HIPAA Rule Update: Stop, Drop . . . and Comply – Understanding the New Restrictions on the Sale of PHI and the HIPAA Enforcement Rule
Health Law Update 02/01/13 Sarah E. Coyne, Kevin J. Eldridge, Ilana Bamberger Spector
As we indicated in a recent Health Law Update, the U.S. Department of Health and Human Services (HHS) published the final rule implementing the Health Information Technology for Economic and Clinical Health (HITECH) Act (Final Rule) on January 25, 2013. Over the coming days and weeks, we will provide a series of Health Law Updates focusing on specific topics addressed by the Final Rule. In this Update, we will discuss the changes to the Health Insurance Portability and Accountability Act (HIPAA) prohibition on the sale of protected health information (PHI) and the HIPAA Enforcement Rule (Enforcement Rule). Yes, it's true! We hope you're able to contain your excitement as you read this installment.
Sale of PHI:
As we told you when the proposed rules came out, a good guiding principle on the sale of PHI is, "Don't be a criminal." However, there is a little more to it than that - the new regulatory structure means that covered entities and business associates will need to have greater vigilance in ensuring that previously acceptable remuneration is permissible. Covered entities and business associates should review their forms, policies and processes involving any kind of payment for disclosure of PHI.
The provisions governing sale of PHI under the Final Rule contain no surprises from HITECH or the proposed rules: Covered entities and business associates must obtain specific authorization for sale of PHI, with certain exceptions. The Final Rule defines sale of PHI to include "direct or indirect" remuneration in exchange for the disclosure and clarifies that "remuneration" can be financial or non-financial benefit. We will have to see whether this broad definition affects disclosures that would otherwise have been acceptable.
The affirmative requirement for authorization for sale of PHI is now a third circumstance in which HIPAA specifically requires authorization, in addition to psychotherapy notes (which are a mental health professional's notes about a patient that are maintained separately from the record) and marketing disclosures. The bottom line is that a covered entity or business associate may not now receive remuneration for a disclosure of PHI unless an exception is met or the patient signs an authorization containing a specific statement acknowledging that the disclosure will result in remuneration.
The Final Rule includes a catch-all exception for any permissible disclosure if remuneration is limited to the cost of preparation and transmittal. The Final Rule explicitly clarifies that while limited data sets are subject to the rule (unlike completely de-identified data), those data sets may be disclosed in exchange for a reasonable cost-based fee.
Business associates (now broadly defined to include subcontractors) may continue to be reimbursed for preparing and transmitting records on behalf of a covered entity, provided the remuneration is a "reasonable cost-based fee." The exception also applies to remuneration by a business associate to a subcontractor. The business associate may also be reimbursed for disclosures where the only remuneration is for the business associate's or subcontractor's activity, which makes sense because reimbursement for services is not a violation of HIPAA anyway. The Final Rule clarifies that the following exceptions also apply:
- For public health purposes.
- For research purposes where the only remuneration received by the Covered Entity is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI for such purposes (and ongoing research is grandfathered).
- For treatment and payment purposes.
- For the sale, transfer, merger, or consolidation of all or part of the Covered Entity and related due diligence.
- To an individual, when requested under the access and accounting of disclosures provisions of the Privacy Rule.
- For disclosures required by law.
The Enforcement Rule:
Good news! The Office for Civil Rights (OCR) has decided not to enforce HIPAA after all; we are all just encouraged to comply with it voluntarily. Oh, wait - we were dreaming for a moment. Sorry. It turns out, there are lots of new teeth in the Final Rule.
The Final Rule implements HITECH expansion of the Enforcement Rule to (1) allow HHS to impose civil money penalties directly on business associates, (2) increase potential liability of covered entities and business associates for violations caused by their agents, (3) mandate compliance reviews and compliance investigations for certain HIPAA violations, (4) permit HHS to bypass informal resolution and move directly to civil money penalties and (5) clarify the categories of violations under HIPAA and factors used to determine civil money penalties.
As discussed in a previous Health Law Update, HHS previously updated the Enforcement Rule in October 2009 (Interim Final Rule) to implement the significantly increased civil money penalties required by the HITECH Act. Additional changes to the Enforcement Rule were proposed in July 2010 and finalized as part of the Final Rule.
While the Final Rule is not effective until March 2013, and enforcement of the new provisions will not commence until September 2013, it is important to note that HHS is still enforcing the rules currently in effect.
Business Associates and Subcontractors Are on the Hook:
The Final Rule applies directly to business associates and subcontractors in the same manner it applied to covered entities. As a result, HHS will be able to impose civil money penalties on business associates and subcontractors for HIPAA violations.
Liability for the Acts of Agents:
The Final Rule removes liability protections for covered entities when a HIPAA violation is caused by an agent of the covered entity. In the past, a covered entity would not be liable for a HIPAA violation caused by an agent as long as the covered entity had met business associate agreement requirements, did not know the business associate was in violation of the agreement and did not fail to act as required by HIPAA if it was aware of a pattern or practice of violations by the agent.
Under the Final Rule, however, covered entities can be held liable for the acts of business associates who qualify as agents, regardless of whether the covered entity has a compliant business associate agreement in place. Similarly, business associates can be held liable for the acts of their agents (e.g., subcontractors) and subcontractors can be held liable for the acts of their subcontractors (and so on).
"When is a business associate or subcontractor an agent of a covered entity," you ask? Not all business associates and subcontractors are agents of the covered entity, and having a business associate agreement in place does not in itself establish an agency relationship. The factors for determining whether a business associate or subcontractor is an agent of the covered entity are consistent with federal case law.
The primary factor in the analysis is the extent to which the covered entity controls a business associate's conduct (or a business associate controls a subcontractor's conduct). Then, you basically look at everything else: the time, place and purpose of the business associate's (or subcontractor's) conduct; whether the conduct performed by the business associate (or subcontractor) is the type of conduct a business associate (or subcontractor) will commonly engage in to accomplish the service provided to the covered entity (or business associate); and whether the covered entity (or business associate) reasonably expected its business associate (or subcontractor) to engage in the conduct in question. An agency relationship may even exist where a covered entity (or business associate) does not control every aspect of a business associate's (or subcontractor's) activities, where the covered entity (or business associate) is not exercising control but has the authority to, or where the two are geographically distant from each other (e.g., located in different countries).
Clear as mud, right?
Compliance Reviews and Investigations:
Historically, HHS has had the discretion to investigate complaints and to conduct compliance reviews. Under the Final Rule, HHS will be required to conduct a complaint investigation or compliance review where facts indicate a possible violation due to willful neglect, although when willful neglect is not indicated, HHS still retains discretion to decide whether to conduct a compliance review or complaint investigation.
The previous HIPAA rule also required HHS to first attempt to resolve noncompliance by informal means, i.e., agreed-upon resolutions with covered entities. The Final Rule now provides HHS the discretion to do so. Thus, HHS may move directly to civil money penalties without trying informal resolution efforts first, especially in those cases involving alleged willful neglect violations.
Civil Money Penalties:
The Final Rule retains the revised civil money penalty structure that was implemented in the Interim Final Rule, which provided for increasing penalties for increasing levels of culpability (did not know, reasonable cause, willful neglect - corrected, and willful neglect - not corrected). For a refresher on the penalties and levels of culpability, see the handy-dandy chart in our update on the Interim Final Rule on "improved enforcement" under HITECH.
Note, however, the Final Rule revised the state of mind requirement for the reasonable cause tier (the second tier from the top on the chart). "Reasonable cause" (as it did in the past) covers violations caused by circumstances which made it unreasonable for the covered entity to comply with the HIPAA provision violated but now includes (this is new) other circumstances where a covered entity or business associate has knowledge of a violation but lacks the conscious intent or reckless indifference associated with the willful neglect category of violations.
The Final Rule also lists the factors that HHS considers in determining the amount of a civil money penalty for a HIPAA violation. These factors include the nature of the violation, the nature and extent of the harm resulting from the violation, the entity's history of prior compliance with HIPAA and the financial condition of the covered entity or business associate.
The key takeaways from the Final Rule are that HHS is currently enforcing and will continue to enforce violations of HIPAA. The government is affirmatively auditing noncompliance and has ramped up the penalties - HITECH and the Final Rule have been a wake-up call in this regard. As with any new rulemaking, a review of policies and procedures, and updating of documents is in order. Moreover, all regulated entities, now including business associates, should vigilantly monitor their workforce and have good detection systems for noncompliance. Quarles & Brady will continue to issue focused client alerts and is developing a toolkit of compliant forms, policies and procedures to facilitate HIPAA compliance.
Previous HITECH Updates:
- HIPAA Rule Update: Extended Compliance Time for "Grandfathered" Agreements
- It's Finally Here! HHS Releases the Final Rule to Modify the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules
If you have any questions, please contact Sarah Coyne at (608) 283-2435 / [email protected], Kevin Eldridge at (608) 283-2452 / [email protected], Ilana Bamberger Spector at (312) 715-5231 / [email protected] or your Quarles & Brady attorney.