HIPAA/HITECH Update

By Lynda M. Johnson
Friday, Eldredge & Clark

HITECH Act – Privacy and Security

Extended the reach of the HIPAA Privacy and Security Rules to business associates (BAs)

Imposed breach notification requirements on HIPAA covered entities (CEs) and BAs

Limited certain uses and disclosures of protected health information (PHI)

Increased individuals’ rights with respect to PHI maintained in EHRs

Increased enforcement of, and penalties for, HIPAA violations

The HIPAA Omnibus Final Rule

On July 14, 2010, HHS published a notice of proposed rulemaking (the “Proposed Rule”) that would modify the HIPAA Privacy, Security and Enforcement Rules

After much delay, HHS published the HIPAA Omnibus Final Rule on January 25, 2013

• Amends the Privacy, Security, Enforcement and Breach Notification Rules

• Also makes conforming changes pursuant to the Genetic Information Nondiscrimination Act of 2008 (GINA)

The Final Rule implements the requirements of the HITECH Act and largely adopts the Proposed Rule without major changes.

Compliance Dates

Final Rule became effective March 26, 2013

Compliance was required by September 23, 2013

Business Associates

HITECH imposes new privacy and security obligations on BAs and personal health record companies

To increase consumer confidence in EHRs and PHRs, companies that provide those products, or that aid in the electronic transmission of PHI, are subject to more direct privacy and security regulation

Business Associates – Satisfactory Assurances

A covered entity may disclose protected health information to a business associate only if it obtains “satisfactory assurances” that the business associate will appropriately safeguard the information

A business associate contract (BAA) is required

Use and Disclosure – Who Is a Business Associate?

• A person acting on behalf of a covered entity who –

  • Creates, receives, maintains or transmits PHI for a function or activity regulated by HIPAA (a covered entity function), or

  • Provides certain identified services to a covered entity

• BAs may also be covered entities

• This is the Final Rule’s newly tweaked definition

Diagram – examples of business associates surrounding a covered entity: billing firms; lawyers; actuaries; outsourcing vendors; clearinghouses; accountants; auditors; financial services; management firms; consultants; vendors; accreditation organizations

No Business Associate Relationship

• Workforce members

• Provider and plan

• Provider and provider, for treatment

• Hospital and medical staff member

• Group health plan and plan sponsor

• Financial institutions

• Due diligence activities

• Members of “organized health care arrangements”

• “Conduits” (mail services and electronic equivalents) that only access PHI on a “random or infrequent” basis

The “Conduit” Exception

• OCR notes that the exception is limited to services that merely transmit PHI

• It applies even when the transmitted data is temporarily stored incident to the transmission

• A company that maintains PHI on behalf of a covered entity is a BA, even if it never actually views the PHI

• Examples: data storage company, cloud computing provider

Expanded Definition of Business Associates

Definition of “business associate” now includes:

• Patient safety organizations under the Patient Safety and Quality Improvement Act of 2005

• Organizations that provide data transmission of PHI to a covered entity and require routine access to the PHI, such as Health Information Organizations and e-prescribing gateways

• PHR vendors acting on behalf of a CE

• Subcontractors to a BA that create, receive, maintain or transmit PHI on behalf of a BA

Security Rule Compliance

Necessary steps for Security Rule compliance:

1. Conducting a formal security risk assessment;

2. Implementing written policies and procedures with respect to the Security Rule standards;

3. Providing security training to workforce members;

4. Amending BAAs to include the provisions required by the Security Rule; and

5. Appointing a Security Officer to oversee Security Rule compliance efforts

BA Liability

BAs may be directly liable for:

Uses and disclosures of PHI in violation of a BAA or the Privacy Rule (including disclosing more than the minimum necessary)

Failing to comply with the Security Rule

Failing to provide breach notification to a CE

Failing to disclose PHI to the Secretary of HHS to investigate compliance

Failing to disclose PHI to comply with an individual’s request for an electronic copy of PHI

Failing to enter into BAAs with subcontractors

BA Privacy Rule Compliance

Written privacy policies and procedures addressing BA privacy obligations are not strictly required, but are prudent

• Addressing minimum necessary standard, storing paper PHI, faxing and document destruction practices, etc.

Given the significant liability risks associated with security breaches, a written breach response plan tracking HIPAA/HITECH requirements is also recommended

Subcontractor BAAs

• Prior to HITECH, BAs were required to “ensure” that a subcontractor “agree” to the same privacy and security obligations that applied to the BA with respect to PHI

• Written agreements between BAs and subcontractors were common, but were not strictly required

• The Final Rule now requires that a BA enter into a written agreement with a subcontractor ensuring compliance with the applicable Privacy and Security Rule requirements

Subcontractor BAAs (cont.)

• The obligation to enter into a BAA with a subcontractor rests solely with the BA, not the CE

• The form of a “downstream” subcontractor BAA is identical to an “upstream” BAA between a CE and a BA

“Downstream” Business Associate Agreements

Each downstream subcontractor BAA must be at least as stringent as the primary BAA between a BA and the CE

BAA Transition Period

• If a BAA compliant with the prior HIPAA requirements was entered into before the publication date of the Final Rule (Jan. 25, 2013), AND

• The BAA is not renewed or modified between March 26 and Sept. 23, 2013, THEN

• The BAA will be deemed compliant until the EARLIER of:

  • The date the contract is renewed or modified on or after Sept. 23, 2013, OR

  • Sept. 23, 2014

BA Liability – Final Rule

• The Final Rule amends the Enforcement Rule to provide that BAs may be directly liable for civil money penalties for violations of the Privacy and Security Rules

• BAs are liable, in accordance with the federal common law of agency, for violations based upon the acts or omissions of their agents

  • Includes workforce members and subcontractors

  • But only when the agent is acting within the scope of the agency

CE Liability – Final Rule

The Final Rule makes CEs liable for the actions of BAs acting as their agents under the federal common law of agency, just as BAs are liable for the actions of their subcontractor agents

• For BAs that are “independent contractors” rather than “agents,” CEs have an affirmative defense to this liability if they can show no willful neglect and timely corrective action

• The agency principle is hard to apply with certainty because it requires evaluating the degree of control that the CE exercises over the BA’s conduct

When Is a BA an Agent?

• In commentary to the Final Rule, OCR states that the “essential factor” in determining whether an agency relationship exists is the right of the CE to control the conduct of the BA in performing its services

• OCR says that the ability of a CE to give interim instructions or directions suggests an agency relationship

When Is a BA an Agent? (cont.)

• If a BA performs its duties strictly in accordance with the terms of its agreement, and any change in duties requires a contract amendment, then the BA is probably not an agent

• A CE can be liable for the actions of an agent BA even in the absence of a business associate contract

Accretive Health Settlement

• January 2012: the Minnesota Attorney General brought an enforcement action against Accretive Health, Inc., a business associate, using the authority granted to state AGs under the HITECH statute

• Accretive had a laptop stolen containing approximately 23,500 patients’ records

  • Held in its capacity as BA to two Minnesota health systems

• This was the first such HITECH action brought against a BA

The Settlement

• July 30, 2012: the Minnesota AG and Accretive reach a settlement

• Accretive ceases doing business in Minnesota for two years

• For the following four years, Accretive can re-enter the state only with the permission of the AG and after entering into a consent decree

• $2.5 million settlement payment placed in a restitution fund for patients

The Takeaways

• Other state AGs may take a similarly aggressive approach to enforcement, and BAs should be prepared

• According to OCR, a formal HIPAA security compliance program is not required of a BA today

  • But an AG may take a different view

• An AG HIPAA enforcement action can lead to a more wide-ranging investigation and charges under state laws

  • In Accretive, this included charges under Minnesota consumer protection laws over alleged aggressive collection practices

• AGs may interpret HIPAA and HITECH in novel ways, such as asserting a current, affirmative duty of a BA to enter into a BAA

HIPAA Pilot Audit Program

• HITECH required that HHS conduct periodic audits to ensure compliance with HIPAA

• OCR implemented the requirement through a pilot program of 115 audits from November 2011 through December 2012

• First wave of audits applied to CEs only

• BAs will be subject to future audits

• It will be interesting to see how BAs are selected for audit, given the wide variety of businesses that qualify as BAs

The Rest of the HITECH Story

Deceased Persons

“Protected health information” is defined to exclude information about a person who has been deceased for more than 50 years.

Deceased Persons (cont.)

If an individual is deceased, a covered entity may disclose PHI about the decedent to a family member, relative, close personal friend, or other person who was involved in the decedent’s health care or payment for care prior to the decedent’s death if:

• The disclosure is not inconsistent with any prior expressed wishes of the decedent known to the covered entity, and

• The PHI is relevant to the recipient’s involvement in the decedent’s health care or payment for care.

Deceased Persons (cont.)

“Family member” means:

• A dependent of the individual; or

• Any other person who is a first-, second-, third- or fourth-degree relative of the individual or of a dependent of the individual.

• Applies to relatives both by blood and by marriage.

• Step-relatives are treated the same as full relatives.

School Immunizations

• A covered entity may disclose proof of immunization to a school if:

  • The PHI disclosed is limited to proof of immunization;

  • The school is required by state or other law to have such proof of immunization prior to admitting the individual;

  • The covered entity obtains agreement to the disclosure from either:

    • The individual, if emancipated or an adult; or

    • A parent, guardian or other person acting in loco parentis if the individual is an unemancipated minor; and

  • The covered entity documents the agreement.

Restrictions on Disclosure of PHI to Health Insurers

Covered entity must agree to an individual’s request to restrict disclosure of PHI to a health plan if:

The PHI pertains solely to a health care item or service for which the individual, or another person on the individual’s behalf, paid the covered entity in full; and

Disclosure is for the purpose of carrying out the health plan’s payment or health care operations and is not otherwise required by law.

Restrictions on Disclosure of PHI to Health Insurers (cont.)

HHS acknowledged the operational problems with the new rule, but concluded providers should already have methods to flag records under minimum necessary standard.

Only applies to disclosures to health plans, not others.

Does not apply if disclosure is otherwise required by law, e.g., Medicare audits, payment conditions, etc.

Restrictions on Disclosure of PHI to Health Insurers (cont.)

The provider may require payment in full before the individual may invoke the restriction.

If the provider cannot unbundle the item or service, it should notify the individual that the entire bill must be paid to trigger the restriction.

The individual is responsible for notifying downstream providers.

Restrictions on Disclosure of PHI to Health Insurers (cont.)

The restriction only applies if the individual requests it.

The notice of privacy practices must include a statement advising the individual of the right to request the restriction, but most individuals don’t read the notice.

Don’t ask the individual!

Sale of PHI

Covered entity or business associate may not sell PHI unless:

They obtain individual’s prior written authorization, and

Authorization discloses that the covered entity will receive remuneration in exchange for PHI.

•“Sale of PHI” means disclosure of PHI by a covered entity or business associate if they receive directly or indirectly any remuneration, financial or otherwise, from or on behalf of the recipient of the PHI in exchange for the PHI.

Sale of PHI (cont.)

“Sale of PHI” does not include disclosures:

• To the individual who is the subject of the PHI.

• For treatment or payment purposes.

• Required by law.

• As part of the sale, transfer, merger or consolidation of the covered entity, and related due diligence.

• To or by a business associate where the remuneration is to pay for the business associate’s activities.

• For certain public health purposes.

• For purposes permitted by HIPAA if the only remuneration received is a reasonable, cost-based fee to cover the cost to prepare and transmit the PHI for such purposes, or a fee otherwise expressly permitted by other law.

Sale of PHI (cont.)

Sale of PHI does not include payments under arrangements to perform services where the disclosure of PHI is a byproduct of the service, e.g.:

• Grants to fund programs or activities.

• Research studies.

• Participation in a health insurance exchange.

• Sale of accounts receivable to a collection agency.

Marketing

Covered entity and business associate must obtain an authorization for any use or disclosure of PHI for marketing.

• “Marketing” means a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.

Marketing (cont.)

If marketing involves financial remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved.

• “Financial remuneration” means direct or indirect payment by the third party whose product or service is being described.

Marketing (cont.)

“Marketing” does not include a communication made:

To provide refill reminders or communicate about a drug that is currently being prescribed for the individual.

• Any financial remuneration must be reasonably related to the cost of making the communication.

Marketing (cont.)

“Marketing” also does not include a communication made for the following treatment and health care operations purposes, unless the covered entity receives financial remuneration for the communication:

• Treatment, including case management, care coordination, or recommending treatment alternatives; or

• Describing a health-related product or service provided by the covered entity.

Marketing (cont.)

No authorization is required for the following marketing communications even if financial remuneration is received for making the communication:

Face-to-face communication made by a covered entity to an individual.

• Not via telephone, text, internet, fax, etc.

A promotional gift of nominal value provided by the covered entity.

Marketing (cont.)

No authorization is required for communications:

• Promoting health in general, not a product or service.

• About government-sponsored programs.

Fundraising

Subject to certain conditions, a covered entity may disclose the following PHI to a business associate or institutionally related foundation for purpose of raising funds for its own benefit without an authorization:

• Name, address, contact information, age, gender and date of birth;

• Dates of health care provided to the individual;

• Department of service information;

• Treating physician;

• Outcome information; and

• Health insurance status.

Fundraising (cont.)

To use PHI for fundraising, covered entity:

• Must include statement notifying individual of fundraising in covered entity’s notice of privacy practices.

• With each fundraising communication, must provide clear and conspicuous opportunity to opt out of fundraising.

Method for opting out cannot cause undue burden or more than nominal cost (e.g., toll-free number, e-mail).

Fundraising (cont.)

• May not condition treatment or payment on participation in fundraising.

• May not make fundraising communications to individuals who opt out.

• May notify individuals of a method to opt back in.

Research: Compound Authorizations

May combine authorizations to use or disclose PHI for a research study with any other type of permission for the same or another research study (i.e., may use a compound authorization), including:

Consent to participate in research,

Another authorization for the same research study, or

An authorization for the creation or maintenance of a research database or repository.

Research: Compound Authorizations (cont.)

If compound authorization conditions treatment on participation in research, must clearly identify conditioned components and give individual an opportunity to opt in to the unconditioned research activities.

Research: Authorizing Future Research

Research authorization may allow use or disclosure of PHI for purposes of future research.

• Authorization “purpose” need not be limited to the current study.

This is a change in HHS interpretation.

Individual Access to PHI

Extension for off-site records is deleted.

Covered entities must generally respond to request for access within 30 days.

May obtain one 30-day extension.

Individual Access to PHI (cont.)

If PHI is maintained in electronic form and individual requests electronic copy of the PHI:

Covered entity must provide access to the PHI in form and format requested by the individual if it is readily producible.

If PHI is not readily producible in the requested form and format, covered entity must provide it in a form as agreed by the covered entity and individual.

Individual Access to PHI (cont.)

If the individual requests that the covered entity send the PHI to another person, the covered entity must comply. The request must be in writing, signed by the individual, and must clearly identify the designated recipient.

The covered entity may charge a reasonable, cost-based fee, including labor and the cost of supplies for portable media.

Notice of Privacy Practices

Must add certain items to notice of privacy practices.

Authorizations are required for most uses and disclosures of psychotherapy notes (if applicable), marketing purposes, and sale of PHI.

Uses and disclosures not described in notice require authorizations.

Individual may opt out of receiving fundraising communications.

Notice of Privacy Practices (cont.)

Individual may restrict disclosures to health insurers if individual pays for the treatment.

Covered entity must notify the individual of breach of unsecured PHI.

For health plans, may not use or disclose genetic info for underwriting.

Notice of Privacy Practices (cont.)

Certain items may be deleted from the notice of privacy practices, e.g.:

The statement that the covered entity may contact the individual to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to the individual.

Notice of Privacy Practices (cont.)

Changes will require publication of new notice of privacy practices.

Post new notice in prominent location at facility. May post summary if full notice is otherwise available to individual without individual having to request notice.

Post new notice on website.

Notice of Privacy Practices (cont.)

Provide copy of notice to new individuals.

Provide copy of new notice to other individuals upon request.

Comply with discrimination laws, e.g., may need to provide copy in other languages, Braille, etc.

New requirements for health plans.

Not Included in Final Rule, but …

Coming soon?

Individuals’ Recovery of Fines and Penalties

HITECH Act requires HHS to establish a methodology under which an individual who is harmed by a violation of the privacy or security rules may receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense.

Subject to future rulemaking.

Accounting of Disclosures for e-PHI

The HITECH Act requires HHS to issue regulations allowing individuals to obtain an accounting of disclosures made for purposes of treatment, payment and health care operations if the disclosure is made through an electronic health record.

HHS issued a proposed rule that would entitle individuals to obtain a broad report concerning those who accessed their PHI or to whom their PHI was disclosed.

Subject to future rulemaking.

Takeaways

Omnibus Rule Action Items

If you are a business associate:

Make sure you comply with the rules, e.g.:

• Protect PHI consistent with the HIPAA rules and your business associate agreement.

• Conduct a security risk assessment.

• Implement the safeguards required by the Security Rule.

• Notify the covered entity of breaches.

Enter into business associate agreements with subcontractors.

Omnibus Rule Action Items (cont.)

If you are a covered entity, make sure your business associate agreements comply.

Obtain agreements from new business associates, including covered data transmission services.

Review existing agreements to ensure they comply with the operative rules.

Omnibus Rule Action Items (cont.)

As new agreements are written or renewed, ensure they comply with the new rules.

Ensure all agreements comply by 9/23/14.

Ensure business associates are not your agents unless you are willing to risk vicarious liability.

Omnibus Rule Action Items (cont.)

Update your notice of privacy practices.

• The compliance deadline was 9/23/13.

• Post the updated notice and make it available to individuals.

Omnibus Rule Action Items (cont.)

Update policies and processes to comply with the new rules:

• Restrictions on disclosures to health insurers.

• Disclosures regarding deceased persons.

• Marketing, fundraising and sale of PHI.

• Individual access to electronic PHI.

• Breach notification requirements.

Train your employees on the new rules.

Omnibus Rule Action Items (cont.)

If you have a potential breach of PHI, apply the new “low probability that data has been compromised” standard.

Given the new rules and the new breach notification standard, it is a good time to review your entire HIPAA compliance program.

Access to Lab Test Reports

On February 6, 2014, CMS published a final rule that amends the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to allow laboratories to give a patient, or a person designated by the patient, his or her “personal representative,” access to the patient’s completed test reports upon request of the patient or the patient’s personal representative.

Access to Lab Test Reports (cont.)

At the same time, this rule eliminates the exception under the HIPAA Privacy Rule to an individual’s right to access his or her protected health information when it is held by a CLIA-certified or CLIA-exempt laboratory.

Access to Lab Test Reports (cont.)

While patients can continue to get access to their laboratory test reports from their doctors, these changes give patients a new option to obtain their test reports directly from the laboratory while maintaining strong protections for patients’ privacy.

Access to Lab Test Reports (cont.)

Under the HIPAA Privacy Rule, patients, patient’s designees and patient’s personal representatives can see or be given a copy of the patient’s protected health information, including an electronic copy, with limited exceptions.

Access to Lab Test Reports (cont.)

In doing so, the patient or the personal representative may have to put their request in writing and pay for the cost of copying, mailing, or electronic media on which the information is provided, such as a CD or flash drive. In most cases, copies must be given to the patient within 30 days of his or her request.

Published February 6, 2014

Compliance Deadline October 6, 2014

QUESTIONS

Lynda M. Johnson

Friday, Eldredge & Clark, LLP

[email protected] (fridayfirm.com)

501-370-1553