(From the July 19, 2010 issue of Deloitte's Washington Bulletin, a periodic update of legal and regulatory developments relating to Employee Benefits.)
HITECH Requirements: HHS Proposes Amendments to HIPAA Regulations
The Department of Health and Human Services (HHS) issued proposed amendments to bring the HIPAA regulations into alignment with the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). Changes will be made to the regulation's Privacy, Security and Enforcement Rules.
The regulations systematically identify the numerous changes that were formulated to bring the current Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations into alignment with recent changes in law - primarily HITECH, but also the Patient Safety and Quality Improvement Act of 2005 (PSQIA) - as well as other modifications. HITECH made major changes to HIPAA, including extending certain requirements of the Privacy and Security Rules to business associates, requiring both covered entities and business associates to provide notice of breaches of unsecured protected health information, and expanding individuals' rights to access (and to receive an accounting of disclosure of) their protected health information (PHI).
Although HITECH generally became effective on February 18, 2010, business associates and covered entities will have 180 days after the effective date of the final regulations to comply with their requirements. The preamble indicates this 180-day compliance rule is expected to apply to future modifications of the HIPAA rules as well.
Comments on the proposed regulations are requested on or before September 13, 2010.
Of the numerous and extensive changes being proposed to the HIPAA Privacy, Security, and Enforcement Rules, selected highlights are noted below.
- Business Associate is defined consistent with the PSQIA and will include patient safety organizations, health information organizations, e-prescription gateways, persons that facilitate data transmission, vendors of personal health records, and subcontractors of a covered entity.
- Electronic Media will be defined to reflect the current National Institute of Standards and Technology (NIST) definition, and includes intranets as well as voice technology digitally produced from information systems and transmitted by phone.
- Deceased Persons will, in terms of their individually identifiable health information, be protected under the Privacy and Security Rules until they have been deceased more than 50 years.
- The "workforce" of a business associate includes employees, volunteers, trainees and others whose conduct is under the direct control of the business associate. Under the Privacy and Security Rules, certain obligations are imposed on business associates regarding their workforce (e.g., see Non-compliance penalties, below).
- New Social Security Act § 1176(c) will become effective on February 18, 2011 to impose specific obligations on the HHS regarding noncompliance due to willful neglect. HHS will be required to impose a penalty in the case of noncompliance due to willful neglect, and will be required to investigate where preliminary facts indicate possible willful neglect.
The regulations clarify the distinction between willful neglect and reasonable cause. Willful neglect will not be found where, despite ordinary care and prudence, it is unreasonable for the covered entity or business associate to comply - nor will it be found where the covered entity or business associate lacks the conscious intent or reckless indifference to constitute willful neglect.
- Non-compliance penalties may be imposed on covered entities and business associates for the acts of their agents, including workforce members and subcontractors acting within the scope of the agency. Covered entities will remain liable for the acts of their business associate agents, regardless of whether a business associate agreement is in place. HHS will be revoking the exception to liability that is currently provided in that circumstance.
- Transition rules are being proposed by which business associates and covered entities can continue to operate under their existing business associate agreements up to one year after the compliance date of the regulations. Agreements will need to be brought into compliance if they are earlier modified, however.
- Common-sense exceptions to the disclosure rule will allow covered entities to disclose information about a decedent to family members and others involved in the decedent's care, and to disclose proof of immunization to a child's school on the oral authorization of a parent. (Comments are requested on the school immunization exception.)
- Notice of Privacy Practices will require material changes, including a statement that describes the uses and disclosures of PHI that would require the individual's authorization.
Normally, material changes require a new notice to be provided within 60 days. HHS is proposing modifications to relax this requirement, however, including an option that would allow new notices to be provided at the next annual mailing to plan members. Comments are requested on the alternative proposals.
- Individual access to PHI is enhanced under HITECH, as noted above. The regulations propose further that, if PHI is maintained electronically in one or more designated record sets, the covered entity must provide access by the individual in the electronic form and format required by the individual, if readily reproducible. If not, it must be provided in a readable electronic format agreed upon by the covered entity and the individual. Also, if requested by the individual, the covered entity must transmit the PHI directly to another person designated by the individual.
HHS is reassessing the reasonableness of the current rule that requires the covered entity to respond to the individual's request and forward the information within 30 days, in light of the increasing expectation and capacity to provide almost instantaneous electronic access to PHI. Comments on the 30-day standard are requested.
The information in this Washington Bulletin is general in nature only and not intended to provide advice or guidance for specific situations.
If you have any questions or need additional information about articles appearing in this or previous versions of Washington Bulletin, please contact:
Robert Davis 202.879.3094, Elizabeth Drigotas 202.879.4985, Mary Jones 202.378.5067, Stephen LaGarde 202.879.5608, Bart Massey 202.220.2104, Tom Pevarnik 202.879.5314, Sandra Rolitsky 202.220.2025, Deborah Walker 202.879.4955.
Copyright 2010, Deloitte.