21 Jul 2010

Proposed HITECH Act rule will change health data privacy, security landscape


Privacy and Litigation Alert


Darrell W. Taylor


The Department of Health and Human Services has released its long-anticipated Notice of Proposed Rulemaking (the Proposed Rules) to modify the HIPAA privacy, security and enforcement rules of the Health Insurance Portability and Accountability Act (HIPAA).

The Proposed Rules will implement changes required by the Health Information Technology for Economic and Clinical Health Act of 2009 (the HITECH Act), made into law last year as part of the American Recovery and Reinvestment Act of 2009. 

As expected, the Proposed Rules track the HITECH Act and focus on Business Associates (BAs), increased enforcement and other privacy and security issues.

In a press briefing on July 8, 2010, the same day the Proposed Rules were announced, HHS Secretary Kathleen Sebelius said the Proposed Rules represent “sweeping” changes to the privacy and security landscape.  “While health information technology will help America move its health care system forward, the privacy and security of personal health data is at the core of all our work,” Sebelius commented.

The Proposed Rules also extend HIPAA compliance requirements to subcontractors of BAs and strengthen patient rights to health information privacy.  According to the Office for Civil Rights (OCR), which enforces the HIPAA Privacy and Security Rules for HHS, the “significant” modifications to HIPAA pursuant to the Proposed Rules include:
  • A requirement that BAs of HIPAA-covered entities operate under most of the same rules as the covered entities and have direct liability for HIPAA compliance
  • New limitations on the use and disclosure of protected health information (“PHI”) for marketing and fundraising purposes
  • Prohibition of the sale of PHI without an authorization
  • Expansion of individuals’ rights to access their information and to restrict certain types of disclosures of PHI to health plans, and
  • Provisions that strengthen and expand HIPAA’s enforcement rule.

Some of the other major points in the Proposed Rules include:
  • Privacy protection now extends only 50 years after the death of the patient
  • Covered entities can charge costs associated with providing an individual ePHI on electronic media – e.g., the cost of a flash drive or CD
  • Updates to the components of HIPAA Notice of Privacy Practices requiring new notices
  • Strong case examples on breaches and how to handle them, and
  • BAs’ subcontractors must comply with HIPAA and contract with the BA regarding the same.

In the Proposed Rules, HHS also says HIPAA’s “minimum necessary” requirements still apply, but will be given greater clarification in upcoming guidance.

Business Associates and Subcontractors

The HITECH Act made BAs liable for compliance with the Security Rule and the use and disclosure provisions of the Privacy Rule.  HHS now proposes extending those compliance requirements to BA subcontractors by including them in the definition of a BA.  A BA contract with subcontractors has to contain all the provisions, current and new, required to be in BA contracts.  Also, subcontractors of BAs must implement the same “reasonable and appropriate” safeguards required by HIPAA to ensure they prevent breaches of unsecured PHI.  Furthermore, BAs who hire subcontractors must supply information to HHS regarding their subcontractors’ compliance.  Requiring subcontractors to comply with HIPAA expands the number of organizations subject to HIPAA and the HITECH Act.

The Proposed Rules note that the term “subcontractor” would apply to any agent or other person who acts on behalf of BAs.  “The proposed provisions avoid having privacy and security protections for protected health information lapse merely because a function is performed by an entity that is a subcontractor rather than an entity with a direct relationship with a covered entity,” the Proposed Rules say.  Thus, “we propose that downstream entities that work at the direction of or on behalf of a business associate and handle protected health information would also be required to comply with the applicable Privacy and Security Rule provisions in the same manner as the primary business associate, and likewise would incur liability for acts of noncompliance.”

HHS also indicated that covered entities will be held directly liable for the violations of BAs who are agents, rather than independent contractors.  This distinction between “agents” and BAs was introduced in the Breach Notification regulations issued in 2009.  HHS also announced that BAs can be directly liable for breaches of unsecured PHI and will have to pay fines.  The Proposed Rules make explicit that certain entities providing services to covered entities are BAs (e.g., Electronic Health Record vendors).

HHS missed the February 18 deadline for delivering these Proposed Rules per the HITECH Act.  By June 18, OCR was to release regulations to modify the HIPAA Privacy Rule’s accounting of disclosures provisions.  However, OCR published a notice in the May 3 Federal Register requesting information to assist in its crafting of a proposed rule on accounting of disclosures from electronic health records, pursuant to the HITECH Act.  The Proposed Rules were published in the Federal Register on July 14, 2010.  The regulations would not be effective until publication of a final rule.  Comments on the proposed regulations will be accepted for 60 days beginning July 14, 2010.

The HITECH Act established the position of Chief Privacy Officer in the Office of the National Coordinator for Health Information Technology (ONC).  Joy Pritts recently assumed the new position at ONC and is leading HHS efforts to develop and implement privacy and security programs and policies related to electronic health information and coordinating with OCR on enforcement issues.

OCR has redesigned its breach notification website to allow the Secretary of HHS to provide detailed information about reported breaches affecting more than 500 individuals.  Under the HITECH Act, covered entities must notify individuals, the HHS Secretary and, in some cases, the media when a breach of unsecured protected health information is discovered or reasonably should have been discovered.  HHS Secretary Sebelius also announced a new website that will provide the public with information about efforts to protect privacy.  She said the website furthers a new level of openness and transparency to help consumers feel confident about embracing health information technology.

NOTE:  It is important to remember that most of the privacy and security provisions of the HITECH Act went into effect on February 18, 2010, and do not depend on implementing regulations.  However, HHS proposes to allow covered entities 180 days after the effective date of the final regulations to become compliant with the privacy and security standards in the new rule.  Changes to the enforcement rule would be effective immediately.

You may access the Proposed Rules through the OCR privacy website or by clicking here (the actual rule modifications begin on page 176).

Here are links to access OCR’s new breach notification website and the new privacy website.

Also see our 2009 Alert, “Economic Stimulus Package Contains Broad New Health Privacy Protections,” for an overview of the American Recovery and Reinvestment Act and HITECH Act changes to HIPAA which are being further implemented through the Proposed Rules.

For more information, please contact: 

Senator Tom Daschle
Senior Policy Advisor, Government Affairs

Kimberly K. Egan
Co-Chair, Health Care

Stephen L. Goff
Co-Chair, Health Care

William P. Cook
Chair, Communications, E-Commerce and Privacy

Mary B. Langowski
Senior Policy Advisor
Co-Chair, Health Care Policy and Regulatory Group

Darrell Taylor
Associate, Health Care

Finally, to read our library of writings about the implications of the health care reforms, please click here.

This information is intended as a general overview and discussion of the subjects dealt with. The information provided here was accurate as of the day it was posted; however, the law may have changed since that date. This information is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper is not responsible for any actions taken or not taken on the basis of this information. Please refer to the full terms and conditions on our website.

Copyright © 2012 DLA Piper. All rights reserved.