On January 17, 2013, the Office for Civil Rights ("OCR") of the U.S. Department of Health and Human Services ("HHS") issued its long-awaited final rule ("Final Rule") modifying the Health Insurance Portability and Accountability Act ("HIPAA") privacy, security, enforcement, and breach notification rules in accordance with the Health Information Technology for Economic and Clinical Health ("HITECH") Act and the Genetic Information Nondiscrimination Act ("GINA"). Published in the Federal Register on January 25, the Final Rule becomes effective on March 26, 2013, although compliance with most of its provisions is not required until September 23, 2013.
Although some commenters have suggested that the Final Rule did not include significant changes to the proposed and interim final HIPAA Administrative Simplification rules, in reality covered entities, and business associates in particular, have substantial work to do before the September 23 compliance deadline. Generally speaking, the Final Rule provides additional protections to individuals and requires greater transparency about the uses and disclosures that are made of individuals' protected health information ("PHI"), whereas it significantly expands liability for covered entities and their business associates. The Final Rule provisions making the most dramatic changes, and therefore necessitating the most substantial operational and policy changes, are those pertaining to business associates and breach notification. However, revisions to the HIPAA enforcement rule incorporating the HITECH Act's increased civil monetary penalty tiered structure and changes to several of the HIPAA privacy and security standards also will require considerable attention. This summary is intended to address the main highlights of the Final Rule but, as always, effective compliance will require a review and understanding of the details.
In addition to entities that create, receive, or transmit PHI for or on behalf of covered entities, the Final Rule expands the definition of "business associate" to include entities that "maintain" PHI on behalf of covered entities. This means that physical and "cloud" storage companies likely will be treated as business associates, even if they don't access the PHI of their covered entity clients. Under the July 14, 2010 proposed rule, these entities probably would have been considered mere "conduits" of PHI, because they typically store or transmit but do not routinely access PHI. Accordingly, there is some concern among commenters as to whether storage companies that do not access PHI and may not even be aware that their facilities or servers are being used to store PHI now may be subjected, unfairly and without practical notice, to compliance with the full array of business associate obligations.
The Final Rule also specifically includes within the definition of "business associate" health information organizations, e-prescribing gateways, patient safety organizations, subcontractors, and entities offering personal health records on behalf of a covered entity. The Final Rule also clarifies that although researchers, financial institutions, and malpractice insurers are not business associates when engaging in their typical activities, each of these individuals or entities may be a business associate if it performs a function, activity, or service for a covered entity that falls within the definition of a business associate. Accordingly, researchers who create a de-identified or limited data set for a covered entity, financial institutions that perform accounts receivable functions on behalf of a covered entity, and malpractice insurers that access PHI in order to perform risk management or risk assessment activities on behalf of a covered entity, all would be acting as business associates.
Application to subcontractors. The Final Rule confirms that business associates, and their subcontractors who use PHI in performing services for those business associates, are directly liable for complying with many of the HIPAA privacy and security rule requirements. In order to ensure "uninterrupted" protection of PHI, compliance with these requirements is required of business associates, their subcontractors, and other entities "down the contractual chain" who access or use PHI of the covered entity in order to perform their contractual duties. Business associate agreements ("BAAs") are required between covered entities and business associates, between business associates and their subcontractors, and so on down the chain, but covered entities need not enter into BAAs directly with their business associates' subcontractors. Given the broad scope of persons and entities who serve as business associate subcontractors, however, covered entities should carefully evaluate how much oversight they will exercise over their business associates and thoughtfully revise their BAAs.
Deadline for revising BAAs. BAAs that comply with current HIPAA requirements, and that are not modified between March 26 and September 23, 2013, may continue in force until the earlier of: (1) the date the BAA is renewed or modified; or (2) September 22, 2014. New BAAs presumably must comply with the Final Rule's requirements by September 23, 2013.
Sample BAA provisions. On January 25 HHS posted to its website sample business associate agreement provisions to assist covered entities and business associates in complying with the requirements of the Final Rule. Because the provisions listed are merely samples and include alternative options, and because entities may want to include additional provisions in their BAAs, covered entities and business associates should use this guidance judiciously and not rely solely on these provisions when revising their BAAs.
In the preamble to the Final Rule, OCR noted that 60 of the 70 commenters who specifically addressed the August 25, 2009 interim final rule's definition of "breach" supported the proposed risk of harm standard and risk assessment approach. These commenters believed that this approach both permitted the appropriate parties to assess the likely impact of impermissible uses or disclosures of PHI and struck a proper balance between permitting individuals to protect themselves from potential negative consequences of a breach while not flooding individuals with notifications for inconsequential events. Other commenters, however, suggested that the subjective risk of harm standard gave too much discretion to covered entities and business associates and appeared to set a higher threshold for breach notification than OCR intended.
OCR agreed with this smaller group of commenters. In the Final Rule, it revises the definition of "breach" and the risk assessment approach to create what it describes as a more objective standard. Now, an impermissible use or disclosure of PHI is presumed to be a breach, and notification is required, unless the disclosing covered entity or business associate demonstrates that there is a low probability that the PHI was "compromised." The probability of compromise must be determined based upon a risk assessment of at least the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood that the information may be re-identified;
- The unauthorized person who impermissibly used the PHI or to whom the PHI was impermissibly disclosed;
- Whether the PHI was actually accessed or viewed; and
- The extent to which the risk to the information has been mitigated.
The revised standard effectively removes the fairly broad discretion covered entities and business associates had under the risk of harm standard to determine whether to make notification of breaches. Although the Final Rule removes the definition of "compromises," OCR indicates that it will issue specific guidance to assist covered entities and business associates in performing risk assessments in certain frequently-occurring scenarios. Until the September 23, 2013 compliance date, covered entities and business associates must comply with the breach notification requirements of the HITECH Act in accordance with the interim final rule.
The Final Rule also clarifies that for breaches affecting fewer than 500 individuals, covered entities must notify HHS within 60 days after the end of the calendar year in which the breaches were discovered, not the year in which the breaches occurred.
Changes to the Privacy Rule
More types of PHI may be used for fundraising campaigns. The Final Rule makes two main revisions to the interim final rule's limitations on the use of PHI for fundraising. First, in response to requests to permit covered entities more flexibility to target appropriate individuals for fundraising and avoid sending solicitations to others, such as those who experienced adverse outcomes, the Final Rule expands the types of PHI covered entities may use or disclose to a related foundation or business associate without patient authorization. The categories of information that may be used or disclosed for fundraising communications now include: (1) demographic information (including name, address, other contact information, gender, age, and date of birth); (2) dates on which health care was provided to an individual; (3) information about the department(s) in which the patient was treated; (4) name of treating physician; (5) information about outcomes (including death or sub-optimal treatment); and (6) health insurance status.
Clear and conspicuous opportunity to opt out of future campaigns. Additionally, individuals now must be offered a "clear and conspicuous" opportunity to opt out of any future fundraising solicitations (including campaigns by mail, e-mail, and telephone) through a means which would not be unduly burdensome on the individual or cost more than a minimal amount. OCR suggests that enabling individuals to opt out by e-mail, toll-free or local phone calls, or return of a pre-paid postcard are appropriate methods to effectuate such opt outs. A process for opting back in also must be provided. Covered entities have discretion whether to permit individuals to opt out of specific fundraising campaigns or all future fundraising communications. However, covered entities may not condition treatment or payment on an individual's decision to opt out of receiving future fundraising communications, and covered entities must not send such communications to individuals who have opted out, as doing so will be a violation of the privacy rule. In light of the revised risk assessment approach for breach notification, assuring compliance with these responsibilities will require covered entities to carefully track individuals' opt-out decisions.
The Final Rule broadens the categories of uses and disclosures of PHI that are considered marketing and, therefore, that require an individual's prior authorization. "Marketing" now includes any treatment or health care operations communication to an individual about health-related products or services for which a covered entity or its business associate receives financial remuneration from a third party in exchange for making the communication. In other words, if a covered entity or its business associate is paid by a third party for making a marketing communication, even if that communication is about new or alternative treatments, individual authorization is required. A payment that is made for a purpose other than for making the marketing communication, such as to assist a covered entity in implementing a disease management program, does not require individual authorization because the payment is not for the marketing communication. OCR clarifies that non-monetary remuneration is not financial remuneration and, accordingly, the receipt of non-monetary remuneration in exchange for a marketing communication would not require individual authorization.
The Final Rule maintains exceptions to the authorization requirement for face-to-face communications between the covered entity and the individual and for promotional gifts of nominal value. In addition, the definition of marketing excludes communications about refill reminders and about drugs or biologics currently being prescribed for the individual, so long as any financial remuneration received for making the communication is reasonably related to the covered entity's cost of making the communication. In determining that cost, covered entities may consider costs of labor, supplies, and postage required to make the communication. Finally, communications that promote health generally, such as messages encouraging a healthy diet or promoting routine preventative tests, do not require individual authorization.
Sale of PHI Prohibited Without Authorization
Under the Final Rule, a covered entity that receives remuneration to disclose PHI to a third party is selling the PHI. Before it may do so, the covered entity must receive prior authorization from the individual(s) whose PHI is involved. The authorization must indicate that the disclosure will result in remuneration to the covered entity. Unlike with marketing communications, OCR clarifies that the provision of non-monetary remuneration, such as offering a free computer in exchange for using the computer to deliver PHI, also constitutes a sale of PHI. There are several exceptions to the definition of "sale" in the Final Rule, consistent with those listed in the proposed rule, including, among others, disclosures of PHI for certain public health purposes, and disclosures for research purposes where the only remuneration is a reasonable, cost-based fee for the cost of preparing and transmitting the PHI.
The Final Rule implements two changes that undoubtedly will please the clinical research community. The first modifies the privacy rule's prohibition on combining conditioned authorizations (such as for use and disclosure of PHI for a clinical trial) and unconditioned authorizations (such as for tissue banking of specimens for future research) in a single document. Researchers complained that this prohibition complicated authorization paperwork, confused and sometimes discouraged research subjects from participating in studies, and was inconsistent with the requirements of the Common Rule. To alleviate these concerns, the Final Rule permits a covered entity to combine individuals' conditioned and unconditioned authorizations for research into a single authorization, so long as the authorization specifies which research components are conditioned and which are unconditioned and clearly permits individuals to opt in to the unconditioned research activities. Research study authorizations now may be combined with another authorization for the same study, an authorization for the creation or maintenance of a research database or repository, or with a consent to participate in research.
In addition, research authorizations no longer need be study specific; rather, they now may be used for future research, as well as specific studies, so long as the authorization describes the research purposes in a way that puts the individual on notice that his or her PHI might be used or disclosed for future research.
Right to Access Copies of Electronically-Stored PHI
Form and format. The Final Rule provides that if an individual requests an electronic copy of PHI that the covered entity maintains electronically in one or more designated record sets ("ePHI"), the covered entity must provide access to the ePHI in the electronic form and format sought by the individual, if readily producible in that form and format. If such access is not possible (for example, if the individual seeks to access her ePHI through a web-based portal and the provider does not maintain a portal), then the covered entity and the individual must agree on the readable electronic format in which the information will be provided. If the individual refuses to accept the ePHI in the available electronic formats, the covered entity must provide a hard copy.
OCR clarifies that covered entities are not required to purchase new systems or software in order to provide ePHI in a form or format that is not readily producible, but that entities whose systems cannot produce a copy of ePHI in any electronic form (including some legacy systems) may need to invest in software or hardware to offer some form of electronic copy. Additionally, covered entities that maintain hybrid records need not scan paper documents in order to provide individuals electronic copies of those paper records. In response to concerns raised by covered entities about the potential vulnerability of unencrypted e-mails, the Final Rule notes that entities may provide copies of ePHI in unencrypted e-mails if they first notify the individual of the possible risk that a third party may read the e-mail. If, despite this risk, the individual still prefers to receive an unencrypted e-mail instead of an available electronic alternative, the covered entity may e-mail the information.
Third parties. Upon an individual's written request, a covered entity must transmit a copy of PHI directly to a third party designated by the individual. The individual's request must be signed, and it must clearly identify the third party and where to send the information.
Copy fees. Covered entities may charge individuals a reasonable, cost-based fee for providing copies of PHI. The Final Rule permits entities to include labor costs for copying in the calculation of the fee. Such costs may include staff time to create and copy electronic files (such as compiling, extracting, or scanning and distributing PHI). Fees also may be charged for supplies used in creating electronic media (such as discs and flash drives) for individuals who seek copies on portable media, and for postage incurred on behalf of individuals who request mailing of the electronic media. However, entities may not charge for costs related to maintaining systems or new technology, nor may they charge a retrieval fee for electronic copies, since such a fee is not permitted for production of paper copies. Finally, in instances where HIPAA permits charging higher costs than does applicable state law, under state law preemption principles covered entities will not be permitted to charge more than state law allows.
Time frame. Because access to ePHI is "almost instantaneous," the Final Rule shortens the time frame within which covered entities must respond to access requests, even where the PHI is stored off-site, to a total of 60 days. Covered entities have 30 days to respond to access requests and may have a single 30-day extension upon providing written notice to the individual noting the reason for the delay and the expected date of completion.
Right to Request Restrictions on Uses and Disclosures
The Final Rule implements the HITECH Act requirement that covered entities agree to an individual's request to restrict uses and disclosures of his or her PHI related to a treatment or service if the request is to restrict disclosure of information to the individual's health plan for payment or health care operations purposes, and if the individual agrees to pay the covered entity for the treatment or service out of pocket and in full. OCR received numerous questions about how to operationalize this new right. In response, the preamble to the Final Rule clarifies that:
- health care providers need not create separate medical records or otherwise segregate PHI that is subject to such a restriction, but they will need to flag this restriction in the record to assure that such information is not provided to the health plan for other operations purposes, such as health plan audits;
- if the restriction requested is for a service that is one of a number of bundled services provided in a single encounter, the provider should counsel the patient about whether it is able to unbundle the service to permit the individual to pay for that service and the possible effect of doing so (e.g., the health plan still may be able to determine that the service was provided). If unbundling the service is possible, the provider should abide by the individual's request to unbundle; if it is not possible, the provider should permit the individual to restrict and pay out of pocket for the entire bundle of services;
- providers do not have an obligation to inform downstream providers of a restriction, but OCR encourages providers to counsel patients to request a restriction and pay out of pocket with such downstream providers in order for the restriction to apply to disclosures by those providers; and
- providers within an HMO who cannot by law accept payment from an individual in excess of the individual's cost-sharing amount may counsel individuals to use an out-of-network provider to obtain items or services about which the individual wishes to restrict PHI from disclosure.
Notice of Privacy Practices
The Final Rule requires health care providers and health plans to update their notices of privacy practice ("NPPs") to address numerous changes, including: (1) that most uses and disclosures of psychiatric notes, along with marketing communications and the sale of PHI, are not permitted without the individual's prior written authorization; (2) that covered entities must notify affected individuals of a breach of unsecured PHI; (3) if applicable to the covered entity, that individuals may opt out of receiving any fundraising communications from the provider or plan; and (4) that individuals may restrict disclosures of PHI to health plans where they have paid out of pocket and in full for such care. Most health plans also must inform individuals that the plans are prohibited from using or disclosing individuals' genetic information for underwriting purposes.
The Final Rule modifies the definition of PHI to exclude individually identifiable health information of individuals who have been dead for more than 50 years. However, OCR is careful to point out that this modification does not impose a 50-year record retention requirement on covered entities. In addition, covered entities now may disclose a decedent's PHI to family members or others who were involved in the individual's care or payment for that care before the person's death, unless such a disclosure would be inconsistent with a preference that the individual expressed to the covered entity before his or her death. Any PHI provided under these circumstances must be limited to that which is relevant to the person's involvement in the individual's care or payment therefor.
In response to complaints from health care providers that obtaining a formal written authorization before releasing immunization information to schools was too burdensome, the Final Rule permits covered entities to disclose student immunization records to schools where the schools are required by law to have this information before admitting students. Before making such a disclosure, a covered entity first must obtain oral or other agreement from the student, if of age, or the student's parent or guardian, and document that agreement. This agreement should be considered effective until revoked and may permit future disclosures.
The Final Rule confirms that business associates and subcontractors now are subject to civil monetary penalties and enforcement actions for noncompliance with applicable provisions of HIPAA. In addition, the Final Rule amplifies the discretion the Secretary of HHS has in determining when to investigate potential HIPAA violations. Now, if a preliminary review of facts cited in a complaint indicates a possible violation due to willful neglect, the Secretary must investigate the complaint. Similarly, if during an audit the facts indicate a possible violation due to willful neglect, the Secretary must conduct a compliance review. Where the facts do not indicate a possible violation due to willful neglect, the Secretary has discretion whether or not to further investigate or conduct a compliance review. Accordingly, covered entities and business associates should understand the definition of "willful neglect" and make every effort to avoid this type of violation. The Secretary now also has enforcement discretion to move directly to a civil monetary penalty without exhausting informal means of resolution.
The Final Rule also implements the HITECH Act's tiered civil monetary penalty structure that includes significantly increased financial penalties for HIPAA violations. It also outlines factors that may be considered in determining the amount of a penalty, including the nature of the violation, the nature and extent of the resulting harm, the history of previous HIPAA compliance by the entity, and the financial condition of the noncompliant covered entity or business associate.
The Final Rule clarifies that genetic information is a type of health information and prohibits most health plans (excluding only long-term care plans) from using or disclosing genetic information for underwriting purposes. "Genetic information" includes manifestation of a disease or disorder in an individual's family member, as well as genetic tests of individuals and family members. However, once a disease or disorder manifests in the individual, it is no longer considered genetic information. As noted above, health plans that intend to use or disclose PHI for underwriting purposes now must add a statement to their NPPs providing that the plans will not use or disclose genetic information for such purposes.
Regulatory Impact Analysis
As frequently occurs, the government's estimate of the Final Rule's financial impact on the national economy (between $114 million and $225.4 million during the first year of implementation and about $14.5 million annually thereafter) appears to be pure guesswork and almost certainly vastly underestimates the actual costs of implementation. For example, HHS estimates it will cost $55.9 million in the first year, for all covered entities and third party administrators nationwide, to issue new notices of privacy practices (or an average of $80 per entity), $14.5 million annually to comply with the breach notification rule (or an average of $763 per covered entity responding to a breach), between $22.6 million and $113 million for all business associates to achieve full compliance with the security rule's requirements (or an average of $198 per business associate), and a total of between $21 million and $42 million for all business associates nationwide to establish or modify BAAs with subcontractors (or an average of $84 per business associate). Equally unrealistic are the estimates that each covered entity has, "on average, two to three business associates," that only 6.71 million individuals' PHI will be breached annually, that it will take about one-third of one hour for a lawyer to update a covered entity's NPP at a cost of about $28, and that it will take one hour for a covered entity to compose and document notice of a breach at an average cost of $32.75 per notice.
Those wishing to ferret out these and other details may access the Final Rule here.
The Final Rule contains scores of details and nuances that will take time to evaluate and digest. Although covered entities and business associates have nearly eight months to come into compliance with all of its requirements, it is not too soon to begin mapping out the various procedural, policy, and operational changes that must be made and working with internal staff and outside counsel and consultants to effectuate these changes.
Smith Moore Leatherwood is currently preparing updates to its turnkey package of HIPAA privacy and security template policies, forms, and letters to assist covered entities and business associates in complying with the Final Rule's requirements. The updated document set will be available in the spring.
For more information about the Final Rule, compliance strategies, or information about our HIPAA policies and forms, please contact:
Maureen Demarest Murray