Wednesday, January 23, 2013
HHS has issued a prepublication copy of modifications to the HIPAA rule required by the HITECH Act and GINA, together with some additional modifications to HIPAA to enhance its workability and effectiveness. The official copy of the four final rules will be published on January 25th. In issuing the rules, HHS states that it is unable to give a complete cost/benefit analysis, because of the impossibility of monetizing individuals’ privacy and dignity. The final rules’ effective date is March 26, 2013, and full compliance by covered entities and business associates is required 180 days later (by September 23, 2013); HHS also emphasizes that in the future it will impose the 180-day compliance period for new or modified HIPAA standards. This rulemaking does not address either accounting for disclosures or the HITECH Act requirement to develop a methodology to distribute penalties to individuals harmed by HIPAA violations.
Here are some highlights (of more than 500 pages) of the changes:
The first rule contains modifications to the HIPAA rules required by the HITECH Act. Business associates of covered entities are made directly liable for compliance with some HIPAA rules. The use and disclosure of protected health information (PHI) for marketing or fundraising is made more difficult, and the sale of such information is prohibited without individual patient authorization. The final rule also implements individuals’ rights under the HITECH Act to receive electronic copies of their health information, requires modifications of privacy notices, modifies individual authorization requirements for proof of childhood immunizations and for information concerning decedents, and adopts additional HITECH Act enforcement requirements.
Included in this first rule are a number of provisions about the definition of business associate. One is the addition of patient safety activities as a function giving rise to a business associate relationship. Health Information Organizations (including exchanges and RHIOs), e-prescribing gateways, other facilitators of data transmission, and vendors of personal health records also are included as business associates. HHS did not provide a definition for Health Information Organization, noting that the types of entities undertaking this role continue to evolve. HHS also stated that whether a personal health record vendor offers a PHR “on behalf of a covered entity” is a fact-specific inquiry; however, vendors that merely establish electronic means for a covered entity to send information at patients’ requests are not thereby business associates. The final rule also specifies that “subcontractors” of business associates, in the sense of entities to which the business associate delegates functions it performs for covered entities, are themselves business associates—whether or not they have entered into actual subcontractor relationships. “Researchers” are not business associates, even if they hold identifiable health information, unless they perform functions that fall within the definition of business associate, such as creating a de-identified data set.
Privacy advocates may be concerned to learn that HHS decided to retain the provision that PHI does not include information about individuals who have been deceased for more than 50 years.
The second rule implements the tiered civil money penalty structure for HIPAA violations provided by the HITECH Act. This penalty structure has functioned under an interim final rule issued in October 2009. This rule includes clarifications of how HHS will cooperate with the FTC and other federal and state agencies on enforcement. It also modifies the definitions of “reasonable cause” for noncompliance and of “willful neglect,” in order to implement the tiered penalty system. The final rule retains the position in the interim final rule that it is within the Secretary’s discretion to impose the maximum statutory penalty for actions within any of the tiers. The rule also reaffirms methods of calculating the number of violations: each individual, and each day, counts as a separate violation.
The third rule implements the HITECH Act’s breach notification requirements. Most importantly, it replaces the requirement of “harm” with an objective standard, supplanting the interim final rule issued in August 2009.
Fourth, the GINA requirement that health plans may not use or disclose genetic information for underwriting purposes is now incorporated into the HIPAA privacy rule. The NPRM for this rule was published in October 2009. An area of contention following the NPRM was whether the GINA protections should be extended to all plans covered by the Privacy Rule—including, importantly, long-term care plans—or whether the protections should extend only to those plans covered by GINA. The final rule extends coverage to all plans covered by the Privacy Rule except long-term care plans; these plans successfully made the case to HHS that more information was needed about the likely impact of imposing the GINA prohibitions on the long-term care market. HHS plans further study of the issue, perhaps with the National Association of Insurance Commissioners.
Another important provision in the GINA rule is the definition of what it is for a condition to be “manifested”—and thus not covered by the GINA protections. “Manifested” conditions are those that have been or could reasonably have been diagnosed by a health care professional with appropriate training and expertise. Conditions are “manifest” if signs or symptoms are present, even though the condition is diagnosed primarily through a genetic test.