HIPAA/HITECH Update

1
HIPAA/HITECH Update
By LYNDA M. JOHNSON Friday, Eldredge Clark
2
HITECH Act Privacy and Security

• Extended the reach of the HIPAA Privacy and
  Security Rules to business associates (BAs)
• Imposed breach notification requirements on HIPAA
  covered entities (CEs) and BAs
• Limited certain uses and disclosures of protected
  health information (PHI)
• Increased individuals rights with respect to PHI
  maintained in EHRs
• Increased enforcement of, and penalties for,
  HIPAA violations

3
The HIPAA Omnibus Final Rule

• On July 14, 2010, HHS published a notice of
  proposed rulemaking (the Proposed Rule) that
  would modify the HIPAA Privacy, Security and
  Enforcement Rules
• After much delay, HHS published the HIPAA Omnibus
  Final Rule on January 25, 2013
• Amends the Privacy, Security, Enforcement and
  Breach Notification Rules
• Also makes conforming changes pursuant to the
  Genetic Information Nondiscrimination Act of 2008
  (GINA)
• The Final Rule implements the requirements of the
  HITECH Act and largely adopts the Proposed Rule
  without major changes.

4
Compliance Dates

• Final Rule became effective March 26, 2013
• Compliance was required by September 23, 2013

5
Business Associates

• HITECH imposes new privacy and security
  obligations on BAs and personal health record
  companies
• To increase consumer confidence in EHRs and PHRs,
  companies that provide those products and aid in
  electronic transmission of PHI are subject to
  more direct privacy and security regulation

6
Business Associates Satisfactory Assurances

• A covered entity may disclose protected health
  information to business associates if it obtains
  satisfactory assurances that business
  associates will appropriately safeguard the
  information
• Business associate contract required

7
Use and Disclosure Who Is a Business Associate?

• A person acting on behalf of a covered entity who
  

• Creates, receives, maintains or transmits PHI
• For a function or activity regulated by HIPAA (a
  covered entity function)
• Provides certain identified services to a covered
  entity

Billing Firms
Lawyers, Actuaries
Outsourcing Vendors
Accountants, Auditors Financial Services
Covered Entity
Clearinghouses
Management Firms
Consultants, Vendors
Accreditation Organizations

• BAs may also be covered entities
• This is the Final Rules newly tweaked definition

8
No Business Associate Relationship

• Workforce
• Provider and plan
• Provider and provider for treatment
• Hospital and medical staff member
• Group health plan and plan sponsor
• Financial institutions
• Due diligence activities
• Members of organized health care arrangements
• Conduits (mail services and electronic
  equivalents) that only access PHI on a random or
  infrequent basis

9
The Conduit Exception

• OCR notes that exception is limited to services
  that transmit PHI
• Even when there is temporary storage of the
  transmitted data related to the transmission
• A company that only maintains PHI on behalf of a
  covered entity is a BA, even if the entity does
  not actually view the PHI
• Examples Data storage company, cloud computing
  provider

10
Expanded Definition of Business Associates

• Definition of business associate now includes
• Patient safety organizations under the Patient
  Safety and Quality Improvement Act of 2005
• Organizations that provide data transmission of
  PHI to a covered entity, such as Health
  Information Organizations and E-prescribing
  Gateways and that require routine access to PHI
• PHR vendors acting on behalf of a CE
• Subcontractors to a BA that create, receive,
  maintain or transmit PHI on behalf of a BA

11
BUSINESS ASSOCIATE
Security Rule Compliance

• Necessary steps for Security Rule compliance
• Conducting a formal security risk assessment
• Implementing written policies and procedures with
  respect to Security Rule standards
• Providing security training to workforce members
• Amending BAAs to include provisions required by
  the Security Rule and
• Appointing a Security Officer to oversee Security
  Rule compliance efforts

12
BA Liability

• BAs may be directly liable for
• Uses and disclosures of PHI in violation a BAA or
  the Privacy Rule (including more than minimum
  necessary)
• Failing to comply with the Security Rule
• Failing to provide breach notification to a CE
• Failing to disclose PHI to the Secretary of HHS
  to investigate compliance
• Failing to disclose PHI to comply with an
  individuals request for an electronic copy of
  PHI
• Failing to contract with subcontractors

13
BA Privacy Rule Compliance

• Written privacy policies and procedures
  addressing BA privacy obligations are not
  strictly required, but are prudent
• Addressing minimum necessary standard, storing
  paper PHI, faxing and document destruction
  practices, etc.
• Given the significant liability risks associated
  with security breaches, a written breach response
  plan tracking HIPAA/HITECH requirements is also
  recommended

14
Subcontractor BAAs

• Prior to HITECH, BAs were required to ensure
  that a subcontractor agree to the same privacy
  and security obligations that apply to a BA with
  respect to PHI
• Written agreements between BAs and subcontractors
  are common, but not strictly required
• Final Rule requires that a BA enter into a
  written agreement with a subcontractor ensuring
  compliance with applicable Privacy and Security
  Rule requirements

15
Subcontractor BAAs (cont.)

• Obligation to enter into a BAA with a
  subcontractor rests solely with the BA, not the
  CE
• The form of a downstream subcontractor BAA is
  identical to an upstream BAA between a CE and a
  BA

16
Downstream Business Associate Agreements
Each downstream subcontractor BAA must be at
least as stringent as the primary BAA between a
BA and the CE
17
BAA Transition Period

• If a BAA compliant with prior HIPAA requirements
  was entered into prior to the publication date of
  the Final Rule (Jan. 25, 2013) AND
• The BAA is not renewed or modified between March
  26-Sept. 23, 2013 THEN
• The BAA will be deemed compliant until the
  EARLIER of
• The date the contract is renewed or modified on
  or after Sept. 23, 2013 OR Sept. 23, 2014

18
BAA Liability

• Final Rule amends the Enforcement Rule to provide
  that BAs may be directly liable for civil money
  penalties for violations of the Privacy and
  Security Rules
• BAs will be liable, in accordance with the
  federal common law of agency, for violations
  based upon the acts or omissions of agents
• Includes workforce members and subcontractors
• But must be acting within the scope of agency

19
CE Liability Final Rule

• The Final Rule makes CEs liable for actions of
  BAs acting as agents under the federal common law
  of agency, just as BAs will be liable for actions
  of subcontractor
• For BAs that are independent contractors,
  rather than agents, CEs will have an
  affirmative defense to these liabilities if they
  can show no willful neglect and timely corrective
  action
• Hard to apply the agency principle with certainty
  because it requires evaluating the degree of
  control that the CE exercises over the BAs
  conduct

20
When Is a BA an Agent?

• In commentary to the Final Rule, OCR states that
  the essential factor in determining whether an
  agency relationship exists is the right of the CE
  to control the conduct of the BA in performing
  its services
• OCR says that the ability of a CE to give interim
  instructions or directions suggests an agency
  relationship

21
When Is a BA an Agent? (cont.)

• If a BA performs it duties strictly in accordance
  with the terms of its agreement and any change in
  duties requires a contract amendment, then the BA
  is probably not an agent
• CE can be liable for the actions of an agent BA
  even in the absence of a business associate
  contract

22
Accretive Health Settlement

• January 2012 Minnesota AG brings enforcement
  action against Accretive Health, Inc., a business
  associate, using authority under HITECH statute
• Accretive had a laptop stolen containing approx.
  23,500 patients records
• In capacity as BA to two Minnesota health systems
• AG sought to use authority under HITECH statute
  in the first such action against at BA

23
The Settlement

• July 30, 2012 Minnesota AG and Accretive reach
  settlement
• Accretive ceases doing business in Minn. for two
  years
• And for the next four years, Accretive can
  reenter state only with permission of AG and
  after entering into a consent decree
• 2.5 million settlement payment placed in
  restitution fund for patients

24
The Takeaways

• Some state AGs may take a similarly aggressive
  approach to enforcement and BAs should be
  prepared
• A formal HIPAA security compliance program is not
  required of a BA today according to OCR
• But an AG may take a different view
• An AG HIPAA enforcement action can lead to a more
  wide-ranging investigation and charges under
  state laws
• In Accretive, this included charges under Minn.
  consumer protection laws over alleged aggressive
  collection practices
• AGs may interpret HIPAA and HITECH in novel ways
  such as asserting a current, affirmative duty
  of a BA to enter into a BAA

25
HIPAA Pilot Audit Program

• HITECH required that HHS conduct periodic audits
  to ensure compliance with HIPAA
• OCR implemented the requirement through a pilot
  program of 115 audits from November 2011 through
  December 2012
• First wave of audits applied to CEs only
• BAs will be subject to future audits
• It will be interesting to see how BAs are
  selected for audit, given the wide variety of
  businesses that qualify as BAs

26
The Rest of the HITECH Story

• Breach notification standards
• Penalty structure and enforcement process
• Business associate requirements
• Limits on disclosures to health insurers
• Sale of PHI limits
• Marketing limits
• Fundraising limits
• Genetic info limits (health insurers)
• Disclosures regarding deceased persons
• Disclosures for school immunizations
• New rules re research authorizations
• Individual rights to electronic PHI
• Notice of privacy practices requirements

27
Deceased Persons
Protected health information is defined to
exclude information about a person who has been
deceased for more than 50 years.
28
Deceased Persons (cont.)

• If an individual is deceased, a covered entity
  may disclose PHI about the decedent to a family
  member, relative, close personal friend, or other
  person involved in the decedents healthcare or
  payment for care prior to the decedents death
  if
• Disclosure is not inconsistent with prior
  expressed wishes of the decedent known to the
  covered entity, and
• PHI is relevant to the recipients involvement in
  the decedents healthcare or payment for care.

29
Deceased Persons (cont.)

• Family member means
• Dependent.
• Person who is first, second, third or fourth-
  degree to the individual or of a dependent of the
  individual.
• Applies to both relatives by blood and by
  marriage.
• Applies to step-relatives as with full relatives.

30
School Immunizations

• Covered entity may disclose proof of immunization
  to a school if
• PHI disclosed is limited to proof of
  immunization
• School is required by state or other law to have
  such proof of immunization prior to admitting the
  individual
• Covered entity obtains agreement to disclosure
  from either
• The individual, if emancipated or an adult or
• A parent, guardian or other person acting in loco
  parentis if the individual is an unemancipated
  minor.
• Covered entity documents the agreement.

31
Restrictions on Disclosure of PHI to Health
Insurers

• Covered entity must agree to an individuals
  request to restrict disclosure of PHI to a health
  plan if
• The PHI pertains solely to a health care item or
  service for which the individual, or another
  person on the individuals behalf, paid the
  covered entity in full and
• Disclosure is for the purpose of carrying out the
  health plans payment or health care operations
  and is not otherwise required by law.

32
Restrictions on Disclosure of PHI to Health
Insurers (cont.)

• HHS acknowledged the operational problems with
  the new rule, but concluded providers should
  already have methods to flag records under
  minimum necessary standard.
• Only applies to disclosures to health plans, not
  others.
• Does not apply if disclosure is otherwise
  required by law, e.g., Medicare audits, payment
  conditions, etc.

33
Restrictions on Disclosure of PHI to Health
Insurers (cont.)

• Provider may require payment in full before the
  individual may invoke the requirement.
• If cannot unbundle, notify individual that they
  must pay entire bill to trigger rule.
• Individual is responsible for notifying
  downstream providers.

34
Restrictions on Disclosure of PHI to Health
Insurers (cont.)

• The restriction only applies if the individual
  requests the restriction.
• Must include a statement advising the individual
  of the restriction in the notice of privacy
  practices, but most individuals dont read the
  notice.
• Dont ask the individual!

35
Sale of PHI

• Covered entity or business associate may not sell
  PHI unless
• They obtain individuals prior written
  authorization, and
• Authorization discloses that the covered entity
  will receive remuneration in exchange for PHI.
• Sale of PHI means disclosure of PHI by a
  covered entity or business associate if they
  receive directly or indirectly any remuneration,
  financial or otherwise, from or on behalf of the
  recipient of the PHI in exchange for the PHI.

36
Sale of PHI (cont.)

• Sale of PHI does not include disclosures
• To the individual who is the subject of the PHI.
• For treatment or payment purposes.
• Required by law.
• As part of the sale, transfer, merger, or
  consolidation of the covered entity and related
  due diligence.
• To or by a business associate and the
  remuneration is to pay for the business
  associates activities.
• For certain public health purposes.
• For purposes permitted by HIPAA if the only
  remuneration received is a reasonable cost-based
  fee to cover the cost to prepare and transmit the
  PHI for such purposes or a fee otherwise
  expressly permitted by other law.

37
Sale of PHI (cont.)

• Sale of PHI does not include payments per
  arrangements to perform services where disclosure
  of PHI is a byproduct of the service, e.g.,
• Grants for program or perform activities.
• Research studies.
• Participation in health insurance exchange.
• Sale of accounts receivable to collection agency.

38
Marketing

• Covered entity and business associate must obtain
  an authorization for any use or disclosure of PHI
  for marketing.
• Marketing means a communication about a product
  or service that encourages recipients of the
  communication to purchase or use the product or
  service.

39
Marketing (cont.)

• If marketing involves financial remuneration to
  the covered entity from a third party, the
  authorization must state that such remuneration
  is involved.
• Financial remuneration means direct or indirect
  payment by the third party whose product or
  service is being described.

40
Marketing (cont.)

• Marketing does not include a communication
  made
• To provide refill reminders or communicate about
  a drug that is currently being prescribed for the
  individual.
• Any financial remuneration must be reasonably
  related to the cost of making the communication.

41
Marketing (cont.)

• For the following treatment and health care
  operations purposes unless the covered entity
  receives financial remuneration for the
  communication
• Treatment, including case management, care
  coordination, or recommend treatment
  alternatives or
• To describe health related product or service
  provided by the covered entity.

42
Marketing (cont.)

• No authorization is required for the following
  marketing communications even if financial
  remuneration is received for making the
  communication
• Face-to-face communication made by a covered
  entity to an individual.
• Not via telephone, text, internet, fax, etc.
• A promotional gift of nominal value provided by
  the covered entity.

43
Marketing (cont.)

• No authorization is required for communications
• Promoting health in general, not a product or
  service.
• About government-sponsored programs.

44
Fundraising

• Subject to certain conditions, a covered entity
  may disclose the following PHI to a business
  associate or institutionally related foundation
  for purpose of raising funds for its own benefit
  without an authorization
• Name, address, contact info, age, gender and
  birthdate
• Dates of healthcare provided to the individual
• Department of service information
• Treating physician
• Outcome information and
• Health insurance status.

45
Fundraising (cont.)

• To use PHI for fundraising, covered entity
• Must include statement notifying individual of
  fundraising in covered entitys notice of privacy
  practices.
• With each fundraising communication, must provide
  clear and conspicuous opportunity to opt out of
  fundraising.
• Method for opting out cannot cause undue burden
  or more than nominal cost (e.g., toll-free
  number, e-mail).

46
Fundraising (cont.)

• May not condition treatment or payment on
  participation in fundraising.
• May not make fundraising communications to
  individuals who opt out.
• May notify individuals of method to opt back in

47
Research Compound Authorizations

• May combine authorizations to use or disclose PHI
  for a research study with any other type of
  permission for the same or another research study
  (i.e., may use a compound authorization),
  including
• Consent to participate in research,
• Another authorization for the same research
  study, or
• An authorization for the creation or maintenance
  of a research database or repository.

48
Research Compound Authorizations
If compound authorization conditions treatment on
participation in research, must clearly identify
conditioned components and give individual an
opportunity to opt in to the unconditioned
research activities.
49
Research Authorizing Future Research

• Research authorization may allow use or
  disclosure of PHI for purposes of future
  research.
• Authorization purpose need not be limited to
  the current study.
• This is a change in HHS interpretation.

50
Individual Access to PHI

• Extension for off-site records is deleted.
• Covered entities must generally respond to
  request for access within 30 days.
• May obtain one 30-day extension.

51
Individual Access to PHI (cont.)

• If PHI is maintained in electronic form and
  individual requests electronic copy of the PHI
• Covered entity must provide access to the PHI in
  form and format requested by the individual if it
  is readily producible.
• If PHI is not readily producible in the requested
  form and format, covered entity must provide it
  in a form as agreed by the covered entity and
  individual.

52
Individual Access to PHI (cont.)

• If covered entity requests that PHI be sent to
  another person, covered entity must comply.
  Request must be in writing, signed by individual
  and clearly identify the recipient.
• May charge reasonable cost-based fee, including
  labor and supplies for portable media.

53
Notice of Privacy Practices

• Must add certain items to notice of privacy
  practices.
• Authorizations are required for most uses and
  disclosures of psychotherapy notes (if
  applicable), marketing purposes, and sale of PHI.
• Uses and disclosures not described in notice
  require authorizations.
• Individual may opt out of receiving fundraising
  communications.

54
Notice of Privacy Practices (cont.)

• Individual may restrict disclosures to health
  insurers if individual pays for the treatment.
• Covered entity must notify the individual of
  breach of unsecured PHI.
• For health plans, may not use or disclose genetic
  info for underwriting.

55
Notice of Privacy Practices (cont.)

• May delete certain items from notice of privacy
  practices.
• Covered entity may contact individual to provide
  appointment reminders or info about treatment
  alternatives or other health related benefits an
  services that may be of interest to the
  individual.

56
Notice of Privacy Practices (cont.)

• Changes will require publication of new notice of
  privacy practices.
• Post new notice in prominent location at
  facility. May post summary if full notice is
  otherwise available to individual without
  individual having to request notice.
• Post new notice on website.

57
Notice of Privacy Practices (cont.)

• Provide copy of notice to new individuals.
• Provide copy of new notice to other individuals
  upon request.
• Comply with discrimination laws, e.g., may need
  to provide copy in other languages, Braille, etc.
• New requirements for health plans.

58
Not Included in Final Rule, but Coming soon?
59
Individuals Recovery for Fines and Penalties

• HITECH Act requires HHS to establish a
  methodology under which an individual who is
  harmed by a violation of the privacy or security
  rules may receive a percentage of any civil
  monetary penalty or monetary settlement collected
  with respect to such offense.
• Subject to future rulemaking.

60
Accounting of Disclosures for e-PHI

• HITECH Act requires HHS to issue regulations
  allowing individuals to obtain an accounting of
  disclosures made for purposes of treatment,
  payment and healthcare operations if the
  disclosure is through an electronic health
  record.
• HHS issued a proposed rule that would entitle
  individuals to obtain a broad report concerning
  those who accessed their PHI or to whom their PHI
  was disclosed.
• Subject to future rulemaking.

61
Take Aways
62
Omnibus Rule Action Items

• If you are business associate
• Make sure you comply with rules, e.g.,
• Protect PHI consistent with HIPAA rules and
  business associate agreement.
• Conduct security risk assessment.
• Implement safeguards required by the Security
  Rule.
• Notify covered entity of breaches.
• Enter business associate agreements with
  subcontractors.

63
Omnibus Rule Action Items (cont.)

• If you are a covered entity, make sure your
  business associate agreements comply.
• Obtain agreements for new business associates,
  including covered data transmission services.
• Review existing agreements to ensure they comply
  with operative rules.

64
Omnibus Rule Action Items (cont.)

• As new agreements are written or renewed, ensure
  they comply with new rules.
• Ensure all agreements comply by 9/23/14.
• Ensure business associates are not your agents
  unless you are willing to risk vicarious
  liability.

65
Omnibus Rule Action Items (cont.)

• Update your notice of privacy practices
• Compliance Deadline was 9/23/13.
• Post updated notice and make available to
  individuals.

66
Omnibus Rule Action Items (cont.)

• Update policies and processes to comply with new
  rules.
• Restrictions on disclosures to health insurers.
• Disclosures regarding deceased persons.
• Marketing, fundraising, and sale of PHI.
• Individual access to electronic PHI.
• Breach notification requirements.
• Train your employees concerning the new rules.

67
Omnibus Rule Action Items (cont.)

• If you have a potential breach of PHI use new
  low probability that data has been compromised
  standard.
• Given new rules and breach notification standard,
  it is a good time to review your entire HIPAA
  compliance.

68
Access to Lab Test Reports
On February 6, 2014, CMS published a final rule
that amends the Clinical Laboratory Improvement
Amendments of 1988 (CLIA) regulations to allow
laboratories to give a patient, or a person
designated by the patient, his or her personal
representative, access to the patients
completed test reports upon request of the
patient or the patients personal representative.
69
Access to Lab Test Reports (cont.)
At the same time, this rule eliminates the
exception under the HIPAA Privacy Rule to an
individuals right to access his or her protected
health information when it is held by a
CLIA-certified or CLIA-exempt laboratory.
70
Access to Lab Test Reports (cont.)
While patients can continue to get access to
their laboratory test reports from their doctors,
these changes give patients a new option to
obtain their test reports directly from the
laboratory while maintaining strong protections
for patients privacy.
71
Access to Lab Test Reports (cont.)
Under the HIPAA Privacy Rule, patients, patients
designees and patients personal representatives
can see or be given a copy of the patients
protected health information, including an
electronic copy, with limited exceptions.
72
Access to Lab Test Reports (cont.)

• In doing so, the patient or the personal
  representative may have to put their request in
  writing and pay for the cost of copying, mailing,
  or electronic media on which the information is
  provided, such as a CD or flash drive. In most
  cases, copies must be given to the patient within
  30 days of his or her request.
• Published February 6, 2014
• Compliance Deadline October 6, 2014

73
QUESTIONS

• Lynda M. Johnson
• Friday, Eldredge Clark, LLP
• Ljohnson_at_fridayfirm.com
• 501-370-1553