
Monday, August 02, 2010

HHS Moves Forward With HITECH Privacy, Security Provisions

One of the guiding principles behind the federal government's efforts to improve health care through health IT is that the benefits of health IT can be fully realized only if patients and health care providers are confident that electronic health information is kept private and secure.

The Health Information Technology for Economic and Clinical Health Act -- enacted on Feb. 17, 2009, and designed to promote widespread adoption of electronic health records and electronic health information exchange -- included a number of provisions to strengthen the privacy and security protections established under the Health Insurance Portability and Accountability Act. Amid a flurry of other regulations, including the final rule defining "meaningful use" of EHRs under HITECH's Medicare and Medicaid incentive programs, HHS last month released a Notice of Proposed Rulemaking that both implements many of the HITECH provisions and modifies other HIPAA requirements. 

The NPRM was published in the Federal Register on July 14, 2010, and is open to public comment until Sept. 13, 2010.

History of HITECH Privacy and Security Activity

The NPRM follows a series of recently released regulations implementing various HITECH privacy and security provisions. On Aug. 24, 2009, HHS issued an Interim Final Rule implementing the act's breach notification provisions. The rule required HIPAA covered entities (CEs) to notify affected individuals, the HHS secretary, and, in some cases, the media, of a breach of protected health information (PHI), thereby holding CEs and their business associates (BAs) accountable for proper safeguarding of the private information entrusted to their care.

HHS also released an Interim Final Rule on Oct. 30, 2009, implementing the increased civil monetary penalties for violations of HIPAA required under HITECH.

Details of the NPRM

Stakeholders have been anxiously awaiting the NPRM because it implements so many of HITECH's privacy and security provisions and also because many of the provisions had statutory effective dates of Feb. 18, 2010.

The NPRM includes provisions related to BAs, individual access to PHI, limits on uses and disclosures of PHI, and enforcement, all of which are detailed below. It also includes a number of proposed changes not in HITECH, including:

  • Removing the PHI of deceased individuals from protection after 50 years;
  • Providing more flexibility for research authorizations;
  • Making it easier for providers to disclose student immunization records to schools; and
  • Requiring CEs' Notice of Privacy Practices to include additional information.

Extension of HIPAA Regulation to BAs

Most notable of the NPRM's many provisions is its direct application of HIPAA to BAs. In accordance with HITECH, the NPRM requires that BAs directly comply with the HIPAA Security Rule provisions mandating administrative, physical and technical safeguards and that they adhere to the terms of both their Business Associate Agreements (BAAs) and HITECH's privacy-related requirements. BAs that violate these obligations are subject to the same civil and criminal penalties as CEs.

In a somewhat surprising move, the NPRM extends HIPAA's reach to subcontractors of BAs, making them liable for privacy and security violations to the same extent as BAs. The NPRM revises the definition of a BA to include BA subcontractors, and requires BAs to execute BAAs with their subcontractors. 

Of note to those engaged in HIE, the NPRM, in accordance with HITECH, modifies the definition of a BA to include a "health information organization, e-prescribing gateway, or other person that provides data transmission services with respect to [PHI] to a CE and that requires routine access to such [PHI]" and a person who offers a personal health record to one or more individuals on behalf of a CE. The Preamble to the NPRM specifies that entities that manage the exchange of PHI through a network, including providing patient locator services and performing various oversight and governance functions, fall within the definition of a BA.

New Patient Rights

The NPRM expands individuals' rights to access their PHI and to restrict certain types of disclosures to health plans:

  • Access to PHI in Electronic Format: In accordance with HITECH, the NPRM requires CEs to give individuals electronic copies of any PHI maintained in an EHR, but broadens this requirement by applying the electronic copy mandate to all PHI maintained electronically in a designated record set. The NPRM also requires CEs to provide an electronic copy to an individual's designee if requested. The NPRM specifies the labor costs and, if the electronic copy is provided in physical media, the media costs that CEs may charge individuals for providing electronic access to their PHI.
  • Restrictions on Disclosures of PHI to Health Plans: HITECH requires CEs to comply with an individual's request not to share information with the individual's health plan if the individual is paying the full cost of the service to which the information relates. In implementing this provision, the NPRM clarifies that CEs must permit individuals to determine which health care items or services a restriction applies to, and that CEs may not require individuals who wish to restrict disclosures about certain health care items or services to restrict disclosure of PHI about all items and services. 

Restrictions on Uses and Disclosures of PHI

The NPRM also sets new limitations on uses and disclosures of PHI:

  • Disclosures for Marketing: In accordance with HITECH, the NPRM proposes to modify the definition of prohibited "marketing" to include certain health-related promotional communications if the CE that is making the communication receives financial remuneration from a third party. Interestingly, the NPRM distinguishes between promotional communications made to carry out health care operations from treatment-related promotional communications. CEs may not receive remuneration for communications made to carry out health care operations without patient authorization, except in limited circumstances, such as refill reminders. But treatment-related communications paid for by a third party are permitted without patient authorization if the communication discloses the remuneration and provides the individual a clear and conspicuous opportunity to opt out of receiving future subsidized communications.
  • Fundraising: The NPRM requires that any fundraising communication sent to an individual provide a clear and conspicuous opportunity to opt out of receiving any further fundraising communications.
  • Sale of PHI: In accordance with HITECH, the NPRM requires a CE to obtain an authorization for any disclosure of PHI in exchange for direct or indirect remuneration, and requires the authorization to state that the disclosure will result in the receipt of remuneration by the CE. However, like HITECH, the NPRM exempts several disclosures from the authorization requirement, including disclosures for public health; research purposes, provided that the price charged for the information reflects the costs of preparation and transmittal of the data; treatment; the sale, transfer, merger, or consolidation of all or part of a CE and for related due diligence; services by a BA; and the provision of access to an individual to his or her PHI. The NPRM also adds to the list of exceptions disclosures for payment purposes, disclosures pursuant to requests for accountings of disclosures, disclosures required by law, and other permitted disclosures, provided that the remuneration is a reasonable fee to cover the cost of preparation and transmittal.

Enforcement

The NPRM implements a number of HITECH enforcement provisions that were not included in the previously released Interim Final Rule on enforcement. The NPRM also proposes to make regulatory changes necessary to implement HITECH's imposition of civil money penalty liability on BAs. Finally, the NPRM defines the terms "reasonable cause," "reasonable diligence" and "willful neglect," which relate to the various penalty levels under HIPAA's Enforcement Rule.

Timeline for Compliance

Although many of the HITECH statutory provisions became effective on Feb. 18, 2010, CEs and BAs will have a grace period of 240 days from publication of a final rule to come into compliance with the changes. In addition, the NPRM includes transition provisions that permit CEs, BAs and BA subcontractors to continue to operate under existing contracts for up to one year beyond the compliance date of the final rule.

HHS' Ongoing Focus on the Role of Privacy and Security in Health IT Adoption

HHS views the NPRM as an integral piece of the federal government's efforts to broaden the use of health IT in health care. HHS' Office for Civil Rights has indicated that additional regulations implementing HITECH's privacy and security provisions (e.g., its accounting of disclosures provision) are forthcoming. Likewise, the Office of the National Coordinator for Health IT -- which recently established a chief privacy and security officer, as mandated by HITECH -- has indicated it will design new policies to address privacy and security issues in every phase of health IT development and implementation.
