The Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act, 78 Fed. Reg. 5566 (Jan. 25, 2013), makes a number of additional important changes to existing privacy and security law.These include:
- New rules about fundraising (45 CFR 154.514(f)) expand the ability to disclose PHI to do fundraising without individual authorization. Specifically: a covered entity may use, or disclose to a business associate or to an institutionally related foundation, the following protected health information for the purpose of raising funds for its own benefit, without an authorization meeting the requirements of Sec. 164.508: (i) demographic information relating to an individual, including name, address, other contact information, age, gender, and date of birth; (ii) dates of health care provided to an individual; (iii) department of service information; (iv) treating physician; (v) outcome information; and (vi) health insurance status.
- A covered entity that intends to contact the individual to raise funds under these provisions MUST include a statement to that effect in its notice of privacy practices.
- With each fundraising communication made to an individual under this paragraph, a covered entity must provide the individual with a clear and conspicuous opportunity to elect not to receive any further fundraising communications. The method for an individual to elect not to receive further fundraising communications may not cause the individual to incur an undue burden or more than a nominal cost.
- A covered entity may not make fundraising communications to an individual under this paragraph where the individual has elected not to receive such communications under paragraph (f)(1)(ii)(B) of this section [i.e., has opted out].
- A covered entity may provide an individual who has elected not to receive further fundraising communications with a method to opt back in to receive such communications.
- Notice of Privacy Practices (45 CFR 164.520). Providers and health plans likely will need to update their notices of privacy practices (NPPs). The updated NPPs must advise individuals of the Omnibus Rule’s required changes, specifically including, as applicable, the following:
- The NPP must “contain a statement indicating that most uses and disclosures of psychotherapy notes (where appropriate), uses and disclosures of protected health information for marketing purposes, and disclosures that constitute a sale of protected health information require authorization, as well as a statement that other uses and disclosures not described in the NPP will be made only with authorization from the individual.”
- The NPP must describe the right of the individual to restrict disclosures of PHI to a health plan with respect to health care for which the individual has paid out-of-pocket and in full.
- The NPP must contain a statement “regarding fundraising communications and an individual’s right to opt out of receiving such communications, if a covered entity intends to contact an individual to raise funds for the covered entity.”
- The NPP must “inform individuals of their new right to restrict certain disclosures of protected health information to a health plan where the individual pays out of pocket in full for the health care item or service. Only health care providers are required to include such a statement in the NPP; other covered entities may retain the existing language indicating that a covered entity is not required to agree to a requested restriction.”
- The NPP must “include in their NPP a statement of the right of affected individuals to be notified following a breach of unsecured protected health information.”
- The NPP must notify about the prohibition on the sale of PHI without the express written authorization of the individual.
- Health plans. Most health plans will need to inform individuals of the prohibition against using or disclosing genetic information for underwriting purposes.
- nNotice and a separate statement informing the individual will be necessary if the covered entity desires to disclose protected health information to the sponsor of a group health plan, health insurance issuer or HMO; or if an entity is a health plan, notice of intentions to disclose for underwriting purposes is required.
- Dissemination. There are specific rules for health plans about disseminating revised NPPs. Health care providers must make the NPP “available upon request on or after the effective date of the revision and must comply with the requirements of § 164.520(c)(2)(iii) to have the NPP available at the delivery site and to post the notice in a clear and prominent location.”
- Individual’s right to request restrictions of certain uses and disclosures.
- Covered health care providers will, however, need to employ some method to flag or make a notation in the record with respect to the protected health information that has been restricted to ensure that such information is not inadvertently sent to or made accessible to the health plan for payment or health care operations purposes, such as audits by the health plan. Covered entities should already have in place, and thus be familiar with applying, minimum necessary policies and procedures, which require limiting the protected health information disclosed to a health plan to the amount reasonably necessary to achieve the purpose of the disclosure.
- There is a lot more detail in this rule, some applicable to health plans, and some applicable to restrictions involving referrals to subsequent providers.
- Section 164.524—Access of Individuals to Protected Health Information. An individual continues to have a right to a copy of the individual’s designated record set in the individual’s requested form and format if readily producible, but now has the right to an electronic copy if the designated record set is maintained electronically and the requested form and format is not readily producible.
- “The Final rules amends § 164.524(c)(2)(ii) to require that if an individual requests an electronic copy of protected health information that is maintained electronically in one or more designated record sets, the covered entity must provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual. In such cases, to the extent possible, we expect covered entities to provide the individual with a machine readable copy of the individual’s protected health information.”
- Note: “How and to what extent a business associate is to support or fulfill a covered entity’s obligation to provide individuals with electronic access to their records will be governed by the business associate agreement between the covered entity and the business associate. For example, the business associate agreement may provide for the business associate to give copies of the requested information directly to the individual, or to the covered entity for the covered entity to provide the copies to the individual. There is no separate requirement on business associates to provide individuals with direct access to their health records, if that is not what has been agreed to between the covered entity and the business associate in the business associate agreement.”
- What about encryption? “Covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. We disagree that the “duty to warn” individuals of risks associated with unencrypted email would be unduly burdensome on covered entities and believe this is a necessary step in protecting the protected health information. We do not expect covered entities to educate individuals about encryption technology and the information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party. If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.”
- If requested by an individual, a covered entity must transmit the copy of protected health information directly to another person designated by the individual.
- The Final Rule talks about fees, and, timeliness.
- Other technical changes. There are other technical changes, such as: “Section 164.510(b)(3) covers uses and disclosures of protected health information when the individual is not present to agree or object to the use or disclosure, and, as pertinent here, permits disclosure to persons only of “the protected health information that is directly relevant to the person’s involvement with the individual’s health care.” We proposed to delete the last two quoted words and substitute the following: “care or payment related to the individual’s health care or needed for notification purposes.” This change aligns the text of paragraph (b)(3) with the permissions provided for at paragraph (b)(1) of this section.”
- Family Access to Decedents’ PHI. Family members of a decedent who were involved in the person’s care prior to his or her death may now access the decedent’s PHI.
- Modifications to the HIPAA Privacy Rule Under GINA. GINA prohibits discrimination based on an individual’s genetic information in both the health coverage and employment contexts.
See our full series of articles:
* * *
The healthcare privacy and security requirements of HIPAA and HITECH can be daunting. Even small healthcare offices can be subject to federal and state privacy and confidentiality compliance rules. For healthcare legal and regulatory expertise, contact the HIPAA and HITECH legal team at the Cohen Healthcare Law Group.