A Baker's Dozen of Significant Changes From the HIPAA/HITECH Rule
The long-awaited final omnibus rule modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, as well as the breach notification rules of the Health Information Technology for Economic and Clinical Health (HITECH) Act (Final Rule), represents an important milestone in the legal landscape of protected health information (PHI).
Leon Rodriguez, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), has made it clear that the Final Rule provides for the most sweeping changes to HIPAA since the Privacy and Security Rules were released. And further, the Final Rule provides OCR with an opportunity to vigorously enforce compliance.
These statements are a reality for the several dozen OCR investigations that BakerHostetler currently is defending. As time passes, and OCR gains experience through the thousands of breaches that are reported and the audits that are conducted, the questions organizations face will become more difficult to answer. The Final Rule is significant for any organization considered to be a HIPAA-covered entity (health systems, healthcare providers, health plans, etc.) or the more broadly defined business associate. Now that the Final Rule is here, what do covered entities and business associates need to do to prepare for compliance? The following report provides a "Baker's Dozen" of significant changes from the Final Rule that organizations need to know to prepare for the new HIPAA/HITECH requirements.
1. Business Associates and Subcontractors
Business associates and subcontractors now are directly liable to OCR for compliance with the Privacy and Security Rules and may be assessed civil monetary penalties (CMPs) directly for any violations. Business associates now are required to meet certain standards under HIPAA, including having administrative, technical and physical safeguards in place to protect PHI. Further, they are required to conduct risk assessments related to the PHI they handle and document such assessments.
Because business associates now have direct liability to OCR, covered entities can expect to see more protracted negotiations with business associates over their obligations under a business associate agreement and should be more judicious in entering into those agreements. The Final Rule also extends the federal common law of agency such that a covered entity or business associate may be liable for violations due to the acts or omissions of an agent, such as a business associate or sub-business associate, acting within the scope of that agency. The Final Rule's definition of business associate includes those that merely store or maintain PHI. Covered entities are not absolved of their own compliance and potential violations, even if a business associate causes a breach. Covered entities must receive assurances from their business associates of compliance with the Privacy and Security Rules. The federal common law is the standard that OCR will apply in determining whether liability is imputed under a theory of agency.
Covered entities are encouraged to shore up their business associate agreements to include indemnification language and consider cyber liability insurance requirements when contracting with business associates. It is expected that OCR will look to both the covered entity and the business associate to determine if each was in compliance with HIPAA and assess penalties to each party, as the agency deems appropriate.
This dynamic may create animosity between the two parties in an attempt to avoid potential regulatory exposure during a breach response or OCR investigation. Business associates cannot avoid regulatory liability by refusing to sign a business associate agreement or limiting liability in those agreements. Business associates also should ensure they have sub-business associate agreements with their subcontractors who handle PHI.
2. Breach Notification
Much remains the same in the Final Rule with respect to breach notification, such as the 60-day time period in which to notify affected individuals, the content requirements of the notification letters, law enforcement delays, substitute notice requirements if the covered entity has ten or more incorrect addresses and media notice if more than 500 persons are affected in a given jurisdiction.
However, the Final Rule modified the standard used to determine whether a breach of PHI has occurred. Specifically, the Final Rule has replaced the previous standard, which required an analysis of significant risk of financial, reputational or other harm to the individual in determining whether a breach occurred. It focused subjectively on the harm to the individual and the risk of significant harm to the individual whose information was potentially disclosed. The new standard has the same basic definition as before but presumes that a breach has occurred unless, after the analysis of four factors, the covered entity determines that there is a low probability that PHI has been compromised by the unauthorized use or disclosure. Compromised is no longer defined but the Final Rule guides with the following four factors:
The nature and extent of the PHI
The unauthorized person involved
Whether the PHI was actually acquired or viewed
The extent to which any risk has been mitigated
The covered entity must document the analysis and has the burden of demonstrating that a breach did not occur.
OCR expects that more breaches will be reported as a result of the new analysis, but the Final Rule does allow for a breach analysis. Covered entities may need to consult experts in forensics and privacy law to assist in the breach analysis and provide the required documentation. Specifically, outside forensics will be helpful to determine if the PHI actually was viewed or acquired. Privacy counsel can provide an objective analysis using the four factors to support whether a breach has occurred. Regardless, covered entities and business associates will need to document their investigation and analysis should it be needed in a subsequent regulatory investigation.
The Final Rule made some clarifications to the previous guidelines surrounding substitute notice, media notification and reporting to OCR. Specifically, the Final Rule states that substitute notice or media notice may at times occur after the 60-day period and after the notification letters have been sent, depending on the circumstances. Further, breaches under 500 persons must be reported to OCR no later than 60 days after the calendar year in which they were discovered, not the year in which they occurred. The Final Rule also confirmed that notification to OCR must occur contemporaneously with notice to individuals for breaches involving more than 500 persons. These clarifications are helpful in understanding what is expected from OCR and show the agency's apparent flexibility regarding the specific circumstances of a breach notification.
3. Covered Entity Organizational Structures
As originally published, the HIPAA Privacy and Security Rules gave covered entities flexibility to designate portions of their businesses as either covered healthcare components or nonhealthcare components separate from HIPAA requirements, or to enter into affiliations and certain clinically integrated arrangements with other covered entities. These include hybrid covered entities, affiliated covered entities and organized healthcare arrangements. Although the changes made to these provisions under the Final Rule are relatively few, being aware of the availability of such structures and the limits of the flexibility they provide is critical in today's fast-changing healthcare marketplace. For all three types of organizational structures, the Final Rule clarifies that the breach notification requirements of subpart D apply to all covered components and/or affiliated entities or participants, as well as the standards and implementation specifications of the Privacy and Security Rules.
Previously, hybrid covered entities had the option to segregate the nonhealthcare components of their business from the covered healthcare components, even if a nonhealthcare component would constitute a business associate if it were a separate legal entity. Now, under the Final Rule, a hybrid covered entity must include a nonhealthcare component that functions as a business associate as part of the hybrid entity's healthcare components subject to HIPAA.
Affiliated covered entities must ensure that each affiliated covered entity complies with the joint implementation of the standards and implementation specifications of the Privacy and Security Rules. Additionally, whenever the health plan, healthcare provider or healthcare clearinghouse functions are combined, the requirements applicable to protecting clearinghouse data from access by unauthorized functions and the requirement to apply unique privacy requirements to specific covered functions must be followed.
With respect to organized healthcare arrangements (OHCAs), HHS modified the scope of permitted disclosures of PHI within an OHCA for treatment, payment and healthcare operations to recognize the participants in a clinically integrated care setting that may not be covered entities (e.g., physicians with staff privileges that are not workforce members and are not covered entities). HHS stated, however, that "such change does not permit employers and pharmaceutical representatives to receive access to protected health information from or through an OHCA in a manner they would otherwise be prohibited from now."
4. Cloud Computing
In the Final Rule, HHS added to the definition of business associate Health Information Organizations (HIOs), E-Prescribing Gateways and other persons that provide data transmission and require routine access to PHI and pledged that further guidance on HIOs will be forthcoming.
Cloud computing also received eagerly awaited clarification in the Final Rule. Cloud computing essentially is the delivery of computing resources (hardware, software, data) over a network, with varying levels of access, operation and control executed by the customer using either private network or public Internet infrastructures. There are two ways in which the Final Rule has clarified that cloud computing providers, to the extent they have access to, maintain or store a customer's PHI on a persistent basis, are business associates under HIPAA.
First, the definition of business associate has been amended to include persons, such as subcontractors, that "maintain" PHI, as well as persons that create, receive or transmit PHI. Second, according to the Final Rule preamble, persons or entities that have a persistent opportunity to access a customer's PHI (even if actual access or viewing would be rare or nonexistent), such as, for example, data storage providers, are not merely "conduits" for the transmission of data but are business associates required to enter into HIPAA-compliant business associate agreements with their covered entity or business associate customers and comply with the applicable HIPAA security, privacy and breach notification standards and implementation specifications. Thus, cloud computing providers who store, maintain or have access to PHI, even if such access is never acted upon or is merely physical, will be considered business associates for purposes of HIPAA compliance.
5. Marketing
The Final Rule significantly alters the definition of marketing by requiring authorization for all treatment and healthcare operations communications for which the covered entity receives "financial remuneration" from a third party whose product or service is being marketed in exchange for making the communication (note, however, that to be valid, the authorization must state that such remuneration is involved). In light of this change, the Final Rule does not adopt certain proposed rules requiring a covered entity to include in its notice of privacy practices (NPP) a statement informing individuals that their provider "may send treatment communications to the individual concerning treatment alternatives or other health-related products or services where the provider receives financial remuneration from a third party" for making such communication. Nonetheless, a covered entity still may include such statements in its NPP if it wishes to do so. Additionally, the Final Rule retains the exception applying to refill reminders and other communications about a drug or biologic that a provider currently is prescribing to an individual. Such communications will not constitute marketing, provided that any financial remuneration the covered entity receives for making the communication is "reasonably related to the covered entity's cost of making the communication."
The Final Rule also adopts the definition of financial remuneration as suggested in the proposed rule, and therefore, defines such remuneration as "direct or indirect payment from or on behalf of a third party whose product or service is being described." This payment does not include "any payment for treatment of the individual." Further, comments to the Final Rule clarify that nonfinancial benefits, such as in-kind benefits, given to a provider in exchange for making a communication will not constitute financial remuneration.
6. Fundraising
The Final Rule applying to communications made for fundraising purposes generally adopts the language appearing in the proposed rule. Thus, covered entities must provide an individual with a clear and conspicuous opportunity to opt out of receiving fundraising communications, and the method of opting out may not impose an undue burden or cost on the individual. As contemplated in the proposed rule, the Final Rule also prohibits covered entities from conditioning treatment or payment on an individual's choice to receive fundraising communications.
Unlike the proposed rule, however, the Final Rule allows covered entities to use, or disclose to a business associate or institutionally related foundation, the following types of PHI (in addition to demographic information and the dates of healthcare provided to an individual) for fundraising purposes: (1) department of service information, (2) treating physician, (3) outcome information, and (4) health insurance status. The Final Rule also clarifies the meaning of "demographic information" by listing examples, which include name, address, other contact information, age, gender and date of birth. Finally, the Final Rule allows covered entities to provide individuals who have elected not to receive further fundraising communications with a method to opt back in to receiving such communications.
7. Clinical Research
The Final Rule's provisions pertaining to uses and disclosures for which an authorization is required provides for a research exception to the general prohibition on compound authorizations. Under the Final Rule, a covered entity may combine conditioned authorizations for research (i.e., authorizations that condition the provision of research-related treatment on the obtaining of authorization to disclose PHI for research purposes) with unconditioned authorizations for research (i.e., creation/maintenance of a research database or repository; consent to participate in research). The compound authorization must clearly differentiate between the conditioned and unconditioned components. The individual also must have the ability to opt in to the research activities described in the unconditioned research activities.
8. Individual Right to Request Restrictions; Access to or Copies of PHI
The Final Rule implements the requirement of Section 13405(a) of the HITECH Act with respect to allowing individuals to request restriction of disclosures of PHI relating to services for which out-of-pocket payment was made by the individual. Upon an individual's request, a covered entity now must agree to restrict disclosure of PHI about the individual to the health plan if (1) the disclosure is for the purpose of carrying out payment or healthcare operations and is not otherwise required by law; and (2) the PHI pertains solely to a healthcare item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the covered entity in full.
With respect to an individual's right to request access to and copies of the individual's PHI, the Final Rule implements the HITECH Act's requirement that if the subject information is maintained in a designated record set electronically, the covered entity, upon request of the individual, must provide the individual with access to the PHI in the electronic form and format requested by the individual, if readily producible in such form or format or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual.
9. Other Privacy Rule Changes
While some of the provisions of the Final Rule don't necessarily fit into the categories identified above, covered entities should nonetheless be aware of the following changes:
GINA. The Final Rule incorporates provisions of the Genetic Information Nondiscrimination Act of 2008 (GINA), adopting and expanding the GINA prohibition against the use of genetic information by health plans for underwriting purposes, modifying the definition of "health information" to include "genetic information" and incorporating GINA-defined terms for "family member," "genetic services," "genetic test," "manifestation" or "manifested."
Under the Final Rule, "genetic information" includes information relating to an individual's genetic tests; genetic tests of family members (including genetic tests for a fetus or embryo); the manifestation of a disease or disorder in an individual's family members; and any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by the individual or any family member of the individual. Specifically excluded from the definition of "genetic information" is any information about the age or sex of an individual.
"Underwriting" is defined by the Final Rule to include (1) rules for, or determination of, eligibility (including enrollment and continued eligibility) for, or determination of, benefits; (2) the computation of premium or contribution amounts under a plan, including discount rates, rebates, payments in kind or other premium differential for completing a health risk assessment or participating in a wellness program; (3) the application of any preexisting condition exclusion under a plan; and (4) other activities related to the creation, renewal or replacement of a contract of health benefits. Notably, the Final Rule prohibits all entities included in the definition of "health plan" (e.g., group health plans, health insurance issuers or issuers of Medicare supplemental policies) from using or disclosing PHI that is genetic information for underwriting purposes except for issuers of long-term care plans. However, the use of genetic information to determine the appropriateness of providing a benefit to an individual under a plan still is permitted. Accordingly, "health plans" must ensure that any medical records maintained segregate genetic information so that such information is not relied upon in any underwriting decisions.
Decedent PHI 50-Year Limit. Prior to the Final Rule, covered entities were required to protect the privacy of a decedent's PHI in generally the same manner as they protected the PHI of living individuals and, perhaps more importantly, to continue this protection indefinitely. However, under the Final Rule, covered entities are only required to protect decedent PHI for 50 years after the individual's death. In addition, the Final Rule permits a covered entity to disclose a decedent's PHI to a family member or other individual who was involved in the care or payment for care of the decedent prior to death, so long as the disclosure is not inconsistent with any prior expressed preference of the decedent of which the covered entity is aware.
Disclosure of Student Immunization History to Schools. The Final Rule permits covered entities to disclose proof of immunization for a student or prospective student to a school if the school is required by the state or other law to obtain proof of immunization prior to admitting the individual, and the covered entity obtains and documents that the student or the student's parent or guardian (for minor students) has agreed to the disclosure.
180-Day Compliance Period. For future modifications to implementation specifications and standards under the HIPAA rules, covered entities and business associates will have 180 days to become compliant unless specifically stated otherwise. This compliance period, however, does not apply for modifications to the HIPAA enforcement rule.
10. Timing and Deadlines
The Final Rule is effective March 26, 2013, but covered entities and business associates will have 180 days beyond the effective date (September 23, 2013) to come into compliance. However, there's more to this story, particularly in relation to the following key areas: (1) NPPs; (2) business associate agreements; and (3) breach notification.
Notice of Privacy Practices. The Final Rule requires covered entities to make significant changes to their NPPs, such as the addition of information regarding certain uses and disclosures requiring authorization, opting out of fundraising communications, requests for restrictions on uses and disclosures, notification following a breach of unsecured PHI and, for health plans, assurances that the plan will not use or disclose genetic information for underwriting purposes. Covered entities will need to revise their NPPs accordingly and begin using the revised NPPs by September 23, 2013. In addition, because the required changes are "material" according to the Final Rule preamble, specific NPP distribution provisions are triggered -- some added by the Final Rule, and others that remain unchanged.
Two new NPP distribution provisions added by the Final Rule apply specifically to health plans. For a health plan that does not post its NPP on its website, the revised NPP (or information about the revisions and how to obtain a copy) must be distributed to individuals covered by the plan within 60 days of the material change -- or no later than November 22, 2013 (60 days after the September 23, 2013, compliance deadline). A health plan that does post its NPP on its website must prominently post the revisions by the effective date of the material change -- in this case, no later than September 23, 2013 -- and also must include the revised NPP or information about how to obtain it in its annual mailing to covered individuals. No changes were made to the NPP distribution provisions applicable to healthcare providers, who must make the revised NPP available upon request by the effective date of the revision -- again, no later than the September 23, 2013, compliance deadline -- and must post the revised NPP in a clear and prominent location.
Business Associate Agreements. Covered entities and their business associates (as well as business associates and their subcontractors) who had an existing written agreement in place prior to January 25, 2013, that complied with the prior provisions of the HIPAA rules may continue to operate under such an agreement regardless of whether it complies with the applicable provisions of the Final Rule so long as the agreement is not renewed or modified between March 26, 2013, and September 23, 2013. This extended transition period will terminate on the date the agreement is renewed or modified between September 23, 2013, and September 22, 2014, or on September 22, 2014, whichever comes first. Automatic renewal of "evergreen" agreements will not terminate the extended compliance period.
Breach Notification. Since September 23, 2009, covered entities and their business associates have been subject to the breach notification provisions of the breach notification interim final rule (IFR). The IFR will continue to apply to breaches of unsecured PHI that occur during the 180-day period between the Final Rule's effective date of March 26, 2013, and its compliance date of September 23, 2013. For breaches of unsecured PHI occurring on or after September 23, 2013, the Final Rule's breach notification provisions will apply.
11. Enforcement
The Final Rule continues to strengthen and expand HIPAA enforcement with the addition of enforcement over the activities of business associates.
Civil Monetary Penalties. Although the Final Rule retains the structure for violations based on four tiers of culpability, it now provides revised factors to be considered in determining CMPs. Accordingly, the Secretary must consider a list of mitigating or aggravating factors, to include:
The nature and extent of the violation -- The number of individuals affected and the time period during which the violation occurred.
The nature and extent of the harm resulting from the violation -- Physical harm, financial harm, harm to an individual's reputation and whether the violation hindered an individual's ability to obtain healthcare.
History of prior compliance -- Includes whether the current violation is the same as or similar to previous indications of noncompliance, whether corrective action was taken with respect to previous indications of noncompliance and responses to both prior complaints and technical assistance from the Secretary in compliance efforts.
Financial condition -- Includes financial difficulties affecting the ability to comply, whether the imposition of a CMP would jeopardize the ability to provide or pay for healthcare, and the size of the covered entity or business associate.
Affirmative defenses -- The Final Rule prohibits the imposition of a CMP for any violation, unless the violation is due to willful neglect, if the violation is corrected within thirty days from the date the entity knows of or has constructive knowledge of the violation. Also, a CMP may not be imposed if a criminal penalty already has been imposed for the violation.
Investigations -- Under the Final Rule, the Secretary has the discretion to resolve violations informally, but is no longer required to do so. The Secretary will initiate an investigation when a preliminary review indicates a possible violation due to willful neglect. For all other possible violations, the Secretary has discretion as to whether to pursue an investigation. For any investigation initiated, the Secretary will continue to describe the acts or omissions that are the basis of the complaint and review any pertinent policies, procedures or practices.
12. Application to Health Plans
It is important to remember that health plans are HIPAA-covered entities and must pursue HIPAA compliance in many of the same ways as their covered entity brethren -- healthcare providers and healthcare clearinghouses. A health plan can be either an individual or group plan that provides or pays for medical care, which includes all types of medical care, including, but not limited to, dental and vision plans. The scope of health plans is very broad and includes plans issued by health insurance issuers and almost all other arrangements that pay for medical care. Medicare, Medicaid and employer-sponsored group health plans that provide medical, dental, vision, health flexible spending accounts and certain employee assistance program benefits are some examples of arrangements that pay for medical care. All health plans must comply with the Final Rule, including the new rules regarding the use and disclosure of genetic information.
13. Group Health Plans and Employers Sponsoring Group Health Plans
Employers sponsoring group health plans, already bogged down by the deluge of Affordable Care Act guidance, now must assess and address how the Final Rule will affect them and the group health plans they sponsor. To the extent an employer-sponsored group health plan is insured, the employer plan sponsor can rely on the health insurance issuer for many of the HIPAA obligations so long as the employer plan sponsor is only getting summary health information. However, with limited exception, if the employer-sponsored group health plan is not fully insured or the employer plan sponsor is getting more than summary health information, the employer-sponsored group health plan must undertake its own HIPAA compliance activities.
While the group health plan is the covered entity and is the party ultimately responsible for HIPAA compliance, employer plan sponsors play a large role in ensuring that their group health plans have the resources and direction to achieve HIPAA compliance. In addition, employers that also are covered entities in their own right (i.e., healthcare providers) that sponsor a group health plan for their own employees must remember to pursue HIPAA compliance both as a healthcare provider covered entity and for their covered entity group health plan. This will mean, among other things, maintaining two sets of HIPAA policies and procedures, one for the provider's activities and one for the group health plan's activities, and business associate agreements with business associates of the provider and business associates of the group health plan.
The following list identifies several, but not all, of the things the Final Rule requires of group health plan covered entities and of which employer plan sponsors must be aware so they can ensure their group health plans are on the path to Final Rule compliance. Employers sponsoring group health plans must direct their group health plans to:
Update Business Associate Agreements. To require each business associate with whom they have contracted to comply with the Final Rule (including HIPAA privacy, security and breach notification rules) as described in Section 1, Business Associates and Subcontractors. This would include incorporating the requirement that business associates require subcontractors to comply with the privacy, security and breach notification rules.
Update Breach Notification Policies and Procedures. To reflect the new breach analysis procedure as described in Section 2, Breach Notification.
Update Notices of Privacy Practices. To account for the new rules regarding breach notifications as described in Section 10, Timing and Deadlines, the use of genetic information and the use of PHI for fundraising purposes.
Update Privacy Policies and Procedures. To account for the new rules regarding the uses and disclosures of genetic information, uses and disclosures of PHI of a deceased individual and uses and disclosures of PHI for public health activities as described in Section 9, Other Privacy Rule Changes, for sale of PHI, rights to restrictions of PHI and regarding the provision of access to a third party at the direction of the owner of PHI.
Given the breadth and scope of the Final Rule, employers sponsoring group health plans should direct their covered entity group health plans to undertake a comprehensive review and revision of their privacy, security and breach notification policies and procedures, their NPPs and their business associate agreements. As these documents are reviewed and updated, group health plans also must undertake a retraining program to make sure all employees working with the group health plan understand their new roles and responsibilities under the Final Rule.