Introduction
Effective and compliance dates
Business associates

Other business associate provisions
Required amendments and transition provisions
Marketing
Research
Sale of protected health information
Protected health information about decedents
Disclosure of student immunisations to schools
Fundraising
Breach notification
Right to request restriction
Notice of privacy practices

Access to electronic protected health information
Hybrid entities
GINA
Enforcement
Future rulemakings
Comment


Introduction

On January 17 2013 the Office for Civil Rights (OCR) of the Department of Health and Human Services released a highly anticipated final rule which makes sweeping changes to the privacy, security and enforcement regulations promulgated under the administrative simplification provisions of the Health Insurance Portability and Accountability Act. The final rule is actually comprised of four rules:

  • final modifications to the Health Insurance Portability and Accountability Act privacy, security and enforcement rules as mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH) (PL 411-05), as well as certain other modifications to improve the rules;
  • final modifications to the Health Insurance Portability and Accountability Act enforcement rule, originally published on October 30 2009 as an interim final rule, to incorporate increased and tiered monetary penalties pursuant to HITECH, among other changes;
  • a final rule on breach notification for unsecured protected health information under HITECH, which supplants an interim final rule published on August 24 2009; and
  • a fnal rule implementing certain provisions of the Genetic Information Non-discrimination Act of 2008 (GINA) by revising the Health Insurance Portability and Accountability Act privacy rule to provide for increased privacy protections for genetic information.

With the final rule the OCR seeks to:

  • increase protections of protected health information;
  • improve workability and flexibility;
  • decrease compliance burdens; and
  • better harmonise privacy requirements with other Department of Health and Human Services regulations, such as the Food and Drug Administration's regulations on research involving human subjects.

This update looks at some of the more significant provisions of the final rule.

Effective and compliance dates

The final rule takes effect on March 26 2013. In general, covered entities and their business associates have 180 days beyond the effective date - that is, until September 23 2013 - to comply with the final rule. However, the enforcement rule is effective and applies on March 26 except as otherwise specified in the rule. Additionally, there are transitional provisions allowing covered entities and their business associates up to one year beyond the compliance date of the final rule to amend existing contracts if certain conditions discussed below are met.

Business associates

The final rule broadens the definition of 'business associate' to include several entities, including:

  • health information organisations, e-prescribing gateways or other parties that provide data transmission services with respect to protected health information to a covered entity and that require routine access to such protected health information;
  • persons who offer personal health records to one or more individuals on behalf of a covered entity;
  • patient safety organisations, which are entities that undertake patient safety activities on behalf of a covered entity; and
  • subcontractors of business associates that create, receive, maintain or transmit protected health information on behalf of a business associate, regardless of how far down the chain the entity is from the primary business associate.

While acknowledging that there is an exception to the definition of 'business associate' for data conduits, which are entities that provide mere data transmission services and have only random or infrequent access to electronic protected health information, the OCR emphasises that the conduit exception is narrow.

The OCR makes clear that entities that store or maintain electronic protected health information for covered entities qualify as business associates because they have persistent access to protected health information, even if they do not actually view the information or do so only on a random or infrequent basis. This suggests that cloud providers that store or maintain electronic protected health information on behalf of covered entities qualify as business associates.

Other business associate provisions

The final rule implements HITECH's provisions extending direct liability for compliance with the security rule to business associates. Accordingly, the final rule makes Sections 164.308, 164.310, 164.312, 164.314 and 164.316 of the security rule applicable to business associates in the same manner as these requirements apply to covered entities.

The OCR clarifies that HITECH does not require business associates to comply with all requirements under the Health Insurance Portability and Accountability Act. Under the final rule, a business associate must not do the following and is directly liable under the Health Insurance Portability and Accountability Act for lack of compliance:

  • using and disclosing protected health information in a way that does not accord with its business associate agreement or the privacy rule;
  • failing to disclose protected health information when required by the Department of Health and Human Services secretary to enable the secretary to investigate and determine the business associate's compliance with the Health Insurance Portability and Accountability Act rules;
  • failing to disclose protected health information to the covered entity, individual or individual's designee (whichever is specified in the business associate agreement), as necessary to satisfy a covered entity's obligations with respect to an individual's request for an electronic copy of protected health information;
  • failing to provide breach notification to the covered entity;
  • failing to provide an accounting of disclosures;
  • failing to comply with the requirements of the security rule;
  • failing to make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request; and
  • failing to enter into business associate agreements with subcontractors that create or receive protected health information on their behalf.

In contrast, business associates are not required to comply with provisions such as providing notices of privacy practice, designating a privacy official or amending protected health information in accordance with 45 CFR § 164.526.

The final rule clarifies that covered entities are not required to obtain satisfactory assurances from business associates that are subcontractors. Rather, a business associate is required to obtain such assurances from a subcontractor. Direct liability under the Health Insurance Portability and Accountability Act rules attach regardless of whether the business associate and subcontractors have entered into the required business associate agreements.

Required amendments and transition provisions

One of the more burdensome provisions of the final rule is the requirement to amend business associate agreements to contain additional provisions, including provisions that require the business associate to:

  • comply with applicable provisions of the security rule;
  • ensure that any subcontractor that creates, receives, maintains or transmits electronic protected health information on behalf of the business associate agrees to comply with applicable requirements of the security rule by entering into a contract or other arrangement that complies with the business associate provisions;
  • ensure that any subcontractor that creates, receives, maintains or transmits protected health information on behalf of the business associate agrees to the same restrictions and conditions that apply to the business associate with respect to such information;
  • report to the covered entity breaches of unsecured protected health information as required by the breach notification rules; and
  • to the extent that the business associate carries out a covered entity's obligation under the privacy rule, comply with the requirements of the rule that apply to the covered entity in the performance of such obligation.

The final rule adopts transitional provisions that allow covered entities, business associates and business associate subcontractors to continue to operate under existing contracts for up to one year beyond the compliance date of the revisions to the Health Insurance Portability and Accountability Act Rules (ie, September 22 2014). The additional transition period is available to a covered entity or business associate if, prior to January 25 2013, the covered entity or business associate had an existing contract or other written arrangement with a business associate or subcontractor, respectively, that complies with the prior provisions of the Health Insurance Portability and Accountability Act rules and such contract or arrangement is not renewed or modified from March 26 2013 until September 23 2013.

Marketing

The OCR significantly revises its prior proposals related to the definition of 'marketing'. Overall, the final rule greatly expands the types of product and service-related communication to patients or enrollees that will require individual authorisation by requiring individual authorisation for all treatment and healthcare operations communications where the covered entity receives payment in exchange for the communication from or on behalf of a third party whose product or service is being described.

The OCR finalises its proposal to allow, without individual authorisation, refill reminders or other communications about a drug or biologic that is currently being prescribed to the individual, provided that any financial remuneration received by the covered entity is reasonably related to the covered entity's cost of making the communication. The OCR clarifies that it considers communications about the generic equivalent of a drug being prescribed to an individual as well as adherence communications encouraging individuals to take their prescribed medication as directed to fall within the scope of this exception. Additionally, the OCR states that where an individual is prescribed a self-administered drug or biologic, communications regarding all aspects of a drug delivery system, including for example, an insulin pump, fall under this exception.

In response to comments questioning what types of cost fall within this reasonably related standard, the OCR provides that a covered entity may only receive remuneration to cover the costs of labour, supplies and postage to make the communication. Where the financial remuneration would generate a profit for the covered entity or include payment for other costs, however, individual authorisation is required.

The OCR emphasises that the financial remuneration a covered entity receives from a third party must be for the purpose of making a communication, and that such communication must encourage individuals to purchase or use the third party's product or service to trigger the prohibition. If the financial remuneration received by the covered entity is for any purpose other than for making the communication, the marketing provision does not apply. As an example, the OCR describes a situation where a third party provides financial remuneration to a covered entity to implement a programme, such as a disease management programme. In such a situation, "the covered entity could provide individuals with communications about the program without obtaining individual authorization as long as the communications are about the covered entity's program itself". The scope of this guidance is unclear and it remains to be seen whether it would permit communications related to products or services that would otherwise be prohibited as long as the products or services are offered in connection with the programme described by the communication.

The OCR also clarifies that no authorisation is required where a covered entity receives financial remuneration from a third party to make a treatment or healthcare operations communication (or other marketing communication), if the communication is made face to face by a covered entity to an individual or consists of a promotional gift of nominal value provided by the covered entity.

Research

In a big win for researchers and sponsors of research, the final rule eases restrictions under the privacy rule on the use of compound authorisations. As a general matter, the privacy rule prohibits covered entities from conditioning treatment, payment, enrolment in a health plan or eligibility for benefits on an individual's agreeing to sign a Health Insurance Portability and Accountability Act authorisation for a use or disclosure of protected health information not otherwise permitted or required by the privacy rule. This limitation was developed to ensure that authorisation from an individual for a use or disclosure of protected health information is voluntarily provided. An exception to this rule exists for the provision of research-related treatment in a clinical trial, which may be conditioned on the individual's signing an authorisation to allow the covered entity to use and disclose protected health information for the research. Nonetheless, the privacy rule also prohibits combining an authorisation that conditions treatment, payment, enrollment in a health plan or eligibility for benefits (ie, a conditioned authorisation) with an authorisation for another purpose for which treatment, payment, enrolment or eligibility may not be conditioned (ie, an unconditioned authorisation). Thus, before the final rule, a covered entity could not, for example, combine an authorisation to use and disclose protected health information for research in connection with a clinical trial, which is a conditioned authorisation, with an authorisation to create a central research repository or tissue bank for future research, which is an unconditioned authorisation. In that case the privacy rule required that separate authorisations be secured from an individual.

Recognising that separate authorisations could be confusing for individuals, the final rule allows compound authorisations for research that includes both conditioned and unconditioned activities. Such authorisation must:

  • clearly distinguish the conditioned and unconditioned activities;
  • have an opt-in option for the unconditioned research activity (eg, tissue banking); and
  • not relate to psychotherapy notes, the disclosure of which is subject to stricter rules.


Additionally, the OCR reverses its prior interpretation that authorisations must be study specific, an interpretation that interfered with secondary research and corollary research activities (eg, the creation of a research database or repository where information and specimens obtained from a research participant during the trial are transferred and maintained for future research). The final rule allows authorisation for future research if the authorisation includes sufficient clarity such that a reasonable individual would expect his or her protected health information to be used or disclosed for future research.

These changes are intended to simplify research authorisations, minimise patient confusion and align Health Insurance Portability and Accountability Act regulations with practices permitted under the common rule, while maintaining protections for the use or disclosure of protected health information.

Sale of protected health information

The final rule adopts HITECH's prohibition against the sale of protected health information. Because these provisions are so broad in scope, it will be critical for covered entities and their business associates to satisfy an exception in order for many disclosures of protected health information that are commonplace today not to fall foul of the Health Insurance Portability and Accountability Act. If an exception cannot be met, individual authorisations will have to be secured, which can be burdensome to obtain.

Under the final rule, the sale of protected health information requires individual authorisation stating that the covered entity will receive such remuneration. The phrase 'sale of protected health information' means the disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information. Unlike the marketing provisions, remuneration is not limited to financial payment and includes receipt of non-financial benefits. The sale of protected health information does not include disclosures:

  • for public health activities permitted under applicable provisions of the privacy rule;
  • for research, to the extent that the only remuneration received by the covered entity or business associate is a reasonable cost-based fee to cover the cost of preparing and trasmitting the protected health information for such purposes;
  • for treatment and payment in accordance with applicable provisions of the privacy rule;
  • to or by business associates, where the remuneration is paid by a covered entity to a business associate for activities performed on behalf of a covered entity;
  • to the individual to provide the individual with access to protected health information or an accounting of disclosures, where the fees charged for doing so accord with the privacy rule;
  • for the transfer, merger or consolidation of all or part of a covered entity with another covered entity, or an entity that will become a covered entity following such activity, and related due diligence;
  • required by law; and
  • for any other purpose permitted by and in accordance with the privacy rule, where the covered entity receives only a cost-based fee to cover the cost of preparing and transmitting the protected health information or a fee otherwise expressly permitted by other law.

With respect to disclosures for research purposes, the OCR clarifies that it does not consider the provisions of the sale of protected health information to encompass payments that a covered entity may receive in the form of grants, contracts or other arrangements to perform programmes or activities, such as a research study, because any provision of protected health information to the entity making payment "is a byproduct of the service being provided". It also clarifies that a reasonable, cost-based fee may include the direct and indirect costs to prepare and transmit the data, including labour, materials and supplies, but not a profit margin.

Compliance with these provisions is required by September 23 2013, except where transition provisions apply, which allow covered entities to continue to rely on existing authorisations or other legal forms of permission as well as to rely on existing data use agreements if certain conditions are met.

Protected health information about decedents

The final rule requires compliance with the privacy rule for the protected health information of decedents for 50 years following the date of death. After 50 years from the date of death, individually identifiable health information of a decedent would no longer qualify as protected health information under the privacy rule. In the OCR's view, this provision strikes the right balance between protecting the privacy of relatives and others connected to a decedent and the difficulty of obtaining authorisations from relatives or other representatives to conduct activities such as research that are valuable from a public policy perspective.

Additionally, the final rule allows disclosure of protected health information of a decedent to family members and others who, prior to the person's death, were involved in the care or payment for care provided to the person, unless doing so is inconsistent with any prior expressed preference of the decedent that is known to the covered entity.

Disclosure of student immunisations to schools

In order to facilitate the sharing of immunisation records with schools, if certain conditions are met the final rule permits a covered entity to disclose proof of immunisation to a school where state or other law requires the school to have such information prior to admitting the student. While written authorisation will no longer be required to permit this disclosure, covered entities will still be required to obtain agreement, which may be oral, from a parent, guardian or other person acting in loco parentis for the individual or from the individual himself or herself, if the individual is an adult or emancipated minor. The final rule also requires that covered entities document the agreement obtained under this provision.

Fundraising

The final rule permits a covered entity to use or disclose to a business associate or to an institutionally related foundation certain protected health information for the purpose of fundraising, without individual authorisation if certain conditions are met. Specifically, with each fundraising communication made to an individual, a covered entity must provide the individual with a clear and conspicuous opportunity to elect not to receive any further fundraising communications (ie, an opt-out). Furthermore, the method for an individual to elect not to receive further fundraising communications may not cause the individual to incur an undue burden or more than a nominal cost. The final rule allows for the use or disclosure of demographic information (defined as name, address, other contact information, age, gender and date of birth), dates of service to an individual, department of service information, treating physician information, outcome information and health insurance status.

The final rule prohibits the conditioning of treatment or payment on the individual's fundraising communication choice, and requires the covered entity's notice of privacy practices to state that the entity may contact the individual to raise funds and that the individual has a right to opt out of receiving such communications.

Breach notification

In addition to the changes to the marketing provisions, the modifications that are arguably the most significant and difficult to interpret are the changes that the OCR makes to the breach notification requirements. Among other things, the OCR abandons the "significant risk of harm [to an individual]" standard in favour of what it describes as a more objective test to evaluate whether a breach of unsecured protected health information is reportable under the law. Under the new provisions,an impermissible use or disclosure of protected health information is presumed to be a reportable breach unless the covered entity or business associate, as applicable, demonstrates through a documented risk assessment that there is a low probability that protected health information has been compromised. According to the OCR, "some persons may have interpreted the risk of harm standard in the interim final rule as setting a much higher threshold for breach notification than we intended to set". Suggesting that the original standard did not set a high bar in spite of the plain meaning of the phrase 'significant risk', the OCR characterises the new standard as a clarification as opposed to what appears to be a reversal of its prior position.

The final rule articulates four factors that a risk assessment must consider:

  • the nature and extent of the protected health information (eg, sensitivity of data, likelihood of re-identification);
  • the unauthorised person by whom or to whom the protected health information was used or disclosed;
  • whether the protected health information was actually acquired or viewed; and
  • mitigation efforts.

Apparently, potential harm to the individual whose data is compromised is still relevant under the new breach notification standard in relation to the first factor (ie, consideration of the nature of the protected health information). As the OCR explains:

"[c]onsidering the type of protected health information involved in the impermissible use or disclosure will help entities determine the probability that the protected health information could be used by an unauthorized recipient in a manner adverse to the individual."

Notably, the OCR indicates that a risk assessment must be conducted even in the case of impermissible uses (ie, use within a covered entity or business associate that does not comply with the minimum necessary standard) and not simply for impermissible disclosures to third parties. However, it notes that an impermissible use that occurs within an entity may result in a low probability that protected health information has been compromised and thus not trigger a reporting obligation.

The final rule also eliminates the former exception for breaches involving limited data sets that contain no dates of birth or zip codes, and requires a risk assessment when any limited data set is impermissibly used or disclosed to determine whether a reportable breach has occurred.

Like the current interim final rule on breach notification, which applies until compliance is required with the final rule on September 23 2013, the final rule does not pre-empt most state breach reporting laws. Although the Health Insurance Portability and Accountability Act rules generally pre-empt conflicting state laws, there is no conflict if a covered entity or business associate can comply with both federal and state law. As a result and because there is no pre-emption of stricter state laws, covered entities and business associates will continue to face the difficulty of potentially having to comply with a disparate collection of breach reporting laws in the case of data breaches impacting on individuals residing in numerous states.

In light of the breadth and burdens of the final rule's provisions on breach notification, it is imperative that covered entities and business associates consider the safe harbour under the Health Insurance Portability and Accountability Act for encryption. In fact, encrypting data in accordance with the Health Insurance Portability and Accountability Act safe harbour is arguably one of the smartest risk mitigation strategies an entity that is subject to the act could employ.

Right to request restriction

The final rule requires covered entities to agree to an individual's request to restrict disclosure of protected health information to a health plan if:

  • the disclosure is for purposes of payment or healthcare operations and is not otherwise required by law; and
  • the protected health information pertains solely to a healthcare item or service for which the individual, or person on behalf of the individual other than the health plan, has paid the covered entity in full.

Notwithstanding this requirement, covered entities may still make disclosures of protected health information that are otherwise required by law.

The OCR clarifies that these provisions do not require that covered healthcare providers create separate medical records or otherwise segregate protected health information subject to a restricted healthcare item or service. Nevertheless, they will need to employ some method to flag or make a notation in the record with respect to the protected health information that has been restricted to ensure that such information is not inadvertently sent to or made accessible to a health plan for payment or healthcare operations purposes, such as audits by the health plan.

Notice of privacy practices

Rejecting comments to its proposed rule that certain revisions to notices of privacy practices are unnecessary, the OCR adopts provisions in the final rule that require covered entities to modify their notices of privacy practices by adding statements which indicate that:

  • authorisation is required for most uses and disclosures of psychotherapy notes (where applicable), protected health information for marketing purposes and the sale of protected health information;
  • individuals will be notified following a breach of unsecured protected health information; and
  • to the extent that the covered entity uses protected health information for fundraising, the covered entity may contact the individual to raise funds and the individual has a right to opt out of receiving such communications.

The final rule also adopts the proposal that the notices of privacy practices inform individuals of their new right to restrict certain disclosures of protected health information to a health plan where the individual pays out of pocket in full for the healthcare item or service. Only healthcare providers are required to include such a statement in their notices of privacy practices.

Additionally, if a covered entity is a health plan excluding certain issuers of long-term care policies and which intends to use or disclose protected health information for underwriting purposes, the notice of privacy practices must include a statement that the covered entity is prohibited from using or disclosing protected health information that is genetic information of an individual for such purposes.

Because, according to the OCR, the changes mandated by the final rule are material, the final rule requires a covered health plan that currently posts its notice of privacy practices on its website to:

  • prominently post the material change or its revised notice on its website by the effective date of the material change to the notice (eg, the compliance date of the final rule); and
  • provide the revised notice, or information about the material change and how to obtain the revised notice, in its next annual mailing to individuals then covered by the plan (eg, at the beginning of the plan year or during the open enrolment period).

Health plans that do not have customer service websites are required to provide the revised notice of privacy practices, or information about the material change and how to obtain the revised notice, to individuals covered by the plan within 60 days of the material revision to the notice.

Covered healthcare providers with a direct treatment relationship must make the notice available on request on or after the effective date of the notice of privacy practices revision and promptly comply with the requirements of the rule related to provision of notice at physical service delivery sites, if any.

Access to electronic protected health information

Section 13405(e) of HITECH strengthens the privacy rule's right of access with respect to covered entities that use or maintain an electronic health record on an individual. The OCR finalises its proposal to expand individuals' access rights to receive electronic copies of their protected health information that is maintained electronically in one or more designated record sets, regardless of whether the designated record set qualifies as an electronic health record.

The OCR clarifies that the covered entity must provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or if not, in a readable electronic form and format as agreed to by the covered entity and the individual. In such cases, the OCR clarifies that it expects covered entities, if possible, to provide a "machine readable" copy (eg, MS Word or Excel, text, HTML, or text-based PDF).

If an individual's request for access directs the covered entity to transmit the copy of protected health information directly to another person designated by the individual, the covered entity must provide the copy to the person designated by the individual. The individual's request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of protected health information.

Significantly, the OCR acknowledges that:

"some legacy or other systems may not be capable of providing any form of electronic copy at present and [we] anticipate that some covered entities may need to make some investment in order to meet the basic requirement to provide some form of electronic copy."

Hybrid entities

Many covered entities perform both covered (eg, academic medical facility) and non-covered (eg, university) functions as part of their business operations. Even though the entity may perform non-covered functions, the privacy rule applies to the entity as a whole to the extent that it is a single legal entity. However, the hybrid entity provisions of the privacy rule permit the entity to limit the application of the rules to the entity's components that perform functions that would make the component a "covered entity" if the component were a separate legal entity. This way, the provisions allow an entity to designate a healthcare component by documenting the components of its organisation that perform covered entity functions. The effect of such a designation is that most of the requirements of the Health Insurance Portability and Accountability Act rules apply only to the designated healthcare component of the entity, and not to the functions that the entity performs that are not included in the healthcare component.

The final rule removes the discretion covered entities had under the prior version of the privacy rule and requires that the healthcare component of a hybrid entity include all business associate functions (eg, billing or compliance departments). In the OCR's view, this change was necessary to prevent hybrid entities from avoiding direct liability and compliance obligations for the business associate component by not including business associate functions within the healthcare component of a hybrid entity.

GINA

The final rule implements provisions of GINA which prohibit health plans and employers from discriminating on the basis of genetic information. The final rule revises the privacy rule expressly to include "genetic information" within its definition of 'health information' and prohibits health plans from "using or disclosing genetic information for underwriting purposes". Notably, the OCR extends GINA's applicability beyond the health plan types specified in the statute to include "all health plans that are covered entities under the Health Insurance Portability and Accountability Act Privacy Rule", except for "issuers of long term care policies".

Under the final rule, 'genetic information' means, with respect to any individual, information about:

  • such individual's genetic tests;
  • the genetic tests of family members of such individual;
  • the manifestation of a disease or disorder in family members of such individual (ie, family medical history); and
  • any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by such individual or family member of such individual.

Genetic information does not include information about the sex or age of an individual. Genetic information concerning an individual or family member of an individual includes the genetic information of:

  • a foetus carried by the individual or family member who is a pregnant woman; and
  • any embryo legally held by an individual or family member utilising an assisted reproductive technology.

'Family member' means, with respect to an individual:

  • a dependant of the individual; or
  • any other person who is a first-degree (eg, parent, spouse, sibling and child), second-degree (eg, grandparent, grandchild, aunt, uncle, nephew and niece), third-degree (eg, great-grandparent, great-grandchild, great aunt, great uncle and first cousin) or fourth-degree (eg, great-great grandparent, great-great grandchild and child of first cousin) relative of the individual or of a dependent of the individual.

Relatives by affinity (eg, by marriage or adoption) are treated the same as relatives by consanguinity (eg, relatives who share a common biological ancestor). In determining the degree of the relationship, relatives by less than full consanguinity (eg, half-siblings, who share only one parent) are treated the same as relatives by full consanguinity (eg, siblings who share both parents).

The term 'manifestation or manifested' means, with respect to a disease, disorder or pathological condition, that an individual has been or could reasonably be diagnosed with the disease, disorder or pathological condition by a healthcare professional with appropriate training and expertise in the field of medicine involved. A disease, disorder or pathological condition is not manifested if the diagnosis is based principally on genetic information.

The final rule defines 'underwriting purposes' broadly as:

  • rules for or determination of eligibility (including enrolment and continued eligibility) for or determination of benefits under the plan, coverage or policy;
  • the computation of premium or contribution amounts under the plan, coverage or policy;
  • the application of any pre-existing condition exclusion under the plan, coverage or policy; and
  • other activities related to the creation, renewal or replacement of a contract of health insurance or health benefits.

Significantly, the final rule provides an exception to the definition of 'underwriting purposes' that allows health plans to "use or disclose the minimum necessary genetic information" to make determinations regarding the medical appropriateness of providing a requested benefit (eg, requiring a genetic test or family history to demonstrate increased breast cancer risk as a prerequisite for authorising annual mammograms for a woman under the age of 40).

Unlike most uses and disclosures of protected health information under the Health Insurance Portability and Accountability Act, covered health plans may not use authorisations to permit the use or disclosure of genetic information for underwriting purposes.

Enforcement

HITECH amended the Health Insurance Portability and Accountability Act to establish four categories of violation that reflect increasing levels of culpability and four corresponding tiers of penalty that significantly increased the minimum penalty amount for each violation. The final rule incorporates the four categories of violation and corresponding four-tiered civil money penalty structure provided by HITECH for violations occurring on or after February 18 2009 and extends the penalty provisions to violations by business associates. The four categories of violation are as follows:

  • The first category of violation (and lowest penalty tier) covers situations where the covered entity or business associate did not know, and by exercising reasonable diligence would not have known, of a violation.
  • The second category of violation applies to violations due to reasonable cause and not to wilful neglect.
  • The third and fourth categories apply to circumstances where the violation was due to wilful neglect that is corrected within a certain time period and wilful neglect that is not corrected.

The penalties associated with each tier are summarised in the following chart.

Violation category

Per-violation penalty

Annual cap for all violations of identical provision

(A) Did not know

$100 to $50,000

$1.5 million

(B) Reasonable cause

$1,000 to $50,000

$1.5 million

(C)(i) Wilful neglect - corrected

$10,000 to $50,000

$1.5 million

(C)(ii) Wilful neglect - not corrected

$50,000

$1.5 million


Although there is a $1.5 million cap for all violations of an identical provision in a calendar year, a covered entity or business associate may be liable for multiple violations of multiple provisions and a violation of each provision may be counted separately. As such, one covered entity or business associate may be subject to multiple violations of up to $1.5 million for each violation, which would result in a total penalty well above $1.5 million.

The final rule also adopts:

  • provisions that require the Department of Health and Human Services to investigate a complaint or conduct a compliance review when a preliminary review of the facts indicates a possible violation due to wilful neglect; and
  • provisions that define the mens rea standard associated with violations due to "reasonable cause" as:

"an act or omission in which a Covered Entity or Business Associate knew, or by exercising reasonable diligence would have known, that the act or commission violates [a Health Insurance Portability and Accountability Act provision], but in which the Covered Entity or Business Associate did not act with willful neglect."

Under the final rule, the Department of Health and Human Services may share information gathered in any investigations or compliance reviews with other law enforcement agencies to the extent permitted by the Privacy Act.

Importantly, the final rule also provides for civil money penalty liability against covered entities and business associates for the acts of their agents regardless of whether a business associate agreement is in place. The OCR states that it will look to the federal common law of agency in determining whether an entity is acting as an agent.

Finally, the final rule includes a potential affirmative defence with respect to tier one and two violations occurring on or after February 18 2009. Specifically, a covered entity or business associate may establish that an affirmative defence applies where the entity corrects the violation within 30 days of the date on which the entity had knowledge of the violation or, with the exercise of reasonable diligence, would have had knowledge of the violation, or during a period determined appropriate by the secretary based on the nature and extent of the entity's failure to comply.

Future rulemakings

The final rule does not implement several HITECH provisions and instead leaves them to future rulemakings. It does not address either:

  • the accounting of disclosure requirements under HITECH, which require covered entities to account for disclosures of protected health information from electronic health records for treatment, payment and healthcare operations; or
  • the methodology under which an individual who is harmed by a Health Insurance Portability and Accountability Act violation may receive a percentage of any civil money penalty or monetary settlement collected with respect to the offence.

Additionally, it does not provide guidance on the minimum necessary provisions of the Health Insurance Portability and Accountability Act. It will be important for covered entities and business associates to monitor developments related to these provisions, especially the whistleblower provisions, as they are likely to have a significant impact on their compliance obligations and the enforcement of the Health Insurance Portability and Accountability Act.

Comment

The final rule implements the most significant changes to the Health Insurance Portability and Accountability Act since the statute was enacted. Driven in large part by a desire to build patient confidence in the security of electronic health records - in which the Department of Health and Human Services has invested billions of dollars and which many policymakers see as a key pathway to major improvements in healthcare - the final rule strengthens the protections of protected health information in the Health Insurance Portability and Accountability Act privacy and security rules. It also arms the OCR with much stronger tools to enforce the Health Insurance Portability and Accountability Act rules. Clearly, the OCR has laid the foundation in the final rule for a new era of healthcare privacy regulation and enforcement at the federal level. In light of these new requirements and tools, healthcare companies and their contractors should assess their information practices and governance and devote sufficient resources to bringing their operations into compliance with the final rule.

For further information on this topic please contact Anna L Spencer or James Stansel at Sidley Austin LLP by telephone (+1 202 736 8600), fax (+1 202 736 8711) or email (aspencer@sidley.com or jstansel@sidley.com).

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.