On January 17, 2013, the U.S. Department of Health & Human Services (HHS) released the long-awaited final rule laying out the privacy and security requirements for entities covered under HIPAA. The new final rule is a highly detailed document that runs 563 pages in its prepublication format, or about 138 pages as printed in the Federal Register. It updates and clarifies the obligations that were enacted in February 2009 by the HITECH Act, expounded upon in August and October 2009 by interim final rules published by HHS, and then subsequently expanded in July 2010 by a notice of proposed rulemaking.
Consistent with the goals HHS has communicated in the past, the new rule has a decidedly consumer-based focus. The new requirements are intended to give the public greater protection and control over protected health information (PHI) by expanding the responsibilities of providers, health plans, and other entities that handle and process health information and insurance claims. Particularly noteworthy is the extension of HIPAA requirements to business associates, including their contractors and subcontractors. Continuing the consumer protection theme, the penalties for noncompliance have increased, with a new maximum of $1.5 million per calendar year for all violations of an identical provision.
Observers appear to agree that the new final HIPAA Privacy and Security Rule represents the most sweeping changes to HIPAA since the law was first implemented. Moreover, the rule indicates a new orientation on the part of the federal government toward active enforcement. In an official statement, for example, HHS Office for Civil Rights Director Leon Rodriguez noted, “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”(1) With these new rules now promulgated — along with the new HIPAA audit program emerging from pilot phase and now underway — the stakes for covered entities clearly have been raised.
What’s New in the Final Rule?
Below is a summary of the most important changes made in the final rule, along with some of the main implications for covered entities. Note that the final rule offers no further significant clarification on encryption, accounting of disclosures or the use of multi-factor authentication, three topics that are often discussed alongside the main areas of HIPAA focus.
1. Expansion of Responsibilities to Business Associates
Business associates are partners and vendors (such as third-party administrators, e-prescribing gateways, billing companies and technology vendors) that perform work on behalf of a covered entity and that handle or store PHI in doing so. Under the new final rule, business associates of covered entities are directly liable for compliance with the applicable HIPAA requirements and must enter into written contracts called business associate agreements,(2) and they are therefore exposed to the same civil money penalties for noncompliance. Covered entities are not required to have direct written agreements with the subcontractors their business associates use, but business associates are required to enter into written agreements with those subcontractors that provide “satisfactory assurances” that the HIPAA rules will be followed. Finally, companies that serve merely as conduits for PHI, such as an internet service provider or a courier service, are not considered business associates. Prior to these changes, it was not clear that the privacy and security obligations added by the HITECH Act extended this far, or that the federal government had the authority to penalize business associates and subcontractors directly.
2. Use of PHI for Marketing
The new final rule tightens the limits on the use and disclosure of PHI for marketing. A covered entity must now obtain the individual’s authorization before sending a communication about a third party’s product or service if it receives financial remuneration from that third party for making the communication. Communications for which the covered entity receives no such payment, such as treatment communications (e.g., about case management, care coordination, therapies, alternative treatments or providers), remain allowable without authorization. Likewise, prescription refill reminders are allowable even when paid for, provided the remuneration the covered entity receives is reasonably related to its cost of making the communication.
3. Sale of PHI
The new final rule prohibits the sale of PHI without individual authorization. Covered entities must obtain authorization for any sale of PHI unless the disclosure falls within an exception, such as disclosures for public health purposes, for treatment and payment, or to a business associate for activities it performs on the covered entity’s behalf.(3) The authorization must be worded clearly so that individuals can make an informed decision, and it must state that the covered entity will receive remuneration for the disclosure.
4. Patient Requests for PHI
The new final rule strengthens the right of individuals to obtain electronic copies of their health information. A covered entity that maintains PHI electronically must provide it in the electronic form and format the individual requests, if it is readily producible in that form and format, and may charge no more than a reasonable, cost-based fee covering the labor and supplies required to do so.
5. Patient Requests for Restrictions on Disclosures
Under the new final rule, an individual may request that a covered entity not disclose to the individual’s health plan information about a health care item or service for which the provider has been paid out of pocket in full, and the covered entity must agree to the request. Prior to this rule, covered entities were not required to agree to such a request.(4)
6. Use of PHI for Research
Under the new final rule, the process of obtaining individual authorization for the use of PHI in research has been simplified and streamlined. A covered entity can ask an individual to authorize the sharing of PHI for a particular research study and, in the same authorization, for related future research purposes that the authorization adequately describes, such as the creation of a database that stores the information and allows it to be queried.(5) Previously, authorizations had to be study-specific, so researchers were obliged to ask for permission for each distinct use of PHI, which the industry argued added unnecessary complexity and confusion to the consent process.
7. Breach Notification
In the new final rule, HHS has shifted the burden of proof to covered entities regarding breaches. Any unauthorized acquisition, access, use or disclosure of PHI is now presumed to be a breach unless the organization can demonstrate, through a risk assessment, that there is a low probability that the PHI has been compromised. This differs from the previous interim rule, under which an organization needed to give notice only if the incident posed a significant risk of financial, reputational or other harm to the individual. In other words, the “threshold of harm” has been lowered, which means that incidents that might not have been considered serious risks in the past will now need to be reported to the affected individuals and to the Office for Civil Rights.(6) While the new threshold is stricter, it is also intended to be more objective and thus easier to interpret and apply consistently across the industry. Note also that under the final rule, a business associate that experiences a breach of unsecured PHI must notify its covered entity “without unreasonable delay and in no case later than 60 days following the discovery of a breach.”(7)
8. Enhanced Enforcement
The new final rule solidifies and enhances the provisions governing compliance reviews and investigations, the imposition of civil money penalties, and the procedures for hearings. Under the new rule, the maximum penalty for noncompliance has also been increased, with a new ceiling of $1.5 million per calendar year for all violations of an identical provision. The rule requires the HHS Secretary to conduct a compliance review whenever a preliminary review of a complaint indicates a possible violation by an organization (covered entity or business associate) due to willful neglect.(8) Additionally, HHS has leeway in setting the amount of a penalty and can base its decision on factors including the organization’s history of prior compliance (including past complaints), the nature and extent of the harm, and the financial condition of the violating entity.
9. Use of Genetic Information
The new final rule provides enhanced privacy protections for genetic information, as required by the Genetic Information Nondiscrimination Act of 2008 (GINA). In line with GINA, the final rule clarifies that genetic information is health information for purposes of HIPAA, and it prohibits health plans (other than issuers of long-term care policies) from using or disclosing genetic information for underwriting purposes. Health plans that perform underwriting must also state this prohibition in their Notice of Privacy Practices.
10. Notice of Privacy Practices
Under the new final rule, covered entities must revise and redistribute their Notices of Privacy Practices (NPPs) to describe the new privacy protections discussed above. Specifically, the revised NPPs must describe: 1) the uses and disclosures that now require authorization, including the sale of PHI and most paid marketing communications; 2) the covered entity’s obligation to notify affected individuals following a breach of unsecured PHI; 3) the individual’s right to opt out of fundraising communications, where the covered entity intends to contact individuals for fundraising; and 4) the individual’s right to restrict disclosures to a health plan of information about items or services paid for out of pocket in full. Health care providers are required to revise their NPPs, make them available at the delivery site, and post them there in a clear and prominent location.
When Will the New Rules Go into Effect?
The new final rule goes into effect on March 26, 2013. The compliance date for the vast majority of the new requirements, however, falls 180 days later, on September 23, 2013, for both covered entities and business associates. HHS is allowing this 180-day period so that covered entities and business associates have time to address the new or modified standards. Until then, organizations must continue to comply with the interim final rules as published.
Responding to concerns that some covered entities, business associates and subcontractors would not have sufficient time to change their practices, HHS reiterated its view that a short lag is in the best interest of patients. For agreements between covered entities and business associates, and between business associates and subcontractors, HHS has provided a one-year extended transition period where the parties had an agreement in place on or before January 25, 2013 that complied with the law then applicable.(9) Such an agreement may remain in place for the extended transition period as long as it is not renewed or modified in the meantime.
What can organizations do?
Now that the final details have been set and enforcement is tightening, organizations can no longer afford to treat privacy and security as back-burner concerns. Organizations have an abundance of reasons to invest in the processes, procedures and technologies they use to protect health information. Whether to comply with HIPAA, satisfy onsite HIPAA auditors, attest to the meaningful use risk assessment requirement, or meet other potentially applicable state and federal laws, healthcare organizations need a comprehensive, serious approach to privacy and security. Above all, it is the right thing to do for patients.
In this brief update, we will not present a new list of recommendations. Rather, we point readers to the discussions, tips and recommendations in CSC’s other recent papers on privacy and security in healthcare, all of which remain highly relevant. Those papers are:
- Enterprise Security in Healthcare: From Cybercompliance to Cyberconfidence (November 2012)
- Doing It Right: Getting a Jump on Privacy and Security (July 2012)
- Achieving Comprehensive Health IT Privacy and Security (August 2011)
- Update on Patient Health Information: Privacy, Security and Enforcement (September 2010)
Although there are many new rules to comply with, much of what is contained in the final omnibus rule was fortunately foreshadowed during the rulemaking process and in the interim rules. Many of the actions organizations need to take, such as reviewing business associate agreements and fine-tuning breach notification procedures, should already be well underway and part of an organization’s overall privacy and security strategy.
About the author
Jared Rhoads is a senior research specialist with CSC’s Global Institute for Emerging Healthcare Practices, the research arm of CSC’s Healthcare Group. This whitepaper originally appeared on the CSC website and is reprinted with permission.
For full details on specific changes, it is recommended that readers refer to the full text of the HIPAA Privacy and Security Final Rule, available in the single-column prepublication format, or the multi-column Federal Register format.
- (1) “New rule protects patient privacy, secures health information,” HHS Press Release, January 17, 2013.
- (2) “HHS Releases HIPAA/HITECH Omnibus Final Rule,” Morgan Lewis & Bockius, LLP, January 18, 2013.
- (3) “Quick parse: 4 parts to HIPAA final rule on Privacy and Security,” Government Health IT, January 17, 2013.
- (4) “HITECH Final Rule Results in Significant Changes to HIPAA Provisions,” Faegre Baker Daniels, January 30, 2013.
- (5) “Update on Patient Health Information: Privacy, Security, and Enforcement,” CSC, August 2010.
- (6) “HIPAA Final Rule Sheds Light On Some Uncertainties, But Judgment Calls Will Persist,” Government Health IT, January 22, 2013.
- (7) “Long-expected omnibus HIPAA rule implements significant privacy and security regulations for entities and business associates,” Mayer Brown LLP, February 11, 2013.
- (8) “HITECH Final Rule Results in Significant Changes to HIPAA Provisions,” Faegre Baker Daniels, January 30, 2013.