Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates
November 7, 2013

Brad M. Rostolsky, Partner, Reed Smith LLP, brostolsky@reedsmith.com
Nancy E. Bonifant, Associate, Reed Smith LLP, nbonifant@reedsmith.com
Agenda
Compliance Dates
HIPAA Enforcement
Breach Notification Rule
Marketing Communications
Sale of Protected Health Information
Business Associate Compliance
Individual Rights
Key Dates for Compliance
Final Rule published: January 25, 2013
Effective Date: March 26, 2013
Breach Notification Rule enforced under the Interim Final Rule until the General Compliance Date
General Compliance Date: September 23, 2013
Exceptions: Business Associate Agreements
Exceptions: Prescription Refill Reminders
Key Dates for Compliance (cont.)
Enforcement Rule: March 26, 2013
Business Associate Agreements
Grandfather period: through Sept. 22, 2014, unless the BAA is modified or renewed
New BAAs executed (or those modified/renewed) must meet Final Rule requirements by Sept. 23, 2013
Prescription Refill Reminders
Grandfather period: through Sept. 23, 2014, if the patient was already enrolled in the program, provided that the patient has not opted out and the prescription has not been renewed
HIPAA Enforcement
Global Considerations
Say Goodbye to Voluntary Compliance!
A Security Rule Risk Assessment is a key component to successfully surviving an OCR investigation/inquiry
This is reflected through direct statements and enforcement trends
The Final Rule mostly imports earlier changes from the 2009 Interim Enforcement Final Rule and the 2010 HITECH Proposed Rule
HIPAA Enforcement (cont.)
HITECH Enforcement CMP Levels (per violation; cap for all identical violations per calendar year)
Did Not Know: $100 - $50,000 per violation; $1.5 million per calendar year
Reasonable Cause: $1,000 - $50,000 per violation; $1.5 million per calendar year
Willful Neglect - Corrected: $10,000 - $50,000 per violation; $1.5 million per calendar year
Willful Neglect - Not Corrected: $50,000 per violation; $1.5 million per calendar year
HIPAA Enforcement (cont.)
For Violations due to Willful Neglect
An investigation or compliance review will always be triggered whenever OCR's preliminary review indicates a possible violation because of willful neglect
OCR may now proceed immediately to penalties (it no longer must first try to resolve noncompliance through informal means)
Business associates are now directly liable for CMPs
HIPAA Enforcement (cont.)
Agency Relationships
Covered entities are now liable for the acts of their business associate agents
Business associates are liable for the acts of their subcontractor agents
OCR: the key consideration is control
Affirmative Defenses
Old Rule: No CMP where a violation is criminally punishable
New Rule: No CMP where a violation is criminally punished
HIPAA Enforcement (cont.)
OCR (maybe) has less discretion in determining the CMP amount
Based on the nature and extent of the violation and the extent of the harm resulting from the violation
OCR Guidelines for calculating CMPs
Number of violations = number of individuals affected
Number of violations = number of days a safeguard was not in place
The $1.5 million limit for identical violations in a calendar year applies to the legal entity constituting the covered entity
Important when various business units within a covered entity suffer enforcement for identical violations
Enforcement Perspective of OCR (relating to breaches)
The government appreciates that loss and theft will occur
Ultimately, when it does occur, OCR will focus on what was done preventively to best protect the involved PHI
Does a covered entity/business associate have a good (and documented) reason as to why encryption was not used?
Breach Notification Rule
History
2009 HITECH Act
2009 Interim Final Rule
HITECH Final Rule
The bulk of the Breach Notification Rule has been left unchanged:
Notification of breach of unsecured PHI
Media notice requirements (500+ individuals)
Notice to OCR (including annual notice for fewer than 500 individuals)
Content requirements of notice
Timing of notice to individuals (without unreasonable delay, but in no event later than 60 days after discovery)
Breach Notification Rule (cont.)
Significant Change: Definition of Breach
HITECH Act definition: acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the privacy or security of PHI
Interim Final Breach Notification Rule: further defined "compromise" as a risk of harm analysis (financial, reputational, other harm)
OCR (and industry) have noted challenges in applying this standard
HITECH Final Rule: impermissible access, use, or disclosure under the Privacy Rule is now presumed to be a breach unless it can be demonstrated that there is a low probability that the PHI has been compromised
Breach Notification Rule (cont.)
Determination that there is a low probability that PHI has been compromised
OCR provides four factors that must be weighed in making this determination:
1. Nature and extent of the PHI involved (including the types of identifiers involved), and likelihood of re-identification
Risk of Harm component? Not really: consider the likelihood of re-identification based on the PHI involved and the identity of the recipient
2. The unauthorized person who used the PHI or to whom the disclosure was made
3. Whether the PHI was actually acquired or viewed
4. The extent to which the risk to the PHI has been mitigated
Satisfactory assurances
Additional OCR guidance to be published; timing is unclear
Breach Notification Rule (cont.)
Important Clarifications and Emphasis in Final Rule
Limited Data Set exception removed
Trigger for annual notification is the date of discovery (not the date of the incident)
Important for incidents that occur (but are not discovered) at the end of a calendar year
Media notice does not require covered entities to buy ad space
Notification time period is not "within 60 days of discovery"
60 days is the absolute latest a notification may be deemed compliant
Marketing Communications
Former Privacy Rule
To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service
Treatment and certain health care operations communications excluded
Final Rule
Eliminates exceptions for financially remunerated treatment and health care operations communications
Prior authorization required when a covered entity receives financial remuneration in exchange for making a treatment communication
Marketing Communications (cont.)
Financial Remuneration
Defined as monetary direct or indirect payments from the third party whose product or service is being described
Notably, financial remuneration does not include in-kind benefits
Financial Remuneration and Business Associates
If a business associate (or subcontractor) receives financial remuneration from a third party in exchange for making a communication about a product or service, that communication is marketing and requires an authorization
Marketing Communications (cont.)
Two Critical Questions:
1. Is the covered entity or business associate receiving financial remuneration?
2. Is the covered entity or business associate receiving the financial remuneration for the purpose of making the communication?
Marketing Communications (cont.)
Scope of Authorizations
Need not be limited to communications describing a single product or service, or the services of a single third party
A single authorization may apply to subsidized communications generally
Exceptions to Authorization Requirement Remain
Face-to-face communications
Promotional gifts of nominal value
Marketing Communications
Prescription Refill Reminder Exception
Financially remunerated prescription refill reminders remain excluded if the financial remuneration is limited to the reasonable costs of making the communication
Recent Guidance from OCR
Two-and-a-Half Critical Questions:
1. Is the communication about a currently prescribed drug or biologic?
2. Does the communication involve financial remuneration, and if so, is it reasonable?
Marketing Communications
Prescription Refill Reminder Exception (cont.)
Is the communication about a currently prescribed drug or biologic?
Within Exception:
Refill reminders about a drug or biologic that is currently being prescribed
Communications regarding generic equivalents
Communications about a recently lapsed prescription (i.e., within the past 90 calendar days)
Adherence communications
For individuals who are prescribed a self-administered drug or biologic, communications regarding all aspects of a drug delivery system
Not Within Exception:
Communications about specific new formulations of a currently prescribed medicine
Communications about specific adjunctive drugs related to the currently prescribed medicine
Communications encouraging an individual to switch from a prescribed medicine to an alternative
Marketing Communications
Prescription Refill Reminder Exception (cont.)
Does the communication involve financial remuneration, and if so, is it reasonable?
Within Exception:
No financial remuneration involved
Only non-financial or in-kind remuneration, such as supplies, computers, or other materials
Only payments from a party whose product is not being described (and not on behalf of the party whose product is being described)
Financial remuneration covers only the reasonable direct and indirect costs related to the refill reminder (i.e., labor, materials, and supplies, as well as capital and overhead costs)
Involves payment to a business associate assisting the covered entity, which is limited to the FMV of the business associate's services
Not Within Exception:
Involves financial remuneration not described above
Sale of Protected Health Information
Sale of PHI Defined
The disclosure of PHI by a covered entity (or business associate, if applicable) where the covered entity directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI
Financial Remuneration
Unlike marketing communications, remuneration includes financial payments as well as nonfinancial, in-kind benefits
In Exchange For PHI
Covered entity is primarily being compensated to supply PHI
Excludes remuneration in the form of grants and contracts to perform programs or activities that also involve the disclosure of PHI
Sale of Protected Health Information (cont.)
General Prohibition: Sale of PHI is prohibited in the absence of an authorization that states the disclosure of PHI will result in remuneration to the covered entity
Notable Exceptions - Regardless of the Amount of Remuneration:
For public health purposes
For treatment and payment purposes
For the sale, transfer, merger or consolidation of all or part of the covered entity, and for related due diligence
As required by law
Sale of Protected Health Information (cont.)
Notable Exceptions - With Limits On Remuneration:
For research purposes (provided the remuneration is limited to the covered entity's reasonable cost to prepare and transmit the PHI)
To the individual to provide him/her with access to PHI or an accounting of disclosures (remuneration limited to permissible charges under the Privacy Rule)
To or by a business associate for activities that the business associate undertakes on behalf of a covered entity, or on behalf of a business associate in the case of a subcontractor (remuneration must be for the actual performance of activities)
For any other purpose permitted by or in accordance with the Privacy Rule (limited to a reasonable cost-based fee)
Business Associate Compliance
Definition of Business Associate Expanded
Health Information Organizations
E-Prescribing Gateways
Patient Safety Organizations
Cloud Providers
Business associate subcontractors
Requires delegation of a function, activity, or service that involves the creation, receipt, maintenance, or transmission of PHI
All the way down the chain
Business Associate Compliance (cont.)
Direct Liability: Security Rule
September 23, 2013: Business associates are directly liable for a failure to comply with the requirements of the Security Rule
Direct Liability: Impermissible Uses and Disclosures of PHI and Business Associate Agreements
A business associate's Privacy Rule obligations are tied to the uses and disclosures permitted and prohibited in the BAA
But a business associate's liability exposure is not tied to the existence of a BAA: liability attaches when a person creates, receives, maintains or transmits PHI on behalf of a covered entity
Business Associate Compliance (cont.)
Direct Liability: Additional HITECH Statutory Requirements
For a failure to provide breach notification to the covered entity
For a failure to provide access to a copy of electronic PHI to either the covered entity, the individual, or the individual's designee (whichever is specified in the business associate agreement)
For a failure to disclose PHI where required by the Secretary to investigate or determine the business associate's compliance with the HIPAA Rules, or
For a failure to provide an accounting of disclosures
Individual Rights
Statutory Requirement for Accounting of Disclosures Not Addressed
May 2011 Proposed Rule
The HITECH Act requires an accounting of disclosures of PHI made by a covered entity over the past three years to carry out treatment, payment, and health care operations
Omnibus HITECH Final Rule Addresses:
An individual's right to restrict certain disclosures of PHI
An individual's right to access his or her PHI maintained in designated record sets
Individual Rights (cont.)
Right to Request a Required Restriction
Covered entities are required to comply with an individual's request to restrict disclosure of the individual's PHI to a health plan where:
The disclosure is for payment or health care operations purposes
The disclosure is not otherwise required by law
The PHI pertains solely to health care services or items for which the individual, or another person on the individual's behalf, has paid the covered entity in full
Individual Rights (cont.)
Right to Access PHI: Individuals now have the right to obtain an electronic copy of PHI that is maintained in any electronic system.
Readable Electronic Format: Covered entities must be able to provide a readable electronic form. For example, MS Word or Excel, text, HTML, or text-based PDF.
Time to Respond to Request: Thirty days to take action, and one 30-day extension.
Fees: Reasonable, cost-based fees may be charged. Such fees may not include labor costs for locating the PHI, but may include labor costs for creating and copying the electronic file.
Questions?