Today, we continue to examine definitions pertaining to the HIPAA Privacy Rule; next week, we shall begin to examine the modifications to its provisions. Today’s definition is health care operations, as modified in the Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013. The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.
Here is the discussion in the Final Rule related to the proposed modification to the definition of health care operations from the Notice of Proposed Rule Making (NPRM), with the proposed modification altered, then accepted in the Final Rule:
“The definition of ‘health care operations’ at 45 CFR 164.501 includes at paragraph (3) ‘underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or benefits * * *.’ To avoid confusion with the use of both ‘underwriting’ and ‘underwriting purposes’ in the Privacy Rule, and in recognition of the fact that the proposed definition of ‘underwriting purposes’ includes activities that fall within both the definitions of ‘payment’ and ‘health care operations’ in the Rule, the Department proposed to remove the term ‘underwriting’ from the definition of ‘health care operations.’ We also proposed to add the term ‘enrollment’ to the express list of health care operations activities to make clear that the removal of the term ‘underwriting’ would not impact the use or disclosure of protected health information that is not genetic information for enrollment purposes. These proposed revisions were not intended to be substantive changes to the definition and thus, health plans would be permitted to continue to use or disclose protected health information, except genetic information, for underwriting purposes. …
“Due to the confusion and concern expressed by the commenters regarding the removal of the term ‘underwriting’ from the definition, we retain the term ‘underwriting’ within the definition of ‘health care operations’ at 45 CFR 164.501. However, to make clear that a health plan may continue to use or disclose only protected health information that is not genetic information for underwriting, we include a reference to the prohibition on using or disclosing genetic information for underwriting purposes within the definition. The final rule also retains the term ‘enrollment’ within the definition because we believe it is helpful to clarify that this is a permitted health care operations activity.” 78 Federal Register 5666
Here is the modified definition of health care operations, which will be effective March 26, 2013, with the modifications underlined in (1) and (3):
Health care operations means any of the following activities of the covered entity to the extent that the activities are related to covered functions:
(1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; patient safety activities (as defined in 42 CFR 3.20); population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;
(2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;
(3) Except as prohibited under 45 CFR 164.502(a)(5)(i) [Prohibited uses and disclosures: Use and disclosure of genetic information for underwriting purposes], underwriting, enrollment, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of 45 CFR 164.514(g) [Standard: Uses and disclosures for underwriting and related purposes, as modified, 78 Federal Register 5700] are met, if applicable;
(4) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
(5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and
(6) Business management and general administrative activities of the entity, including, but not limited to:
(i) Management activities relating to implementation of and compliance with the requirements of this subchapter;
(ii) Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer.
(iii) Resolution of internal grievances;
(iv) The sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity; and
(v) Consistent with the applicable requirements of 45 CFR 164.514 [Other requirements relating to uses and disclosures of protected health information, as modified, 78 Federal Register 5700-5701], creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.