HITECH’s Changes to HIPAA
September 22, 2010
Carole D. Christian
Erin Brisbay McMahon



DISCLAIMER

The information in the following slides is a summary, and is not intended to cover all the fine points of HIPAA, the HITECH Act, or their implementing regulations. Accordingly, it is not intended to be legal advice, which should always be obtained in direct consultation with an attorney.

Health Information Technology for Economic and Clinical Health Act (HITECH)

- Enacted February 17, 2009
- Many changes to HIPAA’s (Health Insurance Portability and Accountability Act) Privacy and Security Rules

Important to understand the hierarchy of:

- Statutes (U.S.C.) (e.g., HITECH, HIPAA)
- Final Rules (C.F.R.) (e.g., HIPAA Privacy Rule, HIPAA Security Rule)
- Interim Final Rules (e.g., Data Breach Rule, Enforcement Rule)
- Notices of Proposed Rulemaking (e.g., HITECH Rule)

New HIPAA/HITECH Rules

1) Data Breach Rule - http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf
2) Enforcement Rule - http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enfifr.pdf
3) Proposed HITECH Rule - http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/nprmhitech.pdf

When Are These Changes Effective?

- Increased Penalties – February 18, 2009
- Data Breach Regulations – effective date of September 23, 2009
- Enforcement Regulations – effective date of November 30, 2009
- HITECH statutory requirements with an effective date of February 18, 2010 – HHS representatives have said they won’t enforce until six months after the effective date of the final HITECH rule (yet to be issued) – HHS only?
- Willful neglect mandatory penalties – February 18, 2011 (reachback to February 18, 2009)

ENHANCED ENFORCEMENT OF HIPAA

Stiffer Enforcement Program & Penalties

- Historically, HIPAA enforcement has been complaint driven. To date, no civil monetary penalties have been imposed. Three “resolution agreements” have been reached.
- ARRA appropriated $24.3 billion to the privacy and security goals. Of this amount, $9.5 billion is set aside to fund proactive HIPAA compliance audits by the Office for Civil Rights and CMS.

Stiffer Enforcement Program & Penalties (cont’d)

- Under HITECH, potential civil monetary penalties are increased significantly, but are tiered to take into account the intent of the violator. The tiers are as follows:
- Tier A: if the violator did not know (and by exercising reasonable diligence would not have known) that its actions violated the HIPAA laws or regulations, a penalty of at least $100 per violation (except that the total amount of a fine cannot exceed $25,000 for multiple violations of any one requirement or prohibition), not to exceed $50,000 per violation (except that the total amount of a fine cannot exceed $1,500,000 for multiple violations of any one requirement or prohibition).

Stiffer Enforcement Program & Penalties (cont’d)

Proposed Rule, Tier A Example:

- A Covered Entity (CE) with a direct treatment relationship with an individual patient failed to provide the patient a complete Notice of Privacy Practices (NPP).
- HHS’s investigation revealed that the CE had a compliant NPP in place along with proper policies and procedures and had appropriately trained its workforce.
- The violation resulted from an isolated incident (a printing error) affecting only a small number of patients.

Stiffer Enforcement Program & Penalties (cont’d)

Proposed Rule, Tier A Example:

- A Business Associate (BA) failed to terminate a former employee’s access privileges to electronic protected health information (EPHI).
- HHS’s investigation revealed that the BA’s policies and procedures were properly drafted, and that the BA attempted to terminate the former employee’s access, but it accidentally terminated access of a current employee with the same last name.

Stiffer Enforcement Program & Penalties (cont’d)

Proposed Rule, Tier A Example:

- A hospital employee accessed the paper medical records of his ex-spouse while he was on duty to discover her current address for a personal reason, knowing that access was not permitted by the Privacy Rule and was contrary to hospital policies and procedures.
- HHS’s investigation revealed that the CE had appropriate and reasonable safeguards regarding employee access to medical records, and that it had delivered appropriate training to the employee.
- Therefore, this is a Tier A violation. The employee’s knowledge is not imputed upon the hospital because the employee was acting outside the scope of his employment.

Stiffer Enforcement Program & Penalties (cont’d)

- Tier B: If the violation was due to reasonable cause and not willful neglect, a penalty of at least $1,000 per violation (except that the total amount of a fine cannot exceed $100,000 for multiple violations of any one requirement or prohibition), not to exceed $50,000 per violation (except that the total amount of a fine cannot exceed $1,500,000 for multiple violations of any one requirement or prohibition).
- Proposed Rule further defines “reasonable cause”:
  - Includes situations where it is unreasonable for the CE or BA to comply, despite the exercise of ordinary business care and prudence.
  - Includes situations where a CE or BA has knowledge of the violation but lacks the conscious intent or reckless indifference associated with willful neglect.

Stiffer Enforcement Program & Penalties (cont’d)

Proposed Rule, Tier B Example:

- CE received an individual’s request for access but did not respond within the appropriate time period.
- HHS’s investigation revealed that the CE had compliant access policies and procedures in place, but that it received an unusually high volume of requests for access within the time period in question.
- While the CE responded to the majority of access requests in the time period in a timely manner, it failed to respond to several requests in time.
- The CE responded in a timely manner to all requests it received after the time period in which the violations occurred.

Stiffer Enforcement Program & Penalties (cont’d)

Proposed Rule, Tier B Example:

- CE presented an authorization form to a patient for signature to permit a disclosure for marketing purposes that did not contain the core elements required under HIPAA.
- HHS’s investigation revealed that the CE was aware of the requirement for an authorization for a use or disclosure of PHI for marketing and had attempted to draft a compliant authorization.
- Unless resolved by informal means, HHS would have grounds to find that this violation was due to “reasonable cause.”

Stiffer Enforcement Program & Penalties (cont’d)

- Tier C: If the violation was due to willful neglect and is corrected, a penalty of at least $10,000 per violation (except that the total amount of a fine cannot exceed $250,000 for multiple violations of any one requirement or prohibition), not to exceed $50,000 per violation (except that the total amount of a fine cannot exceed $1,500,000 for multiple violations of any one requirement or prohibition).
- Willful neglect – conscious, intentional failure or reckless indifference to the obligation to comply with the provision violated. Actual knowledge that a violation occurred, not just knowledge about the facts of a violation.

Stiffer Enforcement Program & Penalties (cont’d)

- Tier D: If the violation was due to willful neglect and is not corrected, a fine of $50,000 per violation (except that the total amount of a fine cannot exceed $1,500,000 for multiple violations of any one requirement or prohibition).

Stiffer Enforcement Program & Penalties (cont’d)

Proposed Rule, Tier C or D Example of “Willful Neglect”:

- CE disposed of several hard drives containing ePHI in an unsecured dumpster in violation of HIPAA’s Security and Privacy Rules.
- HHS’s investigation revealed that the CE failed to implement any policies and procedures to reasonably and appropriately safeguard ePHI during the disposal process.

Stiffer Enforcement Program & Penalties (cont’d)

Proposed Rule, Tier C or D Example of “Willful Neglect”:

- CE failed to respond to an individual’s request that it restrict its uses and disclosures of the individual’s PHI.
- HHS’s investigation revealed that the CE did not have any policies and procedures in place for consideration of the restriction requests it received and refused to accept any requests for restrictions from individual patients who inquired.
- The refusal to accept any requests would be grounds for a separate finding of a violation due to willful neglect.

Stiffer Enforcement Program & Penalties (cont’d)

Proposed Rule, Tier C or D Example of “Willful Neglect”:

- CE’s employee lost an unencrypted laptop that contained unsecured PHI.
- HHS’s investigation revealed that the CE feared its reputation would be harmed if information about the incident became public and, therefore, decided not to provide notification as required under the Data Breach Notification Rule.

Stiffer Enforcement Program & Penalties (cont’d)

Proposed Rule, Tier C Example of “Correction”:

- CE or BA has inadequate safeguards, policies and procedures and this results in an impermissible disclosure.
- The disclosure violation itself cannot be fully corrected. However, the safeguards violation can be corrected if the noncompliant policies and procedures are brought into compliance.
- Corrective action will always be required of a CE or BA.

Criminal Penalties

- Criminal penalties of up to $50,000 and up to one year in prison, or both, must be imposed if a person knowingly and in violation of the HIPAA security rule, privacy rule, or data breach rule wrongfully obtains individually identifiable health information relating to an individual or wrongfully discloses individually identifiable information to another person.

Criminal Penalties (cont’d)

- These penalties increase to up to $100,000 and up to five years in prison, or both, if the information was obtained under false pretenses, and up to $250,000 and up to ten years in prison, or both, if the violation involves commercial advantage, personal gain, or malicious harm.

State Attorney General Actions

- State Attorneys General may now file a civil action against HIPAA violators on behalf of residents of their state for statutory damages determined by multiplying the number of violations by an amount up to $100. The total amount of damages imposed for all violations of an identical requirement or prohibition in one calendar year may not exceed $25,000.
- Connecticut’s Attorney General is aggressively pursuing HIPAA violations.

- In January 2010, Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify consumers endangered by the security breach. The parties settled in July 2010.
- Health Net of Connecticut’s settlement included:
  - two years of consumer credit monitoring
  - $1 million of identity theft insurance and reimbursement for the costs of security freezes
  - “Corrective Action Plan” in which Health Net is implementing several measures to protect health information and other private data in compliance with HIPAA
  - $250,000 payment to the state in statutory damages
  - Additional $500,000 contingent payment to the state should it be established that the lost disk drive was accessed and personal information used illegally, impacting plan members.
- Attorney General Blumenthal has since announced investigations of Griffin Hospital, Yale University Medical School, and the University of Connecticut.

“Qui Tam” Actions

- The GAO is directed to prepare a report within 18 months of HITECH’s enactment establishing a method for allowing affected individuals to share in civil monetary penalties imposed under HIPAA or settlements.
- HHS must adopt such methodology within 3 years of HITECH’s enactment. This will increase incentives to file complaints for violations of HIPAA—much like whistleblower suits under the False Claims Act.

We are already seeing increased criminal enforcement

- October 2008—an Arkansas physician and two hospital employees accessed the medical records of a high profile patient at the hospital where they worked.
- After hearing the patient’s story on the news, Dr. Jay Holland, the Medical Director of Select Specialty Hospital, accessed the patient’s records from his home computer. The hospital suspended his privileges for 2 weeks and required online HIPAA training.
- One hospital employee (ER coordinator - fired) accessed the patient’s records 3 times in one day after being told to set up an alias for the patient, and the other accessed them 12 times (patient registration person at offsite clinic - fired).

Increased criminal enforcement (cont’d)

- The doctor and employees had all been trained on HIPAA privacy laws (KEY for you). Can you document attendance for each of your employees?
- They each admitted that they had no legitimate purpose for accessing the records.
- Each stated that they accessed the patient’s files out of curiosity.

Stiffer Penalties Are Now Being Enforced

- Each pled guilty to a misdemeanor violation of HIPAA.
- Each faced a maximum penalty of 1 year in prison, a fine of up to $50,000, or both. The judge sentenced all to one year’s probation.
- The doctor was fined $5,000 and ordered to perform 50 hours of community service; one employee was fined $2,500, the other was fined $1,500.

Prison time for just snooping

- A former UCLA Health System researcher, Huping Zhou, was sentenced to four months in prison for illegally perusing the medical records of co-workers and celebrities.
- Zhou is licensed as a cardiothoracic surgeon in China and worked as a research assistant at one of UCLA's facilities. In October 2003, Zhou was notified that he would be terminated. Over the next three weeks he abused his access to the computer system to look up health information of patients, most of them celebrities and people Zhou worked with, he admitted in a plea agreement with prosecutors.
- An investigation by the California Center for Health Care Quality indicated that the peeking was widespread, concluding that UCLA workers inappropriately accessed the records of 1,041 patients, and 165 employees were terminated, suspended or warned.

Data Breach Notification Law and Regulations (In Effect)

Affirmative breach notification obligations

- Effective Date of the Interim Final Rule was September 23, 2009.
- The HHS Final Rule on breach notification was submitted to the OMB on May 14, 2010. However, HHS has withdrawn the Final Rule because of its disagreement with Congress about whether to include the harm analysis in the Rule (HHS wants it, Congress doesn’t).
- The Interim Final Rule remains in effect, including the harm analysis, until a final rule is published.

Affirmative breach notification obligations (cont’d)

- OLD LAW: HIPAA did not explicitly require breach notification.
- Under HITECH, Covered Entities & Business Associates must develop a notification process to deal with breaches of unsecured protected health information (PHI).
- Unsecured PHI is information that is not encrypted or has not been destroyed.

Affirmative Breach Notification Obligations

HITECH is broader than most relevant state notification laws because:

- Applies to breaches (violation of HIPAA privacy rule) involving any kind of PHI held by covered entities (rather than specific categories—such as social security number); and
- Requires Covered Entities to determine if the breach poses a significant risk of financial, reputational, or other harm to the individual – if not, no breach has occurred. Must keep documentation of determination 6 years from the date the determination is finalized.

PRACTICAL TIPS:

- Develop a data breach response plan before something happens
- Assign compliance responsibility with a backup team
- Develop internal investigation procedures (involve legal immediately for privilege purposes) and don’t let an investigation languish
- Decide in what situations law enforcement will be called
- Develop a PR strategy
- Decide whether to set up a call center for large data breaches
- Develop a form letter for informing patients

Exceptions to Affirmative Breach Notification Obligations

- If a Limited Data Set (stripped of 16 identifiers) is improperly used or disclosed, that does not constitute a breach if zip codes or dates of birth were also removed.
- Covered Entity must document that the lost information did not include any of these identifiers.

Exceptions to Affirmative Breach Notification Obligations – must document why you qualify

- An unintentional acquisition, access or use of PHI by a workforce member acting under the authority of a covered entity or a business associate, if the acquisition, access, or use was made in good faith, within the course and scope of employment or other professional relationship, and does not result in a further use or disclosure not permitted by the Privacy Rule.
- Example: Nurse mistakenly sends an e-mail containing PHI to a billing employee. Billing employee recognizes she/he is not the intended recipient, deletes the e-mail, and alerts the nurse of the misdirected e-mail.

Exceptions to Affirmative Breach Notification Obligations – must document why you qualify

- An inadvertent disclosure of PHI from a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity, business associate, or OHCA in which the covered entity participates, as long as the recipient does not further use or disclose the PHI in violation of the Privacy Rule.
- Example: A physician who has authority to use or disclose PHI at a hospital by virtue of participating in the OHCA is similarly situated to a nurse or billing employee at the hospital who also has authority to use or disclose PHI at that hospital.

Exceptions to Affirmative Breach Notification Obligations – must document why you qualify

- The Covered Entity has a good faith belief that the person to whom the inappropriate disclosure was made would not reasonably have been able to retain the information.
- Example: A nurse mistakenly hands a patient the discharge papers belonging to another patient, but she quickly realizes her mistake and retrieves the papers. If the nurse can reasonably conclude that the patient could not have read or otherwise retained the information, no breach has occurred.

PRACTICAL TIPS:

- Must develop a data breach notification policy and update other policies (training, complaints, etc.)
- Must train physicians and staff to recognize violations of HIPAA and report them so that you can document investigation and determination of whether there is a breach that requires notification
- Suggest making not reporting a possible breach a sanctionable violation subject to progressive discipline, because if you should have known of the breach, that starts your clock for notification

Breaches Treated As Discovered

- Breaches are treated as discovered by the covered entity as of the first day the breach is known to the covered entity OR by exercising reasonable diligence would have been known to the covered entity through any workforce member or agent (including a business associate) of the covered entity other than the individual committing the breach. HHS will look to the federal common law of agency.
- Must implement reasonable systems for discovery of breaches (e.g., system activity review after a high-profile patient has been discharged)
- If the business associate is an agent of the covered entity, time to notify runs from the BA’s discovery. If the BA is an independent contractor, then the CE must provide notification based on the time the BA notifies the CE of the breach.
- PRACTICAL TIP: put independent contractor clauses in all BAAs

When Individuals Must Be Notified

- All notifications must be made without unreasonable delay.
- PRACTICAL TIP: Get notices out ASAP. Delays will cause media outlets, the FBI, and the Secret Service to question why you delayed.
- In no case may the notification be made later than 60 days after the discovery of the breach, unless law enforcement provides a written statement specifying the delay time (oral request – no longer than 30 days – document the statement and identity of official).
- CEs and BAs have the burden of proving that all notifications were made properly.

What The Notification Must Contain

Regardless of the method of notification, the following information must be written in plain language (may need to be available in other languages, Braille, large print, or audio):

- A brief description of what happened, including date(s) of breach and discovery;
- A description of the types of unsecured PHI that were involved in the breach (such as name, SS #, DOB, address, account #, diagnosis or disability code);
- The steps individuals should take to protect themselves from potential harm;

Contents of Notification (cont’d)

- A brief description of what the covered entity is doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches; and
- Contact procedures for individuals to ask questions or get additional information. Must include a toll-free number, an e-mail address, a Web site, or a postal address.
- Avoid including sensitive information in the notification itself.

Method of Notification

- First class mail to last known address OR e-mail if the individual has consented to electronic notification and consent hasn’t been withdrawn
- Minors, incompetents – send to personal representative
- Deceased (if CE knows of death and has the address of next of kin or personal representative) – send to next of kin or personal representative

Method of Notification, cont’d

Substitute notice – if CE doesn’t have contact info or if notices are returned undeliverable:

- Less than 10 people – e-mail, telephone
- 10 or more people – conspicuous posting for 90 days on home page of website (can do hyperlink that is noticeable given its size, color and graphic treatment) or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected likely reside AND toll-free phone number, active for 90 days, where an individual can learn whether his/her unsecured PHI may be included in the breach. Phone number must be in the conspicuous posting or notice.

Method of Notification, cont’d

- If concerned that misuse is imminent, may make an additional telephone notification, but still must notify in writing.

Media Notice

- In some instances, notice to media outlets is required.
- If the unsecured PHI of more than 500 residents of a state or jurisdiction is, or is reasonably believed to have been, accessed, acquired, or disclosed during a breach, notice must be provided to prominent media outlets in that area. This is in addition to written notice to the individuals affected.

HHS Notification

- Notice shall be provided to the Secretary by covered entities of unsecured PHI that has been involved in a breach.
- If the breach involves more than 500 individuals (no matter which state), notice must be given immediately (concurrently with the notices sent to individuals).
- Under the rule, if the breach involves fewer than 500 individuals, the covered entity may maintain a log and annually submit the log to the Secretary (within 60 days after Dec. 31). For 2009, submit information for breaches occurring on or after September 23.
- As a practical matter, HHS’s website requires that breaches involving fewer than 500 people be reported one at a time, so it’s easier just to report as events happen; however, you might want to consider holding your breach reports until Feb. 28 – Mar. 1 every year so that they blend in with the others filed on those dates. Address: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
- Maintain a record of the investigation for six years from the date the investigation closes.

Safe Harbors – Encryption and Destruction

- The breach notification provisions only apply to “unsecured protected health information.” If your PHI is secured by encryption or destruction, then there is no need to report a breach to anyone.
- Unsecured PHI is not secured by a technology that renders the PHI unusable, unreadable or indecipherable to unauthorized individuals.
- Thus, covered entities have a significant incentive to encrypt PHI or take other steps to ensure it is not “unsecured.”

How to “secure” PHI

- Encryption – use an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key
- The process or key has not been breached – should be stored on a device or at a location separate from the data
- Data at Rest – NIST Special Pub. 800-111
- Data in Motion – NIST Special Pub. 800-52, -77, or -113
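The encryption safe harbor on this slide turns on two things: an algorithmic process that leaves a low probability of assigning meaning to the data, and a key that has not been breached and is kept on a device or at a location separate from the data. The Go program below is an added example written for this page; it is not the presenters' material and not taken from NIST SP 800-111, which the slide cites as the data-at-rest guidance. The KeyStore and EncryptedRecord types, the key ID, the record ID and the sample record are all constructed for illustration. It encrypts a record with AES-256-GCM, stores only a key ID beside the ciphertext, and shows that a copy of the data store without the key store yields nothing readable, while a ciphertext moved to another record or altered in transit fails authentication.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyStore stands in for a key-management location (a KMS or HSM in practice) kept on a different system from the data store. Hypothetical type for this example.
type KeyStore struct {
	keys map[string][]byte // key ID -> 256-bit AES key
}

// EncryptedRecord is what the data store holds: ciphertext, nonce, and only the key's ID.
type EncryptedRecord struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte // AES-GCM output, authentication tag included
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// GenerateKey creates a fresh random 256-bit key under the given ID.
func (ks *KeyStore) GenerateKey(id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	ks.keys[id] = k
	return nil
}

// Key looks a key up by ID; a store that does not hold it cannot decrypt.
func (ks *KeyStore) Key(id string) ([]byte, error) {
	if k, ok := ks.keys[id]; ok {
		return k, nil
	}
	return nil, fmt.Errorf("keystore: unknown key id %q", id)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPHI seals a PHI record with AES-256-GCM under a fresh random nonce.
// The record ID is bound in as additional authenticated data, so a ciphertext
// moved to another record fails to decrypt.
func EncryptPHI(ks *KeyStore, keyID, recordID string, plaintext []byte) (EncryptedRecord, error) {
	key, err := ks.Key(keyID)
	if err != nil {
		return EncryptedRecord{}, err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return EncryptedRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedRecord{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(recordID))
	return EncryptedRecord{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptPHI reverses EncryptPHI. It errors if this key store lacks the key or
// if the nonce, record ID or ciphertext were altered.
func DecryptPHI(ks *KeyStore, recordID string, rec EncryptedRecord) ([]byte, error) {
	key, err := ks.Key(rec.KeyID)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(recordID))
}

func main() {
	ks := NewKeyStore()
	if err := ks.GenerateKey("phi-key-2010"); err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	rec, err := EncryptPHI(ks, "phi-key-2010", "record-42", []byte("MRN 000123; Jane Sample; dx E11.9"))
	if err != nil {
		panic(err)
	}
	_, noKeyErr := DecryptPHI(NewKeyStore(), "record-42", rec) // data store copy alone, no key store
	pt, err := DecryptPHI(ks, "record-42", rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("without key store: %v\nwith key store: %s\n", noKeyErr, pt)
}
```

The point of the separation is the one the slide makes: a lost disk, backup tape or laptop that holds only EncryptedRecord values does not carry the key with it. In a real deployment the KeyStore role is played by a KMS or HSM with its own access controls and audit trail, and the nonce must never repeat under the same key, which is why the example draws a fresh random one on every call rather than reusing one.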

How to “secure” PHI, cont’d

Destruction – The media on which the PHI is stored or recorded has been destroyed in one of the following ways:

- Paper, film, or other hard copy media have been shredded or destroyed so that the PHI cannot be read or otherwise reconstructed. Redaction is not destruction.
- Electronic media have been cleared, purged, or destroyed consistent with NIST Special Pub. 800-88 so that the PHI cannot be retrieved.

Health Data Breaches Reported to OCR

Type of Breach         Number of Individuals   Number of Breaches
Theft                              2,836,823                   65
Unauthorized Access                   67,751                   14
Loss                                  63,899                   12
Improper Disposal                      9,012                    4
Hacking/IT Incident                    2,957                    2
Phishing Scam                            610                    1
Misdirected Email                        676                    1
Other                                530,488                   14

Note: Data as of June 2010. Some breaches are included in multiple categories. Source: HHS OCR, courtesy of Dennis Melamed

Business Associates

Reevaluation of Business Associate Agreements

- Effective Date in statute is February 18, 2010. However, representatives of HHS have verbally confirmed that HHS will not enforce the HITECH Act or its regulations, except for the Data Breach and Enforcement Rules, until 6 months after the final HITECH Rule is effective.
- Proposed HITECH rule says that, if your current BAAs comply with the current HIPAA Privacy and Security Rule requirements AND those BAAs aren’t renewed or amended between 60 and 240 days after the date the final HITECH rule is published, you will have up to 1 year and 240 days after the publication of the final HITECH rule to amend the BAA to comply with the new BAA requirements of the final HITECH rule.

PRACTICAL TIPS:

- If you have BAAs in place with your current vendors that comply with the current HIPAA Privacy and Security Rules, you might want to wait to amend (but what about data breaches?)
- Check your BAA log to make sure it’s accurate and up to date, and review current BAAs for compliance with current requirements.

A Brave New World for Business Associates

- “Business Associates” are now squarely within the regulatory reach of HIPAA, not merely bound by the contractual terms of a Business Associate Agreement. Business Associates must now comply with many of the HIPAA privacy and security rules.
- Business associates must implement standards and “required” implementation specifications set forth in the Security Rule.
- BAs must analyze whether to adopt “addressable” implementation specifications in the Security Rule and, if not, must document their rationale.
- BAs will have to expend considerable time and money to satisfy these requirements. [TRANSLATED: START NOW]

Business Associates

HITECH will require:

- BAs to comply directly with provisions directing implementation of administrative, physical and technical safeguards of electronic PHI.
- BAs to develop and ensure compliance with policies, procedures, and documentation standards.
- BAs to comply directly with HIPAA’s BA safeguards, including limiting use and disclosure of PHI per the BA agreement or as required by law, facilitating access, amendment and accounting of disclosures, etc.

Business Associates (cont’d)

- Providers do not have a duty to police their business associates’ safeguards and policies.
- BUT under the Proposed HITECH Rule, if a Covered Entity has contracted out an obligation under the HIPAA Privacy or Security Rule, such as providing the Notice of Privacy Practices to patients, the Covered Entity remains liable for the failure of the Business Associate to perform that obligation on the Covered Entity’s behalf.
- PRACTICAL TIP: Educate your Business Associates about the new “teeth” that HIPAA/HITECH has in terms of penalties/enforcement.

New Obligations for Subcontractors of Business Associates

- Treated as business associates if they create, receive, maintain, or transmit PHI on behalf of a business associate.
- Business Associates must have Business Associate Agreements in place with subcontractors (Covered Entities do not).
- Question: Will this survive into the final rule? (not in the statute)

Examples of Business Associates

- Patient Safety Organizations
- RHIOs, e-prescribing gateways, Personal Health Record vendors
- Accounting firms that need patient information from a hospital, physician practice, or health care insurer to render accounting or auditing services;
- Law firms that provide medical malpractice defense services or other services requiring the use of patient information;
- Software vendors who need patient information to test and fix programs for health care providers and insurers;
- Third-party administrators of health plans;
- Quality assurance consultants or consultants who perform utilization reviews;
- Medical transcriptionists;
- Interpreters who contract with hospitals; and
- Collection agencies.

Uses and Disclosures of Protected Health Information

63

Constriction of the “Minimum Necessary” Standard Applies to non-treatment uses and disclosures of

and requests for PHI HIPAA’s “minimum necessary” standard mandates that a

use or disclosure of, or request for, PHI (other than for treatment purposes) may only contain the minimum amount of PHI necessary to achieve the purpose. This “standard” has very little structure and affords covered entities quite a bit of discretion.


64

“Minimum Necessary” Standard (cont’d)

Effective: February 18, 2010. Representatives of HHS have verbally confirmed that HHS will not enforce the HITECH Act or its regulations, except for the Data Breach and Enforcement statutory provisions and Rules, until 6 months after the final rule is effective.

Under HITECH, uses, disclosures and requests must, “to the extent practicable,” be limited to a “limited data set” (LDS). An LDS is PHI from which 16 direct identifiers (set forth in the HIPAA Privacy Rule), such as the patient’s name, address and social security number, have been removed.

Guidance was slated for August 17, 2010 as to what constitutes “minimum necessary” but no guidance has been issued. Instead, HHS asked for comments in the proposed rule.

After additional minimum necessary guidance is issued, this provision of HITECH sunsets and the HHS guidance will control.


65

“Minimum Necessary” Standard (cont’d)

The covered entity’s discretion is limited. If use of an LDS is sufficient to achieve the purpose of the disclosure, use it. If it is not, be prepared to justify why use of an LDS would not have been practicable.

Guidance on such a “gray area” issue will hopefully eliminate some confusion.


66

Notice of Privacy Practices

Changes to NPPs under HITECH and the Proposed Rule:

Statement about sale of PHI
Statement about subsidized treatment communications and ability to opt out
Statement that individual can opt out of fundraising communications
Statement that CE must agree to restrict disclosure to health plan if individual pays in full out of pocket for health care services


67

Patient Requests for Restrictions on Disclosures of PHI

Patients may restrict non-treatment disclosures to a health plan if they paid out-of-pocket for the service in question.

Effective Date: February 18, 2010. Representatives of HHS have verbally confirmed that HHS will not enforce the HITECH Act or its regulations, except for the Data Breach and Enforcement statutory provisions and Rules, until 6 months after the final rule is effective.

OLD LAW: HIPAA did not require that a covered entity comply with a patient’s requested restriction on disclosure of his/her PHI for treatment, payment or health care operations.

Under HITECH, a covered entity must comply with a patient’s requested restriction on disclosure (for payment or health care operations—not treatment) to a health plan if the patient paid entirely out-of-pocket for the service. [example—genetic testing]

Under the Proposed Rule, if the CE cannot resolve payment with the individual (e.g., check bounces) after a reasonable attempt to resolve the issue, CE may submit PHI to health plan for payment.

If you have already revised your NPP, follow it.


68

Accounting for Disclosures of PHI

Broader disclosure accounting requirement for EHR users—i.e., you must account for “TPO” disclosures.

Effective: If a covered entity acquired an electronic health record (EHR) system on or before January 1, 2009, this requirement becomes effective January 1, 2014. For covered entities acquiring an EHR system after January 1, 2009, the requirement takes effect on January 1, 2011, or the date the EHR system is acquired, whichever is later.

Not addressed in the HITECH Proposed Rule – will be the subject of future rulemaking


69

Accounting for Disclosures of PHI (cont’d)

OLD LAW: Covered entities under HIPAA did not have to render an accounting of uses and disclosures of PHI made for purposes of treatment, payment or health care operations—so called “TPO” disclosures.

HITECH’s new accounting standards require that, when a covered entity uses or maintains an electronic health record, an individual has the right to receive an accounting of disclosures of PHI (including TPO disclosures) made by the covered entity and its business associates during the 3 years prior to the request.

May charge a reasonable fee for complying with the request.


70

Restrictions on Sale of PHI

Prohibition on unauthorized sale of PHI.

Guidance was supposed to be issued by August 17, 2010 but it has not yet been issued.

The prohibition will apply to exchanges occurring on or after the date that is 6 months after the date of the final regulations.

HITECH prohibits a covered entity (or business associate) from selling PHI without a valid authorization from the individual, including a statement as to whether the PHI can be further sold by the entity that receives it. The HITECH Proposed Rule tracks the statute.


71

Exceptions to the Prohibition

If the purpose of the exchange is for:

Research or public health activities.
Treatment of the individual.
Health care operations related to the sale, merger, or consolidation of the covered entity.
Payment by a covered entity to a business associate for activities covered under the Business Associate Agreement.
Providing the individual with a copy of his/her PHI.
Other reasons determined necessary and appropriate by the Secretary – required by law, permitted under the Privacy Rule, and the amount charged is a reasonable cost-based fee.


72

Marketing

Tightening of the prohibition on unauthorized use of PHI for “marketing.”

Effective February 18, 2010. Representatives of HHS have verbally confirmed that HHS will not enforce the HITECH Act or its regulations, except for the Data Breach and Enforcement statutory provisions and Rules, until 6 months after the final rule is effective.

“Marketing” communications require patient authorization under HIPAA. The Proposed Rule adds that all marketing communications must include a clear and conspicuous opt out.

HITECH establishes that a communication by a covered entity (or business associate) that is about a product or service, and encourages the purchase or use of a product or service, does not qualify as a “health care operation” but instead is marketing.

Practical Tip: If you revised your Notice of Privacy Practices (NPP) already, best practices indicate that you should honor it.


73

Exceptions to classification as “marketing”

The communication pertains to:

a health related product or service (or payment for the same) that is provided by, or included in a plan of benefits of, the covered entity making the communication (e.g., communications about a provider network or health plan network, replacements or enhancement of a plan, and health related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits);
treatment of the individual; or
case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.


74

Exception to the Exceptions

Even if the communication falls within one of these exceptions, it will not be considered to be for health care operations if the communication is made in exchange for direct or indirect payment.

E.g., communication by a pharmacy regarding a certain drug the patient is not currently taking and the pharmacy receives payment from the drug manufacturer for such communication.

Proposed HITECH Rule redefines marketing in accordance with the statute


75

Fundraising

Before HITECH, a covered entity was required to include in any fundraising materials the steps an individual could take to opt out of receiving any further fundraising communications.

Under HITECH, a covered entity must provide such notice in a clear and conspicuous manner.

The HITECH Act makes the opt-out provisions for fundraising a statutory requirement, as opposed to only a regulatory requirement. The HITECH Proposed Rule requires an opt-out on every communication, and the opt-out must not be unduly burdensome (it could not require opt-out by snail mail only).

Practical Tip: If you revised your Notice of Privacy Practices (NPP) already, best practices indicate that you should honor it.


76

Patient Access to PHI in Electronic Format

OLD LAW: individuals have the right to obtain a copy of their PHI maintained in a designated record set.

Effective February 18, 2010, individuals have the right to obtain a copy of their PHI in electronic format if the covered entity uses an EHR. The Proposed HITECH Rule confirms this right. HHS representatives have said Covered Entities may protect their own security in making copies, e.g., they won’t be required to use media given to them by patients.


77

Additional Changes in the HITECH Proposed Rule to the HIPAA Privacy and Security Rules

If a person has been deceased more than 50 years, his/her PHI would no longer be protected.

If a person is deceased, a Covered Entity may disclose PHI to a family member or another person involved in that person’s care or payment for that care, unless doing so would be expressly contrary to a desire expressed by the person during life.

Compound research authorizations/future research


78

THANK YOU!

Wyatt, Tarrant & Combs, LLP

Carole D. Christian
500 West Jefferson Street
Suite 2800
Louisville, KY 40202
502-562-7588
[email protected]

Erin Brisbay McMahon
250 West Main Street
Suite 1600
Lexington, KY 40507
[email protected]