OCR Issues Proposed Modifications to HIPAA Privacy and Security Rules
New standards imposed on business associates and their partners.
Guest commentary from Daniel F. Gottlieb, Bernadette M. Broccolo, Jennifer S. Geetter, Jerry Tichner, Jeanna Palmer Gunville, Sarah S. Nelson, Edward G. Zacharias and Stephen W. Bernstein, attorneys in the Health Industry Advisory Practice Group of global law firm McDermott, Will & Emery, LLP
[Editor's note: Due to its length, this guest commentary will be presented in a series of three blog posts on consecutive days. Part 1 appears below.]
On July 14, 2010, the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services (HHS) issued a proposed rule (Proposed Rule) containing modifications to the privacy standards (Privacy Rule), security standards (Security Rule) and enforcement regulations (Enforcement Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The proposed modifications include changes required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and other changes deemed appropriate by OCR in order to strengthen the privacy and security of health information and to improve the "workability and effectiveness" of the Privacy Rule, Security Rule and Enforcement Rule (collectively, the Administrative Simplification Regulations).
OCR is accepting comments on the Proposed Rule through Sept. 13, 2010. Covered entities, business associates and others affected by the Administrative Simplification Regulations should consider submitting comments to OCR in order to shape the final rule. The Proposed Rule indicates that final amendments to the Administrative Simplification Regulations will be effective 180 days after the publication of a final rule. However, covered entities and business associates that have agreed to comply with HITECH Act requirements or other Administrative Simplification Regulation requirements through business associate agreements will continue to have contractual compliance obligations prior to the effective date.
This post addresses new privacy and security standards imposed on business associates and their subcontractors.
New categories of business associates
As required by the HITECH Act, the Proposed Rule would amend the definition of "business associate" to specify that the following additional categories of entities are business associates and, therefore, directly subject to the Administrative Simplification Regulations: organizations that provide data transmission services involving protected health information (PHI) and that require routine access to such PHI, including health information organizations, regional health information organizations and e-prescribing gateways; and vendors that offer a personal health record to patients on behalf of a covered entity.
Application of certain HIPAA requirements to business associates
The current Security Rule and Privacy Rule impose requirements on covered entities, which include certain health care providers, health plans and health care clearinghouses, and do not regulate business associates directly. Instead, the rules require covered entities to enter into business associate agreements that contractually obligate their business associates to comply with certain business associate agreement requirements. One of the most significant changes made by the HITECH Act was the extension of certain HIPAA and Administrative Simplification Regulation requirements to business associates.
Specifically, the HITECH Act requires business associates to comply with the Security Rule's administrative, physical and technical safeguard requirements as well as its written compliance policy and documentation requirements. In addition, the HITECH Act requires business associates to comply with the business associate contract requirements of the Privacy Rule. Consequently, effective Feb. 18, 2010, the HITECH Act makes business associates both contractually liable to a covered entity for breach of the business associate agreement with the covered entity and civilly and criminally liable to the government for violations of those Security Rule requirements and the Privacy Rule's business associate agreement requirements. The civil and criminal penalty provisions will be discussed further in part three of this series.
The Proposed Rule would modify the Security Rule and the Privacy Rule to reflect the HITECH Act provisions. In addition, the Proposed Rule includes further amendments to the Privacy Rule and the Security Rule to clarify business associates' compliance obligations and impose additional obligations. For example, the Proposed Rule imposes the Privacy Rule's minimum necessary standard on business associates so that they must limit their requests for and uses and disclosures of PHI to the minimum amount necessary to accomplish the purpose of the use, disclosure or request.
Business associate agreements
The Proposed Rule would modify the current business associate agreement requirements in the Privacy Rule to mandate new contract provisions obligating a business associate to take the following actions:
- to report breaches of unsecured PHI to covered entities in accordance with certain Privacy Rule standards; and
- to the extent the business associate takes on certain of the covered entity's obligations under the Privacy Rule (e.g., delivery of notices of privacy practices), to comply with the covered entity's obligations.
Inclusion of subcontractors as business associates
In addition to the new categories of business associates mandated by the HITECH Act and discussed above, the Proposed Rule adds "subcontractors" (including agents and contractors) of a business associate with access to PHI as a new category of business associate to the extent they are not acting as members of the primary business associate's workforce. This proposed change makes subcontractors subject to HIPAA's civil and criminal penalties in the same manner as primary business associates. Vendors serving the health care industry are likely to object to this proposal on the basis that OCR has exceeded its authority under the HITECH Act, which only made business associates, as defined under the current Administrative Simplification Regulations, subject to certain of the Administrative Simplification Regulations.
Downstream business associate agreements with subcontractors
The Proposed Rule does not require a covered entity to enter into a business associate agreement with subcontractor business associates. Instead, as under the current Privacy Rule and Security Rule, the Proposed Rule requires the primary business associate to enter into a downstream business associate agreement with the subcontractor. If a primary business associate knows of a subcontractor business associate's pattern of activity or practice constituting a material breach of a business associate agreement, the primary business associate is required to take reasonable steps to cure the breach or, if such steps are unsuccessful, terminate the contract, if feasible.
Transition provisions
OCR recognizes that covered entities have existing contracts with business associates and that renegotiation could require significant time and effort. Consequently, the Proposed Rule allows covered entities and business associates to continue operating under business associate agreements that are (1) in effect prior to the date of publication of a final rule in the Federal Register and (2) compliant with the current Administrative Simplification Regulations for a maximum of one year and 240 days after the publication date. If the parties to the agreement renew or modify the agreement on or after the date 60 days after the publication date, the Proposed Rule requires the renewal or modification to satisfy the final rule's business associate agreement requirements.
Mr. Gottlieb represents a wide range of health industry clients, with a focus on advising them on compliance with HIPAA and other health information privacy laws; electronic health information exchanges and data warehouses; health information technology acquisitions; and other transactions involving health information or health information technology. He can be reached at dgottlieb@mwe.com.
Ms. Broccolo serves as chair of the Life Sciences Division of the firm's Health Industry Advisory practice and advises clients on health industry relationship formation and realignments; health information technology acquisitions; electronic health information networks; conflict-of-interest compliance and overall corporate compliance programs. She can be reached at bbroccolo@mwe.com.
Ms. Geetter focuses on emerging biotechnology and safety issues, advising hospital, industry, insurance and provider clients on matters relating to research, drug and device development, off-label use, personalized medicine, formulary compliance, privacy and security, electronic health records and other matters. She can be reached at jgeetter@mwe.com.
Mr. Tichner maintains a general health law practice, focusing on the representation of hospitals, health systems, pharmaceutical companies, durable medical equipment companies and medical device manufacturers, and providing regulatory and transactional representation in connection with acquisitions, joint ventures, strategic affiliations, conversions to tax-exempt status and other transactional matters. He can be reached at jtichner@mwe.com.
Mr. Bernstein is head of the firm's Health Industry Advisory Practice Group, specializing in e-health, deployment of electronic health record systems, health-related matters impacted by the Internet and HIPAA, as well as mergers, acquisitions, affiliations and joint ventures in the hospital and physician areas. He can be reached at sbernstein@mwe.com.
Ms. Gunville is an associate with the firm. She can be reached at jgunville@mwe.com.
Ms. Nelson is an associate with the firm. She can be reached at snelson@mwe.com.
Mr. Zacharias is an associate with the firm. He can be reached at ezacharias@mwe.com.