HIPAA Privacy Regulations: Transition Provisions - § 164.532
As Contained in the HHS HIPAA Privacy Rules
|
HHS Regulations as Amended January 2013 |
(a) Standard: Effect of prior authorizations. Notwithstanding §§164.508 and 164.512(i), a covered entity may use or disclose protected health information, consistent with paragraphs (b) and (c) of this section, pursuant to an authorization or other express legal permission obtained from an individual permitting the use or disclosure of protected health information, informed consent of the individual to participate in research, a waiver of informed consent by an IRB, or a waiver of authorization in accordance with §164.512(i)(1)(i).
(b) Implementation specification: Effect of prior authorization for purposes other than research. Notwithstanding any provisions in §164.508, a covered entity may use or disclose protected health information that it created or received prior to the applicable compliance date of this subpart pursuant to an authorization or other express legal permission obtained from an individual prior to the applicable compliance date of this subpart, provided that the authorization or other express legal permission specifically permits such use or disclosure and there is no agreed-to restriction in accordance with §164.522(a).
(c) Implementation specification: Effect of prior permission for research. Notwithstanding any provisions in §§164.508 and 164.512(i), a covered entity may, to the extent allowed by one of the following permissions, use or disclose, for research, protected health information that it created or received either before or after the applicable compliance date of this subpart, provided that there is no agreed-to restriction in accordance with §164.522(a), and the covered entity has obtained, prior to the applicable compliance date, either:
(1) An authorization or other express legal permission from an individual to use or disclose protected health information for the research;
(2) The informed consent of the individual to participate in the research;
(3) A waiver, by an IRB, of informed consent for the research, in accordance with 7 CFR 1c.116(d), 10 CFR 745.116(d), 14 CFR 1230.116(d), 15 CFR 27.116(d), 16 CFR 1028.116(d), 21 CFR 50.24, 22 CFR 225.116(d), 24 CFR 60.116(d), 28 CFR 46.116(d), 32 CFR 219.116(d), 34 CFR 97.116(d), 38 CFR 16.116(d), 40 CFR 26.116(d), 45 CFR 46.116(d), 45 CFR 690.116(d), or 49 CFR 11.116(d), provided that a covered entity must obtain authorization in accordance with §164.508 if, after the compliance date, informed consent is sought from an individual participating in the research; or
(4) A waiver of authorization in accordance with §164.512(i)(1)(i).
(d) Standard: Effect of prior contracts or other arrangements with business associates. Notwithstanding any other provisions of this part, a covered entity, or business associate with respect to a subcontractor, may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf pursuant to a written contract or other written arrangement with such business associate that does not comply with §§164.308(b), 164.314(a), 164.502(e), and 164.504(e), only in accordance with paragraph (e) of this section.
(e) Implementation specification: Deemed compliance. (1) Qualification. Notwithstanding other sections of this part, a covered entity, or business associate with respect to a subcontractor, is deemed to be in compliance with the documentation and contract requirements of §§164.308(b), 164.314(a), 164.502(e), and 164.504(e), with respect to a particular business associate relationship, for the time period set forth in paragraph (e)(2) of this section, if:
(i) Prior to January 25, 2013, such covered entity, or business associate with respect to a subcontractor, has entered into and is operating pursuant to a written contract or other written arrangement with the business associate that complies with the applicable provisions of §164.314(a) or §164.504(e) that were in effect on such date; and
(ii) The contract or other arrangement is not renewed or modified from March 26, 2013, until September 23, 2013.
(2) Limited deemed compliance period. A prior contract or other arrangement that meets the qualification requirements in paragraph (e) of this section shall be deemed compliant until the earlier of:
(i) The date such contract or other arrangement is renewed or modified on or after September 23, 2013; or
(ii) September 22, 2014.
(3) Covered entity responsibilities. Nothing in this section shall alter the requirements of a covered entity to comply with part 160, subpart C of this subchapter and §§164.524, 164.526, 164.528, and 164.530(f) with respect to protected health information held by a business associate.
(f) Effect of prior data use agreements. If, prior to January 25, 2013, a covered entity has entered into and is operating pursuant to a data use agreement with a recipient of a limited data set that complies with §164.514(e), notwithstanding §164.502(a)(5)(ii), the covered entity may continue to disclose a limited data set pursuant to such agreement in exchange for remuneration from or on behalf of the recipient of the protected health information until the earlier of:
(1) The date such agreement is renewed or modified on or after September 23, 2013; or
(2) September 22, 2014.
| HHS Description and Commentary from the January 2013 Amendments Transition Provisions |
Proposed Rule
We understand that covered entities and business associates are concerned with the anticipated administrative burden and cost to implement the revised business associate agreement provisions of the Privacy and Security Rules.
Covered entities may have existing contracts that are not set to terminate or expire until after the compliance date of the modifications to the Rules, and we understand that a six month compliance period may not provide enough time to reopen and renegotiate all contracts. In response to these concerns, we proposed to relieve some of the burden on covered entities and business associates in complying with the revised business associate provisions by adding a transition provision to grandfather certain existing contracts for a specified period of time. The Department’s authority to add the transition provision is set forth in § 160.104(c), which allows the Secretary to establish the compliance date for any modified standard or implementation specification, taking into account the extent of the modification and the time needed to comply with the modification.
The proposed transition period would prevent rushed and hasty changes to thousands of on-going existing business associate agreements. We addressed the issue of the business associate transition provisions as follows.
We proposed new transition provisions at § 164.532(d) and (e) to allow covered entities and business associates (and business associates and business associate subcontractors) to continue to operate under certain existing contracts for up to one year beyond the compliance date of the revisions to the Rules. The additional transition period would be available to a covered entity or business associate if, prior to the publication date of the modified Rules, the covered entity or business associate had an existing contract or other written arrangement with a business associate or subcontractor, respectively, that complied with the prior provisions of the HIPAA Rules and such contract or arrangement was not renewed or modified between the effective date and the compliance date of the modifications to the Rules. The proposed provisions were intended to allow those covered entities and business associates with valid contracts with business associates and subcontractors, respectively, to continue to disclose protected health information to the business associate or subcontractor, or to allow the business associate or subcontractor to continue to create or receive protected health information on behalf of the covered entity or business associate, for up to one year beyond the compliance date of the modifications, regardless of whether the contract meets the applicable contract requirements in the modifications to the Rules. With respect to business associates and subcontractors, the proposal would grandfather existing written agreements between business associates and subcontractors entered into pursuant to § 164.504(e)(2)(ii)(D) (which requires the business associate to ensure that its agents with access to protected health information agree to the same restrictions and conditions that apply to the business associate). The Department proposed to deem such contracts to be compliant with the modifications to the Rules until either the covered entity or business associate has renewed or modified the contract following the compliance date of the modifications, or until the date that is one year after the compliance date, whichever is sooner.
In cases where a contract renews automatically without any change in terms or other action by the parties (also known as “evergreen contracts”), the Department intended that such evergreen contracts would be eligible for the extension and that deemed compliance would not terminate when these contracts automatically rolled over.
These transition provisions would have applied to covered entities and business associates only with respect to written contracts or other written arrangements as specified above, and not to oral contracts or other arrangements.
These transition provisions would have only applied to the requirement to amend contracts; they would not affect any other compliance obligations under the HIPAA Rules. For example, beginning on the compliance date of this rule, a business associate may not use or disclose protected health information in a manner that is contrary to the Privacy Rule, even if the business associate’s contract with the covered entity has not yet been amended.
Overview of Public Comments
Many commenters supported the 1-year extended timeframe for compliance with the business associate agreement provisions. Some commenters suggested longer timeframes, citing cost and resource limitations. Some commenters suggested that the Department should deem compliant all business associate agreements that have been renegotiated in good faith to meet the February 2010 effective date of the applicable provisions in the HITECH Act. Some commenters suggested that the Department recognize as compliant business associate agreements with provisions requiring compliance with all applicable laws.
Final Rule
The final rule adopts the proposal, adding new transition provisions at § 164.532(d) and (e) to allow covered entities and business associates (and business associates and business associate subcontractors) to continue to operate under certain existing contracts for up to one year beyond the compliance date of the revisions to the Rules.
We decline to provide a longer time for compliance with the business associate agreement provisions. We provided a similar transition period for revising agreements in the 2002 modifications to the HIPAA Rules, and it was our experience that such time was sufficient to ease burden on the entities and allow most agreements to be modified at the time they would otherwise come up for renewal or renegotiation.
With respect to those business associate agreements that already have been renegotiated in good faith to meet the applicable provisions in the HITECH Act, covered entities should review such agreements to determine whether they meet the final rule’s provisions. If they do not, these covered entities then have the transition period to make whatever additional changes are necessary to conform to the final rule. The transition period is also available to those agreements that require compliance with all applicable laws (to the extent the agreements were otherwise in compliance with the HIPAA Rules prior to this final rule), but that do not fully meet the new requirements in this final rule.
However, we do not deem such contracts as compliant beyond the transition period because they would not sufficiently reflect the new requirements.
| HHS Description of and Commentary on August 2002 Revisions Business Associate Agreement Transition |
December 2000 Privacy Rule. The Privacy Rule at § 164.502(e) permits a covered entity to disclose protected health information to a business associate who performs a function or activity on behalf of, or provides a service to, the covered entity that involves the creation, use, or disclosure of, protected health information, provided that the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information. The Department recognizes that most covered entities do not perform or carry out all of their health care activities and functions by themselves, but rather use the services of, or receive assistance from, a variety of other persons or entities. Given this framework, the Department intended these provisions to allow such business relationships to continue while ensuring that identifiable health information created or shared in the course of the relationships was protected.
The Privacy Rule requires that the satisfactory assurances obtained from the business associate be in the form of a written contract (or other written arrangement, as between governmental entities) between the covered entity and the business associate that contains the elements specified at § 164.504(e). For example, the agreement must identify the uses and disclosures of protected health information the business associate is permitted or required to make, as well as require the business associate to put in place appropriate safeguards to protect against a use or disclosure not permitted by the contract or agreement.
The Privacy Rule also provides that, where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement. If termination of the contract or arrangement is not feasible, a covered entity is required to report the problem to the Secretary of HHS. A covered entity that violates the satisfactory assurances it provided as a business associate of another covered entity is in noncompliance with the Privacy Rule.
The Privacy Rule’s definition of “business associate” at § 160.103 includes the types of functions or activities, and list of services, that make a person or entity who engages in them a business associate, if such activity or service involves protected health information. For example, a third party administrator (TPA) is a business associate of a health plan to the extent the TPA assists the health plan with claims processing or another covered function. Similarly, accounting services performed by an outside consultant give rise to a business associate relationship when provision of the service entails access to the protected health information held by a covered entity.
The Privacy Rule excepts from the business associate standard certain uses or disclosures of protected health information. That is, in certain situations, a covered entity is not required to have a contract or other written agreement in place before disclosing protected health information to a business associate or allowing protected health information to be created by the business associate on its behalf. Specifically, the standard does not apply to: disclosures by a covered entity to a health care provider for treatment purposes; disclosures to the plan sponsor by a group health plan, or a health insurance issuer or HMO with respect to a group health plan, to the extent that the requirements of § 164.504(f) apply and are met; or to the collection and sharing of protected health information by a health plan that is a public benefits program and an agency other than the agency administering the health plan, where the other agency collects protected health information for, or determines eligibility or enrollment with respect to, the government program, and where such activity is authorized by law. See § 164.502(e)(1)(ii).
March 2002 NPRM. The Department heard concerns from many covered entities and others about the business associate provisions of the Privacy Rule. The majority expressed some concern over the anticipated administrative burden and cost to implement the business associate provisions. Some stated that many covered entities have existing contracts that are not set to terminate or expire until after the compliance date of the Privacy Rule. Others expressed specific concern that the two-year compliance period does not provide enough time to reopen and renegotiate what could be hundreds or more contracts for large covered entities. These entities went on to urge the Department to grandfather in existing contracts until such contracts come up for renewal instead of requiring that all contracts be in compliance with the business associate provisions by the compliance date of the Privacy Rule.
In response to these concerns, the Department proposed to relieve some of the burden on covered entities in complying with the business associate provisions by both adding a transition provision to grandfather certain existing contracts for a specified period of time, as well as publishing sample contract language in the proposed Rule. The following discussion addresses the issue of the business associate transition provisions. A discussion of the business associate sample contract language is included in Part X of the preamble.
The Department proposed new transition provisions at § 164.532(d) and (e) to allow covered entities, other than small health plans, to continue to operate under certain existing contracts with business associates for up to one year beyond the April 14, 2003, compliance date of the Privacy Rule. The additional transition period would be available to a covered entity, other than a small health plan, if, prior to the effective date of the transition provision, the covered entity had an existing contract or other written arrangement with a business associate, and such contract or arrangement was not renewed or modified between the effective date of this provision and the Privacy Rule’s compliance date of April 14, 2003. The proposed provisions were intended to allow those covered entities with contracts that qualified as described above to continue to disclose protected health information to the business associate, or allow the business associate to create or receive protected health information on its behalf, for up to one year beyond the Privacy Rule’s compliance date, regardless of whether the contract meets the applicable contract requirements in the Privacy Rule. The Department proposed to deem such contracts to be compliant with the Privacy Rule until either the covered entity had renewed or modified the contract following the compliance date of the Privacy Rule (April 14, 2003), or April 14, 2004, whichever was sooner. In cases where a contract simply renewed automatically without any change in terms or other action by the parties (also known as “evergreen contracts”), the Department intended that such evergreen contracts would be eligible for the extension and that deemed compliance would not terminate when these contracts automatically rolled over.
These transition provisions would apply to covered entities only with respect to written contracts or other written arrangements as specified above, and not to oral contracts or other arrangements. In addition, the proposed transition provisions would not apply to small health plans, as defined in the Privacy Rule. Small health plans would be required to have all business associate contracts be in compliance with the Privacy Rule’s applicable provisions, by the compliance deadline of April 14, 2004, for such covered entities.
In proposed § 164.532(e)(2), the Department provided that the new transition provisions would not relieve a covered entity of its responsibilities with respect to making protected health information available to the Secretary, including information held by a business associate, as necessary for the Secretary to determine compliance. Similarly, these provisions would not relieve a covered entity of its responsibilities with respect to an individual’s rights to access or amend his or her protected health information held by a business associate, or receive an accounting of disclosures by a business associate, as provided for by the Privacy Rule’s requirements at '§ 164.524, 164.526, and 164.528. Covered entities still would be required to fulfill individuals’ rights with respect to their protected health information, including information held by a business associate of the covered entity. Covered entities would have to ensure, in whatever manner effective, the appropriate cooperation by their business associates in meeting these requirements.
The Department did not propose modifications to the standards and implementation specifications that apply to business associate relationships as set forth at '§ 164.502(e) and 164.504(e), respectively, of the Privacy Rule.
Overview of Public Comments. The following discussion provides an overview of the public comment received on this proposal. Additional comments received on this issue are discussed below in the section entitled, “Response to Other Public Comments.”
Most commenters on this issue expressed general support for a transition period for business associate contracts. Of these commenters, however, many requested that the Department modify the proposal in a number of different ways. For example, a number of commenters urged the Department to modify which contracts qualify for the transition period, such as by making the transition period available to contracts existing as of the compliance date of the Privacy Rule, rather than as of the effective date of the transition modification. Others requested that the Department apply the transition period to all business associate arrangements, even those arrangements for which there was no existing written contract.
Some commenters urged the Department to modify the end date of the transition period. A few of these commenters requested that the transition period apply to existing business associate contracts until they expired or were renewed, with no specified end date in the regulation. It was also suggested that the Department simply provide one extra year, until April 14, 2004, for compliance with the business associate contract provisions, without the provision that a renewal or modification of the contract would trigger an earlier transition period end date. A few commenters requested further guidance as to the types of actions the Department would or would not consider to be a “renewal or modification” of the contract.
Additionally, numerous commenters requested that the Department further clarify a covered entity’s responsibilities with regard to their business associates during the transition period. Commenters expressed concerns with the proposal’s requirement that the transition provisions would not have relieved a covered entity of its responsibilities with respect to an individual’s rights to access or amend his or her protected health information held by business associates, or receive an accounting of disclosures by a business associate. Similarly, commenters raised concerns that the transition provisions would not have relieved a covered entity of its responsibilities to make information available to the Secretary, including information held by a business associate, as necessary for the Secretary to determine compliance. Commenters also expressed concerns about the fact that it appeared that covered entities still would have been required to obtain satisfactory assurances from a business associate that protected health information not be used improperly by the business associate, or that the covered entity still would have been required to mitigate any known harmful effects of a business associate’s improper use or disclosure of protected health information during the transition period. It was stated that cooperation by a business associate with respect to the covered entity’s obligations under the Rule would be difficult, if not impossible, to secure without a formal agreement.
A few commenters opposed the proposal, one of whom raised concerns that the proposed transition period would encourage covered entities to enter into “stop gap” contracts instead of compliant business associate contracts. This commenter urged that the Department maintain the original compliance date for business associate contracts.
Final Modifications. In the final Rule, the Department adopts the transition period for certain business associate contracts as proposed in the NPRM. The final Rule’s transition provisions at § 164.532(d) and (e) permit covered entities, other than small health plans, to continue to operate under certain existing contracts with business associates for up to one year beyond the April 14, 2003, compliance date of the Privacy Rule. The transition period is available to covered entities who have an existing contract (or other written arrangement) with a business associate prior to the effective date of this modification, provided that the contract is not renewed or modified prior to the April 14, 2003, compliance date of the Privacy Rule. (See the “Dates” section above for the effective date of this modification.) Covered entities with contracts that qualify are permitted to continue to operate under those contracts with their business associates until April 14, 2004, or until the contract is renewed or modified, whichever is sooner. During the transition period, such contracts are deemed to be compliant with the Privacy Rule regardless of whether the contract meets the Rule’s applicable contract requirements at '§ 164.502(e) and 164.504(e).
The transition provisions are intended to address the concerns of covered entities that the two-year period between the effective date and compliance date of the Privacy Rule is insufficient to reopen and renegotiate all existing contracts for the purposes of bringing them into compliance with the Rule. These provisions also provide covered entities with added flexibility to incorporate the business associate contract requirements at the time they would otherwise modify or renew the existing contract.
Given the intended purpose of these provisions, the Department is not persuaded by the comments that it is necessary to modify the provision to make the transition period available to those contracts existing prior to the Rule’s compliance date of April 14, 2003, rather than the effective date of the modification, or, even less so, to any business associate arrangement regardless of whether a written contract currently exists.
A covered entity that does not have a written contract with a business associate prior to the effective date of this modification does not encounter the same burdens described by other commenters associated with having to reopen and renegotiate many existing contracts at once. The Department believes that such a covered entity should be able to enter into a compliant business associate contract by the compliance date of the Rule. Further, those covered entities whose business associate contracts come up for renewal or modification prior to the compliance date have the opportunity to bring such contracts into compliance by April 14, 2003. Thus, a covered entity that enters into a business associate contract after the effective date of this modification, or that has a contract that is renewed or modified prior to the compliance date of the Rule, is not eligible for the transition period and is required to have a business associate contract in place that meets the applicable requirements of '§ 164.502(e) and 164.504(e) by the Privacy Rule’s compliance date of April 14, 2003. Further, as in the proposed Rule, the transition provisions apply only to written contracts or other written arrangements. Oral contracts or other arrangements are not eligible for the transition period. The Department clarifies, however, that nothing in these provisions requires a covered entity to come into compliance with the business associate contract provisions prior to April 14, 2003.
Similarly, in response to those commenters who requested that the Department permit existing contracts to be transitioned until April 14, 2004, regardless of whether such contracts are renewed or modified prior to that date, the Department considers a renewal or modification of the contract to be an appropriate, less burdensome opportunity to bring such contracts into compliance with the Privacy Rule. The Department, therefore, does not modify the proposal in such a way. Further, in response to commenters who requested that the Rule grandfather in existing business associate contracts until they expire or are renewed, with no specified end date in the regulation, the Department believes that limiting the transition period to one year beyond the Rule’s compliance date is the proper balance between individuals’ privacy interests and alleviating burden on the covered entity. All existing business associate contracts must be compliant with the Rule’s business associate contract provisions by April 14, 2004.
As in the proposal, evergreen or other contracts that renew automatically without any change in terms or other action by the parties and that exist by the effective date of this modification are eligible for the transition period. The automatic renewal of such contracts itself does not terminate qualification for, or deemed compliance during, the transition period. Renewal or modification for the purposes of these transition provisions requires action by the parties involved. For example, the Department does not consider an automatic inflation adjustment to the price of a contract to be a renewal or modification for purposes of these provisions. Such an adjustment will not trigger the end of the transition period, nor make the contract ineligible for the transition period if the adjustment occurs before the compliance date of the Rule.
The transition provisions do not apply to “small health plans,” as defined at § 160.103. Small health plans are required to have business associate contracts that are compliant with '§ 164.502(e) and 164.504(e) by the April 14, 2004, compliance date for such entities. As explained in the proposal, the Department believes that the additional year provided by the statute for these entities to comply with the Privacy Rule provides sufficient time for compliance with the Rule’s business associate provisions. In addition, the sample contract provisions provided in the Appendix to the preamble will assist small health plans and other covered entities in their implementation of the Privacy Rule’s business associate provisions by April 14, 2004.
Like the proposal, the final Rule at § 164.532(e)(2) provides that, during the transition period, covered entities are not relieved of their responsibilities to make information available to the Secretary, including information held by a business associate, as necessary for the Secretary to determine compliance by the covered entity. Similarly, the transition period does not relieve a covered entity of its responsibilities with respect to an individual’s rights to access or amend his or her protected health information held by a business associate, or receive an accounting of disclosures by a business associate, as provided for by the Privacy Rule’s requirements at '§ 164.524, 164.526, and 164.528. In addition, unlike the proposed Rule, the final Rule at § 164.532(e)(3) explicitly provides that with respect to those business associate contracts that qualify for the transition period as described above, a covered entity is not relieved of its obligation under § 164.530(f) to mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information by its business associate in violation of the covered entity’s policies and procedures or the requirements of this subpart, as required by § 164.530(f).
The Department does not believe that a covered entity should be relieved during the transition period of its responsibilities with respect to cooperating with the Secretary or fulfilling an individual’s rights with respect to protected health information held by the business associate, or mitigating any harmful effects of an inappropriate use or disclosure by the business associate. The transition period is intended to alleviate some of the burden on covered entities, but not at the expense of individuals’ privacy rights. Eliminating these privacy protections and rights would severely weaken the Rule with respect to those covered entities with contracts that qualify for the transition period.
Further, the Rule provides covered entities some discretion in implementing these requirements with respect to their business associates. For example, a covered entity does not need to provide an individual with access to protected health information held by a business associate if the only information the business associate holds is a duplicate of what the covered entity maintains and to which it has provided the individual access. Covered entities are required to ensure, in whatever manner deemed effective by the covered entity, the appropriate cooperation by their business associates in meeting these requirements.
In response to other concerns from commenters, the Department clarifies that a covered entity is not required to obtain satisfactory assurances (in any form), as required by § 164.502(e)(1), from a business associate to which the transition period applies. The transition period effectively deems such qualified contracts to fulfill the requirement for satisfactory assurances from the business associate.
The Department is aware that the transition provisions may encourage some covered entities to enter into contracts before the effective date of the modification solely to take advantage of the transition period, rather than encourage such entities to execute fully compliant business associate contracts. However, the Department believes that the provision appropriately limits the potential for such misuse by requiring that qualified contracts exist prior to the modification effective date rather than the Privacy Rule’s compliance date. Further, the transition provisions do not relieve the covered entity of its obligations with respect to protected health information held by the business associate and, therefore, ensures that an individual’s rights, as provided for by the Rule, remain intact during the transition period.
Response to Other Public Comments.
Comment: One commenter requested that the transition period also be applied to the requirement that a group health plan amend plan documents pursuant to § 164.504(f) before protected health information may be disclosed to the plan sponsor.
Response: The Department does not make such a modification. The intent of the business associate transition provisions is to alleviate burden on those covered entities with many existing contracts, where as a result, the two-year period between the effective date and compliance date of the Privacy Rule may be insufficient to reopen and renegotiate all such contracts for the purposes of bringing them into compliance with the Rule. The Privacy Rule does not require a business associate contract for disclosure of protected health information from a group health plan to a plan sponsor. Rather, the Rule permits a group health plan to disclose protected health information to a plan sponsor if, among other requirements, the plan documents are amended to appropriately reflect and restrict the plan sponsor’s uses and disclosures of such information. As the group health plan should only have one set of plan documents that must be amended, the same burdens described above do not exist with respect to this activity. Thus, the Department expects that group health plans will be able to modify plan documents in accordance with the Rule by the Rule’s compliance date.
| HHS Description of and Commentary on August 2002 Revisions Research Transition |
December 2000 Privacy Rule. The December 2000 Privacy Rule at § 160.532 contained different transition requirements for research being conducted with an individual’s legal permission that included treatment, and for research being conducted with an individual’s legal permission that did not include treatment. However, the Rule did not explicitly address transition provisions for research studies ongoing after the compliance date where the legal permission of the individual had not been sought.
March 2002 NPRM. Several commenters found the transition provisions for research to be confusing, and further noted that December 2000 Privacy Rule did not address research ongoing after the compliance date where the legal permission of the individual had not been sought. To address these concerns, the Department proposed several revisions to the Privacy Rule’s transition provisions. In particular, the Department proposed that there be no distinction in the transition provisions between research that includes treatment and research that does not, and no distinction between the requirements for research conducted with a patient’s legal permission and research conducted with an IRB-approved waiver of a patient’s informed consent. In sum, the NPRM proposed that covered entities be permitted to use or disclose protected health information created or received for a specific research study before the compliance date (if there was no agreed-to restriction in accordance with § 160.522(a)), if the covered entity has obtained, prior to the compliance date, any one of the following: (1) an authorization or other express legal permission from an individual to use or disclose protected health information for the research study; (2) the informed consent of the individual to participate in the research study; or (3) a waiver, by an IRB of informed consent for the research study in accordance with the Common Rule or FDA’s human subject protection regulations. However, even if the researcher obtained, from an IRB, a waiver of informed consent, an authorization would be required if informed consent is later obtained. This may occur if there is a temporary waiver of informed consent for emergency research under the Food and Drug Administration human subject protection regulations.
Overview of Public Comments. The following discussion provides an overview of the public comment received on this proposal.
Most commenters supported the proposed revisions to the Privacy Rule’s transition provisions for research. However, a few commenters requested that the transition provisions be broadened to permit covered entities to rely on an express legal permission or informed consent approved by an IRB before the compliance date, even if the permission or consent had not been signed by the individual prior to the compliance date. Consequently, a researcher could use the same forms throughout their study, decreasing the chance of introducing error into the research through the use of multiple recruitment procedures, disruption to the research, and the burden for the IRBs and researchers. A few other commenters suggested that covered entities be permitted to use and disclose protected health information with consent forms approved by an IRB prior to the compliance date until the next review by the IRB, as required by the Common Rule. They argued that this would result in all informed consent forms being in compliance with the Privacy Rule’s authorization regulations within a one-year period, and it would avoid disruption to ongoing research, as well as a flood of consent form revision requests to the IRBs.
Final Modifications. The Department agrees with the majority of comments that supported the modifications to the transition provisions, and has therefore adopted the research transition modifications as proposed in the NPRM. The Department disagrees with the comments that suggest broadening the transition provisions to permit covered entities to rely on an express legal permission or informed consent that had not been signed by the individual before the compliance date. The Department understands that this provision may disrupt some ongoing research; however, the recruitment periods for some studies may continue long after the compliance date, and it would be unreasonable to grandfather-in existing informed consent documents indefinitely. While the commenter’s suggestion to only grandfather-in such informed consent documents until the next review by the IRB would address this concern, the Privacy Rule does not require initial or continuing IRB or Privacy Board review of authorization forms or informed consent documents. Therefore, the Department does not adopt this change to its proposal.
However, the Department understands that some existing express legal permissions, informed consents, or IRB-approved waivers of informed consents are not study specific. Therefore, the final Rule permits covered entities to rely on an express legal permission, informed consent, or IRB-approved waiver of informed consent for future unspecified research, provided the legal permission, informed consent or IRB-approved waiver was obtained prior to the compliance date.
Response to Other Public Comments.
Comment: A commenter requested that the transition provision be narrowed by requiring research that received a waiver of informed consent from an IRB prior to the compliance date but that begins after the compliance date be re-evaluated under the Privacy Rule’s waiver criteria.
Response: The Department disagrees. Given that the Privacy Rule’s waiver criteria for an individual’s authorization generally are consistent with the same types of considerations currently applied to a waiver of an individual’s informed consent, this suggestion would impose unnecessary burdens on researchers, IRBs, and Privacy Boards, with respect to the few research studies that would fall in this category.
| HHS Description from Original Rulemaking Transition Provisions |
In the NPRM, we did not address the effect of the regulation on consents and authorizations covered entities obtained prior to the compliance date of the regulation.
In the final rule, we clarify that, in certain circumstances, a covered entity may continue to rely upon consents, authorizations, or other express legal permissions obtained prior to the compliance date of this regulation to use or disclose protected health information even if these consents, authorizations, or permissions do not meet the requirements set forth in §§ 164.506 or 164.508.
We realize that a covered entity may wish to rely upon a consent, authorization, or other express legal permission obtained from an individual prior to the compliance date of this regulation which permits the use or disclosure of individually identifiable health information for activities that come within treatment, payment, or health care operations (as defined in § 164.501), but that do not meet the requirements for consents set forth in § 164.506. In the final rule, we permit a covered entity to rely upon such consent, authorization, or permission to use or disclose protected health information that it created or received before the applicable compliance date of the regulation to carry out the treatment, payment, or health care operations as long as it meets two requirements. First, the covered entity may not make any use or disclosure that is expressly excluded from the consent, authorization, or permission. Second, the covered entity must comply with all limitations expressed in the consent, authorization, or permission. Thus, we do not require a covered entity to obtain a consent that meets the requirements of § 164.506 to use or disclose this previously obtained protected health information as long as the use or disclosure is consistent with the requirements of this section. However, a covered entity will need to obtain a consent that meets the requirements of § 164.506 to the extent that it is required to obtain a consent under § 164.506 from an individual before it may use or disclose any protected health information it creates or receives after the date by which it must comply with this rule.
Similarly, we recognize that a covered entity may wish to rely upon a consent, authorization, or other express legal permission obtained from an individual prior to the applicable compliance date of this regulation that specifically permits the covered entity to use or disclose individually identifiable health information for activities other than to carry out treatment, payment, or health care operations. In the final rule, we permit a covered entity to rely upon such a consent, authorization, or permission to use or disclose protected health information that it created or received before the applicable compliance date of the regulation for the specific activities described in the consent, authorization, or permission as long as the covered entity complies with two requirements. First, the covered entity may not make any use or disclosure that is expressly excluded from the consent, authorization, or permission. Second, the covered entity must comply with all limitations expressed in the consent, authorization, or permission. Thus, we do not required a covered entity to obtain an authorization that meets the requirements of § 164.508 to use or disclose this previously obtained protected health information so long as the use or disclosure is consistent with the requirements of this section. However, a covered entity will need to obtain an authorization that meets the requirements of § 164.508, to the extent that it is required to obtain an authorization under this rule, from an individual before it may use or disclose any protected health information it creates or receives after the date by which it must comply with this rule.
Additionally, the final rule acknowledges that covered entities may wish to rely upon consents, authorizations, or other express legal permission obtained from an individual prior to the applicable compliance date for a specific research project that includes the treatment of individuals, such as clinical trials. These consents, authorizations, or permissions may specifically permit a use or disclosure of individually identifiable health information for purposes of the project. Alternatively, they may be general consents to participate in the project. A covered entity may use or disclose protected health information it created or received before or after to the applicable compliance date of this rule for purposes of the project provided that the covered entity complies with all limitations expressed in the consent, authorization, or permission.
If, pursuant to this section, a covered entity relies upon a previously obtained consent, authorization, or other express legal permission and agrees to a request for a restriction by an individual under § 164.522(a), any subsequent use or disclosure under that consent, authorization, or permission must comply with the agreed upon restriction as well.
We believe it is necessary to grandfather in previously obtained consents, authorizations, or other express legal permissions in these circumstances to ensure that important functions of the health care system are not impeded. We link the effectiveness of such consents, authorizations, or permissions in these circumstances to the applicable compliance date to give covered entities sufficient notice of the requirements set forth in §§ 164.506 and 164.508.
The rule does not change the past effectiveness of consents, authorizations, or other express legal permissions that do not come within this section. This means that uses or disclosures of individually identifiable health information made prior to the compliance date of this regulation are not subject to sanctions, even if they were made pursuant to documents or permissions that do not meet the requirements of this rule or were made without permission. This rule alters only the future effectiveness of the previously obtained consents, authorizations, or permissions. Covered entities are not required to rely upon these consents, authorizations, or permissions and may obtain new consents or authorizations that meet the applicable requirements of §§ 164.506 and 164.508.
When reaching this decision, we considered requiring all covered entities to obtain new consents or authorizations consistent with the requirements of §§ 164.506 and 164.508 before they would be able to use or disclose protected health information obtained after the compliance date of these rules. We rejected this option because we recognize that covered entities may not always be able to obtain new consents or authorizations consistent with the requirements of §§ 164.506 and 164.508 from all individuals upon whose information they rely. We also refrained from impeding the rights of covered entities to exercise their interests in the records they have created. We do not require covered entities with existing records or databases to destroy or remove the protected health information for which they do not have valid consents or authorizations that meet the requirements of §§ 164.506 and 164.508. Covered entities may rely upon the consents, authorizations, or permissions they obtained from individuals prior to the applicable compliance date of this regulation consistent with the constraints of those documents and the requirements discussed above.
We note that if a covered entity obtains before the applicable compliance date of this regulation a consent that meets the requirements of § 164.506, an authorization that meets the requirements of § 164.508, or an IRB or privacy board waiver of authorization that meets the requirements of § 164.512(i), the consent, authorization, or waiver is effective for uses or disclosures that occur after the compliance date and that are consistent with the terms of the consent, authorization, or waiver.
| HHS Response to Comments Received from Original Rulemaking Transition Provisions |
Comment: Commenters urged the Department to clarify whether the “reach of the transition requirement” is limited to a particular time frame, to the provider’s activities in a particular job, or work for a particular employer. For example, one commenter questioned how long a nurse is a covered entity after she moves from a job reviewing files with protected health information to an administrative job that does not handle protected health information; or whether an occupational health nurse who used to transmit first reports of injury to her company’s workers’ compensation carrier last year but no longer does so this year because of a carrier change still is a covered entity.
Response: Because this comment addresses a question of enforcement, we will address it in the enforcement regulation.
Comment: Several commenters sought clarification as to the application of the privacy rule to research already begun prior to the effective date or compliance date of the final rule. These commenters argued that applying the privacy rule to research already begun prior the rule’s effective date would substantially overburden IRBs and that the resulting research interruptions could harm participants and threaten the reliability and validity of conclusions based upon clinical trial data. The commenters recommended that the rule grandfather in any ongoing research that has been approved by and is under the supervision of an IRB.
Response: We generally agree with the concerns raised by commenters. In the final rule, we have provided that covered entities may rely upon consents, authorizations, or other express legal permissions obtained from an individual for a specific research project that includes the treatment of individuals to use or disclose protected health information the covered entity obtained before or after the applicable compliance date of this rule as long as certain requirements are met. These consents, authorizations, or other express legal permissions may specifically permit a use or disclosure of individually identifiable health information for purposes of the project or be a general consent of the individual to participate in the project. A covered entity may use or disclose protected health information it created or received before or after the applicable compliance date of this rule for purposes of the project provided that the covered entity complies with all limitations expressed in the consent, authorization, or permission.
In regard to research projects that include the treatment of individuals, such as clinical trials, covered entities engaged in these projects will have obtained at least an informed consent from the individual to participate in the project. In some cases, the researcher may also have obtained a consent, authorization, or other express legal permission to use or disclose individually identifiable health information in a specific manner. To avoid disrupting ongoing research and because the participants have already agreed to participate in the project (which expressly permits or implies the use or disclosure of their protected health information), we have grandfathered in these consents, authorizations, and other express legal permissions.
It is unlikely that a research project that includes the treatment of individuals could proceed under the Common Rule with a waiver of informed consent. However, to the extent such a waiver has been granted, we believe individuals participating in the project should be able to determine how their protected health information is used or disclosed. Therefore, we require researchers engaged in research projects that include the treatment of individuals who obtained an IRB waiver of informed consent under the Common Rule to obtain an authorization or a waiver of such authorization from an IRB or a privacy board under § 164.512(i) of this rule.
If a covered entity obtained a consent, authorization, or other express legal permission from the individual who is the subject of the research, it would be able to rely upon that consent, authorization, or permission, consistent with any limitations it expressed, to use or disclose the protected health information it created or received prior to or after the compliance date of this regulation. If a covered entity wishes to use or disclose protected health information but no such consent, authorization, or permission exists, it must obtain an authorization pursuant to § 164.508 or obtain a waiver of authorization under § 164.512(i). To the extent such a project is ongoing and the researchers are unable to locate the individuals whose protected health information they are using or disclosing, we believe the IRB or privacy board under the criteria set forth in § 164.512(i) will be able to take that circumstance into account when conducting its review. In most instances, we believe this type of research will be able to obtain a waiver of authorization and be able to continue uninterrupted.
Comment: Several comments raised questions about the application of the rule to individually identifiable information created prior to (1) the effective date of the rule, and (2) the compliance dates of the rule. One commenter suggested that the rule should apply only to information gathered after the effective date of the final rule. A drug manufacturer asked what would be the effect of the rule on research on records compiled before the effective date of the rule.
Response: We disagree with the commenter’s suggestion. The requirements of this regulation apply to all protected health information held by a covered entity, regardless of when or how the covered entity obtained the information. Congress required us to adopted privacy standards that apply to individually identifiable health information. While it limited the compliance date for health plans, covered health care providers, and healthcare clearinghouses, it did not provide similar limiting language with regard to individually identifiable health information. Therefore, uses and disclosures of protected health information made by a covered entity after the compliance date of this regulation must meet the requirements of these rules. Uses or disclosures of individually identifiable health information made prior to the compliance date are not affected; covered entities will not be sanctioned under this rule based on past uses or disclosures that are inconsistent with this regulation.
Consistent with the definition of individually identifiable health information in HIPAA, of which protected health information is a subset, we do not distinguish between protected health information in research records and protected health information in other records. Thus, a covered entity’s research records are subject to this regulation to the extent they contain protected health information.