Inside Privacy Updates on Developments in Global Privacy & Data Security from Covington & Burling LLP

HITECH UPDATE #11: New Restrictions on “Sale” of Personal Health Information

Posted in Health Privacy

This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final rule implements Section 13405(d) of the HITECH Act, which generally prohibits a covered entity or a business associate from engaging in a “sale” of an individual’s PHI without authorization.

Definition of Sale of PHI.  In response to requests from commenters, HHS amended its proposed rule to provide a definition of “sale of PHI.”  Section 164.502(a)(5)(ii)(B)(1) defines “sale of PHI” to mean a disclosure of PHI when the covered entity or business associate “directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI.”  HHS expressly refused to limit this definition to instances where there is a transfer of ownership of PHI.  Furthermore, HHS included a broad interpretation of “remuneration.”  In contrast to the marketing provision where remuneration must be financial, HHS will consider nonfinancial benefits received in exchange for PHI as falling within the scope of the rule.

However, payments a covered entity may receive in the form of grants, contracts, or other arrangements to perform programs or activities using PHI (i.e., a research study) will not be considered sale of PHI because “any provision of PHI to the payer is a byproduct of the service being provided.”  Rather, a sale of PHI occurs when the covered entity or business associate is being compensated “primarily” for supplying PHI.

Exceptions.  The final rule includes several exceptions under which covered entities and business associates may conduct a “sale of PHI” and receive financial or non-financial remuneration in exchange for providing PHI, without having to obtain authorization:

  • For public health purposes as enumerated in the rule;
  • For research purposes, but only when remuneration is a “reasonable cost-based fee to cover the cost to prepare and transmit” the PHI;
  • For purposes of treatment and payment as allowed in the rule;
  • For the sale, transfer, merger, or consolidation of all or part of a covered entity and for related due diligence;
  • To or by a business associate for activities the business associate undertakes on behalf of the covered entity (including a subcontractor);
  • To the individual when requested or in connection with an accounting of disclosures if the fees are in accordance with the Privacy Rule;
  • When required by law;
  • For any purpose permitted by and in accordance with the Privacy Rule, as long as the remuneration is a “reasonable cost-based fee to cover the cost to prepare and transmit” the PHI.

Redisclosures.  HHS noted that “it is expected to be the usual case” that a separate, additional authorization would be required before the recipient may redisclose an individual’s PHI for remuneration.  However, HHS indicates that “it may be possible that redisclosures of information for remuneration by a recipient covered entity or business associate do not require an additional authorization, provided it is sufficiently clear to the individual in the original authorization that the recipient covered entity or business associate will further disclose the individual’s PHI in exchange for remuneration.”

Prior Authorizations Before Compliance Date.  Several commentators expressed concern that this new requirement could endanger research studies based on a prior permission under the Privacy Rule that does not give the covered entity or business associate the authorization to “sell” PHI for remuneration.  HHS clarified that a covered entity may continue to rely on a prior authorization obtained before the compliance date (September 23, 2013) “even if remuneration is involved.”  This grace period is available for any permissible disclosure under the Privacy Rule, not just for research purposes.

Implications.  Covered entities and business associates should ensure that, as of the date of compliance (September 23, 2013), they obtain proper authorization from individuals before exchanging their PHI for remuneration, financial or otherwise, unless the exchange falls within one of the exceptions enumerated above.  Even then, covered entities and business associates should ensure that the fees charged for PHI are reasonable and cost-based when required by the rule.