HITECH Requirements: HHS Proposes Amendments to HIPAA Regulations

• Business Associate is defined consistent with the PSQIA and will include patient safety organizations, health information organizations, e-prescription gateways, persons that facilitate data transmission, vendors of personal health records, and subcontractors of a covered entity.
• Electronic Media will be defined to reflect the current National Institute of Standards and Technology (NIST) definition, and includes intranets as well as voice technology digitally produced from information systems and transmitted by phone.
• Deceased Persons will, in terms of their individually identifiable health information, be protected under the Privacy and Security Rules until they have been deceased more than 50 years.
• The "workforce" of a business associate includes employees, volunteers, trainees and others whose conduct is under the direct control of the business associate. Under the Privacy and Security Rules, certain obligations are imposed on business associates regarding their workforce (e.g., see Non-compliance penalties, below).
• New Social Security Act § 1176(c) will become effective on February 18, 2011 to impose specific obligations on the HHS regarding noncompliance due to willful neglect. HHS will be required to impose a penalty in the case of noncompliance due to willful neglect, and will be required to investigate where preliminary facts indicate possible willful neglect.

  The regulations clarify the distinction between willful neglect and reasonable cause. Willful neglect will not be found where, despite ordinary care and prudence, it is unreasonable for the covered entity or business associate to comply - nor will it be found where the covered entity or business associate lacks the conscious intent or reckless indifference to constitute willful neglect.

• Non-compliance penalties may be imposed on covered entities and business associates for the acts of their agents, including workforce members and subcontractors acting within the scope of the agency. Covered entities will remain liable for the acts of their business associate agents, regardless of whether a business associate agreement is in place. HHS will be revoking the exception to liability that is currently provided in that circumstance.
• Transition rules are being proposed by which business associates and covered entities can continue to operate under their existing business associate agreements up to one year after the compliance date of the regulations. Agreements will need to be brought into compliance if they are earlier modified, however.
• Common-sense exceptions to the disclosure rule will allow covered entities to disclose information about a decedent to family members and others involved in the decedent's care, and to disclose proof of immunization to a child's school on the oral authorization of a parent. (Comments are requested on the school immunization exception.)
• Notice of Privacy Practices will require material changes, including a statement that describes the uses and disclosures of PHI that would require the individual's authorization.

  Normally, material changes require a new notice to be provided within 60 days. HHS is proposing modifications to relax this requirement, however, including an option that would allow new notices to be provided at the next annual mailing to plan members. Comments are requested on the alternative proposals.

• Individual access to PHI is enhanced under HITECH, as noted above. The regulations propose further that, if PHI is maintained electronically in one or more designated record sets, the covered entity must provide access by the individual in the electronic form and format required by the individual, if readily reproducible. If not, it must be provided in a readable electronic format agreed upon by the covered entity and the individual. Also, if requested by the individual, the covered entity must transmit the PHI directly to another person designated by the individual.

  HHS is reassessing the reasonableness of the current rule that requires the covered entity to respond to the individual's request and forward the information within 30 days, in light of the increasing expectation and capacity to provide almost instantaneous electronic access to PHI. Comments on the 30-day standard are requested.

If you have any questions or need additional information about articles appearing in this or previous versions of Washington Bulletin, please contact:

Robert Davis 202.879.3094, Elizabeth Drigotas 202.879.4985, Mary Jones 202.378.5067, Stephen LaGarde 202.879-5608, Bart Massey 202.220.2104, Tom Pevarnik 202.879.5314, Sandra Rolitsky 202.220.2025, Deborah Walker 202.879.4955.

Copyright 2010, Deloitte.

BenefitsLink is an independent national employee benefits information provider, not formally affiliated with the firms and companies who kindly provide much of the content and advertisements published on this Web site, including the article shown above.