Last Friday, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) published the final rule modifying the privacy and security regulations issued under the Health Insurance Portability and Accountability Act (HIPAA), in part to implement the statutory amendments under the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The final rule is effective March 26, 2013, with compliance generally required by September 23, 2013.

For the most part, the final rule includes changes proposed in the interim final rule issued on July 14, 2010, with some other changes and clarifications. This alert focuses on the changes most relevant to those covered entities that are group health plans.

Action Item: Employers who sponsor a group health plan will need to review and revise the following documents for compliance with the final rule:

  • HIPAA policies and procedures;
  • business associate agreements; and
  • notices of privacy practices.

Business Associates

Perhaps the most controversial provision of the HITECH Act embodied in the interim final rule was the proposal to make business associates directly subject to many of the requirements under HIPAA’s privacy and security rules. Under the final rule, business associates are directly subject to the security rule and a majority of the requirements under the privacy rule. A business associate includes any entity that creates, receives, maintains or transmits protected health information (PHI) in connection with services to a covered entity (such as a group health plan). HHS notes that vendors storing PHI for a covered entity can be business associates by virtue of their ability to access PHI even if their services do not involve accessing the PHI.

The final rule applies the minimum necessary standard directly to business associates when using or disclosing PHI or when requesting PHI from another covered entity. Requests for PHI directed to another business associate must also be limited to the minimum necessary.

Direct Liability

A business associate is not subject to all of the requirements under HIPAA’s privacy rule that apply to a group health plan (such as designating a privacy officer or distributing notices of privacy practices) but will be directly liable under HIPAA for:

  • impermissible uses and disclosures;
  • failure to enter into business associate agreements with subcontractors;
  • failure to provide breach notification to the plan;
  • failure to provide access to a copy of electronic PHI to either the plan, the individual or the individual’s designee (as specified in the business associate agreement);
  • failure to disclose PHI where required by the Secretary of HHS to determine the business associate’s compliance with HIPAA;
  • failure to provide an accounting of disclosures; and
  • failure to comply with the requirements of HIPAA’s security rule.


Under the final rule, a business associate’s subcontractors are treated as business associates for purposes of compliance with HIPAA’s privacy and security rules. A subcontractor is a person to whom a business associate delegates a function, activity or service, other than in the capacity of a member of the business associate’s workforce. The final rule makes clear that it is the responsibility of the business associate (and not the covered entity) to obtain assurances from its subcontractors regarding compliance with HIPAA before disclosing PHI to the subcontractor or allowing the subcontractor to create or receive PHI on its behalf. Further, if a business associate is aware of noncompliance by a subcontractor, the business associate must respond to the situation in the same manner as a covered entity that becomes aware of noncompliance by its business associate (such as taking reasonable steps to cure the breach and possibly terminating the arrangement with the subcontractor, if feasible).

Transitional Relief

HHS has adopted transitional relief that allows plans and business associates to continue to operate under their existing contracts until September 23, 2014, or if earlier, the date the contract is renewed or modified. However, to qualify for this relief, the contract must have been in effect on January 25, 2013, so any contracts not finalized by that date will need to be amended for the final regulations by September 23, 2013, a whole year earlier.

Notice of Privacy Practices

Required Notice Items

The final rule adopts the proposals in the interim final rule requiring notices of privacy practices to include a description of the uses and disclosures of PHI that require an authorization (including statements regarding uses and disclosures of psychotherapy notes and uses and disclosures of PHI for marketing purposes and the sale of PHI) and a statement that other uses and disclosures not described in the notice will be made only with the individual’s authorization. The final rule also requires the notice to include a statement of the right of affected individuals to be notified following a breach of unsecured PHI and of the prohibition on using genetic information for underwriting purposes.

Distribution of New Notice

A revised notice or information about these material changes and how to obtain a revised notice must be provided to individuals covered under the plan within 60 days of the changes. However, to the extent a plan’s notice of privacy practices is consistent with the final rule and individuals have previously been informed of the revisions, the plan is not required to revise and distribute another notice upon publication of the final rule.

Breach Notification and Reporting

Breach Determinations

Under the final rule, an impermissible use or disclosure of PHI will be presumed to be a breach, unless the covered entity or business associate can demonstrate that there is a low probability that the PHI has been "compromised". Although the privacy rule uses the terms "use" and "disclosure", HHS interprets both access and acquisition to fall within the definition of use and disclosure.

In an effort to make breach determinations more uniform and objective, the final rule eliminates the harm standard from the risk analysis and focuses on the following factors for assessing the probability that the PHI has been compromised:

  • the nature and extent of the PHI involved, including the types of identifiers and likelihood of re-identification;
  • the unauthorized person who used the PHI or to whom the disclosure was made. A plan or business associate should consider whether the unauthorized person who received the information has obligations to protect the privacy and security of the information or if the unauthorized person has the ability to re-identify the information (if the information is not immediately identifiable);
  • whether the PHI was actually acquired or viewed; and
  • the extent to which the risk to the PHI has been mitigated.

Depending on the circumstances of the impermissible use or disclosure, additional factors may need to be considered to appropriately assess the risk that the PHI has been compromised. Note that uses or disclosures that impermissibly involve more than the minimum necessary information may qualify as breaches and must be evaluated in the same manner. A covered entity or business associate will have the burden of proof to demonstrate that all notifications were provided or that the impermissible use or disclosure did not constitute a breach and to maintain documentation as necessary to meet this burden of proof.

Since the final rule modifies the definition of a breach, group health plans will need to update their policies and procedures and retrain workforce members as necessary.

Notification Requirements for Business Associates

To the extent possible, the business associate must provide the covered entity with the identity of each individual whose unsecured PHI has, or is reasonably believed to have been, affected by the breach along with any other available information that the covered entity is required to include in its notification to affected individuals (either at the time it provides notice of the breach to the covered entity or promptly thereafter as such information becomes available). A group health plan and its business associate should consider which entity is in the best position to provide any required notice to individuals and ensure that individuals do not receive notifications from both the plan and the business associate about the same breach.

Notifications to Affected Individuals and the Media

The final rule retains the content and timing requirements from the interim final rule for notifications to affected individuals and the media and also offers additional guidance. A covered entity and business associate continue to be required to provide notification of any breach without unreasonable delay and in no case later than 60 days from discovery of the breach. However, notification may be delayed if a law enforcement official states that notification would impede a criminal investigation or cause damage to national security. The covered entity or business associate may delay notification for up to 30 days (or longer if a written statement is provided).

A group health plan will be permitted to send one breach notice addressed to both a plan participant and the participant’s spouse or other dependents under the plan who are affected by the breach, so long as they all reside at the same address and the plan clearly identifies on the notice the individuals to whom the notice applies. A plan may send a notice regarding the breach of a dependent child’s PHI addressed to the plan participant and/or the participant’s spouse living with the dependent child, provided the participant and/or participant’s spouse are the personal representatives of the dependent child and the notice clearly identifies to whom it applies. If the plan participant (and/or spouse) is not the personal representative of the dependent, the plan must address the breach notice to the dependent.

A group health plan can attempt to cure out-of-date contact information for individuals whose notices are returned as undeliverable by the postal service, and thereby avoid having to provide substitute Web or media notice, as long as the plan does so promptly upon receiving the returned notices and within 60 calendar days from discovery of the breach.

HHS clarified that notification to the media does not require a covered entity to incur any costs to print or run media notice about the breach. Further, media outlets are not required to print or run the information provided about the breach. To fulfill the obligation, notification (which may be in the form of a press release) must be provided directly to prominent media outlets serving the applicable state or jurisdiction.

HHS notes that because every breach has an underlying impermissible use or disclosure under the HIPAA privacy rule, OCR has the authority to impose a civil monetary penalty for the underlying violation, even in cases where all required breach notifications were provided.

Notification to the Secretary

The final rule makes one modification with respect to notification to the Secretary. A covered entity will be required to provide notification of all breaches of unsecured PHI affecting fewer than 500 individuals to the Secretary no later than 60 days after the end of the calendar year in which the breaches were "discovered" and not in which the breaches occurred. In response to comments suggesting that covered entities be permitted to submit a log of all smaller breaches to the Secretary instead of submitting each breach individually through the current online form, HHS indicated that it is considering alternate ways to receive the reports.

Individual Access to PHI

The final rule expands an individual’s rights to electronic PHI beyond electronic health records. If a covered entity or business associate maintains PHI electronically in one or more designated record sets, it must provide an individual, upon request, with access to the electronic information and with a copy of such information (or summary or explanation if agreed to by the individual) in the electronic form and format requested by the individual. The final rule provides that if an individual requests a form of electronic copy that is not readily producible, the covered entity or business associate must offer other electronic formats that are available on their systems. If the individual declines to accept any of the electronic formats that are readily producible, a hard copy must be provided as an option to fulfill the access request. Note that if the designated record set contains electronic links to images or other data, the images or other data that are linked to the designated record set must be included in the electronic copy provided to the individual.

Providing PHI directly to a Third Party

If requested by the individual, a covered entity must transmit the copy of PHI directly to another person designated by the individual. Any such request must be in writing, signed by the individual and must clearly identify the designated person and where to send the copy of the PHI. A group health plan may rely on this written information when providing PHI to the third-party recipient identified by the individual, but the plan must also have reasonable policies and procedures in place to verify the identity of any person who requests PHI.

Distribution of PHI via e-mail

If the individual has requested that PHI be provided via e-mail, a group health plan is permitted to send the information in an unencrypted e-mail if it has notified the individual that there may be some level of risk that the information in the e-mail could be read by a third party and the individual continues to prefer the unencrypted e-mail. The plan will not be responsible for any unauthorized access of the PHI while in transmission to the individual or for safeguarding the information once delivered to the individual.

Timing Requirements

The final rule modifies the timeframe for a covered entity to respond to an individual’s request to access and/or obtain a copy of PHI by eliminating the 30-day extension for PHI that is not maintained or accessible on-site. Rather, a covered entity will have 30 days to provide access to or a copy of the requested PHI with a one-time 30-day extension available if the individual is notified of the need for the extension within the original timeframe. HHS confirmed that the time period for responding to a request for access begins on the date of the request (regardless of the amount of time spent reaching an agreement on the electronic format for the response).

Imposition of Fees

A covered entity may impose a fee for a copy of PHI (or a summary or explanation of such information), but it must be reasonable and cost-based. Any such fee may only include the cost of (i) supplies for, and labor of, copying the PHI, (ii) the postage associated with mailing the PHI and (iii) the preparation of an explanation or summary of the PHI. However, in the case of PHI from an electronic health record in electronic form, the covered entity may not charge more than its labor costs. HHS clarified that labor costs can include compiling, extracting, scanning and burning PHI to media, skilled technical staff time spent to create and copy the electronic file, and distributing the media. However, in deviation from the interim final rule, a covered entity cannot include the labor costs associated with retrieval of the electronic PHI. A fee can be imposed for the preparation of an affidavit requested by an individual to accompany the PHI, which is not subject to the cost-based fee limitation.

Protected Health Information

Deceased Individuals

The definition of PHI is revised to exclude any individually identifiable health information of persons who have been deceased for more than 50 years. However, this 50-year period does not override any state or other law providing greater protection. Under the final rule a covered entity is permitted to disclose a decedent’s PHI to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity. HHS clarifies that such disclosures are permitted but not required. Therefore, a plan that questions the relationship to the decedent or otherwise believes, based on the circumstances, that disclosure of the decedent’s PHI would not be appropriate, is not required to make the disclosure.

Genetic Information

In accordance with the Genetic Information Nondiscrimination Act of 2008 (GINA), the final rule also modifies the definition of "health information" to include genetic information and prohibits the use or disclosure of PHI that is genetic information for underwriting purposes. Definitions for "family member," "genetic information," "genetic services," "genetic test," and "manifestation or manifested" are also incorporated. HHS clarifies that medical tests that do not detect genotypes, mutations or chromosomal changes are not genetic tests.

Restrictions on Disclosure of PHI

The interim final rule required a covered entity to agree to a request by an individual to restrict the disclosure of PHI to a health plan if the disclosure is for the purposes of carrying out payment or health care operations and is not otherwise required by law and the PHI pertains solely to a health care item or service for which the individual (or person on behalf of the individual, other than the health plan) has paid out-of-pocket in full. HHS has clarified under the final rule that this requirement applies only to covered entities that are covered health care providers. Accordingly, any reference to such right in a plan’s notice of privacy practices should be removed to avoid confusion.

Marketing

Under the interim final rule, treatment communications about health-related products or services, case management or alternative treatments did not constitute marketing (even if financial remuneration is received) if certain notice and opt-out conditions were met. However, the final rule requires an authorization for all treatment and health care operations communications if the covered entity receives financial remuneration for making the communications from a third-party whose product or service is being marketed. Exceptions under the interim final rule for the following communications continue to apply:

  • face-to-face communications;
  • promotional gifts of nominal value;
  • communications promoting health in general and not promoting a product or service from a particular provider;
  • communications about government and government-sponsored programs; and
  • communications about a drug or biologic currently being prescribed and drug refill reminders.

Note that the proposal requiring a notice of privacy practices to include a statement regarding the possibility of an individual’s receipt of treatment communications was not adopted in the final rule.

Sale of PHI

A sale of PHI generally is prohibited in the absence of an individual’s authorization that states whether the PHI can be further exchanged for remuneration by the entity receiving the information. The final rule defines a sale of PHI as a disclosure of PHI by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI. A sale is not intended to be limited to those transactions where there is a transfer of ownership of PHI and the prohibition applies to the receipt of non-financial as well as financial benefits. However, the following will not fall within the scope of a sale of PHI: (i) payment to a covered entity in the form of a grant, contract or other arrangement to perform programs or activities (such as a research study), (ii) receipt of a grant or funding from a government agency to conduct a program, and (iii) exchange of PHI through a health information exchange (HIE) that is paid for through fees assessed on HIE participants.

Exceptions to Required Authorizations

An individual’s authorization is not required where the purpose of the exchange is for (i) public health activities, (ii) research purposes (provided the price charged for the information reflects the cost of preparation and transmittal of the data), (iii) treatment of the individual or for payment for health care, (iv) the sale, transfer, merger or consolidation of all or part of a covered entity and for related diligence, (v) services rendered by a business associate pursuant to a business associate agreement and at the specific request of the covered entity, (vi) providing an individual with access to his or her PHI or an accounting of disclosures and (vii) other purposes permitted by the HIPAA privacy rule (provided the only remuneration received is a reasonable, cost-based fee to cover the costs to prepare and transmit the PHI or the fee is otherwise expressly permitted by other law).

Future Disclosures for Remuneration

If a covered entity or business associate that receives PHI in exchange for remuneration wishes to further disclose that information, an authorization must be obtained unless it is sufficiently clear to the individual in the original authorization that the recipient covered entity or business associate will further disclose the individual’s PHI in exchange for remuneration. If the recipient of the information is another covered entity or business associate, such recipient cannot redisclose the PHI in exchange for remuneration unless a valid authorization is obtained.

The final rule also addresses the uses and disclosures of PHI for fundraising and the use of combined authorizations for research activities, which are not discussed in this client alert due to their unlikely application to a group health plan.

Increased Civil Penalties

The final rule modified the tiered penalty structure set forth in the interim final rule; the penalty table accompanying this alert is not reproduced in this text.

For penalty assessment purposes, "reasonable cause" is defined as an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated HIPAA but in which the covered entity or business associate did not act with willful neglect.

Liability for Actions of Agents

The final rule also provides that both covered entities and business associates can be liable for civil penalties based on the actions of their agents. The essential factor in determining whether an agency relationship exists between a plan and a business associate is the right or the authority of the plan to control the business associate’s conduct in the course of performing services on behalf of the plan. This right to control is also the essential factor in determining whether an agency relationship exists between a business associate and a subcontractor.