FAQ on the Proposed Modifications to the HIPAA Rules: Part Two

This post is Part Two of my FAQ on the proposed modifications to the HIPAA Rules issued by HHS last week.  Part One can be found here. Part Two focuses on the proposed modifications to the Privacy Rule.

  • I know the Security Rule would now apply to business associates.  What about the Privacy Rule?

Yes, the proposed modifications make clear, consistent with the HITECH Act, that, where provided, the standards, requirements, and implementation specifications of the Privacy Rule apply to business associates.  Specifically, among other things:

  1. a business associate may not use or disclose PHI except as permitted or required by the Privacy Rule or the Enforcement Rule;
     
  2. a business associate may use or disclose PHI only as permitted or required by its business associate contracts or as required by law;
     
  3. if a covered entity and business associate have failed to enter into a business associate contract or other arrangement, then the business associate may use or disclose PHI only as necessary to perform its obligations for the covered entity (pursuant to whatever agreement sets the general terms for the relationship between the covered entity and business associate) or as required by law;
     
  4. a business associate may not use or disclose PHI in a manner that would violate the Privacy Rule if done by the covered entity, except that the business associate may use or disclose PHI for uses and disclosures for the proper management and administration of the business associate and the provision of data aggregation services for the covered entity, if such uses and disclosures are permitted by its business associate contract or other arrangement;
     
  5. a business associate must disclose PHI either when required by the Secretary in connection with an investigation or determination of the business associate's compliance, or to the covered entity, individual, or individual’s designee, as necessary to satisfy a covered entity’s obligations with respect to an individual’s request for an electronic copy of PHI (see more on access rights below);
     
  6. when a business associate uses, discloses, or requests PHI, it must limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request;
     
  7. a business associate may disclose PHI to a business associate that is a subcontractor, and may allow the subcontractor to create or receive PHI on behalf of the business associate, if the business associate obtains satisfactory assurances that the subcontractor will appropriately safeguard the information.  See 8 below;
     
  8. as discussed with respect to the proposed modifications to the Security Rule in Part One, a covered entity is not required to obtain satisfactory assurances from a business associate that is a subcontractor.  Instead, the business associate must obtain satisfactory assurances, through a written contract or other arrangement, from its subcontractors that provide that the subcontractor will comply with the applicable requirements of the Rules. A business associate must enter into business associate contracts, or other arrangements that comply with the Privacy and Security Rules, with its business associate subcontractors in the same manner that covered entities are required to enter into contracts or other arrangements with their business associates;
     
  9. like a covered entity, a business associate that knows of a pattern or practice of activity of its business associate subcontractor that constitutes a material breach or violation of the subcontractor's contract or other arrangement must take reasonable steps to cure the breach or end the violation and, if those steps are unsuccessful, terminate the contract, if feasible;
     
  10. all business associate contracts must now specify that the business associate will (a) comply, where applicable, with the Security Rule with regard to ePHI; (b) report breaches of unsecured PHI to the covered entity; (c) ensure that any subcontractors that create or receive PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information; and (d) to the extent it is to carry out a covered entity's obligation, comply with the requirements of the Privacy Rule that apply to the covered entity in the performance of such obligation (clarifying that a business associate is contractually liable not only for its uses and disclosures of PHI, but also for all other requirements of the Privacy Rule, as they pertain to the performance of the business associate's contract).

HHS notes that it need not add references to business associates everywhere in the Privacy Rule because a business associate generally may only use or disclose PHI  in the same manner as a covered entity, and therefore any Privacy Rule limitation on how a covered entity may use or disclose protected health information "automatically extends to business associates."

  • Do the modifications change business associate responsibilities regarding notices of privacy practices?

The proposed modifications would require organizations that currently issue notices of privacy practices to make material changes to those notices (for more, read on below).  However, the proposed modifications do not appear to change the existing rules as to who is responsible for issuing the notice of privacy practices.  Ordinarily that is the covered entity, although the covered entity may require a business associate to do so by contract.  If a business associate fails to do so, although it may have contractual liability, the covered entity is still liable under the statute since it has the ultimate responsibility to maintain and distribute the notice.

  • Does HHS really expect all covered entities and business associates to amend their business associate contracts within 180 days of the new Rules going into effect?

No.  HHS proposes to relieve some of the burden on covered entities and business associates in complying with the revised business associate provisions by adding a transition provision that grandfathers certain existing WRITTEN contracts for a specified period of time.  Specifically, the transition period would allow covered entities and business associates (and business associates and business associate subcontractors) to continue to operate under existing contracts for up to one year beyond the compliance date of the revisions to the Rules if, prior to the publication date of the modified Rules, the covered entity or business associate had an existing contract or other written arrangement with a business associate or subcontractor that complied with the prior provisions of the HIPAA Rules, and such contract or arrangement is not renewed or modified between the effective date and the compliance date of the modifications to the Rules.  The transition period would also apply to contracts that renew automatically without any change in terms or other action by the parties ("evergreen contracts") - deemed compliance would not terminate when these contracts automatically roll over.  The transition period applies ONLY to amendments of contracts; it has no other application to the compliance date for the new Rules, discussed in Part One.

  • Does the NPRM address notices of privacy practices (NPPs)?

Yes, there are important changes.  The proposed modifications would require that all NPPs include a statement that describes the uses and disclosures of PHI that require an authorization under §164.508(a)(2) through (a)(4), and to provide that other uses and disclosures not described in the notice will be made only with the individual’s authorization. HHS explains that "[t]he proposed provision would ensure that covered entities provide notice to individuals indicating that most disclosures of protected health information for which the covered entity receives remuneration would require the authorization of the individual. Such uses and disclosures may have previously been permitted under other provisions of the Rule but now require authorization."

The changes would also require that covered entities provide notice that most uses and disclosures of psychotherapy notes and for marketing purposes require an authorization.  Further, a covered entity that intends to send treatment communications to the individual concerning treatment alternatives or other health-related products or services where the provider receives financial remuneration in exchange for making the communication would be required to inform the individual in advance in the NPP, as well as inform the individual that he or she has the opportunity to opt out of receiving such communications.  In addition, the proposed modifications would add a requirement that the NPP inform individuals that they have a right to opt out of receiving fundraising communications.  For more on the other changes to requirements for communications for which the provider receives financial remuneration, and fundraising communications, see below.

Due to implementation of the HITECH Act requirements in the proposed modifications to the Rule, the NPP can no longer state that a covered entity is not required to agree to an individual's request for restrictions.  There will be certain circumstances where a covered entity is required to agree.  For more information, see below.  

HHS seeks comment as to whether the Privacy Rule should require a specific statement in the NPP regarding breach notification duties, and on what particular aspects of this new duty would be important for individuals to be notified of in the NPP.

  • Wouldn't these modifications require material changes to the NPP that would trigger a requirement to revise and redistribute the NPP?

Indeed.  As noted by HHS, these modifications would constitute a material change to the NPP of a covered entity.  The existing Rule requires that, when there is a material change to the NPP, covered entities must promptly revise and distribute the NPP, and that health plans provide notice to individuals covered by the plan within 60 days of any material revision to the NPP.

HHS recognizes that revising and redistributing a NPP may be costly for health plans and seeks  comment on ways to inform individuals of this change to privacy practices without unduly burdening health plans. HHS is considering the following and seeks comment thereon:  "(1) replace the 60-day requirement with a requirement for health plans to revise their NPPs and redistribute them (or at least notify members of the material change to the NPP and how to obtain the revised NPP) in their next annual mailing to members after a material revision to the NPP, such as at the beginning of the plan year or during the open enrollment period; (2) provide a specified delay or extension of the 60-day timeframe for health plans; (3) retain the provision generally to require health plans to provide notice within 60-days of a material revision but provide that the Secretary will waive the 60-day timeframe in cases where the timing or substance of modifications to the Privacy Rule call for such a waiver; or (4) make no change, and thus, require that health plans provide notice to individuals within 60 days of the material change to the NPP that would be required by this proposed rule."

By contrast, HHS does not think the following existing requirements will be overly burdensome on providers and does not propose any changes:  when a health care provider with a direct treatment relationship with an individual revises the NPP, the health care provider must make the NPP available upon request on or after the effective date of the revision and must have the NPP available at the delivery site and post the notice in a clear and prominent location.  Nonetheless, HHS seeks comment on this issue.

  • Can an individual restrict disclosure of certain PHI to a health plan under the proposed modifications?

Yes.  The proposed modifications would require a covered entity, upon request from an individual, to agree to a restriction on the disclosure of PHI to a health plan if: (A) the disclosure is for the purposes of carrying out payment or healthcare operations and is not otherwise required by law; and (B) the PHI pertains solely to a health care item or service for which the individual, or person on behalf of the individual other than the health plan, has paid the covered entity in full. In cases where an individual has exercised his or her right to have such a restriction placed, the covered entity is also prohibited from making such disclosure to a business associate of the health plan.

HHS notes its belief that the HITECH Act provides the individual with the right to determine for which health care items or services the individual wishes to pay out of pocket and restrict, and therefore does not believe a covered entity could require individuals who wish to restrict disclosures about only certain health care items or services to a health plan to restrict disclosures of PHI regarding all health care to the health plan - " i.e., to require an individual to have to pay out of pocket for all services to take advantage of this right regardless of the particular health care item or service about which the individual requested the restriction."

The requirement would not apply where the individual fails to pay in full.  However, HHS expects covered entities to make some attempt to resolve the payment issue with the individual prior to sending the PHI to the health plan, "such as by notifying the individual that his or her payment did not go through and to give the individual an opportunity to submit payment."  HHS seeks comment on the extent to which covered entities must make reasonable efforts to secure payment from the individual prior to submitting PHI to the health plan for payment.

HHS recognizes that this provision may be difficult to implement in some circumstances, providing some examples, and requests comment "on the types of interactions between individuals and covered entities that would make requesting or implementing a restriction more difficult."  

HHS is uncertain how this provision would function for HMOs and seeks comment.  Specifically, HHS is concerned that individuals who belong to an HMO may have to use an out-of-network provider if they wish to ensure that certain PHI is not disclosed to the HMO.

HHS is also concerned about whether covered entities should be required to communicate these restrictions downstream to new providers, and seeks comment thereon, providing another real life example.

Even if such restrictions are in place, a covered entity may make disclosures "required by law," as defined in the Rule.  HHS seeks comment on examples of the types of disclosures that may fall under this provision.

HHS also seeks comments on how termination of a restriction would impact a covered entity's ability to share PHI regarding prior treatment.

  • Do the proposed modifications provide guidance on the "minimum necessary" standard?

No. However, HHS takes the opportunity to "solicit public comment on what aspects of the minimum necessary standard covered entities and business associates believe would be most helpful to have the Department address in the guidance" required by the HITECH Act "and the types of questions entities may have about how to appropriately determine the minimum necessary for purposes of complying with the Privacy Rule."

  • Would the proposed modifications to the Privacy Rule have any impact on marketing conducted by covered entities and their business associates?

Yes.  The proposed modifications implement and attempt to clarify a number of changes effected by the HITECH Act that limit permissible marketing communications without written authorization. Specifically, the proposed modifications would change the definition of "marketing" under the Rule as follows:

(1) revise the exceptions to marketing to better distinguish the exceptions for treatment communications from those communications made for health care operations;

(2) add a definition of “financial remuneration” [to mean direct or indirect payment from or on behalf of a third party whose product or service is being described, and to exclude any direct or indirect payment for the treatment of an individual];

(3) provide that health care operations communications for which financial remuneration is received are marketing and require individual authorization;

(4) provide that written treatment communications for which financial remuneration is received are subject to certain notice and opt out conditions [set forth in the notice of privacy practices and in the treatment communication itself] . . . ;

(5) provide a limited exception from the remuneration prohibition for refill reminders; and

(6) remove the paragraph regarding an arrangement between a covered entity and another entity in which the covered entity receives remuneration in exchange for protected health information [because this is now a prohibited "sale" of PHI under the HITECH Act].

HHS appears to acknowledge that the distinctions mentioned in (1) above will not always be clear.  The NPRM states that, "[w]ith respect to subsidized communications by a health care provider about health-related products or services for case management or care coordination or to recommend alternative treatments or settings of care, whether the communication would require individual authorization, or a statement in the notice and an opportunity to opt out, would depend on to what extent the provider is making the communication in a population-based fashion (health care operations) or to further the treatment of a particular individual based on that individual’s health care status or condition (treatment)."  Acknowledging that some cases will involve close judgment calls, HHS solicits comments on its proposal "as well as the alternatives of excluding treatment communications altogether even if they involve financial remuneration from a third party or requiring individual authorization for both treatment and health care operations communications made in exchange for financial remuneration."  HHS is clear that face-to-face communications about products or services between a covered entity and an individual and promotional gifts of nominal value provided by a covered entity are not impacted by the proposed modifications and do not require authorization.  HHS also clarifies that communications promoting health in general are still not marketing because they are not promoting a specific product or service; communications regarding government and government-sponsored programs also do not constitute marketing.

With respect to "financial remuneration," (2) above, the proposed modifications would make clear that it must be in exchange for making the communication itself and be from or on behalf of the entity whose product or service is being described.

With respect to (4) above, HHS explicitly seeks comment on (a) how the opt out should apply to future subsidized treatment communications (e.g., should it prevent all future subsidized treatment communications or just those dealing with the particular product or service described in the current communication); and (b) the workability of requiring health care providers that intend to send subsidized treatment communications to individuals to provide an individual with the opportunity to opt out of receiving such communications prior to the individual receiving the first communication, and what mechanisms could be put into place to implement the requirement.

As to (5) above, the proposed modifications would also include the exception to marketing for communications regarding refill reminders or otherwise about a drug or biologic that is currently being prescribed for the individual, provided any financial remuneration received by the covered entity for making the communication is "reasonably related" to the covered entity’s cost of making the communication.  HHS expressly solicits comment with respect to this exception on (a)  scope, "that is, whether communications about drugs that are related to the drug currently being prescribed, such as communications regarding generic alternatives or new formulations of the drug, should fall within the exception," and (b) on the types and amount of costs that should be allowed.

  •  Do the proposed modifications address sale of PHI?

Yes, the proposed modifications would implement the new restrictions of the HITECH Act with respect to sales of PHI.  Among other things, the Rules would require covered entities and business associates to obtain an authorization for any disclosure of PHI in exchange for direct or indirect remuneration. The authorization must state that the disclosure will result in remuneration to the covered entity (and/or business associate).  Not surprisingly, the recipient covered entity or business associate could not redisclose that PHI in exchange for remuneration unless it also obtains a valid authorization.

The exceptions to this Rule would generally track the statutory language of the HITECH Act.  However, HHS has proposed a few exceptions not found in the HITECH Act.  HHS proposes an exception for disclosures made for payment for health care to make clear that it does not consider the exchange of PHI to obtain “payment” to be a sale of PHI.  HHS also proposed an exception for disclosures of PHI where required by law, even if the covered entity receives remuneration for the disclosure.  Finally, HHS proposed an exception for disclosure of PHI for any other purpose permitted by and in accordance with the applicable requirements of subpart E, as long as the only remuneration received by the covered entity is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purpose or is a fee otherwise expressly permitted by other law.

  • Do the proposed modifications have any impact on research uses and disclosures of PHI?

Yes.  The proposed modifications would allow a covered entity to combine conditioned and unconditioned authorizations for research, provided that the authorization clearly differentiates between the conditioned and unconditioned research components and clearly allows the individual the option to opt in to the unconditioned research activities.  HHS seeks comment regarding methods that would "clearly differentiate."

In addition, although it is not currently proposing changes, HHS is considering whether to modify its interpretation that an authorization for the use or disclosure of PHI for research be research-study specific. HHS is looking at the following options, and seeks comments thereon at this time (and on how a revocation would operate with respect to future research studies):

(1) the Privacy Rule should permit an authorization for uses and disclosures of protected health information for future research purposes to the extent such purposes are adequately described in the authorization such that it would be reasonable for the individual to expect that his or her protected health information could be used or disclosed for such future research;

(2) the Privacy Rule should permit an authorization for future research only to the extent the description of the future research included certain elements or statements specified by the Privacy Rule, and if so, what should those be; and

(3) the Privacy Rule should permit option (1) as a general rule but require certain disclosure statements on the authorization in cases where the future research may encompass certain types of sensitive research activities, such as research involving genetic analyses or mental health research, that may alter an individual’s willingness to participate in the research.

  • Would the proposed modifications change the current restrictions on use and disclosure for fundraising purposes?

Yes, to some extent.  Consistent with the requirements of the HITECH Act, the proposed modifications would "strengthen the opt out by requiring that a covered entity provide, with each fundraising communication sent to an individual under these provisions, a clear and conspicuous opportunity for the individual to elect not to receive further fundraising communications" and by requiring that "the method for an individual to elect not to receive further fundraising communications may not cause the individual to incur an undue burden or more than nominal cost."  HHS explicitly states (as it does elsewhere in the NPRM) that requiring an individual to write and send a letter would constitute an undue burden.  HHS encourages a toll-free number, an e-mail address, or similar opt out mechanisms.  HHS seeks comments as to whether the Rule should allow a similarly simple method for an individual to opt back in.

Because such an opt out constitutes a revocation of authorization under the HITECH Act, the proposed modifications would also prohibit a covered entity from conditioning treatment or payment for care on an individual’s choice of whether to receive fundraising communications.

HHS also proposes to prohibit a covered entity from sending fundraising communications to an individual who has elected not to receive such communications (this would be a change from the current requirement to make "reasonable efforts").

HHS seeks comment as to which fundraising communications the opt out should apply (e.g., all future, or just the campaign at issue).

The current Rule limits disclosures for fundraising purposes to demographic information and dates of health care provided.  In light of feedback received by HHS over many years, HHS seeks comment on "whether and how the current restriction on what information may be used and disclosed should be modified to allow covered entities to more effectively target fundraising and avoid inappropriate solicitations to individuals, as well as to reduce the need to send solicitations to all patients."  Specifically, HHS seeks comments on "(1) whether the Privacy Rule should allow additional categories of protected health information to be used or disclosed for fundraising, such as department of service or similar information, and if so, what those categories should be; (2) the adequacy of the minimum necessary standard to appropriately limit the amount of protected health information that may be used or disclosed for fundraising purposes; or (3) whether the current limitation should remain unchanged."  HHS also solicits comment on "whether, if additional information is permitted to be used or disclosed for fundraising absent an authorization, covered entities should be required to provide individuals with an opportunity to opt out of receiving any fundraising communications before making the first fundraising solicitation, in addition to the opportunity to opt out with every subsequent communication," and invites comment on workability and what mechanisms could be put in place to implement such a requirement.

  • Would access rights be changed?

Yes.  HHS proposes to strengthen the right of access provided under the HITECH Act "more uniformly to all protected health information maintained in one or more designated record sets electronically, regardless of whether the designated record set is an electronic health record."  Specifically, if the PHI requested is maintained electronically in one or more designated record sets, the covered entity must provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual.  Covered entities "should ensure that reasonable safeguards are in place to protect the information" in providing the individual with an electronic copy of PHI through a web-based portal, e-mail, on portable electronic media, or other means.

In addition, the modifications would require that a covered entity transmit a copy of PHI directly to another person designated by the individual, if the individual so requests in a signed writing and the choice is "clear, conspicuous, and specific."  The covered entity must have reasonable policies and procedures in place to verify the identity of the requesting individual and to safeguard the information.

The modifications would make some additional changes with respect to the charges that a covered entity can pass along to an individual requesting information, but would not change the existing timeframe for doing so.  HHS seeks comment on these issues.

  • Under the modifications, can the signed writing from the individual requesting that the PHI be disclosed to another person be electronically signed?

This one is for my friends who study electronic and digital signatures.  Yes, an electronic signature would be permissible to the extent it is valid under applicable law.

  • How would the proposed modifications affect PHI of decedents?

There are two primary proposed changes.

The proposed modifications would permit covered entities to disclose a decedent’s information to family members and others who were involved in the care or payment for care of the decedent prior to death (in addition to the decedent's personal representative), unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.

As discussed in Part One, HHS has proposed to modify the definition of PHI to include individually identifiable health information of a person who has been deceased for 50 or fewer years.  In addition, the proposed modifications would require a covered entity to comply with the Privacy Rule with regard to the PHI of a deceased individual for a period of 50 years following the date of death.  The 50-year period (which would take us back to individuals deceased since 1960) is new.

  • So why 50 years?

HHS explains the timeframe as appropriate "because by approximately covering the span of two generations we believe it will both protect the privacy interests of most, if not all, living relatives, or other affected individuals, and it reflects the difficulty of obtaining authorizations from personal representatives as time passes."  HHS seeks comment on the appropriateness of this time period. 

Query whether this time period is sufficiently limited and whether HHS should be concerned with the privacy of individuals deceased decades before HIPAA became law in the first instance, and before the widespread use of personal computers and the Internet.  It is also worth considering that many records containing PHI of decedents going back to 1960 have made their way into the hands of non-covered entities and non-business associates (e.g., libraries, museums, publishers, schools).  While covered entities and business associates are still required to comply with the Privacy Rule and its restrictions on use and disclosure, these third party organizations are not.

  • I have heard that the proposed Rules would eliminate the need for parents to provide written consent for disclosure of children's immunization records to schools - is that true?

Yes.  The proposed modifications would permit covered entities to disclose proof of immunization to schools in States that have school entry or similar laws. The covered entity would still be required to obtain agreement, which may be oral, from a parent, guardian or other person acting in loco parentis for the individual, or from the individual him- or herself, if the individual is an adult or emancipated minor. HHS seeks comment on whether the Privacy Rule should require that a provider document any oral agreement or whether a requirement for written documentation would be overly cumbersome, and whether the Rule should mandate that these disclosures go to a particular school official (and, if so, which official).

Interestingly, HHS also seeks comment on the appropriate scope of the term "school" and on whether "school" should be defined.  HHS also solicits comments on whether schools not subject to entry or similar laws should be included within this regulation regarding public health disclosures.

HHS notes that, once the school obtains the records, they are protected by the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g; 34 CFR Part 99, not HIPAA, and encourages readers to consult the Joint HHS/ED Guidance on the Application of FERPA and HIPAA to Student Health Records.