On Jan. 17, 2013, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued an omnibus Final Rule implementing various provisions of the Health Information Technology for Economic and Clinical Health, or HITECH, Act. The Final Rule revises the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the interim final Breach Notification Rule.
The HITECH Act, which took effect as part of the American Recovery and Reinvestment Act of 2009, expanded the obligations of covered entities and business associates to protect the confidentiality and security of protected health information (PHI).
Under HIPAA, “covered entities” may disclose PHI to “business associates,” and permit business associates to create and receive PHI on behalf of the covered entity, subject to the terms of a business-associate agreement between the parties. A “covered entity” is defined as a health plan, healthcare clearinghouse, or healthcare provider (e.g. physician practice or hospital) that transmits health information electronically. In general, the HIPAA regulations have traditionally defined a “business associate” as a person (other than a member of the covered entity’s workforce) or entity who, on behalf of a covered entity, performs a function or activity involving the use or disclosure of PHI, such as the performance of financial, legal, actuarial, accounting, consulting, data aggregation, management, administrative, or accreditation services to or for a covered entity.
Prior to the HITECH Act, business associates were contractually obligated to maintain the privacy and security of PHI but could not be sanctioned for failing to comply with HIPAA. The HITECH Act expands those obligations and exposure of business associates by:
- Applying many of the privacy and security standards to business associates;
- Subjecting business associates to the breach-notification requirements; and
- Imposing civil and criminal penalties on business associates for HIPAA violations.
In addition, the HITECH Act strengthened the penalties and enforcement mechanisms under HIPAA and required periodic audits to ensure that covered entities and business associates are compliant.
Expansion of Breach-Notification Requirements
The Final Rule expands the breach-notification obligations of covered entities and business associates by revising the definition of “breach” and the risk-assessment process for determining whether notification is required. A use or disclosure of unsecured PHI that is not permitted under the Privacy Rule is presumed to be a breach (and therefore requires notification to the individual, OCR, and possibly the media) unless the incident satisfies an exception, or the covered entity or business associate demonstrates a low probability that PHI has been compromised.1 This risk analysis is based on at least the following four factors:
- The nature and extent of the PHI, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used or accessed the PHI;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk is mitigated (e.g. by obtaining reliable assurances by a recipient of PHI that the information will be destroyed or will not be used or disclosed).
Expansion of Business-Associate Obligations
The Final Rule implements the HITECH Act’s expansion of business associates’ HIPAA obligations by applying the Privacy and Security Rules directly to business associates and by imposing civil and criminal penalties on business associates for HIPAA violations. It also extends obligations and potential penalties to subcontractors of business associates if a business associate delegates a function, activity, or service to the subcontractor, and the subcontractor creates, receives, maintains, or transmits PHI on behalf of the business associate. Any business associate that delegates a function involving the use or disclosure of PHI to a subcontractor will be required to enter into a business-associate agreement with the subcontractor.
The Final Rule addresses the following additional issues by:
- Requiring covered entities to modify their Notices of Privacy Practices;
- Allowing individuals to obtain a copy of PHI in an electronic format if the covered entity uses an electronic health record;
- Restricting marketing activities;
- Allowing covered entities to disclose relevant PHI of a deceased person to a family member, close friend, or other person designated by the deceased, unless the disclosure is inconsistent with the deceased person’s known prior expressed preference;
- Requiring covered entities to agree to an individual’s request to restrict disclosure of PHI to a health plan when the individual (or someone other than the health plan) pays for the healthcare item or service in full;
- Revising the definition of PHI to exclude information about a person who has been deceased for more than 50 years;
- Prohibiting the sale of PHI without authorization from the individual, and adding a requirement of authorization in order for a covered entity to receive remuneration for disclosing PHI;
- Clarifying OCR’s view that covered entities are allowed to send electronic PHI to individuals in unencrypted e-mails only after notifying the individual of the risk;
- Prohibiting health plans from using or disclosing genetic information for underwriting, as required by the Genetic Information Nondiscrimination Act of 2008 (GINA);
- Allowing disclosure of proof of immunization to schools if agreed by the parent, guardian, or individual;
- Permitting compound authorizations for clinical-research studies; and
- Revising the Enforcement Rule (which was previously revised in 2009 as an interim Final Rule), which:
- Requires the secretary of HHS to investigate a HIPAA complaint if a preliminary investigation indicates a possible violation due to willful neglect;
- Permits HHS to disclose PHI to other government agencies (including state attorneys general) for civil or criminal law-enforcement purposes; and
- Revises standards for determining the levels of civil money penalties.
Effective Date, Compliance Date
Although most provisions of the Final Rule became effective on March 26, many provisions impacting covered entities and business associates (including subcontractors) required compliance by Sept. 23. However, if certain conditions are met, the Final Rule allows additional time to revise business associate agreements to make them compliant. In particular, transition provisions will allow covered entities and business associates to continue to operate under existing business-associate agreements for up to one year beyond the compliance date (until Sept. 22, 2014) if the business-associate agreement:
- Is in writing;
- Is in place prior to Jan. 25, 2013 (the publication date of the Final Rule);
- Is compliant with the Privacy and Security Rules, in effect immediately prior to Jan. 25, 2013; and
- Is not modified or renewed.
This additional time for grandfathered business-associate agreements applies only to the written-documentation requirement. Covered entities, business associates and subcontractors will be required to comply with all other HIPAA requirements beginning on the compliance date, even if the business-associate agreement qualifies for grandfathered status
Steven M. Harris, Esq., is a nationally recognized healthcare attorney and a member of the law firm McDonald Hopkins LLC in Chicago. Write to him at firstname.lastname@example.org.
The exceptions relate to (i) unintentional, good-faith access, acquisition or use by members of the covered entity’s or business associate’s workforce, (ii) inadvertent disclosure limited to persons with authorized access and not resulting in further unpermitted use or disclosure, and (iii) good-faith belief that the unauthorized recipient would be unable to retain the PHI.