WHAT IS HB 300? HOW DOES IT AFFECT MY PRACTICE AND WHAT DO I DO TO FOLLOW THE RULES?


SUSAN R. SULLIVAN
Atlas & Hall
818 Pecan McAllen, Texas
Ph: Fax:
ssullivan@atlashall.com

State Bar of Texas
WHAT YOUR CLIENTS NEED YOU TO KNOW ABOUT HEALTH LAW COURSE
February 13-14, 2014
Dallas

CHAPTER 1.2


Susan Sullivan
Partner
818 Pecan McAllen, Texas
Phone Fax

Susan Sullivan is a litigator and has represented plaintiffs and defendants in civil suits throughout South Texas. Her areas of practice include personal and catastrophic injury, products liability, construction defects, premise liability, transportation/trucking, toxic torts, insurance defense and commercial litigation. Susan graduated from the University of Texas at San Antonio with a Bachelor of Arts degree in Political Science in Susan obtained her law degree from St. Mary's University School of Law in 1989 where she was a member of the National Order of the Barristers and the St. Mary's Board of Advocates. After graduating with her law degree, Susan moved to the Rio Grande Valley to work as the first female law clerk to the Honorable Filemon B. Vela, United States District Judge, Southern District of Texas, Brownsville. Since leaving the court, she has practiced, almost exclusively, as a trial attorney for the defense bar of South Texas.

Areas of Practice: Personal and Catastrophic Injury; Commercial Litigation; Construction Defect; Transportation/Trucking Law; Toxic Torts; Insurance Defense

Litigation Percentage: 100% of Practice Devoted to Litigation

Bar Admissions: Texas; U.S. District Court Southern District of Texas

Education: St. Mary's University School of Law, San Antonio, Texas, 1989 J.D. (Honors: National Order of the Barristers; Honors: Board of Advocates); University of Texas at San Antonio, San Antonio, TX, 1984 B.A. in Political Science

Professional Associations and Memberships: Hidalgo County Bar Association (former Director, former Secretary); Cameron County Bar Association

TABLE OF CONTENTS

I. HIPAA AND HITECH
   A. Enforcement of Privacy and Security Rules
   B. Definition of Covered Entity and Business Associate
   C. Lawyers as HITECH Business Associates
      When Are Lawyers BAs?
      Law Firm Management of BA Compliance
   D. Ethical Issues Arising After a Breach
II. HOUSE BILL 300
   A. What Is It and What Were They Thinking?
   B. Everything Is Bigger in Texas
      Broader Definition of Covered Entities
      Expanded Training Requirements
      Increased Patient Rights and Remedies Over Electronic Health Records
      Increased Enforcement Penalties
   C. Standards for Electronic Sharing of PHI
   D. Broad Notification Requirements
   E. Audits of Covered Entities


I. HIPAA and HITECH

A. Enforcement of Privacy and Security Rules

The U.S. Department of Health and Human Services (HHS), through the Office for Civil Rights (OCR), enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules. The HIPAA privacy rule gives individuals rights over their protected health care information and sets rules and limitations on who can look at and receive that health information. The HIPAA security rule protects health information in electronic form by requiring entities that are covered by HIPAA to use physical, technical, and administrative safeguards to ensure that protected health information remains private and secure.

Enforcement of the HIPAA privacy and security rules is made effective through the Health Information Technology for Economic and Clinical Health Act (HITECH), which became law on February 17, HITECH significantly expanded the privacy and security requirements of HIPAA. Before HITECH, the HIPAA privacy and security requirements applied only indirectly to Business Associates (BA) that had in place a Business Associates Contract (BAC) between themselves and a Covered Entity (CE). Under HITECH, many HIPAA privacy and security requirements now apply directly to BAs even where there is no BAC. The HITECH Act further established mandatory breach notification requirements and imposed enhanced civil and criminal penalties.

The HITECH Breach Notification Rule (HITECH Rule) requires CEs to report any impermissible use or disclosure of Protected Health Information (PHI). Specifically, if the breach involves 500 or more individuals, it is reported to both HHS and the media. If the breach involves fewer than 500 individuals, it must be reported to the HHS Secretary. of the HIPAA. In addition to reporting, financial punishments may be imposed to encourage compliance. For example, on February 22, 2011, the OCR fined Cignet Health and its affiliates 4.3 million dollars where confidential data was leaked.
Two days later, on February 24, 2011, General Hospital Corp. and Massachusetts General Physicians Organization, Inc. settled potential HIPAA violations for $1, These two instances demonstrate the seriousness of HIPAA violations and how they are being enforced through the HITECH Rule. More recently, on March 13, 2012, Blue Cross Blue Shield of Tennessee agreed to pay the HHS $1,500,000 to settle potential violations of the HIPAA privacy and security rules. Blue Cross Blue Shield also agreed to implement a new, stricter plan designed to tighten its HIPAA compliance program. Since the HITECH Rule requires CEs to report an impermissible use or disclosure of PHI, it is imperative to determine who or what constitutes a CE and BA.

B. Definition of Covered Entity and Business Associate

Initially, under HIPAA, CEs were entities subject to HIPAA jurisdiction because they engaged in claims transactions involving electronically transmitted PHI. CEs could be directly required to comply with HIPAA privacy and security rules in the protection and use of PHI, and penalized if they did not. However, CEs frequently needed to use other kinds of entities which were not subject to HIPAA jurisdiction to perform a wide range of functions and activities involving the use of PHI. It became impossible to require CEs to conduct all functions and activities themselves, but the privacy and security rules would be rendered meaningless if they were lost as soon as PHI was obtained by someone who was not a CE. The Privacy and Security Rules therefore adopted the following definitions:

A covered entity is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with certain transactions for which the HHS has adopted standards. [1] Some examples of health plans that are considered covered entities include health, dental, HMOs, Medicare, and Medicaid. Health care clearinghouses include a public or private entity, such as a billing service, repricing company, community health management information system or community health information system, or value-added networks. Health care providers include institutional providers such as hospitals, non-institutional providers such as physicians and dentists, and any other person or organization that furnishes, bills, or is paid for health care.

A business associate is a person or organization that, on behalf of a covered entity or organized health care arrangement, (1) performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information or any other function or activity regulated by HIPAA or (2) provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.

C. Lawyers as HITECH Business Associates [2]

1. When Are Lawyers BAs?

The first question in deciding whether a law firm is a BA is whether the practice needs to obtain PHI on behalf of a CE in order to render legal services. If there is any issue or question, the law firm will have to analyze its specific practice.

Although not an exhaustive list, some of the times a law firm would obtain PHI on behalf of a CE would include: Privacy or security compliance support for CEs; Fraud and abuse/false claims defense; Healthcare professional discipline defense; Risk management for CEs; Due diligence for some types of CE transactions; Representing a CE in any case involving individual patient diagnosis or treatment, individual health benefits.

Although not an exhaustive list, examples of when a law firm may not be obtaining PHI on behalf of a CE may include: When it is representing a party which is not a CE; In workers' compensation cases which are excluded from HIPAA by statute; In social security cases; In employment law matters.

[1] 45 C.F.R
[2] Portions of B are obtained through ABA Health Law Section EMI Conference 2011; Business Associates in a HITECH World by Christiansen, Noronha & Rostolsky citing Lawyers in Compliance Crosshairs: Avoiding New Penalties and Ethical Pitfalls When Using Health and Medical Information, Washington State Bar Association (November 4, 2009).

2. Law Firm Management of BA Compliance

Some law firms whose health law departments need to act as BAs, particularly firms that do not specialize in health law, may want to manage HITECH compliance risks by compartmentalizing PHI-related functions. While this would not relieve the firm of BA status, it may be easier to administer compliance-related policies and procedures which apply to a specific group which appreciates the need for them, rather than trying to impose them on unrelated departments which do not need and may not understand them.

D. Ethical Issues Arising After A Breach

A breach occurs when someone acquires, uses or discloses PHI in a manner not permitted under HIPAA and which compromises the security or privacy of the information. For purposes of this definition, there is a compromise when the breach poses a significant risk of financial, reputational, or other harm to the individual. A BA which experiences a breach is required to report that breach to the CE, which will be required to report it to HHS for publication, and if the breach is substantial may be required to report it to individuals directly and through the media. Ethically, it would seem that breach issues and potential resolution should be considered as matters potentially affecting representation.
If a law firm breach does occur, especially if the parties have not agreed on its management in advance, the law firm may not be able to represent the client in resolving the breach issues, and it is conceivable that under some conditions it could adversely affect representation in the underlying matter(s).

There is also the question of the law firm's duty if it discovers a client is in breach of its own duties under a BAC. The BAs must be required to terminate their CE engagements or report the CE to HHS if the BA discovered the CE was violating the BAC, and the CE could not or would not stop the violation. A violation by a client is by definition a HIPAA violation, which may expose the client to liability. If a law firm discovers it, it therefore should at least raise the issue at the appropriate level with the client. If the matter is not resolved, the law firm may have to withdraw its representation.

One further ethical issue may arise if HHS requests access to your law firm books and records. This may be problematic since the production of law firm records for purposes of government agency audit may waive attorney-client privilege. Some suggestions for dealing with this type of issue might include: Raising the issue with the client. Avoiding or limiting information access rights of subject individuals. Limit or condition HHS access rights to records for investigation of a CE client by internal policy. Limit or condition HHS access rights to investigate BA law firm by certain policy. Design practice scope and processes to wall matters potentially subject to investigation from other matters.

II. HOUSE BILL 300

A. What Is It and What Were They Thinking?

H.B. 300 was passed during the 2011 Texas legislative session and was signed into law by Governor Rick Perry. The new legislation, which will take effect September 1, 2012, expands the federal HIPAA requirements; therefore, under the HIPAA preemption provisions, the stricter requirements under Texas law will be applied. Although the purpose of the new law was to strengthen security and privacy of protected health information (PHI) that is exchanged electronically, the law will also result in increased mandates on covered entities, give certain state enforcement agencies greater authority over enforcement of the new mandates and will increase penalties for the wrongful electronic disclosure of PHI, including possible criminal charges for wrongfully accessing or reading electronic health.

B. Everything Is Bigger in Texas

1. Broader Definition of Covered Entities

H.B. 300 requires covered entities, as that term is defined under Texas law, to abide by a number of new requirements concerning the privacy and security of PHI. Many individuals and organizations that are not considered covered entities under HIPAA will be considered covered entities under Texas law regarding the privacy of medical records.

Under HIPAA a covered entity is defined as: A health plan; A health care clearinghouse; or A health care provider who transmits any health information in electronic form in connection with a transaction covered in this subchapter. [3]

Texas law defines a covered entity much more broadly, to include many more individuals and organizations who: For commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, non-profit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information. The term includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site; Comes in possession of protected health information; Obtains or stores protected health information under this chapter; or Is an employee, agent, or contractor of a person described above, insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information. [4]

The difference between these two definitions of covered entity will provide many challenges to businesses and individuals, especially those that are only covered entities for state law purposes. Individuals and businesses that are not covered under HIPAA may not realize they will now have obligations under H.B. 300 because previously they have been exempt. For example, the Texas definition of covered entity will now include any person who comes into possession of PHI. This could include law firms, mail carriers, record retrieval businesses, and inadvertent recipients of PHI. All of these entities now are faced with H.B. 300 requirements and will be subject to enforcement under H.B. 300.

Although some may deny H.B. 300 will have such a broad application, the law states very clearly that a covered entity is any person who comes into possession of PHI. [5] There is no exception for the types of businesses that have been exempted from HIPAA. Moreover, given that H.B. 300 was enacted in large part due to concerns that HIPAA did not grant enough protection of patient privacy, it is unlikely that Texas courts will adopt more limited definitions to govern H.B. 300. Consequently, there is likely to be confusion about the exact extent of the broad language in the Texas law.

[3] 45 CFR
[4] Tex. Health and Safety Code, (b)(2).
[5] Tex. Health and Safety Code (b)(2)(B)

2. Expanded Training Requirements

The HIPAA Privacy Rule does not require ongoing training, but merely requires that employees be trained within a reasonable period of time after being hired and after any material changes in privacy policies or procedures. [6] Although H.B. 300 is not effective until Sept. 1, 2012, Texas covered entities should begin planning now to provide the required training for their employees. Such training will have to be customized to reflect each employee's scope of employment.

Under H.B. 300, Texas covered entities must provide ongoing training to their employees regarding state and federal law concerning PHI. [7] The training must be customized as to the entity's particular course of business and each employee's scope of employment. An employee must complete the training no later than 60 days after the employee is hired, and such training must be repeated at least once every two years. Additionally, all Texas covered entities must maintain records documenting an employee's attendance at training programs, which may be maintained either electronically or in writing. [8]

Questions are likely to arise regarding how far the training requirement in H.B. 300 will be extended. It is unclear whether all employees in a Texas covered entity must receive training or only those that have access to PHI. For example, it would not seem within the intent of H.B. 300 if a law firm, which is a Texas covered entity if it possesses PHI, were required to train all its employees, including receptionists, runners, accounts receivable personnel or maintenance staff, on the federal and state laws concerning PHI. An argument could be made that only the employees of the law firm that had access to PHI would be required to take the training. It is likely that questions of this type will be resolved only after the law becomes effective and the courts, legislators, or the Texas Attorney General's office are asked to opine on this provision in the law.

[6] C.F.R. Section (b)(2). The federal Privacy Rule also requires covered entities to document that training has been provided.
[7] H.B. 300, Section 3, to be codified at Tex. Health and Safety code,
[8] Id.

3. Increased Patient Rights and Remedies Over Electronic Health Records

Through H.B. 300, the Texas Legislature granted patients additional rights and remedies concerning their electronic health records (EHRs), placing stricter requirements on Texas covered entities than currently exist under HIPAA. Under H.B. 300, Texas covered entities must provide patients their EHRs in electronic format within 15 business days of receiving a written request. [9] This is consistent with current state regulations and law, which require physicians to provide patients with a copy of a patient's medical record within 15 business days. [10] Hospitals must provide access to a patient's medical record as promptly as circumstances require, but not later than the 15th day after they receive a written request and payment (if copies are requested). [11] Under HIPAA, covered entities must respond to a request for access to PHI within 30 days. Because the Texas law is stricter, covered entities in Texas must respond to requests for access to PHI within the 15 business day period.

Additionally, the Texas Attorney General is required to establish a website containing information for patients regarding patients' medical privacy rights under federal and state law, a list of state agencies that regulate Texas covered entities, detailed information regarding each agency's complaint enforcement process and contact information for each such agency. The Attorney General must also report annually to the Texas Legislature the number and types of complaints, regarding medical privacy issues received by state.

H.B. 300 also prohibits the sale of PHI, except for treatment, payment, health care operations, performing an insurance function, or as otherwise allowed by federal law, which is consistent with HIPAA. [12] Texas covered entities also will have to provide notice to, and obtain authorization from, patients regarding the electronic disclosure of their PHI, except in instances for treatment, payment or health care operations. The Texas Attorney General will adopt a standard for authorization of such disclosures, consistent with HIPAA and the federal Privacy Rule.

Again, there will be questions regarding how this provision of H.B. 300 will be implemented for Texas covered entities.
For example, under Section 7 of H.B. 300, law firms, if they possess PHI, will be required to provide notice to an individual for whom they receive PHI. The law firm would have to provide notice in its place of business, on its internet site, or in an area where the individual whose PHI is disclosed would likely see it. In the instance where a law firm receives a large amount of PHI to resolve a billing or coding audit, or a physician peer review, it is very likely the patient will never know that the law firm has the PHI and the law firm will never be able to provide the individual patient with actual notice. Again, questions about whether this is the intent of H.B. 300 likely will be resolved only after the law takes effect in

[9] Tex. Health and Safety Code,
[10] Tex. Occupational Code, and 22 Tex. Admin. Code,
[11] Tex. Health and Safety Code,
[12] Tex. Health and Safety Code,

4. Increased Enforcement Penalties

Individuals and organizations that are covered entities under HIPAA and Texas law will face potential enforcement action by state and federal enforcement agencies for violating H.B. 300, HIPAA, or both. The Texas Attorney General, under H.B. 300, may institute penalties against Texas covered entities that violate state laws regarding electronic medical records. Penalties can range from $5,000 to $25,000 for each knowing or intentional violation, and if the violations occur with such frequency as to constitute a pattern or practice, the court will be able to assess a civil penalty of up to $1.5 million annually (prior to H.B. 300, the penalty could not exceed $250,000 annually) for providers that wrongfully disclose a patient's PHI. [13]

In determining the amount of penalty, the law provides that a court may consider: The seriousness of the violation; The covered entity's compliance history; Whether the violation poses a significant risk of financial, reputational, or other harm to the patient; The amount necessary to deter future violations; and The covered entity's efforts to correct the violation.

Additionally, the Texas Attorney General may request that the secretary of the Department of Health and Human Services audit a HIPAA covered entity's compliance with the HIPAA Privacy Rule. If the audit shows egregious violations that constitute a pattern or practice, a covered entity may be required to conduct a risk analysis as required under the Privacy Rule, [14] and submit the results to the Texas Health and Human Services Commission. The Attorney General also will have to report annually to the Legislature the number of federal audits of covered entities.

[13] Tex. Health and Safety Code,
[14] C.F.R Section (a)(1)(iii)(A).

C. Standards for Electronic Sharing of PHI

In earlier legislative sessions, the Texas Health Services Authority (THSA) was created as a public-private collaborative to implement state-level health information technology functions and to serve as a catalyst for the development of a seamless electronic health information infrastructure. H.B. 300 adds to the duties of the THSA by requiring it to develop privacy and security standards for the electronic sharing of PHI. [15] The THSA also will establish a process by which a covered entity can be certified for compliance with the standards it develops.

[15] Tex. Health and Safety code,

D. Broad Notification Requirements

Currently, any business that owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any resident of the state whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. [16] Texas is one of the handful of states that also includes PHI under its definition of sensitive personal information. Under H.B. 300, any business (not just a Texas covered entity) that conducts business in Texas and owns or licenses computerized data that includes sensitive personal information must provide notification to Texas residents if their sensitive personal information was wrongfully acquired by an unauthorized person. [17] This notification requirement is broader than the corresponding requirement in the HITECH Act that subjects vendors of personal health records and their service providers to the same security breach notification requirements as covered entities. Because it includes any sensitive personal information, and not just PHI, more businesses will be subject to these breach notification requirements. Any business that fails to make the required notification is subject to state penalties not exceeding $250,000 for a single breach. Moreover, H.B. 300 makes it a state felony if an individual, without the consent of the patient, accesses, reads, scans, stores, or transfers PHI via a scanning device or electronic payment card.

Under the new law, businesses in Texas will also have to comply with a new requirement. Those businesses that suffer a data breach of any of these types of sensitive personal information must provide notification to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. In effect, this means that in the event of a breach, the business must notify Texas residents, as well as non-residents if the non-residents live in a state that does not require notification to be provided to the individual in the event of a data breach.

[16] Texas Business and Commercial Code
[17] H.B. 300, Section 14, to be codified at Tex. Bus. & Com. Code,

E. Audits of Covered Entities

Finally, the Commission of Health and Human Services ("Commission"), in coordination with the Texas Attorney General, the Texas Health Services Authority, and the Texas Department of Insurance (i) may ask the U.S. Secretary of Health and Human Services to conduct audits of various covered entities to determine compliance with HIPAA; and (ii) shall monitor and review periodically the results of such audits. [18] In addition, if the Commission merely has evidence that a covered entity committed violations of the Texas law that are egregious and constitute a pattern or practice, the Commission may require the covered entity to submit to the Commission the results of a risk analysis conducted by the covered entity (if such risk analysis was required under the HIPAA Security Standards); or request a licensing agent, as applicable, to conduct an audit of the covered entity's system to determine compliance with the Texas law. [19] So, not only is the new Texas law stricter than HIPAA, it requires Texas agencies to coordinate privacy and security law enforcement efforts with federal agencies as well as other states.

[18] Texas Health and Safety Code,
[19] Id.


More information

HIPAA and Lawyers: Your stakes have just been raised

HIPAA and Lawyers: Your stakes have just been raised HIPAA and Lawyers: Your stakes have just been raised October 16, 2013 Presented by: Harry Nelson e: hnelson@fentonnelson.com Claire Marblestone e: cmarblestone@fentonnelson.com AGENDA Statutory & Regulatory

More information

OVERVIEW OF RECENT CHANGES IN HIPAA AND OHIO PRIVACY LAWS

OVERVIEW OF RECENT CHANGES IN HIPAA AND OHIO PRIVACY LAWS Franklin J. Hickman Janet L. Lowder David A. Myers Elena A. Lidrbauch Judith C. Saltzman Mary B. McKee Amanda M. Buzo Lisa Montoni Garvin Andrea Aycinena Penton Building 1300 East Ninth Street Suite 1020

More information

Texas Tech University Health Sciences Center HIPAA Privacy Policies

Texas Tech University Health Sciences Center HIPAA Privacy Policies Administration Policy 1.1 Glossary of Terms - HIPAA Effective Date: January 15, 2015 Reviewed Date: August 7, 2017 References: http://www.hhs.gov/ocr/hippa HSC HIPAA website http://www.ttuhsc.edu/hipaa/policies_procedures.aspx

More information

2011 Miller Johnson. All rights reserved. 1. HIPAA Compliance: Privacy and Security Changes under HITECH HITECH. What is HITECH? Mary V.

2011 Miller Johnson. All rights reserved. 1. HIPAA Compliance: Privacy and Security Changes under HITECH HITECH. What is HITECH? Mary V. HIPAA Compliance: Privacy and Security Changes under HITECH Mary V. Bauman www.millerjohnson.com The materials and information have been prepared for informational purposes only. This is not legal advice,

More information

HITECH and HIPAA: Highlights for Health Departments. Aimee Wall UNC School of Government

HITECH and HIPAA: Highlights for Health Departments. Aimee Wall UNC School of Government HITECH and HIPAA: Highlights for Health Departments Aimee Wall UNC School of Government When Congress enacted sweeping legislation in February designed to stimulate the nation s economy, it incorporated

More information

H E A L T H C A R E L A W U P D A T E

H E A L T H C A R E L A W U P D A T E L O U I S V I L L E. K Y S E P T E M B E R 2 0 0 9 H E A L T H C A R E L A W U P D A T E L E X I N G T O N. K Y B O W L I N G G R E E N. K Y N E W A L B A N Y. I N N A S H V I L L E. T N M E M P H I S.

More information

HIPAA / HITECH. Ed Massey Affiliated Marketing Group

HIPAA / HITECH. Ed Massey Affiliated Marketing Group HIPAA / HITECH Agent Understanding And Compliance Presented By: Ed Massey Affiliated Marketing Group It s The Law On February 17, 2010 the Health Information Technology for Economic and Clinical Health

More information

HIPAA THE NEW RULES. Highlights of the major changes under the Omnibus Rule

HIPAA THE NEW RULES. Highlights of the major changes under the Omnibus Rule HIPAA THE NEW RULES Highlights of the major changes under the Omnibus Rule AUTHOR Gamelah Palagonia, Founder CIPM, CIPP/IT, CIPP/US, CIPP/G, ARM, RPLU+ PRIVACY PROFESSIONALS LLC gpalagonia@privacyprofessionals.com

More information

"HIPAA RULES AND COMPLIANCE"

HIPAA RULES AND COMPLIANCE PRESENTER'S GUIDE "HIPAA RULES AND COMPLIANCE" Training for HIPAA REGULATIONS Quality Safety and Health Products, for Today...and Tomorrow OUTLINE OF MAJOR PROGRAM POINTS OUTLINE OF MAJOR PROGRAM POINTS

More information

Be Careful What You Wish For: The Final Rule Is Out

Be Careful What You Wish For: The Final Rule Is Out Be Careful What You Wish For: The Final Rule Is Out Theodore J. Kobus III tkobus@bakerlaw.com @tedkobus 212.271.1504 Lynn Sessions lsessions@bakerlaw.com @lynnsessions 713.646.1352 Toll Free 24-Hour Data

More information

HIPAA AND LANGUAGE SERVICES IN HEALTH CARE 1

HIPAA AND LANGUAGE SERVICES IN HEALTH CARE 1 1101 14th St NW, Suite 405 Washington, DC 20005 (202) 289-7661 Fax (202) 289-7724 HIPAA AND LANGUAGE SERVICES IN HEALTH CARE 1 In 1996, the Health Insurance Portability and Accountability Act (HIPAA) became

More information

The HIPAA Omnibus Rule and the Enhanced Civil Fine and Criminal Penalty Regime

The HIPAA Omnibus Rule and the Enhanced Civil Fine and Criminal Penalty Regime HIPAA BUSINESS ASSOCIATE AGREEMENT BEST PRACTICES: UPDATE 2015 February 20, 2015 I. Executive Summary HIPAA is a federal law passed by Congress to protect medical patient data privacy from misuse or disclosure

More information

HIPAA The Health Insurance Portability and Accountability Act of 1996

HIPAA The Health Insurance Portability and Accountability Act of 1996 HIPAA The Health Insurance Portability and Accountability Act of 1996 Results Physiotherapy s policy regarding privacy and security of protected health information (PHI) is a reflection of our commitment

More information

HIPAA Background and History

HIPAA Background and History Agenda Jeffery P. Drummond Lawyers as HIPAA Business Associates: Ethical Obligations and Practical Tips for Compliance Dallas Bar Association January 17, 2018 Jamie Sorley An Overview of HIPAA The Privacy

More information

ACC Compliance and Ethics Committee Presentation February 19, 2013

ACC Compliance and Ethics Committee Presentation February 19, 2013 ACC Compliance and Ethics Committee Presentation February 19, 2013 Melinda G. Murray Associate General Counsel, Holy Cross Hospital and Jill M. Girardeau Partner, Womble Carlyle Sandridge & Rice, LLP HIPAA

More information

American Bar Association. Technical Session Between the Department of Health and Human Services and the Joint Committee on Employee Benefits

American Bar Association. Technical Session Between the Department of Health and Human Services and the Joint Committee on Employee Benefits American Bar Association Technical Session Between the Department of Health and Human Services and the Joint Committee on Employee Benefits May 2, 2006 The following notes are based upon the personal comments

More information

HIPAA UPDATE/ OCR ENFORCEMENT

HIPAA UPDATE/ OCR ENFORCEMENT HEALTH CARE COMPLIANCE ASSOCIATION HIPAA UPDATE/ OCR ENFORCEMENT HCCA REGIONAL CONFERENCE East Central Region Michael A. Cassidy, Esquire October 14, 2011 Copyright Tucker Arensberg, P.C. All Rights Reserved.

More information

2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners

2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners 2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners Providers, and Partners 2 Editor s Foreword What follows are excerpts from the U.S. Department of Health and

More information

SCHEDULE D HIPPA BUSINESS PARTNER AGREEMENT

SCHEDULE D HIPPA BUSINESS PARTNER AGREEMENT SCHEDULE D HIPPA BUSINESS PARTNER AGREEMENT Whereas, the DPB, hereinafter the Covered Entity, as that term is defined by the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C.A. 1301

More information

UNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP

UNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP UNDERSTANDING HIPAA & THE HITECH ACT Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP 1 Objectives of Presentation Learn what HIPAA is Learn the purpose of HIPAA Understand who HIPAA regulates

More information

Safeguarding Your HIPAA and Personal Health Information Data. Robert Hess, Office of General Counsel Steve Cosentino, Stinson Morrison Hecker

Safeguarding Your HIPAA and Personal Health Information Data. Robert Hess, Office of General Counsel Steve Cosentino, Stinson Morrison Hecker Safeguarding Your HIPAA and Personal Health Information Data Robert Hess, Office of General Counsel Steve Cosentino, Stinson Morrison Hecker 1 Overview» Patient information confidentiality Grant requirements

More information

Effective Date: 4/3/17

Effective Date: 4/3/17 HIPAA AND HITECH ADM 067.4 Attachment D Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Security Rule Health Information Technology for Economic and Clinical Health (HITECH)

More information

Interpreters Associates Inc. Division of Intérpretes Brasil

Interpreters Associates Inc. Division of Intérpretes Brasil Interpreters Associates Inc. Division of Intérpretes Brasil Adherence to HIPAA Agreement Exhibit B INDEPENDENT CONTRACTOR PRIVACY AND SECURITY PROTECTIONS RECITALS The purpose of this Agreement is to enable

More information

Getting a Grip on HIPAA

Getting a Grip on HIPAA Getting a Grip on HIPAA Privacy and Security of Health Information in the Post-HITECH Age Jean C. Hemphill hemphill@ballardspahr.com 215.864.8539 Edward I. Leeds leeds@ballardspahr.com 215.864.8419 Amy

More information

PATTERSON MEDICAL SUPPLY, INC. HIPAA BUSINESS ASSOCIATE AGREEMENT WITH CUSTOMERS

PATTERSON MEDICAL SUPPLY, INC. HIPAA BUSINESS ASSOCIATE AGREEMENT WITH CUSTOMERS PATTERSON MEDICAL SUPPLY, INC. HIPAA BUSINESS ASSOCIATE AGREEMENT WITH CUSTOMERS This HIPAA Business Associate Agreement ( BA Agreement ), effective as of the last date written on the signature page attached

More information

HIPAA 2014: Recent Changes from HITECH and the Omnibus Rule. Association of Corporate Counsel Houston Chapter October 14, 2014.

HIPAA 2014: Recent Changes from HITECH and the Omnibus Rule. Association of Corporate Counsel Houston Chapter October 14, 2014. HIPAA 2014: Recent Changes from HITECH and the Omnibus Rule Association of Corporate Counsel Houston Chapter October 14, 2014 Jeffery P. Drummond Jackson Walker L.L.P. 901 Main Street, Suite 6000 Dallas,

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) SUMMARY OF OUR NOTICE OF PRIVACY PRACTICES. Health Plan Responsibilities

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) SUMMARY OF OUR NOTICE OF PRIVACY PRACTICES. Health Plan Responsibilities HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) SUMMARY OF OUR NOTICE OF PRIVACY PRACTICES This summary describes how the International Union, UAW Health Plan (Health Plan) may use and disclose

More information

HHS, Office for Civil Rights. IAPP October 11, 2012

HHS, Office for Civil Rights. IAPP October 11, 2012 HHS, Office for Civil Rights IAPP October 11, 2012 Enforce federal civil rights laws and the HIPAA Privacy and Security Rules HQ and 10 Regional Offices Region IX has jurisdiction over covered entities

More information

Fifth National HIPAA Summit West

Fifth National HIPAA Summit West Fifth National HIPAA Summit West Privacy and Security under the HITECH Act W. Reece Hirsch Paul T. Smith, Partner, Partner, Hooper, Lundy & Bookman 1 Developments The Health Information Technology for

More information

SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT

SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (Revised on March 1, 2016) THIS HIPAA SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into on (the Effective Date ), by and between ( EMR ),

More information

Omnibus Components. Not in Omnibus. HIPAA/HITECH Omnibus Final Rule

Omnibus Components. Not in Omnibus. HIPAA/HITECH Omnibus Final Rule Office of the Secretary Office for Civil Rights () HIPAA/HITECH Omnibus Final Rule April 12, 2013 HHS Office for Civil Rights Omnibus Components Final Rule on HITECH Privacy, Security, & Enforcement Provisions

More information

NOTIFICATION OF PRIVACY AND SECURITY BREACHES

NOTIFICATION OF PRIVACY AND SECURITY BREACHES NOTIFICATION OF PRIVACY AND SECURITY BREACHES Overview The UT Health Science Center at San Antonio (Health Science Center) is required to report all breaches of protected health information and personally

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT Attachment G HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT Health Insurance Portability and Accountability Act (HIPAA) Compliance This HIPAA Business Agreement

More information

To: Our Clients and Friends January 25, 2013

To: Our Clients and Friends January 25, 2013 Life Sciences and Health Care Client Service Group To: Our Clients and Friends January 25, 2013 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health

More information

The Basics of HIPAA Business Partner and Chain of Trust Agreements Coverage and Requirements

The Basics of HIPAA Business Partner and Chain of Trust Agreements Coverage and Requirements The Basics of HIPAA Business Partner and Chain of Trust Agreements Coverage and Requirements First National HIPAA Summit Lisa L. Dahm, JD and Paul T. Smith, Esquire October 16, 2000 Now That Everything

More information

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates March 7, 2013 Brad M. Rostolsky Partner Reed Smith LLP brostolsky@reedsmith.com Nancy E.

More information

HITECH/HIPAA Omnibus Final Rule: Implications for Hospices. Elizabeth S. Warren May 3, 2013

HITECH/HIPAA Omnibus Final Rule: Implications for Hospices. Elizabeth S. Warren May 3, 2013 HITECH/HIPAA Omnibus Final Rule: Implications for Hospices Elizabeth S. Warren May 3, 2013 Final Rule is Finally Here Published January 25, 2013 (78 Fed. Reg. 5566) Effective March 26, 2013 Compliance

More information

IACT Medical Trust. June 28, Jim Hamilton (317) HIPAA Privacy Training Bose McKinney & Evans LLP

IACT Medical Trust. June 28, Jim Hamilton (317) HIPAA Privacy Training Bose McKinney & Evans LLP IACT Medical Trust HIPAA Privacy Training June 28, 2012 Jim Hamilton (317) 684-5419 jhamilton@boselaw.com 2009 Bose McKinney & Evans LLP HIPAA Overview 2009 Bose McKinney & Evans LLP The Privacy Rule HIPAA

More information

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates November 7, 2013 Brad M. Rostolsky Partner Reed Smith LLP brostolsky@reedsmith.com Nancy

More information

Central Florida Regional Transportation Authority Table of Contents A. Introduction...1 B. Plan s General Policies...4

Central Florida Regional Transportation Authority Table of Contents A. Introduction...1 B. Plan s General Policies...4 Table of Contents A. Introduction...1 1. Purpose...1 2. No Third Party Rights...1 3. Right to Amend without Notice...1 4. Definitions...1 B. Plan s General Policies...4 1. Plan s General Responsibilities...4

More information

HIPAA OMNIBUS RULE. The rule makes it easier for parents and others to give permission to share proof of a child s immunization with a school

HIPAA OMNIBUS RULE. The rule makes it easier for parents and others to give permission to share proof of a child s immunization with a school ASPPR The omnibus rule greatly enhances a patient s privacy protections, provides individuals new rights to their health information, and strengthens the government s ability to enforce the law. The changes

More information

HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013

HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013 HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013 Pat Henrikson, Banner Health HIPAA Compliance Program Director, Chief Privacy Officer Agenda Background

More information

HIPAA PRIVACY AND SECURITY AWARENESS

HIPAA PRIVACY AND SECURITY AWARENESS HIPAA PRIVACY AND SECURITY AWARENESS Introduction The Health Insurance Portability and Accountability Act (known as HIPAA) was enacted by Congress in 1996. HIPAA serves three main purposes: To protect

More information

Coping with, and Taking Advantage of, HIPAA s New Rules!! Deven McGraw Director, Health Privacy Project April 19, 2013!

Coping with, and Taking Advantage of, HIPAA s New Rules!! Deven McGraw Director, Health Privacy Project April 19, 2013! Coping with, and Taking Advantage of, HIPAA s New Rules!!! Deven McGraw Director, Health Privacy Project April 19, 2013! Status of Federal Privacy Regulations! Omnibus Rule (Data Breach, Enforcement, HITECH,

More information

Limited Data Set Data Use Agreement For Research

Limited Data Set Data Use Agreement For Research Limited Data Set Data Use Agreement For Research This Data Use Agreement is dated,, and is between the ( Recipient ) and University of Miami, ( Covered Entity ). This Data Use Agreement is made in accordance

More information

Privacy Sleuths: Solving the Mystery of Wellness Program Privacy Compliance. Agenda. Health Data Exposure National Wellness Conference

Privacy Sleuths: Solving the Mystery of Wellness Program Privacy Compliance. Agenda. Health Data Exposure National Wellness Conference Privacy Sleuths: Solving the Mystery of Wellness Program Privacy Compliance 2015 National Wellness Conference Barbara J. Zabawa, JD, MPH Center for Health Law Equity, LLC Agenda Health Data Exposure ADA,

More information

Business Associate Agreement Health Insurance Portability and Accountability Act (HIPAA)

Business Associate Agreement Health Insurance Portability and Accountability Act (HIPAA) Business Associate Agreement Health Insurance Portability and Accountability Act (HIPAA) This Business Associate Agreement (the Agreement ) is made and entered into by and between Washington Dental Service

More information

HIPAA, 42 CFR PART 2, AND MEDICAID COMPLIANCE STANDARDS POLICIES AND PROCEDURES

HIPAA, 42 CFR PART 2, AND MEDICAID COMPLIANCE STANDARDS POLICIES AND PROCEDURES SALISH BHO HIPAA, 42 CFR PART 2, AND MEDICAID COMPLIANCE STANDARDS POLICIES AND PROCEDURES Policy Name: BREACH NOTIFICATION REQUIREMENTS Policy Number: 5.16 Reference: 45 CFR Parts 164 Effective Date:

More information

BUSINESS ASSOCIATE AGREEMENT W I T N E S S E T H:

BUSINESS ASSOCIATE AGREEMENT W I T N E S S E T H: BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( this Agreement ) is made and entered into as of this day of 2015, by and between TIDEWELL HOSPICE, INC., a Florida not-for-profit corporation,

More information

GROUP HEALTH INCORPORATED SELLING AGENT AGREEMENT

GROUP HEALTH INCORPORATED SELLING AGENT AGREEMENT GROUP HEALTH INCORPORATED SELLING AGENT AGREEMENT This Agreement, made between Group Health Inc., having its principal office at 55 Water Street, New York, NY 10041 ("GHI"), and, having its principal office

More information

Compliance Steps for the Final HIPAA Rule

Compliance Steps for the Final HIPAA Rule Brought to you by The Alpha Group for the Final HIPAA Rule On Jan. 25, 2013, the Department of Health and Human Services (HHS) issued a final rule under HIPAA s administrative simplification provisions.

More information

2016 Business Associate Workforce Member HIPAA Training Handbook

2016 Business Associate Workforce Member HIPAA Training Handbook 2016 Business Associate Workforce Member HIPAA Training Handbook Using the Training Handbook The material in this handbook is designed to deliver required initial, and/or annual HIPAA training for all

More information

ARTICLE 1 DEFINITIONS

ARTICLE 1 DEFINITIONS [GPM Note: This Template Data Use Agreement is to be used when a covered entity seeks to disclose a limited set of PHI to another entity for research, public health, and/or health care operations purposes.

More information

ARTICLE 1. Terms { ;1}

ARTICLE 1. Terms { ;1} The parties agree that the following terms and conditions apply to the performance of their obligations under the Service Contract into which this Exhibit is being incorporated. Contractor is providing

More information

Breach Policy. Applicable Standards from the HITRUST Common Security Framework. Applicable Standards from the HIPAA Security Rule

Breach Policy. Applicable Standards from the HITRUST Common Security Framework. Applicable Standards from the HIPAA Security Rule Breach Policy To provide guidance for breach notification when impressive or unauthorized access, acquisition, use and/or disclosure of the ephi occurs. Breach notification will be carried out in compliance

More information

UNIVERSITY POLICY. Access of Individuals to Their Protected Health Information. Adopted: 01/23/2003 Reviewed: 3/11/2016

UNIVERSITY POLICY. Access of Individuals to Their Protected Health Information. Adopted: 01/23/2003 Reviewed: 3/11/2016 UNIVERSITY POLICY Policy Name: Access of Individuals to Their Protected Health Information Section #: 100.1.4 Section Title: HIPAA Policies Approval Authority: Responsible Executive: Responsible Office:

More information

UNITED WORKERS HEALTH FUND 50 CHARLES LINDBERGH BLVD. SUITE 207 UNIONDALE, NY 11553

UNITED WORKERS HEALTH FUND 50 CHARLES LINDBERGH BLVD. SUITE 207 UNIONDALE, NY 11553 UNITED WORKERS HEALTH FUND 50 CHARLES LINDBERGH BLVD. SUITE 207 UNIONDALE, NY 11553 Tel: 516-740-5325 tnl@dickinsongrp.com Fax: 516-740-5326 REVISED NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW

More information

What Brown County employees need to know about the Federal legislation entitled the Health Insurance Portability and Accountability Act of 1996.

What Brown County employees need to know about the Federal legislation entitled the Health Insurance Portability and Accountability Act of 1996. What Brown County employees need to know about the Federal legislation entitled the Health Insurance Portability and Accountability Act of 1996. HIPAA stands for Health Insurance Portability and Accountability

More information

503 SURVIVING A HIPAA BREACH INVESTIGATION

503 SURVIVING A HIPAA BREACH INVESTIGATION 503 SURVIVING A HIPAA BREACH INVESTIGATION Presented by Nicole Hughes Waid, Esq. Mark J. Swearingen, Esq. Celeste H. Davis, Esq. Regional Manager 1 Surviving a HIPAA Breach Investigation: Enforcement Presented

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS

HIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS HIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS This HIPAA Business Associate Agreement ( BAA ) is entered into on this day of, 20 ( Effective Date ), by and between Allscripts

More information

True or False? HIPAA Update: Avoiding Penalties. Preliminaries. Kim C. Stanger IHCA (7/15)

True or False? HIPAA Update: Avoiding Penalties. Preliminaries. Kim C. Stanger IHCA (7/15) Protected Health Info HIPAA Update: Avoiding Penalties IHCA (7/15) Preliminaries This presentation is similar to any other legal education materials designed to provide general information on pertinent

More information

Auditing for HIPAA Compliance: Evaluating security and privacy compliance in an organization that provides health insurance benefits to employees

Auditing for HIPAA Compliance: Evaluating security and privacy compliance in an organization that provides health insurance benefits to employees Auditing for HIPAA Compliance: Evaluating security and privacy compliance in an organization that provides health insurance benefits to employees San Antonio IIA: I HEART AUDIT CONFERENCE February 24,

More information

HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT

HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT HIPAA OMNIBUS FINAL RULE HITECH GINA TERMINOLOGY OMNIBUS FINAL RULE Issued January 23, 2013 Effective March 26, 2013 Modified HIPAA privacy and security

More information

HIPAA STUDENT ASSOCIATE AGREEMENT

HIPAA STUDENT ASSOCIATE AGREEMENT HIPAA STUDENT ASSOCIATE AGREEMENT This Agreement dated as of, 20 is made by and between Petaluma Health Center (Hereinafter Covered Entity ) and (Hereinafter Student ). INTRODUCTION This Agreement governs

More information

The wait is over HHS releases final omnibus HIPAA privacy and security regulations

The wait is over HHS releases final omnibus HIPAA privacy and security regulations The wait is over HHS releases final omnibus HIPAA privacy and security regulations The Department of Health and Human Services (HHS) published long-anticipated (and longoverdue) omnibus regulations under

More information

BUSINESS ASSOCIATE AGREEMENT (for use when there is no written agreement with the business associate)

BUSINESS ASSOCIATE AGREEMENT (for use when there is no written agreement with the business associate) BUSINESS ASSOCIATE AGREEMENT (for use when there is no written agreement with the business associate) This HIPAA Business Associate Agreement ( Agreement ) is entered into this day of, 20, by and between

More information

NETWORK PARTICIPATION AGREEMENT

NETWORK PARTICIPATION AGREEMENT NETWORK PARTICIPATION AGREEMENT THIS NETWORK PARTICIPATION AGREEMENT ( Agreement ) is entered into on the date(s) indicated below, by and between the undersigned physician (hereinafter Physician ; and

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT (this Agreement ) is effective by and between CRESTPOINT HEALTH INSURANCE COMPANY, on behalf of itself and its affiliates (collectively, Covered

More information

JEFFERSON HEALTH CARE LINK ACCESS AGREEMENT

JEFFERSON HEALTH CARE LINK ACCESS AGREEMENT JEFFERSON HEALTH CARE LINK ACCESS AGREEMENT This JEFFERSON HEALTH CARE LINK ACCESS AGREEMENT (the Agreement ) is entered into between THOMAS JEFFERSON UNIVERSITY, D/B/A JEFFERSON HEALTH, by and on behalf

More information

Medical Records: Protection for the Psychiatrist and the Patient

Medical Records: Protection for the Psychiatrist and the Patient Medical Records: Protection for the Psychiatrist and the Patient The medical record should provide an accurate reflection of the care provided to the patient. It is a legal document scrutinized by both

More information

Interim Date: July 21, 2015 Revised: July 1, 2015

Interim Date: July 21, 2015 Revised: July 1, 2015 HIPAA/HITECH Page 1 of 7 Effective Date: September 23, 2009 Interim Date: July 21, 2015 Revised: July 1, 2015 Approved by: James E. K. Hildreth, Ph.D., M.D. President and Chief Executive Officer Subject:

More information

HITECH and Stimulus Payment Update

HITECH and Stimulus Payment Update HITECH and Stimulus Payment Update David S. Szabo Agenda HIPAA Breach Notification Rules HITECH and Meaningful Use Open Question Period 2 Data Security Breaches A total of 245,216,093 records containing

More information

OMNIBUS RULE ARRIVES

OMNIBUS RULE ARRIVES AFTER THE OMNIBUS RULE 1 Agenda Omnibus Rule is here Business Associates (BAs) Agreement Breach Notification Change Breach Reporting Requirements (Federal and State) Notification to Care1st Health Plan

More information

ACCESS TO ELECTRONIC HEALTH RECORDS AGREEMENT WITH THE DOCTORS CLINIC, PART OF FRANCISCAN MEDICAL GROUP

ACCESS TO ELECTRONIC HEALTH RECORDS AGREEMENT WITH THE DOCTORS CLINIC, PART OF FRANCISCAN MEDICAL GROUP ACCESS TO ELECTRONIC HEALTH RECORDS AGREEMENT WITH THE DOCTORS CLINIC, PART OF FRANCISCAN MEDICAL GROUP and THIS AGREEMENT ( Agreement ) is made and entered into this day of, 20, by and between The Doctors

More information

Changes to HIPAA Under the Omnibus Final Rule

Changes to HIPAA Under the Omnibus Final Rule Changes to HIPAA Under the Omnibus Final Rule Kimberly J. Kannensohn and Nathan A. Kottkamp, McGuireWoods 1 The Long-Awaited HIPAA Final Rule On Jan. 17, 2013, the Department of Health and Human Services

More information

Effective Date: March 23, 2016

Effective Date: March 23, 2016 AIG COMPANIES Effective Date: March 23, 2016 HIPAA NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

More information

Business Associate Contracts: Time Is Running Out...

Business Associate Contracts: Time Is Running Out... Business Associate Contracts: Time Is Running Out... Rebecca L. Williams, RN, JD Partner Seattle, WA beckywilliams@dwt.com 206-628-7769 ... Or April Angst, Again April 2003: First deadline April 14, 2004:

More information

HIPAA PRIVACY MONITORING REQUIREMENTS

HIPAA PRIVACY MONITORING REQUIREMENTS CFOP 60-17 STATE OF FLORIDA DEPARTMENT OF CF OPERATING PROCEDURE CHILDREN AND FAMILIES NO. 60-17 TALLAHASSEE, August 1, 2003 Chapter 3 HIPAA PRIVACY MONITORING REQUIREMENTS CONTENTS 3-1. Purpose... 3-1

More information

SENATE BILL 954 CHAPTER. Medical Records HIPAA Consistency Act of 2012 Enhancement or Coordination of Patient Care

SENATE BILL 954 CHAPTER. Medical Records HIPAA Consistency Act of 2012 Enhancement or Coordination of Patient Care SENATE BILL J, C lr0 CF lr0 By: Senator Middleton Introduced and read first time: February, Assigned to: Rules Re referred to: Finance, February, Committee Report: Favorable with amendments Senate action:

More information

It s as AWESOME as You Think It Is!

It s as AWESOME as You Think It Is! It s as AWESOME as You Think It Is! Fine Print This presentation and any materials and/or comments are training and educational in nature only. They do not establish an attorney-client relationship, are

More information

ARRA s Amendments to HIPAA Privacy & Security Rules

ARRA s Amendments to HIPAA Privacy & Security Rules ARRA s Amendments to HIPAA Privacy & Security Rules Georgina L. O Hara Jessica R. Bernanke April 29, 2009 www.morganlewis.com Amended HIPAA Privacy and Security Rules HIPAA Amendments are in The Health

More information