HHS Issues Proposed Rules to Implement Privacy and Security Provisions of HITECH Act

On July 8, 2010, the Department of Health & Human Services (HHS) released proposed rules that would modify the privacy, security, and enforcement rules of the Health Insurance Portability and Accountability Act (HIPAA) to implement changes required by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. HHS also intends to take the opportunity to make other modifications to the rules that HHS says will make them more workable and effective.

The proposed regulations are slated for publication in the Federal Register on July 14. They would not be effective until publication of a final rule. Comments on the proposed regulations will be accepted for 60 days following publication in the Federal Register.

As expected, the proposed rules track the HITECH Act. They focus on business associates, enforcement, and an assortment of other privacy and security topics. They would require business associates to comply with the HIPAA security rule and the privacy provisions of the HITECH Act. They would also require small amendments to business associate contracts and notices of privacy practices, but covered entities would be given time to make these changes.

The proposed regulations would require no changes to minimum necessary practices, beyond the need for covered entities to consider the feasibility of using the minimum data set—HHS just solicits comments on this topic. Perhaps the most disturbing surprise is the indication that covered entities will be held directly liable for the violations of business associates who are agents, rather than independent contractors—a troubling distinction that was first made in the data-breach reporting regulations issued last year.

In addition, HHS would take the opportunity to make changes unrelated to the HITECH Act: Health records of decedents could be discussed with family members and friends who are not personal representatives of the deceased, and would be freed from all privacy restrictions after 50 years; there would be more flexibility for research authorizations; and providers would be allowed to disclose immunization information to schools.

Most of the privacy and security provisions of the HITECH Act went into effect on Feb. 18, 2010, and do not depend on implementing regulations. However, HHS proposes to allow covered entities 180 days after the effective date of final regulations to come into compliance with the privacy and security standards in the new rule; changes to the enforcement rule would be effective immediately. HHS would allow a longer period to amend business associate contracts. This vindicates Davis Wright Tremaine’s wait-and-see approach to amending business associate contracts in the wake of the HITECH Act.

For a summary of the proposed rules, please click here (PDF).

For more information, please contact:

Los Angeles: Adam Romney or Aleah Yung

Seattle: Becky Williams, Jane Eckels