In 2009 Congress enacted the Health Information Technology for Economic and Clinical Health Act, also known as HITECH. HITECH amended aspects of the Health Insurance Portability and Accountability Act (HIPAA) and established a number of security provisions relating to Protected Health Information (PHI). Close to four years after HITECH became law, the United States Department of Health and Human Services has issued omnibus final regulations (the Final Rule), with several goals in mind:
- to strengthen the privacy and security for individuals’ health information, by modifying HIPAA Privacy, Security and Enforcement rules to implement statutory amendments under HITECH;
2. to modify the rule for Breach Notification for Unsecured PHI under HITECH;
3. to modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of the Genetic Information Nondiscrimination Act of 2008; and
4. to make certain other modifications to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules to improve their workability and effectiveness and to increase flexibility for and decrease the burden on the regulated entities.
The Final Rule became effective on March 26, 2013 and covered entities and business associates must comply with the Final Rule by September 23, 2013.1
It is not feasible to cover each aspect of the Final Rule in this article. Instead the focus will be on the key provisions that affect business associates (given that a significant portion of the final rule addresses the application of the HIPAA/HITECH regulations to business associates). It should be noted, however, that there are aspects of the Final Rules that will require modifications to Notices of Privacy Practices (see in particular Section 164.520), and that have a bearing on patient rights. Some of these points are mentioned later in this article.
While HITECH made certain aspects of the Privacy, Security and Enforcement Rules applicable to business associates and created direct civil and criminal liability for violations of the same, the Final Rule broadens that scope. The Final Rule also expands the scope of who is a business associate.
The definition of business associate now covers any person who, other than in the capacity of a workforce member, creates, receives, maintains, or transmits PHI on behalf of a covered entity. Accordingly, businesses who merely maintain PHI without accessing it are now considered to be business associates under the Final Rule. Likewise, a subcontractor that creates, receives, maintains, or transmits PHI on behalf of a business associate is a business associate. A subcontractor of a subcontractor is a business associate as well, and so on down the line. A business associate also includes Health Information Organizations, E-Prescribing Gateways, and other persons that provide data transmission services with respect to PHI who require access on a routine basis to such protected PHI.2 A person who offers a personal health record to one or more individuals on behalf of a covered entity is a business associate.
Business associate references were not added to all provisions of the Privacy Rule that address uses and disclosures of PHI by a covered entity. However, a business associate may not use or disclose PHI except as permitted or required by the Privacy Rule or Enforcement Rule. Therefore, any Privacy and Enforcement Rule limitations on how a covered entity may use or disclose PHI now automatically extend to a business associate. Further limitations on a business associate’s uses and disclosures of PHI are set forth under sections 164.502 (3) and (4) of the Final Rule. The Final Rule also applies the minimum necessary standard to business associates when using or disclosing PHI or when requesting PHI from another covered entity or business associate.
The Final Rule makes it clear that business associates must comply with the Security Rule provisions, including administrative, physical and technical safeguards regulations, as well as the written policy and documentation requirements. These responsibilities will impose significant additional burdens on many business associates. For example, business associates will need to appoint a compliance officer and undertake risk assessments. Business associates will now be subject to compliance reviews. Given that notice requirements arise from unsecured PHI, business associates will want to make sure that PHI is rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5 (generally appropriate encryption or destruction). Obviously it is critical that existing business associate agreements be reviewed as soon as possible, and amended as needed to comply with the new legal requirements.
Business associates are directly liable under the HIPAA Rules for: (a) impermissible uses and disclosures, (b) failure to provide breach notification to the covered entity, (c) failure to provide access to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement), (d) failure to disclose PHI where required by the Secretary to investigate or determine the business associate’s compliance with the HIPAA Rules, (e) failure to provide an accounting of disclosures, and (f) failure to comply with the requirements of the Security Rule. In addition to required compliance with the law, business associates also remain contractually liable for compliance with the terms of their business associate agreements.
Another notable provision of the Final Rule is Section 160.402(c) which provides that:
(1) A covered entity is liable, in accordance with the Federal law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the covered entity, including a workforce member or business associate, acting within the scope of the agency.
(2) A business associate is liable, in accordance with the Federal law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the business associate, including a workforce member or subcontractor, acting within the scope of the agency.
These provisions raise concerns about the need for indemnification provisions in business associate agreements to address circumstances where the covered entity is held liable for acts of its business associate, or the business associate for acts of its subcontractor.
The net effect of the Final Rule is that a covered entity must have a written agreement with its business associates that comports with the applicable provisions of HIPAA/HITECH and the related implementing regulations, and those business associates must have written agreements with their subcontractors (who are deemed to be business associates as well) and so on down the line. However, the Final Rule is clear that a covered entity is not required to enter into a business associate agreement with the subcontractors of its business associates. Never the less, even though a covered entity’s business associates are required by law to have written agreements with their subcontractors, the covered entity should require in its business associate agreement that its business associates obtain the necessary written agreements with their subcontractors.
Another key change to the Final Rule that impacts both covered entities and business associates is the definition of “breach” as to PHI which triggers certain notice and other obligations. Under the Final Rule, (apart from limited exclusions) “breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the applicable regulations which compromises the security or privacy of the PHI. Prior to the Final Rule, the covered entity had to make a subjective determination of whether the PHI was compromised (i.e., whether the breach posed a significant risk of financial, reputational, or other harm to the individual involved). Under the Final Rule, an unauthorized acquisition, access, use, or disclosure of PHI is presumed to be a breach; the burden is on the covered entity or the business associate (as applicable) to demonstrate that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:
- the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
2. the unauthorized person who used the PHI or to whom the disclosure was made;
3. whether the PHI was actually acquired or viewed; and
4. the extent to which the risk to the PHI has been mitigated.
The significance of this change is two-fold: it establishes an “objective” standard in relation to breaches and it triggers notification obligations unless the covered entity or business associate as applicable, after making the appropriate risk assessment, demonstrates that there is a low probability that PHI has been compromised. A covered entity or business associate concluding that no breach has occurred must maintain documentation supporting its conclusion. The notification requirement springs from the fact that “unsecured” PHI has been improperly acquired, accessed, used or disclosed. Accordingly, as mentioned above, use of appropriate encryption technology and destruction procedures can help the covered entity or business associate be relieved of notice requirements.
Among other things, the Final Rule has added provisions that seek to strengthen patient rights and protections, and to make it easier in some circumstances for family members of patients to access records of a patient. For example, patients have a right to request in an electronic format a copy of their electronic medical records maintained in one or more designated record sets. Family members, relatives or close personal friends may be able to access records of a patient, including a deceased patient, if they were involved in the patient’s care prior to death. It should be noted that HIPAA generally does not pre-empt the applicability of state laws that have stricter requirements than HIPAA provides. Accordingly, if, for example, state law would not allow access by family members, then that state law prohibition would apply. Under the Final Rule, PHI of individuals who have been deceased for over 50 years is no longer subject to Subpart E of the HIPAA Rules. There are limitations on the use of genetic information as well.
The Final Rule also puts some limitations on use of PHI for fundraising purposes and with respect to sale of PHI. While some additional elements of PHI can be used for fundraising purposes without a patient’s permission, an appropriate notice must be included in the Notice of Privacy Practices, and in each fundraising communication patients must be given the opportunity to opt out of receiving fundraising communications. The opt-out method provided may not cause the individual to incur an undue burden or more than a nominal cost. Also, apart from limited exceptions, the sale of PHI is strictly prohibited without patient permission and the Final Rule clarifies that sale of PHI means disclosure of PHI by a covered entity or a business associate in exchange for direct or indirect remuneration.
As mentioned at the outset, it is not possible in this article to cover all of the changes implemented to HIPAA/HITECH regulations under the Final Rule. Notable areas discussed include key impacts on business associates and breach notification. Some of the more significant changes relating to patient rights were addressed as well. The key takeaway point is that it is crucial for covered entities and business associates to review existing business associate agreements and Notices of Privacy Practices to bring them into compliance in a timely manner. Likewise, business associates must make sure that they have appropriate business associate agreements in place with their subcontractors. Given that business associates (including subcontractor business associates) are now directly liable for violations of the applicable regulations, there is no time like the present to make sure these changes are made.