On July 14, 2010, the Office of Civil Rights of the Department of Health and Human Services (HHS) issued proposed regulations containing modifications and clarifications to the privacy standards, security standards, and enforcement regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The following is a brief overview of certain items addressed in the proposed regulations:

  • Expanded Definition of Business Associate. The definition of who will be categorized as a business associate has been expanded. Business associates now include health information exchange organizations, e-prescribing gateways, regional health information organizations, and vendors that offer a personal health record to patients on behalf of a covered entity. Thus, the above entities that access protected health information on a routine basis are directly required to comply with the requirements of HIPAA. The proposed rule does clarify that entities which act as mere conduits for the transport of protected health information, but do not access such information other than on a random or infrequent basis, are not business associates.
  • Expanded Definition of Subcontractor. The definition of who will be categorized as a subcontractor has been expanded to include “any person who acts on behalf of a business associate, other than in the capacity of a member of the workforce of such business associate.” Thus, business associates must enter into business associate agreements with subcontractors who will have access to the covered entity’s protected health information. Subcontractors must comply fully with both the Privacy and Security Rules under HIPAA, including breach notification provisions.
  • Research and Compound Authorizations. Currently, HIPAA permits a covered entity to combine an authorization for the use or disclosure of protected health information for a research study with any other type of written permission for the same research study. Covered entities are not permitted to combine an authorization for a research study with another authorization when one authorization involves treatment or payment upon execution and the other does not, unless certain requirements are met. The proposed regulations expand the methods that may be used to meet such requirements and ask for comments on additional methods that would clearly differentiate the conditioned and unconditioned research activities on the compound authorization.

Minimum Necessary Standard. HIPAA requires that covered entities and business associates limit their use and disclosure of, and requests for, protected health information to “the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.” Until the final rule is issued, the HITECH Act specifies that a covered entity will be in compliance with the minimum necessary standard if its use and disclosure of protected health information is limited to: (i) the limited data set; or (ii) if the limited data set does not meet the needs of the use, disclosure or request, to the minimum necessary in accordance with the entity’s polices and procedures. HHS seeks comment on what aspects of the minimum necessary standard covered entities and business associates believe would be most helpful to have and the types of questions entities may have about how to appropriately determine the minimum necessary for purposes of complying with the Privacy Rule.

HHS has solicited and is accepting comments on the proposed regulations through September 13, 2010. The final rule will be issued sometime thereafter. The compliance date for the regulations will be 180 days after the date on which the final regulations are issued.

The full text of the proposed regulations can be found here.