Get Ready – More HIPAA Changes Are Coming

For many years, health plans, employers that sponsor self-insured health plans and healthcare providers subject to HIPAA have made significant investments in HIPAA compliance. The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) increased HIPAA’s scope and increased penalties for violations. On July 8, 2010, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued proposed rules that would make changes to HIPAA’s requirements.

Smoothing Out the Rough Spots

The proposed rules address provisions required by the HITECH Act. They also include sections to “improve the workability and effectiveness of all three sets of HIPAA Rules.” The Privacy Rule has not been amended since 2002, the Security Rule has not been amended since 2003, and, aside from certain HITECH Act changes, the Enforcement Rule has not had substantive changes since 2006. Some changes are needed to address long-standing difficulties and confusion regarding existing rule language.

One change would allow a covered entity to release information on someone who has died to family members and others who were involved in the patient’s care or payment of care prior to the death, unless the covered entity knows that doing so would be against the decedent’s wishes. This change is designed to address concerns about situations where family members have not been allowed to access information about their deceased loved ones because they did not qualify as the legal “personal representative” under state law.

Records of decedents remain protected, but the proposal contains another change related to patients who have died. The proposed rules specify that HIPAA’s protections would not apply to records of those who have been dead for at least 50 years. This would allow historians and other researchers to obtain protected health information from covered entities without the authorization of the patient or the patient’s next-of-kin if this significant amount of time has passed.

Under the current rules, covered entities can disclose information for certain public health purposes. A proposed change would allow covered entities to disclose proof of immunization to schools in states that have laws that require students to be vaccinated in order to be admitted to school. The covered entity would still need to obtain agreement from the patient or his or her personal representative in order to make the disclosure, but this agreement may be oral.

A Surprise for Subcontractors

The HITECH Act expands much of HIPAA’s reach to third parties, called business associates, that need access to protected health information to provide services to covered entities. Some document shredding companies, IT vendors, and other third parties that are subcontractors of business associates and that may, perhaps unknowingly, receive protected health information from these business associates, may be surprised to learn that these proposed rules would extend some of those HIPAA requirements to them. The proposed rules for subcontractors would apply to agents or other persons who act on behalf of business associates. The proposed rules bring back a variation of the old “chain of trust” concept in HIPAA and would require downstream entities to protect the health information they receive.

Other Changes

Notice of Privacy Practices

Many covered entities have spent significant time and resources developing HIPAA compliance programs and related documents. One of these documents is the Notice of Privacy Practices, which, in many cases, must be provided to patients and displayed at the covered entity’s premises and posted on its website. The proposed rules would require that the Notice of Privacy Practices contain additional statements relating to various topics, including authorizations and psychotherapy notes. Covered entities would also need to amend the Notice of Privacy Practices to indicate that, as required by the HITECH Act, a patient could restrict certain uses or disclosures when the patient paid out-of-pocket for the treatment. OCR has asked for comments regarding whether this document should also include additional statements regarding notifications of breaches.

Fundraising Communications

Under the HITECH Act, HHS was required to promulgate a rule requiring covered entities to provide patients with a clear and conspicuous opportunity to opt out of receiving future fundraising communications. The proposed rules would require each fundraising communication sent to include clear information about opting out. OCR is encouraging the use of toll-free phone numbers, email addresses, or similar “simple, quick, and inexpensive” ways to opt out. Requiring individuals to send a letter asking to opt out would constitute an undue burden and would not comply. OCR is soliciting comments on whether more detailed information should be allowed to be used for fundraising purposes. For example, OCR seeks comment on whether certain treatment information can be shared, such as the hospital department where a patient received services or the treatment outcome. This could allow a covered entity to avoid sending a fundraising request to a patient who had a bad treatment outcome, for example.

Marketing Communications

The HITECH Act places new limitations on marketing communications when the covered entity receives payment or other remuneration to make the communication. OCR recognizes that it may not always be easy to determine whether a health-related communication is “marketing” or “treatment,” so OCR is requesting comment on this issue.

Typographical Errors

Finally, the proposed changes include amendments that are designed to correct typographical errors in prior versions of the rule.

Next Steps

These changes are merely proposals – they are not set in stone. OCR has solicited comments on certain aspects of the proposed rules. Those wishing to comment on these provisions, or on other aspects of the proposed changes, may submit comments on or before 60 days after the date the proposed rules are published in the Federal Register.

OCR recognizes that entities subject to the rules will need some time to come into compliance once the rules become final. For many of the changes, affected entities will have 180 days beyond the rule’s effective date to comply. There may be an additional one-year transition period to modify certain business associate agreements. Entities awaiting the final rules should use this time to update their risk analyses and review existing HIPAA compliance documents so that once the rules become final, they can begin their additional compliance efforts right away.