HIPAA Compliance PART I: HHS Final Omnibus HIPAA Rules
Colin J. Zick, Foley Hoag LLP, (617) 832-1000, www.foleyhoag.com
February 6, 2013
www.securityprivacyandthelaw.com
HIPAA Compliance: PART I 1

Finally!

On January 18, 2013, nearly four years after the passage of the HITECH Act and its amendments to HIPAA, and nearly three years after it proposed regulatory amendments, the U.S. Department of Health and Human Services ("HHS") has finally issued major omnibus revisions to HIPAA's privacy and security regulations.

Overview of the New Omnibus HIPAA Privacy and Security Regulations

In the 563 pages of the regulations and related regulatory comments, there are many substantive and technical changes. However, we distilled two major themes in these revisions:
- Extension of HIPAA generally, and in particular the direct extension of HIPAA to business associates and their subcontractors, so that the entire food chain that deals with PHI now falls under HIPAA's privacy and security regulations; and
- Ramping up the regulations on data breach, including shifting the burden on breach notification, so that it now sits squarely on the covered entity/business associate to prove a low probability that PHI has been compromised.

The Business Associate as Covered Entity

HIPAA's privacy and security requirements will now directly apply to business associates: "Where provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to a business associate." 45 C.F.R. 160.102.
- Business associates are now created by regulation as well as by contract.
- Elements of the Privacy Rule now apply to business associates.
  - Business associates don't have to do a Notice of Privacy Practices.
- All elements of the Security Rule apply.
- OCR has provided a new model business associate agreement.
- This change also includes subjecting business associates to compliance reviews. 45 C.F.R. 160.308.

The Definition of Business Associate

The definition of business associate itself has been expanded to include:
- An entity that creates, receives, maintains or transmits PHI. (Was formerly "use or disclosure".)
- A subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate. 45 C.F.R. 160.103.
  - Solves the awkward undefined "third party agreement" problem between a BA and its subcontractors.

The rule also clarifies who else is a business associate:
- A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to PHI to a covered entity and that requires access on a routine basis to such PHI.
  - Entities involved in data transmission, if the data transmission requires access to the PHI on a routine basis (this does not mean your ISP).
- A person that offers a personal health record to one or more individuals on behalf of a covered entity.

Uses of PHI by Business Associates

- Only as permitted by the business associate agreement or required by law (not "as permitted by law").
- Business associates can't use PHI in a way that would violate the Privacy Rule.
- Subcontractors of business associates will automatically become business associates themselves, and business associates will be required to obtain satisfactory assurances that the subcontractors are complying with HIPAA. 45 C.F.R. 164.308(b)(2).
  - Subcontractors are subject to the business associate agreement with the covered entity.
  - How do you know what the business associate agreement says?
- The business associate agreement must follow minimum necessary rules.

Breach: The New Rule

The definition of breach is changed, with the burden now on the covered entity to prove there was not a breach. In particular, an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised, based on the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The identity/role of the unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated. 45 C.F.R. 164.402(2).

Comments indicate an excessive internal use can also be a breach. Risk of re-identification also has to be accounted for. Encrypted data is still outside the definition of a breach under this rule (but not under Massachusetts law).

Review and Investigations

- Investigation is required if the possible violation arises from willful neglect; discretionary otherwise.
- Every complaint will be investigated preliminarily.
- HHS OCR may disclose PHI to other agencies on request.
- FTC, HHS OCR and DoJ are working together and can assist state AGs.
- Levels of penalties remain the same as under the prior interim final rule:
  - $100-$50,000: did not know
  - $1,000-$50,000: reasonable cause
  - $10,000-$50,000: willful neglect, corrected
  - $50,000: willful neglect, NOT corrected
- Reasonable cause -- knew it was a violation but committed it without willful neglect: is this the "stupid mistake" tier?
- The willful neglect standard remains the same: conscious, intentional failure or reckless indifference.

Breach Notification New Rule: Penalties

The factors that are taken into account for imposing civil penalties have been revised to include:
- "The number of individuals affected";
- "The time period during which the violation occurred";
- Financial harm to the affected individuals;
- "Harm to an [affected] individual's reputation";
- "Hinder[ing] an [affected] individual's ability to obtain health care."

In other words, breaches that impact more people over a longer time with resulting harm will be punished more severely. A history of previous indications of non-compliance also will be factored into this HIPAA civil penalty analysis. 45 C.F.R. 160.408.

Breach Notification New Rule: Penalties (continued)

Business associates (and subcontractors) may also be liable for the increased penalties for noncompliance based on the level of culpability, up to a maximum penalty of $1.5 million, as HHS OCR can:
- Receive and investigate complaints;
- Require them to submit reports to HHS OCR and cooperate with investigations;
- Perform compliance reviews on them.

They must abide by whistleblower protections.

Liability for CMPs by a covered entity for business associate agreements and subcontractors is based on the federal common law of agency: did the covered entity control, or have the right to control or direct, the agent's conduct in performing the contracted service? If there is a business associate agreement, isn't the answer always yes?

Marketing

Under the new rules, prior authorization from the patient is required for using or disclosing PHI if the covered entity or business associate receives remuneration for making a marketing communication from the third party whose product or service is being marketed.

Marketing is now defined to exclude:
- Refill reminders; and
- For case management or care coordination, contacting individuals with information about treatment alternatives, and related functions, to the extent these activities do not fall within the definition of treatment. 45 C.F.R. 164.501.

- Face-to-face communications are still outside authorization requirements.
- The authorization must disclose that the communication is a paid one.
- Covered entities can use a general authorization for all communications in advance, or secure authorization on a case-by-case basis.

Fundraising

Defined as using PHI to promote your own entity (not for a third party that's marketing).

Some new elements of PHI can be used without patient authorization:
- Name
- Address and other contact information
- Age and date of birth
- Gender
- Department of service information
- Treating physician
- Outcome information; and
- Health insurance status.

Patients can opt out of fundraising, and must be provided with the opportunity to opt out:
- Opt out in advance
- Opt out with each communication. 45 C.F.R. 164.502(f)(1).

Cannot discriminate against those who opt out.

Sale of PHI

The sale of PHI without authorization is prohibited. The rules also clarify that the prohibitions on the sale of health information do not apply to public health or research purposes, or treatment, or sale of an entity, or to a business associate. 45 C.F.R. 164.502(a)(5)(ii).

You can sell PHI with authorization and notice that discloses that payment is being made or that non-financial benefits are being provided.

Exceptions where sale of PHI is permitted:
- Public health
- Research (FMV costs for preparation and transfer are ok)
- Treatment and payment
- Corporate transactions
- Business associates
- Required by law

Research

- As noted in the preceding fundraising discussion, remuneration for transfer of PHI for research is allowed (costs must be reasonable).
- Compound patient authorizations are now allowed.
- Authorizations can be for future and present research, as long as the future use is something that the individual would reasonably expect.

Genetic Information: Huh?

Strangely, these revised regulations also include an expansion of very specific genetic privacy protections (which have no basis in the original 1996 HIPAA statute). In particular, the definition of health information now includes genetic information.

The final rule prohibits using or disclosing protected health information that is genetic information for underwriting purposes by all health plans that are covered entities under the HIPAA Privacy Rule, including those to which GINA does not expressly apply.
- Exception with regard to issuers of long term care policies, who can still use genetic information for underwriting purposes. 45 C.F.R. 164.502(a)(5)(i).
- This would have to be in a notice of privacy practices for a health plan.

Patient Access Issues

Patients can request a copy of their electronic medical record in an electronic format. 45 C.F.R. 164.524(c)(3).
- Must be in the requested format, if readily producible.
- If not in the requested form, must be in a form agreed upon between the covered entity and the patient.
  - No requirement to buy new software to comply with this requirement, but you have to be able to provide something to the patient.
  - If you cannot agree, then hard copy may be an acceptable default.
  - Not required to accept a patient's storage device.
- Unsecured transfers to patients are permitted if the patient requests them. If the patient asks for an email to a Gmail account without encryption, and you advise them of the risks, you can do this.
  - Need a standard form of disclosure, like informed consent.
- Now 60 days (formerly 90 days) to respond to such a request. In any event, sooner is always better.

Other Changes of Interest

There are several provisions that make patient interactions with the health care system simpler and easier:
- Patient Safety Organizations are now included within the scope of health care operations.
- The definition of family member is given greater specificity and breadth.
- It also should be easier for family members to access the records of a deceased individual, if they were involved in that individual's care before death. 45 C.F.R. 164.510(b)(5).
- It will be easier for parents and others to give permission to share proof of a child's immunization with a school. 45 C.F.R. 164.512(b)(1)(vi).
- HIPAA won't protect the information of individuals who have been deceased for over 50 years, as the definition of PHI has been changed to exclude such information. 45 C.F.R. 164.502(f).

Limiting Data to Payors

When individuals pay for their care themselves, they can instruct their provider not to share information about their treatment with their health plan. 45 C.F.R. 164.522(a)(1)(vi)(B).
- Payment in full for a particular service
- Annual deductible not met

This can be done by the patient service by service: one can foresee mental health services being paid in cash by many.

What is NOT in the New Rules

- No increase in civil monetary penalties. The maximum remains at $1.5 million.
- Definition of psychotherapy notes still under study.
- OCR's report on personal health records that are not within the definition of PHI under HIPAA. This also is under FTC jurisdiction.
- Any private cause of action or damages awards to those harmed by HIPAA violations.
- Guidance on accounting for disclosures.

Effective Dates

- The Omnibus Rule is generally effective March 26, 2013.
- Enforcement rule changes are effective March 26, 2013.
- The compliance date for everything else is September 23, 2013, EXCEPT for existing business associate agreements, which must be changed by September 23, 2014.
- Business associate agreements amended before September 23, 2014 must be amended to conform to the new rules.