In the January 25, 2013 Federal Register, the Department of Health and Human Services (DHHS) published the long anticipated Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules (78 Fed. Reg. 5566; the Final Rule). The Final Rule is effective March 26, 2013, but provides for a transition period to September 23, 2013 for affected parties to comply with the changes. The new regulations set forth in the Final Rule implement revisions to both the HIPAA Privacy and Security Rules imposed by Congress pursuant to the Health Information Technology for Economic and Clinical Health Act (the HITECH Act).
The Final Rule comprises the following four final rules:
- Final modifications to the HIPAA Privacy, Security and Enforcement Rules mandated or necessitated by the HITECH Act and certain other modifications to improve the Rules initially described in a proposed rule on July 14, 2010
- Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act
- Final Rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act
- Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA)
Some highlights from the Final Rule are set forth below.
Breach Definition Modified
A significant development and “game changer”, the Final Rule eliminates the so-called “risk of harm” analysis that was adopted by DHHS in the Interim Final Breach Rule. Covered Entities and Business Associates applied this analysis to determine whether a Breach of Unsecured Protected Health Information (Breach) had occurred and thus whether they were required to provide notices to affected individuals, DHHS and, in instances involving 500 or more individuals, the media. The “harm standard” is replaced with a presumption that any impermissible use or disclosure of Protected Health Information (PHI) is a Breach unless the Covered Entity or Business Associate can demonstrate there is a “low probability” that the PHI was “compromised.” The modified risk assessment must consider the following factors:
- The nature and extent of the PHI involved
- Any unauthorized person who used or received the PHI
- Whether the PHI was actually acquired or viewed
- Whether the risk to the PHI has been reduced or resolved
DHHS specifically declined to comment on whether certain inadvertent disclosures, such as sending a fax containing PHI to the wrong fax number or sending a mailing containing PHI to the wrong address, could potentially constitute a Breach. Instead, DHHS stated that a risk assessment is required in each instance where a Covered Entity or Business Associate used or disclosed Unsecured PHI in a manner not permitted under HIPAA, to evaluate whether there is a low probability that such PHI was compromised.
The previously promulgated Breach “safe harbor” based on compliance with certain encryption standards remains intact in the Final Rule.
New Civil Monetary Penalties (CMPs)
The Final Rule also implements new enforcement of the tiered CMP structure established by the HITECH Act. Depending on the degree of knowledge that the Covered Entity or Business Associate had or should have had regarding the violation, penalties for each violation range between $100 (did not know or have reason to know) and $50,000 (willful neglect without correction), with a maximum penalty for a given year of $1,500,000 for any violations of the same requirement or prohibition.
The Final Rule specifies that DHHS should consider the following factors when determining the amount, within such ranges, of the CMP to impose:
- The nature and extent of the violation, including the number of individuals affected and the time period of the violation
- The nature and extent of harm resulting from the violation
- The history of prior compliance with HIPAA
- The financial condition of the Covered Entity or Business Associate
- Such other matters as justice may require
DHHS will not impose a CMP if a HIPAA violation is corrected within 30 days of discovery (or with the exercise of reasonable diligence would have been discovered) unless resulting from the willful neglect of the Covered Entity or Business Associate.
The Final Rule specifies that DHHS can impose liability on Covered Entities for HIPAA violations by their Business Associate agents.
Marketing and Sale of Patient Information
The Final Rule adopts a more robust definition of “marketing” than that set forth in the proposed rule. A Covered Entity that, directly or indirectly, through a Business Associate or otherwise, receives payment from or on behalf of a third party whose product or service is being described in a communication is precluded from sending that communication to an individual—even if treatment-related—without a prior written authorization. Such communications are now considered marketing even if they contain educational or other general health information. The Final Rule specifically excepts refill reminders and communications about a drug or biologic currently being prescribed to an individual from the “marketing” definition, even if the Covered Entity is remunerated for the communication, so long as the financial remuneration does not exceed that “reasonably related to the covered entity’s cost of making the communication.” DHHS clarified that the exception would encompass medication adherence communications as well as communications to individuals about generic therapeutic equivalents. DHHS intends to provide future guidance as to the types of communications that will fall within this exception.
DHHS retracted the approach described in the proposed rule under which a Covered Entity would not need a patient authorization in order to use PHI for certain third-party sponsored treatment-oriented communications, so long as the use was disclosed in its Notice of Privacy Practices and on the communication itself and the patient had the right to opt out of future communications.
The Final Rule also specifically prohibits the sale of an individual’s PHI to third parties without a patient authorization.
Business Associates and Subcontractors
DHHS emphasized in the Final Rule the expanded responsibility and liability that Business Associates of covered entities (and hybrid entities) assumed under HITECH. Business Associates have direct liability for violations of the privacy and security standards and are subject to the new CMPs described above to the same extent as covered entities. Subcontractors of Business Associates will be covered under the mandated Business Associate Agreements and similarly bound by, and liable under, the HIPAA requirements imposed on Business Associates, even where their access to PHI is for limited purposes.
The definition of Business Associate now includes Patient Safety Organizations as well as Health Information Organizations (HIOs), E-Prescribing Gateways, Vendors of Personal Health Records and “other persons that facilitate data transmission.” DHHS affirmed the conduit exception for entities that do not access PHI other than on a random or infrequent basis. However, DHHS noted that the exception is limited to transmission and that any entity that stores or maintains PHI would be a Business Associate, even if its access to PHI is limited or infrequent.
Compound Authorizations for Research
DHHS finalized a proposal to permit the use of compound patient authorizations for research. Such a compound authorization could allow a patient to authorize the use of his/her PHI related to a certain research project as well as specimen collection on the same authorization form. In addition, patients can authorize the use of their PHI broadly for research purposes, including for unspecified future research projects.
Prohibition of Use of Genetic Information for Underwriting Purposes
The Final Rule modifies the definition of Protected Health Information to include genetic information. The regulations also finalize rules against the use of genetic information for health plan underwriting. The Final Rule makes clear that any health plan covered by the Privacy Rule is subject to this requirement, not just health plans and insurers defined by GINA. Long-term care insurers are excluded by the regulations from this prohibition and may share genetic information for underwriting purposes, but they remain subject to the Privacy Rule.
One area of the Final Rule that will provide for expanded use of health information relates to the use of certain information by a non-profit covered entity for purposes of its internal fundraising efforts. Under the existing rule, targeted fundraising solicitations to individuals with a particular condition or treatment were not permitted without advance authorization. The Final Rule allows for use of certain demographic information of a patient, along with information on the date and department where they were treated, their treating physician, a general indication of the outcome and their insurance status, for purposes of raising funds. Non-profits who intend to utilize this information will need to update their Notice of Privacy Practices and continue to allow individuals to opt out of receipt of fundraising communications.
No PHI Related to Certain Deceased Individuals
The Final Rule removes from the definition of PHI information related to an individual who has been deceased for more than 50 years. As such, there are no limitations on how such information may be used or disclosed, which should allow for broader use of such data in historical research projects.
Covered Entities will need to amend and update their respective Notices of Privacy Practices, and Covered Entities and Business Associates will need to update existing privacy policies and procedures to address the Final Rule by the compliance date. For existing business associate agreements, the Final Rule gives Covered Entities and Business Associates an additional year to modify their current contracts to reflect the new regulations—September 23, 2014. This relief is available for Business Associate agreements entered into on or before January 25, 2013, the date the regulations were published in the Federal Register. On January 25, 2013, the DHHS Office of Civil Rights released an updated sample Business Associate Agreement, available here, which includes provisions to address updated requirements in the Final Rule. The sample Business Associate Agreement can be used by both Covered Entities and Business Associates to model and amend existing Business Associate agreements as needed to comply with the Final Rule.