The Department of Health and Human Services (“HHS”) has issued a final rule (the “Final Rule”) modifying the HIPAA Privacy, Security, and Enforcement Rules (the “HIPAA Rules”). The Final Rule incorporates the statutory amendments under the HITECH Act, makes final modifications to the Breach Notification Rule, implements privacy protections for genetic information under GINA, and makes other changes to the HIPAA Rules that are intended to improve their workability and flexibility. The Final Rule is effective on March 26, 2013. Covered entities and business associates will have 180 days after the effective date, or until September 23, 2013, to come into compliance with most of the Final Rule’s provisions.
Many provisions of the Final Rule implement the HITECH Act provisions extending to business associates direct liability for compliance with certain aspects of the HIPAA Rules. As is the case with covered entities, the requirements of the Security Rule continue to be designed to be technology neutral and scalable to all different sizes of entities. Thus, business associates have the flexibility to choose security measures appropriate for their size and resources, as well as the nature of the security risks they face.
Unlike under the Security Rule, the HITECH Act does not make business associates directly liable for compliance with all requirements of the Privacy Rule (i.e., it does not treat them as covered entities). Thus, although business associates are directly liable for uses and disclosures of PHI that violate the Privacy Rule, they are not required to provide a notice of privacy practices, nor to designate a privacy official. As was the case under the Privacy Rule before the HITECH Act, business associates remain contractually liable for all other Privacy Rule obligations that are included in their agreements with covered entities.
Despite this direct liability of business associates, HHS specifically indicates that a business associate agreement remains necessary to clarify and limit, as appropriate, the permissible uses and disclosures by the business associate, given the relationship between the parties and the activities and services being performed by the business associate. The business associate agreement also serves to notify the business associate of its status under the HIPAA Rules, so that it is fully aware of its obligations and potential liabilities.
Business associate agreements may now need to be amended, even if they were already generally amended for HITECH. The Final Rule establishes a transition period, however, during which covered entities and business associates may continue operating under certain existing contracts. This transition period lasts for up to one year beyond the compliance date of the Final Rule, or September 23, 2014, and is available if (1) prior to the publication date of the Final Rule (January 25, 2013), the covered entity or business associate had an existing contract or other written arrangement with a business associate or subcontractor, respectively, that complied with the prior provisions of the HIPAA Rules, and (2) such contract or arrangement is not renewed or modified between the effective date and the compliance date of the Final Rule. HHS has released a new model business associate agreement that includes revisions to comply with the Final Rule.
Furthermore, business associates must now enter into business associate agreements with their own subcontractors. A subcontractor is “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.” Thus, subcontractors will be contractually obligated to comply with the same requirements as a business associate.
Definition of Protected Health Information (“PHI”)
Following an individual’s death, the Privacy Rule generally requires covered entities to protect the privacy of the decedent’s PHI in the same manner and to the same extent that is required for the PHI of living individuals. In many cases, this would require a covered entity to obtain an authorization from the decedent’s personal representative. Recognizing that this can be difficult, particularly after an estate has been closed, the Final Rule amends the definition of PHI to exclude information regarding a person who has been deceased for more than 50 years.
The regulators note that they believe a 50-year period is appropriate, taking into account the remaining privacy interests of living individuals after a span of approximately two generations has passed, and the difficulty of obtaining authorizations from a personal representative of a decedent once the same amount of time has passed. The regulations indicate, however, that the Privacy Rule does not override or interfere with state or other laws that provide greater protection for such information, or with the professional responsibilities of mental health or other providers. They also clarify that the 50-year period of protection is not a record-retention requirement and that covered entities may destroy (or keep) records for whatever period of time they choose, subject to state or other applicable law.
Notice of Privacy Practices
The Final Rule requires the addition of certain statements in the notice of privacy practices (“NPP”) regarding uses and disclosures that require authorization. While the Final Rule does not require the NPP to include a list of all situations requiring authorization, the NPP must contain a statement indicating that (1) most uses and disclosures of psychotherapy notes, (2) uses and disclosures of PHI for marketing purposes, and (3) disclosures that constitute a sale of PHI require authorization. The notice must also include a statement that other uses and disclosures not described in the NPP will be made only with authorization from the individual. Covered entities that do not record or maintain psychotherapy notes are not required to include a statement in their NPPs about the authorization requirement for uses and disclosures of psychotherapy notes.
The NPP must also inform individuals of their new right to restrict certain disclosures of PHI to a health plan where the individual pays out of pocket in full for the health care item or service. However, resolving an ambiguity in the statute, the final regulations clarify that only health care providers are required to include such a statement in the NPP. Thus, health plans may retain existing language indicating that a covered entity is not required to agree to a requested restriction.
The Final Rule also requires covered entities to include in their NPP a statement of the right of affected individuals to be notified following a breach of unsecured PHI. A simple statement in the NPP that an individual has a right to, or will receive, notifications of breaches of his or her unsecured PHI will suffice.
Health plans that use or disclose PHI for underwriting purposes must now include a statement in their NPP that they are prohibited from using or disclosing PHI that is genetic information about an individual for such purposes. Health care providers and health plans that do not perform underwriting need not revise their NPPs to reference this prohibition.
Because these changes represent material changes to the NPP, covered health plans will be required to distribute new NPPs. If a health plan currently posts its NPP on its web site, the revised notice (or a summary of the material changes) must be prominently posted on its web site by September 23, 2013. The plan must also provide the revised notice, or information about the material change and how to obtain the revised notice, in its next annual mailing to individuals then covered by the plan, such as at the beginning of the plan year or during the open enrollment period. Health plans that do not have customer service web sites are required to provide the revised NPP, or information about the material change and how to obtain the revised notice, within 60 days of the material revision to the notice.
Individual Right to Access PHI
If an individual requests an electronic copy of PHI that is maintained electronically in one or more designated record sets, the covered entity must provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual. HHS notes its expectation that covered entities will provide individuals with a “machine readable” copy of their PHI in a standard format, such as MS Word or Excel, HTML, or PDF.
Covered entities are not required to provide individuals with direct access to their systems. They need only provide individuals with an electronic copy of their PHI. They are also not required to purchase new software or systems in order to accommodate an electronic copy request for a specific form that is not readily producible by the covered entity at the time of the request, provided that the covered entity is able to provide some form of electronic copy. However, some legacy or other systems may not be capable of providing any form of electronic copy. As a result, some covered entities may need to invest in technology in order to meet the basic requirement to provide some form of electronic copy.
Breach Notification Rule
The Final Rule amends the definition of “breach” to clarify that an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised. This standard replaces the “risk of harm” standard that was part of the interim Breach Notification Rule.
The Final Rule also identifies the following four objective factors that covered entities and business associates must consider when performing a risk assessment:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification of the information;
- The unauthorized person who impermissibly used the PHI or to whom the impermissible disclosure was made;
- Whether the PHI was actually acquired or viewed, or alternatively, if only the opportunity existed for the information to be acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
Covered entities are required to document the results of their risk assessment even if they conclude that a breach notice is not required.
Plan sponsors should keep in mind, however, that the breach notification rule applies only to “unsecured” PHI. If PHI is encrypted pursuant to the existing guidance on permissible encryption methodologies, then no breach notification is required following an impermissible use or disclosure of the information.
Under the Final Rule, HHS will not only investigate any complaint when a preliminary review of the facts indicates a possible violation due to willful neglect, but will also conduct a compliance review to determine whether a covered entity or business associate is complying with the applicable rule. Further, HHS “may” – rather than “will” – attempt to resolve investigations or compliance reviews indicating noncompliance by informal means. This change will permit HHS to proceed with a willful neglect violation determination and civil penalties without exhausting informal resolution options.
Plan sponsors will have until September 23, 2013, to review and revise HIPAA policies and procedures, amend privacy notices, and retrain their workforce. As mentioned above, a transition rule will allow a one-year extension – until September 23, 2014 – for amending certain business associate agreements, provided such agreements were in existence and complied with the prior HIPAA Rules. Given the relatively short time before the compliance date, health plan sponsors should begin this process sooner rather than later.