The HIPAA / HITECH Privacy Rule has been changed. Under the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act, 78 Fed. Reg. 5566 (Jan. 25, 2013), these are mainly technical changes, although HHS has some important commentary (see my bold).
Modifications to the Privacy Rule
- § 164.500 was modified to clarify that, where provided, the standards, requirements, and implementation specifications of the Privacy Rule apply to business associates.
- Under the final rule, a business associate is directly liable under the Privacy Rule for uses and disclosures of protected health information that are not in accord with its business associate agreement or the Privacy Rule.
- Further, a business associate is directly liable for failing to make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. See § 164.502(b). Finally, business associates are directly liable for failing to enter into business associate agreements with subcontractors that create or receive protected health information on their behalf. See § 164.502(e)(1)(ii).
- The definition of “healthcare operations” is revised to dovetail with PSQIA.
- Marketing was previously defined as, “to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” There were exceptions, including for communications that describe a product or service provided by the CE or that recommend alternative treatments. (See Sections 164.501 and 164.508(a)(3), and HITECH Section 13406(a).)
- Now, marketing includes any treatment or healthcare operations communications to individuals about health-related products or services, if the covered entity or its business associate (BA) receives financial remuneration in exchange for making the communication from or on behalf of the third party whose product or service is being described.
- CEs must obtain a valid authorization before using or disclosing PHI to market a product or service to patients. Now, if a covered entity has used PHI to identify individuals to receive a communication about an item or service, and receives financial remuneration from a third party to send the communication to the targeted individuals, that transaction falls within the definition of marketing. (If a CE receives financial remuneration in exchange for disclosing PHI to a third party, that transaction is a sale of PHI).
- The Final Rule requires authorization for all treatment and health care operations communications where the covered entity receives financial remuneration for making the communications from a third party whose product or service is being marketed. HHS states:
We, therefore, believe that requiring authorizations for all subsidized communications that market a health related product or service is the best policy. Such a policy will ensure that all such communications are treated as marketing communications, instead of requiring covered entities to have two processes in place based on whether the communication provided to individuals is for a treatment or a health care operations purpose.
The Final Rule defines financial remuneration as “direct or indirect payment from or on behalf of a third party whose product or service is being described.”
- The prior rule contained requirements that the Notice of Privacy Practices inform patients about marketing, and allow them to opt out. These requirements are now obliterated, since the new rule “treats subsidized treatment communications as marketing communications that require authorization.” The authorization must disclose that remuneration is received from a third party and state that the individual may revoke the authorization at any time.
- Authorization is also required where the business associate wants to send marketing communications to the patient.
- Refill reminders are not marketing, so long as the financial remuneration for the marketing is reasonably related to the cost of the marketing.
- Importantly: “Communications promoting health in general and that do not promote a product or service from a particular provider, such as communications promoting a healthy diet or encouraging individuals to get certain routine diagnostic tests, such as annual mammograms, do not constitute marketing and thus, do not require individual authorization.”
- The rule still provides that no authorization is required where a covered entity receives financial remuneration from a third party to make a marketing communication, if the communication is made face-to-face by a covered entity to an individual or consists of a promotional gift of nominal value provided by the covered entity.
Sale of PHI
- The Final Rule modifies Section 164.508 to require authorization for disclosure of PHI in exchange for direct or indirect remuneration. In effect, the Final Rule prohibits the sale of PHI without an individual’s written authorization. The authorization must state that the disclosure of PHI will result in remuneration to the entity.
- § 164.502(a)(5)(ii)(B)(1) defines “sale of protected health information” to generally mean “a disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information.” Section 164.502(a)(5)(ii)(B)(2) then excludes from the definition the various exceptions.
- Access, license or lease arrangements are included.
- Financial as well as non-financial remuneration is included. There are several exceptions (i.e., where disclosures of PHI do not require an authorization):
  - For public health activities described in Sections 164.512(b) or 164.514(e) of the HIPAA Privacy Rule;
  - For research, where the only remuneration received by the covered entity is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purposes;
  - For treatment and payment;
  - For the sale, transfer, merger, or consolidation of all or part of the covered entity and related due diligence;
  - To or by a BA for activities that the BA undertakes on behalf of the covered entity, if the only remuneration is provided by the covered entity to the BA for its performance of such activities (or disclosures to or by a subcontractor, if the only remuneration is provided by the BA to the subcontractor);
  - Providing an individual with access to his or her PHI;
  - For disclosures required by law; and
  - For any other purposes permitted by and in accordance with the applicable requirements of the Privacy Rule, where the only remuneration received by the covered entity is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose, or a fee otherwise expressly permitted by other law.
- The Notice of Privacy Practices should be suitably updated to advise individuals about the prohibition on the sale of PHI without express written authorization.
PHI of Deceased Individuals
- A covered entity’s duty to safeguard the protected health information of a deceased individual expires fifty (50) years after the death of the individual.
- The Final Rule modifies the public health disclosure provisions of the Privacy Rule to include a new category under which a covered entity may use or disclose protected health information for public health activities and purposes. The Final Rule now provides that a covered entity may use or disclose protected health information to a school, about an individual who is a student or prospective student of the school, if (1) the protected health information that is disclosed is limited to proof of immunization, (2) the school is required by state or other law to have such proof prior to admitting the individual, and (3) the covered entity obtains and documents the agreement to the disclosure from either a parent, guardian, or other person acting in loco parentis of the individual, if the individual is an unemancipated minor, or the individual, if the individual is an adult or emancipated minor.
Restrictions on Health Plan Disclosures
- A covered entity must honor an individual’s request to limit disclosure to his or her health plan if 1) the disclosure is for the purpose of carrying out payment or health care operations, 2) the disclosure is not otherwise required by law, and 3) the protected health information pertains solely to a health care item or service paid in full by the individual or someone other than the health plan on behalf of the individual.
- The Final Rule prohibits health plans from using or disclosing an individual’s protected health information that is genetic information for underwriting, even though such a use or disclosure is considered payment or health care operations.
Right to Agree or Object to Disclosure
- A covered entity may disclose to a family member, other relative, close personal friend, or any other person previously identified by a deceased individual the protected health information directly relevant to such person’s involvement with the individual’s health care or payment related to that health care unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.
Right to Access Protected Health Information
- If an individual requests to receive his or her own protected health information maintained electronically in one or more designated record sets, the covered entity must provide access in the particular electronic form or format requested if it is readily producible in the requested form or format. If the protected health information is not maintained in the requested form or format, the entity must provide the individual with the protected health information in a readable electronic form and format agreed to by both parties.
- If the individual directs the covered entity to transmit a copy of the individual’s protected health information to another person designated by the individual, the covered entity must transmit the protected health information to the person so designated. The designation must be in writing, signed by the individual, and clearly identify the designated person as well as where to send the copy.
- Covered entities must act on an individual’s request for access to his or her own protected health information, whether paper or electronic, within thirty (30) days following receipt of the request, regardless of whether the protected health information is maintained onsite. No longer will off-site storage or inaccessibility warrant a 30-day extension of the customary deadline under the Privacy Rule.
- The Final Rule makes some changes to privacy standards relating to research.
The healthcare privacy and security requirements of HIPAA and HITECH can be daunting. Even small healthcare offices can be subject to federal and state privacy and confidentiality compliance rules. For healthcare legal and regulatory expertise, contact the HIPAA and HITECH legal team at the Cohen Healthcare Law Group.