Major Changes to the HIPAA Privacy, Security and Enforcement Rules Introduced in the HHS Proposed Rule

Some of the major changes introduced under the Proposed Rule include:

• Business Associates and Business Associate Agreements— HHS modifies the current definition of business associates to explicitly include several new entities, most importantly sub-contractors who create, receive or transmit protected health information (PHI) on behalf of business associates. Subcontractors who meet this criterion are now business associates and consequently required to enter into business associate agreements with business associates and subject to direct liability under the HIPAA Rules.

The Proposed Rule also makes a number of modifications to the business associate agreement contractual requirements, including (but not limited to) requiring that business associate agreements include language that require business associates to report breaches of unsecured PHI to covered entities, and to the extent a business associate is carrying out any covered entity Privacy Rule obligations, comply with the relevant Privacy Rule requirements that apply to the covered entity.

The Proposed Rule proposes a one year transition period for compliance with the new business associate agreement requirements for certain existing contracts. 

• Security Rule— The Proposed Rule makes § 164.306 of the Security Rule, which sets out general rules that apply to all standards and implementation sections of the Security Rule, apply to business associates. HHS also introduces several other changes to the Security Rule with respect to business associates in the Proposed Rule.

• Marketing— HHS proposes significant, complex revisions to the exceptions to the definition of “marketing” and solicits comments on a number of its proposals, including the distinction it draws in the Proposed Rule between treatment and health care operations communications.

• Research Authorizations—In the Proposed Rule, HHS considers two revisions to the current requirements for research authorizations. First, the agency is proposing to allow covered entities to combine conditioned and unconditioned authorizations for research, provided that certain conditions are met including that the authorization clearly allows an individual the option of opting into the unconditioned research activities. Second, HHS is considering modifying its interpretation that an authorization for the use or disclosure of PHI for research be study specific. In the Proposed Rule, HHS proposes several options and specifically requests comments on each of the options.

• Notice of Privacy Practices—HHS proposes several material revisions to the current content of covered entities’ notice of privacy practices. Given that the current Privacy Rule only allows health plans 60 days following a material revision to their notice of privacy practices to notify individuals, HHS is specifically soliciting comments on other options to allow health plans to notify individuals of changes to their notice of privacy practices that would not impose an undue burden on the health plans.

• Right to Request Restrictions on Uses and Disclosures—The Proposed Rule provides some additional clarification regarding individuals’ right to request restrictions on certain disclosures of PHI to health plans. Additionally, in the Proposed Rule HHS recognizes and solicits comments on some of the unique issues that may arise with respect to individuals exercising their right to request restrictions and covered entities terminating restrictions.

• Electronic Access—The Proposed Rule extends the scope of the rights afforded to individuals under HITECH to access their PHI. Under the Proposed Rule, individuals’ electronic access rights apply to all PHI maintained electronically in a designated record set. Additionally, the Proposed Rule requires that a covered entity transmit a copy of PHI to a person designated by an individual, regardless of whether the PHI is in electronic or paper form, provided that the individual’s request meets certain specified conditions (e.g., in writing, signed).

 Other notable topics addressed in the Proposed Rule and for which HHS is soliciting comments on include: the minimum necessary, the sale of PHI, fundraising, and certain Privacy Rule organizational requirements.

 The Proposed Rule is scheduled for publication in the Federal Register on July 14. Public comments will be due to HHS 60 days after publication of the Proposed Rule in the Federal Register. Hogan Lovells attorneys are actively involved in helping clients implement the privacy and security requirements of HITECH. If you would like additional information on the HITECH requirements, need assistance writing comments on the Proposed Rule, or need assistance implementing privacy or data protection programs, please contact a Hogan Lovells attorney.

Authored by Barbara Bennett.