New Rules on Privacy, Security, Breach Reporting and Enforcement: Not Just for HIPAA-chondriacs




Executive Summary

After years of waiting for all of the anxious HIPAA-chondriacs out there, the HHS Office for Civil Rights ("OCR") recently released a final rule amending the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules. Most of these modifications implement provisions of the HITECH Act, but the rule also makes changes required by the Genetic Information Nondiscrimination Act of 2008 ("GINA"). The complete rule was published in the Federal Register on January 25, 2013.[1]

The final rule will require substantial revisions to organization policies and practices, business associate agreements (BAAs), and Notices of Privacy Practices. This memo summarizes the major changes that will impact hospitals and other health care facilities, including changes relating to:

- Breach notification
- Business associate compliance and BAAs
- Withholding protected health information (PHI) from health plans upon patient request, if the patient pays in full for the care
- A new prohibition against the sale of PHI
- A new individual right to access PHI in electronic format
- Marketing
- Fundraising
- Notices of Privacy Practices
- Authorizations for research
- Decedents' PHI
- The Genetic Information Nondiscrimination Act of 2008 ("GINA")
- Revisions to the HIPAA enforcement standards

The new regulations are effective on March 26, 2013. The revisions to the enforcement rule generally are in force as of that date. But covered entities and business associates will have until September 23, 2013 to comply with the main body of new requirements.

This memorandum is provided for informational purposes only and is not legal advice to AzHHA members or anyone else. AzHHA members should confer with their attorneys for legal advice related to the matters discussed herein.

Coppersmith Schermer & Brockelman PLC
February 22, 2013

[1] 78 Fed. Reg. 5566 (Jan. 25, 2013).

THE NEW HIPAA RULES: A DETAILED LOOK

I. Changes to the HIPAA Privacy Rule

A. Business Associates ("BAs")[2]

1. Requirements for BAs

Before the HITECH Act, the HIPAA Rules did not apply to BAs directly. A BA's only legal obligation was to follow the business associate agreements ("BAAs") they had in place with covered entities ("CEs"). A BA could be found liable to a CE for breaching the BAA, but that was the worst case scenario; BAs were not subject to direct regulation by the OCR or any other governmental agency. The HITECH Act changed the playing field for BAs by requiring them to comply with certain provisions of the Privacy and Security Rules, and creating direct liability for noncompliance.[3]

To implement the newly created privacy obligations of the HITECH Act, the final rule adds a provision stating that "[w]here provided, the standards, requirements, and implementation specifications adopted under [the Privacy Rule] apply to a business associate with respect to the [PHI] of a covered entity."[4] This means that the Privacy Rule provisions apply directly to BAs, though only where expressly provided in the rule.[5]

The final rule also sets forth the general compliance requirements for BAs. The rule states that a BA may use or disclose PHI only as permitted or required by its BAA or as required by law, and that the BA may not use or disclose PHI in a manner that would violate the requirements of the Privacy Rule if done by the covered entity, other than in limited circumstances.[6] The rule also requires a BA to provide PHI to the OCR to investigate the BA's HIPAA compliance, and to provide PHI to the CE or the individual as necessary to satisfy the CE's obligations to provide information upon request to an individual (including in electronic format).[7] The rule also applies the "minimum necessary" rule directly to BAs.[8]

The regulations continue to place the burden to obtain a BAA on the CE.[9] However, a BA now has an affirmative obligation under the Privacy Rule to obtain a BAA with its downstream subcontractors. This subcontractor BAA must comply with the same regulatory requirements as the primary BAA.[10] The Preamble also explains that a person or entity that meets the definition of "business associate" under the regulations would be required to follow the regulations, whether or not there is a BAA in place.[11]

2. Changes to the Definition of Business Associate

The final rule revises the definition of "business associate" to make clear that certain types of entities will be considered BAs. Two items are particularly noteworthy.

A. Data Storage Providers are BAs

The revised rule provides that a Health Information Organization ("HIO"), e-prescribing gateway, or other entity that provides data transmission services to CEs is considered a BA if it transmits PHI to a CE and requires access to that PHI on a routine basis.[12] The Preamble to the final rule explains that an entity does not have access on a routine basis if it is a mere conduit of information and accesses the information only on a random or infrequent basis, such as an internet service provider. However, the OCR has clarified that the conduit exception does not apply to an entity that stores data. As a result, a data storage provider would be a BA by definition, regardless of whether the data storage provider actually ever accesses the information. To make this point clearer, the OCR changed the definition of "business associate" to include a person who "maintains" information on behalf of a covered entity. This change likely will mean that many more entities will be considered BAs, such as those that operate server farms to store electronic PHI for CEs "in the cloud," even if the company does not actually access the PHI (or even if the PHI has been encrypted and is not accessible at all).[13]

B. BA Subcontractors are Themselves BAs

The revised rule provides that a subcontractor of a BA which creates, receives, maintains, or transmits PHI on behalf of the BA is itself a BA.[14] A subcontractor is a person to whom a BA delegates a function, activity, or service that the BA has agreed to perform for a CE.[15] This change establishes the OCR's ability to enforce the BA requirements downstream directly against the BA's subcontractors, and it applies even if the BA did not enter into a BAA with its subcontractor. The Preamble explains that this requirement applies no matter how far down the chain the covered entity's information flows; in other words, there may be several levels of subcontractors to whom the rule will apply.[16] The result is that many businesses in the United States which until now have not been directly affected by HIPAA will now be required to understand it and agree to BAA obligations.

[2] Those of us who have spent time with HIPAA over the years are used to all these acronyms; still, we apologize for them!
[3] See 78 Fed. Reg. at 5597.
[4] See new 45 C.F.R. 164.500(c).
[5] See 78 Fed. Reg. at 5591.
[6] See new 45 C.F.R. 164.502.
[7] See new 45 C.F.R. 164.502(a)(4).
[8] See new 45 C.F.R. 164.502(b)(1); 78 Fed. Reg. at 5599.
[9] See new 45 C.F.R. 164.502(e).
[10] See new 45 C.F.R. 164.502(e); 78 Fed. Reg. at 5599-5601. Note that a CE is not required to have a direct contract in place with the business associate's subcontractors. Id. at 5573.
[11] See 78 Fed. Reg. at 5598.
[12] See new 45 C.F.R. 160.103 (definition of "business associate").
[13] See 78 Fed. Reg. at 5571-72.
[14] See new 45 C.F.R. 160.103 (definition of "business associate").
[15] See new 45 C.F.R. 160.103 (definition of "subcontractor"); 78 Fed. Reg. at 5573.
[16] 78 Fed. Reg. at 5574.

3. Required Revisions for Business Associate Agreements

The final rule requires revisions to existing BAAs, including the addition of new terms and provisions:

- BAs must now explicitly agree to comply, where applicable, with the HIPAA Security Rule with regard to electronic PHI.
- BAs must agree to report breaches of unsecured PHI to CEs in compliance with 164.410 (in addition to the current requirement to report any use or disclosure of PHI that violates the BAA).
- BAs must ensure that their subcontractors which create or receive PHI on behalf of the business associate comply with the BAA requirements, in accordance with 164.502(e)(1)(ii).
- To the extent a BA is intended to carry out a CE's obligations under the HIPAA Privacy Rule, the BA must comply with the requirements that are applicable to the CE in the performance of those obligations. However, note that this requirement would not apply if the BA does not carry out a covered entity's obligations, such as the obligation to provide access to PHI to individuals.[17]

The OCR set up a transition period that will allow CEs and BAs a substantial time period to get their BAAs into compliance with the new requirements. Specifically:

- CEs and BAs may continue until September 22, 2014 to operate under valid BAAs in place before January 25, 2013.[18]
- However, if such a BAA is renewed or modified after March 26, 2013, the modified or renewed agreement must be amended to comply with the new requirements by September 23, 2013. It is not eligible for the transition period.[19]
- The OCR says that "evergreen" contracts which automatically renew without any change in terms are not renewals or modifications, so these evergreen contracts do not need to be revised until the September 22, 2014 deadline.[20]
- New BAAs must comply with the revised rules by the regular compliance date (September 23, 2013).

Here are some examples of how these transition provisions work:

- A BAA in place on January 25, 2013 would be in compliance until September 22, 2014, as long as that BAA complies with the old HIPAA BAA requirements.
- If the BAA is amended on March 1, 2013, the amended BAA would be in compliance until September 22, 2014, as long as the amended BAA complies with the old HIPAA BAA requirements.
- If the BAA is amended on April 1, 2013, the BAA must be amended to comply with the new HIPAA BAA requirements by September 23, 2013. It is not eligible for the transition period.
- If the term of the BAA expires but the agreement automatically renews for another term without amendment, it must comply with the new HIPAA BAA requirements by September 22, 2014.
- If a brand-new BAA is signed on March 1, 2013, it may follow the old HIPAA BAA requirements until September 23, 2013. However, it must be amended by September 23, 2013 to comply with the new BAA requirements. It is not eligible for the transition period. As a practical matter, covered entities entering into new BAAs will want to apply the amended rules.

These transition provisions only apply to the requirement to amend BAAs. Even if a BAA has not been amended, compliance obligations still kick in. For example, beginning on September 23, 2013, a BA may not use or disclose PHI in a manner that is contrary to the Privacy Rule, even if its BAA has not been amended to include this provision yet.[21]

4. Elimination of the "Rat Rule"

The current HIPAA Privacy Rule provides that a CE is not in compliance if it knew of a pattern of activity or practice of the BA that constitutes a material breach or violation of the BAA, unless the CE takes reasonable steps to cure the breach or end the violation. If such steps are unsuccessful, the covered entity must terminate the contract, and if termination is not feasible, the CE must report the problem to HHS. The final rule removes the requirement that CEs make a report to HHS when termination of a BA contract is not feasible (sometimes called the "rat rule").[22] This is because CEs are required to report BA breaches to HHS under the breach notification regulations, and the BAs are now subject to direct enforcement.[23]

B. Withholding PHI from Health Plans

The HIPAA Privacy Rule currently permits an individual to ask a CE to restrict the usual manner in which the CE makes disclosures of PHI for treatment, payment, and health care operations. However, the CE is not required to agree to the request. To implement a section of the HITECH Act, the final rule requires CEs to agree to requests for restricting information disclosed to health plans if the patient has paid out of pocket for the service.[24] The OCR noted that a CE could not require individuals to choose an all-or-nothing approach to this restriction; the CE must honor the request to withhold information related to the specific treatment for which an individual has paid in full, and may not require the individual to pay out-of-pocket for all care in order to have specific information withheld from a health plan.

The OCR recognized that this new rule would create implementation challenges, and in the Preamble to the final rule, it offers guidance on several operational issues it had raised in its July 2010 notice of proposed rulemaking.[25] Notably, it clarified that health care providers will not be responsible for notifying a patient's subsequent providers of the fact that the patient has requested a restriction.[26]

C. Sale of PHI

1. More Restrictive Rule

The HIPAA Privacy Rule currently permits a CE to receive payment for a disclosure of PHI if the regulations permit that disclosure (such as for the entity's health care operations, permitted research, or other permitted activities). However, to implement a section of the HITECH Act, the final rule creates a broader prohibition on the sale of PHI without patient authorization, subject to certain exceptions. The rule provides that a CE must obtain an authorization for any sale of PHI, and that the authorization must explain that the CE would receive remuneration for the disclosure.[27] It defines "sale of protected health information" as "a disclosure of [PHI] by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the [PHI] in exchange for the [PHI]," unless an exception applies.[28]

2. Exceptions to the New, More Restrictive Rule

The exceptions to the revised rule are as follows:

- Disclosures of PHI for public health purposes under 164.512(b) (the general rule on disclosures to public health authorities and for other public health purposes) or 164.514(e) (disclosures of a Limited Data Set for public health activities).[29]
- Disclosures of PHI for research under 164.512(i) (the general rule on research disclosures) or 164.514(e) (disclosures of a Limited Data Set for research), if the only remuneration received by the CE or BA is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI for such purposes.[30] The OCR clarified that this may include direct and indirect costs, including labor, materials, and supplies for generating, storing, retrieving, and transmitting the PHI and capital and overhead costs, but may not include fees charged to earn a profit from the disclosure of PHI.[31]
- Disclosure of PHI for treatment or payment.[32]
- Disclosure of PHI "for the sale, transfer, merger, or consolidation of all or part of the covered entity and for related due diligence as described in paragraph (6)(iv) of the definition of health care operations and pursuant to 164.506(a)." (This references the underlying standards in 164.506 for when this type of disclosure is permissible.)
- Disclosures "[t]o or by a business associate for activities that the business associate undertakes on behalf of a covered entity, or on behalf of a business associate in the case of a subcontractor, pursuant to 164.502(e) and 164.504(e), and the only remuneration provided is by the covered entity to the business associate, or by the business associate to the subcontractor, if applicable, for the performance of such activities."[33]
- Disclosures to an individual for access or accounting (when requested under 164.524 or 164.528).[34] Any fee must be a reasonable cost-based fee, as required in the underlying rules on individual rights.[35]
- Disclosures required by law.[36]
- Disclosures for any other purpose permitted by the Privacy Rule, if the only remuneration received is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI, or is a fee otherwise expressly permitted by other law.[37]

3. Non-Financial Remuneration

The proposed rule had created some confusion about whether non-financial remuneration would be considered "remuneration" under the rule. The Preamble to the final rule clarifies that it is. Thus, a CE or BA may not disclose PHI in exchange for either financial benefits or in-kind benefits (such as, for example, computer equipment).[38]

[17] See new 45 C.F.R. 164.504(e).
[18] See new 45 C.F.R. 164.532(e).
[19] See new 45 C.F.R. 164.532(e).
[20] See 78 Fed. Reg. at 5603.
[21] See 78 Fed. Reg. at 5603.
[22] See new 45 C.F.R. 164.504(e)(1)(ii).
[23] See 78 Fed. Reg. at 5600-01.
[24] See new 45 C.F.R. 164.522 ("A covered entity must agree to the request of an individual to restrict disclosure of [PHI] about the individual to a health plan if: (A) The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and (B) The protected health information pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the covered entity in full.").
[25] See 78 Fed. Reg. at 5626-30.
[26] See 78 Fed. Reg. at 5629.
[27] See new 45 C.F.R. 164.508(a)(4); see also new 45 C.F.R. 164.502(a)(5)(ii)(A) ("Except pursuant to and in compliance with 164.508(a)(4), a covered entity or business associate may not sell protected health information.").
[28] See new 45 C.F.R. 164.502(a)(5)(ii)(B).
[29] See new 45 C.F.R. 164.502(a)(5)(ii)(B)(2).
[30] See new 45 C.F.R. 164.502(a)(5)(ii)(B)(2).
[31] 78 Fed. Reg. at 5607.
[32] See new 45 C.F.R. 164.502(a)(5)(ii)(B)(2).
[33] See new 45 C.F.R. 164.502(a)(5)(ii)(B)(2).
[34] See new 45 C.F.R. 164.502(a)(5)(ii)(B)(2).
[35] See 78 Fed. Reg. at 5605.
[36] See new 45 C.F.R. 164.502(a)(5)(ii)(B)(2).
[37] See new 45 C.F.R. 164.502(a)(5)(ii)(B)(2).
[38] See 78 Fed. Reg. at 5607.

4. Circumstances Not Constituting a Sale of PHI

The Preamble clarifies that certain types of situations would not constitute a sale of PHI, because a sale of PHI occurs only when the CE is being compensated primarily to supply data. Thus, the Preamble clarifies that, for example, payments a CE may receive from a research sponsor to conduct a research study are not considered a sale of PHI, because providing PHI to the payer is just a byproduct of the service that is being provided. In other words, those types of payments are payments for the services provided by the CE, not for the PHI, even though PHI might need to be disclosed to the payer as part of that service.[39] Similarly, the OCR clarified that the exchange of PHI through a health information exchange is not the sale of PHI, even if the HIE participants pay fees, because the payment in that case would be for the services provided by the HIE, not for the data itself.[40]

D. Individuals' Access to Their PHI

The HIPAA Privacy Rule currently requires CEs to allow individuals to access their PHI kept in a designated record set, with some exceptions, in the form or format requested by the individual, if it is readily producible in such form or format; or, if not, in a readable hard copy form or such other form or format as agreed to by the CE and the individual. To implement a provision of the HITECH Act, the final rule amends this provision to require that, if PHI is maintained electronically in one or more designated record sets, the covered entity must provide the individual with access in the electronic form and format requested by the individual if it is readily producible in that form or format; if not, the covered entity must provide the information in a readable electronic form and format as agreed between the covered entity and individual.[41]

The final rule also permits a covered entity to charge an individual for the costs of labor in producing a paper or electronic copy, as well as supplies for the electronic media if the individual wants the electronic copy provided on portable media (such as a flash drive or CD).[42] Additionally, the final rule requires the CE to provide PHI to another person designated by the individual (whether the PHI is in electronic or paper form), if the request is in writing, is signed by the individual, and clearly identifies the recipient and where to send a copy of the PHI.[43] An electronic signature would qualify, as long as such signature is valid under applicable law, and the entity has procedures to verify the identity of the individual.[44]

CEs currently have 30 days to act on a request for access, or 60 days if the PHI requested is not maintained or accessible to the covered entity on-site. The final rule removes the provision that permits 60 days for action if the PHI is not accessible on-site. The rule continues to permit one 30-day extension.[45]

[39] See 78 Fed. Reg. at 5606.
[40] See 78 Fed. Reg. at 5606.
[41] See new 45 C.F.R. 164.524(c)(2)(ii).
[42] See new 45 C.F.R. 164.524(c)(4); 78 Fed. Reg. at 5636.
[43] See new 45 C.F.R. 164.524(c)(3)(ii).
[44] See 78 Fed. Reg. at 5634.
[45] See new 45 C.F.R. 164.524(b).

E. Marketing

The current HIPAA Privacy Rule requires an individual's authorization to use PHI for marketing for most purposes. "Marketing" is defined as a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, but the current rule broadly exempts the following types of communications from the definition of "marketing":

- Communications to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication;
- Communications for treatment of the individual; or
- Communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.

The rule also exempts face-to-face communications to an individual about products or services, and promotional gifts of a nominal value from the CE, from the requirement to obtain authorization for the release of PHI.

The final rule amends the marketing rule in a few ways. Importantly:

- An authorization will now be required for most communications regarding treatment or health care operations if the CE receives financial remuneration from a third party vendor for making the communication.[46] The Preamble explains that the financial remuneration must be in exchange for making the communication for the marketing rule to apply, and the communication must encourage individuals to purchase or use the third party's product or service. So, for example, if a third party provides financial remuneration to a CE to implement a disease management program, the CE could use patient PHI to send information about the program as long as it is the covered entity's program, not the third party vendor's.[47]
- Marketing, however, does not include providing refill reminders or otherwise communicating about a drug or biologic that is currently being prescribed for a person, as long as any financial remuneration received by the CE in exchange for making the communication is reasonably related to the CE's cost of making the communication.[48] The Preamble suggests that the OCR considers communications about generic drug equivalents or adherence communications encouraging people to take their prescribed medication to fall within this exception and not be considered marketing, even if the CE is paid for the cost of the communication.[49]

[46] See new 45 C.F.R. 164.501 (definition of "marketing" at (2)(ii)).
[47] See 78 Fed. Reg. at 5596.
[48] See new 45 C.F.R. 164.501 (definition of "marketing" at (2)(i)).
[49] See 78 Fed. Reg. at 5596.

The marketing rule continues to exempt face-to-face communications about products or services, and promotional gifts of nominal value, from the requirement to obtain an authorization.[50] The rule also retains the requirement that for any marketing communication that involves financial remuneration, the authorization must state that such remuneration is involved.[51]

F. Fundraising

The HIPAA Privacy Rule currently permits CEs to use limited types of PHI about individuals, namely demographic information and dates of service, for fundraising purposes. If a CE does use PHI for fundraising, it must inform patients in its Notice of Privacy Practices, must include in all fundraising materials a description of how the individual may opt out of receiving further fundraising communications, and must make reasonable efforts to ensure that individuals who opt out are not sent such communications.

The final rule expands the types of information a CE may use to target fundraising communications to particular individuals. In addition to demographic information and dates of service, CEs may now also use department of service information, treating physician, outcome information, and health insurance status.[52] This increased flexibility should be helpful to CEs, as they will now be able to target fundraising communications more precisely.

The final rule also contains some new requirements, including:

- CEs must include in each fundraising communication a clear and conspicuous notice allowing individuals to elect not to receive any further fundraising communications. The method for opting out may not impose an undue burden on the individual or more than a nominal cost.[53] The OCR considers requiring a written letter to be an undue burden and instead encourages CEs to establish toll-free numbers, email addresses, or other simple, quick, and inexpensive ways to opt out.[54]
- CEs may not condition treatment or payment on receiving fundraising communications.[55]
- CEs are prohibited from sending fundraising communications to individuals who have opted out.[56] This strengthens the existing requirement that covered entities

[50] See 45 C.F.R. 164.508(a)(3)(i).
[51] See new 45 C.F.R. 164.508(a)(3)(ii).
[52] See new 45 C.F.R. 164.514(f)(1).
[53] See new 45 C.F.R. 164.514(f)(2).
[54] See Fed. Reg. at 5621.
[55] See new 45 C.F.R. 164.514(f)(2).
[56] See new 45 C.F.R. 164.514(f)(2).

make reasonable efforts to ensure that fundraising communications are not sent after an opt-out. CEs are allowed to provide an individual with a method to opt back in, such as including, as part of a newsletter sent to all patients, a phone number individuals can call to be put on a fundraising list.[57]
- A CE's Notice of Privacy Practices must tell individuals that they have a right to opt out of fundraising communications.[58]

G. Required Updates to the Notice of Privacy Practices ("NPPs")

The final rule requires CEs to update their NPPs in a variety of ways:

- The NPP must describe the uses and disclosures of PHI that require an authorization under 164.508(a)(2)-(a)(4). Under the current rule, the NPP only has to say that disclosures not described in the NPP will be made only with the individual's written authorization, and that the individual may revoke such authorization.
- The NPP must tell the individual if the CE may contact the individual to raise funds for the CE, and that the individual has a right to opt out of receiving such communications. Under the current rule, the NPP does not need to tell the individual about the right to opt out.
- The NPP must inform individuals of the right to request restrictions on certain uses and disclosures of PHI as provided by 164.522(a), including a statement that the CE is not required to agree to a requested restriction, except in the case of a disclosure restricted under 164.522(a)(1)(vi) (the new right to request that PHI be withheld from a health plan).
- The NPP must inform individuals of the right of affected individuals to be notified following a breach of unsecured PHI.[59]

The Preamble makes very clear that CEs will need to revise their current notices to comply with these changes.[60] The final rule did not modify the current requirements for distributing revisions to the NPP, so CEs that have direct treatment relationships with individuals must make the revised NPP available upon request on or after the effective date of the revision and, if the CE maintains a physical location, must have the notice available at the site for individuals to request a copy and must post the notice in a clear and prominent location.[61] Providers will not be required to print and hand out a revised NPP to their existing patients.[62] We do note,

[57] See new 45 C.F.R. 164.514(f)(2); 78 Fed. Reg. at 5621.
[58] See new 45 C.F.R. 164.520(b)(1)(iii)(A).
[59] See new 45 C.F.R. 164.520.
[60] See 78 Fed. Reg. at 5625; 45 C.F.R. 164.520(b)(3).
[61] See 45 C.F.R. 164.520(c)(2); 78 Fed. Reg. at 5625.
[62] See 78 Fed. Reg. at 5625.

however, that the final rule makes some changes to the requirements for health plans to distribute revised NPPs.[63]

H. Authorizations for Research

The final rule fixes two problems that currently exist for research involving the storage of PHI (such as in biospecimen or data repositories). First, if a research participant is participating in both a clinical trial and a research repository, under the existing rule the HIPAA authorizations for those activities must be separate.[64] This is because the HIPAA Privacy Rule permits a HIPAA covered entity to require an individual to sign a HIPAA authorization as a condition of receiving treatment in a clinical trial,[65] but a covered entity may not condition treatment received in a clinical trial on signing a HIPAA authorization to include PHI in a research repository if that PHI will be used for purposes other than the specific clinical trial.[66] Having to separate these HIPAA authorizations often causes confusion among research participants (and researchers, and perhaps even the readers of this memo).

The final rule fixes this duplicative-authorization problem by permitting a CE to combine conditioned and unconditioned authorizations for research, as long as the authorization clearly differentiates between the conditioned and unconditioned research components.[67] This new requirement could be implemented in a variety of ways, including by using a separate check box for the unconditioned research (e.g., the repository) or by using different signature lines for the two research components.[68]

The second HIPAA authorization problem for research repositories under the current rule is the OCR's interpretation of the rule to require a HIPAA authorization to be specific to each study.[69] This interpretation conflicts with the Common Rule, which permits researchers to seek subjects' informed consent to future research as long as the future research uses are described in sufficient detail to allow informed consent.[70] This has caused a disconnect between the content of the informed consent document and the HIPAA authorization form, again causing confusion in the research industry. In the Preamble to the final rule, the OCR announced that it was modifying its prior interpretation that research authorizations must be study specific. Instead, in order to satisfy the purpose requirement for authorizations, an authorization for uses and disclosures of PHI for future research purposes must adequately describe such purposes, so that it would be

[63] See 78 Fed. Reg. at 5625.
[64] See HHS, Research Repositories, Databases, and the HIPAA Privacy Rule (NIH July 2004), available at http://privacyruleandresearch.nih.gov/pdf/research_repositories_final.pdf, at 6.
[65] See 45 C.F.R. 164.508(b)(4) (permitting a covered entity to condition participation in a clinical trial on signing an authorization to use or disclose the individual's PHI for the clinical trial).
[66] See HHS, Research Repositories, Databases, and the HIPAA Privacy Rule (NIH July 2004). The HIPAA problem arises because the current Privacy Rule prohibits combining separate research activities into a compound authorization where the individual is required to sign the authorization to use the PHI in the clinical trial but cannot be required to sign the authorization to include the subject's PHI in the repository.
[67] See new 45 C.F.R. 164.508(b)(3); 78 Fed. Reg. at 5609-10.
[68] See 78 Fed. Reg. at 5611.
[69] 45 C.F.R. 164.508; 67 Fed. Reg. at 53226 (Aug. 14, 2002).
[70] See 78 Fed. Reg. at 5611-12.

reasonable for the individual to expect that his or her PHI could be used or disclosed for such future research.[71]

I. Decedents' PHI

The current Privacy Rule generally protects the PHI of decedents in much the same manner as that of living individuals (with an exception for research involving the use of decedents' information). However, the final rule time-limits 45 C.F.R. 164.502(f) so that the Privacy Rule will apply for only 50 years following the date of death. In addition, the final rule permits CEs to disclose a decedent's PHI to family members and others who were involved in the care or payment for care prior to death, to the extent the PHI is relevant to the person's involvement in the care, unless disclosure would be inconsistent with an expressed preference of the decedent.[72] This is a permitted (not required) disclosure, and it does not change the authority of the decedent's personal representative to act on behalf of the decedent with regard to PHI.[73]

J. The Genetic Information Nondiscrimination Act of 2008 (GINA)

The final rule amends the HIPAA Privacy Rule to implement certain requirements of the Genetic Information Nondiscrimination Act of 2008 (GINA). GINA prohibits discrimination in health coverage decisions and employment based on an individual's genetic information and creates new privacy protections for genetic information. Most of the amendments affect health plans more than other CEs.[74] However, with regard to health care providers, the final rule amends the definition of "health information" to clarify that it includes genetic information, and adds new definitions of "genetic information" and several related terms, such as "genetic test" and "genetic services".[75]

K. Accounting of Disclosures: No New News

The OCR had published a proposed rule on May 31, 2011 that proposed amendments to the accounting of disclosures provision in the Privacy Rule. The OCR did not address the accounting requirements in the final rule, so we still await the final accounting regulations.

II. Changes to the HIPAA Security Rule

The final rule explicitly requires BAs to comply with the entire HIPAA Security Rule.[76] The rule also adds new BAA requirements to the Security Rule, including the following:

[71] See 78 Fed. Reg. at 5612.
[72] See new 45 C.F.R. 164.510(b).
[73] See 78 Fed. Reg. at 5615.
[74] See 78 Fed. Reg. at 5658-69.
[75] See new 45 C.F.R. 160.103; 78 Fed. Reg. at 5661-64.
[76] See new 45 C.F.R. 164.302 ("A covered entity or business associate must comply with the applicable standards, implementation specifications, and requirements of this subpart [Subpart C, the Security Rule] with respect to electronic protected health information of a covered entity."). The OCR added business associates to each section of the Security Rule (see 78 Fed. Reg. at 5693-95).

- BAs must agree to comply with the applicable requirements of the Security Rule;
- BAs must ensure that their subcontractors that create or receive electronic PHI on behalf of the BA agree to comply with the Security Rule by entering into a contract that complies with this section; and
- BAs must report breaches of unsecured PHI to CEs in compliance with 164.410 (in addition to the current requirement to report security incidents).[77]

III. Changes to the HIPAA Enforcement Rule

A. Interim Final Rule

The HITECH Act contained numerous provisions regarding enforcement of the HIPAA Rules. On October 30, 2009, the OCR issued an interim final enforcement rule to implement these provisions.[78] Most significantly, the interim final rule implemented the new tiered penalty structure included in the HITECH Act, which reflects the level of culpability of the covered entity. As the OCR explained:

    The [interim final rule] revised 160.404 to provide, for violations occurring on or after February 18, 2009, the new HITECH penalty scheme, as follows: (1) For violations in which it is established that the covered entity did not know and, by exercising reasonable diligence, would not have known that the covered entity violated a provision, an amount not less than $100 or more than $50,000 for each violation; (2) for a violation in which it is established that the violation was due to reasonable cause and not to willful neglect, an amount not less than $1,000 or more than $50,000 for each violation; (3) for a violation in which it is established that the violation was due to willful neglect and was timely corrected, an amount not less than $10,000 or more than $50,000 for each violation; and (4) for a violation in which it is established that the violation was due to willful neglect and was not timely corrected, an amount not less than $50,000 for each violation; except that a penalty for violations of the same requirement or prohibition under any of these categories may not exceed $1,500,000 in a calendar year.[79]

In the Preamble to the interim final rule, the OCR included the following table illustrating the categories of violations and the respective penalty amounts:[80]

[77] See new 45 C.F.R. 164.314(a).
[78] See 74 Fed. Reg. 56123.
[79] 78 Fed. Reg. at 5582-83 (describing interim final rule).
[80] See 78 Fed. Reg. at 5582-83 (describing interim final rule).

Violation category (Section 1176(a)(1))      Each violation       All such violations of an identical provision in a calendar year
(A) Did Not Know                              $100-$50,000         $1,500,000
(B) Reasonable Cause                          $1,000-$50,000       $1,500,000
(C)(i) Willful Neglect, Corrected             $10,000-$50,000      $1,500,000
(C)(ii) Willful Neglect, Not Corrected        $50,000              $1,500,000

The interim final rule also made other changes, including revising 45 C.F.R. 160.410 to remove a CE's lack of knowledge as an affirmative defense, and to provide an affirmative defense when any violation not due to willful neglect is corrected within 30 days.[81]

B. Final Rule

The omnibus final rule makes several amendments to the interim final enforcement rule, including the following:

- Penalties Mandatory Under Some Circumstances: The HITECH Act requires the OCR to impose a penalty for violations due to willful neglect. The OCR thus amended 160.304, the provision stating that the OCR will seek cooperation in achieving compliance, to add the qualifier "consistent with the provisions of this subpart." In other words, where there has been willful neglect, the OCR will not have the authority to resolve a violation solely through voluntary compliance.[82]
- Investigations Mandatory Under Some Circumstances: The OCR now must investigate a complaint if a preliminary investigation of the facts indicates a possible violation due to willful neglect.[83] The OCR also must conduct a compliance review to determine whether a CE or BA is complying with the applicable administrative simplification provisions when a preliminary review of the facts indicates a possible violation due to willful neglect (whether or not initiated by a complaint).[84]
- No More Requirement to Seek Informal Resolution: The OCR may now proceed directly to issuing a notice of proposed determination without being required to attempt to resolve a matter informally first.[85]
- Liability Exception Deleted: 45 C.F.R. 160.402 currently contains an exception to a CE's liability for its BAs' actions, where the relevant BAA requirements are met and the covered entity did not know of a pattern or practice of the BA that was in

[81] See 74 Fed. Reg. at 56128.
[82] See new 45 C.F.R. 160.304.
[83] See new 45 C.F.R. 160.306.
[84] See new 45 C.F.R. 160.308.
[85] See new 45 C.F.R. 160.312.

violation of the agreement and failed to act as required by the rules (i.e., if the CE knew of a pattern or practice, it must have attempted to cure the violation or terminated the contract).[86] The OCR amended this provision to remove this exception and instead provide that a CE is liable for a violation of any BA that is an agent under the federal common law of agency and was acting within the scope of the agency, regardless of whether the covered entity had a compliant BAA in place.[87] This does not mean that CEs are always liable for BA violations; if a BA is not an agent under federal common law, the CE will not be liable for its actions.
- BA Subcontractor Liability Added: The OCR amended 160.402 to include a parallel provision for BAs, stating that a BA is liable, "in accordance with the Federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the business associate, including a workforce member or subcontractor, acting within the scope of the agency."[88] In other words, BAs can be held liable for the acts of their subcontractors if those subcontractors are agents of the BA.
- Penalty Factors Expanded: The OCR amended 160.408, which sets forth the factors considered in setting the amount of a civil money penalty, to set out the following general factors: the nature and extent of the violation (including the time period during which the violation occurred and the number of individuals affected), the nature and extent of the harm resulting from the violation (including reputational harm), the history of prior indications of noncompliance, and the financial condition of the CE or BA.[89] Some of these factors are present in the current enforcement rule, but the OCR reorganized the rule and added some general and specific factors to consider.[90]
- OCR May Release PHI to Other Agencies for Further Enforcement: The OCR may now disclose PHI it receives during an investigation, in compliance with the federal Privacy Act.[91] This would permit the OCR to release PHI to State Attorneys General, the Federal Trade Commission, or other federal or state agencies pursuing remedies on behalf of the individuals.[92]

IV. Changes to the HIPAA Breach Notification Rule

The final rule makes two significant changes to the HIPAA Breach Notification Rule. For background, the HITECH Act created a new federal breach reporting requirement for HIPAA CEs and their BAs, which generally required CEs to notify individuals and HHS (and

[86] 45 C.F.R. 160.402(c).
[87] See 78 Fed. Reg. at 5580-81; new 45 C.F.R. 160.402(c).
[88] See new 45 C.F.R. 160.402(c).
[89] See new 45 C.F.R. 160.408.
[90] See 78 Fed. Reg. at 5584-85.
[91] See new 45 C.F.R. 160.310.
[92] See Fed. Reg. at 5579.

sometimes the media) of breaches of individuals' PHI under certain circumstances. In 2009, the OCR published an interim final rule to implement the Act's requirements. The omnibus final rule amends the Breach Notification Rule in two significant ways.

First, the rule changes the standard for determining whether an impermissible use or disclosure of PHI is a breach for purposes of notification. Under the current rule, there is a breach of PHI only if an impermissible use or disclosure poses a significant risk of financial, reputational, or other harm to the individual.[93] In contrast, the final rule does not focus on harm to the individual; instead, it states that an impermissible use or disclosure is not considered a breach only if a covered entity or business associate can demonstrate that there is a low probability that the PHI has been compromised, following a risk assessment using at least the four factors listed in the rule: (i) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (ii) the unauthorized person who used the PHI or to whom the PHI was disclosed; (iii) whether the PHI was actually acquired or viewed; and (iv) the extent to which the risk to the PHI has been mitigated.[94] The OCR explains in the Preamble that it removed the harm-to-the-individual standard because it agreed with commenters who thought that standard was too subjective, and that it modified the risk assessment to focus more objectively on the risk that the PHI has been compromised. As a practical matter, however, the four factors in the rule seem to continue to focus on the threat of harm to individuals. Thus, the changes in the final rule may do little to help covered entities and business associates clarify the question of when a breach has occurred.

Second, the final rule also creates a presumption that an impermissible use or disclosure of PHI is a breach unless the CE or BA can demonstrate that there is a low probability that the PHI has been compromised (or one of the limited exceptions applies).[95] Thus, the default rule will be that a covered entity will have to make a breach notification in most instances. The OCR explained in the Preamble that it added the express statement of this presumption to the rule in response to comments stating that the default operation of the rule had been unclear before.[96] In light of this change, CEs and BAs might decide to err on the side of caution when deciding whether to report a breach. In fact, the OCR made clear that a CE or BA is permitted to choose simply to provide notification instead of performing a risk assessment.[97]

[93] See current 45 C.F.R. 164.402 (definition of "breach" at (1)(i)).
[94] See new 45 C.F.R. 164.402 (definition of "breach" at (2)).
[95] See new 45 C.F.R. 164.402 (definition of "breach" at (2)).
[96] 78 Fed. Reg. at 5641.
[97] See 78 Fed. Reg. at 5643.
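As an added illustration (not from this memo or from the OCR), the breach-determination logic just described, encoded in Python: the presumption means that any factor left unassessed or undocumented defaults to notification, in contrast with the superseded harm standard. Whether the PHI was unsecured and whether one of the rule's limited exceptions applies are assumed to be decided elsewhere and passed in as flags, and all field names and sample incidents are constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Finding(Enum):
    """Outcome of assessing one of the four risk factors in new 45 C.F.R. 164.402."""
    LOW = "low"          # assessed, and supports a low probability of compromise
    HIGH = "high"        # assessed, and does not support a low probability
    UNKNOWN = "unknown"  # not assessed, or evidence unavailable


@dataclass
class RiskAssessment:
    """The four factors the rule requires at a minimum; field names are this example's."""
    nature_and_extent: Finding   # (i) identifiers involved, likelihood of re-identification
    recipient: Finding           # (ii) the unauthorized person who used or received the PHI
    acquired_or_viewed: Finding  # (iii) whether the PHI was actually acquired or viewed
    mitigation: Finding          # (iv) extent to which the risk has been mitigated
    rationale: str = ""          # written basis: what the CE/BA can "demonstrate"


@dataclass
class Incident:
    """Constructed incident record (hypothetical fields, not the rule's terms)."""
    incident_id: str
    impermissible_use_or_disclosure: bool
    phi_unsecured: bool = True        # assumed decided elsewhere; the rule covers unsecured PHI
    exception_applies: bool = False   # one of the rule's limited exceptions, decided elsewhere
    notify_without_assessment: bool = False  # option the OCR expressly permits
    assessment: Optional[RiskAssessment] = None


def low_probability_demonstrated(a: RiskAssessment) -> bool:
    """Every factor must be assessed AND favour low probability, with a documented rationale."""
    factors = (a.nature_and_extent, a.recipient, a.acquired_or_viewed, a.mitigation)
    return all(f is Finding.LOW for f in factors) and bool(a.rationale.strip())


def notification_required(inc: Incident) -> Tuple[bool, str]:
    """Final-rule logic: presume breach unless a low probability of compromise is shown."""
    if not inc.impermissible_use_or_disclosure:
        return False, "no impermissible use or disclosure; rule not triggered"
    if not inc.phi_unsecured:
        return False, "PHI was secured; breach notification rule does not apply"
    if inc.exception_applies:
        return False, "a listed exception applies"
    if inc.notify_without_assessment:
        return True, "entity elected to notify without performing a risk assessment"
    if inc.assessment is None:
        return True, "presumed breach: no risk assessment performed"
    if low_probability_demonstrated(inc.assessment):
        return False, "low probability of compromise demonstrated on all four factors"
    return True, "presumed breach: assessment does not demonstrate low probability"


def breach_under_interim_rule(significant_risk_of_harm: Optional[bool]) -> bool:
    """Superseded standard, for contrast: a breach only if significant harm risk was shown."""
    return significant_risk_of_harm is True


# Constructed samples: a misdirected fax confirmed unread, and one never followed up.
RECOVERED = Incident("INC-1", True, assessment=RiskAssessment(
    Finding.LOW, Finding.LOW, Finding.LOW, Finding.LOW,
    rationale="sent to another provider's fax; confirmed unopened and destroyed"))
UNINVESTIGATED = Incident("INC-2", True, assessment=RiskAssessment(
    Finding.LOW, Finding.LOW, Finding.UNKNOWN, Finding.UNKNOWN))
```

Note that `UNINVESTIGATED` would not have been a breach under the old standard (no harm shown) but is a presumed breach under the final rule, because two factors were never assessed.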

V. Conclusion

The final rule makes major changes to the HIPAA rules for covered entities and their business associates. Hospitals will need to devote substantial time to renewing their HIPAA compliance efforts, including revising their policies and practices, business associate agreements (BAAs), and Notices of Privacy Practices.