What You Need to Know About Recent Proposed Changes to HIPAA Privacy, Security and Enforcement Rules

Transcription

1 What You Need to Know About Recent Proposed Changes to HIPAA Privacy, Security and Enforcement Rules September 22, 2010 Pillsbury Winthrop Shaw Pittman LLP

2 General Overview Health Information Technology for Economic and Clinical Health Act, the HITECH Act Notice of Proposed Rulemaking ( NPRM ) Published in Federal Register July 14 Comment period ended September 13 Overall Effects Payors, physicians, hospitals, vendors, contractors, subcontractors, employers, individuals Changes in the areas of: Regulation of business associates Marketing Sale of protected health information ( PHI ) HIPAA Enforcement Rule 1

3 Business Associates Clarifications NPRM conforms HIPAA regulations to HITECH Act changes Before HITECH, business associates ( BAs ) regulated through business associate agreements ( BAAs ) After HITECH, BAAs are regulated directly under HIPAA NPRM clarifies definition of business associate Included: Patient Safety Organizations Health information exchange organizations, e-prescribing gateways, covered entities personal health record vendors Data transmission providers that require access to PHI on a routine basis Excluded: Health care provider receiving disclosures for treatment Plan sponsor receiving disclosures from group health plan, insurer or HMO Others 2

4 Business Associates Expanded Regulation Expanded Definition of business associate Business associate now also means subcontractor of business associate Status as BA based upon role and responsibilities, not upon who are the parties to the contract Implications for subcontractor relationships Contract between the covered entity s BA and that BA s subcontractor must satisfy the business associate agreement ( BAA ) requirements Subcontractor of subcontractor is also a BA, and so on As a result, HIPAA/HITECH obligations apply to subcontractors directly Secretary of HHS authorized to receive and investigate complaints against business associates (including subcontractors), and to take action regarding complaints and noncompliance 3

5 Business Associates Consequences BAs (incl. subcontractors) required to maintain records and submit compliance reports to Secretary, cooperate in complaint investigations and compliance reviews, give Secretary access to information BAs (incl. subcontractors) forbidden to intimidate, discriminate against, etc. those who make complaints, cooperate with regulators or oppose unlawful actions BAs (incl. subcontractors) subject to civil money penalties for HIPAA violations Uses of PHI BAs may use or disclose PHI only as permitted by BAA or required by law BAs may not use or disclose PHI in manner that would violate Privacy Rule, if done by the covered entity BA does not comply if it knows of subcontractor s material noncompliance and does not take reasonable steps to cure the breach or, if such steps fail, to terminate the relationship 4

6 Business Associates Transition Provisions Generally, compliance required 180 days following new rules effective date Additional time offered to enter into conforming business associate agreements If BAAs comply with current rule, parties have 1 additional year to bring their BAAs into compliance with the new rules If BAAs do not comply with current rule, must enter into BAAs that comply with new rules within 180 days Compliance with new rules required when existing BAAs renew or are modified But all BAAs must be brought into compliance by end of additional 1 year, even if not scheduled for renewal Additional time for BAAs only; no extension to comply with new rules other requirements In the light of all this, why not eliminate or scale back BAA requirements? 5

7 Marketing Background Concerns of efficacy of current Privacy Rule to regulate subsidized health care marketing Close potential loopholes that may permit unauthorized communications to patients motivated by commercial purposes Approach the concept of financial remuneration Payment from a third party whose product or service is being described in a communication to a patient Payment from a party unrelated to the product or service is disregarded Nonfinancial remuneration is disregarded 6

8 Marketing - Definition Three categories of communications Communications for treatment that are not subsidized are not marketing Communications for treatment that are subsidized are not marketing if Notice of privacy practices spells it out Communication states it is subsidized Unburdensome method to opt out of future communications Communications for health care operations that are subsidized require an authorization from the patient How do you tell the difference between treatment and operations? Is it personalized, then it s arguably treatment Comments have been requested 7

9 Marketing Refill Reminders, Fundraising Refill reminders exception Subsidy allowed for currently prescribed drug or biologic Subsidy must be reasonably related to cost of making the communication Comments requested on communications involving alternatives or new drugs and biologics Comments requested on types of costs that could be subsidized Fundraising uses of limited PHI permitted Covered by notice of privacy practices There is an opt out No condition of treatment 8

10 Sale of PHI Authorization generally required notice that disclosure of PHI is in exchange for payment Exceptions Public health Research purposes remuneration must be reasonably related to the cost of preparing and transmitting information Treatment and payment disclosure of PHI to receive payment is not a sale of PHI Corporate transactions Disclosures to business associates Disclosures to the individual Disclosures required by law Other situations, provided remuneration is related to cost of making the disclosure 9

11 Right to Request Restrictions on Use and Disclosures Mandatory nondisclosure of PHI if Full out-of-pocket payments for particular health services Not disclosable unless required by law Not applied to annual deductable requirements under health plan coverage This is problematic HMOs, application to follow on care, implications for services/goods that are paid (e.g., drugs) HHS requesting comments on the scope of this regulation 10

12 Access to Information Contained in an Electronic Health Record Individual entitled to own PHI maintained by covered entity Entity must provide PHI to another designated person when requested by individual Entity can only charge labor, supply and media costs to provide data Information in a designated record set, regardless whether electronic or otherwise, must be furnished when requested in an agreeable format Potential for the blue button 11

13 Access to Information Contained in an Electronic Health Record (2) Information must be provided in a timely manner Current regulations allot up to 90 days Third party requests must be in writing and signed by individual Covered entities are required to ensure security of information provided, particularly through web-based applications or portals 12

14 Changes to the Enforcement Rule Changes to compliance, investigations and penalties Civil monetary penalties can be assessed directly to business associates Tiered penalty structure More serious violations equate to higher penalties 13

15 Changes to the Enforcement Rule OCR will consider the following when assessing penalties: 1. Nature and extent of violation 2. Nature and extent of any physical, financial or reputational harm 3. Covered entity or business associates history or prior compliance with statute 4. The financial condition of covered entity or business associate 5. Other factors as required for justice 14

16 Affirmative Defenses No civil monetary penalties will be assessed for violations occurring prior to February 18, 2011 If violations are punishable under HIPAA s criminal penalties provisions For violations occurring after February 18, 2011, civil monetary penalties may not be assessed If a penalty has been imposed under HIPAA s criminal penalties provisions 15

17 Affirmative Defenses (2) For violations occurring prior to February 18, 2009, civil monetary penalties may not be imposed on a covered entity if The covered entity can establish that it did not have knowledge of the violation, and would not even if by exercise of reasonable diligence The violation is due to circumstances that: Make it unreasonable to comply Not due to willful neglect Corrected within 30 days of when learned, or should have learned, of the violation Similar standards for violations occurring on or after February 18, 2009, with broadened application to business associates 16

18 Implementation Majority took effect on February 18, 2010 Covered entities and business associates have 180 days from effective date of final rule to come to compliance Proposed general 180-day compliance period for all future HIPAArelated rulemakings 17

19 Questions? 18

20 The purpose of this presentation is to inform and comment upon transactions in the health care industry. It is not intended, nor should it be used, as a substitute for specific legal advice inasmuch as legal counsel may only be given in response to inquiries regarding particular situations. (c) Pillsbury Winthrop Shaw Pittman LLP 2010 reprints with attribution permitted 19

21 Contact: Gerry Hinkley Co-Chair, Health Care Industry Team, Pillsbury, San Francisco Allen E. Briskin Counsel, Health Care practice, Pillsbury, San Francisco Douglas A. Grimm Senior Associate, Health Care practice, Pillsbury, Washington, DC Pillsbury Winthrop Shaw Pittman LLP