By Sara H. Shanti and Fatema Zanzi
On January 17, 2013, the Department of Health and Human Services (HHS) publically released the long-awaited HIPAA Omnibus Final Rule (Final Rule). The Final Rule (1) implements many provisions of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), expanding the privacy and security standards directly governing covered entities and business associates; (2) modifies the interim final rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule); (3) modifies the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA); and (4) makes certain other modifications to the HIPAA Privacy, Security and Enforcement Rules to improve their workability. Notably, the Final Rule does not address the anticipated accounting of disclosures requirements, which was the subject of a separate proposed rule published on May 1, 2011.
The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply with the applicable provisions by September 23, 2013.
Below we have highlighted some of the significant changes that the Final Rule makes to the current landscape of HIPAA regulations.
Breach Notification Rule
- The Final Rule revises the definition of “breach” such that there is an automatic presumption that an impermissible use or disclosure of protected health information (PHI) constitutes a breach. As a result, breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that PHI has been compromised or one of the other exceptions to the definition of “breach” applies.
- HHS removes the harm standard. Instead of assessing the risk of harm to the individual, covered entities and business associates must assess the probability that PHI has been compromised based on a risk assessment.
- The Final Rule modifies the risk assessment procedure to focus on objective factors. Therefore, if a covered entity or business associate performs a risk assessment to determine whether there is a low probability that PHI has been compromised, then the risk assessment must consider, at a minimum, the following factors: 1) the nature and extent of the PHI involved, including the likelihood of re-identification of the information; 2) the unauthorized person(s) who used or received the PHI; 3) whether the PHI was acquired or viewed; and 4) the extent to which the compromise of the PHI has been mitigated. Other factors may also be considered where necessary. HHS plans to provide entities with additional guidance related to risk assessments and frequently occurring breach scenarios.
- HHS notes that a covered entity or business associate has the discretion to provide the required breach notifications following an impermissible use or disclosure of PHI without performing a risk assessment. Because there is a presumption that a breach has occurred following every impermissible use or disclosure of PHI, entities may decide to notify without evaluating the probability of the compromise.
- The Final Rule removes the exception to the breach definition related to limited data sets. Therefore, following an impermissible use or disclosure of any limited data set, even those that do not include dates of birth and zip codes, covered entities or business associates must notify affected individuals or perform a risk assessment and determine that breach notification is not required.
Modifications of HIPAA Privacy, Security and Enforcement Rules
- The definition of “PHI” explicitly excludes information related to a person deceased for more than 50 years.
- The Final Rule confirms the enhanced enforcement penalties as well as the willful neglect standard, which carry additional penalties, and acceptable affirmative defenses.
- The definition of a “business associate” has been expanded to generally include all those entities that create, receive, maintain, or transmit PHI on behalf of a covered entity. The business associate definition now includes subcontractors, Patient Safety Organizations, Health Information Organizations, e-prescribing Gateways, and vendors of Personal Health Records that provide services on behalf of a covered entity.
- The Final Rule sets forth permissible uses and disclosures of PHI by business associates. Effectively, business associates are directly liable for impermissible uses and disclosures of PHI. HHS may impose penalties on the covered entity, business associate, or both if the Secretary establishes a violation of an applicable provision of HIPAA.
- Business associates are directly responsible for compliance with the Security Rules’ implementation specifications. Business associates must ensure the confidentiality, integrity, and availability of all electronic PHI through reasonable and appropriate administrative, physical, and technical safeguards. Business associates are now also required to conduct a risk analysis of potential security risks and vulnerabilities.
Business Associate Agreements
- The Final Rule makes business associate agreements (BAAs) applicable to arrangements involving a business associate and a subcontractor of that business associate in the same manner as BAAs apply to arrangements between covered entities and business associates. To the extent a subcontractor creates, receives, maintains, or transmits PHI, then a business associate must have a BAA with the subcontractor.
- HHS notes the continued need for BAAs by covered entities even though business associates are now held directly accountable for many provisions of HIPAA. HHS believes BAAs are necessary to clarify and limit permissible uses and disclosures of PHI, ensure business associates are contractually responsible for activities they are not directly liable for under HIPAA, and clarify respective responsibilities related to patient rights, such as access to PHI.
- Each agreement in the BAA chain must be as or more stringent than the one above it regarding the uses and disclosures of PHI.
- The Final Rule provides an important transition period for existing BAAs. The transition period allows existing BAAs, which are not renewed or modified between March 26 and September 23, 2013, to remain compliant until the earlier of 1) the date the BAA is renewed or modified on or after September 23, 2013; or 2) September 22, 2014.
Notice of Privacy Practices
- The Final Rule will require covered entities to modify their Notice of Privacy Practices (NPP).
- An NPP must include a description of types of uses and disclosures that require an authorization. The NPP must include a statement that other uses and disclosures not described in the NPP will be made with the individual’s written authorization and that such authorization(s) may be revoked.
- If the covered entity engages in fundraising activities, the NPP must explain that the individual may be contacted to raise funds, but retains the right to opt-out of such communications.
- An NPP must include a statement related to an individual’s right to request a restriction as well as a statement that covered entities are not required to agree to such a request.
- An NPP must provide a statement that the covered entity is required to notify affected individuals of breaches of unsecured PHI.
- For health plans that engage in underwriting activities, the NPP must include a statement that the covered entity is prohibited from using or disclosing PHI that is genetic information for such purposes.
- Covered entities must agree to an individual’s request to restrict PHI if the information pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid in full out of pocket.
- Covered entities must provide an individual with access to PHI in the electronic form and format requested by the individual if the PHI is maintained electronically in one or more designated record sets. Covered entities may charge for the labor for copying PHI requested by the individual.
- Covered entities continue to have 30 days to respond to requests for access to PHI; no shorter time period is required despite potential instantaneous availability of electronic PHI.
- The Final Rule requires authorization for all treatment and health care operations communication where the covered entity receives financial remuneration from a third party whose product or service is being marketed. The Final Rule removed the notice of remuneration and opt-out language requirement that had been included in the proposed rule.
- Exceptions to the authorization requirement include refill reminders and other communications about currently prescribed drugs or biologics. However, HHS interprets the permissible costs under this exception to include only those which cover the costs of labor, supplies, and postage to make the communications. Thus, if a covered entity receives an amount in excess of the allowable costs, authorization is again required.
- Other exceptions to the authorization requirement include the promotion of health in general, provided that the communications do not promote the products and services of a particular provider, and the promotion of government and government-sponsored programs.
- The Final Rule prohibits the sale of PHI by covered entities and business associates; however, the Final Rule described disclosures excluded from the definition of “sale of protected health information,” provided remuneration is reasonable and cost-based.
- The Final Rule permits compound authorizations for research purposes. Specifically, it allows the authorization for disclosure of PHI for a research study to be combined with any other written permission for the same or another study.
- Where a covered health care provider has conditioned the provision of research-related treatment on the provision of one of the authorizations, any compound authorization must clearly differentiate between the conditioned and unconditioned components and provide the individual with an opportunity to opt-in to the research activities described in the unconditioned authorization.
- To harmonize HIPAA’s authorization requirements with the Common Rule of informed consent, the Final Rule modifies HHS’ previous interpretation that HIPAA research authorizations must be study specific. With respect to authorizations for future research, an authorization for future research purposes is permissible so long as it describes such purposes in a manner that allows the individual to reasonably expect the future use(s) or disclosure(s) of PHI for research.
Genetic Information Nondiscrimination Act of 2008 (GINA)
- The Final Rule prohibits most health plans from using or disclosing genetic information for underwriting purposes.
- Long-term care plans are exempt from these underlying prohibitions.
In its press release, HHS stated that the Final Rule “greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.” However, it also recognized the significant costs that may result from the overhaul of these regulatory specifications. Compliance costs include the necessary revisions and distributions of revised NPPs; assessing potential breaches; drafting and implementing BAAs for subcontractor arrangements; and implementing revised policies and procedures. For more information regarding the Final Rule, HIPAA compliance, or implementation of applicable provisions of the HITECH Act, please contact any member of Drinker Biddle’s Health Care Practice Group.
In the coming weeks, we will be publishing a series of client alerts addressing in more depth specific provisions of the Final Rule.