It has been almost two and a half years since the Department of Health and Human Services, Office for Civil Rights (“OCR”), published a notice of proposed rulemaking to implement the statutory requirements of the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and amend the HIPAA Privacy and Security Rules, and almost nine months since the final rule was submitted to the Office of Management and Budget (“OMB”) for final regulatory clearance. While industry speculation, fueled by comments made by Leon Rodriguez, the Director of OCR, at the annual Safeguarding Health Information: Building Assurance through HIPAA Security Conference, suggested that an omnibus final rule would be released by the end of summer, OMB had different ideas.
Now, as we approach HITECH’s four-year anniversary in February, the industry is again speculating that the final rule will be released before year end. As the regulation’s title, “Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules,” makes clear, this rule is expected to address the July 2010 proposed rule, the interim final rules (regarding both breach notification and enforcement) and, hopefully, the May 2011 proposed accounting and access report rule. Therefore, regardless of the ultimate release date, it remains important for Covered Entities and Business Associates to prepare for the forthcoming changes.
The following is a brief review of some key considerations in anticipation of the publication of the final HITECH omnibus rule.
Business Associates: Direct Enforcement and Expansion
- What was proposed? Though the specifics remain the purview of the final rule, Business Associates will generally be required to comply directly with the Privacy, Security, and Breach Notification Rules as required by HITECH. The proposed rule also included a significantly expanded definition of “Business Associate,” which would convert the subcontractors of Business Associates into actual Business Associates themselves.
- Why is this important? In addition to the continuing obligation that Business Associates (and now, potentially, their subcontractors) enter into Business Associate Agreements, they will be directly regulated under the Privacy, Security, Breach Notification, and Enforcement Rules. This will require, for example, that Business Associates and their subcontractors comply with the Security Rule’s administrative, physical, and technical safeguards requirements, as well as the Rule’s policies and procedures and documentation requirements. Additionally, Business Associates and their subcontractors would incur statutory liability for noncompliance. Such a change in the framework of HIPAA’s application, in addition to OCR’s more focused approach to enforcement, will have the potential to require Business Associates to spend considerable time and resources on compliance considerations.
- What should you be doing now? Covered Entities should identify their current Business Associates and consider which additional contractors will now require Business Associate Agreements (for example, patient safety organizations and vendors of personal health records who routinely access PHI). Covered Entities and Business Associates should also examine whether their existing relationships with, for example, providers and payors have been mischaracterized, either by treating a party as a Business Associate when it is not one or by failing to treat it as one when it is. Business Associates should take stock of their current subcontractors who handle PHI and engage in discussions regarding compliance with the Privacy and Security Rules. Business Associates should also begin assessing their technological capabilities and, at a minimum, begin developing the policies and procedures needed to ensure compliance. Importantly, the proposed rule provides that OCR will not begin enforcing the modified Privacy and Security Rule requirements set forth in the final rule until 180 days after the effective date of the final rule.
Breach Notification Rule: Will OCR say goodbye to the “risk of harm” threshold?
- What was proposed? At this stage, we have been living with the Breach Notification Rule for more than three years. Although no specific changes have been proposed, HHS has made it clear that a final omnibus HITECH rule will include changes to the current interim final regulation.
- Why is this important? Since the inception of the interim final Breach Notification Rule, there has been speculation that a “final” final regulation may remove the ability of Covered Entities and Business Associates to self-determine whether an “incident” rises to the level of a Breach or is merely an impermissible disclosure under the Privacy Rule. Shortly after the release of the interim final Breach Notification Rule, Congressman Waxman sent a pointed letter to HHS/OCR indicating his belief that HITECH did not give OCR the authority to include a “risk of harm” analysis in the determination of whether a Breach occurred. Add to that the fact that many state-law equivalents of the Breach Notification Rule do not allow the potential risk of harm resulting from a particular incident to affect whether an affected individual must receive notification, and we are left with an overriding industry concern that every impermissible disclosure under the Privacy Rule (harm or not) may soon become more expensive and logistically challenging to address.
- What should you be doing now? Regardless of what a “final” final Breach Notification Rule looks like, it seems unlikely that OCR will remove the “encryption safe harbor.” With this in mind, and to the extent not already underway, Covered Entities and Business Associates should strongly consider encrypting PHI (especially in the context of portable devices).
Creation of a New Individual Right: Access Reports
- What was proposed? In the May 2011 proposed rule, OCR proposed to give individuals the right to know who, during the prior three-year period, has accessed their PHI stored in an electronic designated record set maintained by the Covered Entity. Significantly departing from the type of activity covered by the Privacy Rule’s current accounting provisions, this “access report” must include a listing of access by employees of the Covered Entity and access for treatment, payment, and health care operations.
- Why is this important? The right to receive an “access report” would be a new right under the Privacy Rule. Currently, individuals have a right to access and amend their PHI, as well as to receive an accounting of certain disclosures. While the proposed rule would limit an individual’s right to an access report to only PHI maintained in an electronic designated record set (and for only three years prior to the date of the request), individuals would now have the right to receive a report identifying who has accessed their PHI for treatment, payment, and health care operations.
- What should you be doing now? Covered Entities and Business Associates should be engaging their electronic medical records vendors in an open dialogue regarding the capabilities and limitations of their current software, in particular whether it can log and report individual-level access to PHI for the required period. Additionally, both types of entities should ensure that they appropriately budget for the potentially significant cost of compliance with a final Access Report Rule.
Marketing and the Sale of Protected Health Information
- What was proposed? The proposed rule modified the current definition of “marketing” and narrowed the existing exceptions under the Privacy Rule. In particular, the proposed rule distinguished treatment communications from health care operations communications, and clarified the role that “financial remuneration” would play in determining whether a communication is marketing rather than part of health care operations. Additionally, OCR removed from the current definition of marketing those situations where a Covered Entity discloses PHI to another entity in exchange for remuneration. Instead, OCR characterized this as the “sale of PHI,” which would be specifically prohibited without an Authorization.
- Why is this important? According to OCR, the Privacy Rule’s definition of marketing has not sufficiently addressed concerns about the ability of “a third party to pay a Covered Entity for the Covered Entity to send health-related communications to an individual about the third party’s products or services.” OCR is signaling a stricter approach to marketing communications, which would affect certain remunerated communications previously considered permissible in furtherance of “health care operations.” It also remains unclear whether existing Authorizations (that do not, as would be required under the proposed rule, specifically describe certain payments made for communications) will be deemed compliant after release of the final rule and, if not, what the timeline for compliance will be.
- What should you be doing now? Covered Entities should identify and analyze situations where they communicate with individuals and receive financial remuneration, either directly or indirectly, from a third party for doing so. Additionally, Covered Entities should scrutinize any situation where they receive financial remuneration in return for a third party communicating with an individual. It is these situations that are likely to be targeted by OCR and may no longer be permissible, without valid Authorizations, under a final regulation.
Fundraising Communications
- What was proposed? OCR proposed to require Covered Entities to provide, with each fundraising communication, a clear and conspicuous opportunity for the individual to opt out of future fundraising communications. Additionally, the opt-out may not cause the individual to incur an undue burden or more than a nominal cost. The proposed rule also prohibits Covered Entities from conditioning treatment or payment on an individual’s decision whether to opt out of future fundraising communications.
- Why is this important? For the most part, the proposed fundraising provisions track HITECH’s statutory language and will most likely be finalized in their current form. HITECH strengthened an individual’s right under the Privacy Rule to opt out of fundraising communications by requiring OCR to modify the Privacy Rule so that Covered Entities must treat an opt-out as a revocation of an Authorization. OCR interpreted “shall be treated as a revocation of authorization” as prohibiting the conditioning of treatment or payment on an individual’s decision to allow fundraising communications.
- What should you be doing now? Covered Entities should consider their current fundraising endeavors and the extent to which those endeavors rely upon the use or disclosure of PHI. It may be prudent to identify cost-effective methods for an individual to opt out of fundraising communications, such as using existing toll-free numbers and e-mail.
Although the delay in the release of the highly anticipated HITECH final rule has certainly left Covered Entities and Business Associates patiently living in a state of flux, it has been clear since 2009 that the final regulation will significantly change portions of the Privacy, Security, Breach Notification, and Enforcement Rules. While the specifics remain unclear, the HITECH statutory requirements, including the considerations discussed above, provide a good starting point for meaningful continued preparation.