On January 17, 2013, the federal Department of Health and Human Services ("HHS"), Office for Civil Rights ("OCR"), issued the long-anticipated final omnibus amendments (the "2013 Amendments") to the Privacy, Security, Breach Notification and Enforcement Rules (the "HIPAA Rules") under the Health Insurance Portability and Accountability Act ("HIPAA"), as directed pursuant to the Health Information Technology for Economic and Clinical Health ("HITECH") Act, enacted as part of the American Recovery and Reinvestment Act of 2009. The 2013 Amendments are effective as of March 26, 2013, and compliance with applicable requirements generally must be made within 180 days, by September 23, 2013 (with important exceptions for existing business associate arrangements). Significant penalties apply for non-compliance.
The 2013 Amendments include a number of sweeping changes to the HIPAA Rules, including the expansion of the definition of a business associate to include their subcontractors that handle protected health information ("PHI"); a higher threshold for determining whether a breach has occurred for reporting purposes; and restrictions on "marketing" activities and the "sale" of PHI. Business associates are now directly subject to HIPAA with respect to the Security Rule. The 2013 Amendments also implement the Genetic Information Nondiscrimination Act of 2008 ("GINA") by including genetic information in the HIPAA definition of health information and by prohibiting health insurance issuers from using such information for underwriting purposes. Finally, covered entities must issue new notices of privacy practices to comply with the amended HIPAA Rules. Overall, these changes will have a profound effect on healthcare providers, plans, individuals, entrepreneurs, investors and advertisers, as well as many others that support the healthcare industry, such as entities that analyze, create, maintain or use healthcare data. HHS states that industry-wide costs for first-year compliance will range from $115 million to $225 million, but industry analysts anticipate real costs to be exponentially higher.
Below, we briefly address and summarize the key provisions and changes contained in the 2013 Amendments.
a. Inclusion of Subcontractors
The 2013 Amendments significantly expand the definition of a "business associate"—and thereby the application of HIPAA—to include subcontractors of business associates (and their subcontractors) that create, receive, maintain or transmit PHI in performing a function, activity or service delegated by the business associate to a subcontractor. A covered entity must obtain satisfactory assurances in the form of a written contract or other arrangement from each business associate, and each business associate in turn must do the same with regard to each subcontractor that handles PHI on its behalf, and so on—no matter how far "down the chain" the PHI flows.
Disclosures of PHI by a business associate and its business associate subcontractors for its own management and administration or legal responsibilities, however, do not create a business associate relationship with the recipient of the PHI because such disclosures are made outside of the entity's role as a business associate. Furthermore, covered entities are not required to enter into a contract or other arrangement directly with a HIPAA-covered subcontractor of a business associate. Notably, the 2013 Amendments also make some technical revisions to the HIPAA Rules to clarify that failing to enter into a business associate agreement or contract does not exempt a person from the definition of business associate and thereby HIPAA's requirements; rather, the applicable facts and circumstances control.
b. Inclusion of Health Information Organizations, Vendors of Personal Health Records and Others That Facilitate Data Transmission
Also included in the definition of a business associate are entities that create, receive, maintain or transmit PHI through electronic means, such as health information organizations ("HIOs"); vendors of personal health records; and others that facilitate data transmission. As HHS explains, the business associate definition now applies to an entity that "maintains" PHI (in addition to creating, receiving or transmitting it)—i.e., an entity that accesses PHI "on a routine basis." There is an exception for a "conduit" of PHI, i.e., an entity that provides mere courier or transmission services (in digital or hard form). Only an "opportunity to access" PHI is needed to implicate HIPAA, and the key is whether the opportunity is "transient" as opposed to "persistent." Specifically, HHS noted that entities which "manage" the exchange of PHI through a network, including oversight or governance functions for the electronic HIO, fall within the purview of HIPAA because they have more than random access to PHI. Whether or not they view PHI is not key. HHS stated that this area is evolving and that additional guidance will be provided in the future, as the areas of healthcare information technology and exchanges develop.
c. Compliance Deadlines for Business Associate Compliance
Covered entities and business associates (including their subcontractors) must ensure compliance, including by entering into written agreements, by September 26, 2013. There is an exception for covered entities and business associates (including their subcontractors) that had preexisting business associate agreements prior to January 25, 2013. In such cases, if the agreement is not renewed or modified prior to September 23, 2013, then the parties are deemed compliant until the earlier of the date that the agreement is renewed or modified, or September 24, 2014.
The 2013 Amendments make significant changes to the current Interim Final Breach Notification Rule that was published in August 2009 and to date has guided covered entities and business associates with respect to breaches. The most dramatic change concerns the definition of the term "breach." Under the current interim rule, a "breach" is defined as an inappropriate use or disclosure of PHI involving a significant risk of financial, reputational or other harm. The 2013 Amendments modify this definition by providing that an impermissible use or disclosure of PHI is presumed to be a breach, unless it can be demonstrated that there is a low probability that PHI has been compromised based upon a four-part risk assessment that considers: (1) the nature and extent of the PHI involved in the breach; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to PHI has been mitigated. If the risk assessment evaluation fails to demonstrate there is a low probability that any PHI has been compromised, breach notification is required. Certain exceptions to the definition of a breach continue to apply.
In the case of a breach, the 2013 Amendments require covered entities to notify each affected individual whose unsecured PHI has been compromised. Even if such breach is caused by a business associate, the covered entity is ultimately responsible for providing the notification (although the covered entity is free to delegate the breach response function to the business associate). Moreover, a business associate's, as well as the workforce member's, knowledge of a breach will be imputed onto a covered entity. If the breach involves more than 500 persons, OCR must be notified in accordance with instructions posted on its website. The HIPAA-covered entity bears the ultimate burden of proof to demonstrate that all notifications were given or that the impermissible use or disclosure of PHI did not constitute a breach and must maintain supporting documentation, including documentation pertaining to the risk assessment.
The 2013 Amendments substantially modify the definition of marketing to require an authorization from an individual for the receipt of certain marketing materials for treatment or operations purposes. This modification will significantly impact third parties who wish to market their products or services through covered entities.
Marketing broadly applies to any communications about a product or service that encourages a recipient to purchase or use the product or service. Under the 2013 Amendments, exceptions to the definition of marketing communications include any communication that is made: (1) to provide refill reminders or information regarding a drug that is currently being prescribed, as long as any financial remuneration received by the covered entity is "reasonably related" to the cost related to the marketing; (2) regarding the product or service of a third party for certain treatment or operations purposes, except where financial remuneration is involved. The kinds of communications covered by this provision include those offered to an individual as part of treatment, or to a larger population as part of operations, regarding case management, care coordination or alternative treatment modalities; or to describe a health-related product or service—or payment for the product or service—that is provided by the covered entity or included in a plan of benefits, such as communications about network-participating providers or value-added products or services not offered by a plan (e.g., vision plan enhancements).
In other words, the definition of marketing now includes communications issued by a covered entity or business associate regarding a treatment- or operations-related product or service offered by a third party and the third party has compensated the covered entity or business associate for the communication. In these situations, an individual's authorization that covers subsidized communications is required. It is important to note there are key exceptions to the authorization requirement—i.e., when the covered entity makes the communication face-to-face or the communication consists of a promotional gift of nominal value.
IV. Security Rule
The HIPAA Security Rule applies to electronic PHI (ePHI) that is created, received, maintained or transmitted by a covered entity. Pursuant to HITECH, the 2013 Amendments expand the application of the Security Rule to business associates (that now are defined to include subcontractors of business associates that handle PHI for or on behalf of business associates). This means that business associates must comply with all of the Security Rule's applicable administrative safeguards (security management procedures, training, etc.); physical safeguards (workstation security, device and media controls, etc.); and technical safeguards (audit controls, transmission security, etc.). Business associates, including their subcontractors that handle PHI, must enter into agreements that require the business associates to comply with the Security Rule. Significantly, a downstream business associate (or a business associate subcontractor) must notify the upstream entity of any security incident or breach under the breach notification rules.
V. Amendments to the Authorization Requirements
a. Sale of PHI
The 2013 Amendments provide a general prohibition on any disclosure in exchange for remuneration (i.e., a sale) of any PHI by a covered entity or by a business associate without an authorization from the individual for such disclosure. Additionally, the authorization must state that such disclosure will result in remuneration. The 2013 Amendments define "sale of PHI" broadly to mean any disclosure where the covered entity or business associate receives, directly or indirectly, any remuneration in exchange for the PHI. OCR confirms the broad scope of this provision by clarifying that the term "remuneration" is not limited to financial payments (as the marketing provisions are, above); therefore, this prohibition applies to the receipt of financial as well as nonfinancial benefits. The 2013 Amendments provide a number of exceptions to this general authorization requirement, such as disclosures for public health, treatment and payment purposes, and sale and merger transactions, among others.
b. PHI After Death
Prior to the 2013 Amendments, the HIPAA Privacy Rule applied the same protections to the PHI of non-living individuals as it did to the PHI of living individuals. By amending the definition of PHI to generally exclude any health information of a person who has been deceased for more than 50 years, the 2013 Amendments limit the HIPAA Privacy Rule's protections with regard to a deceased individual's PHI for a period of 50 years after the date of death. Additionally, the 2013 Amendments provide that covered entities may disclose deceased individuals' PHI to non-family members, as well as family members, who were involved in the care or payment for healthcare of the decedent prior to death; however, the disclosure must be limited to PHI relevant to such care or payment and cannot be inconsistent with any prior expressed preference of the deceased individual.
c. Disclosure to Schools of Student Immunizations
The 2013 Amendments permit a covered entity to disclose, without written authorization, immunization records to a school where state or other law requires, as opposed to merely permits, the school to have such information prior to admitting the student. While written authorization would no longer be required, the covered entity would nevertheless be required to obtain and document agreement to the disclosure that may be oral and over the phone from the parent or person acting in loco parentis for the individual, or from the individual himself or herself. A mere request by a school for the immunization records of a student would not be sufficient to permit disclosure without authorization.
VI. Notice of Privacy Practices
The 2013 Amendments reflect modifications from the interim final rule that provide significant changes to covered entities' Notice of Privacy Practices ("NPP") regarding uses and disclosures that require authorization. While the 2013 Amendments do not require the NPP to include all situations requiring authorization, the NPP must contain a statement indicating that most uses and disclosures of psychotherapy notes, marketing disclosures and sale of PHI do require prior authorization, as well as the right of the individual to be notified in case of a breach of unsecured PHI. OCR clarifies that distribution by covered entities of new NPPs to individuals is required because the changes to the NPP requirements are material.
VII. Individuals' Right to Restrict Disclosures; Right of Access
To implement the HITECH Act, the Privacy Rule is amended to require a covered entity to restrict the disclosure of PHI about the individual to a health plan, upon request, if the disclosure is for the purpose of carrying out payment or healthcare operations and is not otherwise required by law. The PHI must pertain solely to a healthcare item or service for which the individual has paid the covered entity in full. OCR clarifies that the adopted provisions do not require that covered healthcare providers create separate medical records or otherwise segregate PHI subject to a restrict healthcare item or service; rather, providers need to employ a method to flag or note restrictions of PHI to ensure that such PHI is not inadvertently sent or made accessible to a health plan.
The 2013 Amendments also adopt the proposal in the interim rule requiring a covered entity to provide a copy of PHI to any individual requesting it in electronic form. The electronic format must be provided to the individual if it is readily producible. OCR clarifies that covered entities must provide individuals only with an electronic copy of their PHI, not direct access to their electronic health record systems. The 2013 Amendments also provide the right to individuals to direct a covered entity to transmit an electronic copy of PHI to an entity or person designated by the individual. Furthermore, the amendments restrict the fees that covered entities may charge for handling and reproduction of PHI, which must be reasonable, cost-based and identify separately the labor for copying PHI (if any). Finally, the 2013 Amendments modify the timeliness requirement for right of access, from up to 90 days currently permitted to 30 days, with a one-time extension of 30 additional days.
The 2013 Amendments continue to permit a covered entity or business associate to use PHI for its fundraising without the individual's authorization, and even expand the fundraising rules by allowing covered entities to utilize demographic information, including the individual's health insurance status and certain treatment and outcome information. With respect to individuals' right to opt out of fundraising communications, covered entities are now free to decide which opt-out methods to provide to individuals, as long as the chosen methods do not impose an undue burden or more than a nominal cost for the individuals. For example, requiring a written letter would be an undue burden, but a pre-printed, prepaid postcard would be appropriate; use of a toll-free number or an e-mail address is encouraged.
IX. Modifications to the HIPAA Privacy Rule Under GINA
The Genetic Information Nondiscrimination Act of 2008 ("GINA") prohibits discrimination based upon an individual's genetic information and, among other things, required OCR to revise the HIPAA Privacy Rule to include genetic information within the definition of health information. The 2013 Amendments amend the existing HIPAA Privacy Rule by adding the prohibition on the use of "genetic information" for "underwriting purposes," with the exception of the underwriting of long-term care policies. OCR was persuaded to exempt long-term care insurance by rulemaking comments that prohibiting use of genetic information for underwriting purposes would impair the viability of the long-term care insurance market. As with other terms used in this section of the 2013 Amendments, "genetic information" and "underwriting purposes" are defined terms. It is important to note that nothing in GINA should be construed to limit the ability of a health plan to adjust premiums or establish eligibility criteria on the basis of a manifestation of a disease or disorder of an enrollee. The terms "manifestation or manifested" are defined because they are used to distinguish permissible uses of genetic information by insurance companies from impermissible uses. The 2013 Amendments also require health plans that perform underwriting to include in their NPPs a statement that they are prohibited from using or disclosing genetic information for underwriting purposes. We will be reporting on a separate, detailed analysis of the provisions of the 2013 Amendments implementing GINA in the near future.
X. The Hybrid Entity, Its Healthcare Components and Business Associate Functions
Under the HIPAA Rules, a "hybrid entity" is one that performs HIPAA-covered and non-covered functions, such as a small manufacturing company and its health clinic that is a HIPAA-covered entity. In this example, the health clinic constitutes a "health care component" under HIPAA. The 2013 Amendments clarify that the business associate functions provided by the hybrid entity to its healthcare component, such as billing for the health clinic in the example above, are now considered part of the healthcare component and are subject to HIPAA.
XI. Compliance and Investigations; Liability
a. Investigations; Basis for Liability
Under the 2013 Amendments, as required by HITECH Act, any complaint or violation must be formally investigated if a preliminary review of the facts indicates a possible violation due to willful neglect. Thus, in such situations, informal means can no longer be used to resolve such violations. OCR also confirmed that preliminary review needs to indicate only "possible" as opposed to "probable" willful neglect. OCR emphasized that they retain discretion to decide whether to conduct a formal investigation where preliminary review of the facts indicates a degree of culpability less than willful neglect.
Significantly, the 2013 Amendments make covered entities and business associates liable for acts of their business associates that are deemed to be agents. A number of comments expressed concerns to this new rule in proposed form, but OCR justifies its interpretation under the federal common law of agency. Commenters argued that contractual provisions, not the federal common law of agency, should control, but all such arguments were dismissed by OCR.
b. Civil Monetary Liability
As required by the HITECH Act, the 2013 Amendments substantially increase the potential civil monetary fines for violations for covered entities and business associates, and establish tiers of escalating penalty amounts based on increasing degrees of culpability of violators and other responsible parties. The 2013 Amendments also reduce OCR’s discretion in assessing these fines.
Violation Category – Section 1176(a)(1)
All Such Violations of an Identical Provision in a Calendar Year
(A) Did Not Know
$100 - $50,000
(B) Reasonable Cause
$1,000 - $50,000
(C)(i) Willful Neglect-Corrected
$10,000 - $50,000
(C)(ii) Willful Neglect-Not Corrected
In circumstances where discretion is available, the Secretary, in determining the amount of penalty, is required to take into account the nature of the claims and the circumstances under which they were presented, the degree of culpability, history of prior offenses, financial condition of the person presenting the claims and other matters. OCR also intends to consider factors, such as the time period during which the violations occurred; reputational harm; and the number of individuals affected.
Therefore, every HIPAA-covered entity, its business associates and their subcontractor business associates are strongly encouraged to quickly review the 2013 Amendments, consider its implications and promptly begin working to achieve compliance with applicable provisions and mitigate statutory liability risks. Significant penalties apply for lack of compliance. It may be worthwhile to consider taking prompt action.
The above discussion provides a cursory discussion of the 2013 Amendments, which cannot and should not be relied upon for any purpose other than informational purposes. All situations and questions concerning PHI, the 2013 Amendments and other subjects discussed above present unique facts and issues, which along with applicable state laws should be considered on a case-by-case basis.
For Further Information
If you have any questions or would like further information, please contact David Loder, Lisa W. Clark, Harry Silver, Neville Bilimoria, Erin Duffy, Emmy Monahan, Dmitry Tuchinsky, any other member of the Health Law Practice Group, or the attorney in the firm with whom you are regularly in contact.