Tuesday, April 16, :00-2:15 pm Eastern. Presenters. Melissa Markey, Esquire Hall Render Killian Heath & Lyman PC Troy, MI

Transcription

1 HITECH Final Omnibus Rule Bootcamp Webinar and Roundtable Discussion Series, Part VI: Academic Medicine, Research, and Life Sciences Perspectives on the HITECH Final Omnibus Rule This bootcamp webinar and roundtable discussion series is brought to you by the Health Information and Technology (HIT) Practice Group, and is co-sponsored by the Business Law and Governance (BLG); Healthcare Liability and Litigation (HCL); Hospitals and Health Systems (HHS); In-House Counsel (In-House); Labor and Employment (Labor); Life Science (LS); Long Term Care, Senior Housing, In-Home Care, and Rehabilitation (LTC-SIR); Medical Staff, Credentialing and Peer Review (MSCPR); Payors, Plans, and Managed Care (PPMC); Physician Organization (Physicians); Regulation, Accreditation and Payment (RAP); and Teaching Hospitals and Academic Medical Centers (TH/AMC) Practice Groups and the Healthcare Reform Educational (HRE) Task Force. Tuesday, April 16, :00-2:15 pm Eastern Presenters Melissa Markey, Esquire Hall Render Killian Heath & Lyman PC Troy, MI Susan Stayn, Esquire Senior University Counsel Office of the General Counsel Stanford University Stanford, CA

2 Today s Omnibus Topics Overview of Final HITECH Omnibus Rule on Genetic Information, Decedent s Information, Compound Research Authorizations, Sale of Protected Health Information (PHI), and Healthcare Operations vs. Research De-identification of PHI under Office of Civil Rights guidance and changes to limited data sets Operational issues and overlap with the Common Rule 2

3 HITECH ACT includes Increased Enforcement and Penalties Expansion of Definition and Regulation of Business Associates (and their subcontractors) Restrictions on Fundraising, Marketing and Sale of PHI Reporting to HHS, individuals and potentially media for a Breach of Unsecured PHI 3

4 Effective Date and Compliance Dates January 25, 2013 Final HITECH Omnibus Rule published in Federal Register (78 Fed. Reg. 5566) March 26, 2013 Omnibus Rule Effective Date Enforcement Rule changes effective this date and require compliance September 23, 2013 Omnibus Rule Compliance Date 4

5 Genetic Information Privacy Pre-GINA: Genetic information already was protected under the HIPAA Privacy Rule as Protected Health Information (PHI) when it was individually identifiable and held by a covered entity (per preamble to Privacy Rule). GINA required revisions to the Privacy Rule: To be explicit that health information includes genetic information. To prohibit health plans, health insurance issuers (including HMOs), and issuers of Medicare supplemental policies from using/disclosing genetic information for underwriting purposes. 5

6 Genetic Information Privacy HITECH Omnibus Final Rule: Explicitly defines health information to include genetic information. Adds several related new terms and definitions to HIPAA: Genetic information Genetic test Genetic services Family member Manifestation or manifested Prohibits all health plans that are HIPAA covered entities, except issuers of long-term care policies, from using or disclosing genetic information for underwriting purposes. 6

7 Genetic Information Privacy: New Terms Genetic information [paraphrased from 45 CFR ]: (1) Subject to para. (2) and (3), with respect to an individual, information about: (i) The individual s genetic tests; (ii) The genetic tests of the individual s family members; (iii) Manifestation of a disease or disorder in family members of such individual; or (iv) any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by the individual or family member; (2) Genetic information of individual or family member includes genetic information of (i) a fetus carried by the individual or family member who is a pregnant woman; and (ii) any embryo legally held by the individual or family member using ART; (3) Genetic information excludes information about sex or age of the individual. 7

8 Genetic Information Privacy: New Terms Genetic services: (i) genetic test; (ii) genetic counseling; or (iii) genetic education. Genetic test: analysis of human DNA, RNA, chromosomes, proteins, or metabolites, if analysis detects genotypes, mutations, or chromosomal changes. Doesn t include analysis of proteins or metabolites directly related to a manifested disease, disorder, or pathological condition. Doesn t include HIV tests, CBCs, cholesterol or liver function tests, or tests to detect presence of drugs or alcohol. Family member (broad!): includes dependents, first- through fourthdegree relatives, half-siblings, adoptions, and more CFR

9 Genetic Information Privacy: New Terms Manifestation or manifested: means, with respect to a disease, disorder, or pathological condition: Individual has been, or could reasonably be, diagnosed by health care professional with appropriate training and expertise in field. In contrast, if diagnosis is based principally on genetic information, then the disease, disorder, or pathological condition is not manifested CFR

10 Genetic Information Privacy: Practical Considerations While aimed at health plans, the new genetic information provisions may affect health care providers. Areas for consideration include, for example: Patient right to request restrictions - Example: Adult children involved in ill parent s care request genetic information of parent. Has parent requested a restriction, and has entity agreed to such restriction? What is the scope of such restriction? Minimum necessary standard -Example: Disclosure to a health plan for payment. Participation in clinical research -Example: Do consent/authorization forms refer to genetic information, and what is the intended scope and meaning? Manifested or not manifested? 10

11 Genetic Information Privacy Practical Considerations Intersection with other existing genetic privacy laws (e.g., state laws) Compare terminology and definitions Compare scope of laws (e.g., some state laws may apply only to clinical genetic tests and not genetic information in research) Possible implications for policies, procedures, consent/authorization forms, informational brochures and materials Potential for new state legislation DNA is still not identifiable alone under Privacy Rule 11

12 Decedent Information Original Privacy Rule protected decedents PHI indefinitely Omnibus Final Rule defines PHI to include decedent PHI for 50 years after death Not a record retention requirement Omnibus Final Rule permits, but does not require, disclosure of decedent PHI to a family member or friend who is involved in the care or payment for care before the individual s death, unless disclosing is inconsistent with a prior expressed preference of the individual that is known to the covered entity Disclosure limited to area of family member/friend s involvement (not past, unrelated medical problems) Covered entity needs reasonable assurance the person is a family member or friend who was involved in the care May arise if family member or friend requesting the information is not the personal representative with right of access 12

13 Decedent Information Research effects: Researchers may still provide written assurances to access decedent information for research (no change) 50-year cut-off is intended to ease prior restrictions and facilitate work of archivists, biographers, and historians who need old medical records or historical files of value Practical considerations: Changes are permissive, not required If uncomfortable disclosing decedent s information to family/friend, entity is not required to (unless it s a personal representative) State law or professional obligations may require longer period of confidentiality 13

14 Research Compound Authorizations Compound authorizations those that combine any other legal permission with authorization for PHI disclosure Privacy Rule prohibited compound authorizations and conditioned and non-conditioned authorization in same document Exception for research study authorization with other written permission for the same study 14

15 Compound Research Authorizations - HITECH Permits combining conditioned and non-conditioned authorizations for research in same document, with caveats, and no longer requires PHI use/disclosure for research purposes to be study-specific, with caveats: Conditioned and non-conditioned components must be clearly indicated; Individual must be able to opt-in to research activities in unconditioned authorization; Authorization revocations clearly state which authorization is revoked; Uses/disclosures of PHI for future research purposes must be adequately described. Result: flexibility to clinical researchers and harmony of authorization provisions with Common Rule regulations Permits combining authorizations for clinical trials, optional sub-studies, biospecimen banking 15

16 Compound Research Authorizations - HITECH Practical Considerations: Sample study: Drug trial plus tissue banking Informed consent to drug trial and tissue banking needed. - Consent still may be combined with a HIPAA authorization (unless state law or other source requires separation). Authorization for use/disclosure of PHI in drug trial may be combined with authorization for use/disclosure of PHI in banking (if it is clear that these are separate activities, and opt-in to banking is included) Authorization for use/disclosure of PHI in drug trial may remain separate from authorization for use/disclosure of PHI in banking Authorization for use/disclosure of PHI in drug trial may be all that is needed, if no PHI (or only a limited data set) will be used or disclosed for tissue banking Waiver of authorization also remains an option (e.g., researchers decide later on a data or tissue bank) 16

17 Compound Research Authorizations - HITECH Practical Considerations: How to revise research authorizations? SACHRP Public Comment Letter described three possible approaches, which were all deemed appropriate by HHS - Combined consent/authorization for clinical trial and optional tissue bank, with opt-in to optional bank, and one signature - Combined consent/authorization for clinical trial and optional tissue bank, with separate signatures - Combined consent/authorization for clinical trial and optional tissue bank, with opt-in to bank, and one signature, but detailed brochure with the banking information, as referenced in consent/authorization SACHRP Letter/Attachment A: sample mark-up of a compound authorization: entalettertothesec.html 17

18 Compound Research Authorizations - HITECH Practical Considerations: What about pre-existing studies? Previously approved, ongoing studies may continue to rely on the separate authorization forms that were obtained under the prior provisions. (78 Fed. Reg. 5611) For new studies, option to use newly permitted compound authorizations or continue separate authorizations. Revisions to policies, procedures, and forms. Training: Given enforcement climate, important to ensure researchers are using an appropriate HIPAA authorization in ongoing and new studies. 18

19 Future Research - HITECH Under prior HHS interpretation of HIPAA Privacy Rule, no authorization for future research (authorization had to be study-specific). In Omnibus HITECH final rule, HHS modifies its prior interpretation and now allows authorizations to use or disclose PHI for future research. Must still meet required elements of an authorization Must adequately describe the research purposes so an individual understands the possible future research (i.e., more harmonized with IRB consent practices under the Common Rule) 19

20 Future Research - HITECH Practical considerations: Permissive approach: covered entities may continue to use studyspecific authorizations, or may obtain authorizations for future research after effective date of new rule (3/26/2013). What about pre-existing studies? May rely upon IRB-approved consent obtained prior to 3/26/2013 if it reasonably informed individuals of the future research, provided consent was combined with a HIPAA authorization (even though authorization was specific to original study or to creation/maintenance of a repository). What about revocation of authorization? Privacy Rule requires revocation to be in writing, but covered entity may cease using or disclosing PHI pursuant to an authorization based on individual s oral request if it chooses to do so. 20

21 Sale of PHI Even where HIPAA permits a disclosure of PHI, a covered entity (or business associate) is prohibited from disclosing PHI (without individual authorization) in exchange for remuneration. Includes remuneration received directly or indirectly from recipient Not limited to financial remuneration If authorization obtained, authorization must state that disclosure will result in remuneration. 21

22 Sale of PHI Exceptions: Treatment & payment Sale of business Remuneration to BA for services rendered Disclosure required by law Providing access or accounting to individual Public health Research, if remuneration limited to cost to prepare and transmit PHI Any other permitted disclosure where only receive reasonable, cost-based fee to prepare and transmit PHI 22

23 Sale of PHI Practical Considerations: Sale is broad: not limited to transfer of ownership Includes licenses, leases, and other arrangements Includes receipt of financial or non-financial benefits Example: payment for a limited data set for research purposes is a sale of PHI, which may be done either with authorization, or without authorization if an exception is met (e.g., payment limited to a reasonable cost-based fee to prepare and transmit the data) What costs are permitted in reasonable cost-based fee? Direct and indirect costs, labor and supplies, capital, overhead Operational challenge: identifying arrangements; inserting check mechanism into workflow; training. 23

24 OCR Guidance: De-identification of PHI Safe Harbor - Remove or code required data elements and CE does not have any actual knowledge that the information could be used alone or with other information to identify the individual. Statistician's certification - Person with appropriate expertise renders information "not identifiable" if s/he Determines very small risk that information could be used alone or in combination with other reasonably available information by an anticipated recipient to identify the individual AND Documents the methods & results of the analysis that justify this determination. * See OCR De-Identification Guidance dated November 26, 2012, available at 24

25 OCR Guidance: De-identification of PHI Expert Determination Method: Practical Considerations Who is an expert? - No specific professional degree or certification program - Professional experience + academic or other training would be reviewed from an enforcement perspective. What is a very small risk of identification? - [N]o explicit numerical level of identification risk - Document method (Guidance Sec ) 25

26 OCR Guidance: De-identification of PHI Safe Harbor: Practical Considerations Derivatives of identifiers: guidance reiterates that initials and parts of SSN are identifiable. - Think about researchers codes, study spreadsheets Dates: guidance reiterates dates are identifiable (except year) - Think about specimen labels, repository records, chronologies, outcome data Other unique identifying characteristics - Think about how to help researchers and IRB identify these less well-defined characteristics Actual knowledge - Includes, for ex., rare or well-publicized clinical events Ongoing dialogue: OCR welcomes further comments 26

27 Changes Affecting Limited Data Sets Breach notification Removal of safe harbor for narrow limited data sets (those that excluded date of birth and ZIP) - So, any breach involving a limited data set must be analyzed using same analysis as other breaches. Must report breaches or document rationale for not reporting. Data use agreements: Recipient of limited data set should quickly report to data owner any incident that could give rise to a breach. Coordination of data use agreements: who signs? Greater centralization within academic medical centers? 27

28 Operational issues and overlap with the Common Rule Reportability HIPAA/HITECH: Breach analysis and reporting Common Rule: Unanticipated problems reporting Other sources of required reporting Identifiability under HIPAA vs. Common Rule Authorizations and consents 28

29 Notice of Privacy Practices Content must now include: Statements regarding sale of PHI, marketing, and other purposes that require authorization Fundraising opt out and restrictions on health plan disclosures if individual pays out of pocket in full for health care service Statement about individual s right to receive breach notifications For plans that underwrite, statement that genetic information may not be used for such purposes 29

30 QUESTIONS??????????

31 HITECH Final Omnibus Rule Bootcamp Webinar and Roundtable Discussion Series, Part VI: Academic Medicine, Research, and Life Sciences Perspectives on the HITECH Final Omnibus Rule 2013 is published by the American Health Lawyers Association. All rights reserved. No part of this publication may be reproduced in any form except by prior written permission from the publisher. Printed in the United States of America. Any views or advice offered in this publication are those of its authors and should not be construed as the position of the American Health Lawyers Association. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering legal or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought from a declaration of the American Bar Association 31