The HIPAA Privacy and Security Rules
The HIPAA Privacy Rule and Security Rule govern covered entities, which are defined as health care providers that engage in HIPAA electronic standard transactions, health plans, and health care clearinghouses. The Privacy Rule regulates covered entities’ uses and disclosures of PHI. PHI is broadly defined as individually identifiable information about health care or payment for health care. Under the Privacy Rule, covered entities are permitted to use and disclose PHI for certain purposes without obtaining written authorization. If a use or disclosure does not fit within such an exception, then a covered entity cannot use or disclose it without obtaining prior authorization. The Privacy Rule also provides patients with certain rights related to their PHI, such as the right to access their records and request restrictions on uses and disclosures of their PHI.
The Security Rule requires covered entities to take steps to protect the confidentiality, integrity, and availability of electronic PHI. These rules cover PHI in any electronic media that maintains or transmits PHI, including computer systems and mobile devices.
In order to buttress public trust in electronic claims systems, HIPAA authorized HHS to publish and enforce privacy and security regulations to protect PHI.
Prior to the Final Rule, the Privacy Rule and Security Rule also regulated two other categories of entities, but did so indirectly: business associates and subcontractors. Covered entities routinely engage other kinds of organizations to perform a wide range of functions and activities and provide them with services involving PHI. These parties, HIPAA’s “business associates,” range from attorneys and accountants to outsourced IT services, including cloud services vendors.
To indirectly regulate business associates and subcontractors, the Privacy Rule and Security Rule required covered entities to pass along specified PHI-related requirements to business associates through a required form of contract called a Business Associate Agreement. In this indirect form of regulation, covered entities could be penalized for letting a business associate use or disclose PHI to provide services without having a Business Associate Agreement in place. Prior to the Final Rule, business associates were permitted, in turn, to use subcontractors to support their functions, activities, or services, subject to a required Business Associate Agreement provision requiring the business associate to pass along “the same” contractual obligations to the subcontractor.
Final Rule Changes to Business Associates and Subcontractors
The Final Rule makes business associates directly liable under HIPAA. It also specifically names the following three types of entities as falling within the “business associate” definition:
- Entities that both transmit and routinely access PHI on behalf of a covered entity (e.g., health information organizations, e-prescribing gateways, etc.)
- Personal health record vendors serving covered entities
- Business associate subcontractors
Of these three groups, the extension of HIPAA to subcontractors is likely to prove the most challenging to attorneys from a compliance perspective. For instance, attorneys who maintain and transmit PHI on behalf of their business associate clients would be required to comply with all applicable HIPAA provisions, despite the fact that the client itself is not an actual covered entity. As a result, the client and attorney would need to enter into a Subcontractor Business Associate Agreement, and both parties would be held subject to the same breach notification requirements applicable to their upstream covered entity. Compliance with the Security and Privacy Rules would also fall upon such attorneys.
Note that certain entities that transmit PHI on behalf of covered entities may avoid business associate status if they fall within the “conduit exception,” an existing, informal HIPAA exception that HHS further clarified in the Final Rule. Originally intended to exclude courier services such as the U.S. Postal Service or Federal Express, the conduit exception gained increasing attention as data storage and cloud computing companies sought regulatory cover under the provision. The Final Rule restricted the use of the conduit exception for cloud service providers by clarifying that the conduit exception is not available for any entities that maintain PHI other than in a temporary or transient manner, thus increasing the likelihood that they would be deemed business associates.
It appears that the question may remain open as to whether cloud service providers and similar entities that store fully encrypted PHI for covered entities (or their business associates), but that never have the key to decrypt that data, would be deemed business associates. It is likely that at least some such service providers may take the position that they are not business associates. Attorneys contracting with such entities, either on behalf of their clients or on their own behalf, should remain aware of this issue and watch for additional guidance from OCR.
Given the expanded definition of business associate, which creates regulatory jurisdiction down “chains” of entities subcontracting one from another, there would seem to be a significant risk that a “lower tier” entity might not have notice of facts indicating potential business associate status, and this risk increases as it is further and further removed from the covered entity at the top of the chain.
Although a vendor should be alert to potential business associate status when contracting with a hospital, physician practice, or health plan, the question is not always so clear for all types of vendors. For example, it may not be clear for a data storage service that contracts with a secure messaging service, which in turn contracts with an application services provider, which is the only party with an actual contract with a covered entity hospital. As a result, all vendors will need to assess their potential status under the Final Rule.
Final Rule Changes to the Breach Notification Requirements
One of the changes to HIPAA mandated by the HITECH Act was creation of security breach notification requirements. Shortly after the HITECH Act, an interim final rule to implement the breach notification requirements was issued. As a result, covered entities implemented policies, procedures, and processes for breach notification under that rule. This version of the breach notification regulations contained a harm threshold, meaning that only those breaches posing a significant risk of financial, reputational, or other harm were reportable.
The Final Rule replaced the harm threshold standard with a new “rebuttable presumption” standard. HHS indicated that it modified the harm standard because this standard was too subjective in its focus on “harm to the individual” and resulted in inconsistent interpretations. The Final Rule clarifies that an impermissible use or disclosure of PHI is presumed to be a reportable breach unless the covered entity or business associate can demonstrate that there is a “low probability” that the PHI has been compromised. The Final Rule provides four factors to be considered to determine whether the PHI has been compromised. The four factors are as follows:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification. For example, risk increases when sensitive financial information, such as credit card numbers or Social Security Numbers, is involved or if the potential breach involves sensitive medical information.
- The identity of the unauthorized person who used the PHI or to whom the disclosure was made. If the recipient is another covered entity or business associate or covered under other privacy laws, the risk is decreased.
- Whether the PHI was actually acquired or viewed. For example, if a laptop is lost or stolen but later recovered, and a forensic analysis shows that the PHI was never accessed, that decreases risk.
- The extent to which the risk to the PHI has been mitigated. For example, the covered entity may mitigate risk by having the recipient sign a confidentiality agreement that the PHI will be destroyed or will not be further used or disclosed.
A covered entity or business associate must conduct a risk assessment that considers each one of these four factors; however, HHS indicated that additional factors may also be considered where necessary. Ultimately, covered entities and business associates must then evaluate the overall probability that the PHI has been compromised by considering all the factors in combination. In doing so, HHS emphasizes such risk assessments must be thorough and completed in good faith, and the conclusions reached must be reasonable. If an evaluation of these factors fails to demonstrate that there is a low probability that the PHI has been compromised, notification is required.
Changes to the Right to Access PHI
The Privacy Rule provides individuals a right to review or obtain copies of their PHI. Previously, covered entities were required to provide the records in the form or format requested by the individual, but if not readily producible in the requested format, then in hard copy form. The Final Rule changes these requirements for covered entities who maintain PHI electronically. Such covered entities must provide an electronic copy of an individual’s PHI in the electronic form and format requested by the individual, if it is readily producible, or in another agreed upon electronic form and format. The electronic copy must contain all PHI electronically maintained at the time the request is fulfilled, including images or other data linked to the designated record.
If the individual declines to accept any of the electronic formats the covered entity can readily produce, it can provide a hard copy. However, absent such refusal, a hard copy is insufficient for satisfying an electronic access request.
The Final Rule also provides the individual with the right to have a copy of PHI transmitted directly to another person that the individual designates in writing. The covered entity must comply with this written request as long as it is signed by the individual and clearly identifies the designated person and where the PHI is to be sent. Under this new change, attorneys seeking to obtain copies of their clients’ PHI will no longer have to submit a HIPAA-compliant authorization to a covered entity. Rather, they can simply have their clients make an access request and designate the attorney as the recipient.
Changes to the Right to Restriction
The Privacy Rule provides individuals with the right to request that a covered entity restrict otherwise permissible uses and disclosures of PHI in certain circumstances. However, prior to the Final Rule, covered entities were not required to accept a restriction request and many chose, as a matter of policy, not to. They typically chose not to do so because of the difficulty in implementing any such restriction and ensuring that future disclosures of PHI did not include the restricted information.
The Final Rule has created a mandatory restriction request. It directs that “A covered entity must agree to the request of an individual to restrict disclosure of protected health information about the individual to a health plan” when the disclosure “is for carrying out payment or health care operations” and the protected health information “pertains solely to a health care item or service for which the individual or person other than the health plan on behalf of the individual, has paid the covered entity in full.”
This new requirement raises interesting complexities for record keeping and may present particular challenges when the records at issue are in electronic systems that have been acquired from a third party.
Knowing which transactions are restricted should be simple and straightforward. Each health care item or service should be coded and its cost connected to the health care event for which payment is being sought. Similarly, accounts receivable systems should show which items are being paid for in any incoming payment transaction. By connecting payer identity to coded care items and services, the covered entity should know what information not to disclose.
Unfortunately, health care systems historically have been separated by function; patient billing, payment and reimbursement, and electronic medical records functions may be in separate systems. For the attorney representing a provider, the challenge will be assessing whether records are automated and whether automated systems can make the necessary data linkages. For the attorney representing patients, vigilance over whether providers are complying with the new rule will likely require a significant understanding of what is technically possible and the standards to which information systems providers should be held. The Final Rule seems quite clear on this last point; there is no exception for poorly designed systems.
Sale of PHI
The Final Rule prohibits covered entities and business associates from selling patients’ PHI without first obtaining specific authorization to do so, with certain exceptions. HHS defines “sale of PHI” to mean a disclosure of PHI by a covered entity, where the covered entity directly or indirectly receives “remuneration,” or compensation, in exchange for PHI. Remuneration may be either a financial or nonfinancial benefit.
The prohibition on the sale of PHI and specific authorization requirement does not apply to disclosures of PHI for the following situations:
- For public health purposes;
- For treatment and payment purposes;
- For the sale, transfer, merger, or consolidation of all or part of the covered entity and related due diligence;
- For disclosures required by law;
- For research purposes, where the only remuneration received by the covered entity is a reasonable cost-based fee to cover the cost of preparing and transmitting PHI;
- To the individual to respond to an access request; or
- To a business associate or subcontractor for services undertaken on behalf of a covered entity.
The Final Rule also includes a catchall exception for any permissible disclosure if remuneration is limited to only the cost of PHI preparation and transmittal. Covered entities and business associates will have to evaluate all disclosures they make of PHI that involve remuneration.
Constraints on the Use of PHI for Marketing Purposes
The Privacy Rule prohibits covered entities and business associates from using or disclosing PHI for marketing purposes without the individual’s express consent. Marketing is defined as “a communication about a product or service that encourages recipients . . . to purchase or use the product or service.” Previously, no prior authorization was required to make such communications provided there was an underlying treatment or health care operations justification. Now, under the Final Rule, covered entities must obtain written authorization to make a communication that would fall within the definition of marketing, regardless of whether it could otherwise be defined as a treatment or health care operations communication, if the communication is made in exchange for direct or indirect “remuneration” from a third party. “Remuneration” does not include nonfinancial benefits such as in-kind payments or payments for a purpose other than for making the marketing communication.
There is an exception for “refill reminders.” Such reminders must relate to a drug or biologic that is currently being prescribed for the individual, and any financial remuneration received by the covered entity must be reasonably related to the cost of making the communication.
The Final Rule did not make changes to certain exceptions that were in place under the Privacy Rule. As a result, face-to-face marketing communications and promotional gifts of nominal value are not subject to the authorization requirement. However, covered entities will have to review all their subsidized communications to determine the impact of the new Final Rule on marketing.
The Privacy Rule permits covered entities to use and disclose demographic information and dates of service about a patient for fund-raising purposes, provided that any fund-raising communications contain language instructing the recipient on how to opt out of receiving future communications.
The Final Rule expands the permissible PHI that can be used to include the department where the service was received (e.g., surgery), treating physician information, outcome information, and health insurance status. These additional categories of PHI will allow covered entities to engage in more targeted fund-raising efforts.
However, to temper the expansion of permissible PHI that can be used for fund-raising, the Final Rule strengthened the opt-out requirements. Each fund-raising communication must provide the individual with a clear and conspicuous opportunity to opt out of receiving further fund-raising communications, and the method must not result in undue burden or more than nominal cost to the individual. HHS indicates that requiring the individual to write a letter to opt out would be an undue burden. If an individual does opt out, the covered entity must not make any further fund-raising communications to the individual. Previously, covered entities only had to make “reasonable efforts” not to send further fund-raising communications.
Changes to the Notice of Privacy Practices
The Privacy Rule requires most covered entities to distribute a notice of privacy practices (NPP) that contains a description of the uses and disclosures of PHI a covered entity is permitted to make, its legal duties regarding PHI, and the individual’s rights concerning PHI.
The Final Rule requires covered entities to revise their NPPs to include a statement indicating that an individual’s written authorization is required for
- Most uses and disclosures of psychotherapy notes;
- Uses and disclosures of PHI for marketing purposes; and
- Disclosures that constitute a sale of PHI.
Covered entity health care providers are required to include language that informs individuals of their new right to restrict certain disclosures of PHI to a health plan where the individual pays out of pocket in full for the health care item or service.
NPPs now must also include a statement regarding individuals’ right to be notified of breaches. The statement need not be entity-specific nor describe the types of information that must be provided in a breach notification. Indeed, “a simple statement in the NPP that an individual has a right to or will receive” breach notifications will suffice.
The Final Rule cements HHS’ enforcement powers. Covered entities, business associates, and subcontractors are all subject to civil monetary penalties (CMPs) and other enforcement actions. This includes an increased and tiered CMP structure and mandatory investigation of complaints that indicate potential willful neglect.
Enforcement actions are on the rise, and significant CMPs have been imposed. As covered entities and business associates are audited and issues of non-compliance identified, it is likely that such trends will continue.
Other changes under the Final Rule include changes to the authorization requirements for clinical research and the exclusion from HIPAA of the information of individuals who have been dead more than 50 years.
In light of the changes to HIPAA under the Final Rule, all covered entities will need to evaluate their current policies, procedures, and processes and update them to incorporate the new requirements. Business associates and subcontractors will also need to do so in light of their new direct liability under HIPAA. Vendors and other service providers will need to evaluate their contracts to determine if they are business associates or subcontractors under the new Final Rule.