CDT Breaks Down Proposed Changes to HIPAA
The U.S. Department of Health and Human Services (HHS) proposed a set of significant updates to health privacy rules. The proposed rule tackles how sensitive patient information is handled under the Health Insurance Portability and Accountability Act (HIPAA), which is the nation’s foremost health privacy law. The rule is open for public comment until September 13th, and CDT intends to file a set during this period.
Although the proposed rule does not clarify some outstanding issues in the health information technology (health IT) area, CDT is encouraged that HHS’ proposed rule would strengthen patient privacy, data security and enforcement of the law. The proposed rule contains numerous changes to the HIPAA Privacy Rule; of those changes, CDT considers the four discussed below to be the most consequential.
1. Business associates
Under HIPAA, “business associates” are organizations or individuals that perform activities involving patients’ personal data on behalf of doctors, hospitals, health insurance companies and other “covered entities.” Historically, business associates were not directly accountable for complying with HIPAA privacy and security requirements. Instead, the law required covered entities and business associates to enter into specialized contracts – called “business associate agreements” – that contained certain patient privacy and security protections. However, the protections in the business associate agreements were still generally less comprehensive than those covered entities themselves were required to follow under HIPAA.
The HITECH Act made business associates directly subject to portions of the HIPAA Security Rule requiring physical, administrative and technical data safeguards. HITECH also required business associates to comply with those Privacy Rule provisions that are made applicable to them by their contract with the covered entity; in addition, business associates must comply with any changes to the Privacy Rule that were part of HITECH regardless of whether or not those provisions are in their contracts with covered entities. The proposed rule codifies these requirements, generally tracking the legislative language.
In the proposed rule, HHS – interpreting Congress’ intent in enacting HITECH – would also count subcontractors of business associates as business associates themselves. The proposed rule would therefore hold subcontractors to the same HIPAA requirements as business associates. The proposed rule would also provide that business associates may not use or disclose patient health information except as permitted under the Privacy and Enforcement Rules and within the limits of their business associate agreements.
With respect to the constraints that business associate agreements place on a business associate’s use and disclosure of patient health information, the proposed rule references the Privacy Rule language: The business associate agreement will provide that business associates cannot further use or disclose the information other than as permitted or required by the contract or by law. CDT is pleased to see HHS highlight this important component of the Privacy Rule. In the past, anecdotal reports indicate business associates may not have been sufficiently limited in their uses of patient data, in part due to overbroad agreements with covered entities and/or a failure of covered entities to more actively monitor their business associates. Business associates should not be permitted to indulge in creative expansion of vague business associate agreements to chase additional revenue streams with patient data. CDT thinks the new limits on business associates and subcontractors are excellent in concept, but would like HHS to more strongly emphasize the role of business associate agreements in restricting use of patient information. In our comments, CDT intends to request HHS be very clear that the business associate agreement is intended to limit business associates’ uses and disclosures of patient data. Although HHS provides model contract language, it is too general to be very helpful. Business associate agreements should be very specific and allow business associates to use and disclose patient data only for the tasks necessary to carry out the services for which the covered entity hired the business associate.
CDT blog post on HHS NPRM
HITECH made some very positive changes regarding enforcement of HIPAA, but the proposed rule added only a little to that which was required under HITECH. Prior to HITECH, HHS had an obligation to try and solve compliance issues with covered entities through informal means. However, HITECH states that HHS will investigate any complaint of a violation if the facts indicate that an organization was willfully neglecting HIPAA rules. HITECH also stated that HHS will impose a civil penalty in cases of willful neglect.
The proposed rule implements these requirements and also proposes a provision stating that HHS will conduct a compliance review when a preliminary review indicates willful neglect. HITECH only referred to complaints, not compliance reviews. HHS must still resolve via informal means other complaints in which the prelim review does not indicate willful neglect, but HHS maintains its discretion regarding whether or not it will conduct a compliance review or a formal investigation in cases where willful neglect is not suspected.
Through HITECH and the proposed rule, HHS now has considerably more leverage to enforce HIPAA. It remains an open question, however, whether HHS will use its new enforcement tools effectively. In the past, HHS has shown reticence to levy civil penalties for even serious violations. CDT will urge HHS to take a proactive role in HIPAA stewardship, and to conduct reviews/investigations at a lower threshold than willful neglect.
The proposed rule would add reputational harm to factors HHS will consider when deciding how severe a penalty to impose for HIPAA violations. According to the proposed rule, HHS wanted to be clear that reputational harm was as concrete as financial and physical harm, which are currently listed as penalty factors.
CDT supports the inclusion of reputational harm when deciding on penalties; however, we do not believe that regulations should consider harm to individuals to be the determining factor for whether a privacy violation took place, and CDT argued against a “harm standard” in comments to HHS on data breach notification rules. (Under the breach notification "harm standard," covered entities must notify patients of a data breach if the covered entity determines that there is a significant risk the breached data will cause physical, financial, reputational or other harm to the patient.) However, given that the harm standard for breach notification is currently in effect, it is appropriate for the penalty factors to include all the parameters of the breach notification harm standard. Thus, CDT will request that HHS include “other” harm in the penalty factors in addition to reputational harm.
CDT will also request that the penalty factors incorporate some consideration of what actually happens to the data – i.e., whether an unauthorized party accesses the data. The Federal Trade Commission issued breach notification rules that gave significant weight to unauthorized access to the breached data. A focus on whether data was compromised – not harm to individuals – was also Congress’ intent with regard to the breach notification provisions in HITECH that formed the basis of HHS’ breach notification rule.
Joint comments of CDT and the Markle Foundation on the HHS breach notification rule
CDT blog post on HHS breach notification rules
Covered entities need to obtain patient authorization to send marketing communications to patients. The Privacy Rule’s definition of marketing contains several exceptions, however, and covered entities do not need patient authorization to make communications that fall within those exceptions. The exceptions include communications about treatment, alternative therapies, and “value-added” benefits. HITECH revoked this exception when an entity receives “direct or indirect remuneration” from an outside entity (such as a product manufacturer) to make the communication. In HITECH, Congress declared such subsidized communications to be marketing, with one exception: when the communication is about a drug or a biologic that the patient is currently taking.
But the proposed rule goes further and states that prior patient authorization would not be required to send subsidized communications for treatment, provided the communications are tailored to an individual’s health condition. Subsidized communications not related to treatment, or that are more population-based, would still count as marketing and require patient authorization. Although the proposed rule would not require prior patient authorization for subsidized treatment communications, it would establish certain requirements:
- The provider must notify the patient of its intent to send the patient subsidized treatment communications,
- The notice must inform the patient that she may opt out of receiving such communications, and
- The treatment communication itself reiterates the patient’s ability to opt out and discloses the fact of that someone paid the provider to send the communication.
The provisions of HITECH related to marketing included a statement that “direct or indirect remuneration does not include payment for treatment of an individual.” It is unclear to what extent HHS relied on this provision as a basis for the proposed exception for subsidized treatment communications, but CDT believes such reliance would be misguided. Under HITECH, communications for which the covered entity receives remuneration count as marketing, and remuneration does not include payment for treatment, but HHS should not interpret “payment for treatment” to encompass subsidized treatment communications. In the current Privacy Rule, the term “payment” covers only the activities of health plans in paying for health care and those of providers in seeking payment for care. In removing payment for treatment from “remuneration”, Congress sought only to ensure that payment activities under HIPAA could proceed without the need to first obtain patient authorization. The proposed exception, however, includes treatment communications subsidized by third parties who are neither health plans nor providers. CDT would like HHS to clarify its legislative authority in carving out the exception for subsidized treatment communications.
CDT is concerned that the proposed rule undermines HITECH by allowing patients’ information to be used to market products and services to them that are not part of the care plan established by their treatment physicians (for example, communications urging patients to switch from their current drug to another brand). The opt-out is a slim concession, as it places the burden of ensuring their data is not used for marketing on patients. The proposed opt out scheme is complicated by increasing levels of data sharing using health information technology. If patient data is shared with multiple entities, will patients have to make separate requests to each entity in order to fully opt out?
CDT generally believes that subsidized communications are marketing and should require the prior consent of the individual, subject only to the exception for current drugs and biologics to ensure there are no obstacles to patients receiving information about recalls or important drug safety issues. CDT will request that HHS preserve the opt in standard for subsidized communications. In the event that preserving the opt in is not achievable, CDT may ask that HHS structure its opt out to maximize the level of protection it can offer.
As mentioned above, HIPAA requires covered entities to obtain patients’ authorization for certain disclosures of their health information. The current HIPAA Privacy Rule prohibits health care providers from conditioning a patient’s treatment, payment, or enrollment in a health plan or eligibility for benefits on obtaining an authorization from the patient. However, there is an exception to this general rule that permits conditioning research-related treatment on an authorization for the research itself. Still, the current privacy rule prohibits covered entities from “compound authorizations”: combining a conditional authorization with an authorization that is not conditional.
The proposed rule would allow covered entities to combine conditioned and unconditioned authorizations for research. However, the authorization must distinguish clearly between the conditioned and unconditioned components and allow patients to opt out of the latter. At first read, this proposal seems reasonable, but educating patients on how to distinguish the two components is a crucial challenge.
In addition to its proposed changes on compound authorizations, the proposed rule clarified HHS’ interpretation of another aspect of health privacy and research. HHS interprets the current Privacy Rule to require that patient authorizations to use or disclose health information for research be specific to each study – one authorization per study. However, HHS is contemplating whether to modify this rule to avoid having to re-contact the patient for multiple authorizations for future research. More specifically, HHS is considering whether to permit:
- authorizations for uses and disclosures of patient health information for future research purposes, so long as the future research is described in sufficient detail in the authorization that patients can make an informed decision, or
- to permit the above as a general rule, but require disclosure statements on authorizations for certain types of sensitive research activities.
CDT’s comments will ask HHS to specify what the initial authorization must include in order to obtain meaningful consent from the patient to uses of protected health information for future research purposes. Any such authorization should explain in detail what those future research purposes would be. Blanket authorizations permitting indefinite and undefined use of patient data for research purposes would violate Fair Information Practice principles. CDT would also seek clarification from HHS regarding the ability of patients to revoke their authorization many years after the fact. It would most likely be considerably difficult for patients to track down researchers after years of no contact. HHS has yet not proposed any modification to the rules on future research authorizations, but seeks public comment on the issue.