A Summary of the Proposed HIPAA Regulations Implementing HITECH
Sale of PHI


The HITECH Act adds a new provision to the Privacy Rule that prohibits covered entities and business associates from selling patients’ PHI without authorization.56  The authorization must expressly state that the entity is receiving remuneration in exchange for the PHI.57

 

The following activities are exempt from this authorization requirement:

 

·        Public Health Activities58

·        Research59 (Covered entities and business associates may also sell PHI in limited data set (LDS) form for research purposes without obtaining prior authorization if the price charged reflects the cost to prepare and transmit the information.)

·        Treatment and Payment60 (Payment was not a basis for exemption originally listed in the HITECH Act, but HHS included it in the Proposed Rule and declined to impose a restriction on the amount an entity can charge for disclosing the PHI for payment purposes.)

·        Health Care Operations61

·        Business Associate Activities62 (Disclosures of PHI by a covered entity to a business associate or by a business associate to a third party on behalf of the covered entity are exempted, as long as any remuneration received was for payment of activities performed by the business associate pursuant to a business associate contract.)

·        Patient Requests63 (Disclosures of PHI are exempted when a patient requests access to their medical records or an accounting of disclosures.  A patient’s request for an accounting of disclosures was not an exception originally listed in the HITECH Act, but HHS has decided to include it in the Proposed Rule.  Under the rule, HHS would also impose a restriction on the amount of remuneration the covered entity may receive for such disclosures.  A covered entity would be allowed to charge patients fees that are consistent with the rules governing the specific request.)64

 

The Proposed Rule adds the following exceptions, which were not required by the language of HITECH: 

 

·        Required by Law65  (HHS added this new exception to ensure that covered entities continue to disclose PHI, where required by law, even if the covered entity receives remuneration for the disclosure.)

·        Any Other Purpose Permitted by the Privacy Rule66 (HHS also added an exception for disclosures of PHI for any other purpose permitted by the Privacy Rule as long as the only remuneration received is a reasonable, cost-based fee to cover the cost of preparing and transmitting the PHI.)

 

Footnotes

  • 56. ARRA, Pub. L. No. 111-5, Div. A, Title XIII, § 13405(d)(2), 123 Stat. 264-68 (2009).
  • 57. Id.
  • 58. Modifications to the HIPAA Privacy, Security, and Enforcement Rules, 75 Fed. Reg. at 40,891-92, 40,921 (to be codified at 45 C.F.R. § 164.508(4)(ii)(A)).
  • 59. Id. (to be codified at 45 C.F.R. § 164.508(4)(ii)(B)).
  • 60. Id. (to be codified at 45 C.F.R. § 164.508(4)(ii)(C)).
  • 61. Id. (to be codified at 45 C.F.R. § 164.508(4)(ii)(D)).
  • 62. Id. (to be codified at 45 C.F.R. § 164.508(4)(ii)(E)).
  • 63. Id. (to be codified at 45 C.F.R. § 164.508(4)(ii)(F)).
  • 64. See 45 C.F.R. § 164.524 (covered entities may only charge a reasonable, cost-based fee); 45 C.F.R. § 164.528 (covered entities may not charge a fee for an accounting of disclosures for any 12-month period).
  • 65. Modifications to the HIPAA Privacy, Security, and Enforcement Rules, 75 Fed. Reg. at 40,891-92, 40,921 (to be codified at 45 C.F.R. § 164.508(4)(ii)(G)).
  • 66. Id. (to be codified at 45 C.F.R. § 164.508(4)(ii)(H)).