<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>HIPAA.com</title>
	<atom:link href="http://www.hipaa.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.hipaa.com</link>
	<description>Know your 5010 from your ICD-10</description>
	<lastBuildDate>Tue, 26 Mar 2013 12:53:18 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>HIPAA Final Rule:  Today is Effective Date&#8211;Covered Entities and Business Associates Have 180 Days to Comply</title>
		<link>http://www.hipaa.com/2013/03/hipaa-final-rule-today-is-effective-date-covered-entities-and-business-associates-have-180-days-to-comply/</link>
		<comments>http://www.hipaa.com/2013/03/hipaa-final-rule-today-is-effective-date-covered-entities-and-business-associates-have-180-days-to-comply/#comments</comments>
		<pubDate>Tue, 26 Mar 2013 12:53:18 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2994</guid>
		<description><![CDATA[March 26, 2013.  Today is the first big milestone since publication in the Federal Register on January 25, 2013, of the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules.  Today is the effective date of the Final Rule, and covered entities and business associates must comply by September 23, 2013.]]></description>
			<content:encoded><![CDATA[<p><strong>March 26, 2013</strong>.  Today is the first big milestone since the January 25, 2013, publication in the <em>Federal Register </em>of the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a>.</em> Today is the effective date of the Final Rule, and covered entities and business associates must comply by September 23, 2013.</p>
<p>&#8220;<a href="https://www.federalregister.gov/uploads/2011/01/the_rulemaking_process.pdf" target="_blank">Significant rules (defined by Executive Order 12866) and major rules (defined by the Small Business Regulatory Enforcement Fairness Act) are required to have a 60 day delayed effective date</a>,&#8221; which was the case with the Final Rule discussed herein.</p>
<p>Here are comments from the preamble of the Final Rule pertaining to the effective and compliance dates:</p>
<p>&#8220;The final rule is effective on March 26, 2013.  Covered entities and business associates of all sizes will have 180 days beyond the effective date of the final rule to come into compliance with most of the final rule&#8217;s provisions, including the modifications to the Breach Notification Rule and the changes to the HIPAA Privacy Rule under GINA.  We understand that some covered entities, business associates, and subcontractors remain concerned that a 180-day period does not provide sufficient time to come into compliance with the modifications. However, we believe not only that providing a 180-day compliance period best comports with section 1175(b)(2) of the Social Security Act, 42 U.S.C. 1320d–4, and our implementing provision at 45 CFR 160.104(c)(1), which require the Secretary to provide at least a 180-day period for covered entities to comply with modifications to standards and implementation specifications in the HIPAA Rules, but also that providing a 180-day compliance period best protects the privacy and security of patient information, in accordance with the goals of the HITECH Act.</p>
<p>“In addition, to make clear to the industry our expectation that going forward we will provide a 180-day compliance date for future modifications to the HIPAA Rules, we adopt the provision we proposed at 45 CFR 160.105, which provides that with respect to new or modified standards or implementation specifications in the HIPAA Rules, except as otherwise provided, covered entities and business associates must comply with the applicable new or modified standards or implementation specifications no later than 180 days from the effective date of any such change. In cases where a future modification necessitates a longer compliance period, the Department will expressly provide for one, as it has done in this rulemaking with respect to the time permitted for business associate agreements to be modified.</p>
<p>“For the reasons proposed, the final rule also retains the compliance date provisions at 45 CFR 164.534 and 164.318, which provide the compliance dates of April 14, 2003, and April 20, 2005, for initial implementation of the HIPAA Privacy and Security Rules, respectively. We note that 160.105 regarding the compliance date of new or modified standards or implementation specifications does not apply to modifications to the provisions of the HIPAA Enforcement Rule, because such provisions are not standards or implementation specifications (as the terms are defined at 160.103). Such provisions are in effect and apply at the time the final rule becomes effective or as otherwise specifically provided. In addition, as explained above, our general rule for a 180-day compliance period for new or modified standards would not apply where we expressly provide a different compliance period in the regulation for one or more provisions. For purposes of this rule, the 180-day compliance period would not govern the time period required to modify those business associate agreements that qualify for the longer transition period in 164.532….</p>
<p>“Finally, the provisions of section 13402(j) of the HITECH Act apply to breaches of unsecured protected health information discovered on or after September 23, 2009, the date of the publication of the interim final rule. Thus, during the 180 day period before compliance with this final rule is required, covered entities and business associates are still required to comply with the breach notification requirements under the HITECH Act and must continue to comply with the requirements of the interim final rule. We believe that this transition period provides covered entities and business associates with adequate time to come into compliance with the revisions in this final rule and at the same time to continue to fulfill their breach notification obligations under the HITECH Act.”</p>
<p>78 <em>Federal Register</em> 5569-5570</p>
<p>For provisions of the modifications of the Final Rule, you may access them through electronic <em>Code of Federal Regulations</em> links available at <a href="http://www.ecfr.gov" target="_blank">www.ecfr.gov</a>.  On the opening screen, scroll down to &#8220;Title 45:  Public Welfare&#8221; and click &#8220;Go.&#8221;  Then, click on &#8220;1-199:  Subtitle A&#8211;Department of Health and Human Services.&#8221;  Scroll down to &#8220;Subchapter C: Administrative Data Standards and Related Requirements&#8221; for the &#8220;Parts&#8221; and &#8220;Subparts&#8221; of interest, click, and you can then access the desired sections.  For example, Part 164 is &#8220;Security and Privacy,&#8221; and within it Subpart C is &#8220;Security Standards for the Protection of Electronic Protected Health Information,&#8221; Subpart D is &#8220;Notification in the Case of Breach of Unsecured Protected Health Information,&#8221; and Subpart E is &#8220;Privacy of Individually Identifiable Health Information.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/03/hipaa-final-rule-today-is-effective-date-covered-entities-and-business-associates-have-180-days-to-comply/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  Notice of Privacy Practices for Protected Health Information:  Provision of Notice (2)</title>
		<link>http://www.hipaa.com/2013/03/hipaa-final-rule-notice-of-privacy-practices-for-protected-health-information-provision-of-notice-2/</link>
		<comments>http://www.hipaa.com/2013/03/hipaa-final-rule-notice-of-privacy-practices-for-protected-health-information-provision-of-notice-2/#comments</comments>
		<pubDate>Tue, 26 Mar 2013 11:40:10 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Americans with Disabilities Act of 1990]]></category>
		<category><![CDATA[annual mailing to individuals]]></category>
		<category><![CDATA[audio]]></category>
		<category><![CDATA[Braille]]></category>
		<category><![CDATA[clear and prominent location]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[content of notice]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[customer service web site]]></category>
		<category><![CDATA[direct treatment relationship]]></category>
		<category><![CDATA[effective communication with individuals with disabilities]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[electronic notice]]></category>
		<category><![CDATA[enrollee]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[GINA]]></category>
		<category><![CDATA[good faith acknowledgment]]></category>
		<category><![CDATA[health care providers]]></category>
		<category><![CDATA[health plan]]></category>
		<category><![CDATA[HIPAA Final Rule]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[implementation specifications]]></category>
		<category><![CDATA[large print]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[material change]]></category>
		<category><![CDATA[Modifications]]></category>
		<category><![CDATA[notice of privacy practices]]></category>
		<category><![CDATA[NPP]]></category>
		<category><![CDATA[open enrollment period]]></category>
		<category><![CDATA[plan year]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[provision of notice]]></category>
		<category><![CDATA[Rehabilitation Act of 1973]]></category>
		<category><![CDATA[revised notice]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[State law]]></category>
		<category><![CDATA[underwriting purposes]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2989</guid>
		<description><![CDATA[March 25, 2013.  Today, we continue going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.  Tomorrow, March 26, 2013, is the effective date of the Final Rule.]]></description>
			<content:encoded><![CDATA[<p><strong>March 25, 2013</strong>.  Today, we continue going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p>We began a two-day examination of the modifications pertaining to 45 CFR 164.520:  <em>Notice of Privacy Practices for Protected Health Information</em> on Friday, March 22, looking at <em>Content of Notice</em> in subsection (b). Today, we focus on modifications to 164.520(c): <em>Implementation specifications:  Provision of Notice</em>, with modifications in <strong>bold</strong>:</p>
<p>“(c) <em>Implementation specifications:  Provision of Notice</em>.  A covered entity must make the notice required by this section available on request to any person and to individuals as specified in paragraphs (c)(1) through (c)(3) of this section, as applicable.</p>
<p>(1) <em>Specific requirements for health plans</em>.  (i) A health plan must provide notice:</p>
<p>&#8230;</p>
<p>(B) Thereafter, at the time of enrollment, to individuals who are new enrollees.</p>
<p>…</p>
<p><strong>(v) If there is a material change to the notice: </strong></p>
<p><strong>(A) A health plan that posts its notice on its web site in accordance with paragraph (c)(3)(i) of this section [<em>Specific requirements for electronic notice</em>] must prominently post the change or its revised notice on its web site by the effective date of the material change to the notice, and provide the revised notice, or information about the material change and how to obtain the revised notice, in its next annual mailing to individuals then covered by the plan.</strong></p>
<p><strong>(B) A health plan that does not post its notice on a web site pursuant to paragraph (c)(3)(i) of this section must provide the revised notice, or information about the material change and how to obtain the revised notice, to individuals then covered by the plan within 60 days of the material revision to the notice.</strong></p>
<p>We provide here the content of the Final Rule preamble that underpins the <em>Notice of privacy practices for protected health information:  Provision of Notice</em>:</p>
<p>“Section 45 CFR 164.520(c)(1) of the final rule requires a health plan that currently posts its NPP on its Web site in accordance with 164.520(c)(3)(i) to: (1) Prominently post the material change or its revised notice on its web site by the effective date of the material change to the notice (e.g., the compliance date of this final rule) and (2) provide the revised notice, or information about the material change and how to obtain the revised notice, in its next annual mailing to individuals then covered by the plan, such as at the beginning of the plan year or during the open enrollment period. Health plans that do not have customer service web sites are required to provide the revised NPP, or information about the material change and how to obtain the revised notice, to individuals covered by the plan within 60 days of the material revision to the notice. These requirements apply to all material changes including, where applicable, the rule change adopted pursuant to GINA to prohibit most health plans from using or disclosing genetic information for underwriting purposes.</p>
<p>“We believe these distribution requirements best balance the right of individuals to be informed of their privacy rights with the burden on health plans to provide the revised NPP. We also note that health plans should provide both paper- and web-based notices in a way accessible to all beneficiaries, including those individuals with disabilities. These modifications provide an avenue for an individual to be informed of material changes upon their effective date while better aligning the NPP distribution with health plans’ normal mailings to individuals.</p>
<p>“For health care providers, the final rule does not modify the current requirements to distribute revisions to the NPP. As such, 45 CFR 164.520(c)(2)(iv) requires that when a health care provider with a direct treatment relationship with an individual revises the NPP, the health care provider must make the NPP available upon request on or after the effective date of the revision and must comply with the requirements of 164.520(c)(2)(iii) to have the NPP available at the delivery site and to post the notice in a clear and prominent location. In response to several comments expressing concern about printing costs for new NPPs, we clarify that providers are not required to print and hand out a revised NPP to all individuals seeking treatment; providers must post the revised NPP in a clear and prominent location and have copies of the NPP at the delivery site for individuals to request to take with them. Providers are only required to give a copy of the NPP to, and obtain a good faith acknowledgment of receipt from, new patients. As a result, we do not believe that the current requirement is overly burdensome to providers, nor is it overly costly. We also clarify that while health care providers are required to post the NPP in a clear and prominent location at the delivery site, providers may post a summary of the notice in such a location as long as the full notice is immediately available (such as on a table directly under the posted summary) for individuals to pick up without any additional burden on their part. It would not be appropriate, however, to require the individual to have to ask the receptionist for a copy of the full NPP.</p>
<p>“To the extent that some covered entities have already revised their NPPs in response to the enactment of the HITECH Act or State law requirements, we clarify that as long as a covered entity’s current NPP is consistent with this final rule and individuals have been informed of all material revisions made to the NPP, the covered entity is not required to revise and distribute another NPP upon publication of this final rule. Finally, we note that to the extent a covered entity is required to comply with Section 504 of the Rehabilitation Act of 1973 or the Americans with Disabilities Act of 1990, the covered entity has an obligation to take steps that may be necessary to ensure effective communication with individuals with disabilities, which could include making the revised NPP or notice of material changes to the NPP available in alternate formats, such as Braille, large print, or audio.”</p>
<p>78 <em>Federal Register</em> 5625</p>
<p>Tomorrow is the effective date of the Final Rule discussed herein.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/03/hipaa-final-rule-notice-of-privacy-practices-for-protected-health-information-provision-of-notice-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  Notice of Privacy Practices for Protected Health Information:  Content of Notice (1)</title>
		<link>http://www.hipaa.com/2013/03/hipaa-final-rule-notice-of-privacy-practices-for-protected-health-information-1/</link>
		<comments>http://www.hipaa.com/2013/03/hipaa-final-rule-notice-of-privacy-practices-for-protected-health-information-1/#comments</comments>
		<pubDate>Fri, 22 Mar 2013 19:44:04 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[authorization]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[content of notice]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[financial remuneration]]></category>
		<category><![CDATA[fundraising]]></category>
		<category><![CDATA[fundraising communications]]></category>
		<category><![CDATA[group health plans]]></category>
		<category><![CDATA[Health Care Operations]]></category>
		<category><![CDATA[HIPAA Final Rule]]></category>
		<category><![CDATA[HIPAA PRIVACY RULE]]></category>
		<category><![CDATA[implementation specification]]></category>
		<category><![CDATA[individual rights]]></category>
		<category><![CDATA[long-term care policy]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[marketing]]></category>
		<category><![CDATA[modification]]></category>
		<category><![CDATA[notice of privacy practices]]></category>
		<category><![CDATA[paid the covered entity in full]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[provision of notice]]></category>
		<category><![CDATA[revocation of authorizations]]></category>
		<category><![CDATA[sale of protected health information]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[sponsor]]></category>
		<category><![CDATA[standard]]></category>
		<category><![CDATA[uses and disclosures]]></category>
		<category><![CDATA[written authorization]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2983</guid>
		<description><![CDATA[March 22, 2013.  Today, we continue going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.  On Monday, March 25, we present 45 CFR 164.520(c):  Implementation specifications:  Provision of Notice.]]></description>
			<content:encoded><![CDATA[<p><strong>March 22, 2013</strong>.  Today, we continue going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p>We begin a two-day examination of the modifications pertaining to 45 CFR 164.520:  <em>Notice of Privacy Practices for Protected Health Information</em>.  Today, we focus on modifications to 164.520(b): <em>Implementation specifications:  Content of Notice</em>, and Monday, March 25, on modifications to 164.520(c):  <em>Implementation specifications: Provision of notice</em>.</p>
<p><em>Modifications to 164.520(b):  Implementation specifications:  Content of notice</em></p>
<p>“(1) <em>Required elements.</em></p>
<p><span style="text-decoration: underline;">“(ii) <em>Uses and disclosures</em></span>.  The notice must contain:</p>
<p>“(E) A description of the types of uses and disclosures that require an authorization under 45 CFR 164.508(a)(2)–(a)(4), a statement that other uses and disclosures not described in the notice will be made only with the individual’s written authorization, and a statement that the individual may revoke an authorization as provided by 164.508(b)(5).”</p>
<p>78 <em>Federal Register</em> 5701</p>
<p>Here are the provisions for 45 CFR 164.508 referenced in 164.520(b)(1)(ii)(E), with modifications shown in <strong>bold</strong>:</p>
<p>“(a)(2) <em>Authorization required:  Psychotherapy notes</em>.</p>
<p>“(a)(3) <em>Authorization required:  Marketing</em>.  (ii) If the marketing involves <strong>financial remuneration, as defined in paragraph (3) of the definition of marketing at 164.501, </strong>to the covered entity from a third party, the authorization must state that such remuneration is involved.</p>
<p><strong>“(a)(4) <em>Authorization required:  Sale of protected health information</em>. </strong><strong>(i) Notwithstanding any provision of [the HIPAA Privacy Rule], other than the transition provisions in 164.532, a covered entity must obtain an authorization for any disclosure of protected health information which is a sale of protected health information, as defined in 164.501 of [the HIPAA Privacy Rule]. (ii) Such authorization must state that the disclosure will result in remuneration to the covered entity.</strong></p>
<p>“(b)(5) <em>Revocation of authorizations</em>.”</p>
<p>78 <em>Federal Register </em>5699</p>
<p>Continuing with the modifications to 45 CFR 164.520(b)(1):  <em>Content of Notice:  Required elements:</em></p>
<p><span style="text-decoration: underline;">“(iii) Separate statements for certain uses or disclosures</span>.  If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) of this section must include a separate statement informing the individual of such activities, as applicable:</p>
<p>“(A) In accordance with 164.514(f)(1) [<em>Fundraising communications: Standard:  Uses and disclosures for fundraising</em>, as modified at 78 <em>Federal Register </em>5700], the covered entity may contact the individual to raise funds for the covered entity and the individual has a right to opt out of receiving such communications;</p>
<p>“(B) In accordance with 164.504(f) [<em>Standard:  Requirements for group health plans</em>, as modified at 78 <em>Federal Register</em> 5698], the group health plan, or a health insurance issuer or HMO with respect to a group health plan, may disclose protected health information to the sponsor of the plan; or</p>
<p>“(C) If a covered entity that is a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of <em>health plan, </em>intends to use or disclose protected health information for underwriting purposes, a statement that the covered entity is prohibited from using or disclosing protected health information that is genetic information of an individual for such purposes.”</p>
<p>78 <em>Federal Register</em> 5701</p>
<p>Here are two references mentioned in the provisions immediately above:</p>
<p>In (iii), “(b)(1)(ii)(A)” is:  “A description, including at least one example, of the types of uses and disclosures that the covered entity is permitted by [the HIPAA Privacy Rule] to make for each of the following purposes:  treatment, payment, and health care operations.”</p>
<p>In (C), “(1)(viii) of the definition of <em>health plan</em>” is:  “An issuer of a long-term care policy, excluding a nursing home fixed indemnity policy.”  78 <em>Federal Register</em> 5689</p>
<p><span style="text-decoration: underline;">“(iv) Individual rights</span>.</p>
<p>“(A) The right to request restrictions on certain uses and disclosures of protected health information as provided by 45 CFR 164.522(a), including a statement that the covered entity is not required to agree to a requested restriction, except in case of a disclosure restricted under 164.522(a)(1)(vi);”</p>
<p>78 <em>Federal Register</em> 5701</p>
<p>Here is the content, as modified (in <strong>bold</strong>), for 164.522(a)(1)(vi), as referenced immediately above:</p>
<p><strong>“A covered entity must agree to the request of an individual to restrict disclosure of protected health information about the individual to a health plan if:</strong></p>
<p><strong>(A) The disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and</strong></p>
<p><strong>(B) The protected health information pertains solely to a health care item or service for which the individual, or person other than the health plan on behalf of the individual, has paid the covered entity in full.”</strong></p>
<p>78 <em>Federal Register</em> 5701</p>
<p><span style="text-decoration: underline;">“(v) Covered entity’s duties</span>.</p>
<p>“(A) A statement that the covered entity is required by law to maintain the privacy of protected health information, to provide individuals with notice of its legal duties and privacy practices with respect to protected health information, and to notify affected individuals following a breach of unsecured protected health information;”</p>
<p>78 <em>Federal Register </em>5701</p>
<p>We provide here the content of the Final Rule preamble that underpins the <em>Notice of privacy practices for protected health information:  Implementation specifications—Content of Notice</em>, with reference to the modified provisions above:</p>
<p>“First, the final rule adopts the modification to 45 CFR 164.520(b)(1)(ii)(E), which requires certain statements in the NPP regarding uses and disclosures that require authorization. We note that, contrary to some commenter concerns, the final rule does not require the NPP to include a list of all situations requiring authorization. Instead, the NPP must contain a statement indicating that most uses and disclosures of psychotherapy notes (where appropriate), uses and disclosures of protected health information for marketing purposes, and disclosures that constitute a sale of protected health information require authorization, as well as a statement that other uses and disclosures not described in the NPP will be made only with authorization from the individual.</p>
<p>“The final rule does not require the NPP to include a description of a covered entity’s recordkeeping practices with respect to psychotherapy notes; however, covered entities are free to include such additional information in their NPP if they choose. Additionally, in response to requests by some commenters, we clarify that covered entities that do not record or maintain psychotherapy notes are not required to include a statement in their NPPs about the authorization requirement for uses and disclosures of psychotherapy notes.</p>
<p>“Second, because the final rule treats all subsidized treatment communications as marketing communications, we have not adopted the proposal to require a statement in the NPP about such communications and the ability of an individual to opt out….</p>
<p>“The final rule, however, adopts the proposed requirement for a statement in the NPP regarding fundraising communications and an individual’s right to opt out of receiving such communications, if a covered entity intends to contact an individual to raise funds for the covered entity. Because individuals will be provided the opportunity to opt out of fundraising communications with each solicitation, the final rule does not require the NPP to include the mechanism for individuals to opt out of receiving fundraising communications, although covered entities are free to include such information if they choose to do so.</p>
<p>“The final rule also adopts the proposal that the NPP inform individuals of their new right to restrict certain disclosures of protected health information to a health plan where the individual pays out of pocket in full for the health care item or service. Only health care providers are required to include such a statement in the NPP; other covered entities may retain the existing language indicating that a covered entity is not required to agree to a requested restriction.”</p>
<p>78 <em>Federal Register</em> 5624</p>
<p>On Monday, March 25, we present 45 CFR 164.520(c): <em>Implementation specifications:  Provision of Notice</em>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/03/hipaa-final-rule-notice-of-privacy-practices-for-protected-health-information-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  More on Uses and Disclosures of Protected Health Information of Decedents</title>
		<link>http://www.hipaa.com/2013/03/hipaa-final-rule-more-on-uses-and-disclosures-of-protected-health-information-of-decedents/</link>
		<comments>http://www.hipaa.com/2013/03/hipaa-final-rule-more-on-uses-and-disclosures-of-protected-health-information-of-decedents/#comments</comments>
		<pubDate>Thu, 14 Mar 2013 16:37:01 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[deceased individuals]]></category>
		<category><![CDATA[decedents]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[family member]]></category>
		<category><![CDATA[HIPAA Final Rule]]></category>
		<category><![CDATA[individual's care]]></category>
		<category><![CDATA[individual's death]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[Modifications]]></category>
		<category><![CDATA[notification purposes]]></category>
		<category><![CDATA[payment for health care]]></category>
		<category><![CDATA[personal representative]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[uses and disclosures]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2978</guid>
		<description><![CDATA[March 13, 2013.  Today, we continue going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.  Tomorrow, we begin a two-day presentation of modifications to the Notice of Privacy Practices for Protected Health Information.]]></description>
			<content:encoded><![CDATA[<p><strong>March 13, 2013</strong>.  Today, we continue going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p>Our focus yesterday was on the modified rule: 45 CFR 164.502(f): <em>Standard</em>:  <em>Deceased individuals</em>. Today, we finish up with a related modified rule: 164.510(b):  <em>Disclosures about a decedent to family members and others involved in care</em>, which is in <strong>164.510(b)(5)</strong>:</p>
<p>“<em>Uses and disclosures when the individual is deceased. </em>If the individual is deceased, a covered entity may disclose to a family member, or other persons identified in paragraph (b)(1) of this section who were involved in the individual’s care or payment for health care prior to the individual’s death, protected health information of the individual that is relevant to such person’s involvement, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.”</p>
<p>For reference, we provide modified 164.510(b)(1) here:</p>
<p>“(b) <em>Standard:  Uses and disclosures for involvement in the individual’s care and notification purposes—</em>(1) <em>Permitted uses and disclosures</em>.</p>
<p>&#8220;(i) A covered entity may, in accordance with paragraphs (b)(2), (b)(3), or <strong>(b)(5)</strong> of this section, disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, the protected health information directly relevant to such person’s involvement with the individual’s health care or payment related to the individual’s health care.</p>
<p>&#8220;(ii) A covered entity may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual’s location, general condition, or death.  Any such use or disclosure of protected health information for such notification purposes must be in accordance with paragraphs (b)(2), (b)(3), (b)(4), or <strong>(b)(5)</strong> of this section, as applicable.”</p>
<p>78 <em>Federal Register</em> 5699</p>
<p>We provide here the content of the Final Rule preamble that underpins the <em>Disclosure about a decedent to family members and others involved in care</em>:</p>
<p>“The final rule adopts the proposal to amend 45 CFR 164.510(b) to permit covered entities to disclose a decedent’s protected health information to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.</p>
<p>“In response to commenters who opposed this provision, we believe the provision strikes the appropriate balance in allowing communications with family members and other persons who were involved in the individual’s care or payment for care prior to death, unless doing so is inconsistent with the prior expressed wishes of the individual. This will ensure family members and others can find out about the circumstances surrounding the death of their loved ones, unless the individual prior to his or her death objected to the covered entity making such communications. Further, the Privacy Rule limits such disclosures, similar to the other disclosures permitted under 164.510(b), to the protected health information relevant to the family member or other person’s involvement in the individual’s health care or payment for health care. For example, a covered health care provider could describe the circumstances that led to an individual’s passing with the decedent’s sister who is asking about her sibling’s death. In addition, a covered health care provider could disclose billing information to a family member of a decedent who is assisting with wrapping up the decedent’s estate. However, in both of these cases, the provider generally should not share information about past, unrelated medical problems. Finally, these disclosures are permitted and not required, and thus, a covered entity that questions the relationship of the person to the decedent or otherwise believes, based on the circumstances, that disclosure of the decedent’s protected health information would not be appropriate, is not required to make the disclosure.”</p>
<p>78 <em>Federal Register</em> 5615</p>
<p>Tomorrow, we begin a two-day presentation of modifications to the Notice of Privacy Practices for Protected Health Information.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/03/hipaa-final-rule-more-on-uses-and-disclosures-of-protected-health-information-of-decedents/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  Protected Health Information of Deceased Individuals</title>
		<link>http://www.hipaa.com/2013/03/hipaa-final-rule-protected-health-information-of-deceased-individuals/</link>
		<comments>http://www.hipaa.com/2013/03/hipaa-final-rule-protected-health-information-of-deceased-individuals/#comments</comments>
		<pubDate>Thu, 14 Mar 2013 13:19:04 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[50 years]]></category>
		<category><![CDATA[authorization]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[death of individual]]></category>
		<category><![CDATA[deceased individuals]]></category>
		<category><![CDATA[decedent health information]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[General Rules]]></category>
		<category><![CDATA[HIPAA Final Rule]]></category>
		<category><![CDATA[HIPAA PRIVACY RULE]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[medical record]]></category>
		<category><![CDATA[Modifications]]></category>
		<category><![CDATA[personal representative]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[psychotherapy notes]]></category>
		<category><![CDATA[research]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[use and disclosures of protected health information]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2973</guid>
		<description><![CDATA[March 12, 2013.  Today, we continue going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.   Tomorrow, we look at a related modified HIPAA Privacy Rule pertaining to decedents:  45 CFR 164.510(b):  Disclosures about a decedent to family members and others involved in care.  ]]></description>
			<content:encoded><![CDATA[<p><strong>March 12, 2013</strong>.  Today, we continue going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p>Our focus last week and early this week has been on 45 CFR 164.502: <em>Uses and disclosures of protected health information:  General Rules</em>.  Today, we finish up with this modified rule with: 164.502(f): <em>Standard</em>:  <em>Deceased individuals</em>.</p>
<p><strong>“164.502(f): <em>Standard</em>:  <em>Deceased individuals</em></strong>.  A covered entity must comply with the requirements of [the HIPAA Privacy Rule] with respect to the protected health information of a deceased individual for a period of 50 years following the death of the individual.”</p>
<p>We provide here the content of the Final Rule preamble that underpins the <em>Uses and disclosures of protected health information:  General Rules </em>pertaining to deceased individuals:</p>
<p>“We believe 50 years is an appropriate period of protection for decedent health information, taking into account the remaining privacy interests of living individuals after the span of approximately two generations have passed, and the difficulty of obtaining authorizations from a personal representative of a decedent as the same amount of time passes. For the same reason, we decline to shorten the period of protection as suggested by some commenters or to adopt a 100-year period of protection for decedent information. We also believe the 50-year period of protection to be long enough so as not to provide an incentive for covered entities to change their record retention policies in order to profit from the data about a decedent once 50 years has elapsed.</p>
<p>“With respect to commenters’ concerns regarding protected health information about decedents that is sensitive, such as HIV/AIDS, substance abuse, or mental health information, or that involves psychotherapy notes, we emphasize that the 50-year period of protection for decedent health information under the Privacy Rule does not override or interfere with State or other laws that provide greater protection for such information, or the professional responsibilities of mental health or other providers. Covered entities may continue to provide privacy protections to decedent information beyond the 50-year period, and may be required to do so under other applicable laws or as part of their professional responsibility. Alternatively, covered entities may choose to destroy decedent information although other applicable law may prescribe or limit such destruction.</p>
<p>“We also decline to limit protections under the Privacy Rule to a certain period beyond the last date in the medical record. While we appreciate the challenges that may be present in determining the date of death of an individual in cases in which it is not sufficiently clear from the age of the record whether the individual is deceased, we believe that this determination is necessary in closer cases to protect the individual, as well as living relatives and others, who may be affected by disclosure of the information. Further, as we stated in the [July 14, 2010, Notice of Proposed Rule Making], this modification has no impact on a covered entity’s disclosures permitted under other provisions of the Privacy Rule. For example, a covered entity is permitted to disclose protected health information of decedents for research that is solely on the information of decedents in accordance with 45 CFR 164.512(i)(1)(iii) [<em>Uses and disclosures for which an authorization or opportunity to agree or object is not required</em>], without regard to how long the individual has been deceased.</p>
<p>“Finally, we clarify that the 50-year period of protection is not a record retention requirement. The HIPAA Privacy Rule does not include medical record retention requirements and covered entities may destroy such records at the time permitted by State or other applicable law. (We note that covered entities are subject to the accounting requirements at 45 CFR 164.528 [<em>Accounting of disclosures of protected health information</em>] and, thus, would need to retain or record certain information regarding their disclosures of protected health information.) However, if a covered entity does maintain decedent health information for longer than 50 years following the date of death of the individual, this information will no longer be subject to the Privacy Rule.”</p>
<p>78 <em>Federal Register</em> 5614</p>
<p>Tomorrow, we look at a related modified HIPAA Privacy Rule pertaining to decedents:  45 CFR 164.510(b):  <em>Disclosures about a decedent to family members and others involved in care</em>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/03/hipaa-final-rule-protected-health-information-of-deceased-individuals/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  More on Business Associate Uses &amp; Disclosures in the Business Associate Contract</title>
		<link>http://www.hipaa.com/2013/03/hipaa-final-rule-more-on-business-associate-uses-disclosures-in-the-business-associate-contract/</link>
		<comments>http://www.hipaa.com/2013/03/hipaa-final-rule-more-on-business-associate-uses-disclosures-in-the-business-associate-contract/#comments</comments>
		<pubDate>Tue, 12 Mar 2013 17:46:24 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[access of individuals]]></category>
		<category><![CDATA[breach notification rule]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[business associate contract]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[create]]></category>
		<category><![CDATA[cure the breach]]></category>
		<category><![CDATA[data aggregation services]]></category>
		<category><![CDATA[deceased individuals]]></category>
		<category><![CDATA[disclosures to business associates]]></category>
		<category><![CDATA[documentation]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[electronic protected health information]]></category>
		<category><![CDATA[Health Care Operations]]></category>
		<category><![CDATA[HIPAA Final Rule]]></category>
		<category><![CDATA[HIPAA PRIVACY RULE]]></category>
		<category><![CDATA[HIPAA Security Rule]]></category>
		<category><![CDATA[implementation specification]]></category>
		<category><![CDATA[maintain]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[material breach]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[organization requirements]]></category>
		<category><![CDATA[permitted and required uses and disclosures]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[receive]]></category>
		<category><![CDATA[safeguards]]></category>
		<category><![CDATA[sample business associate agreement provisions]]></category>
		<category><![CDATA[satisfactory assurances]]></category>
		<category><![CDATA[Secretary]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[standard]]></category>
		<category><![CDATA[Subcontractor]]></category>
		<category><![CDATA[transmit]]></category>
		<category><![CDATA[unsecured protected health information]]></category>
		<category><![CDATA[use and disclosure]]></category>
		<category><![CDATA[violation]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2964</guid>
		<description><![CDATA[March 11, 2013.  Today, we continue going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.  Tomorrow, we close the presentation of 45 CFR 164.502 with 164.502(f):  Standard:  Deceased individuals.]]></description>
			<content:encoded><![CDATA[<p><strong>March 11, 2013</strong>.  Today, we continue going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p>Our focus last week was on 45 CFR 164.502: <em>Uses and disclosures of protected health information:  General Rules</em>, and, on Friday, March 8, on 45 CFR 164.502(e):  “(1) <em>Standard: Disclosures to business associates</em>, and (2) <em>Implementation specification: Documentation.</em>&#8221;  Today, we focus on the modified provisions at 164.504(e)(1):  <em>Uses and disclosures: Organizational requirements&#8211;Standard:  Business associate contracts</em>, that were referenced in 45 CFR 164.502(e):  164.504(e)(1), (e)(2), (e)(3), and (e)(5).</p>
<p><strong>&#8220;164.504(e)(1)</strong> <em>Standard: Business associate contracts. </em></p>
<p>&#8220;(i) The contract or other arrangement required by 45 CFR 164.502(e)(2) must meet the requirements of paragraph (e)(2), (e)(3), or (e)(5) of this section, as applicable.</p>
<p>&#8220;(ii) A covered entity is not in compliance with the standards in 164.502(e) and this paragraph, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible.</p>
<p>&#8220;(iii) A business associate is not in compliance with the standards in 164.502(e) and this paragraph, if the business associate knew of a pattern of activity or practice of a subcontractor that constituted a material breach or violation of the subcontractor’s obligation under the contract or other arrangement, unless the business associate took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible.</p>
<p><strong>&#8220;164.504(e)(2)</strong> <em>Implementation specifications: Business associate contracts. </em>A contract between the covered entity and a business associate must:</p>
<p>&#8220;(i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of [the HIPAA Privacy Rule], if done by the covered entity, except that:</p>
<p>&#8220;(A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) [<em>Implementation specifications:  Other requirements for contracts and other arrangements</em>, at 78 <em>Federal Register</em> 5698] of this section; and</p>
<p>&#8220;(B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.</p>
<p>&#8220;(ii) Provide that the business associate will:</p>
<p>&#8220;(A) Not use or further disclose the information other than as permitted or required by the contract or as required by law;</p>
<p>&#8220;(B) Use appropriate safeguards and comply, where applicable, with [the HIPAA Security Rule] with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract;</p>
<p>&#8220;(C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by 45 CFR 164.410 [<em>Breach Notification Rule:  Notification by a business associate</em>, as modified at 78 <em>Federal Register</em> 5695];</p>
<p>&#8220;(D) In accordance with  164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;</p>
<p>&#8220;(E) Make available protected health information in accordance with 164.524 [<em>Access of individuals to protected health information</em>, as modified at 78 <em>Federal Register</em> 5701-5702];</p>
<p>&#8220;(F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with 164.526 [<em>Amendment of protected health information</em>];</p>
<p>&#8220;(G) Make available the information required to provide an accounting of disclosures in accordance with § 164.528 [<em>Accounting of disclosures of protected health information</em>];</p>
<p>&#8220;(H) To the extent the business associate is to carry out a covered entity’s obligation under [the HIPAA Privacy Rule], comply with the requirements of [the HIPAA Privacy Rule] that apply to the covered entity in the performance of such obligation.</p>
<p>&#8220;(I) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary for purposes of determining the covered entity’s compliance with this subpart; and</p>
<p>&#8220;(J) At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.</p>
<p>&#8220;(iii) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.</p>
<p><strong>&#8220;(e)(3)</strong> <em>Implementation specifications: Other arrangements. </em>(i) If a covered entity and its business associate are both governmental entities:</p>
<p>&#8220;(A) The covered entity may comply with this paragraph and 164.314(a)(1) [<em>HIPAA Security Rule:</em> <em>Standard:  Business associate contracts or other arrangements</em>, as modified at 78 <em>Federal Register</em> 5694], if applicable, by entering into a memorandum of understanding with the business associate that contains terms that accomplish the objectives of paragraph (e)(2) of this section and 164.314(a)(2) [<em>Implementation specifications</em>], if applicable.</p>
<p>&#8220;(B) The covered entity may comply with this paragraph and 164.314(a)(1), if applicable, if other law (including regulations adopted by the covered entity or its business associate) contains requirements applicable to the business associate that accomplish the objectives of paragraph (e)(2) of this section and 164.314(a)(2), if applicable.</p>
<p>&#8220;(ii) If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of business associate in 45 CFR 160.103 [as modified at 78 <em>Federal Register </em>5688] to a covered entity, such covered entity may disclose protected health information to the business associate to the extent necessary to comply with the legal mandate without meeting the requirements of this paragraph and 164.314(a)(1), if applicable, provided that the covered entity attempts in good faith to obtain satisfactory assurances as required by paragraph (e)(2) of this section and 164.314(a)(1), if applicable, and, if such attempt fails, documents the attempt and the reasons that such assurances cannot be obtained.</p>
<p>&#8220;(iii) The covered entity may omit from its other arrangements the termination authorization required by paragraph (e)(2)(iii) of this section, if such authorization is inconsistent with the statutory obligations of the covered entity or its business associate.</p>
<p>&#8220;(iv) A covered entity may comply with this paragraph and 164.314(a)(1) if the covered entity discloses only a limited data set to a business associate for the business associate to carry out a health care operations function and the covered entity has a data use agreement with the business associate that complies with 164.514(e)(4) [<em>Implementation specifications:  [Limited data set] Data use agreement</em>, as modified at 78 <em>Federal Register</em> 5700] and 164.314(a)(1), if applicable.</p>
<p><strong>&#8220;(e)(5)</strong> <em>Implementation specifications: Business associate contracts with subcontractors. </em>The requirements of  45 CFR 164.504(e)(2) through (e)(4) apply to the contract or other arrangement required by 164.502(e)(1)(ii) between a business associate and a business associate that is a subcontractor in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.&#8221;</p>
<p>78 <em>Federal Register</em> 5697</p>
<p>On January 25, 2013, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) launched a Business Associate Contract Web site with <em><a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html" target="_blank">Sample Business Associate Agreement Provisions</a> </em>that provides guidance to covered entities on preparing appropriate business associate agreements with required provisions, including those discussed in this posting.</p>
<p>Tomorrow, we close the presentation of 45 CFR 164.502 with 164.502(f):  <em>Standard:  Deceased individuals</em>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/03/hipaa-final-rule-more-on-business-associate-uses-disclosures-in-the-business-associate-contract/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  Disclosures to Business Associates</title>
		<link>http://www.hipaa.com/2013/03/hipaa-final-rule-disclosures-to-business-associates/</link>
		<comments>http://www.hipaa.com/2013/03/hipaa-final-rule-disclosures-to-business-associates/#comments</comments>
		<pubDate>Fri, 08 Mar 2013 21:35:17 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[business associate contract]]></category>
		<category><![CDATA[business associates]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[create]]></category>
		<category><![CDATA[deceased individuals]]></category>
		<category><![CDATA[disclosures]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[HIPAA Final Rule]]></category>
		<category><![CDATA[implementation specification]]></category>
		<category><![CDATA[maintain]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[Modifications]]></category>
		<category><![CDATA[Organizational Requirements]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[receive]]></category>
		<category><![CDATA[satisfactory assurance]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[standard]]></category>
		<category><![CDATA[Subcontractor]]></category>
		<category><![CDATA[transmit]]></category>
		<category><![CDATA[uses and disclosures]]></category>
		<category><![CDATA[written contract]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2959</guid>
		<description><![CDATA[March 8, 2013.  Today, we continue going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.   On Monday, March 11, we shall present the content of 45 CFR 164.504(e).  On Tuesday, we close the presentation of 45 CFR 164.502 with 164.502(f):  Standard:  Deceased individuals. ]]></description>
			<content:encoded><![CDATA[<p><strong>March 8, 2013</strong>.  Today, we continue going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p>Our focus this week has been on 45 CFR 164.502: <em>Uses and disclosures of protected health information: General Rules</em>. Today, we focus on the modified provisions at 164.502(e): <em>Standard: Disclosures to business associates</em>:</p>
<p>45 CFR 164.502(e):  “<strong>(1)</strong> <em>Standard: Disclosures to business associates. </em></p>
<p>(i) A covered entity may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.</p>
<p>(ii) A business associate may disclose protected health information to a business associate that is a subcontractor and may allow the subcontractor to create, receive, maintain, or transmit protected health information on its behalf, if the business associate obtains satisfactory assurances, in accordance with 45 CFR 164.504(e)(1)(i) [<em>Uses and disclosures:  Organizational requirements—Standard:  Business associate contracts</em> (see below)], that the subcontractor will appropriately safeguard the information.</p>
<p><strong>(2)</strong> <em>Implementation specification: Documentation.</em> The satisfactory assurances required by paragraph (e)(1) of this section must be documented through a written contract or other written agreement or arrangement with the business associate that meets the applicable requirements of 45 CFR 164.504(e).”</p>
<p>Here is the language for 45 CFR 164.504(e)(1)(i) referenced in (1)(ii) above, as modified in the January 25, 2013, Final Rule:</p>
<p>“(e)(1) <em>Standard:  Business associate contracts</em>. (i) The contract or other arrangement required by 45 CFR 164.502(e)(2) must meet the requirements of paragraph (e)(2) [<em>Implementation specifications:  Business associate contracts</em>], (e)(3) [<em>Implementation specifications:  Other arrangements</em>], or (e)(5) [<em>Implementation specifications:  Business associate contracts with subcontractors</em>] of 45 CFR 164.504, as applicable.”  78 <em>Federal Register</em> 5697</p>
<p>On Monday, March 11, we shall present the content of 45 CFR 164.504(e), referenced in the preceding paragraph.  On Tuesday, we close the presentation of 45 CFR 164.502 with 164.502(f):  <em>Standard:  Deceased individuals</em>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/03/hipaa-final-rule-disclosures-to-business-associates/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  Prohibited Uses and Disclosures&#8211;Sale of Protected Health Information</title>
		<link>http://www.hipaa.com/2013/03/hipaa-final-rule-prohibited-uses-and-disclosures-sale-of-protected-health-information/</link>
		<comments>http://www.hipaa.com/2013/03/hipaa-final-rule-prohibited-uses-and-disclosures-sale-of-protected-health-information/#comments</comments>
		<pubDate>Thu, 07 Mar 2013 13:14:20 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[access of individuals]]></category>
		<category><![CDATA[authorization required]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[business associate contract]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[Disclosure]]></category>
		<category><![CDATA[due diligence]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[General Rules]]></category>
		<category><![CDATA[HIPAA Final Rule]]></category>
		<category><![CDATA[limited data set]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[marketing]]></category>
		<category><![CDATA[Modifications]]></category>
		<category><![CDATA[payer]]></category>
		<category><![CDATA[Payment]]></category>
		<category><![CDATA[preamble]]></category>
		<category><![CDATA[prepare and transmit]]></category>
		<category><![CDATA[prohibited uses and disclosures]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[public health purposes]]></category>
		<category><![CDATA[reasonable cost-based fee]]></category>
		<category><![CDATA[remuneration]]></category>
		<category><![CDATA[research purposes]]></category>
		<category><![CDATA[research sponsor]]></category>
		<category><![CDATA[sale of protected health information]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[Subcontractor]]></category>
		<category><![CDATA[transfer of ownership]]></category>
		<category><![CDATA[Treatment]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2953</guid>
		<description><![CDATA[March 7, 2013.  Today, we continue going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.  Tomorrow, we look at modifications to 45 CFR 164.502(e):  Standard:  Disclosures to business associates.]]></description>
			<content:encoded><![CDATA[<p><strong>March 7, 2013</strong>.  Today, we continue going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p>Our focus today is on the second of two <em>prohibited uses and disclosures</em> of protected health information in the <em>General rules</em> regulatory provisions of 45 CFR 164.502(a)(5): (ii) <em>Sale of protected health information</em> at 78 <em>Federal Register</em> 5696-5697:</p>
<p><strong>(A) </strong>Except pursuant to and in compliance with 45 CFR 164.508(a)(4) [<em>Standard—Authorization Required: Sale of protected health information</em>], a covered entity or business associate may not sell protected health information.</p>
<p><strong>(B)</strong> For purposes of this paragraph, sale of protected health information means:</p>
<p>(<em>1</em>) Except as provided in paragraph (a)(5)(ii)(B)(<em>2</em>) of this section, a disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information.</p>
<p>(<em>2</em>) Sale of protected health information does not include a disclosure of protected health information:</p>
<p>(<em>i</em>) For public health purposes pursuant to 45 CFR 164.512(b) [<em>Standard: Uses and disclosures for public health activities</em>] or 164.514(e) [<em>Standard: Limited data set</em>];</p>
<p>(<em>ii</em>) For research purposes pursuant to 45 CFR 164.512(i) [<em>Standard: Uses and disclosures for research purposes</em>] or 164.514(e) [<em>Standard: Limited data set</em>], where the only remuneration received by the covered entity or business associate is a reasonable cost-based fee to cover the cost to prepare and transmit the protected health information for such purposes;</p>
<p>(<em>iii</em>) For treatment and payment purposes pursuant to 45 CFR 164.506(a) [<em>Standard: Permitted uses and disclosures</em>];</p>
<p>(<em>iv</em>) For the sale, transfer, merger, or consolidation of all or part of the covered entity and for related due diligence as described in paragraph 45 CFR 164.501(6)(iv) of the definition of health care operations [(iv):  The sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity], and pursuant to 45 CFR 164.506(a) [<em>Standard:  Permitted uses and disclosures</em>];</p>
<p>(<em>v</em>) To or by a business associate for activities that the business associate undertakes on behalf of a covered entity, or on behalf of a business associate in the case of a subcontractor, pursuant to 45 CFR 164.502(e) [<em>Standard: Disclosures to business associates</em>] and 164.504(e) [<em>Standard: Business associate contracts</em>], and the only remuneration provided is by the covered entity to the business associate, or by the business associate to the subcontractor, if applicable, for the performance of such activities;</p>
<p>(<em>vi</em>) To an individual, when requested under 45 CFR 164.524 [<em>Access of individuals to protected health information</em>] or 164.528 [<em>Accounting of disclosures of protected health information</em>];</p>
<p>(<em>vii</em>) Required by law as permitted under 45 CFR 164.512(a) [<em>Standard:  Uses and disclosures required by law</em>]; and</p>
<p>(<em>viii</em>) For any other purpose permitted by and in accordance with the applicable requirements of this subpart, where the only remuneration received by the covered entity or business associate is a reasonable, cost-based fee to cover the cost to prepare and transmit the protected health information for such purpose or a fee otherwise expressly permitted by other law.</p>
<p>We provide here the content of the Final Rule preamble that underpins the prohibited use and disclosure regulatory provision above:</p>
<p>“The final rule adopts the HITECH Act’s prohibition on the sale of protected health information but makes certain changes to the provisions in the proposed rule to clarify the scope of the provisions and otherwise address certain of commenters’ concerns. First, we have moved the general prohibition on the sale of protected health information by a covered entity or business associate to 45 CFR 164.502(a)(5)(ii) and created a definition of  ‘sale of protected health information.’ Numerous commenters requested that the Privacy Rule include a definition of sale to better clarify what types of transactions fall within the scope of the provisions. Accordingly, 164.502(a)(5)(ii)(B)(<em>1</em>) defines ‘sale of protected health information’ to generally mean ‘a disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information.’  Section 164.502(a)(5)(ii)(B)(<em>2</em>) then excludes from the definition the various exceptions that were in the proposed rule (discussed further below).</p>
<p>“We do not limit a ‘sale’ to those transactions where there is a transfer of ownership of protected health information as some commenters suggested. The HITECH Act does not include such a limitation and the Privacy Rule rights and protections apply to protected health information without regard to ownership interests over the data. Thus, the sale provisions apply to disclosures in exchange for remuneration including those that are the result of access, license, or lease agreements.</p>
<p>“In addition, we do not consider sale of protected health information in this provision to encompass payments a covered entity may receive in the form of grants, or contracts or other arrangements to perform programs or activities, such as a research study, because any provision of protected health information to the payer is a byproduct of the service being provided. Thus, the payment by a research sponsor to a covered entity to conduct a research study is not considered a sale of protected health information even if research results that may include protected health information are disclosed to the sponsor in the course of the study. Further, the receipt of a grant or funding from a government agency to conduct a program is not a sale of protected health information, even if, as a condition of receiving the funding, the covered entity is required to report protected health information to the agency for program oversight or other purposes. (Certain of these disclosures would also be exempt from the sale requirements, depending on whether the requirement to report data was included in regulation or other law.) Similarly, we clarify that the exchange of protected health information through a health information exchange (HIE) that is paid for through fees assessed on HIE participants is not a sale of protected health information; rather the remuneration is for the services provided by the HIE and not for the data itself. (Such disclosures may also be exempt from these provisions under the exception for disclosures to or by a business associate that is being compensated by a covered entity for its services.) In contrast, a sale of protected health information occurs when the covered entity primarily is being compensated to supply data it maintains in its role as a covered entity (or business associate). Thus, such disclosures require the individual’s authorization unless they otherwise fall within an exception at 45 CFR 164.502(a)(5)(ii)(B)(<em>2</em>). For example, a disclosure of protected health information by a covered entity to a third party researcher that is conducting the research in exchange for remuneration would fall within these provisions, unless the only remuneration received is a reasonable, cost-based fee to cover the cost to prepare and transmit the data for such purposes (see below).</p>
<p>“In response to questions by commenters, we also clarify the scope of the term ‘remuneration.’ The statute uses the term ‘remuneration,’ and not ‘payment,’ as it does in the marketing provisions at section 13406(a) [of the HITECH Act]. Because the statute uses different terms, we do not believe that remuneration as applied to the sale provisions is limited to financial payment in the same way it is so limited in the marketing provisions. Thus, the prohibition on sale of protected health information applies to the receipt of nonfinancial as well as financial benefits. In response to commenters who indicated that the statute’s terms ‘direct and indirect’ apply to how the remuneration is received rather than the remuneration itself, we agree and have moved the terms in the definition to further make clear that the provisions prohibit the receipt of remuneration not only from the third party that receives the protected health information but also from another party on behalf of the recipient of the protected health information. However, this does not change the scope of the term ‘remuneration.’ As discussed above, we interpret the statute to mean that nonfinancial benefits are included in the prohibition. Thus, a covered entity or business associate may not disclose protected health information in exchange for in kind benefits, unless the disclosure falls within one of the exceptions discussed below. Consider, for example, a covered entity that is offered computers in exchange for disclosing protected health information. The provision of protected health information in exchange for the computers would not be considered a sale of protected health information if the computers were solely used for the purpose of preparing and transmitting protected health information to the person collecting it and were returned when such disclosure was completed. However, if the covered entity is permitted to use the computers for other purposes or to keep the computers even after the disclosures have been made, then the covered entity has received in kind remuneration in exchange for the protected health information above what is needed to make the actual disclosures.</p>
<p>“We retain in the final rule the broad exception for disclosures for public health purposes made pursuant to 45 CFR 164.512(b) and 164.514(e). Based on the concerns from the public comment that narrowing the exception could discourage voluntary public health reporting, we do not limit the exception to only those disclosures where all the covered entity receives as remuneration is a cost-based fee to cover the cost to prepare and transmit the data.</p>
<p>“With respect to the exception for research disclosures, the final rule adopts the language as proposed, including the cost-based fee limitation provided for in the HITECH Act. Thus, disclosures for research purposes are excepted from the remuneration prohibition to the extent that the only remuneration received by the covered entity or business associate is a reasonable cost-based fee to cover the cost to prepare and transmit the protected health information for such purposes. We do not remove the fee limitation as requested by some commenters; the statutory language included in Section 13405(d)(2)(B) of the HITECH Act clearly states that any remuneration received in exchange for research disclosures must reflect only the cost of preparation and transmittal of the data for such purpose.</p>
<p>“In response to comments about the types of costs that are permitted in the reasonable cost-based fee to prepare and transmit the data, we clarify that this may include both direct and indirect costs, including labor, materials, and supplies for generating, storing, retrieving, and transmitting the protected health information; labor and supplies to ensure the protected health information is disclosed in a permissible manner; as well as related capital and overhead costs. However, fees charged to incur a profit from the disclosure of protected health information are not allowed. We believe allowing a profit margin would not be consistent with the language contained in Section 13405 of the HITECH Act. We intend to work with the research community to provide guidance and help the research community reach a common understanding of appropriate cost-based limitations on remuneration.</p>
<p>“We retain the exceptions proposed for treatment and payment disclosures without modification and agree with commenters that these exceptions are necessary to make clear that these core health care functions may continue. Similarly, we retain the exception to the remuneration prohibition for disclosures for the transfer, merger, or consolidation of all or part of a covered entity with another covered entity, or an entity that following such activity will become a covered entity, and related due diligence, to ensure that such disclosures may continue to occur in accordance with the Privacy Rule. We retain the proposed exception for disclosures that are otherwise required by law to ensure a covered entity can continue to meet its legal obligations without imposing an authorization requirement. We also retain the exception for disclosures to the individual to provide the individual with access to protected health information or an accounting of disclosures, where the fees charged for doing so are in accord with the Privacy Rule.</p>
<p>“We adopt the exceptions for remuneration paid by a covered entity to a business associate for activities performed on behalf of a covered entity, as well as the general exception permitting a covered entity to receive remuneration in the form of a reasonable, cost-based fee to cover the cost to prepare and transmit the protected health information for any disclosure otherwise permitted by the Privacy Rule. However, we make a number of clarifications to address commenters’ questions and concerns regarding the ability of a business associate rather than a covered entity to receive the permitted remuneration. First, we add the term ‘business associate’ in the general exception permitting reasonable, cost-based fees to prepare and transmit data (or fees permitted by State laws) to make clear that business associates may continue to recoup fees from third party record requestors for preparing and transmitting records on behalf of a covered entity, to the extent such fees are reasonable, cost-based fees to cover the cost to prepare and transmit the protected health information or otherwise expressly permitted by other law. Second, we clarify in the business associate exception that the exception would also cover remuneration by a business associate to its subcontractor for activities performed by the subcontractor on behalf of the business associate. Finally, we add the term ‘business associate’ to the general prohibition on sale of protected health information for consistency, even though, without the addition, a business associate still would not be permitted to sell protected health information as a business associate may generally only make uses and disclosures of protected health information in manners in which a covered entity would be permitted under the Privacy Rule.</p>
<p>“With respect to the types of costs that would be permitted as part of a reasonable, cost-based fee under this provision, we clarify that the final rule permits the same types of costs under this exception as the research exception, as well as costs that are in compliance with a fee schedule provided by State law or otherwise expressly permitted by other applicable law. Thus, costs may include the direct and indirect costs to prepare and transmit the data, including labor, materials, and supplies, but not a profit margin. We intend to continue to work with interested stakeholders to develop more guidance on direct and indirect costs and on remuneration.” 78 <em>Federal Register</em> 5606-5608</p>
<p>Tomorrow, we look at modifications to 45 CFR 164.502(e):  <em>Standard: Disclosures to business associates</em>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/03/hipaa-final-rule-prohibited-uses-and-disclosures-sale-of-protected-health-information/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  Prohibited Uses and Disclosures of Genetic Information for Underwriting Purposes</title>
		<link>http://www.hipaa.com/2013/03/hipaa-final-rule-prohibited-uses-and-disclosures-of-genetic-information-for-underwriting-purposes/</link>
		<comments>http://www.hipaa.com/2013/03/hipaa-final-rule-prohibited-uses-and-disclosures-of-genetic-information-for-underwriting-purposes/#comments</comments>
		<pubDate>Wed, 06 Mar 2013 12:50:51 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[aggregate premium rate]]></category>
		<category><![CDATA[benefits]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[deductible]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[eligibility]]></category>
		<category><![CDATA[employer-sponsored group plan]]></category>
		<category><![CDATA[enrollment]]></category>
		<category><![CDATA[family medical history]]></category>
		<category><![CDATA[family member]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[General Rules]]></category>
		<category><![CDATA[genetic information]]></category>
		<category><![CDATA[genetic tests]]></category>
		<category><![CDATA[GINA]]></category>
		<category><![CDATA[health insurance issuer]]></category>
		<category><![CDATA[health plan]]></category>
		<category><![CDATA[health risk assessment]]></category>
		<category><![CDATA[HIPAA Final Rule]]></category>
		<category><![CDATA[HIPAA PRIVACY RULE]]></category>
		<category><![CDATA[HMO]]></category>
		<category><![CDATA[impermissible use]]></category>
		<category><![CDATA[long-term care policy]]></category>
		<category><![CDATA[manifestation]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[medical appropriateness of a benefit]]></category>
		<category><![CDATA[Modifications]]></category>
		<category><![CDATA[permissible use]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[pre-existing condition]]></category>
		<category><![CDATA[premium]]></category>
		<category><![CDATA[prohibited uses and disclosures]]></category>
		<category><![CDATA[prohibition]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[sale of protected health information]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[Treatment]]></category>
		<category><![CDATA[underwriting purposes]]></category>
		<category><![CDATA[wellness program]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2947</guid>
		<description><![CDATA[March 6, 2013.  Today, we continue going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013. Tomorrow, we look at the second of two categories of modified prohibited uses and disclosures regulations: sale of protected health information.]]></description>
			<content:encoded><![CDATA[<p><strong>March 6, 2013</strong>.  Today, we continue going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p>Our focus today is on the first of two <em>prohibited uses and disclosures</em> of protected health information in the <em>General rules</em> regulatory provisions of 45 CFR 164.502(a)(5): (i) <em>Use and disclosure of genetic information for underwriting purposes</em> at 78 <em>Federal Register</em> 5696:</p>
<p>Notwithstanding any other provision of [the HIPAA Privacy Rule], a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of <em>health plan</em>, shall not use or disclose protected health information that is genetic information for underwriting purposes. For purposes of paragraph (a)(5)(i) of this section, underwriting purposes means, with respect to a health plan:</p>
<p><strong>(A)</strong> Except as provided in paragraph (a)(5)(i)(B) of this section:</p>
<p>(<em>1</em>) Rules for, or determination of, eligibility (including enrollment and continued eligibility) for, or determination of, benefits under the plan, coverage, or policy (including changes in deductibles or other cost-sharing mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program);</p>
<p>(<em>2</em>) The computation of premium or contribution amounts under the plan, coverage, or policy (including discounts, rebates, payments in kind, or other premium differential mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program);</p>
<p>(<em>3</em>) The application of any pre-existing condition exclusion under the plan, coverage, or policy; and</p>
<p>(<em>4</em>) Other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits.</p>
<p><strong>(B)</strong> Underwriting purposes does not include determinations of medical appropriateness where an individual seeks a benefit under the plan, coverage, or policy.</p>
<p>We provide here the content of the Final Rule preamble that underpins the prohibited use and disclosure regulatory provision above:</p>
<p>“The final rule adopts the proposed prohibition on a health plan’s use or disclosure of genetic information for underwriting purposes, except with regard to health plans that are issuers of long term care policies&#8230;. This prohibition, located in this final rule at 45 CFR 164.502(a)(5), applies to all genetic information from the compliance date [September 23, 2013] of these modifications forward, regardless of when or where the genetic information originated. We do not believe a clarification of this fact in the regulatory text is necessary.</p>
<p>“Consistent with Sec. 101(a) of the [GINA] statute, this prohibition should not be construed to limit the ability of a health plan to adjust premiums or contribution amounts for a group health plan based on the manifestation of a disease or disorder of an individual enrolled in the plan, even though a health plan cannot use the manifestation of a disease or disorder in one individual as genetic information about other group members and to further increase the premium for the plan. Similarly, for the individual health insurance market, a health plan is not prohibited from establishing rules for eligibility for an individual to enroll in coverage or from adjusting premium or contribution amounts for an individual based on the manifestation of a disease or disorder in that individual or in a family member of such individual where such family member is covered under the individual’s policy, even though the health plan cannot use the manifestation of a disease or disorder in one individual as genetic information about other individuals to further increase premiums or contribution amounts for those other individuals.  [We covered these issues in an earlier HIPAA.com posting.]</p>
<p>“To illustrate how the prohibition operates, we reiterate the following examples (but for the reasons explained above, decline to include them in the regulatory text). If a health insurance issuer, with respect to an employer-sponsored group health plan, uses an individual’s family medical history or the results of genetic tests maintained in the group health plan’s claims experience information to adjust the plan’s blended, aggregate premium rate for the upcoming year, the issuer would be using protected health information that is genetic information for underwriting purposes in violation of 45 CFR 164.502(a)(5)(i) [above]. Similarly, if a group health plan uses family medical history provided by an individual incidental to the collection of other information on a health risk assessment to grant a premium reduction to the individual, the group health plan would be using genetic information for underwriting purposes in violation of 164.502(a)(5)(i).</p>
<p>“The prohibition is limited to health plans. A health care provider may use or disclose genetic information as it sees fit for treatment of an individual. If a covered entity, such as an HMO, acts as both a health plan and health care provider, it may use genetic information for purposes of treatment, to determine the medical appropriateness of a benefit, and as otherwise permitted by the Privacy Rule, but may not use such genetic information for underwriting purposes. Such covered entities, in particular, should ensure that appropriate staff members are trained on the permissible and impermissible uses of genetic information.”  78 <em>Federal Register </em>5666-5667</p>
<p>Tomorrow, we look at the second of two categories of modified <em>prohibited uses and disclosures </em>regulations: <em>sale of protected health information.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/03/hipaa-final-rule-prohibited-uses-and-disclosures-of-genetic-information-for-underwriting-purposes/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  Business Associates&#8211;Permitted and Required Uses &amp; Disclosures</title>
		<link>http://www.hipaa.com/2013/03/hipaa-final-rule-business-associates-permitted-and-required-uses-disclosures/</link>
		<comments>http://www.hipaa.com/2013/03/hipaa-final-rule-business-associates-permitted-and-required-uses-disclosures/#comments</comments>
		<pubDate>Tue, 05 Mar 2013 12:34:05 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[access of individuals]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[business associate contract]]></category>
		<category><![CDATA[compliance and investigations]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[designated record set]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[electronic copy of information]]></category>
		<category><![CDATA[electronic form and format]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[form of access requested]]></category>
		<category><![CDATA[genetic information for underwriting]]></category>
		<category><![CDATA[HIPAA Final Rule]]></category>
		<category><![CDATA[HIPAA PRIVACY RULE]]></category>
		<category><![CDATA[implementation specification]]></category>
		<category><![CDATA[liability]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[Modifications]]></category>
		<category><![CDATA[Organizational Requirements]]></category>
		<category><![CDATA[Part 160]]></category>
		<category><![CDATA[permitted uses and disclosures]]></category>
		<category><![CDATA[prohibited uses and disclosures]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[provision of access]]></category>
		<category><![CDATA[required uses and disclosures]]></category>
		<category><![CDATA[Secretary]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[standard]]></category>
		<category><![CDATA[subchapter]]></category>
		<category><![CDATA[subpart C]]></category>
		<category><![CDATA[time and manner of access]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2942</guid>
		<description><![CDATA[March 5, 2013.  Today, we continue going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.  Tomorrow, we look at the first of two categories of modified prohibited uses and disclosures regulations: use and disclosure of genetic information for underwriting purposes.]]></description>
			<content:encoded><![CDATA[<p><strong>March 5, 2013</strong>.  Today, we continue going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p>Our focus today is on business associates in 45 CFR 164.502:<em> Uses and disclosures of protected health information:  General Rules</em>—(a) <em>Standard</em>.  A covered entity or business associate may not use or disclose protected health information, except as permitted or required by [the HIPAA Privacy Rule] or by subpart C of part 160 of this subchapter [<em>Compliance and Investigations</em> of <em>General Administrative Requirements</em> of <em>Administrative Data Standards and Related Requirements</em>].  Below we present the modified regulations pertaining to (3) <em>Business associates:  Permitted uses and disclosures</em>; and (4) <em>Business associates:  Required uses and disclosures</em>.  78 <em>Federal Register</em> 5696</p>
<p><strong>(3) <em>Business associates:  Permitted uses and disclosures</em></strong>.  A business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to 45 CFR 164.504(e) [<em>Uses and disclosures:  Organizational requirements—Standard.  Business associate contracts</em>: at 78 <em>Federal Register </em>5697-5698] or as required by law.  The business associate may not use or disclose protected health information in a manner that would violate the requirements of [the HIPAA Privacy Rule], if done by the covered entity, except for the purposes specified under 164.504(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by its contract or other arrangement.</p>
<p>Here are 164.504(e)(2)(i)(A) and (B):</p>
<p>164.504(e)(2):  <em>Implementation specifications:  Business associate contracts</em>.  A contract between the covered entity and a business associate must:</p>
<p>(i) Establish the permitted and required uses and disclosures of protected health information by the business associate.  The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of [the HIPAA Privacy Rule], if done by the covered entity, except that;</p>
<p>(A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section [<em>Implementation specifications:  Other requirements for contracts and other arrangements</em>]; and</p>
<p>(B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.</p>
<p>78 <em>Federal Register</em> 5697</p>
<p><strong>(4) <em>Business associates:  Required uses and disclosures</em></strong>.  A business associate is required to disclose protected health information:</p>
<p>(i) When required by the Secretary under subpart C of part 160 of this subchapter [<em>Compliance and Investigations</em> of <em>General Administrative Requirements</em> of <em>Administrative Data Standards and Related Requirements</em>] to investigate or determine the business associate’s compliance with this subchapter.</p>
<p>(ii) To the covered entity, individual, or individual’s designee, as necessary to satisfy a covered entity’s obligations under 45 CFR 164.524(c)(2)(ii) and (3)(ii) with respect to an individual’s request for an electronic copy of protected health information.</p>
<p>Here are 164.524(c)(2)(ii) and (3)(ii):</p>
<p>164.524(c):  <em>Access of individuals to protected health information—Implementation specifications: Provision of access:</em></p>
<p>(2)(ii) <em>Form of access requested</em>—Notwithstanding paragraph (c)(2)(i) of this section, if the protected health information that is the subject of a request for access is maintained in one or more designated record sets electronically and if the individual requests an electronic copy of such information, the covered entity must provide the individual with access to the protected health information in the electronic form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual.</p>
<p>(3)(ii) <em>Time and manner of access</em>—If an individual’s request for access directs the covered entity to transmit the copy of protected health information directly to another person designated by the individual, the covered entity must provide the copy to the person designated by the individual. The individual’s request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of protected health information.</p>
<p>We provide here a selection of the Final Rule preamble that underpins the regulatory provisions above:</p>
<p>“[T]he final rule provides that a business associate is a person who performs functions or activities on behalf of, or certain services for, a covered entity or another business associate that involve the use or disclosure of protected health information. The final rule establishes that a person becomes a business associate by definition, not by the act of contracting with a covered entity or otherwise. Therefore, liability for impermissible uses and disclosures attaches immediately when a person creates, receives, maintains, or transmits protected health information on behalf of a covered entity or business associate and otherwise meets the definition of a business associate.</p>
<p>“Liability also does not depend on the type of protected health information that a business associate creates, receives, maintains, or transmits on behalf of a covered entity or another business associate, or on the type of entity performing the function or service, except to the extent the entity falls within one of the exceptions at paragraph 4 of the definition of business associate. First, protected health information created, received, maintained, or transmitted by a business associate may not necessarily include diagnosis-specific information, such as information about the treatment of an individual, and may be limited to demographic or other information not indicative of the type of health care services provided to an individual. If the information is tied to a covered entity, then it is protected health information by definition since it is indicative that the individual received health care services or benefits from the covered entity, and therefore it must be protected by the business associate in accordance with the HIPAA Rules and its business associate agreement. Second, the definition of business associate is contingent on the fact that the business associate performs certain activities or functions on behalf of, or provides certain services to, a covered entity or another business associate that involve the use or disclosure of protected health information. Therefore, any person, defined in the HIPAA Rules as a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private, who performs these functions or activities or services is a business associate for purposes of the HIPAA Rules, regardless of whether such person has other professional or privilege-based duties or responsibilities. …</p>
<p>“In response to comments requesting clarification on which HIPAA provisions a business associate is directly liable for compliance, we provide the following. Business associates are directly liable under the HIPAA Rules for impermissible uses and disclosures, for a failure to provide breach notification to the covered entity, for a failure to provide access to a copy of electronic protected health information to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement), for a failure to disclose protected health information where required by the Secretary to investigate or determine the business associate’s compliance with the HIPAA Rules, for a failure to provide an accounting of disclosures, and for a failure to comply with the requirements of the Security Rule.  Business associates remain contractually liable for other requirements of the business associate agreement … .</p>
<p>“With respect to a business associate’s direct liability for a failure to provide access to a copy of electronic protected health information, business associates are liable for providing electronic access in accordance with their business associate agreements. Therefore, business associates may provide electronic access directly to individuals or their designees, or may provide the electronic protected health information to the covered entity (which then provides the electronic access to individuals or their designees). As with many other provisions in the HIPAA Rules, the Department leaves the details to the contracting parties, and is concerned only that access is provided to the individual, not with which party provides the access.”  78 <em>Federal Register</em> 5598-5599</p>
<p>Tomorrow, we look at the first of two categories of modified <em>prohibited uses and disclosures </em>regulations: use and disclosure of genetic information for underwriting purposes.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/03/hipaa-final-rule-business-associates-permitted-and-required-uses-disclosures/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  Covered Entities&#8211;Permitted Uses and Disclosures &amp; Required Disclosures</title>
		<link>http://www.hipaa.com/2013/03/hipaa-final-rule-covered-entities-permitted-uses-and-disclosures-required-disclosures/</link>
		<comments>http://www.hipaa.com/2013/03/hipaa-final-rule-covered-entities-permitted-uses-and-disclosures-required-disclosures/#comments</comments>
		<pubDate>Mon, 04 Mar 2013 23:17:49 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[accounting of disclosures]]></category>
		<category><![CDATA[administrative data standards]]></category>
		<category><![CDATA[authorization]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[compliance and investigations]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[covered entities]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[fundraising communication]]></category>
		<category><![CDATA[Health Care Operations]]></category>
		<category><![CDATA[HIPAA Final Rule]]></category>
		<category><![CDATA[HIPAA PRIVACY RULE]]></category>
		<category><![CDATA[limited data set]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[minimum necessary]]></category>
		<category><![CDATA[minimum necessary requirements]]></category>
		<category><![CDATA[Modifications]]></category>
		<category><![CDATA[Payment]]></category>
		<category><![CDATA[permitted disclosures]]></category>
		<category><![CDATA[permitted uses]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[required disclosures]]></category>
		<category><![CDATA[safeguards]]></category>
		<category><![CDATA[Secretary]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[standard]]></category>
		<category><![CDATA[Treatment]]></category>
		<category><![CDATA[underwriting]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2937</guid>
		<description><![CDATA[March 4, 2013.  Today, we start going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.  ]]></description>
			<content:encoded><![CDATA[<p><strong>March 4, 2013</strong>.  Today, we start going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p>Our focus today is on covered entities in 45 CFR 164.502:<em> Uses and disclosures of protected health information:  General Rules</em>—(a) <em>Standard</em>.  A covered entity or business associate may not use or disclose protected health information, except as permitted or required by [the HIPAA Privacy Rule] or by subpart C of part 160 of this subchapter [<em>Compliance and Investigations</em> of <em>General Administrative Requirements</em> of <em>Administrative Data Standards and Related Requirements</em>].  Below we present the modified regulations pertaining to (1) <em>Covered entities:  Permitted uses and disclosures</em>; and (2) <em>Covered entities:  Required disclosures</em>.  78 <em>Federal Register</em> 5696</p>
<p><strong>(1) <em>Covered entities:  Permitted uses and disclosures</em></strong>.  A covered entity is permitted to use or disclose protected health information as follows:</p>
<p>(i) To the individual;</p>
<p>(ii) For treatment, payment, or health care operations, as permitted by and in compliance with 45 CFR 164.506 [<em>Uses and disclosures to carry out treatment, payment, or health care operations</em>];</p>
<p>(iii) Incident to a use or disclosure otherwise permitted or required by [the HIPAA Privacy Rule], provided that the covered entity has complied with the applicable requirements of 45 CFR 164.502(b) [<em>Uses and disclosures of protected health information</em>—<em>Standard.  Minimum necessary</em>], 164.514(d) [<em>Other requirements relating to uses and disclosures of protected health information—Minimum necessary requirements</em>], and 164.530(c) [<em>Administrative requirements—Safeguards</em>] with respect to such otherwise permitted or required use or disclosure;</p>
<p>(iv) Except for uses and disclosures prohibited under 45 CFR 164.502(a)(5)(i) [<em>Prohibited uses and disclosures—Use and disclosure of genetic information for underwriting purposes</em>], pursuant to and in compliance with a valid authorization under 45 CFR 164.508 [<em>Uses and disclosures for which an authorization is required</em>];</p>
<p>(v) Pursuant to an agreement under, or as otherwise permitted by, 45 CFR 164.510 [<em>Uses and disclosures requiring an opportunity for the individual to agree or to object</em>];</p>
<p>(vi) As permitted by and in compliance with this section, 45 CFR 164.512 [<em>Uses and disclosures for which an authorization or opportunity to agree or object is not required</em>], 164.514(e) [<em>Other requirements relating to uses and disclosures of protected health information—Standard:  Limited data set</em>], 164.514(f) [<em>Fundraising communications</em>], or 164.514(g) [<em>Standard:  Uses and disclosures for underwriting and related purposes</em>].</p>
<p><strong>(2) <em>Covered entities:  Required disclosures</em>. </strong>A covered entity is required to disclose protected health information:</p>
<p>(i) To an individual, when requested under, and required by 45 CFR 164.524 [<em>Access of individuals to protected health information</em>] and 164.528 [<em>Accounting of disclosures of protected health information</em>]; and</p>
<p>(ii) When required by the Secretary under subpart C of part 160 of this subchapter [<em>Compliance and Investigations</em> of <em>General Administrative Requirements</em> of <em>Administrative Data Standards and Related Requirements</em>] to investigate or determine the covered entity’s compliance with this subchapter.</p>
<p>Tomorrow, we look at modified permitted and required uses and disclosures regulations pertaining to business associates.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/03/hipaa-final-rule-covered-entities-permitted-uses-and-disclosures-required-disclosures/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  Modified Privacy Rule Definition&#8211;Marketing</title>
		<link>http://www.hipaa.com/2013/03/hipaa-final-rule-modified-privacy-rule-definition-marketing/</link>
		<comments>http://www.hipaa.com/2013/03/hipaa-final-rule-modified-privacy-rule-definition-marketing/#comments</comments>
		<pubDate>Fri, 01 Mar 2013 19:21:51 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[authorization]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[communications]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[definition]]></category>
		<category><![CDATA[direct payment]]></category>
		<category><![CDATA[disease management program]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[exception for refill reminders]]></category>
		<category><![CDATA[face to face communications]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[financial renumeration]]></category>
		<category><![CDATA[generic equivalent]]></category>
		<category><![CDATA[Health Care Operations]]></category>
		<category><![CDATA[health related product or service]]></category>
		<category><![CDATA[HIPAA Final Rule]]></category>
		<category><![CDATA[indirect payment]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[marketing]]></category>
		<category><![CDATA[modification]]></category>
		<category><![CDATA[Notice of Proposed Rule Making]]></category>
		<category><![CDATA[NPRM]]></category>
		<category><![CDATA[prior authorization]]></category>
		<category><![CDATA[Privacy Rule]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[subsidized communications]]></category>
		<category><![CDATA[third party]]></category>
		<category><![CDATA[Treatment]]></category>
		<category><![CDATA[use or disclosure]]></category>
		<category><![CDATA[valid authorization]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2932</guid>
		<description><![CDATA[March 1, 2013.  Today, we continue to examine definitions pertaining to the HIPAA Privacy Rule, for which we shall begin to examine modifications next week. Today’s definition is marketing, as modified in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.  Next week, we examine modifications to HIPAA Privacy Rule provisions, starting with 45 CFR 164.502 (Uses and disclosures of protected health information: General Rules).]]></description>
			<content:encoded><![CDATA[<p><strong>March 1, 2013</strong>.  Today, we continue to examine definitions pertaining to the HIPAA Privacy Rule, for which we shall begin to examine modifications next week. Today’s definition is <em>marketing</em>, as modified in the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p>Here are excerpts from the relatively lengthy discussion in the Final Rule at 78 <em>Federal Register </em>5595-5597 related to the modifications to the definition of <em>marketing</em> from the <a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/nprmhitech.pdf" target="_blank">Notice of Proposed Rule Making</a> (NPRM), followed by the Final Rule definition of <em>marketing</em>:</p>
<p>“The final rule significantly modifies the proposed rule’s approach to marketing by requiring authorization for all treatment and health care operations communications where the covered entity receives financial remuneration for making the communications from a third party whose product or service is being marketed. …  We acknowledge that the distinction between what constitutes a treatment versus a health care operations communication may be difficult to make with precision in all cases, placing covered entities at risk for violating the authorization requirement for marketing communications. We, therefore, believe that requiring authorizations for all subsidized communications that market a health related product or service is the best policy. Such a policy will ensure that all such communications are treated as marketing communications, instead of requiring covered entities to have two processes in place based on whether the communication provided to individuals is for a treatment or a health care operations purpose. …</p>
<p>“We adopt the term ‘‘financial remuneration’’ and its definition as proposed without modification in the final rule. Most commenters were generally satisfied with the proposed use of the term and its definition. There was, however, some confusion among commenters as to what constitutes direct or indirect payment from or on behalf of a third party. We clarify that under this provision direct payment means financial remuneration that flows from the third party whose product or service is being described directly to the covered entity. In contrast, indirect payment means financial remuneration that flows from an entity on behalf of the third party whose product or service is being described to a covered entity.</p>
<p>“We also clarify that where a business associate (including a subcontractor), as opposed to the covered entity itself, receives financial remuneration from a third party in exchange for making a communication about a product or service, such communication also requires prior authorization from the individual. …  Thus, individual authorization also must be obtained if a business associate is to send these communications instead of the covered entity.</p>
<p>“We also confirm, in response to comments, that the term ‘‘financial remuneration’’ does not include non-financial benefits, such as in-kind benefits, provided to a covered entity in exchange for making a communication about a product or service. Rather, financial remuneration includes only payments made in exchange for making such communications. In addition, we continue to emphasize that the financial remuneration a covered entity receives from a third party must be for the purpose of making a communication and such communication must encourage individuals to purchase or use the third party’s product or service. If the financial remuneration received by the covered entity is for any purpose other than for making the communication, then this marketing provision does not apply. For example, if a third party provides financial remuneration to a covered entity to implement a program, such as a disease management program, the covered entity could provide individuals with communications about the program without obtaining individual authorization as long as the communications are about the covered entity’s program itself. There, the communications would only be encouraging individuals to participate in the covered entity’s disease management program and would not be encouraging individuals to use or purchase the third party’s product or service.</p>
<p>“Under the final rule, for marketing communications that involve financial remuneration, the covered entity must obtain a valid authorization from the individual before using or disclosing protected health information for such purposes, and such authorization must disclose the fact that the covered entity is receiving financial remuneration from a third party. The scope of the authorization need not be limited only to subsidized communications related to a single product or service or the products or services of one third party, but rather may apply more broadly to subsidized communications generally so long as the authorization adequately describes the intended purposes of the requested uses and disclosures (i.e., the scope of the authorization) and otherwise contains the elements and statements of a valid authorization under 45 CFR 164.508 [<em>Uses and disclosures for which an authorization is required</em>]. This includes making clear in the authorization that the individual may revoke the authorization at any time he or she wishes to stop receiving the marketing material. …</p>
<p>“[N]o authorization is required where a covered entity receives financial remuneration from a third party to make a treatment or health care operations communication (or other marketing communication), if the communication is made face-to-face by a covered entity to an individual or consists of a promotional gift of nominal value provided by the covered entity. For example, a health care provider could, in a face to face conversation with the individual, recommend, verbally or by handing the individual written materials such as a pamphlet, that the individual take a specific alternative medication, even if the provider is otherwise paid by a third party to make such communications. However, communications made over the phone (as well as all communications sent through the mail or via email) do not constitute face to face communications, and as such, these communications require individual authorization where the covered entity receives remuneration in exchange for making the communications.</p>
<p>“With respect to the exception for refill reminders or to otherwise communicate about a drug or biologic currently being prescribed to the individual, we adopt the exception as proposed. We continue to provide a stand-alone exception for refill reminders, given that the HITECH Act expressly does so. … At this time, we clarify that we consider communications about the generic equivalent of a drug being prescribed to an individual as well as adherence communications encouraging individuals to take their prescribed medication as directed fall within the scope of this exception. Additionally, we clarify that where an individual is prescribed a self-administered drug or biologic, communications regarding all aspects of a drug delivery system, including, for example, an insulin pump, fall under this exception. With respect to the array of other examples and suggestions provided by commenters as to what should fall within or outside of the exception, we intend to provide future guidance to address these questions.</p>
<p>“The proposed rule contained the Act’s limitation that the financial remuneration received in exchange for providing a refill reminder or to otherwise communicate about a drug or biologic currently being prescribed to the individual must be ‘‘reasonable in amount,’’ by providing that such remuneration must be reasonably related to the covered entity’s cost of making the communication for the exception from marketing to apply. We adopt this provision in the final rule. In response to comments regarding what types of costs fall within permissible remuneration, we clarify that we consider permissible costs for which a covered entity may receive remuneration under this exception are those which cover only the costs of labor, supplies, and postage to make the communication. …</p>
<p>&#8220;Finally, in addition to the communications that fall within the refill reminder exception, two other types of communications continue to be exempt from the marketing provisions. First, as explained in the NPRM, communications promoting health in general and that do not promote a product or service from a particular provider, such as communications promoting a healthy diet or encouraging individuals to get certain routine diagnostic tests, such as annual mammograms, do not constitute marketing and thus, do not require individual authorization.</p>
<p>&#8220;Second, communications about government and government-sponsored programs do not fall within the definition of ‘‘marketing’’ as there is no commercial component to communications about benefits through public programs. Therefore, a covered entity may use and disclose protected health information to communicate with individuals about eligibility for programs, such as Medicare, Medicaid, or the State Children’s Health Insurance Program (CHIP) without obtaining individual authorization.&#8221;</p>
<p>Here is the modified definition of <em>marketing</em>, 45 CFR 164.501, at 78 <em>Federal Register </em>5696, which is effective March 26, 2013:</p>
<p><strong>(1)</strong> Except as provided in paragraph (2) of this definition, marketing means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.</p>
<p><strong>(2)</strong> Marketing does not include a communication made:</p>
<p>(i) To provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual, only if any financial remuneration received by the covered entity in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication.</p>
<p>(ii) For the following treatment and health care operations purposes, except where the covered entity receives financial remuneration in exchange for making the communication:</p>
<p>(A) For treatment of an individual by a health care provider, including case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual;</p>
<p>(B) To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about:  the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; or</p>
<p>(C) For case management or care coordination, contacting of individuals with information about treatment alternatives, and related functions to the extent these activities do not fall within the definition of treatment.</p>
<p><strong>(3)</strong> <em>Financial remuneration </em>means direct or indirect payment from or on behalf of a third party whose product or service is being described. Direct or indirect payment does not include any payment for treatment of an individual.</p>
<p>Next week, we examine modifications to HIPAA Privacy Rule provisions, starting with 45 CFR 164.502 (<em>Uses and disclosures of protected health information:  General Rules)</em>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/03/hipaa-final-rule-modified-privacy-rule-definition-marketing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  Modified Privacy Rule Definition&#8211;Health Care Operations</title>
		<link>http://www.hipaa.com/2013/02/hipaa-final-rule-modified-privacy-rule-definition-health-care-operations/</link>
		<comments>http://www.hipaa.com/2013/02/hipaa-final-rule-modified-privacy-rule-definition-health-care-operations/#comments</comments>
		<pubDate>Thu, 28 Feb 2013 15:23:26 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[definition]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[enrollment]]></category>
		<category><![CDATA[genetic information]]></category>
		<category><![CDATA[Health Care Operations]]></category>
		<category><![CDATA[HIPAA Final Rule]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[marketing]]></category>
		<category><![CDATA[modification]]></category>
		<category><![CDATA[Notice of Proposed Rule Making]]></category>
		<category><![CDATA[NPRM]]></category>
		<category><![CDATA[Privacy Rule]]></category>
		<category><![CDATA[prohibition]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[underwriting]]></category>
		<category><![CDATA[underwriting purposes]]></category>
		<category><![CDATA[use or disclose]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2926</guid>
		<description><![CDATA[February 28, 2013.  Today, we continue to examine definitions pertaining to the HIPAA Privacy Rule, for which we shall begin to examine modifications of provisions next week. Today’s definition is health care operations, as modified in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.   Tomorrow, we continue with the modified Privacy Rule definition:  Marketing.]]></description>
			<content:encoded><![CDATA[<p><strong>February 28, 2013</strong>.  Today, we continue to examine definitions pertaining to the HIPAA Privacy Rule, for which we shall begin to examine modifications of provisions next week. Today’s definition is <em>health care operations</em>, as modified in the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p>Here is the discussion in the Final Rule related to the proposed modification to the definition of <em>health care operations</em> from the <a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/nprmhitech.pdf" target="_blank">Notice of Proposed Rule Making</a> (NPRM), with the proposed modification altered, then accepted in the Final Rule:</p>
<p>“The definition of ‘‘health care operations’’ at 45 CFR 164.501 includes at paragraph (3) ‘underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or benefits * * *.’  To avoid confusion with the use of both ‘underwriting’ and ‘underwriting purposes’ in the Privacy Rule, and in recognition of the fact that the proposed definition of ‘underwriting purposes’ includes activities that fall within both the definitions of ‘payment’ and ‘health care operations’ in the Rule, the Department proposed to remove the term ‘underwriting’ from the definition of ‘health care operations.’  We also proposed to add the term ‘enrollment’ to the express list of health care operations activities to make clear that the removal of the term ‘underwriting’ would not impact the use or disclosure of protected health information that is not genetic information for enrollment purposes. These proposed revisions were not intended to be substantive changes to the definition and thus, health plans would be permitted to continue to use or disclose protected health information, except genetic information, for underwriting purposes.  &#8230;</p>
<p>“Due to the confusion and concern expressed by the commenters regarding the removal of the term ‘underwriting’ from the definition, we retain the term ‘underwriting’ within the definition of ‘health care operations’ at 45 CFR 164.501. However, to make clear that a health plan may continue to use or disclose only protected health information that is not genetic information for underwriting, we include a reference to the prohibition on using or disclosing genetic information for underwriting purposes within the definition. The final rule also retains the term ‘enrollment’ within the definition because we believe it is helpful to clarify that this is a permitted health care operations activity.”  78 <em>Federal Register</em> 5666</p>
<p>Here is the modified definition of <em>health care operations</em>, which will be effective March 26, 2013, with the modifications <span style="text-decoration: underline;">underlined</span> in (1) and (3):</p>
<p><em>Health care operations</em> means any of the following activities of the covered entity to the extent that the activities are related to covered functions:</p>
<p><strong>(1)</strong> Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; <span style="text-decoration: underline;">patient safety activities (as defined in 42 CFR 3.20);</span> population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;</p>
<p><strong>(2)</strong> Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;</p>
<p><strong>(3)</strong> <span style="text-decoration: underline;">Except as prohibited under 45 CFR 164.502(a)(5)(i)</span> [<em>Prohibited uses and disclosures:  Use and disclosure of genetic information for underwriting purposes</em>]<span style="text-decoration: underline;">, u</span>nderwriting, <span style="text-decoration: underline;">enrollment</span>, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of 45 CFR 164.514(g) [<em>Standard:  Uses and disclosures for underwriting and related purposes</em>, as modified, 78 <em>Federal Register</em> 5700] are met, if applicable;</p>
<p><strong>(4)</strong> Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;</p>
<p><strong>(5)</strong> Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and</p>
<p><strong>(6)</strong> Business management and general administrative activities of the entity, including, but not limited to:</p>
<p>(i) Management activities relating to implementation of and compliance with the requirements of this subchapter;</p>
<p>(ii) Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer.</p>
<p>(iii) Resolution of internal grievances;</p>
<p>(iv) The sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity; and</p>
<p>(v) Consistent with the applicable requirements of 45 CFR 164.514 [<em>Other requirements relating to uses and disclosures of protected health information</em>, as modified, 78 <em>Federal Register</em> 5700-5701], creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.</p>
<p>Tomorrow, we continue with the modified Privacy Rule definition:  Marketing.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/02/hipaa-final-rule-modified-privacy-rule-definition-health-care-operations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  Modified Privacy Rule Definition&#8211;Payment</title>
		<link>http://www.hipaa.com/2013/02/hipaa-final-rule-modified-privacy-rule-definition-payment/</link>
		<comments>http://www.hipaa.com/2013/02/hipaa-final-rule-modified-privacy-rule-definition-payment/#comments</comments>
		<pubDate>Wed, 27 Feb 2013 23:19:22 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[claims management]]></category>
		<category><![CDATA[collection activities]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[definition]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[eligibility]]></category>
		<category><![CDATA[eligibility for benefits]]></category>
		<category><![CDATA[excess of loss insurance]]></category>
		<category><![CDATA[genetic test]]></category>
		<category><![CDATA[GINA Title I]]></category>
		<category><![CDATA[health benefit claims]]></category>
		<category><![CDATA[Health Care Operations]]></category>
		<category><![CDATA[Health Care Provider]]></category>
		<category><![CDATA[health plan]]></category>
		<category><![CDATA[HIPAA Final Rule]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[marketing]]></category>
		<category><![CDATA[medical necessity]]></category>
		<category><![CDATA[modification]]></category>
		<category><![CDATA[nondiscrimination provisions]]></category>
		<category><![CDATA[Notice of Proposed Rule Making]]></category>
		<category><![CDATA[NPRM]]></category>
		<category><![CDATA[Payment]]></category>
		<category><![CDATA[PHSA]]></category>
		<category><![CDATA[preauthorization]]></category>
		<category><![CDATA[precertification]]></category>
		<category><![CDATA[premiums]]></category>
		<category><![CDATA[Privacy Rule]]></category>
		<category><![CDATA[prohibited uses and disclosures]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[Public Health Service Act]]></category>
		<category><![CDATA[reinsurance]]></category>
		<category><![CDATA[retrospective review]]></category>
		<category><![CDATA[rule of construction]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[stop-loss insurance]]></category>
		<category><![CDATA[underwriting prohibition]]></category>
		<category><![CDATA[underwriting purposes]]></category>
		<category><![CDATA[use or disclose]]></category>
		<category><![CDATA[utilization review]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2922</guid>
		<description><![CDATA[February 27, 2013.  Today, we start to examine definitions pertaining to the HIPAA Privacy Rule, and begin with payment, as modified in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.  Tomorrow, we continue with the modified Privacy Rule definition:  Health care operations, and Friday, with Marketing.  ]]></description>
			<content:encoded><![CDATA[<p><strong>February 27, 2013</strong>.  Today, we start to examine definitions pertaining to the HIPAA Privacy Rule, and begin with <em>payment</em>, as modified in the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p>Here is the discussion in the Final Rule related to the proposed modification to the definition of <em>payment</em> from the <a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/nprmhitech.pdf" target="_blank">July 14, 2010, Notice of Proposed Rule Making</a> (NPRM), with the proposed modification accepted in the Final Rule:</p>
<p>“The definition of <em>payment</em> in the Privacy Rule at 45 CFR 164.501 includes activities, such as ‘determinations of eligibility or coverage’ by a health plan, some of which may fall within the definition of ‘underwriting purposes.’ To avoid any implication that a health plan would be permitted to use or disclose protected health information for ‘payment’ purposes that are otherwise prohibited by the underwriting prohibition, we proposed to include a cross-reference in the definition of ‘payment’ to the prohibition. Further, we believed the inclusion of such a cross-reference to be necessary to properly align the definition of <em>payment</em> in the Privacy Rule with the nondiscrimination provisions of GINA Title I and their implementing regulations. GINA provides a rule of construction at section 102(a)(2), which adds paragraph 2702(c)(3) of the Public Health Service Act (PHSA), to make clear that health plans are not prohibited from obtaining and using the results of a genetic test in making determinations regarding payment, as such term is defined by the HIPAA Privacy Rule. Thus, the proposed exception would make clear that GINA’s rule of construction regarding payment does not allow a health plan to use the results of genetic tests for activities that would otherwise constitute ‘underwriting purposes,’ such as for determinations of eligibility for benefits.”  78 <em>Federal Register</em> 5666</p>
<p>Here is the modified definition of <em>payment</em>, which will be effective March 26, 2013, with the modification <span style="text-decoration: underline;">underlined</span>:</p>
<p><em>Payment</em> means:</p>
<p>(1) The activities undertaken by:</p>
<p>(i) <span style="text-decoration: underline;">Except as prohibited under 45 CFR 164.502(a)(5)(i)</span> [<em>Prohibited uses and disclosures:  Use and disclosure of genetic information for underwriting purposes</em>], a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or</p>
<p>(ii) A health care provider or health plan to obtain or provide reimbursement for the provision of health care; and</p>
<p>(2) The activities in paragraph (1) of this definition relate to the individual to whom health care is provided and include, but are not limited to:</p>
<p>(i) Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;</p>
<p>(ii) Risk adjusting amounts due based on enrollee health status and demographic characteristics;</p>
<p>(iii) Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing;</p>
<p>(iv) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;</p>
<p>(v) Utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and</p>
<p>(vi) Disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement:</p>
<p>(A) Name and address;</p>
<p>(B) Date of birth;</p>
<p>(C) Social security number;</p>
<p>(D) Payment history;</p>
<p>(E) Account number; and</p>
<p>(F) Name and address of the health care provider and/or health plan.</p>
<p>45 CFR 164.501, at 78 <em>Federal Register</em> 5696</p>
<p>Tomorrow, we continue with the modified Privacy Rule definition:  <em>Health care operations</em>, and Friday, with <em>Marketing</em>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/02/hipaa-final-rule-modified-privacy-rule-definition-payment/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  Enforcement by State Attorneys General</title>
		<link>http://www.hipaa.com/2013/02/hipaa-final-rule-enforcement-by-state-attorneys-general/</link>
		<comments>http://www.hipaa.com/2013/02/hipaa-final-rule-enforcement-by-state-attorneys-general/#comments</comments>
		<pubDate>Tue, 26 Feb 2013 16:04:06 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[attorney fee]]></category>
		<category><![CDATA[civil actions]]></category>
		<category><![CDATA[civil money penalty]]></category>
		<category><![CDATA[CMP]]></category>
		<category><![CDATA[CMP statute of limitations]]></category>
		<category><![CDATA[complaint]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[defendant]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[federal district court]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[HIPAA Enforcement Training for State Attorneys General]]></category>
		<category><![CDATA[HIPAA Final Rule]]></category>
		<category><![CDATA[HIPAA Privacy]]></category>
		<category><![CDATA[HIPAA rules]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[intervene]]></category>
		<category><![CDATA[January 25 2013]]></category>
		<category><![CDATA[July 14 2010]]></category>
		<category><![CDATA[Marc h 26 2013]]></category>
		<category><![CDATA[Modifications]]></category>
		<category><![CDATA[Notice of Proposed Rule Making]]></category>
		<category><![CDATA[Notice to the Secretary]]></category>
		<category><![CDATA[NPRM]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[petitions for appeal]]></category>
		<category><![CDATA[SAG]]></category>
		<category><![CDATA[Section 13410(e)]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[service of process]]></category>
		<category><![CDATA[STAT.]]></category>
		<category><![CDATA[state attorneys general]]></category>
		<category><![CDATA[State residents]]></category>
		<category><![CDATA[statutory]]></category>
		<category><![CDATA[statutory damages]]></category>
		<category><![CDATA[venue]]></category>
		<category><![CDATA[violation]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2915</guid>
		<description><![CDATA[February 26, 2013.  Today, we examine the HIPAA Rules enforcement role established by the HITECH Act for State attorneys general as modified in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013. Tomorrow, we begin to examine modifications to the HIPAA Privacy Rule.]]></description>
			<content:encoded><![CDATA[<p><strong>February 26, 2013</strong>.  Today, we examine the HIPAA Rules enforcement role established by the HITECH Act for State attorneys general as modified in the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p>As of February 18, 2009, Section 13410(e) of the HITECH Act granted State attorneys general the authority to enforce HIPAA Rules by bringing civil actions on behalf of State residents in federal district court.  In the July 14, 2010, <a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/nprmhitech.pdf" target="_blank">Notice of Proposed Rule Making</a> (NPRM) that was finalized in the January 25, 2013, Final Rule, the Department of Health and Human Services (HHS) noted:  “we clarify that we are not issuing regulations with respect to the new authority of the State Attorneys General to enforce the HIPAA Rules.”  75 <em>Federal Register</em> 40870.</p>
<p>The HITECH Act Section 13410(e)(1) provisions describe the role of State attorneys general in the enforcement of HIPAA Rules. Section 13410, <em>Improved Enforcement</em>, of the HITECH Act provides in subsection (e) for <em>Enforcement Through State Attorneys General</em>.  Here is the statutory language for the provisions in (1) at <a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf" target="_blank">123 STAT. 274-275</a>:</p>
<p>“(1) In General.—Section 1176 of the Social Security Act (42 USC 1320d-5) is amended by adding at the end the following new subsection:</p>
<p>‘(d) Enforcement by State Attorneys General.—</p>
<p>‘<strong>(1)</strong> <strong>Civil Action</strong>.—Except as provided in subsection (b), in any case in which the attorney general of a State has reason to believe that an interest of one or more of the residents of that State has been or is threatened or adversely affected by any person who violates a provision of this part, the attorney general of the State, as parens patriae, may bring a civil action on behalf of such residents of the State in a district court of the United States of appropriate jurisdiction—</p>
<p>‘(A) to enjoin further such violation by the defendant; or</p>
<p>‘(B) to obtain damages on behalf of such residents of the State, in an amount equal to the amount determined under paragraph (2).</p>
<p>‘<strong>(2)</strong> <strong>Statutory Damages</strong>.—</p>
<p>‘(A) In General.—For purposes of paragraph (1)(B), the amount determined under this paragraph is the amount calculated by multiplying the number of violations by up to $100.  For purposes of the preceding sentence, in the case of a continuing violation, the number of violations shall be determined consistent with the HIPAA privacy regulations (as defined in section 1180(b)(3)) for violations of subsection (a).</p>
<p>‘(B) Limitation.—The total amount of damages imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.</p>
<p>‘(C) Reduction of Damages.—In assessing damages under subparagraph (A), the court may consider the factors the Secretary may consider in determining the amount of a civil money penalty under subsection (a) under the HIPAA privacy regulations.</p>
<p><strong>‘(3) Attorney Fees</strong>.—In the case of any successful action under paragraph (1), the court, in its discretion, may award the costs of the action and reasonable attorney fees to the State.</p>
<p><strong>‘(4) Notice to the Secretary</strong>.—The State shall serve prior written notice of any action under paragraph (1) upon the Secretary with a copy of its complaint, except in any case in which such prior notice is not feasible, in which case the State shall serve such notice immediately after instituting such action.  The Secretary shall have the right—</p>
<p>‘(A) to intervene in the action;</p>
<p>‘(B) upon so intervening, to be heard on all matters arising therein; and</p>
<p>‘(C) to file petitions for appeal.</p>
<p><strong>‘(5) Construction</strong>.—For purposes of bringing any civil action under paragraph (1), nothing in this section shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State.</p>
<p><strong>‘(6) Venue; Service of Process</strong>.—</p>
<p>‘(A) Venue.—Any action brought under paragraph (1) may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.</p>
<p>‘(B) Service of Process.—In an action brought under paragraph (1), process may be served in any district in which the defendant—</p>
<p>‘(i) is an inhabitant; or</p>
<p>‘(ii) maintains a physical place of business.</p>
<p><strong>‘(7) Limitation on State Action While Federal Action is Pending</strong>.—If the Secretary has instituted an action against a person under subsection (a) with respect to a specific violation of this part, no State attorney general may bring an action under this subsection against the person with respect to such violation during the pendency of that action.</p>
<p><strong>‘(8) Application of CMP Statute of Limitations</strong>.—A civil action may not be instituted with respect to a violation of this part unless an action to impose a civil money penalty [CMP] may be instituted under subsection (a) with respect to such violation consistent with the second sentence of section 1128A(c)(1).’”</p>
<p>The following discussion about a modification to 45 CFR 160.310(c)(3), adopted in the Final Rule, is relevant to the enforcement role of State attorneys general [78 <em>Federal Register </em> 5579]:</p>
<p>“Section 160.310 requires that covered entities make information available to and cooperate with the Secretary during complaint investigations and compliance reviews. Section 160.310(c)(3) provides that any protected health information obtained by the Secretary in connection with an investigation or compliance review will not be disclosed by the Secretary, except as necessary for determining and enforcing compliance with the HIPAA Rules or as otherwise required by law. In the proposed rule, we proposed to modify this paragraph to also allow the Secretary to disclose protected health information if permitted under the Privacy Act at 5 U.S.C. 552a(b)(7). Section 5 U.S.C. 552a(b)(7) permits the disclosure of a record on an individual contained within a government system of records protected under the Privacy Act to another agency or instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity if the activity is authorized by law and if the agency has made a written request to the agency that maintains the record. The proposed change would permit the Secretary to coordinate with other law enforcement agencies, such as the State Attorneys General pursuing civil actions to enforce the HIPAA Rules on behalf of State residents pursuant to section 13410(e) of the Act&#8230;.</p>
<p>“To facilitate cooperation between the Department and other law enforcement agencies, the final rule adopts the modifications to 45 CFR 160.310(c)(3) as proposed in the NPRM [referenced earlier in this posting]. Further, the Department will be working closely with State Attorneys General to coordinate enforcement in appropriate cases, as provided under section 13410(e) of the HITECH Act. The Department will continue to update its web site as necessary and appropriate to maintain transparency with the public and the regulated community about these coordinated activities and its other enforcement actions and activities.”</p>
<p>The Web site just referenced, entitled <em><a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/sag/index.html" target="_blank">State Attorneys General</a></em>, provides the following information:</p>
<p>“This new enforcement authority granted to State Attorneys General (SAG) by section 13410(e) of the HITECH Act will require significant coordination between OCR and SAG.  OCR welcomes collaboration with SAG seeking to bring civil actions to enforce the HIPAA Privacy and Security Rules, and OCR will assist SAG in the exercise of this new enforcement authority.  OCR will provide information upon request about pending or concluded OCR actions against covered entities or business associates related to SAG investigations. OCR will also provide guidance regarding the HIPAA statute, the HITECH Act, and the HIPAA Privacy, Security, and Enforcement Rules as well as the Breach Notification Rule.”</p>
<p>A companion Web site, entitled <em><a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/sag/sagmoreinfo.html" target="_blank">HIPAA Enforcement Training for State Attorneys General</a></em>, provides the following information:</p>
<p>“OCR developed HIPAA Enforcement Training to help State Attorneys General and their staff use their new authority to enforce the HIPAA Privacy and Security Rules.  The training course will aid State Attorneys General in investigating and seeking damages for HIPAA violations that affect residents of their states.  Videos and slides from live training sessions conducted in 2011 are available through the OCR website.”</p>
<p>Tomorrow, we begin to examine modifications to the HIPAA Privacy Rule.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/02/hipaa-final-rule-enforcement-by-state-attorneys-general/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  Enforcement&#8211;Factors for Determining Civil Money Penalties for HIPAA Violations</title>
		<link>http://www.hipaa.com/2013/02/hipaa-final-rule-enforcement-factors-for-determining-civil-money-penalties-for-hipaa-violations/</link>
		<comments>http://www.hipaa.com/2013/02/hipaa-final-rule-enforcement-factors-for-determining-civil-money-penalties-for-hipaa-violations/#comments</comments>
		<pubDate>Mon, 25 Feb 2013 12:45:46 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[acts and/or omissions]]></category>
		<category><![CDATA[Administrative Simplification]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[civil money penalties]]></category>
		<category><![CDATA[complaint]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[compliance effort]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[enforcement process]]></category>
		<category><![CDATA[factors]]></category>
		<category><![CDATA[financial condition]]></category>
		<category><![CDATA[financial difficulties]]></category>
		<category><![CDATA[financial harm]]></category>
		<category><![CDATA[five general factors]]></category>
		<category><![CDATA[harm]]></category>
		<category><![CDATA[Health Care]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA Final Rule]]></category>
		<category><![CDATA[HIPAA violations]]></category>
		<category><![CDATA[history of prior compliance]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[individual's reputation]]></category>
		<category><![CDATA[investigation]]></category>
		<category><![CDATA[justice]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[modification]]></category>
		<category><![CDATA[nature and extent]]></category>
		<category><![CDATA[noncompliance]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[Office for Civil Rights]]></category>
		<category><![CDATA[physical harm]]></category>
		<category><![CDATA[policies]]></category>
		<category><![CDATA[practices]]></category>
		<category><![CDATA[prior complaints]]></category>
		<category><![CDATA[procedures]]></category>
		<category><![CDATA[Secretary]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[specific factors]]></category>
		<category><![CDATA[state attorneys general]]></category>
		<category><![CDATA[technical assistance]]></category>
		<category><![CDATA[willful neglect]]></category>
		<category><![CDATA[written communication]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2911</guid>
		<description><![CDATA[February 25, 2013.  Today, we examine factors considered in determining the amount of a civil money penalty for a HIPAA violation that are modified in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.  Tomorrow, we examine the HITECH Act role of State Attorneys General in the enforcement process.]]></description>
			<content:encoded><![CDATA[<p><strong>February 25, 2013</strong>.  Today, we examine factors considered in determining the amount of a civil money penalty for a HIPAA violation that are modified in the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p>The Department of Health and Human Services (HHS) identified “five general factors” for modification of 45 CFR 160.408 in conformance with the HITECH Act:</p>
<ul>
<li>Nature and extent of the violation</li>
<li>Nature and extent of the harm resulting from a violation</li>
<li>History of prior compliance with the administrative simplification provision, including violations by the covered entity or business associate</li>
<li>Financial condition of the covered entity or business associate</li>
<li>Such other matters as justice may require.</li>
</ul>
<p>Within each of the five general categories, HHS identified “specific factors” for consideration, the information relating to which would be collected and compiled during an investigation.  As we pointed out in our enforcement posting last week, the modified 45 CFR 160.306, at 78 <em>Federal Register </em>5690, provides for:</p>
<p>(c) <em>Investigation</em>.</p>
<p>(1) The Secretary will investigate any complaint filed under this section when a preliminary review of the facts indicates a possible violation due to willful neglect.</p>
<p>(2) The Secretary may investigate any other complaint filed under this section.</p>
<p>(3) An investigation under this section may include a review of the pertinent policies, procedures, or practices of the covered entity or business associate and of the circumstances regarding any alleged violation.</p>
<p>(4) At the time of the initial written communication with the covered entity or business associate about the complaint, the Secretary will describe the acts and/or omissions that are the basis of the complaint.</p>
<p>Here is the modified 45 CFR 160.408, at 78 <em>Federal Register </em>5691, that outlines the five general factors and specific factors within each of the five:</p>
<p><strong>Factors considered in determining the amount of a civil money penalty.</strong></p>
<p>In determining the amount of any civil money penalty, the Secretary will consider the following factors, which may be mitigating or aggravating as appropriate:</p>
<p><strong>(a)</strong> The nature and extent of the violation, consideration of which may include but is not limited to:</p>
<p>(1) The number of individuals affected; and</p>
<p>(2) The time period during which the violation occurred;</p>
<p><strong>(b)</strong> The nature and extent of the harm resulting from the violation, consideration of which may include but is not limited to:</p>
<p>(1) Whether the violation caused physical harm;</p>
<p>(2) Whether the violation resulted in financial harm;</p>
<p>(3) Whether the violation resulted in harm to an individual’s reputation; and</p>
<p>(4) Whether the violation hindered an individual’s ability to obtain health care;</p>
<p><strong>(c)</strong> The history of prior compliance with the administrative simplification provisions, including violations, by the covered entity or business associate, consideration of which may include but is not limited to:</p>
<p>(1) Whether the current violation is the same or similar to previous indications of noncompliance;</p>
<p>(2) Whether and to what extent the covered entity or business associate has attempted to correct previous indications of noncompliance;</p>
<p>(3) How the covered entity or business associate has responded to technical assistance from the Secretary provided in the context of a compliance effort; and</p>
<p>(4) How the covered entity or business associate has responded to prior complaints;</p>
<p><strong>(d)</strong> The financial condition of the covered entity or business associate, consideration of which may include but is not limited to:</p>
<p>(1) Whether the covered entity or business associate had financial difficulties that affected its ability to comply;</p>
<p>(2) Whether the imposition of a civil money penalty would jeopardize the ability of the covered entity or business associate to continue to provide, or to pay for, health care; and</p>
<p>(3) The size of the covered entity or business associate; and</p>
<p><strong>(e)</strong> Such other matters as justice may require.</p>
<p>We recommend that you visit three of the sites that the Office for Civil Rights (OCR) maintains regarding enforcement:  <em><a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/process/index.html" target="_blank">Enforcement Process</a></em>, <em><a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html" target="_blank">Case Examples and Resolution Agreements</a></em>, and <em><a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html" target="_blank">HIPAA Privacy &amp; Security Audit Program</a></em>.  OCR is HHS’ enforcement arm for HIPAA Privacy and Security Rules and the HITECH Act Breach Notification Rule.  Each of these sites provides information on the enforcement process and examples of the type of information OCR seeks during an investigation to address the general and specific factors identified in 45 CFR 160.408 above, as modified and effective March 26, 2013.</p>
<p>Tomorrow, we examine the HITECH Act role of State Attorneys General in the enforcement process.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/02/hipaa-final-rule-enforcement-factors-for-determining-civil-money-penalties-for-hipaa-violations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  HIPAA Privacy Rule &amp; FERPA:  Student Immunization Records</title>
		<link>http://www.hipaa.com/2013/02/hipaa-final-rule-hipaa-privacy-rule-ferpa-student-immunization-records/</link>
		<comments>http://www.hipaa.com/2013/02/hipaa-final-rule-hipaa-privacy-rule-ferpa-student-immunization-records/#comments</comments>
		<pubDate>Sun, 24 Feb 2013 18:21:58 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[FERPA]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[agreement and documentation requirements]]></category>
		<category><![CDATA[authorization]]></category>
		<category><![CDATA[child's medical record]]></category>
		<category><![CDATA[civil money penalty]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[document the agreement obtained]]></category>
		<category><![CDATA[educational institution or agency]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[emancipated minor]]></category>
		<category><![CDATA[Family Educational Rights and Privacy Act]]></category>
		<category><![CDATA[guardian]]></category>
		<category><![CDATA[Health Care Provider]]></category>
		<category><![CDATA[HIPAA Final Rule]]></category>
		<category><![CDATA[HIPAA PRIVACY RULE]]></category>
		<category><![CDATA[in loco parentis]]></category>
		<category><![CDATA[Joint Guidance]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[minimum necessary]]></category>
		<category><![CDATA[modification]]></category>
		<category><![CDATA[National Committee on Vital and Health Statistics]]></category>
		<category><![CDATA[obtain agreement]]></category>
		<category><![CDATA[opportunity to object]]></category>
		<category><![CDATA[parent]]></category>
		<category><![CDATA[permit but do not require]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[public health and safety]]></category>
		<category><![CDATA[public health authority]]></category>
		<category><![CDATA[public health disclosure]]></category>
		<category><![CDATA[required by law]]></category>
		<category><![CDATA[school]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[Student Health Records]]></category>
		<category><![CDATA[student immunization records]]></category>
		<category><![CDATA[uses and disclosures]]></category>
		<category><![CDATA[written authorization]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2904</guid>
		<description><![CDATA[February 22, 2013.  Today, we examine modified HIPAA Privacy Rule considerations regarding healthcare provider disclosure of immunization records for students in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.  On Monday, we look at 45 CFR 160.408:   Factors considered in determining the amount of a civil money penalty.]]></description>
			<content:encoded><![CDATA[<p><strong>February 22, 2013</strong>.  Today, we examine modified HIPAA Privacy Rule considerations regarding healthcare provider disclosure of immunization records for students in the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p>Student immunization records are protected under two federal laws:  HIPAA, via the HIPAA Privacy Rule, as discussed below, and the Family Educational Rights and Privacy Act (FERPA) “once a student’s immunization records are obtained and maintained by an educational institution or agency to which FERPA applies.”  This posting focuses on the HIPAA Privacy Rule provisions vis-à-vis such records prior to their receipt by an educational institution or agency to which FERPA applies.  For further information on the “intersection of FERPA and HIPAA,” consult <em><a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hipaaferpajointguide.pdf" target="_blank">Joint Guidance on the Application of FERPA and HIPAA to Student Health Records</a></em>.  78 <em>Federal Register</em> 5616.</p>
<p>The Final Rule states:  “The Privacy Rule, at 45 CFR 164.512(b) [Uses and Disclosures for which an authorization or opportunity to agree or object is not required], recognizes that covered entities must balance protecting the privacy of health information with sharing health information with those responsible for ensuring public health and safety, and permits covered entities to disclose the minimum necessary protected health information to public health authorities or other designated persons or entities without an authorization for public health purposes specified by the Rule.</p>
<p>“Schools play an important role in preventing the spread of communicable diseases among students by ensuring that students entering classes have been immunized.  Most States have ‘school entry laws’ which prohibit a child from attending school unless the school has proof that the child has been appropriately immunized. …</p>
<p>“Typically, schools ensure compliance with those requirements by requesting the immunization records from parents (rather than directly from a health care provider).  However, where a covered health care provider is requested to send the immunization records directly to a school, the Privacy Rule generally requires written authorization by the child’s parent before a covered health care provider may do so….”</p>
<p>Because of concerns with the difficulty of obtaining authorization in some cases, the “National Committee on Vital and Health Statistics …recommended that HHS regard disclosure of immunization records to schools to be a public health disclosure, thus eliminating the requirement for [written] authorization….  While written authorization … would no longer have been required for disclosure of such information under the proposal, the covered entity would still have been required to obtain agreement, which may have been oral, from a parent, guardian or other person acting <em>in loco parentis</em> for the individual, or from the individual him- or herself, if the individual is an adult or emancipated minor.”  78 <em>Federal Register</em> 5616</p>
<p><em>Final Rule</em>.  “The final rule adopts the proposal to amend 45 CFR 164.512(b)(1) by adding a new paragraph that permits a covered entity to disclose proof of immunization to a school where State or other law requires the school to have such information prior to admitting the student.  While written authorization will no longer be required to permit this disclosure, covered entities will still be required to obtain agreement, which may be oral, from a parent, guardian or other person acting <em>in loco parentis</em> for the individual, or from the individual himself or herself, if the individual is an adult or emancipated minor….</p>
<p>“The final rule additionally requires that covered entities document the agreement obtained under this provision… The documentation must only make clear that agreement was obtained as permitted under this provision.  For example, if a parent or guardian submits a written or email request to a covered entity to disclose his or her child’s immunization records to the child’s school, a copy of the request would suffice as documentation of the agreement.  Likewise, if a parent or guardian calls the covered entity and requests over the phone that his or her child’s immunization records be disclosed to the child’s school, a notation in the child’s medical record or elsewhere of the phone call would suffice as documentation of the agreement.”</p>
<p>“[W]e still require active agreement from the appropriate individual, and a health care provider may not disclose immunization records to a school under this provision without such agreement….  A mere request by a school to a health care provider for the immunization records of a student would not be sufficient to permit disclosure under this provision.”  78 <em>Federal Register</em> 5617</p>
<p>There is another distinction worth noting here, with emphasis added:  “[T]he Privacy Rule at 45 CFR 164.512(a) permits a covered entity to use or disclose protected health information to the extent that such use or disclosure is <em>required</em> by law and the use or disclosure complies with and is limited to the relevant requirements of such law….  [W]ith regard to State laws that <em>permit but do not require</em> covered entities to disclose immunization records to schools, this does not meet the requirements of the provisions at 164.512(a), and disclosures of immunization records are subject to the Privacy Rule <em>agreement and documentation requirements</em>.”  78 <em>Federal Register</em> 5618.</p>
<p>Note, “the Privacy Rule at 45 CFR 164.512(b) permits a covered entity to disclose protected health information for public health activities.  Disclosures of protected health information to State immunization registries are therefore permitted by the Privacy Rule and also do not require authorization.”  78 <em>Federal Register</em> 5618.</p>
<p>This modification facilitates removal of identified bottlenecks in getting immunization records to schools and lessens the burden on covered healthcare providers in documenting the written or oral agreement of the appropriate parties for doing so.  It is important to note that such documentation is required to be maintained under the Privacy Rule <em>Documentation</em> standard at 45 CFR 164.530(j).</p>
<p>Here is the modified paragraph relating to school immunization records at 45 CFR 164.512(b)(1)(vi):</p>
<p>(b) <em>Standard:  Uses and disclosures for public health activities.</em> (1) A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to:</p>
<p>(vi) A school, about an individual who is a student or prospective student of the school, if:</p>
<p>(A) The protected health information that is disclosed is limited to proof of immunization;</p>
<p>(B) The school is required by State or other law to have such proof of immunization prior to admitting the individual; and</p>
<p>(C) The covered entity obtains and documents the agreement to the disclosure from either:</p>
<p>(1) A parent, guardian, or other person acting <em>in loco parentis</em> of the individual, if the individual is an unemancipated minor; or</p>
<p>(2) The individual, if the individual is an adult or emancipated minor.</p>
<p>On Monday, we look at 45 CFR 160.408:   <em>Factors considered in determining the amount of a civil money penalty</em>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/02/hipaa-final-rule-hipaa-privacy-rule-ferpa-student-immunization-records/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  Enforcement:  Four Penalty Tiers</title>
		<link>http://www.hipaa.com/2013/02/hipaa-final-rule-enforcement-four-penalty-tiers/</link>
		<comments>http://www.hipaa.com/2013/02/hipaa-final-rule-enforcement-four-penalty-tiers/#comments</comments>
		<pubDate>Thu, 21 Feb 2013 21:34:51 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Identifiers]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Transactions & Code Sets]]></category>
		<category><![CDATA[administrative simplification provision]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[business care and prudence]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[conscious intent]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[FERPA]]></category>
		<category><![CDATA[Final rule]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HIPAA Final Rule]]></category>
		<category><![CDATA[HIPAA rules]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[immunization record]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[Modifications]]></category>
		<category><![CDATA[penalty]]></category>
		<category><![CDATA[penalty tiers]]></category>
		<category><![CDATA[reasonable cause]]></category>
		<category><![CDATA[reasonable diligence]]></category>
		<category><![CDATA[reckless indifference]]></category>
		<category><![CDATA[section 1176]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[Social Security Act]]></category>
		<category><![CDATA[violation]]></category>
		<category><![CDATA[willful neglect]]></category>
		<category><![CDATA[willful neglect corrected]]></category>
		<category><![CDATA[willful neglect not corrected]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2900</guid>
		<description><![CDATA[February 21, 2013.  Today, we examine the four penalty tiers for violations of HIPAA Rules in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.  Tomorrow, we look at the relationship of FERPA and HIPAA vis-a-vis disclosure of immunization records to schools, with a return to enforcement Monday and Tuesday of next week.]]></description>
			<content:encoded><![CDATA[<p><strong>February 21, 2013</strong>.  Today, we examine the four penalty tiers for violations of HIPAA Rules in the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p>We start with two definitions, the first of which, <em>Reasonable cause</em>, was modified in the Final Rule, and the second of which was not modified:</p>
<p>“<em>Reasonable cause</em> means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.”  45 CFR 160.401, at 78 <em>Federal Register</em> 5691.</p>
<p>As modified, this definition &#8220;would now include violations due both to circumstances that would make it unreasonable for the covered entity or business associate, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated, as well as to other circumstances in which a covered entity or business associate has knowledge of a violation but lacks the conscious intent or reckless indifference associated with the willful neglect category of violations.&#8221;  78 <em>Federal Register</em> 5580.</p>
<p>“<em>Reasonable diligence</em> means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.”</p>
<p>The Final Rule states:  “[S]ection 13410(d) of the HITECH Act revised section 1176 of the Social Security Act to establish four tiers of increasing penalty amounts to correspond to the levels of culpability associated with the violation.  The first category of violation (and lowest penalty tier) covers situations where the covered entity or business associate did not know, and by exercising reasonable diligence would not have known, of a violation.  The second category of violation (and next highest penalty tier) applies to violations due to reasonable cause and not to willful neglect.  The third and fourth categories apply to circumstances where the violation was due to willful neglect that is corrected within a certain time period (second highest penalty tier) and willful neglect that is not corrected (highest penalty tier).”  78 <em>Federal Register</em> 5580.  Willful neglect was discussed in yesterday’s posting.</p>
<p>Here are the penalties for each tier from 45 CFR 160.404(b)(2), effective March 26, 2013, with modified paragraphs underlined and the modification in italics:</p>
<p>(i) <span style="text-decoration: underline;">For a violation in which it is established that the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity <em>or business associate</em> violated such provision</span>,</p>
<p>(A) In the amount of less than $100 or more than $50,000 for each violation; or</p>
<p>(B) In excess of $1,500,000 for identical violations during a calendar year (January 1 through the following December 31);</p>
<p>(ii) For a violation in which it is established that the violation was due to reasonable cause and not to willful neglect,</p>
<p>(A) In the amount of less than $1,000 or more than $50,000 for each violation; or</p>
<p>(B) In excess of $1,500,000 for identical violations during a calendar year (January 1 through the following December 31);</p>
<p>(iii) <span style="text-decoration: underline;">For a violation in which it is established that the violation was due to willful neglect and was corrected during the 30-day period beginning on the first date the covered entity <em>or business associate</em> liable for the penalty knew, or, would have known that the violation occurred</span>,</p>
<p>(A) In the amount of less than $10,000 or more than $50,000 for each violation; or</p>
<p>(B) In excess of $1,500,000 for identical violations during a calendar year (January 1 through the following December 31);</p>
<p>(iv) <span style="text-decoration: underline;">For a violation in which it is established that the violation was due to willful neglect and was not corrected during the 30-day period beginning on the first date the covered entity <em>or business associate</em> liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred</span>,</p>
<p>(A) In the amount of less than $50,000 for each violation; or</p>
<p>(B) In excess of $1,500,000 for identical violations during a calendar year (January 1 through the following December 31);</p>
<p>Tomorrow, we look at the relationship of FERPA and HIPAA vis-a-vis disclosure of immunization records to schools, with a return to enforcement Monday and Tuesday of next week.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/02/hipaa-final-rule-enforcement-four-penalty-tiers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  Enforcement:  Willful Neglect</title>
		<link>http://www.hipaa.com/2013/02/hipaa-final-rule-enforcement-willful-neglect/</link>
		<comments>http://www.hipaa.com/2013/02/hipaa-final-rule-enforcement-willful-neglect/#comments</comments>
		<pubDate>Wed, 20 Feb 2013 18:45:17 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Administrative Simplification]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[civil money penalty]]></category>
		<category><![CDATA[complaint]]></category>
		<category><![CDATA[Complaint Investigations]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[compliance reviews]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[discretion]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[Enforcement Rule]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[formal enforcement]]></category>
		<category><![CDATA[HIPAA complaints]]></category>
		<category><![CDATA[HIPAA enforcement]]></category>
		<category><![CDATA[HIPAA Final Rule]]></category>
		<category><![CDATA[HIPAA rules]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[investigation]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[Modifications]]></category>
		<category><![CDATA[noncompliance]]></category>
		<category><![CDATA[October 30 2009]]></category>
		<category><![CDATA[penalty]]></category>
		<category><![CDATA[possible violation]]></category>
		<category><![CDATA[preliminary review]]></category>
		<category><![CDATA[required investigation]]></category>
		<category><![CDATA[Secretary]]></category>
		<category><![CDATA[section 1176(c)]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[Social Security Act]]></category>
		<category><![CDATA[STAT.]]></category>
		<category><![CDATA[violation]]></category>
		<category><![CDATA[voluntary corrective action]]></category>
		<category><![CDATA[will investigate]]></category>
		<category><![CDATA[willful neglect]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2895</guid>
		<description><![CDATA[February 20, 2013.  Today, we begin examination of HITECH Act modifications of HIPAA Enforcement, focusing on the meaning and consequences of willful neglect in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.  Tomorrow, we look at the penalty structure for violations of HIPAA Rules.]]></description>
			<content:encoded><![CDATA[<p><strong>February 20, 2013</strong>.  Today, we begin examination of HITECH Act modifications of HIPAA Enforcement, focusing on the meaning and consequences of <em>willful neglect</em> in the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p><em>Willful neglect</em> is defined as “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.”  45 CFR 160.401</p>
<p>Section 13410(a) of the HITECH Act [123 STAT. 271] added a new subsection (c) to <a href="http://www.ssa.gov/OP_Home/ssact/title11/1176.htm" target="_blank">section 1176 of the Social Security Act</a>:</p>
<p>(c) Noncompliance Due to Willful Neglect.</p>
<p>(1) In general.  A violation of a provision of this part due to willful neglect is a violation for which the Secretary is required to impose a penalty under subsection (a)(1) [General Penalty.  In General.]</p>
<p>(2) Required investigation.  For purposes of paragraph (1), the Secretary shall formally investigate any complaint of a violation of a provision of this part if a preliminary investigation of the facts of the complaint indicate such a possible violation due to willful neglect.</p>
<p>HHS made four proposed modifications to buttress investigations and imposition of penalties for willful neglect that were adopted in the Final Rule [78 <em>Federal Register</em> 5578]:</p>
<p><span style="text-decoration: underline;">Complaint Investigations</span>.  “The October 30, 2009, Enforcement Rule at 45 CFR 160.306(c) currently provides the Secretary with discretion to investigate HIPAA complaints through the use of the word ‘may.’  As a practical matter, however, the Department currently conducts a preliminary review of every complaint received and proceeds with the investigation in every eligible case where its preliminary review of the facts indicates a possible violation of the HIPAA Rules.  Nonetheless, to implement section 1176(c)(2) [above], the Department proposed to add a new paragraph (1) [above] … to make clear that the Secretary <strong>will investigate</strong> any complaint filed under this section when a preliminary review of the facts indicates a possible violation due to willful neglect. [emphasis added]  Under proposed 45 CFR 160.306(c)(2), the Secretary would have continued discretion with respect to investigating any other complaints.</p>
<p><span style="text-decoration: underline;">Compliance Reviews</span>.  “The Department proposed to modify 45 CFR 160.308 by adding a new paragraph (a) to provide that the Secretary will conduct a compliance review to determine whether a covered entity or business associate is complying with the applicable administrative simplification provision when a preliminary review of the facts indicates a possible violation due to willful neglect. Like 45 CFR 160.306(c) with respect to complaints [discussed above], the current 160.308(c) provides the Secretary with discretion to conduct compliance reviews. While section 13410(a) of the HITECH Act specifically mentions complaints and not compliance reviews with respect to willful neglect, the Department proposed to treat compliance reviews in the same manner because it believed doing so would strengthen enforcement with respect to potential violations of willful neglect and would ensure that investigations, whether or not initiated by a complaint, would be handled in a consistent manner. Under proposed 45 CFR 160.308(b), the Secretary would continue to have discretion to conduct compliance reviews in circumstances not indicating willful neglect.</p>
<p><span style="text-decoration: underline;">Resolving Investigations or Compliance Reviews</span>.  “Given the HITECH Act’s requirement that the Secretary impose a penalty for any violation due to willful neglect, the Department proposed changes to 45 CFR 160.312, which currently requires the Secretary to attempt to resolve investigations or compliance reviews indicating noncompliance by informal means. The NPRM proposed to provide instead in 45 CFR 160.312(a) that the Secretary ‘‘may’’ rather than ‘‘will’’ attempt to resolve investigations or compliance reviews indicating noncompliance by informal means. This change would permit the Department to proceed with a willful neglect violation determination as appropriate, while also permitting the Department to seek resolution of complaints and compliance reviews that did not indicate willful neglect violations by informal means (e.g., where the covered entity or business associate did not know and by exercising reasonable diligence would not have known of a violation, or where the violation is due to reasonable cause).</p>
<p><span style="text-decoration: underline;">Compliance Cooperation</span>. “The Department proposed a conforming change to 45 CFR 160.304(a), which currently requires the Secretary to seek, to the extent practicable, the cooperation of covered entities in obtaining compliance with the HIPAA Rules. The <a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/nprmhitech.pdf" target="_blank">July 14, 2010, Notice of Proposed Rule Making (NPRM)</a> proposed to clarify that the Secretary would continue to do so ‘consistent with the provisions of this subpart’ in recognition of the new HITECH Act requirement to impose a civil money penalty for a violation due to willful neglect. While the Secretary often will still seek to correct indications of noncompliance through voluntary corrective action, there may be circumstances (such as circumstances indicating willful neglect), where the Secretary may proceed directly to formal enforcement.”</p>
<p>The Final Rule adopted the modifications discussed above, which are in 45 CFR 160.304, 160.306, 160.308, and 160.312, effective March 26, 2013, and accessible online at the link at the top of this post [78 <em>Federal Register</em> 5690-5691].</p>
<p>Tomorrow, we look at the penalty structure for violations of HIPAA Rules.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/02/hipaa-final-rule-enforcement-willful-neglect/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  Genetic Information Nondiscrimination Act:  Manifestation or Manifested</title>
		<link>http://www.hipaa.com/2013/02/hipaa-final-rule-genetic-information-nondiscrimination-act-manifestation-or-manifested/</link>
		<comments>http://www.hipaa.com/2013/02/hipaa-final-rule-genetic-information-nondiscrimination-act-manifestation-or-manifested/#comments</comments>
		<pubDate>Tue, 19 Feb 2013 21:04:10 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[Health Care Reform]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Affordable Care Act]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[contribution]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[create]]></category>
		<category><![CDATA[definition]]></category>
		<category><![CDATA[Disclose]]></category>
		<category><![CDATA[disease]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[family medical history]]></category>
		<category><![CDATA[family member]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Final rule]]></category>
		<category><![CDATA[genetic information]]></category>
		<category><![CDATA[Genetic Information Nondiscrimination Act]]></category>
		<category><![CDATA[genetic test]]></category>
		<category><![CDATA[GINA]]></category>
		<category><![CDATA[Health Care Provider]]></category>
		<category><![CDATA[health plan]]></category>
		<category><![CDATA[HIPAA Final Rule]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[HMO]]></category>
		<category><![CDATA[maintain]]></category>
		<category><![CDATA[manifestation]]></category>
		<category><![CDATA[manifested]]></category>
		<category><![CDATA[March 20 2010]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[medical appropriateness of a benefit]]></category>
		<category><![CDATA[preamble]]></category>
		<category><![CDATA[premium]]></category>
		<category><![CDATA[Privacy Rule]]></category>
		<category><![CDATA[receive]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[Treatment]]></category>
		<category><![CDATA[underwriting purposes]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2891</guid>
		<description><![CDATA[February 19, 2013.  Today, we finish examination of modifications of HIPAA Privacy under the Genetic Information Nondiscrimination Act (GINA), by focusing on the definition: manifestation or manifested. The modifications of HIPAA Privacy are in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.  Tomorrow, we begin to examine Final Rule modifications related to enforcement.]]></description>
			<content:encoded><![CDATA[<p><strong>February 19, 2013</strong>.  Today, we finish examination of modifications of HIPAA Privacy under the Genetic Information Nondiscrimination Act (GINA), by focusing on the definition: <em>manifestation or manifested</em>. The modifications of HIPAA Privacy are in the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p>We presented in the posting of February 15 <em>manifestation or manifested</em> as one of the new definitions related to GINA cited in the Final Rule, and repeat it here:</p>
<p><strong><em>Manifestation</em> or <em>manifested</em></strong> means, with respect to a disease, disorder, or pathological condition, that an individual has been or could reasonably be diagnosed with the disease, disorder, or pathological condition by a health care professional with appropriate training and expertise in the field of medicine involved. For purposes of this subchapter, a disease, disorder, or pathological condition is not manifested if the diagnosis is based principally on genetic information.  [78 <em>Federal Register</em> 5689]</p>
<p>GINA did not define <em>manifestation or manifested</em>, but the Department did in the Final Rule “given the importance of the term.”  [78 <em>Federal Register</em> 5663]</p>
<p>The Final Rule discusses the concept of <em>manifestation or manifested</em>:</p>
<p>“Although not separately defined by GINA, the terms <em>manifestation</em> or <em>manifested</em> are used in GINA in three important contexts:</p>
<p>First, GINA uses the term <em>manifestation</em> to incorporate ‘family medical history’ into the definition of ‘genetic information’ by stating that ‘genetic information’ includes, with respect to an individual, the manifestation of a disease or disorder in family members of such individual.</p>
<p>Second, GINA uses the term ‘manifested’ to exclude from the definition of ‘genetic test’ those tests that analyze a physical malady rather than genetic makeup by excluding from the definition analyses of proteins or metabolites that are directly related to a manifested disease, disorder, or pathological condition.</p>
<p>Third, GINA uses the term ‘manifestation’ to clarify that nothing in Title I of GINA should be construed to limit the ability of a health plan to adjust premiums or contribution amounts for a group health plan based on the manifestation of a disease or disorders of an individual enrolled in the plan. [Final Rule <em>Footnote</em>:  ‘We note that the Affordable Care Act, enacted on March 23, 2010, includes a provision effective for plan years beginning on or after January 1, 2014, that prohibits insurers from discriminating against individuals or charging individuals higher rates based on pre-existing conditions.  See Public Law 111-148’] However, GINA provides that, in such case, the manifestation of a disease or disorder in one individual cannot also be used as genetic information about other group members and to further increase the premium for the plan.  Similarly, for the individual health insurance market, GINA clarifies that it does not prohibit a health plan from establishing rules for eligibility for an individual to enroll in coverage or from adjusting premium or contribution amounts for an individual based on the manifestation of a disease or disorder in that individual or in a family member of such individual where such family member is covered under the individual’s policy.  However, under GINA, the manifestation of a disease or disorder in one individual cannot also be used as genetic information about other individuals and to further increase premiums or contribution amounts.”  [78 <em>Federal Register</em> 5663]</p>
<p>In contrast to health plans, “[a] health care provider may use or disclose genetic information as it sees fit for treatment of an individual.  If a covered entity, such as an HMO, acts as both a health plan and health care provider, it may use genetic information for purposes of treatment, to determine the medical appropriateness of a benefit, and as otherwise permitted by the Privacy Rule, but may not use such genetic information for underwriting purposes.  Such covered entities, in particular, should ensure that appropriate staff members are trained on the permissible and impermissible uses of genetic information.”  [78 <em>Federal Register</em> 5667]</p>
<p>We recommend that any covered entity that creates, receives, or maintains genetic information, as defined at 45 CFR 60.103, 78 <em>Federal Register</em> 5688-5689, and effective March 26, 2013, carefully read Section VI of the Preamble in the Final Rule:  <em>Modifications to the HIPAA Privacy Rule</em> (pages 5658-5669).</p>
<p>Tomorrow, we begin to examine Final Rule modifications related to enforcement.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/02/hipaa-final-rule-genetic-information-nondiscrimination-act-manifestation-or-manifested/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  Genetic Information Nondiscrimination Act:  Underwriting Prohibitions</title>
		<link>http://www.hipaa.com/2013/02/hipaa-final-rule-genetic-information-nondiscrimination-act-underwriting-prohibitions/</link>
		<comments>http://www.hipaa.com/2013/02/hipaa-final-rule-genetic-information-nondiscrimination-act-underwriting-prohibitions/#comments</comments>
		<pubDate>Tue, 19 Feb 2013 01:10:07 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[GINA]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[Disclose]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[eligibility]]></category>
		<category><![CDATA[enrollment]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Genetic Information Nondiscrimination Act]]></category>
		<category><![CDATA[health risk assessment]]></category>
		<category><![CDATA[HIPAA Final Rule]]></category>
		<category><![CDATA[HIPAA PRIVACY RULE]]></category>
		<category><![CDATA[long-term care insurance market]]></category>
		<category><![CDATA[long-term care plan]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[Modifications]]></category>
		<category><![CDATA[premium differential mechanism]]></category>
		<category><![CDATA[privacy interest]]></category>
		<category><![CDATA[prohibited uses and disclosures]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[required or permitted]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[underwriting]]></category>
		<category><![CDATA[underwriting prohibition]]></category>
		<category><![CDATA[underwriting purposes]]></category>
		<category><![CDATA[wellness program]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2886</guid>
		<description><![CDATA[February 18, 2013.  Today, we examine underwriting prohibitions as they relate to modifications of the HIPAA Privacy Rule required under the Genetic Information Nondiscrimination Act (GINA). These modifications are in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.  Tomorrow, we finish up the discussion on the HIPAA Privacy Rule with regard to genetic information.]]></description>
			<content:encoded><![CDATA[<p><strong>February 18, 2013</strong>.  Today, we examine underwriting prohibitions as they relate to modifications of the HIPAA Privacy Rule required under the Genetic Information Nondiscrimination Act (GINA). These modifications are in the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p>The Final Rule states:  “The final rule adopts the approach of the proposed rule to apply the prohibition on using or disclosing protected health information that is genetic information for underwriting purposes to all health plans that are covered entities under the HIPAA Privacy Rule, including those to which GINA does not expressly apply, except with regard to issuers of long term care policies….  We also continue to believe that individuals have a strong privacy interest in not having their genetic information used in an adverse manner for underwriting purposes and to believe that this privacy interest outweighs any adverse impact on most health plans covered by the Privacy Rule.”  [78 <em>Federal Register</em> 5660]</p>
<p>With regard to long-term care plans:  “The Department did hear from a number of sources [during the public comment period] about the potential adverse impact a prohibition on using genetic information for underwriting would have on the ability of a long-term care insurer to effectively underwrite and thus, on the viability of the long-term care insurance market generally.  The Department recognizes the importance of long-term care insurance coverage and the need to ensure its continued availability.  The Department also acknowledges that, at this time, it does not have the information necessary to more precisely and carefully measure the extent of such an impact on the long-term market in order to appropriately balance an individual’s privacy interests with such an impact.  Thus, this final rule excludes long-term care plans from the underwriting prohibition….  At the current time,…, we do not have sufficient information to determine the proper balance between the individual’s privacy interests and the industry’s concerns about the cost effects of excluding genetic information….  Based on the information the Department may obtain, the Department will reassess how best to move forward in this area in the future.”  [78 <em>Federal Register</em> 5661]</p>
<p>While the Final Rule extends coverage of the HIPAA Privacy Rule to health plans beyond those covered under GINA, it is important to note, given the discussion excluding for now long-term care plans from the underwriting restriction pertaining to genetic information, that those long-term care plans still fall under HIPAA Privacy as covered entities.  [78 <em>Federal Register</em> 5659]  The Final Rule states:  “Long-term care plans, while not subject to the underwriting prohibition, continue to be bound by the Privacy Rule, as are all other covered health plans, to protect genetic information from improper uses and disclosure and to only use or disclose genetic information as required or expressly permitted by the Rule, or as otherwise authorized by the individual who is the subject of the genetic information.”  [78 <em>Federal Register</em> 5661]</p>
<p>In the posting on Friday, February 15, we presented the new definitions in the Final Rule pertaining to GINA.  With regard to the definition of <em>underwriting purposes</em>, which was defined in the proposed rule, the Final Rule adopted the definition, but moved it to “within the underwriting prohibition at 45 CFR 164.502(a)(5)(i).”  [78 <em>Federal Register</em> 5665]  The underwriting prohibition paragraphs are presented here with the embedded definition of <em>underwriting purposes</em>:</p>
<p>(5) <em>Prohibited uses and disclosures.</em></p>
<p>(i) <em>Use and disclosure of genetic information for underwriting purposes:</em> Notwithstanding any other provision of this subpart, a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of <em>health plan</em>, shall not use or disclose protected health information that is genetic information for underwriting purposes. For purposes of paragraph (a)(5)(i) of this section, underwriting purposes means, with respect to a health plan:</p>
<p>(A) Except as provided in paragraph (a)(5)(i)(B) of this section:</p>
<p>(<em>1</em>) Rules for, or determination of, eligibility (including enrollment and continued eligibility) for, or determination of, benefits under the plan, coverage, or policy (including changes in deductibles or other cost-sharing mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program);</p>
<p>(<em>2</em>) The computation of premium or contribution amounts under the plan, coverage, or policy (including discounts, rebates, payments in kind, or other premium differential mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program);</p>
<p>(<em>3</em>) The application of any pre-existing condition exclusion under the plan, coverage, or policy; and</p>
<p>(<em>4</em>) Other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits.</p>
<p>(B) Underwriting purposes does not include determinations of medical appropriateness where an individual seeks a benefit under the plan, coverage, or policy.</p>
<p>[78 <em>Federal Register</em> 5696]</p>
<p>Tomorrow, we finish up the discussion on the HIPAA Privacy Rule with regard to genetic information.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/02/hipaa-final-rule-genetic-information-nondiscrimination-act-underwriting-prohibitions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  Genetic Information Nondiscrimination Act (GINA) Definitions</title>
		<link>http://www.hipaa.com/2013/02/hipaa-final-rule-genetic-information-nondiscrimination-act-gina-definitions/</link>
		<comments>http://www.hipaa.com/2013/02/hipaa-final-rule-genetic-information-nondiscrimination-act-gina-definitions/#comments</comments>
		<pubDate>Fri, 15 Feb 2013 23:51:12 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[GINA]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[contributions]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[definition]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[eligibility]]></category>
		<category><![CDATA[employment]]></category>
		<category><![CDATA[family member]]></category>
		<category><![CDATA[FERPA]]></category>
		<category><![CDATA[Final rule]]></category>
		<category><![CDATA[genetic information]]></category>
		<category><![CDATA[Genetic Information Nondiscrimination Act]]></category>
		<category><![CDATA[genetic services]]></category>
		<category><![CDATA[genetic testing]]></category>
		<category><![CDATA[group coverage]]></category>
		<category><![CDATA[health coverage]]></category>
		<category><![CDATA[health information. enforcement rule]]></category>
		<category><![CDATA[HIPAA PRIVACY RULE]]></category>
		<category><![CDATA[HIPAAA Final Rule]]></category>
		<category><![CDATA[HMO]]></category>
		<category><![CDATA[immunization records]]></category>
		<category><![CDATA[manifestation]]></category>
		<category><![CDATA[manifested]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[Medigap]]></category>
		<category><![CDATA[nondiscrimination]]></category>
		<category><![CDATA[premiums]]></category>
		<category><![CDATA[privacy protections]]></category>
		<category><![CDATA[Secretary of HHS]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[Title I]]></category>
		<category><![CDATA[Title II]]></category>
		<category><![CDATA[underwriting]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2880</guid>
		<description><![CDATA[February 15, 2013.  Today, we present several new definitions relating to the Genetic Information Nondiscrimination Act (GINA), which addressed the application of the HIPAA Privacy Rule to genetic information.  The definitions are in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.  Next week, on Monday and Tuesday, we look at how GINA modified the HIPAA Privacy Rule; on Wednesday and Thursday, we look at how the Final Rule modified the Enforcement Rule; and on Friday, we look at how FERPA and HIPAA interact with respect to school immunization records.]]></description>
			<content:encoded><![CDATA[<p><strong>February 15, 2013</strong>.  Today, we present several new definitions relating to the Genetic Information Nondiscrimination Act (GINA), which addressed the application of the HIPAA Privacy Rule to genetic information.  The definitions are in the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p>The Final Rule states:  “The Genetic Information Nondiscrimination Act of 2008, Public Law 110-233, 122 STAT. 881, prohibits discrimination based on an individual’s genetic information in both the health coverage and employment contexts.  With respect to health coverage, Title I of GINA generally prohibits discrimination in premiums or contributions for group coverage based on genetic information, proscribes the use of genetic information as a basis for determining eligibility or setting premiums in the individual and Medicare supplemental (Medigap) insurance markets, and limits the ability of group health plans, health insurance issuers, and Medigap issuers to collect genetic information or to request or require that individuals undergo genetic testing.  Title II of GINA generally prohibits use of genetic information in the employment context, restricts employers and other entities covered by Title II from requesting, requiring, or purchasing genetic information, and strictly limits such entities from disclosing genetic information…</p>
<p>“In addition to these nondiscrimination provisions, section 105 of Title I of GINA contains new privacy protections for genetic information, which require the Secretary of HHS to revise the Privacy Rule to clarify that genetic information is health information and to prohibit group health plans, health insurance issuers (including HMOs), and issuers of Medicare supplemental policies from using or disclosing genetic information for underwriting purposes.”  [78 <em>Federal Register</em> 5658-5659]</p>
<p>Below are new GINA-related definitions for the discussion in this series on the January 25, 2013, Final Rule Modifications as they relate to HIPAA Privacy Rule provisions.  [45 CFR 160.103, at 78 <em>Federal Register</em> 5688-5689]</p>
<p><strong><em>Family member</em></strong> means, with respect to an individual:</p>
<p>(1) A dependent (as such term is defined in 45 CFR 144.103), of the individual; or</p>
<p>(2) Any other person who is a first-degree, second-degree, third-degree, or fourth-degree relative of the individual or of a dependent of the individual. Relatives by affinity (such as by marriage or adoption) are treated the same as relatives by consanguinity (that is, relatives who share a common biological ancestor). In determining the degree of the relationship, relatives by less than full consanguinity (such as half-siblings, who share only one parent) are treated the same as relatives by full consanguinity (such as siblings who share both parents).</p>
<p>(i) First-degree relatives include parents, spouses, siblings, and children.</p>
<p>(ii) Second-degree relatives include grandparents, grandchildren, aunts, uncles, nephews, and nieces.</p>
<p>(iii) Third-degree relatives include great-grandparents, great-grandchildren, great aunts, great uncles, and first cousins.</p>
<p>(iv) Fourth-degree relatives include great-great grandparents, great-great grandchildren, and children of first cousins.</p>
<p><strong><em>Genetic information</em></strong> means:</p>
<p>(1) Subject to paragraphs (2) and (3) of this definition, with respect to an individual, information about:</p>
<p>(i) The individual’s genetic tests;</p>
<p>(ii) The genetic tests of family members of the individual;</p>
<p>(iii) The manifestation of a disease or disorder in family members of such individual; or</p>
<p>(iv) Any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by the individual or any family member of the individual.</p>
<p>(2) Any reference in this subchapter to genetic information concerning an individual or family member of an individual shall include the genetic information of:</p>
<p>(i) A fetus carried by the individual or family member who is a pregnant woman; and</p>
<p>(ii) Any embryo legally held by an individual or family member utilizing an assisted reproductive technology.</p>
<p>(3) Genetic information excludes information about the sex or age of any individual.</p>
<p><strong><em>Genetic services</em></strong> means:</p>
<p>(1) A genetic test;</p>
<p>(2) Genetic counseling (including obtaining, interpreting, or assessing genetic information); or</p>
<p>(3) Genetic education.</p>
<p><strong><em>Genetic test</em></strong> means an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, if the analysis detects genotypes, mutations, or chromosomal changes. Genetic test does not include an analysis of proteins or metabolites that is directly related to a manifested disease, disorder, or pathological condition.</p>
<p><strong><em>Manifestation</em> or <em>manifested</em></strong> means, with respect to a disease, disorder, or pathological condition, that an individual has been or could reasonably be diagnosed with the disease, disorder, or pathological condition by a health care professional with appropriate training and expertise in the field of medicine involved. For purposes of this subchapter, a disease, disorder, or pathological condition is not manifested if the diagnosis is based principally on genetic information.</p>
<p>In addition to the new GINA-related definitions above, the definition of <em>Health information</em> below was <span style="text-decoration: underline;">revised</span> “to make clear that the term includes ‘genetic information’.”</p>
<p><strong><em>Health information</em></strong> means any information, <span style="text-decoration: underline;">including genetic information</span>, whether oral or recorded in any form or medium, that:</p>
<p>(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and</p>
<p>(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.</p>
<p>Next week, on Monday and Tuesday, we look at how GINA modified the HIPAA Privacy Rule; on Wednesday and Thursday, we look at how the Final Rule modified the Enforcement Rule; and on Friday, we look at how FERPA and HIPAA interact with respect to school immunization records.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/02/hipaa-final-rule-genetic-information-nondiscrimination-act-gina-definitions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  Modification of Business Associate Definition, Part (6)&#8211;Exceptions</title>
		<link>http://www.hipaa.com/2013/02/hipaa-final-rule-modification-of-business-associate-definition-part-6-exceptions/</link>
		<comments>http://www.hipaa.com/2013/02/hipaa-final-rule-modification-of-business-associate-definition-part-6-exceptions/#comments</comments>
		<pubDate>Thu, 14 Feb 2013 15:00:31 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[activity]]></category>
		<category><![CDATA[authorized by law]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[business associate contract]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[definition]]></category>
		<category><![CDATA[Disclosure]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[eligibility]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[enrollment]]></category>
		<category><![CDATA[entity]]></category>
		<category><![CDATA[exceptions]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[function]]></category>
		<category><![CDATA[government agency]]></category>
		<category><![CDATA[government health plan]]></category>
		<category><![CDATA[group health plan]]></category>
		<category><![CDATA[Health Care Provider]]></category>
		<category><![CDATA[health insurance issuer]]></category>
		<category><![CDATA[HIPAA Final Rule]]></category>
		<category><![CDATA[HIPAA rules]]></category>
		<category><![CDATA[HMO]]></category>
		<category><![CDATA[Individually Identifiable Health Information]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[modification]]></category>
		<category><![CDATA[organized health care arrangement]]></category>
		<category><![CDATA[person]]></category>
		<category><![CDATA[plan sponsor]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[public benefits]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[Subcontractor]]></category>
		<category><![CDATA[Treatment]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2874</guid>
		<description><![CDATA[February 14, 2013.  Today, we finish examining the business associate definition, focusing on exceptions, as modified by the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.  Tomorrow, we begin to examine new definitions in the Final Rule, and next week we look at modifications in the Final Rule regarding enforcement. ]]></description>
			<content:encoded><![CDATA[<p><strong>February 14, 2013</strong>.  Today, we finish examining the business associate definition, focusing on exceptions, as modified by the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p>Paragraph (4) of the modified definition outlines 4 exceptions (45 CFR 160.103, <em>Definitions</em>, as shown at 78 <em>Federal Register</em> 5688):</p>
<p>(4) <em>Business associate</em> does not include:</p>
<p>(i) A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.</p>
<p>(ii) A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that the requirements of 164.504(f) [<em>Standard:  Requirements for group health plans</em>] of this subchapter apply and are met.</p>
<p>(iii) A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law.</p>
<p>(iv) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement by virtue of such activities or services.</p>
<p>In general, these exclusions have been a part of the HIPAA Rules, but three have been moved from other parts of the Rules, as described below, to the definition, and wording has been tightened or modified (e.g., in (iii), <em>protected health information</em> has been substituted for <em>individually identifiable health information</em>). [78 <em>Federal Register</em> 5574]</p>
<p>Exception (iv) was part of the predecessor definition of <em>business associate</em> at 45 CFR 160.103(2), with slight changes in wording, but not substance.</p>
<p>The Final Rule discusses items (i)-(iii):  “Sections 164.308(b)(2) [<em>Standard:  Business associate contracts and other arrangements</em> “does not apply”] and 164.502(e)(1)(ii) [<em>Standard:  Disclosures to business associates</em> “does not apply”] of the HIPAA Rules currently describe certain circumstances, such as when a covered entity discloses protected health information to a health care provider concerning the treatment of an individual [i], in which a covered entity is not required to enter into a business associate contract or other arrangement with the recipient of the protected health information.  We proposed to [and did, in the Final Rule] move these provisions to the definition of ‘business associate’ itself as exceptions to make clear that the Department does not consider the recipients of the protected health information in these circumstances to be business associates.  The movement of these exceptions also was intended to help clarify that a person or an entity is a business associate if the person or entity meets the definition of ‘business associate,’ even if a covered entity, or business associate with respect to a subcontractor, fails to enter into the required business associate contract with the person or entity.”  [78 <em>Federal Register</em> 5574]</p>
<p>Tomorrow, we begin to examine new definitions in the Final Rule, and next week we look at modifications in the Final Rule regarding enforcement.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/02/hipaa-final-rule-modification-of-business-associate-definition-part-6-exceptions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  Modification of Business Associate Definition, Part (5)&#8211;Subcontractors</title>
		<link>http://www.hipaa.com/2013/02/hipaa-final-rule-modification-of-business-associate-definition-part-5-subcontractors/</link>
		<comments>http://www.hipaa.com/2013/02/hipaa-final-rule-modification-of-business-associate-definition-part-5-subcontractors/#comments</comments>
		<pubDate>Wed, 13 Feb 2013 19:54:08 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[activity]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[business associate contract]]></category>
		<category><![CDATA[CFR]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[conduit]]></category>
		<category><![CDATA[creates]]></category>
		<category><![CDATA[definition]]></category>
		<category><![CDATA[delegation]]></category>
		<category><![CDATA[discovered breach]]></category>
		<category><![CDATA[down the chain]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[function]]></category>
		<category><![CDATA[health care functions]]></category>
		<category><![CDATA[hierarchy of subcontractors]]></category>
		<category><![CDATA[HIPAA Final Rule]]></category>
		<category><![CDATA[HIPAA Security Rule]]></category>
		<category><![CDATA[implementation specification]]></category>
		<category><![CDATA[maintains]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[modification]]></category>
		<category><![CDATA[Organizational Requirements]]></category>
		<category><![CDATA[other arrangements]]></category>
		<category><![CDATA[person]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[reasonable and appropriate safeguard]]></category>
		<category><![CDATA[receives]]></category>
		<category><![CDATA[satisfactory assurances]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[service]]></category>
		<category><![CDATA[Subcontractor]]></category>
		<category><![CDATA[transmission services]]></category>
		<category><![CDATA[transmits]]></category>
		<category><![CDATA[workforce]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2869</guid>
		<description><![CDATA[February 13, 2013.  Today, we finish examining (3)—the third paragraph of four—of the business associate definition, as modified by the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.  Tomorrow, we conclude the discussion of business associate by looking at four categories of persons in paragraph (4) that are excluded as business associates.]]></description>
			<content:encoded><![CDATA[<p><strong>February 13, 2013</strong>.  Today, we finish examining (3)—the third paragraph of four—of the business associate definition, as modified by the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p>Here is the last of three parts of this paragraph:</p>
<p>“(3) <em>Business associate</em> includes:  (iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.”  [78 <em>Federal Register</em> 5688]</p>
<p><em>Predecessor Definition:</em> The HIPAA Security Rule <em>Organizational Requirements</em> at 45 CFR 164.314(a)(2)(i)(B), requires the following:</p>
<p>&#8220;(a) <em>Standard:  Business associate contracts or other arrangements</em>.  (2) <em>Implementation specifications </em>(Required).  (i) <em>Business associate contracts</em>.  The contract between a covered entity and a business associate must provide that the business associate will&#8211;  (B) Ensure that any agent, including subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it.&#8221; [<a href="http://www.ecfr.gov" target="_blank">www.ecfr.gov</a>]</p>
<p>There is no specificity as to the nature of the agreement or requirements between a business associate and subcontractor with respect to the implementation of “reasonable and appropriate safeguards.”</p>
<p><em>Modified Definition</em>:  The Final Rule explicitly defines a subcontractor as a business associate, and modified 45 CFR 164.314(a)(2)(iii) provides for the following:</p>
<p>(a) <em>Standard:  Business associate contracts or other arrangements</em>.  (2) <em>Implementation specifications</em> (Required).  “(iii) <em>Business associate contracts with subcontractors</em>.  The requirements of paragraphs (a)(2)(i) [<em>Business associate contracts</em>] and (a)(2)(ii) [<em>Other arrangements</em>] of this section apply to the contract or other arrangement between a business associate and a subcontractor required by 164.308(b)(3) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.”</p>
<p>Under the Final Rule modified definition, we have specificity with respect to the agreement and requirements:  implement the Security Rule as a business associate.</p>
<p>Under the Final Rule, the definition of subcontractor is added to 45 CFR 160.103:  <em>Definitions</em>, and is as follows:  “A subcontractor is a person to whom a business associate has delegated a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.”  [78 <em>Federal Register</em> 5689]  Again, as a reminder, as also defined at 45 CFR 160.103, <em>person</em> means “a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.”</p>
<p>The Final Rule goes on to clarify further:  “A subcontractor is then a business associate where that function, activity, or service involves the creation, receipt, maintenance, or transmission of protected health information.” … and “makes clear that a covered entity is not required to enter into a contract or other arrangement with a business associate that is a subcontractor.”  [78 <em>Federal Register</em> 5573]</p>
<p>As to “satisfactory assurances” that a subcontractor will appropriately safeguard protected health information, the Final Rule states:  “[C]overed entities must ensure that they obtain satisfactory assurances required by the Rules from their business associates, and business associates must do the same with regard to subcontractors, and so on, no matter how far ‘down the chain’ the information flows.  This ensures that individuals’ health information remains protected by all parties that create, receive, maintain, or transmit the information in order for a covered entity to perform its health care functions.  For example, a covered entity may contract with a business associate (contractor), the contractor may delegate to a subcontractor (subcontractor 1) one or more functions, services, or activities the business associate has agreed to perform for the covered entity that require access to protected health information, and the subcontractor may in turn delegate to another subcontractor (subcontractor 2) one or more functions, services, or activities it has agreed to perform for the contractor that require access to protected health information, and so on.  Both the contractor and all of the subcontractors are business associates under the final rule to the extent they create, receive, maintain, or transmit protected health information.”  [78 <em>Federal Register</em> 5574]</p>
<p>Finally, in light of the discussion earlier this week with respect to transmission services and conduits having an impact on a person who may or may not be deemed a business associate, the Final Rule notes:  “[T]he same interpretations that apply to determining whether a first tier contractor is a business associate also apply to determining whether a subcontractor is a business associate.  Thus, our interpretation of who is and is not excluded from the definition of business associate as a conduit also applies in the context of subcontractors as well.” [78 <em>Federal Register</em> 5574]</p>
<p>Here are several things to remember about subcontractors:</p>
<ul>
<li>Subcontractors are business associates to the extent they create, receive, maintain, or transmit protected health information.</li>
<li>Subcontractors are not business associates of the covered entity; they are business associates of the business associate that delegated the work to them.</li>
<li>If a subcontractor discovers a breach, the subcontractor reports it up the line through the hierarchy of subcontractors, if applicable, to the business associate that is the contractor to the covered entity, and it is the business associate contractor that reports the discovered breach to the covered entity.</li>
</ul>
<p>Tomorrow, we conclude the discussion of the business associate definition by looking at the four categories of persons that paragraph (4) excludes from it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/02/hipaa-final-rule-modification-of-business-associate-definition-part-5-subcontractors/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  Modification of Business Associate Definition, Part (4)&#8211;Personal Health Record Vendor</title>
		<link>http://www.hipaa.com/2013/02/hipaa-final-rule-modification-of-business-associate-definition-part-4-personal-health-record-vendor/</link>
		<comments>http://www.hipaa.com/2013/02/hipaa-final-rule-modification-of-business-associate-definition-part-4-personal-health-record-vendor/#comments</comments>
		<pubDate>Tue, 12 Feb 2013 15:25:51 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[access]]></category>
		<category><![CDATA[behalf of covered entities]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[conduit]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[data transmission services]]></category>
		<category><![CDATA[definition]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[electronic health record]]></category>
		<category><![CDATA[electronic means]]></category>
		<category><![CDATA[enrollee]]></category>
		<category><![CDATA[guidance]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HIPAA Final Rule]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[interoperability]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[modification]]></category>
		<category><![CDATA[patient]]></category>
		<category><![CDATA[personal health record]]></category>
		<category><![CDATA[personal health record vendor]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[Subcontractor]]></category>
		<category><![CDATA[written authorization]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2864</guid>
		<description><![CDATA[February 12, 2013.  Today, we examine the role of the personal health record vendor in paragraph (3)—the third paragraph of four—of the business associate definition, as modified by the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013. Tomorrow, we take up the third of three parts of paragraph (3) of the modified definition of business associate:  subcontractors.]]></description>
			<content:encoded><![CDATA[<p><strong>February 12, 2013</strong>.  Today, we examine the role of the personal health record vendor in paragraph (3)—the third paragraph of four—of the business associate definition, as modified by the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p>Here is the second of three parts of this paragraph, which is the subject of today’s post:</p>
<p>(3) <em>Business associate </em>includes:</p>
<p>“(ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.”  [78 <em>Federal Register</em> 5688]</p>
<p>Again, as a reminder, “business associate means, with respect to a covered entity, a <em>person</em>.”  [emphasis added]  As defined at 45 CFR 160.103, <em>person </em>means “a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.”</p>
<p>The Final Rule modified the definition of business associate to include explicitly a personal health record vendor, under certain conditions, in order to implement provisions of the HITECH Act, and it discusses the role of the personal health record vendor as follows:</p>
<p>“As with data transmission services [discussed in the February 11, 2013, post], determining whether a personal health record vendor is a business associate is a fact specific determination.  A personal health record vendor is not a business associate of a covered entity solely by virtue of entering into an interoperability relationship with a covered entity.  For example, when a personal health record vendor and a covered entity establish the electronic means for a covered entity’s electronic health record to send protected health information to the personal health record vendor pursuant to the individual’s written authorization, it does not mean that the personal health record vendor is offering the personal health record on behalf of the covered entity, even if there is an agreement between the personal health record vendor and the covered entity governing the exchange of data (such as an agreement specifying the technical specifications for exchanging of data or specifying that such data shall be kept confidential).  In contrast, when a covered entity hires a vendor to provide and manage a personal health record service the covered entity wishes to offer its patients or enrollees, and provides the vendor with access to protected health information in order to do so, the personal health record vendor is a business associate.</p>
<p>“A personal health record vendor may offer personal health records directly to individuals and may also offer personal health records on behalf of covered entities.  In such cases, the personal health record vendor is only subject to HIPAA as a business associate with respect to personal health records that are offered to individuals on behalf of covered entities.</p>
<p>“[A] personal health record vendor that offers a personal health record to a patient on behalf of a covered entity does not act merely as a conduit.  Rather, the personal health record vendor is maintaining protected health information on behalf of the covered entity (for the benefit of the individual).  Further, a personal health record vendor that operates a personal health record on behalf of a covered entity is a business associate if it has access to protected health information, regardless of whether the personal health record vendor actually exercises this access….  As with other aspects of the definition of ‘business associate,’ we intend to provide future guidance on when a personal health record vendor is a business associate for purposes of the HIPAA Rules.”  [78 <em>Federal Register</em> 5572]</p>
<p>Tomorrow, we take up the third of three parts of paragraph (3) of the modified definition of business associate:  subcontractors.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/02/hipaa-final-rule-modification-of-business-associate-definition-part-4-personal-health-record-vendor/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  Modification of Business Associate Definition, Part (3)</title>
		<link>http://www.hipaa.com/2013/02/hipaa-final-rule-modification-of-business-associate-definition-part-3/</link>
		<comments>http://www.hipaa.com/2013/02/hipaa-final-rule-modification-of-business-associate-definition-part-3/#comments</comments>
		<pubDate>Tue, 12 Feb 2013 02:35:12 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[access]]></category>
		<category><![CDATA[access on a routine basis]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[conduit]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[creates]]></category>
		<category><![CDATA[data storage]]></category>
		<category><![CDATA[data transmission services]]></category>
		<category><![CDATA[definition]]></category>
		<category><![CDATA[digital]]></category>
		<category><![CDATA[E-prescribing Gateway]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[electronic health information exchange]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Final rule]]></category>
		<category><![CDATA[guidance]]></category>
		<category><![CDATA[hard copy]]></category>
		<category><![CDATA[health information organization]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[infrequent basis]]></category>
		<category><![CDATA[maintains]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[modification]]></category>
		<category><![CDATA[person]]></category>
		<category><![CDATA[personal health record vendor]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[random access]]></category>
		<category><![CDATA[receives]]></category>
		<category><![CDATA[required by law]]></category>
		<category><![CDATA[routine basis]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[temporary storage]]></category>
		<category><![CDATA[transient versus persistent]]></category>
		<category><![CDATA[transmission]]></category>
		<category><![CDATA[transmits]]></category>
		<category><![CDATA[transmitted data]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2860</guid>
		<description><![CDATA[February 11, 2013.  Today, we start to examine (3)—the third paragraph of four—of the business associate definition, as modified by the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.  Tomorrow, we discuss personal health record vendors as business associates.]]></description>
			<content:encoded><![CDATA[<p><strong>February 11, 2013</strong>.  Today, we start to examine (3)—the third paragraph of four—of the business associate definition, as modified by the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p>Here is the first of three parts of this paragraph, (i), which is the subject of today’s post:</p>
<p>(3) <em>Business associate </em>includes:</p>
<p>“(i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.”  [78 <em>Federal Register</em> 5688]</p>
<p>Again, as a reminder, “business associate means, with respect to a covered entity, a <em>person</em>.”  [emphasis added]  As defined at 45 CFR 160.103, <em>person </em>means “a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.”</p>
<p>The Final Rule modified the definition of business associate to include explicitly each of the organizations listed above to conform with provisions of the HITECH Act.</p>
<p><em>Health Information Organization</em>.  According to the Final Rule:  “We decline to provide a definition for Health Information Organization.  We recognize that the industry continues to develop and thus the type of entities that may be considered Health Information Organizations continues to evolve.  For this reason, we do not think it prudent to include in the regulation a specific definition at this time.  We anticipate continuing to issue guidance in the future on our Web site on the types of entities that do and do not fall within the definition of business associate, which can be updated as the industry evolves.”  [78 <em>Federal Register</em> 5571]</p>
<p><em>Access on a routine basis</em>.  The Final Rule distinguishes between a business associate that requires <em>access on a routine basis</em> versus a <em>conduit</em> function or activity.  The Final Rule states:  “a determination will be fact specific based on the nature of the services provided and the extent to which the entity needs access to protected health information to perform the service for the covered entity.  The conduit exception is a narrow one … a conduit transports information but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by law…. Such occasional, random access to protected health information would not qualify [a] company as a business associate….We intend to issue further guidance in this area as electronic health information exchange continues to evolve.” [78 <em>Federal Register</em> 5571-5572]</p>
<p>The Final Rule discusses another critical difference:  “We note that the conduit exception is limited to transmission services (whether digital or hard copy), including any temporary storage of transmitted data incident to such transmission.  In contrast, an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information.  We recognize that in both situations, the entity providing the service to the covered entity has the opportunity to access the protected health information.  However, the difference between the two situations is the transient versus persistent nature of that opportunity.  For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis….  To help clarify this point, we have modified the definition of ‘business associate’ to generally provide that a business associate includes a person who ‘creates, receives, <em>maintains</em>, or transmits’ (emphasis added) protected health information on behalf of a covered entity.” [78 <em>Federal Register</em> 5572]</p>
<p>Tomorrow, we discuss personal health record vendors as business associates.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/02/hipaa-final-rule-modification-of-business-associate-definition-part-3/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  Modification of Business Associate Definition, Parts (1) &amp; (2)</title>
		<link>http://www.hipaa.com/2013/02/hipaa-final-rule-modification-of-business-associate-definition-parts-1-2/</link>
		<comments>http://www.hipaa.com/2013/02/hipaa-final-rule-modification-of-business-associate-definition-parts-1-2/#comments</comments>
		<pubDate>Sat, 09 Feb 2013 02:48:18 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[42 CFR 3.20]]></category>
		<category><![CDATA[45 CFR 160.103]]></category>
		<category><![CDATA[accounting]]></category>
		<category><![CDATA[accreditation]]></category>
		<category><![CDATA[activity]]></category>
		<category><![CDATA[actuarial]]></category>
		<category><![CDATA[benefit management]]></category>
		<category><![CDATA[billing]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[claims administration]]></category>
		<category><![CDATA[claims processing]]></category>
		<category><![CDATA[consulting]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[creates]]></category>
		<category><![CDATA[data aggregation]]></category>
		<category><![CDATA[data analysis]]></category>
		<category><![CDATA[definition]]></category>
		<category><![CDATA[Disclosure]]></category>
		<category><![CDATA[financial services]]></category>
		<category><![CDATA[function]]></category>
		<category><![CDATA[HIPAA Final Rule]]></category>
		<category><![CDATA[HIPAA rules]]></category>
		<category><![CDATA[Individually Identifiable Health Information]]></category>
		<category><![CDATA[legal]]></category>
		<category><![CDATA[maintains]]></category>
		<category><![CDATA[Modifications]]></category>
		<category><![CDATA[organized health care arrangement]]></category>
		<category><![CDATA[patient safety activities]]></category>
		<category><![CDATA[Patient Safety Organization]]></category>
		<category><![CDATA[Patient Safety Rule]]></category>
		<category><![CDATA[person]]></category>
		<category><![CDATA[practice management]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[PSQIA]]></category>
		<category><![CDATA[quality assurance]]></category>
		<category><![CDATA[receives]]></category>
		<category><![CDATA[repricing]]></category>
		<category><![CDATA[subchapter]]></category>
		<category><![CDATA[transmits]]></category>
		<category><![CDATA[utilization review]]></category>
		<category><![CDATA[workforce member]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2856</guid>
		<description><![CDATA[February 8, 2013.  Today, we examine (1) and (2)—the first two parts of four—of the business associate definition, as modified by the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.  Monday, we begin examination of the new provisions of the modified business associate definition in part (3) of 4 parts.]]></description>
			<content:encoded><![CDATA[<p>February 8, 2013.  Today, we examine (1) and (2)—the first two parts of four—of the business associate definition, as modified by the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p>As with its predecessor, the modified definition of business associate refers to “business associate means, with respect to a covered entity, a <em>person</em>.”  [emphasis added]  That’s legal lingo.  As defined at 45 CFR 160.103, <em>person </em>means “a natural person, trust or estate, partnership, corporation, professional association or corporation, or other entity, public or private.”</p>
<p>Here is the modified version of the first two parts of the business associate definition, with modifications underlined, followed by the complete predecessor version of the business associate definition.</p>
<p><strong><em>Modified Definition of Business Associate</em></strong></p>
<p>(1) Except as provided in paragraph (4) [Exceptions to Business Associate] of this definition, business associate means, with respect to a covered entity, a person who:</p>
<p>(i) On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, <span style="text-decoration: underline;">creates, receives, maintains, or transmits protected health information</span> for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, <span style="text-decoration: underline;">patient safety activities listed at 42 CFR 3.20</span>, billing, benefit management, practice management, and repricing; or</p>
<p>(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of <span style="text-decoration: underline;">protected health information</span> from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.</p>
<p>(2) A covered entity may be a business associate of another covered entity.</p>
<p><strong><em>Predecessor Definition of Business Associate</em></strong></p>
<p>(1) Except as provided in paragraph (2) of this definition, <em>business associate</em> means, with respect to a covered entity, a person who:</p>
<p>(i) On behalf of such covered entity or of an organized health care arrangement (as defined in § 164.501 of this subchapter) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:</p>
<p>(A) A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or</p>
<p>(B) Any other function or activity regulated by this subchapter; or</p>
<p>(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.</p>
<p>(2) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement, does not, simply through the performance of such function or activity or the provision of such service, become a business associate of other covered entities participating in such organized health care arrangement.</p>
<p>(3) A covered entity may be a business associate of another covered entity.</p>
<p>Here are three key modifications in (1) of the modified definition, aside from some wording rearrangement.</p>
<p>1.  “Individually identifiable health information” in the predecessor version is modified to “protected health information” in the modified version.  The reason for the modification:  “a business associate has no obligation under the HIPAA Rules with respect to individually identified health information that is not protected health information.” [78 <em>Federal Register</em> 5574]</p>
<p>2. “Performs, or assists in the performance of” in the predecessor version is modified to “creates, receives, maintains, or transmits protected health information” in the modified version.  The reason for the modification:  “to clarify that a business associate includes an entity that ‘creates, receives, maintains, or transmits’ protected health information on behalf of a covered entity.  This change is to make the definition more consistent with language at 164.308(b) [Security Rule <em>Business associate contracts and other arrangements</em> standard] and 164.502(e) [Privacy Rule <em>Disclosures to business associates</em> standard], as well as to clarify that entities that maintain or store protected health information on behalf of a covered entity are business associates, even if they do not actually view the protected health information.” [78 <em>Federal Register</em> 5574]</p>
<p>3. The modified version includes a new activity, <em>patient safety activities</em>, performed by an organization acting as a business associate:  a <em>Patient Safety Organization (PSO)</em>.  The Patient Safety and Quality Improvement Act of 2005 (PSQIA) “provides that PSOs must be treated as business associates when applying the Privacy Rule.  PSQIA provides for the establishment of PSOs to receive reports of patient safety events or concerns from providers and provide analyses of events to reporting providers.  A reporting provider may be a HIPAA covered entity and, thus, information reported to a PSO may include protected health information that the PSO may analyze on behalf of the covered provider.  The analysis of such information is a patient safety activity for purposes of PSQIA and the Patient Safety Rule, 42 CFR 3.10, et seq.  While the HIPAA Rules as written would treat a PSO as a business associate when the PSO was performing quality analyses and other activities on behalf of a covered health care provider, … this change to the definition of ‘business associate’ [is] to more clearly align the HIPAA and Patient Safety Rules.” [78 <em>Federal Register</em> 5570]</p>
<p>Finally, note that (2) in the modified version of the business associate definition is identical to (3) in the predecessor definition.  An example is a healthcare clearinghouse in a business associate role with a healthcare provider.</p>
<p>Monday, we begin examination of the new provisions of the modified business associate definition in part (3) of 4 parts.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/02/hipaa-final-rule-modification-of-business-associate-definition-parts-1-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  Business Associate Definition</title>
		<link>http://www.hipaa.com/2013/02/hipaa-final-rule-business-associate-definition/</link>
		<comments>http://www.hipaa.com/2013/02/hipaa-final-rule-business-associate-definition/#comments</comments>
		<pubDate>Fri, 08 Feb 2013 02:48:05 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[business associate definition]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[creates]]></category>
		<category><![CDATA[Disclosure]]></category>
		<category><![CDATA[E-presribing Gateway]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Genetic Information Nondiscrimination Act]]></category>
		<category><![CDATA[Health Care Provider]]></category>
		<category><![CDATA[health information organization]]></category>
		<category><![CDATA[HIPAA Final Rule]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[January 25 2013]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[Modifications]]></category>
		<category><![CDATA[organized health care arrangement]]></category>
		<category><![CDATA[patient safety]]></category>
		<category><![CDATA[plan sponsor]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[publication date]]></category>
		<category><![CDATA[receives]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[Subcontractor]]></category>
		<category><![CDATA[transmits]]></category>
		<category><![CDATA[workforce]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2853</guid>
		<description><![CDATA[February 7, 2013.  Today, we provide the business associate definition, as modified by the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.  HIPAA.com will discuss each of the 4 categories over the next five days, beginning tomorrow with (1) and (2).  Monday through Wednesday next week will focus on each of the three new categories in (3), and Thursday will conclude the discussion with (4), the business associate exclusions.]]></description>
			<content:encoded><![CDATA[<p><strong>February 7, 2013</strong>.  Today, we provide the business associate definition, as modified by the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p><em><span style="text-decoration: underline;">Business Associate</span></em>:  Definition (78 <em>Federal Register</em> 5688)&#8211;</p>
<p>“(1) Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:</p>
<p>(i) On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or</p>
<p>(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.</p>
<p>(2) A covered entity may be a business associate of another covered entity.</p>
<p>(3) <em>Business associate </em>includes:</p>
<p>(i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.</p>
<p>(ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.</p>
<p>(iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.</p>
<p>(4) <em>Business associate </em>does not include:</p>
<p>(i) A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.</p>
<p>(ii) A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that the requirements of § 164.504(f) of this subchapter apply and are met.</p>
<p>(iii) A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law.</p>
<p>(iv) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement by virtue of such activities or services.”</p>
<p>HIPAA.com will discuss each of the 4 categories over the next five days, beginning tomorrow with (1) and (2).  The discussion will be based on the presentation at 78 <em>Federal Register</em> 5570-5575.  Monday through Wednesday next week will focus on each of the three new categories in (3), and Thursday will conclude the discussion with (4), the business associate exclusions.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/02/hipaa-final-rule-business-associate-definition/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  Modified Rule for Business Associates and Subcontractors</title>
		<link>http://www.hipaa.com/2013/02/hipaa-final-rule-modified-rule-for-business-associates-and-subcontractors/</link>
		<comments>http://www.hipaa.com/2013/02/hipaa-final-rule-modified-rule-for-business-associates-and-subcontractors/#comments</comments>
		<pubDate>Thu, 07 Feb 2013 01:03:15 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Administrative Safeguard]]></category>
		<category><![CDATA[availability]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[business associate agreement]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[confidentiality]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[create]]></category>
		<category><![CDATA[DEPARTMENT OF HEALTH AND HUMAN SERVICES]]></category>
		<category><![CDATA[documentation]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[electronic protected health information]]></category>
		<category><![CDATA[guidance]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA Final Rule]]></category>
		<category><![CDATA[implementation specification]]></category>
		<category><![CDATA[integrity]]></category>
		<category><![CDATA[January 25 2013]]></category>
		<category><![CDATA[maintain]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[notifications]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[Office for Civil Rights]]></category>
		<category><![CDATA[other arrangement]]></category>
		<category><![CDATA[physical safeguard]]></category>
		<category><![CDATA[policies and procedures]]></category>
		<category><![CDATA[reasonable and appropriate]]></category>
		<category><![CDATA[receive]]></category>
		<category><![CDATA[Security Rule]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[Subcontractor]]></category>
		<category><![CDATA[Technical Safeguard]]></category>
		<category><![CDATA[transmit]]></category>
		<category><![CDATA[written contract]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2847</guid>
		<description><![CDATA[February 6, 2013.  Today, we cover the business associate Administrative Safeguard (b) of the Security Rule, as modified by the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.  Tomorrow, we present the Final Rule modified definition of Business Associate.]]></description>
			<content:encoded><![CDATA[<p><strong>February 6, 2013</strong>.  Today, we cover the business associate Administrative Safeguard (b) of the Security Rule, as modified by the Final Rule:  <a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a>, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p>HIPAA did not directly regulate business associates of covered entities.  Section 13401 of the HITECH Act statutorily changed that:  &#8220;The Security Rule’s administrative, physical, and technical safeguard requirements, and policies and procedures and documentation requirements were made applicable to business associates ‘in the same manner’ as they applied to covered entities, and business associates became civilly and criminally liable for violations of these provisions.”  [78 <em>Federal Register</em> 5589]  The Final Rule published on January 25, 2013, modified and extended federal regulatory enforcement, providing &#8220;direct liability for compliance with the Security Rule to business associates&#8221; rather than leaving covered entities to rely on &#8220;satisfactory assurances&#8221; in a business associate agreement, where a covered entity&#8217;s recourse, in the absence of an indemnification provision, was terminating the agreement.</p>
<p>The Final Rule notes that “the Security Rule currently requires a covered entity to establish a business associate agreement that requires business associates to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that they create, receive, maintain, or transmit on behalf of the covered entity as required by the Security Rule; and to ensure that any agent, including subcontractor, to whom they provide such information agrees to implement reasonable and appropriate safeguards to protect it.”  [78 <em>Federal Register</em> 5589]  The Final Rule defines <em>subcontractor</em> as “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.”  [78 <em>Federal Register</em> 5689]</p>
<p>In the Final Rule, “a covered entity is not required to enter into a business associate agreement with a subcontractor; rather, this is the obligation of the business associate that has engaged subcontractor to perform a function or service that involves the use or disclosure of protected health information.” [78 <em>Federal Register</em> 5590]  “To ensure appropriate and strong security protections for electronic protected health information, subcontractors are required to comply with the Security Rule to the same extent as business associates with a direct relationship with a covered entity.”  With respect to notification of a discovered breach, a subcontractor would notify the business associate, who would in turn notify the covered entity for carrying out further notifications, as applicable.</p>
<p>The Final Rule provides new language pertaining to the relationship between the covered entity and business associate, and between the business associate and a subcontractor under the modified Security Rule Administrative Safeguards:</p>
<p>(b)(1) <strong><em>Business associate contracts and other arrangements</em></strong><em>. </em>A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.</p>
<p>(2) A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with § 164.314(a), that the subcontractor will appropriately safeguard the information.</p>
<p>(3) <em>Implementation specifications: Written contract or other arrangement (Required). </em>Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a).</p>
<p>On January 25, 2013, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) launched a <a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html" target="_blank">Business Associate Contract Web site</a> with <em>Sample Business Associate Agreement Provisions </em>that provides guidance to covered entities on preparing an appropriate business associate agreement with required provisions.</p>
<p>Tomorrow, we present the Final Rule modified definition of Business Associate.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/02/hipaa-final-rule-modified-rule-for-business-associates-and-subcontractors/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  Security Standards, General Rules &amp; Administrative Safeguard Modifications</title>
		<link>http://www.hipaa.com/2013/02/hipaa-final-rule-security-standards-general-rules-administrative-safeguard-modifications/</link>
		<comments>http://www.hipaa.com/2013/02/hipaa-final-rule-security-standards-general-rules-administrative-safeguard-modifications/#comments</comments>
		<pubDate>Tue, 05 Feb 2013 23:35:41 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Access Establishment and Modification]]></category>
		<category><![CDATA[addressable]]></category>
		<category><![CDATA[administrative safeguards]]></category>
		<category><![CDATA[alternative measure]]></category>
		<category><![CDATA[availability]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[business associate contracts and other arrangements]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[confidentiality]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[documentation]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[electronic protected health information]]></category>
		<category><![CDATA[equipped]]></category>
		<category><![CDATA[flexibility of approach]]></category>
		<category><![CDATA[general requirements]]></category>
		<category><![CDATA[General Rules]]></category>
		<category><![CDATA[Genetic Information Nondiscrimination Act]]></category>
		<category><![CDATA[HIPAA Privacy]]></category>
		<category><![CDATA[HIPAA Security Rule]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[implementation specifications]]></category>
		<category><![CDATA[integrity]]></category>
		<category><![CDATA[January 25 2013]]></category>
		<category><![CDATA[maintenance]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[Modifications]]></category>
		<category><![CDATA[other arrangement]]></category>
		<category><![CDATA[physical safeguards]]></category>
		<category><![CDATA[policies and procedures]]></category>
		<category><![CDATA[potential risks]]></category>
		<category><![CDATA[reasonable and appropriate]]></category>
		<category><![CDATA[Response and Reporting]]></category>
		<category><![CDATA[Risk Analysis]]></category>
		<category><![CDATA[sanction policy]]></category>
		<category><![CDATA[Security Standards]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[Standards]]></category>
		<category><![CDATA[technical safeguards]]></category>
		<category><![CDATA[termination procedures]]></category>
		<category><![CDATA[workforce]]></category>
		<category><![CDATA[workforce security]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2836</guid>
		<description><![CDATA[February 5, 2013.  Today, we cover the modifications to Security Standards:  General Rules, and Administrative Safeguards in the HIPAA Security Rule, as modified by the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.  Tomorrow, we examine modifications relating to Administrative Safeguards (b):  Business associate contracts and other arrangements.]]></description>
			<content:encoded><![CDATA[<p>February 5, 2013.  Today, we cover the modifications to <em>Security Standards:  General Rules</em>, and <em>Administrative Safeguards </em>in the HIPAA Security Rule, as modified by the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the <em>Federal Register</em> on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p><em>Security Standards:  General Rules</em>.  The five General Rules govern how the administrative, physical, and technical safeguards are implemented by covered entities, and, as modified, by business associates.  They are, where Final Rule modified wording is underlined:</p>
<p>(a) <strong>General Requirements</strong>:  Covered entities <span style="text-decoration: underline;">and business associates</span> must do the following:</p>
<p>(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity <span style="text-decoration: underline;">or business associate</span> creates, receives, maintains, or transmits.</p>
<p>(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.</p>
<p>(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the HIPAA Privacy Rule [as modified].</p>
<p>(4) Ensure compliance with the HIPAA Security Rule by its workforce.</p>
<p>(b) <strong>Flexibility of Approach</strong>:  (1) Covered entities <span style="text-decoration: underline;">and business associates</span> may use any security measures that allow the covered entity <span style="text-decoration: underline;">or business associate</span> to reasonably and appropriately implement the standards and implementation specifications as specified in the HIPAA Security Rule.</p>
<p>(2) In deciding which security measures to use, a covered entity <span style="text-decoration: underline;">or business associate</span> must take into account the following factors:</p>
<p>(i) The size, complexity, and capabilities of the covered entity <span style="text-decoration: underline;">or business associate</span>.</p>
<p>(ii) The covered entity&#8217;s <span style="text-decoration: underline;">or the business associate&#8217;s</span> technical infrastructure, hardware, and software security capabilities.</p>
<p>(iii) The costs of security measures.</p>
<p>(iv) The probability and criticality of potential risks to electronic protected health information.</p>
<p>(c) <strong>Standards</strong>.  A covered entity <span style="text-decoration: underline;">or business associate</span> must comply with the applicable standards as provided in this section and in 164.308 (Administrative safeguards), 164.310 (Physical safeguards), 164.312 (Technical safeguards), 164.314 (Organizational requirements), and 164.316 (Policies and procedures and documentation requirements) with respect to all electronic protected health information.</p>
<p>(d) <strong>Implementation Specifications</strong>.  In the HIPAA Security Rule&#8211;</p>
<p>(1) Implementation specifications are required or addressable.  If an implementation specification is required, the word <em>Required</em> appears in parentheses after the title of the implementation specification.  If an implementation specification is addressable, the word <em>Addressable</em> appears in parentheses after the title of the implementation specification.</p>
<p>(2) When a standard adopted in 164.308, 164.310, 164.312, 164.314, or 164.316, includes required implementation specifications, a covered entity <span style="text-decoration: underline;">or business associate</span> must implement the implementation specifications.</p>
<p>(3) When a standard adopted in 164.308, 164.310, 164.312, 164.314, or 164.316, includes addressable implementation specifications, a covered entity <span style="text-decoration: underline;">or business associate</span> must&#8211;</p>
<p>(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information; and</p>
<p>(ii) As applicable to the covered entity <span style="text-decoration: underline;">or business associate</span>&#8211;</p>
<p>(A) Implement the implementation specification if reasonable and appropriate; or</p>
<p>(B) If implementing the implementation specification is not reasonable and appropriate&#8211;</p>
<p>(<em>1</em>) Document why it would not be reasonable and appropriate to implement the implementation specification; and</p>
<p>(<em>2</em>) Implement an equivalent alternative measure if reasonable and appropriate.</p>
<p>(e) <strong>Maintenance</strong>.  A covered entity <span style="text-decoration: underline;">or business associate</span> must review and modify the security measures implemented under the HIPAA Security Rule as needed to continue provision of reasonable and appropriate protection of electronic protected health information, and update as needed documentation of such security measures in response to environmental or operational changes affecting the security of the ePHI [i.e., in accordance with 45 CFR 164.316(b)(2)(iii) of the required <em>Updates </em>implementation specification of the <em>Documentation</em> standard].</p>
<p>As shown by the underlinings, the <em>General Rule </em>modifications require compliance by business associates by September 23, 2013.  Compliance for covered entities began on April 20, 2005, except for small health plans, which had an extra year to comply.  Apart from a rewording of (e) Maintenance, the substance of the <em>General Rules</em> was not modified other than to extend applicability to business associates.</p>
<p><em>Administrative Safeguard Modifications (a). </em>There are eight standards in (a).  As discussed in yesterday&#8217;s post, the introductory text was modified to include business associates:  &#8220;A covered entity <span style="text-decoration: underline;">or business associate</span> must, in accordance with 164.306 [<em>Security Standards:  General Rules</em>, as modified].&#8221;  We show only the modifications below for each of the eight standards, with modifications underlined.</p>
<p>(1)(i) Standard:  Security Management Process</p>
<p>(ii) Implementation specifications</p>
<p>(A) <em>Risk analysis (Required)</em>.  Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity <span style="text-decoration: underline;">or business associate</span>.</p>
<p>(C) <em>Sanction policy (Required)</em>.  Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity <span style="text-decoration: underline;">or business associate</span>.</p>
<p>(2) Standard:  Assigned Security Responsibility.  Identify the security official who is responsible for the development and implementation of the policies and procedures required by the HIPAA Security Rule for the <span style="text-decoration: underline;">covered</span> entity <span style="text-decoration: underline;">or business associate</span>.</p>
<p>(3)(i) Standard:  Workforce Security</p>
<p>(ii) Implementation specifications</p>
<p>(C) <em>Termination procedures (Addressable)</em>.  Implement procedures for terminating access to electronic protected health information when the employment of<span style="text-decoration: underline;">, or other arrangement with,</span> a workforce member ends or as required by determinations made as specified in the preceding addressable implementation specification, <em>Workforce clearance procedure </em>[paragraph (a)(3)(ii)(B)].</p>
<p>(4)(i) Standard:  Information access management</p>
<p>(ii) Implementation specifications</p>
<p>(C) <em>Access establishment and modification (Addressable)</em>.  Implement policies and procedures that, based upon the <span style="text-decoration: underline;">covered</span> entity&#8217;s <span style="text-decoration: underline;">or the business associate&#8217;s</span> access authorization policies, establish, document, review, and modify a user&#8217;s right of access to a workstation, transaction, program, or process.</p>
<p>(5) Standard:  Security Awareness and Training&#8211;No modification</p>
<p>(6)(i) Standard:  Security Incident Procedures</p>
<p>(ii) Implementation specification&#8211;<em>Response and reporting (Required)</em>. Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity <span style="text-decoration: underline;">or business associate</span>; and document security incidents and their outcomes.</p>
<p>(7) Standard:  Contingency plan&#8211;No modification</p>
<p>(8) Standard:  Evaluation.  Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a <span style="text-decoration: underline;">covered</span> entity&#8217;s <span style="text-decoration: underline;">or business associate&#8217;s</span> security policies and procedures meet the requirements of the HIPAA Security Rule.</p>
<p>With one exception, the modifications in Administrative Safeguards (a) extend applicability to business associates and, in a few instances, as underlined, clarify that &#8220;entity&#8221; meant &#8220;covered entity.&#8221;  The exception relates to &#8220;or other arrangement with&#8221; in the <em>Termination procedures </em>implementation specification of the Workforce Security Standard (a)(3)(i).  The Final Rule states:  &#8220;The final rule adopts the proposed modifications to 164.308.  We proposed a technical change to (a)(3)(ii)(C) regarding security termination procedures for workforce members&#8230;in recognition of the fact that not all workforce members are employees (e.g., some may be volunteers) of a covered entity or business associate.&#8221; [78 <em>Federal Register</em> 5590]</p>
<p>Tomorrow, we examine modifications relating to Administrative Safeguards (b):  <em>Business associate contracts and other arrangements</em>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/02/hipaa-final-rule-security-standards-general-rules-administrative-safeguard-modifications/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Final HIPAA Rule:  Security Statutory Authority and Direct Regulation of Business Associates</title>
		<link>http://www.hipaa.com/2013/02/final-hipaa-rule-security-statutory-authority-and-direct-regulation-of-business-associates/</link>
		<comments>http://www.hipaa.com/2013/02/final-hipaa-rule-security-statutory-authority-and-direct-regulation-of-business-associates/#comments</comments>
		<pubDate>Tue, 05 Feb 2013 01:52:03 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Administrative Safeguard]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[business associate agreement]]></category>
		<category><![CDATA[business associate contract]]></category>
		<category><![CDATA[civil and criminal penalties]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[control access]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[direct regulation]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[electronic information systems]]></category>
		<category><![CDATA[electronic protected health information]]></category>
		<category><![CDATA[Final HIPAA Rule]]></category>
		<category><![CDATA[General Rules]]></category>
		<category><![CDATA[genetic information]]></category>
		<category><![CDATA[GINA]]></category>
		<category><![CDATA[HIPAA enforcement]]></category>
		<category><![CDATA[HIPAA Privacy]]></category>
		<category><![CDATA[HIPAA security]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[January 25 2013]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[Modifications]]></category>
		<category><![CDATA[natural and environmental hazards]]></category>
		<category><![CDATA[other arrangement]]></category>
		<category><![CDATA[physical safeguard]]></category>
		<category><![CDATA[related buildings and equipment]]></category>
		<category><![CDATA[security provision]]></category>
		<category><![CDATA[Security Standards]]></category>
		<category><![CDATA[security statutory authority]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[Social Security Act]]></category>
		<category><![CDATA[statutory language]]></category>
		<category><![CDATA[Technical Safeguard]]></category>
		<category><![CDATA[unauthorized intrusion]]></category>
		<category><![CDATA[violation]]></category>
		<category><![CDATA[workforce]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2829</guid>
<description><![CDATA[February 4, 2013.  Today, we cover the security safeguards of the HIPAA Security Rule, as modified by the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.  Tomorrow, we examine modifications to Security Standards:  General Rules and to Administrative Safeguards (a).]]></description>
<content:encoded><![CDATA[<p><strong>February 4, 2013</strong>.  Today, we cover the security safeguards of the HIPAA Security Rule, as modified by the Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules</a></em>, which was published in the <em>Federal Register</em> on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.</p>
<p>The statutory authority for applicability of the HIPAA Security Rule is in Section 13401 of the HITECH Act (123 STAT. 262):  <em>Application of Security Provisions and Penalties to Business Associates of Covered Entities</em></p>
<p>(a) Application of Security Provisions.&#8211;Sections 164.308 (Administrative Safeguards), 164.310 (Physical Safeguards), 164.312 (Technical Safeguards), and 164.316 (Policies and Procedures and Documentation Requirements) of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity.  The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.</p>
<p>(b) Application of Civil and Criminal Penalties.&#8211;In the case of a business associate that violates any security provision specified in subsection (a), sections 1176 and 1177 of the Social Security Act (42 USC 1320d-5, 1320d-6) shall apply to the business associate with respect to such violation in the same manner such sections apply to a covered entity that violates such security provision.</p>
<p>We focus on (a) in this post, and will discuss (b) later in this series of posts when we discuss Enforcement.</p>
<p>In general, the Final Rule&#8217;s HITECH Act modifications to the HIPAA Security Rule were as stated in the statutory language above:  business associates are directly regulated by the federal government in a manner similar to that of covered entities.  Previously, the business associate provided &#8220;satisfactory assurances&#8221; in the business associate contract, so enforcement was contractual, via the covered entity, rather than through direct federal regulation.  Today, we look at modifications to the definitions of administrative, physical, and technical safeguards.  Tomorrow, we look at the change in language in the administrative safeguards (a)(1)-(8), and Wednesday the change in language for administrative safeguard (b):  <em>Business associate contracts and other arrangements</em>.</p>
<p>First, the introductory texts of 164.308, 164.310, and 164.312, as noted above in (a) with respect to application, were changed to include &#8220;business associate,&#8221; so each reads the same:  &#8220;A covered entity or business associate, in accordance with 45 CFR 164.306:&#8221; where 164.306 is <em>Security Standards:  General Rules</em>.  We will cover modifications to 164.306 tomorrow.</p>
<p>Next, the language of the standards and implementation specifications for the Physical Safeguards (164.310) and Technical Safeguards (164.312) was not modified in the Final Rule, but the modification of the introductory text requires business associates to comply, and to document compliance, with them, as well as with the Administrative Safeguards (164.308), where in some standards &#8220;business associate&#8221; is included in the regulatory language, as we will show tomorrow.</p>
<p>Finally, the definitions of Administrative Safeguards and Physical Safeguards are modified to include &#8220;business associate,&#8221; whereas the Technical Safeguard definition is not modified.</p>
<p><em>Definitions </em>(modifications are <span style="text-decoration: underline;">underlined</span>)</p>
<p><em>Administrative safeguards</em> are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity&#8217;s <span style="text-decoration: underline;">or business associate&#8217;s</span> workforce in relation to the protection of that information.</p>
<p><em>Physical safeguards</em> are physical measures, policies, and procedures to protect a covered entity&#8217;s <span style="text-decoration: underline;">or business associate&#8217;s</span> electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.</p>
<p><em>Technical safeguards</em> means the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.</p>
<p>Tomorrow, <em>Security Standards:  General Rules</em> and <em>Administrative Safeguards</em> (a).</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/02/final-hipaa-rule-security-statutory-authority-and-direct-regulation-of-business-associates/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule: Business Associate Notification Timing, Policy and Procedure Updates, Retraining, and Documentation</title>
		<link>http://www.hipaa.com/2013/02/hipaa-final-rule-business-associate-notification-timing-policy-and-procedure-updates-retraining-and-documentation/</link>
		<comments>http://www.hipaa.com/2013/02/hipaa-final-rule-business-associate-notification-timing-policy-and-procedure-updates-retraining-and-documentation/#comments</comments>
		<pubDate>Fri, 01 Feb 2013 20:43:44 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Administrative Requirements]]></category>
		<category><![CDATA[agent]]></category>
		<category><![CDATA[breach notification rule]]></category>
		<category><![CDATA[burden of proof]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[business associate agreement]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[discovery]]></category>
		<category><![CDATA[documentation]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[Federal common law of agency]]></category>
		<category><![CDATA[general rule]]></category>
		<category><![CDATA[GINA]]></category>
		<category><![CDATA[HHS Secretary]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HIPAA enforcement]]></category>
		<category><![CDATA[HIPAA PRIVACY RULE]]></category>
		<category><![CDATA[HIPAA Security Rule]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[Interim Final Rule]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[Modifications]]></category>
		<category><![CDATA[notification]]></category>
		<category><![CDATA[Office for Civil Rights]]></category>
		<category><![CDATA[policies and procedures]]></category>
		<category><![CDATA[preamble]]></category>
		<category><![CDATA[reasonable diligence]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[sample business associate agreement provisions]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[standard]]></category>
		<category><![CDATA[Timing]]></category>
		<category><![CDATA[trained]]></category>
		<category><![CDATA[unsecured protected health information]]></category>
		<category><![CDATA[without unreasonable delay]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2820</guid>
		<description><![CDATA[February 1, 2013.  Today, we wrap up discussion of breach notification in the Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules.  The Final Rule is effective on March 26, 2013, and requires compliance by covered entities and business associates on September 23, 2013.  The focus is on timing of reporting a breach by a business associate to a covered entity, and, because the definition of breach was modified in the Final Rule, on the requirements to update policies and procedures, retrain the workforce on those updated policies and procedures, and document all breach characteristics and notifications.]]></description>
			<content:encoded><![CDATA[<p><strong>February 1, 2013</strong>.  Today, we wrap up discussion of breach notification in the Final Rule: <a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank"> <em>Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules</em></a>.  The Final Rule is effective on March 26, 2013, and requires compliance by covered entities and business associates on September 23, 2013.  The focus is on timing of reporting a breach by a business associate to a covered entity, and, because the definition of breach was modified in the Final Rule, on the requirements to update policies and procedures, retrain the workforce on those updated policies and procedures, and document all breach characteristics and notifications.</p>
<p><em>Notification by a Business Associate</em>.  There was only a &#8220;technical and non-substantive correction&#8221; in 45 CFR 164.410:  <em>Notification by a Business Associate</em>.  [78 <em>Federal Register</em> 5656].  Here is the <em>Standard [164.410(a)]</em> from the Final Rule:</p>
<p>&#8220;(1) <em>General Rule</em>.  A business associate shall, following discovery of a breach of unsecured protected health information, notify the covered entity of such breach.</p>
<p>&#8220;(2) <em>Breaches treated as discovered</em>.  For purposes of paragraph (a)(1) of this section, a breach shall be treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate.  A business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate (determined in accordance with the Federal common law of agency).&#8221; [78 <em>Federal Register</em> 5695]</p>
<p>Here is an important point from the Final Rule regarding timing and discovery:  &#8220;Section 164.410(b) requires that a business associate provide notice of a breach of unsecured protected health information to a covered entity without unreasonable delay and in no case later than 60 days following the discovery of a breach.  With respect to timing, if a business associate is acting as an agent of a covered entity, then, pursuant to 164.404(a)(2) [<em>Notification to individuals:  breaches treated as discovered</em>], the business associate&#8217;s discovery of the breach will be imputed to the covered entity.  In such circumstances, the covered entity must provide notifications under 164.404(a) [to individuals] based on the time the business associate discovers the breach, not from the time the business associate notifies the covered entity.  In contrast, if the business associate is not an agent of the covered entity, then the covered entity is required to provide notification based on the time the business associate notifies the covered entity of the breach.  We encouraged [in the 2009 discussion of the interim final rule] covered entities and business associates to address the timing of this notification in their business associate contracts.&#8221; [78 <em>Federal Register</em> 5655] &#8220;Because of the agency implications on the timing of breach notifications, we encourage covered entities to discuss and define in their business associate agreements the requirements regarding how, when, and to whom a business associate should notify the covered entity of a potential breach.&#8221; [78 <em>Federal Register</em> 5656]  Consult with your organization&#8217;s attorney on defining any agency role and timing in the business associate agreement, and, for guidance on the business associate agreement, also visit the Office for Civil Rights (OCR) Web site: <em><a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html" target="_blank">Business Associate Contract&#8211;Sample Business Associate Agreement Provisions</a></em>, published January 25, 2013.</p>
<p><em>Administrative Requirements and Burden of Proof</em>.  45 CFR 164.414 was not modified in the Final Rule.  Nevertheless, the preamble makes two important points:</p>
<p>With respect to administrative requirements, &#8220;[w]e emphasize the importance of ensuring that all workforce members are appropriately trained and knowledgeable about what constitutes a breach and on the policies and procedures for reporting, analyzing, and documenting a possible breach of unsecured protected health information.  We note that because this final rule modifies the definition of breach as stated in the interim final rule, covered entities will need to update their policies and procedures and retrain workforce members as necessary to reflect such modifications.&#8221;  [78 <em>Federal Register</em> 5657-5658]  This applies to business associates as well.  Remember, your organization will have 180 days between the effective date of the Final Rule, March 26, 2013, and the compliance date of the Final Rule, September 23, 2013, to update policies and procedures and retrain your workforce members on all of the modifications in the Final Rule.  For assistance on training, visit <a href="http://www.hipaaschool.com" target="_blank">HIPAA School</a>; if you are a member of the American Medical Association, visit <a href="http://ama.hipaaschool.com" target="_blank">AMA HIPAA School</a>.</p>
<p>With respect to burden of proof, &#8220;section 13402 of the [HITECH Act] places the burden of proof on a covered entity or business associate, if applicable, to demonstrate that all notifications were made as required. Therefore, section 45 CFR 164.530(j)(1)(iv) [of the HIPAA Privacy Rule] requires covered entities to maintain documentation to meet this burden of proof.  This includes documentation that all required notifications have been provided or that no breach occurred and notification was not necessary.  If a covered entity&#8217;s determination with respect to whether a breach occurred is called into question, the covered entity should produce the documentation that demonstrates the reasonableness of its conclusions based on the findings of its risk assessment.&#8221; [78 <em>Federal Register</em> 5658]  Remember, the burden is on the covered entity&#8211;not the business associate&#8211;to report the particulars of the breach and notifications to the HHS Secretary on the OCR Web site:  <em><a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html" target="_blank">Instructions for Submitting Notice of a Breach to the Secretary</a></em>.</p>
<p><em>Next week, we take up modifications to the Security Rule.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/02/hipaa-final-rule-business-associate-notification-timing-policy-and-procedure-updates-retraining-and-documentation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  More on Breach Notification Rule Changes</title>
		<link>http://www.hipaa.com/2013/01/hipaa-final-rule-more-on-breach-notification-rule-changes/</link>
		<comments>http://www.hipaa.com/2013/01/hipaa-final-rule-more-on-breach-notification-rule-changes/#comments</comments>
		<pubDate>Fri, 01 Feb 2013 01:31:59 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[American Samoa]]></category>
		<category><![CDATA[breach definition]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[calendar year]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[delegate]]></category>
		<category><![CDATA[discovered]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[fewer than 500 individuals]]></category>
		<category><![CDATA[Final rule]]></category>
		<category><![CDATA[guidance]]></category>
		<category><![CDATA[harm standard]]></category>
		<category><![CDATA[HIPAA Enforcment]]></category>
		<category><![CDATA[HIPAA Privacy]]></category>
		<category><![CDATA[HIPAA security]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[immediately]]></category>
		<category><![CDATA[impermissible use or disclosure]]></category>
		<category><![CDATA[jurisdiction]]></category>
		<category><![CDATA[limited data set]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[methods of individual notification]]></category>
		<category><![CDATA[modification]]></category>
		<category><![CDATA[Northern Mariana Islands]]></category>
		<category><![CDATA[notice to the media]]></category>
		<category><![CDATA[notification to media]]></category>
		<category><![CDATA[notification to the Secretary]]></category>
		<category><![CDATA[objective factors]]></category>
		<category><![CDATA[occurred]]></category>
		<category><![CDATA[preamble]]></category>
		<category><![CDATA[press release]]></category>
		<category><![CDATA[probability standard]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[secured protected health information]]></category>
		<category><![CDATA[Security Rule]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[State]]></category>
		<category><![CDATA[state or jurisdiction]]></category>
		<category><![CDATA[unsecured protected health information]]></category>
		<category><![CDATA[Web site]]></category>
		<category><![CDATA[without unreasonable delay]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2812</guid>
		<description><![CDATA[January 31, 2013.  Today, we briefly identify key changes or reminders regarding breach notification in the preamble of the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, published in the Federal Register on January 25, 2013.  The Final Rule becomes effective March 26, 2013 and requires compliance by covered entities and business associates on September 23, 2013.  Earlier this week, we examined the changed definition of breach, the substitution of the "probability standard" for the current "harm standard" underpinning a risk assessment to determine if unsecured protected health information has been compromised by impermissible use or disclosure such that a breach notification is required, and the importance of the Guidance in securing protected health information.  Tomorrow, we wrap up discussion of the breach notification rule.  Next week, February 4-8, HIPAA.com looks at the modifications to the Security Rule.]]></description>
			<content:encoded><![CDATA[<p><strong>January 31, 2013</strong>.  Today, we briefly identify key changes or reminders regarding breach notification in the preamble of the Final Rule: <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules</a></em>, published in the <em>Federal Register</em> on January 25, 2013.  The Final Rule becomes effective March 26, 2013 and requires compliance by covered entities and business associates on September 23, 2013.  Earlier this week, we examined the changed definition of <em>breach</em>, the substitution of the &#8220;probability standard&#8221; for the current &#8220;harm standard&#8221; underpinning a risk assessment to determine if unsecured protected health information has been compromised by impermissible use or disclosure such that a breach notification is required, and the importance of the <em>Guidance</em> in securing protected health information.</p>
<p><em>Limited Data Sets</em>.  &#8220;In addition to the removal of the harm standard and the creation of more objective factors to evaluate the probability that protected health information has been compromised, we have removed the exception for limited data sets that do not contain any dates of birth and zip codes.  In the final rule, following the impermissible use or disclosure of any limited data set, a covered entity or business associate must perform a risk assessment that evaluates the factors discussed [earlier this week] to determine if breach notification is not required.&#8221; [78 <em>Federal Register</em> 5644]</p>
<p><em>Notification to Individuals</em>.  This standard is not modified, but the Final Rule makes the following point with respect to implementation specification (d): <em>Methods of individual notification</em>&#8211;&#8220;In response to questions raised with respect to a breach at or by a business associate, we note that the covered entity ultimately maintains the obligation to notify affected individuals of the breach under <em>Notification to Individuals</em>, although a covered entity is free to delegate the responsibility to the business associate that suffered the breach or to another of its business associates&#8230;. Covered entities and business associates should consider which entity is in the best position to provide notice to the individual, which may depend on various circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual.&#8221;  [78 <em>Federal Register</em> 5650-5651]</p>
<p><em>Notification to Media</em>.  With a minor change that aligns the definition of &#8220;State&#8221; [American Samoa and Northern Mariana Islands] with the HIPAA Rules, and not germane herein for discussion, the Final Rule does point out this caution:  &#8220;We also emphasize that posting a press release regarding a breach [involving 500 or more residents of a State or jurisdiction] of unsecured protected health information on the home page of the covered entity&#8217;s Web site will not fulfill the obligation to provide notice to the media (although covered entities are free to post a press release regarding a breach on their Web site).  To fulfill this obligation, notification, which may be in the form of a press release, must be provided directly to prominent media outlets serving the State or jurisdiction where the affected individuals reside.&#8221;  [78 <em>Federal Register</em> 5653]</p>
<p><em>Notification to the Secretary</em>.  There is one modification that focuses on breaches &#8220;discovered&#8221; in a calendar year as opposed to &#8220;occurred&#8221; in a calendar year.  &#8220;The modification clarifies that covered entities are required to notify the Secretary of all breaches of unsecured protected health information affecting fewer than 500 individuals not later than 60 days after the end of the calendar year in which the breaches were &#8216;discovered,&#8217; not in which the breaches &#8216;occurred.&#8217;&#8221;  [78 <em>Federal Register</em> 5654].  Here is a reminder:  &#8220;Although covered entities need only provide notification to the Secretary of breaches involving less than 500 individuals annually, they must still provide notification of such breaches to affected individuals without unreasonable delay and not later than 60 days after discovery of the breach pursuant to 45 CFR 164.404 [<em>Notification to Individuals</em>].&#8221; [78 <em>Federal Register</em> 5654]  Finally, another Final Rule reminder for large breaches:  &#8220;With respect to breaches involving 500 or more individuals, we interpreted the term &#8216;immediately&#8217; in the statute to require notification be sent to the Secretary concurrently with the notification sent to the individual under 45 CFR 164.404 [<em>Notification to Individuals</em>] (i.e., without unreasonable delay but in no case later than 60 calendar days following discovery of a breach.)&#8221;  [78 <em>Federal Register</em> 5653]  For more on notification, visit the HHS <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html" target="_blank"><em>Notification to the Secretary</em> Web site</a>:  &#8220;Instructions for Submitting Notice of a Breach to the Secretary.&#8221;</p>
<p>Tomorrow, we wrap up discussion of the breach notification rule.  Next week, HIPAA.com looks at the modifications to the Security Rule.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/01/hipaa-final-rule-more-on-breach-notification-rule-changes/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  Breach Notification Guidance Safe Harbor</title>
		<link>http://www.hipaa.com/2013/01/hipaa-final-rule-breach-notification-guidance-safe-harbor/</link>
		<comments>http://www.hipaa.com/2013/01/hipaa-final-rule-breach-notification-guidance-safe-harbor/#comments</comments>
		<pubDate>Wed, 30 Jan 2013 23:21:15 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[GINA]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[covered entity business associate]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Final rule]]></category>
		<category><![CDATA[guidance]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[impermissible use or disclosure]]></category>
		<category><![CDATA[Interim Final Rule]]></category>
		<category><![CDATA[Modifications]]></category>
		<category><![CDATA[Public Law 111-5]]></category>
		<category><![CDATA[safe harbor]]></category>
		<category><![CDATA[technologies and methodologies]]></category>
		<category><![CDATA[unauthorized persons]]></category>
		<category><![CDATA[unsecured protected health information]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2803</guid>
		<description><![CDATA[January 30, 2013.  Today, we look at the definition of unsecured protected health information and the Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals ["Guidance"] as discussed in the January 25, 2013 Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act [HITECH Act]; Other Modifications to the HIPAA Rules.  The Final Rule becomes effective on March 26, 2013, and requires compliance by covered entities and business associates on September 23, 2013.  The Final Rule states:  "We encourage covered entities and business associates to take advantage of the safe harbor provision of the breach notification rule by encrypting limited data sets and other protected health information pursuant to the Guidance.  If protected health information is encrypted pursuant to this guidance, then no breach notification is required following an impermissible use or disclosure of the information." [78 Federal Register 5644]]]></description>
			<content:encoded><![CDATA[<p><strong>January 30, 2013</strong>.  Today, we look at the definition of <em>unsecured protected health information</em> and the <em><a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html" target="_blank">Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals</a></em> [&#8220;Guidance&#8221;] as discussed in the January 25, 2013 Final Rule: <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act [HITECH Act]; Other Modifications to the HIPAA Rules</a></em>.  The Final Rule becomes effective on March 26, 2013, and requires compliance by covered entities and business associates on September 23, 2013.</p>
<p>Here is the definition of <em>unsecured protected health information</em>: &#8220;protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary [of the Department of Health and Human Services (HHS)] under section 13402(h)(2) of Public Law 111-5.&#8221;  [78 <em>Federal Register</em> 5695] Public Law 111-5 is the American Recovery and Reinvestment Act of 2009, which included the HITECH Act, and was enacted on February 17, 2009.  There are two minor changes in the definition.  First, &#8220;unauthorized individuals&#8221; in the interim final rule is changed to &#8220;unauthorized persons&#8221; in the Final Rule, with the following reason: &#8220;the term &#8216;individual&#8217; is defined in 45 CFR 160.103 to mean the person who is the subject of the protected health information, which is not what is intended with the reference to &#8216;individual&#8217; in the definition of &#8216;unsecured protected health information.&#8217; Accordingly, the final rule uses more appropriately the term &#8216;unauthorized persons.&#8217;&#8221; [78 <em>Federal Register</em> 5647]  Second, the Final Rule definition removes, at the end of the interim final rule definition, &#8220;on the HHS Web site as unnecessary language.&#8221;  [78 <em>Federal Register</em> 5647]  Note, however, that the Final Rule indicates:  &#8220;While we remove the reference to the HHS Web site from the regulatory text, we do plan to continue to post updates to the guidance on the Web site as they are issued.&#8221;</p>
<p>In accordance with the HITECH Act, the Secretary of HHS issued the Guidance on April 17, 2009, and it was published in the <em>Federal Register</em> on April 27, 2009. [74 <em>Federal Register</em> 19006]  Subsequently, it was published in the <em>Federal Register</em> as part of the Interim Final Breach Notification Rule on August 24, 2009.  [74 <em>Federal Register</em> 42742-42743]  The <em>Guidance</em> as published in 2009 is in force today and available on the HHS Web site, which is linked in the first paragraph. Note the following from the Final Rule:  &#8220;Covered entities and business associates that implement the specified technologies and methodologies with respect to protected health information are not required to provide notifications in the event of a breach of such information&#8211;that is, the information is not considered &#8216;unsecured&#8217; in such cases.&#8221;  [78 <em>Federal Register</em> 5639]  Finally, &#8220;[w]e encourage covered entities and business associates to take advantage of the safe harbor provision of the breach notification rule by encrypting limited data sets and other protected health information pursuant to the Guidance.  If protected health information is encrypted pursuant to this guidance, then no breach notification is required following an impermissible use or disclosure of the information.&#8221;  [78 <em>Federal Register</em> 5644]</p>
<p>Tomorrow, we discuss further changes in the Final Breach Notification Rule.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/01/hipaa-final-rule-breach-notification-guidance-safe-harbor/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule:  Breach Risk Assessment Factors for &#8220;Probability Standard&#8221;</title>
		<link>http://www.hipaa.com/2013/01/hipaa-final-rule-breach-risk-assessment-factors-for-probability-standard/</link>
		<comments>http://www.hipaa.com/2013/01/hipaa-final-rule-breach-risk-assessment-factors-for-probability-standard/#comments</comments>
		<pubDate>Tue, 29 Jan 2013 22:22:14 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[2013]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[compromising protected health information]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[de-identification]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[Final rule]]></category>
		<category><![CDATA[Genetic Information Nondiscrimination Act]]></category>
		<category><![CDATA[guidance specifying the technologies and methodologies]]></category>
		<category><![CDATA[harm standard]]></category>
		<category><![CDATA[HIPAA enforcement]]></category>
		<category><![CDATA[HIPAA Final Rule]]></category>
		<category><![CDATA[HIPAA Privacy]]></category>
		<category><![CDATA[HIPAA security]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[Identifiers]]></category>
		<category><![CDATA[impermissible use or disclosure]]></category>
		<category><![CDATA[indecipherable]]></category>
		<category><![CDATA[January 25 2013]]></category>
		<category><![CDATA[likelihood of re-identification]]></category>
		<category><![CDATA[low probability]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[mitigated]]></category>
		<category><![CDATA[mitigation]]></category>
		<category><![CDATA[Modifications]]></category>
		<category><![CDATA[policies]]></category>
		<category><![CDATA[probability standard]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk assessment factors]]></category>
		<category><![CDATA[safe harbor]]></category>
		<category><![CDATA[satisfactory assurances]]></category>
		<category><![CDATA[September 23]]></category>
		<category><![CDATA[unauthorized person]]></category>
		<category><![CDATA[unreadable]]></category>
		<category><![CDATA[unsecured protected health information]]></category>
		<category><![CDATA[unusable]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2785</guid>
		<description><![CDATA[January 29, 2013.  Today, we cover the four risk assessment factors pertaining to breach notification in the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules:  Final Rule that was published in the Federal Register on Friday, January 25, 2013.  As discussed in yesterday's post, these risk assessment factors are used in assessing the probability of impermissible use or disclosure compromising protected health information, thereby requiring breach notification.  This "probability standard" replaces the "harm standard," becomes effective March 26, 2013, and requires compliance on September 23, 2013 by covered entities and business associates.]]></description>
			<content:encoded><![CDATA[<p><strong>January 29, 2013</strong>.  Today, we cover the four risk assessment factors pertaining to breach notification in the <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules</a>:  Final Rule </em>that was published in the <em>Federal Register </em>on Friday, January 25, 2013.  As discussed in yesterday&#8217;s post, these risk assessment factors are used in assessing the probability of impermissible use or disclosure compromising protected health information, thereby requiring breach notification. This &#8220;probability standard&#8221; replaces the &#8220;harm standard,&#8221; becomes effective March 26, 2013, and requires compliance on September 23, 2013 by covered entities and business associates.</p>
<p><strong><em>Risk Assessment Factors</em></strong>.  The four risk assessment factors that must be considered are in subsection two of the definition of <em>breach</em>.  “As we have modified and incorporated the factors that must be considered when performing a risk assessment into the regulatory text, covered entities and business associates should examine their policies to ensure that when evaluating the risk of an impermissible use or disclosure they consider all of the required factors.” [78 <em>Federal Register</em> 5695]  Note that these are the <em>required</em> factors that must be considered.  There may be others the covered entity or business associate should consider as necessary based on particular circumstances related to or characteristics of the covered entity or business associate.  [78 <em>Federal Register</em> 5642] Here are the factors [78 <em>Federal Register</em> 5695], following the opening statement:  (2) &#8220;Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [HIPAA Privacy Rule] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors&#8221;:</p>
<p>(2)(i). &#8220;The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification.&#8221;  In the risk assessment, examine the sensitivity of the identifiers involved and the likelihood of re-identification or linkage to other information to determine probability of impermissible use or disclosure.  The “identifiers of the individual or of relatives, employers, or household members of the individual” are at 45 CFR 164.514(b)(2)(i):</p>
<p>(A) Names;</p>
<p>(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:</p>
<p>(<em>1</em>) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and</p>
<p>(<em>2</em>) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.</p>
<p>(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;</p>
<p>(D) Telephone numbers;</p>
<p>(E) Fax numbers;</p>
<p>(F) Electronic mail addresses;</p>
<p>(G) Social security numbers;</p>
<p>(H) Medical record numbers;</p>
<p>(I) Health plan beneficiary numbers;</p>
<p>(J) Account numbers;</p>
<p>(K) Certificate/license numbers;</p>
<p>(L) Vehicle identifiers and serial numbers, including license plate numbers;</p>
<p>(M) Device identifiers and serial numbers;</p>
<p>(N) Web Universal Resource Locators (URLs);</p>
<p>(O) Internet Protocol (IP) address numbers;</p>
<p>(P) Biometric identifiers, including finger and voice prints;</p>
<p>(Q) Full face photographic images and any comparable images; and</p>
<p>(R) Any other unique identifying number, characteristic, or code.</p>
<p>Note footnote 12 on page 5642 of the Final Rule:  &#8220;Information that has been de-identified in accordance with 45 CFR 164.514(a)-(c) is not protected health information, and thus, any inadvertent or unauthorized use or disclosure of such information is not considered a breach for purposes of this rule.&#8221;  In other words, de-identified data are without any of the identifiers noted above in (A)-(R).</p>
<p>(2)(ii). &#8220;The unauthorized person who used the protected health information or to whom the disclosure was made.&#8221;  In the risk assessment, examine “whether the unauthorized person who received the information has obligations to protect the privacy and security of the information,” [78 <em>Federal Register</em> 5643] and the likelihood of re-identification, discussed above with respect to (2)(i), to determine the probability of impermissible use or disclosure.  &#8220;The final rule expressly includes a factor that would require consideration of the re-identifiability of the information, as well as a factor that requires an assessment of the unauthorized person who used the protected health information or to whom the disclosure was made (i.e., whether this person has the ability to re-identify the affected individuals).&#8221; [78 <em>Federal Register</em> 5644]  For more on re-identification, see 45 CFR 164.514(c):  <em>Implementation specifications:  re-identification</em>.</p>
<p>(2)(iii). &#8220;Whether the protected health information was actually acquired or viewed.&#8221;  In the risk assessment, consider the distinction between actual acquisition or viewing of unsecured protected health information versus the opportunity for the information to be acquired or viewed, to determine the probability of impermissible use or disclosure, as the following example in the Final Rule illustrates:  “[I]f a laptop computer was stolen and later recovered and a forensic analysis shows that the protected health information on the computer was never accessed, viewed, acquired, transferred, or otherwise compromised, the entity could determine that the information was not actually acquired by an unauthorized individual even though the opportunity existed.” [78 <em>Federal Register</em> 5643]</p>
<p>(2)(iv).  &#8220;The extent to which the risk to the protected health information has been mitigated.&#8221;  In the risk assessment, “consider the extent and efficacy of the mitigation when determining the probability that the protected health information has been compromised,” [78 <em>Federal Register </em>5643] as the following example in the Final Rule illustrates:  “Covered entities and business associates should attempt to mitigate the risks to the protected health information following any impermissible use or disclosure, such as by obtaining the recipient’s satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed,”… and “acknowledge that the recipient of the information will have an impact on whether the covered entity [or business associate] can conclude that an impermissible use or disclosure has been appropriately mitigated.”</p>
<p>Tomorrow, we will look at the definition of <em>unsecured protected health information </em>and the state of the <em><a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html" target="_blank">Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, and Indecipherable to Unauthorized Individuals</a></em>, which may provide a safe harbor for breach notification.</p>
<hr size="1" />
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/01/hipaa-final-rule-breach-risk-assessment-factors-for-probability-standard/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Final Rule:  Modified Definition of Breach</title>
		<link>http://www.hipaa.com/2013/01/final-rule-modified-definition-of-breach/</link>
		<comments>http://www.hipaa.com/2013/01/final-rule-modified-definition-of-breach/#comments</comments>
		<pubDate>Mon, 28 Jan 2013 23:20:20 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[access]]></category>
		<category><![CDATA[acquisition]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[compromised]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[definition]]></category>
		<category><![CDATA[Disclosure]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[factors]]></category>
		<category><![CDATA[February 22 2010]]></category>
		<category><![CDATA[guidance]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[IFR]]></category>
		<category><![CDATA[impermissible use or disclosure]]></category>
		<category><![CDATA[inadvertent disclosure]]></category>
		<category><![CDATA[indecipherable]]></category>
		<category><![CDATA[Interim Final Rule]]></category>
		<category><![CDATA[limited data sets]]></category>
		<category><![CDATA[low probability]]></category>
		<category><![CDATA[mitigated]]></category>
		<category><![CDATA[NIST]]></category>
		<category><![CDATA[Notification in the Case of Breach]]></category>
		<category><![CDATA[organized health care arrangement]]></category>
		<category><![CDATA[presumption]]></category>
		<category><![CDATA[Privacy Rule]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[re-identification]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[Section 13402]]></category>
		<category><![CDATA[September 23 2009]]></category>
		<category><![CDATA[unauthorized person]]></category>
		<category><![CDATA[unintentional]]></category>
		<category><![CDATA[unreadable]]></category>
		<category><![CDATA[unsecured protected health information]]></category>
		<category><![CDATA[unusable]]></category>
		<category><![CDATA[Use]]></category>
		<category><![CDATA[workforce member]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2775</guid>
		<description><![CDATA[January 28, 2013.  Today, we want to explore the modified definition of breach in the Final HIPAA/HITECH Act Privacy, Security, Breach Notification, and Enforcement Rule published in the Federal Register on Friday, January 25, 2013. Here is the modified definition [45 CFR 164.402, Definitions, effective March 26, 2013; 78 Federal Register 5695].]]></description>
			<content:encoded><![CDATA[<p><strong>January 28, 2013</strong>.  Today, we want to explore the modified definition of <em>breach</em> in the <a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Final HIPAA/HITECH Act Privacy, Security, Breach Notification, and Enforcement Rule</a> published in the <em>Federal Register </em>on Friday, January 25, 2013. Here is the modified definition [45 CFR 164.402, <em>Definitions, </em>effective March 26, 2013; 78 <em>Federal Register </em>5695]:</p>
<p><em>Breach </em>means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [HIPAA Privacy Rule] of this part [Part 164] which compromises the security or privacy of the protected health information.</p>
<div title="Page 131">
<div>
<p>(1) Breach excludes:</p>
<p>(i) Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under subpart E of this part.</p>
<p>(ii) Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under subpart E of this part.</p>
<p>(iii) A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.</p>
<p>(2) Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:</p>
<p>(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;</p>
<p>(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;</p>
<p>(iii) Whether the protected health information was actually acquired or viewed; and</p>
<p>(iv) The extent to which the risk to the protected health information has been mitigated.</p>
<p>The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was enacted as part of the American Recovery and Reinvestment Act of 2009 on February 17, 2009, and Section 13402 provided statutory authority for <em>Notification in the Case of Breach</em>. [123 STAT. 260-263] After publishing a notice of proposed rule making (NPRM) in the <em>Federal Register </em>on April 27, 2009, for public comment, the Department of Health and Human Services (HHS) published an Interim Final Rule (IFR) for breach notification for unsecured protected health information on August 24, 2009. [74 <em>Federal Register </em>42740-42770]  The effective date of the IFR was September 23, 2009, and enforcement of breach notification for breaches on or after that date began on February 22, 2010.</p></div>
<div>
<p>As required by the HITECH Act, the Secretary of HHS published as part of the April 27, 2009, NPRM <em><a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html" target="_blank">Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals</a></em>. This was included in the IFR and is in force currently.  “Covered entities and business associates that implement the specified technologies and methodologies with respect to protected health information are not required to provide notifications in the event of a breach of such information—that is, the information is not considered ‘unsecured’ in such cases.” [78 <em>Federal Register </em>5639] “[O]nly encryption and destruction, consistent with National Institute of Standards and Technology (NIST) guidelines, renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals such that notification is not required in the event of a breach of such information.” [78 <em>Federal Register </em>5647] According to the Final Rule:  “We encourage covered entities and business associates to take advantage of the safe harbor provision of the breach notification rule by encrypting limited data sets and other protected health information pursuant to the [<em>Guidance</em>].  If protected health information is encrypted pursuant to this guidance, then no breach notification is required following an impermissible use or disclosure of the information.” [78 <em>Federal Register</em> 5644]</p>
<p>In the event of an “impermissible use or disclosure” of unsecured protected health information that does not fall under one of the exclusions in the definition above, the language of which did not change from the IFR to the Final Rule, a covered entity or business associate, as applicable, is obligated to conduct a risk assessment.  The burden of proof is on the covered entity or business associate, as applicable, to document and demonstrate why an impermissible use or disclosure would fall under one of the breach exclusions.  Based on the definition in the IFR, the risk assessment was to determine whether “’compromises the security or privacy of the protected health information’ [meant] poses a significant risk of financial, reputational, or other harm to the individual.”  [78 <em>Federal Register</em> 5639]  Under the Final Rule, which modified and clarified the definition of breach and risk assessment, the purpose of the risk assessment changed to that outlined in paragraph (2) in the definition of breach above, namely, to demonstrate that there is “a low probability that the protected health information has been compromised” based on consideration of the specified factors in (2)(i)-(2)(iv).</p>
<p>The Final Rule elaborates on the change from the requirement in the IFR [78 <em>Federal Register </em>5641, 5643]:</p>
<p>“First, we have added language to the definition of breach to clarify that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised….  As a result, we have clarified our position that breach notification is necessary in <strong>all situations </strong>except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised (or one of the other exceptions to the definition of breach applies).” [emphasis added] There was an exception for breach notification in the IFR for “limited data sets that do not contain any dates of birth and zip codes” that has been removed in the Final Rule.  A risk assessment is required for all situations involving an impermissible use or disclosure of protected health information to determine whether a breach notification is not necessary.  The Final Rule does note that “a covered entity or business associate has the discretion to provide the required notifications following an impermissible use or disclosure of protected health information without performing a risk assessment.  Because the final rule clarifies the presumption that a breach has occurred following <span style="text-decoration: underline;">every</span> impermissible use or disclosure of protected health information, entities may decide to notify without evaluation of the probability that the protected health information has been compromised.” [emphasis added]</p>
<p>&#8220;Second, to further ensure that [the definition of breach and the risk assessment approach] is applied uniformly and objectively by covered entities and business associates, we have removed the harm standard and modified the risk assessment to focus more objectively on the risk that the protected health information has been compromised.  Thus, breach notification is not required under the final rule if a covered entity or business associate, as applicable, demonstrates through a risk assessment that there is a low probability that the protected health information has been compromised, rather than demonstrate that there is no significant harm to the individual as was provided under the interim final rule.  <em>The final rule also identifies the more objective factors covered entities and business associates must consider when performing a risk assessment to determine if the protected health information has been compromised and breach notification is necessary</em>.&#8221; [emphasis added]</p>
<p>Tomorrow&#8217;s posting will discuss the four factors that must be addressed as part of the risk assessment of the probability of protected health information being compromised.</p>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/01/final-rule-modified-definition-of-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Final HIPAA/HITECH Act Privacy, Security, Enforcement, Breach Notification Rules Published in Federal Register January 25, 2013.</title>
		<link>http://www.hipaa.com/2013/01/final-hipaahitech-act-privacy-security-enforcement-breach-notification-rules-published-in-federal-register-january-25-2013/</link>
		<comments>http://www.hipaa.com/2013/01/final-hipaahitech-act-privacy-security-enforcement-breach-notification-rules-published-in-federal-register-january-25-2013/#comments</comments>
		<pubDate>Fri, 25 Jan 2013 14:40:02 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[GINA]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Final rule]]></category>
		<category><![CDATA[genetic information]]></category>
		<category><![CDATA[harm standard]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[individuals' health information]]></category>
		<category><![CDATA[Interim Final Rule]]></category>
		<category><![CDATA[March 26 2013]]></category>
		<category><![CDATA[Modifications]]></category>
		<category><![CDATA[probability standard]]></category>
		<category><![CDATA[protection]]></category>
		<category><![CDATA[rules]]></category>
		<category><![CDATA[section 105 of Title I]]></category>
		<category><![CDATA[September 23 2013]]></category>
		<category><![CDATA[statutory amendment]]></category>
		<category><![CDATA[unsecured protected health information]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2768</guid>
		<description><![CDATA[January 25, 2013.  The Final Rule is published, at last!  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule cleared the Office of Management and Budget on January 16, was issued online on the Federal Register's Electronic Public Inspection Desk in pre-publication format on January 17, and published in the Federal Register today.  The Final Rule is 136 pages (pp.5566-5702).  The effective date of the Final Rule is Tuesday, March 26, 2013, and the compliance date is Monday, September 23, 2013.]]></description>
			<content:encoded><![CDATA[<p><strong>January 25, 2013</strong>.  The Final Rule is published, at last!  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf" target="_blank">Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule </a></em>cleared the Office of Management and Budget on January 16, was issued online on the <em>Federal Register&#8217;s </em>Electronic Public Inspection Desk in pre-publication format on January 17, and published in the <em>Federal Register</em> today.  The Final Rule is 136 pages (pp. 5566-5702).  The effective date of the Final Rule is Tuesday, March 26, 2013, and the compliance date is Monday, September 23, 2013.</p>
<p>Here is the Final Rule Summary:</p>
<p>&#8220;The Department of Health and Human Services (HHS) is issuing this final rule to:  Modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Enforcement Rules to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to strengthen the privacy and security protection for individuals&#8217; health information; modify the rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule) under the HITECH Act to address public comment received on the interim final rule; modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA); and make certain other modifications to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (the HIPAA Rules) to improve their workability and effectiveness and to increase flexibility for and decrease burden on the regulated entities.&#8221;</p>
<p>Beginning Monday, January 28, and each weekday through the effective date, March 26, HIPAA.com will post on some aspect of the Final Rule. On Monday, the discussion will focus on the change in definition of <em>breach </em>and the change from a &#8220;harm standard&#8221; to &#8220;probability standard&#8221; pertaining to breach notification.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/01/final-hipaahitech-act-privacy-security-enforcement-breach-notification-rules-published-in-federal-register-january-25-2013/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OCR of HHS FINALLY Issues HIPAA/HITECH Act Privacy, Security, Enforcement, and Breach Notification Modifications Final Rule</title>
		<link>http://www.hipaa.com/2013/01/ocr-of-hhs-finally-issues-hipaahitech-act-privacy-security-enforcement-and-breach-notification-modifications-final-rule/</link>
		<comments>http://www.hipaa.com/2013/01/ocr-of-hhs-finally-issues-hipaahitech-act-privacy-security-enforcement-and-breach-notification-modifications-final-rule/#comments</comments>
		<pubDate>Fri, 18 Jan 2013 14:20:06 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[GINA]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[45 CFR Parts 160 and 164]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[burden]]></category>
		<category><![CDATA[business associates]]></category>
		<category><![CDATA[child immunization proof to schools]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[covered entities]]></category>
		<category><![CDATA[DEPARTMENT OF HEALTH AND HUMAN SERVICES]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[electronic copies]]></category>
		<category><![CDATA[enforcement of noncompliance]]></category>
		<category><![CDATA[EO 12866]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[flexibility]]></category>
		<category><![CDATA[genetic information]]></category>
		<category><![CDATA[Genetic Information Nondiscrimination Act]]></category>
		<category><![CDATA[harm threshold]]></category>
		<category><![CDATA[health information]]></category>
		<category><![CDATA[Health Information Technology for Economic and Clinical Health Act]]></category>
		<category><![CDATA[health plan]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HIPAA rules]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[individual authorization]]></category>
		<category><![CDATA[individuals' rights]]></category>
		<category><![CDATA[Interim Final Rule]]></category>
		<category><![CDATA[marketing and fundraising]]></category>
		<category><![CDATA[Modifications]]></category>
		<category><![CDATA[notice of privacy practices]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[Office for Civil Rights]]></category>
		<category><![CDATA[Office of Management and Budget]]></category>
		<category><![CDATA[omnibus Final Rule]]></category>
		<category><![CDATA[privacy protections]]></category>
		<category><![CDATA[regulated entities]]></category>
		<category><![CDATA[restrict disclosures]]></category>
		<category><![CDATA[RIN:  0945-AA03]]></category>
		<category><![CDATA[SUMMARY]]></category>
		<category><![CDATA[summary of major provisions]]></category>
		<category><![CDATA[tiered civil money penalty]]></category>
		<category><![CDATA[Title I]]></category>
		<category><![CDATA[Treatment]]></category>
		<category><![CDATA[unsecured protected health information]]></category>
		<category><![CDATA[use and disclosure]]></category>
		<category><![CDATA[willful neglect]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2749</guid>
		<description><![CDATA[January 18, 2013. On January 16, 2013, the Office of Management and Budget (OMB) completed its EO 12866 regulatory review of RIN:  0945-AA03, and the long-awaited release of the Department of Health and Human Services' Office for Civil Rights (OCR) so-called "Omnibus" Final Rule was published at 4:15 PM on January 17, 2013, in pre-publication final draft form on the Federal Register's Electronic Public Inspection Desk.  Publication in the Federal Register is scheduled for Friday, January 25, 2013.  The title of the Final Rule is:  45 CFR Parts 160 and 164:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules. The effective date of the final rule is March 26, 2013.  "Covered entities and business associates must comply with the applicable requirements of this final rule by September 23, 2013."]]></description>
			<content:encoded><![CDATA[<p><strong>January 18, 2013.</strong> On January 16, 2013, the Office of Management and Budget (OMB) completed its EO 12866 regulatory review of <a href="http://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201210&amp;RIN=0945-AA03" target="_blank">RIN:  0945-AA03</a>, and the long-awaited release of the Department of Health and Human Services&#8217; Office for Civil Rights (OCR) so-called &#8220;Omnibus&#8221; Final Rule was published at 4:15 PM on January 17, 2013, in <a href="http://www.ofr.gov/OFRUpload/OFRData/2013-01073_PI.pdf" target="_blank">pre-publication final draft form</a> on the <em>Federal Register&#8217;s </em>Electronic Public Inspection Desk.  Publication in the <em>Federal Register</em> is scheduled for Friday, January 25, 2013.  The title of the Final Rule is:  <em>45 CFR Parts 160 and 164:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules.</em> The effective date of the final rule is March 26, 2013.  &#8220;Covered entities and business associates must comply with the applicable requirements of this final rule by September 23, 2013.&#8221;</p>
<p>HIPAA.com will be providing commentary on the provisions of the &#8220;Omnibus&#8221; Final Rule on weekdays beginning on January 25, 2013&#8211;the day of publication in the <em>Federal Register</em>&#8211;and continuing through March 26, 2013&#8211;the effective date of the final rule.  You may sign up on the upper right of this screen to be notified of postings.</p>
<p>Here we provide, from the &#8220;Omnibus&#8221; Final Rule, the Summary, followed by the Summary of Major Provisions.</p>
<p><strong>Summary</strong>.  &#8220;The Department of Health and Human Services (HHS) is issuing this final rule to:  Modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Enforcement Rules to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to strengthen the privacy and security protection for individuals&#8217; health information; modify the rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule) under the HITECH Act to address public comment received on the interim final rule; modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA); and make certain other modifications to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (the HIPAA Rules) to improve their workability and effectiveness and to increase flexibility for and decrease burden on the regulated entities.&#8221;</p>
<p><strong>Summary of Major Provisions</strong>.  &#8220;This omnibus final rule is comprised of the following four final rules:</p>
<p>1.  Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the HITECH Act, and certain other modifications to improve the Rules, which were issued as a proposed rule on July 14, 2010.  These modifications:</p>
<ul>
<li>Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules&#8217; requirements.</li>
<li>Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.</li>
<li>Expand individuals&#8217; rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.</li>
<li>Require modifications to, and redistribution of, a covered entity&#8217;s notice of privacy practices.</li>
<li>Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.</li>
<li>Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule (referenced in #2 below), such as the provisions addressing enforcement of noncompliance with the HIPAA Rule due to willful neglect.</li>
</ul>
<p>2.  Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009.</p>
<p>3.  Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule&#8217;s &#8216;harm&#8217; threshold with a more objective standard and supplants an interim final rule published on August 24, 2009.</p>
<p>4.  Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on October 7, 2009.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2013/01/ocr-of-hhs-finally-issues-hipaahitech-act-privacy-security-enforcement-and-breach-notification-modifications-final-rule/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ONC Touts its 10 Step Plan for Meeting Meaningful Use Privacy and Security Attestation Requirements</title>
		<link>http://www.hipaa.com/2012/12/onc-touts-its-10-step-plan-for-meeting-meaningful-use-privacy-and-security-attestation-requirements/</link>
		<comments>http://www.hipaa.com/2012/12/onc-touts-its-10-step-plan-for-meeting-meaningful-use-privacy-and-security-attestation-requirements/#comments</comments>
		<pubDate>Tue, 04 Dec 2012 20:25:09 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Meaningful Use]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[access control]]></category>
		<category><![CDATA[accounting of disclosures]]></category>
		<category><![CDATA[Administrative Safeguard Standard]]></category>
		<category><![CDATA[Adoption and Meaningful Use of Certified electronic health record technology]]></category>
		<category><![CDATA[attestation]]></category>
		<category><![CDATA[audit]]></category>
		<category><![CDATA[audit log]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[automatic log-off]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[business associate agreement]]></category>
		<category><![CDATA[business liability]]></category>
		<category><![CDATA[Centers for Medicare & Medicaid Services]]></category>
		<category><![CDATA[CMS]]></category>
		<category><![CDATA[confidentiality]]></category>
		<category><![CDATA[Core Measure 15]]></category>
		<category><![CDATA[core objective]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[DEPARTMENT OF HEALTH AND HUMAN SERVICES]]></category>
		<category><![CDATA[EHR]]></category>
		<category><![CDATA[electronic health record]]></category>
		<category><![CDATA[electronic protected health information]]></category>
		<category><![CDATA[electronic systems]]></category>
		<category><![CDATA[eligible professional]]></category>
		<category><![CDATA[emergency access]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[EP]]></category>
		<category><![CDATA[false claim]]></category>
		<category><![CDATA[HIPAA Privacy & Security Audit Program]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[integrity]]></category>
		<category><![CDATA[Medicare and Medicaid Financial Incentive Program]]></category>
		<category><![CDATA[mitigate]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[Office for Civl Rights]]></category>
		<category><![CDATA[Office of the National Coordinator for Health Information Technology]]></category>
		<category><![CDATA[ONC]]></category>
		<category><![CDATA[policies and procedures]]></category>
		<category><![CDATA[Privacy & Security 10-Step Plan]]></category>
		<category><![CDATA[Privacy Official]]></category>
		<category><![CDATA[Security Management Process]]></category>
		<category><![CDATA[Security Official]]></category>
		<category><![CDATA[security risk analysis]]></category>
		<category><![CDATA[threats]]></category>
		<category><![CDATA[Training]]></category>
		<category><![CDATA[Tweet]]></category>
		<category><![CDATA[vulnerabilities]]></category>
		<category><![CDATA[workforce]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2727</guid>
		<description><![CDATA[In a recent Tweet, the Office of the National Coordinator for Health Information Technology (ONC) stated:  "Move into the 21st Century and check out the Privacy &#038; Security 10-Step Plan before you implement an Electronic Health Record."  ONC makes the following recommendation to an Eligible Professional (EP) covered entity participating in the Medicare and Medicaid Financial Incentive Program for Adoption and Meaningful Use of Certified Electronic Health Record (EHR) Technology:  "An EP must meaningfully use certified EHR technology for an EHR reporting period, and then attest to CMS [the Centers for Medicare &#038; Medicaid Services] that he or she has met meaningful use for that period.  Start your 10-step process at least 90 days before you begin the EHR reporting period."  In addition to the new Meaningful Use Audit program as it pertains to attestation, also be aware of the HIPAA Privacy &#038; Security Audit Program conducted under auspices of the Office for Civil Rights (OCR) of the Department of Health and Human Services, which HIPAA.com has discussed in earlier postings.  Give yourself at least 90 days to conduct security compliance activities as they pertain to attestation, and even longer to meet HIPAA privacy, security, and breach notification implementation specifications as well.  Take the new climate of increased privacy and security enforcement and of the probability of audit of risk analysis, policies and procedures, and workforce training seriously. ]]></description>
			<content:encoded><![CDATA[<p>In a recent <a href="http://www.twitter.com/ONC_HealthIT/status/270295340236816385" target="_blank">Tweet</a>, the Office of the National Coordinator for Health Information Technology (ONC) stated:  &#8220;Move into the 21st Century and check out the <a href="http://bit.ly/GNwpwO" target="_blank">Privacy &amp; Security 10-Step Plan</a> before you implement an Electronic Health Record.&#8221;  ONC makes the following recommendation to an Eligible Professional (EP) covered entity participating in the Medicare and Medicaid Financial Incentive Program for Adoption and Meaningful Use of Certified Electronic Health Record (EHR) Technology:  &#8220;An EP must meaningfully use certified EHR technology for an EHR reporting period, and then attest to CMS [the Centers for Medicare &amp; Medicaid Services] that he or she has met meaningful use for that period.  Start your 10-step process at least 90 days before you begin the EHR reporting period.&#8221;</p>
<p>The outline of the 10 steps for Meaningful Use is:</p>
<p>1.   Confirm that you are a covered entity.</p>
<p>2.   Provide leadership [Most importantly, appoint a Privacy Official and a Security Official, which may be the same person, depending upon the scale of your practice].</p>
<p>3.   Document your process, findings, and actions [Most importantly, you must document in writing (which may be electronic) your privacy and security policies and procedures].</p>
<p>4.   Conduct a security risk analysis.</p>
<p>5.   Develop an action plan [to mitigate identified threats and vulnerabilities to your electronic systems and electronic protected health information].</p>
<p>6.   Manage and mitigate risks [by implementing your action plan].</p>
<p>7.   Prevent breaches with education and training of your workforce.</p>
<p>8.   Communicate with patients about the confidentiality and security of their protected health information.</p>
<p>9.   Update business associate agreements [to include HITECH Act Breach Notification requirements].</p>
<p>10. Attest for the Security Risk Analysis Meaningful Use Objective.</p>
<p>The Stage 1 Meaningful Use Core Objective and Measure 15 are:</p>
<p><em>Objective: </em>Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.  [The Stage 1 technical capabilities relate to: access control, emergency access, automatic log-off, audit log, integrity, authentication, general encryption, encryption when exchanging electronic health information, accounting of disclosures (optional)].</p>
<p><em>Measure: </em>Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) [HIPAA Administrative Safeguard Standard:  <em>Security Management Process</em>] and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.</p>
<p><em><a href="http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/downloads/EP_Attestation_User_Guide.pdf" target="_blank">Attestation, Core Measure 15</a> (Yes or No Response): </em>Have you conducted or reviewed a security risk analysis per 45 CFR 164.308(a)(1) and implemented security updates as necessary and corrected identified security deficiencies as part of your risk management process?</p>
<p>&#8220;Providers &#8230; can only attest after they have met the meaningful use requirements for an EHR reporting period.  Only attest for an EHR incentive program, after you have fulfilled the security risk analysis requirements and have documented your efforts. &#8230;  &#8220;When you attest to meaningful use, it is a legal statement that you have met specific standards, including that you protect electronic health information. Providers participating in the EHR Incentive Program can be audited.&#8221; CMS attestation <a href="http://www.hitechanswers.net/meaningful-use-audits-begin/" target="_blank">Audits</a> began in Summer 2012.</p>
<p>Chapter 3 of ONC&#8217;s <em>Guide to Privacy and Security of Health Information: 10 Step Plan for Meeting Privacy and Security Portions of Meaningful Use</em> concludes (p.26):  &#8220;If you attest prior to actually meeting the meaningful use security requirement, you could increase your business liability for federal law violations and making a <a href="http://www.falseclaimsact.com/ffca_fcastatute.php" target="_blank">false claim</a>.  From this perspective, consider implementing multiple security measures as feasible, prior to attesting.  The priority would be mitigating high-impact and high-likelihood risks.&#8221;</p>
<p>In addition to the Meaningful Use Audit program as it pertains to the Stage 1 Core Objectives, including security, under auspices of CMS, also be aware of the <a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html" target="_blank">HIPAA Privacy &amp; Security Audit Program</a> conducted under auspices of the Office for Civil Rights (OCR) of the Department of Health and Human Services, which HIPAA.com has discussed in earlier postings. HIPAA.com noted at the beginning that ONC recommends giving yourself at least 90 days to conduct security compliance activities as they pertain to attestation, and even longer to meet HIPAA privacy, security, and breach notification implementation specifications as well.  Take this new climate of privacy and security enforcement and increased probability of audit of risk analysis, policies and procedures, and workforce training seriously.  [20121204]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2012/12/onc-touts-its-10-step-plan-for-meeting-meaningful-use-privacy-and-security-attestation-requirements/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Final Administrative Simplification Rules for Plan ID, NPI Addition, and ICD-10 Code Set Compliance Delay Published in Federal Register</title>
		<link>http://www.hipaa.com/2012/09/final-administrative-simplification-rules-for-plan-id-npi-addition-and-icd-10-code-set-compliance-delay-published-in-federal-register/</link>
		<comments>http://www.hipaa.com/2012/09/final-administrative-simplification-rules-for-plan-id-npi-addition-and-icd-10-code-set-compliance-delay-published-in-federal-register/#comments</comments>
		<pubDate>Wed, 05 Sep 2012 19:36:16 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Identifiers]]></category>
		<category><![CDATA[Transactions & Code Sets]]></category>
		<category><![CDATA[10th edition]]></category>
		<category><![CDATA[45 CFR 162.410(b)]]></category>
		<category><![CDATA[Administrative Simplification]]></category>
		<category><![CDATA[Clinical Modification]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[data element]]></category>
		<category><![CDATA[Electronic Public Inspection Desk]]></category>
		<category><![CDATA[executive summary]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Final rule]]></category>
		<category><![CDATA[Guidelines for Coding and Reporting]]></category>
		<category><![CDATA[Health Care Provider]]></category>
		<category><![CDATA[health plan]]></category>
		<category><![CDATA[HPID]]></category>
		<category><![CDATA[ICD-10-CM]]></category>
		<category><![CDATA[ICD-10-PCS]]></category>
		<category><![CDATA[implementation specification]]></category>
		<category><![CDATA[individual]]></category>
		<category><![CDATA[inpatient hospital procedure coding]]></category>
		<category><![CDATA[international classification of diseases]]></category>
		<category><![CDATA[medical data code set]]></category>
		<category><![CDATA[National Plan and Provider Enumeration System]]></category>
		<category><![CDATA[National Provider Identifier]]></category>
		<category><![CDATA[noncovered individual health care provider]]></category>
		<category><![CDATA[NPI]]></category>
		<category><![CDATA[NPPES]]></category>
		<category><![CDATA[October 1 2014]]></category>
		<category><![CDATA[OEID]]></category>
		<category><![CDATA[organization covered health care provider]]></category>
		<category><![CDATA[other entity identifier]]></category>
		<category><![CDATA[prescriber]]></category>
		<category><![CDATA[Procedure Coding System]]></category>
		<category><![CDATA[small health plan]]></category>
		<category><![CDATA[standard transaction]]></category>
		<category><![CDATA[SUMMARY]]></category>
		<category><![CDATA[unique health plan identifier]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2713</guid>
		<description><![CDATA[September 5, 2012.  Today, the Federal Register published the Centers for Medicare &#038; Medicaid Services (CMS) Final Rule:  Administrative Simplification:  Adoption of a Standard for a Unique Health Plan Identifier; Addition to the National Provider Identifier [NPI] Requirements; and a Change to the Compliance Date for the International Classification of Diseases, 10th Edition (ICD-10-CM and ICD-10-PCS) Medical Data Code Sets.  We provided the detailed "Executive Summary" in our August 24, 2012 posting, based on the preview posting at the Federal Register's Electronic Public Inspection Desk.  In this posting, we provide the shorter publication "Summary." ]]></description>
			<content:encoded><![CDATA[<p><strong>September 5, 2012</strong>.  Today, the Federal Register published the Centers for Medicare &amp; Medicaid Services (CMS) Final Rule:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2012-09-05/pdf/2012-21238.pdf" target="_blank">Administrative Simplification:  Adoption of a Standard for a Unique Health Plan Identifier; Addition to the National Provider Identifier [NPI] Requirements; and a Change to the Compliance Date for the International Classification of Diseases, 10th Edition (ICD-10-CM and ICD-10-PCS) Medical Data Code Sets</a></em>.  We provided the detailed &#8220;Executive Summary&#8221; in our August 24, 2012, posting, based on the preview posting at the <em>Federal Register&#8217;s </em>Electronic Public Inspection Desk.  Below we provide the shorter publication &#8220;Summary&#8221; [p.54664]:</p>
<p>&#8220;This final rule adopts the standard for a national unique health plan identifier (HPID) and establishes requirements for the implementation of the HPID.  In addition, it adopts a data element that will serve as an other entity identifier (OEID), or an identifier for entities that are not health plans, health care providers, or individuals, but that need to be identified in standard transactions.  This final rule also specifies the circumstances under which an organization covered health care provider must require certain noncovered individual health care providers who are prescribers to obtain and disclose a National Provider Identifier (NPI).  Lastly, this final rule changes the compliance date for the International Classification of Diseases, 10th Revision, Clinical Modification (ICD-10-CM) for diagnosis coding, including the Official ICD-10-CM Guidelines for Coding and Reporting, and the International Classification of Diseases, 10th Revision, Procedure Coding System (ICD-10-PCS) for inpatient hospital procedure coding, including the Official ICD-10-PCS Guidelines for Coding and Reporting, from October 1, 2013 to October 1, 2014.&#8221;</p>
<p>This Final Rule as official policy is effective on November 5, 2012.  Health plans other than small health plans must obtain an HPID by November 5, 2014.  Small health plans have an additional year to comply, on November 5, 2015.  Covered entities must use the HPID in standard transactions on or after November 7, 2016.  With regard to the NPI, an organization covered health care provider must comply by May 6, 2013, with the implementation specifications in 45 CFR 162.410(b):</p>
<p>&#8220;An organization covered health care provider that has as a member, employs, or contracts with, an individual health care provider who is not a covered entity and is a prescriber, must require such health care provider to&#8211;</p>
<p>(1) Obtain an NPI from the National Plan and Provider Enumeration System (<a href="https://nppes.cms.hhs.gov/NPPES/Welcome.do" target="_blank">NPPES</a>); and</p>
<p>(2) To the extent the prescriber writes a prescription while acting within the scope of the prescriber&#8217;s relationship with the organization, disclose the NPI upon request to any entity that needs it to identify the prescriber in a standard transaction.&#8221; [p. 54719]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2012/09/final-administrative-simplification-rules-for-plan-id-npi-addition-and-icd-10-code-set-compliance-delay-published-in-federal-register/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CMS and ONC Publish Final Rules for Meaningful Use Stage 2 Security in Federal Register</title>
		<link>http://www.hipaa.com/2012/09/cms-and-onc-publish-final-rules-for-meaningful-use-stage-2-security-in-federal-register/</link>
		<comments>http://www.hipaa.com/2012/09/cms-and-onc-publish-final-rules-for-meaningful-use-stage-2-security-in-federal-register/#comments</comments>
		<pubDate>Mon, 03 Sep 2012 15:59:03 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[45 CFR 164]]></category>
		<category><![CDATA[45 CFR 170]]></category>
		<category><![CDATA[45 CFR 495]]></category>
		<category><![CDATA[access control]]></category>
		<category><![CDATA[addressable]]></category>
		<category><![CDATA[Administrative Safeguard]]></category>
		<category><![CDATA[amendment]]></category>
		<category><![CDATA[audit report]]></category>
		<category><![CDATA[auditable event]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[authorization]]></category>
		<category><![CDATA[automatic log-off]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[CAH]]></category>
		<category><![CDATA[capabilities and standards of CEHRT]]></category>
		<category><![CDATA[CEHRT]]></category>
		<category><![CDATA[Centers for Medicare & Medicaid Services]]></category>
		<category><![CDATA[certification criteria]]></category>
		<category><![CDATA[certified electronic health record technology]]></category>
		<category><![CDATA[CMS]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[critical access hospital]]></category>
		<category><![CDATA[data at rest]]></category>
		<category><![CDATA[data center]]></category>
		<category><![CDATA[DEPARTMENT OF HEALTH AND HUMAN SERVICES]]></category>
		<category><![CDATA[EHR reporting period]]></category>
		<category><![CDATA[electronic health record incentive program]]></category>
		<category><![CDATA[eligible hospital]]></category>
		<category><![CDATA[eligible professional]]></category>
		<category><![CDATA[emergency access]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[encryption and decryption]]></category>
		<category><![CDATA[end-user device encryption]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Final rule]]></category>
		<category><![CDATA[health information technology]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA Security Rule]]></category>
		<category><![CDATA[implementation specification]]></category>
		<category><![CDATA[integrity]]></category>
		<category><![CDATA[meaningful use stage 2]]></category>
		<category><![CDATA[Office of the National Coordinator for Health Information Technology]]></category>
		<category><![CDATA[ONC]]></category>
		<category><![CDATA[permanent certification program]]></category>
		<category><![CDATA[preamble]]></category>
		<category><![CDATA[reasonable and appropriate]]></category>
		<category><![CDATA[safeguard]]></category>
		<category><![CDATA[secured data]]></category>
		<category><![CDATA[Security Management Process]]></category>
		<category><![CDATA[security objective]]></category>
		<category><![CDATA[security risk analysis]]></category>
		<category><![CDATA[standard]]></category>
		<category><![CDATA[tamper-resistance]]></category>
		<category><![CDATA[Technical Safeguard]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2705</guid>
		<description><![CDATA[September 4, 2012.  The Department of Health and Human Services (HHS) entities:  Centers for Medicare &#038; Medicaid Services (CMS) and Office of the National Coordinator for Health Information Technology (ONC), published their Final Rules for Meaningful Use Stage 2 in today's Federal Register.  This posting focuses on the 2014 Edition security objective, measure, and capabilities and standards related to Certified Electronic Health Record Technology (CEHRT).]]></description>
			<content:encoded><![CDATA[<p><strong>September 4, 2012</strong>.  The Department of Health and Human Services (HHS) entities:  Centers for Medicare &amp; Medicaid Services (CMS) and Office of the National Coordinator for Health Information Technology (ONC), published their Final Rules for Meaningful Use Stage 2 in today&#8217;s <em>Federal Register</em>.  This posting focuses on the preamble relating to the following Stage 2 <em>security </em>objective in the CMS Final Rule entitled <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2012-09-04/pdf/2012-21050.pdf" target="_blank">Medicare and Medicaid Programs; Electronic Health Record Incentive Program</a></em>:  &#8220;Protect electronic health information created or maintained by the Certified EHR Technology [CEHRT] through the implementation of appropriate technical capabilities.&#8221;  Reference numbers in brackets refer to the page number(s) in the September 4, 2012, <em>Federal Register</em>.</p>
<p>Associated with this objective is a <em>Measure</em> that is the same for Eligible Professionals [45 CFR 495.6(j)(16)(i) at p. 54154], and for Eligible Hospitals or Critical Access Hospitals (CAHs) [45 CFR 495.6(l)(15)(i) at p. 54156]: &#8220;Conduct or review a security risk analysis in accordance with the requirements [of the HIPAA Security Rule] under 45 CFR 164.308(a)(1) [<em>Security Management Process </em>Administrative Safeguard<em> </em>Standard], including addressing the encryption/security of data stored in Certified EHR Technology [CEHRT] in accordance with [HIPAA Security Rule] requirements under 45 CFR 164.312(a)(2)(iv) [<em>Encryption and decryption</em> addressable implementation specification of the Technical Safeguard <em>Access Control </em>Standard] and 45 CFR 164.306(d)(3) [<em>Addressable</em> requirements for Security Standard<em> Implementation Specifications</em>], and implement security updates as necessary and correct identified security deficiencies as part of the [EP's, Eligible Hospitals, CAH's] risk management process.&#8221;</p>
<p>Preamble comments include the following excerpts related to this measure:</p>
<p>&#8220;As noted in the proposed rule, this measure is the same as in Stage 1 except that we specifically highlight the encryption/security of data that is stored in CEHRT (data at rest).  Recent HHS analysis of reported breaches indicates that almost 40 percent of large breaches (breaches affecting 500 or more individuals) involve lost or stolen devices.  Had these devices been encrypted, their data would have been secured.  It is for these reasons that we specifically call out this requirement under 45 CFR 308(a)(1).  We did not propose to change the HIPAA Security Rule requirements, or require any more under this measure than is required under HIPAA.  We only emphasize the importance of an EP or hospital including in its security risk analysis an assessment of the reasonable[ness] and appropriateness of encrypting electronic protected health information as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure. [pp. 54002-54003] &#8230;</p>
<p>&#8220;We do not propose to change the HIPAA Security Rule requirements or impose additional requirements under this measure than those required under HIPAA.  <strong>A [risk analysis] review must be conducted for each EHR reporting period</strong> and any security updates and deficiencies that are identified should be included in the provider&#8217;s risk management process and implemented or corrected as dictated by that process. [emphasis added]  We refer providers to the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with the requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), of the <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf" target="_blank">HIPAA Security Rule</a>. The scope of the security risk analysis for purposes of this meaningful use measure applies only to data created or maintained by CEHRT.  This measure does not apply to data centers that are not part of CEHRT.  However, we note that such data centers may be subject to the security requirements under 45 CFR 164.308(a)(1) and refer providers to the HIPAA Security Rules for compliance information. [p. 54003] &#8230;</p>
<p>&#8220;We are making a change in this final rule to the language  of &#8216;data at rest&#8217; to specify our intention of data that is stored in CEHRT&#8230;. We further specify that in order to meet this objective and measure, an EP, eligible hospital, or CAH must use the capabilities and standards of CEHRT at 45 CFR 170.314(d)(1) through 170.314(d)(8).&#8221;</p>
<p>These &#8220;capabilities and standards of CEHRT,&#8221; as referenced are published in the September 4, 2012, <em>Federal Register </em> in the ONC Final Rule entitled:  <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2012-09-04/pdf/2012-20982.pdf" target="_blank">Health Information Technology:  Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, 2014 Edition; Revisions to the Permanent Certification Program for Health Information Technology</a></em>.  They are:</p>
<p>45 CFR 170.314:  <em>2014 Edition electronic health record certification criteria</em></p>
<p style="padding-left: 30px;">(d):  <em>Privacy and security </em> [pp. 54289-54290]</p>
<p style="padding-left: 60px;">(1)  <em>Authentication, access control, and authorization</em></p>
<p style="padding-left: 60px;">(2)  <em>Auditable events and tamper-resistance</em></p>
<p style="padding-left: 60px;">(3)  <em>Audit report(s)</em></p>
<p style="padding-left: 60px;">(4)  <em>Amendments</em></p>
<p style="padding-left: 60px;">(5)  <em>Automatic log-off</em></p>
<p style="padding-left: 60px;">(6)  <em>Emergency access</em></p>
<p style="padding-left: 60px;">(7)  <em>End-user device encryption</em></p>
<p style="padding-left: 60px;">(8)  <em>Integrity</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2012/09/cms-and-onc-publish-final-rules-for-meaningful-use-stage-2-security-in-federal-register/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CMS Issues Final Administrative Simplification Final Rules Regarding Identifiers and ICD-10 Code Set Compliance Delay</title>
		<link>http://www.hipaa.com/2012/08/cms-issues-final-administrative-simplification-final-rules-regarding-identifiers-and-icd-10-code-set-compliance-delay/</link>
		<comments>http://www.hipaa.com/2012/08/cms-issues-final-administrative-simplification-final-rules-regarding-identifiers-and-icd-10-code-set-compliance-delay/#comments</comments>
		<pubDate>Fri, 24 Aug 2012 18:06:35 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[5010 Version]]></category>
		<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health Care Reform]]></category>
		<category><![CDATA[Identifiers]]></category>
		<category><![CDATA[Transactions & Code Sets]]></category>
		<category><![CDATA[Administrative Simplification]]></category>
		<category><![CDATA[Centers for Medicare & Medicaid Services]]></category>
		<category><![CDATA[claims payments]]></category>
		<category><![CDATA[clearinghouse]]></category>
		<category><![CDATA[CMS]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[Electronic Public Inspection Desk]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Final rule]]></category>
		<category><![CDATA[health plan]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HPID]]></category>
		<category><![CDATA[ICD-10]]></category>
		<category><![CDATA[ICD-10-CM]]></category>
		<category><![CDATA[ICD-10-PCS]]></category>
		<category><![CDATA[identification errors]]></category>
		<category><![CDATA[implementation specification]]></category>
		<category><![CDATA[medical data code sets]]></category>
		<category><![CDATA[Medicare Part D]]></category>
		<category><![CDATA[National Provider Identifier]]></category>
		<category><![CDATA[NPI]]></category>
		<category><![CDATA[OEID]]></category>
		<category><![CDATA[Office of Management and Budget]]></category>
		<category><![CDATA[OMB]]></category>
		<category><![CDATA[other entity identifier]]></category>
		<category><![CDATA[patient eligibility]]></category>
		<category><![CDATA[remittance advice]]></category>
		<category><![CDATA[Secretary of HHS]]></category>
		<category><![CDATA[small health plan]]></category>
		<category><![CDATA[standard]]></category>
		<category><![CDATA[standard transactions]]></category>
		<category><![CDATA[third party administrator]]></category>
		<category><![CDATA[unique health plan identifier]]></category>
		<category><![CDATA[version 5010]]></category>
		<category><![CDATA[X12]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2693</guid>
		<description><![CDATA[August 24, 2012.  Today, the Office of Management and Budget (OMB) completed review and sent to the Federal Register for publication on September 5, 2012, the Centers for Medicare &#038; Medicaid Services (CMS) Final Rule:  Administrative Simplification:  Adoption of a Standard for a Unique Health Plan Identifier; Addition to the National Provider Identifier Requirements; and a Change to the Compliance Date for the International Classification of Diseases, 10th Edition (ICD-10-CM and ICD-10-PCS) Medical Data Code Sets.  The effective date of the Rule is November 5, 2012.  Prior to publication on September 5, the Final Rule may be examined at or downloaded from the Office of the Federal Register's Electronic Public Inspection Desk.  ]]></description>
			<content:encoded><![CDATA[<p>August 24, 2012.  Today, the Office of Management and Budget (OMB) completed review and sent to the <em>Federal Register</em> for publication on September 5, 2012, the Centers for Medicare &amp; Medicaid Services (CMS) Final Rule:  <em>Administrative Simplification:  Adoption of a Standard for a Unique Health Plan Identifier; Addition to the National Provider Identifier Requirements; and a Change to the Compliance Date for the International Classification of Diseases, 10th Edition (ICD-10-CM and ICD-10-PCS) Medical Data Code Sets</em>.  The effective date of the Rule is November 5, 2012.  Prior to publication, the <a href="http://www.ofr.gov/inspection.aspx" target="_blank">Final Rule</a> may be examined at or downloaded from the Office of the Federal Register&#8217;s Electronic Public Inspection Desk.</p>
<p>Here is the Executive Summary from the Final Rule:</p>
<p>&#8220;This rule adopts a standard unique health plan identifier (HPID) and a data element that will serve as an other entity identifier (OEID).  This rule also adopts an addition to the National Provider Identifier (NPI) requirements.  Finally, this rule changes a compliance date for the ICD-10-CM and ICD-10-PCS medical data code sets (hereinafter &#8216;code sets&#8217;) from October 1, 2013 to October 1, 2014.</p>
<p>&#8220;<strong>(1) HPID</strong>.  Currently, health plans and other entities that perform health plan functions, such as third party administrators and clearinghouses, are identified in Health Insurance and Portability and Accountability Act of 1996 (HIPAA) standard transactions with multiple identifiers that differ in length and format.  Covered health care providers are frustrated by various problems associated with the lack of a standard identifier, such as: improper routing of transactions; rejected transactions due to insurance identification errors; difficulty in determining patient eligibility; and challenges resulting from errors in identifying the correct health plan during claims processing.</p>
<p>&#8220;The adoption of the HPID and the OEID will increase standardization with HIPAA standard transactions and provide a platform for other regulatory and industry initiatives. Their adoption will allow for a higher level of automation for health care provider offices, particularly for provider processing of billing and insurance related tasks, eligibility responses from health plans, and remittance advice that describes health care claim payments. [Health plans with the exception of small health plans must obtain an HPID by November 5, 2014.  Small health plans must obtain an HPID by November 5, 2015. Covered entities must use HPIDs in the standard transactions on or after November 7, 2016.]</p>
<p>&#8220;<strong>(2) NPI</strong>.  In the January 23, 2004 <em>Federal Register </em>(69 FR 3434), the U.S. Department of Health and Human Services (HHS) published a final rule establishing the standard for a unique health identifier for health care providers for use in the health care system and adopting the National Provider Identifier (NPI) as that standard (&#8216;2004 NPI final rule&#8217;). The rule also established the implementation specifications for obtaining and using the NPI.  Since that time, pharmacies have encountered situations where they need to include the NPI of a prescribing health care provider in a pharmacy claim, but where the prescribing health care provider has been a noncovered health care provider who did not have an NPI because he or she was not required to obtain one.  This situation has become particularly problematic in the Medicare Part D program.  The addition to the NPI requirements addresses this issue.  [An organization covered health care provider must comply by May 6, 2013 with the implementation specifications in 45 CFR 162.410(b), as shown on page 202 of the final rule version referenced above.]</p>
<p>&#8220;<strong>(3) ICD-10-CM and ICD-10-PCS Code Sets</strong>.  In the January 16, 2009 <em>Federal Register </em>(74 FR 3328), HHS published a final rule in which the Secretary of HHS (&#8216;the Secretary&#8217;) adopted the ICD-10-CM and ICD-10-PCS (&#8216;ICD-10&#8217;) code sets as the HIPAA standards to replace the previously adopted International Classification of Diseases, 9th Revision, Clinical Modification, Volumes 1 and 2 (diagnoses), and 3 (procedures) including the Official ICD-9-CM Guidelines for Coding and Reporting. The compliance date set by the final rule was October 1, 2013.</p>
<p>&#8220;Since that time, some provider groups have expressed strong concern about their ability to meet the October 1, 2013 compliance date and the serious claims payment issues that might ensue if they do not meet the date.  Some providers&#8217; concerns about being able to meet the ICD-10 compliance date are based, in part, on difficulties they had meeting the compliance deadline for the adopted Associated Standard Committee&#8217;s (&#8216;ASC&#8217;) X12 Version 5010 standards (&#8216;Version 5010&#8217;) for electronic health care transactions. Compliance with Version 5010 and ICD-10 by all covered entities is essential to a smooth transition to the updated medical data code sets, as the failure of any one industry segment to achieve compliance would negatively affect all other industry segments and result in returned claims and provider payment delays.  We believe the change in the compliance date for ICD-10 [to October 1, 2014] gives health care providers and other covered entities more time to prepare and fully test their systems to ensure a smooth and coordinated transition by all covered entities.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2012/08/cms-issues-final-administrative-simplification-final-rules-regarding-identifiers-and-icd-10-code-set-compliance-delay/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HAPPY 16th Birthday HIPAA:  Five HIPAA Compliance Activities Your Organization Must Undertake NOW!</title>
		<link>http://www.hipaa.com/2012/08/happy-16th-birthday-hipaa-five-hipaa-compliance-activities-your-organization-must-undertake-now/</link>
		<comments>http://www.hipaa.com/2012/08/happy-16th-birthday-hipaa-five-hipaa-compliance-activities-your-organization-must-undertake-now/#comments</comments>
		<pubDate>Fri, 24 Aug 2012 00:46:52 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Administrative Simplification]]></category>
		<category><![CDATA[breach investigation]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[certified electronic health record technology]]></category>
		<category><![CDATA[complaint investigation]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[compliance audit]]></category>
		<category><![CDATA[compliance auditors]]></category>
		<category><![CDATA[CORE]]></category>
		<category><![CDATA[Corrective Action Plan]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[demonstrate compliance]]></category>
		<category><![CDATA[detection]]></category>
		<category><![CDATA[documentation]]></category>
		<category><![CDATA[encrypt]]></category>
		<category><![CDATA[encrypting your PHI]]></category>
		<category><![CDATA[federal]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Financial Incentive Program]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[implementation specification]]></category>
		<category><![CDATA[Medicaid]]></category>
		<category><![CDATA[Medicare]]></category>
		<category><![CDATA[Mostashari]]></category>
		<category><![CDATA[non-compliance]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[OCR Guidance]]></category>
		<category><![CDATA[Omnibus regulation]]></category>
		<category><![CDATA[penalties]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[policies]]></category>
		<category><![CDATA[Ponemon Institute]]></category>
		<category><![CDATA[procedures]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[Risk Analysis]]></category>
		<category><![CDATA[risk mitigation]]></category>
		<category><![CDATA[Rodriguez]]></category>
		<category><![CDATA[safeguard]]></category>
		<category><![CDATA[settlement]]></category>
		<category><![CDATA[State]]></category>
		<category><![CDATA[Training]]></category>
		<category><![CDATA[violations]]></category>
		<category><![CDATA[willful neglect]]></category>
		<category><![CDATA[workforce member]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2684</guid>
		<description><![CDATA[HIPAA Administrative Simplification was enacted on August 21, 1996 as Subtitle F of Title II of Public Law 104-191. The so-called HITECH Act “Omnibus” regulation that modifies HIPAA privacy and security provisions will be published in the Federal Register by the end of this summer, according to the head of HHS’ National Coordinator for Health Information Technology, Farzad Mostashari, M.D. Based on the timeline in the Notice of Proposed Rule Making, compliance by all covered entities and their business associates would be required 240 days after publication, most likely sometime in May 2013, assuming the end-of-summer deadline is met.  All covered entities and their business associates will be required to comply with provisions of the Omnibus regulation.  Achieving compliance is a time-consuming process.  We outline five activities your organization should be doing NOW in advance of release of the Omnibus regulations and that it needs to complete before compliance kicks in.]]></description>
			<content:encoded><![CDATA[<p>HIPAA Administrative Simplification was enacted on August 21, 1996 as Subtitle F of Title II of Public Law 104-191.<a href="#_ftn1">[1]</a> The so-called HITECH Act<a href="#_ftn2">[2]</a> “Omnibus” regulation<a href="#_ftn3">[3]</a> that modifies HIPAA privacy and security provisions will be published in the <em>Federal Register</em> by the end of this summer, according to the head of HHS’ National Coordinator for Health Information Technology, Farzad Mostashari, M.D.<a href="#_ftn4">[4]</a> Based on the timeline in the Notice of Proposed Rule Making, compliance by all covered entities and their business associates would be required 240 days after publication, most likely sometime in May 2013, assuming the end-of-summer deadline is met.  All covered entities and their business associates will be required to comply with provisions of the Omnibus regulation.</p>
<p>From enactment of HIPAA Administrative Simplification in August 1996 through issuance of HIPAA privacy (April 2003) and security (April 2005) enabling regulations<a href="#_ftn5">[5]</a> until enactment of the HITECH Act, federal enforcement was lax and covered entities evinced attitudes of “we’re compliant,” without understanding what compliance entailed, or “the feds will never check on whether I am compliant or not.”</p>
<p>Be forewarned…detection and enforcement has increased markedly, both at federal and state<a href="#_ftn6">[6]</a> levels, and is about to get much tougher with the release of the Omnibus regulation.  Further, penalties for violations of privacy, security, and breach notification provisions are substantial.  Currently, as a covered entity, your organization is subject to HHS’ privacy and security enforcement agency, Office for Civil Rights (OCR), compliance audits<a href="#_ftn7">[7]</a> that were initiated earlier this year, and to investigations relating to complaints and to breaches of protected health information (PHI).</p>
<p>Achieving compliance is a time-consuming process.  Here are five activities your organization should be doing NOW in advance of release of the Omnibus regulations and that it needs to complete before compliance kicks in sometime in May 2013.</p>
<p><strong>1.  Conduct a thorough risk analysis or update an existing risk analysis.</strong> The foundation of safeguarding your organization’s oral, hard copy, and electronic PHI is the risk analysis that identifies threats and vulnerabilities to PHI that your organization creates, maintains, receives, or transmits, and consideration of risk mitigation strategies and tools that are the basis for your organization’s policies and procedures for safeguarding its PHI.<a href="#_ftn8">[8]</a> Failure to have conducted a new risk analysis or review periodically an existing risk analysis is evidence of non-compliance, and the penalties are such to imperil your organization as a viable business.  Failure to conduct a risk analysis is tantamount to <em>willful neglect</em>!</p>
<p><strong>2.  Document your privacy, security, breach notification polices and procedures</strong>.  On June 26, 2012, OCR issued audit procedures by security, privacy, and breach notification <em>implementation specification</em> identifying the inquiries that will be addressed to senior management and the written documentation that compliance auditors will need to review, and in some cases, take samples of, as evidence of compliance.<a href="#_ftn9">[9]</a> Your documented policies and procedures will be the next step after completing a risk analysis or its update, the findings of which will be the basis for the safeguard policies and procedures.  Failure to document may subject your organization to <em>willful neglect—not corrected </em>violations, for which the penalty is a mandatory $50,000 per violation up to a maximum of $1.5 million for repeat of a specific violation in a calendar year.  Those penalties were raised in 2009 from $100 per violation up to a maximum of $25,000 for repeat of a specific violation in a calendar year.<a href="#_ftn10">[10]</a> In addition, participants in the Medicare and Medicaid Financial Incentive Programs for Adoption and Meaningful Use of Certified Electronic Health Record Technology must document risk analysis and Core security policies, and are subject to compliance audits that began in July 2012.<a href="#_ftn11">[11]</a><em> </em></p>
<p><strong>3.  Train your workforce members, including management</strong>.  When privacy, security, and breach notification policies and procedures are in place, as they should be now and modified later to reflect the HITECH Act Omnibus regulatory provisions, covered entities are required to provide each workforce member access to them and to train each workforce member on their implementation so that its PHI is safeguarded.<a href="#_ftn12">[12]</a> Workforce members are required to have “awareness and understanding” of the safeguards and to follow the policies and procedures, and the covered entity must document that such training has occurred.  A review of case examples and HHS resolution agreement “corrective action plans” shows that training is a key element in demonstrating compliance in an audit and as part of the remediation enforcement process.<a href="#_ftn13">[13]</a> For example, in reference to the Blue Cross Blue Shield Tennessee (BCBST) resolution agreement<a href="#_ftn14">[14]</a>, in which BCBST paid a fine of $1.5 million, the Director of OCR, Leon Rodriguez said:  “This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program. The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.”  The three pillars of that compliance program will be <em>risk analysis</em>, <em>documented policies and procedures</em>, and <em>privacy and security training</em>.</p>
<p><strong>4.  Encrypt your protected health information on mobile and portable devices.</strong> As of August 23, 2012, OCR has publicly disclosed 487 breaches involving 500 or more individuals since September 23, 2009, affecting a total of just over 21 million persons.<a href="#_ftn15">[15]</a> Of the total number of breaches where location of breached information is known (e.g., electronic or hard copy source), 73% of the breaches involve electronic sources and 27% paper sources.  Of the total irrespective of source, just under 19% involve a business associate.  Of the electronic sourced breaches, just over 60% involved a laptop or other portable electronic device, and just under 92% of those are reported as stolen or lost. Many of these incidents could be avoided if the data were secured through encryption, which is required under OCR <em>Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals</em>.<a href="#_ftn16">[16]</a></p>
<p><strong>5.  Remember the 1981 Oil Filter Commercial Adage:  “You can pay me now or pay me later.” </strong>Remediating breaches is costly, not only financially, but also in time, potential damage to reputation and customer goodwill, and lost business.  The Ponemon Institute<a href="#_ftn17">[17]</a>, a privacy and information management research firm, in March 2011, announced results of the sixth annual U.S. Cost of a Data Breach Study.  According to this study, based on survey data, breach incidents cost U.S. companies $214 per compromised customer record (2010 data).  Looking just at OCR’s publicly disclosed 487 breaches, affecting just over 21 million individuals, potentially the cost is just under $4.5 billion for remediation.  The August 3, 2011, HDM Breaking News article,  “What Happens After a Data Breach?” states: “[t]he cost to reduce the risk to protected health information before a breach can be as low as 10 percent of the cost to remediate a medium-sized breach.”<a href="#_ftn18">[18]</a> As the old automotive oil filter TV ad<a href="#_ftn19">[19]</a> stated, “you can pay me now or pay me later.” Investment now in HIPAA/HITECH Act privacy and security safeguards to minimize risk to PHI is a cost-effective and wise investment, especially in ENCRYPTING YOUR PHI on mobile and portable electronic devices and media with a high likelihood of being lost or stolen.</p>
<p>If your organization has already performed items 1-3 above, it will have to address those items again to reflect HITECH Act modifications in the Omnibus regulation.  To help your organization attain compliance in an affordable and timely manner, check out online <em>self-assessment risk and document management software </em>at <a href="http://www.hipaarms.com"><em>www.hipaarms.com</em></a><em> </em>and online<em> HIPAA/HITECH Act privacy and security training courses at </em><a href="http://ama.hipaaschool.com"><em>http://ama.hipaaschool.com</em></a>.</p>
<hr size="1" /><p><a href="#_ftnref1">[1]</a> <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/statute/index.html">http://www.hhs.gov/ocr/privacy/hipaa/administrative/statute/index.html</a>.</p>
<p><a href="#_ftnref2">[2]</a> The HITECH Act, which is incorporated in Public Law 111-5 on pages 226-279, is available online at:  <a href="http://www.gpo.gov/fdsys/pkg/PLAW-111publ5/pdf/PLAW-111publ5.pdf">http://www.gpo.gov/fdsys/pkg/PLAW-111publ5/pdf/PLAW-111publ5.pdf</a>.</p>
<p><a href="#_ftnref3">[3]</a> <a href="http://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201110&amp;RIN=0945-AA03">www.reginfo.gov/public/do/eAgendaViewRule?pubId=201110&amp;RIN=0945-AA03</a>.  The Omnibus regulation includes Final Privacy, Security, Breach Notification, and Enforcement Rules, along with a HIPAA privacy modification to Clinical Laboratory Clinical Amendments (CLIA).</p>
<p><a href="#_ftnref4">[4]</a> Joseph Goedert, “HIPAA Summit Well-Timed with Expected Rules,” <em>Health Data Management</em>, July 13, 2012, which is available online at:  <a href="http://www.healthdatamanagement.com/news/hipaa-summit-privacy-security-breach-44739-1.html?zkPrintable=true">http://www.healthdatamanagement.com/news/hipaa-summit-privacy-security-breach-44739-1.html?zkPrintable=true</a>.</p>
<p><a href="#_ftnref5">[5]</a> The HIPAA statute and enabling regulations are available online at:  <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/">http://www.hhs.gov/ocr/privacy/hipaa/administrative/</a>.</p>
<p><a href="#_ftnref6">[6]</a> H.B. 300, the Texas Medical Privacy Act, goes into effect on September 1, 2012, and requires “customized” privacy training for new employees within 30 days, and, for all workforce members, recurring protected health information (PHI) safeguard training at least every two years or whenever business operations pertaining to PHI privacy policies change.  See <a href="http://www.dallasbar.org/content/new-medical-privacy-law-texas-what-you-need-know">http://www.dallasbar.org/content/new-medical-privacy-law-texas-what-you-need-know</a> and <a href="http://legiscan.com/gaits/text/316787">http://legiscan.com/gaits/text/316787</a>.</p>
<p><a href="#_ftnref7">[7]</a> <a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html">http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html</a>.</p>
<p><a href="#_ftnref8">[8]</a> See National Institute of Standards and Technology (NIST), <em>Guide for Conducting Risk Assessments</em>.  NIST Special Publication (SP) 800-30 Revision 1, September 2011, which is available online at:  <a href="http://csrc.nist.gov/publications/drafts/800-30-rev1/SP800-30-Rev1-ipd.pdf">http://csrc.nist.gov/publications/drafts/800-30-rev1/SP800-30-Rev1-ipd.pdf</a>.</p>
<p><a href="#_ftnref9">[9]</a> <a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html">http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html</a>.</p>
<p><a href="#_ftnref10">[10]</a> <a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html">http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html</a>.</p>
<p><a href="#_ftnref11">[11]</a> <a href="http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Attestation.html">http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Attestation.html</a> and Marla Durben Hirsch, “CMS Starts Meaningful Use Attestation Audits,” July 23, 2012, which is available online at:  <a href="http://www.fierceemr.com/story/cms-meaningful-use-attestation-audits-providers/2012-07-23">http://www.fierceemr.com/story/cms-meaningful-use-attestation-audits-providers/2012-07-23</a>.  A determination of attesting falsely may make the attester subject to criminal prosecution under the False Claims Act, and will certainly require reimbursement of financial incentives received falsely.</p>
<p><a href="#_ftnref12">[12]</a> See 45 CFR 164.308(a)(5) (security) and 45 CFR 164.530(b) (privacy and breach notification), which are available online at: <a href="http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&amp;sid=c83ef165e5b089a3351012715b247a02&amp;tpl=/ecfrbrowse/Title45/45cfr164_main_02.tpl">http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&amp;sid=c83ef165e5b089a3351012715b247a02&amp;tpl=/ecfrbrowse/Title45/45cfr164_main_02.tpl</a>.</p>
<p><a href="#_ftnref13">[13]</a> <a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html">http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html</a>.</p>
<p><a href="#_ftnref14">[14]</a> HHS News Release, “HHS Settles HIPAA Case with BCBST for $1.5 million,” March 13, 2012, which is available online at:  <a href="http://www.hhs.gov/news/press/2012pres/03/20120313a.html">http://www.hhs.gov/news/press/2012pres/03/20120313a.html</a>.</p>
<p><a href="#_ftnref15">[15]</a> The OCR Web site lists 489 breaches, but two duplicates are included in the dataset.  <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html">http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html</a>.</p>
<p><a href="#_ftnref16">[16]</a> <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html">http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html</a>.</p>
<p><a href="#_ftnref17">[17]</a> See <a href="http://www.ponemon.org/blog/post/cost-of-a-data-breach-climbs-higher">http://www.ponemon.org/blog/post/cost-of-a-data-breach-climbs-higher</a>.</p>
<p><a href="#_ftnref18">[18]</a> Joseph Goedert, “What Happens After a Data Breach?”, Health Data Management, August 3, 2011, which is available online at:  <a href="http://www.healthdatamanagement.com/news/protected-health-information-data-breach-42935-1.html">http://www.healthdatamanagement.com/news/protected-health-information-data-breach-42935-1.html</a>.</p>
<p><a href="#_ftnref19">[19]</a> <a href="http://www.youtube.com/watch?v=aq3wL8ZXjBU">http://www.youtube.com/watch?v=aq3wL8ZXjBU</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2012/08/happy-16th-birthday-hipaa-five-hipaa-compliance-activities-your-organization-must-undertake-now/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>EFT and RA Transaction Operating Rules IFC Published in Federal Register August 10</title>
		<link>http://www.hipaa.com/2012/08/eft-and-ra-transaction-operating-rules-ifc-published-in-federal-register-august-10/</link>
		<comments>http://www.hipaa.com/2012/08/eft-and-ra-transaction-operating-rules-ifc-published-in-federal-register-august-10/#comments</comments>
		<pubDate>Fri, 10 Aug 2012 18:21:24 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[5010 Version]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health Care Reform]]></category>
		<category><![CDATA[Transactions & Code Sets]]></category>
		<category><![CDATA[835]]></category>
		<category><![CDATA[acknowledgement standard]]></category>
		<category><![CDATA[administrative costs]]></category>
		<category><![CDATA[Administrative Simplification]]></category>
		<category><![CDATA[Affordable Care Act]]></category>
		<category><![CDATA[BIR]]></category>
		<category><![CDATA[CAQH]]></category>
		<category><![CDATA[cash flow]]></category>
		<category><![CDATA[cash forecasting]]></category>
		<category><![CDATA[CORE]]></category>
		<category><![CDATA[DEPARTMENT OF HEALTH AND HUMAN SERVICES]]></category>
		<category><![CDATA[EDI]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[EFT]]></category>
		<category><![CDATA[electronic data interchange]]></category>
		<category><![CDATA[electronic funds transfers]]></category>
		<category><![CDATA[electronic remittance advice]]></category>
		<category><![CDATA[enrollment]]></category>
		<category><![CDATA[ERA]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[fraud control]]></category>
		<category><![CDATA[GDP]]></category>
		<category><![CDATA[health plans]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[IFC]]></category>
		<category><![CDATA[interim final rule with comment period]]></category>
		<category><![CDATA[March 23 2010]]></category>
		<category><![CDATA[Operating Rule Set]]></category>
		<category><![CDATA[operating rules]]></category>
		<category><![CDATA[paper check form]]></category>
		<category><![CDATA[payment reconciliation]]></category>
		<category><![CDATA[payment recovery]]></category>
		<category><![CDATA[posting]]></category>
		<category><![CDATA[Public Law 111-148]]></category>
		<category><![CDATA[Public Law 111-152]]></category>
		<category><![CDATA[RA transaction]]></category>
		<category><![CDATA[reassociation]]></category>
		<category><![CDATA[regulatory action]]></category>
		<category><![CDATA[regulatory impact analysis]]></category>
		<category><![CDATA[remittance advice transactions]]></category>
		<category><![CDATA[RIA]]></category>
		<category><![CDATA[section 1104(b)(2)]]></category>
		<category><![CDATA[section 1173(g)]]></category>
		<category><![CDATA[Social Security Act]]></category>
		<category><![CDATA[TPA]]></category>
		<category><![CDATA[trading partners]]></category>
		<category><![CDATA[x12 999]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2654</guid>
		<description><![CDATA[August 10, 2012.  Today, the Interim Final Rule with comment period (IFC):  Administrative Simplification:  Adoption of Operating Rules for Electronic Funds Transfers (EFT) and Remittance Advice Transactions, was published in the Federal Register.  The effective date of the IFC is the date of publication, August 10, 2012.   Comments on the IFC may be submitted to the Department of Health and Human Services (HHS) on or before October 9, 2012, with submission instructions included on page 48008 of the IFC.  Covered entities must be in compliance with the EFT &#038; ERA Operating Rule Set by January 1, 2014.]]></description>
			<content:encoded><![CDATA[<p><strong>August 10, 2012</strong>.  Today, the Interim Final Rule with comment period (IFC):  <em>Administrative Simplification:  Adoption of Operating Rules for Electronic Funds Transfers (EFT) and Remittance Advice Transactions</em>, was published in the <em><a href="http://www.gpo.gov/fdsys/pkg/FR-2012-08-10/pdf/2012-19557.pdf" target="_blank">Federal Register</a></em>.  The effective date of the IFC is the date of publication, August 10, 2012.   Comments on the IFC may be submitted to the Department of Health and Human Services (HHS) on or before October 9, 2012, with submission instructions included on page 48008 of the IFC.    The Executive Summary (without footnotes) from the IFC follows:</p>
<p>&#8220;A.  Purpose of the Regulatory Action.  Health care spending in the United States constitutes nearly 18 percent of the US Gross Domestic Product (GDP) and costs an average of $9,000 per person annually. Many factors contribute to the high cost of health care in the United States, but studies point to administrative costs as having a substantial impact on the growth of spending and an area of costs that could likely be reduced.</p>
<p>&#8220;One area of administrative burden that can be lessened for health care providers is the time and labor spent interacting with multiple health insurance plans, called billing and insurance related (BIR) tasks.  The average physician spends a cumulative total of 3 weeks a year on BIR tasks according to one study, and, in a physician&#8217;s office, two-thirds of a full-time employee per physician is necessary to conduct BIR tasks.</p>
<p>&#8220;The tasks and costs of activities directly related to collecting payments are a category of BIR tasks.  Nearly 40 percent of nonclinical staff time spent on BIR tasks in a physician practice is dedicated to activities directly related to collecting payments.  According to estimates that are discussed more broadly in the Regulatory Impact Analysis (RIA) [of the IFC], most health care providers collect and deposit paper checks, and manually post and reconcile the health care claim payments in their accounting systems.  By automating some of these tasks, time and labor spent on the collection of payments can be decreased. Automation can be achieved through the electronic transfer of information or electronic data interchange (EDI).  Through the use of electronic funds transfers (EFT) for health care claim payments and the use of electronic remittance advice (ERA) that describes adjustments to the payments, BIR costs can be decreased.</p>
<p>&#8220;The benefits of EFT have been realized in many other industries.  The benefits include material cost savings, fraud control, and improved cash flow and cash forecasting.  The benefits of ERA have also been demonstrated in terms of cost savings in paper and mailings.  By receiving remittance advice electronically, providers can use electronic denial management tools that dramatically improve payment recovery and reconciliation. Despite these advantages, an estimated 70 percent of health care claim payments continue to be in paper check form and an estimated 75 percent of remittance advices are sent through the mail in paper form.</p>
<p>&#8220;There is evidence that the use of operating rules for specific electronic health care transactions results in higher use of EDI by health care providers.  We expect usage of EFT and ERA by the health care industry will increase and administrative savings will be realized when industry implements the operating rules for those transactions.</p>
<p>&#8220;B.  Legal Authority for the Regulatory Action.  The legal authority for the adoption of operating rules rests in section 1173(g) of the Social Security Act (the Act).  Section 1173(g) of the Act was added by section 1104(b)(2) of the Patient Protection and Affordable Care Act (Public Law 111-148), enacted on March 23, 2010, as amended by the Health Care and Education Reconciliation Act of 2010 (Public Law 111-152), enacted on March 30, 2010 (collectively known as and hereinafter referred to as the Affordable Care Act).</p>
<p>&#8220;C.  Summary of the Major Provisions of the Regulatory Action.  In this interim final rule with comment period (IFC), we are adopting the Phase III Council for Affordable Quality Healthcare (CAQH) Committee on Operating Rules for Information Exchange (CORE) EFT &amp; ERA Operating Rule Set, including the CORE v5010 Master Companion Guide Template, for the health care EFT and remittance advice transaction (hereinafter referred to as the EFT &amp; ERA Operating Rule Set), with one exception:  We are not adopting Requirement 4.2, titled &#8216;Health Care Claim Payment/Advice Batch Acknowledgement Requirements,&#8217; of the Phase III CORE 350 Health Care Claim Payment/Advice (835) Infrastructure Rule because that requirement requires the use of the Accredited Standards Committee (ASC) X12 999 acknowledgement standard, and the Secretary [of HHS] has not adopted standards for acknowledgements.</p>
<p>&#8220;Covered entities must be in compliance with the EFT &amp; ERA Operating Rule Set by January 1, 2014.</p>
<p>&#8220;D.  Costs and Benefits.  Both costs and benefits are analyzed by examining the costs and cost savings of implementing and using the EFT &amp; ERA Operating Rule Set adopted in this IFC in the following four areas of administrative tasks&#8211;</p>
<ul>
<li>Provider enrollment in EFT and ERA;</li>
<li>Implementing infrastructure and communication networks between trading partners;</li>
<li>Reassociation of the payment information with the remittance information; and</li>
<li>Posting payment adjustments and claim denials.</li>
</ul>
<p>&#8220;To a large extent, the costs of implementing the EFT &amp; ERA Operating Rule Set will be borne by the health plans, with much of the benefits accruing to providers.  Many health plans actively participated in the development of these rules, and the requirements they put on themselves were carefully deliberated.  In the RIA of this IFC, we estimate the cost to implement the EFT &amp; ERA Operating Rule Set is $1.2 to $2.7 billion for government and commercial health plans, including third party administrators (TPAs), hospitals, and physician offices.  The savings from and cost benefit of using the EFT &amp; ERA Operating Rule Set is $3 to $4.5 billion for government and commercial health plans, hospitals, and physician offices.  The net savings derived from using the EFT &amp; ERA Operating Rule Set over 10 years ranges from approximately $300 million to $3.3 billion.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2012/08/eft-and-ra-transaction-operating-rules-ifc-published-in-federal-register-august-10/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OCR Publishes HIPAA/HITECH Act Privacy and Security Compliance Audit Protocol</title>
		<link>http://www.hipaa.com/2012/07/ocr-publishes-hipaahitech-act-privacy-and-security-compliance-audit-protocol/</link>
		<comments>http://www.hipaa.com/2012/07/ocr-publishes-hipaahitech-act-privacy-and-security-compliance-audit-protocol/#comments</comments>
		<pubDate>Mon, 09 Jul 2012 19:30:00 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[accounting of disclosures]]></category>
		<category><![CDATA[Administrative Safeguard]]></category>
		<category><![CDATA[amendment]]></category>
		<category><![CDATA[audit procedures]]></category>
		<category><![CDATA[Audit Protocol]]></category>
		<category><![CDATA[availability]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[conduct risk assessment]]></category>
		<category><![CDATA[confidentiality]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[DEPARTMENT OF HEALTH AND HUMAN SERVICES]]></category>
		<category><![CDATA[ePHI]]></category>
		<category><![CDATA[established performance criteria]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HIPAA PRIVACY RULE]]></category>
		<category><![CDATA[HIPAA Security Rule]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[HITECH Act Breach Notification Rule]]></category>
		<category><![CDATA[inquire of management]]></category>
		<category><![CDATA[integrity]]></category>
		<category><![CDATA[key activity]]></category>
		<category><![CDATA[keyword search]]></category>
		<category><![CDATA[mandate]]></category>
		<category><![CDATA[modules]]></category>
		<category><![CDATA[notice of privacy practice]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[Office for Civil Rights]]></category>
		<category><![CDATA[performance audits]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[physical safeguard]]></category>
		<category><![CDATA[policies and procedures]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[Technical Safeguard]]></category>
		<category><![CDATA[use and disclosure]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2646</guid>
		<description><![CDATA[July 9, 2012.  Late in June, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) published its HIPAA/HITECH Act Privacy and Security Compliance Audit Protocol.  OCR's Audit Protocol Program outlines 77 audit procedures for the HIPAA Security Rule and 88 audit procedures for the HIPAA Privacy and HITECH Act Breach Notification Rules, from which compliance auditors may select, that must be addressed by management of a covered entity that receives notice of a compliance audit.  These procedures focus on policies and procedures and their implementation relating to performance criteria underlying HIPAA/HITECH Act Privacy, Security, and Breach Notification Rules.  ]]></description>
			<content:encoded><![CDATA[<p><strong>July 9, 2012</strong>.  Late in June, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) published its <a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html" target="_blank">HIPAA/HITECH Act Privacy and Security <em>Compliance Audit</em> Protocol</a>.  Here is OCR&#8217;s description of the program, which outlines 77 audit procedures for the HIPAA Security Rule and 88 audit procedures for the HIPAA Privacy and HITECH Act Breach Notification Rules:</p>
<p>&#8220;The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate.  OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits.  The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification.  The combination of these multiple requirements may vary based on the type of covered entity selected for review.</p>
<ul>
<li>The audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for PHI [protected health information], (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.</li>
<li>The protocol covers Security Rule requirements for administrative, physical, and technical safeguards.</li>
<li>The protocol covers requirements for the Breach Notification Rule.&#8221;</li>
</ul>
<p>The OCR Audit Protocol Web site linked above outlines each of the audit procedures, which start with the phrase &#8220;inquire of management,&#8221; and permits <em>keyword search</em>. As an example, we reproduce below the first audit procedure under the Security Rule, whose key activity is <em>conduct risk assessment</em>:</p>
<p><em><strong>Section</strong>: </em>45 CFR 164.308</p>
<p><em><strong>Established Performance Criteria</strong></em>:  45 CFR 164.308(a)(1).  Security Management Process (45 CFR 164.308(a)(1)(ii)(A)): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.</p>
<p><em><strong>Key Activity</strong></em>:  Conduct Risk Assessment</p>
<p><em><strong>Audit Procedures</strong></em>:  Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI [electronic PHI].  Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI.  Evidence that the covered entity&#8217;s risk assessment process or methodology considers the elements in the criteria and [whether it] has been updated or maintained to reflect changes in the covered entity&#8217;s environment. Determine if the covered entity risk assessment has been conducted on a periodic basis.  Determine if the covered entity has identified all systems that contain, process, or transmit ePHI.</p>
<p><em>Implementation Specification</em>:  Required.</p>
<p>HIPAA.com recommends that covered entities pay close attention to the wording of OCR&#8217;s audit procedures as they pertain to the entity&#8217;s documented and implemented policies and procedures, both to pass a compliance audit and to avoid potentially costly and time-consuming OCR enforcement action.  Note that the procedure quoted above asks for evidence on three separate points: that a risk assessment methodology exists and is documented, that it has been repeated periodically and updated for environmental change, and that its scope covers every system that stores, processes, or transmits ePHI.  A one-time assessment, or one that omits systems, will not satisfy it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2012/07/ocr-publishes-hipaahitech-act-privacy-and-security-compliance-audit-protocol/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OCR&#8217;s Publicly Disclosed Large Breaches Now Top 20 Million Impacted Individuals</title>
		<link>http://www.hipaa.com/2012/05/ocrs-publicly-disclosed-large-breaches-now-top-20-million-impacted-individuals/</link>
		<comments>http://www.hipaa.com/2012/05/ocrs-publicly-disclosed-large-breaches-now-top-20-million-impacted-individuals/#comments</comments>
		<pubDate>Wed, 16 May 2012 14:39:06 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[Breach Notification Web site]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[Corrective Action Plan]]></category>
		<category><![CDATA[covered entities]]></category>
		<category><![CDATA[DEPARTMENT OF HEALTH AND HUMAN SERVICES]]></category>
		<category><![CDATA[electronic]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[EO 12866]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[final rules]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[hard copy]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HIPAA/HITECH Act]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[individuals]]></category>
		<category><![CDATA[IT incident]]></category>
		<category><![CDATA[laptop]]></category>
		<category><![CDATA[lost]]></category>
		<category><![CDATA[March 24 2012]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[Office for Civil Rights]]></category>
		<category><![CDATA[Office of Management and Budget]]></category>
		<category><![CDATA[OMB]]></category>
		<category><![CDATA[other portable electronic device]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[policies and procedures]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[Resolution Agreement]]></category>
		<category><![CDATA[Risk Analysis]]></category>
		<category><![CDATA[safeguard]]></category>
		<category><![CDATA[stolen]]></category>
		<category><![CDATA[Training]]></category>
		<category><![CDATA[Utah Department of Health]]></category>
		<category><![CDATA[workforce member]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2639</guid>
		<description><![CDATA[May 16, 2012.  The Department of Health and Human Services' (HHS) HIPAA/HITECH Act privacy and security enforcement arm, Office for Civil Rights (OCR), is responsible under the HITECH Act to publicly disclose privacy and security breaches that affect 500 or more individuals on its Breach Notification Web site.  With the now reported Utah Department of Health hacking/IT incident breach occurring in the period March 10-April 2, 2012 and affecting a reported 780,000 individuals, the total number in 435 breaches reported since September 22, 2009, now totals 20,079,189 impacted individuals.  Publication of the delayed Final HIPAA/HITECH Act Privacy, Security, Breach Notification, and Enforcement Rules, still at OMB, with stronger education and enforcement efforts by OCR, would help to stem the occurrence of these large breaches.]]></description>
<content:encoded><![CDATA[<p><strong>May 16, 2012</strong>.  The Department of Health and Human Services&#8217; (HHS) HIPAA/HITECH Act privacy and security enforcement arm, Office for Civil Rights (OCR), is responsible under the HITECH Act for publicly disclosing privacy and security breaches that affect 500 or more individuals on its <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html" target="_blank">Breach Notification Web site</a>.  With the now reported Utah Department of Health hacking/IT incident breach occurring in the period March 10-April 2, 2012 and affecting a reported 780,000 individuals, the total number in 435 breaches reported since September 22, 2009, now totals 20,079,189 impacted individuals.  Of the breaches where the location of the breached information is known (i.e., electronic or hard-copy source), 72% involve electronic sources and 28% paper sources.  Of the total irrespective of source, just under 20% involve a business associate.  Of the electronically sourced breaches, just over 61% involved a laptop or other portable electronic device, and just under 92% of those are reported as stolen or lost. Many of these incidents could have been avoided if the data had been secured through encryption: under HHS&#8217;s guidance on securing PHI, PHI encrypted consistent with that guidance is not &#8220;unsecured&#8221; PHI, so the loss or theft of a properly encrypted device is not a reportable breach.</p>
<p>The Office of Management and Budget (OMB) has been sitting on the delayed <a href="http://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201110&amp;RIN=0945-AA03" target="_blank">Final Privacy, Security, Breach Notification, and Enforcement Rules</a> since March 24, 2012.  A speedier exit from OMB&#8217;s EO 12866 review of these Final Rules before publication in the <em>Federal Register</em> might focus the attention of covered entities and business associates on securing protected health information (PHI) and reduce the likelihood of these large breaches, whose consequences are costly and time-consuming to remedy, as shown by the <em>Corrective Action Plan</em> that is part of the April 17, 2012, Phoenix Cardiac Surgery <a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/pcsurgery_agreement.pdf" target="_blank">Resolution Agreement</a> with HHS. Hopefully, OMB soon will release the delayed Final Rules, and OCR will accompany their publication with a comprehensive and continuing educational effort that highlights the importance of conducting a risk analysis, developing policies and procedures to safeguard PHI, training workforce members on those safeguards, and demonstrating the consequences of failing to achieve compliance.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2012/05/ocrs-publicly-disclosed-large-breaches-now-top-20-million-impacted-individuals/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ONC Issues Meaningful Use Guide for Privacy &amp; Security Attestation Compliance</title>
		<link>http://www.hipaa.com/2012/05/onc-issues-meaningful-use-guide-for-privacy-security-attestation-compliance/</link>
		<comments>http://www.hipaa.com/2012/05/onc-issues-meaningful-use-guide-for-privacy-security-attestation-compliance/#comments</comments>
		<pubDate>Wed, 09 May 2012 22:20:42 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health IT and HITECH]]></category>
		<category><![CDATA[Meaningful Use]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[45 CFR 164.308(a)]]></category>
		<category><![CDATA[access]]></category>
		<category><![CDATA[administrative]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[business associate]]></category>
		<category><![CDATA[business associate agreement]]></category>
		<category><![CDATA[Certified EHR]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[designated record set]]></category>
		<category><![CDATA[designated representative]]></category>
		<category><![CDATA[diagnostic test results]]></category>
		<category><![CDATA[documentation]]></category>
		<category><![CDATA[EHR]]></category>
		<category><![CDATA[electronic copy of health information]]></category>
		<category><![CDATA[Guide to Privacy and Security of Health Information]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HIPAA PRIVACY RULE]]></category>
		<category><![CDATA[HIPAA Security Rule]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[implementation specification]]></category>
		<category><![CDATA[Meaningful Us]]></category>
		<category><![CDATA[measures]]></category>
		<category><![CDATA[Medicaid]]></category>
		<category><![CDATA[Medicare]]></category>
		<category><![CDATA[medication allergies]]></category>
		<category><![CDATA[medication lists]]></category>
		<category><![CDATA[mitigating security risk]]></category>
		<category><![CDATA[objectives]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[Office for Civl Rights]]></category>
		<category><![CDATA[Office of the National Coordinator for Health Information Technology]]></category>
		<category><![CDATA[ONC]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[physical]]></category>
		<category><![CDATA[practice]]></category>
		<category><![CDATA[problem list]]></category>
		<category><![CDATA[Program for Adoption and Meaningful Use of Certified Electronic Health Record Technology]]></category>
		<category><![CDATA[protected health information]]></category>
		<category><![CDATA[risk management process]]></category>
		<category><![CDATA[safeguard]]></category>
		<category><![CDATA[security risk analysis]]></category>
		<category><![CDATA[security updates]]></category>
		<category><![CDATA[Stage 1 Meaningful Use]]></category>
		<category><![CDATA[standard]]></category>
		<category><![CDATA[technical]]></category>
		<category><![CDATA[Training]]></category>
		<category><![CDATA[unauthorized access or use]]></category>
		<category><![CDATA[workforce member]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2625</guid>
		<description><![CDATA[May 9, 2012.  The Office of the National Coordinator for Health Information Technology (ONC) has issued a Guide to Privacy and Security of Health Information (Version 1.1 022312).  This Guide is targeted to medical practitioners who participate in the Medicare and Medicaid Program for Adoption and Meaningful Use of Certified Electronic Health Record Technology.  This Guide should not be relied on as an instruction manual for achieving HIPAA Privacy and Security and HITECH Act Breach Notification compliance, but does have useful guidance to public resources for so doing.]]></description>
<content:encoded><![CDATA[<p><strong>May 9, 2012</strong>.  The <a href="http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__home/1204" target="_blank">Office of the National Coordinator for Health Information Technology</a> (ONC) has issued a <em><a href="http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf" target="_blank">Guide to Privacy and Security of Health Information</a></em> (Version 1.1 022312).  This Guide is targeted to medical practitioners who participate in the Medicare and Medicaid Program for Adoption and Meaningful Use of Certified Electronic Health Record Technology.</p>
<p>Chapters are:</p>
<p>1. What Is Privacy &amp; Security and Why Does It Matter?</p>
<p>2. Privacy &amp; Security and Meaningful Use.</p>
<p>3.  Privacy &amp; Security Step Plan for Meaningful Use.</p>
<p>4.  Integrating Privacy and Security into Your Practice.</p>
<p>5.  Privacy and Security Resources.</p>
<p>The Guide highlights two of the Stage 1 Meaningful Use Objectives and Corresponding Measures relating to Privacy (Objective #12) and Security (Objective #15):</p>
<p><em>&#8220;Objective #12</em>:  Provide Patients with an electronic copy of their health information (including diagnostic test results, problem list, medication lists, medication allergies) upon request.  <em>Measure</em>:  More than 50 percent of all patients who request an electronic copy of their health information are provided it within three business days.  Under the HIPAA Privacy Rule (access), patients have a right to view and obtain a copy of their protected health information (PHI) in your designated record set, including information stored in your EHR [electronic health record].</p>
<p><em>&#8220;Objective #15: </em>Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.  <em>Measure</em>:  Conduct or review a security risk analysis in accordance with the requirements under the HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)), implement security updates as necessary and correct identified security deficiencies as part of the risk management process.  Under the HIPAA Security Rule, you are required to conduct a security risk analysis (45 CFR 164.308).&#8221;</p>
<p>The Guide also outlines 10 steps for achieving Meaningful Use:</p>
<p>&#8220;1.  Confirm you are a &#8216;covered entity&#8217;</p>
<p>2.  Provide leadership</p>
<p>3.  Document your process, findings, and actions</p>
<p>4.  Conduct security risk analysis</p>
<p>5.  Develop an action plan</p>
<p>6.  Manage and mitigate risks</p>
<p>7.  Prevent with education and training</p>
<p>8.  Communicate with patients</p>
<p>9.  Update business associate agreements</p>
<p>10. Attest for the Security Risk Analysis MU [meaningful use] Objective.&#8221;</p>
<p>While each of those steps is important, the content provides little guidance for compliance with HIPAA Privacy and Security and HITECH Act Breach Notification Rules, and ONC does not have enforcement authority for them.  The Guide does state on page 7:</p>
<p>&#8220;[t]hese Meaningful Use requirements [Core Objectives and Measures 12 and 15] are not intended to supersede or substitute for compliance required under HIPAA. If you are a covered entity, you are still required to comply with the HIPAA Privacy and Security Rules.&#8221;</p>
<p>While the content in the Guide focuses on attaining and attesting to Privacy and Security related to Meaningful Use of Certified EHR Technology, the resources identified in Chapter 5 of the Guide are useful for assembling information on the HIPAA Privacy, Security, and HITECH Act Breach Notification Rules.  Again, other than for risk analysis guidance, the content in the Guide is insufficient for meaningfully attaining compliance with the HIPAA Privacy, Security, and HITECH Act Breach Notification Rules, particularly their standards and implementation specifications, and should not be relied upon for that.  In addition to the risk analysis, HIPAA Privacy and Security and HITECH Act Breach Notification compliance requires mitigating security risks, such as securing protected health information (PHI) from unauthorized access or use, <em>preparing and documenting administrative, physical, and technical policies and procedures for safeguarding PHI</em>, and <em>training</em> workforce members and designated representatives of business associates on those safeguards.  We have covered these topics extensively on HIPAA.com, and additional information is available from the HHS enforcement arm for privacy and security, the <a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html" target="_blank">Office for Civil Rights</a> (OCR).</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2012/05/onc-issues-meaningful-use-guide-for-privacy-security-attestation-compliance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OCR Penalizes Physician Practice for HIPAA Privacy and Security Rule Violations</title>
		<link>http://www.hipaa.com/2012/04/ocr-penalizes-physician-practice-for-hipaa-privacy-and-security-rule-violations/</link>
		<comments>http://www.hipaa.com/2012/04/ocr-penalizes-physician-practice-for-hipaa-privacy-and-security-rule-violations/#comments</comments>
		<pubDate>Wed, 18 Apr 2012 19:03:13 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[American Recovery and Reinvestment Act]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Appendix A]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[business associate agreement]]></category>
		<category><![CDATA[civil money penalty]]></category>
		<category><![CDATA[complaint investigation]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[compliance audit]]></category>
		<category><![CDATA[Corrective Action Plan]]></category>
		<category><![CDATA[covered conduct]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[cup]]></category>
		<category><![CDATA[DEPARTMENT OF HEALTH AND HUMAN SERVICES]]></category>
		<category><![CDATA[discovery]]></category>
		<category><![CDATA[electronic protected health information]]></category>
		<category><![CDATA[ePHI]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA PRIVACY RULE]]></category>
		<category><![CDATA[HIPAA Security Rule]]></category>
		<category><![CDATA[Leon Rodriguez]]></category>
		<category><![CDATA[news release]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[OCR investigation]]></category>
		<category><![CDATA[Office for Civil Rights]]></category>
		<category><![CDATA[patient information]]></category>
		<category><![CDATA[Phoenix AZ]]></category>
		<category><![CDATA[Phoenix Cardiac Surgery]]></category>
		<category><![CDATA[physician practice]]></category>
		<category><![CDATA[policies and procedures]]></category>
		<category><![CDATA[Prescott AZ]]></category>
		<category><![CDATA[reportable events]]></category>
		<category><![CDATA[Resolution Agreement]]></category>
		<category><![CDATA[Risk Analysis]]></category>
		<category><![CDATA[safeguards]]></category>
		<category><![CDATA[Security Official]]></category>
		<category><![CDATA[settlement]]></category>
		<category><![CDATA[violations]]></category>
		<category><![CDATA[workforce member]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2616</guid>
		<description><![CDATA[April 18, 2012.  Late last week, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) executed a Resolution Agreement and included Corrective Action Plan (Appendix A) as a settlement for violations of HIPAA Privacy and Security Rules by a physician practice, Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, AZ.  Under the Resolution Agreement, the practice agreed to payment of a $100,000 settlement and to becoming fully compliant with HIPAA Privacy and Security Rules, including conducting a risk analysis, implementing policies and procedures to safeguard protected health information, and training workforce members on those safeguards.]]></description>
			<content:encoded><![CDATA[<p>April 18, 2012.  Late last week, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) executed a <em><a href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/pcsurgery_agreement.pdf" target="_blank">Resolution Agreement</a> </em>and included <em>Corrective Action Plan</em> (Appendix A) as a settlement for violations of HIPAA Privacy and Security Rules by a physician practice, Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, AZ.</p>
<p>In its April 17, 2012, <em><a href="http://www.hhs.gov/news/press/2012pres/04/20120417a.html" target="_blank">News Release</a></em>, HHS stated:</p>
<p>&#8220;The incident giving rise to OCR&#8217;s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients&#8217; electronic protected health information (ePHI).</p>
<p>&#8220;&#8216;This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,&#8217; said Leon Rodriguez, director of OCR. &#8216;We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.&#8217;</p>
<p>&#8220;OCR&#8217;s investigation [of Phoenix Cardiac Surgery] also revealed the following issues:</p>
<ul>
<li>Failed to implement adequate policies and procedures to appropriately safeguard patient information;</li>
<li>Failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;</li>
<li>Failed to identify a security official and conduct a risk analysis; and</li>
<li>Failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.</li>
</ul>
<p>&#8220;Under the HHS resolution agreement, Phoenix Cardiac Surgery has agreed to pay a $100,000 settlement amount and [to] a corrective action plan that includes a review of recently developed policies and other actions taken to come into full compliance with the Privacy and Security Rules.&#8221;</p>
<p>HIPAA.com recommends that the reader review the <em>Corrective Action Plan</em>, especially sections V. (Corrective Action Obligations:  A.  Policies and Procedures; B.  Distribution and Updating of Policies and Procedures; C.  Minimum Content of the Policies and Procedures; D. Training; and E. Reportable Events) on pages 7-10; VI. (Implementation Report) on pages 10-11; and VIII. (Breach Provisions:  D.  Imposition of CMP (civil money penalty) ["for any violations of the Privacy and Security Rules related to the Covered Conduct set forth in paragraph 2 of the Agreement and for any other act or failure to act that constitutes a violation of the Privacy or Security Rules"]) on page 12.  As we have mentioned frequently in earlier posts, covered entities&#8211;and business associates after publication of the <a href="http://www.reginfo.gov/public/do/eAgendaViewRule?pubId=201110&amp;RIN=0945-AA03" target="_blank">Final Rules </a>in the <em>Federal Register</em>&#8211;will find it less onerous, costly, and time consuming <em>now </em>to conduct a risk analysis, implement policies and procedures for safeguarding protected health information, and train workforce members than under constraints of a possible <em>Corrective Action Plan</em> <em>after</em> discovery of HIPAA Privacy or Security Rule violations from a compliance audit, complaint investigation, or breach.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2012/04/ocr-penalizes-physician-practice-for-hipaa-privacy-and-security-rule-violations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HHS Publishes NPRM for HIPAA Health Plan Identifier and Delay for ICD-10 Compliance Date</title>
		<link>http://www.hipaa.com/2012/04/hhs-publishes-nprm-for-hipaa-health-plan-identifier-and-delay-for-icd-10-compliance-date/</link>
		<comments>http://www.hipaa.com/2012/04/hhs-publishes-nprm-for-hipaa-health-plan-identifier-and-delay-for-icd-10-compliance-date/#comments</comments>
		<pubDate>Tue, 17 Apr 2012 15:52:55 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Identifiers]]></category>
		<category><![CDATA[Transactions & Code Sets]]></category>
		<category><![CDATA[Administrative Simplification]]></category>
		<category><![CDATA[claim]]></category>
		<category><![CDATA[clearinghouse]]></category>
		<category><![CDATA[code sets]]></category>
		<category><![CDATA[compliance date]]></category>
		<category><![CDATA[controlling health plan]]></category>
		<category><![CDATA[covered entities]]></category>
		<category><![CDATA[covered entity]]></category>
		<category><![CDATA[covered transaction]]></category>
		<category><![CDATA[data element]]></category>
		<category><![CDATA[definition]]></category>
		<category><![CDATA[DEPARTMENT OF HEALTH AND HUMAN SERVICES]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Health Plan Identifier]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HPID]]></category>
		<category><![CDATA[ICD-10-CM]]></category>
		<category><![CDATA[ICD-10-PCS]]></category>
		<category><![CDATA[individuals]]></category>
		<category><![CDATA[National Provider Identifier]]></category>
		<category><![CDATA[Notice of Proposed Rule Making]]></category>
		<category><![CDATA[NPI]]></category>
		<category><![CDATA[NPRM]]></category>
		<category><![CDATA[OEID]]></category>
		<category><![CDATA[Office of the Secretary]]></category>
		<category><![CDATA[other entity identifier]]></category>
		<category><![CDATA[payer]]></category>
		<category><![CDATA[pharmacy]]></category>
		<category><![CDATA[prescriber]]></category>
		<category><![CDATA[prescription]]></category>
		<category><![CDATA[standard]]></category>
		<category><![CDATA[sub health plan]]></category>
		<category><![CDATA[third party administrator]]></category>
		<category><![CDATA[transaction vendor]]></category>
		<category><![CDATA[uniform identifier]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2608</guid>
		<description><![CDATA[April 17, 2012.  The Office of the Secretary of the Department of Health and Human Services (HHS) published today in the Federal Register its Notice of Proposed Rule Making (NPRM):  Administrative Simplification:  Adoption of a Standard for a Unique Health Plan Identifier; Addition to the National Provider Identifier Requirements; and a Change to the Compliance Date for ICD-10-CM and ICD-10-PCS Medical Data Code Sets. HHS invites comments on this NPRM, to be received no later than 5 PM on Thursday, May 17, 2012.  Instructions for submitting comments are provided in the NPRM.]]></description>
			<content:encoded><![CDATA[<p><strong>April 17, 2012</strong>.  The Office of the Secretary of the Department of Health and Human Services (HHS) published today in the <em>Federal Register </em>its Notice of Proposed Rule Making (NPRM):  <a href="http://www.gpo.gov/fdsys/pkg/FR-2012-04-17/pdf/2012-8718.pdf" target="_blank">Administrative Simplification:  Adoption of a Standard for a Unique Health Plan Identifier; Addition to the National Provider Identifier Requirements; and a Change to the Compliance Date for ICD-10-CM and ICD-10-PCS Medical Data Code Sets.</a></p>
<p>From the NPRM is the <em>Summary of the Major Provisions:</em></p>
<p>&#8220;a. HPID.  This rule proposes the adoption of the HPID [national unique health plan identifier] as the standard for the unique identifier for health plans and definitions for &#8216;Controlling Health Plan&#8217; and &#8216;Subhealth Plan.&#8217; The proposed definitions of these two terms seek to differentiate between health plan entities that would be required to obtain an HPID, and those that would be eligible, but not required, to obtain an HPID. This rule also proposes to require all covered entities to use an HPID whenever a covered entity identifies a health plan in a covered transaction.  Because health plans today have many different business structures and arrangements that affect how health plans are identified in standard transactions, these two proposed definitions also seek to enable health plans to obtain HPIDs to reflect differing business arrangements so they can be identified appropriately in standard transactions.</p>
<p>&#8220;This rule also proposes the adoption of a data element that would serve as an other entity identifier (OEID).  The OEID would serve as an identifier for entities that are not health plans, health care providers, or &#8216;individuals&#8217; (as defined in 45 CFR 160.103), but that need to be identified in standard transactions (including, for example, third party administrators, transaction vendors, clearinghouses, and other payers). Under this proposed rule, these other entities would not be required to obtain an OEID, but they could obtain and use one if they needed to be identified in covered transactions.  Because other entities are identified in standard transactions in a similar manner as health plans, we believe that establishing a data element to serve as an identifier for these entities will increase efficiency by encouraging the use of a uniform identifier.</p>
<p>&#8220;The most significant benefit of the HPID and the OEID is that they will increase standardization within HIPAA standard transactions by establishing uniform identifiers.</p>
<p>&#8220;b.  NPI.  This rule proposes that an organization covered health care provider require certain noncovered individual health care providers who are prescribers to:  (1) Obtain NPIs [National Provider Identifiers] and; (2) to the extent the prescribers write prescriptions while acting within the scope of the prescribers&#8217; relationship with the organization, disclose them to any entity that needs the NPIs to identify the prescribers in standard transactions.  This addition to the NPI requirements would address the issue that pharmacies are encountering when the NPI of a prescribing health care provider needs to be included on a pharmacy claim, but the prescribing health care provider does not have, or has not disclosed, an NPI.</p>
<p>&#8220;c.  ICD-10-CM and ICD-10-PCS.  This rule proposes that the compliance date for ICD-10-CM and ICD-10-PCS be changed from October 1, 2013 to October 1, 2014.  We believe this change will give covered entities the additional time needed to synchronize system and business process preparation and changeover to the updated medical data code sets.&#8221;</p>
<p>HHS invites comments on this NPRM, to be received no later than 5 PM on Thursday, May 17, 2012.  Instructions for submitting comments are provided in the NPRM on page 22950.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2012/04/hhs-publishes-nprm-for-hipaa-health-plan-identifier-and-delay-for-icd-10-compliance-date/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HHS Issues HIPAA NPRM for Unique Health Plan Identifier and One Year Delay for ICD-10 Code Set Compliance</title>
		<link>http://www.hipaa.com/2012/04/hhs-issues-hipaa-nprm-for-unique-health-plan-identifier-and-one-year-delay-for-icd-10-code-set-compliance/</link>
		<comments>http://www.hipaa.com/2012/04/hhs-issues-hipaa-nprm-for-unique-health-plan-identifier-and-one-year-delay-for-icd-10-code-set-compliance/#comments</comments>
		<pubDate>Wed, 11 Apr 2012 12:12:18 +0000</pubDate>
		<dc:creator>Ed Jones</dc:creator>
				<category><![CDATA[HIPAA Law: Administrative Simplification]]></category>
		<category><![CDATA[Health Care Reform]]></category>
		<category><![CDATA[Identifiers]]></category>
		<category><![CDATA[Transactions & Code Sets]]></category>
		<category><![CDATA[Administrative Simplification]]></category>
		<category><![CDATA[Affordable Care Act]]></category>
		<category><![CDATA[April 17 2012]]></category>
		<category><![CDATA[code sets]]></category>
		<category><![CDATA[DEPARTMENT OF HEALTH AND HUMAN SERVICES]]></category>
		<category><![CDATA[effective date]]></category>
		<category><![CDATA[Federal Register]]></category>
		<category><![CDATA[Health Insurance Portability and Accountability Act of 1996]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HPID]]></category>
		<category><![CDATA[ICD-10-CM]]></category>
		<category><![CDATA[ICD-10-PCS]]></category>
		<category><![CDATA[National Provider Identifier]]></category>
		<category><![CDATA[Notice of Proposed Rule Making]]></category>
		<category><![CDATA[NPI]]></category>
		<category><![CDATA[NPRM]]></category>
		<category><![CDATA[October 1 2012]]></category>
		<category><![CDATA[October 1 2013]]></category>
		<category><![CDATA[October 1 2014]]></category>
		<category><![CDATA[OEID]]></category>
		<category><![CDATA[Office of the Secretary]]></category>
		<category><![CDATA[other entity identifier]]></category>
		<category><![CDATA[Patient Protection and Affordable Care Act]]></category>
		<category><![CDATA[section 1104]]></category>
		<category><![CDATA[standard]]></category>
		<category><![CDATA[unique health plan identifier]]></category>

		<guid isPermaLink="false">http://www.hipaa.com/?p=2598</guid>
		<description><![CDATA[April 10, 2012.  Yesterday, the Office of the Secretary of the Department of Health and Human Services (HHS) promulgated a notice of proposed rule making (NPRM) entitled:  Administrative Simplification:  Adoption of a Standard for a Unique Health Plan Identifier; Addition to the National Provider Identifier Requirements; and a Change to the Compliance Date for ICD-10-CM and ICD-10-PCS Medical Data Code Sets. The NPRM will be published in the Federal Register on April 17, 2012.  Comments may be submitted to HHS for 30 days after publication.  HHS indicates that "[w]hen made final, the effective date of this regulation would be October 1, 2012."]]></description>
			<content:encoded><![CDATA[<p><strong>April 10, 2012</strong>.  Yesterday, the Office of the Secretary of the Department of Health and Human Services (HHS) promulgated a notice of proposed rule making (NPRM) entitled:  <em><a href="http://www.ofr.gov/OFRUpload/OFRData/2012-08718_PI.pdf" target="_blank">Administrative Simplification:  Adoption of a Standard for a Unique Health Plan Identifier; Addition to the National Provider Identifier Requirements; and a Change to the Compliance Date for ICD-10-CM and ICD-10-PCS Medical Data Code Sets</a>.</em> The NPRM will be published in the <em>Federal Register</em> on April 17, 2012.</p>
<p>Here is the NPRM summary:  &#8220;This proposed rule would implement section 1104 of the Patient Protection and Affordable Care Act (hereinafter referred to as the Affordable Care Act) by establishing new requirements for administrative transactions that would improve the utility of the existing Health Insurance Portability and Accountability Act of 1996 (HIPAA) transactions and reduce administrative burden and costs.  It proposes the adoption of the standard for a national unique health plan identifier (HPID) and requirements or provisions for the implementation of the HPID.  This rule also proposes the adoption of a data element that will serve as an other entity identifier (OEID), an identifier for entities that are not health plans, health care providers, or &#8216;individuals,&#8217; that need to be identified in standard transactions.  This proposed rule would also specify the circumstances under which an organization covered health care provider must require certain noncovered individual health care providers who are prescribers to obtain and disclose an NPI [National Provider Identifier].  Finally, this rule proposes to change the compliance date for the International Classification of Diseases, 10th Revision, Clinical Modification (ICD-10-CM) for diagnosis coding, including the Official ICD-10-CM Guidelines for Coding and Reporting, and the International Classification of Diseases, 10th Revision, Procedure Coding System (ICD-10-PCS) for inpatient hospital procedure coding, including the Official ICD-10-PCS Guidelines for Coding and Reporting, from October 1, 2013 to October 1, 2014.&#8221;</p>
<p>Comments on the NPRM may be submitted to HHS up to 30 days from the April 17, 2012, <em>Federal Register </em>publication of the NPRM.  HHS has indicated that <a href="http://www.cms.gov/apps/media/press/factsheet.asp?Counter=4332&amp;intNumPerPage=10&amp;checkDate=&amp;checkKey=&amp;srchType=1&amp;numDays=3500&amp;srchOpt=0&amp;srchData=&amp;keywordType=All&amp;chkNewsType=6&amp;intPage=&amp;showAll=&amp;pYear=&amp;year=&amp;desc=&amp;cboOrder=date" target="_blank">&#8220;[w]hen made final, the effective date of this regulation would be October 1, 2012.&#8221;</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.hipaa.com/2012/04/hhs-issues-hipaa-nprm-for-unique-health-plan-identifier-and-one-year-delay-for-icd-10-code-set-compliance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
