The final rule under the Health Information Technology for Economic and Clinical Health (HITECH) Act was published January 25, 2013. The HITECH Act made a number of significant changes to the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The final rule implements many of those changes.
Breach Notification
The final rule broadens the definition of "breach" of unsecured protected health information (PHI), resulting in more circumstances in which covered entities and business associates must give notice of a breach.
The HITECH Act defines a "breach" as the unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information. The interim final rule required covered entities and business associates to perform a risk assessment and required notification only if the incident resulted in a significant risk of financial, reputational or other harm to the individual.
The final rule replaces the harm standard of the interim final rule with a presumption that any use or disclosure of PHI not permitted by HIPAA is a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised. This determination must be based on a risk assessment that considers at least the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
It is likely that more unauthorized uses and disclosures of PHI will need to be reported to the affected individuals and the Office for Civil Rights (OCR) under the final rule.
The final rule also eliminates a provision in the interim final rule that exempted improper uses or disclosures of a limited data set from the breach notification requirements unless the limited data set included birthdates or zip codes. The preamble notes that, in most cases, upon consideration of the four risk assessment factors in the final rule "the result would be the same ... as under the interim final rule with respect to whether an impermissible use or disclosure of a limited data set that also excludes dates of birth and zip codes constitutes a breach for which notification is required." Nevertheless, covered entities and business associates will have to evaluate these situations on a case-by-case basis.
Business Associates
Some of the most significant changes included in the final rule impact business associates, the organizations that use and disclose PHI to provide administrative services to covered entities.
The final rule imposes on business associates the obligation to enter into and follow business associate agreements with each covered entity. Business associates may use and disclose PHI only as permitted or required by their business associate contracts or as required by law. It will be important to ensure that business associate agreements describe all the contemplated uses and disclosures of PHI by the business associate.
The final rule also makes business associates subject to certain provisions of the HIPAA security rule. As a result, business associates must ensure they comply with the Security Rule standards addressing administrative, physical and technical safeguards to protect electronic PHI.
The final rule expands the reach of HIPAA's business associate requirements by broadening the definition of a business associate to include persons receiving protected health information from a business associate to perform legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services. This extension of the definition of a business associate to include subcontractors drew significant negative comments, but was nevertheless adopted. The final rule does not require covered entities to enter into business associate agreements with their business associate's subcontractors, but the business associate will need such an agreement with each subcontractor.
Access to Electronic Protected Health Information
Under the final rule, if a covered entity maintains PHI electronically and an individual requests his or her PHI in electronic format, the covered entity or business associate must provide the PHI in the electronic format requested by the individual if the PHI is "readily producible" in that format, or, if not, in a different electronic format agreed to by the covered entity and the individual. If the covered entity provides a patient with electronic access to PHI, the rule allows the covered entity to charge only the costs of labor and supplies associated with fulfilling the request.
Requests for Restrictions
The HITECH Act required that when a patient requests a restriction on disclosure of his or her PHI, the covered entity must agree to the requested restriction if it pertains to disclosures of PHI to a health plan for the purpose of carrying out payment or health care operations and if the restriction applies to PHI that pertains solely to a health care item or service for which the provider has been paid out of pocket in full. This was a change from previous privacy rule provisions that said a covered entity was not required to agree to requested restrictions. To implement this change, HHS has added conforming language to the HIPAA privacy rule.
Marketing
Under HITECH, certain communications to encourage the use of a product or service that were previously excluded from the definition of marketing are treated as marketing communications (and therefore subject to an authorization requirement) if the covered entity receives remuneration for making them. Covered entities may provide refill reminders without authorization, even if they receive financial remuneration, as long as the remuneration is reasonably related to the cost of making them. Communications for treatment, to provide health-related products or services offered by the covered entity, or for case management and care coordination, are also permitted without authorization as long as the covered entity has not received payment for making them.
Sales of PHI
The HITECH Act barred certain sales of protected health information without express authorization. To implement this, the final rule requires covered entities to get authorizations for any disclosure of PHI in exchange for direct or indirect remuneration unless an exception applies. The authorization must state expressly that the covered entity will receive remuneration for the communication. There are numerous exceptions, including for public health activities, treatment and payment, sales of a covered entity, business associate arrangements, providing information to individuals such as accountings, disclosures required by law and disclosures otherwise permitted by HIPAA.
Fundraising
Under HITECH, covered entities that use individuals' names and treatment dates to raise funds are required to provide a clear and conspicuous opportunity to opt out of future fundraising communications. The final rule requires each fundraising communication made to the individual to include notice of the opportunity to opt out. The method for the individual to opt out may not cause the individual to incur an undue burden or more than a nominal cost. The covered entity may not condition treatment or payment on the individual's choice about receiving fundraising communications.
Notice of Privacy Practices (NPP)
The final rule requires covered entities to modify their NPPs to advise affected individuals of several now-strengthened privacy protections, including: (1) new authorization requirements for sales of PHI, marketing and psychotherapy notes; (2) the right of an individual to restrict disclosures of PHI to a health plan for health care for which the individual has paid out of pocket; (3) the duty of a covered entity to provide notice of a breach of unsecured PHI; and (4) the right to opt out of fundraising communications. In one of the more entertaining parts of the final rule, HHS estimates that each health care provider can read, understand and assimilate these changes into a newly drafted and printed NPP in approximately 20 minutes at a cost of $28 per provider.
Research
The final rule implements changes requested by industry to provide more flexibility for researchers. Specifically, the final rule permits the use of a compound authorization that covers the use and disclosure of PHI for a research study as well as any other type of written permission for the same or another research study. For example, a covered entity could combine authorization for a study, the creation of a research database and consent for study participation in a single document. If the provider is conditioning the provision of research-related treatment on an authorization, a compound authorization must differentiate between conditioned and non-conditioned components.
Genetic Information
HHS has implemented three provisions of the Genetic Information Nondiscrimination Act of 2008 (GINA), which generally prohibits using genetic information to underwrite insurance. Specifically, the final rule:
- Explicitly provides that genetic information is health information for purposes of the Privacy Rule.
- Prohibits all health plans covered by the HIPAA Privacy Rule other than long-term care plans from using or disclosing PHI that is genetic information for underwriting purposes.
- Requires health plans that perform underwriting to state in their Notice of Privacy Practices that the plan is prohibited from using or disclosing genetic information for such underwriting purposes.
Student Immunization Records
Parents who need to prove that their children have received certain immunizations will have an easier time getting the necessary information provided to their child's school. If the parent agrees orally or in writing, a covered entity may disclose immunization data to a school. A HIPAA-compliant authorization will no longer be needed.
Matters Not Addressed
The final rule does not address the new requirements for accountings of disclosures for treatment, payment and health care operations from an electronic health record, the minimum necessary standard, the distribution of penalties to affected individuals or enforcement by state attorneys general.
Enforcement
The Secretary of HHS must now conduct a compliance review whenever a preliminary review of the facts indicates a possible violation by a covered entity or business associate due to willful neglect. Previously, there were no circumstances in which a compliance review was mandated. More generally, the final rule extends the enforcement provisions of HIPAA to business associates.
If a HIPAA violation is caused by more than one covered entity or business associate, the Secretary may impose a civil money penalty against each covered entity or business associate. Members of an affiliated covered entity are jointly and severally liable for penalties. Covered entities are also liable for penalties based on the acts or omissions of an agent, including a business associate.
The Secretary may consider a number of factors in assessing penalties, including the number of individuals affected, the time period in which the violation occurred, the nature and extent of the harm, prior compliance with HIPAA, the covered entity or business associate's response to technical assistance from the Secretary, past responses to complaints, the financial condition of the entity, the size of the entity, and other matters as justice requires.
Effective and Compliance Dates
Recognizing that covered entities and business associates will need time to come into compliance with the final rule, HHS has stated that for most provisions, covered entities and business associates will have 180 days after the publication of the final rule (until September 25, 2013) to comply. In addition, HHS provided an additional one-year transition period to modify certain business associate agreements. These provisions allow covered entities, business associates and subcontractors to continue to operate under existing business associate agreements for up to one year beyond the compliance date of the final rule if the parties had an agreement in place on or before January 25, 2013, that complied with then-applicable law, and the contract is not renewed or modified between the effective date and the compliance date of the modifications in the final rule.