The Department of Health and Human Services Office for Civil Rights (OCR) released its final rule, Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5566 (Jan. 25, 2013). The federal government also publishes the HIPAA rule on a Federal Register website that has convenient hyperlinks to various sections of the rule. In this blog series, we go through some of the important rules. Our review is not exhaustive, but rather tries to highlight major points.
In this 8-part series, we’ll examine:
Part 1 – Overview
Part 2 – Business Associates & Subcontractors
Part 3 – Enforcement & Penalties
Part 4 – Security Rule Changes
Part 5 – Privacy Rule Changes
Part 6 – Business Associate Agreements
Part 7 – Other Provisions
Part 8 – Breach Analysis
In a nutshell, this Omnibus Rule:
- Modifies the HIPAA Privacy, Security, and Enforcement Rules, consistent with the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA).
- Modifies the Breach Notification Rule.
- Increases privacy protections for genetic information as required by the Genetic Information Nondiscrimination Act of 2008 (GINA).
The Summary of Major Provisions states that the Final Rule is 4 rules in one:
1. Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications to improve the Rules, which were issued as a proposed rule on July 14, 2010.
- Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.
- Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
- Expand individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
- Require modifications to, and redistribution of, a covered entity’s notice of privacy practices.
- Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
- Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule (referenced immediately below), such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.
2. Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009.
3. Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule’s “harm” threshold with a more objective standard and supplants an interim final rule published on August 24, 2009.
4. Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on October 7, 2009.
HIPAA Administrative Simplification Provisions
The HIPAA Privacy, Security, and Enforcement Rules implement certain of the Administrative Simplification provisions of title II, subtitle F, of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. 104-191), which added a new part C to title XI of the Social Security Act (sections 1171-1179 of the Social Security Act, 42 U.S.C. 1320d-1320d-8).
The Administrative Simplification provisions of HIPAA apply to three types of entities, which are known as “covered entities” (CEs): health care providers who conduct covered health care transactions electronically, health plans, and health care clearinghouses.
HIPAA Privacy Rule
The HIPAA Privacy Rule, 45 CFR Part 160 and Subparts A and E of Part 164, requires covered entities to have safeguards in place to ensure the privacy of protected health information, sets forth the circumstances under which covered entities may use or disclose an individual’s protected health information, and gives individuals rights with respect to their protected health information, including rights to examine and obtain a copy of their health records and to request corrections. Covered entities that engage business associates to work on their behalf must have contracts or other arrangements in place with their business associates to ensure that the business associates safeguard protected health information, and use and disclose the information only as permitted or required by the Privacy Rule.
HIPAA Security Rule
The HIPAA Security Rule, 45 CFR Part 160 and Subparts A and C of Part 164, applies only to protected health information in electronic form and requires covered entities to implement certain administrative, physical, and technical safeguards to protect this electronic information. Like the Privacy Rule, covered entities must have contracts or other arrangements in place with their business associates that provide satisfactory assurances that the business associates will appropriately safeguard the electronic protected health information they create, receive, maintain, or transmit on behalf of the covered entities.
HIPAA Enforcement Rule
The HIPAA Enforcement Rule, 45 CFR Part 160, Subparts C-E, establishes rules governing the compliance responsibilities of covered entities with respect to the enforcement process, including the rules governing investigations by the Department, rules governing the process and grounds for establishing the amount of a civil money penalty where a violation of a HIPAA Rule has been found, and rules governing the procedures for hearings and appeals where the covered entity challenges a violation determination.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted on February 17, 2009, as title XIII of division A and title IV of division B of the American Recovery and Reinvestment Act of 2009 (ARRA), Public Law 111-5, modifies certain provisions of the Social Security Act pertaining to the HIPAA Rules, as well as requires certain modifications to the Rules themselves, to strengthen HIPAA privacy, security, and enforcement. The Act also provides new requirements for notification of breaches of unsecured protected health information by covered entities and business associates.
HITECH Act provisions included rules:
- extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities;
- requiring that Health Information Exchange Organizations and similar organizations, as well as personal health record vendors that provide services to covered entities, shall be treated as business associates;
- requiring HIPAA covered entities and business associates to provide for notification of breaches of “unsecured protected health information”;
- establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes;
- prohibiting the sale of protected health information;
- expanding individuals’ rights to access their protected health information, and to obtain restrictions on certain disclosures of protected health information to health plans; and
- strengthening and expanding HIPAA’s enforcement provisions.
Since HITECH was enacted, HHS has published several regulations:
On August 24, 2009, the Department published interim final regulations to implement the breach notification provisions at section 13402 of the HITECH Act (74 FR 42740), which were effective September 23, 2009. Similarly, the Federal Trade Commission (FTC) published final regulations implementing the breach notification provisions at section 13407 for personal health record vendors and their third party service providers on August 25, 2009 (74 FR 42962), effective September 24, 2009. For purposes of determining to what information the HHS and FTC breach notification regulations apply, the Department also issued, first on April 17, 2009 (published on April 27, 2009, 74 FR 19006), and then later with its interim final rule, the guidance required by the HITECH Act under 13402(h) specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Additionally, to conform the provisions of the Enforcement Rule to the HITECH Act’s tiered and increased civil money penalty structure, which became effective on February 18, 2009, the Department published an interim final rule on October 30, 2009 (74 FR 56123), effective November 30, 2009.
The Department published a notice of proposed rulemaking (NPRM) on July 14, 2010, (75 FR 40868) to implement many of the remaining privacy, security, and enforcement provisions of the HITECH Act. The public was invited to comment on the proposed rule for 60 days following publication. The comment period closed on September 13, 2010. The Department received about 300 comments on the NPRM.
The Genetic Information Nondiscrimination Act of 2008 (GINA) calls for changes to the HIPAA Privacy Rule to strengthen privacy protections for genetic information. This final rule implements the modifications required by GINA, as well as most of the privacy, security, and enforcement provisions of the HITECH Act. This final rule also includes certain other modifications to the HIPAA Rules to improve their workability and effectiveness.
The final rule is effective on March 26, 2013. Covered entities and business associates of all sizes will have 180 days beyond the effective date of the final rule to come into compliance with most of the final rule’s provisions, including the modifications to the Breach Notification Rule and the changes to the HIPAA Privacy Rule under GINA.
Who is Impacted
HHS estimates that these changes will impact the following (by NAICS Code):
- nursing facilities
- offices of MDs, DOs, mental health practitioners, dentists, PTs, OTs, STs, and audiologists
- outpatient care centers
- medical diagnostic and imaging service covered entities
- home health services
- other ambulatory care centers
- DME suppliers
- health insurance carriers
- third party administrators working on behalf of covered entities
Organizational Requirements – Hybrid Entities
The Final Rule notes that many covered entities perform both covered and non-covered functions as part of their business operations. For such covered entities, the entire entity is generally required to comply with the Privacy Rule.
However, the hybrid entity provisions of the HIPAA Rules permit the entity to limit the application of the Rules to the entity’s components that perform functions that would make the component a “covered entity” if the component were a separate legal entity. Specifically, this provision allows an entity to designate a health care component by documenting the components of its organization that perform covered entity functions. The effect of such a designation is that most of the requirements of the HIPAA Rules apply only to the designated health care component of the entity and not to the functions the entity performs that are not included in the health care component. While most of the HIPAA Rules’ requirements apply only to the health care component, the hybrid entity retains certain oversight, compliance, and enforcement obligations.
We explained in the preamble to the 2002 modifications to the Privacy Rule that the Rule provides hybrid entities with discretion as to whether or not to include business associate divisions within the health care component. However, a disclosure of protected health information from the health care component to any other division that is not part of the health care component, including a business associate division, is treated the same as a disclosure outside the covered entity. As a result, because an entity generally cannot have a business associate agreement with itself, a disclosure from the health care component to the business associate division(s) of the entity likely would require individual authorization. See 67 FR 53182, 53205 (Aug. 14, 2002).
Importantly, after this final rule, business associates, by definition, are separately and directly liable for violations of the Security Rule and for violations of the Privacy Rule for impermissible uses and disclosures pursuant to their business associate contracts. With respect to a hybrid entity, however, not including business associate functions within the health care component of a hybrid entity could avoid direct liability and compliance obligations for the business associate component. Thus, we agree with the commenters that supported requiring inclusion of business associate functions inside the health care component of a hybrid entity. As such, the final rule requires that the health care component of a hybrid entity include all business associate functions within the entity.
OCR Future Guidance
OCR has promised to provide additional regulations and guidance with respect to the following areas:
- Types of entities that fall within the definition of business associate, updated as the industry and electronic health information exchange evolves
- Types of communications falling under the refill reminder exception to the marketing prohibition
- Cost-based limitations on remuneration, direct, and indirect costs for the exceptions permitting disclosure of protected health information
- Minimum necessary standards for covered entities and business associates and the interaction with the breach notification requirements
- Frequently occurring scenarios to aid covered entities and business associates performing the risk assessment to determine whether protected health information has been compromised
- Guidance on protections for genetic information
- Accounting for disclosures of protected health information (by regulation)
- Penalty distribution methodology (by regulation)
About Our HIPAA and HITECH Practice
The healthcare privacy and security requirements of HIPAA and HITECH can be daunting. Even small healthcare offices can be subject to federal and state privacy and confidentiality compliance rules. For healthcare legal and regulatory expertise, contact the HIPAA and HITECH legal team at the Cohen Healthcare Law Group.
Note: Covered entities and business associates should revise their policies, procedures, and forms for compliance with the Final Rule; document compliance; and appropriately train their workforce.
“Hybrid” entities that share PHI in a joint arrangement must consider integrated HIPAA compliance.