HIPAA Final Rule: Prohibited Uses and Disclosures–Sale of Protected Health Information

March 7, 2013.  Today, we continue going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.

Our focus today is on the second of two prohibited uses and disclosures of protected health information in the General rules regulatory provisions of 45 CFR 164.502(a)(5): (ii) Sale of protected health information at 78 Federal Register 5696-5697:

(A) Except pursuant to and in compliance with 45 CFR 164.508(a)(4) [Standard—Authorization Required: Sale of protected health information], a covered entity or business associate may not sell protected health information.

(B) For purposes of this paragraph, sale of protected health information means:

(1) Except as provided in paragraph (a)(5)(ii)(B)(2) of this section, a disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information.

(2) Sale of protected health information does not include a disclosure of protected health information:

(i) For public health purposes pursuant to 45 CFR 164.512(b) [Standard: Uses and disclosures for public health activities] or 164.514(e) [Standard:  Limited data set];

(ii) For research purposes pursuant to 45 CFR 164.512(i) [Standard:  Uses and disclosures for research purposes] or 164.514(e) [Standard:  Limited data set], where the only remuneration received by the covered entity or business associate is a reasonable cost-based fee to cover the cost to prepare and transmit the protected health information for such purposes;

(iii) For treatment and payment purposes pursuant to 45 CFR 164.506(a) [Standard:  Permitted uses and disclosures];

(iv) For the sale, transfer, merger, or consolidation of all or part of the covered entity and for related due diligence as described in paragraph 45 CFR 164.501(6)(iv) of the definition of health care operations [(iv):  The sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity], and pursuant to 45 CFR 164.506(a) [Standard:  Permitted uses and disclosures];

(v) To or by a business associate for activities that the business associate undertakes on behalf of a covered entity, or on behalf of a business associate in the case of a subcontractor, pursuant to 45 CFR 164.502(e) [Standard:  Disclosures to business associates] and 164.504(e) [Standard:  Business associate contracts], and the only remuneration provided is by the covered entity to the business associate, or by the business associate to the subcontractor, if applicable, for the performance of such activities;

(vi) To an individual, when requested under 45 CFR 164.524 [Access of individuals to protected health information] or 164.528 [Accounting of disclosures of protected health information];

(vii) Required by law as permitted under 45 CFR 164.512(a) [Standard:  Uses and disclosures required by law]; and

(viii) For any other purpose permitted by and in accordance with the applicable requirements of this subpart, where the only remuneration received by the covered entity or business associate is a reasonable, cost-based fee to cover the cost to prepare and transmit the protected health information for such purpose or a fee otherwise expressly permitted by other law.

We provide here the content of the Final Rule preamble that underpins the prohibited use and disclosure regulatory provision above:

“The final rule adopts the HITECH Act’s prohibition on the sale of protected health information but makes certain changes to the provisions in the proposed rule to clarify the scope of the provisions and otherwise address certain of commenters’ concerns. First, we have moved the general prohibition on the sale of protected health information by a covered entity or business associate to 45 CFR 164.502(a)(5)(ii) and created a definition of  ‘sale of protected health information.’ Numerous commenters requested that the Privacy Rule include a definition of sale to better clarify what types of transactions fall within the scope of the provisions. Accordingly, 164.502(a)(5)(ii)(B)(1) defines ‘sale of protected health information’ to generally mean ‘a disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information.’  Section 164.502(a)(5)(ii)(B)(2) then excludes from the definition the various exceptions that were in the proposed rule (discussed further below).

“We do not limit a ‘sale’ to those transactions where there is a transfer of ownership of protected health information as some commenters suggested. The HITECH Act does not include such a limitation and the Privacy Rule rights and protections apply to protected health information without regard to ownership interests over the data. Thus, the sale provisions apply to disclosures in exchange for remuneration including those that are the result of access, license, or lease agreements.

“In addition, we do not consider sale of protected health information in this provision to encompass payments a covered entity may receive in the form of grants, or contracts or other arrangements to perform programs or activities, such as a research study, because any provision of protected health information to the payer is a byproduct of the service being provided. Thus, the payment by a research sponsor to a covered entity to conduct a research study is not considered a sale of protected health information even if research results that may include protected health information are disclosed to the sponsor in the course of the study. Further, the receipt of a grant or funding from a government agency to conduct a program is not a sale of protected health information, even if, as a condition of receiving the funding, the covered entity is required to report protected health information to the agency for program oversight or other purposes. (Certain of these disclosures would also be exempt from the sale requirements, depending on whether the requirement to report data was included in regulation or other law.) Similarly, we clarify that the exchange of protected health information through a health information exchange (HIE) that is paid for through fees assessed on HIE participants is not a sale of protected health information; rather the remuneration is for the services provided by the HIE and not for the data itself. (Such disclosures may also be exempt from these provisions under the exception for disclosures to or by a business associate that is being compensated by a covered entity for its services.) In contrast, a sale of protected health information occurs when the covered entity primarily is being compensated to supply data it maintains in its role as a covered entity (or business associate). Thus, such disclosures require the individual’s authorization unless they otherwise fall within an exception at 45 CFR 164.502(a)(5)(ii)(B)(2). For example, a disclosure of protected health information by a covered entity to a third party researcher that is conducting the research in exchange for remuneration would fall within these provisions, unless the only remuneration received is a reasonable, cost-based fee to cover the cost to prepare and transmit the data for such purposes (see below).

“In response to questions by commenters, we also clarify the scope of the term ‘remuneration.’ The statute uses the term ‘remuneration,’ and not ‘payment,’ as it does in the marketing provisions at section 13406(a) [of the HITECH Act]. Because the statute uses different terms, we do not believe that remuneration as applied to the sale provisions is limited to financial payment in the same way it is so limited in the marketing provisions. Thus, the prohibition on sale of protected health information applies to the receipt of nonfinancial as well as financial benefits. In response to commenters who indicated that the statute’s terms ‘direct and indirect’ apply to how the remuneration is received rather than the remuneration itself, we agree and have moved the terms in the definition to further make clear that the provisions prohibit the receipt of remuneration not only from the third party that receives the protected health information but also from another party on behalf of the recipient of the protected health information. However, this does not change the scope of the term ‘remuneration.’ As discussed above, we interpret the statute to mean that nonfinancial benefits are included in the prohibition. Thus, a covered entity or business associate may not disclose protected health information in exchange for in kind benefits, unless the disclosure falls within one of the exceptions discussed below. Consider, for example, a covered entity that is offered computers in exchange for disclosing protected health information. The provision of protected health information in exchange for the computers would not be considered a sale of protected health information if the computers were solely used for the purpose of preparing and transmitting protected health information to the person collecting it and were returned when such disclosure was completed. However, if the covered entity is permitted to use the computers for other purposes or to keep the computers even after the disclosures have been made, then the covered entity has received in kind remuneration in exchange for the protected health information above what is needed to make the actual disclosures.

“We retain in the final rule the broad exception for disclosures for public health purposes made pursuant to 45 CFR 164.512(b) and 164.514(e). Based on the concerns from the public comment that narrowing the exception could discourage voluntary public health reporting, we do not limit the exception to only those disclosures where all the covered entity receives as remuneration is a cost-based fee to cover the cost to prepare and transmit the data.

“With respect to the exception for research disclosures, the final rule adopts the language as proposed, including the cost-based fee limitation provided for in the HITECH Act. Thus, disclosures for research purposes are excepted from the remuneration prohibition to the extent that the only remuneration received by the covered entity or business associate is a reasonable cost-based fee to cover the cost to prepare and transmit the protected health information for such purposes. We do not remove the fee limitation as requested by some commenters; the statutory language included in Section 13405(d)(2)(B) of the HITECH Act clearly states that any remuneration received in exchange for research disclosures must reflect only the cost of preparation and transmittal of the data for such purpose.

“In response to comments about the types of costs that are permitted in the reasonable cost-based fee to prepare and transmit the data, we clarify that this may include both direct and indirect costs, including labor, materials, and supplies for generating, storing, retrieving, and transmitting the protected health information; labor and supplies to ensure the protected health information is disclosed in a permissible manner; as well as related capital and overhead costs. However, fees charged to incur a profit from the disclosure of protected health information are not allowed. We believe allowing a profit margin would not be consistent with the language contained in Section 13405 of the HITECH Act. We intend to work with the research community to provide guidance and help the research community reach a common understanding of appropriate cost-based limitations on remuneration.

“We retain the exceptions proposed for treatment and payment disclosures without modification and agree with commenters that these exceptions are necessary to make clear that these core health care functions may continue. Similarly, we retain the exception to the remuneration prohibition for disclosures for the transfer, merger, or consolidation of all or part of a covered entity with another covered entity, or an entity that following such activity will become a covered entity, and related due diligence, to ensure that such disclosures may continue to occur in accordance with the Privacy Rule. We retain the proposed exception for disclosures that are otherwise required by law to ensure a covered entity can continue to meet its legal obligations without imposing an authorization requirement. We also retain the exception for disclosures to the individual to provide the individual with access to protected health information or an accounting of disclosures, where the fees charged for doing so are in accord with the Privacy Rule.

“We adopt the exceptions for remuneration paid by a covered entity to a business associate for activities performed on behalf of a covered entity, as well as the general exception permitting a covered entity to receive remuneration in the form of a reasonable, cost-based fee to cover the cost to prepare and transmit the protected health information for any disclosure otherwise permitted by the Privacy Rule. However, we make a number of clarifications to address commenters questions and concerns regarding the ability of a business associate rather than a covered entity to receive the permitted remuneration. First, we add the term ‘business associate’ in the general exception permitting reasonable, cost-based fees to prepare and transmit data (or fees permitted by State laws) to make clear that business associates may continue to recoup fees from third party record requestors for preparing and transmitting records on behalf of a covered entity, to the extent such fees are reasonable, cost-based fees to cover the cost to prepare and transmit the protected health information or otherwise expressly permitted by other law. Second, we clarify in the business associate exception that the exception would also cover remuneration by a business associate to its subcontractor for activities performed by the subcontractor on behalf of the business associate. Finally, we add the term ‘business associate’ to the general prohibition on sale of protected health information for consistency, even though, without the addition, a business associate still would not be permitted to sell protected health information as a business associate may generally only make uses and disclosures of protected health information in manners in which a covered entity would be permitted under the Privacy Rule.

“With respect to the types of costs that would be permitted as part of a reasonable, cost-based fee under this provision, we clarify that the final rule permits the same types of costs under this exception as the research exception, as well as costs that are in compliance with a fee schedule provided by State law or otherwise expressly permitted by other applicable law. Thus, costs may include the direct and indirect costs to prepare and transmit the data, including labor, materials, and supplies, but not a profit margin. We intend to continue to work with interested stakeholders to develop more guidance on direct and indirect costs and on remuneration.”  78 Federal Register 5606-5608

Tomorrow, we look at modifications to 45 CFR 164.502(e):  Standard: Disclosures to business associates.

2 comments on “HIPAA Final Rule: Prohibited Uses and Disclosures–Sale of Protected Health Information”

  1. The dentist where my husband and I have spent $10,000 for implants. The one worker is a so-called manager. Where my elderly mother resides. My husband was in an emergency need of dental repairs. I had given this woman my husband’s number to be able to let him know of a scheduled visit, down the line, this woman calls my husband at work and tells him a fairy tale of a story which was “your wife’s sister put a loaded gun to someone’s head and stole their Lincoln Navigator” which was a total lie. Also told my husband that some guy was driving my brand new BMW with me and was behind the wheel, another lie. My mom is 76 years old is getting evicted over no reason other than you people don’t fit in there. Her brother owns the 6 plex. In fact it was my mother and I that were robbed by the other tenant’s daughter.
