HHS Proposed HITECH Rule Changes HIPAA Landscape
Authors: Robert D. Belfort | Susan R. Ingargiola
The Health Information Technology for Economic and Clinical Health Act (“HITECH”), enacted on February 17, 2009, was designed to promote the widespread adoption of electronic health records (“EHRs”) and other health information technology tools.
In connection with advancing this goal, HITECH included a number of provisions to strengthen the privacy and security protections established under the Health Insurance Portability and Accountability Act (“HIPAA”). On July 8, 2010, the U.S. Department of Health and Human Services (“HHS”) issued a long-awaited Notice of Proposed Rulemaking (“NPRM”) that both implements many of the HITECH provisions and modifies other HIPAA requirements.
Covered Entities (“CEs”) and Business Associates (“BAs”) will have a grace period of 240 days from the publication of the final rule to come into compliance with the changes, notwithstanding that many of the HITECH statutory provisions became effective on February 18, 2010. The NPRM is open to public comment for 60 days beginning July 14, 2010. Highlights are provided below.
Direct Application of HIPAA to BAs
- The NPRM implements HITECH’s statutory requirement that BAs directly comply with the HIPAA Security Rule provisions mandating administrative, physical, and technical safeguards, and that they adhere to the terms of their Business Associate Agreements (“BAAs”) as well as HITECH’s privacy-related requirements. BAs are subject to the same civil and criminal penalties as CEs for violating these obligations.
- The NPRM extends HIPAA’s reach to subcontractors of BAs, making them liable for privacy and security violations to the same extent as BAs. The NPRM revises the definition of a BA to include BA subcontractors, even though they do not contract directly with a CE. Further, the NPRM requires BAs to execute BAAs with their subcontractors. Previously, BAs were required only to ensure that subcontractors agree to comparable restrictions on the use and disclosure of protected health information (“PHI”).
- In accordance with HITECH, the NPRM modifies the definition of a BA to include a “Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to [PHI] to a CE and that requires routine access to such protected health information” and a person who offers a personal health record to one or more individuals on behalf of a CE. The Preamble to the NPRM specifies that entities that manage the exchange of PHI through a network, including providing patient locator services and performing various oversight and governance functions for an electronic health information exchange, fall within the definition of a BA.
- Because these new provisions could necessitate that CEs and BAs amend their BAAs, the NPRM proposes transition provisions to allow CEs, BAs, and BA subcontractors to continue to operate under existing contracts for up to one year beyond the compliance date of the final rule.
New Limitations on Disclosures for Marketing and Fundraising
- In accordance with HITECH, the NPRM proposes to modify the definition of prohibited “marketing” to include certain health-related promotional communications if the CE making the communication receives financial remuneration from a third party. Interestingly, the NPRM distinguishes a promotional communication made to carry out health care operations from one that is treatment-related. CEs may not receive remuneration for communications carrying out health care operations without patient authorization, except in limited circumstances, such as refill reminders. But treatment-related communications paid for by a third party are permitted without patient authorization if the communication discloses the remuneration and provides the individual a clear and conspicuous opportunity to opt out of receiving future subsidized communications. This distinction could provide a continued basis for many subsidized communications that were previously thought by many to be prohibited under HITECH.
- The NPRM requires that any fundraising communication sent to an individual provide a clear and conspicuous opportunity to opt out of receiving any further fundraising communications. It is worth noting that the NPRM solicits comments on whether CEs should be allowed to use or disclose PHI related to the department in which a patient was treated (e.g., surgery or oncology) and other categories of information for fundraising activities without patient authorization. Currently, the Privacy Rule limits the information a CE may use or disclose for fundraising to demographic information and dates of health care services provided. Such a change would facilitate the type of targeted fundraising hospitals have been restricted from carrying out under HIPAA.
Prohibition on Sale of PHI
- As set forth in HITECH, the NPRM requires a CE to obtain an authorization for any disclosure of PHI in exchange for direct or indirect remuneration. The authorization must state that the disclosure will result in the receipt of remuneration by the CE. The NPRM proposes to except several disclosures from the authorization requirement, generally following the exceptions provided in HITECH, which include those for public health; research purposes, provided that the price charged for the information reflects the costs of preparation and transmittal of the data; treatment; the sale, transfer, merger, or consolidation of all or part of a CE and for related due diligence; services by a BA; and the provision of access to an individual to his or her PHI. The NPRM proposes to add to the list of exceptions disclosures for payment purposes, disclosures pursuant to requests for accountings of disclosures, disclosures required by law, and other permitted disclosures, provided that the remuneration is a reasonable fee to cover the cost of preparation and transmittal.
Individuals’ Access to PHI in Electronic Format
- In accordance with HITECH, the NPRM requires CEs to give individuals electronic copies of any PHI maintained in an EHR. But the NPRM broadens this HITECH requirement by applying the electronic copy mandate to all PHI maintained electronically in a designated record set. CEs must also provide an electronic copy to an individual’s designee if requested. The NPRM includes details about the labor and media (if the electronic copy is provided in physical media) costs that CEs may charge individuals for providing electronic access to their PHI.
- Due to the expansion of HITECH’s electronic copy requirement to all electronic data, HHS evidently did not deem it necessary to define the term “electronic health record.” As a result, CEs are still in the dark as to how this HITECH term will be interpreted in the more significant accounting of disclosures context.
Restrictions on Disclosures of PHI to Health Plans
- HITECH requires CEs to honor an individual’s request not to share information with the individual’s health plan for payment or health care operations if the individual is paying the full cost of the service to which the information relates. In implementing this provision, the NPRM clarifies that CEs must permit individuals to determine which health care items or services a restriction applies to, and that CEs may not require individuals who wish to restrict disclosures about certain health care items or services to restrict disclosure of PHI about all items and services. The NPRM requests comments on what, if any, obligations providers should have to notify downstream providers, including pharmacies, that an individual has placed a restriction on the disclosure of information.
Enforcement
- The NPRM proposes to implement a number of HITECH’s enforcement provisions that were not included in a previously released interim final rule (issued on October 30, 2009 at 74 FR 56123). Further, the NPRM proposes to make regulatory changes necessary to implement HITECH’s imposition of civil money penalty liability on BAs. The NPRM also defines the terms “reasonable cause,” “reasonable diligence,” and “willful neglect,” which underlie the various penalty levels under the Enforcement Rule.
Other Proposed Changes
Among other changes, the NPRM also proposes to:
- Permit compound authorizations for research (e.g., an authorization permitting a CE to use PHI for more than one purpose, if both (or all) purposes relate to the same research project).[1] The NPRM also requests comments on whether (and how) an authorization could be used to permit future unspecified research studies using the subject’s PHI.
- Limit the period for which a CE must protect a deceased individual’s health information to 50 years after the individual’s death.
- Require CEs’ Notice of Privacy Practices to include additional information, such as the new authorization requirements proposed in the NPRM.
- Permit CEs to disclose student proof of immunization to schools in certain instances without written authorization (e.g., with the oral agreement of a parent, guardian or other person acting in loco parentis for the individual, or from the individual, if the individual is an adult or emancipated minor).
Status of Related HITECH Rulemakings
- HITECH’s breach notification provisions and modified civil monetary penalty structure were the subject of prior rulemakings.
- HITECH’s accounting of disclosures and minimum necessary provisions will be the subject of future rulemaking.
[1] For example, a single authorization could be used for a clinical study as well as for specimen collection for a central repository.
For additional information on this issue, contact:
Robert D. Belfort Mr. Belfort has extensive experience representing healthcare organizations on regulatory compliance and transactional matters. His clients include hospitals, community health centers, mental health providers, pharmacy chains, health insurers, IPAs, pharmaceutical manufacturers, pharmacy benefit managers, information technology vendors and a variety of other businesses in the healthcare industry.
Susan R. Ingargiola Ms. Ingargiola provides strategic and regulatory advice, policy analysis and project support to pharmaceutical and biotechnology companies, healthcare providers and other healthcare clients on Medicare regulatory and reimbursement, health information technology and other issues.