ARTICLE
14 April 2010

Healthcare Information Privacy, Security and Technology Bulletin

Ober Kaler
Contributor
United States Food, Drugs, Healthcare, Life Sciences

OCR Publishes HITECH Act Rulemaking and Implementation Update Confirming Delayed Compliance For Certain HITECH Act Requirements

On March 15, 2010, the Office of Civil Rights posted an "Update" on its website which confirmed statements made by its representatives that additional HITECH Act Regulations are being prepared and that OCR will exercise its discretion to delay enforcement of certain HITECH Act provisions to be covered in these additional Regulations.

The Update specifically lists several of the HITECH Act provisions that have caused particular concern in the health care community, including:

  • A New Individual Right To Restrict Disclosure of PHI. Under the Privacy Rule, an individual has a right to request restrictions on disclosure of the individual's Protected Health Information, but a Covered Entity is not required to grant that request. The HITECH Act added a provision that a Covered Entity is required to agree to an individual's request for privacy protections as to the disclosure of Protected Health Information to a health plan for payment or health care operations if the information pertains only to a health care item or service that the individual has paid for out-of-pocket in full, unless disclosure is otherwise required by law. Clearly intended to allow individuals to obtain services such as genetic testing at their own expense and keep the results from their insurance record, implementation of this provision has been widely viewed as administratively challenging, to say the least. This provision was effective on February 17, 2010.
  • A New Prohibition on the "Sale" of PHI. The HITECH Act prohibited a Covered Entity or a Business Associate from "directly or indirectly" receiving remuneration in exchange for any Protected Health Information of an individual except pursuant to a valid HIPAA authorization that includes specifics on any further exchanges of the Protected Health Information by its recipient. A number of exceptions were provided, including transfers for public health activities; transfers for research purposes, subject to limitations on the remuneration; and transfers for treatment, unless the Secretary of HHS determines otherwise. This provision is particularly concerning, since it could be read to prohibit or severely limit activities that are, at present, viewed as permissible and are common practice. This provision of the HITECH Act is effective only for exchanges that occur six months after the Secretary of HHS promulgates implementing regulations.
  • Classification of Certain Health Care Operations Communications as Marketing. Pre-HITECH Act, a Covered Entity could provide communications that might otherwise be considered marketing without individual authorization if the communication was to describe a health care item or service or third party payment for the item or service, for treatment, or for case management or counseling about alternative treatments. These activities were considered Health Care Operations. Under the HITECH Act, such communications are not Health Care Operations if the Covered Entity or Business Associate making the communication receives "direct or indirect remuneration" for making the communication. Exceptions include a communication about a current drug or biological the recipient is taking, under certain circumstances, if the remuneration is "reasonable"; communications pursuant to a valid authorization; and certain communications "made by a business associate", consistent with a Business Associate Agreement which meets the requirements of the Privacy Rule for disclosures to a Business Associate. This provision, particularly the provisions as to Business Associates, is particularly difficult to parse and, once again, may drastically change what have been, to date, common practices. This provision was effective as of February 17, 2010.
  • Other topics specifically mentioned in the March 15, 2010 OCR Update are:
    • The right of individuals to opt-out of fund raising communications;
    • The right of individuals to access electronic medical records, presumably including the HITECH Act provisions giving individuals the right to require transfers of electronic medical records directly to third parties (such as a provider of Personal Health Records);
    • "Business Associate Liability", which may refer to allocation of responsibility for breach of the HITECH Act responsibilities shared by Business Associates and Covered Entities in some circumstances, such as provision of timely notice to individuals and, in some cases, the Secretary, of breaches of unsecured PHI.
  • The posting reminds the industry that the Breach Notification requirements of the HITECH Act, which were subject to a six (6) month enforcement delay, became effective for breaches discovered on or after September 23, 2009 and will be enforced by OCR for those breaches occurring on or after February 22, 2010. Similarly, the posting reminds all that violations of the Privacy and Security Rules became subject to new, higher penalty amounts as of February 17, 2009.

The Update states that the Secretary will publish a Notice of Proposed Rulemaking ("NPRM") on these topics, and possibly others. An NPRM, in contrast to the Breach Notification Interim Final Rule, contemplates a greater opportunity for public comment and government response, before publication of the Final Rule. As to enforcement, the Update states:

"Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements."

Entities affected by the new HITECH Act provisions should consider submitting comments in response to the NPRM. While the list of HITECH Act provisions in the Update does not include all of the provisions that have raised concerns in the health care community, the NPRM comment period will certainly allow review of the government's initial proposal and an opportunity to comment or suggest different approaches to a number of problem areas, prior to those provisions becoming effective.

A copy of the entire update can be accessed at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechblurb.html

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
