To: Our Clients and Friends January 25, 2013

Transcription

1 Life Sciences and Health Care Client Service Group To: Our Clients and Friends January 25, 2013 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act On January 17, 2013, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services issued the final rule modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security, enforcement, and breach notification rules pursuant to the Health Information Technology For Economic And Clinical Health (HITECH) Act. The rule will be published in the Federal Register on January 25, 2013, and becomes effective on March 26, Compliance with the final rule is required by September 23, A summary of the final regulations are as follows: Definitions Business associate (BA) now includes Health Information Organizations, E-Prescribing Gateways, and other persons that provide data transmission services with respect to protected health information (PHI) to covered entities, and that require routine access to such PHI. It also includes entities that offer personal health records to persons on behalf of a covered entity. Entities that act as mere conduits for the transport of PHI but do not access the PHI other than on a random or infrequent basis are not BAs. However, entities that maintain and/or store PHI on behalf of a covered entity is a BA even if the entity does not actually view the PHI. A subcontractor of a BA that creates, receives, maintains, or transmits PHI on behalf of the BA is also considered a BA. Electronic media is now defined to include electronic storage material on which data is or may be recorded electronically or transmission media used to exchange information already in electronic storage media. To constitute electronic media, the information being exchanged must exist in This Client Alert is published for the clients and friends of Bryan Cave LLP. Information contained herein is not to be considered as legal advice. This Client Alert may be construed as an advertisement or solicitation Bryan Cave LLP. All Rights Reserved.

2 electronic form immediately before the transmission. Therefore, transmissions of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media unless they were in electronic form initially. The preamble also noted that PHI stored in photocopiers, facsimiles, and similar devices is subject to HIPAA. Protected health information excludes individually identifiable health information in education records covered by the Family Educational Rights And Privacy Act (FERPA), in employment records held by a covered entity in its role as employer, and regarding an individual who has been deceased for more than fifty years. Workforce now includes employees, volunteers, trainees, and other persons whose conduct is under the direct control of a covered entity or BA. Investigations by the OCR The OCR must investigate a possible HIPAA violation due to willful neglect. Resolution of Noncompliance If an investigation of a complaint or compliance review indicates noncompliance with HIPAA, the OCR may attempt to resolve the matter by informal means. Imposition of Civil Money Penalties The amount of civil money penalty that may be imposed for a violation of HIPAA is based upon the level of culpability. Reasonable cause is now defined as an act or omission in which a covered entity or BA knew, or by exercising reasonable diligence would have known, that the act or omission violated HIPAA but in which the covered entity or BA did not act with willful neglect A covered entity has liability for the acts of a BA, under the federal common law of agency, and a BA for its subcontractors (right or authority of covered entity to control BA s conduct in the course of performing a service on behalf of the covered entity, or similarly the BA has the right to control the subcontractor s conduct) (c). The following are the categories of violations and their respective penalty amounts that may be imposed: Categories of Violations and Respective Penalty Amounts Available Violation Category Each Violation All Such Violations of an Identical Provision in a Calendar Year (A) Did Not Know $100 - $50,000 $1,500,000 (B) Reasonable Cause $1,000 - $50,000 $1,500,

3 (C)(i) Willful Neglect - Corrected $10,000 - $50,000 $1,500,000 (C)(ii) Willful Neglect - Not Corrected $1,500,000 Privacy Rule Definitions Health care operations has been expanded to include patient safety activities. Marketing means to make a communication about a product or service that encourages individuals to purchase or use the product or service. Marketing does not include communications made: 1. To provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual if any financial remuneration received by the covered entity in exchange for making the communication is reasonably related to the covered entity s cost of making the communication. 2. For the following treatment and healthcare operations purposes, except where the covered entity receives financial remuneration in exchange for making the communication: A. For treatment of an individual by a health care provider; B. To describe a health-related product or service that is provided by or included in a plan of benefits; or C. For case management or care coordination. Financial remuneration means a direct or indirect payment from or on behalf of a third party whose product or service is being described. The OCR clarifies that an authorization is required for all treatment and health care operation communications where the covered entity or BA receives financial remuneration from the third party whose product or service is being marketed for making the communications. However, no authorizations are required for face-to-face communications or if only promotional gifts of nominal value are provided to the individual. Business Associates A BA may not use or disclose PHI except as permitted or required by HIPAA (a). The minimum necessary standard applies to BAs (b). A BA must obtain satisfactory assurances from its subcontractors that the subcontractors will appropriately safeguard the PHI in accordance with HIPAA (e). It is not the duty of the covered entity to obtain the assurances from the BA s subcontractors. BAs must also comply, where applicable, with the HIPAA Security Rule with regard to electronic PHI, report breaches of unsecured PHI to covered entities, and ensure that any subcontractors that create, maintain, or receive PHI on behalf of the BA agrees to the same restrictions and conditions that apply to the BA (e)(2)(ii)(B) through (D). Additionally, a BA must comply with the HIPAA Privacy - 3 -

4 Rule provisions that apply to the contracted covered entity in the performance of the contractual obligations (e)(2)(ii)(H). A BA is not required to have a HIPAA Privacy Officer. Covered entities may operate under existing BA Agreements for up to one year beyond the effective date of these regulations, or until the BA Agreement is modified or renewed, whichever is sooner (d) and (e). BA Agreements that have evergreen clauses are eligible for the extension for up to one year from the effective date of the regulations. Sale of PHI (A)(5)(ii)(B) Sale of PHI means a disclosure of PHI by a covered entity or BA where the covered entity or BA directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI. There are a number of exceptions to this regulation delineated. Consents for Research A covered entity may combine conditioned and unconditioned authorizations for research. The consent must clearly differentiate between the research components. It must clearly allow the individual to opt in to the unconditioned research activities (it is not permissible to only allow the individual to opt out of the unconditioned research activities). HHS modified its interpretation that research authorizations must be study specific. However, no modifications were made to the authorization requirements at A HIPAA authorization for future research must still address each of the core elements; however, the HHS will no longer interpret the purpose provision at (c)(1)(iv) as requiring that an authorization for the use or disclosure of PHI for research purposes be study specific. There must be a description of the general purpose that reflects the individual is authorizing PHI to be used or disclosed for future research. The expiration date for the authorization can be end of research study, or none, or designate a specific time limit. Disclosures about a Decedent to Family Members and Others Involved in Care (b) The PHI of a decedent may be disclosed to those family members and others involved in the care or payment for the care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the decedent that is known to the covered entity. Disclosures of Student Immunizations to Schools (b) A covered entity may disclose proof of immunizations to schools upon an oral or written authorization from the student s parent, guardian, or other person acting in loco parentis. An oral request must be documented

5 Fundraising (f) A covered entity may decide what methods individuals can use to opt out of receiving fundraising communications. The methods can t impose an undue burden on, or more than nominal cost to, the individual. The scope of the opt out and how to opt back in is at the discretion of the covered entity. The information that can be used and disclosed for fundraising was expanded and now includes names, addresses, other contact information, age, gender, date of birth, health insurance status, department of service, the treating physician, and outcomes. The covered entity s Notice of Privacy Practices (NPP) must inform individuals that they may be contacted for fundraising and that the individual has the right to opt out of receiving fundraising materials. The opt out requirements apply to fundraising solicitations over the phone as well as by mail. It is to be noted that the notice and opt out requirements for fundraising communications apply only where the covered entity is using or disclosing PHI to target fundraising communications. Notice of Privacy Practices (NPP) The NPP must include a statement that most uses and disclosures of psychotherapy notes, PHI for marketing purposes, and disclosures that constitute a sale of PHI require the individual s authorization. However, if the covered entity does not record or maintain psychotherapy notes, that statement does not have to be included. There must be a statement that fundraising communications may be sent to individuals but they have the right to opt out of receiving such communications. There must be a statement that the individual has the right to restrict disclosures of PHI to a health plan if the individual pays out of pocket in full for that health care item or service. Only health care providers must include this statement. There must be a statement that individuals have the right to be notified of a breach of unsecured PHI. These modifications are determined to be significant and therefore individuals must be notified of the revised NPP. Health plans that post their NPP on their website must: (1) prominently post the material changes or revised NPP by the effective date of the regulations; and (2) provide a revised NPP or the material changes (and how to obtain a revised NPP) in their next annual mailing to plan members, such as at the beginning of the next plan year or during open enrollment. If a health plan does not have a customer service website, it must then provide the revised NPP, or the material changes and how to obtain the revised NPP, to plan members within 60 days of the revisions to the NPP. Right to Request a Restriction of Uses and Disclosures (a) This regulation only applies to covered entity health care providers. Individuals have a right to restrict the disclosure of PHI to a health plan for a service or item that the individual pays out of pocket. Providers may require payment in full at the time of the request for a restriction to avoid payment issues. This may be especially applicable where precertification is required for a health plan to pay for an item or service to avoid a situation where the provider can t seek reimbursement from the health - 5 -

6 plan if the individual fails to pay for the item or service. If the provider is unable to unbundle the item or service that the individual wants to pay out of pocket, the provider must inform the individual and give the individual the opportunity to pay out of pocket for the entire bundle of items or services. It is the obligation of the individual to notify all providers of the request for the restriction and pay those providers out of pocket. Access to PHI If an individual requests an electronic copy of personal PHI that is maintained electronically, the covered entity must provide the PHI in electronic form if it is readily producible or, if not, in a readable electronic form as agreed to by the covered entity and the individual (such as in MS Word or Excel, text, HTML, or text-based PDF). If the individual will not accept any of the electronic formats offered by the covered entity, the individual shall be provided with a hard copy of personal PHI. A covered entity is permitted to send PHI in an unencrypted if the individual is advised of the risks and the individual requests the unencrypted . Fees (c)(4) Reasonable, cost-based fees may be imposed by a covered entity for copies of PHI. Fees may now include costs for labor for copying the PHI, whether paper or electronic, such as: the time required for a skilled technician to create and copy electronic record; compiling, extracting, scanning, and burning PHI to media; distributing media; and preparing a summary of PHI. Fees may also include the cost of supplies for creating a paper copy or electronic media, and charges for postage. Charges cannot be made for labor costs to retrieve PHI. Fees associated with maintaining systems and recouping capital for data access, storage, and infrastructure are not reasonable, cost-based fees, and aren t permissible. However, a fee can be imposed for the preparation of an affidavit to accompany PHI; that is not subject to the cost-based fee limitation. If state law designates the fees that may be imposed for copies of PHI, the covered entity must still comply with HIPAA in that the fees be cost-based. Timeliness of Providing PHI (b) The regulation that permitted an extra 60 days for timely responding to a request for PHI when it was not maintained or accessible onsite has been deleted. PHI must be provided within 30 days of the request. However, the one-time extension of 30 days is still permissible. Organized Health Care Arrangement (c)(5) In an organized health care arrangement (OHCA), PHI may be disclosed to any other participants in the OHCA, not just to other covered entities

7 Disclosures of PHI to Family and Friends (b)(3) Disclosures of PHI to an individual s family and friends when the individual is not present to agree or object can include PHI directly relevant to the person s involvement with the individual s care or payment related to the individual s health care or as needed for notification purposes. Disclosures to Employers for Workplace Medical Surveillance (b)(1)(v)(A) When an employer needs PHI to comply with workplace medical surveillance laws, a covered entity may disclose the PHI to the employer, subject to certain conditions, if the covered entity is a health care provider who provides health care to the individual at the request of the employer. Breach Notification The definition of breach has been revised by deleting the harm standard ( no significant risk of harm to the individual ). The impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or BA demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment that includes the following factors: (1) the nature and extent of the PHI involved, including the types of re-identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated In performing the risk assessment, in analyzing factor number one, the following are questions that should be addressed: (1) whether the PHI is of a more sensitive nature; (2) whether the PHI included financial information (Social Security number, credit card number, or other information that increases the risks of identity theft or financial fraud); (3) the amount of detailed clinical information and the nature of services; and (4) whether the PHI could be used by the recipient in a manner adverse to the individual or used to further the recipient s own interests. In analyzing factor number two, the following questions should be addressed: (1) whether the recipient has obligations to protect the privacy and security of the PHI; (2) whether the recipient has the ability to re-identify the PHI; and (3) whether the use or disclosure of the PHI occurred within the covered entity or BA or external to the covered entity or BA. In analyzing factor number four, determine whether the recipient s satisfactory assurance can be obtained that the PHI will not be further used or disclosed and that the PHI will be destroyed, such as through a confidentiality agreement or other similar means. It is to be noted that uses and disclosures of PHI that violate the minimum necessary standard may qualify as a breach. The OCR takes the position that if a computer is lost or stolen, it is not reasonable to delay breach notification based on the hope that the computer will be recovered

8 There was clarification that there is nothing in the regulations that requires that the notice of a breach include the names of the employees involved with the breach or the specific disciplinary action imposed. If an individual has agreed to only receive communications from the covered entity orally or by telephone, the covered entity can telephone the individual and advise the individual to pick up the breach notice. If the individual does not want to pick up the breach notice, the information contained in the notice can be given to the individual over the telephone, with the telephone call documented. A clarification was made that breaches affecting less than 500 individuals must be reported to the DHHS within 60 days after the end of the calendar year in which the breaches were discovered (previously was occurred ) Modifications under the Genetic Information Nondiscrimination Act of 2008 (GINA) The definition of health information was modified to include genetic information. The following GINA-related definitions were added: family member ; genetic information ; genetic services ; genetic test ; manifestation or manifested ; and underwriting purposes. Health plans, other than health plans that are issuers of long term care policies, are prohibited from using or disclosing genetic information for underwriting purposes (a)(5). Health plans that use or disclose PHI for underwriting must include a statement in their NPP that they are prohibited from using and disclosing genetic information about the individual for underwriting purposes (b)(1)(iii)(D). This is considered a material change to the NPP. Moving Forward For questions or further information, please speak to your regular Bryan Cave contact, a member of our Life Sciences and Health Care Client Service Group, or the author of this client alert: Sheryl Feutz-Harter Kansas City Sheryl.FeutzHarter@bryancave.com - 8 -