In July, the federal Office for Civil Rights issued a proposed rule that contains modifications to the privacy standards, security standards, and enforcement regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and includes changes under the Health Insurance Technology for Economic and Clinical Health (HITECH) Act. In addition, on July 29, the U.S. Department of Health and Human Services announced that the final breach notification rule will be delayed for further consideration in light of the comments the agency received during the comment period on the interim regulations that were issued in August 2009.
HHS maintains that the proposed rule is meant to strengthen HIPAA rules by expanding individuals’ rights to access their health information, clarifying responsibilities of business associates of HIPAA-covered entities, and setting new limits on the use and disclosure of protected health information for marketing. HCI Managing Editor John DeGaspari recently spoke with Amy M. Gordon, a partner in the health care reform and HIPAA practice groups of the Chicago-based law firm McDermott Will & Emery to learn about what healthcare providers should do to make sure they comply with the regulations as they evolve.
Healthcare Informatics: Can you elaborate on the basic scope of the regulations?
Amy Gordon: HIPAA in general was enacted to protect people’s health and benefit information, so that it would remain private. In the past, this had been governed by state law, and states had been all over the place. Some were much more restrictive than others, and some had no restrictions whatsoever. What HIPAA was designed to do, from a federal perspective, was to really set a floor and make all states and all health entities comply, essentially, with at least a bare minimum of protection. HITECH enhanced the requirements a little bit further, especially with respect to the business associate agreements, and also with electronic protected health information. And then [it] also enhanced enforcement.
[The proposed regulations] are really not going to be effective until 180 days after the publication of the final rule, for which they were seeking guidance through September 13, 2010. So, whether the final rule is going to make it out this year remains to be seen.
HCI: What is the general intent of the proposed regulations?
Gordon: I think what they were doing was trying to tighten some of the reins when it came to, for example, contracting with a business associate. When you used to contract with a business associate, it was almost like there was this black hole. The business associate would agree to certain things; the covered entity would sign off on the agreement, and then the business associate would go and use sub-contractors, or business associates of its own. And then the question was, what happens if one of those entities posts somebody’s medical information on the Internet? What happens then?
So I think the whole intent of HITECH in general was really to say who is responsible for what, and who has to do what, and to delineate the responsibilities and the liabilities that come with having, or touching, protected health information.
HCI: So the intent was to clarify the rules under HITECH?
Gordon: Right. And also enhance some of the responsibilities. For example, originally HIPAA said business associates were not held to the same level of culpability that a covered entity was, that they were these outside parties that you would engage; and, even though they would have tons of contact with protected health information, their only liability really was in response to a contract entered into between the covered entity and the business associate.
And one of the things that HITECH did was that it raised the responsibility of a business associate almost to that of a covered entity. Because now, business associates are responsible for having their own policies and procedures. They never had to do that before. And then, there is culpability in general, whether or not a contract makes them liable, if they misuse or mis-disclose protected health information; essentially, they [now] are as responsible as a covered entity under these new HITECH proposed rules.
HCI: Do you recommend that there be a contract between all players?
Gordon: Absolutely. Under HIPAA now, you [as a covered entity] have to have a contract with your business associate. So that contract is definitely required.
The other thing is, as you go downstream, and you have a business associate that contracts with another business associate or a subcontractor, what happens there? The rules don't necessarily require the covered entity to have a contract with those business associates or subcontractors. But it does require a business associate who is using that other business associate or subcontractor to have an agreement in place. And that is new.