Thursday, July 8, 2010

Preliminary Thoughts on the HITECH/HIPAA NPRM: Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act

The Notice of Proposed Rule Making (“NPRM”) for the proposed new regulations amending the HIPAA regulations as required by HITECH have just been informally published here. The formal publication date in the Federal Register is probably going to be July 14, 2010. This is a brief heads-up on a few issues the NPRM seems to present.
Introduction.

At this point I think the following are the key points:

• The most significant innovation is that the NPRM proposes comprehensive regulation of all entities which obtain or use PHI to perform activities or functions serving Covered Entities, whether they are Business Associates or Subcontractors (a newly defined term) of Business Associates. It no longer matters where the entity falls on a chain of contracts, or even if there is a contract in place, any entity which fits this description will be regulated and subject to penalties for failure to comply. Of course, failure to have a required Business Associate Contract in place would create a lot of HIPAA violations.

• Business Associates – including Subcontractors now, so this means all entities which obtain or use PHI to perform activities or functions serving Covered Entities, regardless of their contract status – will have to be in compliance with the Security Rule, as well as the other Business Associate compliance obligations HITECH imposes, by the date which is 180 days from the date the final rule is published. However, I believe (subject to further analysis) that all Business Associates including Subcontractors will be subject to the breach notification rules as of the date the final rule is effective.

• Business Associate Contracts which are compliant with the existing rules and in effect before the date the final rule is published will be grandfathered and “deemed compliant” for the next year and 240 days from the date the final rule is published. Business Associate Contracts which are entered into or renewed or modified after the date the final rule is published will have to be compliant with the new standards. “Evergreen” Business Associate Contracts, which renew automatically without changing, are not considered to be “renewed” for this purpose.

• My impression is that there will be a number of good reasons to want to come up with new Business Associate Contract forms to deal with the new standards and arrangements.

• Business arrangements where revenues or other remuneration are tied to PHI use or disclosure will be subject to closer scrutiny and will have to comply with some new limitations. While this shouldn’t disallow most such arrangements – though it probably will do so for some – most such arrangements should be reviewed to ensure compliance, and appropriately documented.

• We have some potentially useful new enforcement standards proposed, which clarify how violations will be classed. The upshot is, as is typical in compliance matters, that documentation of decisions and policies will be important to avoiding liability.

The NPRM also proposes regulations in a few other areas which may be important to some organizations or in some contexts.

Because this is a NPRM these proposed rules are not actually the provisions which will be required for compliance. The proposed rules are being published for comment, and final rules will published after review of the comments. Comments may be submitted for sixty days after official publication, through September 12, 2010. There is no set date for publication of final rules after that.

The effective date for compliance for the HITECH provisions to be clarified by these rules was February 18, 2010 under the legislation, which obviously has passed. In order to allow for a reasonably orderly transition DHHS has provided an extension of the compliance date through the date 180 days from publication of the final rules, for most of the regulations requiring action by Covered Entities or Business Associates. I think this probably won’t apply, however, to compliance with the breach notification regulations which were effective last September; Covered Entities and Business Associates are already subject to those.

Business Associates and Subcontractors.

The most significant changes, as expected, apply to Business Associates and “Subcontractors.” As expected, the NPRM clarifies a number of points around HITECH’s extension of HIPAA regulatory jurisdiction to Business Associates. However, the NPRM also proposes to extend the same requirements to Subcontractors of Business Associates as well. This is a potentially very significant additional extension of jurisdiction. Understanding why requires a bit of review of the “Business Associate” concept.

A Business Associate is a concept created under the initial HIPAA regulations intended to extend HIPAA’s PHI protections to information obtained by non-Covered Entities to perform activities on the Covered Entities’ behalf. The regulatory definition is therefore that a Business Associate is any “person” performs any function or activity on behalf of a Covered Entity involving the use or disclosure of PHI. Because HIPAA did not provide for jurisdiction over entities other than the statutorily established Covered Entities, the initial HIPAA regulations extended protections indirectly by requiring Covered Entities to have a specific form of contract, the Business Associate Contract, in place before allowing their Business Associates access to PHI. If the Business Associate violated the contract and did something improper with the PHI the Covered Entity was required to take actions up to and including contract termination, and the Covered Entity (but not the Business Associate) could be penalized for failure to do so.

Of course, sometimes Business Associates also need additional parties to perform functions or activities involving PHI they have on behalf of a Covered Entity, and under the initial HIPAA regulations a Business Associate Contract could include a provision allowing them to do so if they “ensure that any [such] agent, including a subcontractor” agrees to the same “conditions and restrictions” as apply to the Business Associate under its Business Associate Contract. This has generally been interpreted as a much looser standard than the Business Associate Contract requirements, and practices in this area have often been fairly relaxed.
Under the NPRM this will change, because the NPRM proposes to extend jurisdiction to Subcontractors of Business Associate, by defining them also as Business Associates and requiring Business Associates to have Business Associate Contracts with their Subcontractors. (Yes, this will be confusing to figure out, and take some analysis of the NPRM to see how it works and if there are any strange logical loops, etc.)

“Subcontractor” is now proposed to be defined as a “person who acts on behalf of a business associate, other than in the capacity of a member of the workforce of such business associate.” The definition of Business Associate is also now proposed to be modified to add Subcontractors, even though they do not have a direct relationship to the Covered Entity. Since a Subcontractor is now defined as a Business Associate, it logically seems that any person which acts on its behalf performing a function or activity involving PHI is also a Subcontractor, and therefore a Business Associate.

In other words, in any activity or function involving a chain of relationships among entities, there will need to be a chain of Business Associate Contracts. One effect of this change would therefore seem to be a broad expansion of the use of Business Associate Contracts throughout the health care sector, probably to many types of entity which never had to have them before. Less visibly, acting as a Subcontractor (even without a Business Associate Contract in place) will automatically bring an entity under HITECH/HIPAA jurisdiction, including required compliance with all the rules applicable to Business Associates.
Grandfathered Business Associate Contracts.

It will likely take some work to develop good Business Associate Contract forms for this purpose, and my impression is that due to these and some other changes it will be desirable for Covered Entities also to revise their forms. The good news, however, is that most Covered Entities and Business Associates should currently be in compliance if they have appropriate Business Associate Contract forms in place, and will have some time to implement new forms.

The NPRM proposes Business Associate Contract transition provisions which would “grandfather” Business Associate Contracts which are in place as of the date of publication of the final rules, as long as the contract is not renewed or modified during the period from sixty days from the date of publication of the final rules through the date 240 days from that date. Grandfathered contracts will then be considered compliant until the earlier of (1) their “renewal or modification” after the 240 day period, or (2) the date one year and 240 days from the date of publication of the final rules.

This is a bit confusing, but looks like it would work as follows. Assume a final rule publication date of October 1, 2010:
• Any Business Associate Contract in place before October 1, 2010 is deemed compliant (as long as it is compliant with the initial rules, of course).
• If the Business Associate Contract is “renewed or modified” at any time after October 1, 2010, the new rules will apply.
• If the Business Associate contract is not “renewed or modified,” it will have to be reviewed and possibly amended to ensure compliance with the new rules no later than May 29, 2011.

The same transition rules do not apply to other compliance obligations. In particular, Business Associates (including Subcontractors, of course) will have to be compliant with the Security Rule 180 days from the date of publication of the final rules – e.g., for a publication date of October 1, 2010, by March 30, 2011.

Business Associate Security Compliance.

There is some good news for Business Associates around Security Rule compliance, however. Business Associates will be fully required to comply with the Security Rule, as required by HITECH. However, the NPRM clarifies that Business Associates are to determine the safeguards they implement based on the “flexible factors” and “addressable specifications” applicable under 164.306 of the Security Rule. This was not clear under HITECH.

This is a helpful clarification, but does mean that Business Associates will need to document their security decision-making in more depth than they may be used to. My suspicion is that many Business Associates – especially Subcontractors which have been able to operate outside the sphere of HIPAA. This kind of Subcontractor may also not be ready to deal with the security breach notification regulations, which will kick in only 60 days after the final rules are published.

Business Arrangement Implications.

The extension of regulatory jurisdiction to every entity which uses PHI for some activity or function which serves a Covered Entity is likely to cause some entities to take a serious look at how they do business. This may become even more significant for those which are involved in processes such as data mining and other secondary uses of PHI and PHI-derived data.

Some entities may even wind up becoming regulated without knowing it, if they are far enough down a contract chain and don’t have controls to identify the sources of information they receive. This can be shown by an example given in the Preamble to the rule, where a third party administrator (“TPA”) acting as a Business Associate to a health plan contracts with a document and media shredding company to destroy records including PHI. The shredding company is a Subcontractor, and therefore a Business Associate, and therefore regulated – but won’t know that unless the TPA tells it so, or it reviews the information it is shredding and can ascertain that it is PHI from a Covered Entity which has contracted with the TPA (something the shredding company shouldn’t be doing in the first place).

A wider range of entities providing services to the health care sector than those which already know they are Business Associates should probably consider their business models, and if they involve PHI consider whether they can modify their model to avoid regulation (by avoiding PHI), or if not how they will have to adapt it to the new rules. In this connection many will also need to look at financial models, if they are at all tied to PHI (e.g. per-records processing fees, etc.), since these too are proposed to be more tightly regulated.
HITECH included a directive for regulations tightening up the sale of PHI and its use PHI for marketing, and the NPRM makes some helpful clarifications in this area.

Part of this clarification, however, is to propose standards in an area which has to date been fairly loose. The rule is now clear that individual authorization is required for the disclosure of PHI in a “sale,” unless it fits one of several specific exceptions. This rule applies whenever PHI is disclosed in return for “remuneration,” a very broad term which covers any kind of compensation. While the exceptions are intended to allow for ordinary and legitimate transactions, there are likely to be some existing arrangements which don’t fit.

Conclusion.

The NPRM presents a few other issues, and from a lawyer’s point of view some of the clarifications around enforcement standards are also helpful. Other issues not yet identified are bound to crop up, especially as we begin working through the implications. While these are not final regulations and compliance is not required, my recommendation is that entities in the health care sector – especially Business Associates, under its expanded meaning – take a careful look at possible implications for their own activities. They may find undesirable implications and want to comment, and hope their concerns will be resolved; and in some cases they may want to start planning a reorganization to change their business model or begin planning to adapt to the new reality.

Overall, my impression is that the NPRM is very consistent with the agenda of increased regulation of secondary players in the health care sector, to enable increased use of electronic health records and health information exchange. In legal terms I think it is a significant step toward that goal. I am sure there will be some changes based on comments, but I frankly would not expect important additions or deletions. I expect the final rule, which I would guess will issue some time this Fall (but it is only a guess) will be very consistent with the NPRM, so this is the shape of things to come.