Thursday, Jul 15, 2010
The Ever Evolving World of HIPAA Compliance
Among all the discussions, debates and forecasts involving health reform laws, HIPAA has taken somewhat of a backseat. However, protecting the privacy and security of individually identifiable health information remains at the forefront for many health care providers and health plans engaged in managing the day-to-day issues involving the use, disclosures, access and storage of protected health information.
On July 14, 2010, the Department of Health and Human Services (“HHS”) published its notice of proposed rulemaking (“Proposed Rule”) implementing changes to the HIPAA Privacy, Security, and Enforcement Rules pursuant to the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).
Summary of Proposed Rule
The Proposed Rule addresses a number of changes to the HIPAA Privacy, Security, and Enforcement Rules including the following key modifications:
• Making clear that certain Privacy and Security Rule requirements apply to business associates of covered entities;
• Expanding the definition of business associate to explicitly include a Health Information Organization, E-prescribing Gateway, and other persons that provide data transmission services;
• Establishing a new category of business associate – “subcontractors.” Subcontractors that perform functions for or provide services to a business associate are also considered business associates to the extent such subcontractor requires access to protected health information (“PHI”);
• Requiring business associates to enter into written contracts with subcontractors. (Historically, business associates were only required to “ensure” that subcontractors agree to the same restrictions on the use and disclosure of PHI);
• Revising the definition of PHI to exclude individually identifiable health information regarding a person who has been deceased for more than 50 years;
• Establishing new limitations regarding the use and disclosure of PHI for purposes of marketing and fundraising. Such limitations require “opt-out” provisions for certain marketing and fundraising communications;
• Requiring authorization for the sale of PHI in exchange for direct or indirect remuneration, unless an exception applies;
• Specifying that a covered entity must restrict disclosure of PHI about an individual to a health plan if the disclosure is for payment or health care operations and the PHI pertains to health care items or services for which the individual paid the covered entity in full;
• Creating an individual's right to access their PHI in a form and format requested by the individual (e.g., electronic format), provided that the PHI may be produced in such form or format and if not, in a readable form and format as agreed by the covered entity and individual;
• Expanding the enforcement provisions by specifying that business associates are subject to civil monetary penalties (“CMPs”) for violations of HIPAA; covered entities are liable, pursuant to Federal common law agency principles, for HIPAA violations based on the act or omission of any agent of the covered entity including a workforce member or business associate; and
• Identifying factors to determine the amount of a CMP as well as including the application of penalties against business associates; increasing the penalty cap to $1.5 million depending on level of culpability, plus providing examples of violations that fall into the different penalty levels; and imposing vicarious liability based on common law “agency” principles.
Transition Period
For purposes of addressing compliance issues involving current written business associate agreements between covered entities and business associates, the Proposed Rule provides a transition period (e.g., grandfather clause) for existing business associate agreements (“BAAs”). The Proposed Rule would permit covered entities and business associates (and business associates and business associate subcontractors) to continue operating under certain existing BAAs for up to one (1) year beyond the compliance date set forth in the future final rule. The transition period would be available to a covered entity or business associate if, prior to the publication date of the final rules, the covered entity or business associate had an existing written BAA in place that complied with the prior provisions of HIPAA and such BAA was not renewed or modified between the effective date and the compliance date of the final rules. Importantly, however, the transition provision only pertains to amending BAAs. The transition provision does not affect any other compliance obligation under the HIPAA Rules.
Covered entities and business associates with current written BAAs will be deemed compliant with HIPAA requirements so long as the conditions described in the Proposed Rule are met.
Compliance Dates and Comment Period
Following promulgation of final rules, covered entities and business associates will have 180 days to come into compliance with most of the Proposed Rule provisions. For future modifications to HIPAA, covered entities and business associates will have 180 days from the effective date of such future rule modifications. Therefore, we recommend that covered entities and business associates take advantage of this time period to evaluate compliance with the modifications set forth in the Proposed Rule.
HHS will be accepting comments regarding the Proposed Rule until September 13, 2010.
A copy of the Proposed Rule is available online at: http://www.access.gpo.gov/su_docs/fedreg/a100714c.html.
* * *
If you have any questions regarding this Client Alert, please contact the author or your Clark Hill attorney.
All articles are also posted on the Clark Hill Website for future reference and can be accessed by visiting www.clarkhill.com or www.clarkhill.com/HealthCare.aspx.
admin | tagged Behavioral Health Law, HIPAA, Privacy | Jul 15, 2010