Final Rule Gives Patients a New Right under HIPAA to Access Completed Test Reports Directly from Labs

This post was written by Nan Bonifant, Brad Rostolsky, and John Wyand

On February 6, 2014, the U.S. Department of Health & Human Services’ (HHS) Centers for Medicare & Medicaid Services (CMS), Centers for Disease Control and Prevention (CDC), and Office for Civil Rights jointly published a final rule amending the HIPAA Privacy Rule and the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to provide patients with direct access to laboratory test reports. HHS believes that a right to access these test reports under HIPAA is crucial to provide patients with vital information to empower them to better manage their health and take action to prevent and control disease. The amendments to both regulations become effective April 7, 2014, and HIPAA-covered laboratories must comply with the new right by October 6, 2014.

Under the currently enforced Privacy Rule, a patient’s right to access his or her protected health information (PHI) is limited with respect to PHI maintained by a CLIA laboratory or a CLIA-exempt laboratory. This limitation was included in the Privacy Rule because the existing CLIA regulations may prohibit such laboratories from disclosing this information. Currently, a CLIA laboratory may only disclose laboratory test results to three categories of individuals or entities: (1) the “authorized person,” (2) the health care provider who will use the test results for treatment purposes, and (3) the laboratory that initially requested the test. An “authorized person” is the individual authorized under state law to order or receive test results. If a state does not authorize patients to receive their test results, the patients must receive this information from their health care providers.

The final rule modifies the CLIA regulations to allow laboratories subject to CLIA, upon the request of a patient (or the patient’s personal representative), to provide access to completed test reports that – using the laboratory’s authentication process – can be identified as belonging to that patient. With respect to the Privacy Rule, the final rule removes the exceptions to a patient’s right of access related to CLIA and CLIA-exempt laboratories. Therefore, as of October 6, 2014, HIPAA-covered laboratories will be required to provide a patient or his or her personal representative with access, upon request, to the patient’s completed test reports, as well as to other PHI maintained in a designated record set. For purposes of the final rule, test reports are not part of a designated record set until they are “complete.” A test report is considered complete when all results associated with an ordered test are finalized and ready for release. These changes to the Privacy Rule preempt any contrary state laws that prohibit a HIPAA-covered laboratory from providing patients direct access to their completed test results.

In order to comply with the amended Privacy Rule, HIPAA-covered laboratories should develop and implement a policy and procedure to receive and respond to patient requests. Processing a request for a test report, either manually or electronically, will require completion of the following steps: (1) receipt of the request from the individual; (2) authentication of the identity of the individual; (3) retrieval of the test reports; (4) verification of how and where the individual wants the test report to be delivered and provision of the report by mail, fax, email or other electronic means; and (5) documentation of test report issuance. Additionally, HIPAA-covered laboratories must revise their notices of privacy practices to inform patients of their right to access completed test reports, including a brief description of how to exercise the right, and to remove any statements to the contrary.

This amendment to the regulations is consistent with OCR’s focus on improving patients’ rights under the Privacy Rule, and represents another important aspect of policy change and documentation efforts for HIPAA-covered entity providers.

ONC Tiger Team Takes a Bite Out of the Proposed Access Report Rule

This post was written by Jennifer Pike and Brad Rostolsky

The Privacy and Security Tiger Team (“Tiger Team”), a subcommittee of the Office of the National Coordinator for Health IT’s HIT Policy Committee, has recommended that the Office for Civil Rights of the U.S. Department of Health and Human Services (“OCR”) abandon its May 2011 proposed rule to require covered entities to provide patients with a list of workforce members who have accessed protected health information (“PHI”) contained in an electronic designated record set (“access reports”). The proposed rule was meant by OCR to implement a provision of the 2009 HITECH Act requiring HHS to expand the existing accounting of disclosures requirement to include disclosures of PHI for treatment, payment and health care operations through an electronic health record.

After months of study and a day-long hearing in September 2013, the Tiger Team concluded that the proposal, which was widely unpopular from its inception, is overbroad and lacks value. In a meeting held December 4, 2013, the Tiger Team stated that it “does not believe the proposed access report meets the requirements of HITECH to take into account the interests of the patient and administration burden on covered entities.”

The Tiger Team proposed an alternative for implementing the HITECH Act’s accounting of disclosure mandate, urging OCR “to pursue a more focused approach that prioritizes quality over quantity, where the scope of disclosures and related details to be reported to patients provide information that is useful to patients, without overwhelming them or placing undue burden on [covered entities].” The Team further recommended that OCR take a “step-wise” approach to implementing the HITECH Act, and focus on data disclosed outside of a covered entity or organized health care arrangement.

In the December 4 meeting, the Tiger Team also recommended that OCR add two new “addressable” standards to the HIPAA Security Rule related to audit controls:

  1. Audit controls must record PHI-access activities to the granularity of (i) the individual user (e.g., human) accessing PHI and (ii) the individual whose PHI is accessed.
  2. Information recorded by the audit controls must be sufficient to support the information system activity review required by section 164.308(a)(1)(ii)(D) and the investigation of potential inappropriate accesses of PHI.

How HHS will respond to the Tiger Team’s recommendations, and when a final rule will be released, remains to be seen.

OCR Releases HIPAA Guide for Law Enforcement

This post was authored by Brad Rostolsky and Jennifer Pike.

On September 20, 2013, the Office for Civil Rights of the U.S. Department of Health & Human Services announced the addition of a new resource on its website to assist law enforcement and emergency planners when addressing information-sharing that may be subject to the HIPAA Privacy Rule. Among other things, the guide does the following:

  • Describes the Privacy Rule and identifies which entities are required to comply
  • Outlines several examples of when disclosures of health information to law enforcement are allowed

The guide is available online.

OCR Announces Enforcement Delay for CLIA Labs

This post was authored by Brad Rostolsky and Jennifer Pike.

The Office for Civil Rights (OCR) of the Department of Health & Human Services (HHS) announced September 19, 2013 that, until further notice, it is delaying enforcement of the requirement that certain HIPAA-covered labs revise their notices of privacy practices (NPPs) to comply with modifications made by the HITECH Final Rule. The enforcement delay applies to HIPAA-covered labs that are subject to the Clinical Laboratory Improvement Act (CLIA), or exempt from CLIA, and that are not required to provide an individual with access to his or her lab test reports, because the reports are subject to the exceptions to the right of access at 45 C.F.R. § 164.524. The delay does not apply to labs that operate as part of a larger legal entity and, by virtue of that relationship, do not have their own NPP.

By way of background, under the Privacy Rule, covered entities must promptly revise their NPPs whenever there is a material change to the privacy practices described in the NPP. The HITECH Final Rule made a number of such material changes, necessitating that covered entities revise their NPPs.

The enforcement delay is a result of HHS’ plan to amend the HIPAA Privacy Rule and CLIA regulations regarding the rights of individuals to receive their test reports directly from CLIA and CLIA-exempt labs. If finalized as proposed, the amendment would result in a material change to the labs’ privacy practices. The purpose of the delay is to decrease the burden on and expense to HIPAA-covered labs of having to revise their NPPs twice within a short period of time.

For more information about the HITECH Final Rule and its implementation, please see our previous discussion of this topic.

HHS Releases Prescription Refill Reminder Guidance

This post was written by Brad M. Rostolsky, Jennifer L. Pike and Nancy E. Bonifant

On September 19, 2013, the Department of Health & Human Services (HHS) released guidance on financially remunerated prescription refill reminders.

Under the currently enforced Privacy Rule, covered entities must obtain an individual’s valid authorization prior to using and disclosing the individual’s protected health information for “marketing” purposes – which includes communications about a product or service that encourages the recipients of the communication to purchase or use the product or service. This requirement, however, includes a significant exception for communications that also meet the definition of “treatment” or “health care operations” communications, including prescription refill reminders, even where a third party subsidizes the covered entity’s communication.

Under the Privacy Rule, determining whether a communication falls within the refill reminder exception depends on (1) whether the communication is about a currently prescribed drug or biologic, and (2) whether the communication involves financial remuneration and, if it does, whether the financial remuneration is reasonably related to the covered entity’s cost of making the communication. HHS now provides guidance on each of these aspects of the refill reminder exception.

Among other points, HHS makes the following notable determinations:

  • Communications about specific formulations of a currently prescribed medicine do not fall within the refill reminder exception
  • When remuneration involves payments to a business associate that assists a covered entity in carrying out a refill reminder or medication adherence program, or in making other excepted communications, and those payments exceed the fair market value of the business associate’s services, the communication does not fall within the refill reminder exception

The release of the guidance follows a September 11, 2013 announcement that HHS has decided not to enforce the restrictions on financially remunerated prescription refill reminders until November 7, 2013, 45 days after the general HITECH compliance date of September 23, 2013. HHS’ decision to delay enforcement came on the heels of a lawsuit filed by Adheris, Inc., a Massachusetts company that provides prescription refill reminders. The lawsuit challenges the constitutionality of the HITECH Final Rule’s restrictions on remunerated prescription refill reminders.

Reed Smith’s HIPAA practice is in the process of conducting a full review of the guidance and will release additional analysis shortly.

HITECH FINAL RULE DELAYED ENFORCEMENT: PRESCRIPTION REFILL REMINDERS

HHS to Release Guidance on “Reasonable” Financial Remuneration by September 23, 2013; Enforcement to Be Delayed Until November 7, 2013

This post was written by Brad M. Rostolsky, Nancy E. Bonifant and Jennifer L. Pike

On September 5, 2013, Adheris, Inc. (“Adheris”), a Massachusetts company that provides, among other services, prescription refill reminders, filed a lawsuit in the U.S. District Court for the District of Columbia against Kathleen Sebelius, Secretary of Health & Human Services (“Secretary”), and the Department of Health & Human Services (“HHS”), challenging the constitutionality of the HITECH Final Rule’s restrictions on remunerated prescription refill reminders. Contemporaneous with its lawsuit, Adheris filed a Motion for Preliminary Injunction seeking to enjoin the Secretary’s enforcement of these restrictions, which was set to begin on September 23, 2013.

In a joint motion filed by the parties today seeking to suspend the court’s schedule on the Motion for Preliminary Injunction, the Secretary and HHS have informed the court that HHS expects to release guidance by September 23, 2013, on the HITECH Final Rule’s “reasonable in amount” restriction applicable to financially remunerated prescription refill reminders. The Secretary has also decided not to enforce the restrictions on financially remunerated prescription refill reminders until November 7, 2013, 45 days after the general HITECH compliance date of September 23, 2013.

Under the currently enforced Privacy Rule, covered entities must obtain an individual’s valid authorization prior to using and disclosing the individual’s protected health information for “marketing” purposes – which includes communications about a product or service that encourages the recipients of the communication to purchase or use the product or service. This requirement, however, included a significant exception for communications that also met the definition of “treatment” or “health care operations” communications, including prescription refill reminders, even where a third party subsidized the covered entity’s communication.

In a marked departure from the currently enforced Privacy Rule (and the July 2010 HITECH Proposed Rule), the Final Rule generally requires authorizations for all third-party subsidized health care operations and treatment communications, with a limited exception applicable to prescription refill reminders. With respect to prescription refill reminders, a covered entity may still receive some financial remuneration from third parties for making these communications, but this remuneration must be “reasonably related to the covered entity’s cost of making the communication.” In preamble language to the Final Rule, HHS made clear that permissible costs include only the costs of labor, supplies, and postage – where a covered entity generates a profit or receives payment for other costs in exchange for making a prescription refill reminder, the exception would not apply and the covered entity would need to obtain individual authorization.

Ultimately, what remains unknown is whether HHS will explicitly permit covered entities, and their business associates, to make a profit in connection with communicating prescription refill reminders, or if HHS will merely reaffirm its previously stated position in the preamble to the HITECH Final Rule.

For more information about the HITECH Final Rule and its implementation, please see our previous discussion of this topic.

HHS Considers Amending the HIPAA Privacy Rule to Encourage Reporting of Mental Health Information to the National Instant Criminal Background Check System

This post was written by Jennifer L. Pike and Nancy E. Bonifant.

The Department of Health and Human Services (“HHS”) is seeking comments on a proposal to amend the HIPAA Privacy Rule to expressly permit covered entities to disclose certain mental health information to the National Instant Criminal Background Check System (NICS), the federal government’s background check system for the sale or transfer of firearms by licensed dealers.

Federal law prohibits the following persons from possessing or receiving firearms: (1) individuals who have been involuntarily committed to a mental institution; (2) individuals who have been found incompetent to stand trial or not guilty by reason of insanity; and (3) individuals who have been otherwise determined, through a formal adjudication process, to have a severe mental condition that results in the individual presenting a danger to themselves or others or being incapable of managing their own affairs (collectively referred to in the proposed rule as the “mental health prohibitor”). Federal agencies are required by the NICS Improvement Amendments Act of 2008 to report to NICS the identities of individuals who are subject to the mental health prohibitor. The Act also authorizes incentives for States to provide such information when it is in their possession.

HHS issued the proposed rule to address concerns that the HIPAA Privacy Rule may be preventing some States from reporting to NICS the identities of individuals subject to the mental health prohibitor.  Records related to involuntary commitments and mental health adjudications generally originate in entities in the criminal justice system.  Such entities are not HIPAA covered entities, and the records are therefore not subject to HIPAA.  However, there may be State entities outside the criminal justice system that are involved in some involuntary commitments or mental health adjudications, and these entities may be HIPAA covered entities.  Where a record of involuntary commitment or mental health adjudication originates with a HIPAA covered entity, or the HIPAA covered entity is the State repository for such records, those records are subject to HIPAA.  Therefore, the concern is that the individuals identified in such records are not being reported to NICS due to HIPAA compliance considerations.

To address these concerns, HHS is considering whether to amend the Privacy Rule to expressly permit covered entities to disclose limited information to NICS about the identities of individuals who are subject to the mental health prohibitor.  Pursuant to the HHS request for comments, the potential exception may limit the information disclosed to the minimum data necessary for NICS purposes, and limit permission to disclose to covered entities that order involuntary commitments, perform relevant mental health adjudications, or are otherwise designated as State repositories for NICS reporting purposes.

HHS is seeking comments on specific questions related to the proposal.  These questions are listed in HHS’ Advance Notice of Proposed Rulemaking, which is available here.  Comments should be submitted in writing, or electronically at www.regulations.gov, on or before June 7, 2013.

The Scope of HIPAA Preemption in Florida: More Questions than Answers

This post was written by Nancy E. Bonifant and Zachary A. Portin.

On April 9, 2013, the Eleventh Circuit held that HIPAA preempts a Florida statute that requires nursing homes to release medical records of deceased residents to their spouses, attorneys-in-fact and other enumerated parties who request them.  In Opis Management Resources LLC v. Secretary Florida Agency for Health Care Administration, the Florida agency that oversees nursing homes cited Opis Management, an operator of nursing homes, for refusing to release medical records to deceased residents’ spouses and attorneys-in-fact.  Opis Management challenged the citations arguing that the requesting parties were not “personal representatives” under HIPAA.

The HIPAA Privacy Rule requires disclosures of PHI in only two situations: (1) to the individual, and (2) to the Secretary of HHS.  Covered entities must also treat a deceased individual’s “personal representative,” who has authority to act on behalf of the deceased individual or his/her estate, as the individual for purposes of disclosures under the HIPAA Privacy Rule.  While HIPAA does not preempt “more stringent” state laws, it sets a floor for privacy protections and supersedes any contrary provision of state law.

The Eleventh Circuit held that HIPAA preempts the Florida statute because it “impedes the accomplishment and execution of the full purposes and objectives of HIPAA and the Privacy Rule,” particularly keeping an individual’s PHI confidential.  According to Judge Black, the Florida statute authorizes “sweeping disclosures” that made a deceased resident’s PHI available to certain individuals upon request without any need for authorization and “without regard to the authority of the individual making the request to act in the deceased’s stead.”  Interestingly, because the Florida agency failed to timely raise the argument, the court did not consider whether compliance with both laws was possible because HIPAA permits covered entities to disclose PHI as “required by law.”

Opis Management Resources highlights one of the many challenges that covered entities face in trying to achieve compliance under HIPAA and state privacy law.  Although the holding suggests that analogous Florida statutes mandating disclosures may too be preempted, the ruling is limited to licensed Florida nursing homes.  Clearly, the scope of HIPAA preemption remains unsettled and the issue will likely continue to be determined on a case-by-case basis.

Loose Lips Sink... Providers?

This post was written by Zachary A. Portin and Nancy E. Bonifant.

Can a medical corporation be directly liable under New York law for breaching its common law fiduciary duty of confidentiality when a non-physician employee acted outside the scope of his or her employment by making an unauthorized disclosure of an individual’s confidential health information?  This is the question that the U.S. Court of Appeals for the Second Circuit posed to the New York State Court of Appeals last month when it requested an advisory opinion from the state’s highest court in order to resolve Doe v. Guthrie Clinic Ltd. 

Plaintiff Doe sued various Pennsylvania-based entities (the “Guthrie Defendants”) that owned and operated the Guthrie Clinic Steuben (the “Clinic”) located in New York after one of the Clinic’s nurses sent six text messages to Doe’s girlfriend informing her that Doe was being treated for sexually transmitted diseases.  Plaintiff Doe brought several tort claims against the Guthrie Defendants, including a novel claim that the common law cause of action for breach of the fiduciary duty to keep medical records confidential runs directly against medical corporations, even when the employee responsible for the breach is not a physician and acted outside the scope of her employment.

Although HIPAA does not create a private right of action under federal law, an aggrieved patient may avail himself or herself of state law causes of action. For example, New York imposes a general duty to maintain the confidentiality of personal health information as well as a specific common law cause of action against a physician who improperly discloses confidential information. In 2000, the Appellate Division of the New York State Supreme Court also held that a patient was permitted to sue a health insurer whose records clerk wrongfully disclosed treatment information. Nevertheless, the Second Circuit elected to certify the question to the Court of Appeals with regard to the Guthrie Defendants after it concluded that no controlling precedent existed.

A favorable ruling for Plaintiff Doe threatens to vastly expand the scope of liability faced by providers and other entities involved in the delivery of healthcare.  Perhaps most concerning from the perspective of providers is the prospect of such entities facing liability under New York law for unforeseeable misconduct committed by non-physician employees.  Regardless of the Second Circuit’s ultimate disposition of this legal question, the case underscores the importance of developing and maintaining a robust compliance program to combat such misconduct.

OCR Announces Expansion of its Health Information Privacy Enforcement Team

This post was written by Brad M. Rostolsky and Jennifer Pike.

On February 27, 2013, the HHS Office for Civil Rights (“OCR”) announced the availability of several Health Information Privacy Specialist positions. This expansion of OCR’s health information privacy enforcement team signals that OCR’s increased enforcement activity during 2012 will continue in 2013. In 2012, OCR announced several enforcement actions resulting from a breach self-report required by HITECH’s Breach Notification Rule, including the $1.7 million settlement in June with the Alaska Department of Health and Social Services and the Massachusetts Eye and Ear Infirmary’s $1.5 million settlement in September. OCR’s 2012 enforcement actions, and OCR leadership comments subsequent to the release of the HITECH Final Rule, suggest that the agency’s focus will be on Security Rule compliance (specifically with regard to whether a regulated entity has conducted a Security Rule Risk Assessment), the lack of overall HIPAA compliance that may lead to a breach (as opposed to the breach itself), and issues involving marketing or the sale of Protected Health Information. Covered entities and business associates should expect OCR enforcement, including audits, to continue to increase over the next year.

More information on these positions is available at usajobs.gov.

Additional information about OCR’s enforcement activities can be found at hhs.gov.

The HITECH Final Rule: The New Privacy/Security Rules of the Road Have Finally Arrived

This post was written by Brad M. Rostolsky, Nancy E. Bonifant, Salvatore G. Rotella, Jr., Elizabeth D. O’Brien, Jennifer Pike and Zachary A. Portin.

On January 25, 2013, the Office for Civil Rights of the United States Department of Health and Human Services published the long-awaited final regulation implementing much of the amendments and additions to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules directed by the 2009 Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).

Noteworthy provisions of the HITECH Final Rule include:

  • Making Business Associates directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules;
  • Converting subcontractors of Business Associates that create, receive, maintain, or transmit PHI on behalf of the Business Associate into Business Associates themselves;
  • Requiring authorizations for all treatment and health care operations communications where the Covered Entity receives financial remuneration for making the communications from a third party whose product or service is being marketed;
  • Replacing the Breach Notification Rule’s “harm” threshold with a presumption that an impermissible use or disclosure of PHI is a Breach unless the Covered Entity or Business Associate demonstrates that there is a low probability that the PHI has been compromised; and
  • Mandating compliance by Covered Entities and Business Associates with applicable requirements by September 23, 2013.

Please click here to read our detailed analysis of the HITECH Final Rule. As always, please contact Brad M. Rostolsky (215-851-8195 or brostolsky@reedsmith.com), Nancy E. Bonifant (202-414-9353 or nbonifant@reedsmith.com), Salvatore G. Rotella, Jr. (215-851-8123 or srotella@reedsmith.com), or any other member of the Reed Smith Health Care Group with whom you work, if you would like additional information or if you have any questions.


It's Here: OCR Releases Long Awaited HIPAA/HITECH Final Rule

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

The Office for Civil Rights (“OCR”) of the Department of Health and Human Services released today the long awaited, and much anticipated, omnibus final rule modifying the HIPAA Privacy, Security, Breach and Enforcement Rules.  The final rule, which implements the statutory requirements of the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Nondiscrimination Act (“GINA”), is comprised of four final rules and addresses the July 2010 HITECH proposed rule, the Breach Notification and Enforcement interim final rules, as well as the October 2009 GINA proposed rule (collectively, the “HITECH Final Rule”).  Notably, the HITECH Final Rule does not address the May 2011 proposed accounting and access report rule.

Noteworthy provisions of the HITECH Final Rule include:

  • Making Business Associates directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules;
  • Converting subcontractors of Business Associates that create, receive, maintain, or transmit PHI on behalf of the Business Associate into Business Associates themselves;
  • Requiring authorizations for all treatment and health care operations communications where the Covered Entity receives financial remuneration for making the communications from a third party whose product or service is being marketed;
  • Replacing the Breach Notification Rule’s “harm” threshold with a presumption that an impermissible use or disclosure of PHI is a Breach unless the Covered Entity or Business Associate demonstrates that there is a low probability that the PHI has been compromised; and
  • Mandating compliance by Covered Entities and Business Associates with applicable requirements by September 23, 2013.

We are in the process of conducting a full review of the HITECH Final Rule and will release shortly a Client Alert providing a detailed analysis of the Rule.  In the meantime, please contact Brad M. Rostolsky (215-851-8195 or brostolsky@reedsmith.com), Nancy E. Bonifant (202-414-9353 or nbonifant@reedsmith.com), Salvatore G. Rotella, Jr. (215-851-8123 or srotella@reedsmith.com), or any other member of the Reed Smith Health Care Group with whom you work, if you would like additional information or if you have any questions.

OCR Continues Increased Focus on Enforcement, Announces First HIPAA Breach Settlement Involving Less than 500 Individuals

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

On January 2, 2013, the HHS Office for Civil Rights (“OCR”) announced its first settlement and corrective action plan following a breach affecting fewer than 500 individuals. The Hospice of North Idaho (“HONI”) has agreed to pay $50,000 to settle potential violations of the HIPAA Security Rule following the theft of an unencrypted laptop containing electronic Protected Health Information (“ePHI”) for 441 patients. Significantly, this is the third settlement in six months involving unencrypted portable devices.

In addition to the requirement to report breaches affecting more than 500 patients “without unreasonable delay and in no case later than 60 calendar days after discovery of the breach,” which are publicized on OCR’s website, Covered Entities must also maintain a log of all breaches affecting fewer than 500 patients and submit this information to OCR within 60 calendar days after the end of each calendar year. On February 16, 2011, HONI reported the theft to OCR, which commenced an OCR investigation on July 22, 2011. According to OCR, its investigation revealed that HONI had failed to conduct a risk analysis to safeguard ePHI and did not have in place policies and procedures to address mobile device security as required by the HIPAA Security Rule.

Following the $1.7 million settlement in June with the Alaska Department of Health and Social Services and the Massachusetts Eye and Ear Infirmary’s $1.5 million settlement in September, this settlement reinforces the practical necessity of encryption, which Leon Rodriguez, Director of OCR, describes as “an easy method for making lost information unusable, unreadable and undecipherable.” Easy or not, as providers face a health care environment that increasingly relies upon portable devices, encryption remains the primary answer to security risks. Furthermore, it remains the best first defense against the expensive and reputation-damaging reality of notifying patients and OCR that a breach has occurred.

Beyond emphasizing the importance of encryption, OCR’s recent enforcement trends also make it clear that Covered Entities (and, given the import of the forthcoming final HITECH regulation, Business Associates) should treat the Security Rule risk analysis as the central component of Security Rule compliance. Although a risk analysis may require Covered Entities and Business Associates to spend significant resources, OCR plainly views it as critical.

In addition to the $50,000 settlement, the Resolution Agreement between HONI and OCR included a corrective action plan, which requires HONI to investigate any report that a workforce member may have failed to comply with HONI’s Privacy and Security policies and procedures and report actual violations to OCR within 30 days. HONI did not admit any liability in the agreement and OCR did not concede that HONI was not liable for civil monetary penalties.

Additional information about OCR’s enforcement activities can be found here.

Preparing for the HITECH Final Rule Release: HURRY UP AND WAIT!

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

It has been almost two and a half years since the Department of Health and Human Services, Office for Civil Rights (“OCR”), published a notice of proposed rulemaking to implement the statutory requirements of the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and amend the HIPAA Privacy and Security Rules, and almost nine months since the final rule was submitted to the Office of Management and Budget (“OMB”) for final regulatory clearance. While industry speculation, fueled by comments made by Leon Rodriguez, the Director of OCR, at the annual Safeguarding Health Information: Building Assurance through HIPAA Security Conference, suggested that an omnibus final rule would be released by the end of summer, OMB had different ideas.

Now, as we approach HITECH’s four-year anniversary in February, the industry is again speculating that the final rule will be released before year end. As the regulation’s title, “Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules,” makes clear, the rule is expected to address the July 2010 proposed rule, the interim final rules (regarding both breach notification and enforcement) and, hopefully, the May 2011 proposed accounting and access report rule. Therefore, regardless of the ultimate release date, it remains important for Covered Entities and Business Associates to prepare for the forthcoming changes.

The following is a brief review of some key considerations in anticipation of the publication of the final HITECH omnibus rule.

Business Associates: Direct Enforcement and Expansion

  • What was proposed? Though the specifics remain the purview of the final rule, Business Associates will generally be required to comply directly with the Privacy, Security, and Breach Notification Rules as required by HITECH. The proposed rule also included a significantly expanded definition of “Business Associate,” which would convert the subcontractors of Business Associates into actual Business Associates themselves.
  • Why is this important? In addition to the continuing obligation that Business Associates (and now, potentially, their subcontractors) enter into Business Associate Agreements, they will be directly regulated under the Privacy, Security, Breach Notification, and Enforcement Rules. This will require, for example, that Business Associates and their subcontractors comply with the Security Rule’s administrative, physical, and technical safeguards requirements, as well as the Rule’s policies and procedures and documentation requirements. Additionally, Business Associates and their subcontractors would incur statutory liability for noncompliance. Such a change in the framework of HIPAA’s application, in addition to OCR’s more focused approach to enforcement, will have the potential to require Business Associates to spend considerable time and resources on compliance considerations.
  • What should you be doing now? Covered Entities should identify their current Business Associates and consider which additional subcontractors will now require Business Associate Agreements (for example, patient safety organizations and vendors of personal health records that routinely access PHI). Covered Entities and Business Associates should also review existing relationships (with providers and payors, for example) in which a party that actually functions as a Business Associate has not been characterized as one. Business Associates should take stock of their current subcontractors who handle PHI and engage in discussions regarding compliance with the Privacy and Security Rules. Business Associates should also begin assessing their technological capabilities and, at a minimum, begin developing policies and procedures to ensure compliance. Importantly, the proposed rule provides that OCR will not begin enforcing the modified Privacy and Security Rule requirements set forth in the final rule until 180 days after the effective date of the final rule.

Breach Notification Rule: Will OCR say goodbye to the “risk of harm” threshold?

  • What was proposed? At this stage, we have been living under the Breach Notification Rule for more than three years. Although no specific changes have been proposed, HHS has made it clear that a final omnibus HITECH rule will include changes to the current interim final regulation.
  • Why is this important? Since the inception of the interim final Breach Notification Rule, there has been speculation that a “final” final regulation may remove the ability of Covered Entities and Business Associates to self-determine whether an “incident” rises to the level of a Breach or is merely an impermissible disclosure under the Privacy Rule. Shortly after the release of the interim final Breach Notification Rule, Representative Henry Waxman sent a pointed letter to HHS/OCR stating his belief that HITECH did not give OCR the authority to include a “risk of harm” analysis in the determination of whether a Breach occurred. Many state-law equivalents of the Breach Notification Rule likewise do not allow the potential risk of harm from a particular incident to affect whether an affected individual must be notified. The result is an overriding industry concern that every impermissible disclosure under the Privacy Rule (harm or not) may soon become more expensive and logistically challenging to address.
  • What should you be doing now? Regardless of what a “final” final Breach Notification Rule looks like, it seems unlikely that OCR will remove the “encryption safe harbor.” With this in mind, and to the extent not already underway, Covered Entities and Business Associates should strongly consider encrypting PHI (especially on portable devices). Note that the safe harbor applies only to PHI encrypted in a manner consistent with HHS’s guidance, which points to NIST encryption standards and expects the decryption key to be stored separately from the data it protects; an encrypted laptop that is lost together with its key does not qualify.

Creation of a New Individual Right: Access Reports

  • What was proposed? In the May 2011 proposed rule, OCR proposed to give individuals the right to know who, during the prior three-year period, has accessed their PHI stored in an electronic designated record set maintained by the Covered Entity. Significantly departing from the type of activity covered by the Privacy Rule’s current accounting provisions, this “access report” must include a listing of access by employees of the Covered Entity and access for treatment, payment, and health care operations.
  • Why is this important? The right to receive an “access report” would be a new right under the Privacy Rule. Currently, individuals have a right to access and amend their PHI, as well as to receive an accounting of certain disclosures. While the proposed rule would limit an individual’s right to an access report to PHI maintained in an electronic designated record set (and to the three years prior to the date of the request), individuals would now have the right to receive a report identifying who has accessed their PHI for treatment, payment, and health care operations.
  • What should you be doing now? Covered Entities and Business Associates should be engaging their electronic medical records vendors in an open dialogue regarding the capabilities and limitations of their current software, in particular whether audit logs capture every user access to a record, retain those entries for at least three years, and can be exported per patient. Additionally, both types of entities should ensure that they appropriately budget for the potentially significant cost of compliance with a final Access Report Rule.

Marketing and the Sale of Protected Health Information

  • What was proposed? The proposed rule modified the current definition of “marketing” and narrowed the existing exceptions under the Privacy Rule. In particular, the proposed rule distinguished treatment communications from health care operations communications, and clarified when “financial remuneration” received for a communication would make it marketing rather than health care operations. Additionally, OCR removed from the current definition of marketing situations where a Covered Entity discloses PHI to another entity in exchange for remuneration. Instead, OCR characterized this as the “sale of PHI,” which would be specifically prohibited without an Authorization.
  • Why is this important? According to OCR, the Privacy Rule’s definition of marketing has not sufficiently addressed concerns about the ability of “a third party to pay a Covered Entity [] for the Covered Entity to send health-related communications to an individual about the third party’s products or services.” OCR is signaling a stricter approach to marketing communications, which would affect certain remunerated communications previously considered permissible in furtherance of “health care operations.” It also remains unclear whether existing Authorizations (that do not, as would be required under the proposed rule, specifically describe certain payments made for communications) will be deemed compliant after release of the final rule and, if not, what the timeline for compliance will be.
  • What should you be doing now? Covered Entities should identify and analyze situations where they communicate with individuals and receive financial remuneration, either directly or indirectly, from a third party for doing so. Additionally, Covered Entities should scrutinize any situation where they receive financial remuneration in return for a third party communicating with an individual. It is these situations that are likely to be targeted by OCR and may no longer be permissible, without valid Authorizations, under a final regulation.

Fundraising

  • What was proposed? OCR proposed to require Covered Entities to provide, with each fundraising communication, a clear and conspicuous opportunity for the individual to opt out of future fundraising communications. Additionally, this opt-out may not cause the individual to incur an undue burden or more than nominal cost. The proposed rule would also prohibit Covered Entities from conditioning treatment or payment on an individual’s decision to opt out of future fundraising communications.
  • Why is this important? For the most part, the proposed fundraising provisions track HITECH’s statutory language, and will most likely be finalized in their current form. HITECH strengthened an individual’s right under the Privacy Rule to opt-out of fundraising communications by requiring OCR to modify the Privacy Rule so that Covered Entities must treat an opt-out as a revocation of an Authorization. OCR interpreted “shall be treated as a revocation of authorization” as prohibiting the conditioning of treatment or payment on an individual’s decision to allow fundraising communications.
  • What should you be doing now? Covered Entities should consider their current fundraising endeavors and the extent to which such endeavors rely upon the use or disclosure of PHI. It may be prudent to brainstorm cost-effective methods for an individual to opt-out of fundraising communication, such as utilizing existing toll-free numbers and e-mail.

Although the delay in the release of the highly anticipated HITECH final rule has certainly left Covered Entities and Business Associates patiently living in a state of flux, it has been clear since 2009 that the final regulation will significantly change portions of the Privacy, Security, Breach Notification, and Enforcement Rules. While the specifics remain unclear, the HITECH statutory requirements, including the considerations discussed above, provide a good starting point for meaningful continued preparation.

If you have any questions or would like additional information on the material covered in this alert, please contact Brad Rostolsky (215-851-8195 or brostolsky@reedsmith.com), Nancy Bonifant (202-414-9353 or nbonifant@reedsmith.com), or any other member of the Reed Smith Health Care Group with whom you work.

OCR Releases Overdue Guidance on De-identifying Protected Health Information

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

The Office for Civil Rights (OCR) released guidance on Monday, November 26, 2012, regarding methods to de-identify protected health information in compliance with the HIPAA Privacy Rule. This guidance, which followed a June 2012 Government Accountability Office report criticizing the delayed publication of this and related guidance, is intended to help covered entities and business associates understand what de-identification is and how de-identified information is created.

Because the HIPAA Privacy Rule does not restrict the use or disclosure of de-identified health information, the process of de-identification allows researchers and policy workers to have access to critical health information while mitigating privacy risks to the individual. To mitigate those risks, the HIPAA Privacy Rule outlines two de-identification methods that ensure the health information does not identify an individual and that an associated covered entity has no reasonable basis to believe the information can be used to identify an individual: (1) Expert Determination and (2) Safe Harbor.

The Expert Determination method requires the services of an expert in statistical and scientific principles and methods to determine that the risk of re-identification is “very small” and to document that determination. This method involves a three-step process of (i) working with the covered entity to determine appropriate statistical or scientific methods to mitigate the risk of identification, (ii) applying those methods to mitigate the risk, and (iii) assessing the remaining risk. The guidance also addresses the expert’s qualifications, methods for de-identifying information, and approaches to assessing risk.

The Safe Harbor method involves removing 18 categories of identifiers of the individual or of the individual’s relatives, employers, and household members. These identifiers include, for example, names, dates (other than year), geographic subdivisions smaller than a State (as well as ZIP codes, depending on the population of a particular area), Social Security numbers, health plan and account numbers, IP addresses, and “any other unique identifying number, characteristic, or code.” A covered entity must also not have “actual knowledge” that the remaining information could be used to re-identify the individual. In addition to considering specific identifiers and providing examples, the guidance explains this “actual knowledge” standard as “clear and direct knowledge” that the information could be re-identified or awareness that the information is not actually de-identified.

While this subregulatory guidance does not have the force of law, it is important to remember that Section 13424(c) of the HITECH Act mandated its release. Therefore, covered entities, and business associates that de-identify protected health information on behalf of covered entities, are advised to consider the guidance carefully and amend their processes to align with its requirements.

A copy of the guidance can be found here.