The Department of Health and Human Services (HHS) on Thursday released a proposed rule to modify the HIPAA privacy, security, and enforcement rules. The rule would extend HIPAA compliance requirements to subcontractors of business associates (BAs) and strengthen patients' rights to the privacy of their health information.
According to the Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules for HHS, the proposed 'significant' modifications include:
- A requirement that BAs of HIPAA-covered entities be under most of the same rules as the covered entities
- New limitations on the use and disclosure of protected health information (PHI) for marketing and fundraising purposes
- Prohibition of the sale of PHI without an authorization
- Expansion of individuals' rights to access their information and to restrict certain types of disclosures of PHI to health plans
- Provisions that strengthen and expand HIPAA's enforcement rule
- Privacy protection would extend only 50 years after a patient's death
- Covered entities can charge costs associated with providing an individual ePHI on electronic media — the cost of a flash drive or CD, for example
- Strong case examples on breaches
The proposed rule is required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which President Barack Obama signed into law on February 17, 2009. The Act was part of the $787 billion American Recovery and Reinvestment Act of 2009, the economic stimulus package, which includes provisions for heightened enforcement of HIPAA and stiffer penalties for privacy and security violations.
HHS will receive comments for up to 60 days after the proposal's July 14 publication in the Federal Register, after which it will release an interim final rule. HHS says it will give covered entities and BAs 180 days after the final rule is in effect to comply with most of the provisions.
Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of the HIPAA Boot Camp in Casa Grande, AZ, says some of the major points in the proposed rule include:
BAs' subcontractors must comply
HITECH made BAs liable for compliance with the security rule and the use and disclosure provisions of the privacy rule. Now, HHS proposes extending those compliance requirements to BA subcontractors by including them in the definition of a BA.
A BA contract with subcontractors has to contain all the provisions, current and new, required to be in BA contracts. Also, subcontractors of BAs must implement the same "reasonable and appropriate" safeguards required by HIPAA to ensure they prevent breaches of unsecured PHI.
Furthermore, BAs who hire subcontractors must supply information to HHS regarding their subcontractors' compliance, notes Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, of Des Moines, IA.
Subcontractors complying with HIPAA "would greatly expand the number of organizations subject to the privacy and security regulations and penalties," says Kate Borten, CISSP, CISM, president of The Marblehead Group. "From the perspective of consumers, such change would be a significant benefit and would certainly strengthen the actual privacy and security controls over their protected health information."
HHS also announced that BAs can be directly liable for breaches of unsecured PHI and may be subject to fines. Susan McAndrew, deputy director for health information privacy for OCR, had previously confirmed this to HCPro at the 18th Annual National HIPAA Summit in early February.
The proposed rule makes explicit that certain entities providing services to covered entities — e.g., vendors of personal health records — are BAs.
"This was sorely needed with all the emerging 'Health Vault' types of services out there," Herold says.
Herold also points out that the proposed rule's Notice of Privacy Practices (NPP) components "will require all current ones to be updated."
Experts: Changes not huge
Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, called today's HHS press conference announcing the proposed rule "good press for HHS/OCR."
"Proposed rules are generally far from final, and there is no guarantee that they will be finalized soon," Apgar says. "A good example is a rule that was published as draft in January and still has not been passed along to OMB (Office of Management and Budget) and is sorely needed — the meaningful use rule."
Jeff Drummond, health law partner in the Dallas office of Jackson Walker, LLP, said that a quick glance at the proposed rule does not reveal many significant changes from the requirements already in place under HITECH.
"I don't see any blockbuster new rules here," Drummond said.
John C. Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD, and former chairperson of the team that created the HIPAA Security Rule, agrees there were no "real surprises."
"But it was definitely a move in the right direction of clarifying and reiterating this administration's seriousness about enforcing stricter privacy and security standards in a push toward a more patient-centric, health information technology driven environment," Parmigiani says. "I was encouraged by some positive, albeit later than promised or expected, movement on the part of HHS and [Office for National Coordinator]."
HITECH set a February 18 deadline for delivery of this proposed rule, which HHS missed.
By June 18, OCR was to release regulations to modify the HIPAA Privacy Rule's accounting of disclosures provisions. However, OCR published a notice in the May 3 Federal Register requesting information to assist its crafting of a proposed rule on accounting of disclosures from electronic health records, pursuant to HITECH.
In the proposed rule released Thursday, HHS says the "minimum necessary" principle still applies but will be clarified further in upcoming guidance rather than in a formal rule.
Editor's note: Access the proposed rules through the OCR privacy site. Access OCR's new breach notification and privacy Web sites.
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.