On Wednesday, July 14, 2010, the Department of Health and Human Services released regulations to implement statutory provisions of the HITECH Act which impact HIPAA’s privacy, security and enforcement provisions.
The proposed rules change some of the key definitions. Under the proposed rules, “business associate” will include persons performing patient safety activities (required by the Patient Safety and Quality Improvement Act of 2005 (PSQIA)) as well as Health Information Organizations (HIOs), E-Prescribing Gateways, vendors of personal health records, and persons that facilitate data transmissions. The definition of protected health information (PHI) will explicitly not include the individually identifiable health information of persons who have been deceased for more than 50 years. And the definition of “workforce” will include employees, volunteers, trainees and other persons who work under the direct control of a business associate.
The proposed rules also extend some Security Rule and Privacy Rule requirements to business associates and their subcontractors. Business associates will now have to implement the Security Rule’s administrative, physical and technical safeguards, including documentation of appropriate policies and procedures, in the same manner as covered entities. Violations of these requirements may result in the business associate incurring civil and criminal penalties. The proposed rules would also allow business associates to use and disclose PHI only as permitted or required by HIPAA, their business associate contracts or other arrangements, or as provided by law. In addition, a business associate’s subcontractors and other “downstream entities” will have to comply with applicable provisions of the privacy and security rules in the same way as is required of the primary business associate, and will likewise be liable for noncompliance.
The proposed rules also will expand a covered entity’s liability for civil penalties for violations by a business associate, even when the covered entity has a compliant business associate agreement in place, is unaware of any practice pattern or violation by the business associate, and responds appropriately once the covered entity becomes aware of the violation.
The proposed rules will enhance an individual’s privacy rights by establishing new limits on the use and disclosure of PHI for marketing and fundraising purposes, prohibiting the sale of PHI and expanding an individual’s rights to access their PHI and to obtain restrictions on certain disclosures of PHI.
Because HHS considers these proposed rules to be material changes, covered entities will have to revise and distribute updated Notices of Privacy Practices promptly. In view of the administrative burden these new regulations impose, HHS intends to allow covered entities and business associates up to 180 days following the effective date of the final rule in which to come into compliance. Further, HHS is proposing a transition period of up to one year after the compliance date for the final rule for covered entities and business associates to revise their business associate agreements.