by Wyn Staheli, Director of Research
July 19th, 2017
The Omnibus Rule of 2013 added the Sale of Protected Health Information to the list of required disclosures. The following information is taken directly from the Federal Register, Vol. 78, No. 17, Friday, January 25, 2013.
The final rule adopts the HITECH Act’s prohibition on the sale of protected health information but makes certain changes to the provisions in the proposed rule to clarify the scope of the provisions and otherwise address certain of commenters’ concerns. First, we have moved the general prohibition on the sale of protected health information by a covered entity or business associate to § 164.502(a)(5)(ii) and created a definition of “sale of protected health information.” Numerous commenters requested that the Privacy Rule include a definition of sale to better clarify what types of transactions fall within the scope of the provisions. Accordingly, § 164.502(a)(5)(ii)(B)(1) defines “sale of protected health information” to generally mean “a disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information.” Section 164.502(a)(5)(ii)(B)(2) then excludes from the definition the various exceptions that were in the proposed rule (discussed further below).
We do not limit a ‘‘sale’’ to those transactions where there is a transfer of ownership of protected health information as some commenters suggested. The HITECH Act does not include such a limitation and the Privacy Rule rights and protections apply to protected health information without regard to ownership interests over the data. Thus, the sale provisions apply to disclosures in exchange for remuneration including those that are the result of access, license, or lease agreements.
In addition, we do not consider sale of protected health information in this provision to encompass payments a covered entity may receive in the form of grants, or contracts or other arrangements to perform programs or activities, such as a research study, because any provision of protected health information to the payer is a byproduct of the service being provided. Thus, the payment by a research sponsor to a covered entity to conduct a research study is not considered a sale of protected health information even if research results that may include protected health information are disclosed to the sponsor in the course of the study. Further, the receipt of a grant or funding from a government agency to conduct a program is not a sale of protected health information, even if, as a condition of receiving the funding, the covered entity is required to report protected health information to the agency for program oversight or other purposes. (Certain of these disclosures would also be exempt from the sale requirements, depending on whether the requirement to report data was included in regulation or other law.) Similarly, we clarify that the exchange of protected health information through a health information exchange (HIE) that is paid for through fees assessed on HIE participants is not a sale of protected health information; rather the remuneration is for the services provided by the HIE and not for the data itself. (Such disclosures may also be exempt from these provisions under the exception for disclosures to or by a business associate that is being compensated by a covered entity for its services.) In contrast, a sale of protected health information occurs when the covered entity primarily is being compensated to supply data it maintains in its role as a covered entity (or business associate). Thus, such disclosures require the individual’s authorization unless they otherwise fall within an exception at § 164.502(a)(5)(ii)(B)(2). 
For example, a disclosure of protected health information by a covered entity to a third party researcher that is conducting the research in exchange for remuneration would fall within these provisions, unless the only remuneration received is a reasonable, cost-based fee to cover the cost to prepare and transmit the data for such purposes (see below).
In response to questions by commenters, we also clarify the scope of the term “remuneration.” The statute uses the term “remuneration,” and not “payment,” as it does in the marketing provisions at section 13406(a). Because the statute uses different terms, we do not believe that remuneration as applied to the sale provisions is limited to financial payment in the same way it is so limited in the marketing provisions. Thus, the prohibition on sale of protected health information applies to the receipt of nonfinancial as well as financial benefits. In response to commenters who indicated that the statute’s terms “direct and indirect” apply to how the remuneration is received rather than the remuneration itself, we agree and have moved the terms in the definition to further make clear that the provisions prohibit the receipt of remuneration not only from the third party that receives the protected health information but also from another party on behalf of the recipient of the protected health information. However, this does not change the scope of the term “remuneration.” As discussed above, we interpret the statute to mean that nonfinancial benefits are included in the prohibition. Thus, a covered entity or business associate may not disclose protected health information in exchange for in kind benefits, unless the disclosure falls within one of the exceptions discussed below. Consider, for example, a covered entity that is offered computers in exchange for disclosing protected health information. The provision of protected health information in exchange for the computers would not be considered a sale of protected health information if the computers were solely used for the purpose of preparing and transmitting protected health information to the person collecting it and were returned when such disclosure was completed.
However, if the covered entity is permitted to use the computers for other purposes or to keep the computers even after the disclosures have been made, then the covered entity has received in kind remuneration in exchange for the protected health information above what is needed to make the actual disclosures.
We retain in the final rule the broad exception for disclosures for public health purposes made pursuant to §§ 164.512(b) and 164.514(e). Based on the concerns from the public comment that narrowing the exception could discourage voluntary public health reporting, we do not limit the exception to only those disclosures where all the covered entity receives as remuneration is a cost-based fee to cover the cost to prepare and transmit the data.
With respect to the exception for research disclosures, the final rule adopts the language as proposed, including the cost-based fee limitation provided for in the HITECH Act. Thus, disclosures for research purposes are excepted from the remuneration prohibition to the extent that the only remuneration received by the covered entity or business associate is a reasonable cost-based fee to cover the cost to prepare and transmit the protected health information for such purposes. We do not remove the fee limitation as requested by some commenters; the statutory language included in Section 13405(d)(2)(B) of the HITECH Act clearly states that any remuneration received in exchange for research disclosures must reflect only the cost of preparation and transmittal of the data for such purpose.
In response to comments about the types of costs that are permitted in the reasonable cost-based fee to prepare and transmit the data, we clarify that this may include both direct and indirect costs, including labor, materials, and supplies for generating, storing, retrieving, and transmitting the protected health information; labor and supplies to ensure the protected health information is disclosed in a permissible manner; as well as related capital and overhead costs. However, fees charged to incur a profit from the disclosure of protected health information are not allowed. We believe allowing a profit margin would not be consistent with the language contained in Section 13405 of the HITECH Act. We intend to work with the research community to provide guidance and help the research community reach a common understanding of appropriate cost-based limitations on remuneration.
We retain the exceptions proposed for treatment and payment disclosures without modification and agree with commenters that these exceptions are necessary to make clear that these core health care functions may continue. Similarly, we retain the exception to the remuneration prohibition for disclosures for the transfer, merger, or consolidation of all or part of a covered entity with another covered entity, or an entity that following such activity will become a covered entity, and related due diligence, to ensure that such disclosures may continue to occur in accordance with the Privacy Rule. We retain the proposed exception for disclosures that are otherwise required by law to ensure a covered entity can continue to meet its legal obligations without imposing an authorization requirement. We also retain the exception for disclosures to the individual to provide the individual with access to protected health information or an accounting of disclosures, where the fees charged for doing so are in accord with the Privacy Rule.
We adopt the exceptions for remuneration paid by a covered entity to a business associate for activities performed on behalf of a covered entity, as well as the general exception permitting a covered entity to receive remuneration in the form of a reasonable, cost-based fee to cover the cost to prepare and transmit the protected health information for any disclosure otherwise permitted by the Privacy Rule. However, we make a number of clarifications to address commenters’ questions and concerns regarding the ability of a business associate rather than a covered entity to receive the permitted remuneration. First, we add the term “business associate” in the general exception permitting reasonable, cost-based fees to prepare and transmit data (or fees permitted by State laws) to make clear that business associates may continue to recoup fees from third party record requestors for preparing and transmitting records on behalf of a covered entity, to the extent such fees are reasonable, cost-based fees to cover the cost to prepare and transmit the protected health information or otherwise expressly permitted by other law. Second, we clarify in the business associate exception that the exception would also cover remuneration by a business associate to its subcontractor for activities performed by the subcontractor on behalf of the business associate. Finally, we add the term “business associate” to the general prohibition on sale of protected health information for consistency, even though, without the addition, a business associate still would not be permitted to sell protected health information as a business associate may generally only make uses and disclosures of protected health information in manners in which a covered entity would be permitted under the Privacy Rule.
With respect to the types of costs that would be permitted as part of a reasonable, cost-based fee under this provision, we clarify that the final rule permits the same types of costs under this exception as the research exception, as well as costs that are in compliance with a fee schedule provided by State law or otherwise expressly permitted by other applicable law. Thus, costs may include the direct and indirect costs to prepare and transmit the data, including labor, materials, and supplies, but not a profit margin. We intend to continue to work with interested stakeholders to develop more guidance on direct and indirect costs and on remuneration.
Response to Other Public Comments
Comment: Several commenters suggested that we make clear in the final rule that redisclosures of information by a recipient covered entity or business associate even for remuneration that are set forth in the original authorization are not restricted by this provision. Another commenter argued that the original authorization form should indicate whether the recipient of the protected health information will further exchange the information for remuneration.
Response: It is expected to be the usual case that if a covered entity or business associate that receives protected health information in exchange for remuneration wishes to further disclose that information in exchange for remuneration, then an additional authorization in accordance with § 164.508 must be obtained because such disclosures will not be encompassed by the original authorization. However, it may be possible that redisclosures of information for remuneration by a recipient covered entity or business associate do not require an additional authorization, provided it is sufficiently clear to the individual in the original authorization that the recipient covered entity or business associate will further disclose the individual’s protected health information in exchange for remuneration. In response to the commenter that argued that the original authorization form should indicate whether the recipient of the protected health information will further exchange the information for remuneration, as explained above we believe the language included in Section 13405 of the HITECH Act was to alert the individual as to whether the disclosures he or she was authorizing at the time involved remuneration. Where the recipient of protected health information pursuant to an authorization is a third party that is not a covered entity or business associate, we do not have authority to require that entity to disclose to the disclosing covered entity or business associate whether it plans to further exchange the protected health information for remuneration for purposes of including such information on the authorization form. However, covered entities that are informed of such information may include it on the authorization form if they wish to. 
In any event, the Privacy Rule retains the requirement that an authorization inform the individual of the potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and to no longer be subject to the Privacy Rule.
Comment: Several commenters asked for clarification on the effect the final rule will have on existing research efforts and some suggested that HHS should grandfather in all Privacy Rule authorizations for research obtained under existing law before the effective date of the final rule. These commenters believed addressing current research would be necessary to ensure the rule would not frustrate ongoing research efforts.
Response: We agree that ongoing research studies that are based on a prior permission under the Privacy Rule for the research use or disclosure of protected health information should be grandfathered so as not to disrupt these ongoing studies. We have added a reference to the authorization requirements that apply to the sale of protected health information at § 164.508(a)(4) to make clear that the transition provisions in § 164.532 apply to permissions existing prior to the applicable compliance date of the Rule. Thus, a covered entity may continue to rely on an authorization obtained from an individual prior to the compliance date even if remuneration is involved but the authorization does not indicate that the disclosure is in exchange for remuneration. This would apply to authorizations for any permissible purpose under the Rule and not just for research purposes. Further, in the research context, where a covered entity obtained documentation of a waiver of authorization from an Institutional Review Board or Privacy Board prior to the compliance date for this final rule, the covered entity may continue to rely on that documentation to release protected health information to a researcher, even if the covered entity receives remuneration in the form of more than a reasonable, cost-based fee to prepare and transmit the data. Finally, we also provide at new § 164.532(f) that a covered entity may continue to use or disclose a limited data set in accordance with an existing data use agreement that meets the requirements of § 164.514(e), including for research purposes, until the data use agreement is renewed or modified or until one year from the compliance date of this final rule, whichever is earlier, even if such disclosure would otherwise constitute a sale of protected health information upon the effective date of this rule.
Comment: Some commenters were concerned that the sale prohibition would apply to a covered entity’s sale of accounts receivable including protected health information to a collection agency, arguing that such disclosures should remain permissible without authorization as a payment disclosure.
Response: Disclosures of protected health information for payment collection activities are permitted without authorization as a payment disclosure under the Privacy Rule (see §§ 164.501 and 164.506(a)) and thus, are excepted from the remuneration prohibition at § 164.502(a)(5)(ii)(B)(2)(iii).
Comment: A few commenters asked that the final rule clarify that transfers of value among entities under common control do not implicate the authorization requirements. Similarly, some commenters sought clarification on whether business transfers on the books for internal reorganization would also be excluded under the transfer, merger, and consolidation exception to the final rule.
Response: First, we clarify that uses of protected health information within a covered entity that is a single legal entity are not implicated by the remuneration prohibition as the prohibition applies only to disclosures outside of a covered entity. Second, the use of protected health information among legally separate covered entities under common ownership or control that have designated themselves as an affiliated covered entity (i.e., a single covered entity for purposes of compliance with the HIPAA Rules) is not implicated. See the requirements for affiliated covered entities at § 164.105(b). Thus, to the extent that what the commenters contemplate is an otherwise permissible use of protected health information within a single legal entity that is a covered entity or an affiliated covered entity, such use of data is not impacted by these provisions. Third, disclosures of protected health information for the sale, transfer, merger, or consolidation of all or part of a covered entity with another covered entity, or with an entity that following such activity will become a covered entity and due diligence related to such activity are excepted from the definition of sale of protected health information at § 164.502(a)(5)(ii)(B)(2)(iv).
Comment: Some commenters expressed concern over the role the Institutional Review Board will play in determining reasonable costs, and several commenters asked that the final rule clarify that the Institutional Review Board is not responsible for making a determination regarding the permissibility of the fees paid in exchange for a disclosure of protected health information for research purposes.
Response: We clarify that a covered entity, or business associate if applicable, is responsible for determining whether any fees paid to the entity in exchange for protected health information cover the covered entity’s or business associate’s costs to prepare and transmit protected health information for research.
Comment: A few commenters sought clarification on how to differentiate access to protected health information from access to statistical data, particularly when remuneration is provided for access to a database but the party is solely interested in a population study, not an individual’s protected health information.
Response: Disclosures of health information that has been de-identified in accordance with the Privacy Rule at § 164.514(b)–(d) are not subject to the remuneration prohibition as such information is not protected health information under the Rule. However, a covered entity that allows a third party access to a database containing protected health information in exchange for remuneration is subject to these provisions unless an exception applies (e.g., the remuneration received is limited to a reasonable, cost-based fee to prepare and make available the data).
Comment: A number of commenters argued that limited data sets should be exempted entirely from the remuneration prohibition because they are not fully identifiable data sets and are subject to protections under data use agreements.
Response: We decline to completely exempt limited data sets from these provisions as, unlike de-identified data, they are still protected health information. However, disclosures of limited data sets for purposes permitted under the Rule would be exempt from the authorization requirements to the extent the only remuneration received in exchange for the data is a reasonable, cost-based fee to prepare and transmit the data or a fee otherwise expressly permitted by other law. We also provide at new § 164.532(f) that a covered entity may continue to use or disclose a limited data set in accordance with an existing data use agreement that meets the requirements of § 164.514(e), including for research purposes, until the data use agreement is renewed or modified or until one year from the compliance date of this final rule, whichever is earlier, even if such disclosure would otherwise constitute a sale of protected health information upon the effective date of this rule.