HHS Proposes Expansion of HIPAA Privacy Rule
On May 31, 2011, the U.S. Department of Health and Human Services’ Office for Civil Rights (HHS-OCR) published a notice of proposed rulemaking to amend the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule’s retention and disclosure requirements for entities that maintain Protected Health Information (PHI). This Legislative Alert highlights the proposed amendments.
Overview: What Does the Proposed Rule Cover?
The proposed Privacy Rule changes would expand individuals’ rights to track how their PHI is disclosed or used. The proposed changes cover two main areas:
1. “The right to an access report would provide information on who has accessed electronic protected health information in a designated record set (including access for purposes of treatment, payment, and health care operations);” and
2. “(T)he right to an accounting would provide additional information about the disclosure of designated record set information (whether hard-copy or electronic) to persons outside the covered entity and its business associates for certain purposes (e.g., law enforcement, judicial hearings, public health investigations).”[1]
The drafters of the proposed rule added: “The intent of the access report is to allow individuals to learn if specific persons have accessed their electronic designated record set information (it will not provide information about the purposes of the person's access). In contrast, the intent of the accounting of disclosures is to provide more detailed information (a ‘full accounting’) for certain disclosures that are most likely to impact the individual.”[2]
As a result, the proposed rule would increase some of the record-keeping responsibilities of Covered Entities (CEs) and Business Associates (BAs). However, the look-back period for which CEs and BAs must be able to account for how PHI was used and disclosed would be shortened from the current six years to three years prior to the date of the individual’s request. These changes, if adopted as proposed, would begin to take effect on January 1, 2013.
“This proposed rule represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard private health information,” said OCR Director Georgina Verdugo. “We need to protect people’s rights so that they know how their health information has been used or disclosed.”[3]
Background: Understanding HIPAA’s Key Terms
To understand exactly what, and who, would be affected by the potential rule change, it helps to be familiar with several key HIPAA terms.
Protected Health Information (PHI)
HIPAA’s Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information” or PHI.[4]
Simply put, “individually identifiable health information” is information, including demographic data, which relates to:
- An individual’s past, present or future physical or mental health or condition;
- The provision of health care to the individual; and
- The past, present or future payment for the provision of health care to the individual.
The term covers data that identifies an individual, or for which there is a reasonable basis to believe it could be used to identify the individual. This can include, but is not limited to, name, address, birth date and Social Security number. Additionally, the Privacy Rule excludes from protected health information employment and education records that a covered entity maintains in its capacity as an employer, as well as other data subject to the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.[5]
Covered Entity (CE)
The term “covered entity” is defined in section 160.103 of title 45, Code of Federal Regulations.[6] A covered entity is essentially a health care provider or partner of a health care provider who is bound by HIPAA rules and regulations. Currently, HIPAA Security Rule 45 CFR 164.312 requires covered entities (and now business associates – see below) to “implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use PHI.”[7]
Business Associate (BA)
The term “business associate” has a more complex definition under section 160.103 of title 45, Code of Federal Regulations.[8] “In general, a business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involves the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing.”[9]
Final Thoughts: Providing Feedback
As mentioned previously, the most dramatic change if the new proposed rule is implemented is that CEs and BAs must provide individuals with a report identifying which organizations have accessed their PHI for up to three years prior to the date of their request. Specifically, the response to the request must identify any party who accessed the PHI in an electronic format, as well as the date and time the party accessed the PHI, a description of the information accessed, and a description of the action by the user, if available.
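The two reports described above (the access report in the overview, and the per-request report whose contents are listed in the preceding paragraph) are easiest to see as filters over an audit trail. The following is an added example, not code from the alert or from HHS: it takes constructed audit events and produces both an access report (electronic access only, any purpose, no purpose shown) and an accounting of disclosures (any medium, outside recipients, selected purposes, purpose shown) for the three-year window before the request date. The event schema, the names, the dates and the short list of accountable purposes are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

LOOKBACK_YEARS = 3  # proposed look-back window before the request date

# Purposes the alert gives as examples of disclosures needing a full accounting.
# Assumed, illustrative list; not the complete regulatory set.
ACCOUNTABLE_PURPOSES = {"law enforcement", "judicial", "public health"}


@dataclass(frozen=True)
class AuditEvent:
    """One audit-trail record (constructed schema for this example)."""
    timestamp: datetime
    patient_id: str
    party: str             # person or organization that accessed the record
    medium: str            # "electronic" or "paper"
    info: str              # description of the information accessed
    action: Optional[str]  # e.g. "view"; None when the system did not record it
    outside_entity: bool   # True if the party is outside the CE and its BAs
    purpose: str           # recorded purpose of the access or disclosure


def parse_ts(text: str) -> datetime:
    """Parse an ISO-8601 timestamp such as '2012-03-01T09:15:00'."""
    return datetime.fromisoformat(text)


def lookback_start(request_date: datetime) -> datetime:
    """Same calendar day LOOKBACK_YEARS earlier; a Feb 29 request falls back to Feb 28."""
    year = request_date.year - LOOKBACK_YEARS
    try:
        return request_date.replace(year=year)
    except ValueError:
        return request_date.replace(year=year, day=28)


def _in_scope(ev: AuditEvent, patient_id: str, request_date: datetime) -> bool:
    """Event belongs to the requesting individual and lies inside the window."""
    return (ev.patient_id == patient_id
            and lookback_start(request_date) <= ev.timestamp <= request_date)


def build_access_report(events: List[AuditEvent], patient_id: str, request_date: datetime):
    """Access report: every electronic access, whatever its purpose (TPO included)."""
    rows = []
    for ev in sorted(events, key=lambda e: e.timestamp):
        if not _in_scope(ev, patient_id, request_date) or ev.medium != "electronic":
            continue
        rows.append({
            "party": ev.party,
            "date_time": ev.timestamp.isoformat(),
            "info": ev.info,
            "action": ev.action if ev.action is not None else "not recorded",
            # purpose deliberately omitted: the access report does not carry it
        })
    return rows


def build_accounting_of_disclosures(events: List[AuditEvent], patient_id: str, request_date: datetime):
    """Accounting of disclosures: hard-copy or electronic disclosures to outside
    persons for the accountable purposes, with the purpose included."""
    rows = []
    for ev in sorted(events, key=lambda e: e.timestamp):
        if not _in_scope(ev, patient_id, request_date):
            continue
        if not ev.outside_entity or ev.purpose not in ACCOUNTABLE_PURPOSES:
            continue
        rows.append({
            "recipient": ev.party,
            "date_time": ev.timestamp.isoformat(),
            "medium": ev.medium,
            "info": ev.info,
            "purpose": ev.purpose,
        })
    return rows


# Constructed audit trail for two patients; every name, date and purpose is invented.
SAMPLE_EVENTS = [
    AuditEvent(parse_ts("2012-03-01T09:15:00"), "P001", "nurse.alice", "electronic", "lab results", "view", False, "treatment"),
    AuditEvent(parse_ts("2010-06-01T14:00:00"), "P001", "dr.bob", "electronic", "visit note", "view", False, "treatment"),
    AuditEvent(parse_ts("2013-05-10T11:30:00"), "P001", "County Health Dept", "paper", "immunization record", None, True, "public health"),
    AuditEvent(parse_ts("2013-07-04T08:00:00"), "P002", "nurse.alice", "electronic", "lab results", "view", False, "treatment"),
    AuditEvent(parse_ts("2013-09-09T16:45:00"), "P001", "BillingVendor LLC", "electronic", "claim detail", None, False, "payment"),
    AuditEvent(parse_ts("2012-11-20T10:05:00"), "P001", "City Police Dept", "electronic", "admission record", "export", True, "law enforcement"),
    AuditEvent(parse_ts("2013-01-01T07:30:00"), "P001", "Referral Clinic", "electronic", "referral summary", "view", True, "treatment"),
]

REQUEST_DATE = parse_ts("2014-01-15T00:00:00")  # constructed request date

if __name__ == "__main__":
    print("Access report for P001:")
    for row in build_access_report(SAMPLE_EVENTS, "P001", REQUEST_DATE):
        print("  ", row)
    print("Accounting of disclosures for P001:")
    for row in build_accounting_of_disclosures(SAMPLE_EVENTS, "P001", REQUEST_DATE):
        print("  ", row)
```

Run as a script, the access report lists four electronic accesses between January 15, 2011 and the request date (the 2010 access is outside the window, the paper disclosure is not an electronic access), and the billing vendor's row shows "not recorded" because the system logged no action. The accounting lists only the two disclosures to outside parties for listed purposes; the referral to another provider for treatment is an electronic access, so it appears in the access report but not in the accounting. Keeping the two filters separate mirrors the distinction the drafters draw: the access report answers "who touched the record", the accounting answers "why it left the organization".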
For Brokers and other industry stakeholders, it is important to review the proposed HIPAA changes and become familiar with the new requirements, both now and once they are finalized later this year. The public comment period on the proposed rule ends on August 1, 2011.[10]
As always, HHS should strive to strike the right balance between too much protection of PHI and too little. Is the expansion of HIPAA worth the additional administrative burdens to CEs and BAs? We encourage you to let HHS know what you think.
All Brokers and industry stakeholders must keep abreast of developments in the health insurance field. This legislative alert is part of a broader initiative by BenefitMall to keep you informed as to the changes affecting your profession.
* * * * *
As more information becomes available, BenefitMall is committed to keeping you up-to-date in a timely manner. Visit www.BenefitMall.com to view past Legislative Alerts under the News and Events tab. Or, you may visit www.HealthcareExchange.com for blog posts, polls, surveys and numerous resources. If you have any questions, please contact your local BenefitMall Sales Team and they will be happy to assist you. Thank you for taking the time to read through this important notification.
1. federalregister.gov
2. Ibid.
3. hhs.gov
4. hhs.gov
5. ed.gov
6. access.gpo.gov
7. aspe.hhs.gov
8. As written in section 160.103 of title 45, Code of Federal Regulations:
   (1) Except as provided in paragraph (2) of this definition, business associate means, with respect to a covered entity, a person who:
       (i) On behalf of such covered entity or of an organized health care arrangement in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:
           (A) A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or
           (B) Any other function or activity regulated by this subchapter; or
       (ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the services involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
   (2) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement, does not, simply through the performance of such function or activity or the provision of such service, become a business associate of other covered entities participating in such organized health care arrangement.
   (3) A covered entity may be a business associate of another covered entity.
9. hhs.gov
10. Instructions on how to send in an official comment letter to HHS are detailed at federalregister.gov