Title: HIPAA/HITECH Update
By Lynda M. Johnson, Friday, Eldredge & Clark, LLP

HITECH Act Privacy and Security
- Extended the reach of the HIPAA Privacy and Security Rules to business associates (BAs)
- Imposed breach notification requirements on HIPAA covered entities (CEs) and BAs
- Limited certain uses and disclosures of protected health information (PHI)
- Increased individuals' rights with respect to PHI maintained in EHRs
- Increased enforcement of, and penalties for, HIPAA violations
The HIPAA Omnibus Final Rule
- On July 14, 2010, HHS published a notice of proposed rulemaking (the Proposed Rule) that would modify the HIPAA Privacy, Security and Enforcement Rules
- After much delay, HHS published the HIPAA Omnibus Final Rule on January 25, 2013
- Amends the Privacy, Security, Enforcement and Breach Notification Rules
- Also makes conforming changes pursuant to the Genetic Information Nondiscrimination Act of 2008 (GINA)
- The Final Rule implements the requirements of the HITECH Act and largely adopts the Proposed Rule without major changes

Compliance Dates
- Final Rule became effective March 26, 2013
- Compliance was required by September 23, 2013
Business Associates
- HITECH imposes new privacy and security obligations on BAs and personal health record (PHR) companies
- To increase consumer confidence in EHRs and PHRs, companies that provide those products and aid in electronic transmission of PHI are subject to more direct privacy and security regulation

Business Associates: Satisfactory Assurances
- A covered entity may disclose protected health information to business associates if it obtains satisfactory assurances that business associates will appropriately safeguard the information
- Business associate contract required

Use and Disclosure: Who Is a Business Associate?
- A person acting on behalf of a covered entity who
  - Creates, receives, maintains or transmits PHI
  - For a function or activity regulated by HIPAA (a covered entity function), or
  - Provides certain identified services to a covered entity
- Examples of business associates surrounding a covered entity (from the slide's diagram): billing firms; lawyers, actuaries; outsourcing vendors; accountants, auditors; financial services; clearinghouses; management firms; consultants, vendors; accreditation organizations
- BAs may also be covered entities
- This is the Final Rule's newly tweaked definition
No Business Associate Relationship
- Workforce
- Provider and plan
- Provider and provider for treatment
- Hospital and medical staff member
- Group health plan and plan sponsor
- Financial institutions
- Due diligence activities
- Members of organized health care arrangements
- Conduits (mail services and electronic equivalents) that only access PHI on a random or infrequent basis

The Conduit Exception
- OCR notes that the exception is limited to services that transmit PHI
  - Even when there is temporary storage of the transmitted data related to the transmission
- A company that only maintains PHI on behalf of a covered entity is a BA, even if the entity does not actually view the PHI
  - Examples: data storage company, cloud computing provider

Expanded Definition of Business Associates
- Definition of business associate now includes
  - Patient safety organizations under the Patient Safety and Quality Improvement Act of 2005
  - Organizations that provide data transmission of PHI to a covered entity, such as Health Information Organizations and E-prescribing Gateways, and that require routine access to PHI
  - PHR vendors acting on behalf of a CE
  - Subcontractors to a BA that create, receive, maintain or transmit PHI on behalf of a BA
Business Associate Security Rule Compliance
- Necessary steps for Security Rule compliance
  - Conducting a formal security risk assessment
  - Implementing written policies and procedures with respect to Security Rule standards
  - Providing security training to workforce members
  - Amending BAAs to include provisions required by the Security Rule, and
  - Appointing a Security Officer to oversee Security Rule compliance efforts

BA Liability
- BAs may be directly liable for
  - Uses and disclosures of PHI in violation of a BAA or the Privacy Rule (including more than the minimum necessary)
  - Failing to comply with the Security Rule
  - Failing to provide breach notification to a CE
  - Failing to disclose PHI to the Secretary of HHS to investigate compliance
  - Failing to disclose PHI to comply with an individual's request for an electronic copy of PHI
  - Failing to contract with subcontractors

BA Privacy Rule Compliance
- Written privacy policies and procedures addressing BA privacy obligations are not strictly required, but are prudent
  - Addressing the minimum necessary standard, storing paper PHI, faxing and document destruction practices, etc.
- Given the significant liability risks associated with security breaches, a written breach response plan tracking HIPAA/HITECH requirements is also recommended
Subcontractor BAAs
- Prior to HITECH, BAs were required to ensure that a subcontractor agreed to the same privacy and security obligations that apply to a BA with respect to PHI
  - Written agreements between BAs and subcontractors were common, but not strictly required
- Final Rule requires that a BA enter into a written agreement with a subcontractor ensuring compliance with applicable Privacy and Security Rule requirements

Subcontractor BAAs (cont.)
- Obligation to enter into a BAA with a subcontractor rests solely with the BA, not the CE
- The form of a downstream subcontractor BAA is identical to an upstream BAA between a CE and a BA

Downstream Business Associate Agreements
Each downstream subcontractor BAA must be at least as stringent as the primary BAA between a BA and the CE

BAA Transition Period
- If a BAA compliant with prior HIPAA requirements was entered into prior to the publication date of the Final Rule (Jan. 25, 2013), AND
- The BAA is not renewed or modified between March 26 and Sept. 23, 2013, THEN
- The BAA will be deemed compliant until the EARLIER of
  - The date the contract is renewed or modified on or after Sept. 23, 2013, OR
  - Sept. 23, 2014
BAA Liability
- Final Rule amends the Enforcement Rule to provide that BAs may be directly liable for civil money penalties for violations of the Privacy and Security Rules
- BAs will be liable, in accordance with the federal common law of agency, for violations based upon the acts or omissions of agents
  - Includes workforce members and subcontractors
  - But must be acting within the scope of agency

CE Liability: Final Rule
- The Final Rule makes CEs liable for actions of BAs acting as agents under the federal common law of agency, just as BAs will be liable for actions of subcontractors
- For BAs that are independent contractors, rather than agents, CEs will have an affirmative defense to these liabilities if they can show no willful neglect and timely corrective action
- Hard to apply the agency principle with certainty because it requires evaluating the degree of control that the CE exercises over the BA's conduct

When Is a BA an Agent?
- In commentary to the Final Rule, OCR states that the essential factor in determining whether an agency relationship exists is the right of the CE to control the conduct of the BA in performing its services
- OCR says that the ability of a CE to give interim instructions or directions suggests an agency relationship

When Is a BA an Agent? (cont.)
- If a BA performs its duties strictly in accordance with the terms of its agreement and any change in duties requires a contract amendment, then the BA is probably not an agent
- CE can be liable for the actions of an agent BA even in the absence of a business associate contract
Accretive Health Settlement
- January 2012: Minnesota AG brings enforcement action against Accretive Health, Inc., a business associate, using authority under the HITECH statute
- Accretive had a laptop stolen containing approx. 23,500 patients' records
  - In its capacity as BA to two Minnesota health systems
- AG sought to use authority under the HITECH statute in the first such action against a BA

The Settlement
- July 30, 2012: Minnesota AG and Accretive reach settlement
- Accretive ceases doing business in Minn. for two years
  - And for the next four years, Accretive can reenter the state only with permission of the AG and after entering into a consent decree
- $2.5 million settlement payment placed in a restitution fund for patients

The Takeaways
- Some state AGs may take a similarly aggressive approach to enforcement, and BAs should be prepared
- A formal HIPAA security compliance program is not required of a BA today according to OCR
  - But an AG may take a different view
- An AG HIPAA enforcement action can lead to a more wide-ranging investigation and charges under state laws
  - In Accretive, this included charges under Minn. consumer protection laws over alleged aggressive collection practices
- AGs may interpret HIPAA and HITECH in novel ways, such as asserting a current, affirmative duty of a BA to enter into a BAA

HIPAA Pilot Audit Program
- HITECH required that HHS conduct periodic audits to ensure compliance with HIPAA
- OCR implemented the requirement through a pilot program of 115 audits from November 2011 through December 2012
- First wave of audits applied to CEs only
- BAs will be subject to future audits
- It will be interesting to see how BAs are selected for audit, given the wide variety of businesses that qualify as BAs
The Rest of the HITECH Story
- Breach notification standards
- Penalty structure and enforcement process
- Business associate requirements
- Limits on disclosures to health insurers
- Sale of PHI limits
- Marketing limits
- Fundraising limits
- Genetic info limits (health insurers)
- Disclosures regarding deceased persons
- Disclosures for school immunizations
- New rules re research authorizations
- Individual rights to electronic PHI
- Notice of privacy practices requirements

Deceased Persons
Protected health information is defined to exclude information about a person who has been deceased for more than 50 years.

Deceased Persons (cont.)
- If an individual is deceased, a covered entity may disclose PHI about the decedent to a family member, relative, close personal friend, or other person involved in the decedent's healthcare or payment for care prior to the decedent's death if
  - Disclosure is not inconsistent with prior expressed wishes of the decedent known to the covered entity, and
  - PHI is relevant to the recipient's involvement in the decedent's healthcare or payment for care.

Deceased Persons (cont.)
- Family member means
  - Dependent.
  - Person who is a first-, second-, third- or fourth-degree relative of the individual or of a dependent of the individual.
- Applies to both relatives by blood and by marriage.
- Applies to step-relatives as with full relatives.
School Immunizations
- Covered entity may disclose proof of immunization to a school if
  - PHI disclosed is limited to proof of immunization
  - School is required by state or other law to have such proof of immunization prior to admitting the individual
  - Covered entity obtains agreement to disclosure from either
    - The individual, if emancipated or an adult, or
    - A parent, guardian or other person acting in loco parentis if the individual is an unemancipated minor
  - Covered entity documents the agreement.

Restrictions on Disclosure of PHI to Health Insurers
- Covered entity must agree to an individual's request to restrict disclosure of PHI to a health plan if
  - The PHI pertains solely to a health care item or service for which the individual, or another person on the individual's behalf, paid the covered entity in full, and
  - Disclosure is for the purpose of carrying out the health plan's payment or health care operations and is not otherwise required by law.

Restrictions on Disclosure of PHI to Health Insurers (cont.)
- HHS acknowledged the operational problems with the new rule, but concluded providers should already have methods to flag records under the minimum necessary standard.
- Only applies to disclosures to health plans, not others.
- Does not apply if disclosure is otherwise required by law, e.g., Medicare audits, payment conditions, etc.

Restrictions on Disclosure of PHI to Health Insurers (cont.)
- Provider may require payment in full before the individual may invoke the restriction.
- If the provider cannot unbundle, notify the individual that they must pay the entire bill to trigger the rule.
- Individual is responsible for notifying downstream providers.

Restrictions on Disclosure of PHI to Health Insurers (cont.)
- The restriction only applies if the individual requests the restriction.
- Must include a statement advising the individual of the restriction in the notice of privacy practices, but most individuals don't read the notice.
- Don't ask the individual!
Sale of PHI
- Covered entity or business associate may not sell PHI unless
  - They obtain the individual's prior written authorization, and
  - Authorization discloses that the covered entity will receive remuneration in exchange for PHI.
- "Sale of PHI" means disclosure of PHI by a covered entity or business associate if they receive directly or indirectly any remuneration, financial or otherwise, from or on behalf of the recipient of the PHI in exchange for the PHI.

Sale of PHI (cont.)
- Sale of PHI does not include disclosures
  - To the individual who is the subject of the PHI.
  - For treatment or payment purposes.
  - Required by law.
  - As part of the sale, transfer, merger, or consolidation of the covered entity and related due diligence.
  - To or by a business associate where the remuneration is to pay for the business associate's activities.
  - For certain public health purposes.
  - For purposes permitted by HIPAA if the only remuneration received is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI for such purposes or a fee otherwise expressly permitted by other law.

Sale of PHI (cont.)
- Sale of PHI does not include payments under arrangements to perform services where disclosure of PHI is a byproduct of the service, e.g.,
  - Grants for programs or to perform activities.
  - Research studies.
  - Participation in a health insurance exchange.
  - Sale of accounts receivable to a collection agency.
Marketing
- Covered entity and business associate must obtain an authorization for any use or disclosure of PHI for marketing.
- "Marketing" means a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.

Marketing (cont.)
- If marketing involves financial remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved.
- "Financial remuneration" means direct or indirect payment by the third party whose product or service is being described.

Marketing (cont.)
- Marketing does not include a communication made
  - To provide refill reminders or communicate about a drug that is currently being prescribed for the individual.
    - Any financial remuneration must be reasonably related to the cost of making the communication.

Marketing (cont.)
- Marketing also does not include a communication made for the following treatment and health care operations purposes, unless the covered entity receives financial remuneration for the communication
  - Treatment, including case management, care coordination, or recommending treatment alternatives, or
  - To describe a health-related product or service provided by the covered entity.

Marketing (cont.)
- No authorization is required for the following marketing communications even if financial remuneration is received for making the communication
  - Face-to-face communication made by a covered entity to an individual.
    - Not via telephone, text, internet, fax, etc.
  - A promotional gift of nominal value provided by the covered entity.

Marketing (cont.)
- No authorization is required for communications
  - Promoting health in general, not a product or service.
  - About government-sponsored programs.
Fundraising
- Subject to certain conditions, a covered entity may disclose the following PHI to a business associate or institutionally related foundation for the purpose of raising funds for its own benefit without an authorization
  - Name, address, contact info, age, gender and birthdate
  - Dates of healthcare provided to the individual
  - Department of service information
  - Treating physician
  - Outcome information, and
  - Health insurance status.

Fundraising (cont.)
- To use PHI for fundraising, covered entity
  - Must include a statement notifying the individual of fundraising in the covered entity's notice of privacy practices.
  - With each fundraising communication, must provide a clear and conspicuous opportunity to opt out of fundraising.
  - Method for opting out cannot cause undue burden or more than nominal cost (e.g., toll-free number, e-mail).

Fundraising (cont.)
- May not condition treatment or payment on participation in fundraising.
- May not make fundraising communications to individuals who opt out.
- May notify individuals of a method to opt back in.

Research: Compound Authorizations
- May combine an authorization to use or disclose PHI for a research study with any other type of permission for the same or another research study (i.e., may use a compound authorization), including
  - Consent to participate in research,
  - Another authorization for the same research study, or
  - An authorization for the creation or maintenance of a research database or repository.

Research: Compound Authorizations (cont.)
If a compound authorization conditions treatment on participation in research, it must clearly identify the conditioned components and give the individual an opportunity to opt in to the unconditioned research activities.

Research: Authorizing Future Research
- Research authorization may allow use or disclosure of PHI for purposes of future research.
- Authorization purpose need not be limited to the current study.
- This is a change in HHS interpretation.
Individual Access to PHI
- Extension for off-site records is deleted.
- Covered entities must generally respond to a request for access within 30 days.
  - May obtain one 30-day extension.

Individual Access to PHI (cont.)
- If PHI is maintained in electronic form and the individual requests an electronic copy of the PHI
  - Covered entity must provide access to the PHI in the form and format requested by the individual if it is readily producible.
  - If PHI is not readily producible in the requested form and format, covered entity must provide it in a form as agreed by the covered entity and individual.

Individual Access to PHI (cont.)
- If the individual requests that PHI be sent to another person, covered entity must comply. Request must be in writing, signed by the individual and clearly identify the recipient.
- May charge a reasonable cost-based fee, including labor and supplies for portable media.
Notice of Privacy Practices
- Must add certain items to the notice of privacy practices.
  - Authorizations are required for most uses and disclosures of psychotherapy notes (if applicable), marketing purposes, and sale of PHI.
  - Uses and disclosures not described in the notice require authorizations.
  - Individual may opt out of receiving fundraising communications.

Notice of Privacy Practices (cont.)
- Individual may restrict disclosures to health insurers if the individual pays in full for the treatment.
- Covered entity must notify the individual of a breach of unsecured PHI.
- For health plans, may not use or disclose genetic info for underwriting.

Notice of Privacy Practices (cont.)
- May delete certain items from the notice of privacy practices.
  - Covered entity may contact the individual to provide appointment reminders or info about treatment alternatives or other health-related benefits and services that may be of interest to the individual.

Notice of Privacy Practices (cont.)
- Changes will require publication of a new notice of privacy practices.
  - Post the new notice in a prominent location at the facility. May post a summary if the full notice is otherwise available to the individual without the individual having to request the notice.
  - Post the new notice on the website.

Notice of Privacy Practices (cont.)
- Provide a copy of the notice to new individuals.
- Provide a copy of the new notice to other individuals upon request.
- Comply with discrimination laws, e.g., may need to provide a copy in other languages, Braille, etc.
- New requirements for health plans.
Not Included in Final Rule, but Coming Soon?

Individuals' Recovery of Fines and Penalties
- HITECH Act requires HHS to establish a methodology under which an individual who is harmed by a violation of the privacy or security rules may receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense.
- Subject to future rulemaking.

Accounting of Disclosures for e-PHI
- HITECH Act requires HHS to issue regulations allowing individuals to obtain an accounting of disclosures made for purposes of treatment, payment and healthcare operations if the disclosure is through an electronic health record.
- HHS issued a proposed rule that would entitle individuals to obtain a broad report concerning those who accessed their PHI or to whom their PHI was disclosed.
- Subject to future rulemaking.
Take Aways

Omnibus Rule Action Items
- If you are a business associate
  - Make sure you comply with the rules, e.g.,
    - Protect PHI consistent with the HIPAA rules and the business associate agreement.
    - Conduct a security risk assessment.
    - Implement safeguards required by the Security Rule.
    - Notify the covered entity of breaches.
    - Enter into business associate agreements with subcontractors.

Omnibus Rule Action Items (cont.)
- If you are a covered entity, make sure your business associate agreements comply.
  - Obtain agreements for new business associates, including covered data transmission services.
  - Review existing agreements to ensure they comply with the operative rules.

Omnibus Rule Action Items (cont.)
- As new agreements are written or renewed, ensure they comply with the new rules.
- Ensure all agreements comply by 9/23/14.
- Ensure business associates are not your agents unless you are willing to risk vicarious liability.

Omnibus Rule Action Items (cont.)
- Update your notice of privacy practices
  - Compliance deadline was 9/23/13.
  - Post the updated notice and make it available to individuals.

Omnibus Rule Action Items (cont.)
- Update policies and processes to comply with the new rules.
  - Restrictions on disclosures to health insurers.
  - Disclosures regarding deceased persons.
  - Marketing, fundraising, and sale of PHI.
  - Individual access to electronic PHI.
  - Breach notification requirements.
- Train your employees concerning the new rules.

Omnibus Rule Action Items (cont.)
- If you have a potential breach of PHI, use the new "low probability that data has been compromised" standard.
- Given the new rules and breach notification standard, it is a good time to review your entire HIPAA compliance program.
Access to Lab Test Reports
On February 6, 2014, CMS published a final rule that amends the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to allow laboratories to give a patient, or a person designated by the patient, his or her personal representative, access to the patient's completed test reports upon request of the patient or the patient's personal representative.

Access to Lab Test Reports (cont.)
At the same time, this rule eliminates the exception under the HIPAA Privacy Rule to an individual's right to access his or her protected health information when it is held by a CLIA-certified or CLIA-exempt laboratory.

Access to Lab Test Reports (cont.)
While patients can continue to get access to their laboratory test reports from their doctors, these changes give patients a new option to obtain their test reports directly from the laboratory while maintaining strong protections for patients' privacy.

Access to Lab Test Reports (cont.)
Under the HIPAA Privacy Rule, patients, patients' designees and patients' personal representatives can see or be given a copy of the patient's protected health information, including an electronic copy, with limited exceptions.

Access to Lab Test Reports (cont.)
- In doing so, the patient or the personal representative may have to put their request in writing and pay for the cost of copying, mailing, or electronic media on which the information is provided, such as a CD or flash drive. In most cases, copies must be given to the patient within 30 days of his or her request.
- Published February 6, 2014
- Compliance deadline: October 6, 2014

Questions
- Lynda M. Johnson
- Friday, Eldredge & Clark, LLP
- Ljohnson_at_fridayfirm.com
- 501-370-1553