The HIPAA/HITECH Final Rule: Time to Get More Serious About Compliance. Patricia A. Markus, Esq.


AHLA Hospitals and Health Systems Law Institute, February 13, 2013

I. INTRODUCTION

On January 17, 2013, the Office for Civil Rights ("OCR") of the U.S. Department of Health and Human Services ("HHS") issued its long-awaited final rule ("Final Rule") modifying the Health Insurance Portability and Accountability Act ("HIPAA") privacy, security, enforcement, and breach notification rules in accordance with the Health Information Technology for Economic and Clinical Health ("HITECH") Act and the Genetic Information Nondiscrimination Act ("GINA"). Published in the Federal Register on January 25, the Final Rule becomes effective on March 26, 2013, although compliance with most of its provisions is not required until September 23, 2013.[1]

Although some commenters have suggested that the Final Rule did not include significant changes to the proposed and interim final HIPAA Administrative Simplification rules, in reality covered entities, and business associates in particular, have substantial work to do before the September 23 compliance deadline. Generally speaking, the Final Rule provides additional protections to individuals and requires greater transparency about the uses and disclosures that are made of individuals' protected health information ("PHI"), while it significantly expands liability for covered entities and their business associates. The Final Rule provisions making the most dramatic changes, and therefore necessitating the most substantial operational and policy changes, are those pertaining to business associates and breach notification. However, revisions to the HIPAA enforcement rule incorporating the HITECH Act's tiered structure of increased civil monetary penalties, and changes to several of the HIPAA privacy and security standards, also will require considerable attention.

This outline addresses the Final Rule's changes to breach notification; enforcement; individuals' rights to request electronic copies of their PHI and to have providers restrict uses or disclosures of their PHI to their health plans when the individuals pay for services out-of-pocket; and revisions that covered entities will need to make to their notices of privacy practices ("NPPs"). Marilyn Lamar's outline for this session will address the Final Rule's revisions pertaining to: business associates and their subcontractors, business associate agreements, and liability of subcontractors based on agency; research authorizations; uses of PHI for marketing and fundraising purposes, and restrictions on the sale of PHI; and revisions to the privacy rule based on GINA.

II. BREACH NOTIFICATION

Following several years in which there was little, if any, actual enforcement activity in response to violations of the HIPAA privacy and security rule requirements, the HITECH Act for the first time required covered entities to provide written notification to the Secretary of HHS, to affected individuals, and in some cases to the media, following the discovery of a breach of unsecured PHI. Where a business associate was responsible for a breach, the business associate was required to notify the covered entity of the breach. On August 24, 2009, HHS published an interim final rule ("IFR") clarifying the specific requirements for breach notification by covered entities and business associates.[2] These regulations became effective on September 23, 2009.

A. Interim Final Rule

The IFR defined the term "breach" as the acquisition, access, use, or disclosure of PHI, in a manner not permitted by the HIPAA privacy rule, which compromises the security or privacy of the PHI.[3] "Compromises the security or privacy of the PHI" was defined to mean "poses a significant risk of financial, reputational, or other harm to the individual."[4] The IFR included three narrow exceptions to the definition of breach. A breach did not include:

1. An unintentional acquisition, access, or use of PHI by a member of the work force or an agent of the covered entity or business associate, if the acquisition, access, or use was made in good faith, within the scope of authority, and did not result in a further impermissible use or disclosure;[5]

2. An inadvertent disclosure by a person authorized to access PHI at a covered entity or business associate to another authorized person at the same covered entity, business associate, or organized health care arrangement, if the PHI received was not further used or disclosed impermissibly; or

3. A disclosure of PHI where the covered entity or business associate believed in good faith that the unauthorized person to whom the PHI was disclosed would not reasonably have been able to retain the information.[6]

In addition to the above-noted exceptions, a use or disclosure of a limited data set[7] which also excluded dates of birth and ZIP codes was not considered to be a breach of PHI, because the information had essentially been de-identified.[8] De-identified data is no longer PHI and, accordingly, is not subject to the breach notification requirements. However, if a limited data set which still contained date of birth and ZIP code was impermissibly accessed, acquired, used, or disclosed, the IFR proposed that a covered entity or business associate would be required to perform a risk assessment to determine whether the risk of re-identification of the information posed a significant risk of harm to the individual.[9]

As indicated above, the IFR specified that not every impermissible acquisition, access, use, or disclosure of PHI constituted a breach for which notification must be made. However, in circumstances where a covered entity or business associate determined that an impermissible acquisition, access, use, or disclosure of PHI did occur, the IFR indicated that the situation should be treated as a breach, and the covered entity or business associate then had to conduct a fact-specific risk assessment to determine whether the impermissible acquisition, access, use, or disclosure of PHI posed a significant risk of financial, reputational, or other harm to the individual.[10] In performing the risk assessment, covered entities and business associates were required to consider the following types of factors:

- Who impermissibly used the PHI, or to whom was the PHI impermissibly disclosed?
- In what form was the PHI accessed, used, or disclosed?
- Was the impermissible access, use, or disclosure of PHI intentional?
- What steps, if any, were taken to mitigate the potential harm of the impermissible access, use, or disclosure?
- What type of PHI was impermissibly accessed, used, or disclosed?

Significantly, the entity performing the risk assessment had the burden of demonstrating that it made all breach notifications required by the HITECH Act or that the use or disclosure did not constitute a breach.[11] Accordingly, covered entities and business associates were required to carefully document and maintain their risk assessment processes so that they could later demonstrate, if necessary, that no breach notification was required following a given impermissible access, use, or disclosure of PHI.[12] If, following the risk assessment, a significant risk of harm was determined to exist, then notification of the breach was required to be made. If the risk assessment resulted in a determination that no significant risk of harm existed, the investigation could be concluded without breach notification.

B. Final Rule

1. Definition of breach and risk assessment approach

The Final Rule was issued nearly three and a half years after the IFR was published, and many in the industry speculated that the lengthy delay was due to a reconsideration of the harm standard. Such speculation appears to have been accurate. In the preamble to the Final Rule, OCR noted that 60 of the 70 commenters who specifically addressed the IFR's definition of breach supported the proposed risk of harm standard and risk assessment approach. These commenters believed that this approach enabled the appropriate parties, covered entities and business associates, to assess the likely impact of impermissible uses or disclosures of PHI and then to strike a proper balance between enabling individuals to protect themselves from likely negative consequences of a breach and not unnecessarily flooding individuals with notifications about inconsequential events.[13] Other commenters, however, suggested that the subjective risk of harm standard gave too much discretion to covered entities and business associates and appeared to set a higher threshold for breach notification than the HITECH Act or OCR intended.[14] OCR agreed with this smaller group of commenters. In the Final Rule, it revises the definition of breach and the risk assessment approach to create what OCR describes as a more objective standard.[15]

Now, an impermissible access, use, or disclosure of PHI is presumed to be a breach, and notification is required, unless either the disclosing covered entity or business associate demonstrates that there is a low probability that the PHI was compromised, or one of the other exceptions to the definition of breach applies.[16] Thus, the risk assessment now focuses on the potential harm to the data rather than the potential risk of harm to the individual, and the covered entity or business associate now has the burden of proving that there was not a breach. The probability of compromise to PHI must be determined based upon a risk assessment of at least the following factors:

- The nature and extent of the PHI involved, including the types of identifiers and the likelihood that the information may be re-identified;
- The unauthorized person who impermissibly used the PHI or to whom the PHI was impermissibly disclosed;
- Whether the PHI was actually accessed or viewed; and
- The extent to which the risk to the information has been mitigated.[17]

If a thorough, good-faith assessment of these (and perhaps other) factors in combination fails to demonstrate that there is a low probability that the PHI was compromised, then breach notification is required.[18] In further discussing these factors, the Final Rule provides numerous examples suggesting that a finding of a low probability that the data was compromised will be the exception rather than the rule. For example, if a covered entity mails information to the wrong individual, who opens the envelope and then contacts the entity to advise that she received the information in error, the unauthorized recipient has viewed and acquired the information. Accordingly, OCR asserts that the covered entity's consideration of the third factor should weigh in favor of notification.[19] OCR also indicates that the identity of the recipient of the PHI may affect whether the covered entity can conclude that an impermissible use or disclosure has been appropriately mitigated.[20] For example, a covered entity may be able to rely on an assertion by another covered entity or a business associate's employee that the entity or person destroyed a misdirected communication containing PHI, whereas that type of assurance from some other third parties may result in a finding that the risk to PHI was not sufficiently mitigated.[21]

The revised standard effectively removes the fairly broad discretion that covered entities and business associates had under the risk of harm standard to determine whether to make notification of breaches. This appears to have been OCR's intent, as it agreed with commenters who suggested that the risk of harm standard would lead to inconsistent interpretations and results across covered entities and business associates.[22] The Final Rule maintains the three narrow exceptions proposed in the IFR, but it eliminates the IFR exception for impermissible uses or disclosures of limited data sets which also exclude dates of birth and ZIP codes; instead, entities now will have to perform a risk assessment to determine whether breach notification is required.[23] More troubling is OCR's clarification that violations of the minimum necessary standard are subject to the risk assessment requirement outlined above.[24] OCR acknowledges that risk assessments surrounding both of these types of privacy violations frequently may result in determinations that breach notification is not required.[25] Nonetheless, OCR's commentary on the new risk assessment standard plainly illustrates its expectation that covered entities and business associates devote significantly more time and thought to performing risk assessments, and evaluate a wider variety of potential breach scenarios, than these entities may have done pursuant to the IFR's risk assessment process. OCR indicates that it will issue specific guidance to assist covered entities and business associates in performing risk assessments in certain frequently occurring scenarios.[26] Until the September 23, 2013 compliance date, covered entities and business associates must comply with the breach notification requirements of the HITECH Act in accordance with the IFR.[27]

2. Notice of breaches

The Final Rule offers minor modifications to, and insight into, a few of the IFR's proposed requirements pertaining to notice of breaches. First, OCR agreed to some commenters' request for permission to provide oral or telephone breach notification to individuals receiving highly confidential treatment services where the individual has requested to receive verbal communications, so long as the health care provider orally advises the individual to pick up the written breach notice from the provider directly. Should an individual not agree to pick up the written breach notice, the provider may read the entire breach notice over the phone to the individual and document that it has done so, but OCR cautions that this practice is not to be used where providing the oral notice is simply easier for the provider or where the individual has consented to receive information by e-mail and the provider has a valid e-mail address on file.[28]

In response to a comment requesting that providers be excused from providing breach notification to individuals in situations where a licensed health care professional believes that such notice likely will cause substantial harm to the individual, OCR declines to excuse notice to such individuals. However, providers may call such an individual or request that the individual come into the provider's office to discuss the incident before the breach notification is mailed, so long as that process does not delay the timely issuance of the notice.[29]

Finally, with respect to notifications to the Secretary for breaches affecting fewer than 500 individuals, the Final Rule clarifies that covered entities must notify HHS within 60 days after the end of the calendar year in which the breaches were discovered, not the year in which the breaches occurred.[30]

III. ENFORCEMENT

Covered entities are required to report to the Secretary all breaches, large and small. Because breaches by definition involve a violation of the privacy rule, and because reporting to the Secretary admits such violations, covered entities must be aware of the greatly enhanced enforcement penalties that apply following the enactment of the HITECH Act and adoption of the interim final enforcement rule. In addition, the Final Rule confirms that business associates and subcontractors now are subject to civil monetary penalties and enforcement actions for noncompliance with applicable provisions of HIPAA.

A. Interim Final Rule

1. Penalty tiers and culpability

The chart below summarizes the post-HITECH penalty scheme, which provides for increasing degrees of culpability and parallel increases in the amount of applicable penalties. Under the interim final enforcement rule,[31] OCR had enormous discretion under this penalty scheme, and this discretion has been amplified under the Final Rule. Moving down the chart, each tier of culpability involves a diminished degree of attention and compliance by the covered entity or business associate, and each tier of violation is punishable by increasingly greater penalties.

Tier 1. Violation unknown (or one that, by exercising reasonable diligence, the entity would not have known of):
   Range under Section 13410 of HITECH: $100 for each violation, up to $25,000 for all identical violations in a calendar year
   Range under IFR, 45 C.F.R. 160.404(b): $100 to $50,000 for each violation
   Maximum penalty: $1,500,000 for all violations of this type

Tier 2. Violation due to reasonable cause and not willful neglect:
   Range under Section 13410 of HITECH: $1,000 for each violation, up to $100,000 for all such violations in a calendar year
   Range under IFR, 45 C.F.R. 160.404(b): $1,000 to $50,000 for each violation
   Maximum penalty: $1,500,000 for all violations of this type

Tier 3. Violation due to willful neglect, if corrected within 30 days from knowledge of the violation:
   Range under Section 13410 of HITECH: $10,000 for each violation, up to $250,000 for all such violations in a calendar year
   Range under IFR, 45 C.F.R. 160.404(b): $10,000 to $50,000 for each violation
   Maximum penalty: $1,500,000 for all violations of this type

Tier 4. Violation due to willful neglect, not corrected:
   Range under Section 13410 of HITECH: $50,000 for each violation, up to $1,500,000 for all such violations during a calendar year
   Range under IFR, 45 C.F.R. 160.404(b): $50,000 for each violation
   Maximum penalty: $1,500,000 for all violations of this type

The interim final enforcement rule described the degrees of culpability through the following key definitions:

a. "Reasonable cause" means circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated.[32]

b. "Reasonable diligence" means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances. This term has been equated to constructive knowledge.[33]

c. "Willful neglect" means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.[34]

2. Secretary's Enforcement Authority

OCR has broad authority in resolving complaints of HIPAA violations. If, in the course of an investigation, it determines that the covered entity failed to comply, it will so advise the covered entity and attempt to resolve the matter by informal means whenever possible.[35] In its July 14, 2010 Notice of Proposed Rulemaking ("NPRM") modifying the privacy, security, and enforcement rules under HITECH,[36] OCR proposed to require, rather than permit, the Secretary to formally investigate all complaints or initiate compliance reviews where the facts indicate possible violations due to willful neglect.[37] The Secretary still would have discretion to investigate or conduct a compliance review in other circumstances.[38] OCR further proposed to require the Secretary to determine the extent of civil money penalties based upon the nature and extent of the harm resulting from a HIPAA violation.[39] The NPRM also proposed to permit the Secretary to share PHI with other law enforcement agencies if and as permitted under the Privacy Act.[40]

B. Final Rule

Footnotes to Sections I through III.A:

[1] 78 Fed. Reg. 5566, 5569 (Jan. 25, 2013).
[2] 74 Fed. Reg. 42740 (Aug. 24, 2009).
[3] 45 C.F.R. 164.402.
[4] Id.
[5] Id. The IFR offered, as an example of this exception, a billing employee who receives and opens an e-mail containing PHI about a patient which a nurse mistakenly sent to the billing employee. Once the billing employee notices that he is not the intended recipient of the e-mail, he alerts the nurse of the misdirected e-mail and then deletes the message. See 74 Fed. Reg. at 42747.
[6] 45 C.F.R. 164.402. The IFR offered, as an example of this exception, a covered entity that sends several EOBs to the wrong individuals. A few of the EOBs are returned by the post office, unopened, as undeliverable, but several of the EOBs which the covered entity knew were misaddressed were not returned. Under these circumstances, the covered entity may conclude that the EOBs that were returned could not reasonably have been retained by the addressees; however, the covered entity may not reach that conclusion with respect to those EOBs that were not returned as undeliverable. See 74 Fed. Reg. at 42748.
[7] A limited data set is created by removing sixteen (16) direct identifiers, set forth in 45 C.F.R. 164.514(e)(2), from PHI. Even with these identifiers removed from the PHI, however, a limited data set is not completely de-identified, because the elements of dates (including birth dates) and ZIP codes increase the possibility that the information may be re-identified; accordingly, the HIPAA privacy rule treats limited data sets as PHI.
[8] 45 C.F.R. 164.402.
[9] See 74 Fed. Reg. at 42746.
[10] This harm threshold has proved to be controversial, as many commenters suggested that the statutory language of the HITECH Act did not include such a threshold. In the IFR, however, HHS noted that the statutory phrase "compromises the security or privacy" appeared to contemplate that some type of risk assessment would be necessary to determine whether a risk of harm in fact resulted from a breach, and that including a harm threshold aligned the HITECH Act breach notification requirement with various state breach notification laws. See id.
[11] 45 C.F.R. 164.414(b).
[12] A covered entity or business associate is required to maintain documentation sufficient to meet its burden of proof for a period of six years. 45 C.F.R. 164.530(j)(2).
[13] See 78 Fed. Reg. at 5640.
[14] 78 Fed. Reg. at 5641.
[15] 78 Fed. Reg. at 5566.
[16] 78 Fed. Reg. at 5641.
[17] 78 Fed. Reg. at 5642.
[18] 78 Fed. Reg. at 5643.
[19] See 78 Fed. Reg. at 5643.
[20] 78 Fed. Reg. at 5643.
[21] Id.
[22] 78 Fed. Reg. at 5642.
[23] 78 Fed. Reg. at 5643.
[24] 78 Fed. Reg. at 5643.
[25] See 78 Fed. Reg. at 5644.
[26] 78 Fed. Reg. at 5643.
[27] 78 Fed. Reg. at 5570.
[28] 78 Fed. Reg. at 5651.
[29] Id.
[30] 78 Fed. Reg. at 5654.
[31] 70 Fed. Reg. 20224 (Apr. 18, 2005).
[32] Id. at 20238.
[33] Id. at 20237-38.
[34] Id. at 20238.
[35] 45 C.F.R. 160.312(a).
[36] 75 Fed. Reg. 40868 (Jul. 14, 2010).
[37] See 78 Fed. Reg. at 5577.
[38] 78 Fed. Reg. at 5579.
[39] See 78 Fed. Reg. at 5577.
[40] 78 Fed. Reg. at 5579.

The Final Rule adopts the NPRM's proposals concerning the Secretary's discretion in determining when to investigate potential HIPAA violations. Now, if a preliminary review of facts cited in a complaint indicates a possible violation due to willful neglect, the Secretary must investigate the complaint.[41] Similarly, if facts indicating a possible violation due to willful neglect come to the Secretary's attention for other reasons, the Secretary must conduct a compliance review. The Secretary now also has enforcement discretion to impose a civil money penalty or take other more formal action without exhausting informal means of resolution.[42]

The Final Rule also implements the HITECH Act's tiered civil monetary penalty structure, shown in the chart above, that includes significantly increased financial penalties for HIPAA violations. In response to concerns expressed by commenters about the Secretary's wide range of discretion in determining penalty amounts, OCR emphasizes that HHS will not impose the maximum penalty in every case but will, as required by the HITECH Act, determine penalty amounts based on the facts of each case and the nature and extent of both the violation and the resulting harm.[43] In addition, the Secretary has the ability to waive a civil money penalty to the extent the penalty would be excessive in relation to the violation, and entities may appeal the imposition of penalties they believe to be unfair to an administrative law judge.[44]

Responding to questions about how the number of occurrences is determined for purposes of calculating penalties, the Final Rule clarifies that the number of identical violations may be counted by the number of individuals affected by the violation or the number of days the violation continued before it was corrected. Rather ominously, however, the commentary goes on to state that covered entities and business associates may be liable for multiple violations of multiple requirements, and a violation of each requirement may be counted separately, thus feasibly resulting in total penalties in amounts substantially higher than the $1.5 million calendar year limit for each type of violation.[45]

Additionally, the Final Rule adopts the NPRM's proposed revised definition of "reasonable cause" to clarify the state of mind, or mens rea, required for the second category of violations. "Reasonable cause" now means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.[46]

The Final Rule also outlines a broad variety of factors that may be considered in determining the amount of a civil money penalty, including:

- The nature of the violation (including the number of individuals affected and the time period during which the violation occurred);
- The nature and extent of the resulting harm (including physical, reputational, or financial harm or the inability to obtain health care);
- The history of prior HIPAA compliance by the entity (including previous violations, previous corrections of noncompliance, and response to previous complaints); and
- The financial condition of the noncompliant covered entity or business associate (including whether the noncompliance may have resulted from financial hardship, the size of the entity, and whether imposing a penalty would jeopardize the entity's ability to continue to provide health care).[47]

IV. INDIVIDUAL RIGHTS

A. Right to Request Restrictions on Uses and Disclosures of PHI

The privacy rule provides individuals with a right to request restrictions on a covered entity's use or disclosure of their PHI for the purposes of treatment, payment, or health care operations, but before enactment of the HITECH Act covered entities were not required to grant such requests. The Final Rule implements the HITECH Act provision requiring that covered entities agree to an individual's request to restrict uses and disclosures of his or her PHI related to a treatment or service, if: (1) the request is to restrict disclosure of information to the individual's health plan for payment or health care operations purposes; and (2) the information relates solely to an item or service for which the individual pays the covered entity out-of-pocket and in full.[48]

OCR received numerous questions about how to operationalize this new right. In response, the commentary to the Final Rule clarifies that:

- Health care providers need not create separate medical records or otherwise segregate PHI that is subject to such a restriction, but they will need to flag this restriction in the record to assure that such information is not provided to the health plan inadvertently or for other operations purposes, such as health plan audits;[49]
- If the restriction sought is for a service that is one of a number of bundled services provided in a single encounter, the provider should counsel the patient about whether it is able to unbundle the service to permit the individual to pay for that individual service and the possible effect of doing so (e.g., the health plan still may be able to determine that the service was provided). If unbundling the service is possible, the provider should abide by the individual's request to unbundle; if it is not possible, the provider should permit the individual to restrict and pay out-of-pocket for the entire bundle of services;[50]

Footnotes to Sections III.B and IV:

[41] 78 Fed. Reg. at 5578-79.
[42] 78 Fed. Reg. at 5579.
[43] 78 Fed. Reg. at 5583.
[44] 78 Fed. Reg. at 5583-84.
[45] 78 Fed. Reg. at 5584.
[46] 78 Fed. Reg. at 5580.
[47] 78 Fed. Reg. at 5585.
[48] 78 Fed. Reg. at 5628.
[49] Id.
[50] 78 Fed. Reg. at 5629.

Providers do not have an obligation to inform downstream providers of a restriction, but OCR encourages providers to counsel patients to request a restriction and pay out-of-pocket with such downstream providers in order for the restriction to apply to disclosures by those providers; 51 Providers within an HMO who cannot by law accept payment from an individual in excess of the individual s cost-sharing amount may counsel individuals to use an out-of-network provider if they wish to restrict from disclosure PHI about certain health care items or services; 52 and If an individual s payment for the restricted item or service is dishonored, OCR expects providers to make reasonable efforts to contact the individual and obtain payment by alternative means before billing a health plan, but this does not mean that an individual s debt must be placed in collection before a provider may bill the health plan for the item or service. 53 B. Right to Access Copies of Electronically-Stored PHI 1. Form and format The privacy rule permits individuals to request and receive copies of their PHI that a covered entity maintains in a designated record set. The Final Rule adopts the NPRM s proposed expansion of this right to permit individuals to receive a copy of PHI that is maintained in an electronic health record in electronic format. Accordingly, if an individual requests an electronic copy of PHI that the covered entity maintains electronically in one or more designated record sets ( ephi ), the covered entity must provide access to the ephi in the electronic form and format sought by the individual, if readily producible in that form and format. 54 If such access is not possible for example, if the individual seeks to access her ephi through a web-based portal and the provider does not maintain a portal then the covered entity and the individual must agree on the readable electronic format in which the information will be provided. 
55 If the individual refuses to accept the ephi in the available electronic formats, the covered entity must provide a hard copy. 56 OCR clarifies that covered entities are not required to purchase new systems or software in order to provide ephi in a form or format that is not readily producible, but that entities whose systems cannot produce a copy of ephi in any electronic form (including some legacy systems) may need to invest in software or hardware to offer 51 Id. 52 Id. 53 78 Fed. Reg. at 5629-30. 54 78 Fed. Reg. at 5631. 55 78 Fed. Reg. at 5633. 56 Id. 11

some form of electronic copy. 57 Additionally, covered entities that maintain hybrid records need not scan paper documents in order to provide individuals with electronic copies of those paper records. 58 Several covered entities commented that they should not have to use portable devices brought in by individuals to comply with this requirement, because doing so might introduce viruses or security risks to their systems. OCR acknowledges this risk in commentary to the Final Rule and permits covered entities to provide access to ephi on media provided by the covered entity or, if an individual does not wish to pay for such portable media, to provide the individual an electronic copy through alternative means, such as through e-mail. Covered entities also raised concerns about the potential vulnerability of unencrypted e-mails and their potential liability for breach should ephi be compromised when transmitted by this method to individuals. In response, OCR confirms that entities may provide copies of ephi in unencrypted e-mails if they first notify the individual of the possible risk that a third party may read the e-mail. If, despite this risk, the individual still prefers to receive an unencrypted e-mail instead of an available electronic alternative, the covered entity may e-mail the information. 59 2. Third parties Upon an individual s written request, a covered entity must transmit a copy of PHI directly to a third party designated by the individual. The individual s request must be signed, and it must clearly identify the third party and where to send the information. 60 3. Copy fees Covered entities may charge individuals a reasonable, cost-based fee for providing copies of PHI. The Final Rule permits entities to include labor costs for copying in the calculation of the fee. Such costs may include staff time to create and copy electronic files (such as compiling, extracting, scanning, or burning PHI to media and distributing the media). 
61 Fees also may be charged for supplies used in creating electronic media (such as discs and flash drives) for individuals who seek copies on portable media, and for postage incurred on behalf of individuals who request mailing of the electronic media. 62 However, entities may not charge for costs related to maintaining systems, data storage, or new technology, nor may they charge a retrieval fee for electronic copies, since such a fee is not permitted for production of paper copies. Finally, in instances where HIPAA permits charging higher costs than does applicable state law, under state law preemption principles covered entities will not be permitted to charge more than state law allows. Conversely, if applicable state law 57 Id. 58 Id. 59 78 Fed. Reg. at 5634. 60 Id. 61 78 Fed. Reg. at 5636. 62 Id. 12

permits charging a higher fee than the copying costs the covered entity actually incurs, the covered entity may only charge for its actual costs. 63 4. Time frame Because access to ephi is almost instantaneous, the Final Rule shortens the time frame within which covered entities must respond to access requests, even where the PHI is stored off-site, to a total of no more than 60 days. Covered entities have 30 days to respond to an individual s access request, and they may have a single 30-day extension upon providing written notice to the individual stating the reason for the delay and the expected date of completion. 64 C. Notice of Privacy Practices The Final Rule adopts the NPRM s proposal that health care providers and health plans update their notices of privacy practice ( NPPs ) to address numerous changes, including that most uses and disclosures of psychotherapy notes, along with marketing communications and the sale of PHI, are not permitted without the individual s prior written authorization. 65 Entities that do not maintain psychotherapy notes, however, need not reference them in the NPP. Covered entities also must notify affected individuals of a breach of unsecured PHI, and those covered entities that engage in fundraising using PHI must notify individuals that they may opt out of receiving any fundraising communications from the provider or plan. 66 Finally, providers must notify individuals that they may restrict disclosures of PHI to health plans where they have paid out-of-pocket and in full for such care. 67 Most health plans (excluding only long-term care plans) also must inform individuals that the plans are prohibited from using or disclosing individuals genetic information for underwriting purposes. 
68 In response to concerns expressed about printing costs for new NPPs, OCR advises that providers need not print and hand out revised NPPs to all individuals seeking treatment, but they must post the revised NPP in a prominent location and have copies available for individuals who request a copy to take with them. 69 OCR also reiterates that covered entities may employ a layered notice, including a summary of the individual s rights atop a longer notice that contains all of the required elements. 70 With respect to health plans, the Final Rule specifies that a health plan that currently posts its NPP on its website must both prominently post the change or revised NPP on the website by the effective date of the change (in this case, the compliance deadline of the Final Rule) and provide the revised NPP or information about the change and how to obtain the NPP in its next annual mailing to plan members. Those health plans that do not maintain a website 63 Id. 64 78 Fed. Reg. at 5637. 65 78 Fed. Reg. at 5624. 66 Id. 67 Id. 68 78 Fed. Reg. at 5625. 69 Id. 70 Id. 13

must provide the revised NPP or information about the changes and how to obtain the NPP to plan members within 60 days of the change. 71 revised V. CONCLUSION The Final Rule turns the breach notification s risk assessment methodology on its head, subjects new categories of business associates and many thousands of their subcontractors to direct liability for compliance with portions of the privacy, security, and breach notification rules, and significantly augments the Secretary s enforcement discretion. In order to achieve this, the Final Rule contains scores of details and nuances that will take time for affected parties to evaluate and digest. Covered entities and business associates (and subcontractors) have nearly eight months to come into compliance with all of the new requirements. Given the wide-ranging and substantial implications of noncompliance with the Final Rule, however, it is not too soon for these organizations to begin mapping out the various procedural, policy, and operational changes that must be made and working with internal staff and outside counsel and consultants to effectuate these changes. 71 Id. 14