On July 14, 2010, the Department of Health and Human Services' Office for Civil Rights ("OCR") published long-awaited proposed regulations addressing many of the provisions set forth in the Health Information Technology for Economic and Clinical Health ("HITECH") Act which expand upon the HIPAA Privacy and Security Rules. Comments on the proposed rule must be submitted to OCR no later than September 13, 2010. We strongly encourage covered entities and business associates alike to submit comments on the practical implications of various provisions of the proposed rule. If you would like to submit a comment anonymously, consider contacting us or one of the professional organizations in which you participate with your comments.
This article represents the first in a two-part series on the proposed rule and focuses on the deadline for compliance with the provisions in the proposed rule, as well as the proposed rule's treatment of business associate subcontractors and business associate agreements ("BAAs"), an individual's right to access protected health information ("PHI"), and an individual's right to request restrictions on the use or disclosure of certain PHI. The second article will address the proposed rule's treatment of marketing, fundraising, and the sale of PHI, as well as other HIPAA Privacy and Security Rule-related issues, and the HIPAA enforcement rule. These articles are not intended to be an exhaustive summary of the proposed rule but, rather, to note highlights of the rule in each of the topic areas discussed.
1. Timing Issues.
- Compliance Deadline. In the proposed rule, OCR states that it intends to require compliance with most of the proposed rule's requirements 180 days after the effective date of the final rule. Because the public comment period for the proposed rule remains open until September 13, 2010, and because OCR's review and consideration of such comments will take some time, OCR estimates that it may issue a final rule sometime around the end of 2010. The effective date of the final rule will be 60 days after its publication, which means that the earliest OCR likely would be enforcing the requirements of the final rule is late summer or fall of 2011.
- BAA Transition Period. In order to "prevent rushed and hasty changes to thousands of existing on-going business associate agreements," OCR proposes a one-year "transition period" within which covered entities and business associates can modify their BAAs to comply with the new requirements. Specifically, covered entities and business associates can continue to operate under BAAs in place as of the publication date of the final rule ("Publication Date"), so long as those BAAs comply with the pre-HITECH BAA requirements, for up to one year and 240 days after the Publication Date. (The one year "transition period" apparently begins 240 days after the Publication Date, due to the 60 days between the Publication Date and the effective date of the final rule and the subsequent 180-day grace period for compliance noted above.)
BAAs which are renewed or modified within 60 days after the Publication Date are deemed compliant with the new requirements until one year and 240 days after the Publication Date, as long as such BAAs comply with the pre-HITECH BAA requirements. BAAs that include "evergreen" clauses (and thus automatically renew without amendment) also can remain in place for up to one year and 240 days after the Publication Date, at which point they must be revised to comply with the new requirements. However, BAAs which are renewed or modified between 60 and 240 days after the Publication Date must comply with the new requirements at the time of renewal or modification.
- Compliance Deadlines for Future Amendments. OCR further proposes, for future modifications to the HIPAA Privacy and Security Rules, to require compliance by covered entities and business associates with such modifications within 180 days from the effective date of such modifications, unless OCR determines that a longer compliance period is required for a particular rule.
Practically speaking, given these grace and transition periods, covered entities and business associates may wish to refrain from making amendments to their BAAs, notices of privacy practices, and HIPAA policies and procedures that are affected by the proposed rule at least until the final rule is published, as it is quite possible that the requirements of the final rule will vary in some measure from those described in the proposed rule. However, we would encourage covered entities and business associates to begin thinking about and planning a process now for making such amendments at the appropriate time. In addition, they should consider whether they wish to take advantage of the BAA transition period or, for business or liability reasons, whether they prefer to amend their BAAs within 60 days of the Publication Date.
2. Expansion of "Business Associates" to Subcontractors and Others. OCR for the first time proposes to include subcontractors of a covered entity (in other words, contractors of business associates who create, receive, maintain, or transmit PHI on behalf of such business associates) within the definition of a "business associate." OCR further proposes to define a "subcontractor" as a person who acts on behalf of a business associate, other than in the capacity of a member of the business associate's workforce, whether or not the person has a contract in place with the business associate. This means that subcontractors would have the same obligations under the HIPAA Privacy and Security Rules as do business associates, and subcontractors also would be directly liable for any violations of those rules. OCR made this significant change to the definition of "business associate" to ensure that privacy and security protections for PHI do not lapse simply because a function involving PHI is performed by a subcontractor rather than by an entity having a direct contractual relationship with the covered entity. OCR clarifies that the proposed rule does not require covered entities to have separate contracts with business associate subcontractors.
Instead, the proposed rule requires that business associates now enter into BAAs with each such subcontractor, and that subcontractors enter into BAAs with their subcontractors who perform functions involving PHI for or on behalf of the primary subcontractors. The purpose of requiring BAAs is to ensure that subcontractors agree to the same privacy and security protections that apply to covered entities and business associates under HIPAA. Practically speaking, the inclusion of subcontractors within the definition of a "business associate" means that subcontractors are liable for their violations of HIPAA even absent a BAA. However, because the proposed rule specifically requires business associates to enter into BAAs with their subcontractors, and because some subcontractors may not be aware of the detailed privacy and security obligations to which they are subject by virtue of now being considered business associates, we advise business associates to require their subcontractors who regularly handle PHI to execute BAAs, subject to the timing considerations noted in Section 1 of this article.
The proposed rule also adds the following entities to the definition of "business associate":
- Patient safety organizations ("PSOs"), in conformance with the requirements of the Patient Safety and Quality Improvement Act of 2005.
- Health information organizations, e-prescribing gateways, and other organizations that offer data transmission of PHI to covered entities and, in so doing, require routine access to PHI. In commentary, OCR confirms that "mere conduits" which access PHI only randomly or infrequently are not business associates.
- Persons or entities offering a personal health record to one or more individuals on behalf of a covered entity.
3. Individual's Right to Request Restrictions. Section 164.522 of the HIPAA Privacy Rule requires covered entities to permit individuals to request restrictions on the manner in which a covered entity may use or disclose that individual's PHI for purposes of treatment, payment, and health care operations, but covered entities are not required to agree to such requested restrictions (and typically do not do so). Section 13405(a) of the HITECH Act, effective as of February 18, 2010, for the first time requires covered entities to agree to a requested restriction where (a) an individual has requested the covered entity not to disclose PHI to a health plan for payment or health care operations purposes, and (b) the PHI at issue relates solely to a health care item or service for which the individual, or another person on behalf of the individual (other than the health plan), has paid the covered entity out of pocket in full. This statutory requirement overrides the existing regulatory provision that the covered entity is not required to agree to requests for restrictions, so OCR has proposed revisions to Section 164.522 to include this new requirement.
OCR clarifies, however, that this new provision does not permit covered entities to require an individual, as a condition of taking advantage of this right, to pay out of pocket for all services received by the individual from that provider. For example, a patient who receives both asthma and diabetes treatment from the same provider may pay out of pocket for the diabetes treatment and therefore have a right to have the provider restrict disclosure of diabetes-related treatment information to the health plan, without also having to pay out of pocket for asthma treatment in order to have the provider honor the request regarding the diabetes treatment information. Because most HMO plans do not permit individuals to pay a provider in full for treatment, OCR notes that HMO enrollees might be required to use out-of-network providers if they wish to ensure that PHI for certain conditions is not disclosed to their HMO.
This HITECH Act provision on restrictions has generated significant concern across the health care industry due to unanswered questions about whether current technology will permit covered entities to comply with such requested restrictions and how this new requirement practically can be put into operation by covered entities and business associates in a cost-effective manner. In the proposed rule, OCR requests comment on numerous facets of this new requirement, suggesting that it may appreciate some of the technical and operational complexities involved in complying with this provision. For example, OCR seeks comment on:
- the types of interactions between covered entities and individuals that would make requesting or implementing a restriction on uses or disclosures of PHI more difficult. Specifically, OCR seeks suggestions about methods by which a provider, through the use of e-prescribing, can alert a pharmacy that an individual may wish to request a restriction and that the individual plans to pay for the prescription out of pocket. Without such an alert, a pharmacy typically provides the prescription information to the individual's health plan for payment before the individual arrives at the pharmacy to pick up the prescription.
- the obligation of a covered entity that knows of an individual's restriction to inform "downstream" providers of such restriction. Should the restriction apply to such information as it moves downstream, or should it no longer apply unless and until the individual visits the downstream provider, requests a restriction, and pays out of pocket for the item or service at that visit? OCR further requests comment on the extent to which technology exists that would facilitate such downstream notifications and how widespread these technologies are.
- the extent to which covered entities must make reasonable efforts to secure payment from the individual prior to submitting PHI to the health plan for payment. For example, if the individual pays for an item or service by check but the check bounces, should covered entities be required to notify the individual of this fact and give the individual another opportunity to submit payment?
- whether it is appropriate, when an individual who has requested (and paid out of pocket for) a restriction on disclosure of PHI about a particular health care service visits the same provider for follow-up care but neither requests a restriction nor pays out of pocket for the follow-up care, for the covered entity to submit PHI related to the previous treatment to the individual's health plan if such PHI is necessary for the provider to obtain payment for the follow-up treatment.
4. Individual's Right to Access PHI. Section 164.524 of the HIPAA Privacy Rule requires covered entities to permit individuals to inspect and obtain a copy of their PHI that is maintained in a designated record set, but the copy is not required to be provided in an electronic format. The proposed rule implements the HITECH Act requirement that covered entities which maintain PHI in an electronic health record ("EHR") must permit individuals to access such PHI electronically or to obtain an electronic copy of such PHI, and upon specific request covered entities must provide a copy of that PHI to any entity or person specifically designated by the individual. In addition, if a covered entity maintains PHI electronically in a format other than an EHR, the proposed rule would require the covered entity to provide copies of all such PHI to the individual, not solely the PHI maintained in an EHR. The PHI must be provided in an electronic form and format requested by the individual if possible or, if not, in an electronic form and format upon which the individual and the covered entity agree. One practical problem with OCR's approach in this regard is that not all vendors' electronic equipment is required to produce, or is capable of producing, readable electronic copies of information maintained in that equipment. Accordingly, meeting this requirement, as proposed, will be quite difficult in the near term.
The HIPAA Privacy Rule permits covered entities to impose a "reasonable, cost-based fee" for providing an individual with a copy of PHI, which fee may include the cost of copying, including the cost of supplies for and labor of copying. In the proposed rule, OCR evaluates what elements are appropriately included in a "reasonable, cost-based fee," and it proposes that such a fee includes costs attributable to the labor involved in reviewing and responding to the request (which OCR expects would be "negligible"). Covered entities and business associates should take note that, in OCR's view, charging individuals for labor costs involved in making an electronic copy is improper, where such costs result from technical problems or from a workforce member's lack of adequate training.
OCR acknowledges that the HITECH Act permits covered entities to charge a reasonable, cost-based fee for any electronic media (e.g., a thumb drive or a CD) furnished in the process of responding to an individual's request for an electronic copy of PHI. However, according to OCR, if an individual brings in his or her own CD or requests that the covered entity send the electronic copy of PHI by unencrypted e-mail, the covered entity should counsel the individual about the risks associated with unencrypted e-mail but could not, in either instance, require the individual to pay for an encrypted thumb drive to obtain the copy of PHI. We hope OCR will clarify in the final rule two points related to this statement. First, for legitimate information security reasons, covered entities should not be required to accept a thumb drive furnished by an individual for use in making an electronic copy of PHI. Second, if individuals insist on receiving electronic copies of PHI by unencrypted e-mail, covered entities should be permitted to obtain releases from such individuals acknowledging that the individual will not hold the covered entity liable if a breach of the individual's PHI results from the unencrypted e-mail transmission.
Once again, OCR requests comment on numerous facets of this new HITECH requirement. OCR seeks comment on:
- the appropriateness of its presumption that covered entities are capable of providing individuals electronic access to their PHI through a secure portal, via e-mail, on portable electronic media, or in some other manner.
- what types of activities related to managing requests for electronic access to PHI should be considered compensable aspects of labor.
- whether all requests for access to PHI (both paper and electronic) should be responded to without unreasonable delay and not later than 30 days after the request, or whether different response periods are appropriate depending upon whether the PHI is maintained electronically or on paper.