On July 14, 2010 the US Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR) proposed significant changes to the Health Insurance Portability and Accountability Act (HIPAA) administrative simplification rules (the Proposed Rule). Many of these changes are required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted in early 2009 as part of the federal stimulus bill. Other changes are of a “technical and conforming nature” and are designed to improve the overall “workability and effectiveness” of the HIPAA Privacy and Security Rules.
In addition to creating mandatory federal breach reporting requirements, the HITECH Act created new privacy requirements and applied provisions of the HIPAA Privacy and Security Rules directly to business associates. Previously, business associates were bound by the terms of their written agreements with covered entities, but they were not directly subject to HIPAA or its penalties. Together with several new penalty and enforcement provisions, the HITECH Act - and the Proposed Rule - indicate the federal government’s continued concern with identity theft and individual privacy rights in an era of increased use of electronic health records, health information exchanges and other health information technology.
After the Proposed Rule is finalized - which we expect will occur later this year - covered entities and business associates alike will need to review their HIPAA policies and procedures to ensure compliance with these new rules. These groups will also need to review and perhaps modify their existing business associate agreements. Further, as described below, business associates will need to ensure they have in place agreements with subcontractors that receive, create or transmit “downstream” protected health information (PHI).
Public comments are due to HHS by September 13, 2010. Following is a brief summary of key changes in the Proposed Rule. As noted, several of these changes will be discussed in greater detail in future Squire Sanders Health Care Alerts.
Key Changes Under the Proposed Rule
- Changes impacting business associates. OCR proposes to modify the definition of “business associate” to include health information organizations, vendors of personal health records and patient safety organizations. As required by the HITECH Act, the Proposed Rule would also extend to business associates a number of Privacy and Security Rule obligations and new criminal and civil penalty provisions.
- Inclusion of subcontractors. OCR proposes to expand the definition of “business associate” to include “subcontractors” that create, receive, maintain or transmit PHI on behalf of a business associate. This would mean that business associates would be required to enter into HIPAA-compliant agreements with their subcontractors (to the same extent a covered entity must have a written agreement with its business associate). In addition, subcontractors hired by business associates to perform activities that involve PHI would be directly required, by law, to comply with HIPAA rules.
- Revised marketing rules. The Privacy Rule definition of “marketing” would be revised to better distinguish the exception for treatment communications from those made for health care operations. In addition, the Rule would be revised to require specific notice and “opt out” provisions for communications about products or services sent by a health care provider to an individual in exchange for financial remuneration from the party whose product or service is being described. These changes will be discussed in greater detail in an upcoming Health Care Alert.
- Restrictions on disclosures of PHI in exchange for remuneration. The HITECH Act prohibits the sale of PHI, unless the covered entity or business associate obtains a valid authorization from the individual. The Proposed Rule sets forth this prohibition as well as several exceptions to the authorization requirement, including exceptions for public health activities, research purposes (if the price charged for the information reflects the costs of preparation and transmission of the data) and treatment of the individual. OCR is specifically seeking comment on various aspects of this new provision.
- Changes impacting clinical research. Although not addressed by the HITECH Act, the Proposed Rule would clarify that an authorization that conditions the provision of research-related treatment on the individual’s permission may be combined with an unconditioned authorization, such as patient permission to use PHI for a research database or repository. The Proposed Rule would also permit authorization for future research uses and disclosures. These changes will also be discussed in greater detail in an upcoming Health Care Alert.
- Other changes to individual rights under HIPAA. In accordance with the HITECH Act, the Proposed Rule changes several aspects of individual rights with respect to PHI. For instance, a covered entity would be required to restrict its disclosure of PHI to a health plan for a product or service for which the patient has paid in full out of pocket. The modified Privacy Rule would also strengthen patients’ rights to access their information maintained by a covered entity in electronic format. Among other things, these changes would require a covered entity to make corresponding changes to its Notice of Privacy Practices.
Although many of the provisions under the HITECH Act took effect on February 18, 2010, OCR has recognized that it would be difficult for covered entities and business associates to comply with the Act until final rules are issued. OCR therefore intends to allow 180 days after the effective date of the final rule for such parties to comply with the new or modified standards and implementation specifications.
Additional time will also be available to revise business associate agreements so that they comply with the HITECH Act requirements. Specifically, covered entities and business associates would be allowed to continue to operate under existing business associate agreements for up to one year beyond the compliance date (i.e., until 18 months after the effective date of the final rule). This grandfathered status would apply to business associate agreements that are in place prior to the publication of the final rule if those agreements comply with the HIPAA Privacy and Security Rules.
In the meantime, there are steps covered entities and business associates can take to prepare for these anticipated changes. As noted above, both groups will eventually need to review and revise their HIPAA policies and procedures and business associate agreements. If your organization is a covered entity or a business associate, you can begin to create a strategy for these updates. If your organization is a covered entity, that strategy should also include a plan to update your Notice of Privacy Practices to accommodate the changes to individual rights.
Finally, as part of increased enforcement of HIPAA requirements, and in concert with revised penalty provisions under the HITECH Act, the federal government has indicated it will expand its HIPAA oversight through compliance reviews and audits. Therefore, both covered entities and business associates should consider conducting internal HIPAA audits and assessments to help identify and address any areas of concern.
Squire Sanders lawyers have significant experience in HIPAA compliance efforts, including privacy and security assessments. We routinely advise clients on matters related to HIPAA policies and procedures and business associate agreements. We continue to monitor the proposed changes to HIPAA and are available to assist clients in structuring their privacy and security practices to comply with these changes. For more information on how we can help you, please contact your principal Squire Sanders lawyer or one of the lawyers listed in this Alert.