HIPAA/HITECH Rules Proposed: Major Changes Looming for Business Associates and Subcontractors


Health Care ADVISORY
July 16, 2010

On July 8, 2010, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS or "the Secretary") issued its Proposed Rule [1] setting forth modifications to the Privacy, Security and Enforcement Rules (collectively referred to as "the HIPAA Rules") issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Health Information Technology for Economic and Clinical Health Act ("the HITECH Act" or "the Act"), enacted on February 17, 2009, made significant changes to the HIPAA Rules, many of which became effective on February 18, 2010. Additionally, as OCR notes, the HIPAA Rules have gone largely untouched for a number of years. As such, OCR is taking this opportunity to implement the proposed policies mandated by the HITECH Act and to address other modifications and technical corrections to the HIPAA Rules. Notably, the Proposed Rule expands the definition of business associates and makes considerable changes to various provisions relating to the use and disclosure of protected health information (PHI) by covered entities and business associates. Comments on the Proposed Rule will be accepted until September 13, This advisory provides a section-by-section summary of the key changes to the HIPAA Rules.

COMPLIANCE PERIOD

At the outset of the Proposed Rule, OCR notes that the final rule will not take effect until long after many of the HITECH Act changes became effective on February 18, 2010, and that it will be difficult for covered entities and business associates to comply with the statutory provisions until the changes to the HIPAA Rules are finalized. Accordingly, OCR proposes a 180-day period beyond the effective date of the final rule by which covered entities and business associates are expected to be in compliance with the Proposed Rule, unless otherwise specified. For example, as discussed herein, there will be an additional one-year transition period for covered entities and business associates to comply with changes to their existing business associate contracts or other arrangements.

As proposed, the 180-day compliance period would apply to any future new standards or implementation specifications, or modifications to standards or implementation specifications, in the HIPAA Rules going forward, unless otherwise provided. However, because the provisions of the HIPAA Enforcement Rule are not standards or implementation specifications, the compliance period would not apply to the Enforcement Rule. The Enforcement Rule provisions would become effective at the time the final rule is given effect or as otherwise specifically provided. OCR is seeking comments on this 180-day compliance period.

[1] Fed. Reg (July 14, 2010).

This advisory is published by Alston & Bird LLP to provide a summary of significant developments to our clients and friends. It is intended to be informational and does not constitute legal advice regarding any specific situation. This material may also be considered attorney advertising under court rules of certain jurisdictions.

AMENDMENTS TO SUBPARTS A AND B OF PART 160

OCR is proposing a number of changes to Subparts A and B of Part 160. Subpart A contains general provisions relating to all of the HIPAA Rules. Subpart B contains the provisions relating to HIPAA preemption. The key changes to these Subparts are outlined below.

Subpart A

Definition of Business Associate

OCR proposes modifications to the definition of a business associate to conform to the statutory provisions of the Patient Safety and Quality Improvement Act of 2005 (PSQIA) and the HITECH Act.

Inclusion of Patient Safety Organizations: Adds patient safety activities to the list of functions and activities a person may undertake on behalf of a covered entity that give rise to a business associate relationship, thereby making Patient Safety Organizations (PSOs) business associates under the HIPAA Rules as required by PSQIA.

Inclusion of Health Information Organizations (HIO), E-Prescribing Gateways, Other Persons that Facilitate Data Transmission and Vendors of Personal Health Records: Modifies the definition of a business associate to include (1) an HIO, E-prescribing Gateway or other person who provides data transmission services with respect to PHI; and (2) a person who offers a personal health record to one or more individuals on behalf of a covered entity. OCR notes that the terms "Health Information Organization" and "E-prescribing Gateway" are merely illustrative of the types of organizations that provide data transmission of PHI to a covered entity and require access on a routine basis to such PHI. Data transmission organizations that do not require access to PHI on a routine basis would not be treated as business associates.

Inclusion of Subcontractors: Includes in the definition of business associate subcontractors of a covered entity that create, receive, maintain or transmit PHI on behalf of a business associate. In other words, subcontractors who perform functions for or provide services to a business associate, other than as a member of the business associate's workforce, would be business associates to the extent they require access to PHI. Subcontractors, therefore, would be subject to the portions of the HIPAA Privacy and Security Rules applicable to business associates, and would be subject to enforcement liability for compliance failures. [2] The proposed definition of subcontractor would apply even if there is not a business associate contract between the business associate and subcontractor, an obligation that would remain the responsibility of the business associate, and not the covered entity.

Exceptions to the Definition of Business Associate: Moves the exceptions for certain relationships that do not give rise to a business associate relationship, such as where a covered entity discloses electronic PHI to a health care provider concerning the treatment of an individual, to the definition of a business associate.

[2] The extension of HITECH requirements to subcontractors of business associates would be a major change in the way that the HIPAA Rules apply. While this inclusion of subcontractors within the definition of business associate was not set forth explicitly in HITECH, OCR bases its proposal on its interpretation of the intent of Congress in extending the applicability of HIPAA rules to business associates. See 75 Fed. Reg. at

Definition of PHI

OCR proposes to amend the definition of PHI to provide that the Privacy and Security Rules do not protect the individually identifiable health information of persons who have been deceased for more than 50 years.

Definition of Workforce

The definition of workforce would be amended to clarify that this term includes employees, volunteers, trainees and other persons whose conduct in the performance of work for a business associate is under the direct control of the business associate.

Subpart B

Definitions of Contrary and More Stringent

The HIPAA Rules provide that federal preemption applies where state law is contrary unless certain exceptions apply. One exception provides that contrary state law is not preempted if state law is more stringent than HIPAA. As part of the regulatory provisions relating to the preemption of state law, OCR proposes to amend the definitions of "contrary" and "more stringent." The definition of "contrary" and "more stringent" would be expanded to include references to business associates to ensure that the preemption provisions apply similarly to covered entities and business associates. Additionally, the definition of "contrary" would be amended to encompass all sections of the HITECH Act that relate to HIPAA.

AMENDMENTS TO THE ENFORCEMENT RULE SUBPARTS C AND D OF PART 160

Subpart C

Section of the HITECH Act made a number of changes to the Enforcement Rule, many of which were promulgated by OCR in an interim final rule on October 30, 2009. [3] In the Proposed Rule, OCR proposes additional revisions to Subparts C and D of the Enforcement Rule to ensure that the HITECH Act and certain provisions of the Privacy and Security Rules apply to business associates in the same manner as they apply to covered entities. OCR's additional proposals are described below.

Complaints to the Secretary ( (c)): Makes clear its intention to pursue investigations where a preliminary review of the facts of a complaint indicates a possible violation due to willful neglect.

Compliance Reviews ( ): Provides that the Secretary will conduct compliance reviews to determine whether a covered entity or business associate is complying with the applicable administrative simplification provisions of HIPAA when a preliminary review of the facts indicates a possible violation due to willful neglect. However, if an investigation is initiated because a preliminary review of the facts indicates a possible violation due to willful neglect, OCR would not also be required to initiate a compliance review because it would be duplicative to do so.

[3] See 74 Fed. Reg (Oct. 30, 2009).

Responsibilities of Covered Entities ( ): Permits the Secretary to disclose PHI as necessary for determining and enforcing compliance with the HIPAA Rules if permitted under the Privacy Act at 5 U.S.C. 552a(b)(7).

Definition of Reasonable Cause ( ): Revises the definition of reasonable cause as an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision of HIPAA, but in which the covered entity or business associate did not act with willful neglect.

Basis for Civil Money Penalty ( ):

Adds references to "business associate" where appropriate to effectuate the HITECH Act provisions imposing liability on business associates for violations of the HITECH Act and certain Privacy and Security provisions.

Adds a new provision to provide that a business associate is liable, in accordance with the federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the business associate, including a workforce member or subcontractor, acting within the scope of the agency.

Removes the exception to principal liability for the covered entity so that the covered entity remains liable for the acts of its business associate agents, regardless of whether the covered entity has a compliant business associate agreement in place.

AMENDMENTS TO SUBPART A OF PART 164 AND THE SECURITY RULE IN SUBPART C OF PART 164

OCR proposes the implementation of a number of modifications as well as various technical and conforming changes to the Security Rule. The key changes are summarized below.

Technical Changes to Subpart A

Applicability ( ): Makes clear that, where provided, the standards, requirements and implementation specifications of the HIPAA Privacy, Security and Breach Notification Rules apply to business associates.

Organizational Requirements ( ): Makes clear that the organizational requirements and implementation specifications for health care components of covered entities and affiliated covered entities would apply to the Breach Notification Rule.

Modifications to the HIPAA Security Rule in Subpart C

Section of the HITECH Act provides that the administrative, physical and technical safeguard requirements in sections , and of the Security Rule, as well as the policies, procedures and documentation requirements in section , must apply to business associates in the same manner as such requirements apply to covered entities. The Act also provided that business associates are to be civilly and criminally liable for violations of these provisions. In implementing these changes, OCR proposes to include references to a "business associate," where appropriate, following references to a "covered entity." In addition, OCR proposes the following changes:

Security Standards General Rules ( ): Applies section to business associates in the same manner as the other administrative, physical and technical safeguard provisions would apply to business associates pursuant to the HITECH Act.

Administrative Safeguards ( ):

Makes clear that it would be the business associate's responsibility to obtain the required satisfactory assurances from the subcontractor to protect the security of electronic PHI.

Requires documentation of the required satisfactory assurances through a written contract or other arrangement between the business associate and their subcontractors.

Organizational Requirements ( ):

Revises section to make clear that this section also applies to agreements between business associates and subcontractors that create, receive, maintain or transmit electronic PHI.

Removes certain provisions from section relating to business associate agreements that are already included in parallel provisions of the Privacy Rule.

Makes clear that the business associate contract must provide that the business associate will report to the covered entity breaches of unsecured PHI as required by the Breach Notification Rule.

Provides that the requirements of this section for contracts or other arrangements between a covered entity and business associate would apply in the same manner to contracts or other arrangements between business associates and subcontractors. This would include notification by the subcontractor to the business associate of any breaches of unsecured PHI in order for the business associate then to notify the covered entity.

AMENDMENTS TO THE PRIVACY RULE

In the Proposed Rule, OCR proposes the implementation of various HITECH Act changes to the Privacy Rule.
The key changes are summarized below.

Definition of Health Care Operations

OCR proposes to amend the definition of health care operations to include a reference to patient safety activities, as defined in the PSQIA implementing regulations.

Definition of Marketing

The Privacy Rule requires covered entities to obtain a valid authorization from individuals for using or disclosing PHI to market a product or service to them. However, the definition of marketing includes a number of exceptions for certain health-related communications. Section 13406(a) of the HITECH Act limited the health-related communications that may be excluded from the definition of marketing under the Privacy Rule to the extent that the covered entity receives direct or indirect payment in exchange for making the communication. In these instances, the covered entity would need to obtain valid authorization prior to making the communication, or if applicable, prior to its business associate making the communication on its behalf. There was also a limited exception relating to communications that describe only a drug or biologic that is currently being prescribed to the individual, so long as any payment received by the covered entity in exchange for making the communication is reasonable in amount.

In implementing these changes, OCR proposes three exceptions to the definition of marketing to encompass certain treatment and health care operations communications about health-related products or services.

First, OCR proposes to exclude certain health care operations communications, except where the covered entity receives financial remuneration in exchange for making the communication. OCR proposes to define the term "financial remuneration" as direct or indirect payment from or on behalf of a third party whose product or service is being described. Financial remuneration would not include any direct or indirect payment for the treatment of an individual.

Second, OCR proposes to exclude communications regarding refill reminders or otherwise about a drug or biologic that is currently being prescribed for the individual, provided any financial remuneration received by the covered entity for making the communication is reasonably related to the covered entity's cost of making the communication.

Third, OCR proposes to exclude treatment communications about health-related products or services by a health provider to an individual, including communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers or settings of care to the individual.
However, if the communications are in writing and financial remuneration is received in exchange for making the communications, certain notice and opt-out requirements would need to be satisfied. Specifically, OCR proposes that there be a statement in the provider's notice of privacy practices if a provider intends to send subsidized communications to an individual, as well as notice of the opportunity for the individual to opt out of receiving any further communications. In addition, the written treatment communication must disclose the fact that the communication is subsidized and include a clear and conspicuous opportunity for the individual to choose not to receive such communications in the future.

Business Associates

OCR proposes to amend section (a) containing the general rules for uses and disclosures of PHI to address the permitted and required uses and disclosures of PHI by business associates. Importantly, business associates, like covered entities, may not use or disclose PHI, except as permitted or required by the Privacy Rule or the Enforcement Rule. Sections (a)(1) and (2) would be revised to apply only to covered entities, and sections (a)(4) and (5) would be added to address the permitted and required uses and disclosures of PHI specific to business associates.

As required under the HITECH Act, the new section (4) would permit business associates to use or disclose PHI only as permitted or required by their business associate contracts or other arrangements, or as required by law. If the parties have failed to enter into a business associate contract or other arrangement, the business associate may use or disclose PHI only as necessary to perform its obligations for the covered entity (pursuant to an agreement that sets forth the general terms of the relationship). Any other use or disclosure would violate the Privacy Rule. Additionally, this section makes clear that a business associate would not be permitted to use or disclose PHI in a manner that would violate the requirements of the Privacy Rule if done by the covered entity, except for uses and disclosures for the proper management and administration of the business associate and the provision of data aggregation services for the covered entity if such uses and disclosures are permitted by its business associate contract or other arrangement.

The new section (5) would require business associates to disclose PHI either when required by the Secretary to investigate or determine the business associate's compliance with the Privacy Rule, or to the covered entity, individual or individual's designee as necessary to satisfy the covered entity's obligations with respect to an individual's request for access, including an electronic copy of their PHI. In addition, this section would modify the minimum necessary standard to require that when a business associate uses, discloses, or requests PHI, the PHI be limited to the minimum necessary amount of information to accomplish the intended purpose of the use, disclosure or request.

Business Associate Agreements

The HITECH Act places direct liability for uses and disclosures of PHI on business associates. According to OCR, beyond such direct liability, a business associate would be contractually liable not only for improper uses and disclosures of PHI, but also for compliance with all other requirements of the Privacy Rule as they pertain to the performance of the business associate's contract. OCR is proposing the following changes to section , which contains the specific requirements for business associate contracts and other arrangements.

Removes the requirement that covered entities report to the Secretary when termination of a business associate contract is not feasible in light of a business associate's direct liability for civil money penalties for violations of the HIPAA Rules.
Adds a new provision applicable to business associates and subcontractors that would be parallel to the requirements for covered entities requiring a business associate, if it knew of a pattern or practice of activity of its business associate subcontractor that constituted a material breach or violation of the subcontractor's contract or other arrangement, to take reasonable steps to cure the breach of the subcontractor or to terminate the contract, if feasible.

Amends business associate contract requirements to provide that business associates would (1) comply, where applicable, with the Security Rule with respect to electronic PHI; (2) report breaches of unsecured PHI to covered entities; (3) ensure that any subcontractors that create or receive PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information; and (4) comply with the requirements of the Privacy Rule that apply to the covered entity, to the extent that the business associate is required to carry out the covered entity's obligations pursuant to the business contract or other arrangement.

Transition Provisions

OCR acknowledges the concerns of covered entities and business associates regarding the potential administrative burdens and costs associated with the revisions of their business associate contracts. In light of these concerns, OCR proposes a one-year transition period for compliance with the business associate contract changes. This one-year period would be in addition to the 180-day compliance period discussed earlier. For business associate contracts in effect prior to the date of publication of the final rule, OCR would deem contracts to be in compliance with the modifications of the HIPAA Rules until either the covered entity or business associate has renewed or modified the contract following the compliance date of the modifications (i.e., 180 days after the effective date of the final rule), or until the date that is one year after the compliance date, whichever is sooner. In other words, covered entities and business associates would have one year past the compliance date to renew or modify their existing contracts to meet the new requirements. However, if contracts are renewed or modified following the compliance date, but prior to the end of the one-year period, contracts would need to be compliant as of the time of the renewal or modification.

OCR notes that for contracts that renew automatically without any change in terms or action by the parties, it intends that such contracts still will be eligible for the one-year extension and that deemed compliance would not terminate when these contracts automatically roll over.

Finally, the transition provisions would only apply to the requirement to amend contracts, and not to other compliance obligations under the HIPAA Rules. Therefore, beginning on the compliance date of the final rule, a business associate may not use or disclose PHI in a manner that is contrary to the Privacy Rule, even if the business associate's contract has not been amended as such.

Sale of PHI

Section 13405(d) of the HITECH Act prohibits a covered entity or business associate from receiving direct or indirect remuneration in exchange for the disclosure of PHI unless the covered entity has obtained a valid authorization from the individual or one of the enumerated exceptions applies. OCR proposes to implement this prohibition at a new section (a)(4), which would apply to both covered entities and business associates.
The valid authorization would be required to include a statement that the covered entity or business associate is receiving direct or indirect remuneration in exchange for the PHI.

The prohibition on the sale of PHI would not apply to disclosures (1) for public health purposes; (2) for research purposes, where the only remuneration received by the covered entity is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI for such purposes; (3) for treatment and payment purposes; (4) for the sale, transfer, merger or consolidation of all or part of the covered entity and for related due diligence as described in the health care operations definition; (5) to or by a business associate for activities that the business associate undertakes on behalf of a covered entity where the only remuneration provided is by the covered entity to the business associate for the performance of such activities; (6) to an individual; (7) required by law; and (8) permitted by and in accordance with the applicable requirements of Subpart E of the Privacy Rule, where the only remuneration received by the covered entity is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law.

PHI About Decedents

OCR proposes to amend section (f) to require a covered entity to comply with the requirements of the Privacy Rule with regard to the PHI of a deceased individual only for a period of 50 years following the date of death. As noted earlier, OCR also proposes to modify the definition of protected health information to make clear that individually identifiable health information of a person who has been deceased for more than 50 years would not be considered PHI under the Privacy Rule.

In addition, OCR proposes to amend section (b) to add a new section that would permit covered entities to disclose a decedent's information to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.

Minimum Necessary

OCR is seeking comments on what aspects of the minimum necessary standard covered entities and business associates believe would be most helpful to have HHS address in its forthcoming guidance, and the types of questions entities may have about how to determine the minimum necessary amount of information for different uses and disclosures of PHI for purposes of complying with the Privacy Rule. OCR proposes not to make any regulatory changes at this time in light of the required guidance from the agency.

Fundraising

The Proposed Rule contains the following changes to the fundraising provisions of the Privacy Rule.

Strengthens the opt-out requirement for fundraising communications by requiring that a covered entity provide, with each fundraising communication sent to an individual, a clear and conspicuous opportunity for the individual to elect not to receive further fundraising communications.

Provides that a covered entity may not condition treatment or payment on an individual's choice with respect to receiving fundraising communications.

Provides that a covered entity may not send fundraising communications to an individual who has elected not to receive such communications.

Retains the requirement that a covered entity that intends to contact individuals to raise funds under these provisions must include a statement to that effect in its notice of privacy practices. However, OCR proposes to modify the required statement by requiring that the notice also inform individuals that they have a right to opt out of receiving such communications.

Notice of Privacy Practices for PHI

The Privacy Rule outlines a number of requirements for a covered entity's notice of privacy practices. OCR proposes to make material changes to these requirements to require that a notice of privacy practices include the following:

A statement that describes the uses and disclosures of PHI that require an authorization (i.e., use and disclosure of psychotherapy notes, use or disclosure of PHI for marketing purposes, and the sale of PHI), to provide that other uses and disclosures not described in the notice will be made only with the individual's authorization, and a statement that the individual may revoke an authorization.

To the extent the covered entity intends to do so, a statement notifying the individual that the covered entity may send subsidized treatment communications to the individual or contact the individual to raise funds, as well as the opportunity to opt out of such communications.

A statement that provides that an individual's right to request restrictions on certain uses and disclosures of PHI may be denied, except where the PHI pertains solely to a health care item or service for which the individual, or person other than a health plan on behalf of the individual, has paid the covered entity in full.

Right to Request Restriction of Uses and Disclosures

As required under section 13405(a) of the HITECH Act, OCR proposes that a covered entity would be required to agree to a restriction on the disclosure of PHI (1) to a health plan if the disclosure is for the purposes of carrying out payment or health care operations and is not otherwise required by law; and (2) the PHI pertains solely to a health care item or service for which the individual, or person on behalf of the individual other than the health plan, has paid the covered entity in full. OCR makes clear that this restriction would also extend to disclosures to the business associate of the health plan.

Access of Individuals to PHI

Section 13405(e) of the HITECH Act provided that individuals have a right to obtain access to a copy of their PHI in an electronic format to the extent that the covered entity uses or maintains such PHI in an electronic health record. OCR proposes to implement and expand on this requirement.

First, OCR proposes that if the PHI requested is maintained electronically in one or more designated record sets (as defined in the Privacy Rule), the covered entity must provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or if not, in a readable electronic form and format as agreed to by the covered entity and the individual. According to OCR, nothing under the current HIPAA Privacy Rule or the proposed modifications would require a covered entity to comply with this requirement if the covered entity determines it is not reasonable or appropriate.

Second, OCR proposes that, if requested by an individual, a covered entity would be required to transmit the copy of PHI directly to another person designated by the individual. In doing so, the individual's choice must be clear, conspicuous, in writing, signed by the individual and clearly identify the designated person and where to send the copy of the PHI.

Third, as currently permitted, a covered entity may impose a reasonable, cost-based fee for a copy of PHI. OCR proposes to amend this fee provision to identify separately the labor for copying PHI, whether in paper or electronic form, and for the cost of supplies for creating the paper copy or electronic media (e.g., physical media, such as a compact disc (CD) or universal serial bus (USB) flash drive), if the individual requested that the electronic copy be provided on portable media.

Lastly, OCR is requesting comments regarding the timeliness of the access requirement, which is currently a 30-day window unless an additional 30 days is necessary. OCR is interested in whether there is a common timeliness standard for the provision of access by covered entities to accommodate a variety of electronic systems, including certified electronic health records. Alternatively, OCR requests comments on whether the current standard could be amended to apply to all systems, paper and electronic, such that all requests for access could be responded to without unreasonable delay and not later than 30 days. OCR is also seeking comments relating to the time necessary for covered entities to review access requests and make necessary determinations.

If you would like to receive future Health Care Advisories electronically, please forward your contact information including address to Be sure to put subscribe in the subject line.

For further guidance please contact one of the attorneys or advisors listed below:

Alston & Bird Health Information Technology (HIT) Task Force

Angela T. Burnette
Jennifer L. Butler
Martin J. Elgison
Laura E. Holland
Robert C. Jones
Peter M. Kazon
David C. Keating
Robert C. Lower
D'Andrea J. Morning
Colin T. Roskey
Tiffani V. Williams
Marilyn Yager, Senior Public Policy Advisor

ATLANTA: One Atlantic Center, 1201 West Peachtree Street, Atlanta, GA
CHARLOTTE: Bank of America Plaza, Suite South Tryon Street, Charlotte, NC
DALLAS: Chase Tower, Suite Ross Avenue, Dallas, TX
LOS ANGELES: 333 South Hope Street, 16th Floor, Los Angeles, CA
NEW YORK: 90 Park Avenue, New York, NY
RESEARCH TRIANGLE: Suite Beechleaf Court, Raleigh, NC
SILICON VALLEY: 275 Middlefield Road, Suite 150, Menlo Park, CA
VENTURA COUNTY: Suite Townsgate Road, Westlake Village, CA
WASHINGTON, D.C.: The Atlantic Building, 950 F Street, NW, Washington, DC

Alston & Bird LLP 2010


More information

Definitions. Catch-all definition:

Definitions. Catch-all definition: BUSINESS ASSOCIATE AGREEMENT THESE PROVISIONS MAY STAND ALONE AS A BUSINESS ASSOCIATE AGREEMENT, OR MAY BE INCORPORATED INTO A LARGER, MORE COMPREHENSIVE CONTRACT WITH THE BUSINESS ASSOCIATE TO COVER OTHER

More information

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY Tulane University DEPARTMENT: General Counsel s POLICY DESCRIPTION: Business Associates Office -- HIPAA Agreement PAGE: 1 of 1 APPROVED: April 1, 2003 REVISED: November 29, 2004, December 1, 2008, October

More information

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS Dear Physician Member: Thank you for contacting the California Medical Association and thank you for your membership. In order to advocate on your behalf,

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Business Associate Agreement (the Agreement ) is made by and between Business Associate, [Name of Business Associate], and Covered Entity, The Connecticut Center for Health,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is entered between ("Covered Entity" or "CE") and, ("Business Associate" or "BA"), collectively the Parties, who agree as follows:

More information

SUMMARY OF CHANGES HIPAA AND OHIO PRIVACY LAWS

SUMMARY OF CHANGES HIPAA AND OHIO PRIVACY LAWS Franklin J. Hickman Janet L. Lowder David A. Myers Elena A. Lidrbauch Judith C. Saltzman Mary B. McKee Lisa Montoni Garvin Andrea Aycinena Penton Building 1300 East Ninth Street Suite 1020 Cleveland, OH

More information

BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM RECITALS

BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM RECITALS BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM This Business Associate Addendum ( Addendum ), effective, 20 ( Effective Date ), is entered into by and between University of Southern California, ( University

More information