HHS Proposes Changes to HIPAA Privacy, Security and Enforcement Regulations
Contained within the 2009 stimulus package known as the American Recovery and Reinvestment Act is the Health Information Technology for Economic and Clinical Health Act1 (HITECH). Among other things, HITECH supplemented and broadened a number of the privacy and security requirements under the Health Insurance Portability and Accountability Act of 19962 (HIPAA). On July 14, 2010, the Department of Health and Human Services, Office of Civil Rights (OCR), issued a notice of proposed rulemaking3 (NPRM) implementing certain provisions of HITECH.
The most notable of the proposed changes relate to business associates—their legal obligations, their relationships with covered entities and their own subcontractors, and the required components of business associate agreements. This Bulletin summarizes the most notable proposed changes affecting business associates and describes certain other noteworthy changes set forth in the NPRM.
Proposed Changes Affecting Business Associates
Definition of “Business Associate.” Under the NPRM, “Business Associates” would include patient safety organizations (PSOs), health information organizations (HIOs), e-prescribing gateways, and others. As a clarifying change, under the NPRM “business associate” expressly excludes health care providers, with respect to disclosures by a covered entity for the purpose of treatment, and sponsors of group health plans, with respect to disclosures by the group health plan (provided the disclosures satisfy certain requirements).
Legal Obligations of Business Associates. As required by Section 13404 of HITECH, the NPRM would apply to business associates the Privacy Rule’s general requirement that protected health information (PHI) not be used for any purpose except as expressly permitted by the Privacy Rule or as required by law.
Changes to Business Associate Agreements. With respect to business associate agreements, the NPRM would, among other things, require business associate agreements to expressly provide that the business associate will comply with the Security Rule with respect to electronic PHI and report breaches of unsecured PHI to the covered entity.
Subcontractors of Business Associates. The NPRM defines a business associate “subcontractor” as a person who acts on behalf of a business associate who is not an employee or other member of the business associate’s workforce. Under the NPRM, a business associate would be required to obtain a written agreement from its subcontractors, with provisions similar to business associate agreements.
Enforcement Rule Applicable to Business Associates. Pursuant to Section 13410 of HITECH, the NPRM would modify 45 C.F.R. Part 160, subpart D (the Enforcement Rule) to subject business associates to civil monetary penalties (CMPs) for violations by the business associate and/or its subcontractors.
- Modification of Existing Business Associate Agreements. The NPRM would require existing business associate agreements be modified to the extent necessary to comply with the modified requirements. Recognizing that covered entities and business associates will need time to modify all of their existing business associate agreements, the compliance deadline for such modifications would be one year following the effective date of the final rule.
Other Privacy Rule Changes
Marketing. In accordance with Section 14306 of HITECH, OCR proposes to modify the definition of “marketing” to exclude certain treatment communications from covered entities and business associates, provided that the communication includes, if applicable, a statement that financial remuneration was received by the covered entity or business associate in exchange for making the communication.
Sale of PHI. The NPRM would prohibit, with certain exceptions, the receipt of direct or indirect remuneration by a covered entity or business associate in exchange for the disclosure of PHI absent a valid authorization from the individual.
Fundraising. The proposed rules would require covered entities to include in any fundraising communication sent to an individual an opportunity to opt out of receiving future fundraising communications.
Notice of Privacy Practices. The NPRM would modify the required provisions of Notices of Privacy Practices (NPPs) to include, among other things, a description of the types of uses and disclosures that require an authorization, including certain uses and disclosures of psychotherapy notes, uses and disclosures of PHI for marketing purposes, and for the sale of PHI.
Right to Request Restrictions. The NPRM would require covered entities to agree to an individual’s request to restrict disclosures of PHI to health plans for the purpose of payment or health care operations, to the extent the PHI solely relates to health care items and services for which payment in full has been made by a person or entity other than the health plan.
- Access to PHI. The NPRM would require covered entities to provide an individual access to the individual’s PHI in electronic format, if the individual specifically requests such format and the covered entity maintains such PHI in electronic format.
Many of the modifications proposed under the NPRM will not become effective before the corresponding effective dates under HITECH. OCR recognized that covered entities and business associates will need a period of time following the publication of the final rulemaking to come into compliance with the new requirements. To that effect, OCR proposes that the compliance deadline of the modified requirements will be 180 days after the publication of the final rule. OCR further proposes to allow covered entities and business associates a period of up to one year following the compliance deadline to make the requisite modifications to existing business associate agreements.
OCR is accepting comments on the NPRM through September 14, 2010. The NPRM and public comments submitted to date are available on the Federal eRulemaking Program website, regulations.gov.
1 Division A, Title XIII, Subtitle D of the American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5 (Feb. 17, 2009) (to be codified at 42 U.S.C. §§ 17921-17940).
2 Pub. L. 104-191, 110 Stat. 2033 (1996).
3 Modifications to HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act, 75 Fed. Reg. 40,868 (to be codified at 45 C.F.R. pt. 160 and pt. 164) (proposed July 14, 2010).