This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final HITECH omnibus rule adopts a number of modifications to Subparts C and D of Part 160 (HIPAA Enforcement Rule) to implement Section 13410 of the HITECH Act. Most significantly, the rule includes modifications to implement Section 13410(a) of the HITECH Act, which requires HHS to formally investigate a complaint if a preliminary investigation indicates a possible violation due to willful neglect, and to impose a civil money penalty for a violation due to willful neglect.

Continue Reading HITECH Update #12: HHS Modifies HIPAA Enforcement Provisions

The final rule implements Section 13405(d) of the HITECH Act, which generally prohibits a covered entity or a business associate from engaging in a “sale” of an individual’s protected health information (“PHI”) without the individual’s authorization.

Definition of Sale of PHI.  In response to requests from commenters, HHS amended its proposed rule to provide a definition of “sale of PHI.”  Section 164.502(a)(5)(ii)(B)(1) defines “sale of PHI” to mean a disclosure of PHI when the covered entity or business associate “directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI.”  HHS expressly refused to limit this definition to instances where there is a transfer of ownership of PHI.  Furthermore, HHS included a broad interpretation of “remuneration.”  In contrast to the marketing provision where remuneration must be financial, HHS will consider nonfinancial benefits received in exchange for PHI as falling within the scope of the rule.

However, payments a covered entity may receive in the form of grants, contracts, or other arrangements to perform programs or activities using PHI (e.g., a research study) will not be considered a sale of PHI because “any provision of PHI to the payer is a byproduct of the service being provided.”  Rather, a sale of PHI occurs when the covered entity or business associate is being compensated “primarily” for supplying PHI.

Continue Reading HITECH UPDATE #11: New Restrictions on “Sale” of Personal Health Information

The final HITECH omnibus rule implements provisions in the HITECH Act pertaining to two individual rights: an individual’s right to request a restriction on the disclosure of his or her protected health information (“PHI”) and an individual’s right to access his or her PHI.

Right to Restrict Uses and Disclosures of PHI

The current Privacy Rule grants individuals the right to request restrictions on the use or disclosure of their PHI, but covered entities are not required to agree to such restrictions.  The HITECH Act strengthens the right to request restrictions on disclosures by requiring covered entities to accept a restriction on disclosing PHI to a health plan where the disclosure is for payment or health care operations purposes and the PHI “pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket.”  The omnibus rule amends the Privacy Rule to account for this provision.  Under this new requirement, if a patient pays her physician in full for a specific blood test and requests that the physician not disclose PHI that pertains solely to that blood test to the health plan, the physician must agree to this restriction unless the disclosure is otherwise required by law.  In these circumstances, the health care provider also may not disclose the relevant PHI to a business associate of the health plan.  The restriction applies only where the service or item has been paid for in full out of pocket; it does not extend to follow-up visits unless those visits are also paid for in full out of pocket.

Continue Reading HITECH Update #9: Omnibus Rule Revises Individual Rights to Request Restrictions, Access to Protected Health Information

The final HITECH omnibus rule requires covered entities to add several new provisions to the Notice of Privacy Practices (“NPP”) that they distribute to patients and beneficiaries.  Generally, an NPP describes how the covered entity may use and disclose protected health information (“PHI”), an individual’s rights with respect to PHI (e.g., the right to access PHI and request restrictions on uses and disclosures), and the covered entity’s legal duties with respect to PHI (e.g., the duty to abide by the terms of the NPP).

Continue Reading HITECH Update #8: New Requirements for HIPAA Notices of Privacy Practices

The final HITECH omnibus rule includes a number of changes that will significantly affect business associates.  Business associates are now directly subject to various aspects of the HIPAA Privacy, Security, and Breach Notification Rules.  Furthermore, liability now extends much further down the chain, as the new rule also applies these requirements to subcontractors of business associates.

We discuss these and other changes affecting business associates, and their subcontractors, below.

Continue Reading HITECH Update #7: New HIPAA Requirements for Business Associates and Their Subcontractors

This post is part of our series on key aspects of the final HITECH omnibus rule issued by the U.S. Department of Health and Human Services (HHS) on January 17, 2013 (available here), and scheduled to be published in the Federal Register on January 25. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final rule addresses several changes to business associate agreements as a result of the new obligations imposed upon business associates by HITECH.

Continue Reading HITECH Update #6: New Requirements for Business Associate Agreements

The final HITECH omnibus rule significantly tightens the HIPAA marketing restrictions.  As described below, HHS has modified the proposed approach to require authorization for almost all treatment and health care operations communications where the covered entity receives, from a third party, financial remuneration for making the communication.  This change will have major implications for the design of medical messaging programs.

Background.  The HIPAA Privacy Rule generally requires that a covered entity obtain prior written authorization from an individual before using that individual’s protected health information for marketing purposes.  Prior to the HITECH Act, certain communications, including those related to treatment and care coordination, were excluded from the definition of marketing.  But under the HITECH Act, if a covered entity or business associate receives direct or indirect payment in exchange for making certain communications (including those related to treatment and care coordination), the covered entity generally must obtain prior authorization, unless the communication qualifies for a limited exception for communications about currently prescribed drugs or biologics where the payment received is reasonable in amount.

Continue Reading HITECH Update #5: HHS Tightens HIPAA Marketing Requirements

The final HITECH omnibus rule contains major changes to the HIPAA requirements for research authorizations.  Specifically, as described below, HHS has loosened the current restrictions on “compound authorizations” for research purposes, and is now interpreting the HIPAA Privacy Rule to allow authorizations for future research.  These changes could have a tremendous impact on the manner in which informed consent for clinical trials is documented in the United States and on the availability of clinical trial data for future research.

Compound Authorizations.  The HIPAA Privacy Rule generally prohibits “compound authorizations,” which are authorizations that are combined with any other legal permission.  An exception allows the combining of an authorization for a research study with written permission for the same study, usually found in an informed consent form.  But under the current rules, this exception is not available if one authorization conditions treatment, payment, enrollment in a health plan, or eligibility for benefits on the individual providing an authorization (conditioned authorization) and the other authorization does not contain such conditions (unconditioned authorization).  This prevents a covered entity from, for example, using a single authorization for a research study that covers both treatment as part of a clinical study and tissue banking of specimens for future research.  Many groups have informed HHS that this lack of integration is inconsistent with the Common Rule (45 C.F.R. Part 46) and creates unnecessary documentation burdens.

Continue Reading HITECH Update #4: HHS Relaxes HIPAA Requirements for Research Authorizations

The HITECH omnibus rule establishes a new standard for determining whether an unauthorized use or disclosure of unsecured protected health information (“PHI”) is a “breach” requiring notification.  Under the current Breach Notification Rule, covered entities are required to notify individuals of a breach involving their unsecured PHI, and business associates have a corresponding obligation to notify covered entities.  The current rule states that an unauthorized use or disclosure of PHI is a “breach” if it poses a significant risk of financial, reputational, or other harm to the individuals affected.

The omnibus rule replaces the “risk of harm” test with a default presumption that any acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule is a breach unless the covered entity or business associate “demonstrates that there is a low probability that the [PHI] has been compromised based on a risk assessment.”  HHS stated that the omnibus rule establishes a presumption that uses or disclosures of PHI in violation of the Privacy Rule are “breaches” because HHS believes that many covered entities and business associates have construed the existing “risk of harm” standard as setting a higher bar than HHS intended.  Covered entities and business associates now have the burden of proving that there is a “low probability” that PHI has been compromised through a risk assessment that accounts for at least the following factors:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the PHI or to whom the disclosure was made;
  3. Whether the PHI was actually acquired or viewed; and
  4. The extent to which the risk to the PHI has been mitigated.

All of these factors must be considered in combination.  If a covered entity or business associate determines that an unauthorized use or disclosure of PHI is not a breach, it will need to maintain documentation sufficient to overcome the presumption that PHI was compromised.  HHS suggests that these risk assessments allow for a more “objective” evaluation than the current “risk of harm” standard, and plans to provide further guidance on risk assessments that addresses “frequently occurring scenarios.”

Continue Reading HITECH Update #3: HHS Revises Breach Notification Rule