United States: OCR Issues Final Modifications To The HIPAA Privacy, Security, Breach Notification And Enforcement Rules To Implement The HITECH Act

On January 25, 2013, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) published a final rule (Final Rule) containing modifications to the privacy standards (Privacy Rule), security standards (Security Rule), interim final security breach notification standards (Breach Notification Rule) and enforcement regulations (Enforcement Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The final modifications include changes required by the HITECH Act and other changes deemed appropriate by OCR in order to strengthen the privacy and security of health information.

The Final Rule contains a number of provisions that will affect a broad range of HIPAA covered entities (which include certain health care providers, health plans and health care clearinghouses) and the vendors that provide services to them involving protected health information (PHI) (i.e., generally, individually identifiable health information other than employment records and certain education records):

• As required by the HITECH Act, business associates are directly liable for civil money penalties (CMPs) and criminal penalties for violations of the Privacy Rule and Security Rule.
• The definition of business associate is expanded to include a subcontractor of a business associate so that subcontractors of a business associate are also liable for violations of the Privacy Rule and Security Rule.
• The definition of a breach of unsecured PHI is revised to make it more difficult for a covered entity or business associate to avoid reporting an unauthorized use or disclosure of PHI to the affected individuals and OCR.
• Except in limited cases, a covered entity may not receive cash or other financial remuneration for marketing communications made for a third party's products or services.
• Certain restrictions on the use of compound authorizations in connection with research studies purposes were changed in a way that will facilitate certain secondary uses of PHI for research purposes. The Final Rule does not change the requirement that a valid authorization must include a description of each "purpose" of a requested use and/or disclosure of PHI. In the Final Rule preamble, however, OCR states that it will no longer interpret the "purpose" requirement to mean that an authorization used in connection with a research study must identify a specific study for which the PHI will be used.

Notably, the Final Rule does not address the accounting for disclosures requirement in Section 13405 of the HITECH Act. OCR advises that it will be the subject of a future rulemaking.

Regulatory History

The Privacy Rule, Security Rule and Enforcement Rule implement certain of the administrative simplification provisions of HIPAA. On February 17, 2009, Congress adopted the HITECH Act, which requires certain modifications to those rules and imposes new requirements for notification of breaches of unsecured PHI.¹ OCR published the Breach Notification Rule on August 24, 2009 to implement the breach notification requirements effective September 23, 2009.² In addition, to conform the Enforcement Rule to the HITECH Act's stepped up enforcement provisions, OCR published an interim final enforcement rule on October 30, 2009 (Interim Enforcement Rule).³

On July 14, 2010, OCR published a notice of proposed rule making to implement most of the HITECH Act's privacy, security and enforcement provisions which were not already implemented through the Breach Notification Rule and the Interim

Enforcement Rule and to make other changes that OCR deemed appropriate. On May 31, 2011, OCR published a notice of proposed rule making to implement the HITECH Act's accounting of disclosures requirement.⁴

The following chart summarizes the following key provisions of the Final Rule:

• New privacy and security standards imposed on business associates and their subcontractors
• Revision to the definition of "breach"
• Restrictions on marketing involving PHI
• Restrictions on the sale of PHI
• Restrictions on the use and disclosure of PHI for fundraising
• Revisions to the authorization requirements for research and other secondary uses of PHI
• Revisions to the Enforcement Rule

To read this White Paper in full, please click here.

Footnotes

1 See our White Paper regarding the HITECH Act, "Economic Stimulus Package: Policy Implications of the Financial Incentives to Promote Health IT and New Privacy and Security Protections," available at www.mwe.com/info/news/wp0209e.pdf.

2 See our White Paper regarding the Breach Notification Rule, "Regulatory Update: HITECH's HHS and FTC Security Breach Requirements," available at www.mwe.com/info/news/wp0809b.pdf.

3 See our On the Subject publication, "HHS Issues Interim Final Rule Conforming HIPAA Civil Money Penalties to HITECH Act Requirements," available at www.mwe.com/publications/uniEntity.aspx?xpST=PublicationDetail&pub=5322&PublicationTypes=d9093adb-e95d-4f19-819a-f0bb5170ab6d.

4 See our White Paperregarding the proposed modifications to the Privacy Rule's accounting of disclosures standard, "OCR Issues Proposed Modifications to HIPAA Privacy and Security Rules to Implement HITECH Act," available at www.mwe.com/info/news/wp0710c.pdf.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.