On January 17, 2013, the U.S. Department of Health and Human Services ("HHS") issued the highly anticipated omnibus final rule (the "Final Rule") to modify the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") pursuant to the Health Information Technology for Economic and Clinical Health Act ("HITECH"). Following the enactment of HITECH, HHS issued interim final rules to implement the breach notification requirements and certain of the enforcement provisions of HITECH (collectively, the "Interim Rules"), and in July of 2010 HHS issued a proposed rule to implement modifications to the privacy and security provisions of HIPAA. Since that time, Covered Entities and their Business Associates and subcontractors have been awaiting the Final Rule to confirm the extent to which these modifications, which are aimed primarily at strengthening the privacy and security protections for protected health information ("PHI") and tightening the HIPAA enforcement provisions, will impact their operations, contractual relationships and potential exposure for HIPAA liability.
When does the Final Rule take effect?
Covered Entities and Business Associates have 180 days from the effective date of the Final Rule, or until September 23, 2013, to come into compliance with most of the Final Rule’s provisions. HHS specifies that Covered Entities and Business Associates must continue to comply with the breach notification provisions of the Interim Rule published on August 24, 2009, and as of September 23, 2013, must comply with the Final Rule. Further, HHS provides an extension of one year beyond the compliance date for Covered Entities and Business Associates to revise their Business Associate Agreements to comply with the Final Rule, provided that such existing agreements are compliant with the HIPAA Rules effective as of January 25, 2013, as discussed below.
What is covered in the Final Rule?
The Final Rule is composed of four parts. Part I finalizes certain modifications to the privacy and security provisions of HIPAA (the "Privacy and Security Rules"), including making Business Associates directly liable for violations of the HIPAA Rules, strengthening individual rights provisions such as allowing patients to receive electronic copies of their health information when requested, and placing additional limits on a Covered Entity’s ability to sell PHI and use or disclose PHI for marketing purposes. Further, it modifies provisions of the HIPAA enforcement rule that were not previously addressed by HHS in the Interim Rule, such as the requirement that HHS conduct a formal investigation if facts indicate a possible violation of HIPAA due to willful neglect. Part II adopts changes to the enforcement provisions of HIPAA that were previously addressed by HHS in the Interim Rule, such as the imposition of a new tiered penalty structure for HIPAA violations. Part III adopts most of the provisions of the Interim Rule regarding breach notification, but notably replaces the "harm" standard with a presumption that a breach has occurred unless the Covered Entity or Business Associate demonstrates a low probability that the PHI has been compromised. Part IV implements changes to the HIPAA Privacy Rule to conform to the Genetic Information Nondiscrimination Act by prohibiting most health plans from using or disclosing genetic information for underwriting purposes. The specific modifications addressed in each part are discussed in more detail below.
Part I: Modifications to the HIPAA Privacy, Security and Enforcement Rules
The Final Rule adopts the provisions that apply certain requirements of the Privacy and Security Rules directly to Business Associates in the same manner as they apply to Covered Entities. Moreover, Business Associates are separately and directly liable for violations of these requirements. HHS amends the definition of a "Business Associate" to include certain specific activities, as well as to include a "subcontractor that creates, receives, maintains or transmits PHI on behalf of a Business Associate." This provision makes subcontractors directly liable for a violation of the privacy and security requirements of HIPAA.
Further, a Business Associate is required to obtain satisfactory assurances (such as through a Business Associate Agreement) from any subcontractors that create, maintain, receive, or transmit PHI on behalf of the Business Associate that the subcontractor will appropriately safeguard the PHI. Each Business Associate is required to obtain such assurances from the subcontractor with whom that Business Associate contracts, and these obligations apply to all downstream arrangements, "no matter how 'down the chain' the information flows." In addition, the Final Rule adopts several changes to the requirements for a compliant Business Associate Agreement. First, Business Associate Agreements must require the Business Associate to report breaches to the Covered Entity. Second, Business Associate Agreements must include a provision requiring the Business Associate, if the Covered Entity has delegated any of its obligations under the Privacy Rule (such as the individual rights provisions) to the Business Associate, to comply with such provisions as they would apply to the Covered Entity. HHS clarifies that if the Covered Entity does not delegate any of its Privacy Rule obligations to the Business Associate, this provision may be omitted. Third, a Business Associate Agreement must provide that the Business Associate will comply, where applicable, with the Security Rule with regard to electronic PHI.
HHS provides a grandfathering provision for certain existing Business Associate Agreements. Under this provision, Covered Entities and Business Associates, as well as Business Associates and their subcontractors, may continue to operate under existing agreements for up to one year beyond the compliance date of the Final Rules, or until September 23, 2014, provided that: (i) the parties entered into a Business Associate Agreement prior to January 25, 2013 that complies with the applicable HIPAA Rules in effect at that time; and (ii) the contract is not renewed or modified between March 26, 2013 and September 23, 2013.
Limitations on Marketing Activities
The Final Rule makes changes to the definition of "marketing" under HIPAA, as well as to the circumstances under which a Covered Entity is required to obtain an individual authorization for the use or disclosure of PHI for marketing purposes. Notably, the Final Rule provides that if the marketing activity involves direct or indirect payment to the Covered Entity from the third party whose product or service is being marketed, an authorization is required, even for certain treatment or health care operations purposes that were previously carved out of the "marketing" definition. The Final Rule also adds a new exception to the definition of marketing for certain refill reminders and other communications about a drug that is currently prescribed for the individual. Further, the Final Rule strengthens ability of individuals to opt out of receiving fundraising communications from Covered Entities.
Sale of PHI
The Final Rule adds a requirement for Covered Entities to obtain an individual authorization for the sale of PHI. HHS clarifies that the sale of PHI excludes certain transactions, such as where a Covered Entity receives grants for certain programs or activities, or receives payment to perform a research study. Also, the payment of fees by a Covered Entity to participate in a Health Information Exchange does not constitute the sale of PHI. Notably, however, the sale of PHI is not limited to instances where the ownership of the data is transferred. For example, a license or access agreement under which a Covered Entity receives remuneration in exchange for disclosing the PHI would constitute the sale of PHI.
Authorizations for Research Activities
Certain modifications in the Final Rule will facilitate the process of obtaining individual authorization for research activities. First, the Final Rule allows a Covered Entity to combine conditioned and unconditioned authorizations for research into a compound authorization, provided that the conditioned and unconditioned research activities are clearly differentiated and the individual may choose to opt in to the unconditioned research activities. Second, while the HIPAA Rules have previously required that authorizations for research be study-specific, the Final Rule permits an individual to authorize the use or disclosure of PHI for future research, provided that the authorization adequately describes the purpose of the use or disclosure of PHI "such that it would be reasonable for the individual to expect that his or her PHI could be used or disclosed for such future research." Third, HHS adopts an exception to the definition of "individually identifiable health information" for information about an individual who has been deceased more than 50 years. Therefore, the privacy and security protections of HIPAA no longer will extend to such information (for research or any other reason).
Public Health Purposes
Consistent with the principle that a Covered Entity may disclose the minimum necessary PHI for certain public health purposes without an individual authorization, the Final Rule permits a Covered Entity to disclose proof of immunization to a school where state or other laws require the school to have such information prior to admitting the student. To fall within this new provision, the Covered Entity must obtain oral or written agreement from the parent or guardian of the child.
Individual Rights and Notices of Privacy Practices
The Final Rule strengthens the individual rights provisions of HIPAA. First, it expands the scope of an individual’s right to access his or her PHI by requiring a Covered Entity to provide an individual an electronic copy of his or her PHI in the electronic form or format requested by the individual if it is readily producible, or, if not, in a readable electronic format as agreed by the individual and the Covered Entity. HHS does not limit this right to PHI that is maintained in an electronic health record. Rather, a Covered Entity must comply with the electronic access requirement with respect to any PHI that is maintained electronically in one or more designated record sets. Further, HHS modifies the timeliness standard to provide that an access request must be granted within 30 days, even when the requested information is not maintained or accessible to the Covered Entity on-site. Previously, a 60-day timeframe was permitted for PHI stored offsite. Second, HHS adopts an exception to the provision that permits a Covered Entity to decline an individual’s request for a restriction on uses and disclosures of his or her PHI. Under the Final Rule, in instances where the individual has paid out of pocket and in full for the services provided, the Covered Entity is required to comply with such requests. HHS notes that providers should employ a method to allow them to identify in the medical record any PHI that has been restricted pursuant to a patient’s request to ensure that such information is not improperly disclosed. Third, the Final Rule mandates changes to both the content and distribution of a Covered Entity’s Notice of Privacy Practices ("NPP"). A Covered Entity must now include certain additional statements in its NPP, such as informing individuals of their right to be notified following a breach involving their PHI. Covered Entities must redistribute their revised NPPs in accordance with the current requirements under HIPAA, except that HHS provides some relief to health plans that currently post their NPPs on their websites. These health plans must meet the redistribution requirement by posting the revised NPP on their websites by the effective date of the revised NPP and must provide the revised NPP in the next annual mailing to individuals covered by such plans. Otherwise, health plans must distribute their revised NPPs to individuals covered by the plan within 60 days of revising their NPPs.
The Final Rule also adopts modifications to the enforcement provisions of HIPAA that were mandated by HITECH. First, HITECH requires HHS to formally investigate a complaint if a preliminary investigation of the facts indicates a possible violation of HIPAA due to willful neglect, whereas currently, HHS has discretion to conduct an investigation in such circumstances. The Final Rule adopts this mandatory investigation standard and further requires HHS to conduct a compliance review when an alleged HIPAA violation is brought to its attention through means other than a formal complaint, such as through a media report or from a state or other federal agency. If a lesser degree of culpability is indicated, HHS has discretion to decide whether to conduct a compliance review.
The current enforcement rule requires HHS to attempt to resolve indicated violations of HIPAA through "informal" means, such as by allowing a provider to demonstrate compliance or implement a corrective action plan. The Final Rule removes this requirement and instead leaves it to HHS' discretion as to whether to attempt to resolve allegations through informal means. Not surprisingly, commenters expressed concern with giving HHS the discretion to proceed directly to formal enforcement without allowing the Covered Entity or Business Associate the opportunity to demonstrate voluntary compliance. However, HHS indicates that adopting this new standard is consistent with the enhanced enforcement provision of HITECH by allowing HHS to "move directly to a civil monetary penalty without exhausting informal resolution efforts at [its] discretion, particularly in cases involving willful neglect violations."
The Final Rule provides that Covered Entities and Business Associates are liable for the acts of their Business Associate agents. Further, the Final Rule sets forth a revised list of factors that HHS must consider in determining the amount of civil monetary penalty for a HIPAA violation, including the requirement to consider the nature and extent of the violation and the nature and extent of harm resulting from the violation. HHS will consider, however, an entity’s financial condition in determining the amount of civil monetary penalty to impose, a factor that includes whether the entity had financial difficulties that affected its ability to comply, as well as whether the imposition of a civil monetary penalty would jeopardize the ability of the entity to continue to provide, or to pay for, health care. Lastly, the Final Rule adopts the provision stating that HHS' authority to impose a civil monetary penalty will be barred only to the extent a criminal penalty has been imposed with respect to a HIPAA violation.
Part II: Additional Changes to the HIPAA Enforcement Rule
On October 30, 2009, HHS issued an Interim Rule to strengthen the enforcement provisions of HIPAA as mandated by HITECH. Prior to HITECH, civil monetary penalties were capped at $100 per violation and $25,000 for all violations of an identical requirement per year. HITECH implemented a "tiered" system of penalties with four categories of violations that reflect increasing levels of culpability. The Final Rule adopts the tiered penalty structure mandated by HITECH, whereby a Covered Entity or Business Associate may be subject to a penalty of up to $1.5 million for all violations of an identical provision of HIPAA in a calendar year. Further, the Final Rule removes the previous affirmative defense to the imposition of penalties under HIPAA if the entity did not know and with the exercise of reasonable diligence would not have known of the violation. Such a violation is now punishable under the lowest tier of penalties. Instead, the Final Rule provides an affirmative defense to the imposition of penalties if the violation is due to willful neglect and is corrected, within a 30-day time period as long as the violation was not due to willful neglect.
Part III: Breach Notification Rule
The Interim Rule that implemented the HITECH breach notification requirements in 2009 set forth a "harm" standard that, if met with respect to a non-permitted access, use or disclosure of PHI, would trigger the reporting obligation. Under this standard, a non-permitted use or disclosure of PHI would only be considered a breach if the use or disclosure posed a "significant risk of financial, reputational, or other harm to the individual." The Final Rule removes the harm standard and shifts the burden of proof to the Covered Entity or Business Associate to demonstrate based on a risk assessment that there is a low probability that the PHI has been compromised. The rule specifies the following factors to be used in making such an assessment, thereby attempting to replace the "subjective" harm threshold with a more objective set of factors: (i) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (ii) the unauthorized person who used the PHI or to whom the disclosure was made; (iii) whether the PHI was actually acquired; and (iv) the extent to which the risk to the PHI has been mitigated.
Further, the Final Rule modifies the requirements for notifying the Secretary of HHS in the event of a breach. HITECH requires a Covered Entity to report to HHS a breach involving fewer than 500 individuals no later than 60 days after the end of the calendar year in which the breach occurred. Recognizing that a Covered Entity might not become aware of a breach until the calendar year following the one in which it occurred, HHS modifies this provision to state that a Covered Entity must notify HHS of a breach involving fewer than 500 individuals no later than 60 days after the end of the calendar year in which the breach was discovered.
The Final Rule retains other elements of the Interim Rule without modification, such as the content requirements for breach notification and the deadline for informing individuals of a breach. Further, it preserves the safe harbor provision for PHI that has been encrypted or otherwise secured in accordance with the Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (74 Fed. Reg. 42740 (August 24, 2009)).
Part IV: Modifications to the HIPAA Privacy Rule Mandated by GINA
On October 7, 2009, HHS published a notice of proposed rulemaking to strengthen the privacy protections for genetic information under the HIPAA Privacy Rule by implementing certain protections required by the Genetic Information Nondiscrimination Act ("GINA"). The Final Rule adopts the provisions of the proposed rule. First, HHS modifies the definition of "health information" to explicitly include genetic information and defines "genetic information" and related terms. Second, the Final Rule prohibits a health plan from using or disclosing PHI that is genetic information for underwriting purposes and further specifies that an individual authorization may not be used to permit a health plan to use or disclose genetic information for underwriting purposes. However, in response to commenters' expressing concern that the prohibition on the use of genetic information for underwriting purposes would have an adverse impact on the viability of the long-term care insurance market, HHS carves out an exception for long-term care insurers from the underwriting prohibition. Health plans that perform underwriting, excluding issuers of long-term care policies must include in their Notice of Privacy Practices a statement that they are prohibited from using or disclosing genetic information for such purposes. The Final Rule also sets forth an exception to the prohibition whereby a health plan is permitted to use or disclose the minimum necessary genetic information about an individual to determine whether the provision of a particular benefit is medically appropriate. Notably, the Final Rule also preserves the ability of a health plan to use or disclose PHI that is not genetic information for purposes of underwriting that fall within the definition of "health care operations" under HIPAA.
What is not covered in the Final Rule?
The Final Rule does not address the methodology for distributing penalties for HIPAA violations to individuals harmed by the violation, nor does it address the accounting of disclosures requirement of the HIPAA Privacy Rule. HHS states that each of these topics will be addressed in a future rulemaking.
What do these changes mean for Covered Entities and Business Associates?
The Final Rule further strengthens the enforcement provisions of HIPAA, foreshadowing the continued development of a more aggressive landscape of HIPAA enforcement. HHS no longer is required to attempt to reach resolution of a HIPAA violation through informal means such as voluntary compliance by the entity alleged to be in violation of the rules. Further, HHS is obligated to conduct a formal investigation of a HIPAA complaint where a preliminary review of the facts indicates a possible violation due to willful neglect, and also must conduct a compliance review to investigate a possible HIPAA violation brought to its attention through less formal means. Covered Entities and Business Associates face harsher penalties under the "tiered" civil monetary penalty scheme. Maintaining a robust HIPAA compliance program can help to lower the risk of government enforcement in the event of a non-permitted use or disclosure of PHI or a related complaint to HHS.
To ensure compliance with the Final Rule, Covered Entities and Business Associates will need to take a number of steps promptly, including the following:
Review and modify existing HIPAA Privacy and Security Policies to comply with the Final Rules, including:
- Revise breach notification policies to address the new “low probability” standard and required risk assessment factors;
- Address the expanded access right to permit individuals to receive an electronic copy of their health information;
- Address the limitations on marketing, fundraising and the sale of PHI;
- For Covered Entities, revise restriction request policies and confirm that requests can be granted and implemented properly for individuals who have paid out of pocket and in full; and
- For health plans, address the limitations on the use of genetic information for underwriting purposes pursuant to GINA.
Business Associates may need to implement new or more detailed policies since they are now directlysubject to the HIPAA privacy and security requirements.
- Re-train relevant workforce members on their revised privacy, security, and breach notification policies. Emphasis should be placed on training workforce members to identify and report breaches of unsecured PHI in a timely manner.
- Revise NPPs to include additional statements specified by the Final Rule and redistribute them consistent with the rule. Health plans have separate requirements for redistribution.
- Confirm that Business Associate Agreements are in place where required (including subcontractor arrangements). Although many Business Associate Agreements should qualify for the one-year grandfathering provision, a number of Covered Entities and Business Associate continue to circulate Business Associate Agreement forms that omit items currently required by the HIPAA Rules, such as the obligation to report Security Incidents. These arrangements will not qualify for the grandfathering provision as they are not compliant with the HIPAA Rules in effect as of January 25, 2013.