On January 17, 2013, the U.S. Department of Health and Human Services (HHS) released final regulations (Final Rule) modifying the existing privacy and security rules relating to protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). The Final Rule, effective March 26, 2013, requires compliance by "Covered Entities" and "Business Associates" no later than September 23, 2013.
Employer Relationship to "Covered Entities" and "Business Associates"
As we have discussed in prior Alerts, HIPAA requires all health plans, health care providers, and health care clearinghouses ("Covered Entities") to adopt privacy procedures to protect PHI, defined as individually identified health information maintained or transmitted in electronic media or other form. The Final Rule adds genetic information to HIPAA's definition of health information and therefore clarifies that genetic information is PHI. HIPAA privacy rules provide that PHI may not be used or disclosed unless authorized by the individual or by HHS regulations. HIPAA also requires that Covered Entities maintaining or transmitting health information electronically adopt security standards to ensure the integrity and confidentiality of PHI.
While HIPAA does not include employers within the definition of "Covered Entities," employers with self-insured group health plans must ascertain that their plans have adopted privacy and security compliance procedures, appropriate HIPAA notices, and compliant business associate agreements. Employers with insured plans providing flexible spending arrangements, medical reimbursement programs, and wellness programs should also review the plans' compliance with the Final Rule.
HIPAA defines a "Business Associate" as any person who performs or assists a Covered Entity in the performance of a function or an activity involving the use or disclosure of PHI. Covered Entities are required to enter into agreements with Business Associates designed to ensure that the Business Associates protect any PHI which may come into their possession or to their attention.
The Final Rule establishes that Covered Entities and Business Associates can be held liable both for their own non-compliant actions and for the actions of their agents. The Final Rule now incorporates the tiered civil money penalty structure set forth in the HITECH Act, calibrating fines for noncompliance according to three levels of culpability: "reasonable cause," "reasonable diligence" or "willful neglect." Violations can result in civil money penalties of up to $50,000 per incident, totaling up to $1.5 million per year, and criminal penalties of up to 10 years' imprisonment.
Four Principal Changes In The Final Rule
Business Associate Agreements
The Final Rule expands the definition of "Business Associate." Newly included within the definition are "Health Information Organizations" (undefined in the Final Rule), E-prescribing Gateways, or other persons that provide data transmission services for PHI to a Covered Entity and that require routine access to such PHI. Also newly included are persons who offer a personal health record to one or more individuals on behalf of a Covered Entity.
HHS will issue future guidance on its Web site on "the types of entities that do and do not fall within the definition of business associate."
Additionally, the Final Rule clarifies that subcontractors of a Business Associate (defined as those who act on behalf of a Business Associate but who are not members of its workforce) will themselves be considered Business Associates to the extent that they have access to PHI. As such, they too must comply with the HIPAA privacy and security requirements. The Business Associate, however, and not the Covered Entity, will have the obligation to enter into a Business Associate Agreement or some other arrangement to ensure that the subcontractor appropriately safeguards PHI.
The Final Rule also holds Business Associates directly liable under the HIPAA Rules for:
- Uses and disclosures of PHI not permitted under HIPAA;
- A failure to provide breach notification to the Covered Entity;
- A failure to provide access to a copy of electronic PHI to the Covered Entity, the individual, or the individual's designee (as specified in the Business Associate agreement);
- A failure to disclose PHI to HHS to investigate or determine the Business Associate's compliance with the HIPAA Rules;
- A failure to provide an accounting of disclosures; and
- A failure to comply with the HIPAA Security Rule.
On January 25, 2013, HHS published a sample business associate contract. It can be found at the following site: www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.
Security Breach Notification Rule
Under the Final Rule, an acquisition, access, use or disclosure of unsecured PHI in a manner not permitted under the Privacy Rules is presumed to be a breach unless a Covered Entity or Business Associate demonstrates a "low probability" that the PHI has been compromised.
The "low probability" determination is derived through an assessment of the nature and extent of the PHI involved; the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated. If an evaluation of the factors fails to demonstrate there is a low probability the PHI has been compromised, a breach notification is required.
The Final Rule's "low probability" standard markedly departs from the "risk of significant harm" announced in HHS's interim final rule, under which security breach notification was required only upon determination that there had been a significant risk that individuals could suffer financial, reputational or other harm from the disclosure of PHI.
Access to PHI
The Final Rule expands individuals' rights to receive copies of their PHI. The rule now requires Covered Entities to provide access, within 30 days, to PHI in the form and format requested by the individual, if it is readily available in that format, and if not, then in a readable hard copy format. If, however, the requested PHI is available in electronic form and the individual requests an electronic copy, the Covered Entity must provide the data to the individual electronically.
The Final Rule also allows family members who were involved with a decedent's care to receive access to the decedent's PHI.
Authorizations Required for Marketing and Sale of PHI
The Final Rule now requires individual authorization for communications when a Covered Entity is expected to receive financial remuneration from a third party in exchange for marketing the third party's product or service. However, promotions of health in general and the promotion of government-sponsored programs are permitted without authorization.
The Final Rule also generally prohibits a Covered Entity or Business Associate from receiving direct or indirect remuneration in exchange for the disclosure of PHI, unless the Covered Entity or Business Associate has obtained an authorization from the individual.
Employer Action After Final Rule
HHS will continue to conduct random audits and investigate breach reports and complaints under HIPAA and HITECH. The Final Rule allows HHS to impose a civil money penalty without exhausting informal resolution options, although this approach is likely to be limited to cases of willful neglect.
In light of the new penalties, expansions and enforcement contemplated under the Final Rule, employer group health plan sponsors should review their HIPAA and HITECH compliance to identify issues, fill gaps, and correct problems, including but not limited to:
- Reviewing all Business Associate agreements for compliance;
- Reviewing any other relationships with contractors and subcontractors that relate to PHI that might now require a Business Associate agreement;
- Reviewing and amending internal policies and procedures and privacy notices as needed; and
- Retraining personnel with regard to new requirements under the Final Rule.