On July 14, 2010, the Office for Civil Rights of the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (Proposed Rule) that proposes significant changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Enforcement Rules. Most of the changes are required to implement modifications to HIPAA required by the Health Information Technology for Economic and Clinical Health Act (HITECH), which was enacted on February 17, 2009. However, the Proposed Rule also includes many other changes intended to address concerns that have arisen in implementing HIPAA over the past seven years; to strengthen the privacy and security of protected health information (PHI); and to improve the workability and effectiveness of the existing HIPAA rules.
HITECH expanded the direct reach of HIPAA to Business Associates, applying certain parts of the Privacy and Security Rules directly to them. It required both Covered Entities and Business Associates to provide notification of breaches of unsecured protected health information (PHI). It also changed provisions on marketing and fundraising, prohibited the sale of PHI, required the consideration of a limited data set as the minimum necessary amount of information, and expanded individuals’ rights with regard to their PHI. In addition, HITECH strengthened and expanded HIPAA’s enforcement provisions.
HHS is soliciting comments on the Proposed Rule, which may be submitted during a 60-day period after the Proposed Rule is published in the Federal Register. The Proposed Rule is expected to be published on July 14, 2010. Below, we summarize the most significant changes made in the Proposed Rule.
Business Associates
HITECH makes substantial changes to HIPAA as it applies to Business Associates, ranging from the definition of what constitutes a Business Associate to their legal obligations and liabilities.
Business Associate Definitions. The Proposed Rule would significantly expand the definition of Business Associate, to more broadly apply to entities that create or receive PHI for the Covered Entity. Consistent with the statutory provisions of HITECH, the definition of Business Associates would include (1) Health Information Organizations, E-Prescribing Gateways, other persons that provide data transmission services with respect to PHI to a Covered Entity, and (2) vendors who offer personal health records to individuals on behalf of a Covered Entity. In addition, to conform to the statutory provisions of the Patient Safety and Quality Improvement Act of 2005 (PSQIA), discussed further below, the proposed definition also adds patient safety activities to the list of functions and activities that give rise to a Business Associate relationship.
Further, the Proposed Rule provides that “subcontractors” of Business Associates, i.e., those persons who perform functions for or provide services to a Business Associate other than in the capacity of a workforce member (Subcontractors), also are defined as Business Associates. Even though the term “Subcontractor” is used, the Proposed Rule applies to any agent or other person who acts on behalf of a Business Associate in handling PHI, even if no contract between the parties exists.
The Proposed Rule also revises the definition of “workforce member” to make clear that the term applies to employees, volunteers, trainees, and other persons whose conduct in the performance of work for a Business Associate is under the direct control of the Business Associate. This revision emphasizes that a Business Associate’s liability for HIPAA violations extends to persons other than employees.
Application of the Privacy and Security Rule to Business Associates. Currently, Business Associates are required to comply with HIPAA only pursuant to their Business Associate Contracts with Covered Entities and are not directly liable to HHS for violations. HITECH makes Business Associates directly subject to the Privacy and Security Rules and creates direct liability on the part of Business Associates for violations.
With respect to the Security Rule, HITECH provides that the administrative, physical, and technical safeguards requirements in 45 C.F.R. §§ 164.308, 164.310, and 164.312 as well as its policies and procedures and documentation requirements in § 164.316 shall apply to Business Associates in the same manner as these requirements apply to Covered Entities, and that Business Associates shall be civilly and criminally liable for penalties for violations of these provisions. To implement these statutory requirements, the Proposed Rule incorporates references to Business Associates in the foregoing sections of the Security Rule. HHS also posits that Congress did not intend to apply enumerated Security Rule sections to Business Associates in a different manner than to Covered Entities, and therefore also adds Business Associate references to § 164.306, so that the general security requirements of the Security Rule also expressly apply to Business Associates.
Similarly, the Proposed Rule applies certain privacy requirements to Business Associates and creates direct liability for Business Associates for violations of the Privacy Rule. Among other obligations, the Proposed Rule would require Business Associates to (1) disclose PHI to HHS for compliance purposes; (2) disclose PHI in an electronic format to a Covered Entity, individual, or individual’s designee in order for the Covered Entity to comply with its obligations to provide electronic access to PHI; (3) comply with the minimum necessary standard; and (4) take reasonable steps to cure a material breach of a Subcontractor or terminate the agreement with the Subcontractor.
Failure to Enter Into Agreements. The Proposed Rule indicates that if a Covered Entity and Business Associate have failed to enter into a Business Associate contract or other arrangement, the Business Associate may only use or disclose PHI as necessary to perform its obligations to the Covered Entity or as required by law. Any other use or disclosure would violate the Privacy Rule.
Application to Subcontractors. One of the most significant revisions made by the Proposed Rule is to clarify that certain security and privacy requirements apply to Subcontractors of Business Associates. As discussed above, the proposed definition of Business Associate includes Subcontractors. Taken together, the new requirements impose direct and contractual liability for violations of the Privacy and Security Rules on Subcontractors of Business Associates. In addition, Business Associates are now required to have agreements with Subcontractors that apply the same contractual requirements to Subcontractors as Covered Entities apply to Business Associates. Likewise, they are responsible for obtaining adequate contractual assurances that a Subcontractor is protecting the security of electronic PHI. Subcontractors, in turn, would be required to obtain Business Associate agreements with the parties with which they contract for services that provide access to PHI. Although a Covered Entity could have liability for the acts of its Subcontractors, Covered Entities have no new obligation to enter into Business Associate agreements with Subcontractors.
Finally, HHS clarifies that direct liability attaches regardless of whether the Business Associate and its Subcontractor have entered into a Business Associate agreement.
Business Associate Contracts. The Proposed Rule revises the Business Associate contract provisions to require that: (1) Business Associates comply, where applicable, with the Security Rule with regard to electronic PHI; (2) Business Associates report breaches of unsecured PHI to Covered Entities; and (3) Business Associates ensure that any Subcontractors that create or receive PHI on behalf of the Business Associate agree to the same restrictions and conditions that apply to the Business Associate with respect to such information.
The Proposed Rule removes the requirement that Covered Entities report to HHS when a Covered Entity is aware of noncompliance by a Business Associate and is unable to cure the breach, and termination of a Business Associate contract is not feasible. In light of a Business Associate’s direct liability for civil monetary penalties for violations of the HIPAA rules and both the Covered Entity’s and Business Associate’s obligations to report breaches of unsecured PHI, HHS notes that it has other mechanisms to learn of misuses by Business Associates. However, the Proposed Rule now requires that a Business Associate that is aware of noncompliance by its Subcontractor must respond to the situation in the same manner as a Covered Entity that is aware of noncompliance by a Business Associate — by taking reasonable steps to cure the breach and, if such steps are unsuccessful, terminating the contract, if feasible.
Finally, the Proposed Rule emphasizes that in addition to having direct liability for civil monetary penalties for impermissible uses and disclosures of PHI, Business Associates are still contractually liable to Covered Entities pursuant to their Business Associate contracts.
Transition Provisions. The Proposed Rule provides some relief from the burden of compliance with the revised Business Associate provisions by adding a transition provision to grandfather certain existing Business Associate contracts for a specified period of time. The Proposed Rule adds transition provisions to allow Covered Entities and Business Associates (including Subcontractors) to continue to operate under certain existing contracts for up to one year beyond the compliance date of the final rule that results from the Proposed Rule (Final Rule). HHS proposes to deem such contracts to be compliant with the modifications in the Final Rule until either the Covered Entity or Business Associate has renewed or modified the contract following the compliance date of the modifications, or until the date that is one year after the compliance date, whichever is sooner.
Privacy Rule
The Proposed Rule would make several changes to the Privacy Rule, including an expansion of the definition of health care operations and changes to the provisions governing marketing, fund raising, and other HIPAA-regulated activities.
Health Care Operations. Covered Entities are permitted to use PHI for health care operations without an authorization. Although patient safety activities are already included in the definition of the term “health care operations,” HHS responded in the Proposed Rule to public comments received during the rulemaking period on the PSQIA. The Proposed Rule conforms the Privacy Rule to PSQIA by amending the definition of health care operations to expressly include a reference to “patient safety activities,” as that term is defined in PSQIA. The definition of health care operations now includes quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines; population-based activities related to improving health or reducing health care costs; protocol development; case management and care coordination; contacting health care providers and patients with information about treatment alternatives; and related functions other than treatment.
Marketing. The Privacy Rule generally requires a Covered Entity to obtain an individual authorization in order to use or disclose PHI for marketing purposes. “Marketing” is defined as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service,” subject to certain exceptions. The Proposed Rule would modify and further restrict the exceptions to the definition of marketing.
Under the Proposed Rule, marketing would not include a communication made:
- For treatment of an individual by a health care provider (including case management or care coordination, or the recommendation of alternative treatments, therapies, health care providers, or settings of care to the individual), provided that if the communication is in writing and the health care provider receives financial remuneration in exchange for making the communication, certain notice and opt-out requirements are met.
- To provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual, provided that any financial remuneration received by the Covered Entity in exchange for making the communication is reasonably related to the Covered Entity’s cost in making the communication.
- For the following health care operations, unless the Covered Entity receives financial remuneration in exchange for making the communication: (1) to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the Covered Entity making the communication (including communications about the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits); or (2) for case management or care coordination, contacting individuals with information about treatment alternatives, and related functions to the extent that such activities do not fall within the definition of treatment.
“Financial remuneration” for purposes of the foregoing is defined as “direct or indirect payment from or on behalf of a third party whose product or service is being described.” The Proposed Rule also clarifies that direct or indirect payment does not include any payment for treatment of an individual. Last, HHS states that only financial remuneration that is paid in exchange for making a communication is relevant to the definition of marketing.
Organizational Requirements for Hybrid Entities. The Proposed Rule clarifies certain issues relative to hybrid entities, as defined in the Privacy Rule. With respect to a hybrid entity, the Proposed Rule clarifies that the Covered Entity itself (i.e., the legal entity), and not merely the designated health care component, remains responsible for complying with the security rules regarding Business Associate arrangements and other organizational requirements. HHS requests comments on whether the Covered Entity should be required rather than permitted to include a component that performs business-associate activities within its health care component, so that such component is directly subject to the rules.
Sale of PHI. HITECH prohibited a Covered Entity or Business Associate from receiving direct or indirect remuneration in exchange for the disclosure of PHI unless the Covered Entity or Business Associate had obtained a valid authorization from the individual. The Proposed Rule implements this provision of HITECH and requires that an authorization obtained by a Covered Entity for any such disclosure of PHI must state that the disclosure will result in remuneration to the Covered Entity.
The Proposed Rule contains several exceptions to this authorization requirement. The authorization requirement does not apply to disclosures of PHI:
- For public health purposes
- For research purposes where the only remuneration received by the Covered Entity is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI for such purposes
- For treatment and payment purposes
- For the sale, transfer, merger, or consolidation of all or part of the Covered Entity and for related due diligence
- To or by a Business Associate for activities that the Business Associate undertakes on behalf of a Covered Entity, and the only remuneration provided is by the Covered Entity to the Business Associate for the performance of such activities
- To an individual, when requested under the access or accounting of disclosures provisions of the Privacy Rule
- Required by law
- Permitted by and in accordance with the applicable requirements of the Privacy Rule, where the only remuneration received by the Covered Entity is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law
Research. In the Proposed Rule, HHS recognizes that research often involves the provision of research-related treatment and the collection of PHI and/or biological specimens (with associated PHI) to create a research database or tissue repository. In order to address concerns raised by the research community, HHS proposes changes to current Privacy Rule provisions related to the use of compound authorizations, as defined below, for such research trials, and is seeking input regarding the use of authorizations for future research.
With regard to compound authorizations, under the current Privacy Rule, a Covered Entity may condition the provision of certain research-related treatment on the research subject’s agreement to execute a disclosure authorization. In such a circumstance, it is acceptable for a Covered Entity to utilize a “compound authorization” — a document that combines the subject’s consent to participate in the research trial with the subject’s authorization to disclose the subject’s PHI. However, when a research trial includes both research-related treatment and a corollary activity, such as the banking of tissue (and associated PHI), Covered Entities must obtain separate authorizations from a subject: one authorization for research-related treatment (which may be combined with the research consent) and a separate authorization for tissue banking.
HHS proposes to eliminate the requirement for separate documents, as long as certain conditions are met. The document used must: (1) clearly differentiate between the authorization associated with research-related treatment and the authorization associated with the corollary activity and (2) clearly permit the subject to approve or decline the authorization associated with the corollary activity. For example, Covered Entities could describe the non-treatment related corollary activity on a separate page and use a check-box or a distinct signature line to indicate whether a subject authorizes the disclosure of PHI for the non-treatment related corollary activity. HHS is requesting comments on additional methods that would clearly differentiate authorizations for treatment-related research activities and authorizations for corollary activities.
HHS recognizes that the collection of PHI or specimens (with associated PHI) in databases or repositories is often intended for future research. However, HHS has interpreted the current Privacy Rule to require that a disclosure authorization related to research be study specific, thereby limiting an individual’s ability to agree to the use or disclosure of their PHI for future research without having to be re-contacted to sign additional authorization forms in the future. Commentators have urged HHS to permit a Covered Entity to utilize a disclosure authorization in which an individual authorizes disclosure of PHI for future research, or to modify its current interpretation to allow the authorization to encompass certain future research uses, provided certain criteria are met. The Proposed Rule describes various options under consideration to address this issue. HHS is requesting comments on each of the proposed options, including their impact on the conduct of research and patient understanding of authorizations. In addition, HHS notes that any future modification in this area would not alter an individual’s right to revoke the authorization for future research at any time and requests comment on how such a revocation would work with respect to future research studies.
Decedents. The Privacy Rule currently requires Covered Entities to protect the privacy of a decedent’s PHI indefinitely, in generally the same manner as is required for the PHI of living individuals. The Proposed Rule suggests two significant changes involving the PHI of deceased individuals.
First, HHS proposes to revise the definition of PHI to exclude individually identifiable health information of a person who has been deceased for more than 50 years. This change responds to concerns expressed to HHS that it can be difficult to locate a personal representative to authorize the use or disclosure of decedent’s PHI after an extended period of time. HHS states that 50 years — roughly two generations — is a sufficient amount of time to protect the privacy interests of most, if not all, living relatives or other affected individuals.
Second, the Proposed Rule would address concerns that family members and others who have had access to PHI of a deceased individual prior to death often have difficulty obtaining such access following the individual’s death. This is because these individuals often do not fall within the definition of “personal representative” in the Privacy Rule. HHS proposes to modify the Privacy Rule to permit Covered Entities to disclose the decedent’s information to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the Covered Entity.
Minimum Necessary Rule. The Privacy Rule requires Covered Entities to limit PHI uses, disclosures, and requests to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. The Privacy Rule does not define “minimum necessary” but provides that the minimum necessary standard does not apply in certain circumstances (e.g., disclosure for treatment, to the individual, pursuant to a valid authorization, and others). HITECH limits Covered Entities’ discretion in determining what constitutes minimum necessary. Until HHS issues additional guidance on what constitutes minimum necessary, a Covered Entity or Business Associate must limit the use, disclosure, or request of PHI to a limited data set, if practicable. A limited data set is PHI that excludes direct identifiers of the individual or of the relatives, employers, or household members of the individual, such as names, telephone numbers, and certain other identifiers. If a limited data set will not meet the need of the particular use, disclosure, or request, an entity may implement its traditional minimum necessary policies and procedures. The Proposed Rule does not provide additional guidance on this topic. However, HHS requests public comment on the particular aspects of the minimum necessary standard that it should address in future rulemaking or guidance on the subject.
Fundraising. The Proposed Rule changes a number of the Privacy Rule’s fundraising requirements to implement HITECH. First, the Proposed Rule strengthens the right of an individual to opt out by requiring that a Covered Entity provide, with each fundraising communication, a clear and conspicuous opportunity to opt out of receiving future fundraising communications. HHS suggests that this right should not cause an undue burden for the individual. (An example of an undue burden would be for the Covered Entity to require the individual to write and send a letter to the Covered Entity.) Second, the Proposed Rule also states that a Covered Entity cannot condition treatment or payment on an individual’s choice to receive or not to receive fundraising communications. Third, the Proposed Rule suggests that when an individual has opted out of receiving fundraising communications, the Covered Entity may not send such information to them, as opposed to the previous requirement to make reasonable efforts not to send such information.
HHS is seeking comments on several questions regarding the fundraising provisions, including (1) to which fundraising communications an opt-out should apply (e.g., all future fundraising versus specific campaigns); and (2) whether and how the Privacy Rule should be modified to allow Covered Entities to conduct targeted fundraising campaigns.
Notice of Privacy Practices. The Privacy Rule currently requires most Covered Entities to have and distribute a notice of privacy practices (NPP) to individuals. The Proposed Rule would require a Covered Entity to make a number of material changes to its NPP.
First, the NPP would have to include a description of the uses and disclosures of PHI that require an authorization (uses and disclosures of psychotherapy notes, PHI for marketing purposes or for the sale of PHI); a statement that other uses and disclosures not described in the notice will be made only with the individual’s written authorization; and a statement that the individual may revoke an authorization.
Second, the NPP’s description of disclosures of PHI for treatment, payment, and health care operations would have to include a separate statement informing the individual of any of the following activities if the Covered Entity intends to engage in any such activity: (1) the covered health care provider may send treatment communications to the individual concerning treatment alternatives or other health-related products or services where the provider receives financial remuneration in exchange for making the communications, and the individual has a right to opt out of receiving such communications; (2) the Covered Entity may contact the individual to raise funds for the Covered Entity, and the individual has a right to opt out of receiving such communications; or (3) the group health plan, or a health insurance issuer or HMO with respect to a group health plan, may disclose PHI to the sponsor of the plan.
Finally, the NPP would have to include a statement of the individual’s right to request restrictions on certain uses and disclosures of PHI, including a statement that the Covered Entity is not required to agree to a requested restriction, except in the case of a Health Plan Disclosure Restriction, as defined below.
Health Plan Disclosure Restrictions. The current Privacy Rule requires Covered Entities to permit individuals to request restrictions on the uses or disclosures of their PHI by the Covered Entity, but does not require the Covered Entity to agree to such requests. If the Covered Entity agrees to a restriction, the Covered Entity must document the restriction and abide by the restriction (except in emergencies). A Covered Entity may terminate its agreement to a restriction in certain circumstances.
Under the Proposed Rule, a Covered Entity, upon request from an individual, must agree to a restriction on the disclosure of PHI to a health plan if: (1) the disclosure is for the purposes of carrying out payment or health care operations and is not otherwise required by law; and (2) the PHI pertains solely to a health care item or service for which the individual, or person on behalf of the individual (other than the health plan), has paid the Covered Entity in full (a Health Plan Disclosure Restriction).
According to HHS, if the individual intends to pay for the items or services, but does not do so, the Covered Entity may submit information to the health plan for payment purposes, but must first make some attempt to resolve the payment issue with the individual. HHS seeks comments regarding the extent to which the Covered Entity must make reasonable efforts to resolve payment issues.
HHS also proposes adding language to clarify that: (1) the current termination and documentation provisions related to restrictions apply to Health Plan Disclosure Restrictions; and (2) a Covered Entity may not unilaterally terminate a Health Plan Disclosure Restriction.
HHS notes that in the event an individual exercises his or her right to a Health Plan Disclosure Restriction, the Covered Entity also is prohibited from making disclosures to a Business Associate of the health plan. In addition, according to HHS, HITECH provides the individual with the right to determine which items or services the individual wishes to pay for out-of-pocket and restrict; therefore, a Covered Entity may not require an individual seeking a Health Plan Disclosure Restriction regarding a particular item or service to pay out-of-pocket for additional items or services.
HHS also states that if a patient requests a Health Plan Disclosure Restriction but then seeks additional follow-up care and asks the provider to bill the health plan, the provider may need to submit information about earlier visits to the health plan. HHS considers the lack of a restriction with respect to follow-up treatment to permit disclosure of any PHI necessary to effect payment for such follow-up treatment, even if such information includes PHI related to treatment subject to a prior Health Plan Disclosure Restriction.
HHS recognizes that there may be practical challenges to the implementation of this provision and seeks comments on the types of interactions that would make requesting or implementing a restriction more difficult. HHS also is seeking comments regarding: (1) whether Covered Entities should be obligated to notify other health care providers of such restrictions and the feasibility of such notification; and (2) how the proposed restriction provision will function with respect to health maintenance organizations.
Access to PHI by Individuals. The Privacy Rule currently establishes the rights of individuals to review or obtain copies of their PHI, to the extent such information is maintained in the designated record set of a Covered Entity. An individual’s right of timely access exists regardless of whether the PHI is in electronic or paper format. HITECH strengthens the Privacy Rule’s right of access to PHI that is maintained in an electronic health record (EHR). To avoid creating disparate standards for access, HHS indicates that it proposes to apply these new requirements uniformly to all electronic PHI contained in a designated record set, regardless of whether the record is maintained in an EHR or another electronic format.
The Privacy Rule requires a Covered Entity to provide individuals with access to PHI in the form or format requested by the individual, if it is readily producible in such form or format, or, if not, in a readable hard-copy form or such other form or format as agreed to by the Covered Entity and the individual. HITECH explicitly requires a Covered Entity that uses or maintains an EHR to provide the individual with a copy of requested PHI in an electronic format. The Proposed Rule harmonizes these requirements by providing that Covered Entities must provide an individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible in such form or format, and if not, in an otherwise agreed upon electronic form and format.
HITECH also provides that, if requested by an individual, a Covered Entity must transmit the copy of PHI directly to another person designated by the individual. The Proposed Rule applies this requirement to information in both paper and electronic form, and specifies that the individual’s request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of PHI.
The Privacy Rule currently permits a Covered Entity to impose a reasonable, cost-based fee for a copy of PHI, which may include the cost of the supplies for, and labor of, copying the PHI; the postage associated with mailing the PHI, if applicable; and the preparation of an explanation or summary of the PHI, if agreed to by the individual. HITECH, however, permits the Covered Entity to charge no more than its labor costs in responding to a request for a copy of electronic PHI. In the Proposed Rule, HHS again harmonizes these requirements by allowing a Covered Entity to charge for the labor of copying PHI; the cost of supplies, if the individual requests that the electronic copy be provided on portable media; and the cost of postage, if the individual requests that the portable media be sent by mail or courier. A standard retrieval fee that does not reflect the actual labor costs related to an individual’s request is not allowable.
The Proposed Rule would not modify the timeliness standards for an individual’s right to access, but HHS requests comments on appropriate timeliness standards for the provision of access to electronic records, including the aspects of existing systems that would create efficiencies in processing requests for electronic information; whether the current standards should be altered for all systems, paper and electronic, so that access would be provided without unreasonable delay, and no later than 30 days; whether a variety of timeliness standards based on the type of electronic record is the preferred approach; the time necessary for Covered Entities to review access requests and make necessary determinations; and whether the provision that gives Covered Entities another 30 days to respond if the information is off site should be eliminated. HHS also invites public comments on the types of activities related to managing electronic access requests that should be compensable aspects of labor.
Technical Changes to Security Rule
The Proposed Rule makes certain technical changes to the Security Rule; these changes apply to both Covered Entities and Business Associates. It clarifies that Covered Entities and Business Associates must review and modify security measures and update documentation to assure compliance with the Security Rule. In recognition of the fact that volunteers may be workforce members of a Covered Entity or Business Associate, the Proposed Rule requires that when the employment of, or other arrangement with, a workforce member ends, Covered Entities and Business Associates must apply the same procedures for terminating access to electronic PHI to employees, volunteers, and other workforce members.
Enforcement
HITECH mandated several changes to the HIPAA enforcement scheme. Some of these changes were effective February 18, 2009 and were added to the HIPAA Enforcement Rule pursuant to an Interim Final Rule on October 30, 2009. The Proposed Rule builds on these prior revisions.
Business Associates. As noted above, the provisions of the Privacy Rule and the Security Rule as well as the Enforcement Rule will now apply to Business Associates. A number of the changes proposed to the Enforcement Rule would conform to that requirement. As discussed below, these include changes that delineate the liability of Business Associates for their agents, including Subcontractors.
Willful Neglect. Consistent with the statutory mandate in HITECH, the Proposed Rule would amend the Enforcement Rule to require the Secretary of HHS to investigate any complaint when a preliminary review of the facts indicates a possible violation due to “willful neglect.” HHS will retain discretion with respect to other complaints, although it indicates in the preamble that “as a practical matter, HHS currently conducts preliminary review of every complaint received and proceeds with the investigation in every eligible case where … the facts indicate a possible violation of the HIPAA rules.”
Culpability Tiers. The HITECH Act establishes four tiers of increasing penalty amounts to correspond to the levels of culpability associated with the violation. The first category of violation (and lowest penalty tier) covers situations where the Covered Entity or Business Associate did not know, and by exercising reasonable diligence would not have known, of a violation. The second category of violation applies to violations due to “reasonable cause” and not willful neglect. The third and fourth categories apply to circumstances where the violation was due to willful neglect and is corrected within a certain time period and willful neglect that is not so corrected, respectively.
The Proposed Rule makes significant changes to the definition of “reasonable cause,” the second level of culpability, which should provide HHS with greater latitude in keeping certain violations outside of the more onerous willful neglect tiers. Reasonable cause is currently defined to mean “circumstances that make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated.” HHS proposes to replace this definition with the following definition of reasonable cause:
An act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.
Proposed Rule, page 40
This change is significant because it recognizes that knowledge of a violation does not automatically place a Covered Entity or Business Associate in the willful neglect category, which invokes mandatory civil monetary penalties as well as mandatory investigations.
The Proposed Rule also provides examples of hypothetical circumstances that would fall within the various tiers. The examples make it clear that, when determining into which of the four culpability levels a violation falls, HHS will take into account the extent to which a Covered Entity or Business Associate has effective policies and procedures in place, which evidence an intent to comply with HIPAA, and the steps that were taken to comply. This makes it imperative for Covered Entities and Business Associates to have robust policies in place and to fully document their steps to implement and comply with them.
Agency Relationships. Additionally, the Proposed Rule addresses the circumstances in which the acts of a Covered Entity’s or Business Associate’s agent will be imputed to the Covered Entity or Business Associate. Not surprisingly, the Proposed Rule would add a provision that makes Business Associates liable for the violations of their agents, including Subcontractors who are acting within the scope of an agency relationship under the federal common law of agency. However, HHS echoes statements from prior rules that the determination of whether a Business Associate is an agent of the Covered Entity or (under the Proposed Rule) whether a Subcontractor is an agent of a Business Associate, will be based on the facts of the relationship such as the level of control over the Business Associate’s or Subcontractor’s conduct.
Unfortunately, the Proposed Rule includes a change that broadens the liability of Covered Entities for the violations of their Business Associates who are agents. HIPAA regulations currently provide an exception to a Covered Entity’s liability for the acts of its agent in cases where the agent is a Business Associate; the relevant Business Associate requirements have been met; the Covered Entity did not know of a pattern or practice of the Business Associate in violation of the contract; and the Covered Entity did not fail to act as required by the Privacy Rule or Security Rule with respect to such violation. HHS proposes to remove this exception, so that the Covered Entity would remain liable for the acts of its Business Associate agents, regardless of whether the Covered Entity has a compliant Business Associate agreement in place. HHS states that this change is necessary to ensure, when the Covered Entity has contracted a particular obligation under the HIPAA rules, that the Covered Entity remains liable for the failure of its Business Associate to perform that obligation on the Covered Entity’s behalf.
Finally, the Proposed Rule clarifies the manner in which the Secretary of HHS will determine penalty amounts. Such determinations would involve consideration of, among other things, the nature and extent of the violation, the nature and extent of the harm that results from the violation, and the history of prior compliance by the Covered Entity or Business Associate in question. HHS elaborates on how these factors will be applied.
HITECH Provisions Not Included in the Proposed Rule
The Proposed Rule did not address all of the issues on which HITECH mandates regulations. For example, HHS states that accounting for disclosures of PHI, the authority of the state attorneys general to enforce the HIPAA rules, and the minimum necessary standard will all be the subject of future rules or guidance.
Conclusion
The Proposed Rule amends the HIPAA Privacy, Security and Enforcement Rules in a number of significant ways. Perhaps the most important change is to make Business Associates (including Subcontractors) directly subject to compliance obligations and enforcement actions by HHS. Once the Final Rule is issued, changes to the requirements for Business Associates and Business Associate Agreements will require amendments to those contracts. In addition, Business Associates will need to put Business Associate Subcontractor Agreements into place. Covered Entities also will need to revise their NPPs and examine their marketing, research, and other practices to make sure they comply with the requirements of the Final Rule. Given the complexity of these requirements, Covered Entities, Business Associates, and Subcontractors should begin assessing their current HIPAA policies and plan for the changes ahead.
Legal News Alert is part of our ongoing commitment to providing up-to-the-minute information about pressing concerns or industry issues affecting our health care clients and colleagues. If you have any questions about this alert or would like to discuss this topic further, please contact your Foley attorney or any of the following individuals:
Shirley P. Morrigan
Los Angeles, California
213.972.4668
Jacqueline M. Saue
Washington, D.C.
202.672.5306
Michael Scarano
San Diego, California
858.847.6712
Andrew B. Serwin
San Diego, California
619.685.6428
M. Leeann Habte
Los Angeles, California
213.972.4679
Maureen Kwiecinski
Milwaukee, Wisconsin
414.319.7325