On January 25, 2013, the Department of Health and Human Services (HHS) published the highly anticipated Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule (the “Final Rule”). The Final Rule represents a material development in the area of health care privacy, and has important operational consequences for covered entities and business associates. Major changes include the following:
180-Day Compliance Deadline for Implementing Most Changes. The Final Rule goes into effect on March 26, 2013, and has a general compliance deadline of September 23, 2013. As noted below, business associate agreements in existence prior to January 25, 2013, generally qualify for a longer transition period for modifications. HHS estimates total implementation costs for affected entities at $114 million to $225.4 million for the first year of implementation, and approximately $14.5 million each year thereafter.
Compliance Action Steps
Covered entities and business associates will need to act now to ensure compliance by the compliance deadline. Recommended steps include:
A detailed summary of key changes follows. Due to the length of the Final Rule (almost 600 pages), these changes are divided by major topic, to allow the reader to readily find those of most interest.
I. Key Breach Notification Changes
Removal of Harm Standard and Modification of Risk Assessment. The Final Rule makes a number of significant changes that are likely to increase breach notification, thereby placing a premium on encrypting PHI as a means of avoiding costly HIPAA breach notification altogether: PHI that is encrypted consistent with HHS guidance is not “unsecured” PHI, so its loss or impermissible disclosure falls outside the breach notification rule, provided the decryption key was not compromised as well. Under current rules, a breach of unsecured PHI must be reported only if it poses “a significant risk of financial, reputational, or other harm to an individual.” The Final Rule eliminates the “significant risk of harm” threshold. Under the Final Rule, any impermissible use or disclosure of PHI is presumed to be a breach requiring notification, unless the covered entity or business associate demonstrates through a risk assessment that there is a “low probability that the PHI has been compromised” or that one of the Rule’s narrow exceptions applies. The risk assessment must consider at least the following four “objective” factors; HHS notes that it may also be appropriate to consider other factors, depending on the circumstances.
1. Nature and Extent of PHI. The first factor requires covered entities and business associates to evaluate the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
2. Nature of the Recipient. The second factor requires covered entities and business associates to consider the unauthorized person who used the PHI or to whom the disclosure was made.
3. Was PHI Actually Acquired/Viewed? The third factor requires covered entities and business associates to investigate whether the PHI was actually acquired or viewed, or, alternatively, if only the opportunity existed for the information to be acquired or viewed.
4. Mitigation. The final factor requires covered entities and business associates to consider the extent to which the risk to the PHI has been mitigated.
5. Other Factors. A risk assessment will be fact-specific. In a given case, other factors may also need to be considered.
Documentation of Risk Assessments. As under the interim final breach notification rule, covered entities and business associates have the burden of proving that all notices were provided as required, or that the situation was not a breach, and need to maintain relevant documentation (e.g., a thorough risk assessment).
Removal of Limited Data Set Exception to Breach Notification. HHS removed the exception for limited data sets that do not contain any dates of birth and zip codes. Under the Final Rule, an impermissible use or disclosure of a limited data set, even one that does not contain dates of birth and zip codes, will be subject to the same risk assessment process as other breaches. HHS anticipates that this modification will not necessarily affect the outcome in most cases.
II. Key Changes: Business Associates
The Final Rule expands the definition of business associates, articulates the increased compliance obligations that apply directly to business associates under the HIPAA Rules, and extends direct liability for HIPAA violations to business associates. It also describes the required changes to business associate agreements. Covered entities and business associates generally will need to modify existing business associate agreements. Business associates will also need to ensure they have compliant business associate agreements in place with subcontractors. To the extent they have not already done so, business associates need to ensure they have adopted appropriate HIPAA compliance programs, policies and procedures.
A. An Expanded Definition of “Business Associate”
The Final Rule expands the definition of business associate to generally include a person that creates, receives, maintains or transmits PHI on behalf of a covered entity. In addition, the definition of business associate now includes: (1) subcontractors (as described below); (2) health information organizations, e-prescribing gateways and other persons that “provide data transmission services with respect to PHI to a covered entity and that require access on a routine basis to such PHI”; and (3) persons who offer a personal health record to one or more individuals “on behalf of” a covered entity. HHS also adds patient safety activities to the list of functions and activities that gives rise to a business associate relationship in light of the creation of patient safety organizations under the Patient Safety and Quality Improvement Act of 2005.
Inclusion of Subcontractors. Under the Final Rule, a subcontractor is itself a business associate, subject to the same compliance obligations and direct liability under HIPAA as a first-tier business associate. Generally, a subcontractor is defined as a person (other than a business associate workforce member) to whom a business associate delegates a function, activity or service, where the delegated function involves the creation, receipt, maintenance or transmission of PHI.
Business Associate Versus Conduit; Entities That “Maintain” PHI. HHS elaborates in commentary on what it means for a data transmission service to have “access on a routine basis,” noting that the “conduit exception” is narrow, and is intended for mere “courier” services. It also notes that the conduit exception is limited to transmission services, including any temporary storage of transmitted data incident to such transmission. In contrast, an entity that maintains PHI (whether digital or hard copy) on behalf of a covered entity is a business associate, and not a conduit, even if it does not actually view the information. In HHS’s view, the distinguishing factor is the transient versus persistent nature of the entity’s opportunity to access PHI. To clarify this point, HHS revised the definition of business associate to include a person who “maintains” PHI on behalf of a covered entity.
More Guidance for Personal Health Record Vendors. HHS commentary provides several additional examples and clarifications regarding when a personal health record vendor is a business associate. Personal health record vendors and covered entities working with such vendors will want to closely review the commentary to the Final Rule.
Business Associate’s Disclosure for Own Management and Administration. Disclosures by a business associate for its own management and administration or legal responsibilities do not create a business associate relationship with the recipient. However, where such disclosures are not required by law, the Final Rule requires that the business associate obtain reasonable assurances the information will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed, and that the person notifies the business associate of any breaches.
B. Business Associate Liability Issues
Direct Liability of Business Associate for Privacy Rule Violations. The HITECH Act did not create direct liability for business associates for compliance with all requirements of the HIPAA Privacy Rule. The Final Rule articulates that business associates are directly liable under the HIPAA Rules for the following:
Contractual Liability. Business associates remain contractually liable for all other HIPAA Privacy Rule obligations that are included in their contracts or arrangements.
Vicarious Liability for Agent. The Final Rule adopts modifications to provide that a covered entity or business associate is liable for penalties for the failure of its business associate “agent” to perform an obligation on the covered entity’s or business associate’s behalf. The Final Rule suggests that whether a particular business associate is an “agent” depends on an analysis of the totality of the circumstances, including:
Affected entities will want to carefully review the potentially significant impact of this change.
Non-Compliance by Subcontractors. As with a covered entity’s knowledge of non-compliance on the part of its business associate, under the new provisions a business associate that is aware of non-compliance by its subcontractor must take reasonable steps to cure the breach or end the violation and, if such steps are unsuccessful, terminate the contract or arrangement, or face liability for non-compliance with the business associate requirements.
C. Business Associate Agreements
The Final Rule continues to require the parties to have in place a written business associate agreement for compliance. The Final Rule also modified the required content of business associate agreements. Specifically, each business associate agreement must require business associates (and subcontractors) to:
HHS has posted a sample revised business associate agreement on its website. Note that covered entities and business associates will likely wish to incorporate additional protections that are not included in the HHS form.
Whether a person is a business associate is definitional, and is not dependent on the existence of a business associate agreement.
Business Associate Agreements with Subcontractors. A covered entity is not required to enter into a written agreement with the subcontractor of the business associate. Rather, this is the obligation of the business associate making the delegation. This requirement to obtain a written business associate agreement extends down the chain indefinitely.
Grandfathering. Recognizing covered entities’ and business associates’ concerns about the anticipated administrative burden and cost to implement the revised business associate agreement provisions, the Final Rule provides a longer transition period for certain existing agreements, as follows:
D. Business Associate Security Rule Compliance
To implement the HITECH Act’s provisions extending direct liability to business associates for compliance with the Security Rule, the Final Rule made various changes consistent with the proposed rule.
III. Key Modifications to the Privacy Rule
A. Stronger Limits on Marketing
Subsidized Treatment Communications Require Authorization. The Final Rule makes a significant change by requiring authorization for all treatment and health care operations communications where the covered entity receives financial remuneration for making the communication from a third party whose product or service is being marketed. The Final Rule opts for a bright line approach of requiring an authorization for all subsidized communications that market a health-related product or service, compared to the previously proposed approach that would have allowed a notice-and-opt-out for certain subsidized treatment communications. HHS also eliminated the requirement that existed prior to the Final Rule that a covered entity include in its notice of privacy practices (NPP) a statement that the covered entity may contact the individual to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to the individual. While such a statement remains accurate for non-subsidized communications, if the communication is subsidized, the individual will be notified via the authorization process.
Financial Remuneration for Marketing: What Counts? For purposes of the marketing provisions, “financial remuneration” means direct or indirect payment and does not include in-kind or other non-financial benefits. Furthermore, financial remuneration a covered entity receives must be for the purpose of making a communication that encourages individuals to purchase or use the third party’s product or service. If the financial remuneration is for another purpose, the marketing provision does not apply. Thus, where a third party pays a covered entity to implement a disease management program as part of the covered entity’s services, the covered entity could make communications about the program without an authorization, because such communications are not to market the third party’s product or service.
Contents of Authorizations. Authorizations must disclose the fact that the covered entity receives remuneration. However, an authorization may cover subsidized communications generally (e.g., need not be limited to subsidized communications about a single product or a product of one third party), as long as it adequately describes the intended purposes of the use or disclosure and contains all other required elements.
Face-to-Face/Nominal Gifts. Existing exceptions for “face-to-face” communications and nominal gifts continue to apply.
Refill Reminders/Communications About Currently Prescribed Drugs. The Final Rule adopts the exception for refill reminders and communications about drugs/biologics currently prescribed as proposed. HHS clarifies that costs for which a covered entity may receive remuneration under this exception are costs of necessary labor, supplies and postage. Financial incentives beyond cost are not within the scope of the exception.
Communications Promoting Health in General or About Government Programs. Communications promoting health generally (e.g., promoting annual mammograms), and that do not promote a product or service from a particular provider, do not constitute marketing and thus do not require individual authorization. Also, communications about government-sponsored programs do not fall within the definition of marketing.
B. Sale of PHI
HHS adopts the HITECH Act’s prohibition on the sale of PHI unless the covered entity or business associate has obtained a valid authorization. HHS defines “sale of protected health information” as “a disclosure of PHI by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI.”
Exceptions. Several exceptions to the authorization requirement exist. The authorization requirement does not apply to disclosures of PHI:
HHS provides a number of clarifications about these exceptions, including examples as to the scope of costs that can be included.
“Sale.” HHS clarifies that “sale” is not limited to transactions where there is a transfer of ownership of PHI. Thus, sale provisions apply to disclosures in exchange for remuneration including those that result from access, license or lease arrangements.
Effect on Research Grants and Payments. HHS does not consider a sale of PHI to encompass payments to a covered entity in the form of grants, contracts or other arrangements to perform programs or activities, such as a research study. In that case, any payment is a byproduct of the service provided. Thus, the payment by a research sponsor to a covered entity to conduct a research study is not considered a sale of PHI even if the research results that may include PHI are disclosed to the sponsor in the course of the study. Furthermore, receipt of a grant or funding from a government agency to conduct a program is not a sale of PHI even if, as a condition of receiving funding, the covered entity is required to report PHI to the agency for program oversight or other purposes.
Effect on Health Information Exchanges. HHS also clarified that exchange of PHI through a health information exchange (HIE) that is paid for through fees assessed on HIE participants is not a sale of PHI because the remuneration is for the services provided by the HIE and not for the data itself. In contrast, a sale of PHI occurs when the covered entity primarily is being compensated to supply data it maintains in its role as a covered entity (or business associate). Thus, such disclosures require an authorization unless they meet an exception.
Broad Definition of Remuneration. “Remuneration” for purposes of the sale provisions is not limited to financial payment as it is in the marketing provisions. Rather, it includes in-kind benefits unless another exception is met.
C. Research Authorizations
Compound Authorizations. The Final Rule allows a covered entity to combine conditioned and unconditioned authorizations for research, provided the authorization clearly differentiates between the conditioned and unconditioned research components and allows the individual the option to opt in to the unconditioned research activities. HHS clarifies that it intends this provision to allow for the use of compound authorizations for any type of research activities, except to the extent the research includes use or disclosure of psychotherapy notes.
Authorizing Future Research Use or Disclosure. In a significant change, HHS modified its prior interpretation that research authorizations must be study specific. Under the revised interpretation, HHS permits an authorization for future research, to the extent the authorization adequately describes such purposes, such that it would be reasonable for the individual to expect that his or her PHI could be used or disclosed for such future research. HHS commentary indicates that this could include specific statements with respect to sensitive research to the extent such research is contemplated (subject to applicable state law). HHS also makes a number of other clarifications relevant to research authorizations in the commentary. An authorization must contain all other required elements.
D. Decedents’ Information
Privacy Rule Protections Expire 50 Years After Death. The HIPAA Privacy Rule was amended to provide that covered entities need only comply with the requirements of the HIPAA Privacy Rule with regard to PHI of a deceased individual for a period of 50 years following the date of death. Other laws (such as state sensitive information laws) may continue to protect such information beyond that point.
More Flexibility Re: Disclosures to Decedent’s Family Members and Others Involved in Care. The Final Rule expressly permits covered entities to disclose a decedent’s information to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity. Depending on the circumstances, this could include disclosures to spouses, parents, children, domestic partners, other relatives or friends of a decedent. Such disclosures must be limited to the PHI relevant to the particular family member’s or other person’s involvement in the individual’s health care or payment for health care.
E. Disclosure of School Immunizations to Schools
Recognizing that schools play an important role in preventing the spread of communicable diseases among students, many states have “school entry laws” that prohibit a child from attending school unless the school has proof that the child has been appropriately immunized. The Final Rule recognizes that the HIPAA Privacy Rule as currently written may be hindering schools’ achievements in such a role. To provide added flexibility, the Final Rule permits a covered entity to disclose proof of immunization to a school where (i) state or other law requires the school to have such information prior to admitting the student and (ii) the covered entity obtains agreement, which may be oral or written, from a parent or guardian or other person acting in loco parentis for the individual, or from the individual if the individual is an adult or an emancipated minor. Covered entities must document the agreement obtained. For example, if a parent requests over the phone that his child’s immunization records be disclosed to the school, a notation in the child’s medical record or elsewhere of this phone call would suffice for documentation of the agreement.
F. Fundraising
The Final Rule brings additional clarification and flexibility to the use and disclosure of PHI in a covered entity’s fundraising activities. Highlights include:
Expanded PHI Available for Fundraising. The Final Rule clarifies and expands the scope of PHI a covered entity may use or disclose for fundraising. Currently, only “demographic information relating to an individual,” health insurance status and dates of health care provided may be used. The Final Rule clarifies that “demographic information relating to an individual” includes name, addresses, other contact information, age, gender and dates of birth. It continues to allow use of health insurance status and dates of health care provided, but also now permits covered entities to use and disclose general department of service information (e.g., cardiology, oncology, etc.), treating physician information and outcome information (e.g., information regarding the death of the patient or any sub-optimal result of treatment or services) for fundraising purposes. As with any use or disclosure under the HIPAA Privacy Rule, a covered entity must use and disclose only the minimum amount of PHI necessary.
Flexibility on Fundraising Opt-Outs. Under the Final Rule, covered entities are required to include an opt-out mechanism with all fundraising communications (which includes any communication, written or oral, where there is an ask for a gift). However, the Final Rule allows flexibility as to the mechanism (such as toll-free number, email address or pre-paid, pre-printed postcard). It also allows covered entities to decide whether the opt-out applies to all future fundraising campaigns or to a specific campaign. Whatever opt-out process is selected, it cannot cause the individual undue burden or more than a nominal cost.
Need to Track Opt-Outs; Need for Affirmative Opt-In. Once an individual has opted out of fundraising communications, the covered entity must timely track and flag these individuals, and is prohibited from sending further fundraising communications to the individual unless the individual affirmatively opts back in.
G. Notices of Privacy Practices
A number of provisions under the Final Rule impact a covered entity’s NPP. As a result, covered entities will need to evaluate their NPP, modify as necessary and redistribute consistent with the provisions of the Final Rule. Key areas of impact and redistribution requirements are noted below.
H. Redistribution of Revised Notices of Privacy Practices
Health Plans. Under the Final Rule:
Health Care Providers. A health care provider with a direct treatment relationship with an individual must (i) make the NPP available upon request on or after the effective date of the revision, (ii) have the NPP available at the delivery site, and (iii) post the NPP (or summary with the full NPP “immediately available”) in a clear and prominent position. HHS notes that providers are only required to give copies of the NPP to, and obtain a good faith acknowledgment of receipt from, new patients.
I. Right to Request a Restriction of Disclosures
In General. Under the Final Rule, a covered entity is required to permit individuals to restrict the disclosure of PHI about the individual to a health plan if: (A) the disclosure is for the purposes of carrying out payment or health care operations and is not otherwise required by law; and (B) the PHI pertains solely to a health care item or service for which the individual, or person on behalf of the individual other than the health plan, has paid the covered entity in full.
Operational Questions. HHS commentary goes into great detail on operational questions, including the following:
J. Access of Individuals to Protected Health Information
The Final Rule amends a patient’s right of access to require that if an individual requests an electronic copy of PHI that is maintained electronically in one or more designated record sets, the covered entity must provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual.
Flexibility in Business Associate’s Role. HHS clarifies that the business associate’s role in fulfilling access rights of the individual depends on the terms of the business associate agreement. There is no separate obligation for business associates to provide individuals with direct access to their health records, unless the business associate agreement so provides.
Requirements for Transmission to Third Parties Designated by the Individual. The Final Rule provides that, if requested by an individual, a covered entity must transmit an electronic copy of PHI directly to another person designated by the individual. In contrast to other requests under § 164.524, when an individual directs the covered entity to send the copy of PHI to another designated person, the request must be made in writing, signed by the individual (including valid electronic signature), and clearly identify the designated person and where to send the copy of the PHI. Also, HHS clarifies that if the request comes from the individual, it is not subject to the authorization provisions. Covered entities will want to make sure their access request procedures and forms reflect these requirements for transmission to third parties.
Clarification of Fees. HHS also provides a number of comments and clarifications regarding the charging of reasonable, cost-based fees for copies of PHI.
Timeliness. A covered entity must now provide an individual with access to off-site records within 30 days of the individual’s request when possible, with a 30-day extension available (for a total of 60 days, in contrast to the current law that permits up to 90 days to provide the individual with access to such records).
IV. Modifications to the HIPAA Privacy Rule Under GINA
Citing an individual’s strong interest in the way his or her genetic information is used for underwriting purposes, the Final Rule generally prohibits health plans that are covered entities under HIPAA from using or disclosing PHI that is genetic information for underwriting purposes. The Final Rule extends such prohibition to covered entities that are not expressly covered by GINA, except with regard to issuers of long-term care policies.
In issuing the Final Rule, HHS notes that while issuers of long-term care policies are exempt from the Final Rule’s prohibition on using or disclosing genetic information for underwriting purposes at this time, it is looking further into how genetic information is used by such issuers and may issue additional guidance in the future.
The Final Rule makes clear that all covered entity health plans, including long-term care plans, continue to be bound by the HIPAA Privacy Rule as it relates to genetic information.
Covered entity health plans that are subject to the Final Rule’s underwriting prohibition for genetic information will need to revise their NPPs accordingly.
V. Enforcement
To implement the HITECH Act, HHS issued an interim final enforcement rule establishing four categories of violations, with increasing penalty amounts reflecting increasing levels of culpability, and a maximum penalty amount of $1.5 million annually for all violations of an identical provision. It is important to note that one covered entity or business associate may be subject to multiple violations of multiple requirements, resulting in a total penalty above $1.5 million. In general, the categories are:
The above penalties apply to both covered entities and business associates (including subcontractors). The Final Rule retains this penalty structure. Also, the Final Rule confirms and/or clarifies:
Factors Considered in Determining the Amount of a Civil Money Penalty. The Secretary must consider the following factors in determining the amount of any civil money penalty:
The Final Rule does not modify the Secretary’s discretion in how to apply the above-listed factors (i.e., as either mitigating or aggravating).
Now that the Final Rule has provided long-awaited definitive guidance to the industry on key HITECH Act changes, covered entities and business associates can expect to see enhanced enforcement.