FAQ on the Proposed Modifications to the HIPAA Rules: Part One

As reported last week, on Thursday the Department of Health and Human Services ("HHS") issued its long-anticipated Notice of Proposed Rulemaking ("NPRM") on Modifications to the Health Insurance Portability and Accountability Act ("HIPAA") Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act (the "HITECH" Act).  For those of us who subscribe to numerous technology and law listservs, this meant email inboxes flooded with opinions, criticism, speculation, and flat-out fear mongering.  We thought people might like to know what the proposed modifications actually say, and what they mean.  So, this post provides Part One of a FAQ on the 234-page NPRM.  This post, Part One, addresses general issues (including significant changes involving subcontractors) and proposed modifications to the HIPAA Security and Enforcement Rules.  Part Two, later this week, will address the proposed modifications to the HIPAA Privacy Rule.

General

  • What did HHS actually do?

HHS issued this NPRM to modify the Standards for Privacy of Individually Identifiable Health Information (known as the HIPAA Privacy Rule), the Security Standards for the Protection of Electronic Protected Health Information (referred to as the HIPAA Security Rule), and the rules pertaining to Compliance and Investigations, Imposition of Civil Money Penalties, and Procedures for Hearings (the HIPAA Enforcement Rule) issued under HIPAA.  HHS's articulated purpose in issuing these proposed modifications "is to implement recent statutory amendments under the" HITECH Act, "to strengthen the privacy and security protection of health information, and to improve the workability and effectiveness of these HIPAA Rules."  The NPRM includes several sections:

  1. a description of the statutory and regulatory background of the proposed rules;
     
  2. a section-by-section description of the proposed modifications;
     
  3. the impact statement and other required regulatory analyses; and
     
  4. the proposed modifications themselves [hint:  these begin at page 176 of the NPRM].

  • Have the proposed modifications been published in the Federal Register?

No, not yet.  We expect them to be published this Wednesday, July 14, 2010.

  • Will there be an opportunity to comment on these proposed modifications before they become final?

Yes, the public comment period will begin when the proposed modifications are published in the Federal Register.  Therefore, organizations and individuals will have until approximately September 12, 2010, to comment.  Note, however, that September 12 is a Sunday, so individuals and organizations should plan to submit any comments by September 10, 2010, at the latest.

  • What is the compliance deadline for the proposed modifications?

There is time.  These are only proposed modifications.  As noted above, there will be 60 days after publication for public comment, and it will take HHS more time to issue the final rule.  HHS also states in the NPRM that it intends to provide covered entities and business associates with 180 days beyond the effective date of the final rule to come into compliance with most of the rule's provisions.  (However, this 180-day default rule would NOT apply to modifications to the HIPAA Enforcement Rule, which will be in effect and apply at the time the final rule becomes effective or as otherwise specifically provided, or where HHS expressly provides a different compliance period in the regulation for one or more provisions.)

  • Does the NPRM address breach notification?

No.  That was the subject of previous rulemaking, reported here.  However, the practical impact of the proposed modifications would be to require subcontractors that are acting as business associates (see more on that below) to report breaches and other security incidents to business associates (which requirement must be included in the contract between the business associate and the subcontractor).  As noted in the NPRM, "if a breach of unsecured protected health information occurs at or by a subcontractor, the subcontractor must notify the business associate of the breach, which then must notify the covered entity of the breach. The covered entity then notifies the affected individuals, the Secretary, and, if applicable, the media, of the breach, unless it has delegated such responsibilities to a business associate."

  • Does the NPRM cover all of the changes effected by the HITECH Act?

No, the NPRM does not address breach notification, the modified civil money penalty structure, the accounting for disclosures requirement, the penalty distribution methodology requirement, the new authority of the State Attorneys General to enforce the HIPAA Rules, or the required studies, reports, guidance, audits, or education efforts.

General Impact on Business Associates

  • How would the proposed modifications affect business associates?

As business associates already know, the HITECH Act makes the Security and Privacy Rules, and certain other aspects of HIPAA, directly applicable to business associates.  The proposed modifications would make this crystal clear.  Consistent with the requirements of the HITECH Act, the proposed modifications "would make clear that, where provided, the standards, requirements, and implementation specifications of the HIPAA Privacy, Security, and Breach Notification Rules apply to business associates."

  • Would the NPRM include additional entities within the definition of business associate?

Yes.  The proposed definition would make clear that the following entities are all business associates covered by the Rule:  Patient Safety Organizations, Health Information Organizations, E-prescribing Gateways, other persons that provide data transmission services with respect to protected health information to a covered entity and that require routine access to such protected health information, persons who offer a personal health record to one or more individuals on behalf of a covered entity, and certain subcontractors (see below for elaboration on subcontractors).  HOWEVER, importantly, "data transmission organizations that do not require access to protected health information on a routine basis would not be treated as business associates."  This is a narrow category.  HHS is careful to note that "entities that manage the exchange of protected health information through a network, including providing patient locator services and performing various oversight and governance functions for electronic health information exchange, have more than 'random' access to protected health information" and therefore would be business associates.

  • I am hearing a lot of concern about the possibility that subcontractors might be treated as business associates even if they don't have a business associate agreement.  What is that all about?

Yes, the proposed modifications would make subcontractors of a covered entity business associates to the extent they require access to protected health information, even if the agent or other person who acts on behalf of a business associate does not have a contract with the business associate.  In other words, such an agent or other organization would not be able to rely on the fact that a business associate has not made it execute a business associate agreement in taking the position that it is not actually a business associate.  If it acts on behalf of a business associate and it requires access to protected health information for some or all of its functions, it would be deemed a business associate for purposes of the Rule and must comply.  This would be a major change.

The NPRM states as follows:

"We propose to add language in . . . the definition of “business associate” to provide that subcontractors of a covered entity – i.e., those persons that perform functions for or provide services to a business associate, other than in the capacity as a member of the business associate’s workforce, are also business associates to the extent that they require access to protected health information. We also propose to include a definition of “subcontractor” . . .  to make clear that a subcontractor is a person who acts on behalf of a business associate, other than in the capacity of a member of the workforce of such business associate. Even though we use the term “subcontractor,” which implies there is a contract in place between the parties, we note that the definition would apply to an agent or other person who acts on behalf of the business associate, even if the business associate has failed to enter into a business associate contract with the person."

(Emphasis added.)

In today's business world, with ever-expanding multi-level arrangements for outsourcing, offshoring, and cloud computing, such a change in the HIPAA regulatory structure would have a tremendous impact.  This appears to be exactly what HHS has in mind.  As noted by the NPRM, "we propose that downstream entities that work at the direction of or on behalf of a business associate and handle protected health information would also be required to comply with the applicable Privacy and Security Rule provisions in the same manner as the primary business associate, and likewise would incur liability for acts of noncompliance." 

It is quite possible that many such vendors have no idea that they serve in such a capacity, or fail to do due diligence to determine if they are an agent of a business associate.  Going forward, if the proposed modifications become final in their current form, vendors MUST determine whether they are playing such a role and set up contracts/handle compliance obligations accordingly.  It will be the business associate's responsibility to set up a contract (and a business associate will be liable for a civil money penalty for a violation based on the act or omission of any agent of the business associate, including a workforce member or subcontractor, acting within the scope of the agency).  However, lack of such a contract (i.e., the business associate's failure to comply with its own responsibility in this regard) would not let the agent off the hook.

The NPRM provides the following example:

under this proposal, if a business associate, such as a third party administrator, hires a company to handle document and media shredding to securely dispose of paper and electronic protected health information, then the shredding company would be directly required to comply with the applicable requirements of the HIPAA Security Rule (e.g., with respect to proper disposal of electronic media) and the Privacy Rule (e.g., with respect to limiting its uses and disclosures of the protected health information in accordance with its contract with the business associate).

  • OK, but if the covered entity fails to set up a contract with me as a business associate in the first place, I am not a business associate, right?

Wrong.  Even if there is no contract, under the proposed modifications, you are a business associate if you meet the definition of business associate:

"a person is a business associate if it meets the definition of “business associate,” even if a covered entity, or business associate with respect to a subcontractor, fails to enter into the required contract with the business associate."

(Note that a covered entity is not off the hook if it fails to set up a contract.  To the contrary, under the proposed modifications, a covered entity would remain liable for the acts of its business associate agents, "regardless of whether the covered entity has a compliant business associate agreement in place.")

Definition of PHI

  • Does the NPRM alter the definition of protected health information in any way?

Yes, the definition would be modified to make clear that the Privacy and Security Rules "do not protect the individually identifiable health information of persons who have been deceased for more than 50 years," so those who have been deceased since at least 1960 (assuming the final Rule becomes effective this year).

Proposed Modifications to the HIPAA Security Rule

As discussed above, the proposed modifications would add references to business associates in the Security Rule to make clear that, consistent with the requirements of the HITECH Act, business associates are now directly responsible for complying with the Security Rule.

  • Is a covered entity required to obtain by contract assurances regarding security of ePHI from subcontractors acting as business associates under the new definition?

No. That is the responsibility of the business associate. The proposed modifications would "clarify that covered entities are not required to obtain satisfactory assurances in the form of a contract or other arrangement with a business associate that is a subcontractor" but instead would "make clear that it is the business associate that must obtain the required satisfactory assurances from the subcontractor to protect the security of electronic protected health information."

Proposed Modifications to the HIPAA Enforcement Rule

  • How would the proposed modifications impact enforcement in cases of willful neglect?

The HITECH Act established four tiers of penalty amounts to correspond with levels of culpability. The lowest penalty tier addresses situations where the covered entity or business associate did not know, and by exercising reasonable diligence would not have known, of a violation. The second category applies to violations due to reasonable cause and not to willful neglect. The third and fourth categories apply to circumstances where the violation was due to willful neglect that is corrected within a certain time period and willful neglect that is not so corrected.  Consistent with the changes under HITECH, the proposed modifications would make clear that the Secretary will investigate any complaint filed when a preliminary review of the facts indicates a possible violation due to willful neglect.  As a practical matter, this may not change much, as the NPRM states that "HHS currently conducts a preliminary review of every complaint received and proceeds with the investigation in every eligible case where its preliminary review of the facts indicate a possible violation of the HIPAA Rules."  HHS is not required to attempt to resolve by informal means cases of noncompliance due to willful neglect.

Further, under the proposed modifications, the Secretary will conduct a compliance review to determine whether a covered entity or business associate is complying with the applicable administrative simplification provision when a preliminary review of the facts indicates a possible violation due to willful neglect. 

The NPRM includes a few examples of willful neglect, as follows, two of which highlight the importance of written policies and procedures:

1. A covered entity disposed of several hard drives containing electronic protected health information in an unsecured dumpster, in violation of § 164.530(c) and § 164.310(d)(2)(i). HHS’s investigation reveals that the covered entity had failed to implement any policies and procedures to reasonably and appropriately safeguard protected health information during the disposal process.

2. A covered entity failed to respond to an individual’s request that it restrict its uses and disclosures of protected health information about the individual. HHS’s investigation reveals that the covered entity does not have any policies and procedures in place for consideration of the restriction requests it receives and refuses to accept any requests for restrictions from individual patients who inquire.

3. A covered entity’s employee lost an unencrypted laptop that contained unsecured protected health information. HHS’s investigation reveals the covered entity feared its reputation would be harmed if information about the incident became public and, therefore, decided not to provide notification as required by § 164.400 et seq.

  • Do the proposed modifications otherwise speak to the penalty tiers established by the HITECH Act?

Yes.  HHS proposes to modify the definition of “reasonable cause” to clarify the full scope of violations that will come within the reasonable cause category of violations, including those circumstances that would make it unreasonable for the covered entity or business associate, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provisions violated, as well as those circumstances in which a covered entity or business associate has knowledge of a violation but lacks the conscious intent or reckless indifference associated with the willful neglect category of violations.  Specifically, HHS proposes to replace the current definition of “reasonable cause” with the following:

an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.

The NPRM provides the following example:

A covered entity received an individual’s request for access but did not respond within the time periods provided for in § 164.524(b)(2). HHS’s investigation reveals that the covered entity had compliant access policies and procedures in place, but that it had received an unusually high volume of requests for access within the time period in question. While the covered entity had responded to the majority of access requests received in that time period in a timely manner, it had failed to respond in a timely manner to several requests for access. The covered entity did respond in a timely manner to all requests for access it received subsequent to the time period in which the violations occurred.

HHS also notes that the modified definition of reasonable cause would encompass those circumstances in which a covered entity or business associate has knowledge of the violation but lacks the conscious intent or reckless indifference associated with willful neglect, and provides the following example:

A covered entity presented an authorization form to a patient for signature to permit a disclosure for marketing purposes that did not contain the core elements required by § 164.508(c). HHS’s investigation reveals that the covered entity was aware of the requirement for an authorization for a use or disclosure of protected health information for marketing and had attempted to draft a compliant authorization but had not included in the authorization the core elements required under § 164.508.

  • Do the nature and extent of the violation and the harm resulting from the violation matter for purposes of penalties?

Yes.  The proposed modifications would require the Secretary’s consideration of the nature and extent of the violation, as well as the nature and extent of the harm resulting from violation, in assessing civil monetary penalties, working under the tiered structure described above.  This would include considering the time period during which the violation(s) occurred and the number of individuals affected. 

With respect to the nature and extent of the harm, "HHS proposes to add reputational harm to make clear that reputational harm is as cognizable a form of harm as physical or financial harm." 

The history of an entity's compliance is also relevant: HHS proposes to revise the term "violations" to “indications of noncompliance” to conform to "HHS’ policy of considering a covered entity’s general history of HIPAA compliance."

  • Are civil monetary penalties barred if the act is criminally punishable?

After February 18, 2011, HHS’s authority to impose a civil money penalty would only be barred to the extent a covered entity or business associate can demonstrate that a criminal penalty has been imposed under 42 U.S.C. 1320d-6 with respect to such act (not merely "criminally punishable").  42 U.S.C. 1320d-6 provides that a person who knowingly (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall (1) be fined not more than $50,000, imprisoned not more than 1 year, or both; (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and (3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.