[Federal Register Volume 75, Number 134 (Wednesday, July 14, 2010)]
[Proposed Rules]
[Pages 40868-40924]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-16718]
[[Page 40867]]
-----------------------------------------------------------------------
Part II
Department of Health and Human Services
-----------------------------------------------------------------------
45 CFR Parts 160 and 164
Modifications to the HIPAA Privacy, Security, and Enforcement Rules
Under the Health Information Technology for Economic and Clinical
Health Act; Proposed Rule
[[Page 40868]]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Parts 160 and 164
RIN: 0991-AB57
Modifications to the HIPAA Privacy, Security, and Enforcement
Rules Under the Health Information Technology for Economic and Clinical
Health Act
AGENCY: Office for Civil Rights, Department of Health and Human
Services.
ACTION: Notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: The Department of Health and Human Services (HHS or ``the
Department'') is issuing this notice of proposed rulemaking to modify
the Standards for Privacy of Individually Identifiable Health
Information (Privacy Rule), the Security Standards for the Protection
of Electronic Protected Health Information (Security Rule), and the
rules pertaining to Compliance and Investigations, Imposition of Civil
Money Penalties, and Procedures for Hearings (Enforcement Rule) issued
under the Health Insurance Portability and Accountability Act of 1996
(HIPAA). The purpose of these modifications is to implement recent
statutory amendments under the Health Information Technology for
Economic and Clinical Health Act (``the HITECH Act'' or ``the Act''),
to strengthen the privacy and security protection of health
information, and to improve the workability and effectiveness of these
HIPAA Rules.
DATES: Submit comments on or before September 13, 2010.
ADDRESSES: You may submit comments, identified by RIN 0991-AB57, by any
of the following methods (please do not submit duplicate comments):
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments. Attachments should be
in Microsoft Word, WordPerfect, or Excel; however, we prefer Microsoft
Word.
Regular, Express, or Overnight Mail: U.S. Department of
Health and Human Services, Office for Civil Rights, Attention: HITECH
Privacy and Security Rule Modifications, Hubert H. Humphrey Building,
Room 509F, 200 Independence Avenue, SW., Washington, DC 20201. Please
submit one original and two copies.
Hand Delivery or Courier: Office for Civil Rights,
Attention: HITECH Privacy and Security Rule Modifications, Hubert H.
Humphrey Building, Room 509F, 200 Independence Avenue, SW., Washington,
DC 20201. Please submit one original and two copies. (Because access to
the interior of the Hubert H. Humphrey Building is not readily
available to persons without Federal government identification,
commenters are encouraged to leave their comments in the mail drop
slots located in the main lobby of the building.)
Inspection of Public Comments: All comments received before the
close of the comment period will be available for public inspection,
including any personally identifiable or confidential business
information that is included in a comment. We will post all comments
received before the close of the comment period at http://www.regulations.gov. Because comments will be made public, they should
not include any sensitive personal information, such as a person's
social security number; date of birth; driver's license number, State
identification number or foreign country equivalent; passport number;
financial account number; or credit or debit card number. Comments also
should not include any sensitive health information, such as medical
records or other individually identifiable health information, or any
non-public corporate or trade association information, such as trade
secrets or other proprietary information.
FOR FURTHER INFORMATION CONTACT: Andra Wicks, 202-205-2292.
SUPPLEMENTARY INFORMATION:
The discussion below includes a description of the statutory and
regulatory background of the proposed rules, a section-by-section
description of the proposed modifications, and the impact statement and
other required regulatory analyses. We solicit public comment on the
proposed rules. Persons interested in commenting on the provisions of
the proposed rules can assist us by preceding discussion of any
particular provision or topic with a citation to the section of the
proposed rule being discussed.
I. Statutory and Regulatory Background
The regulatory modifications proposed below concern several sets of
rules that implement the Administrative Simplification provisions of
title II, subtitle F, of the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) (Pub. L. 104-191), which added a new
part C to title XI of the Social Security Act (sections 1171-1179 of
the Social Security Act, 42 U.S.C. 1320d-1320d-8). The Health
Information Technology for Economic and Clinical Health (HITECH) Act,
which was enacted as title XIII of division A and title IV of division
B of the American Recovery and Reinvestment Act of 2009 (ARRA), Public
Law 111-5, modifies certain provisions of the Social Security Act
pertaining to the Administrative Simplification Rules (HIPAA Rules) and
requires certain modifications to the HIPAA Rules themselves.
A. HIPAA Administrative Simplification--Statutory Background
The Administrative Simplification provisions of HIPAA provided for
the establishment of national standards for the electronic transmission
of certain health information, such as standards for certain health
care transactions conducted electronically and code sets and unique
health care identifiers for health care providers and employers. The
Administrative Simplification provisions of HIPAA also required the
establishment of national standards to protect the privacy and security
of personal health information and established civil money and criminal
penalties for violations of the Administrative Simplification
provisions. The Administrative Simplification provisions of HIPAA apply
to three types of entities, which are known as ``covered entities'':
health care providers who conduct covered health care transactions
electronically, health plans, and health care clearinghouses.
B. HIPAA Administrative Simplification--Regulatory Background
The rules proposed below concern the privacy and security standards
issued pursuant to HIPAA, as well as the enforcement rules that
implement HIPAA's civil money penalty authority. The Standards for
Privacy of Individually Identifiable Health Information, known as the
``Privacy Rule,'' were issued on December 28, 2000, and amended on
August 14, 2002. See 65 FR 82462, as amended at 67 FR 53182. The
Security Standards for the Protection of Electronic Protected Health
Information, known as the ``Security Rule,'' were issued on February
20, 2003. See 68 FR 8334. The Compliance and Investigations, Imposition
of Civil Money Penalties, and Procedures for Hearings regulations,
collectively known as the ``Enforcement Rule,'' were issued as an
interim final rule on April 17, 2003 (68 FR 18895), and revised and
issued as a final rule, following rulemaking, on February 16, 2006 (71
FR 8390).
The Privacy Rule protects individuals' medical records and other
individually
[[Page 40869]]
identifiable health information created or received by or on behalf of
covered entities, known as ``protected health information.'' The
Privacy Rule protects individuals' health information by regulating the
circumstances under which covered entities may use and disclose
protected health information and by requiring covered entities to have
safeguards in place to protect the privacy of the information. As part
of these protections, covered entities are required to have contracts
or other arrangements in place with business associates that perform
functions for or provide services to the covered entity and that
require access to protected health information to ensure that these
business associates likewise protect the privacy of the health
information. The Privacy Rule also gives individuals rights with
respect to their protected health information, including rights to
examine and obtain a copy of their health records and to request
corrections.
The Security Rule, which applies only to protected health
information in electronic form, requires covered entities to implement
certain administrative, physical, and technical safeguards to protect
this electronic information. As with the Privacy Rule, the Security
Rule requires covered entities to have contracts or other arrangements
in place with their business associates that provide satisfactory
assurances that the business associates will appropriately safeguard
the electronic protected health information they receive, create,
maintain, or transmit on behalf of the covered entities.
The Enforcement Rule establishes rules governing the compliance
responsibilities of covered entities with respect to cooperation in the
enforcement process. It also provides rules governing the investigation
by the Department of compliance by covered entities, both through the
investigation of complaints and the conduct of compliance reviews. It
establishes rules governing the process and grounds for establishing
the amount of a civil money penalty where the Department has determined
a covered entity has violated a requirement of a HIPAA Rule. Finally,
the Enforcement Rule establishes rules governing the procedures for
hearings and appeals where the covered entity challenges a violation
determination.
C. The HITECH Act--Statutory Background
The HITECH Act, enacted on February 17, 2009, is designed to
promote the widespread adoption and standardization of health
information technology. Subtitle D of title XIII, entitled ``Privacy,''
supports this goal by adopting amendments designed to strengthen the
privacy and security protections of health information established by
HIPAA. These provisions include extending the applicability of certain
of the Privacy and Security Rules' requirements to the business
associates of covered entities; requiring HIPAA covered entities and
business associates to provide for notification of breaches of
``unsecured protected health information''; establishing new
limitations on the use and disclosure of protected health information
for marketing and fundraising purposes; prohibiting the sale of
protected health information; requiring the consideration of a limited
data set as the minimum necessary amount of information; and expanding
individuals' rights to access and receive an accounting of disclosures
of their protected health information, and to obtain restrictions on
certain disclosures of protected health information to health plans. In
addition, subtitle D adopts provisions designed to strengthen and
expand HIPAA's enforcement provisions. We provide a brief overview of
the relevant statutory provisions below.
In the area of business associates, the Act makes a number of
changes. First, section 13401 of the Act applies certain provisions of
the Security Rule that apply to covered entities directly to their
business associates and makes business associates liable for civil and
criminal penalties for the failure to comply with these provisions.
Similarly, section 13404 makes business associates of covered entities
civilly and criminally liable under the Privacy Rule for making uses
and disclosures of protected health information that do not comply with
the terms of their business associate contracts. The Act also provides
that the additional privacy and security requirements of subtitle D of
the Act are applicable to business associates and that such
requirements shall be incorporated into business associate contracts.
Finally, section 13408 of the Act requires that organizations that
provide data transmission of protected health information to a covered
entity or business associate and that require routine access to such
information, such as Health Information Exchange Organizations,
Regional Health Information Organizations, and E-prescribing Gateways,
as well as vendors that contract with covered entities to offer
personal health records to patients as part of the covered entities'
electronic health records, shall be treated as business associates for
purposes of the HITECH Act and the HIPAA Privacy and Security Rules and
required to enter into business associate contracts.
Section 13402 of the Act sets forth the breach notification
provisions, requiring covered entities and business associates to
provide notification following discovery of a breach of unsecured
protected health information. Additionally, section 13407 of the Act,
enforced by the Federal Trade Commission (FTC), applies similar breach
notification provisions to vendors of personal health records and their
third party service providers.
Section 13405 of the Act requires the Department to modify certain
Privacy Rule provisions. In particular, section 13405 sets forth
certain circumstances in which covered entities must comply with an
individual's request for restriction of disclosure of his or her
protected health information, provides for covered entities to consider
a limited data set as the minimum necessary for a particular use,
disclosure, or request of protected health information, and requires
the Secretary to issue guidance to address what constitutes minimum
necessary under the Privacy Rule. Section 13405 also requires the
Department to modify the Privacy Rule to require covered entities that
use or maintain electronic health records to provide individuals, upon
request, with an accounting of disclosures of protected health
information through an electronic health record for treatment, payment,
or health care operations; generally prohibits the sale of protected
health information without a valid authorization from the individual;
and strengthens an individual's right to an electronic copy of their
protected health information, where a covered entity uses or maintains
an electronic health record.
Section 13406 of the Act requires the Department to modify the
marketing and fundraising provisions of the Privacy Rule. With respect
to marketing, the Act requires authorizations for certain health-
related communications, which are currently exempted from the
definition of marketing, if the covered entity receives remuneration in
exchange for making the communication. The Act also strengthens an
individual's right under the Privacy Rule to opt out of fundraising
communications by requiring the Department to modify the Privacy Rule
so that covered entities must provide individuals with a clear and
conspicuous opportunity to opt out of receiving fundraising
[[Page 40870]]
communications and by requiring that an opt out be treated as a
revocation of authorization under the Privacy Rule.
Section 13410 of the Act addresses enforcement in a number of ways.
First, section 13410(a) provides that the Secretary's authority to
impose a civil money penalty will only be barred to the extent a
criminal penalty has been imposed, rather than in cases in which the
offense in question merely constitutes an offense criminally
punishable. In addition, section 13410(a) of the Act requires the
Secretary to formally investigate any complaint where a preliminary
investigation of the facts indicates a possible violation due to
willful neglect and to impose a penalty where a violation is found in
such cases. Section 13410(c) of the Act provides, for purposes of
enforcement, for the transfer to the HHS Office for Civil Rights of any
civil money penalty or monetary settlement collected under the Privacy
and Security Rules and also requires the Department to establish by
regulation a methodology for distributing to harmed individuals a
percentage of the civil money penalties and monetary settlements
collected under the Privacy and Security Rules. Effective as of
February 18, 2009, section 13410(d) of the Act also modified the civil
money penalty structure for violations of the HIPAA Rules by
implementing a tiered increase in the amount of penalties based on
culpability. In addition, as of February 18, 2009, section 13410(e) of
the Act also granted State Attorneys General the authority to enforce
the HIPAA Rules by bringing civil actions on behalf of State residents
in court.
Section 13421 states that HIPAA's State preemption provisions at 42
U.S.C. 1320d-7 shall apply to the provisions of subtitle D of the
HITECH Act in the same manner as they do to HIPAA's provisions.\1\
Section 13423 of the Act provides a general effective date of February
18, 2010, for most of its provisions, except where a different
effective date is otherwise provided.
---------------------------------------------------------------------------
\1\ We note that section 13421 of the HITECH Act and HIPAA's
State preemption provisions do not affect the applicability of other
Federal law, such as the Confidentiality of Alcohol and Drug Abuse
Patient Records Regulation at 42 CFR Part 2, to a covered entity's
use or disclosure of health information.
---------------------------------------------------------------------------
The Act also provides for the development of guidance, reports, and
studies in a number of areas, including guidance on appropriate
technical safeguards to implement the HIPAA Security Rule (section
13401(c)); for purposes of breach notification, guidance on the methods
and technologies for rendering protected health information unusable,
unreadable, or indecipherable to unauthorized individuals (section
13402(h)); guidance on what constitutes the minimum necessary amount of
information for purposes of the Privacy Rule (section 13405(b)); a
report by the Government Accountability Office (GAO) regarding
recommendations for a methodology under which harmed individuals may
receive a percentage of civil money penalties and monetary settlements
under the HIPAA Privacy and Security Rules (section 13410(c)); a report
to Congress on HIPAA Privacy and Security enforcement (section
13424(a)); a study and report on the application of privacy and
security requirements to non-HIPAA covered entities (section 13424(b));
guidance on de-identification (section 13424(c)); and a study on the
Privacy Rule's definition of ``psychotherapy notes'' at 45 CFR 164.501,
with regard to including test data that is related to direct responses,
scores, items, forms, protocols, manuals, or other materials that are
part of a mental health evaluation (section 13424(f)).
Finally, the Act includes provisions for education by HHS on health
information privacy and for periodic audits by the Secretary. Section
13403(a) provides for the Secretary to designate HHS regional office
privacy advisors to offer guidance and education to covered entities,
business associates, and individuals on their rights and
responsibilities related to Federal privacy and security requirements
for protected health information. Section 13403(b) requires the HHS
Office for Civil Rights, not later than 12 months after enactment, to
develop and maintain a multi-faceted national education initiative to
enhance public transparency regarding the uses of protected health
information, including programs to educate individuals about potential
uses of their protected health information, the effects of such uses,
and the rights of individuals with respect to such uses. Section 13411
requires the Secretary to provide for periodic audits to ensure covered
entities and business associates comply with the applicable
requirements of the HIPAA Privacy and Security Rules.
We discuss many of the Act's statutory provisions in more detail
below where we describe section-by-section how these proposed
regulations would implement those provisions of the Act. However, we do
not discuss in detail the breach notification provisions in section
13402 of the Act or the modified civil money penalty structure in
section 13410(d) of the Act, which as explained below, have been the
subject of previous rulemakings. In addition, we do not address in this
rulemaking the accounting for disclosures requirement in section 13405
of the Act, which is tied to the adoption of a standard under the
HITECH Act at subtitle A of title XIII of ARRA, or the penalty
distribution methodology requirement in section 13410(c) of the Act,
which is to be based on the recommendations noted above to be developed
at a later date by the GAO. These provisions will be the subject of
future rulemakings. Further, we clarify that we are not issuing
regulations with respect to the new authority of the State Attorneys
General to enforce the HIPAA Rules. Finally, other than the guidance
required by section 13405(b) of the Act with respect to what
constitutes minimum necessary, this proposed rule does not address the
studies, reports, guidance, audits, or education efforts required by
the HITECH Act.
D. The HITECH Act--Regulatory Background
As noted above, certain of the HITECH Act's privacy and security
provisions have already been the subject of rulemakings and related
actions. In particular, the Department published interim final
regulations to implement the breach notification provisions at section
13402 of the Act for HIPAA covered entities and business associates in
the Federal Register on August 24, 2009 (74 FR 42740), effective
September 23, 2009. Similarly, the FTC published final regulations
implementing the breach notification provisions at section 13407 for
personal health record vendors and their third party service providers
on August 25, 2009 (74 FR 42962), effective September 24, 2009. For
purposes of determining to what information the HHS and FTC breach
notification regulations apply, the Department also issued, first on
April 17, 2009 (published in the Federal Register on April 27, 2009, 74
FR 19006), and then later with its interim final rule, the guidance
required by the HITECH Act under 13402(h) specifying the technologies
and methodologies that render protected health information unusable,
unreadable, or indecipherable to unauthorized individuals. In addition,
to conform the provisions of the Enforcement Rule to the new tiered and
increased civil money penalty structure made effective by the HITECH
Act on the day after enactment, or February 18, 2009, the Department
published an interim final rule on October 30, 2009 (74 FR 56123),
effective November 30, 2009.
[[Page 40871]]
II. General Issues
A. Effective and Compliance Dates
As noted above, section 13423 of the Act provides that the
provisions in subtitle D took effect one year after enactment, i.e., on
February 18, 2010, except as specified otherwise. There are a number of
exceptions to this general rule. Some provisions were effective the day
after enactment, i.e., February 18, 2009. For example, the tiered and
increased civil money penalty provisions of section 13410(d) were
effective for violations occurring after the date of enactment.
Sections 13402 and 13407 of the Act regarding breach notification
required interim final rules within 180 days of enactment, with
effective dates 30 days after the publication of such rules. Other
provisions of the Act have later effective dates. For example, the
provision at section 13410(a)(1) of the Act providing that the
Secretary's authority to impose a civil money penalty will only be
barred to the extent a criminal penalty has been imposed, rather than
in cases in which the offense in question merely constitutes an offense
that is criminally punishable, becomes effective for violations
occurring on or after February 18, 2011. The rules proposed below
generally pertain to the statutory provisions that became effective on
February 18, 2010, or, in a few cases, on a later date.
We note that the final rule will not take effect until after most
of the provisions of the HITECH Act became effective on February 18,
2010. We recognize that it will be difficult for covered entities and
business associates to comply with the statutory provisions until after
we have finalized our changes to the HIPAA Rules. In addition, we
recognize that covered entities and business associates will need some
time beyond the effective date of the final rule to come into
compliance with the final rule's provisions. In light of these
considerations, we intend to provide covered entities and business
associates with 180 days beyond the effective date of the final rule to
come into compliance with most of the rule's provisions. We believe
that providing a 180-day compliance period best comports with section
1175(b)(2) of the Social Security Act, 42 U.S.C. 1320d-4, and our
implementing provision at 45 CFR 160.104(c)(1), which require the
Secretary to provide at least a 180-day period for covered entities to
comply with modifications to standards and implementation
specifications in the HIPAA Rules. While the Social Security Act and
the HIPAA Rules permit the Secretary to further delay the compliance
date for small health plans, we do not believe that it is necessary to
do so for this rule both because most of the changes being proposed are
discrete modifications to existing requirements of the HIPAA Rules, as
well as because the Department is proposing an additional one-year
transition period to modify certain business associate agreements,
which should provide sufficient relief to all covered entities,
including small health plans. The Department welcomes comment on the
assumption that it is not necessary to extend the compliance date for
small health plans.
We also expect that for future modifications to the HIPAA Rules, in
most cases, a 180-day compliance period will suffice. Accordingly, we
propose to add a provision at Sec. 160.105 to address the compliance
date generally for implementation of new or modified standards in the
HIPAA Rules. Proposed Sec. 160.105 would provide that with respect to
new standards or implementation specifications or modifications to
standards or implementation specifications in the HIPAA Rules, except
as otherwise provided, covered entities and business associates must
comply with the applicable new standards or implementation
specifications or modifications to standards or implementation
specifications no later than 180 days from the effective date of any
such change. Where future modifications to the HIPAA Rules necessitate
a longer compliance period, we would provide so accordingly in the
regulatory text. We propose to retain the compliance date provisions at
Sec. Sec. 164.534 and 164.318, which provide the compliance dates of
April 14, 2003, and April 20, 2005, for initial implementation of the
HIPAA Privacy and Security Rules, respectively, for historical purposes
only.
We note that proposed Sec. 160.105 regarding the compliance date
of new or modified standards or implementation specifications would not
apply to modifications to the provisions of the HIPAA Enforcement Rule
because such provisions are not standards or implementation
specifications (as the terms are defined at Sec. 160.103). Such
provisions are in effect and apply at the time the final rule becomes
effective or as otherwise specifically provided. We also note that our
proposed general rule for a 180-day compliance period for new or
modified standards would not apply where we expressly provide a
different compliance period in the regulation for one or more
provisions. For purposes of this proposed rule, this would mean that
the 180-day compliance period would not govern the time period required
to modify those business associate agreements that qualify for the
longer transition period proposed in Sec. 164.532. We seek comments on
any potential unintended consequences of establishing a 180-day
compliance date as a regulatory default, with the noted exceptions.
B. Other Proposed Changes
While passage of the HITECH Act necessitates much of the rulemaking
below, it does not account for all of the proposed changes to the HIPAA
Privacy, Security, and Enforcement Rules encompassed in this
rulemaking. The Department is taking this opportunity to improve the
workability and effectiveness of all three sets of HIPAA Rules. The
Privacy Rule has not been amended since 2002, and the Security Rule has
not been amended since 2003. While the Enforcement Rule was amended in
the October 30, 2009, interim final rule to incorporate the
enforcement-related HITECH statutory changes that are already
effective, it has not been otherwise substantively amended since 2006.
In the intervening years, HHS has accumulated a wealth of experience
with these rules, both from public contact in various forums and
through the process of enforcing the rules. In addition, we have
identified a number of needed technical corrections to the rules.
Accordingly, we propose a number of modifications that we believe will
eliminate ambiguities in the rules and/or make them more workable and
effective. Further, we propose a few modifications to conform the HIPAA
Privacy Rule to provisions in the Patient Safety and Quality
Improvement Act of 2005 (PSQIA). We address the substantive proposed
changes in the section-by-section description of the proposed rule
below. Technical corrections are discussed at the end of the section-
by-section description of the other proposed amendments to the rules.
III. Section-by-Section Description of the Proposed Amendments to
Subparts A and B of Part 160
Subpart A of part 160 of the HIPAA Rules contains general
provisions that apply to all of the HIPAA Rules. Subpart B of part 160
contains the regulatory provisions implementing HIPAA's preemption
provisions. We propose to amend a number of these provisions. Some of
the proposed changes are necessitated by the statutory changes made by
the HITECH Act, while others are of a technical or conforming nature.
[[Page 40872]]
A. Subpart A--General Provisions, Section 160.101--Statutory Basis and
Purpose
This section sets out the statutory basis and purpose of the HIPAA
Rules. We propose a technical change to include a reference to the
provisions of the HITECH Act upon which most of the regulatory changes
proposed below are based.
B. Subpart A--General Provisions, Section 160.102--Applicability
This section sets out to whom the HIPAA Rules apply. We propose to
add a new paragraph (b) to make clear, consistent with the provisions
of the HITECH Act that are discussed more fully below, that the
standards, requirements, and implementation specifications of the
subchapter apply to business associates, where so provided.
C. Subpart A--General Provisions, Section 160.103--Definitions
Section 160.103 contains definitions of terms that appear
throughout the HIPAA Rules. For ease of reference, we propose to move
several definitions currently found at Sec. 160.302 to Sec. 160.103
without substantive change to the definitions themselves. This category
includes definitions of the following terms: ``ALJ,'' ``civil money
penalty,'' and ``violation or violate.'' As the removal of these
definitions, along with the removal of other definitions discussed
below (e.g., ``administrative simplification provision'' and
``respondent''), would leave Sec. 160.302 unpopulated, we propose to
reserve that section. We also propose to remove a comma from the
definition of ``disclosure'' inadvertently inserted into the definition
in a prior rulemaking, which is not intended as a substantive change to
the definition. In addition, we propose to replace the term
``individually identifiable health information'' with ``protected
health information'' in the definition of ``standard'' to better
reflect the scope of the Privacy and Security Rules. Further, we
propose the following definitional changes:
1. Definition of ``Administrative Simplification Provision''
This definition is currently located in the definitions section of
subpart C of part 160 of the HIPAA Enforcement Rule. We propose to
remove the definition of this term from Sec. 160.302 and move it to
the definitions section located at Sec. 160.103 for clarity and
convenience, as the term is used repeatedly throughout the entire part
160. We also propose to add to the definition a reference to sections
13400-13424 of the HITECH Act.
2. Definition of ``Business Associate''
Sections 164.308(b) of the Security Rule and 164.502(e) of the
Privacy Rule require a covered entity to enter into a contract or other
written agreement or arrangement with its business associates. The
purpose of these contracts or other arrangements, generally known as
business associate agreements, is to provide some legal protection when
protected health information is being handled by another person (a
natural person or legal entity) on behalf of a covered entity. The
HIPAA Rules define ``business associate'' generally to mean a person
who performs functions or activities on behalf of, or certain services
for, a covered entity that involve the use or disclosure of protected
health information. Examples of business associates include third party
administrators or pharmacy benefit managers for health plans, claims
processing or billing companies, transcription companies, and persons
who perform legal, actuarial, accounting, management, or administrative
services for covered entities and who require access to protected
health information. We propose a number of modifications to the
definition of ``business associate.'' In particular, we propose to
modify the definition to conform the term to the statutory provisions
of PSQIA, 42 U.S.C. 299b-21, et seq., and the HITECH Act. Additional
modifications are made for the purpose of clarifying circumstances when
a business associate relationship exists and for general clarification
of the definition.
a. Inclusion of Patient Safety Organizations
We propose to add patient safety activities to the list of
functions and activities a person may undertake on behalf of a covered
entity that give rise to a business associate relationship. PSQIA, at
42 U.S.C. 299b-22(i)(1), provides that Patient Safety Organizations
(PSOs) must be treated as business associates when applying the Privacy
Rule. PSQIA provides for the establishment of PSOs to receive reports
of patient safety events or concerns from providers and provide
analyses of events to reporting providers. A reporting provider may be
a HIPAA covered entity and, thus, information reported to a PSO may
include protected health information that the PSO may analyze on behalf
of the covered provider. The analysis of such information is a patient
safety activity for purposes of PSQIA and the Patient Safety Rule, 42
CFR 3.10, et seq. While the HIPAA Rules as written would encompass a
PSO as a business associate when the PSO was performing quality
analyses and other activities on behalf of a covered health care
provider, we propose this change to the definition of business
associate to more clearly align the HIPAA and Patient Safety Rules.
We note that in some cases a covered health care provider, such as
a public or private hospital, may have a component PSO that performs
patient safety activities on behalf of the health care provider. See 42
CFR 3.20. In such cases, the component PSO would not be a business
associate of the covered entity but rather the persons performing
patient safety activities would be workforce members of the covered
entity. However, if the component PSO contracts out some of its patient
safety activities to a third party, the third party would be a business
associate of the covered entity. In addition, if a component PSO of one
covered entity performs patient safety activities for another covered
entity, such component PSO would be a business associate of the other
covered entity.
b. Inclusion of Health Information Organizations (HIO), E-Prescribing
Gateways, and Other Persons That Facilitate Data Transmission; as Well
as Vendors of Personal Health Records
Section 13408 of the HITECH Act, which became effective on February
18, 2010, provides that an organization, such as a Health Information
Exchange Organization, E-prescribing Gateway, or Regional Health
Information Organization, that provides data transmission of protected
health information to a covered entity (or its business associate) and
that requires access on a routine basis to such protected health
information must be treated as a business associate for purposes of the
Act and the HIPAA Privacy and Security Rules. Section 13408 also
provides that a vendor that contracts with a covered entity to allow
the covered entity to offer a personal health record to patients as
part of the covered entity's electronic health record shall be treated
as a business associate. Section 13408 requires that such organizations
and vendors enter into a written business associate contract or other
arrangement with the covered entity in accordance with the HIPAA Rules.
In accordance with the Act, we propose to modify the definition of
``business associate'' to explicitly designate these persons as
business associates.
[[Page 40873]]
Under proposed paragraphs (3)(i) and (ii) of the
definition, the term ``business associate'' would include: (1) A Health
Information Organization, E-prescribing Gateway, or other person that
provides data transmission services with respect to protected health
information to a covered entity and that requires routine access to
such protected health information; and (2) a person who offers a
personal health record to one or more individuals on behalf of a
covered entity.
Section 13408 of the Act makes reference to Health Information
Exchange Organizations; however, we instead include in the proposed
definition the term ``Health Information Organization'' because it is
our understanding that ``Health Information Organization'' is the more
widely recognized and accepted term to describe an organization that
oversees and governs the exchange of health-related information among
organizations.\2\ Section 13408 of the Act also specifically refers to
Regional Health Information Organizations. However, we do not believe
the inclusion of the term in the definition of ``business associate''
is necessary as a Regional Health Information Organization is simply a
Health Information Organization that governs health information
exchange among organizations within a defined geographic area.\3\
Further, the specific terms of ``Health Information Organization'' and
``E-prescribing Gateway'' are merely illustrative of the types of
organizations that would fall within this paragraph of the definition
of ``business associate.'' We request comment on the use of these terms
within the definition and whether additional clarifications or
additions are necessary.
---------------------------------------------------------------------------
\2\ Department of Health and Human Services, Office of the
National Coordinator for Health Information Technology, The National
Alliance for Health Information Technology Report to the Office of
the National Coordinator For Health Information Technology: Defining
Key Health Information Terms, Pg. 24 (2008).
\3\ Id. at 25.
---------------------------------------------------------------------------
Section 13408 also provides that the data transmission
organizations that the Act requires to be treated as business
associates are those that require access to protected health
information on a routine basis. Conversely, data transmission
organizations that do not require access to protected health
information on a routine basis would not be treated as business
associates. This is consistent with our prior interpretation of the
definition of ``business associate,'' through which we have indicated
that entities that act as mere conduits for the transport of protected
health information but do not access the information other than on a
random or infrequent basis are not business associates. See
http://www.hhs.gov/ocr/privacy/hipaa/faq/providers/business/245.html.
In contrast, however, entities that manage the exchange of protected
health information through a network, including providing patient
locator services and performing various oversight and governance
functions for electronic health information exchange, have more than
``random'' access to protected health information and thus, would fall
within the definition of ``business associate.''
c. Inclusion of Subcontractors
We propose to add language in paragraph (3)(iii) of the definition
of ``business associate'' to provide that subcontractors of a covered
entity--i.e., those persons that perform functions for or provide
services to a business associate, other than in the capacity as a
member of the business associate's workforce, are also business
associates to the extent that they require access to protected health
information. We also propose to include a definition of
``subcontractor'' in Sec. 160.103 to make clear that a subcontractor
is a person who acts on behalf of a business associate, other than in
the capacity of a member of the workforce of such business associate.
Even though we use the term ``subcontractor,'' which implies there is a
contract in place between the parties, we note that the definition
would apply to an agent or other person who acts on behalf of the
business associate, even if the business associate has failed to enter
into a business associate contract with the person. We request comment
on the use of the term ``subcontractor'' and its proposed definition.
The proposed modifications are similar in structure and effect to
the Privacy Rule's initial extension of privacy protections from
covered entities to business associates through contract requirements
to protect downstream protected health information. The proposed
provisions avoid having privacy and security protections for protected
health information lapse merely because a function is performed by an
entity that is a subcontractor rather than an entity with a direct
relationship with a covered entity. Allowing such a lapse in privacy
and security protections may allow business associates to avoid
liability imposed upon them by sections 13401 and 13404 of the Act,
thus circumventing the congressional intent underlying these
provisions. The proposed definition of ``subcontractor'' also is
consistent with Congress' overall concern that the privacy and security
protections of the HIPAA Rules extend beyond covered entities to those
entities that create or receive protected health information in order
for the covered entity to perform its health care functions. For
example, as discussed above, section 13408 makes explicit that certain
types of entities providing services to covered entities--e.g., vendors
of personal health records--shall be considered business associates.
Therefore, consistent with Congress' intent in sections 13401 and 13404
of the Act, as well as its overall concern that the HIPAA Rules extend
beyond covered entities to those entities that create or receive
protected health information, we propose that downstream entities that
work at the direction of or on behalf of a business associate and
handle protected health information would also be required to comply
with the applicable Privacy and Security Rule provisions in the same
manner as the primary business associate, and likewise would incur
liability for acts of noncompliance. We note, and further explain
below, that this proposed modification would not require the covered
entity to have a contract with the subcontractor; rather, the
obligation would remain on each business associate to obtain
satisfactory assurances in the form of a written contract or other
arrangement that a subcontractor will appropriately safeguard protected
health information. For example, under this proposal, if a business
associate, such as a third party administrator, hires a company to
handle document and media shredding to securely dispose of paper and
electronic protected health information, then the shredding company
would be directly required to comply with the applicable requirements
of the HIPAA Security Rule (e.g., with respect to proper disposal of
electronic media) and the Privacy Rule (e.g., with respect to limiting
its uses and disclosures of the protected health information in
accordance with its contract with the business associate).
d. Exceptions to Business Associate
We also propose to move the provisions at Sec. Sec. 164.308(b)(2)
and 164.502(e)(1)(ii) to the definition of business associate. These
provisions provide that in certain circumstances, such as when a
covered entity discloses protected health information to a health care
provider concerning the treatment of an individual, a covered entity is
not required to enter into a business associate contract or other
arrangement with the recipient of the protected health information.
[[Page 40874]]
While we do not change the meaning of
these provisions, we believe these limitations on the scope of
``business associate'' are more appropriately placed in the definition
as exceptions to the term to make clear that the Department does not
consider the recipients of the protected health information in these
circumstances to be business associates. The movement of these
exceptions and refinement of the definition of ``business associate''
also would help clarify that a person is a business associate if it
meets the definition of ``business associate,'' even if a covered
entity, or business associate with respect to a subcontractor, fails to
enter into the required contract with the business associate.
e. Technical Changes to the Definition
For clarity and consistency, we also propose to change the term
``individually identifiable health information'' in the current
definition of ``business associate'' to ``protected health
information,'' since a business associate has no obligations under the
HIPAA Rules with respect to individually identifiable health
information that is not protected health information.
3. Definition of ``Compliance Date''
The term ``compliance date'' currently refers only to covered
entities. We propose a technical change to include business associates
in the term, in light of the HITECH Act amendments, which apply certain
provisions of the HIPAA Rules to business associates.
4. Definition of ``Electronic Media''
The term ``electronic media'' was originally defined in the
Transactions and Code Sets Rule issued on August 17, 2000 (65 FR 50312)
and was included in the definitions at Sec. 162.103. That definition
was subsequently revised and moved to Sec. 160.103. The purpose of the
revision was to clarify that--
the physical movement of electronic media from place to place is
not limited to magnetic tape, disk, or compact disk. This
clarification removes a restriction as to what is considered to be
physical electronic media, thereby allowing for future technological
innovation. We further clarified that transmission of information
not in electronic form before the transmission, for example, paper
or voice, is not covered by this definition.
68 FR 8339, Feb. 20, 2003.
We propose to revise the definition of ``electronic media'' in the
following ways. First, we would revise paragraph (1) of the definition
to conform it to current usage, as set forth in ``Guidelines for Media
Sanitization'' (Definition of Medium, NIST SP 800-88, Glossary B, p. 27
(2006)). The NIST definition, which was updated subsequent to the
issuance of the Privacy and Security Rules, was developed in
recognition of the likelihood that the evolution of development of new
technology would make use of the term ``electronic storage media''
obsolete in that there may be ``storage material'' other than ``media''
that house electronic data. Second, we would add to paragraph (2) of
the definition of ``electronic media'' a reference to intranets, to
clarify that intranets come within the definition. Third, we propose to
change the word ``because'' to ``if'' in the final sentence of
paragraph (2) of the definition of ``electronic media.'' The definition
assumed that no transmissions made by voice via telephone existed in
electronic form before transmission; the evolution of technology has
made this assumption obsolete. This modification would extend the
policy described in the preamble discussion quoted above, but correct
its application to current technology, where some voice technology is
digitally produced from an information system and transmitted by phone.
5. Definition of ``Protected Health Information''
We propose to modify the definition of ``protected health
information'' at Sec. 160.103 to provide that the Privacy and Security
Rules do not protect the individually identifiable health information
of persons who have been deceased for more than 50 years. This proposed
modification is explained more fully below in Section VI.E. of the
preamble where we discuss the proposed changes to the Privacy Rule
related to the protected health information of decedents.
6. Definition of ``Respondent''
The definition of the term ``Respondent,'' which is currently in
Sec. 160.302, would be moved to Sec. 160.103. A reference to
``business associate'' would be added following the reference to
``covered entity'' in recognition of the potential liability imposed on
business associates for violations of certain provisions of the Privacy
and Security Rules by sections 13401 and 13404 of the Act.
7. Definition of ``State''
The HITECH Act at section 13400, which became effective February
18, 2010, includes a definition of ``State'' to mean ``each of the
several States, the District of Columbia, Puerto Rico, the Virgin
Islands, Guam, American Samoa, and the Northern Mariana Islands.'' This
definition varies from paragraph (2) of the HIPAA definition of
``State'' at Sec. 160.103, which does not include reference to
American Samoa and the Northern Mariana Islands. Thus, for consistency
with the definition applied to the HIPAA Rules by the HITECH Act, we
propose to add reference to American Samoa and the Commonwealth of the
Northern Mariana Islands in paragraph (2) of the definition of
``State'' at Sec. 160.103.
8. Definition of ``Workforce''
The HITECH Act is directly applicable to business associates and
has extended liability for compliance with certain provisions of the
Privacy and Security Rules to business associates. Because some
provisions of the Act and the Privacy and Security Rules place
obligations on the business associate with respect to workforce
members, we propose to revise the definition of ``workforce member'' in
Sec. 160.103 to make clear that such term includes the employees,
volunteers, trainees, and other persons whose conduct, in the
performance of work for a business associate, is under the direct
control of the business associate.
D. Subpart B--Preemption of State Law, Section 160.201--Statutory Basis
We propose to modify Sec. 160.201 regarding the statutory basis
for the preemption of State law provisions to add a reference to
section 264(c) of HIPAA, which contains the statutory basis for the
exception to preemption at Sec. 160.203(b) for State laws that are
more stringent than the HIPAA Privacy Rule. We also propose to add a
reference to section 13421(a) of the HITECH Act, which applies HIPAA's
preemption rules to the HITECH Act's privacy and security provisions.
Finally, we propose to re-title the provision to read ``Statutory
basis'' instead of ``Applicability.''
We also take this opportunity to make clear that section 264(c)(2)
of HIPAA and Sec. 160.203(b) do not create a Federal evidentiary
privilege. Additionally, we take this opportunity to make clear that
neither the HIPAA statute nor its implementing regulations give effect
to State physician-patient privilege laws or provisions of State law
relating to the privacy of individually identifiable health information
for use in Federal court proceedings. Therefore, consistent with the
Supremacy Clause, any State law that was preempted prior to HIPAA
because of conflicts with a Federal law would continue to be preempted.
Nothing in HIPAA or its implementing regulations is intended to expand
the scope of State laws, regardless of whether they are more or less
stringent than Federal law.
[[Page 40875]]
E. Subpart B--Preemption of State Law, Section 160.202--Definitions
1. Definition of ``Contrary''
The term ``contrary'' is currently defined in Sec. 160.202 to make
clear when the preemption provisions of HIPAA apply to State law.
Consistent with the limited application of the HIPAA provisions to
covered entities only, the current definition of the term ``contrary''
does not include reference to business associates. However, section
13421(a) of the HITECH Act provides that the HIPAA preemption provision
(section 1178 of the Social Security Act) applies to the provisions and
requirements under the HITECH Act ``in the same manner'' as it would
apply under the HIPAA provisions. Thus, the preemption provisions would
apply to business associates, who are now, by virtue of the HITECH Act,
required to comply with certain provisions of the HIPAA Rules and are
subject to penalties for noncompliance, as discussed elsewhere. Thus,
we propose to amend the definition of ``contrary'' by inserting
references to business associates in paragraph (1) of the definition.
We also expand the reference to the HITECH statutory provisions in
paragraph (2) of the definition to encompass all of the sections of
subtitle D of the HITECH Act, rather than merely to section 13402,
which was added by the breach notifications regulations. These changes
would give effect to section 13421(a).
2. Definition of ``More Stringent''
The term ``more stringent'' is part of the statutory preemption
language under HIPAA. HIPAA preempts State law that is contrary to a
HIPAA privacy standard unless, among other exceptions, the State law is
more stringent than the contrary HIPAA privacy standard. The current
regulatory definition of ``more stringent'' does not include business
associates. We propose to amend the definition to add a reference to
business associates, for the reasons set out in the preceding
discussion.
IV. Section-by-Section Description of the Proposed Amendments to the
Enforcement Rule--Subparts C and D of Part 160
Section 13410 of the HITECH Act made several amendments that
directly impact the Enforcement Rule, which applies to the Secretary's
enforcement of all of the HIPAA Administrative Simplification Rules, as
well as the recently promulgated Breach Notification Rule. We issued an
interim final rule on October 30, 2009, 74 FR 56123, to address the
HITECH Act amendments impacting the Enforcement Rule that became
effective on February 18, 2009. For context, we describe those
modifications to the Enforcement Rule briefly below. We then provide a
section-by-section description of the other section 13410 amendments
that are part of this proposed rule.
In addition, sections 13401 and 13404 of the HITECH Act impose
direct civil money penalty liability on business associates for
violations of the HITECH Act and certain Privacy and Security Rule
provisions. In doing so, sections 13401(b) and 13404(c) of the Act
provide that section 1176 of the Social Security Act shall apply to a
violation by a business associate ``in the same manner'' as it would
apply to a covered entity with respect to such a violation. Both
provisions are, by virtue of section 13423, effective February 18,
2010.
The provisions of subparts C and D of part 160 currently apply by
their terms solely to covered entities. Accordingly, to implement
sections 13401(b) and 13404(c) of the Act, we propose to revise a
number of provisions in both subparts to reflect this statutory change
by adding the term ``business associate'' where appropriate, following
a reference to ``covered entity.'' For ease, we list the sections in
which the term ``business associate'' is added here rather than repeat
the change in each discussion of the sections below: Sec. Sec.
160.300; 160.304; 160.306(a) and (c); 160.308; 160.310; 160.312;
160.316; 160.401; 160.402; 160.404(b); 160.406; 160.408(c) and (d); and
160.410(a) and (c).
In addition to these references, we propose to add a paragraph in
Sec. 160.402(c)(2) to describe a business associate's liability for
the actions of its agents, in accordance with the Federal common law of
agency. This proposed modification is discussed more fully below in the
discussion of Sec. 160.402(c).
As noted above, the Department issued an interim final rule (IFR)
on October 30, 2009, revising the Enforcement Rule to incorporate the
provisions required by section 13410(d) of the HITECH Act that
immediately took effect: Four categories of violations that reflect
increasing levels of culpability, the corresponding tiers of civil
money penalty amounts, and the revised limitations placed on the
Secretary's authority to impose penalties. More specifically, the IFR
revised subpart D of the Enforcement Rule to transfer the definitions
of ``reasonable cause,'' ``reasonable diligence,'' and ``willful
neglect'' from Sec. 160.410(a) to a new definitions section at Sec.
160.401. The IFR revised Sec. 160.404 to incorporate, for violations
occurring on or after February 18, 2009, the new penalty scheme
required by section 13410(d), as follows: For violations in which it is
established that the covered entity did not know and, by exercising
reasonable diligence, would not have known that the covered entity
violated a provision, an amount not less than $100 or more than $50,000
for each violation; for a violation in which it is established that the
violation was due to reasonable cause and not to willful neglect, an
amount not less than $1,000 or more than $50,000 for each violation; for
a violation in which it is established that the violation was due to
willful neglect and was timely corrected, an amount not less than
$10,000 or more than $50,000 for each violation; and for a violation in
which it is established that the violation was due to willful neglect
and was not timely corrected, an amount not less than $50,000 for each
violation; except that a penalty for violations of the same requirement
or prohibition under any of these categories may not exceed $1,500,000
in a calendar year. It also revised the affirmative defenses in Sec.
160.410 for violations occurring on or after February 18, 2009, to
remove a covered entity's lack of knowledge as an affirmative defense
and to provide an affirmative defense when violations not due to
willful neglect are corrected within 30 days. Finally, the IFR added a
requirement that a notice of proposed determination pursuant to Sec.
160.420 also reference the applicable category of violation. Readers
are encouraged to refer to the IFR for a more detailed discussion of
these topics as well as the Enforcement Rule's statutory and regulatory
background. See 74 FR 56123, 56124, Oct. 30, 2009.
The rules proposed below would revise many provisions of subparts C
and D of part 160. However, the Department's current interpretations of
the regulatory provisions at subparts C and D continue unchanged,
except to the extent they are inconsistent with the changes to those
provisions, as indicated below.
A. Subpart C--Compliance and Investigations, Section 160.304--
Principles for Achieving Compliance
Section 160.304 identifies cooperation and assistance as two
overarching principles for achieving compliance. The principle of
cooperation, in Sec. 160.304(a), states that ``[t]he Secretary will,
to the extent practicable, seek the cooperation of covered entities in
obtaining compliance with the applicable administrative simplification
provisions.''
[[Page 40876]]
Section 13410(a) of the HITECH Act adds a new subsection (c) to
section 1176 of the Social Security Act:
(c) NONCOMPLIANCE DUE TO WILLFUL NEGLECT.--
(1) IN GENERAL.--A violation of a provision of this part due to
willful neglect is a violation for which the Secretary is required
to impose a penalty under subsection (a)(1).
(2) REQUIRED INVESTIGATION.--For purposes of paragraph (1), the
Secretary shall formally investigate any complaint of a violation of
a provision of this part if a preliminary investigation of the facts
of the complaint indicate such a possible violation due to willful
neglect.
Section 13410(b)(1) makes the provisions of section 13410(a) effective
February 18, 2011.
Under section 1176(c), HHS is required to impose a civil money
penalty for violations due to willful neglect. Accordingly, although
the Secretary often will still seek to correct indications of
noncompliance through voluntary corrective action, there may be
circumstances (such as circumstances indicating willful neglect), where
the Secretary may seek to proceed directly to formal enforcement. As a
conforming amendment, HHS proposes to add the phrase, ``and consistent
with the provisions of this subpart,'' to Sec. 160.304(a) to recognize
the statutory revision.
B. Subpart C--Compliance and Investigations, Section 160.306(c)--
Complaints to the Secretary
Section 160.306(c) of the Enforcement Rule currently provides the
Secretary with discretion to investigate HIPAA complaints, through use
of the word ``may.'' The new willful neglect provisions, at section
1176(c)(2) of the Social Security Act, will require HHS to investigate
``any complaint of a violation of a provision of this part if a
preliminary investigation of the facts of the complaint indicates * * *
a possible violation due to willful neglect.''
HHS proposes to implement section 1176(c)(2) by adding a new
paragraph (1) at Sec. 160.306(c) to provide that the Secretary will
investigate any complaint filed under this section when a preliminary
review of the facts indicates a possible violation due to willful
neglect. As a practical matter, HHS currently conducts a preliminary
review of every complaint received and proceeds with the investigation
in every eligible case where its preliminary review of the facts
indicates a possible violation of the HIPAA Rules. Nevertheless, we
propose this addition to Sec. 160.306 to make clear our intention to
pursue an investigation where a preliminary review of the facts
indicates a possible violation due to willful neglect.
HHS proposes to conform the remainder of Sec. 160.306(c)
accordingly. The new Sec. 160.306(c)(2) (presently, the initial
sentence of Sec. 160.306(c)) would be revised by replacing
``complaints'' with ``any other complaint'' to distinguish the
Secretary's discretion with respect to complaints for which HHS's
preliminary review of the facts does not indicate a possible violation
due to willful neglect from the statutory requirement to investigate
all complaints for which HHS's preliminary review of the facts
indicates a possible violation due to willful neglect, as set out in
the new Sec. 160.306(c)(1). The current second sentence of Sec.
160.306(c), which addresses the content of an investigation, would be
renumbered as Sec. 160.306(c)(3) and amended by changing the first
word of the sentence from ``such'' to ``an,'' to signal the provision's
application to any investigation, regardless of whether a preliminary
review of the facts indicates a possible violation due to willful
neglect.
C. Subpart C--Compliance and Investigations, Section 160.308--
Compliance Reviews
Section 160.308 provides that the Secretary may conduct compliance
reviews. Use of the word ``may'' in this section makes clear that this
is a discretionary activity. While complaints and not compliance
reviews are specifically mentioned in the statutory language of section
13410(a)(1)(B) of the Act regarding willful neglect, HHS proposes to
also amend Sec. 160.308 to provide that the Secretary will conduct a
compliance review to determine whether a covered entity or business
associate is complying with the applicable administrative
simplification provision when a preliminary review of the facts
indicates a possible violation due to willful neglect. This revision to
Sec. 160.308 furthers Congress' intent to strengthen enforcement with
respect to potential violations due to willful neglect and ensures that
investigations, whether or not initiated by complaint, are handled in a
consistent manner. Also, the current language of Sec. 160.308 would be
redesignated as paragraph (b), and the words ``in any other
circumstance'' would be added to the end of this paragraph to indicate
that the discretionary authority of this paragraph applies to cases
where the preliminary review of the facts does not indicate a possible
violation due to willful neglect. Note that if HHS initiates an
investigation of a complaint because its preliminary review of the
facts indicates a possible violation due to willful neglect, HHS would
not also be required to initiate a compliance review under this
section, since it would be duplicative to do so.
D. Subpart C--Compliance and Investigations, Section 160.310--
Responsibilities of Covered Entities
Section 160.310 explains a covered entity's responsibilities during
complaint investigations and compliance reviews to make information
available to the Secretary and to cooperate with the Secretary. Section
160.310(c)(3) provides that any protected health information obtained
by the Secretary in connection with an investigation or compliance
review will not be disclosed by the Secretary, except as necessary for
determining and enforcing compliance with the HIPAA Rules or if
otherwise required by law. We propose to also allow the Secretary to
disclose protected health information if permitted under the Privacy
Act at 5 U.S.C. 552a(b)(7). Section 552a(b)(7) permits the disclosure
of a record on an individual contained within a Privacy Act protected
system of records to another agency or instrumentality of any
governmental jurisdiction within or under the control of the United
States for a civil or criminal law enforcement activity if the activity
is authorized by law and if the agency has made a written request to
the agency that maintains the record. This proposed change is necessary
to permit the Secretary to cooperate with other law enforcement
agencies, such as the State Attorneys General pursuing HIPAA actions on
behalf of State residents pursuant to section 13410(e) of the Act, or
the Federal Trade Commission, pursuing remedies under other consumer
protection authorities.
E. Subpart C--Compliance and Investigations, Section 160.312--
Secretarial Action Regarding Complaints and Compliance Reviews
Where noncompliance is indicated, Sec. 160.312 requires the
Secretary to attempt to resolve situations by informal means. Section
1176(c)(2) of the Social Security Act, as added by section 13410(a) of
the HITECH Act, will require formal investigation of a complaint ``if a
preliminary investigation of the facts of the complaint indicate * * *
a possible
[[Page 40877]]
violation due to willful neglect.'' Further, section 1176(c)(1) of the
Social Security Act, as added by section 13410(a) of the HITECH Act,
will require the Secretary to impose a civil money penalty where HHS
makes a finding of a violation involving willful neglect. In addition
to the proposed modification to Sec. 160.306(c)(1), in light of the
new provisions at section 1176(c), we propose to make clear that HHS is
not required to attempt to resolve cases of noncompliance due to
willful neglect by informal means. To do so, we propose to replace the
word ``will'' in Sec. 160.312(a)(1) with ``may.'' While this change
would permit HHS to proceed with a willful neglect determination as
appropriate, it would also permit HHS to seek to resolve complaints and
compliance reviews that did not indicate willful neglect by informal
means (e.g., where the covered entity or business associate did not
know and by exercising reasonable diligence would not have known of a
violation, or where the violation is due to reasonable cause).
It should be noted that this amendment would not change the
substance of the response set forth in the April 18, 2005, preamble to
the proposed Enforcement Rule, at 70 FR 20224, 20245-6, regarding
objections to the 60-day time limit for filing a request for a hearing.
In that response, HHS indicated that it was not reasonable to assume
that a notice of proposed determination would be served on a respondent
with no warning because the covered entity would necessarily be made
aware of, and have the opportunity to address, HHS's compliance
concerns throughout the investigative period preceding the notice of
proposed determination. This proposed change to Sec. 160.312 would
allow the Secretary to proceed directly to a notice of proposed
determination without first attempting to resolve the matter
informally. This proposed revision does not change the fact that during
the course of a complaint investigation or a compliance review, a
covered entity or business associate would be made aware of, and have
the opportunity to address, HHS's compliance concerns.
F. Subpart D--Imposition of Civil Money Penalties, Section 160.401--
Definitions
Section 160.401 provides definitions of the terms ``reasonable
cause,'' ``reasonable diligence,'' and ``willful neglect.'' As
discussed in the interim final rule, at 74 FR 56123, 56126-7, given
section 13410(d) of the Act's use of these terms to describe the
increasing levels of culpability for which increasing minimum levels of
penalties may be imposed, HHS transferred these definitions from their
prior placement at Sec. 160.410(a) to signal the definitions' broader
application to the entirety of subpart D of part 160. However, because
section 13410(d) of the Act referred to these terms but did not amend
these definitions, the interim final rule did not alter their content.
HHS encourages readers, as it did in the interim final rule, to refer
to prior preambles to the Enforcement Rule for detailed discussions of
these terms at 70 FR 20224, 20237-9 and 71 FR 8390, 8409-11.
While the provisions of section 13410 of the Act do not explicitly
require modification of these definitions, HHS is concerned that the
mens rea demarcation between the categories of culpability associated
with the new tiers of civil money penalty amounts is not sufficiently
clear based on the existing definitions. As a result, certain
violations (i.e., those of which a covered entity or business associate
has or should have knowledge, but does not have the conscious intent or
reckless indifference associated with willful neglect) might not fit
squarely within one of the established tiers. Therefore, HHS proposes
to amend the definition of reasonable cause to clarify the scope of
violations fitting within that definition.
HHS does not propose to otherwise modify the definitions associated
with the categories of culpability of the amended section 1176(a) of
the Social Security Act. However, we wish to clarify how the Secretary
intends to apply these terms within this newly established context, to
assist covered entities and business associates in tailoring their
compliance activities appropriately. Accordingly, the discussion below
also addresses the terms associated with the other categories of
culpability (i.e., knowledge, reasonable diligence, and willful
neglect).
1. Reasonable Cause
Reasonable cause is currently defined, at Sec. 160.401, to mean
``circumstances that would make it unreasonable for the covered entity,
despite the exercise of ordinary business care and prudence, to comply
with the administrative simplification provision violated.'' This
definition is consistent with the Supreme Court's ruling in United
States v. Boyle, 469 U.S. 241, 245 (1985), which focused on whether
circumstances were beyond the regulated person's control, thereby
making compliance unreasonable. See 70 FR 20224, 20238. Prior to the
HITECH Act, section 1176 of the Social Security Act treated reasonable
cause as a partial limitation on the Secretary's authority to impose a
civil money penalty. That is, by establishing that a violation was due
to reasonable cause and not willful neglect and was either corrected
within a 30-day period or such additional period as the Secretary
determined to be appropriate, a covered entity or business associate
would bar the Secretary's imposition of a civil money penalty.
As described above, section 13410(d) of the HITECH Act revised
section 1176 of the Social Security Act to establish four tiers of
increasing penalty amounts to correspond to the levels of culpability
associated with the violation. The first category of violation (and
lowest penalty tier) covers situations where the covered entity or
business associate did not know, and by exercising reasonable diligence
would not have known, of a violation. The second category of violation
(and next highest penalty tier) applies to violations due to reasonable
cause and not to willful neglect. The third and fourth categories (and
second-highest and highest penalty tiers) apply to circumstances where
the violation was due to willful neglect that is corrected within a
certain time period and willful neglect that is not so corrected,
respectively. The importance of mens rea, or state of mind, in
determining the degree of culpability is clear with respect to the
first, third, and fourth categories, in that there is no mens rea with
respect to the lowest category of violation, while the existence of
mens rea is presumed with respect to the third and fourth categories of
violation.
However, the current definition of reasonable cause does not
address mens rea with respect to the second category of violations. HHS
therefore proposes to amend the definition of ``reasonable cause'' in
Sec. 160.401 to clarify the full scope of violations that will come
within the reasonable cause category of violations, including those
circumstances that would make it unreasonable for the covered entity or
business associate, despite the exercise of ordinary business care and
prudence, to comply with the administrative simplification provisions
violated, as well as those circumstances in which a covered entity or
business associate has knowledge of a violation but lacks the conscious
intent or reckless indifference associated with the willful neglect
category of violations. To that end, HHS proposes to replace the
current definition of ``reasonable cause'' with the following:
[[Page 40878]]
an act or omission in which a covered entity or business
associate knew, or by exercising reasonable diligence would have
known, that the act or omission violated an administrative
simplification provision, but in which the covered entity or
business associate did not act with willful neglect.
As modified, the definition of ``reasonable cause'' will continue
to recognize those circumstances that would make it unreasonable for
the covered entity or business associate, despite the exercise of
ordinary business care and prudence, to comply with the administrative
simplification provisions violated. Consider the following example:
A covered entity received an individual's request for access but
did not respond within the time periods provided for in Sec.
164.524(b)(2). HHS's investigation reveals that the covered entity
had compliant access policies and procedures in place, but that it
had received an unusually high volume of requests for access within
the time period in question. While the covered entity had responded
to the majority of access requests received in that time period in a
timely manner, it had failed to respond in a timely manner to
several requests for access. The covered entity did respond in a
timely manner to all requests for access it received subsequent to
the time period in which the violations occurred.
In this example, the covered entity had knowledge of the violations
but the investigation revealed circumstances that would make it
unreasonable for the covered entity, despite the exercise of ordinary
business care and prudence, to comply with the administrative
simplification provisions violated. The investigation also revealed
that the covered entity acted in a way that demonstrated a good faith
attempt to comply with Sec. 164.524(b)(2) by having compliant policies
and procedures in place, responding to the majority of access requests
in a timely manner, and otherwise responding to subsequent requests as
required. In contrast, had the investigation revealed that the series
of access requests occurred over a longer period of time, and that the
covered entity did not attempt to address the backlog or communicate
with the individuals, in writing, regarding the reasons for the delay
or the date by which the covered entity would complete its action on
the requests, the notice of proposed determination might alternatively
categorize the violation as being due to willful neglect.
The modified definition of reasonable cause will also encompass
those circumstances in which a covered entity or business associate has
knowledge of the violation but lacks the conscious intent or reckless
indifference associated with willful neglect. Consider the following
example:
A covered entity presented an authorization form to a patient
for signature to permit a disclosure for marketing purposes that did
not contain the core elements required by Sec. 164.508(c). HHS's
investigation reveals that the covered entity was aware of the
requirement for an authorization for a use or disclosure of
protected health information for marketing and had attempted to
draft a compliant authorization but had not included in the
authorization the core elements required under Sec. 164.508.
In this example, the covered entity failed to act with the ordinary
care and business prudence of one seeking to comply with the Privacy
Rule. Therefore, the violation cannot be considered to come within the
category of violation that is associated with violations where the
covered entity did not know (and by exercising reasonable diligence
would not have known) of the violation. Yet, because the covered entity
had attempted to draft a compliant authorization, it cannot be
established that the omission was due to willful neglect involving
either a conscious, intentional failure or reckless indifference to the
obligation to comply with Sec. 164.508. Unless otherwise resolved by
informal means, HHS would have grounds to find that the violation was
due to reasonable cause.
2. Knowledge and Reasonable Diligence
Prior rulemaking preambles discussing the Enforcement Rule explain
the concept of knowledge, as it applies to the limitations (i.e.,
affirmative defenses) that section 1176(b) of the Social Security Act
places on the Secretary's authority to impose a civil money penalty. As
they explain, ``the knowledge involved must be knowledge that [a]
violation has occurred, not just knowledge of the facts constituting
the violation.'' See 71 FR 8390, 8410, Feb. 16, 2006. Moreover, a
covered entity or business associate cannot assert an affirmative
defense associated with its ``lack of knowledge'' if such lack of
knowledge has resulted from its failure to inform itself about
compliance obligations or to investigate received complaints or other
information indicating likely noncompliance. See 70 FR 20224, 20237-8,
Apr. 18, 2005 and 71 FR 8390, 8410-11, Feb. 16, 2006.
Section 13410(d) of the Act establishes the category of violations
where the covered entity or business associate did not know (and by
exercising reasonable diligence would not have known) of a violation as
warranting the lowest range of civil money penalty amounts. The HITECH
Act incorporated the concepts of knowledge and reasonable diligence
from HIPAA, and it did not revise their substance. HHS therefore
expects to apply these existing concepts to the newly established
penalty structure consistent with its prior interpretations. Consider
the following examples:
1. A covered health care provider with a direct treatment
relationship with an individual patient failed to provide the
patient a complete notice of privacy practices in compliance with
Sec. 164.520(c). HHS's investigation reveals that the covered
entity has a compliant notice of privacy practices, policies and
procedures for provision of the notice, and appropriate training of
its workforce regarding the notice and its distribution. The
violation resulted from a printing error that failed to print two
pages of the notice of privacy practices. The printing error
affected a small number of the covered entity's supply of notices
and was an isolated failure to provide an individual with the
covered entity's notice of privacy practices.
2. A business associate failed to terminate a former employee's
access privileges to electronic protected health information in
compliance with Sec. 164.308(a)(3)(ii)(C). HHS's investigation
reveals that the business associate's policies and procedures
require the termination of such access within a reasonable time
period. The HHS investigation reveals that the business associate
attempted to terminate the former employee's access in accordance
with its policy, but that it instead terminated the access of a
current employee who had the same name as the former employee.
In both examples, HHS's investigations reveal that the covered entity
or business associate has compliant policies and procedures in place,
as well as some action by each covered entity or business associate
indicating its intent to implement the respective Privacy Rule
requirements. The investigations also reveal noncompliance that the
exercise of reasonable diligence would not have avoided.
HHS also notes that, in some circumstances, we expect that the
knowledge of an employee or agent of a covered entity or business
associate may determine whether a violation implicates the ``did not
know'' or ``reasonable cause'' categories of violation. That is, absent
an exception under the Federal common law of agency, the knowledge of
an employee or agent will generally be imputed to its principal (i.e.,
the covered entity or business associate). See 70 FR 20224, 20237 and
71 FR 8390, 8402-3 (discussing imputation of knowledge under the
Federal common law of agency and violations attributed to a covered
entity, respectively). Consider the following example:
[[Page 40879]]
A hospital employee accessed the paper medical record of his ex-
spouse while he was on duty to discover her current address for a
personal reason, knowing that such access is not permitted by the
Privacy Rule and contrary to the policies and procedures of the
hospital. HHS's investigation reveals that the covered entity had
appropriate and reasonable safeguards regarding employee access to
medical records, and that it had delivered appropriate training to
the employee.
In this example, the ``did not know'' category of violation is
implicated with respect to the covered entity because the mens rea
element of knowledge cannot be established. That is, while the
employee's act is attributed to the covered entity, the employee's
knowledge of the violation cannot be imputed to the covered entity
because the employee was acting adversely to the covered entity. The
Federal common law of agency does not permit the imputation of
knowledge to the principal where the agent consciously acts in a manner
that is adverse to the principal.
3. Willful Neglect
Willful neglect is defined, at Sec. 160.401, to mean the
``conscious, intentional failure or reckless indifference to the
obligation to comply with the administrative simplification provision
violated.'' The term not only presumes actual or constructive knowledge
on the part of the covered entity that a violation is virtually certain
to occur but also encompasses a conscious intent or degree of
recklessness with regard to its compliance obligations.
While the HITECH Act references willful neglect in several
provisions, it does not revise the term's definition. HHS therefore
expects to apply the current definition of willful neglect to all newly
established contexts in the same manner as previously discussed.
Consider the following examples:
1. A covered entity disposed of several hard drives containing
electronic protected health information in an unsecured dumpster, in
violation of Sec. 164.530(c) and Sec. 164.310(d)(2)(i). HHS's
investigation reveals that the covered entity had failed to
implement any policies and procedures to reasonably and
appropriately safeguard protected health information during the
disposal process.
2. A covered entity failed to respond to an individual's request
that it restrict its uses and disclosures of protected health
information about the individual. HHS's investigation reveals that
the covered entity does not have any policies and procedures in
place for consideration of the restriction requests it receives and
refuses to accept any requests for restrictions from individual
patients who inquire.
3. A covered entity's employee lost an unencrypted laptop that
contained unsecured protected health information. HHS's
investigation reveals the covered entity feared its reputation would
be harmed if information about the incident became public and,
therefore, decided not to provide notification as required by Sec.
164.400 et seq.
The facts in these examples demonstrate that the covered entities had
actual or constructive knowledge of their various violations. In
addition, the covered entities' failures to develop or implement
compliant policies and procedures or to respond to incidents as
required by Sec. 164.400 et seq. demonstrate either conscious intent
or reckless disregard with respect to their compliance obligations. In
the second example, the covered entity's refusal to accept any requests
for restrictions from individual patients who inquire would be grounds
for a separate finding of a violation due to willful neglect.
4. Correction of Willful Neglect Violations
We also note that while a covered entity's or business associate's
correction of a willful neglect violation will not bar the imposition
of a civil money penalty, such correction may foreclose the Secretary's
authority to impose a penalty from the highest penalty tier prescribed
by section 1176(a)(1) of the Social Security Act. While not all
violations can be corrected, in the sense of being fully undone or
remediated, HHS has previously set forth a broad interpretation of
``corrected,'' in light of the statute's association of the term with
``failure to comply.'' See 71 FR 8390, 8411 (recognizing that the term
``corrected'' could include correction of a covered entity's
noncompliant procedure by making the procedure compliant). For example,
in the event a covered entity's or business associate's inadequate
safeguards policies and procedures result in an impermissible
disclosure, the disclosure violation itself could not be fully undone
or corrected. The safeguards violation, however, could be ``corrected''
in the sense that the noncompliant policies and procedures could be
brought into compliance. In any event, corrective action will always be
required of a covered entity or business associate.
G. Subpart D--Imposition of Civil Money Penalties, Section 160.402--
Basis for a Civil Money Penalty
Section 160.402(a) provides the general rule that the Secretary
will impose a civil money penalty upon a covered entity if the
Secretary determines that the covered entity violated an administrative
simplification provision. Paragraphs (b) and (c) of this section
explain the basis for a civil money penalty against a covered entity
where more than one covered entity is responsible for a violation,
where an affiliated covered entity is responsible for a violation, and
where an agent of a covered entity is responsible for a violation. As
explained above, this proposed rule would add references to ``business
associate'' where appropriate in this section to effectuate the HITECH
Act's imposition of liability on business associates for violations of
the HITECH Act and certain Privacy and Security Rule provisions.
Further, in paragraph (c), which provides the basis for the
imposition of a civil money penalty against a covered entity for the
acts of its agent, in accordance with the Federal common law of agency,
we propose to add a parallel provision providing for civil money
penalty liability against a business associate for the acts of its
agent. Thus, we propose to add a new paragraph (2) to Sec. 160.402(c)
to provide that a business associate is liable, in accordance with the
Federal common law of agency, for a civil money penalty for a violation
based on the act or omission of any agent of the business associate,
including a workforce member or subcontractor, acting within the scope
of the agency.
The existing language of Sec. 160.402(c) regarding the liability
of covered entities for the acts of their agents would be redesignated
as paragraph (1), with one substantive change. This section currently
provides an exception for covered entity liability for the acts of its
agent in cases where the agent is a business associate, the relevant
contract requirements have been met, the covered entity did not know of
a pattern or practice of the business associate in violation of the
contract, and the covered entity did not fail to act as required by the
Privacy or Security Rule with respect to such violations. We propose to
remove this exception to principal liability for the covered entity so
that the covered entity remains liable for the acts of its business
associate agents, regardless of whether the covered entity has a
compliant business associate agreement in place. This change is
necessary to ensure, where the covered entity has contracted out a
particular obligation under the HIPAA Rules, such as the requirement to
provide individuals with a notice of privacy practices, that the
covered entity remains liable for the failure of its business associate
to perform that obligation on the covered entity's behalf.
[[Page 40880]]
We do not believe this proposed change would place any undue burden
on covered entities, since covered entities are customarily liable for
the acts of their agents under agency common law. We note that this
proposed regulatory change does not create liability for covered
entities with respect to business associates that are not agents, e.g.,
independent contractors. The determination of whether a business
associate is an agent of a covered entity, or whether a subcontractor
is an agent of a business associate, will be based on the facts of the
relationship, such as the level of control over the business
associate's or subcontractor's conduct.
H. Subpart D--Imposition of Civil Money Penalties, Section 160.408--
Factors Considered in Determining the Amount of a Civil Money Penalty
1. Determination of Penalty Amounts Prior to the HITECH Act
Section 160.408 implements section 1176(a)(2) of the Social
Security Act, which requires the Secretary, when imposing a civil money
penalty, to apply the provisions of section 1128A of the Social
Security Act ``in the same manner as such provisions apply to the
imposition of a civil money penalty under section 1128A.'' As currently
written, Section 1128A requires the Secretary to take into account--
(1) The nature of the claims and the circumstances under which
they were presented,
(2) The degree of culpability, history of prior offenses and
financial condition of the person presenting the claims, and
(3) Such other matters as justice may require.
Like other regulations that implement section 1128A, HHS tailored these
factors by breaking them down into their component elements and
providing a more specific list of circumstances, within each component,
that apply to the context of HIPAA Rule violations. Because the
Enforcement Rule applies to a number of rules, which apply to an
enormous number of entities and circumstances, HHS left to the
Secretary's discretion the decisions of whether and how (i.e., as
either aggravating or mitigating) to consider the following factors in
determining the amount of a civil money penalty:
(a) The nature of the violation, in light of the purpose of the
rule violated.
(b) The circumstances, including the consequences, of the
violation, including but not limited to * * * [specific
circumstances]
(c) The degree of culpability of the covered entity, including
but not limited to * * * [specific circumstances]
(d) Any history of prior compliance with the administrative
simplification provisions, including violations, by the covered
entity, including but not limited to * * * [specific circumstances]
(e) The financial condition of the covered entity, including but
not limited to * * * [specific circumstances]
(f) Such other matters as justice may require.
See 70 FR 20224, 20235-6 and 71 FR 8390, 8407-9 for a discussion of
HHS's interpretation of the factors currently enumerated in Sec.
160.408.
2. Determination of Penalty Amounts After the HITECH Act
As discussed in more detail in the IFR, section 13410(d) of the
HITECH Act modified section 1176(a)(1) of the Social Security Act in
several ways, including the establishment of tiers of penalty amounts
that are associated with increasing levels of culpability. It also
added a provision to section 1176(a)(1) of the Social Security Act
directing HHS to ``base such determination [of the appropriate penalty
amount] on the nature and extent of the violation and the nature and
extent of the harm resulting from such violation.'' The HITECH Act did
not modify section 1176(a)(2) (requiring application of section 1128A).
In addition, many of the factors currently identified by Sec. 160.408
already pertain to the nature of the violation and the resulting harm.
Section 160.408(a), for example, identifies the nature of the violation
for consideration; paragraph (b) addresses the circumstances, including
the consequences, of the violation (e.g., physical harm, financial harm
and whether the violation hindered or facilitated an individual's
ability to obtain health care); and paragraph (f) addresses such other
matters as justice may require. Thus, HHS did not modify Sec. 160.408
in the IFR.
Upon further consideration of the statutory mandates and the
significantly broader range of penalty amounts available, HHS believes
it is appropriate to amend the structure of Sec. 160.408, to make
explicit the new statutory requirement that the Secretary consider the
nature and extent of the violation and the nature and extent of the
harm resulting from the violation, in addition to those factors
enumerated in section 1128A. Thus, HHS proposes to revise Sec.
160.408(a) and (b), as discussed below, to require the Secretary's
consideration of the nature and extent of the violation, as well as the
nature and extent of the harm resulting from the violation, in addition to
those factors referenced by section 1128A. We would exclude, however,
the factor presently identified as Sec. 160.408(c) (the degree of
culpability of covered entity), which originated in section 1128A.
Congress' revision of section 1176(a)(1) of the Social Security Act to
establish increasing tiers of penalty amounts that reflect increasing
degrees of culpability renders consideration of the degree of
culpability as an aggravating or mitigating factor redundant. In
contrast, HHS is not proposing to amend the Secretary's discretion with
respect to the non-exhaustive list of specific circumstances that may
be considered.
In addition, HHS proposes to reorganize the remaining, specific
circumstances under Sec. 160.408(a) and (b) to better reflect the
categories to which they are now attributed, to add another
circumstance for consideration under each, as described below, to
explicitly provide that the Secretary's consideration of all specific
circumstances is optional, and to modify the phrase ``prior
violations'' in subsections (c)(1) and (2) to read ``indications of
noncompliance.''
a. The Nature and Extent of the Violation
HHS proposes to revise subsection (a) to identify ``[t]he nature
and extent of the violation,'' as the first factor the Secretary must
consider in determining a civil money penalty amount. While ``the
nature of the violation'' was previously identified for consideration,
as it is grounded in section 1128A, the current list of factors in
Sec. 160.408 does not specifically reference ``the extent of the
violation,'' which section 1176(a) now requires. We also propose to
transfer ``the time period during which the violation(s) occurred,'' to
this factor and to add, ``the number of individuals affected,'' since
both circumstances might be indicative measures of ``the nature and
extent of the violation.'' Our compliance and enforcement experience to
date further supports the addition of the latter, particularly with
respect to potential violations that negatively affect numerous
individuals (e.g., where disclosure of protected health information in
multiple explanation of benefits statements that were mailed to the
wrong individuals resulted from one inadequate safeguard but affected a
large number of beneficiaries). We recognize these specific
circumstances might also be considered under Sec. 160.406, with
respect to counting violations. In this regard, we direct readers'
attention to 71 FR 8390, 8409 (responding to a comment expressing
concern that the overlap of certain variables proposed in Sec. 160.406
with factors proposed in Sec. 160.408 might result in compound
liability by asserting that since
consideration of such circumstances may be relevant to each separable
element of the penalty calculation, their consideration will be
different in nature).
b. The Nature and Extent of the Harm Resulting From the Violations
HHS proposes to revise subsection (a) to identify ``[t]he nature
and extent of the harm resulting from the violation'' as the second
factor the Secretary must consider. This minor amendment merely
conforms the factor's language to the amended statutory language and
continues to include the optional consideration of several specific
circumstances which might be indicative of harm. In addition to these
specific circumstances, HHS proposes to add reputational harm to make
clear that reputational harm is as cognizable a form of harm as
physical or financial harm.
c. The History of Prior Compliance With the Administrative
Simplification Provisions
HHS proposes to modify the phrase ``prior violations'' in Sec.
160.408(c)(1) and (2) to read ``indications of noncompliance.'' As
defined in Sec. 160.302, ``violation'' or ``violate'' means, ``as the
context may require, failure to comply with an administrative
simplification provision.'' Use of the term is generally reserved,
however, to circumstances in which the Department has made a formal
finding of a violation through a notice of proposed determination. As
explained in 71 FR 8390, 8408, a covered entity's general history of
HIPAA compliance is relevant in determining the amount of a civil money
penalty within the penalty range. When we reviewed this language of
Sec. 160.408(c)(1) and (2) for the purposes of this rulemaking, we
noticed that the regulatory text uses the term ``violation'' which is
generally reserved for use in a notice of proposed determination. We
are proposing to change this terminology to ``indications of
noncompliance'' to make the regulatory language consistent with HHS'
policy of considering a covered entity's general history of HIPAA
compliance.
I. Section 160.410--Affirmative Defenses
Section 160.410 currently implements the limitations placed on the
Secretary's authority to impose a civil money penalty under section
1176(b) of the Act. As amended by the IFR, Sec. 160.410 is organized
to implement section 13410(d) of the HITECH Act in a way that
distinguishes the affirmative defenses available to covered entities
and business associates prior to, on, or after February 18, 2009, the
day after section 13410(d) of the HITECH Act became effective. See 74
FR 56123, Oct. 30, 2009, for a detailed discussion of the IFR's recent
amendments.
Section 13410(a)(1) revises section 1176(b) to replace the phrase,
``if the act constitutes an offense punishable under section 1177''
with ``a penalty has been imposed under section 1177 with respect to
such act.'' This statutory change is effective February 18, 2011.
HHS proposes to amend Sec. 160.410 to implement the revision of
section 1176(b)(1) of the Social Security Act by providing in a new
paragraph (a)(1) that the affirmative defense of criminally
``punishable'' is applicable to penalties imposed prior to February 18,
2011. A new paragraph (a)(2) in that section would make clear that, on
or after February 18, 2011, the Secretary's authority to impose a civil
money penalty will only be barred to the extent a covered entity or
business associate can demonstrate that a penalty has been imposed
under 42 U.S.C. 1320d-6 with respect to such act. As a conforming
change, current paragraphs (a)(2) and (a)(3) are renumbered as
paragraphs (b)(1) and (b)(2), respectively, and current paragraph (b)
is renumbered as paragraph (c).
As an additional conforming change, HHS also proposes to amend
Sec. 160.410(a)(3)(i) (which has been redesignated as Sec.
160.410(b)(2)(i)) to replace the term ``reasonable cause'' with the
unrevised text of its current definition. This will ensure that the
current definition is applied to violations occurring prior to February
18, 2009, thereby avoiding any potential issues regarding a retroactive
application of the revised term.
J. Section 160.412--Waiver
We propose conforming changes to this section, to align the cross-
references to Sec. 160.410 with the proposed revisions to that section
discussed above.
K. Subpart D--Imposition of Civil Money Penalties, Section 160.418--
Penalty Not Exclusive
We propose to revise this section to incorporate a reference to the
provision of the Patient Safety and Quality Improvement Act of 2005 at
42 U.S.C. 299b-22 that provides that penalties are not to be imposed
under both that act and the Privacy Rule for the same violation.
V. Section-by-Section Description of the Proposed Amendments to Subpart
A of Part 164 and the Security Rule in Subpart C of Part 164
The HITECH Act made several amendments that directly impact current
provisions of the HIPAA Security Rule. We discuss the proposed changes
to the Security Rule as a result of the HITECH Act in our section-by-
section description below. We also discuss various technical and
conforming proposed changes to the Security Rule, as well as proposed
changes to provisions in subpart A of part 164, which applies to both
the Security and Privacy Rules.
A. Technical Changes to Subpart A--General Provisions
1. Section 164.102--Statutory Basis
This section sets out the statutory basis of part 164. We propose a
technical change to include a reference to the provisions of sections
13400 through 13424 of the HITECH Act upon which the regulatory changes
proposed below are based.
2. Section 164.104--Applicability
This section sets out to whom part 164 applies. We propose to
replace the existing paragraph (b) with an applicability statement for
business associates, consistent with the provisions of the HITECH Act
that are discussed more fully below. Proposed paragraph (b) would make
clear that, where provided, the standards, requirements, and
implementation specifications of the HIPAA Privacy, Security, and
Breach Notification Rules apply to business associates. We propose to
remove as unnecessary the existing language in Sec. 164.104(b)
regarding the obligation of a health care clearinghouse to comply with
Sec. 164.105 relating to organizational requirements of covered
entities.
3. Section 164.105--Organizational Requirements
a. Section 164.105
Section 164.105 outlines the organizational requirements and
implementation specifications for health care components of covered
entities and for affiliated covered entities. As Sec. 164.105 now also
applies to subpart D of part 164 regarding breach notification for
unsecured protected health information, we propose to remove several
references to subparts C and E throughout this section to make clear
that the provisions of this section also apply to the new subpart D of
this part. In addition, we propose the following modifications to this
section.
b. Section 164.105(a)(2)(ii)(C)-(E)
We propose to modify this section to remove as unnecessary
paragraphs (C) and (D), which pertain to the obligation of a covered
entity to ensure that any component that performs business associate-
like activities and is included in the health care component complies
with the requirements of the Privacy and Security Rules, and to re-
designate paragraph (E) as (C). A covered entity's obligation to ensure
that a health care component complies with the Privacy and Security
Rules is already set out at Sec. 164.105(a)(2)(ii). In addition, in
light of a business associate's new direct liability for compliance
with certain of the Security and Privacy Rule provisions, we request
comment on whether we should require, rather than permit as is
currently the case under Sec. 164.105(a)(2)(iii)(C), a covered entity
that is a hybrid entity to include a component that performs business
associate-like activities within its health care component so that such
components are directly subject to the Rules.
c. Section 164.105(a)(2)(iii)(C)
We propose to modify this section to re-designate Sec.
164.105(a)(2)(iii)(C) as (D), and to include a new paragraph (C), which
makes clear that, with respect to a hybrid entity, the covered entity
itself, and not merely the health care component, remains responsible
for complying with Sec. Sec. 164.314 and 164.504 regarding business
associate arrangements and other organizational requirements. This
proposed modification is intended to recognize that hybrid entities may
need to execute legal contracts and conduct other organizational
matters at the level of the legal entity rather than at the level of
the health care component.
d. Section 164.105(b)(1)
We propose to fix a minor typographical error in this paragraph by
redesignating the second paragraph (1) as paragraph (2).
e. Section 164.105(b)(2)(ii)
We propose to simplify this paragraph by collapsing subparagraphs
(A), (B), and (C) regarding the obligations of an affiliated entity to
comply with the Privacy and Security Rules into one provision, and to
expand the reference to compliance with the ``part'' so that the breach
notification obligations in subpart D are also included.
4. Section 164.106--Relationship to Other Parts
We propose to add a reference to business associates, consistent
with their inclusion elsewhere throughout the other HIPAA Rules.
B. Modifications to the HIPAA Security Rule in Subpart C
1. References to Business Associates
The Security Rule, as it presently stands, does not directly apply
to business associates of covered entities. However, section 13401 of
the HITECH Act, which became effective on February 18, 2010, provides
that the Security Rule's administrative, physical, and technical
safeguards requirements in Sec. Sec. 164.308, 164.310, and 164.312, as
well as its policies and procedures and documentation requirements in
Sec. 164.316, shall apply to business associates in the same manner as
these requirements apply to covered entities, and that business
associates shall be civilly and criminally liable for penalties for
violations of these provisions.
Accordingly, to implement section 13401 of the HITECH Act, we
propose to insert references to ``business associate'' in subpart C, as
appropriate, following references to ``covered entity'' to make clear
that these provisions of the Security Rule also apply to business
associates. In particular, we propose to modify the following sections
by adding references to business associates: Sec. Sec. 164.302
(applicability), 164.304 (definitions of ``administrative safeguard''
and ``physical safeguard''), 164.308, 164.310, 164.312, and 164.316. In
addition, we propose the changes below to the Security Rule.
2. Section 164.306--Security Standards: General Rules
Section 13401 of the HITECH Act pertaining to requirements on
business associates does not specifically make reference to Sec.
164.306 of the Security Rule. However, Sec. 164.306 sets out the
general rules that apply to all of the security standards and
implementation specifications that follow. Thus, for example, Sec.
164.306(b)(2) sets out the particular factors that covered entities
must take into account in deciding which security measures to use, and
Sec. 164.306(d) sets out the general rule that required implementation
specifications must be implemented and the process and basis for
implementing addressable implementation specifications. Accordingly,
Sec. Sec. 164.308, 164.310, and 164.312 provide that the
administrative, physical, and technical safeguards of the Security Rule
must be implemented ``in accordance with Sec. 164.306.'' We do not
believe that Congress intended to apply enumerated Security Rule
sections to business associates in a different manner than to covered
entities, as evidenced by the statutory language that these sections
should be applied to business associates ``in the same manner that such
sections apply to the covered entity.'' For these reasons, we also
propose to revise Sec. 164.306 to insert the word ``business
associate,'' as appropriate, so that the general rules found at Sec.
164.306 apply to business associates in the same manner as covered
entities.
In addition, we propose technical revisions to Sec. 164.306(e) to
more clearly indicate that to maintain security measures that continue
to meet the requirements of Sec. Sec. 164.308, 164.310, and 164.312,
covered entities and business associates must review and modify such
security measures and update documentation accordingly under Sec.
164.316(b)(2)(iii).
3. Section 164.308--Administrative Safeguards
First, as noted above, we propose to modify Sec. 164.308 to
include throughout appropriate references to business associates.
Second, we propose a technical change to Sec. 164.308(a)(3)(ii)(C)
regarding security termination procedures for workforce members, to add
the words ``or other arrangement with'' after ``employment of'' in
recognition of the fact that not all workforce members are employees
(e.g., some may be volunteers) of a covered entity or business
associate. Third, we propose to remove the reference to Sec. 164.306
in paragraph (b)(1) as unnecessary. Fourth, as discussed below, we
propose a number of modifications to the provisions in this section
regarding business associate contracts and other arrangements to
conform to and address modifications proposed in the definition of
``business associate,'' including the proposed inclusion of
subcontractors within the scope of ``business associate.''
Section 164.308(b) provides that a covered entity may permit a
business associate to create, receive, maintain, or transmit electronic
protected health information only if the covered entity has a contract
or other arrangement in place to ensure the business associate will
appropriately safeguard the protected health information. Section
164.308(b)(2) contains several exceptions to this general rule for
certain situations that do not give rise to a business associate
relationship, such as where a covered entity discloses electronic
protected health information to a health care provider concerning the
treatment of an individual. We propose to remove these exceptions from
Sec. 164.308(b)(2), since as discussed
above, we propose to include these as exceptions to the definition of
``business associate.''
In addition, we propose to modify Sec. 164.308(b)(1) and (2) to
clarify the new proposed requirements on business associates with
regard to subcontractors. As described above with respect to the
definition of ``business associate'' in Sec. 160.103, we propose to
include in the definition subcontractors that create, receive,
maintain, or transmit protected health information on behalf of a
business associate. However, we do not intend this proposed
modification to mean that a covered entity is required to have a
contract with the subcontractor. Rather, such obligation is to remain
with the business associate who contracts with the subcontractor.
Accordingly, in Sec. 164.308(b)(1), we propose to clarify that covered
entities are not required to obtain satisfactory assurances in the form
of a contract or other arrangement with a business associate that is a
subcontractor. In Sec. 164.308(b)(2), we then propose to make clear
that it is the business associate that must obtain the required
satisfactory assurances from the subcontractor to protect the security
of electronic protected health information.
We propose to remove the provision at Sec. 164.308(b)(3), which
provides that a covered entity that violates the satisfactory
assurances it provided as a business associate of another covered
entity will be in noncompliance with the Security Rule's business
associate provisions, as a covered entity's actions as a business
associate of another covered entity are now directly regulated by the
Security Rule's provisions that apply to business associates.
Finally, in Sec. 164.308(b)(4) (renumbered as Sec.
164.308(b)(3)), which requires documentation of the required
satisfactory assurances through a written contract or other
arrangement, we propose to add a reference to the new paragraph at
Sec. 164.308(b)(2) regarding business associates and subcontractors.
4. Section 164.314--Organizational Requirements
Section 13401 of the HITECH Act does not include Sec. 164.314
among the provisions for which business associates are directly liable.
However, section 13401 does state that Sec. 164.308 applies to
business associates ``in the same manner'' that the provision applies
to covered entities. Section 164.308(b) requires a covered entity's
business associate agreements to conform to the requirements of Sec.
164.314. Accordingly, in order for Sec. 164.308(b) to apply to
business associates in the same manner as it applies to covered
entities, we have revised Sec. 164.314 to reflect that it is also
applicable to agreements between business associates and subcontractors
that create, receive, maintain, or transmit electronic protected health
information.
We also propose a number of modifications to the business associate
contract requirements in Sec. 164.314 to streamline the provisions.
First, we propose to remove Sec. 164.314(a)(1)(ii) regarding the steps
a covered entity must take if it knows of a material breach or
violation by the business associate of the contract. A parallel
provision exists in the Privacy Rule's business associate contract
provisions at Sec. 164.504 and, since a business associate for
purposes of the Security Rule is also always a business associate for
purposes of the Privacy Rule, the inclusion of a duplicate provision in
the Security Rule is unnecessary. For the same reason, we also propose
to remove the contract provision at Sec. 164.314(a)(2)(i)(D)
authorizing the termination of the contract by the covered entity if it
is determined the business associate has violated a material term of
the contract. A parallel provision exists in the Privacy Rule at Sec.
164.504(e)(2)(iii). Also, because the Privacy Rule has a parallel
provision, we remove the specific requirements under Sec.
164.314(a)(2)(ii) for other arrangements, such as a memorandum of
understanding when both a covered entity and business associate are
governmental entities, and instead simply refer to the requirements of
Sec. 164.504(e)(3).
Second, we propose the following modifications to the remaining
contract provision requirements: (1) In Sec. 164.314(a)(2)(i)(A), we
streamline the provision to simply indicate a business associate's
obligation to comply with the Security Rule; (2) in Sec.
164.314(a)(2)(i)(B), we revise the language with respect to ensuring
subcontractors implement reasonable and appropriate safeguards to refer
to the proposed requirement at Sec. 164.308(b)(4) that would require a
business associate to enter into a contract or other arrangement with a
subcontractor to protect the security of electronic protected health
information; and (3) in Sec. 164.314(a)(2)(i)(C), with respect to the
reporting of security incidents by business associates to covered
entities, we make clear that the business associate contract must
provide that the business associate will report to the covered entity
breaches of unsecured protected health information as required by Sec.
164.410 of the breach notification rules.
Third, we add a provision at Sec. 164.314(a)(2)(iii) that provides
that the requirements of this section for contracts or other
arrangements between a covered entity and business associate would
apply in the same manner to contracts or other arrangements between
business associates and subcontractors required by the proposed
requirements of Sec. 164.308(b)(4). For example, to comply with
proposed Sec. 164.314(a)(2)(i)(C), a business associate contract
between a business associate and a business associate subcontractor
must provide that the subcontractor report any security incident of
which it becomes aware, including breaches of unsecured protected
health information as required by Sec. 164.410, to the business
associate. Thus, if a breach of unsecured protected health information
occurs at or by a subcontractor, the subcontractor must notify the
business associate of the breach, which then must notify the covered
entity of the breach. The covered entity then notifies the affected
individuals, the Secretary, and, if applicable, the media, of the
breach, unless it has delegated such responsibilities to a business
associate.
Finally, we propose to remove the reference to subcontractors in
Sec. 164.314(b)(2)(iii) regarding amendment of group health plan
documents as a condition of disclosure of protected health information
to a plan sponsor, to avoid confusion with the use of the term
subcontractor when referring to subcontractors that are business
associates. This modification does not constitute a substantive change
to Sec. 164.314(b).
VI. Section-by-Section Description of the Proposed Amendments to the
Privacy Rule
The HITECH Act made a number of amendments that affect current
provisions of the Privacy Rule. In the section-by-section description
of the proposed regulatory changes below, we discuss the HITECH Act
requirements and the regulatory provisions affected by them, as well as
certain other substantive proposed changes to the Privacy Rule intended
to improve the workability and effectiveness of the Rule and to conform
the Privacy Rule to PSQIA. At the end of this discussion, we also
briefly list a number of proposed technical corrections and conforming
changes to the Privacy Rule that are not otherwise addressed elsewhere.
A. Section 164.500--Applicability
We propose to revise Sec. 164.500 to include new Sec. 164.500(c)
and to
redesignate the current Sec. 164.500(c) as (d). In accordance with
section 13404 of the HITECH Act, which applies certain of the Privacy
Rule requirements to business associates, as discussed more fully
below, Sec. 164.500(c) would now clarify that, where provided, the
standards, requirements, and implementation specifications of the
Privacy Rule apply to business associates.
B. Section 164.501--Definitions
1. Definition of ``Health Care Operations''
PSQIA, 42 U.S.C. 299b-21 et seq., provides, among other things,
that PSOs are to be treated as business associates of covered health
care providers. Further, PSQIA provides that the patient safety
activities of PSOs in relation to HIPAA covered health care providers
are deemed to be health care operations under the Privacy Rule. See 42
U.S.C. 299b-22(i).
We propose to amend paragraph (1) of the definition of ``health
care operations'' to include a reference to patient safety activities,
as defined in the PSQIA implementing regulation at 42 CFR 3.20. Many
health care providers participating in the voluntary patient safety
program authorized by PSQIA are HIPAA covered entities; PSQIA
acknowledges that such providers must also comply with the Privacy Rule
and deems patient safety activities to be health care operations under
the Privacy Rule. While such activities are already encompassed within
paragraph (1) of the definition, which addresses various quality
activities, we propose to expressly include patient safety activities
within paragraph (1) of the definition of health care operations to
expressly conform the definition to PSQIA and to eliminate the
potential for any confusion. This modification would also address
public comments the Department received during the rulemaking period
for the PSQIA implementing regulations, which urged the Department to
modify the definition of ``health care operations'' in the Privacy Rule
to expressly reference patient safety activities so that the
intersection of the Privacy and PSQIA Rules would be clear. See 73 FR
70732, 70780, November 21, 2008.
2. Definition of ``Marketing''
The Privacy Rule requires covered entities to obtain a valid
authorization from individuals before using or disclosing protected
health information to market a product or service to them. See Sec.
164.508(a)(3). Section 164.501 defines ``marketing'' as making a
communication about a product or service that encourages recipients of
the communication to purchase or use the product or service. Paragraph
(1) of the definition includes a number of exceptions to marketing for
certain health-related communications. In particular, the Privacy Rule
does not consider the following communications to be marketing: (1)
Communications made to describe a health-related product or service (or
payment for such product or service) that is provided by, or included
in a plan of benefits of, the covered entity making the communications,
including communications about: the entities participating in a
healthcare provider network or health plan network; replacement of, or
enhancements to, a health plan; and health-related products or services
available only to a health plan enrollee that add value to, but are not
part of, a plan of benefits; (2) communications made for the treatment
of the individual; and (3) communications for case management or care
coordination for the individual, or to direct or recommend alternative
treatments, therapies, health care providers, or settings of care to
the individual. Thus, a covered entity is permitted to make these
excepted communications without an individual's authorization as either
treatment or health care operations communications, as appropriate,
under the Privacy Rule. In addition, the Privacy Rule does not require
a covered entity to obtain individual authorization to communicate
face-to-face or to provide only promotional gifts of nominal value to
the individual. See Sec. 164.508(a)(3)(i). However, a covered entity
must obtain prior written authorization from an individual to send
communications to the individual about non-health related products or
services or to give or sell the individual's protected health
information to a third party for marketing. See the current paragraph
(2) of the definition of ``marketing'' in the Privacy Rule. Still,
concerns have remained about the ability under these provisions for a
third party to pay a covered entity in exchange for the covered entity
to send health-related communications to an individual about the third
party's products or services.
Section 13406(a) of the HITECH Act, which became effective on
February 18, 2010, addresses these marketing provisions. In particular,
section 13406(a) of the HITECH Act limits the health-related
communications that may be considered health care operations and thus,
that are excepted from the definition of ``marketing'' under the
Privacy Rule to the extent a covered entity receives or has received
direct or indirect payment in exchange for making the communication. In
cases where the covered entity would receive such payment, the HITECH
Act at section 13406(a)(2)(B) requires that the covered entity obtain
the individual's valid authorization prior to making the communication,
or, if applicable, prior to its business associate making the
communication on its behalf in accordance with its written contract.
Section 13406(a)(2)(A) of the HITECH Act includes an exception to the
payment limitation for communications that describe only a drug or
biologic that is currently being prescribed to the individual as long
as any payment received by the covered entity in exchange for making
the communication is reasonable in amount. Section 13406(a)(3) of the
Act provides that the term ``reasonable in amount'' shall have the
meaning given such term by the Secretary in regulation. Finally,
section 13406(a)(4) of the Act clarifies that ``direct or indirect
payment'' does not include any payment for treatment of the individual.
We believe Congress intended with these provisions to curtail a covered
entity's ability to use the exceptions to the definition of
``marketing'' in the Privacy Rule to send communications to the
individual that were motivated more by commercial gain or other
commercial purpose rather than for the purpose of the individual's
health care, despite the communication's being about a health-related
product or service.
To implement the marketing limitations of the HITECH Act, we
propose a number of modifications to the definition of ``marketing'' in
the Privacy Rule at Sec. 164.501. In particular, we propose to: (1)
Revise the exceptions to marketing to better distinguish the exceptions
for treatment communications from those communications made for health
care operations; (2) add a definition of ``financial remuneration;''
(3) provide that health care operations communications for which
financial remuneration is received are marketing and require individual
authorization; (4) provide that written treatment communications for
which financial remuneration is received are subject to certain notice
and opt out conditions set out at Sec. 164.514(f)(2); (5) provide a
limited exception from the remuneration prohibition for refill
reminders; and (6) remove the paragraph regarding an arrangement
between a covered entity and another
entity in which the covered entity receives remuneration in exchange
for protected health information. We propose to revise Sec. Sec.
164.514(f)(2) and 164.520(b)(1)(iii)(A) to include the notice and opt
out conditions that would attach to written treatment communications
about products or services sent by a health care provider to an
individual in exchange for financial remuneration by the third party
whose product or service is being described. We also propose to make a
conforming change to the authorization requirements for marketing at
Sec. 164.508(a)(3)(ii). We describe these proposed modifications in
more detail below.
In paragraph (1) of the definition of ``marketing,'' we propose to
maintain the general concept that ``marketing'' means ``to make a
communication about a product or service that encourages recipients of
the communication to purchase or use the product or service.'' In
paragraph (2) of the definition, we propose to include three exceptions
to this definition to encompass certain treatment and health care
operations communications about health-related products or services.
First, at proposed paragraph (2)(iii), we would exclude from the
definition of ``marketing'' certain health care operations
communications, except where, as provided by section 13406(a)(2) of the
HITECH Act, the covered entity receives financial remuneration in
exchange for making the communication. This provision would encompass
the health care operations activities currently described in paragraph
(1)(i) of the definition of ``marketing,'' which include communications
to describe a health-related product or service (or payment for such
product or service) that is provided by, or included in a plan of
benefits of, the covered entity making the communication. In addition,
the provision would encompass health care operations communications for
case management or care coordination, contacting of individuals with
information about treatment alternatives, and related functions, to the
extent these activities do not fall within the definition of treatment.
These are activities that currently fall within paragraph (1)(iii) of
the definition of ``marketing.''
Although the HITECH Act uses the term ``direct or indirect
payment'' to describe the limitation on permissible health care
operations disclosures, we have substituted the term ``financial
remuneration'' to avoid confusion since the Privacy Rule defines and
uses the term ``payment'' to mean payment for health care and since the
Privacy Rule's authorization requirements for marketing at Sec.
164.508(a)(3) use the term ``remuneration.'' We propose to define
``financial remuneration'' in paragraph (3) of the definition of
``marketing'' to mean direct or indirect payment from or on behalf of a
third party whose product or service is being described. We also
propose to make clear, in accordance with section 13406(a)(4) of the
HITECH Act, that financial remuneration does not include any direct or
indirect payment for the treatment of an individual. Additionally,
because the HITECH Act refers expressly to ``payment,'' rather than
remuneration more generally, we have specified that only the receipt of
financial remuneration in exchange for making a communication, as
opposed to any other type of remuneration, is relevant for purposes of
the definition of marketing. We propose a small conforming change to
Sec. 164.508(a)(3) to add the term ``financial'' before
``remuneration'' and to refer to the definition of ``financial
remuneration'' for consistency with the HITECH Act and the proposed
changes to the definition of ``marketing.''
We also emphasize that financial remuneration for purposes of the
definition of ``marketing'' must be in exchange for making the
communication itself and be from or on behalf of the entity whose
product or service is being described. For example, authorization would
be required prior to a covered entity making a communication to its
patients regarding the acquisition of new state-of-the-art medical
equipment if the equipment manufacturer paid the covered entity to send
the communication to its patients. In contrast, an authorization would
not be required if a local charitable organization, such as a breast
cancer foundation, funded the covered entity's mailing to patients
about the availability of new state-of-the-art medical equipment, such
as mammography screening equipment, since the covered entity would not
be receiving remuneration by or on behalf of the entity whose product
or service was being described. Furthermore, it would not constitute
marketing and no authorization would be required if a hospital sent
flyers to its patients announcing the opening of a new wing where the
funds for the new wing were donated by a third party, since the
financial remuneration to the hospital from the third party was not in
exchange for the mailing of the flyers.
Second, in paragraph (2)(ii) of the definition, we propose to
include the statutory exception to marketing at section 13406(a)(2)(A)
for communications regarding refill reminders or otherwise about a drug
or biologic that is currently being prescribed for the individual,
provided any financial remuneration received by the covered entity for
making the communication is reasonably related to the covered entity's
cost of making the communication. Congress expressly identified these
types of communications as being exempt from the remuneration
limitation only to the extent that any payment received for making the
communication is reasonable in amount. We request comment on the scope
of this exception, that is, whether communications about drugs that are
related to the drug currently being prescribed, such as communications
regarding generic alternatives or new formulations of the drug, should
fall within the exception. In addition, we considered proposing a
requirement that a covered entity could only receive financial
remuneration for making such a communication to the extent it did not
exceed the actual cost to make the communication. However, we were
concerned that such a requirement would impose the additional burden of
calculating the costs of making each communication. Instead, we propose
to allow costs that are reasonably related to the covered entity's cost
of making the communication. We request comment on the types and amount
of costs that should be allowed under this provision.
Third, proposed paragraph (2)(i) would exclude from marketing
treatment communications about health-related products or services by a
health care provider to an individual, including communications for
case management or care coordination for the individual, or to direct
or recommend alternative treatments, therapies, health care providers,
or settings of care to the individual, provided, however, that if the
communications are in writing and financial remuneration is received in
exchange for making the communications, certain notice and opt out
conditions are met. We note that while section 13406(a) of the HITECH
Act expressly provides that a communication to an individual about a
health-related product or service where the covered entity receives
payment from a third party in exchange for making the communication
shall not be considered a health care operation (emphasis added) under
the Privacy Rule, and thus is marketing, it is unclear how Congress
intended these provisions to apply to treatment communications between
a health care provider and a patient. Specifically, it is unclear
whether Congress intended to restrict
[[Page 40886]]
only those subsidized communications about products and services that
are less essential to an individual's health care (i.e., those
classified as health care operations communications) or all subsidized
communications about products and services, including treatment
communications. Given this ambiguity and to avoid preventing
communications to the individual by a health care provider about health
related products or services that are necessary for the treatment of
the individual, we do not propose to require individual authorization
where financial remuneration is received by the provider from a third
party in exchange for sending the individual treatment communications
about health-related products or services. However, to ensure the
individual is aware that he or she may receive subsidized treatment
communications from his or her provider and has the opportunity to
elect not to receive them, we propose to require a statement in the
notice of privacy practices when a provider intends to send such
subsidized treatment communications to an individual, as well as the
opportunity for the individual to opt out of receiving such
communications. In particular, the proposed rule would exclude from
marketing and the authorization requirements written subsidized
treatment communications only to the extent that the following
requirements proposed at Sec. 164.514(f)(2) are met: (1) The covered
health care provider's notice of privacy practices includes a statement
informing individuals that the provider may send treatment
communications to the individual concerning treatment alternatives or
other health-related products or services where the provider receives
financial remuneration from a third party in exchange for making the
communication, and the individual has a right to opt out of receiving
such communications; and (2) the treatment communication itself
discloses the fact of remuneration and provides the individual with a
clear and conspicuous opportunity to elect not to receive any further
such communications. Similar to the modifications discussed below
regarding fundraising communications, the opt out method provided to an
individual for subsidized treatment communications may not cause the
individual to incur an undue burden or more than a nominal cost. We
encourage covered entities to consider the use of a toll-free phone
number, an e-mail address, or similar opt out mechanism that would
provide individuals with a simple, quick, and inexpensive way to opt
out of receiving future communications. We note that we would consider
requiring individuals to write and send a letter to the covered entity
asking not to receive future communications to constitute an undue
burden on the individual for purposes of this proposed requirement. We
request comment on how the opt out should apply to future subsidized
treatment communications. For example, we request comment on whether
the opt out should prevent all future subsidized treatment
communications by the provider or just those dealing with the
particular product or service described in the current communication.
We also request comment on the workability of requiring health care
providers that intend to send subsidized treatment communications to
individuals to provide an individual with the opportunity to opt out of
receiving such communications prior to the individual receiving the
first communication and what mechanisms could be put into place to
implement the requirement.
Given that the new marketing limitations on the receipt of
remuneration by a covered entity would apply differently depending on
whether a communication is for treatment or health care operations
purposes, it is important to emphasize the difference between the two
types of communications. We note first that communications by health
plans concerning health-related products or services included in a plan
of benefits or for case management or care coordination are never
considered treatment for purposes of the Privacy Rule but rather would
always be health care operations and require individual authorization
under the proposed rule if financial remuneration is involved. With
respect to subsidized communications by a health care provider about
health-related products or services for case management or care
coordination or to recommend alternative treatments or settings of
care, whether the communication would require individual authorization,
or a statement in the notice and an opportunity to opt out, would
depend on to what extent the provider is making the communication in a
population-based fashion (health care operations) or to further the
treatment of a particular individual based on that individual's health
care status or condition (treatment). For example, a covered health
care provider who sends a pregnant patient a brochure recommending a
specific birthing center suited to the patient's particular needs is
recommending a setting of care specific to the individual's condition,
which constitutes treatment of the individual. If the health care
provider receives financial remuneration in exchange for making the
communication, the provider would be required to have included a
statement in its notice of privacy practices informing individuals that
it may send subsidized treatment communications to the individual and
that the individual has a right to opt out of such communications, and
to disclose the fact of remuneration with the communication and provide
the individual with information on how to opt out of receiving future
such communications. In contrast, a health care provider who sends a
blanket mailing to all patients with information about a new affiliated
physical therapy practice would not be making a treatment
communication. Rather, the provider would be making a communication for
health care operations if it does not receive any financial
remuneration for the communication, but would be making a communication
for marketing if it does receive financial remuneration.
We are aware of the difficulty in making what may be in some cases
close judgments as to which communications are for treatment purposes
and which are for health care operations purposes. We also are aware of
the need to avoid unintended adverse consequences to a covered health
care provider's ability to provide treatment to an individual.
Therefore, we request comment on the above proposal with regard to
these issues, as well as the alternatives of excluding treatment
communications altogether even if they involve financial remuneration
from a third party or requiring individual authorization for both
treatment and health care operations communications made in exchange
for financial remuneration.
We note that face-to-face communications about products or services
between a covered entity and an individual and promotional gifts of
nominal value provided by a covered entity are not impacted by these
proposed changes to the definition of ``marketing.'' These
communications may continue to be made without obtaining an
authorization under Sec. 164.508 or meeting the notice and opt out
requirements of Sec. 164.514(f)(2). We also clarify that
communications made by covered entities to individuals promoting health
in general, such as communications about the importance of maintaining
a healthy diet or getting an annual physical, are still not considered
to be marketing. These types
[[Page 40887]]
of communications do not constitute marketing because they are not
promoting a specific product or service, and thus do not meet the
definition of ``marketing.'' Similarly, communications about government
and government-sponsored programs do not fall within the definition of
``marketing'' as there is no commercial component to communications
about benefits available through public programs.
Finally, we have proposed to remove the language at paragraph (2)
from the definition of ``marketing'' at Sec. 164.501. The current
language defines as marketing an arrangement between a covered entity
and any other entity in which the covered entity discloses protected
health information to the other entity, in exchange for remuneration,
for the other entity or its affiliate to make a communication about its
own product or service that encourages recipients of the communication
to purchase or use that product or service. This language describes a
situation which, as explained more fully below, would now constitute a
``sale'' of protected health information under section 13405(d) of the
HITECH Act and Sec. 164.508(a)(4) of this proposed rule. Because we
propose to modify Sec. 164.508 to implement section 13405(d) of the
HITECH Act by prohibiting the sale of protected health information
without an authorization, we propose to remove this paragraph from the
definition of ``marketing'' as unnecessary and to avoid confusion.
C. Business Associates
1. Section 164.502--Uses and Disclosures
The Privacy Rule currently does not directly govern business
associates. However, the provisions of the HITECH Act make specific
requirements of the Privacy Rule applicable to business associates, and
create direct liability for noncompliance by business associates with
regard to those Privacy Rule requirements. In particular, section 13404
of the HITECH Act, which became effective February 18, 2010, addresses
the application of the provisions of the HIPAA Privacy Rule to business
associates of covered entities. Section 13404(a) discusses the
application of contract requirements to business associates, paragraph
(b) applies the provision of Sec. 164.504(e)(1)(ii) regarding
knowledge of a pattern of activity or practice that constitutes a
material breach or violation of a contract to business associates, and
paragraph (c) applies the HIPAA civil and criminal penalties to
business associates. We discuss paragraphs (a) and (b) of section 13404
of the HITECH Act below. We address section 13404(c) regarding the
application of penalties to violations by business associates above in
the discussion of the proposed changes to the Enforcement Rule.
Section 13404(a) of the HITECH Act creates direct liability for
business associates by providing that in the case of a business
associate of a covered entity that obtains or creates protected health
information pursuant to a written contract or other arrangement as
described in Sec. 164.502(e)(2) of the Privacy Rule, the business
associate may use and disclose such protected health information only
if such use or disclosure is in compliance with the applicable business
associate contract requirements of Sec. 164.504(e) of the Rule.
Additionally, section 13404(a) applies the other privacy requirements
of the HITECH Act to business associates just as they apply to covered
entities.
Accordingly, we propose to modify Sec. 164.502(a) of the Privacy
Rule containing the general rules for uses and disclosures of protected
health information to address the permitted and required uses and
disclosures of protected health information by business associates.
First, we propose to revise Sec. 164.502(a) to provide that a business
associate, like a covered entity, may not use or disclose protected
health information except as permitted or required by the Privacy Rule
or the Enforcement Rule. Second, we propose to revise the titles of
Sec. 164.502(a)(1) and (2) regarding permitted and required uses and
disclosures to make clear that these paragraphs apply only to covered
entities. Note that in Sec. 164.502(a)(2)(ii), we also propose a
technical change to replace the term ``subpart'' with ``subchapter'' to
make clear that a covered entity is required to disclose protected
health information to the Secretary as needed to determine compliance
with any of the HIPAA Rules and not just the Privacy Rule.
Third, we propose to add new provisions at Sec. 164.502(a)(4) and
(5) to address the permitted and required uses and disclosures of
protected health information by business associates.\4\ In accordance
with section 13404(a) of the HITECH Act, proposed Sec. 164.502(a)(4)
would allow business associates to use or disclose protected health
information only as permitted or required by their business associate
contracts or other arrangements pursuant to Sec. 164.504(e), or as
required by law. If a covered entity and business associate have failed
to enter into a business associate contract or other arrangement, then
the business associate may use or disclose protected health information
only as necessary to perform its obligations for the covered entity
(pursuant to whatever agreement sets the general terms for the
relationship between the covered entity and business associate) or as
required by law; any other use or disclosure would violate the Privacy
Rule. In addition, proposed Sec. 164.502(a)(4) makes clear that a
business associate would not be permitted to use or disclose protected
health information in a manner that would violate the requirements of
the Privacy Rule, if done by the covered entity, except that the
business associate would be permitted to use or disclose protected
health information for the purposes specified under Sec.
164.504(e)(2)(i)(A) or (B), pertaining to uses and disclosures for the
proper management and administration of the business associate and the
provision of data aggregation services for the covered entity, if such
uses and disclosures are permitted by its business associate contract
or other arrangement.
---------------------------------------------------------------------------
\4\ We propose to reserve Sec. 164.502(a)(3) for provisions
implementing modifications to the Privacy Rule required by the
Genetic Information Nondiscrimination Act of 2008 (GINA), which were
proposed on October 7, 2009. See 74 FR 51698.
---------------------------------------------------------------------------
Section 164.502(a)(5) would require business associates to disclose
protected health information either when required by the Secretary
under subpart C of part 160 of this subchapter to investigate or
determine the business associate's compliance with this subchapter, or
to the covered entity, individual, or individual's designee, as
necessary to satisfy a covered entity's obligations under Sec.
164.524(c)(2)(ii) and (3)(ii), as modified, with respect to an
individual's request for an electronic copy of protected health
information. As section 13405(e) requires covered entities that
maintain protected health information in an electronic health record to
provide an individual, or the individual's designee, with a copy of
such information in an electronic format, if the individual so chooses,
and as section 13404(a) applies section 13405(e) to business associates
as well, we propose to include such language in Sec. 164.502(a)(5).
We propose to modify the minimum necessary standard at Sec.
164.502(b) to require that when business associates use, disclose, or
request protected health information, they limit protected health
information to the minimum necessary to accomplish the intended purpose
of the use, disclosure, or request. Applying the minimum necessary
standard is a condition of the permissibility of many uses and
disclosures of protected health information. Thus, a business associate
[[Page 40888]]
is not making a permitted use or disclosure under the Privacy Rule if
it does not apply the minimum necessary standard, where appropriate.
Additionally, the HITECH Act at section 13405(b) addresses the
application of minimum necessary and, in accordance with section
13404(a), also applies such requirements to business associates. We
note that we have not added references to ``business associate'' to
other provisions of the Privacy Rule that address uses and disclosures
by covered entities. This is because we found such changes to be
unnecessary, since a business associate generally may only use or
disclose protected health information in the same manner as a covered
entity (therefore any Privacy Rule limitation on how a covered entity
may use or disclose protected health information automatically extends
to business associates).
Section 164.502(e) sets out the requirements for disclosures to
business associates. We propose in Sec. 164.502(e)(1)(i) to provide
that covered entities are not required to obtain satisfactory
assurances from business associates that are subcontractors. Rather, as
we previously discussed with regard to proposed modifications to the
Security Rule pertaining to business associates, and as we discuss
further below, we propose in the Privacy and Security Rules to require
that business associates obtain satisfactory assurances, through a
written contract or other arrangement, from subcontractors that provide
that the subcontractor will comply with the applicable requirements of
the Rules. Accordingly, each business associate subcontractor would be
subject to the terms and conditions of a business associate agreement
with a business associate, eliminating the need for a similar agreement
with the covered entity itself.
We also propose to move the current exceptions to business
associates at Sec. 164.502(e)(1)(ii) to the revised definition of
business associates found in Sec. 160.103 for the reasons discussed in
that section.
We propose a new Sec. 164.502(e)(1)(ii) that provides that a
business associate may disclose protected health information to a
business associate that is a subcontractor, and to allow the
subcontractor to create or receive protected health information on
behalf of the business associate, if the business associate obtains
satisfactory assurances, in accordance with Sec. 164.504(e)(1)(i),
that the subcontractor will appropriately safeguard the information. As
such, the business associate must enter into a contract or other
arrangement that complies with Sec. 164.504(e)(1)(i) with business
associate subcontractors, in the same manner that covered entities are
required to enter into contracts or other arrangements with their
business associates. As we discussed with regard to the requirements of
the Security Rule regarding business associates, we believe that
business associates are in the best position to ensure that
subcontractors comply with the requirements of the Privacy Rule. For
example, a covered entity may choose to contract with a business
associate (contractor) to use or disclose protected health information
on its behalf, the business associate may choose to obtain the services
of (and exchange protected health information with) a subcontractor
(subcontractor 1), and that subcontractor may, in turn, contract with
another subcontractor (subcontractor 2) for services involving
protected health information. Under the current rules, the covered
entity would be required to obtain a business associate agreement with
the contractor, the contractor would have a contractual requirement to
obtain the same satisfactory assurances from subcontractor 1, and
subcontractor 1 would in turn have a contractual requirement to obtain
the same satisfactory assurances from subcontractor 2. The proposed
revisions to the Privacy and Security Rules would not change the
parties to the contracts. However, the contractor and subcontractors 1
and 2 all would now be business associates with direct liability under
the HIPAA Rules, and would be required to obtain business associate
agreements with the parties with whom they contract for services that
involve access to protected health information. (Note, however, as
discussed above with respect to the definition of ``business
associate,'' direct liability under the HIPAA Rules attaches regardless
of whether the contractor and subcontractors have entered into business
associate agreements.) The proposed revisions ensure that the covered
entity does not have a new obligation to enter into separate contracts
with the business associate subcontractors.
We propose to remove Sec. 164.502(e)(1)(iii), which provides that
a covered entity that violates the satisfactory assurances it provided
as a business associate of another covered entity will be in
noncompliance with the Privacy Rule's business associate provisions,
given that new proposed Sec. 164.502(a)(4) would restrict directly the
uses and disclosures of protected health information by a business
associate, including a covered entity acting as a business associate,
to those uses and disclosures permitted by its business associate
agreement.
2. Section 164.504(e)--Business Associate Agreements
Section 164.504, among other provisions, contains the specific
requirements for business associate contracts and other arrangements.
As discussed previously, section 13404 of the HITECH Act provides that
a business associate may use and disclose protected health information
only if such use or disclosure is in compliance with each applicable
requirement of Sec. 164.504(e), and also applies the provisions of
Sec. 164.504(e)(1)(ii), which outline the actions that must be taken
if the business associate has knowledge of a breach of the contract, to
business associates. We propose a number of modifications to this
section to implement these provisions and to reflect the Department's
new regulatory authority with respect to business associates, as well
as to reflect a covered entity's and business associate's new
obligations under subpart D to provide for notification in the case of
breaches of unsecured protected health information.
Section 164.504(e)(1)(ii) provides that a covered entity is not in
compliance with the business associate requirements if the covered
entity knew of a pattern of activity or practice of the business
associate that constituted a material breach or violation of the
business associate's obligation under the contract or other
arrangement, unless the covered entity took reasonable steps to cure
the breach or end the violation, as applicable, and if such steps were
unsuccessful, terminated the contract or arrangement or, if termination
is not feasible, reported the problem to the Secretary. We propose to
revise Sec. 164.504(e)(1)(ii) to remove the requirement that covered
entities report to the Secretary when termination of a business
associate contract is not feasible. In light of a business associate's
direct liability for civil money penalties for violations of the HIPAA
Rules and both a covered entity's and business associate's obligations
under subpart D to report breaches of unsecured protected health
information to the Secretary, we have other mechanisms through which we
expect to learn of such breaches and misuses of protected health
information by a business associate. We also propose to add a new
provision at Sec. 164.504(e)(1)(iii) applicable to business associates
with respect to subcontractors to mirror the requirements on covered
entities in
[[Page 40889]]
Sec. 164.504(e)(1)(ii) (minus the requirement to report to the
Secretary if termination of a contract is not feasible). Thus, proposed
Sec. 164.504(e)(1)(iii) would require a business associate, if it knew
of a pattern of activity or practice of its business associate
subcontractor that constituted a material breach or violation of the
subcontractor's contract or other arrangement, to take reasonable steps
to cure the breach of the subcontractor or to terminate the contract,
if feasible. We believe this proposed provision would implement the
intent of section 13404(b) of the HITECH Act, and aligns the
requirements for business associates with regard to business associate
subcontractors with the requirements for covered entities with regard
to their business associates. In other words, a business associate that
is aware of noncompliance by its business associate subcontractor must
respond to the situation in the same manner as a covered entity that is
aware of noncompliance by its business associate.
While business associates are now directly liable for civil money
penalties under the HIPAA Rules for impermissible uses and disclosures
as described above, business associates are still contractually liable
to covered entities pursuant to their business associate contracts, as
provided for and required by Sec. 164.504(e). We propose certain
modifications to these contract requirements. First, we propose to
revise Sec. 164.504(e)(2)(ii)(B) through (D) to require the following:
in (B), that business associates comply, where applicable, with the
Security Rule with regard to electronic protected health information;
in (C), that business associates report breaches of unsecured protected
health information to covered entities, as required by Sec. 164.410;
and in (D), that, in accordance with Sec. 164.502(e)(1)(ii), business
associates ensure that any subcontractors that create or receive
protected health information on behalf of the business associate agree
to the same restrictions and conditions that apply to the business
associate with respect to such information. These proposed revisions
align the requirements for the business associate contract with the
requirements in the HITECH Act and elsewhere within the HIPAA Rules.
Additionally, with regard to business associate contract
requirements, we propose to insert a new provision at Sec.
164.504(e)(2)(ii)(H) and to renumber the current paragraphs (H) and (I)
accordingly. Section 164.504(e)(2)(ii)(H), as proposed, would require
that, to the extent the business associate is to carry out a covered
entity's obligation under this subpart, the business associate must
comply with the requirements of the Privacy Rule that apply to the
covered entity in the performance of such obligation. The HITECH Act
places direct liability for uses and disclosures and for the other
HITECH Act requirements on business associates. Beyond such direct
liability, this provision clarifies that a business associate is
contractually liable not only for uses and disclosures of protected
health information, but also for all other requirements of the Privacy
Rule, as they pertain to the performance of the business associate's
contract. For example, if a third party administrator, as a business
associate of a group health plan, fails to distribute the plan's notice
of privacy practices to participants on a timely basis, the third party
administrator would not be directly liable under the HIPAA Rules, but
would be contractually liable, for the failure. However, we emphasize
that in this example, even though the business associate is not
directly liable under the HIPAA Rules for failure to provide the
notice, the covered entity remains directly liable for failure to
provide the individuals with its notice of privacy practices because it
is the covered entity's ultimate responsibility to do so, despite its
having hired a business associate to perform the function.
We also propose to revise Sec. 164.504(e)(3) regarding other
arrangements for governmental entities to include references to the
Security Rule requirements for business associates to streamline the
two rules and, as discussed above, to avoid having to repeat such
provisions in the Security Rule.
To implement the requirements of section 13404(a) of the HITECH
Act, we propose to include a new Sec. 164.504(e)(5) that applies the
requirements of Sec. 164.504(e)(2) through (e)(4) to the contract or
other arrangement between a business associate and its business
associate subcontractor as required by Sec. 164.502(e)(1)(ii) in the
same manner as such requirements apply to contracts or other
arrangements between a covered entity and its business associate. As
such, the business associate is required by Sec. 164.502(e)(1)(ii) and
by this section to enter into business associate contracts, or other
arrangements that comply with the Privacy and Security Rules, with
its business associate subcontractors in the same manner that covered
entities are required to enter into contracts or other arrangements
with their business associates.
Finally, we propose to remove the reference to subcontractors in
Sec. 164.504(f)(2)(ii)(B), and for the same reason in Sec.
164.514(e)(4)(ii)(C)(4), to avoid confusion with the use of the term
subcontractor when referring to subcontractors as business associates.
We do not intend these proposed modifications to constitute substantive
changes.
3. Section 164.532--Transition Provisions
We understand that covered entities and business associates are
concerned with the anticipated administrative burden and cost to
implement the revised business associate contract provisions of the
Privacy and Security Rules. Covered entities may have existing
contracts that are not set to terminate or expire until after the
compliance date of the modifications to the Rules, and we understand
that a six-month compliance period may not provide enough time to
reopen and renegotiate all contracts. In response to these concerns, we
propose to relieve some of the burden on covered entities and business
associates in complying with the revised business associate provisions
by adding a transition provision to grandfather certain existing
contracts for a specified period of time. The Department's authority to
add the transition provision is set forth in Sec. 160.104(c), which
allows the Secretary to establish the compliance date for any modified
standard or implementation specification, taking into account the
extent of the modification and the time needed to comply with the
modification. We also note that the Final Privacy Rule, 65 FR 82462
(Dec. 28, 2000), and the Modifications to the HIPAA Privacy Rule, 67 FR
53182 (Aug. 14, 2002), both included transition provisions to ensure
that important functions of the health care system were not impeded
(e.g., to prevent disruption of ongoing research). Similarly, the
proposed transition period would prevent hasty changes to thousands of
existing business associate agreements. The following discussion
addresses the business associate transition provisions.
We propose new transition provisions at Sec. 164.532(d) and (e) to
allow covered entities and business associates (and business associates
and business associate subcontractors) to continue to operate under
certain existing contracts for up to one year beyond the
[[Page 40890]]
compliance date of the revisions to the Rules. The additional
transition period would be available to a covered entity or business
associate if, prior to the publication date of the modified Rules, the
covered entity or business associate had an existing contract or other
written arrangement with a business associate or subcontractor,
respectively, that complied with the prior provisions of the HIPAA
Rules and such contract or arrangement was not renewed or modified
between the effective date and the compliance date of the modifications
to the Rules. The proposed provisions are intended to allow those
covered entities and business associates with contracts with business
associates and subcontractors, respectively, that qualify as described
above to continue to disclose protected health information to the
business associate or subcontractor, or to allow the business associate
or subcontractor to create or receive protected health information on
behalf of the covered entity or business associate, for up to one year
beyond the compliance date of the modifications, regardless of whether
the contract meets the applicable contract requirements in the
modifications to the Rules. With respect to business associates and
subcontractors, this proposal would grandfather existing written
agreements between business associates and subcontractors entered into
pursuant to 45 CFR 164.504(e)(2)(ii)(D), which requires the business
associate to ensure that its agents with access to protected health
information agree to the same restrictions and conditions that apply to
the business associate. The Department proposes to deem such contracts
to be compliant with the modifications to the Rules until either the
covered entity or business associate has renewed or modified the
contract following the compliance date of the modifications, or until
the date that is one year after the compliance date, whichever is
sooner.
In cases where a contract renews automatically without any change
in terms or other action by the parties (also known as ``evergreen
contracts''), the Department intends that such evergreen contracts will
be eligible for the extension and that deemed compliance would not
terminate when these contracts automatically roll over. These
transition provisions apply to covered entities and business associates
only with respect to written contracts or other written arrangements as
specified above, and not to oral contracts or other arrangements.
These transition provisions only apply to the requirement to amend
contracts; they do not affect any other compliance obligations under
the HIPAA Rules. For example, beginning on the compliance date of this
rule, a business associate may not use or disclose protected health
information in a manner that is contrary to the Privacy Rule, even if
the business associate's contract with the covered entity has not yet
been amended.
D. Section 164.508--Uses and Disclosures for Which an Authorization is
Required
Section 164.508 of the Privacy Rule permits a covered entity to use
and disclose protected health information only if it has obtained a
valid authorization (i.e., one that meets the requirements of the
section), unless such use or disclosure is otherwise permitted or
required by the Privacy Rule. Section 164.508 also lists two specific
circumstances in which an authorization must be obtained: (1) Most uses
and disclosures of psychotherapy notes; and (2) uses and disclosures
for marketing.
1. Sale of Protected Health Information
Section 13405(d) of the HITECH Act adds a third circumstance that
requires authorization, specifically the sale of protected health
information. Section 13405(d)(1) prohibits a covered entity or business
associate from receiving direct or indirect remuneration in exchange
for the disclosure of protected health information unless the covered
entity has obtained a valid authorization from the individual pursuant
to Sec. 164.508 that states whether the protected health information
can be further exchanged for remuneration by the entity receiving the
information. Section 13405(d)(2) sets forth several exceptions to the
authorization requirement. These exceptions are where the purpose of
the exchange of information for remuneration is for: (1) Public health
activities, as described in Sec. 164.512(b); (2) research purposes as
described in Sec. Sec. 164.501 and 164.512(i), if the price charged
for the information reflects the costs of preparation and transmittal
of the data; (3) treatment of the individual; (4) the sale, transfer,
merger, or consolidation of all or part of a covered entity and for
related due diligence; (5) services rendered by a business associate
pursuant to a business associate agreement and at the specific request
of the covered entity; (6) providing an individual with access to his
or her protected health information pursuant to Sec. 164.524; and (7)
such other purposes as the Secretary determines to be necessary and
appropriate by regulation. Section 13405(d)(4) of the Act provides that
the prohibition on sale of protected health information shall apply to
disclosures occurring 6 months after the date of the promulgation of
final regulations implementing this section.
To implement section 13405(d) of the HITECH Act, we propose to add
new provisions at Sec. 164.508(a)(4) regarding the sale of protected
health information. In proposed Sec. 164.508(a)(4)(i), we propose to
require a covered entity to obtain an authorization for any disclosure
of protected health information in exchange for direct or indirect
remuneration. This authorization must state that the disclosure will
result in remuneration to the covered entity. In proposed Sec.
164.508(a)(4)(ii), we propose to except several disclosures of
protected health information, made in exchange for remuneration, from
this authorization requirement. These exceptions, as discussed more
fully below, generally follow the statutory exceptions described in the
above paragraph.
The proposed language in Sec. 164.508(a)(4)(i) generally follows
the statutory language of section 13405(d)(1) in prohibiting the
disclosure of protected health information without an authorization if
the covered entity receives direct or indirect remuneration from or on
behalf of the recipient of the protected health information. As
required by the Act, this proposed provision would apply to business
associates as well as to covered entities.
We do not include language in proposed Sec. 164.508(a)(4) to
require that the authorization under Sec. 164.508 specify whether the
protected health information disclosed by the covered entity for
remuneration can be further exchanged for remuneration by the entity
receiving the information. We believe the intent of this statutory
language was to ensure that, as currently required by Sec. 164.508 for
marketing, the authorization include a statement as to whether
remuneration will be received by the covered entity with respect to the
disclosures subject to the authorization. Otherwise, the individual
would not be put on notice that the disclosure involves remuneration
and thus, would not be making an informed decision as to whether to
sign the authorization. Accordingly, we propose to require that the
Sec. 164.508(a)(4)(i) authorization include a statement that the
covered entity is receiving direct or indirect remuneration in exchange
for the protected health information. This requirement would ensure
that individuals can make informed decisions regarding whether to
authorize disclosure of their protected health information when the
disclosure
[[Page 40891]]
will result in remuneration to the covered entity. We also note, with
respect to the recipient of the information, if protected health
information is disclosed for remuneration by a covered entity or
business associate to another covered entity or business associate in
compliance with the authorization requirements at proposed Sec.
164.508(a)(4)(i), the recipient covered entity or business associate
could not redisclose that protected health information in exchange for
remuneration unless a valid authorization is obtained in accordance
with proposed Sec. 164.508(a)(4)(i) with respect to such redisclosure.
We request comment on these provisions.
In proposed Sec. 164.508(a)(4)(ii), we set forth the exceptions to
the authorization requirement of proposed paragraph (a)(4)(i). We
propose the exceptions provided for by section 13405(d)(2) of the
HITECH Act, but we also propose to exercise the authority granted to
the Secretary in section 13405(d)(2)(G) to include an additional
exception that we deem to be similarly necessary and appropriate. We
invite public comment on the proposed exceptions to this authorization
requirement and whether there are additional exceptions that should be
included in the final regulation.
The exception at proposed Sec. 164.508(a)(4)(ii)(A) covers
exchanges for remuneration for public health activities pursuant to
Sec. Sec. 164.512(b) or 164.514(e). This exception largely tracks the
statutory language; however, we have added a reference to Sec.
164.514(e), to ensure that a covered entity or business associate that
discloses protected health information for public health activities in
limited data set form is also excepted from the authorization
requirement. We believe it is consistent with the statutory language to
also except the disclosure of a limited data set where Congress has
already excepted the disclosure of fully identifiable protected health
information for the same purpose from the remuneration prohibition.
With respect to the exception for public health disclosures, section
13405(d)(3)(A) of the HITECH Act requires that the Secretary evaluate
the impact of restricting this exception to require that the price
charged for the data reflects only the costs of preparation and
transmittal of the data on research or public health activities,
including those conducted by or for the use of the Food and Drug
Administration (FDA). Section 13405(d)(3)(B) further provides that if
the Secretary finds that such further restriction will not impede such
activities, the Secretary may include the restriction in the
regulations. While we do not propose to include such a restriction on
the remuneration that may be received for disclosures for public health
purposes at this time, we request public comment on this issue to
assist us in evaluating the impact of any such restriction.
The proposed exception at Sec. 164.508(a)(4)(ii)(B) generally
tracks the statutory language and excepts from the authorization
requirement disclosures of protected health information for research
purposes, pursuant to Sec. Sec. 164.512(i) or 164.514(e), in which the
covered entity receives remuneration, as long as the remuneration
received by the covered entity is a reasonable, cost-based fee to cover
the cost to prepare and transmit the information for research purposes.
We request public comment on the types of costs that should be
permitted under this provision. As discussed above with respect to the
exception for public health activities, we also propose to add a
reference to Sec. 164.514(e) to ensure that this exception likewise
applies to the disclosure of protected health information in limited
data set form for research purposes.
Proposed Sec. 164.508(a)(4)(ii)(C) would create an exception from
the authorization requirement for disclosures of protected health
information for treatment and payment purposes, in which the covered
entity receives remuneration. Though the Act only addressed treatment,
we have expressly included disclosures for payment purposes and have
also included reference to Sec. 164.506(a), which sets forth the
standard for disclosures of protected health information for treatment
and payment purposes. We also propose to except disclosures made for
payment for health care from the remuneration limitation to make clear
that we do not consider the exchange of protected health information to
obtain ``payment,'' as such term is defined in the Privacy Rule at
Sec. 164.501, to be a sale of protected health information and thus,
subject to the authorization requirements in this section.
Section 13405(d)(2)(D) of the HITECH Act excepts from the
authorization requirement disclosures described in paragraph (6)(iv) of
the definition of health care operations at Sec. 164.501, i.e.,
disclosures for the sale, transfer, merger, or consolidation of all or
part of a covered entity with another covered entity, or an entity that
following such activity will become a covered entity, and due diligence
related to such activity. Proposed Sec. 164.508(a)(4)(ii)(D) would
accordingly except from the authorization requirement disclosures of
protected health information for the events described in paragraph
(6)(iv). We also add a reference to Sec. 164.506(a), the provision
which permits a covered entity to disclose protected health information
for health care operations purposes.
Proposed Sec. 164.508(a)(4)(ii)(E) would except from the
authorization requirements disclosures of protected health information
to or by a business associate for activities that the business
associate undertakes on behalf of a covered entity pursuant to
Sec. Sec. 164.502(e) and 164.504(e), as long as the only remuneration
provided is by the covered entity to the business associate for the
performance of such activities. We have modified the statutory language
to provide specific references to the provisions of the Privacy Rule
that set forth the standards through which covered entities may make
disclosures of protected health information to business associates and
the standards for business associate contracts which govern the
relationship between covered entities and their business associates.
This proposed exception would exempt from the authorization requirement
in Sec. 164.508(a)(4)(i) a disclosure of protected health information
by a covered entity to a business associate or by a business associate
to a third party on behalf of the covered entity as long as any
remuneration received by the business associate was for payment for the
activities performed by the business associate pursuant to a business
associate contract.
Proposed Sec. 164.508(a)(4)(ii)(F) would except from the
authorization requirement disclosures of protected health information
by a covered entity to an individual when requested under Sec. Sec.
164.524 or 164.528. While section 13405(d)(2)(F) explicitly refers only
to disclosures under Sec. 164.524, we are exercising our authority
under section 13405(d)(2)(G) of the HITECH Act (discussed below) to
include in this proposed section disclosures under Sec. 164.528 as
necessary and appropriate. Section 164.502(a)(2)(i) requires covered
entities to disclose protected health information relating to an
individual to that individual upon request pursuant to Sec. Sec.
164.524 or 164.528. Section 164.524 permits a covered entity to impose
a reasonable, cost-based fee for the provision of access to an
individual's protected health information, upon request. Section
164.528 requires a covered entity to provide a requesting individual
with an accounting of disclosures without
[[Page 40892]]
charge in any 12-month period but permits a covered entity to impose a
reasonable, cost-based fee for each subsequent request for an
accounting of disclosures during that 12-month period. Therefore, as a
disclosure of protected health information under Sec. 164.528 is
similar to a disclosure under Sec. 164.524 in that a covered entity
may be paid a fee for making the disclosure, we have included
disclosures pursuant to requests for accountings of disclosures in this
exception. We note that this exception would not permit a covered
entity to require that an individual pay a fee that is not otherwise
permitted by Sec. Sec. 164.524 or 164.528.
We propose an additional exception at Sec. 164.508(a)(4)(ii)(G),
pursuant to the authority granted to the Secretary in section
13405(d)(2)(G) of the HITECH Act to except from the authorization
requirements at proposed Sec. 164.508(a)(4)(i) disclosures that are
required by law as permitted under Sec. 164.512(a). Section 164.512(a)
permits covered entities to use or disclose protected health
information to the extent that such use or disclosure is required by
law. We propose to add this exception to ensure that a covered entity
can continue to disclose protected health information, where required
by law, even if the covered entity receives remuneration for the
disclosure. We request comment on the inclusion of such an exception.
Finally, we propose an additional exception at Sec.
164.508(a)(4)(ii)(H), pursuant to the authority granted to the
Secretary in section 13405(d)(2)(G), to except from the authorization
requirements at proposed Sec. 164.508(a)(4)(i) a disclosure of
protected health information for any other purpose permitted by and in
accordance with the applicable requirements of subpart E, as long as
the only remuneration received by the covered entity is a reasonable,
cost-based fee to cover the cost to prepare and transmit the protected
health information for such purpose or is a fee otherwise expressly
permitted by other law. We have included this proposed exception as
necessary and appropriate to ensure that the proposed authorization
requirement does not deter covered entities from disclosing protected
health information for permissible purposes under subpart E just
because they routinely receive payment equal to the cost of preparing,
producing, or transmitting the protected health information. We
emphasize that this exception would not apply if a covered entity
received remuneration above the actual cost incurred to prepare,
produce, or transmit the protected health information for the permitted
purpose, unless such fee is expressly permitted by other law.
We recognize that many States have laws in place to limit the fees
a health care provider can charge to prepare, copy, and transmit
medical records. Some States simply require any reasonable costs
incurred by the provider in making copies of the medical records to be
paid for by the requesting party, while other States set forth specific
cost limitations with respect to retrieval, labor, supplies, and
copying costs and allow charges equal to actual mailing or shipping
costs. Many of these State laws set different cost limitations based on
the amount and type of information to be provided, taking into account
whether the information is in paper or electronic form as well as
whether the requested material includes x-rays, films, disks, tapes, or
other diagnostic imaging. We intend the reference in proposed Sec.
164.508(a)(4)(ii)(H) to fees expressly permitted by other law to
include fees permitted by such State laws. Therefore, if a covered
entity discloses protected health information in exchange for
remuneration that conforms to an applicable State law with respect to
such fees, the exception would apply and no authorization pursuant to
Sec. 164.508(a)(4)(i) would be required. We do note, however, that of
the States that do have such laws in place, there is great variation
regarding the types of document preparation activities for which a
provider can charge as well as the permissible fee schedules for such
preparation activities. We invite public comment on our proposal to
include in Sec. 164.508(a)(4)(ii)(H) a general exception for
disclosures made for permissible purposes for which the covered entity
received remuneration that was consistent with applicable State law.
We propose a conforming change to Sec. 164.508(b)(1)(i) to include
a reference to the authorization requirement in proposed Sec.
164.508(a)(4)(i).
2. Research
a. Compound Authorizations
Section 164.508(b)(4) of the Privacy Rule prohibits covered
entities from conditioning treatment, payment, enrollment in a health
plan, or eligibility for benefits on the provision of an authorization.
This limitation is intended to prevent covered entities from coercing
individuals into signing an authorization for a use or disclosure that
is not necessary to carry out the services that the covered entity
provides to the individual. However, this section permits a covered
entity to condition the provision of research-related treatment on
obtaining the individual's authorization in limited situations, such as
for a clinical trial. Permitting the use of protected health
information is part of the decision to receive care through a clinical
trial, and health care providers conducting such trials are able to
condition research-related treatment on the individual's willingness to
authorize the use or disclosure of protected health information for
research associated with the trial.
Section 164.508(b)(3) generally prohibits what are termed
``compound authorizations,'' i.e., where an authorization for the use
and disclosure of protected health information is combined with any
other legal permission. However, Sec. 164.508(b)(3)(i) carves out an
exception to this general prohibition, permitting the combining of an
authorization for a research study with any other written permission
for the same study, including another authorization or consent to
participate in the research. Nonetheless, Sec. 164.508(b)(3)(iii)
prohibits combining an authorization that conditions treatment,
payment, enrollment in a health plan, or eligibility for benefits with
an authorization for another purpose for which treatment, payment,
enrollment, or eligibility may not be conditioned. This limitation on
certain compound authorizations was intended to help ensure that
individuals understand that they may decline the activity described in
the unconditioned authorization yet still receive treatment or other
benefits or services by agreeing to the conditioned authorization.
The impact of these authorization requirements and limitations can
be seen during clinical trials that are associated with a corollary
research activity, such as when protected health information is used or
disclosed to create or to contribute to a central research database or
repository. For example, Sec. 164.508(b)(3)(iii) prevents covered
entities from obtaining a single authorization for the use or
disclosure of protected health information for a research study that
includes both treatment as part of a clinical trial and tissue banking
of specimens (and associated protected health information) collected,
since a research-related treatment authorization generally is
conditioned and a tissue banking authorization generally is not
conditioned. Various groups, including researchers and professional
organizations, have expressed concern at this lack of integration. The
Secretary's Advisory Committee for Human Research Protections in 2004
[[Page 40893]]
(Recommendation V, in a letter to the Secretary of HHS, available at
http://www.hhs.gov/ohrp/sachrp/hipaalettertosecy090104.html), as well
as the Institute of Medicine (IOM) in its 2009 Report, ``Beyond the
HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through
Research'' (Recommendation II.B.2), also made specific recommendations
to allow combined authorizations for clinical trials and biospecimen
storage. Research-related treatment offered through a clinical trial is
nearly always conditioned upon signing the informed consent to
participate in the trial and the authorization to use or disclose the
individual's protected health information for the trial. Thus, covered
entities must obtain separate authorizations from research participants
for a clinical trial that also collects specimens with associated
protected health information for a central repository. For clinical
research trials that may have thousands of participants, documenting
and storing twice as many authorizations is a major concern. There is
also a concern that multiple forms may be confusing for research
subjects. The Department has received reports that recruitment into
clinical trials has been hampered, in part, because the multiplicity of
forms for research studies dissuades individuals from participating in
research. We have also heard that redundant information provided by two
authorization forms (one for the clinical study and another for related
research) diverts an individual's attention from other content that
describes how and why the personal health information may be used.
While seeking Institutional Review Board (IRB) or Privacy Board
waiver of the authorization requirement is an option under Sec.
164.512 of the Privacy Rule, an IRB or Privacy Board is less likely to
approve a request for a waiver of authorization for a foreseeable use
or disclosure of protected health information to create and maintain or
contribute to a central tissue or information repository if the covered
entity is planning to seek informed consent from the individual for
this purpose. Accordingly, the waiver provisions generally do not
resolve concerns expressed by the research community.
We agree that allowing a covered provider to combine research
authorizations would streamline the process for obtaining an
individual's authorization for research and would make the
documentation responsibilities of these covered entities more
manageable. Such a modification would also result in an authorization
that would be simpler and, therefore, more meaningful to the individual
(in contrast to the individual receiving multiple forms that may be
confusing). We, therefore, propose to amend Sec. 164.508(b)(3)(i) and
(iii) to allow a covered entity to combine conditioned and
unconditioned authorizations for research, provided that the
authorization clearly differentiates between the conditioned and
unconditioned research components and clearly allows the individual the
option to opt in to the unconditioned research activities. These
provisions would allow covered entities to combine authorizations for
scenarios that often occur in research studies. For example, a covered
entity would be able to combine an authorization permitting the use and
disclosure of protected health information associated with a specimen
collection for a central repository and authorization permitting use
and disclosure of protected health information for clinical research
that conditions research-related treatment on the execution of a HIPAA
authorization.
While the proposed modifications do not alter the core elements or
required statements integral to a valid authorization, covered entities
would have some flexibility with respect to how they meet the
authorization requirements. For example, covered entities could
facilitate an individual's understanding of a compound authorization by
describing the unconditioned research activity on a separate page of a
compound authorization. They could also cross-reference relevant
sections of a compound authorization to minimize the potential for
redundant language. In addition, a covered entity could use a separate
check-box for the unconditioned research activity to signify whether an
individual has opted-in to the unconditioned research activity, while
maintaining one signature line for the authorization. Alternatively, a
covered entity could choose to provide a distinct signature line for
the unconditioned authorization to signal that the individual is
authorizing optional research that will not affect research-related
treatment. We request comment on additional methods that would clearly
differentiate to the individual the conditioned and unconditioned
research activities on the compound authorization.
b. Authorizing Future Research Use or Disclosure
Research often involves obtaining health information and biological
specimens to create a research database or repository for future
research. For example, this frequently occurs where clinical trials are
paired with corollary research activities, such as the creation of a
research database or repository where information and specimens
obtained from a research participant during the trial are transferred
and maintained for future research. It also is our understanding that
IRBs in some cases may approve an informed consent document for a
clinical trial that also asks research participants to permit future
research on their identifiable information or specimens obtained during
the course of the trial, or may review an informed consent for a prior
clinical trial to determine whether a subsequent research use is
encompassed within the original consent.
The Department has interpreted the Privacy Rule, however, to
require that authorizations for research be study specific for purposes
of complying with the Rule's requirement at Sec. 164.508(c)(1)(iv)
that an authorization must include a description of each purpose of the
requested use or disclosure. See 67 FR 53182, 53226, Aug. 14, 2002. In
part, the Department's interpretation was based on a concern that
patients could lack necessary information in the authorization to make
an informed decision about the future research, due to a lack of
information about the future research at the time the authorization was
obtained. In addition, it was recognized that not all uses and
disclosures of protected health information for a future research
purpose would require a covered entity to re-contact the individual to
obtain another authorization, to the extent other conditions in the
Privacy Rule were met. For example, a covered entity could obtain a
waiver of authorization from an IRB or Privacy Board as provided under
Sec. 164.512(i) or use or disclose only a limited data set pursuant to
a data use agreement under Sec. 164.514(e) for the future research
purpose.
Subsequent to its issuing this interpretation, the Department has
heard concerns from covered entities and researchers that the
Department's interpretation encumbers secondary research, and limits an
individual's ability to agree to the use or disclosure of their
protected health information for future research without having to be
re-contacted to sign multiple authorization forms at different points
in the future. In addition, many commenters noted that the Department's
interpretation limiting the scope of a HIPAA authorization for research
appeared to diverge from the current practice under the Common Rule
with respect to the
[[Page 40894]]
ability of a researcher to seek subjects' consent to future research so
long as the future research uses are described in sufficient detail to
allow an informed consent. These commenters, as well as the Secretary's
Advisory Committee for Human Research Protections in 2004
(Recommendation IV, in a letter to the Secretary of HHS, available at
http://www.hhs.gov/ohrp/sachrp/hipaalettertosecy090104.html) and the
IOM in its 2009 Report entitled ``Beyond the HIPAA Privacy Rule:
Enhancing Privacy, Improving Health Through Research'' (Recommendation
II.B.1), have urged the Department to allow the HIPAA authorization to
permit future research use and disclosure of protected health
information or, at a minimum, for the Department to modify its
interpretation to allow the authorization to encompass certain future
use and disclosure of protected health information for research,
provided certain parameters are met.
Given these concerns, in addition to the modifications mentioned in
the prior section, the Department is considering whether to modify its
interpretation that an authorization for the use or disclosure of
protected health information for research be research-study specific.
In particular, the Department is considering a number of options and
issues in this area, including whether: (1) The Privacy Rule should
permit an authorization for uses and disclosures of protected health
information for future research purposes to the extent such purposes
are adequately described in the authorization such that it would be
reasonable for the individual to expect that his or her protected
health information could be used or disclosed for such future research;
(2) the Privacy Rule should permit an authorization for future research
only to the extent the description of the future research included
certain elements or statements specified by the Privacy Rule, and if
so, what should those be; and (3) the Privacy Rule should permit option
(1) as a general rule but require certain disclosure statements on the
authorization in cases where the future research may encompass certain
types of sensitive research activities, such as research involving
genetic analyses or mental health research, that may alter an
individual's willingness to participate in the research. We request
comment on each of these options, including their impact on the conduct
of research and patient understanding of authorizations.
We note that any modification in this area would not alter an
individual's right to revoke the authorization for the use or
disclosure of protected health information for future research at any
time and that the authorization would have to include a description of
how the individual may do so. We request comment on how a revocation
would operate with respect to future downstream research studies.
The Department does not propose any specific modifications to the
Privacy Rule at this time but requests public comment on the options
identified above, as well as any others, for purposes of addressing
this issue at the time the final rule is issued, if appropriate. In
addition, any change in interpretation will be closely coordinated with
the HHS Office for Human Research Protections (OHRP) and the FDA to
ensure the Privacy Rule policies are appropriately harmonized with
those under the HHS human subjects protections regulations (45 CFR part
46) and FDA human subjects protections regulations governing informed
consent for research (21 CFR part 50).
E. Protected Health Information About Decedents
1. Section 164.502(f)--Period of Protection for Decedent Information
Section 164.502(f) requires covered entities to protect the privacy
of a decedent's protected health information generally in the same
manner and to the same extent that is required for the protected health
information of living individuals. Thus, if an authorization is
required for the use or disclosure of protected health information, a
covered entity may use or disclose a decedent's protected health
information in that situation only if the covered entity obtains an
authorization from the decedent's personal representative. The personal
representative for a decedent is the executor, administrator, or other
person who has authority under applicable law to act on behalf of the
decedent or the decedent's estate. The Department has heard a number of
concerns since the publication of the Privacy Rule that it can be
difficult to locate a personal representative to authorize the use or
disclosure of the decedent's protected health information, particularly
after an estate is closed. Furthermore, archivists, biographers and
historians have expressed frustration regarding the lack of access to
ancient or old records of historical value held by covered entities,
even when there are likely few remaining individuals concerned with the
privacy of such information. Archives and libraries may hold medical
records that are centuries old. Furthermore, fragments of health
information may be found throughout all types of archival holdings,
such as correspondence files, diaries, and photograph collections, that
are also in some cases centuries old. Currently, to the extent such
information is maintained by a covered entity, it is subject to the
Privacy Rule. For example, currently the Privacy Rule would apply in
the same manner to the casebook of a 19th century physician as it would
to the medical records of current patients of a physician.
Accordingly, we propose to amend Sec. 164.502(f) to require a
covered entity to comply with the requirements of the Privacy Rule with
regard to the protected health information of a deceased individual for
a period of 50 years following the date of death. We also propose to
modify the definition of ``protected health information'' at Sec.
160.103 to make clear that the individually identifiable health
information of a person who has been deceased for more than 50 years is
not protected health information under the Privacy Rule. We believe
that fifty years is an appropriate time span, because by approximately
covering the span of two generations we believe it will both protect
the privacy interests of most, if not all, living relatives, or other
affected individuals, and it reflects the difficulty of obtaining
authorizations from personal representatives as time passes. A fifty-
year period of protection also was suggested at a prior National
Committee for Vital and Health Statistics (NCVHS) (the public advisory
committee which advises the Secretary on the implementation of the
Administrative Simplification provisions of HIPAA, among other issues)
meeting, at which committee members heard testimony from archivists
regarding the problems associated with applying the Privacy Rule to
very old records. See http://ncvhs.hhs.gov/050111mn.htm. We request
public comment on the appropriateness of this time period.
We note that these proposed modifications would have no impact on a
covered entity's permitted disclosures related to decedents for law
enforcement purposes (Sec. 164.512(f)(4)), to coroners or medical
examiners and funeral directors (Sec. 164.512(g)), for research that
is solely on the protected health information of decedents (Sec.
164.512(i)(1)(iii)), and for organ procurement organizations or other
entities engaged in the procurement, banking, or transplantation of
cadaveric organs, eyes, or tissue for the purpose of facilitating
organ, eye or tissue donation and transplantation (Sec. 164.512(h)).
[[Page 40895]]
These disclosures are governed by other provisions of the Privacy Rule.
2. Section 164.510(b)--Disclosures About a Decedent to Family Members
and Others Involved in Care
Section 164.510(b) describes how a covered entity may use or
disclose protected health information to persons, such as family
members or others, who are involved in an individual's care or payment
related to the individual's health care. We have received a number of
questions about the scope of the section, specifically with regard to
the protected health information of decedents. We have heard concerns
that family members, relatives, and others, many of whom may have had
access to the health information of the deceased individual prior to
death, have had difficulty obtaining access to such information after
the death of the individual, because many do not qualify as a
``personal representative'' under Sec. 164.502(g)(4).
As such, we propose to amend Sec. 164.510(b) to add a new
paragraph (5), which would permit covered entities to disclose a
decedent's information to family members and others who were involved
in the care or payment for care of the decedent prior to death, unless
doing so is inconsistent with any prior expressed preference of the
individual that is known to the covered entity. We propose to add
conforming cross-references to paragraphs (b)(1)(i) and (ii) and
(b)(4). We note that this disclosure would be permitted, but would not
be required. We request comment on any unintended consequences that
this permissive disclosure provision might cause.
We also note that these modifications do not change the authority
of a decedent's personal representative with regard to the decedent's
protected health information. Thus, a personal representative may
continue to request access to or an accounting of a decedent's
protected health information, and may continue to authorize uses and
disclosures of the decedent's protected health information that are not
otherwise permitted or required by the Privacy Rule.
F. Section 164.512(b)--Disclosure of Student Immunizations to Schools
The Privacy Rule, in Sec. 164.512(b), recognizes that covered
entities must balance protecting the privacy of health information with
sharing health information with those responsible for ensuring public
health and safety, and permits covered entities to disclose the minimum
necessary protected health information to public health authorities or
other designated persons or entities without an authorization for
public health purposes specified by the Rule. Covered entities may
disclose protected health information: (1) To a public health authority
that is legally authorized to collect or receive the information for
the purpose of preventing or controlling disease, injury, or disability
(such as reporting communicable diseases, births, and deaths, or
conducting public health interventions, investigations, and
surveillance); (2) to a public health authority or other appropriate
government authority to report child abuse if the authority is legally
authorized to receive such reports; (3) to a person or entity subject
to the jurisdiction of the FDA about the quality, safety, or
effectiveness of an FDA-regulated product or activity for which the
person or entity has responsibility (such as reporting adverse drug
events to the drug manufacturer); (4) to notify a person that (s)he is
at risk of contracting or spreading a disease or condition, as
authorized by law, to carry out a public health intervention or
investigation; and (5) to an employer under limited circumstances and
conditions when the employer needs the information to comply with
Occupational Safety and Health Administration (OSHA) or Mine Safety and
Health Administration (MSHA) requirements. Any other disclosures that
do not conform to these provisions, and that are not otherwise
permitted by the Rule, require the individual's prior written
authorization.
Schools play an important role in preventing the spread of
communicable diseases among students by ensuring that students entering
classes have been immunized. Most States have ``school entry laws''
which prohibit a child from attending school unless the school has
proof that the child has been appropriately immunized. Typically,
schools ensure compliance with those requirements by requesting the
immunization records from parents (rather than directly from a health
care provider), particularly because the Privacy Rule generally
requires written authorization by the child's parent before a covered
health care provider may disclose protected health information directly
to the school. Some States allow a child to enter school provisionally
for a period of 30 days while the school waits for the necessary
immunization information.
We have heard concerns that the Privacy Rule may make it more
difficult for parents to provide, and for schools to obtain, the
necessary immunization documentation for students, which may prevent
students' admittance to school. The NCVHS submitted these concerns to
the HHS Secretary and recommended that HHS regard disclosure of
immunization records to schools to be a public health disclosure. See
http://www.ncvhs.hhs.gov/040617l2.htm.
As such, we propose to amend Sec. 164.512(b)(1) by adding a new
paragraph that permits covered entities to disclose proof of
immunization to schools in States that have school entry or similar
laws. While written authorization that complies with Sec. 164.508
would no longer be required for disclosure of such information, the
covered entity would still be required to obtain agreement, which may
be oral, from a parent, guardian or other person acting in loco
parentis for the individual, or from the individual him- or herself, if
the individual is an adult or emancipated minor. Because the proposed
provision would permit a provider to accept a parent's oral agreement
to disclose immunization results to a school--as opposed to a written
agreement--there is a potential for a miscommunication and later
objection by the parent. We, therefore, request comment on whether the
Privacy Rule should require that a provider document any oral agreement
under this provision to help avoid such problems, or whether a
requirement for written documentation would be overly cumbersome, on
balance. We also request comment on whether the rule should mandate
that the disclosures go to a particular school official and if so, who
that should be.
In addition, the Privacy Rule does not currently define the term
``school'' and we understand that the types of schools subject to the
school entry laws may vary by State. For example, depending on the
State, such laws may apply to public and private elementary or primary
schools and secondary schools (kindergarten through 12th grade), as
well as daycare and preschool facilities, and post-secondary
institutions. Thus, we request comment on the scope of the term
``school'' for the purposes of this section and whether we should
include a specific definition of ``school'' within the regulation
itself. In addition, we request comment on the extent to which schools
that may not be subject to these school entry laws but that may also
require proof of immunization have experienced problems that would
warrant their being included in this category of public health
disclosures.
Finally, we note that once a student's immunization records are
obtained and maintained by an educational institution or agency to
which the Family Educational Rights and Privacy
[[Page 40896]]
Act (FERPA) applies, the records are protected by FERPA, rather than
the HIPAA Privacy Rule. See paragraphs (2)(i) and (2)(ii) of the
definition of ``protected health information'' at Sec. 160.103, which
exclude from coverage under the Privacy Rule student records protected
by FERPA. In addition, for more information on the intersection of
FERPA and HIPAA, readers are encouraged to consult the Joint HHS/ED
Guidance on the Application of FERPA and HIPAA to Student Health
Records, available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hipaaferpajointguide.pdf.
G. Section 164.514(d)--Minimum Necessary
Section 164.502(b)(1) of the Privacy Rule requires covered entities
to limit uses and disclosures of, and requests for, protected health
information to ``the minimum necessary to accomplish the intended
purpose of the use, disclosure, or request.'' Section 164.502(b)(2)
outlines situations in which the minimum necessary rule does not apply.
With respect to uses of protected health information, Sec.
164.514(d)(2) requires covered entities to identify workforce members
who need access to protected health information, to identify the
categories and conditions of such access, and to make reasonable
efforts to limit access consistent with such policies. With respect to
disclosures of, and requests for, protected health information, Sec.
164.514(d)(3) and (4) require that covered entities adopt policies and
procedures addressing minimum necessary, including with regard to uses
and disclosures that occur routinely.
Section 13405(b)(1)(A) of the HITECH Act provides that a covered
entity shall be treated as being in compliance with the minimum
necessary requirements with respect to the use or disclosure of or the
request for protected health information ``only if the covered entity
limits such protected health information, to the extent practicable, to
the limited data set (as defined in section 164.514(e)(2) of such
title) or, if needed by such entity, to the minimum necessary.''
Section 13405(b)(1)(B) requires the Secretary to issue guidance on what
constitutes ``minimum necessary'' within 18 months after the date of
enactment. This guidance must take into account the guidance required
by section 13424(c), relating to the de-identification of protected
health information, as well as ``the information necessary to improve
patient outcomes and to detect, prevent, and manage chronic disease.''
Section 13405(b)(1)(C) provides that the provisions of paragraph (A) no
longer apply as of the effective date of the guidance issued under
paragraph (B).
Section 13405(b)(2) provides that, with respect to disclosures of
protected health information, the covered entity or business associate
making the disclosure shall determine what constitutes the minimum
necessary. Section 13405(b)(3) provides that section 13405(b)(1) does
not affect the application of the exceptions to the minimum necessary
requirement, while section 13405(b)(4) provides that nothing in
subsection (b) is to be construed as affecting the use or disclosure of
or request for de-identified health information.
Section 13405(b)(1)(A) requires that covered entities consider the
feasibility of utilizing the limited data set in complying with the
minimum necessary requirements of the Privacy Rule. However, that
provision also permits a covered entity to employ its traditional
minimum necessary policies and procedures if it decides that the
limited data set will not meet the needs of the particular use,
disclosure, or request in question. The requirement of this section,
moreover, is an interim one; under section 13405(b)(1)(C), issuance of
the guidance required by section 13405(b)(1)(B) effectively sunsets the
requirement of section 13405(b)(1)(A).
For purposes of the required guidance, we take this opportunity to
solicit public comment on what aspects of the minimum necessary
standard covered entities and business associates believe would be most
helpful to have the Department address in the guidance and the types of
questions entities may have about how to appropriately determine the
minimum necessary for purposes of complying with the Privacy Rule. We
propose to leave the current regulatory text unchanged in this
rulemaking as the issuance of the required guidance will obviate the
need to make any regulatory modifications in this area.
H. Section 164.514(f)--Fundraising
Section 164.514(f)(1) of the Privacy Rule permits a covered entity
to use, or disclose to a business associate or an institutionally
related foundation, the following protected health information for its
own fundraising purposes without an individual's authorization: (1)
Demographic information relating to an individual; and (2) the dates of
health care provided to an individual. Section 164.514(f)(2) of the
Privacy Rule requires a covered entity that plans to use or disclose
protected health information for fundraising under this paragraph to
inform individuals in its notice of privacy practices that it may
contact them to raise funds for the covered entity. In addition, Sec.
164.514(f)(2) requires that a covered entity include in any fundraising
materials it sends to an individual a description of how the individual
may opt out of receiving future fundraising communications and that a
covered entity must make reasonable efforts to ensure that individuals
who do opt out are not sent future fundraising communications.
Section 13406(b) of the HITECH Act, which became effective on
February 18, 2010, requires the Secretary to provide by rule that a
covered entity provide the recipient of any fundraising communication
with a clear and conspicuous opportunity to opt out of receiving any
further fundraising communications. Additionally, section 13406(b)
states that if an individual does opt out of receiving further
fundraising communications, the individual's choice to opt out must be
treated as a revocation of authorization under Sec. 164.508 of the
Privacy Rule.
We propose a number of changes to the Privacy Rule's fundraising
requirements to implement these statutory provisions. First, we propose
to strengthen the opt out by requiring that a covered entity provide,
with each fundraising communication sent to an individual under these
provisions, a clear and conspicuous opportunity for the individual to
elect not to receive further fundraising communications. To satisfy
this requirement, we also propose to require that the method for an
individual to elect not to receive further fundraising communications
may not cause the individual to incur an undue burden or more than
nominal cost. We encourage covered entities to consider the use of a
toll-free phone number, an e-mail address, or similar opt out mechanism
that would provide individuals with a simple, quick, and inexpensive
way to opt out of receiving future communications. We note that we
would consider requiring individuals to write and send a letter to the
covered entity asking not to receive future fundraising communications
to constitute an undue burden on the individual for purposes of this
proposed requirement.
We also propose to provide that a covered entity may not condition
treatment or payment on an individual's choice with respect to
receiving fundraising communications. We believe this modification
would implement the language in section 13406(b) of the HITECH Act that
provides that an election by an
[[Page 40897]]
individual not to receive further fundraising communications shall be
treated as a revocation of authorization under the Privacy Rule. The
legislative history of the HITECH Act indicates that it was Congress'
intent with this language that the protections that apply under Sec.
164.508 to an individual who has revoked an authorization similarly
apply to an individual who has opted out of fundraising communications,
``including the right not to be denied treatment as a result of making
that choice.'' See H.R. Conf. Rep. 111-16, p. 498. Therefore, we make
clear in this proposed rule that a covered entity would not be
permitted to condition treatment or payment for care on an individual's
choice of whether to receive fundraising communications.
Further, we propose to provide that a covered entity may not send
fundraising communications to an individual who has elected not to
receive such communications. This proposed language would strengthen
the current requirement at Sec. 164.514(f)(2)(iii) that a covered
entity make ``reasonable efforts'' to ensure that those individuals who
have opted out of receiving fundraising communications are not sent
such communications. We have proposed stronger language to make clear
the expectation that covered entities abide by an individual's decision
not to receive fundraising communications, as well as to make the
fundraising opt out operate more like a revocation of authorization,
consistent with the statutory language and legislative history of
section 13406(b) of the HITECH Act discussed above.
With respect to the operation of the opt out, we request comment
regarding to what fundraising communications the opt out should apply.
For example, if an individual receives a fundraising letter and opts
out of receiving future fundraising communications, should the opt out
apply to all future fundraising communications or should and can the
opt out be structured in a way to only apply to the particular
fundraising campaign described in the letter? In addition, given that
we would require the opt out method to be simple and quick for the
individual to exercise, such as the use of a phone number or e-mail
address, we request comment on whether the Rule should allow a similar
method, short of the individual signing an authorization, by which an
individual who has previously opted out can put his or her name back on
an institution's fundraising list.
We propose to retain the requirement that a covered entity that
intends to contact the individual to raise funds under these provisions
must include a statement to that effect in its notice of privacy
practices. However, we do propose to modify the required statement
slightly, as indicated below in the discussion of the notice
requirements at Sec. 164.520, by requiring that the notice also inform
individuals that they have a right to opt out of receiving such
communications. We also propose to move all of the fundraising
requirements described above to Sec. 164.514(f)(1), given that the
proposed provisions for subsidized treatment communications discussed
above now would be located at Sec. 164.514(f)(2).
In addition to the above modifications proposed in response to the
HITECH Act, we also solicit public comment on the requirement at Sec.
164.514(f)(1), which limits the information a covered entity may use or
disclose for fundraising to demographic information about, and dates of
health care service provided to, an individual. Since the promulgation
of the Privacy Rule, certain covered entities have raised concerns
regarding this limitation, maintaining that the Privacy Rule's
prohibition on the use or disclosure of certain treatment information
without an authorization, such as the department of service where care
was received and outcomes information, harms their ability to raise
funds from often willing and grateful patients. In particular, covered
entities have argued that the restrictions in the Privacy Rule prevent
them from targeting their fundraising efforts and avoiding
inappropriate solicitations to individuals who may have had a bad
treatment outcome, and obtaining an individual's authorization for
fundraising as the individual enters or leaves the hospital for
treatment is often impracticable or inappropriate. NCVHS also held a
hearing and heard public testimony on this issue in July 2004. After
considering the testimony provided, the NCVHS recommended to the
Secretary that the Privacy Rule should allow covered entities to use or
disclose information related to the patient's department of service
(broad designations, such as surgery or oncology, but not narrower
designations or information relating to diagnosis or treating
physician) for fundraising activities without patient authorization.
NCVHS also recommended that a covered entity's notice of privacy
practices inform patients that their department of service information
may be used in fundraising, and that patients should be afforded the
opportunity to opt out of the use of their department of service
information for fundraising or all fundraising contacts altogether. See
http://www.ncvhs.hhs.gov/040902lt1.htm.
In light of these concerns and the prior recommendation of the
NCVHS, the Department takes this opportunity to solicit public comment
on whether and how the current restriction on what information may be
used and disclosed should be modified to allow covered entities to more
effectively target fundraising and avoid inappropriate solicitations to
individuals, as well as to reduce the need to send solicitations to all
patients. In particular, we solicit comment on: (1) Whether the Privacy
Rule should allow additional categories of protected health information
to be used or disclosed for fundraising, such as department of service
or similar information, and if so, what those categories should be; (2)
the adequacy of the minimum necessary standard to appropriately limit
the amount of protected health information that may be used or
disclosed for fundraising purposes; or (3) whether the current
limitation should remain unchanged. We also solicit comment on whether,
if additional information is permitted to be used or disclosed for
fundraising absent an authorization, covered entities should be
required to provide individuals with an opportunity to opt out of
receiving any fundraising communications before making the first
fundraising solicitation, in addition to the opportunity to opt out
with every subsequent communication. We invite public comment on
whether such a pre-solicitation opt out would be workable for covered
entities and individuals and what mechanisms could be put into place to
implement the requirement.
I. Section 164.520--Notice of Privacy Practices for Protected Health
Information
Section 164.520 of the Privacy Rule sets out the requirements for
most covered entities to have and to distribute a notice of privacy
practices (NPP). The NPP must describe the uses and disclosures of
protected health information a covered entity is permitted to make, the
covered entity's legal duties and privacy practices with respect to
protected health information, and the individual's rights
concerning protected health information.
With regard to the description of permitted uses and disclosures,
Sec. 164.520(b)(1)(ii) requires a covered entity to include separate
statements about the uses and disclosures that the covered entity
intends to make for certain treatment, payment, or health care
operations activities. Further, Sec. 164.520(b)(1)(ii)(E) currently
requires
[[Page 40898]]
that the NPP contain a statement that any uses and disclosures other
than those permitted by the Privacy Rule will be made only with the
written authorization of the individual, and that the individual has
the right to revoke an authorization pursuant to Sec. 164.508(b)(5).
The purpose of this statement is to put individuals on notice that
covered entities may make certain uses and disclosures only with an
authorization from the individual.
Section 164.520(b)(1)(iv) requires that the NPP contain statements
regarding the rights of individuals with respect to their protected
health information and a brief description of how individuals may
exercise such rights. Section 164.520(b)(1)(iv)(A) currently requires a
statement and a brief description addressing an individual's right to
request restrictions on the uses and disclosures of protected health
information pursuant to Sec. 164.522(a), including the fact that the
covered entity is not required to agree to this request.
We propose to amend Sec. 164.520(b)(1)(ii)(E) to require that the
NPP include a statement that describes the uses and disclosures of
protected health information that require an authorization under Sec.
164.508(a)(2) through (a)(4), and to provide that other uses and
disclosures not described in the notice will be made only with the
individual's authorization. The proposed provision would ensure that
covered entities provide notice to individuals indicating that most
disclosures of protected health information for which the covered
entity receives remuneration would require the authorization of the
individual. Such uses and disclosures may have previously been
permitted under other provisions of the Rule but now require
authorization, as discussed in connection with proposed Sec.
164.508(a)(4).
We propose to require, in addition, that covered entities provide
notice that most uses and disclosures of psychotherapy notes and for
marketing purposes require an authorization so that individuals will be
made aware of all situations in which authorization is required. We are
concerned that omission of such a specific statement may be somewhat
misleading or confusing, in that the NPP would state that the covered
entity may use or disclose protected health information without
authorization for purposes of treatment, payment, and health care
operations and some individuals might assume that psychotherapy notes
and marketing would be covered by these permissions.
Section 164.520(b)(1)(iii) requires a covered entity to include in
its NPP separate statements about certain activities if the covered
entity intends to engage in any of the activities. In particular, Sec.
164.520(b)(1)(iii) requires a separate statement in the notice if the
covered entity intends to contact the individual to provide appointment
reminders or information about treatment alternatives or other health-
related benefits or services; to contact the individual to fundraise
for the covered entity; or, with respect to a group health plan, to
disclose protected health information to the plan sponsor.
We propose the following changes to these provisions. First, we
propose to modify Sec. 164.520(b)(1)(iii)(A) to align the required
statement with the proposed modifications related to marketing and
subsidized treatment communications. A covered health care provider
that intends to send treatment communications to the individual in
accordance with proposed Sec. 164.514(f)(2) concerning treatment
alternatives or other health-related products or services where the
provider receives financial remuneration in exchange for making the
communication would be required to inform the individual in advance in
the NPP, as well as inform the individual that he or she has the
opportunity to opt out of receiving such communications. Second, at
Sec. 164.520(b)(1)(iii)(B) we propose to require that if a covered
entity intends to contact the individual to raise funds for the entity
as permitted under Sec. 164.514(f)(1), the covered entity must not
only inform the individual in the NPP of this intention but also that
the individual has the right to opt out of receiving such
communications.
We also propose to modify the requirement of Sec.
164.520(b)(1)(iv)(A) which requires covered entities to notify
individuals of the individuals' right to request restrictions. This
provision currently includes a requirement that the NPP state that the
covered entity is not required to agree to such a request. Since this
statement will no longer be accurate when the modifications to proposed
Sec. 164.522(a)(1)(vi) that are required by the HITECH Act are made
(see discussion in the following section), proposed Sec.
160.520(b)(1)(iv)(A) would require, in addition, that the statement
include an exception for requests under Sec. 164.522(a)(1)(vi).
Under subpart D of part 164, covered entities now have new
obligations to comply with the requirements for notification to
affected individuals, the media, and the Secretary following a breach
of unsecured protected health information. We request comment on
whether the Privacy Rule should require a specific statement regarding
this new legal duty and what particular aspects of this new duty would
be important for individuals to be notified of in the NPP.
The proposed modifications to Sec. 164.520 represent material
changes to the NPP of covered entities. Section 164.520(b)(3) requires
that when there is a material change to the NPP, covered entities must
promptly revise and distribute the NPP as outlined by Sec. 164.520(c).
Section 164.520(c)(1)(i)(C) requires that health plans provide notice
to individuals covered by the plan within 60 days of any material
revision to the NPP. We recognize that revising and redistributing a
NPP may be costly for health plans and request comment on ways to
inform individuals of this change to privacy practices without unduly
burdening health plans. In particular, we are considering a number of
options in this area: (1) Replace the 60-day requirement with a
requirement for health plans to revise their NPPs and redistribute them
(or at least notify members of the material change to the NPP and how
to obtain the revised NPP) in their next annual mailing to members
after a material revision to the NPP, such as at the beginning of the
plan year or during the open enrollment period; (2) provide a specified
delay or extension of the 60-day timeframe for health plans; (3) retain
the provision generally to require health plans to provide notice
within 60 days of a material revision but provide that the Secretary
will waive the 60-day timeframe in cases where the timing or substance
of modifications to the Privacy Rule call for such a waiver; or (4)
make no change, and thus, require that health plans provide notice to
individuals within 60 days of the material change to the NPP that would
be required by this proposed rule. We request comment on these options,
as well as on any other options for informing individuals in a timely
manner of this proposed or other material changes to the NPP.
Section 164.520(c)(2)(iv) requires that when a health care provider
with a direct treatment relationship with an individual revises the
NPP, the health care provider must make the NPP available upon request
on or after the effective date of the revision and must comply with the
requirements of Sec. 164.520(c)(2)(iii) to have the NPP available at
the delivery site and to post the notice in a clear and prominent
location. We do not believe these requirements will be overly
burdensome on health care providers and do not propose changes to them,
but we request comment on this issue.
[[Page 40899]]
J. Section 164.522(a)--Right To Request Restriction of Uses and
Disclosures
Section 164.522(a) of the Privacy Rule requires covered entities to
permit individuals to request that a covered entity restrict uses or
disclosures of their protected health information for treatment,
payment, and health care operations purposes, as well as for
disclosures to family members and certain others permitted under Sec.
164.510(b). While covered entities are not required to agree to such
requests for restrictions, if a covered entity does agree to restrict
the use or disclosure of an individual's protected health information,
the covered entity must abide by that restriction, except in emergency
circumstances when the information is required for the treatment of the
individual. Section 164.522 also includes provisions for the
termination of such a restriction and requires that covered entities
that have agreed to a restriction document the restriction in writing.
Section 13405(a) of the HITECH Act, which became effective February
18, 2010, requires that when an individual requests a restriction on
disclosure pursuant to Sec. 164.522, the covered entity agree to the
requested restriction unless otherwise required by law, if the request
for restriction is on disclosures of protected health information to a
health plan for the purpose of carrying out payment or health care
operations and if the restriction applies to protected health
information that pertains solely to a health care item or service for
which the health care provider involved has been paid out of pocket in
full. This statutory requirement overrides the provision in Sec.
164.522(a)(1)(ii) that the covered entity is not required to agree to
requests for restrictions and requires that we modify the regulation.
To implement section 13405(a), we propose to add a new Sec.
164.522(a)(1)(vi) to describe the elements of the required restriction.
We also propose to add conforming language to Sec. 164.522(a)(1)(ii)
to reflect the mandatory nature of the restriction as required by the
statute. Finally, we propose conforming modifications to Sec.
164.522(a)(2) and (3), which address terminating and documentation of
restrictions. We discuss these modifications in more detail below.
We propose to add a new paragraph (vi) to Sec. 164.522(a)(1),
which would require a covered entity, upon request from an individual,
to agree to a restriction on the disclosure of protected health
information to a health plan if: (A) the disclosure is for the purposes
of carrying out payment or health care operations and is not otherwise
required by law; and (B) the protected health information pertains
solely to a health care item or service for which the individual, or
person on behalf of the individual other than the health plan, has paid
the covered entity in full. We also propose to modify the language in
Sec. 164.522(a)(1)(ii), which states that a covered entity is not
required to agree to a restriction, to refer to this exception to that
general rule. We note that under the Privacy Rule, a covered entity may
make a disclosure to a business associate of another covered entity
only where the disclosure would be permitted directly to the other
covered entity. Thus, in cases where an individual has exercised his or
her right to have a restriction placed under this paragraph on a
disclosure to a health plan, the covered entity is also prohibited from
making such disclosure to a business associate of the health plan.
Section 13405(a) makes clear that an individual has a right to have
disclosures regarding certain health care items or services for which
the individual pays out of pocket in full restricted from a health
plan. We believe the Act provides the individual with the right to
determine for which health care items or services the individual wishes
to pay out of pocket and restrict. Thus, we do not believe a covered
entity could require individuals who wish to restrict disclosures about
only certain health care items or services to a health plan to restrict
disclosures of protected health information regarding all health care
to the health plan--i.e., to require an individual to have to pay out
of pocket for all services to take advantage of this right regardless
of the particular health care item or service about which the
individual requested the restriction. We believe such a policy would be
contrary to Congressional intent, in that it would discourage
individuals from requesting restrictions in situations where Congress
clearly intended they be able to do so. For example, an individual who
regularly visits the same provider for the treatment of both asthma and
diabetes must be able to request, and have the provider honor, a
restriction on the disclosure of diabetes-related treatment to the
health plan as long as the individual pays out of pocket for this care.
The provider cannot require that the individual apply the restriction
to all care given by the provider and, as a result, cannot require the
individual to pay out of pocket for both the diabetes and asthma-
related care in order to have the restriction on the diabetes care
honored. We encourage covered entities to work with individuals who
wish to restrict certain information from disclosure to health plans to
determine the best method for ensuring that the appropriate information
is restricted from disclosure to a health plan.
Due to the myriad of treatment interactions between covered
entities and individuals, we recognize that this provision may be more
difficult to implement in some circumstances than in others, and we
request comment on the types of interactions between individuals and
covered entities that would make requesting or implementing a
restriction more difficult. For example, an individual visits a
provider for treatment of a condition, and the individual requests the
provider not disclose information about the condition to the health
plan and pays out of pocket for the care. The provider prescribes a
medication to treat the condition, and the individual also wishes to
restrict the health plan from receiving information about the
medication. Many providers electronically send prescriptions to the
pharmacy to be filled so that the medication is ready when the
individual arrives to pick it up; however, at the point the individual
arrives at the pharmacy, the pharmacy would have already sent the
information to the health plan for payment, not permitting the
individual an opportunity to request a restriction at the pharmacy. A
provider who knows that an individual intends to request such a
restriction can always provide the individual with a paper prescription
to take to the pharmacy, allowing the individual an opportunity to
request that the pharmacy restrict the disclosure of information
relating to the medication. However, this might not be practical in
every case, especially as covered entities begin to replace paper-based
systems with electronic systems. We request comment on this issue, and
we ask specifically for suggestions of methods through which a
provider, using an automated electronic prescribing tool, could alert
the pharmacy that the individual may wish to request that a restriction
be placed on the disclosure of their information to the health plan and
that the individual intends to pay out of pocket for the prescription.
Additionally, we request comment on the obligation of covered
health care providers that know of a restriction to inform other health
care providers downstream of such restriction. For example, a provider
has been treating an individual for an infection for several
[[Page 40900]]
months pursuant to the individual's requested restriction that none of
the protected health information relating to the treatment of the
infection be disclosed to the individual's health plan. If the
individual requests that the provider send a copy of his medical
records to another health care provider for treatment, what, if any,
obligation should the original provider have to notify the recipient
provider (including a pharmacy filling the individual's prescription)
that the individual has placed a restriction upon much of the protected
health information in the medical record? We request comment on whether
a restriction placed upon certain protected health information should
apply to, and the feasibility of it continuing to attach to, such
information as it moves downstream, or if the restriction should no
longer apply until the individual visits the new provider for treatment
or services, requests a restriction, and pays out of pocket for the
treatment. In addition, we request comment on the extent to which
technical capabilities exist that would facilitate notification among
providers of restrictions on the disclosure of protected health
information, how widely these technologies are currently utilized, and
any limitations in the technology that would require additional manual
or other procedures to provide notification of restrictions.
In accordance with the HITECH Act, proposed Sec.
164.522(a)(1)(vi)(A) would permit a covered entity to disclose
protected health information to a health plan if such disclosure is
required by law, despite an individual's request for a restriction. We
note that the term ``required by law'' is defined at Sec. 164.103. We
request comment on examples of types of disclosures that may fall under
this provision.
With respect to the proposed requirement in Sec.
164.522(a)(1)(vi)(B) that the covered entity be paid in full for the
health care item or service for which the individual requests a
restriction, we have added some language to the statutory provision to
ensure that this requirement not be limited to solely the individual as
the person paying the covered entity for the individual's care. There
are many situations in which family members or other persons may pay
for the individual's treatment. Thus, this proposed paragraph would
provide that as long as the covered entity is paid for the services by
the individual or another person on behalf of the individual other than
the health plan, the covered entity would be required to abide by the
restriction.
With regard to proposed Sec. 164.522(a)(1)(vi)(B), we emphasize
that when an individual requests a restriction of information to a
health plan and pays out of pocket for the treatment or service, the
individual should not expect that this payment will count towards the
individual's out of pocket threshold with respect to his or her health
plan benefits. As the very nature of this provision is to restrict
information from flowing to the health plan, the health plan will be
unaware of any payment for treatment or services for which the
individual has requested a restriction, and thus, this out of pocket
payment cannot be used to reach the threshold for benefits a health
plan offers.
We request public comment on how this provision will function with
respect to HMOs. A provider who contracts with an HMO generally
receives a fixed payment from an HMO based on the number of patients
seen and not based on the treatment or service provided, and an
individual patient of that provider pays a flat co-payment for every
visit regardless of the treatment or service received. Therefore, it is
our understanding that under most current HMO contracts with providers
an individual could not pay the provider for the treatment or service
received. Thus, individuals who belong to an HMO may have to use an
out-of-network provider if they wish to ensure that certain protected
health information is not disclosed to the HMO. We request public
comment on this issue.
Finally, with respect to proposed Sec. 164.522(a)(1)(vi)(B), we
emphasize that if an individual's out of pocket payment for a health
care item or service to restrict disclosure of the information to a
health plan is not honored (for example, the individual's check
bounces), the covered entity may then submit the information to the
health plan for payment as the individual has not fulfilled the
requirements necessary to obtain a restriction. We do not believe that
the statutory intent was to permit individuals to avoid payment to
providers for the health care services they provide. Therefore, if an
individual does not pay in full for the treatment or services provided
to the individual, then the provider is under no obligation to restrict
the information and may disclose the protected health information to
the health plan to receive payment. However, we expect covered entities
to make some attempt to resolve the payment issue with the individual
prior to sending the protected health information to the health plan,
such as by notifying the individual that his or her payment did not go
through and to give the individual an opportunity to submit payment. We
request comment on the extent to which covered entities must make
reasonable efforts to secure payment from the individual prior to
submitting protected health information to the health plan for payment.
We propose to modify Sec. 164.522(a)(2) and (3) regarding
terminating restrictions and documentation of restrictions to reflect
the addition of these new requirements. First, we would modify the
language in Sec. 164.522(a)(2) to remove the term ``its agreement to''
to clarify that the termination provisions apply to all restrictions,
even those which are mandatory for the covered entity. Similarly, we
would modify the language in Sec. 164.522(a)(3) regarding
documentation to remove the words ``that agrees to a restriction'' to
make clear that the documentation requirements apply to all
restrictions, including those that would be required by proposed
paragraph (a)(1)(vi).
Additionally, we propose to modify Sec. 164.522(a)(2)(iii) to
conform to proposed paragraph (a)(1)(vi), requiring the mandatory
restrictions for certain disclosures to health plans. In particular, in
cases in which a covered entity is required to agree to a restriction
under this section, we propose to add a new paragraph (A) to paragraph
(a)(2)(iii) to clarify that a covered entity may not unilaterally
terminate such a restriction.
The proposed modifications would operate as follows with respect to
termination of a restriction under proposed paragraph (a)(1)(vi). For
example, an individual who has requested a restriction on the
disclosure of protected health information to a health plan about a
particular health care service visits the provider for follow-up
treatment, asks the provider to bill the health plan for the follow-up
visit, and does not request a restriction at the time, nor pay out of
pocket for the follow-up treatment. In such circumstances, there is no
restriction in effect with respect to the follow-up treatment. However,
the provider may need to submit information about the original
treatment to the health plan so that it can determine the medical
appropriateness or medical necessity of the follow-up care provided to
the individual. At this time, we would consider the lack of a
restriction with respect to the follow-up treatment to extend to any
protected health information necessary to effect payment for such
treatment, even if such information pertained to prior treatment that
was subject to a restriction. We encourage covered entities to have an
open dialogue with individuals to
[[Page 40901]]
ensure that they are aware that protected health information may be
disclosed to the health plan unless they request an additional
restriction and pay out of pocket for the follow-up care. We request
public comment on this issue.
K. Section 164.524--Access of Individuals to Protected Health
Information
Section 164.524 of the Privacy Rule currently establishes, with
limited exceptions, an enforceable means by which individuals have a
right to review or obtain copies of their protected health information,
to the extent such information is maintained in the designated record
set(s) of a covered entity. An individual's right of access exists
regardless of the format of the protected health information, and the
standards and implementation specifications that address individuals'
requests for access and timely action by the covered entity (i.e.,
provision of access, denial of access, and documentation) apply to an
electronic environment in a similar manner as they do to a paper-based
environment. See The HIPAA Privacy Rule's Right of Access and Health
Information Technology (providing guidance with respect to how Sec.
164.524 applies in an electronic environment and how health information
technology can facilitate providing individuals with this important
privacy right), available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/eaccess.pdf.
Section 13405(e) of the HITECH Act, which became effective February
18, 2010, strengthens the Privacy Rule's right of access with respect
to covered entities that use or maintain an electronic health record on
an individual. Section 13405(e) provides that when a covered entity
uses or maintains an electronic health record with respect to protected
health information of an individual, the individual shall have a right
to obtain from the covered entity a copy of such information in an
electronic format and the individual may direct the covered entity to
transmit such copy directly to the individual's designee, provided that
any such choice is clear, conspicuous, and specific. Section 13405(e)
also provides that any fee imposed by the covered entity for providing
such an electronic copy shall not be greater than the entity's labor
costs in responding to the request for the copy.
Section 13405(e) applies by its terms only to protected health
information in electronic health records. However, incorporating these
new provisions in such a limited manner in the Privacy Rule could
result in a complex set of disparate requirements for access to
protected health information in electronic health records systems
versus other types of electronic records systems. As such, the
Department proposes to use its authority under section 264(c) of HIPAA
to prescribe the rights individuals should have with respect to their
individually identifiable health information to strengthen the right of
access as provided under section 13405(e) of the HITECH Act more
uniformly to all protected health information maintained in one or more
designated record sets electronically, regardless of whether the
designated record set is an electronic health record. We discuss our
proposed amendments to each provision implicated by section 13405(e)
more specifically below.
Section 164.524(c)(2) of the Privacy Rule requires a covered entity
to provide the individual with access to the protected health
information in the form or format requested by the individual, if it is
readily producible in such form or format, or, if not, in a readable
hard copy form or such other form or format as agreed to by the covered
entity and the individual. Section 13405(e) of the HITECH Act expands
this requirement by explicitly requiring a covered entity that uses or
maintains an electronic health record with respect to protected health
information to provide the individual with a copy of such information
in an electronic format.
We propose to implement this statutory provision, in conjunction
with our broader authority under section 264(c) of HIPAA, by requiring,
in proposed Sec. 164.524(c)(2)(ii), that if the protected health
information requested is maintained electronically in one or more
designated record sets, the covered entity must provide the individual
with access to the electronic information in the electronic form and
format requested by the individual, if it is readily producible, or, if
not, in a readable electronic form and format as agreed to by the
covered entity and the individual. This provision would require any
covered entity that electronically maintains the protected health
information about an individual, in one or more designated record sets,
to provide the individual with an electronic copy of such information
(or summary or explanation if agreed to by the individual in accordance
with proposed Sec. 164.524(c)(2)(iii)) in the electronic form and
format requested or in an otherwise agreed upon form and format. While
an individual's right of access to an electronic copy of protected
health information is currently limited under the Privacy Rule by
whether the form or format requested is readily producible, covered
entities that maintain such information electronically in a designated
record set would be required under these proposed modifications to
provide some type of electronic copy, if requested by an individual.
Because we do not want to bind covered entities to standards that
may not yet be technologically mature, we propose to permit covered
entities to make some other agreement with individuals as to an
alternative means by which they may provide a readable electronic copy,
to the extent the requested means is not readily producible. If, for
example, a covered entity received a request to provide electronic
access via a secure Web-based portal, but the only readily producible
version of the protected health information was in portable document
format (PDF), proposed Sec. 164.524(c)(2)(ii) would require the
covered entity to provide the individual with a PDF copy of the
protected health information, if agreed to by the covered entity and
the individual. We note that while there may be circumstances where a
covered entity determines that it can comply with the Privacy Rule's
right of access by providing individuals with limited access rights to
their electronic health record, such as through a secure Web-based
portal, nothing under the current Rule or proposed modifications would
require a covered entity to do so where the covered entity determines
it is not reasonable or appropriate.
We note that the option of arriving at an alternative agreement
that satisfies both parties is already part of the requirement to
provide access under Sec. 164.524(c)(2)(i), so extension of such a
requirement to electronic access should present few implementation
difficulties. Further, as with other disclosures of protected health
information, in providing the individual with an electronic copy of
protected health information through a Web-based portal, e-mail, on
portable electronic media, or other means, covered entities should
ensure that reasonable safeguards are in place to protect the
information. We also note that the proposed modification presumes that
covered entities have the capability of providing an electronic copy of
protected health information maintained in their designated record
set(s) electronically through a secure Web-based portal, via e-mail, on
portable electronic media, or other manner. We invite public comment on
this presumption.
[[Page 40902]]
Section 164.524(c)(3) of the Privacy Rule currently requires the
covered entity to provide the access requested by the individual in a
timely manner, which includes arranging with the individual for a
convenient time and place to inspect or obtain a copy of the protected
health information, or mailing the copy of protected health information
at the individual's request. The Department has previously interpreted
this provision as requiring a covered entity to mail the copy of
protected health information to an alternative address requested by the
individual, provided the request was clearly made by the individual and
not a third party. Section 13405(e)(1) of the HITECH Act provides that
if the individual chooses, he or she shall have a right to direct the
covered entity to transmit an electronic copy of protected health
information in an electronic health record directly to an entity or
person designated by the individual, provided that such choice is
clear, conspicuous, and specific.
Based on section 13405(e)(1) of the HITECH Act and our authority
under section 264(c) of HIPAA, we propose to expand Sec. 164.524(c)(3)
to expressly provide that, if requested by an individual, a covered
entity must transmit the copy of protected health information directly
to another person designated by the individual. This proposed amendment
is consistent with the Department's prior interpretation on this issue
and would apply without regard to whether the protected health
information is in electronic or paper form. We propose to implement the
requirement of section 13405(e)(1) that the individual's ``choice [be]
clear, conspicuous, and specific'' by requiring that the individual's
request be ``in writing, signed by the individual, and clearly identify
the designated person and where to send the copy of protected health
information.'' We note that the Privacy Rule allows for electronic
documents to qualify as written documents for purposes of meeting the
Rule's requirements, as well as electronic signatures to satisfy any
requirements for a signature, to the extent the signature is valid
under applicable law. Thus, a covered entity could employ an electronic
process for receiving an individual's request to transmit a copy of
protected health information to his or her designee under this proposed
provision. Whether the process is electronic or paper-based, a covered
entity must implement reasonable policies and procedures under Sec.
164.514(h) to verify the identity of any person who requests protected
health information, as well as implement reasonable safeguards under
Sec. 164.530(c) to protect the information that is used or disclosed.
Section 164.524(c)(4) of the Privacy Rule currently permits a
covered entity to impose a reasonable, cost-based fee for a copy of
protected health information (or a summary or explanation of such
information). However, such a fee may only include the cost of: (1) The
supplies for, and labor of, copying the protected health information;
(2) the postage associated with mailing the protected health
information, if applicable; and (3) the preparation of an explanation
or summary of the protected health information, if agreed to by the
individual. With respect to providing a copy (or summary or
explanation) of protected health information from an electronic health
record in electronic form, however, section 13405(e)(2) of the HITECH
Act provides that a covered entity may not charge more than its labor
costs in responding to the request for the copy.
In response to section 13405(e)(2) of the HITECH Act, we propose to
amend Sec. 164.524(c)(4)(i) to identify separately the labor for
copying protected health information, whether in paper or electronic
form, as one factor that may be included in a reasonable cost-based
fee. While we do not propose more detailed considerations for this
factor within the regulatory text, we retain all prior interpretations
of labor with respect to paper copies--that is, that the labor cost of
copying may not include the costs associated with searching for and
retrieving the requested information. With respect to electronic
copies, we believe that a reasonable cost-based fee includes costs
attributable to the labor involved to review the access request and to
produce the electronic copy, which we expect would be negligible.
However, we would not consider a reasonable cost-based fee to include a
standard ``retrieval fee'' that does not reflect the actual labor costs
associated with the retrieval of the electronic information or that
reflects charges that are unrelated to the individual's request (e.g.,
the additional labor resulting from technical problems or a workforce
member's lack of adequate training). We invite public comment on this
aspect of our rulemaking, specifically with respect to what types of
activities related to managing electronic access requests should be
compensable aspects of labor.
We also propose to amend Sec. 164.524(c)(4)(ii) to provide
separately for the cost of supplies for creating the paper copy or
electronic media (i.e., physical media such as a compact disc (CD) or
universal serial bus (USB) flash drive), if the individual requests
that the electronic copy be provided on portable media. This
reorganization and the addition of the phrase ``electronic media''
reflects our understanding that since section 13405(e)(2) of the HITECH
Act permits only the inclusion of labor costs in the charge for
electronic copies, it by implication excludes charging for the supplies
that are used to create an electronic copy of the individual's
protected health information, such as the hardware (computers,
scanners, etc.) or software that is used to generate an electronic copy
of an individual's protected health information in response to an
access request. We note this limitation is in contrast to a covered
entity's ability to charge for supplies for hard copies of protected
health information (e.g., the cost of paper, the prorated cost of toner
and wear and tear on the printer). See 65 FR 82462, 82735, Dec. 28,
2000 (responding to a comment seeking clarification on ``capital cost
for copying'' and other supply costs by indicating that a covered
entity was free to recoup all of its reasonable costs for copying).
We believe this interpretation is consistent with the fact that, unlike
a hard copy, which generally exists on paper, an electronic copy exists
independent of media, and can be transmitted securely via multiple
methods (e.g., e-mail, a secure Web-based portal, or an individual's
own electronic media) without accruing any ancillary supply costs.
We also note, however, that our interpretation of the statute would
permit a covered entity to charge a reasonable and cost-based fee for
any electronic media it provided, as requested or agreed to by an
individual who does not provide his or her own. For example, a covered
entity can offer to make protected health information available on an
encrypted USB flash drive, and can charge a reasonable cost-based fee
for the flash drive. If, however, an individual has brought his or her
own electronic media (such as a recordable CD), requested that an
electronic copy be placed on it, and the covered entity's systems are
readily able to do so, then the covered entity would not be allowed to
require the individual to purchase an encrypted USB flash drive
instead. Likewise, if an individual requests that an electronic copy be
sent via unencrypted e-mail, the covered entity should advise the
individual of the risks associated with unencrypted e-mail, but the
covered entity would not be allowed to require the individual to
instead purchase a USB flash drive.
[[Page 40903]]
While we propose to renumber the remaining factors in Sec.
164.524(c)(4), we do not propose to amend their substance. With
respect to Sec.
164.524(c)(4)(iii), however, we note that our interpretation of the
statute would permit a covered entity to charge for postage if an
individual requests that the covered entity transmit portable media
containing an electronic copy through mail or courier (e.g., if the
individual requests that the covered entity save protected health
information to a CD and then mail the CD to a designee).
Finally, we are requesting comment on one aspect of the right to
access and obtain a copy of protected health information which the
HITECH Act did not amend. In particular, the HITECH Act did not change
the timeliness requirements for provision of access in Sec.
164.524(b). Under the current requirements, a request for access must
be approved or denied, and if approved, access or a copy of the
information provided, within 30 days of the request. In cases where the
records requested are only accessible from an off-site location, the
covered entity has an additional 30 days to respond to the request. In
extenuating circumstances where access cannot be provided within these
timeframes, the covered entity may have a one-time 30-day extension if
the individual is notified of the need for the extension within the
original timeframes.
With regard to the timeliness of the provision of access, we are
aware that with the advance of electronic health records, there is an
increasing expectation and capacity to provide individuals with almost
instantaneous electronic access to the protected health information in
those records through personal health records or similar electronic
means. On the other hand, we are not proposing to limit the right to
electronic access of protected health information to certified
electronic health records, and the variety of electronic systems that
are subject to this proposed requirement would not all be able to
comply with a timeliness standard based on personal health record
capabilities. It is our assumption that a single timeliness standard
that would address a variety of electronic systems, rather than having
a multitude of standards based on system capacity, would be the
preferred approach to avoid workability issues for covered entities.
Even under a single standard, nothing would prevent electronic health
record systems from being developed through the HITECH Act's standards
and certification process with the technological capabilities to exceed
the Privacy Rule's timeliness requirements for providing access to
individuals. Based on the assumption that a single standard would be
the preferred approach, we are interested in public comment on an
appropriate, common timeliness standard for the provision of access by
covered entities with electronic designated record sets generally. We
would appreciate comment on aspects of existing systems that would
create efficiencies in processing of requests for electronic
information, as well as those aspects of electronic systems that would
provide little change from the time required for processing a paper
record. Alternatively, we request comment on whether the current
standard could be altered for all systems, paper and electronic, such
that all requests for access should be responded to without
unreasonable delay and not later than 30 days.
We are also interested in public comment on whether, contrary to
our assumption, a variety of timeliness standards based on the type of
electronic designated record set is the preferred approach and if so,
how we should operationalize such an approach. For example, how should
we identify and characterize the various electronic designated record
sets to which the different standards would apply, such as personal
health records, electronic health records, and others? What
functionality within these electronic systems would drive the need for
more or less time to provide an individual with electronic access? What
timeliness standards would be appropriate for the different systems?
What timeliness standard(s) would be required of entities with
protected health information spread across hybrid systems that have
different functionalities? What would be the impact of and challenges
to having multiple timeliness standards for access?
Finally, we request comment on the time necessary for covered
entities to review access requests and make necessary determinations,
such as whether the granting of access would endanger the individual or
other persons so as to better understand how the time needed for these
reviews relates to the overall time needed to provide the individual
with access. Further, we request comment generally on whether the
provision which allows a covered entity an additional 30 days to
provide access to the individual if the protected health information is
maintained off-site should be eliminated altogether for both paper and
electronic records, or at least for protected health information
maintained or archived electronically because the physical location of
electronic data storage is not relevant to its accessibility.
L. Other Technical and Conforming Changes
We propose to make a number of technical and conforming changes to
the Privacy Rule to fix minor problems such as incorrect cross-
references, mistakes of grammar, and typographical errors. Technical
and conforming changes of this nature are described and explained in
the table below.
----------------------------------------------------------------------------------------------------------------
Regulation Sec.       Current language                    Proposed change                       Reason for change
----------------------------------------------------------------------------------------------------------------
164.510(b)(2)(iii)    ``based the exercise of             Insert ``on'' after ``based''.        Correct typographical error.
                      professional judgment''.
164.512(b)(1)         ``Permitted disclosures'' and       Insert ``uses and'' and ``use or''    Correct inadvertent omission.
                      ``may disclose''.                   before ``disclosures'' and
                                                          ``disclose,'' respectively.
164.512(e)(1)(iii)    ``seeking protecting health         Change ``protecting'' to              Correct typographical error.
                      information''.                      ``protected''.
164.512(e)(1)(vi)     ``paragraph (e)(1)(iv) of this      Change ``(e)(1)(iv)'' to              Correct cross-reference.
                      section''.                          ``(e)(1)(v)''.
164.512(k)(3)         ``authorized by 18 U.S.C. 3056,     Remove the comma after ``U.S.C.       Correct typographical errors.
                      or to foreign heads of state        3056'' and the ``to'' before
                      . . ., or to for the conduct of     ``for''.
                      investigations''.
----------------------------------------------------------------------------------------------------------------
In addition to the technical changes listed in the table above, we
propose a few further changes that are technical or conforming in
nature but whose rationale is more programmatic. These are as follows:
[[Page 40904]]
Section 164.506(c)(5) permits a covered entity to disclose
protected health information ``to another covered entity that
participates in the organized health care arrangement.'' We propose to
change the words ``another covered entity that participates'' to
``other participants'' because not all participants in an organized
health care arrangement may be covered entities; for example, some
physicians with staff privileges at a hospital may not be covered
entities.
Section 164.510(a)(1)(ii) permits the disclosure of directory
information to members of the clergy and other persons who ask for the
individual by name. We propose to add the words ``use or'' to this
permission, to cover the provision of such information to clergy who
are part of a facility's workforce.
Section 164.510(b)(3) covers uses and disclosures of protected
health information when the individual is not present to agree or
object to the use or disclosure, and, as pertinent here, permits
disclosure to persons only of ``the protected health information that
is directly relevant to the person's involvement with the individual's
health care.'' We propose to delete the last two quoted words and
substitute therefor the following: ``care or payment related to the
individual's health care or needed for notification purposes.'' This
change would align the text of paragraph (b)(3) with the permissions
provided for at paragraph (b)(1) of this section.
Where an employer needs protected health information to comply with
workplace medical surveillance laws, such as OSHA or MSHA, Sec.
164.512(b)(1)(v)(A) permits a covered entity to disclose, subject to
certain conditions, protected health information of an individual to
the individual's employer if the covered entity is a covered health
care provider ``who is a member of the workforce of such employer or
who provides health care to the individual at the request of the
employer.'' We propose to amend the quoted language by removing the
words ``who is a member of the workforce of such employer or'', as the
language is unnecessary.
In Sec. 164.512(k)(1)(ii), we propose to replace the word
``Transportation'' with ``Homeland Security.'' The language regarding a
component of the Department of Transportation was included to refer to
the Coast Guard; however, the Coast Guard was transferred to the
Department of Homeland Security in 2003. In addition, at Sec.
164.512(k)(5)(i)(E), we propose to replace the word ``and'' after the
semicolon with the word ``or.'' The intent of Sec. 164.512(k)(5)(i)
is not that the existence of all of the conditions is necessary to
permit the disclosure, but rather that the existence of any would
permit the disclosure.
VII. Regulatory Analyses
A. Introduction
We have prepared a regulatory impact statement in compliance with
Executive Order 12866 (September 1993, Regulatory Planning and Review),
the Regulatory Flexibility Act (RFA) (September 19, 1980, Pub. L.
96-354), the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4), and
Executive Order 13132 on Federalism.
1. Executive Order 12866
Executive Order 12866 directs agencies to assess all costs and
benefits of available regulatory alternatives and, if regulation is
necessary, to select regulatory approaches that maximize net benefits
(including potential economic, environmental, public health and safety
effects, distributive impacts, and equity). A regulatory impact
analysis must be prepared for major rules that have economically
significant effects ($100 million or more in any one year) or adversely
affect in a material way the economy, a sector of the economy,
productivity, competition, jobs, the environment, public health or
safety, or State, local, or Tribal government or communities (58 FR
51741).
We estimate that the effects of the requirement for covered
entities (including indirect costs incurred by third party
administrators, which frequently send out notices on behalf of health
plans) to issue new notices of privacy practices, will result in new
costs of $166.1 million within 12 months of the effective date of the
final rule. We estimate that the private sector will bear approximately
71 percent of the costs, with State and Federal plans bearing the
remaining 29 percent of the costs. As a result of the economic impact,
and other costs that are expected but not quantified in the regulatory
analysis below, we determined that this proposed rule is an
economically significant regulatory action within the meaning of
section 3(f)(4) of Executive Order 12866. We present our analysis of
the costs of the proposed rule in section C below.
2. Regulatory Flexibility Act
The RFA requires agencies to analyze options for regulatory relief
of small businesses if a rule has a significant impact on a substantial
number of small entities. We present our regulatory flexibility
analysis of this proposed rule in section E below.
The Act generally defines a ``small entity'' as (1) a proprietary
firm meeting the size standards of the Small Business Administration
(SBA), (2) a nonprofit organization that is not dominant in its field,
or (3) a small government jurisdiction with a population of less than
50,000. Because 90 percent or more of all health care providers meet
the SBA size standard for a small business or are nonprofit
organizations, we generally treat all health care providers as small
entities for purposes of performing a regulatory flexibility analysis.
The SBA size standard for health care providers ranges between $7.0
million and $34.5 million in annual receipts.
With respect to health insurers and third party administrators, the
SBA size standard is $7.0 million in annual receipts. While some
insurers are classified as nonprofit, it is possible they are dominant
in their market. For example, a number of Blue Cross/Blue Shield
insurers are organized as nonprofit entities; yet they dominate the
health insurance market in the States where they are licensed. In
addition, we lack the detailed information on annual receipts for
insurers and plan administrators and, therefore, we do not know how
many firms qualify as small entities. We welcome comments on the number
of small entities in the health insurer and health plan administrator
market.
3. Unfunded Mandates Reform Act
Section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA)
requires that agencies assess anticipated costs and benefits before
issuing any rule whose mandates would require spending in any one year
$100 million in 1995 dollars, updated annually for inflation. In 2010,
that threshold is approximately $135 million. UMRA does not address the
total cost of a rule. Rather, it focuses on certain categories of cost,
mainly those ``Federal mandate'' costs resulting from: (1) Imposing
enforceable duties on State, local, or Tribal governments, or on the
private sector; or (2) increasing the stringency of conditions in, or
decreasing the funding of, State, local, or Tribal governments under
entitlement programs.
We are able to identify approximately $166.1 million in costs on
both the private sector and State and Federal health plans. There may
be other costs we are not able to monetize because we lack data, and
the proposed rule may produce savings that may offset some or all of
the added costs. For this purpose, we must also separately identify
costs to be incurred by the private sector and those incurred by State
and Federal entities.
[[Page 40905]]
As noted above, of the costs we can identify, we estimate that
approximately 71 percent or $118.1 million of new costs will fall on
the private sector. For the purpose of this calculation, we included
all $46 million in provider costs as private sector costs. While we
recognize that some providers are State or Federal entities, we do not
have adequate information to estimate the number of public providers,
but we believe the number to be significantly less than 10 percent of all
providers shown in Table 1. Therefore, as we did for the RFA analysis
and for ease of calculation, we assumed that all provider costs are
private sector costs. We welcome comment on this assumption and any
information regarding the number of the public sector providers for
future analysis. With regard to identifying the costs to private sector
health plans, based on the data discussed in section C below, we
estimate that 60 percent of policy holders are served by private sector
health plans and, therefore, have allocated 60 percent of the costs to
be incurred by all health plans as private sector costs, or $72.1
million.
Similarly, we estimate that approximately 29 percent or $48 million
of the new costs will fall on State and Federal plans. As noted above,
based on the data discussed in section C below, we estimate that 40
percent of policy holders are served by public sector plans and,
therefore, have allocated 40 percent of the costs for all health plans
as public sector costs, or $48 million. Because the amount of unfunded
mandates incurred separately by either the private sector or by State,
local, and Tribal governments will not exceed the unfunded mandates
threshold of $133 million, we are not required to perform a cost-
benefit analysis under the UMRA. Nonetheless, we have prepared a cost-
benefit analysis of the proposed rule in sections C and D, below, as
required by Executive Order 12866 for an economically significant
regulation. We welcome public comment on the analysis as it bears upon
our assumptions and calculations under the UMRA.
4. Federalism
Executive Order 13132 establishes certain requirements that an
agency must meet when it promulgates a proposed rule (and subsequent
final rule) that imposes substantial direct requirement costs on State
and local governments, preempts State law, or otherwise has Federalism
implications.
The Federalism implications of the Privacy and Security Rules were
assessed as required by Executive Order 13132 and published as part of
the preambles to the final rules on December 28, 2000 (65 FR 82462,
82797) and February 20, 2003 (68 FR 8334, 8373), respectively.
Regarding preemption, the preamble to the final Privacy Rule explains
that the HIPAA statute dictates the relationship between State law and
Privacy Rule requirements, and the Rule's preemption provisions do not
raise Federalism issues. The HITECH Act, at section 13421(a), provides
that the HIPAA preemption provisions shall apply to the HITECH
provisions and requirements. While we have made minor technical changes
to the preemption provisions in Subpart B of Part 160 to conform to and
incorporate the HITECH Act preemption provisions, these changes do not
raise new Federalism issues. The proposed changes include: (1) Amending
the definitions of ``contrary'' and ``more stringent'' to reference
business associates; and (2) further amending the definition of
contrary to provide that State law would be contrary to the HIPAA
Administrative Simplification provisions if it stands as an obstacle to
the accomplishment and execution of the full purposes and objectives of
not only HIPAA, but also the HITECH Act.
We do not believe that this rule will impose substantial direct
compliance costs on State and local governments that are not required
by statute. It is our understanding that State and local government
covered entities do not engage in marketing, the sale of protected
health information, or fundraising. Therefore, the proposed
modifications in these areas would not cause additional costs to State
and local governments. We anticipate that the most significant direct
costs on State and local governments will be the cost for State and
local government-owned covered entities of drafting, printing, and
distributing revised notices of privacy practices, which would include
the cost of mailing these notices for State health plans, such as
Medicaid. However, the costs involved can be attributed to the
statutory requirements.
In considering the principles in and requirements of Executive
Order 13132, the Department has determined that these proposed
modifications to the Privacy and Security Rules will not significantly
affect the rights, roles, and responsibilities of the States.
B. Why is This Rule Needed?
The proposed rule is needed to implement several provisions of the
HITECH Act that require us to amend our regulations at 45 CFR Parts 160
and 164. These amendments primarily strengthen the privacy and security
protections for protected health information, as well as broaden the
privacy rights of individuals.
C. Costs
1. Notifying Individuals of Their New Privacy Rights
Covered entities must provide individuals with NPPs that detail how
the covered entity may use and disclose protected health information
and individuals' rights with respect to their own health information.
Due to the proposed modifications pursuant to the HITECH Act, covered
entities must modify their NPPs and distribute them to affected
individuals to advise them of the following strengthened privacy
protections: (1) The addition of the sale of protected health
information as a use or disclosure that requires the express written
authorization of the individual; (2) a separate statement that provides
advance notice to the individual if the healthcare provider receives
financial remuneration from a third party to send treatment
communications to the individual about that party's products or
services, and the right of the individual to elect not to receive such
communications; and (3) the right of the individual to restrict
disclosures of protected health information to a health plan with
respect to treatment services for which the individual has paid out of
pocket in full.
For providers, the cost of developing a new NPP consists of
drafting and printing the notice. The costs of distribution are minimal
because providers will hand out the NPPs when patients come for their
appointments. We estimate that drafting the updated NPPs will require
approximately one-third of an hour of professional legal time at
approximately $90 per hour (hourly wages of $60 plus 50 percent \5\),
or $30 per provider. The total cost for attorneys for the approximately
697,000 \6\ health care providers in the U.S. is, therefore, expected
to be approximately $21 million.
[[Page 40906]]
Printing
the NPPs will require paper and clerical time at a cost of $0.10 per
notice. We estimate that within 12 months from the effective date of
the final rule, providers will print approximately 250 million NPPs to
hand to patients who visit their offices. Printing costs for 250
million NPPs will be $25 million. The total cost for providers is
approximately $46 million.
---------------------------------------------------------------------------
\5\ http://www.bls.gov/oes/2008/may/oes231011.htm for lawyers.
\6\ We identified 701,325 entities that must prepare and deliver
NPPs that are shown in Table 1 below. This includes 696,758 HIPAA
covered entities that are health care providers, including
hospitals, nursing facilities, doctor offices, outpatient care
centers, medical diagnostic, imaging service, home health service
and other ambulatory care service covered entities, medical
equipment suppliers, and pharmacies. For the purposes of our
calculation, we have rounded this number to 697,000. Table 1 also
includes 4,567 health insurance carriers and third party
administrators working on behalf of covered health plans. The cost
estimates for these entities are addressed later.
---------------------------------------------------------------------------
For health plans, the cost of developing a new NPP consists of
drafting, printing and mailing the notice. With the exception of a few
large health plans, most health plans do not self-administer their
plans. The majority of plans are either health insurance issuers
(approximately 1,000) or utilize third party administrators that act on
their behalf in the capacity as business associates. We identified
approximately 3,500 third party administrators acting as business
associates for approximately 446,400 ERISA plans identified by the
Department of Labor. In addition, the Department of Labor identified
20,300 public non-Federal health plans that may use third party
administrators. Almost all of the public and ERISA plans, we believe,
employ third party administrators to administer their health plans.
While the third party administrators will bear the direct costs of
issuing the revised NPPs, the costs will generally be passed on to the
plans that contract with them. Those plans that self-administer their
own plans will also incur the costs of issuing the revised NPPs. We do
not know how many plans administer as well as sponsor health plans and
invite comments on the number of self-administered plans; however,
unless there were many such plans it would not have much effect on
these estimates.
For the approximately 4,500 health insurance issuers and health
plan administrators, the cost of composing and printing the NPPs will
be a similar amount per NPP to the amount calculated for providers.
However, health insurers and plan administrators will have to mail the
NPPs to policy holders. The costs for the mailing will consist of
postage and clerical time. The cost, therefore, depends on the estimate
of the number of policy holders who must receive NPPs. We did not
assume that health plans would communicate with policy holders by e-
mail because we have no data that indicate the extent to which
insurance plans and third party administrators communicate currently
with their policy holders through e-mail. We request public comment on
this assumption.
Because the Privacy Rule requires that only the named insured or
policy holder be notified of changes to the health plans' privacy
practices even if that policy also covers dependents, we expect that
only policy holders will receive the revised NPPs mandated by this
rule. For public programs such as Medicare, where each individual is a
policy holder, Medicare has a policy of mailing one notice or a set of
program materials to a household of four or fewer beneficiaries at the
same address. Although there are 45.6 million individual Medicare
beneficiaries, the program only sends out 38.8 million pieces of mail
per mailing.
Actuarial Research Corporation (ARC), our consultant, estimated the
number of policy holders for all classes of insurance products to be
approximately 183.6 million, including all public programs. The data
comes from the Medical Expenditure Panel Survey from 2004-2006
projected to 2010. ARC estimated 112.6 million private sector policy
holders and 71.0 million public ``policy holders.'' The total,
including more recent Medicare data, is 188.3 million persons (which
results in roughly a split of 60 percent private policy holders and 40
percent public ``policy holders''), whom we expect to receive NPPs from
their plans. The estimates do not capture policy holders who are in
hospitals or nursing homes at the time of the survey, or individuals
who may have been insured under more than one plan in a year, for
example, because their job status changed, they have supplemental
policies, or they have more than one employer, creating duplicate
coverage. Therefore, ARC recommended we use 200 million for the number
of NPPs that will actually be sent.
The costs of drafting, printing, and distributing the NPP are
estimated to be the following. First, drafting the NPP is estimated to
require one-third hour of legal services at a cost of $30 x 4,500
insurance plans and insurance administrative entities, which equals
$135,000. Second, the cost of printing the NPP, which includes the cost
of paper and actual printing, is estimated to be $0.10 per notice x 200
million notices, which equals $20 million. Third, the cost of
distributing the NPPs would involve clerical time to prepare the
mailings and the cost of postage. We estimate a unit cost of $0.50 per
NPP for postage and handling, using the rate of $0.44 per stamp and
$0.06 for labor (the same rates we used in the Breach Notification for
Unsecured Protected Health Information Regulations published in the
Federal Register at 74 FR 42763), which results in an estimated $100
million cost for distribution. The total cost for all plans for
drafting, printing, and distributing the NPP, therefore, is
approximately $120.1 million. We note that this total may be an
overestimation of the costs because many insurers may use bulk mailing
rates to distribute their NPPs, which would reduce their mailing costs.
The total estimated cost for both providers and health plans to
notify individuals and policy holders of changes in their privacy
rights is approximately $166.1 million in the first year following
implementation of the rule. Annualized over 10 years at three percent
and seven percent, the cost equals $194,720 and $236,489, respectively.
Table 1 below shows the number of covered entities by class of
provider and insurer that would be required to issue NPPs under the
proposed rule.
Table 1--Number of Entities by NAICS CODE\1\ Expected To Prepare and
Distribute Revised NPPs
------------------------------------------------------------------------
NAICS Providers/Suppliers Entities
------------------------------------------------------------------------
622................. Hospitals (General Medical and 4,060
Surgical, Psychiatric, Substance
Abuse, Other Specialty).
623................. Nursing Facilities (Nursing Care 34,400
Facilities, Residential Mental
Retardation Facilities, Residential
Mental Health and Substance Abuse
Facilities, Community Care
Facilities for the Elderly,
Continuing Care Retirement
Communities).
6211-6213........... Office of MDs, DOs, Mental Health 419,286
Practitioners, Dentists, PT, OT, ST,
Audiologists.
6214................ Outpatient Care Centers (Family 13,962
Planning Centers, Outpatient Mental
Health and Drug Abuse Centers, Other
Outpatient Health Centers, HMO
Medical Centers, Kidney Dialysis
Centers, Freestanding Ambulatory
Surgical and Emergency Centers, All
Other Outpatient Care Centers).
6215................ Medical Diagnostic and Imaging 7,879
Service Covered Entities.
6216................ Home Health Service Covered Entities. 15,329
6219................ Other Ambulatory Care Service Covered 5,879
Entities (Ambulance and Other).
n/a................. Durable Medical Equipment 107,567
Suppliers\2\.
4611................ Pharmacies\3\........................ 88,396
524114.............. Health Insurance Carriers............ 1,045
524292.............. Third Party Administrators Working on 3,522
Behalf of Covered Health Plans.
Total Entities....................... 701,325
------------------------------------------------------------------------
\1\ Office of Advocacy, SBA, http://www.sba.gov/advo/research/data.html.
\2\ Centers for Medicare & Medicaid Services covered entities.
\3\ The Chain Pharmacy Industry http://www.nacds.org/wmspage.cfm?parm1=507.
2. Authorization and Other Requirements for Disclosures Related to
Marketing and Sale of Protected Health Information
The proposed rule would make modifications to the definition of
``marketing,'' such that some communications to individuals about
health-related products or services that are made under health care
operations would now be considered marketing communications if the
covered entity receives financial remuneration by a third party to make
the communication. For marketing communications, individual
authorization is required. In addition, the proposal would require that
a health care provider that receives financial remuneration by a third
party in exchange for sending a treatment communication to an
individual about the third party's product or service must disclose the
fact of remuneration in the communication and provide the individual
with a clear and conspicuous opportunity to opt out of receiving future
subsidized communications. Although this proposed rule would modify the
current definition of ``marketing,'' we do not know how these
modifications would change how covered entities operate, because we do
not have information on the extent to which covered entities currently
receive financial remuneration from third parties in exchange for
sending information to individuals about the third parties'
health-related products or services. We invite public comment on this
issue.
In addition, the proposed rule would require an individual
authorization before a covered entity could disclose protected health
information in exchange for remuneration (i.e., ``sell'' protected
health information). The proposal includes several exceptions to this
authorization requirement. On its face, this proposed modification
would appear to increase the burden to covered entities by requiring
them to obtain authorizations in situations in which no authorization
is currently required. However, we believe such a scenario is unlikely
to occur. Even if covered entities attempted to obtain authorizations
in compliance with the proposed modifications, we believe most
individuals would not authorize these types of disclosures. It would
not be worthwhile for covered entities to continue to attempt to obtain
such authorizations, and as a result, we believe covered entities would
simply discontinue making such disclosures. Therefore, we believe this
proposed modification would have little to no impact on covered
entities. We request comment on this issue.
The proposed provision requiring individual authorization prior to
the sale of protected health information contains several exceptions in
which protected health information could be disclosed in exchange for
remuneration without first obtaining individual authorization. Most of
the excepted disclosures would not impose additional requirements and,
therefore, would not impose any additional burden on covered entities
to implement. However, the exception for research disclosures may
impose an additional burden on researchers. The exception applies to
disclosure of protected health information for research as long as the
remuneration received does not exceed the cost to produce and transmit
the information. Researchers who purchase data from covered entities
may now incur additional costs as a result of the proposed rule, in
order to obtain newly required authorizations, if they are currently
paying a covered entity more than the cost to produce and transmit the
protected health information (unless the covered entity is willing to
reduce its charges for the data). The proposed change would classify
such transactions as a sale, and as such would require an individual's
authorization prior to the covered entity's disclosure. This
authorization requirement also may have additional effects on research,
such that the need for authorization may skew the sample, or if the
researcher does not have the resources to obtain the authorizations
from the research subjects, the research may be jeopardized. Since we
have no information on the amounts currently paid to covered entities
by researchers for protected health information, we have no way to
estimate the impact of the provision. We welcome any comments and
information on the impact of these provisions.
3. Authorization for Compound Disclosures
The proposed rule would permit compound authorizations for research
purposes as long as it is clear to individuals that they do not have to
agree to both the conditioned and unconditioned components of an
authorization in order to receive research-related treatment. We
believe that the proposed provision would reduce burden on the research
community by eliminating the need for multiple forms for research
studies involving both a clinical trial and a related research
repository or study. However, we have no data that would permit us to
estimate the amount of burden reduction associated with this proposal.
We welcome public comment on this issue.
4. Uses and Disclosures of Decedents' Protected Health Information
The proposed rule would modify the current rule to limit the period
for which a covered entity must protect an individual's health
information to 50 years after the individual's death. We believe this
will reduce the burden on both covered entities and on those seeking
the protected health information of persons who have been deceased for
many years by eliminating the need to search for and find a personal
representative of the decedent, who in many cases may not be known or
even exist after so many years, to authorize the disclosure. We believe
this change would benefit family members and historians who may seek
access to the medical information of these decedents for personal and
public interest reasons. However, we lack any data to be able to
estimate the benefits or costs of this
provision. We welcome comments on this proposed change.
5. Uses and Disclosures for Care and Notification Purposes
The proposed rule would permit covered entities to disclose a
decedent's protected health information to family members, or other
persons involved in the individual's care or payment for care before
the individual's death, unless doing so would be inconsistent with any
prior expressed preference of the individual that is known to the
covered entity. The rights of the decedent's personal representative to
have access to the protected health information of the decedent would
remain unchanged. We believe the proposed change would reduce burden by
permitting covered entities to continue, after an individual's death,
to disclose protected health information to family members and other
persons who were involved in the individual's care while the individual
was alive, without needing to obtain authorization from the decedent's
personal representative, who may not be known or even exist. However,
we have no data to permit us to estimate the reduction in burden, and
we welcome comment on this change.
6. Public Health Disclosures
The proposed rule would create a new public health provision to
permit disclosure of proof of a child's immunization by a covered
entity to a school in States that have school entry or similar laws.
This proposed change would allow a covered health care provider to
release proof of immunization to a school without having to obtain a
written authorization, provided the provider obtained the agreement
(oral or otherwise) to the disclosure from either the parent or
guardian, or the individual, if the individual is an adult or
emancipated minor. We expect the proposed change to the regulations may
reduce the burden on covered entities and parents in obtaining and
providing written authorizations but it is unclear by how much. Since
the proposed rule would require the covered entity and the responsible
party for the student to agree that the covered entity may release
proof of immunization, some covered entities may request the agreement
in writing. In these cases, there may be little change from the current
authorization requirement in terms of the burden. Because we lack data
on the burden reduction, we cannot provide an estimate of the possible
savings. We welcome comment on the proposed change.
7. Fundraising Requirements
The proposed rule would require that any fundraising communication
sent to an individual must provide the recipient with a clear and
conspicuous opportunity to opt out of receiving any further fundraising
communications. If an individual elects to opt out, the fundraising
entity must not send that individual additional fundraising
communications. We believe that the strengthened language from the
HITECH Act that requires fundraisers to clearly and conspicuously
provide the recipient an opt-out choice from receiving future
communication and to treat such a choice as a revocation of
authorization will result in fewer unwanted fundraising communications.
However, we lack the data to estimate the effects of this change. We
request comment on the extent to which the requirement that the
opportunity to elect not to receive further fundraising communications
be clear and conspicuous would have an impact on covered entities and
their current fundraising materials.
8. Individuals' Access to Protected Health Information
Under the proposed regulations, if a covered entity maintains
protected health information electronically and the individual requests
copies of his or her protected health information in an electronic
format, the covered entity or business associate must provide the
information in the electronic format requested by the individual if
readily producible in that format, or, if not, in a different
electronic format agreed to by the covered entity and the individual.
If the covered entity provides an individual with electronic access to
protected health information, the proposed rule would only allow the
covered entity to charge the costs of labor associated with the
preparation of the request. The proposed rule clarifies the labor and
supply costs applicable to preparation of electronic requests vs. paper
requests. Labor costs to produce an electronic copy involve the cost of
reviewing and preparing the copy. Supplies for an electronic copy apply
only to the cost of the media, if applicable, for providing the
information to the individual. If the individual provides the media
(e.g., a CD or flash drive), there would be no cost for the media.
Similarly, if the information is transmitted via e-mail or some other
electronic mode, there would be no charge for media.
It is unclear whether there will be any cost increase or decrease
to either the individual or the covered entity with respect to the
individual's increased access to their electronic protected health
information. The fact that the proposed rule requires the covered
entity to provide information in an electronic format may be, in
practice, no different than the current requirement to provide
protected health information to the individual in electronic format, if
readily producible in such format. Both the current and proposed rules
continue to permit the covered entity and individual to negotiate over
the format and delivery of protected health information. By emphasizing
the provision of protected health information electronically, the
proposed rule may lower costs because postage costs are eliminated or
reduced and labor and supply costs are significantly reduced. In
conclusion, there may be some savings that result from the greater use
of electronic access to protected health information, but we cannot
quantify them.
9. Business Associates and Covered Entities and Their Contractual
Relationships
The proposed rule would extend liability for failure to comply with
the Privacy and Security Rules directly to business associates and
business associate subcontractors in a manner similar to how they now
apply to covered entities. The proposed rule would subject business
associates to many of the same standards and implementation
specifications, and to the same penalties, that apply to covered
entities under the Security Rule and to some of the same standards and
implementation specifications, and to the same penalties, that apply to
covered entities under the Privacy Rule. Additionally, business
associates would also be required to obtain satisfactory assurances in
the form of a business associate agreement from subcontractors that the
subcontractors will safeguard any protected health information in their
possession. If the business associate learns of a pattern of activity
or practice of a subcontractor that constitutes a material breach or
violation of the contract, the business associate would be required to
make reasonable attempts to repair the breach or correct the violation.
If unsuccessful, the business associate would be required to terminate
the contract, if feasible. In addition, a business associate would be
required to furnish any information the Secretary requires to
investigate whether the business associate is in compliance with the
regulations.
In the absence of reliable data to the contrary, we assume that
business associates' compliance with their contracts ranges from the
minimal compliance needed to avoid contract termination to full
compliance. The burden of the proposed rules
on business associates depends on the terms of the contract between the
covered entity and business associate, and the degree to which a
business associate established privacy policies and adopted security
measures that comport with the HIPAA Rules. For business associates
that have already taken HIPAA-compliant measures to protect the privacy
and security of the protected health information in their possession,
the proposed rules with their increased penalties would impose limited
burden.
We assume that business associates in compliance with their
contracts would have already designated personnel to be responsible for
formulating the organization's privacy and security policies, performed
a risk analysis, and invested in hardware and software to prevent and
monitor for internal and external breaches of protected health
information. We expect that most business associates make a good-faith
effort to follow the terms of their contracts and comply with current
security and privacy standards.
For those business associates that have not already adopted HIPAA-
compliant privacy and security standards for protected health
information, the risk of criminal and/or civil monetary penalties may
spur them to increase their efforts to comply with the privacy and
security standards. Up to this point, the consequences of failing to
meet the privacy and security standards were limited to a business loss
in the form of a terminated contract. In the context of the business
associate's overall business, the risk of losing the contract may not
be a sufficient incentive to warrant investing in added security or
establishing privacy policies potentially at significant expense. There
may be other more benign reasons such as ignorance of potential threats
or lack of knowledgeable personnel on staff. Regardless of the reason,
to avoid the risk of the far more serious penalties in this proposed
rule, we expect that business associates and subcontractors that have
been lax in complying with the privacy and security standards may
now take steps to enhance their security procedures and strengthen
their policies for protecting the privacy of the protected health
information under their control.
As stated above, we have no information on the degree of contract
enforcement and compliance among business associates. We also lack
information regarding the size or type of business associates that
contract with covered entities. We have only rough estimates as to the
overall number of business associates, which ranges from approximately
one million to two million depending upon the number of business
associates which serve multiple covered entities. As the area of health
information technology expands, we note that the proposed rule also
includes in the definition of business associates entities such as
e-prescribing gateways, health information organizations, or other
organizations that provide data transmission services with respect to
protected health information to a covered entity.
As a result of the lack of information, we can only assume that
some business associates and subcontractors comply with existing
privacy and security standards. For them, the proposed rules would
impose only a limited burden. For business associates that do not have
HIPAA-compliant privacy policies and security procedures, the proposed
rules imposing criminal and civil monetary penalties directly on
business associates and their subcontractors may incentivize these
organizations to bolster their security and privacy policies. Depending
on the current level of compliance, for some business associates, the
proposed rule could impose significant burdens. We welcome comments on
our analysis and especially invite information regarding the amount of
burden and the number of affected business associates.
The cost to renegotiate contracts between covered entities and
business associates and between business associates and subcontractors
may be minimal if we assume that all parties are living up to their
current contractual agreements. At the same time, we anticipate that an
unknown number of contracts will have to be modified to reflect the
changes in law and in the rules we propose. The time involved in
modifying a contract is estimated to be one hour of a legal
professional's time. Based on the Bureau of Labor Statistics reports,
the average hourly wage of $60 plus an estimated additional 50 percent
for benefits brings the hourly rate to $90.
Because we are allowing contracts to be phased in over one year
from the compliance date or 18 months from the effective date of the
final rule, we expect that the costs of modifying contracts will be
incorporated into the normal renegotiation of contracts as the
contracts expire. We believe that most contracts will be renegotiated
over the phase-in period. In addition, the Department expects to issue
revised sample business associate contract language when these rules
are finalized, which may help to lessen the costs associated with
contract modifications. Under these assumptions, the costs will be
minimal. We request comments on the number of contracts and covered
entities that will not be able to complete renegotiation of their
contracts with their business associates within 18 months.
Even with the phase-in period for renegotiating contracts, we
expect there will be an unknown number of covered entities and business
associates that will have to renegotiate their contracts before the
terms of their current contracts expire because: (1) some contracts may
extend beyond the 18-month period, (2) fear of incurring civil or
criminal penalties may motivate the parties to ensure they are in
compliance with the new rules, and (3) the covered entity and business
associate may have established only the minimum requirements and seek
to strengthen their compliance under the new rules.
As stated previously, we are unsure which of these scenarios
applies. We welcome comments on the extent of cost to renegotiate
contracts.
D. Benefits
The proposed modifications pursuant to the HITECH Act would provide
benefits to individuals. The benefits for individuals include added
information on their rights through an expanded NPP and greater control
over the uses and disclosures of their personal health information by
expanding the requirements to obtain authorization before a covered
entity or business associate can disclose their protected health
information in exchange for remuneration and to restrict certain
disclosures at the request of the individual. Under the proposed rule,
individuals would also have easier access to their protected health
information in an electronic format, and relatives and friends of
deceased persons would be able to obtain the person's protected health
information when there is no personal representative or without
obtaining authorization under some circumstances. In addition, covered
entities would only need to protect the health information of decedents
for 50 years after their death, as opposed to protecting the
information in perpetuity as is required by the current rule. This
would also mean that the personal health information of persons who had
been deceased for many years would be available to historians,
researchers, and family members. Also, individuals' rights with respect
to fundraising communications would be strengthened. In States that
require immunization information for school attendance, schools would
have an easier time obtaining immunization records because the proposed
rule would eliminate the need for written authorization.
Under the proposed rule, pursuant to the HITECH Act, an
individual's health information will be afforded greater protection
since business associates of covered entities would share
responsibility with the covered entity for safeguarding against
impermissible disclosures of protected health information. Business
associates and subcontractors would be subject to criminal and civil
penalties for violating the privacy and security of protected health
information entrusted to them.
While we are certain that the proposed regulatory changes represent
distinct benefits, we cannot monetize their value. We have no measure
for valuing the benefit an individual would gain from the authorization
requirement when a covered entity or business associate exchanges
protected health information for remuneration. Neither do we know how
much value would be added when an individual receives their protected
health information in an electronic format nor the amount of time saved
as a result of the public health disclosure provision for student
immunizations. Also, the value that relatives and friends of a deceased
person would gain from obtaining the protected health information of
the decedent that they would not otherwise be able to obtain because
there is no personal representative or, if there is a personal
representative, without the delay of obtaining authorization, is beyond
our ability to measure. We welcome comments and information that could
improve our analysis of the benefits of the proposed rule.
E. Regulatory Flexibility Analysis
The Regulatory Flexibility Act requires agencies that issue a
proposed rule to analyze and consider options for reducing regulatory
burden if the regulation will impose a significant burden on a
substantial number of small entities. The Act requires the head of the
agency to either certify that the rule would not impose such a burden
or perform a regulatory flexibility analysis and consider alternatives
to lessen the burden.
The proposed rule would have an impact on covered providers of
health care, health insurance issuers, and third party administrators
acting on behalf of health plans, which we estimate to total 701,325.
Of the approximately $166.1 million in costs we are able to identify,
the private sector will incur approximately 71 percent of the costs or
$118.1 million. The average cost per covered entity is therefore
approximately $168. We do not view this as a significant burden. We
note that the 3,500 third party administrators included in this
calculation serve as business associates to the approximately 446,000
ERISA plans, most of which are small entities. We have no information
on how many of these plans self-administer, and we request any data the
public may provide on this question. Based on the relatively small cost
per covered entity, the Secretary certifies that the proposed rule
would not have a significant impact on a substantial number of small
entities. However, because we are not certain of all the costs this
rule may impose or the exact number of small health insurers or third
party administrators, we welcome comments that may further inform our
analysis.
Although we certify that the proposed rule will not impose a
significant burden on a substantial number of small entities, in
drafting the proposed provisions of the rule, we considered
alternatives for reducing the burden on small entities.
First, in the rule we are proposing to allow covered entities and
business associates with existing HIPAA compliant contracts twelve
months from the compliance date to renegotiate their contracts unless
the contract is renewed or modified before such date. This amount of
time plus the six months from the effective date of the rule to the
compliance date generally gives the parties 18 months to renegotiate
their agreements. We believe that the added time will reduce the cost
to revise agreements because the changes the rule requires will be
incorporated into the routine updating of covered entities' and
business associates' contracts.
Second, as we did in the final Privacy Rule published August 14,
2002 (67 FR 53182, 53264-53266), we will provide sample language for
revising the contracts between covered entities and business
associates. While the language is generic and may not suit complex
organizations with complex agreements, we believe that it will help
small entities with their contract revisions and save them time and
money in redrafting their contracts to conform to the new rules.
VIII. Collection of Information Requirements
Under the Paperwork Reduction Act of 1995 (PRA), agencies are
required to provide a 60-day notice in the Federal Register and solicit
public comment before a collection of information requirement is
submitted to the Office of Management and Budget (OMB) for review and
approval. In order to fairly evaluate whether an information collection
should be approved by OMB, section 3506(c)(2)(A) of the PRA requires
that we solicit comment on the following issues:
a. Whether the information collection is necessary and useful to
carry out the proper functions of the agency;
b. The accuracy of the agency's estimate of the information
collection burden;
c. The quality, utility, and clarity of the information to be
collected; and
d. Recommendations to minimize the information collection burden on
the affected public, including automated collection techniques.
Under the PRA, the time, effort, and financial resources necessary
to meet the information collection requirements referenced in this
section are to be considered. We explicitly seek, and will consider,
public comment on our assumptions as they relate to the PRA
requirements summarized in this section. To comment on this collection
of information or to obtain copies of the supporting statement and any
related forms for the proposed paperwork collections referenced above,
e-mail your comment or request, including your address and phone number
to [email protected], or call the Reports Clearance Office
on (202) 690-6162. Written comments and recommendations for the
proposed information collections must be directed to the OS Paperwork
Clearance Officer at the above e-mail address within 60 days.
A. Abstract
As a result of the Health Information Technology for Economic and
Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of
Division B of the American Recovery and Reinvestment Act of 2009 (ARRA)
(Pub. L. 111-5), the Office for Civil Rights (OCR) is required to
revise its information collection under the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) Privacy and Security
Rules (45 CFR Parts 160 and 164). ARRA was enacted on February 17,
2009. This supporting statement revises a previously approved OCR data
collection, OMB 0990-0294. The HITECH Act requires
modification of the Health Insurance Portability and Accountability Act
of 1996 (HIPAA) (Pub. L. 104-191) implementing regulations at 45 CFR
Parts 160 and 164, the HIPAA Privacy and Security Rules, to extend
jurisdiction to business associates and to strengthen privacy and
security protections for health information.
We have integrated this PRA notice into the Notice of Proposed
Rulemaking because the costs it describes are one-time, first-year
implementation costs. The estimated annualized burden
table below was developed using the same estimates and workload
assumptions in the impact statement in the section regarding Executive
Order 12866, above. Because the HIPAA Privacy and Security Rules have
been in effect for several years, these numbers, as revised pursuant to
the HITECH modifications, are based on past experience with the current
information collection.
With respect to the Sec. 164.520 requirement to revise the Notice
of Privacy Practices, the ``Number of Respondents'' column represents
the number of covered entities that would be required to revise their
Notices of Privacy Practices pursuant to the HITECH modifications. As
such, 701,500 covered entities would be required to modify their
Notices of Privacy Practices. Each covered entity would have to revise
one Notice of Privacy Practices, which is represented by the ``Average
Number of Responses per Respondent'' column. We estimate that each
revision would require 20 minutes to complete. As such, it would take
233,833 total burden hours for 701,500 covered entities to revise their
Notices of Privacy Practices. With respect to the Sec. 164.520
requirement for health plans to disseminate the revised Notice of
Privacy Practices, the ``Number of Respondents'' column represents the
200 million individuals to whom the revised Notice of Privacy Practices
would be sent. Each individual would receive one Notice of Privacy
Practices, which is represented by the ``Average Number of Responses
per Respondent'' column. We estimate that each health plan would need
one hour to prepare 100 Notices of Privacy Practices for mailing to
individuals. As such, the total burden hours it would take health plans
to disseminate Notices of Privacy Practices to 200 million individuals
would be two million.
With regard to the proposed business associate provisions, as
discussed in Section VI of this proposed rule, we assume that business
associates currently comply with the HIPAA Privacy and Security Rules,
and that their contracts range from minimal compliance (enough to avoid
contract termination) to full compliance. Because the proposed
rule provides that most business associates may renegotiate their
contracts during the compliance period in the normal course of
business, we anticipate no or minimal additional burden. However, for
those business associates with subcontractors, we anticipate an
increased burden associated with bringing their subcontractors into
compliance with the HIPAA Privacy and Security Rules, specifically with
regard to business associate agreements.
Currently, business associates must obtain satisfactory assurance
from their subcontractors regarding their compliance with the HIPAA
Privacy and Security Rules. We assume that business associates obtained
this satisfactory assurance via contract with their subcontractors.
This proposed rule contains a new explicit requirement that business
associates enter into contracts with their subcontractors to ensure
compliance with the HIPAA Privacy and Security Rules. Because most
business associates already have contracts in place, this new
requirement creates a minimal additional burden associated with
modification of these contracts. As discussed in Section VI above, we
estimated that it will require one hour of a legal professional's time
to modify these contracts. We estimate the number of business
associates that may have to bring subcontractors into compliance to be
1,500,000, the midpoint of our estimate of one to two million business
associates. At one hour each, this corresponds to 1,500,000 burden hours.
The overall total for respondents to comply with the information
collection requirements of the Rules is 3,733,833 burden hours. We
request comment on this estimate.
As discussed in the above paragraph, we consider the majority of,
if not all of, the burden associated with this proposed rule to result
from the requirements with regard to the Notice of Privacy Practices
and costs for business associates. However, as there may be an
additional minimal burden associated with other provisions of the
proposed rule, we request comment on the impacts of such provisions, as
follows.
With regard to the proposed marketing, sale, fundraising, and
access provisions discussed above in Section VI of this proposed rule,
we do not anticipate any significant increase in the burden to covered
entities and business associates, because covered entities already have
in place routine business policies, procedures, and forms to address
the current requirements regarding an opt-out for fundraising,
authorizations for marketing and sale of protected health information,
and the provision of access to electronic protected health information.
While the proposed rule strengthens consumer protections in each of
these areas, we do not have sufficient data on the current marketing,
sale, fundraising, and access activities of covered entities and their
business associates to calculate the impact of the increased
protections on the use of these forms and processes.
B. Estimated Annualized Burden Table
----------------------------------------------------------------------------------------------------------------
                                                                     Average number  Average burden
Section     Type of respondent                    Number of          of responses    hours per       Total burden
                                                  respondents        per respondent  response        hours
----------------------------------------------------------------------------------------------------------------
164.504     Business Associates                       1,500,000                  1               1      1,500,000
164.520     Revision of Notice of Privacy              701,500                   1           20/60        233,833
            Practices for Protected Health
            Information (drafting revised
            language)
164.520     Dissemination of Notice of Privacy     200,000,000                   1       1 per 100      2,000,000
            Practices for Protected Health
            Information (health plans)
----------------------------------------------------------------------------------------------------------------
Total                                                                                                   3,733,833
----------------------------------------------------------------------------------------------------------------
List of Subjects
45 CFR Part 160
Administrative practice and procedure, Computer technology,
Electronic information system, Electronic transactions, Employer
benefit plan, Health, Health care, Health facilities, Health insurance,
Health records, Hospitals, Investigations, Medicaid, Medical research,
Medicare, Penalties, Privacy, Reporting and record keeping
requirements, Security.
45 CFR Part 164
Administrative practice and procedure, Computer technology,
Electronic information system, Electronic transactions, Employer
benefit plan, Health, Health care, Health facilities, Health insurance,
Health records, Hospitals, Medicaid, Medical research, Medicare,
Privacy, Reporting and record keeping requirements, Security.
For the reasons set forth in the preamble, the Department proposes
to amend 45 CFR Subtitle A, Subchapter C, parts 160 and 164, as set
forth below:
PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS
1. The authority citation for part 160 is revised to read as
follows:
Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-8; sec. 264,
Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2(note)); 5
U.S.C. 552; and secs. 13400-13424, Pub. L. 111-5, 123 Stat. 258-279.
2. Revise Sec. 160.101 to read as follows:
Sec. 160.101 Statutory basis and purpose.
The requirements of this subchapter implement sections 1171-1179 of
the Social Security Act (the Act), as added by section 262 of Public
Law 104-191, section 264 of Public Law 104-191, and sections 13400-
13424 of Public Law 111-5.
3. Amend Sec. 160.102 as follows:
a. Redesignate paragraph (b) as paragraph (c); and
b. Add new paragraph (b) to read as follows:
Sec. 160.102 Applicability.
* * * * *
(b) Where provided, the standards, requirements, and implementation
specifications adopted under this subchapter apply to a business
associate.
* * * * *
4. Amend Sec. 160.103 as follows:
a. Revise the definitions of ``business associate'', ``compliance
date'', ``disclosure'', ``electronic media'', paragraph (2) of
``protected health information,'' and the definitions of ``standard'',
``State'', and ``workforce''; and
b. Add, in alphabetical order, new definitions of ``administrative
simplification provision'', ``ALJ'', ``civil money penalty or
penalty'', ``respondent'', ``subcontractor'', and ``violation or
violate''.
The revisions and additions read as follows:
Sec. 160.103 Definitions.
* * * * *
Administrative simplification provision means any requirement or
prohibition established by:
(1) 42 U.S.C. 1320d-1320d-4, 1320d-7, and 1320d-8;
(2) Section 264 of Pub. L. 104-191;
(3) Sections 13400-13424 of Public Law 111-5; or
(4) This subchapter.
ALJ means Administrative Law Judge.
* * * * *
Business associate: (1) Except as provided in paragraph (4) of this
definition, business associate means, with respect to a covered entity,
a person who:
(i) On behalf of such covered entity or of an organized health care
arrangement (as defined in this section) in which the covered entity
participates, but other than in the capacity of a member of the
workforce of such covered entity or arrangement, performs, or assists
in the performance of:
(A) A function or activity involving the use or disclosure of
protected health information, including claims processing or
administration, data analysis, processing or administration,
utilization review, quality assurance, patient safety activities listed
at 42 CFR 3.20, billing, benefit management, practice management, and
repricing; or
(B) Any other function or activity regulated by this subchapter; or
(ii) Provides, other than in the capacity of a member of the
workforce of such covered entity, legal, actuarial, accounting,
consulting, data aggregation (as defined in Sec. 164.501 of this
subchapter), management, administrative, accreditation, or financial
services to or for such covered entity, or to or for an organized
health care arrangement in which the covered entity participates, where
the provision of the service involves the disclosure of protected
health information from such covered entity or arrangement, or from
another business associate of such covered entity or arrangement, to
the person.
(2) A covered entity may be a business associate of another covered
entity.
(3) Business associate includes:
(i) A Health Information Organization, E-prescribing Gateway, or
other person that provides data transmission services with respect to
protected health information to a covered entity and that requires
access on a routine basis to such protected health information.
(ii) A person that offers a personal health record to one or more
individuals on behalf of a covered entity.
(iii) A subcontractor that creates, receives, maintains, or
transmits protected health information on behalf of the business
associate.
(4) Business associate does not include:
(i) A health care provider, with respect to disclosures by a
covered entity to the health care provider concerning the treatment of
the individual.
(ii) A plan sponsor, with respect to disclosures by a group health
plan (or by a health insurance issuer or HMO with respect to a group
health plan) to the plan sponsor, to the extent that the requirements
of Sec. 164.504(f) of this subchapter apply and are met.
(iii) A government agency, with respect to determining eligibility
for, or enrollment in, a government health plan that provides public
benefits and is administered by another government agency, or
collecting protected health information for such purposes, to the
extent such activities are authorized by law.
(iv) A covered entity participating in an organized health care
arrangement that performs a function or activity as described by
paragraph (1)(i) of this definition for or on behalf of such organized
health care arrangement, or that provides a service as described in
paragraph (1)(ii) of this definition to or for such organized health
care arrangement by virtue of such activities or services.
Civil money penalty or penalty means the amount determined under
Sec. 160.404 of this part and includes the plural of these terms.
* * * * *
Compliance date means the date by which a covered entity or
business associate must comply with a standard, implementation
specification, requirement, or modification adopted under this
subchapter.
* * * * *
Disclosure means the release, transfer, provision of access to, or
divulging in any manner of information outside the entity holding the
information.
* * * * *
Electronic media means:
(1) Electronic storage material on which data is or may be recorded
electronically, including, for example, devices in computers (hard
drives) and any removable/transportable digital memory medium, such as
magnetic tape or disk, optical disk, or digital memory card;
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
Internet (wide-open), extranet or intranet (using Internet technology
to link a business with information accessible only to collaborating
parties), leased lines, dial-up lines, private networks, and the
physical movement of removable/
transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media if the information
being exchanged did not exist in electronic form before the
transmission.
* * * * *
Protected health information * * *
(2) Protected health information excludes individually identifiable
health information:
(i) In education records covered by the Family Educational Rights
and Privacy Act, as amended, 20 U.S.C. 1232g;
(ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);
(iii) In employment records held by a covered entity in its role as
employer; and
(iv) Regarding a person who has been deceased for more than 50
years.
* * * * *
Respondent means a covered entity or business associate upon which
the Secretary has imposed, or proposes to impose, a civil money
penalty.
* * * * *
Standard means a rule, condition, or requirement:
(1) Describing the following information for products, systems,
services, or practices:
(i) Classification of components;
(ii) Specification of materials, performance, or operations; or
(iii) Delineation of procedures; or
(2) With respect to the privacy of protected health information.
* * * * *
State refers to one of the following:
(1) For a health plan established or regulated by Federal law,
State has the meaning set forth in the applicable section of the United
States Code for such health plan.
(2) For all other purposes, State means any of the several States,
the District of Columbia, the Commonwealth of Puerto Rico, the Virgin
Islands, Guam, American Samoa, and the Commonwealth of the Northern
Mariana Islands.
Subcontractor means a person who acts on behalf of a business
associate, other than in the capacity of a member of the workforce of
such business associate.
* * * * *
Violation or violate means, as the context may require, failure to
comply with an administrative simplification provision.
Workforce means employees, volunteers, trainees, and other persons
whose conduct, in the performance of work for a covered entity or
business associate, is under the direct control of such covered entity
or business associate, whether or not they are paid by the covered
entity or business associate.
5. Add Sec. 160.105 to subpart A to read as follows:
Sec. 160.105 Compliance dates for implementation of new or modified
standards and implementation specifications.
In accordance with Sec. 160.104, with respect to new standards and
implementation specifications or modifications to standards and
implementation specifications in this subchapter that become effective
after [DATE OF PUBLICATION OF THE FINAL RULE IN THE FEDERAL REGISTER],
except as otherwise provided, covered entities and business associates
must comply with the applicable new standards and implementation
specifications or modifications to standards and implementation
specifications no later than 180 days from the effective date of any
such standards or implementation specifications.
6. Revise Sec. 160.201 to read as follows:
Sec. 160.201 Statutory basis.
The provisions of this subpart implement section 1178 of the Act,
as added by section 262 of Public Law 104-191, section 264(c) of Public
Law 104-191, and section 13421(a) of Public Law 111-5.
7. In Sec. 160.202, revise the definition of ``contrary'' and
paragraph (1)(i) of the definition of ``more stringent'' to read as
follows:
Sec. 160.202 Definitions.
* * * * *
Contrary, when used to compare a provision of State law to a
standard, requirement, or implementation specification adopted under
this subchapter, means:
(1) A covered entity or business associate would find it impossible
to comply with both the State and Federal requirements; or
(2) The provision of State law stands as an obstacle to the
accomplishment and execution of the full purposes and objectives of
part C of title XI of the Act, section 264 of Public Law 104-191, or
sections 13400-13424 of Public Law 111-5, as applicable.
More stringent * * *
(1) * * *
(i) Required by the Secretary in connection with determining
whether a covered entity or business associate is in compliance with
this subchapter; or
* * * * *
8. Revise Sec. 160.300 to read as follows:
Sec. 160.300 Applicability.
This subpart applies to actions by the Secretary, covered entities,
business associates, and others with respect to ascertaining the
compliance by covered entities and business associates with, and the
enforcement of, the applicable provisions of this part 160 and parts
162 and 164 of this subchapter.
Sec. 160.302 [Removed and Reserved]
9. Remove and reserve Sec. 160.302.
10. Revise Sec. 160.304 to read as follows:
Sec. 160.304 Principles for achieving compliance.
(a) Cooperation. The Secretary will, to the extent practicable and
consistent with the provisions of this subpart, seek the cooperation of
covered entities and business associates in obtaining compliance with
the applicable administrative simplification provisions.
(b) Assistance. The Secretary may provide technical assistance to
covered entities and business associates to help them comply
voluntarily with the applicable administrative simplification
provisions.
11. In Sec. 160.306, revise paragraphs (a) and (c) to read as
follows:
Sec. 160.306 Complaints to the Secretary.
(a) Right to file a complaint. A person who believes a covered
entity or business associate is not complying with the administrative
simplification provisions may file a complaint with the Secretary.
* * * * *
(c) Investigation.
(1) The Secretary will investigate any complaint filed under this
section when a preliminary review of the facts indicates a possible
violation due to willful neglect.
(2) The Secretary may investigate any other complaint filed under
this section.
(3) An investigation under this section may include a review of the
pertinent policies, procedures, or practices of the covered entity or
business associate and of the circumstances regarding any alleged
violation.
(4) At the time of the initial written communication with the
covered entity or business associate about the complaint, the Secretary
will describe the acts and/or omissions that are the basis of the
complaint.
12. Revise Sec. 160.308 to read as follows:
Sec. 160.308 Compliance reviews.
(a) The Secretary will conduct a compliance review to determine
whether a covered entity or business associate is complying with the
applicable administrative simplification provisions when a preliminary
review of the facts indicates a possible violation due to willful
neglect.
(b) The Secretary may conduct a compliance review to determine
whether a covered entity or business associate is complying with the
applicable administrative simplification provisions in any other
circumstance.
13. Revise Sec. 160.310 to read as follows:
Sec. 160.310 Responsibilities of covered entities and business
associates.
(a) Provide records and compliance reports. A covered entity or
business associate must keep such records and submit such compliance
reports, in such time and manner and containing such information, as
the Secretary may determine to be necessary to enable the Secretary to
ascertain whether the covered entity or business associate has complied
or is complying with the applicable administrative simplification
provisions.
(b) Cooperate with complaint investigations and compliance reviews.
A covered entity or business associate must cooperate with the
Secretary, if the Secretary undertakes an investigation or compliance
review of the policies, procedures, or practices of the covered entity
or business associate to determine whether it is complying with the
applicable administrative simplification provisions.
(c) Permit access to information.
(1) A covered entity or business associate must permit access by
the Secretary during normal business hours to its facilities, books,
records, accounts, and other sources of information, including
protected health information, that are pertinent to ascertaining
compliance with the applicable administrative simplification
provisions. If the Secretary determines that exigent circumstances
exist, such as when documents may be hidden or destroyed, a covered
entity or business associate must permit access by the Secretary at any
time and without notice.
(2) If any information required of a covered entity or business
associate under this section is in the exclusive possession of any
other agency, institution, or person and the other agency, institution,
or person fails or refuses to furnish the information, the covered
entity or business associate must so certify and set forth what efforts
it has made to obtain the information.
(3) Protected health information obtained by the Secretary in
connection with an investigation or compliance review under this
subpart will not be disclosed by the Secretary, except if necessary for
ascertaining or enforcing compliance with the applicable administrative
simplification provisions, if otherwise required by law, or if
permitted under 5 U.S.C. 552a(b)(7).
14. Revise Sec. 160.312 to read as follows:
Sec. 160.312 Secretarial action regarding complaints and compliance
reviews.
(a) Resolution when noncompliance is indicated.
(1) If an investigation of a complaint pursuant to Sec. 160.306 or
a compliance review pursuant to Sec. 160.308 indicates noncompliance,
the Secretary may attempt to reach a resolution of the matter
satisfactory to the Secretary by informal means. Informal means may
include demonstrated compliance or a completed corrective action plan
or other agreement.
(2) If the matter is resolved by informal means, the Secretary will
so inform the covered entity or business associate and, if the matter
arose from a complaint, the complainant, in writing.
(3) If the matter is not resolved by informal means, the Secretary
will--
(i) So inform the covered entity or business associate and provide
the covered entity or business associate an opportunity to submit
written evidence of any mitigating factors or affirmative defenses for
consideration under Sec. Sec. 160.408 and 160.410 of this part. The
covered entity or business associate must submit any such evidence to
the Secretary within 30 days (computed in the same manner as prescribed
under Sec. 160.526 of this part) of receipt of such notification; and
(ii) If, following action pursuant to paragraph (a)(3)(i) of this
section, the Secretary finds that a civil money penalty should be
imposed, inform the covered entity or business associate of such
finding in a notice of proposed determination in accordance with Sec.
160.420 of this part.
(b) Resolution when no violation is found. If, after an
investigation pursuant to Sec. 160.306 or a compliance review pursuant
to Sec. 160.308, the Secretary determines that further action is not
warranted, the Secretary will so inform the covered entity or business
associate and, if the matter arose from a complaint, the complainant,
in writing.
15. In Sec. 160.316, revise the introductory text to read as
follows:
Sec. 160.316 Refraining from intimidation or retaliation.
A covered entity or business associate may not threaten,
intimidate, coerce, harass, discriminate against, or take any other
retaliatory action against any individual or other person for--
* * * * *
16. In Sec. 160.401, revise the definition of reasonable cause to
read as follows:
Sec. 160.401 Definitions.
* * * * *
Reasonable cause means an act or omission in which a covered entity
or business associate knew, or by exercising reasonable diligence would
have known, that the act or omission violated an administrative
simplification provision, but in which the covered entity or business
associate did not act with willful neglect.
* * * * *
17. Revise Sec. 160.402 to read as follows:
Sec. 160.402 Basis for a civil money penalty.
(a) General rule. Subject to Sec. 160.410, the Secretary will
impose a civil money penalty upon a covered entity or business
associate if the Secretary determines that the covered entity or
business associate has violated an administrative simplification
provision.
(b) Violation by more than one covered entity or business
associate.
(1) Except as provided in paragraph (b)(2) of this section, if the
Secretary determines that more than one covered entity or business
associate was responsible for a violation, the Secretary will impose a
civil money penalty against each such covered entity or business
associate.
(2) A covered entity that is a member of an affiliated covered
entity, in accordance with Sec. 164.105(b) of this subchapter, is
jointly and severally liable for a civil money penalty for a violation
of part 164 of this subchapter based on an act or omission of the
affiliated covered entity, unless it is established that another member
of the affiliated covered entity was responsible for the violation.
(c) Violation attributed to a covered entity or business associate.
(1) A covered entity is liable, in accordance with the Federal common
law of agency, for a civil money penalty for a violation based on the
act or omission of any agent of the covered entity, including a
workforce member or business associate, acting within the scope of the
agency.
(2) A business associate is liable, in accordance with the Federal
common law of agency, for a civil money penalty for a violation based
on the act or omission of any agent of the business associate,
including a workforce member or subcontractor, acting within the scope
of the agency.
18. In Sec. 160.404, revise the introductory text of paragraphs
(b)(2)(i), (b)(2)(iii), and (b)(2)(iv) to read as follows:
Sec. 160.404 Amount of a civil money penalty.
* * * * *
(b) * * *
(2) * * *
(i) For a violation in which it is established that the covered
entity or business associate did not know and, by exercising reasonable
diligence, would not have known that the covered entity or business
associate violated such provision,
* * * * *
(iii) For a violation in which it is established that the violation
was due to willful neglect and was corrected during the 30-day period
beginning on the first date the covered entity or business associate
liable for the penalty knew, or, by exercising reasonable diligence,
would have known that the violation occurred,
* * * * *
(iv) For a violation in which it is established that the violation
was due to willful neglect and was not corrected during the 30-day
period beginning on the first date the covered entity or business
associate liable for the penalty knew, or, by exercising reasonable
diligence, would have known that the violation occurred,
* * * * *
19. Revise Sec. 160.406 to read as follows:
Sec. 160.406 Violations of an identical requirement or prohibition.
The Secretary will determine the number of violations of an
administrative simplification provision based on the nature of the
covered entity's or business associate's obligation to act or not act
under the provision that is violated, such as its obligation to act in
a certain manner, or within a certain time, or to act or not act with
respect to certain persons. In the case of continuing violation of a
provision, a separate violation occurs each day the covered entity or
business associate is in violation of the provision.
20. Revise Sec. 160.408 to read as follows:
Sec. 160.408 Factors considered in determining the amount of a civil
money penalty.
In determining the amount of any civil money penalty, the Secretary
will consider the following factors, which may be mitigating or
aggravating as appropriate:
(a) The nature and extent of the violation, consideration of which
may include but is not limited to:
(1) The number of individuals affected; and
(2) The time period during which the violation occurred;
(b) The nature and extent of the harm resulting from the violation,
consideration of which may include but is not limited to:
(1) Whether the violation caused physical harm;
(2) Whether the violation resulted in financial harm;
(3) Whether the violation resulted in harm to an individual's
reputation; and
(4) Whether the violation hindered an individual's ability to
obtain health care;
(c) The history of prior compliance with the administrative
simplification provisions, including violations, by the covered entity
or business associate, consideration of which may include but is not
limited to:
(1) Whether the current violation is the same or similar to
previous indications of noncompliance;
(2) Whether and to what extent the covered entity or business
associate has attempted to correct previous indications of
noncompliance;
(3) How the covered entity or business associate has responded to
technical assistance from the Secretary provided in the context of a
compliance effort; and
(4) How the covered entity or business associate has responded to
prior complaints;
(d) The financial condition of the covered entity or business
associate, consideration of which may include but is not limited to:
(1) Whether the covered entity or business associate had financial
difficulties that affected its ability to comply;
(2) Whether the imposition of a civil money penalty would
jeopardize the ability of the covered entity or business associate to
continue to provide, or to pay for, health care; and
(3) The size of the covered entity or business associate; and
(e) Such other matters as justice may require.
21. Revise Sec. 160.410 to read as follows:
Sec. 160.410 Affirmative defenses.
(a) The Secretary may not:
(1) Prior to February 18, 2011, impose a civil money penalty on a
covered entity or business associate for an act that violates an
administrative simplification provision if the covered entity or
business associate establishes that the violation is punishable under
42 U.S.C. 1320d-6.
(2) On or after February 18, 2011, impose a civil money penalty on
a covered entity or business associate for an act that violates an
administrative simplification provision if the covered entity or
business associate establishes that a penalty has been imposed under 42
U.S.C. 1320d-6 with respect to such act.
(b) For violations occurring prior to February 18, 2009, the
Secretary may not impose a civil money penalty on a covered entity for
a violation if the covered entity establishes that an affirmative
defense exists with respect to the violation, including the following:
(1) The covered entity establishes, to the satisfaction of the
Secretary, that it did not have knowledge of the violation, determined
in accordance with the Federal common law of agency, and by exercising
reasonable diligence, would not have known that the violation occurred;
or
(2) The violation is--
(i) Due to circumstances that would make it unreasonable for the
covered entity, despite the exercise of ordinary business care and
prudence, to comply with the administrative simplification provision
violated and is not due to willful neglect; and
(ii) Corrected during either:
(A) The 30-day period beginning on the first date the covered
entity liable for the penalty knew, or by exercising reasonable
diligence would have known, that the violation occurred; or
(B) Such additional period as the Secretary determines to be
appropriate based on the nature and extent of the failure to comply.
(c) For violations occurring on or after February 18, 2009, the
Secretary may not impose a civil money penalty on a covered entity or
business associate for a violation if the covered entity or business
associate establishes to the satisfaction of the Secretary that the
violation is--
(1) Not due to willful neglect; and
(2) Corrected during either:
(i) The 30-day period beginning on the first date the covered
entity or business associate liable for the penalty knew, or, by
exercising reasonable diligence, would have known that the violation
occurred; or
(ii) Such additional period as the Secretary determines to be
appropriate based on the nature and extent of the failure to comply.
22. Revise Sec. 160.412 to read as follows:
Sec. 160.412 Waiver.
For violations described in Sec. 160.410(b)(2) or (c) that are not
corrected within the period specified under such paragraphs, the
Secretary may waive the civil money penalty, in whole or in part, to
the extent that the payment of the penalty would be excessive relative
to the violation.
23. Revise Sec. 160.418 to read as follows:
Sec. 160.418 Penalty not exclusive.
Except as otherwise provided by 42 U.S.C. 1320d-5(b)(1) and 42
U.S.C. 299b-22(f)(3), a penalty imposed under this part is in addition
to any other penalty prescribed by law.
PART 164--SECURITY AND PRIVACY
24. The authority citation for part 164 is revised to read as
follows:
Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d--1320d-8; sec.
264, Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320-2(note));
and secs. 13400--13424, Pub. L. 111-5, 123 Stat. 258-279.
25. Revise Sec. 164.102 to read as follows:
Sec. 164.102 Statutory basis.
The provisions of this part are adopted pursuant to the Secretary's
authority to prescribe standards, requirements, and implementation
specifications under part C of title XI of the Act, section 264 of
Public Law 104-191, and sections 13400--13424 of Public Law 111-5.
26. In Sec. 164.104, revise paragraph (b) to read as follows:
Sec. 164.104 Applicability.
* * * * *
(b) Where provided, the standards, requirements, and implementation
specifications adopted under this part apply to a business associate.
27. Amend Sec. 164.105 as follows:
a. Revise the introductory text of paragraph (a)(1), the
introductory text of paragraph (a)(2)(i), paragraph (a)(2)(ii), the
introductory text of paragraph (a)(2)(iii), and paragraphs
(a)(2)(iii)(A) and (B);
b. Redesignate paragraph (a)(2)(iii)(C) as paragraph (a)(2)(iii)(D)
and add new paragraph (a)(2)(iii)(C); and
c. Revise paragraph (b).
The revisions read as follows:
Sec. 164.105 Organizational requirements.
(a)(1) Standard: Health care component. If a covered entity is a
hybrid entity, the requirements of this part, other than the
requirements of this section, Sec. 164.314, and Sec. 164.504, apply
only to the health care component(s) of the entity, as specified in
this section.
(2) * * *
(i) Application of other provisions. In applying a provision of
this part, other than the requirements of this section, Sec. 164.314,
and Sec. 164.504, to a hybrid entity:
* * * * *
(ii) Safeguard requirements. The covered entity that is a hybrid
entity must ensure that a health care component of the entity complies
with the applicable requirements of this part. In particular, and
without limiting this requirement, such covered entity must ensure
that:
(A) Its health care component does not disclose protected health
information to another component of the covered entity in circumstances
in which subpart E of this part would prohibit such disclosure if the
health care component and the other component were separate and
distinct legal entities;
(B) Its health care component protects electronic protected health
information with respect to another component of the covered entity to
the same extent that it would be required under subpart C of this part
to protect such information if the health care component and the other
component were separate and distinct legal entities;
(C) If a person performs duties for both the health care component
in the capacity of a member of the workforce of such component and for
another component of the entity in the same capacity with respect to
that component, such workforce member must not use or disclose
protected health information created or received in the course of or
incident to the member's work for the health care component in a way
prohibited by subpart E of this part.
(iii) Responsibilities of the covered entity. A covered entity that
is a hybrid entity has the following responsibilities:
(A) For purposes of subpart C of part 160 of this subchapter,
pertaining to compliance and enforcement, the covered entity has the
responsibility of complying with this part.
(B) The covered entity is responsible for complying with Sec.
164.316(a) and Sec. 164.530(i), pertaining to the implementation of
policies and procedures to ensure compliance with applicable
requirements of this part, including the safeguard requirements in
paragraph (a)(2)(ii) of this section.
(C) The covered entity is responsible for complying with Sec.
164.314 and Sec. 164.504 regarding business associate arrangements and
other organizational requirements.
* * * * *
(b)(1) Standard: Affiliated covered entities. Legally separate
covered entities that are affiliated may designate themselves as a
single covered entity for purposes of this part.
(2) Implementation specifications.
(i) Requirements for designation of an affiliated covered entity.
(A) Legally separate covered entities may designate themselves
(including any health care component of such covered entity) as a
single affiliated covered entity, for purposes of this part, if all of
the covered entities designated are under common ownership or control.
(B) The designation of an affiliated covered entity must be
documented and the documentation maintained as required by paragraph
(c) of this section.
(ii) Safeguard requirements. An affiliated covered entity must
ensure that it complies with the applicable requirements of this part,
including, if the affiliated covered entity combines the functions of a
health plan, health care provider, or health care clearinghouse, Sec.
164.308(a)(4)(ii)(A) and Sec. 164.504(g), as applicable.
* * * * *
28. Revise Sec. 164.106 to read as follows:
Sec. 164.106 Relationship to other parts.
In complying with the requirements of this part, covered entities
and, where provided, business associates, are required to comply with
the applicable provisions of parts 160 and 162 of this subchapter.
29. The authority citation for subpart C of part 164 is revised to
read as follows:
Authority: 42 U.S.C. 1320d-2 and 1320d-4; sec. 13401, Pub. L.
111-5, 123 Stat. 260.
30. Revise Sec. 164.302 to read as follows:
Sec. 164.302 Applicability.
A covered entity or business associate must comply with the
applicable standards, implementation specifications, and requirements
of this subpart with respect to electronic protected health information
of a covered entity.
31. In Sec. 164.304, revise the definitions of Administrative
safeguards and Physical safeguards to read as follows:
Sec. 164.304 Definitions.
* * * * *
Administrative safeguards are administrative actions, and policies
and procedures, to manage the selection, development, implementation,
and maintenance of security measures to protect electronic protected
health information and to manage the conduct of the covered entity's or
business associate's workforce in relation to the protection of that
information.
* * * * *
Physical safeguards are physical measures, policies, and procedures
to protect a covered entity's or business associate's electronic
information systems and related buildings and equipment, from natural
and environmental hazards, and unauthorized intrusion.
* * * * *
32. Amend Sec. 164.306 as follows:
a. Revise the introductory text of paragraph (a) and paragraph
(a)(1);
b. Revise paragraph (b)(1), the introductory text of paragraph
(b)(2), and paragraphs (b)(2)(i) and (b)(2)(ii);
c. Revise paragraph (c);
d. Revise paragraph (d)(2), the introductory text of paragraph
(d)(3), paragraph (d)(3)(i), and the introductory text of paragraph
(d)(3)(ii); and
e. Revise paragraph (e).
The revisions read as follows:
Sec. 164.306 Security standards: General rules.
(a) General requirements. Covered entities and business associates
must do the following:
(1) Ensure the confidentiality, integrity, and availability of all
electronic protected health information the covered entity or business
associate creates, receives, maintains, or transmits.
* * * * *
(b) * * * (1) Covered entities and business associates may use any
security measures that allow the covered entity or business associate
to reasonably and appropriately implement the standards and
implementation specifications as specified in this subpart.
(2) In deciding which security measures to use, a covered entity or
business associate must take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity or
business associate.
(ii) The covered entity's or the business associate's technical
infrastructure, hardware, and software security capabilities.
* * * * *
(c) Standards. A covered entity or business associate must comply
with the applicable standards as provided in this section and in Sec.
164.308, Sec. 164.310, Sec. 164.312, Sec. 164.314 and Sec. 164.316
with respect to all electronic protected health information.
(d) * * *
(2) When a standard adopted in Sec. 164.308, Sec. 164.310, Sec.
164.312, Sec. 164.314, or Sec. 164.316 includes required
implementation specifications, a covered entity or business associate
must implement the implementation specifications.
(3) When a standard adopted in Sec. 164.308, Sec. 164.310, Sec.
164.312, Sec. 164.314, or Sec. 164.316 includes addressable
implementation specifications, a covered entity or business associate
must--
(i) Assess whether each implementation specification is a
reasonable and appropriate safeguard in its environment, when analyzed
with reference to the likely contribution to protecting electronic
protected health information; and
(ii) As applicable to the covered entity or business associate--
* * * * *
(e) Maintenance. A covered entity or business associate must review
and modify the security measures implemented under this subpart as
needed to continue provision of reasonable and appropriate protection
of electronic protected health information, and update documentation of
such security measures in accordance with Sec. 164.316(b)(2)(iii).
33. Amend Sec. 164.308 as follows:
a. Revise the introductory text of paragraph (a), paragraph
(a)(1)(ii)(A), paragraph (a)(1)(ii)(C), paragraph (a)(2), paragraph
(a)(3)(ii)(C), paragraph (a)(4)(ii)(C), paragraph (a)(6)(ii), and
paragraph (a)(8); and
b. Revise paragraph (b).
The revisions read as follows:
Sec. 164.308 Administrative safeguards.
(a) A covered entity or business associate must, in accordance with
Sec. 164.306:
(1) * * *
(ii) * * *
(A) Risk analysis (Required). Conduct an accurate and thorough
assessment of the potential risks and vulnerabilities to the
confidentiality, integrity, and availability of electronic protected
health information held by the covered entity or business associate.
* * * * *
(C) Sanction policy (Required). Apply appropriate sanctions against
workforce members who fail to comply with the security policies and
procedures of the covered entity or business associate.
* * * * *
(2) Standard: Assigned security responsibility. Identify the
security official who is responsible for the development and
implementation of the policies and procedures required by this subpart
for the covered entity or business associate.
(3) * * *
(ii) * * *
(C) Termination procedures (Addressable). Implement procedures for
terminating access to electronic protected health information when the
employment of, or other arrangement with, a workforce member ends or as
required by determinations made as specified in paragraph (a)(3)(ii)(B)
of this section.
(4) * * *
(ii) * * *
(C) Access establishment and modification (Addressable). Implement
policies and procedures that, based upon the covered entity's or the
business associate's access authorization policies, establish,
document, review, and modify a user's right of access to a workstation,
transaction, program, or process.
* * * * *
(6) * * *
(ii) Implementation specification: Response and reporting
(Required). Identify and respond to suspected or known security
incidents; mitigate, to the extent practicable, harmful effects of
security incidents that are known to the covered entity or business
associate; and document security incidents and their outcomes.
* * * * *
(8) Standard: Evaluation. Perform a periodic technical and
nontechnical evaluation, based initially upon the standards implemented
under this rule and, subsequently, in response to environmental or
operational changes affecting the security of electronic protected
health information, that establishes the extent to which a covered
entity's or business associate's security policies and procedures meet
the requirements of this subpart.
(b)(1) Business associate contracts and other arrangements. A
covered entity may permit a business associate to create, receive,
maintain, or transmit electronic protected health information on the
covered entity's behalf only if the covered entity obtains satisfactory
assurances, in accordance with Sec. 164.314(a), that the business
associate will appropriately safeguard the information. A covered
entity is not required to obtain such satisfactory assurances from a
business associate that is a subcontractor.
(2) A business associate may permit a business associate that is a
subcontractor to create, receive, maintain, or transmit electronic
protected health information on its behalf only if the business
associate obtains satisfactory assurances, in accordance with Sec.
164.314(a), that the subcontractor will appropriately safeguard the
information.
(3) Implementation specifications: Written contract or other
arrangement (Required). Document the satisfactory assurances required
by paragraph (b)(1) or (b)(2) of this section through a written
contract or other arrangement with the business associate that meets
the applicable requirements of Sec. 164.314(a).
34. Revise the introductory text of Sec. 164.310 to read as
follows:
Sec. 164.310 Physical safeguards.
A covered entity or business associate must, in accordance with
Sec. 164.306:
* * * * *
35. Revise the introductory text of Sec. 164.312 to read as
follows:
Sec. 164.312 Technical safeguards.
A covered entity or business associate must, in accordance with
Sec. 164.306:
* * * * *
36. Amend Sec. 164.314 by revising paragraphs (a) and (b)(2)(iii)
to read as follows:
Sec. 164.314 Organizational requirements.
(a)(1) Standard: Business associate contracts or other
arrangements. The contract or other arrangement required by Sec.
164.308(b)(4) must meet the requirements of paragraph (a)(2)(i),
(a)(2)(ii), or (a)(2)(iii) of this section, as applicable.
(2) Implementation specifications (Required).
(i) Business associate contracts. The contract must provide that
the business associate will--
(A) Comply with the applicable requirements of this subpart;
(B) In accordance with Sec. 164.308(b)(2), ensure that any
subcontractors that create, receive, maintain, or transmit electronic
protected health information on behalf of the business associate agree
to comply with the applicable requirements of this subpart by entering
into a contract or other arrangement that complies with this section;
and
(C) Report to the covered entity any security incident of which it
becomes aware, including breaches of unsecured protected health
information as required by Sec. 164.410.
(ii) Other arrangements. The covered entity is in compliance with
paragraph (a)(1) of this section if it has another arrangement in place
that meets the requirements of Sec. 164.504(e)(3).
(iii) Business associate contracts with subcontractors. The
requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section
apply to the contract or other arrangement between a business associate
and a subcontractor required by Sec. 164.308(b)(4) in the same manner
as such requirements apply to contracts or other arrangements between a
covered entity and business associate.
(b) * * *
(2) * * *
(iii) Ensure that any agent to whom it provides this information
agrees to implement reasonable and appropriate security measures to
protect the information; and
* * * * *
37. Revise the introductory text of Sec. 164.316 and the third
sentence of paragraph (a) to read as follows:
Sec. 164.316 Policies and procedures and documentation requirements.
A covered entity or business associate must, in accordance with
Sec. 164.306:
(a) * * * A covered entity or business associate may change its
policies and procedures at any time, provided that the changes are
documented and are implemented in accordance with this subpart.
* * * * *
38. The authority citation for subpart E of part 164 is revised to
read as follows:
Authority: 42 U.S.C. 1320d-2 and 1320d-4; sec. 264 of Pub. L.
104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)); and secs.
13400-13424, Pub. L. 111-5, 123 Stat. 258-279.
39. In Sec. 164.500, redesignate paragraph (c) as paragraph (d)
and add new paragraph (c) to read as follows:
Sec. 164.500 Applicability.
* * * * *
(c) Where provided, the standards, requirements, and implementation
specifications adopted under this subpart apply to a business associate
with respect to the protected health information of a covered entity.
* * * * *
40. Amend Sec. 164.501 as follows:
a. Revise paragraph (1) of the definition of ``health care
operations''; and
b. Revise the definition of ``marketing''.
The revisions read as follows:
Sec. 164.501 Definitions.
* * * * *
Health care operations * * *
(1) Conducting quality assessment and improvement activities,
including outcomes evaluation and development of clinical guidelines,
provided that the obtaining of generalizable knowledge is not the
primary purpose of any studies resulting from such activities; patient
safety activities (as defined in 42 CFR 3.20); population-based
activities relating to improving health or reducing health care costs,
protocol development, case management and care coordination, contacting
of health care providers and patients with information about treatment
alternatives; and related functions that do not include treatment;
* * * * *
Marketing: (1) Except as provided in paragraph (2) of this
definition, marketing means to make a communication about a product or
service that encourages recipients of the communication to purchase or
use the product or service.
(2) Marketing does not include a communication made:
(i) For treatment of an individual by a health care provider,
including case management or care coordination for the individual, or
to direct or recommend alternative treatments, therapies, health care
providers, or settings of care to the individual, provided, however,
that if the communication is in writing and the health care provider
receives financial remuneration in exchange for making the
communication, the requirements of Sec. 164.514(f)(2) are met.
(ii) To provide refill reminders or otherwise communicate about a
drug or biologic that is currently being prescribed for the individual,
only if any financial remuneration received by the covered entity in
exchange for making the communication is reasonably related to the
covered entity's cost of making the communication.
(iii) For the following health care operations activities, except
where the covered entity receives financial remuneration in exchange
for making the communication:
(A) To describe a health-related product or service (or payment for
such product or service) that is provided by, or included in a plan of
benefits of, the covered entity making the communication, including
communications about: The entities participating in a health care
provider network or health plan network; replacement of, or
enhancements to, a health plan; and health-related products or services
available only to a health plan enrollee that add value to, but are not
part of, a plan of benefits; or
(B) For case management or care coordination, contacting of
individuals with information about treatment alternatives, and related
functions to the extent these activities do not fall within the
definition of treatment.
(3) Financial remuneration means direct or indirect payment from or
on behalf of a third party whose product or service is being described.
Direct or indirect payment does not include any payment for treatment
of an individual.
* * * * *
41. In Sec. 164.502, revise paragraphs (a), (b)(1), (e), and (f)
to read as follows:
Sec. 164.502 Uses and disclosures of protected health information:
General rules.
(a) Standard. A covered entity or business associate may not use or
disclose protected health information, except as permitted or required
by this subpart or by subpart C of part 160 of this subchapter.
(1) Covered entities: Permitted uses and disclosures. A covered
entity is permitted to use or disclose protected health information as
follows:
(i) To the individual;
(ii) For treatment, payment, or health care operations, as
permitted by and in compliance with Sec. 164.506;
(iii) Incident to a use or disclosure otherwise permitted or
required by this subpart, provided that the covered entity has complied
with the applicable requirements of Sec. Sec. 164.502(b), 164.514(d),
and 164.530(c) with respect to such otherwise permitted or required use
or disclosure;
(iv) Pursuant to and in compliance with a valid authorization under
Sec. 164.508;
(v) Pursuant to an agreement under, or as otherwise permitted by,
Sec. 164.510; and
(vi) As permitted by and in compliance with this section, Sec.
164.512, Sec. 164.514(e), (f), or (g).
(2) Covered entities: Required disclosures. A covered entity is
required to disclose protected health information:
(i) To an individual, when requested under, and required by Sec.
164.524 or Sec. 164.528; and
(ii) When required by the Secretary under subpart C of part 160 of
this subchapter to investigate or determine the covered entity's
compliance with this subchapter.
(3) [Reserved]
(4) Business associates: Permitted uses and disclosures. (i) A
business associate may use or disclose protected health information
only as permitted or required by its business associate contract or
other arrangement pursuant to Sec. 164.504(e), or as required by law.
The business associate may not use or disclose protected health
information in a manner that would violate the requirements of this
subpart, if done by the covered entity, except for the purposes
specified under Sec. 164.504(e)(2)(i)(A) or (B) if such uses or
disclosures are permitted by its contract or other arrangement.
(5) Business associates: Required uses and disclosures. A business
associate is required to disclose protected health information:
(i) When required by the Secretary under subpart C of part 160 of
this subchapter to investigate or determine the business associate's
compliance with this subchapter.
(ii) To the covered entity, individual, or individual's designee,
as necessary to satisfy a covered entity's obligations under Sec.
164.524(c)(2)(ii) and (3)(ii) with respect to an individual's request
for an electronic copy of protected health information.
(b) * * * (1) Minimum necessary applies. When using or disclosing
protected health information or when requesting protected health
information from another covered entity, a covered entity or business
associate must make reasonable efforts to limit protected health
information to the minimum necessary to accomplish the intended purpose
of the use, disclosure, or request.
* * * * *
(e)(1) Standard: Disclosures to business associates. (i) A covered
entity may disclose protected health information to a business
associate and may allow a business associate to create or receive
protected health information on its behalf, if the covered entity
obtains satisfactory assurance that the business associate will
appropriately safeguard the information. A covered entity is not
required to obtain such satisfactory assurances from a business
associate that is a subcontractor.
(ii) A business associate may disclose protected health information
to a business associate that is a subcontractor and may allow the
subcontractor to create or receive protected health information on its
behalf, if the business associate obtains satisfactory assurances, in
accordance with Sec. 164.504(e)(1)(i), that the subcontractor will
appropriately safeguard the information.
(2) Implementation specification: Documentation. The satisfactory
assurances required by paragraph (e)(1) of this section must be
documented through a written contract or other written agreement or
arrangement with the business associate that meets the applicable
requirements of Sec. 164.504(e).
(f) Standard: Deceased individuals. A covered entity must comply
with the requirements of this subpart with respect to the protected
health information of a deceased individual for a period of 50 years
following the death of the individual.
* * * * *
42. In Sec. 164.504, revise paragraphs (e) and (f)(2)(ii)(B) to
read as follows:
Sec. 164.504 Uses and disclosures: Organizational requirements.
* * * * *
(e)(1) Standard: Business associate contracts. (i) The contract or
other arrangement required by Sec. 164.502(e)(2) must meet the
requirements of paragraph (e)(2), (e)(3), or (e)(5) of this section, as
applicable.
(ii) A covered entity is not in compliance with the standards in
Sec. 164.502(e) and this paragraph, if the covered entity knew of a
pattern of activity or practice of the business associate that
constituted a material breach or violation of the business associate's
obligation under the contract or other arrangement, unless the covered
entity took reasonable steps to cure the breach or end the violation,
as applicable, and, if such steps were unsuccessful, terminated the
contract or arrangement, if feasible.
(iii) A business associate is not in compliance with the standards
in Sec. 164.502(e) and this paragraph, if the business associate knew
of a pattern of activity or practice of a subcontractor that
constituted a material breach or violation of the subcontractor's
obligation under the contract or other arrangement, unless the business
associate took reasonable steps to cure the breach or end the
violation, as applicable, and, if such steps were unsuccessful,
terminated the contract or arrangement, if feasible.
(2) Implementation specifications: Business associate contracts. A
contract between the covered entity and a business associate must:
(i) Establish the permitted and required uses and disclosures of
protected health information by the business associate. The contract
may not authorize the business associate to use or further disclose the
information in a manner that would violate the requirements of this
subpart, if done by the covered entity, except that:
(A) The contract may permit the business associate to use and
disclose protected health information for the proper management and
administration of the business associate, as provided in paragraph
(e)(4) of this section; and
(B) The contract may permit the business associate to provide data
aggregation services relating to the health care operations of the
covered entity.
(ii) Provide that the business associate will:
(A) Not use or further disclose the information other than as
permitted or required by the contract or as required by law;
(B) Use appropriate safeguards and comply, where applicable, with
subpart C of this part with respect to electronic protected health
information, to prevent use or disclosure of the information other than
as provided for by its contract;
(C) Report to the covered entity any use or disclosure of the
information not provided for by its contract of which it becomes aware,
including breaches of unsecured protected health information as
required by Sec. 164.410;
(D) In accordance with Sec. 164.502(e)(1)(ii), ensure that any
subcontractors that create or receive protected health information on
behalf of the business associate agree to the same restrictions and
conditions that apply to the business associate with respect to such
information;
(E) Make available protected health information in accordance with
Sec. 164.524;
(F) Make available protected health information for amendment and
incorporate any amendments to protected health information in
accordance with Sec. 164.526;
(G) Make available the information required to provide an
accounting of disclosures in accordance with Sec. 164.528;
(H) To the extent the business associate is to carry out a covered
entity's obligation under this subpart, comply with the requirements of
this subpart that apply to the covered entity in the performance of
such obligation.
(I) Make its internal practices, books, and records relating to the
use and disclosure of protected health information received from, or
created or received by the business associate on behalf of, the covered
entity available to the Secretary for purposes of determining the
covered entity's compliance with this subpart; and
(J) At termination of the contract, if feasible, return or destroy
all protected health information received from, or created or received
by the business associate on behalf of, the covered entity that the
business associate still maintains in any form and retain no copies of
such information or, if such return or destruction is not feasible,
extend the protections of the contract to the information and limit
further uses and disclosures to those purposes that make the return or
destruction of the information infeasible.
(iii) Authorize termination of the contract by the covered entity,
if the covered entity determines that the business associate has
violated a material term of the contract.
(3) Implementation specifications: Other arrangements. (i) If a
covered entity and its business associate are both governmental
entities:
(A) The covered entity may comply with this paragraph and Sec.
164.314(a)(1), if applicable, by entering into a memorandum of
understanding with the business associate that contains terms that
accomplish the objectives of paragraph (e)(2) of this section and Sec.
164.314(a)(2), if applicable.
(B) The covered entity may comply with this paragraph and Sec.
164.314(a)(1), if applicable, if other law (including regulations
adopted by the covered entity or its business associate) contains
requirements applicable to the business associate that accomplish the
objectives of paragraph (e)(2) of this section and Sec. 164.314(a)(2),
if applicable.
(ii) If a business associate is required by law to perform a
function or activity on behalf of a covered entity or to provide a
service described in the definition of business associate in Sec.
160.103 of this subchapter to a covered entity, such covered entity may
disclose protected health information to the business associate to the
extent necessary to comply with the legal mandate without meeting the
requirements of this paragraph and Sec. 164.314(a)(1), if applicable,
provided that the covered entity attempts in good faith to obtain
satisfactory assurances as required by paragraph (e)(2) of this section
and Sec. 164.314(a)(1), if applicable, and, if such attempt fails,
documents the attempt and the reasons that such assurances cannot be
obtained.
(iii) The covered entity may omit from its other arrangements the
termination authorization required by paragraph (e)(2)(iii) of this
section, if such authorization is inconsistent with the statutory
obligations of the covered entity or its business associate.
(4) Implementation specifications: Other requirements for contracts
and other arrangements. (i) The contract or other arrangement between
the covered entity and the business associate may permit the business
associate to use the protected health information received by the
business associate in its capacity as a business associate to the
covered entity, if necessary:
(A) For the proper management and administration of the business
associate; or
(B) To carry out the legal responsibilities of the business
associate.
(ii) The contract or other arrangement between the covered entity
and the business associate may permit the business associate to
disclose the protected health information received by the business
associate in its capacity as a business associate for the purposes
described in paragraph (e)(4)(i) of this section, if:
(A) The disclosure is required by law; or
(B)(1) The business associate obtains reasonable assurances from
the person to whom the information is disclosed that it will be held
confidentially and used or further disclosed only as required by law or
for the purposes for which it was disclosed to the person; and
(2) The person notifies the business associate of any instances of
which it is aware in which the confidentiality of the information has
been breached.
(5) Implementation specifications: Business associate contracts
with subcontractors. The requirements of Sec. 164.504(e)(2) through
(e)(4) apply to the contract or other arrangement required by Sec.
164.502(e)(1)(ii) between a business associate and a business associate
that is a subcontractor in the same manner as such requirements apply
to contracts or other arrangements between a covered entity and
business associate.
(f) * * *
(2) * * *
(ii) * * *
(B) Ensure that any agents to whom it provides protected health
information received from the group health plan agree to the same
restrictions and conditions that apply to the plan sponsor with respect
to such information;
* * * * *
43. Revise Sec. 164.506(c)(5) to read as follows:
Sec. 164.506 Uses and disclosures to carry out treatment, payment, or
health care operations.
* * * * *
(c) * * *
(5) A covered entity that participates in an organized health care
arrangement may disclose protected health information about an
individual to other participants in the organized health care
arrangement for any health care operations activities of the organized
health care arrangement.
44. Amend Sec. 164.508 as follows:
a. Revise the headings of paragraphs (a), (a)(1), and (a)(2);
b. Revise paragraph (a)(3)(ii);
c. Add new paragraph (a)(4); and
d. Revise paragraphs (b)(1)(i), and (b)(3).
The revisions and additions read as follows:
Sec. 164.508 Uses and disclosures for which an authorization is
required.
(a) Standard: Authorizations for uses and disclosures--(1)
Authorization required: General rule. * * *
(2) Authorization required: Psychotherapy notes. * * *
(3) * * *
(ii) If the marketing involves direct or indirect financial
remuneration, as defined in paragraph (3) of the definition of
marketing at Sec. 164.501, to the covered entity from a third party,
the authorization must state that such remuneration is involved.
(4) Authorization required: Sale of protected health information.
(i) Notwithstanding any provision of this subpart, a covered entity
must obtain an authorization for any disclosure of protected health
information for which the disclosure is in exchange for direct or
indirect remuneration from or on behalf of the recipient of the
protected health information. Such authorization must state that the
disclosure will result in remuneration to the covered entity.
(ii) Paragraph (a)(4)(i) of this section does not apply to
disclosures of protected health information:
(A) For public health purposes pursuant to Sec. 164.512(b) or
Sec. 164.514(e);
(B) For research purposes pursuant to Sec. 164.512(i) or Sec.
164.514(e), where the only remuneration received by the covered entity
is a reasonable cost-based fee to cover the cost to prepare and
transmit the protected health information for such purposes;
(C) For treatment and payment purposes pursuant to Sec.
164.506(a);
(D) For the sale, transfer, merger, or consolidation of all or part
of the covered entity and for related due diligence as described in
paragraph (6)(iv) of the definition of health care operations and
pursuant to Sec. 164.506(a);
(E) To or by a business associate for activities that the business
associate undertakes on behalf of a covered entity pursuant to
Sec. Sec. 164.502(e) and 164.504(e), and the only remuneration
provided is by the covered entity to the business associate for the
performance of such activities;
(F) To an individual, when requested under Sec. 164.524 or Sec.
164.528;
(G) Required by law as permitted under Sec. 164.512(a); and
(H) Permitted by and in accordance with the applicable requirements
of this subpart, where the only remuneration received by the covered
entity is a reasonable, cost-based fee to cover the cost to prepare and
transmit the protected health information for such purpose or a fee
otherwise expressly permitted by other law.
(b) * * *
(1) * * *
(i) A valid authorization is a document that meets the requirements
in paragraphs (a)(3)(ii), (a)(4)(i), (c)(1), and (c)(2) of this
section, as applicable.
* * * * *
(3) Compound authorizations. An authorization for use or disclosure
of protected health information may not be combined with any other
document to create a compound authorization, except as follows:
(i) An authorization for the use or disclosure of protected health
information for a research study may be combined with any other type of
written permission for the same or another research study. This
exception includes combining an authorization for the use or disclosure
of protected health information for a research study with another
authorization for the same research study, with an authorization for
the creation or maintenance of a research database or repository, or
with a consent to participate in research. Where a covered health care
provider has conditioned the provision of research-related treatment on
the provision of one of the authorizations, as permitted under
paragraph (b)(4)(i) of this section, any compound authorization created
under this paragraph must clearly differentiate between the conditioned
and unconditioned components and provide the individual with an
opportunity to opt in to the research activities described in the
unconditioned authorization.
(ii) An authorization for a use or disclosure of psychotherapy
notes may only be combined with another authorization for a use or
disclosure of psychotherapy notes.
(iii) An authorization under this section, other than an
authorization for a use or disclosure of psychotherapy notes, may be
combined with any other such authorization under this section, except
when a covered entity has conditioned the provision of treatment,
payment, enrollment in the health plan, or eligibility for benefits
under paragraph (b)(4) of this section on the provision of one of the
authorizations. The prohibition in this paragraph on combining
authorizations where one authorization conditions the provision of
treatment, payment, enrollment in a health plan, or eligibility for
benefits under paragraph (b)(4) of this section does not apply to a
compound authorization created in accordance with paragraph (b)(3)(i)
of this section.
* * * * *
45. Amend Sec. 164.510 as follows:
a. Revise paragraph (a)(1)(ii) introductory text;
b. Revise paragraph (b)(1)(i), the second sentence of paragraph
(b)(1)(ii), paragraph (b)(2)(iii), the first sentence of paragraph
(b)(3), and paragraph (b)(4); and
c. Add new paragraph (b)(5).
The revisions and additions read as follows:
Sec. 164.510 Uses and disclosures requiring an opportunity for the
individual to agree or to object.
* * * * *
(a) * * *
(1) * * *
(ii) Use or disclose for directory purposes such information:
* * * * *
(b) * * *
(1) * * *
(i) A covered entity may, in accordance with paragraphs (b)(2),
(b)(3), or (b)(5) of this section, disclose to a family member, other
relative, or a close personal friend of the individual, or any other
person identified by the individual, the protected health information
directly relevant to such person's involvement with the individual's
health care or payment related to the individual's health care.
(ii) * * * Any such use or disclosure of protected health
information for such notification purposes must be in accordance with
paragraphs (b)(2), (b)(3), (b)(4), or (b)(5) of this section, as
applicable.
* * * * *
(2) * * *
(iii) Reasonably infers from the circumstances, based on the
exercise of professional judgment, that the individual does not object
to the disclosure.
(3) * * * If the individual is not present, or the opportunity to
agree or object to the use or disclosure cannot practicably be provided
because of the individual's incapacity or an emergency circumstance,
the covered entity may, in the exercise of professional judgment,
determine whether the disclosure is in the best interests of the
individual and, if so, disclose only the protected health information
that is directly relevant to the person's involvement with the
individual's care or payment related to the individual's health care or
needed for notification purposes. * * *
(4) Uses and disclosures for disaster relief purposes. A covered
entity may use or disclose protected health information to a public or
private entity authorized by law or by its charter to assist in
disaster relief efforts, for the purpose of coordinating with such
entities the uses or disclosures
permitted by paragraph (b)(1)(ii) of this section. The requirements in
paragraphs (b)(2), (b)(3), or (b)(5) of this section apply to such uses
and disclosures to the extent that the covered entity, in the exercise
of professional judgment, determines that the requirements do not
interfere with the ability to respond to the emergency circumstances.
(5) Uses and disclosures when the individual is deceased. If the
individual is deceased, a covered entity may disclose protected health
information of the individual to a family member, or other persons
identified in paragraph (b)(1) of this section who were involved in the
individual's care or payment for health care prior to the individual's
death, unless doing so is inconsistent with any prior expressed
preference of the individual that is known to the covered entity.
46. Amend Sec. 164.512 as follows:
a. Revise the introductory text of paragraph (b)(1) and the
introductory text of paragraph (b)(1)(v)(A);
b. Add new paragraph (b)(1)(vi);
c. Revise the introductory text of paragraph (e)(1)(iii) and
paragraph (e)(1)(vi);
d. Revise paragraph (i)(2)(iii); and
e. Revise paragraphs (k)(1)(ii), (k)(3), and (k)(5)(i)(E).
The revisions and additions read as follows:
Sec. 164.512 Uses and disclosures for which an authorization or
opportunity to agree or object is not required.
* * * * *
(b) Standard: Uses and disclosures for public health activities.
(1) Permitted uses and disclosures. A covered entity may use or
disclose protected health information for the public health activities
and purposes described in this paragraph to:
* * * * *
(v) * * *
(A) The covered entity is a covered health care provider who
provides health care to the individual at the request of the employer:
* * * * *
(vi) A school, about an individual who is a student or prospective
student of the school, if:
(A) The protected health information that is disclosed is limited
to proof of immunization;
(B) The school is required by State or other law to have such proof
of immunization prior to admitting the individual; and
(C) The covered entity obtains the agreement to the disclosure from
either:
(1) A parent, guardian, or other person acting in loco parentis of
the individual, if the individual is an unemancipated minor; or
(2) The individual, if the individual is an adult or emancipated
minor.
* * * * *
(e) * * *
(1) * * *
(iii) For the purposes of paragraph (e)(1)(ii)(A) of this section,
a covered entity receives satisfactory assurances from a party seeking
protected health information if the covered entity receives from such
party a written statement and accompanying documentation demonstrating
that: * * *
* * * * *
(vi) Notwithstanding paragraph (e)(1)(ii) of this section, a
covered entity may disclose protected health information in response to
lawful process described in paragraph (e)(1)(ii) of this section
without receiving satisfactory assurance under paragraph (e)(1)(ii)(A)
or (B) of this section, if the covered entity makes reasonable efforts
to provide notice to the individual sufficient to meet the requirements
of paragraph (e)(1)(iii) of this section or to seek a qualified
protective order sufficient to meet the requirements of paragraph
(e)(1)(v) of this section.
* * * * *
(i) * * *
(2) * * *
(iii) Protected health information needed. A brief description of
the protected health information for which use or access has been
determined to be necessary by the IRB or privacy board, pursuant to
paragraph (i)(2)(ii)(C) of this section;
* * * * *
(k) * * *
(1) * * *
(ii) Separation or discharge from military service. A covered
entity that is a component of the Departments of Defense or Homeland
Security may disclose to the Department of Veterans Affairs (DVA) the
protected health information of an individual who is a member of the
Armed Forces upon the separation or discharge of the individual from
military service for the purpose of a determination by DVA of the
individual's eligibility for or entitlement to benefits under laws
administered by the Secretary of Veterans Affairs.
* * * * *
(3) Protective services for the President and others. A covered
entity may disclose protected health information to authorized Federal
officials for the provision of protective services to the President or
other persons authorized by 18 U.S.C. 3056 or to foreign heads of state
or other persons authorized by 22 U.S.C. 2709(a)(3), or for the conduct
of investigations authorized by 18 U.S.C. 871 and 879.
* * * * *
(5) * * *
(i) * * *
(E) Law enforcement on the premises of the correctional
institution; or
* * * * *
47. In Sec. 164.514, revise paragraphs (e)(4)(ii)(C)(4) and (f) to
read as follows:
Sec. 164.514 Other requirements relating to uses and disclosures of
protected health information.
* * * * *
(e) * * *
(4) * * *
(ii) * * *
(C) * * *
(4) Ensure that any agents to whom it provides the limited data set
agree to the same restrictions and conditions that apply to the
limited data set recipient with respect to such information; and
* * * * *
(f) Fundraising and remunerated treatment communications.
(1)(i) Standard: Uses and disclosures for fundraising. Subject to
the conditions of paragraph (f)(1)(ii) of this section, a covered
entity may use, or disclose to a business associate or to an
institutionally related foundation, the following protected health
information for the purpose of raising funds for its own benefit,
without an authorization meeting the requirements of Sec. 164.508:
(A) Demographic information relating to an individual; and
(B) Dates of health care provided to an individual.
(ii) Implementation specifications: Fundraising requirements. (A) A
covered entity may not use or disclose protected health information for
fundraising purposes as otherwise permitted by paragraph (f)(1)(i) of
this section unless a statement required by Sec. 164.520(b)(1)(iii)(B)
is included in the covered entity's notice of privacy practices.
(B) With each fundraising communication sent to an individual under
this paragraph, a covered entity must provide the individual with a
clear and conspicuous opportunity to elect not to receive any further
fundraising communications. The method for an individual to elect not
to receive further fundraising communications may not cause the
individual to incur an undue burden or more than a nominal cost.
(C) A covered entity may not condition treatment or payment on the
individual's choice with respect to the receipt of fundraising
communications.
(D) A covered entity may not send fundraising communications to an
individual under this paragraph where the individual has elected not to
receive such communications under paragraph (f)(1)(ii)(B) of this
section.
(2) Standard: Uses and disclosures for remunerated treatment
communications. Where a covered health care provider receives financial
remuneration, as defined in paragraph (3) of the definition of
marketing at Sec. 164.501, in exchange for making a treatment
communication to an individual about a health-related product or
service, such communication is not marketing and does not require an
authorization meeting the requirements of Sec. 164.508, only if the
following requirements are met:
(i) The covered health care provider has included the information
required by Sec. 164.520(b)(1)(iii)(A) in its notice of privacy
practices; and
(ii) The communication discloses the fact that the covered health
care provider is receiving financial remuneration in exchange for
making the communication and provides the individual with a clear and
conspicuous opportunity to elect not to receive any further such
communications. The method for an individual to elect not to receive
further such communications may not cause the individual to incur an
undue burden or more than a nominal cost.
* * * * *
48. In Sec. 164.520, revise paragraphs (b)(1)(ii)(E), (b)(1)(iii),
and (b)(1)(iv)(A) to read as follows:
Sec. 164.520 Notice of privacy practices for protected health
information.
* * * * *
(b) * * *
(1) * * *
(ii) * * *
(E) A description of the types of uses and disclosures that require
an authorization under Sec. 164.508(a)(2)-(a)(4), a statement that
other uses and disclosures not described in the notice will be made
only with the individual's written authorization, and a statement that
the individual may revoke an authorization as provided by Sec.
164.508(b)(5).
(iii) Separate statements for certain uses or disclosures. If the
covered entity intends to engage in any of the following activities,
the description required by paragraph (b)(1)(ii)(A) of this section
must include a separate statement informing the individual of such
activities, as applicable:
(A) In accordance with Sec. 164.514(f)(2), the covered health care
provider may send treatment communications to the individual concerning
treatment alternatives or other health-related products or services
where the provider receives financial remuneration, as defined in
paragraph (3) of the definition of marketing at Sec. 164.501, in
exchange for making the communications, and the individual has a right
to opt out of receiving such communications;
(B) In accordance with Sec. 164.514(f)(1), the covered entity may
contact the individual to raise funds for the covered entity and the
individual has a right to opt out of receiving such communications; or
(C) In accordance with Sec. 164.504(f), the group health plan, or
a health insurance issuer or HMO with respect to a group health plan,
may disclose protected health information to the sponsor of the plan.
(iv) * * *
(A) The right to request restrictions on certain uses and
disclosures of protected health information as provided by Sec.
164.522(a), including a statement that the covered entity is not
required to agree to a requested restriction, except in case of a
disclosure restricted under Sec. 164.522(a)(1)(vi);
* * * * *
49. Amend Sec. 164.522 as follows:
a. Revise paragraph (a)(1)(ii);
b. Add new paragraph (a)(1)(vi); and
c. Revise the introductory text of paragraph (a)(2), and paragraphs
(a)(2)(iii), and paragraph (a)(3).
The revisions and additions read as follows:
Sec. 164.522 Rights to request privacy protection for protected
health information.
(a)(1) * * *
(ii) Except as provided in paragraph (a)(1)(vi) of this section, a
covered entity is not required to agree to a restriction.
* * * * *
(vi) A covered entity must agree to the request of an individual to
restrict disclosure of protected health information about the
individual to a health plan if:
(A) The disclosure is for the purpose of carrying out payment or
health care operations and is not otherwise required by law; and
(B) The protected health information pertains solely to a health
care item or service for which the individual, or person other than the
health plan on behalf of the individual, has paid the covered entity in
full.
(2) Implementation specifications: Terminating a restriction. A
covered entity may terminate a restriction, if:
* * * * *
(iii) The covered entity informs the individual that it is
terminating its agreement to a restriction, except that such
termination is:
(A) Not effective for protected health information restricted under
paragraph (a)(1)(vi) of this section; and
(B) Only effective with respect to protected health information
created or received after it has so informed the individual.
(3) Implementation specification: Documentation. A covered entity
must document a restriction in accordance with Sec. 160.530(j) of this
subchapter.
* * * * *
50. Amend Sec. 164.524 as follows:
a. Revise paragraph (c)(2)(i);
b. Redesignate paragraph (c)(2)(ii) as paragraph (c)(2)(iii);
c. Add new paragraph (c)(2)(ii);
d. Revise paragraphs (c)(3) and (c)(4)(i);
e. Redesignate paragraphs (c)(4)(ii) and (c)(4)(iii) as paragraphs
(c)(4)(iii) and (c)(4)(iv), respectively; and
f. Add new paragraph (c)(4)(ii).
The revisions and additions read as follows:
Sec. 164.524 Access of individuals to protected health information.
* * * * *
(c) * * *
(2) Form of access requested. (i) The covered entity must provide
the individual with access to the protected health information in the
form and format requested by the individual, if it is readily
producible in such form and format; or, if not, in a readable hard copy
form or such other form and format as agreed to by the covered entity
and the individual.
(ii) Notwithstanding paragraph (c)(2)(i) of this section, if the
protected health information that is the subject of a request for
access is maintained in one or more designated record sets
electronically and if the individual requests an electronic copy of
such information, the covered entity must provide the individual with
access to the protected health information in the electronic form and
format requested by the individual, if it is readily producible in such
form and format; or, if not, in a readable electronic form and format
as agreed to by the covered entity and the individual.
* * * * *
(3) Time and manner of access. (i) The covered entity must provide
the access as requested by the individual in a timely manner as
required by paragraph (b)(2) of this section, including arranging with
the individual for a convenient time and place to inspect or obtain a
copy of the protected health information, or mailing the copy of the
protected health information at the individual's request. The covered
entity may discuss the scope, format,
and other aspects of the request for access with the individual as
necessary to facilitate the timely provision of access.
(ii) If an individual's request for access directs the covered
entity to transmit the copy of protected health information directly to
another person designated by the individual, the covered entity must
provide the copy to the person designated by the individual. The
individual's request must be in writing, signed by the individual, and
clearly identify the designated person and where to send the copy of
protected health information.
(4) * * *
(i) Labor for copying the protected health information requested by
the individual, whether in paper or electronic form;
(ii) Supplies for creating the paper copy or electronic media if
the individual requests that the electronic copy be provided on
portable media;
* * * * *
51. In Sec. 164.532, revise paragraphs (d), (e)(1) and (e)(2) to
read as follows:
Sec. 164.532 Transition provisions.
* * * * *
(d) Standard: Effect of prior contracts or other arrangements with
business associates. Notwithstanding any other provisions of this part,
a covered entity, or business associate with respect to a
subcontractor, may disclose protected health information to a business
associate and may allow a business associate to create, receive, or use
protected health information on its behalf pursuant to a written
contract or other written arrangement with such business associate that
does not comply with Sec. Sec. 164.308(b), 164.314(a), 164.502(e), and
164.504(e), only in accordance with paragraph (e) of this section.
(e) Implementation specification: Deemed compliance. (1)
Qualification. Notwithstanding other sections of this part, a covered
entity, or business associate with respect to a subcontractor, is
deemed to be in compliance with the documentation and contract
requirements of Sec. Sec. 164.308(b), 164.314(a), 164.502(e), and
164.504(e), with respect to a particular business associate
relationship, for the time period set forth in paragraph (e)(2) of this
section, if:
(i) Prior to [DATE OF PUBLICATION OF THE FINAL RULE IN THE FEDERAL
REGISTER], such covered entity, or business associate with respect to a
subcontractor, has entered into and is operating pursuant to a written
contract or other written arrangement with the business associate that
complies with the applicable provisions of Sec. Sec. 164.314(a) or
164.504(e) that were in effect on such date; and
(ii) The contract or other arrangement is not renewed or modified
from [DATE THAT IS 60 DAYS AFTER DATE OF PUBLICATION OF THE FINAL RULE
IN THE FEDERAL REGISTER], until [DATE THAT IS 240 DAYS AFTER DATE OF
PUBLICATION OF THE FINAL RULE IN THE FEDERAL REGISTER].
(2) Limited deemed compliance period. A prior contract or other
arrangement that meets the qualification requirements in paragraph (e)
of this section shall be deemed compliant until the earlier of:
(i) The date such contract or other arrangement is renewed or
modified on or after [DATE THAT IS 240 DAYS AFTER DATE OF PUBLICATION
OF THE FINAL RULE IN THE FEDERAL REGISTER]; or
(ii) [DATE THAT IS ONE YEAR AND 240 DAYS AFTER DATE OF PUBLICATION
OF THE FINAL RULE IN THE FEDERAL REGISTER].
* * * * *
Dated: April 9, 2010.
Kathleen Sebelius,
Secretary.
Editorial Note: This document was received in the Office of the
Federal Register on July 2, 2010.
[FR Doc. 2010-16718 Filed 7-8-10; 8:45 am]
BILLING CODE 4153-01-P