Executive Alert

The HITECH Act Reloaded: HHS Issues Proposed Modifications to HIPAA Privacy, Security and Enforcement Rules

On July 14, 2010, the U.S. Department of Health and Human Services (“HHS”) published proposed regulations (the “Proposed Rule”) that will implement modifications to the HIPAA Privacy, Security and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), enacted on February 17, 2009.

The long-anticipated proposed regulations, when finalized later this year, will implement the HITECH Act’s expansion of the HIPAA Privacy, Security and Enforcement Rules to directly apply them to Business Associates (those persons and entities which perform services for or on behalf of Covered Entities and that have access to, create, receive or use or disclose Protected Health Information (“PHI”)). Business Associates and Covered Entities will be required to comply with the new regulations within 180 days (6 months) after the effective date of the Final Rule, and to amend or replace their existing Business Associate Agreements at the earliest renewal or modification which occurs during an 18-month contract transition period calculated from the effective date of the Final Rule. Comments on the Proposed Rule will be accepted for 60 days, until September 13, 2010.

A few of the more significant changes contained in the Proposed Rule are summarized as follows:

  • Expanded Definition of Business Associate: The Proposed Rule adds the following entities as Business Associates: health information organizations, e-prescribing gateways, other persons that provide data transmission services requiring access to PHI on a routine basis, vendors offering personal health records to patients on behalf of Covered Entities, and subcontractors of Business Associates requiring access to PHI. Business Associates must have a written Business Associate Agreement with each subcontractor. A subcontractor will be required to comply with the Security Rule and applicable Privacy Rule provisions to the same extent as the principal Business Associate. A written contract between the subcontractor and the upstream Covered Entity will not be required, however.
  • HIPAA Privacy, Security and Enforcement Rules Expanded to Directly Apply to Business Associates: The Proposed Rule promulgates the HITECH Act’s requirement that Business Associates (and subcontractors) be directly subject to the HIPAA Security and Privacy Rules with respect to PHI of their Covered Entities, including direct application of the Security Rule’s administrative, technical and physical safeguards, and direct enforcement and penalties by the HHS Office of Civil Rights for HIPAA violations.
  • New Scope and Limitations of Privacy Rule’s Marketing and Fundraising Provisions: The Proposed Rule restricts the ways in which Covered Entities may use or disclose PHI for marketing and fundraising purposes. For example, fundraising communications must contain clear language allowing individuals to opt out of future communications. The Proposed Rule would essentially ban disclosures of PHI for written marketing communications in the absence of a written authorization from the individual, except for limited “remunerated treatment communications” for prescribed drugs or biologics, and certain non-remunerated communications about treatment, case management, care coordination, or other health-related products or services. The Proposed Rule requires a Covered Entity’s Notice of Privacy Practices to inform individuals of these requirements.
  • Expansion of Individuals’ Rights: The Proposed Rule implements the HITECH Act’s expansion of individuals’ rights to access and receive copies of their PHI, to request restrictions of disclosures to health plans for services paid out of pocket and to be informed of marketing and fundraising disclosures in the Notice of Privacy Practices. (However, the Proposed Rule does not address the changes to the accounting of disclosures requirement enacted by the HITECH Act.)
  • Increased Enforcement and Penalties: The Proposed Rule modifies the Enforcement Rule to require mandatory investigation of HIPAA violations where the facts indicate a possible violation due to willful neglect, makes Business Associates directly liable for HIPAA violations, and clarifies that Covered Entities and Business Associates will remain directly liable for the acts of their agents, regardless of whether a Business Associate Agreement is in place. HHS indicates in the preamble that Covered Entities and Business Associates will not be held directly liable for the acts of independent contractors.
  • Minimum Necessary Disclosures: The preamble to the Proposed Rule recognizes the mandate under the HITECH Act for HHS to issue guidance on what constitutes “minimum necessary” disclosures of PHI, and that Covered Entities (and Business Associates with respect to subcontractors) must consider the feasibility of using Limited Data Sets (data with certain individual identifiers removed) in making disclosures of PHI. The Proposed Rule leaves the regulation text on “minimum necessary” unchanged, instead soliciting comments relating to the content of the future HHS guidance.
  • Knowledge of Violation: Covered Entities (or Business Associates contracting with subcontractors) that have knowledge of a practice or pattern of activity of a Business Associate (or subcontractor) in violation of the terms of the Business Associate Agreement must take steps to cure the violation, or terminate the contract, but are not required to report the violation to the Secretary of HHS unless the violation triggers reporting of a breach of unsecured PHI under the Breach Notification Rule (45 C.F.R. part 164, subpart D).
  • Allowance of Compound Authorizations in Research Studies: The Proposed Rule would allow an authorization for use or disclosure of PHI for a research study to be combined with other types of written permission for the same or another research study, as long as certain conditions are satisfied.

It will likely be several months before these regulations are finalized and compliance dates established, but Covered Entities and Business Associates should be assessing their current level of HIPAA Privacy and Security compliance in light of HITECH Act provisions that are currently in effect. Modifications to policies, procedures, Business Associate Agreements, Notices of Privacy Practices and reasonable and appropriate encryption and other data security measures should be considered in light of these changes.

For further information, please contact any member of Baker Hostetler’s Healthcare Industry Team or Employee Benefits Group.

Authorship Credit: John S. Mulhollan



Baker & Hostetler LLP publications are intended to inform our clients and other friends of the Firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience. © 2010 Baker & Hostetler LLP