On January 17, 2013 the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released the much-anticipated final rule to implement changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules enacted as part of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). The final rule also modifies the HIPAA breach notification regulations, implements certain provisions of the Genetic Information Nondiscrimination Act of 2008 (GINA), and makes additional changes to the HIPAA privacy, security, and enforcement rules. The text of the final rule can be found at: https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf.
The final rule addresses many changes to the HIPAA regulations that will be important to covered entities, their business associates, and subcontractors. The provisions with the broadest impact will: (a) change the definition of “breach” associated with covered entities’ breach notification obligations and change the risk assessment that covered entities and business associates must perform to determine whether protected health information (PHI) has been compromised, thereby triggering notification of a breach to the affected individuals, OCR, and in some cases relevant media outlets; and (b) make business associates of covered entities (and their subcontractors) directly liable for compliance with the HIPAA security rules and certain parts of the HIPAA privacy rules.
This article summarizes these and other new regulations that comprise the final rule.
Covered entities and business associates must comply with these new regulations by September 23, 2013, except that OCR granted an additional year, until September 23, 2014, for covered entities and business associates to make necessary amendments to their business associate agreements. Compliance efforts to meet these new rules will be time-consuming. Covered entities and business associates should begin work now to evaluate the necessary changes to policies, procedures, contracts and arrangements, as well as complete training on these new rules.
I. HIPAA Breach Notification Obligations
A. Definition of “Breach” and Risk Assessment
The final rule significantly changes HIPAA’s breach notification obligations. Under current regulations, if a covered entity discovers that unsecured PHI was acquired, accessed, used or disclosed in a manner not permitted under the privacy rule, the covered entity must use a “risk of harm standard” to assess whether the improper acquisition, access, use or disclosure “poses a significant risk of financial, reputational, or other harm to the individual.”
OCR concluded that the current “risk of harm standard” is too subjective, leads to inconsistent interpretations and results, and gives covered entities excessive latitude to avoid breach notification.
Therefore, OCR adopts a new definition of “breach” under which an impermissible acquisition, access, use or disclosure of unsecured PHI is presumed to be a breach, and breach notification is required, unless the covered entity (or business associate, as applicable) demonstrates through a risk assessment that there is a low probability the PHI has been compromised.
The following four specific factors must be considered in this new risk assessment:
- the nature and extent of the PHI involved (including the types of PHI, and the likelihood of re-identification);
- the unauthorized person who used the PHI or to whom the disclosure was made. OCR notes there is a lower probability that PHI has been compromised if the impermissible user or recipient of the information has obligations to protect the privacy and security of PHI;
- whether the PHI was actually acquired or viewed; and
- the extent to which the risk to the PHI has been mitigated. The extent and efficacy of mitigation should be considered when determining the probability that PHI has been compromised.
Although each breach notification assessment must analyze at least the above four factors, other factors may also be considered where necessary. If the evaluation of all these factors fails to demonstrate a low probability that the PHI has been compromised, then breach notification is required.
In a further change to the breach definition, OCR removed the current exception for limited data sets that do not contain dates of birth and zip codes. Under the final rule, a covered entity must provide breach notification following a breach of a limited data set, even one containing no dates of birth or zip codes, unless the risk assessment demonstrates a low probability that the limited data set has been compromised.
This new breach definition represents a significant shift away from the focus on an individual’s potential injury and toward an assessment of the PHI itself. The new regulations impose a presumption that a breach has occurred unless a formal risk assessment concludes that there is a low probability that PHI has been compromised.
Covered entities and business associates must modify their breach notification policies and risk assessment protocols and procedures to account for the new breach notification rules, and should provide appropriate staff training regarding this change.
B. Breach Notification Obligations and Timing
In comments to the final rule, OCR reminded covered entities that the breach notification obligations solely belong to covered entities. Even if the breach occurs at a business associate’s site, the breach notification obligations lie with the covered entity.
Covered entities are required to provide breach notification to the affected individuals without unreasonable delay and in no event later than sixty days following discovery of the breach.
A breach is deemed discovered if “any person, other than the individual committing the breach, that is an employee, officer, or other agent of such entity or associate” knows or should reasonably have known of the breach. A business associate is required to notify a covered entity of a breach no later than sixty days following its discovery of a breach. OCR states that if a business associate is acting as an agent of the covered entity (as determined under the Federal common law of agency), then the business associate’s discovery of the breach will be imputed to the covered entity for purposes of starting the sixty day clock on the covered entity’s required breach notifications. In contrast, if the business associate is not acting as an agent of the covered entity, then the covered entity is required to provide the breach notifications no later than sixty days from when the business associate notifies the covered entity of the breach. The timing of a business associate’s obligation to provide notice of a breach to the covered entity should be clearly addressed in the business associate agreement.
II. Business Associates
A. Definition of Business Associate
The enactment of HITECH provided statutory authority to extend liability under the HIPAA privacy and security rules to business associates. The final rule implements this regulation of business associates, with a compliance date of September 23, 2013.
The final rule broadens the definition of a business associate in several meaningful ways. First, the final rule implements the HITECH provisions specifying that entities providing patient safety activities, as well as health information organizations, E-prescribing gateways, or other persons providing data transmission services with respect to PHI, and that require access to PHI on a routine basis, are business associates.
In addition, the new regulations make clear that entities that maintain PHI on behalf of a covered entity are business associates under HIPAA, even if they are unable or have no rights to access, view, or use the PHI. In other words, the mere storage of PHI on behalf of a covered entity makes an entity a business associate, and consequently regulated under HIPAA.
The final rule also makes clear that entities entering into contracts with business associates and creating, receiving, maintaining, or transmitting PHI on behalf of the business associates are themselves regulated as business associates. The extension of HIPAA liability does not stop at the entity having a direct relationship with a covered entity; to the extent subcontractors or even further downstream contractors create, receive, maintain, or transmit the covered entity’s PHI, all of those subcontractors and downstream entities will be considered business associates and have the same HIPAA obligations and potential liabilities as the business associate that directly contracts with the covered entity.
B. What Must a Business Associate Do?
In the preamble to the final rule, OCR sets out the list of HIPAA privacy and security rule provisions for which a business associate may be held liable. First, a business associate is directly liable for violating any provision of the HIPAA security rule. Second, a business associate is directly liable under the HIPAA privacy rule for uses and disclosures of PHI that do not comply with the business associate agreement between the covered entity and the business associate. A business associate may also be directly liable for failing to enter into business associate agreements with its subcontractors. Further, a business associate may be directly liable for failing to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the business associate’s use, disclosure or request. Finally, a business associate may be directly liable for failing to disclose PHI to HHS to investigate and determine the business associate’s compliance with the HIPAA rules, and for failing to disclose PHI to the covered entity, or the individual, as necessary to satisfy the covered entity’s obligation to respond to an individual’s request for an electronic copy of PHI.
Compliance with the full HIPAA security rule and many elements of the privacy rule will likely be a significant challenge for many business associates and their subcontractors. For example, although many business associates perform some level of security analysis for their electronic systems, relatively few have performed the comprehensive HIPAA security assessments and ensured that their security policies and practices address the full matrix of HIPAA security standards.
C. HIPAA Liability For Actions of a Business Associate
Another significant final rule change involves liability based upon the actions of a business associate acting as an agent of the covered entity. The final rule adopts the Federal common law of agency, and eliminates a current exception excusing covered entities from liability based on actions of their agents who are business associates. Under the new rules, covered entities may, in certain circumstances, be held liable for actions of business associate agents. Additionally, the final rule adds a provision allowing for imposition of civil money penalty liability against a business associate for the actions of its agents. Whether a covered entity will be liable for a business associate’s actions, or whether a business associate is liable for the actions of its agents, will be a fact-specific inquiry. The final rule states the essential factor will be “the right or authority of a covered entity to control the business associate’s conduct in the course of performing a service on behalf of the covered entity.” Additional factors to consider include: “(1) time, place, and purpose of a business associate agent’s conduct; (2) whether a business associate agent engaged in a course of conduct subject to a covered entity’s control; (3) whether a business associate agent’s conduct is commonly done by a business associate to accomplish the service performed on behalf of a covered entity; and (4) whether or not the covered entity reasonably expected that a business associate agent would engage in the conduct in question.”
D. Business Associate Contracts
The final rule makes clear that covered entities must amend their business associate contracts to ensure that those agreements specifically address the HITECH provisions added to the mandated business associate agreement terms. The final rule allows covered entities, business associates, and subcontractors to continue operating under existing compliant business associate contracts up to September 23, 2014, at which time, current business associate agreements must be amended to comply with the HITECH changes.
III. Other Changes to The HIPAA Privacy and Enforcement Rules
A major change involves OCR’s investigation of HIPAA complaints: the final rule imposes four new regulations for HIPAA violations. The first two new regulations remove OCR’s discretion to investigate violations based on willful neglect. The final rule mandates an investigation of any complaint filed indicating a possible HIPAA violation due to willful neglect. Additionally, the new regulations require OCR to conduct a full compliance review of a covered entity's or business associate’s compliance with applicable administrative simplification provisions if OCR’s preliminary review indicates possible violations due to willful neglect. Third, if an entity is found guilty of a violation due to willful neglect, the new rules give OCR discretion either to resolve the noncompliance by informal means or to move directly to imposing a willful neglect violation determination. Finally, in contrast to current regulations, which mandate that OCR work to obtain voluntary corrective action, the new rules allow OCR to move directly to formal enforcement action in an instance of willful neglect.
The final rule also allows OCR to disclose PHI to another governmental agency for a civil or criminal enforcement activity. This will allow OCR to work with law enforcement agencies such as the State Attorneys General and the FTC in the course of investigations.
The final rule also implements changes to the civil monetary penalty amounts that may be imposed for HIPAA violations. The final rule incorporates the tiered penalty structure from the HITECH Act, which categorizes violations of the HIPAA rules based on culpability of the entity into four categories: did not know, reasonable cause, willful neglect (but corrected within thirty days), and willful neglect (not corrected within thirty days). Penalties are assessed per violation and range from a minimum of $100 up to a maximum of $1.5 million for all such violations of an identical provision in a calendar year. In all cases, the penalties will be assessed after an evaluation of applicable factors including: (a) the nature and extent of the violation, including the number of individuals affected; (b) the nature and extent of resulting harm, including consideration of reputational harm to individuals affected; (c) history of prior compliance, including indications of noncompliance by the covered entity or business associate; (d) the financial condition of the covered entity or business associate; and (e) other such matters as justice shall require.
B. Privacy Rule
The final rule changes the privacy provisions that apply to subsidized communications that covered entities (or their business associates) make regarding health-related products or services. The final rule requires covered entities to obtain written patient authorization in order to make treatment and health care operations communications to individuals if the covered entity receives direct or indirect payment from a third party whose product or service is being marketed. However, subsidized refill reminders and communications about a drug or biologic currently being prescribed to the individual may be made without written patient authorization, but only so long as the payment to the covered entity is reasonably related to the covered entity’s cost of making the communication.
The new HIPAA marketing rules are a significant tightening of the current federal privacy regulations governing payment arrangements between product manufacturers and health care providers for product and treatment communications, and should prompt covered entities to review those arrangements in time to make any required changes by September 23, 2013.
In contrast to the general trend in the final rule to tighten or expand the HIPAA regulations, two research-related changes loosen the privacy requirements. First, the final rule allows covered entities to provide a single combined, or “compound,” written patient authorization to authorize the use or disclosure of PHI for research-related treatment, such as a clinical trial (for which the signing of an authorization can be a condition of providing the treatment), with an authorization to use or disclose PHI for a voluntary research project (such as a central database or biospecimen databank project, the authorization for which a provider is not permitted to condition treatment). Second, the final rule states that written authorizations to use and disclose PHI for research do not need to be study-specific, and may authorize future research projects, so long as the authorization adequately describes the future research purposes.
3. Sale of PHI
The final rule implements the HITECH statutory provision prohibiting the sale of PHI, with certain exceptions. Sale of PHI means a disclosure of PHI by a covered entity or business associate where the covered entity or business associate directly or indirectly receives financial remuneration from or on behalf of the recipient of the PHI in exchange for the PHI. Some of the exceptions to the sale prohibition are: (a) payment for the sale, merger, or consolidation of a covered entity; (b) payment for public health purposes; and (c) payment for research purposes, so long as payment is solely a reasonable cost-based fee to cover the cost to prepare and transmit the PHI.
Another change in the final rule concerns covered entities’ use of PHI for their own fundraising purposes. For fundraising purposes, a covered entity may use demographic information including names, addresses, contact information, age, date of birth and gender; health insurance status; dates of health care; department of service information; treating physician information; and outcome information. However, an individual may choose to opt out of fundraising communications and, to that end, the final rule requires a covered entity to include “a clear and conspicuous opportunity for the individual to elect not to receive further fundraising communications” on each fundraising communication sent. The opt-out process must not be burdensome, and the covered entity is prohibited from conditioning treatment or payment on the decision regarding fundraising communication. While covered entities can decide both the scope of the opt out and how an individual can opt back in to receiving communications, they may not send further fundraising communications to individuals who already opted out.
5. Notice of Privacy Practices
The final rule makes a number of changes to the provisions relating to the Notice of Privacy Practices (NPP) under the HIPAA privacy rule. First, the NPP must now contain a statement that uses and disclosures of psychotherapy notes, marketing purposes, and sales of all PHI require authorization, and that the covered entity must seek authorization before using or disclosing PHI in a way not described in the NPP. Second, the NPP must contain a statement that an individual may opt out of fundraising communications (as discussed above). Third, the NPP must inform individuals of their right to restrict access to their PHI (as discussed below). Finally, the NPP must inform individuals of their right to be notified following a breach of PHI.
The final rule also makes changes to the method of distribution for NPP changes required under the final rule. Health plans that already post NPPs on their website must communicate these changes by posting them on the plan’s website and including information about the changes in the next annual mailing. If the health plan does not have a website, it must provide information to individuals within sixty days of the change. The final rule does not change the process for health providers’ distribution of NPP changes.
6. Individual Right to Restrict Access to PHI
Another privacy rule modification allows individuals to request a restriction on the uses and disclosures of their PHI to a health plan. The final rule states that if (a) “the disclosure is for the purposes of carrying out payment or health care operations and is not otherwise required by law”; and (b) “the protected health information pertains solely to a health care item or service for which the individual, or person on behalf of the individual other than the health plan, has paid the covered entity in full” the covered entity must agree to the requested restriction. This “paid in full” exception applies if an individual, an individual’s family member or other person pays for the service in full. Additionally, if an individual makes such a restriction request, the covered entity may not disclose the PHI to a business associate of the health plan. Under the final rule, such a restriction will not require separate files, but will require health care providers to flag or otherwise make note of the restriction in the individual’s record.
When an individual requests such a restriction, it is the responsibility of the individual to notify downstream providers, such as pharmacists or specialists, of his or her wish to restrict health plan access to PHI. However, even if an individual requests restriction and pays in full for a service, if the individual does not pay in full for any follow-up service, and the provider needs to include previously restricted information to have the service deemed medically necessary, the provider may do so.
7. Individual Right to Access PHI
The final rule strengthens the current regulations on individual access to PHI. The final rule requires that if an individual requests an electronic copy of his or her PHI, the covered entity must provide the individual electronic access in the form and format the individual requests. If the electronic form and format is not easily producible, the covered entity must provide the information in a readable electronic form and format. Additionally, an individual has the right to request a copy of his or her PHI be sent to a third party, so long as the request is in a writing that clearly identifies the designated third party (including the identity of a designated person and the contact information), and is signed by the individual requesting the record. The final rule states that fees for requests of PHI may include labor costs, including costs of skilled workers to compile the information, supplies, and postage. Finally, the final rule removes the current additional thirty day extension for off-site data storage, so that all requests for access must be serviced within thirty days, plus a one-time thirty day extension if necessary.
GINA prohibits discrimination based on an individual’s genetic information in the context of health care coverage and employment. The final rule implements certain GINA provisions by modifying the HIPAA privacy rule to strengthen privacy protections for genetic information.
The final rule revises the privacy rule to clarify that “health information” includes “genetic information.” It defines “genetic information” as information with respect to any individual about: (a) such individual’s genetic tests; (b) the genetic tests of family members; (c) the manifestation of a disease or disorder in family members of such individual (i.e. family medical history); (d) any request for, or receipt of, genetic services or participation in clinical research which includes genetic services, by the individual or family members; (e) the genetic information of any fetus carried by a pregnant woman; and (f) the genetic information of any embryo legally held by an individual or family member. Genetic information does not include information about the sex or age of any individual.
A significant effect of these changes is to clarify that covered entities may not use or disclose genetic information when it qualifies as PHI except as the privacy rule permits or requires, or in most circumstances, as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
Also significant, the final rule prohibits most health plans from using or disclosing genetic information for underwriting purposes, even if a HIPAA authorization is obtained. The prohibition applies to most health plans that are covered entities under HIPAA, including those to which GINA does not expressly apply. As a result of concern expressed by commenters, the final rule excludes long term care plans from the underwriting prohibition. However, this exclusion may not be permanent as OCR states it is looking into ways to obtain more information about attaining a proper balance between an individual’s privacy interests and the long term care insurance industry’s concerns about the cost effect of excluding genetic information from underwriting. OCR further clarifies that long term care plans, like other covered entities, are still bound by the privacy rule to protect genetic information from improper uses and disclosures and to only use or disclose genetic information as required or expressly permitted by the rule, or as otherwise authorized by the individual who is the subject of the genetic information.
Finally, OCR states that health plans that use or disclose PHI for underwriting are required to include a statement in their NPP that the health plan is prohibited from using or disclosing PHI that is genetic information about an individual for underwriting purposes. This is likely to necessitate amendments to most health plan NPPs. Issuers of long term care policies, health care providers and health plans that do not perform underwriting are not required to revise their NPPs in this manner.
The final rule covers a wide range of new regulations addressing privacy, security, and HIPAA enforcement topics, and will have significant impact on many segments of the health care industry. It also implements the HITECH provisions making business associates (and their subcontractors) directly liable under HIPAA. With a compliance date of September 23, 2013 for most of the final rule provisions, many covered entities, business associates, and subcontractors will be engaged in HIPAA compliance reviews, operational changes, and compliance readiness activities throughout the initial three quarters of 2013, and beyond.