Today, July 14, 2010, the Department of Health and Human Services ("HHS") formally published its proposed regulations implementing changes made to the HIPAA Privacy and Security Rules by the Health Information Technology for Economic and Clinical Health Act ("HITECH"). The proposed regulations also include other changes intended to confirm or clarify the original Privacy and Security Rules. HHS will accept comments regarding the proposed regulations from the public and the industry for a 60-day period ending September 13, 2010. Sometime thereafter, HHS will issue final regulations. For most provisions, HHS intends to set the effective date for compliance at 180 days after the final rule is published.
The proposed regulations cover a broad range of topics including the following highlights:
- Expanding HIPAA's enforcement provisions - including the application of penalties against business associates; increasing the penalty cap to $1.5 million depending on level of culpability, plus providing examples of violations that fall into the different penalty levels; and imposing vicarious liability based on "agency" principles
- Extending certain Privacy and Security Rule requirements to business associates - such as the Security Rule requirements to adopt administrative, technical and physical safeguards for ePHI
- Grandfathering current business associate agreements for up to an additional one-year transition/grace period before requiring amendment under the new regulations
- Creating a new business associate category of "subcontractors" - downstream entities that are contracted by business associates to perform services for covered entities
- Removing the business associate agreement requirement of termination and required reporting of material breaches to HHS
- Addressing the situation where a covered entity and business associate have failed to enter into a business associate agreement
- Clarifying the reporting obligations for security incidents and breaches by subcontractors, business associates, and covered entities
- Clarifying the new limitations on the use and disclosure of PHI for marketing - such as requiring opt-out notices (instead of authorizations) for "subsidized treatment communications"
- Requiring "conspicuous" opt-out notice - and providing instructions that are not burdensome - on fundraising materials
- Eliminating the requirement of using a limited data set when the minimum necessary rule applies
- Requesting comments on whether certain compound authorizations for research and authorizations for future research studies should be permitted
- Removing from the definition of PHI decedent's health information after 50 years
- Expanding access to a decedent's PHI to family members and others involved in the care of the patient prior to death
- Permitting disclosure of immunization records to schools based on a parent's oral agreement, as opposed to written authorization
- Clarifying an individual's right to access their PHI in the form and format requested by the individual - if it is readily producible in that form or format - and receive an accounting of disclosures of their PHI from an EMR
- Clarifying an individual's right to obtain restrictions on disclosures of PHI to health plans for services paid out-of-pocket in full
- Requiring covered entities to revise their Notice of Privacy Practices to include more information about which uses and disclosures require an authorization, such as for psychotherapy notes and marketing.
The proposed regulations may be accessed at http://edocket.access.gpo.gov/2010/pdf/2010-16718.pdf.
Hall Render's HIPAA Impact Series will be covering each of the above topics in detail. Our HIPAA Impact Series may be accessed at www.hallrender.com/impact.
If you need additional information about HIPAA/HITECH, please contact Elizabeth Callahan-Morris at (248) 457-7854 or ecallahan@hallrender.com, Mark Swearingen at (317) 977-1458 or mswearingen@hallrender.com, or your regular Hall Render attorney.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader must consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.