The HIPAA-HITECH regulations, “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules” (final rule), were published in the Federal Register on Jan. 25, 2013 (78 Fed. Reg. 5566). The final rule implements many of the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act as well as the Genetic Information Nondiscrimination Act. It also makes other changes under the general authority of the Department of Health and Human Services (HHS). Clinical laboratories have six months, until Sept. 23, 2013, to come into compliance. An additional 12 months, until Sept. 23, 2014, may be available for certain qualifying business associate agreements. However, the enforcement rule changes are effective on March 26, 2013. The key issues as they apply to clinical laboratories are summarized below.
Business Associates
Downstream Contractors: If a clinical laboratory contracts with a billing company, the billing company is a business associate. Nothing new there; the billing company needs protected health information (PHI) from the clinical laboratory to provide its services. If the billing company contracts with a shredding company to dispose of its records (i.e., the clinical laboratory’s PHI) the shredding company becomes a subcontractor under the Health Insurance Portability and Accountability Act (HIPAA). The final rule makes it clear, however, that each entity (clinical laboratory, billing company, and shredding company) is directly responsible for its own compliance with the business associate requirements of the HIPAA security rule and the HIPAA privacy rule, even if the parties fail to enter into written business associate agreements. Under the final rule, the clinical laboratory would still be required to enter into a business associate agreement with the billing company. The billing company, in turn, must obtain written “satisfactory assurances,” now clearly in the form of another business associate agreement, from the shredding company.
Privacy Rule Obligations: The final rule provides that a business associate is responsible for (1) limiting uses and disclosures of PHI to what is provided in the business associate agreement or the privacy rule, (2) disclosing PHI to HHS for an investigation of the business associate’s HIPAA compliance, (3) if disclosure of PHI is otherwise appropriate under the privacy rule, disclosing PHI in electronic form if it is requested and is stored electronically (as discussed below), (4) making reasonable efforts to comply with the minimum necessary requirements of the privacy rule, and (5) entering into a business associate agreement with a subcontractor.
Transition Provisions: The final rule grandfathers business associate agreements for up to one year beyond the compliance date, up to Sept. 23, 2014. The business associate agreement must have been in existence prior to Jan. 25, 2013, complied with HIPAA, and not be renewed or modified during the grandfather period. An automatic renewal does not constitute a renewal or modification for purposes of the availability of the grandfather period.
Enforcement Rule
Investigation and Resolution of Violations: The final rule provides that HHS will investigate a possible HIPAA violation if a preliminary review of the facts indicates the possibility of willful neglect as to HIPAA compliance. However, absent indications of willful neglect, HHS may seek compliance through informal, voluntary action in appropriate cases.
Violations Due to Reasonable Cause: The HITECH Act includes four tiers of penalties focused on state of mind. The final rule clarified the definition of second-tier violations due to reasonable cause not amounting to willful neglect. The second tier likely covers many common violations by otherwise generally compliant covered entities and business associates, such as those that occur due to human error, despite workforce training and appropriate policies and procedures. Reasonable cause applies to HIPAA violations in which the entity exercised ordinary business care and prudence to comply with the provision that was violated or in which the entity knew of the violation but lacked the “conscious intent or reckless indifference” associated with a violation due to willful neglect.
Upstream Vicarious Liability: If a business associate is an agent of the clinical laboratory under federal common law, the clinical laboratory can be liable for civil monetary penalties (CMPs) imposed on the downstream contractor for a HIPAA violation, so long as the violation arose within the scope of the agency. The same is true for a business associate and a subcontractor. HHS’s description of the federal common law of agency is that it is based on the right or authority of the clinical laboratory to control the business associate’s conduct in the course of performing the service, even if that right was not actually exercised with respect to the violation for which the CMP is imposed.
Marketing
The final rule requires a HIPAA authorization for treatment communications, and for communications that are otherwise permitted under the definition of health care operations, if the clinical laboratory or other covered entity (or a business associate) receives financial remuneration from the third party whose product or service is the subject of the communication.
Financial remuneration is direct or indirect payment to the covered entity or business associate from, or on behalf of, the third party whose product is the subject of the communication. Certain exceptions exist for prescription refill reminders or communications about a currently prescribed drug.
Direct remuneration means the payment is paid directly to the covered entity or business associate; indirect remuneration means that the remuneration was channeled through a third party.
Financial remuneration for marketing purposes does not include in-kind or other nonfinancial subsidies.
Sale of PHI
Direct or indirect remuneration received by a covered entity or business associate in exchange for the disclosure of PHI represents a “sale” of PHI, and a HIPAA authorization must be obtained from each individual. Exceptions exist for, among other things, public health activities, research, treatment, and other purposes designated by HHS. Disclosure includes granting access directly or through licenses or lease agreements. Remuneration for sales of PHI includes in-kind value. The final rule allows cost-based fees for the costs of preparing and transmitting the data, including direct and indirect costs so long as there is no profit factor.
Research
The final rule permits covered entities to combine conditional and unconditional authorizations for research if they differentiate between the two activities and allow for an opt-in to the unconditional research activities. Future research studies may now be covered by a properly executed authorization that includes all the required core elements. Previously, covered entities could not combine or condition authorizations for purposes other than research that involves treatment, and a separate authorization was needed for future research or to create or build a central research database or repository. This change brings HIPAA in line with Common Rule requirements related to biospecimens and databases.
Disclosures About a Decedent
The final rule permits disclosure of information about a decedent, previously restricted to a personal representative, to be made to family members and others who were involved in the care or payment for care of the decedent prior to death, unless inconsistent with any prior expressed preference by the decedent that is known to the covered entity.
Notice of Privacy Practices
The final rule requires that a covered entity include uses and disclosures of PHI in its notice of privacy practices. The notice can list categories that require authorization, such as marketing and sale of PHI. The notice must include a statement that other uses and disclosures not described in the notice will be made only with authorization from the individual. In addition, the notice must include the new right to restrict certain disclosures of PHI to a health plan where the individual pays out of pocket in full for the health care item or service. Finally, the notice must include a statement regarding breaches of unsecured PHI, although an entity-specific statement is not required.
Right to Request a Restriction of Uses and Disclosures
The final rule creates a new right to restrict certain disclosures of PHI to a health plan when the health care item or service is paid for out of pocket in full. Clinical laboratories must operationalize this key change in the privacy rule. Clinical laboratories still can submit restricted information for required Medicare and Medicaid audits under the privacy rule’s “required by law” provision.
Access to Protected Health Information
Individuals: The final rule amends the privacy rule to allow individuals to request electronic copies of their PHI that is maintained in an electronic health record or other electronic designated record set, such as clinical, billing, or other records used to make decisions about the individual. A clinical laboratory must provide an electronic, “machine readable copy,” which means digital information stored in a standard format enabling the PHI to be processed and analyzed by a computer. HHS provides flexibility as to the exact format, acknowledging that systems may vary, but requires the clinical laboratory to accommodate individuals’ requests for specific formats, if possible.
Third Parties: Under the final rule, a clinical laboratory must comply with an individual’s request to transmit PHI directly to another individual when such request is in writing, is signed by the individual, and clearly identifies the designated person and where to send the copy of the PHI. If a clinical laboratory already requires that access requests be written, either the same request or a separate written request can be used to access the individual’s PHI.
Fees: Under the final rule, covered entities can charge reasonable cost-based fees for preparing and transmitting PHI, including labor costs for copying PHI; supply costs for both paper and electronic copies, including CDs or USB flash drives; and postage for shipping portable media. Fees related to maintaining systems, infrastructure, and storage are not considered reasonable, cost-based fees.
Timeliness: The final rule removes the 60-day time frame for retrieval of records held off site, leaving covered entities with 30 days to provide individuals with access to records in all circumstances, with a one-time 30-day extension. Clinical laboratories should check state law for more stringent timeliness requirements and modify current policies and procedures accordingly.
Breach Notification Rule
Definition of Breach: The final rule modifies the definition of breach under the breach notification rule by adding language to clarify that an impermissible use or disclosure of protected health information is presumed to be a breach unless the responsible entity can demonstrate that there is a low probability that the protected health information has been compromised.
Harm Standard: The final rule modifies the harm standard to require the use of a more objective risk assessment. The new standard requires that the covered entity conduct a risk assessment of at least the following factors: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of reidentification, (2) the unauthorized person who used the PHI or to whom the disclosure was made, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk to the PHI has been mitigated.
Notification to Individuals: The final rule clarifies certain aspects of notice. Most significantly, it states that notice has not been given if a written notice is returned as undeliverable. Clinical laboratories responding to a breach with more than 10 notifications returned as undeliverable may take some reasonable time to search for correct, current addresses for the affected individuals but must provide substitute notice “as soon as reasonably possible” and within the original 60-day time frame for notifications.
Notifications to the Media: The final rule clarifies several points regarding media notifications, including that media outlets are not obligated to publicize each and every breach notice they receive (and a failure to publicize does not render the notice provided insufficient) and that covered entities must deliver a press release directly to the media outlet being notified. Posting a general press release on a Web site, for instance, is insufficient.
James Wieland, Esq., can be reached at jbwieland@ober.com;
Sarah Swank, Esq., can be reached at seswank@ober.com;
and Joshua Freemire can be reached at jjfreemire@ober.com.