On January 25, 2013, the Department of Health and Human Services ("HHS") issued a major overhaul of the HIPAA rules that will require covered entities, including health plans and their business associates, to make significant changes to their policies and procedures, Notice of Privacy Practices and business associate agreements, as applicable. With a September 23, 2013, compliance deadline, health plans and business associates must quickly understand how the final rules modify the HIPAA Privacy and Security Rules and implement the amendments made by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act" or the "Act") and the Genetic Information Nondiscrimination Act of 2008 ("GINA"), and make the changes accordingly.
Changes to the Breach Notification Requirement
In 2009, the HITECH Act amended HIPAA to require covered entities to notify affected individuals, HHS and the media, as applicable, if unsecured protected health information ("PHI") is breached. "Unsecured PHI" is PHI that has NOT been encrypted or destroyed in accordance with the guidelines issued by the National Institute of Standards and Technology ("NIST") (i.e., the only technologies and methodologies designated by HHS for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals). Any PHI that has not been encrypted or destroyed in accordance with these standards is considered "unsecured" and is subject to the breach notification requirement.
Shift Away from Harm Standard
The HITECH Act defines a breach as an impermissible use or disclosure of unsecured PHI that compromises the security or privacy of the PHI. Under the interim final rules, PHI is considered compromised if the violation poses a significant risk of financial, reputational, or other harm to the individual whose PHI was impermissibly used or disclosed. Thus, under the interim final rules an impermissible use or disclosure will not constitute a breach unless the risk of harm to the individual has first been assessed.
The final rules set a new standard for determining whether breach notification is required. Under the final rules, an impermissible use or disclosure of unsecured PHI (including PHI in a limited data set) will be presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised. This means that an entity may choose to conduct a risk assessment to determine whether notification is even necessary, or simply provide the notification. If an entity opts to perform the risk assessment, the focus of the assessment is no longer on the risk of harm to the affected individual(s). Rather, the entity must consider at least the following factors, in combination, to evaluate the overall probability that the PHI has been compromised:
What is the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification?
- Is it sensitive PHI that would allow the unauthorized recipient to use it in a manner that is adverse to the individual or would further the recipient’s own interests (for example, a credit card number, Social Security Number, or other information that increases the risk of identity theft or financial fraud, or clinical information like test results)?
- Who was the unauthorized person who used the PHI or to whom the disclosure was made? Was the unauthorized person already obligated to protect the privacy and security of the PHI?
- Was the PHI actually acquired or viewed? Or, did an opportunity exist for the PHI to be acquired or viewed? For example, if a laptop was stolen, can a forensic analysis show if its information was accessed?
- Was the risk to the PHI mitigated? Did the entity obtain the recipient’s satisfactory reassurances that the PHI will be destroyed or not further used or disclosed (through a confidentiality agreement or similar means)?
If an entity conducts a risk assessment, it must be documented, thorough, completed in good faith, and its conclusions must be reasonable. If an entity’s evaluation of the above factors fails to demonstrate that there is a low probability that the PHI has been compromised, breach notification must be provided. In any event, the covered entity has the burden of demonstrating that all appropriate notifications have been provided or not provided, as applicable.
Business Associates and Expansion of BAA Requirements to Agents and Subcontractors
With the enactment of the HITECH Act, provisions of the Security Rule and the Privacy Rule became directly applicable to business associates in the same way that they apply to covered entities. The Act requires business associates to comply with the terms of their business associate agreements ("BAAs"). The final rules further confirm that business associates are directly subject to the same Security Rule requirements as covered entities — that is, they must perform as needed risk assessments, implement appropriate administrative, physical, and technical safeguards, adopt policies and procedures, and document the same accordingly.
Agents and Subcontractors Are Business Associates, Too
It is of significance that the final rules now consider a business associate’s agents or subcontractors to be business associates in their own right (for example, a document shredding company that has been engaged to destroy claim files by a business associate that performs third party administration for a self-funded health plan). The rules require the business associate, not the covered entity, to enter into a business associate agreement ("BAA") with any agent or subcontractor that creates, receives, maintains or transmits PHI on behalf of the business associate. If the agent or subcontractor, in turn, delegates a function, activity or service involving PHI to another agent or subcontractor, the agent or subcontractor must enter into a BAA with that entity, and so on with respect to any other downstream agent or subcontractor to whom a function, activity or service has been delegated involving PHI. Previously, business associates were only required to ensure that their agents or subcontractors agreed to the same restrictions that applied to the business associate with respect to the PHI they received from the health plan.
Covered Entities and Business Associates Are Now Liable for Acts of Agents
Currently under HIPAA, penalties may not be imposed on a covered entity for the acts of a business associates if a BAA is in place and the covered entity was unaware of a pattern or practice of the business associate that violated HIPAA or, if it knew, took action to end the violation or cure the breach. The final rules eliminate this exemption from liability and adopt the federal common law of agency. This means that a covered entity or business associate (i.e., the "principal") will be held liable for the actions of any agent who acts within the scope of agency. For example, if the business associate or agent fails to carry out a delegated function, HHS may penalize the covered entity for the business associate’s failure (for example, if the business associate fails to distribute the covered entity’s Notice of Privacy Practices or a required breach notification). Under federal common law, an entity is an "agent" if, based on the totality of the circumstances involved in the ongoing relationship between the parties, the covered entity or business associate, as applicable, controls or has the authority to control the services provided by the entity.
New Required Content for BAAs
To facilitate compliance with the HITECH Act and the final rules, BAAs must be drafted to include the following additional provisions:
- The business associate’s obligation to comply with the Security Rule’s standards and implementation specifications
- If the business associate has been delegated a covered entity’s obligation under the Privacy Rule, the business associate’s obligation to comply with the Privacy Rule’s requirements that apply to the covered entity in the performance of that function
- The business associate’s obligation to provide PHI when required by the Secretary of HHS to facilitate the Secretary’s investigation of the business associate and its compliance with HIPAA
- The business associate’s obligation to disclose PHI as necessary to satisfy an individual’s request for an electronic copy of PHI (note: this is a new right, see below under "Other Changes to the Privacy Rule")
- The business associate’s obligation to notify the covered entity of any security incident or breach of unsecured PHI
- The business associate’s obligation to enter into a BAA with appropriate agents and subcontractors
- An agent’s or subcontractor’s obligation to notify the business associate of any security incident or breach of unsecured PHI
Covered entities and business associates must have compliant BAAs for business associates, agents and subcontractors in place by September 23, 2013. However, for BAAs that were in place as of January 25, 2013, and are not renewed or modified between March 26, 2013, and September 23, 2013, entities have until the earlier of the date the BAA is renewed or modified, or September 22, 2014, to amend the BAA. During this transition period, the business associates must comply with the final rules.
Other Changes to the Privacy Rule
The final rules also include the following provisions that implement changes made by the HITECH Act:
- Right to Request a Restriction of Uses and Disclosures
Unless the disclosure is otherwise required by law, a covered entity (generally a health care provider) must agree to an individual’s request to restrict the disclosure of his or her PHI to a health plan for any payment or health care operations purpose that relates to a health care item or service that has been paid for in full out-of-pocket by the individual or a third party on the individual’s behalf.
- Right to Request an Electronic Copy of PHI
The final rules state that covered entities that maintain PHI in an electronic designated record set must provide requesting individuals (or their designees) with a copy of the information in the electronic form and format requested by the individual if it is readily producible or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual (e.g., machine readable copy in the format of MS Word, or Excel, text, HTML, or text-based PDF, etc.). The covered entity may charge a fee for responding to such requests, but no more than the entity’s labor costs in responding to the request. We note that the prior rules limited the right to electronic health records only.
- Information about Decedents
The final rules state that to the extent such information is maintained by a covered entity or business associate, the Privacy Rule ceases to apply to the PHI of a decedent 50 years following his or her death. The final rules also state that a covered entity or business associate may disclose a decedent’s PHI (other than information about past, unrelated medical problems) to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so would be inconsistent with any prior expressed preference of the individual that is known to the covered entity.
The final rules state that a covered entity or business associate must obtain an authorization prior to:
- The sale of any PHI (i.e., any disclosure of PHI for which the covered entity or business associate, as applicable, will receive direct or indirect remuneration). The rules list a number of disclosures that would not constitute a "sale," such as a disclosure in connection with a payment or treatment activity, any disclosure that is required by law and any disclosure to a business associate for which the only remuneration is for the services provided.
Any use or disclosure of PHI for "marketing." "Marketing" is now defined as a communication about a product or service that encourages recipients to purchase or use the product or service for which the covered entity or business associate receives remuneration from a third party whose product or service is being marketed. The final rules clarify that communications about the following treatment and health care operations activities do not constitute "marketing" and will not trigger the authorization requirement:
- Refill reminders (reasonable remuneration related to the covered entity’s cost of making the communication permitted)
- Care coordination (no remuneration permitted)
- Alternative treatments (no remuneration permitted)
- Plan benefits (no remuneration permitted)
- Health-related products or services available to a health plan enrollee that add value to, but are not part of the plan (no remuneration permitted)
Changes to Notice of Privacy Practices
In light of the substantive changes to HIPAA, the final rules also require covered entities to amend their respective Notice of Privacy Practices to include the following additional provisions:
- If the covered entity engages in fundraising, a statement regarding the entity’s fundraising activities and the right to opt out of receiving further fundraising communications
A statement that the following uses and disclosures of PHI require an authorization:
- Most uses and disclosures of psychotherapy notes
- Any use or disclosure for marketing purposes
- Any use or disclosure that constitutes a sale of PHI
- Any other use or disclosure not described in the Notice of Privacy Practices
- In accordance with the Genetic Information Nondiscrimination Act of 2008 ("GINA"), for health plans that perform underwriting, a statement that the plan is prohibited from using or disclosing PHI for such purposes (note: the final rules state that all plans other than long-term care plans, including those that are not subject to GINA, may not use or disclose genetic information for underwriting purposes)
- A simple statement regarding the right to be notified following a breach of unsecured PHI
- For covered entities that are health care providers, a statement regarding the individual right to restrict certain disclosures of PHI to a health plan where the individual pays for the health care item or service in full, out-of-pocket
Finding that the above referenced content requirements will represent material changes to the Notice of Privacy Practices, the final rules require covered entities to distribute their revised Notices within 60 days after the September 23, 2013, compliance deadline. If a health plan posts the Notice on its website, it may post the revised Notice by the effective date of the material change (i.e., September 23, 2013) and then provide the revised Notice, or information about how to obtain it, in the next annual mailing to individuals who are covered by the plan (for example, during the open enrollment period). If a health plan does not have a customer service web site, it must mail the revised Notice to individuals covered by the plan within 60 days of the material revision (i.e., 60 days after September 23, 2013). Lastly, the preamble notes that if a covered entity is subject to Title VI of the Civil Rights Act of 1964 (i.e., a government agency that receives federal funds), the covered entity must take reasonable steps to ensure meaningful access for "limited English proficient" persons. This may require the agency to translate the Notice into other languages.
Strengthened Enforcement and Increased Liability
To help ensure compliance, the final rules also strengthen HHS’s enforcement rights:
- HHS is required to investigate any complaint filed against a covered entity or business associate when a preliminary review of the facts indicates a possible violation of HIPAA due to willful neglect. The Secretary of HHS will continue to have discretion to investigate any other complaints.
HHS is required to conduct a compliance review of a covered entity or a business associate to determine whether it is complying with the applicable administrative simplification provision when a preliminary review of the facts indicates a possible violation due to willful neglect. The Secretary of HHS will have discretion to conduct compliance reviews in circumstances not indicating willful neglect.
- The preamble notes that HHS generally conducts compliance reviews to investigate alleged violations that are brought to its attention through a mechanism other than a complaint (e.g., through a media report, or from a State or another federal agency).
- While the Secretary of HHS has the discretion to resolve investigations or compliance reviews by informal means, the Secretary also has the discretion to move directly to a civil monetary penalty without exhausting informal resolution efforts, particularly in cases involving willful neglect violations.
- To facilitate cooperation between HHS and other law enforcement agencies (e.g., a State Attorney General or the FTC), the Secretary of HHS may disclose any PHI obtained in connection with an investigation or compliance review if permitted under the Privacy Act.
Implementing the penalty structure provided by the HITECH Act, the final rules set forth the following factors that the Secretary may consider when imposing a penalty on a covered entity or a business associate:
- The entity’s financial condition
- The nature and extent of violation (for example, the time period during which violation occurred and the number of individuals affected)
- The nature and extent of harm resulting from the violation (was any reputational harm suffered by the affected individuals - any adverse effect on employment, standing in the community, or personal relationships?)
- History of prior compliance or non-compliance, including prior violations gleaned from previous investigations by HHS)
- Such other matters as justice may require
The above referenced enforcement provisions are effective now.
Given the impending September 23, 2013, compliance deadline, it is critical for health plans and their business associates to understand the final rules, quickly review and revise their policies and procedures, BAAs and Notice of Privacy Practices, as applicable, implement required changes, and provide appropriate training to all applicable employees and other workforce members. If you have any questions or would like assistance in understanding how the final rules affect you, contact the author of this article, or the Trucker Huss attorney with whom you normally work.