More HIPAA, Anyone?
Health Law Update 07/14/10 Sarah E. Coyne
We know that you have been waiting for the next installment of HIPAA even more than the next Harry Potter movie. Your wait is coming to an end; a display copy of the proposed rules was issued July 8, 2010, and the rules were published in the Federal Register on July 14, 2010. Do not get too excited just yet. The rules are not yet final, and there is a 60-day comment period. The rules implement the parameters of the Health Information Technology for Economic and Clinical Health Act ("HITECH") which - as our faithful readers know well - made sweeping changes to the HIPAA privacy and security rules. The rules provide a description of the statutory and regulatory background and a section-by-section description of the proposed HIPAA modifications. Anyone wishing to comment to the Department of Health and Human Services must do so by September 13, 2010 at the latest.
Some of the most fascinating aspects of the rule are detailed here (subsequent updates will include more detail):
- Providing clarification of HITECH's effect on business associates (i.e., that they are directly liable for HIPAA violations and have affirmative compliance obligations).
- Providing clarification of which entities are business associates, including Patient Safety Organizations, Health Information Organizations, E-Prescribing Gateways, other persons that provide data transmission services to covered entities with respect to protected health information (where there is routine access), personal health record vendors and certain subcontractors.
- Note: The subcontractor point is a big deal. Currently, all business associates have obligations to get reasonable assurances from subcontractors that they will comply with HIPAA, but these regulations would actually render the subcontractors business associates (and thus directly liable) even in the absence of a contract between the business associate and the subcontractor. This is true even though the word "subcontractor" has the word "contract" in it. Go figure.
- Redefining "protected health information" to exclude the information of individuals who have been dead for more than 50 years (Thank goodness).
- Clarifying the meaning of "willful neglect," which is the "Big Bad" penalty category and requiring the government to investigate any and all complaints where a preliminary review of the facts indicates a possible violation due to willful neglect.
- Providing some examples of willful neglect, including throwing computer hard drives containing PHI in an unsecured dumpster and not having any policies to prevent this from happening, or declining to provide required breach notification due to worries about reputation or bad press. Our advice: Don't do these things. Have policies.
- Defining "reasonable cause," which excuses certain conduct that would otherwise constitute a violation; you have reasonable cause if, despite the exercise of ordinary business care and prudence, it would be unreasonable to comply with HIPAA. Hmmm... seems kind of circular to us. You're reasonable if you're not unreasonable? Thankfully there is an example where a covered entity did not respond to a patient's request for access but had the right policies, was swamped with access requests, and then got itself on the right track.
- There are quite a few changes required to the Notice of Privacy Practices, which must: (1) include a statement that describes certain (specified) uses and disclosures of protected health information requiring an authorization; (2) provide that other uses and disclosures not described in the NPP will be made only with the individual's authorization; (3) include notice that most uses and disclosures of psychotherapy notes and for marketing purposes require an authorization; (4) if applicable, include a statement that the covered entity is receiving financial remuneration for communications it sends regarding treatment alternatives or health care-related products or services, and that the individual has the right to opt-out of receiving such communications; and (5) clarify that covered entities may not refuse a requested restriction relating to disclosures to a health plan where the patient (or someone on the patient's behalf) has paid for the service out-of-pocket.
- Providing that when patients or other individuals ask for their records in electronic form, those covered entities and business associates that maintain PHI electronically in designated record sets must provide the records in the requested format "if readily producible," and if not, then in a readable electronic format as agreed to with the individual.
- Removing the prohibition on combining an authorization for research in which research-related treatment is conditioned on an executed authorization (e.g., a typical clinical trial) with any other written permission for related research activities in which research-related treatment is not conditioned on signing the authorization (e.g., as part of the clinical trial, tissue identified with PHI will be deposited with tissue bank). This will simplify the process for clinical trials to allow one single authorization to cover both the clinical trial and any related collection of specimens identified with PHI for banking with a central repository. The authorization form will streamline the process for both covered entities and study subjects. There are certain requirements for the authorization form.
- Proposing to reconsider whether the interpretation of the original HIPAA regulations requiring research authorizations to be study-specific should stand, or whether an authorization could contemplate future research purposes to some extent.
- Clarifying that authorization is required for disclosure of protected health information in exchange for money.
- Exempting disclosures of immunization records to schools from the requirement of authorization where there are state laws requiring proof of immunization. Once the records are obtained by the school, they are protected by FERPA and not HIPAA.
- Strengthening the fundraising opt-out by requiring a "clear and conspicuous" opportunity for the individual not to receive further fundraising communications. Our advice: This means that using 2 point font and providing the opt-out in hieroglyphics will no longer be acceptable.
We hope you are not too excited to sleep tonight after reading these proposed modifications! We will provide more detail on some of the key issues above. Some of these modifications would require some investment by covered entities and business associates, including significant revisions to the Notice of Privacy Practices and to business associate contracting. But hey, the upside is if you have been dead for fifty years or more, you don't have to worry about HIPAA at all! (And you might want to take yourself off our mailing list).
Happy HIPAA! More to come!
If you have any HIPAA questions, please feel free to call Sarah Coyne or your Quarles & Brady attorney.