After long anticipation, on January 25, the U.S. Department of Health and Human Services (HHS) published final regulations in the Federal Register (Vol. 78, No. 17) modifying the HIPAA Privacy, Security, Enforcement and Breach Notification rules pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH), the Genetic Information Nondiscrimination Act (GINA) and HHS’s general rulemaking authority.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), generally speaking, is a federal law whose purpose is to protect the personal health information of Americans. HIPAA is broken into several categories, including the Privacy Rule, Security Rule and Enforcement Rule.

The final rule is effective March 26, but covered entities will have 180 days — until September 23 — to bring themselves into compliance. However, it should be noted that the Enforcement Rule changes go into effect March 26 because HHS does not consider these to be changes to standards or implementation specifications, per its comments in the Federal Register. For purposes of the breach notification rule, compliance with the interim final rule is mandated until the final rule changes come into effect September 23.

HHS had previously issued proposed, interim and/or final rules October 30, 2009 (the interim final rule on the HIPAA civil monetary provisions under the HITECH Act); August 24, 2009 (the interim final rule for breach notification pursuant to the HITECH Act); October 7, 2009 (final rules modifying HIPAA pursuant to GINA); and July 14, 2010 (proposed rules for modifications to the HIPAA Privacy, Security and Enforcement rules mandated by the HITECH Act).

While certain provisions of the previous rules were maintained, there were also material changes adopted by this final rule. This article serves as an overview of some of the material changes to HIPAA adopted by the final rule.

Business Associates

Under the final rule, the definition of a "business associate" was modified in certain ways. First, patient safety organizations, health information organizations, e-prescribing gateways and other people providing data transmission services for protected health information are all specifically included in the definition of "business associate."

Furthermore, the definition of "business associate" was broadened to encompass "downstream vendors," meaning that any subcontractor "that creates, receives, maintains, or transmits protected health information on behalf of" a business associate is also a business associate to the extent it requires access to protected health information. In this way, these subcontractors are directly responsible for compliance with the HIPAA Privacy and Security rules. By way of example of how this could come into effect, a billing company that is a direct business associate of a physician practice may contract with a company to store all of the billing work it has performed. This storage company would be a "subcontractor" required to comply with the HIPAA Security and Privacy rules. Despite the direct liability of business associates, business associate agreements are still required.

Furthermore, business associates and subcontractors are given no additional time to come into compliance with the final rule. They are bound by the same September 23 deadline as covered entities. This may prove to be difficult, particularly for subcontractors who may previously have had little to no HIPAA exposure or training on its requirements.

In reference to these changes to business associate obligations, on January 25, the HHS published on its website sample business associate contract provisions, which may also be adapted for contracts between business associates and subcontractors. This information is available at This language is not mandatory, but rather serves as a guide for entities to bring themselves into compliance with the amended HIPAA provisions.

Enforcement Rule Changes

The category of changes to the Enforcement Rule predominantly applies to the HITECH Act’s mandate of four tiers of penalties for HIPAA violations, which escalate based upon the state of mind of the violating entity. The lowest category is for violations where the entity did not know, and would not have known, of a violation even by exercising reasonable diligence. The second category applies to violations due to reasonable cause. The third and fourth tiers (the highest) apply to situations of "willful neglect." In the third tier, the violation is cured within a mandated timeframe and in the fourth, the violation is uncorrected.

Pursuant to this tier of penalties, the final rule dealt with the category of violations for "willful neglect." As noted in the Federal Register comments, the HITECH Act mandated that the HHS formally investigate a complaint "if a preliminary investigation of the facts of the complaint indicates a possible violation due to willful neglect." The final rule reflects this change by indicating the HHS will investigate any complaint under this circumstance and gives the HHS discretion to investigate other complaints. In its comments, however, the HHS warned that it proceeds with an investigation of any complaint where its preliminary investigation reveals a possible HIPAA violation. The final rule further adds that the HHS will also conduct a compliance review when the preliminary review indicates a possible violation due to willful neglect.

To reflect the HITECH Act mandate that penalties be assessed in cases of willful neglect, the HHS has modified the regulations to permit itself to be able to proceed with willful neglect violations as needed, while being able to resolve cases outside of this category by informal means.

The final rule also modified the definition of "reasonable cause" for purposes of the assessment of monetary penalties. Under the final rule, reasonable cause shall mean "an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that an act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect."

Privacy Rule Modifications

A significant modification to the proposed changes to the Privacy Rule comes with the category of "marketing activities." Under the final rule as explained by the HHS in the Federal Register, a covered entity must obtain an authorization for "all treatment and health care operations communications where the covered entity receives financial remuneration from a third party whose product or services is being marketed."

The final rule also clarifies the prohibition mandated by the HITECH Act on the sale of protected health information without a valid authorization and the exceptions to that general rule. The final rule adopts a definition of "sale of protected health information" to mean "a disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information." The exceptions to this general rule are also clarified in the final rule.

The final rule lessens the burdens on health care providers for obtaining consent to submit immunization records to a school in those states that require schools to obtain such information. Rather than having to obtain written authorization, covered entities may now obtain non-written consent by the child’s parent, guardian or other person acting in loco parentis. It should be noted that the final rule mandates that this consent be documented by the covered entity, though the method of documentation was deliberately omitted. The HHS offers by way of example a parent calling a doctor’s office to request his or her child’s records be sent to the school. A notation of this call in the child’s medical records would suffice for the documentation requirement.

The final rule will further require covered entities to modify their notice of privacy practices. First, the notice must include separate statements about the permitted uses and disclosures that the covered entity intends to make. It must also include a list of categories of activities that require authorization. The notice must state that authorization must be obtained for other circumstances not described in the notice. A statement must also be included regarding an individual's right to opt out of receiving fundraising communications, if the covered entity plans to contact the individual in order to fundraise. The notice further must inform the individual of his or her right to restrict certain disclosures of protected health information to a health plan where the individual pays for the service entirely on his or her own. Finally, the notice must inform patients of their right to be notified following a breach of unsecured protected health information.

Vasilios J. Kalogredis is the president and founder of Kalogredis Sansweet Dearden & Burke, a health care law firm, and Professional Practice Consulting Inc., a health care consulting firm, in Wayne, Pa. He can be contacted at 800-688-8314 or at

Karilynn Bayus is an associate at the firm. Her practice involves litigation of health care-related matters. Bayus graduated from Temple University’s Beasley School of Law in 2006. She may be reached at