HHS Issues Much-Anticipated Proposed HITECH Privacy, Security And Enforcement Rulemaking

On July 14, 2010, the Department of Health and Human Services (HHS) released much-anticipated proposed regulations implementing privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009.  The proposed regulations and accompanying preamble discussion from HHS do not have the scope of the behemoth rulemaking issued to implement the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in 2000, but they do contain significant changes to the federal health information privacy regime that are sure to impact all sectors of the health industry. 

A number of proposed changes to the HIPAA regime are expected to have a substantial impact in the health sector, including—

  • New obligations for “business associates”—including subcontractors and health information exchanges—under HIPAA Privacy and Security rules.  The proposed regulations would require business associates (now defined expressly to include subcontractors of business associates, health information exchanges and others): (i) to use or disclose protected health information (PHI) only as permitted by the Privacy Rule and as consistent with its Business Associate Agreement and, additionally, to disclose PHI to HHS for compliance purposes; (ii) to disclose PHI in an electronic format to a covered entity or an individual in order to facilitate the covered entity’s compliance with the Privacy Rule; (iii) to comply with the minimum necessary standard; and (iv) to take reasonable steps to cure a material breach by a subcontractor or terminate the agreement with the subcontractor.  Importantly, the proposed regulations would also require a business associate to comply with all the requirements of the Privacy Rule to the extent it carries out a covered entity’s obligations under the HIPAA rules.  The proposed regulations also clarify the HITECH Act’s requirement that business associates comply with the Security Rule in the same manner as a covered entity.
  • Expanding individuals’ right to access their PHI.  The proposed rule would require a covered entity that uses or maintains electronic PHI in a designated record set to provide individuals with access to the PHI in the electronic format requested (if it is readily producible) and to comply with an individual’s request for PHI to be sent to a third party. 
  • New restrictions on disclosure of PHI to health plans.  The proposed rule would require covered entities to comply with an individual’s request to restrict disclosure of his or her PHI to a health plan if the disclosure is for purposes of payment or health care operations, and the PHI relates to health care services for which an individual (or someone on that individual’s behalf) paid out of pocket in full.
  • Changes to the Notice of Privacy Practices.  The proposed rule would require covered entities to revise their Notice of Privacy Practices to include, among other existing and new elements, a description of the uses and disclosures of PHI that require an authorization (including uses and disclosures of psychotherapy notes, uses and disclosures of PHI for marketing purposes, and sale of PHI) and a statement (i) that other uses and disclosures not described in the Notice of Privacy Practices will be made only with the individual’s written authorization and (ii) that the individual may revoke any such authorization.  In addition, to the extent a covered entity wishes to send to an individual either fundraising requests or certain treatment communications whereby the provider receives financial remuneration in exchange for making the communications, the covered entity may need to include a statement in the Notice of Privacy Practices informing the individual about the possibility of such communications and providing the individual with a means to opt out of such communications. 

Other important changes addressed through the proposed rulemaking include new restrictions on the use and disclosure of PHI for marketing and fundraising, as well as restrictions on sale of PHI. 

The proposed regulations do not address all privacy and security questions raised by the HITECH Act.  For example, HHS stated that it will provide guidance on what constitutes “minimum necessary” in future rulemakings and that, for now, covered entities and business associates should continue to use limited data sets whenever feasible.  HHS also did not propose regulations to implement the HITECH Act’s requirements on accounting for disclosures or the new grant of authority to state attorneys general to enforce HIPAA.  Significant questions also remain regarding the interaction between the HIPAA Enforcement Rule and the HIPAA Breach Notification Rule.  While HHS clarified in a previous rulemaking that a HIPAA privacy violation is necessary, but not sufficient, to trigger the breach notification requirements, agency guidance may be helpful concerning whether entities reporting breaches to HHS as required by law will have to bear the full brunt of penalties for underlying HIPAA violations revealed, among other issues. 

HHS proposed that compliance with most components of the rulemaking would be required six months after the final regulations are published, with an extension of an additional six months for bringing Business Associate Agreements into compliance.  A final (or interim final) rulemaking may not emerge until 2011.

Contact Information

If you have any questions regarding this alert, please contact— 

Jorge Lopez, Jr.
Washington, D.C.

Kelly Cleary
Washington, D.C.

Jo-Ellyn Sakowitz Klein
Washington, D.C.

Anna Dolinsky
Washington, D.C.