ARTICLE
21 August 2002

Good News, Bad News: Bush Administration Issues Revised Privacy Rules (Continued)


Research Recruitment

The Privacy Rules provide that research recruitment is neither a marketing nor a health care operations activity. HHS notes that covered health care providers and patients may continue to discuss the option of enrolling in a clinical trial without patient authorization and without an IRB or Privacy Board waiver of authorization. However, if a covered entity wants to disclose an individual's PHI to a third party for purposes of recruitment into a research study, the covered entity first must obtain either the individual's authorization or a waiver of authorization. This appears to leave the "reviews preparatory to research" exception as the only viable exception for covered health care providers seeking assistance in identifying candidates for clinical research. Under this limited exception, a researcher may conduct on-site reviews of PHI preparatory to a research protocol so long as the PHI is not removed from the covered entity in the course of the review.

On the other hand, there is some confusion in this area because a covered entity may engage a business associate to create a limited data set, in the same way it can use a business associate to create de-identified data. HHS notes that the business associate also may be the intended "recipient" of the limited data set (i.e., the party that uses the data for research purposes). If so, the Revised Privacy Rules appear to be somewhat contradictory with respect to the use of business associates in certain instances.

Special Issues: Uses and Disclosure Regarding FDA-Regulated Products and Activities

Whereas the Privacy Rule only allows disclosure where "required or directed" by the Food and Drug Administration (the "FDA"), the Revised Privacy Rule clarifies that disclosure may be made to "a person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity." Such purposes "include" collection of reports of adverse events, tracking FDA-regulated products, post-market surveillance, and so-called "lookback" activities (which include locating or notifying individuals who have received products that have been recalled, withdrawn, or are the subject of lookback). The Revised Privacy Rules clarify that a "person" includes FDA representatives and representatives of manufacturers identified on the product label.

Importantly, disclosure under this expanded FDA-exception is limited to disclosures related to "public health activities and purposes." HHS notes that, while a disclosure related to the safety, quality or effectiveness of an FDA-regulated product is a permissible disclosure, it is not permissible for a covered entity to disclose PHI to a manufacturer to allow the manufacturer to evaluate the effectiveness of a marketing campaign for a prescription drug. Where the disclosure is made for commercial purposes, this would not meet the public health purpose underlying this exception.

Further, the minimum necessary standard also applies to public health disclosures, including those made to "persons" subject to the jurisdiction of the FDA. Accordingly, health care providers must assess what types of information need to be given to a manufacturer or FDA representative in order to meet this standard. This is likely to cause problems: most manufacturers and the FDA typically claim that a substantial amount of PHI is necessary to evaluate a drug or device problem, which may leave health care providers attempting to sort out whether a disclosure will meet this exception. HHS appears to recognize that in the areas of device tracking or blood lookback, it is essential for the manufacturer to have PHI in order to carry out its responsibilities under the Food, Drug, and Cosmetic Act.

De-Identification of PHI and Limited Data Set

De-identification of PHI

In general, the Privacy Rule permits a covered entity to de-identify PHI so that the information can be freely disclosed without being subject to the rule's limitations (e.g., authorization requirements). The Privacy Rule includes a so-called safe-harbor provision allowing disclosure if 18 enumerated identifiers have been removed. The Revised Privacy Rules do not modify the safe harbor; however, they do clarify a number of provisions, including the use of so-called "re-identification" codes. Specifically, the Privacy Rule permits a covered entity to remove the 18 identifiers and to assign a code or other record identifier so that the information may be re-identified by the covered entity at a later date.

HHS clarifies that it did not intend such a re-identification code to be considered one of the unique identifying numbers or codes that prevent the information from being de-identified, and therefore makes a technical modification to the safe-harbor provision. Importantly, HHS clarifies that the re-identification code cannot be derived from the individual's social security number, birth date, or hospital record number. Additionally, for those interested in the finer points of the data, HHS indicates that a keyed-hash message authentication code (HMAC) does not meet the conditions for use as a re-identification code. Lastly, using 2000 Census data, the Revised Rule identifies 17 three-digit zip code prefixes whose geographic areas have 20,000 or fewer people. These 17 three-digit prefixes must be replaced with "000" in order to meet the safe harbor's de-identification standard.

Limited Data Set

In response to many commenters' requests for a less stringent standard of de-identification, particularly in the research area, HHS adds a new standard and implementation specification for a limited data set for research, public health or health care operations purposes if the covered entity (1) uses or discloses only a "limited data set" and (2) obtains from the recipient of the limited data set a "data use agreement." As with the de-identification safe harbor, the covered entity must remove certain direct identifiers, including: (1) name; (2) street address (renamed postal address information, other than city, State and zip code); (3) telephone and fax numbers; (4) e-mail address; (5) social security number; (6) certificate/license numbers; (7) vehicle identifiers and serial numbers; (8) URLs and IP addresses; and (9) full face photos and any other comparable images. In addition to these direct identifiers, the following information must also be removed: (1) medical record numbers, health plan beneficiary numbers, and other account numbers; (2) device identifiers and serial numbers; and (3) biometric identifiers, including finger and voice prints.

However, a limited data set may include (1) any dates related to the individual and (2) any geographic subdivision other than street address. Accordingly, researchers and others involved in public health studies will have access to dates of admission and discharge, as well as dates of birth and death for the individual. HHS further clarifies that the Privacy Rule allows the age of an individual to be expressed in years or in months, days, or hours as appropriate; moreover, the limited data set may include the five-digit zip code or any other geographic subdivision, such as State, county, city, precinct and their equivalent geocodes.
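The practical difference between the safe harbor described above and the limited data set is which fields survive. The following Python example, added here and not part of the original article, applies both transformations to one constructed record: the safe harbor strips direct identifiers, reduces dates to the year, drops geography finer than State, and truncates the zip code to its three-digit prefix (or "000" for a restricted prefix), while the limited data set strips only the direct identifiers and keeps full dates and the five-digit zip. It also shows a re-identification code that is not derived from the SSN, birth date or record number: a random token whose only link to the patient is a lookup table the covered entity keeps to itself. The field names, the sample record and the `ReidTable` helper are this example's own; the 17 restricted zip prefixes are assumed to be the HHS list derived from the 2000 Census and should be verified against HHS's current publication before use.

```python
"""Safe-harbor de-identification versus a limited data set (added example)."""
from __future__ import annotations

import secrets
from datetime import date

# Three-digit ZIP prefixes that the safe harbor replaces with "000".
# Assumption: the 17 prefixes HHS derived from the 2000 Census; verify against
# the list HHS currently publishes before relying on it.
RESTRICTED_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
})

# Direct identifiers stripped by BOTH the safe harbor and the limited data set.
# Field names are this example's own; they follow the identifier list above.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "license_no",
    "vehicle_id", "url", "ip", "photo", "mrn", "health_plan_id", "account_no",
    "device_serial", "biometric",
})

# Dates directly related to the individual: the safe harbor keeps only the
# year, a limited data set keeps them in full.
DATE_FIELDS = frozenset({"dob", "admit_date", "discharge_date", "death_date"})

# Geography finer than State: dropped by the safe harbor (except the ZIP
# prefix), kept in a limited data set.
GEO_FIELDS = frozenset({"city", "county", "zip"})


def safe_harbor_zip(zip5: str) -> str:
    """Keep only the three-digit ZIP prefix, or '000' if the prefix is restricted."""
    zip3 = zip5[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


class ReidTable:
    """Re-identification map that stays with the covered entity (hypothetical helper).

    Each code is a random token, so it is derived from nothing about the
    individual (not the SSN, birth date or record number) and cannot be
    reversed without this table. An HMAC over the SSN, by contrast, is a
    function of the identifier itself, which the page notes HHS does not accept.
    """

    def __init__(self) -> None:
        self._by_code: dict[str, str] = {}

    def assign(self, record: dict) -> str:
        code = secrets.token_hex(16)
        self._by_code[code] = record["mrn"]
        return code

    def lookup(self, code: str) -> str | None:
        return self._by_code.get(code)


def safe_harbor(record: dict, reid: ReidTable | None = None) -> dict:
    """Apply the safe-harbor suppressions; optionally attach a re-identification code."""
    out: dict = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif key in GEO_FIELDS:
            continue
        elif key in DATE_FIELDS:
            out[f"{key}_year"] = value.year
        elif key == "age":
            # The safe harbor's own rule (not discussed on the page): ages over
            # 89 are aggregated into a single "90+" category.
            out["age"] = "90+" if value > 89 else value
        else:
            out[key] = value
    if reid is not None:
        out["reid_code"] = reid.assign(record)
    return out


def limited_data_set(record: dict) -> dict:
    """Strip the direct identifiers only; dates and sub-State geography survive."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


# Constructed sample record, not real patient data. ZIP 036xx is a restricted prefix.
SAMPLE = {
    "mrn": "MRN-00042",
    "name": "Jane Roe",
    "ssn": "123-45-6789",
    "street_address": "1 Main St",
    "city": "Concord",
    "county": "Merrimack",
    "state": "NH",
    "zip": "03601",
    "email": "jane@example.com",
    "dob": date(1931, 6, 2),
    "age": 91,
    "admit_date": date(2002, 8, 1),
    "discharge_date": date(2002, 8, 5),
    "diagnosis": "I10",
}

if __name__ == "__main__":
    table = ReidTable()
    print(safe_harbor(SAMPLE, table))
    print(limited_data_set(SAMPLE))
```

Run as a script it prints both derived records. Note that a limited data set is still PHI under the rule, which is why its release depends on a data use agreement rather than on the data alone; the safe-harbor output is what can leave the covered entity without one.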

In order to receive the information, the recipient must enter into a data use agreement, a quasi business associate type agreement designed to ensure the confidentiality of the information received. Although the Revised Privacy Rules make clear that HHS does not specify the form of the data use agreement (which may be a formal agreement and/or a memorandum of understanding), the rule provides that a data use agreement must establish the permitted uses and disclosures of the information by the recipient, consistent with the purposes of research, public health, or health care operations; must limit who can use or receive the data; and must require the recipient to agree not to re-identify the data or contact the individuals. In addition, the data use agreement must contain adequate assurances that the recipient will use appropriate safeguards to prevent use or disclosure of the limited data set other than as permitted by the Privacy Rules and the data use agreement, or as required by law. These provisions are substantially similar to the business associate agreement provisions between covered entities and third parties and, indeed, one would expect that many data use agreements will be modeled substantially on the sample business associate provisions.

As with business associate-type agreements, the Revised Privacy Rules clarify that the disclosing covered entity is not liable for breaches of the data use agreement by the recipient of the limited data set. However, if a covered entity knows of a pattern of activity or practice of the data recipient that constitutes a material breach or violation of the data use agreement, then the covered entity must take reasonable steps to cure the breach or end the violation, as applicable, and, if unsuccessful, discontinue disclosure of the limited data set to the recipient and report the problem to the Secretary. Further, as with business associates, the recipient of a limited data set is required to report to the covered entity any improper uses or disclosures of limited data set information of which it becomes aware, and the data use agreement requirements apply to disclosures of the limited data set to agents and subcontractors of the original recipient.

HHS makes clear that a covered entity may engage a business associate to create a limited data set, in the same way it can use a business associate to create de-identified data. HHS notes that the business associate also may be the intended "recipient" of the limited data set. Presumably, a business associate contract would suffice for the "data use agreement" requirements although special provisions may need to be included in agreements with third parties that effectively mine PHI to create a limited data set for subsequent research purposes.

Importantly, the limited data set exception applies only to research, public health or health care operations purposes. HHS clarifies that, while it recognizes the important role of journalists in reporting on public health issues, limited data sets may not be furnished to such individuals. Notes HHS, "a key element of the limited data set is that the recipient enter into a data use agreement that would limit access to the limited data set, prohibit any attempt to identify or contact any individual, and limit further use or disclosure of the limited data set. These limitations are inherently at odds with journalists' asserted need for access to patient information."

Accounting of Disclosures of PHI

Generally, the Privacy Rule requires that individuals have a right to receive an accounting of disclosures of PHI made by covered entities over a six (6) year period of time with certain exceptions. Accountings must be provided, upon request, once a year without charge. The Revised Privacy Rules contain a number of favorable clarifications and exceptions from a covered health care provider’s perspective.

Authorized Disclosures

The Revised Privacy Rules clarify that covered health care providers need not furnish an accounting of any disclosures made pursuant to a valid authorization. Under this revised exception, covered entities are no longer responsible for providing an accounting of any disclosures authorized by the individual. HHS clarifies that nothing in this provision prevents a mental health professional from including authorized disclosures of psychotherapy notes in an accounting requested by a patient if the professional so chooses; the modification adopted by HHS simply no longer requires such an accounting.

Limited Data Set & Incidental Disclosures

The Revised Privacy Rules make clear that a covered entity need not include, in any accounting of disclosures provided to the individual, disclosures of PHI furnished in limited data sets to recipients under a data use agreement. The Revised Privacy Rules also except disclosures that are merely incidental to another permissible use or disclosure; these will not require an accounting.

Public Health Disclosures

While the Privacy Rule permits disclosures of PHI for a number of public health purposes without authorization, HHS considers these to be "non-routine" disclosures of the individual's PHI. Accordingly, HHS rejected commenters' requests for an exception from the accounting requirements for public health disclosures. These must be provided to the individual if an accounting is requested.

Research Disclosures

Although HHS rejected commenters' requests to exempt all research disclosures made pursuant to a waiver of authorization (IRB or Privacy Board waiver), HHS acknowledges that the rule's accounting obligations could have the undesired effect of causing covered entities to halt disclosures of PHI for research purposes. As a result, HHS revised the accounting requirements to permit covered entities to meet their obligations for research disclosures by providing individuals with a list of all protocols for which the patient's PHI may have been disclosed for research pursuant to a waiver of authorization (IRB or Privacy Board waiver), as well as the researcher's name and contact information. This procedure is available only if the research disclosure involves 50 or more records. The accounting must include the name of the study or protocol, a description of the purpose of the study and the type of PHI sought, and the timeframe of disclosures in response to the request. In addition, when requested by the individual, the covered entity must provide assistance in contacting those researchers to whom it is likely that the individual's PHI was actually disclosed.

Health Care Provider Discretion

HHS recognizes the sensitivity of reporting certain types of information such as reports regarding victims of neglect, abuse, or domestic violence. Here HHS gives the covered health care provider discretion in notifying the victim and/or the individual’s personal representative at the time of the disclosure. However, HHS believes that "these concerns become more attenuated in the context of an accounting for disclosures, which must be requested by the individual and for which the covered entity has a longer timeframe to respond." HHS further states that, if the individual is requesting the accounting, even after being warned of the potential dangers, the covered entity should honor that request. However, HHS provides one exception to the general rule—"if the request is by the individual’s personal representative and the covered entity has a reasonable belief that such person is the abuser or that providing the accounting to such person could endanger the individual, the covered entity continues to have the discretion to decline such a request."

Accounting for Business Associate Disclosures

The Revised Privacy Rule reiterates that covered health care providers are not required to provide an accounting of any disclosure to or by a business associate that is for any exempt purpose, including disclosures for treatment, payment, and health care operations.

Special Issues: Business Associates

Business Associate Transition Rules

The Revised Privacy Rules adopt the revisions from the proposed rule with respect to the business associate transition provisions. Those revisions generally provide that a covered entity, other than a small health plan, may receive a one-year extension until April 14, 2004 for certain contracts with third parties who receive PHI from the covered entity. Specifically, agreements entered into prior to October 15, 2002 (the effective date of the Revised Privacy Rules) that are not modified or renewed before April 14, 2003, including so-called "evergreen" agreements which merely renew automatically without any action of the parties, will qualify for this one-year extension. For purposes of this extension, HHS clarifies that automatic inflation clauses are not considered a "renewal or modification." Accordingly, written agreements with business associates that are entered into on or after October 15, 2002, that are amended or modified on or after that date, or that are newly executed after April 14, 2003, will have to comply with the business associate provisions.

While certain qualifying contracts need not be amended to include the business associate provisions, HHS still requires covered entities to comply with several aspects of the formal business associate agreement. Those include the requirement for covered entities to make information available to the Secretary of HHS (including that held by business associates in a designated record set) as necessary for the Secretary to determine the covered entity's compliance with the Revised Privacy Rules; to comply with an individual's rights to access or amend PHI maintained by a business associate; and to comply with an individual's right to request an accounting of all disclosures of PHI by the covered entity and business associate. In addition, the Revised Privacy Rules add a new requirement that covered entities taking advantage of the one-year extension must also mitigate, to the extent practicable, any harmful effect of a known use or disclosure of PHI by the business associate in violation of the covered entity's policies or the Revised Privacy Rules. Importantly, however, in response to commenters' concerns, HHS clarifies that "a covered entity is not required to obtain satisfactory assurances (in any form), as required by § 164.502(e)(1) from a business associate to which the transition period applies. The transition period effectively deems such qualified contracts to fulfill the requirement for satisfactory assurances from the business associate." Notwithstanding this favorable comment, because some of the business associate requirements apply on April 14, 2003, many covered entities may elect to make the contractual modifications now, where feasible, or provide certain third-party vendors with notice of the business associate requirements that apply to the contract by operation of law.

Covered Entity Liability for Business Associate Activities

In the Revised Privacy Rules HHS makes clear that covered entities are not required to actively monitor the actions of their business associates. HHS expressly states that covered entities are not liable for the actions of their business associates; rather, it is only when a covered entity "knows" of a "pattern of activity or practice that constitutes a material breach or violation" of the business associate's duties and obligations under the business associate agreement that the covered entity has any obligations. Even then, in the event of such a known breach of the business associate agreement, the covered entity must only take steps to cure the breach by the business associate or end the violation. HHS also resolves a lingering concern for many business associates: the agency does not have the statutory authority to hold business associates that are not themselves covered entities liable under the Privacy Rule.

Business Associate Agreement and Further Clarifications

HHS has again included a sample business associate agreement and a number of clarifications. For example, HHS states that a covered entity need not provide access to information held by a business associate if the only information held by the business associate is a duplicate of what the covered entity maintains and to which it has provided the individual access. HHS also clarifies that disclosures from a covered entity to a researcher for research purposes do not require a business associate contract (although, of course, a data use agreement may be required if the covered entity is furnishing the researcher with the limited data set).

With regard to the revised "model" agreement, HHS makes clear that the form is only guidance and does not substitute for legal advice. HHS notes that other contractual provisions may be necessary under State or other law and that contracts will vary based upon the relationship between the covered entity and the business associate. HHS rejects commenters' requests that the form be considered a compliance "safe harbor." HHS also makes clear that the time and manner in which a business associate must make PHI maintained on behalf of a covered entity available for purposes of individual requests for access, amendment and accounting may be determined by the parties themselves. Further, HHS clarifies that in each instance it is up to the covered entity, and not the business associate, to comply with individuals' requests for amendments to PHI or an accounting of PHI disclosed. Accordingly, the default rule only requires the business associate to make PHI it maintains available to the covered entity itself and not to the individual, unless the business associate agrees to provide access and amendment directly to individuals. On the other hand, HHS clarifies that business associates must permit the Secretary of HHS direct access to the business associate's practices, books and records for purposes of determining the covered entity's compliance with the Revised Privacy Rules.

Finally, the new sample agreement clarifies that business associates are only required to notify the covered entity of uses and disclosures of PHI not permitted or required by the agreement of which they become "aware." This standard is lower than the "knowing" standard required by other aspects of the Revised Privacy Rules.

Miscellaneous Issues

Changes of Legal Ownership

As a result of the revisions to the Privacy Rules, the use or disclosure of PHI in connection with a change of ownership of a covered entity (e.g., merger, acquisition, consolidation, etc.) is now considered to be a health care operation. Accordingly, under the new definition of health care operations a covered entity may use or disclose PHI in connection with the sale or transfer of assets (or other change of ownership transaction) to an entity that is, or will become, a covered entity. This specifically includes due diligence reviews of PHI and the transfer of records containing PHI. Any uses or disclosures of PHI in connection with a change in ownership that do not meet the specifics of this definition would still require an individual's authorization or an express exception in the Revised Privacy Rules. Moreover, HHS indicates that the rule is not violated if the transaction does not go through; rather, HHS notes, "it is standard practice for parties contemplating such transactions to enter into confidentiality agreements." Although the rule does not require a "confidentiality agreement" for transaction purposes, the commentary indicates that HHS would expect the parties to have such provisions in place before sharing PHI for due diligence purposes.

By way of example, if the assets of a physician’s clinic (including the medical records) are sold to a hospital, PHI may be exchanged between the parties for purposes of conducting due diligence without an individual’s authorization. Further, once the transaction is complete and the assets, including the medical records, are transferred, the hospital becomes responsible for protecting the security and confidentiality of the PHI within those records in accordance with the Revised Privacy Rules. Accordingly, the hospital must respect individuals’ rights to access, amend or request accountings with respect to their PHI. However, the hospital may immediately begin to use and/or disclose any PHI contained within those records to provide health care services to the individuals and/or seek payment or conduct other health care operations. HHS’ views do not, however, take into consideration State law requirements which may require notification to the individuals whose medical records may be acquired.

Exclusion of Employment Records from the Definition of PHI

The Revised Privacy Rules exclude employment records from the definition of PHI so long as the covered entity maintaining them is doing so in its capacity as an employer and not as a health care provider, health plan or health care clearinghouse. According to the Revised Privacy Rules, what matters is not the nature of the information itself, but how that information is obtained or created. If the information is obtained or created by a covered entity as an employment record in its capacity as an employer it is not considered to be PHI. However, if that same information is obtained or created by a covered entity while acting as a health care provider, health plan or health care clearinghouse, that same information will be considered to be PHI and afforded all the protections of the Privacy Rules and its recent revisions.

By way of example, the medical record of a hospital employee who is receiving treatment at the hospital is considered to be PHI because the hospital created the information contained within the medical record when it documented the services rendered to the employee. Thus, with the exception of workers' compensation situations, the hospital in its provider capacity may not disclose PHI to the hospital in its employer capacity. Of course, if that employee authorizes copies of the medical information to be transferred to his or her employment record (maintained by the hospital's human resources department), those copies will not be considered PHI. It should be noted that the information contained in the medical record has not lost its status as PHI simply because copies of it were provided to the hospital as an employer. Rather, the same information now has a dual status: it is treated as PHI when maintained in the medical record and not as PHI when maintained in the employment record. This rule also applies to PHI held by an employer's health plan. Health plan issues are addressed separately in a client alert dedicated to those issues.

Medical Record Copy Charges

The Privacy Rules provide that each individual has a right of access to inspect and obtain a copy of PHI about the individual which is maintained in a designated record set, unless an exception applies (e.g., psychotherapy notes). The Privacy Rules provide that the covered health care provider may only charge a reasonable cost-based fee, provided the fee includes only the cost of: (i) copying, including the costs of supplies for and labor of copying, the PHI; (ii) postage (if mailed); and (iii) preparing an explanation, if agreed to by the individual.

Because some hospitals outsource this function to third parties (who would likely become business associates) and because some state laws establish copy fees, at least one commenter was concerned that this provision would drive out the outsourcing industry. HHS responded that the copy-fee limitation provision only limits the fees that may be charged to individuals or their personal representatives when records are requested in accordance with the right of access provisions. The fee limitations do not apply to any other permissible disclosures by the covered entity, including disclosures that are permitted for treatment, payment or health care operations, disclosures that are based on an individual's valid authorization, or other disclosures to third parties permitted without the individual's authorization (e.g., public health authorities, clinical researchers under an authorization waiver, or researchers receiving limited data sets).

Legal Alert is a bulletin of new developments and is not intended as legal advice or as an opinion on specific facts. For more information on Health Care law issues, please call any of the attorneys in the Health Care Practice Group or contact us through our website, www.KilpatrickStockton.com.
