HIPAA Expands:
Proposed Rules Extend Scope of Healthcare Privacy Regulations
The federal government's recently issued proposed amendments to the Health Insurance Portability and Accountability Act ("HIPAA") significantly increase the burden of HIPAA compliance, and the consequences of non-compliance, for both Covered Entities and Business Associates.[1] Among other changes, these proposals clarify the standards for assessing penalties for HIPAA violations, mandate revisions to Business Associate Agreements and Notices of Privacy Practices, and expand HIPAA's regulatory reach beyond the traditional healthcare context.
The U.S. Department of Health and Human Services, Office for Civil Rights ("OCR"), issued the Proposed Rules on July 14, 2010 to implement the changes to HIPAA's regulatory structure mandated by the 2009 HITECH Act. OCR proposes to amend specific provisions of the HIPAA Privacy, Security and Enforcement Rules, but does not indicate a publication date or effective date for a Final Rule.
Impact on Business Associates
Prior to the HITECH Act, Business Associates were subject only to the contractual requirements of their Business Associate Agreements. The HITECH Act and the Proposed Rules directly regulate Business Associates by applying the HIPAA Security Rule and parts of the Privacy Rule to such entities. The Proposed Rules also impose new contractual obligations on Business Associates and expand liability for violations of those contracts. These regulatory changes complete the expansion of HIPAA's reach from a relatively small group of Covered Entities to all Business Associates.
Changes to Definition of Business Associate
Prior to the HITECH Act, HIPAA regulations did not directly govern Business Associates or their subcontractors; their obligations were found only in contracts. The Privacy Rule also did not require written Business Associate Agreements between Business Associates and their subcontractors. The Proposed Rules significantly change this dynamic by expanding the definition of Business Associate to include "downstream" entities that work at the direction of, or on behalf of, a Business Associate and handle protected health information ("PHI"). Accordingly, such downstream entities would be subject to the applicable provisions of the Security and Privacy Rules and to the penalties for violating those Rules. Business Associates will need to execute a Business Associate Agreement with each of their direct subcontractors: for example, a Business Associate ("BA 1") would enter into a Business Associate Agreement with its subcontractor ("BA 2"), which in turn would enter into a Business Associate Agreement with its own subcontractor ("BA 3"). A Covered Entity would not have to enter into Business Associate Agreements with all downstream Business Associates (i.e., the subcontractors); its contractual relationship remains with BA 1 only.
Additionally, the Proposed Rules expand the definition of Business Associates to include:
- Patient Safety Organizations performing functions for a Covered Entity under the Patient Safety and Quality Improvement Act;
- Organizations such as Health Information Exchange Organizations, E-Prescribing Gateways, and Regional Health Information Exchanges that provide data transmission of PHI to a Covered Entity or its Business Associate and that require routine access to the PHI; and
- Vendors that contract with Covered Entities to allow the Covered Entity to offer a personal health record to patients as part of the Covered Entity's electronic health record.
Limits on Business Associates' Use and Disclosure of PHI
The Proposed Rules provide that a Business Associate (like a Covered Entity) cannot use or disclose PHI except as permitted by the Privacy Rule or required by the Enforcement Rule. The Proposed Rules further amend the Privacy Rule to permit Business Associates to use or disclose PHI only as permitted or required by their Business Associate Agreement (with certain existing exceptions for the Business Associate's own management, administration and legal responsibilities). Therefore, under the Proposed Rules a Business Associate's use or disclosure of PHI without a Business Associate Agreement (unless required by law) is a direct Privacy Rule violation. OCR notes that a Business Associate that fails to execute a Business Associate Agreement "may use or disclose protected health information . . . to perform its obligations for the covered entity" pursuant to the underlying service agreement between the parties or as required by law. However, such action would violate both the existing Privacy Rule and the Proposed Rules.
The Proposed Rules require a Business Associate to disclose PHI to the Secretary of HHS for compliance purposes (for example, to determine the Business Associate's compliance with its applicable Privacy Rule obligations), and to disclose PHI to a Covered Entity, individual or individual's designee as needed to satisfy an individual's request for an electronic copy of PHI.
The Proposed Rules also clarify that the minimum necessary standard applies to a Business Associate's uses and disclosures of PHI. A use or disclosure that does not limit PHI to the minimum necessary to accomplish its purpose is not permitted.
Amendments to Business Associate Agreements
The Proposed Rules mandate specific revisions to Business Associate Agreements and alter the underlying relationships in ways that make revisions to discretionary provisions of such contracts advisable as well. Depending on the services to be provided by a Business Associate, Covered Entities may also consider revising Business Associate Agreements to reflect the enhanced obligations mandated by the HITECH Act. For example, parties to Business Associate Agreements may consider incorporating their respective obligations and responsibilities under the HIPAA Breach Notification Rules.
- The Proposed Rules remove the Covered Entity's obligation to report a Business Associate's noncompliance with a Business Associate Agreement if termination of the Agreement is not feasible. OCR concludes that other mechanisms, such as the breach notification obligations, will provide notice of noncompliance.
- The Privacy Rule currently requires a Covered Entity that becomes aware of a Business Associate's material breach of a Business Associate Agreement to take reasonable steps to cure the breach or, failing that, terminate the Agreement. The Proposed Rules extend that obligation so that a Business Associate must act in the same manner when it becomes aware of a subcontractor's material breach of the subcontractor's Business Associate Agreement.
The Proposed Rules specifically require Business Associate Agreements to:
- Note a Business Associate's obligation to use appropriate safeguards and comply with applicable provisions of the Security Rule with regard to electronic PHI.
- Provide that the Business Associate will report breaches of unsecured PHI to Covered Entities as required by the HIPAA Breach Notification Requirements.
- Require that subcontractors that create or receive PHI on behalf of the Business Associate agree to the same restrictions and conditions that apply to the Business Associate.
- Require the Business Associate to comply with the requirements of the Privacy Rule that apply to the Covered Entity, to the extent the Business Associate carries out a Covered Entity's obligation under the Business Associate Agreement. This provision clarifies that a Business Associate is contractually liable for all other requirements of the Privacy Rule to the extent applicable in performance of the Business Associate's contract.
Deadline to Amend Business Associate Agreements
The Proposed Rules do not mandate immediate revisions to Business Associate Agreements. Agreements that comply with existing Privacy Rule requirements and are not renewed or modified between 60 and 240 days after publication of the Final Rule will qualify for a transition period during which the existing Agreement is deemed compliant with the Final Rule's requirements for such Agreements. Business Associate Agreements that qualify for this extension are deemed compliant until 18 months after the effective date of the Final Rule. As noted above, the Proposed Rules do not indicate a publication date or effective date for a Final Rule.
Business Associate Agreements that are modified within 60 days after the Final Rule's publication, or more than 240 days after publication, must satisfy the Final Rule's requirements for Business Associate Agreements at the time of modification. An automatic rollover of an "evergreen contract" is not considered a modification that would preclude the extension.
Since the compliance extension applies only to existing Business Associate Agreements that satisfy the current Privacy Rule requirements for such Agreements, both Covered Entities and Business Associates should review their contracts to ensure they qualify for the extension.
Covered Entities and Business Associates would need to comply with the enhanced obligations and requirements as of the Final Rule's compliance date, even if their Business Associate Agreements have yet to be updated. To avoid inconsistency between the new HIPAA requirements and the provisions of a Business Associate Agreement, parties should consider revising their Agreements at the earliest opportunity.
Amendments to Notice of Privacy Practices
OCR proposes to require that a Covered Entity's Notice of Privacy Practices ("NPP") include:
- A statement describing the uses and disclosures of PHI that require patient authorization, and stating that any other uses and disclosures not described in the NPP will require the individual's authorization;
- An indication that most uses and disclosures of psychotherapy notes, or for marketing purposes, require an authorization;
- A notification that individuals have an opportunity to opt out of receiving communications concerning (i) treatment alternatives or other health-related products or services where the healthcare provider receives remuneration in exchange for making the communication and (ii) fund raising for the Covered Entity; and
- A statement that reflects a Covered Entity's obligation to honor certain patient requests for restrictions on use and disclosure of their PHI.
Additionally, OCR requests comment on whether a statement regarding compliance with the HIPAA Breach Notification Rule should be included in the NPP.
Penalty and Enforcement Provisions
The HITECH Act imposes direct liability on Business Associates for violations of certain Privacy Rule and Security Rule provisions, including the HIPAA Breach Notification Rules. Notably, under the HITECH Act the government can directly penalize a Business Associate for violating its Business Associate Agreement. The Proposed Rules clarify and elaborate the levels of culpability and state of mind for which escalating levels of penalties may be assessed, as first set out in the interim final HIPAA Enforcement Rule (issued October 30, 2009). The ranges apply to both Covered Entities and Business Associates:
| Violation – State of Mind       | Penalty Range per Violation | Maximum for all such violations of an identical provision in a calendar year |
|--------------------------------|-----------------------------|------------------------------------------------------------------------------|
| Did Not Know                   | $100 – $50,000              | $1,500,000                                                                   |
| Reasonable Cause               | $1,000 – $50,000            | $1,500,000                                                                   |
| Willful Neglect – Corrected    | $10,000 – $50,000           | $1,500,000                                                                   |
| Willful Neglect – Not Corrected | $50,000                     | $1,500,000                                                                   |
In a change from the current regulation, the Proposed Rules provide that a Covered Entity would remain liable for the acts of its Business Associate agents regardless of whether the Covered Entity has a compliant Business Associate Agreement in place. OCR advises that this change is necessary to ensure that the Covered Entity is responsible when its Business Associate agent fails to perform an obligation on the Covered Entity's behalf that the HIPAA Rules require. Covered Entities would not be liable for the acts of Business Associates that are not agents (such as independent contractors).
Privacy Provisions
Marketing Communications
The current HIPAA Privacy Rule requires an authorization for communications made for "marketing" purposes. Marketing is defined as a communication about a product or service that encourages the recipient to purchase or use the product or service. This includes communications about the Covered Entity's own products or services, and disclosures of PHI to third parties in exchange for direct or indirect remuneration so that the third parties can make communications about their own products or services. The following communications are excluded from the definition of marketing:
- Communications made to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the Covered Entity making the communication, including communications about:
- The entities participating in a healthcare provider network or health plan network;
- Replacement of, or enhancements to, a health plan; and
- Health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits.
- For treatment; and
- For case management or care coordination, or to directly recommend alternative treatments, therapies, healthcare providers or settings of care to the individual.
If the Covered Entity receives direct or indirect remuneration from a third party in connection with either of the patient care exceptions, such communications must be limited to drugs or biologics currently prescribed for the individual. Face-to-face communications and promotional gifts of nominal value are also permitted under the current Privacy Rule without an authorization.
The Proposed Rules expand the marketing exceptions for patient care related communications, subject to certain requirements. As an initial matter, OCR clarifies that any direct or indirect payment for the treatment of an individual is not "financial remuneration" for purposes of the marketing rules. "Financial remuneration" is defined as direct or indirect payment from (or on behalf of) a third party whose product or service is being described in the communication. Any financial remuneration the Covered Entity receives from the third party for the communication must also be reasonable in amount.
OCR also proposes to revise the three exceptions to the definition of marketing:
- Expanded Treatment Communications. The Proposed Rules exclude from the definition of marketing communications about health-related products or services; communications for case management or care coordination; and direct recommendations of alternative treatments, therapies, healthcare providers or settings of care to the individual. However, if any such communication is in writing and the Covered Entity receives financial remuneration for making it, the communication must disclose that it is subsidized and provide a clear and conspicuous opportunity for the individual to opt out of such communications in the future. The Proposed Rules also require the Covered Entity to include statements in its Notice of Privacy Practices advising individuals that the Covered Entity intends to send subsidized communications and that they may opt out of such communications. The commentary to the Proposed Rules advises that requiring an individual to send a written letter to opt out would impose an undue burden, and suggests that a Covered Entity offer other options such as a toll-free number or e-mail address.
- Refill Reminders. A Covered Entity would be allowed to receive financial remuneration related to the cost of communicating with an individual for refill reminders or about a drug or biologic that is currently prescribed for the individual.
- Operational Purposes. Communications for healthcare operations purposes (non-treatment purposes) falling under exceptions (1) and (3) above would remain excluded from the definition of marketing as long as the Covered Entity does not receive financial remuneration for the communication.
Restrictions on Use and Disclosure
The HITECH Act requires Covered Entities to honor certain requests for restrictions on the use and disclosure of PHI. This requirement amends the existing regulations, which permit Covered Entities to decline any such request.
OCR proposes to require a Covered Entity to agree to a requested restriction on the disclosure of PHI to a health plan (or a Business Associate of such health plan) if the disclosure is for the purpose of carrying out payment or healthcare operations and is not otherwise required by law, and the PHI pertains solely to a healthcare item or service for which the individual (or someone other than the health plan on the individual's behalf) has paid in full. Additionally, OCR proposes an amendment clarifying that a Covered Entity may not unilaterally terminate such a restriction.
Access to PHI
The HITECH Act strengthens an individual's right of access to PHI maintained in an electronic health record. Specifically, the HITECH Act grants a right to obtain a copy of such information in electronic format and to direct that the copy be transmitted to the individual's designee. HITECH also allows a fee to be charged for providing the electronic copy. To implement this provision, the Proposed Rules:
- Require a Covered Entity that maintains PHI electronically in one or more designated record sets to provide the individual with access to the electronic PHI in the form and format requested by the individual, if it is readily producible in that form and format, or, if not, in a readable electronic form and format agreed to by the Covered Entity and the individual;
- Require a Covered Entity to transmit a copy of the requested PHI directly to the person designated by the individual, regardless of whether the PHI is in electronic or paper form. The request would need to be in writing, signed by the individual, and clearly identify the designated recipient and where to send the copy; and
- Clarify the fees that may be assessed for providing copies of PHI in paper or electronic format. Among other changes, OCR proposes to allow a charge for the cost of supplies used in copying PHI to an "electronic medium" (for example, a compact disc or USB flash drive), unless the individual provides their own medium.
Sale of PHI
The HITECH Act limits a Covered Entity's ability to disclose an individual's PHI in exchange for remuneration. To implement this statutory mandate, OCR proposes to require an authorization for any sale of an individual's PHI, and to require that the authorization state that the disclosure will result in the Covered Entity's receipt of remuneration in exchange for the disclosed PHI, unless an exception applies.
The exceptions include: (1) public health activities; (2) research purposes, if the price charged for the PHI consists of a reasonable, cost-based fee that covers the cost to prepare and transmit the information; (3) treatment of the individual or for payment purposes; (4) the sale, transfer, merger, or consolidation of all or part of a Covered Entity and for related due diligence; (5) services rendered by a Business Associate pursuant to a Business Associate Agreement and at the specific request of the Covered Entity if the remuneration is only for the performance of such activities; (6) providing an individual with access to his or her PHI; (7) as required by law; and (8) other purposes related to the Privacy Rule's procedures for hearings on civil monetary penalties.
These proposed provisions would also apply to Business Associates. Any further disclosure of PHI that was exchanged for payment, whether by the receiving Covered Entity or Business Associate, would have to comply with the Privacy Rule.
Other Provisions
Research Authorizations
Currently, Covered Entities conducting research must obtain separate authorizations for conditioned activities (e.g., research-related treatment in a clinical trial, which is conditioned on the individual signing the authorization) and unconditioned activities (e.g., collection of PHI for deposit in a central repository). To streamline the process for obtaining an individual's authorization to use PHI for research, OCR proposes to allow a Covered Entity to combine a conditioned and an unconditioned research authorization in a single document, as long as the authorization clearly differentiates between the conditioned and unconditioned research components and clearly allows the individual to opt in to the unconditioned activities. This would allow a Covered Entity to combine, for example, an authorization for the use and disclosure of PHI associated with tissue collection for a central repository with an authorization for the use and disclosure of PHI for a clinical trial that conditions research-related treatment on the execution of the authorization.
Disclosure of Student Immunizations to Schools
The Proposed Rules allow a Covered Entity to disclose proof of immunization to a school in a state that has a law prohibiting a child from attending school unless the school has proof that the child has been appropriately immunized. Under the Proposed Rules, the Covered Entity would still be required to obtain agreement, which may be oral, from the individual or from a parent or guardian before releasing the proof of immunization to the school.
PHI of Decedents
OCR proposes to require a Covered Entity to comply with the Privacy Rule with respect to a decedent's information for only 50 years following the individual's death. The Proposed Rules include a corresponding amendment to the definition of PHI so that information about an individual who has been deceased for more than 50 years is no longer PHI.
OCR also proposes to permit a Covered Entity to disclose a decedent's PHI to family members or others who were involved in the individual's care or payment for care prior to death, unless doing so would be inconsistent with any prior expressed preference of the deceased individual known to the Covered Entity. A Covered Entity would be permitted, but not required, to make such disclosures.
[1] The American Recovery and Reinvestment Act of 2009's provisions addressing health information technology (the "HITECH Act") mandated specific changes to existing HIPAA regulations.
Nelson Mullins attorneys have experience in addressing HIPAA compliance in a cost-effective manner. For information on how we can help, please contact Barry Alexander (919.877.3802); Stuart Andrews (803.255.9461); Noah Huffstetler (919.877.3801); Stan Jones (404.322.6133); Ross E. Sallade (919.329-3875); Cindy Hutto (843.534.4307); Jon A. Neiditz (404.322.6139); Helen E. Quick (202.712.2894); Eli Poliakoff (843.534.4122); Keri F. Conley (404.322.6341) or one of the other members of the Nelson Mullins Healthcare Practice.
The articles published in this newsletter are intended only to provide general information on the subjects covered. The contents should not be construed as legal advice or a legal opinion. Readers should consult with legal counsel to obtain specific legal advice based on particular situations.