalf of a covered entity. Significantly, HHS reiterates earlier guidance that entities that act as “mere conduits” for the transport of PHI, but do not access the PHI, except randomly or infrequently, are not business associates.
-- Subcontractors. The Proposed Rule expands the definition of business associate to include subcontractors of business associates. According to HHS, these subcontractors, commonly referred to in the industry as “downstream business associates,” would be required to comply with the applicable Privacy and Security Rule provisions in the same manner as the primary business associate, and would incur the same liability for noncompliance. Significantly, in the preamble, HHS also states that a person is a business associate if he/she/it meets the definition of a business associate, even if no business associate agreement exists, and direct liability under HIPAA would attach regardless of the existence of such an agreement.
The Proposed Rule also would create additional obligations and liability on business associates. Prior to the enactment of the HITECH Act, HIPAA applied to business associates only indirectly by way of the business associate’s contractual obligations to the covered entity. Similarly, the penalty for a violation of these obligations was merely damages that resulted from any contractual breach. The HITECH Act, and now the Proposed Rule, however, expand both the application of certain HIPAA requirements and penalties to business associates.
-- Privacy Rule Obligations. The Proposed Rule would require a business associate to use or disclose PHI only as permitted by the Privacy Rule and only consistent with its obligations under its business associate agreement. The Proposed Rule also would require business associates to (1) disclose PHI to HHS for compliance purposes, (2) upon request, disclose PHI in an electronic format to a covered entity, individual, or individual’s designee, (3) comply with the minimum necessary standard, (4) take reasonable steps to cure a material breach by a subcontractor or terminate the agreement with the subcontractor, and (5) to the extent it carries out a covered entity’s obligations under the HIPAA rules, comply with the requirements of the Privacy Rule.
-- Security Rule Obligations. The Proposed Rule would require business associates to comply with the Security Rule’s administrative, technical and physical safeguard requirements and to implement security policies and procedures in the same manner as a covered entity.
-- Subcontractor Business Associate Agreements. The Proposed Rule would clarify that covered entities are not required to enter into business associate agreements with their business associates’ subcontractors. Rather, the business associate who engages the subcontractor would be responsible for entering into a business associate agreement with that subcontractor. The subcontractor business associate agreement would need to comply with the same Privacy and Security Rule requirements as the original business associate agreement.
-- Amendment of Business Associate Agreements. In addition to the existing business associate agreement provisions, under the Proposed Rule, a business associate agreement would need to require that the business associate (1) comply with the HIPAA Security Rule, (2) report breaches of unsecured PHI to covered entities as required by the HHS Breach Notification Rule, and (3) ensure that any subcontractors agree to the same restrictions.
-- Compliance Date for Business Associate Agreement Amendments. To “prevent rushed and hasty changes to thousands of on-going existing business associate agreements,” HHS proposes a transition period to modify business associate agreements. Under the Proposed Rule, if a then-HIPAA-compliant agreement is in place prior to the publication of the final rule and the contract is not renewed or modified during the period from 60 days to 240 days after the publication of the final rule, the agreement will be deemed compliant until the earlier of (1) the date the agreement is renewed or modified on or after that 240-day post-publication date, or (2) the date that is one year and 240 days after the date of publication of the final rule.
Limitations on the Use and Disclosure of PHI
-- Marketing.
- Similar to almost all other HHS modifications to the Privacy Rule, the Proposed Rule further restricts the ways in which a covered entity may use or disclose PHI for marketing purposes.
- Under the Proposed Rule, communications by a covered entity about a product or service that encourages the recipient of the communication to purchase or use the product or service would not be a marketing communication if that communication is:
o for treatment by a health care provider (including for case management, care coordination or to recommend alternative treatments, therapies, health care providers, or settings of care to the individual), provided that if the communication is in writing and the covered entity receives remuneration for making the communication, certain notice and opt out requirements are met;
o to provide refill reminders or communicate about a drug or biologic currently prescribed to the individual, provided any remuneration received for making the communication is reasonably related to the cost of making the communication; or,
o for the following health care operations purposes, unless the covered entity receives remuneration for making the communication: (1) to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication; or (2) for case management or care coordination, contacting individuals with information about treatment alternatives, and related functions, to the extent these activities do not fall within the definition of treatment.
-- Fundraising.
- The Proposed Rule would make a number of modifications to the Privacy Rule with respect to fundraising. The Proposed Rule would:
o require each fundraising communication to include a clear and conspicuous opportunity for the individual to elect not to receive further fundraising communications;
o provide that treatment or payment cannot be conditioned on an individual’s choice to receive fundraising communications;
o provide that fundraising communication may not be sent to someone who has opted out of such communications; and,
o require a covered entity to include a statement in the notice of privacy practices that the entity may use and disclose PHI for fundraising but that individuals have the right to opt out of receiving these communications.
-- Sale of PHI. To implement the HITECH Act prohibition against the sale of PHI, the Proposed Rule would require a covered entity to obtain the individual’s authorization prior to disclosing PHI in exchange for direct or indirect remuneration. The Proposed Rule would exclude several disclosures of PHI made in exchange for remuneration, including, significantly, disclosures for the sale, transfer, merger, or consolidation of all or part of a covered entity with another covered entity, and related due diligence.
-- Research. The Proposed Rule would modify the prohibition against compound authorizations in the research context to permit a covered entity to combine the authorization for research (a conditioned authorization) with an unconditioned authorization, such as an authorization for specimen collection for a central repository. In addition, in the Proposed Rule, HHS specifically seeks comments on whether to modify the requirement that a research authorization be research-study specific. Modifications to this requirement could allow covered entities to obtain an authorization for future research.
Individual Rights
-- Revisions to Notice of Privacy Practices. The Proposed Rule would require covered entities to make revisions to their notices of privacy practices to include certain specific disclosures (e.g., disclosures for marketing and fundraising and disclosures of psychotherapy notes). The Proposed Rule also would modify the notice requirements regarding an individual’s right to request restrictions on the use and disclosure of PHI and the covered entity’s obligation with respect to such a request.
-- Restrictions on Disclosures of PHI. The Privacy Rule currently provides individuals with a right to request a restriction on a covered entity’s use or disclosure of PHI for purposes of treatment, payment or health care operations, but there is no corresponding obligation to agree to that request. The Proposed Rule, however, would require covered entities to agree to a requested restriction if the disclosure is to a health plan for purposes of payment or health care operations and the PHI relates to a health care item or service for which the health care provider has been paid out of pocket in full.
-- Access to PHI. The HITECH Act requires any covered entity that uses or maintains an electronic health record (“EHR”) to provide an individual with a copy of such information in electronic format or, at the individual’s request, transmit the information directly to a person or entity designated by the individual. The Proposed Rule would implement and expand this obligation by requiring that if PHI is maintained electronically, regardless of whether it is part of an EHR, the covered entity must provide the individual with access to the electronic information in the electronic form or format requested, if it is readily producible. In addition, if an individual requests that the PHI to which he is requesting access be sent to a third party, the covered entity must send the PHI directly to that third party.
Increased Enforcement and Penalties
The HITECH Act sought to put more teeth in HIPAA enforcement efforts by increasing civil penalties for HIPAA violations and, in certain cases, requiring formal investigations. HHS’ proposed changes to the HIPAA Enforcement Rule are in line with that goal.
-- Enforcement.
- Currently, HHS may investigate privacy complaints or conduct compliance reviews. The Proposed Rule would clarify that HHS will investigate complaints or conduct compliance reviews when a review of the facts indicates a potential violation due to willful neglect.
-- Penalties.
- The new tiered approach to civil monetary penalties required under the HITECH Act previously was incorporated into the HIPAA Enforcement Rule. In the Proposed Rule, HHS proposes a modified definition of “reasonable cause,” which relates to violations in the second tier of the four-tiered structure for assessing penalties. The proposed definition includes circumstances that would make it unreasonable for a covered entity or business associate, despite ordinary business care and prudence, to comply with a HIPAA rule requirement, and those circumstances where a covered entity or business associate knows of the violation but such knowledge does not rise to the level of willful neglect.
- The Proposed Rule would add references to business associates to impose liability directly on business associates for violations of the HITECH Act and applicable provisions of the HIPAA Privacy and Security Rules.
- The Proposed Rule would modify regulatory language so that covered entities remain liable for the acts of their business associate agents, regardless of whether the covered entity and agent have a business associate agreement in place. In contrast, as HHS notes, this would not impose liability on covered entities with respect to business associates that are not agents (e.g., independent contractors).
Rebecca Fayed is Counsel in the Healthcare Practice Group of Sonnenschein. Sonnenschein and Denton Wilde Sapte LLP, a UK-based law firm, will combine on September 30, 2010 to form SNR Denton, an international law firm with 33 offices in North America, Europe, Asia, and Africa.