HITECH Privacy and Security Regulations Currently Being Drafted

The Health Information Privacy page of the U.S. Department of Health and Human Services (HHS) website has formally announced that regulations implementing the privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act will soon be published for comment, addressing (1) business associate liability; (2) new limitations on the sale of protected health information and on marketing and fundraising communications; and (3) stronger individual rights to access electronic medical records and to restrict the disclosure of certain information. Although this posting is certainly welcome news, from a timing perspective the announcement only indicates that "OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions."

Providing further evidence that the HITECH Act provisions relating to covered entities and business associates will not be enforced until after these forthcoming regulations have been finalized, HHS stated that "[a]lthough the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements." The HITECH Act itself, however, is currently effective, and questions about the effective date for enforcement of the Act's privacy and security requirements may remain until published regulations specifically postpone enforcement. Additionally, HHS reminds us that the Breach Notification Rule and the revised Enforcement Rule are currently in effect, and that covered entities and business associates must comply now with breach notification obligations for breaches discovered on or after September 23, 2009.

FCC Proposes Tougher Rules on Telemarketing

This post was written by Robert H. Jackson.

The Federal Communications Commission (“FCC”) has proposed changes to its Telephone Consumer Protection Act (“TCPA”) rules that would conform them to the Federal Trade Commission’s Telemarketing Sales Rule (“TSR”). The primary change would affect the sending of prerecorded messages (a/k/a “robocalls”) by barring them, even to existing customers, unless the caller first obtains prior written consent. At first blush this seems routine, but because of differences in the FCC’s and FTC’s statutory jurisdiction, there are complicated implementation issues that could trap unsuspecting companies. Another key issue for the health care industry is whether the FCC should create an exemption for prerecorded messages that are subject to the Health Insurance Portability and Accountability Act (“HIPAA”) and, if so, how such an exemption should be implemented. For more information about these changes, please read our client alert written by Robert Jackson.

HHS Rule Implements HITECH Act Changes to HIPAA Enforcement

On Friday, October 30, 2009, the U.S. Department of Health and Human Services ("HHS") published an interim final rule and request for comments that implements certain HIPAA enforcement changes made pursuant to the HITECH Act. Consistent with the provisions of the HITECH Act, the new rule amends the HIPAA enforcement regulations applicable to violations of each of HIPAA's Administrative Simplification Rules (i.e., the Privacy Rule, the Security Rule, the Transactions and Code Sets Rules, the Standard Unique Identifier for Employers (EIN Rule), and the Standard Unique Identifier for Health Care Providers (NPI Rule)) by applying the following categories of violations and tiered penalty scheme to HIPAA violations that occur on or after February 18, 2009.

  • Unknown violations (i.e., if a person did not know and by exercising reasonable due diligence would not have known that a violation occurred): The penalty shall be at least $100 for each violation not to exceed $25,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
  • Violations due to reasonable cause and not to willful neglect: The penalty shall be at least $1,000 for each violation not to exceed $100,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
  • Violations due to willful neglect (and the violations have been corrected): The penalty shall be at least $10,000 for each violation not to exceed $250,000 for all such identical violations during a calendar year, but may be no more than $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.
  • Violations due to willful neglect (and the violations have not been corrected): The penalty shall be at least $50,000 for each violation not to exceed $1.5 million for all such violations of an identical requirement or prohibition during a calendar year.

Furthermore, the interim final rule generally amends a covered entity's ability to employ an affirmative defense against an action seeking civil monetary penalties where (i) the covered entity did not have knowledge or constructive knowledge of the violation, or (ii) the violation was due to reasonable cause and not willful neglect. HHS is also given the authority to waive a civil monetary penalty for violations due to reasonable cause and not willful neglect if the covered entity corrects the violation within 30 days of having knowledge that the violation occurred.

Comments on this interim final rule will be considered if received by December 29, 2009.

New HHS Regulations Impose Federal Security Breach Notification Requirements

The recently enacted Health Information Technology for Economic and Clinical Health (“HITECH”) Act, which amends various aspects of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including the associated Privacy and Security Rules, marks a significant change in how covered entities and their business associates must respond to security breaches under HIPAA.

On August 24, 2009, the U.S. Department of Health and Human Services (“HHS”) issued its interim final rule (“the Rule”) regarding a covered entity’s obligation to notify individuals when their unsecured protected health information (“PHI”) is breached. Furthermore, and depending on the nature of the security breach, the Rule also requires a more global notification whereby covered entities must post information regarding certain breaches in newspapers and on the HHS website.

The Rule became effective on September 23, 2009; however, HHS will not impose sanctions for failure to provide the required notices for breaches discovered before February 22, 2010.

For additional details, read the full alert.

FTC Issues Final Rule on Notifying Consumers About Breaches of Electronic Health Records

This post was written by Mark S. Melodia, Michael K. Brown, J. Ferd Convery, III, Steven J. Boranian, Brad M. Rostolsky, Shana R. Fried and Paul Bond.

Until now, the loss or theft of protected health information rarely resulted in notice to consumers. Very few state data security breach notification laws encompass medical information. The Health Insurance Portability and Accountability Act ("HIPAA") merely required an "accounting" of such events to a patient upon the patient's request.

All that has changed. Congress, in enacting the Health Information Technology for Economic and Clinical Health Act ("HITECH"), imposed breach notification obligations on many of the individuals and business entities that receive, create, or maintain patients' individually identifiable health information. Pursuant to HITECH, on Aug. 17, the Federal Trade Commission ("FTC") issued its Health Breach Notification Rule, governing the breach notification obligations of three new categories of entity: "vendors of personal health records," "PHR related entities" and "third party service providers."

To read the full alert, click here.

Health Information Privacy and Incentives, Medicaid Funding, and Other Health Care Provisions in the American Recovery and Reinvestment Act

This post was written by Karl A. Thallner, Jr., Carol C. Loepere, Debra A. McCurdy, Brad M. Rostolsky, Jacqueline B. Penrod, and Amie E. Schaadt.

On February 17, 2009, President Obama signed into law H.R. 1, the American Recovery and Reinvestment Act (the “ARRA”). The sweeping $790 billion economic stimulus package includes a number of health care policy provisions. Reed Smith's Health Care Memorandum summarizes the major health policy provisions of the Act.

HIPAA Privacy and Security Changes in the American Recovery and Reinvestment Act

This post was written by Brad M. Rostolsky, Gina M. Cavalier, Debra L. Hutchings, Kerry A. Kearney, and Mark S. Melodia.

On Feb. 17, 2009, President Obama signed into law H.R. 1, the American Recovery and Reinvestment Act (the “ARRA”). This memorandum outlines significant changes and additions to the landscape of federal privacy and security law set forth in Subtitle D of the ARRA. In general, the privacy and security portions of the ARRA become effective 12 months after the enactment of the ARRA, which is approximately February 2010. It is also important to note that the ARRA directs the Secretary of the U.S. Department of Health & Human Services (“HHS”) to amend the HIPAA Privacy and Security Rules to implement the legislative changes. As such, the effective dates associated with the rulemaking process will vary.

Click here to read the full alert.

HIPAA Preemption

In "Ex Parte Talks Allowed Under Georgia Law For Counsel, Doctors Preempted by HIPAA" (password required), the United States Law Week discusses in detail Moreland v. Austin, Georgia Sup. Ct. No. S08G0498, a November 3, 2008 decision holding that defense attorneys who wish to engage in ex parte communications with plaintiffs' treating physicians must comply with HIPAA privacy rules. Since HIPAA affords more patient privacy than a Georgia law that permitted ex parte contact once a plaintiff put his or her medical condition at issue, the Georgia law was preempted.

Preemption giveth, and preemption taketh away.

California's New HIPAA-Like Requirements Impose New Data Privacy & Security Duties - and Create New Potential Liabilities

Data breaches can occur in any industry, but those that involve medical information create unique problems. Starting January 1, they also will carry unique penalties, at least in California. The new California laws are Senate Bill 541 (SB 541) and Assembly Bill 211 (AB 211).

Health care providers clearly need to take heed of the laws' directives that they take additional affirmative steps to prevent “unauthorized access” to patient information. But AB 211 is particularly broad in scope, covering “any person or entity" that "negligently discloses" or "knowingly or willfully obtains, discloses, or uses medical information," which means other players in the life sciences industry probably should take note as well. A full discussion of SB 541 and AB 211, written by Janet H. Kwuon and Rachel A. Rubin, is here.

Post-Market Surveillance: FDA's "Sentinel Initiative" and Related CMS Rulemaking

This post was written by Catherine A. Durkin and Areta L. Kupchyk.

On May 22, 2008, the Food and Drug Administration (“FDA”) announced plans for what it is calling the “Sentinel System”—a new, national electronic health information surveillance system to track the performance and safety of medical products once they are on the market. See FDA, “The Sentinel Initiative: National Strategy for Monitoring Medical Product Safety” (May 2008). In addition to a whitepaper on the Sentinel Initiative, FDA has published a “Questions and Answers” document, a fact sheet, and information for consumers, all of which are available at fda.gov.

The same day, the Centers for Medicare & Medicaid Services (“CMS”) announced a final rule allowing it to share prescription drug claims data for the 25 million Medicare Part D enrollees with other government agencies, as well as with “researchers.” Under the rule, shared data will be available for any purpose “deemed necessary and appropriate by the Secretary,” such as analysis, reporting, and public-health purposes, among other things. See 73 Fed. Reg. 30664 (May 28, 2008); CMS Fact Sheet “Medicare Part D Data Regulation” (CMS-4119-F) (May 22, 2008). The rule becomes effective June 27, 2008.

These coinciding initiatives by the two major federal health regulatory agencies are intended to improve health care quality by using information technology and data mining in new ways. However, numerous policy and strategy questions are still up for debate.

The current system for monitoring drug and device adverse events relies on health professionals and patients to: (1) recognize a potential link between an adverse event and a product; and (2) voluntarily report it, either to the manufacturer or to FDA. In recent years, controversies surrounding certain drug safety issues have contributed to criticisms by members of the public and Congress that the current system is often inadequate. To ensure that FDA would improve its current safety monitoring system, Congress passed legislation in September 2007, the Food and Drug Administration Amendments Act of 2007 (“FDAAA”), Pub. L. No. 110-85 § 905, that required FDA to obtain access to data sources, develop a system to link and analyze product safety data available through these sources, and, using these tools, establish an “active adverse event surveillance” program. The Sentinel System, as its name suggests, is intended to accomplish these goals.

As proposed, the Sentinel System would provide FDA with access to a broad range of publicly and privately maintained health data sources so that FDA could search these sources and gather intelligence on potential safety risks associated with drugs or medical devices as trends emerge. See U.S. Department of Health & Human Services, News Release, New Efforts to Help Improve Medical Products for Patient Safety and Quality of Medical Care (May 22, 2008). Through targeted queries of health information databases (such as the Medicare Part D and other claims databases), FDA claims it would be able to obtain de-identified patient data, perform analyses, and draw conclusions regarding product safety in order to improve the overall quality of medical care. FDA also states that the system would be designed to comply with appropriate security and privacy standards.

The notion that health information technology initiatives (such as electronic health records, e-prescribing, etc.) are the key to improving the quality and reducing the costs of our health care system is a major reason Congress mandated FDA’s expansion of post-approval drug and device surveillance. Although FDA has recognized various efforts (in both the public and private sectors) to collect and make use of electronic safety, performance, and other health/patient data, as listed in the Attachment to FDA’s whitepaper on the Sentinel Initiative entitled “Related Federal/Private Sector Activities,” to date, such efforts have not been coordinated or standardized. The Sentinel Initiative ultimately intends to incorporate these efforts on a national level.

Proposed Mechanics of the Sentinel System

Although FDA is still in the early stages of developing the Sentinel System and specific details are scarce, FDA proposes, at least initially, to capitalize on existing data systems, such as medical claims databases and electronic health record systems, through a “public-private partnership” rather than by creating a new, centralized database. Data sources would continue to be owned and maintained by their current owners. Data owners would either be members of the partnership, or contract with FDA and/or the partnership to provide data. The partnership would be subject to a “defined governance process” and structured according to an “established organizational framework,” both still to be determined. Aside from the Medicare Part D claims database, potential public data sources include Medicare Parts A and B, the Veterans Health Administration, the Department of Defense, and CDC’s National Electronic Injury Surveillance System (“NEISS”).

The multiple data sources would somehow be linked with one another so that they would be interoperable and part of an overall, to-be-developed “information technology architecture.” FDA would thus be able to send queries to a variety of data sources and obtain results quickly, which would be stripped of identifiers to comply with any applicable privacy and security laws and/or standards that protect personal and proprietary information. FDA would then be able to review and analyze the data, observe trends, draw conclusions regarding product safety and performance, and take appropriate measures to address concerns. Accordingly, the system is intended to provide FDA with a stronger, more proactive product safety surveillance capability. The system may also serve as a tool for many other types of research performed by other public health agencies and health researchers; for example, evaluating specific treatment outcomes, or assessing utilization trends.

Open Issues and Next Steps

Based on input from the public during a two-day public workshop that FDA held in March 2007 and a comment period in early 2007 (see 72 Fed. Reg. 2284 (Jan. 18, 2007)), FDA has identified the following as key issues that must be resolved prior to implementing the Sentinel System:

  • How will private and/or proprietary information be protected?
  • Who will have access to the system?
  • How will the initiative be funded?
  • What about the quality of the data, standards, and system interoperability? How will these be improved?
  • How will risks and adverse events be identified through data analysis?
  • How will a pilot for the system be developed and validated?

Although FDA has touched upon some of these issues in its whitepaper and related publications, and has raised numerous others (for example, the scientific credibility of the data analysis and the integrity and independence of the system’s management/governance structure), they remain largely unanswered. The next phase of the Sentinel Initiative will incorporate a series of discussions on the “scientific and policy issues that must be addressed.”

Further, FDA plans to begin meeting with potential partners to formalize specific action items necessary to establish the Sentinel System.

According to the CMS fact sheet on the final Part D claims data rule, CMS will hold an open door forum in June 2008 to review the new rule and discuss the claims data release process, as well as to answer questions from the public. Once this open door forum is scheduled, information will be posted here. If you would like information on how to participate in this open door forum, please contact Katie Durkin at cdurkin@reedsmith.com.