Page 1: HIPAA Challenges Ahead in Mining Patient-Centric Data

Kristen B. Rosati
Coppersmith Schermer & Brockelman, PLC

PRISM Forum
SIG on Clinical Informatics

October 19, 2010

Page 2: Agenda

• A bit of background
• Upcoming prohibition on “sale” of protected health information (PHI)
• New restrictions on using or disclosing PHI for marketing
• Changes in research authorizations
• Upcoming guidance on de-identification

Page 3: An Overview of the HITECH Act

• American Recovery and Reinvestment Act of 2009 (ARRA), Division A, Title XIII and Division B, Title IV: Health Information Technology for Economic and Clinical Health Act (HITECH Act)
• Medicare and Medicaid payment incentives for adoption of electronic health records by hospitals and physicians
• Grant funding and loans to support health information technology (HIT) and health information exchange (HIE)
• Changes to the HIPAA Privacy and Security Rules

Page 4: Privacy and Security in a HITECH World

Key privacy and security elements in the HITECH Act:
• Created new HIPAA privacy requirements
• Applied most HIPAA Privacy and Security Rules directly to business associates
• Established mandatory breach reporting for covered entities and their business associates
• Established new civil and criminal penalties for noncompliance and expanded enforcement authority to the states

Proposed amendments to the HIPAA Privacy Rule to implement the HITECH Act: 75 Fed. Reg. at 40868 (July 14, 2010)

Page 5: Enforcement in a HITECH World

• Establishes new civil and criminal penalties for noncompliance
• Applies criminal penalties to individuals who, without authorization, obtain or disclose individually identifiable health information that is maintained by a covered entity (enforceable on 2/18/10)
• Increases the amount of civil penalties from $100 per violation and a total of $25,000 per year to a tiered penalty system that can go to $50,000 per violation and total penalties of up to $1,500,000 per year
• Gives State Attorneys General authority to bring civil action to enjoin a violation, seek statutory damages for individuals and obtain attorneys’ fees

Page 6: No Sale of PHI

• Current rule: a covered entity (CE) may receive payment for a disclosure of PHI where that disclosure is permitted by the regulations (such as for health care operations or research)
• HITECH Act prohibits indirect or direct receipt of remuneration in exchange for a disclosure of PHI without the individual’s authorization (with exceptions)
• Proposed rule would prohibit indirect or direct remuneration in exchange for a disclosure of PHI without authorization (with exceptions on the next slide)

[HITECH Act § 13405(d); Proposed 45 CFR § 164.508]

Page 7: No Sale of PHI: Exceptions

• For public health purposes
• For research, “where the only remuneration received by the covered entity is a reasonable cost-based fee to cover the cost to prepare and transmit” the PHI
• For treatment and payment
• For the sale, transfer, merger or consolidation of the covered entity and related due diligence
• To or by a business associate to perform activities for the covered entity, where “the only remuneration provided is by the covered entity to the business associate for the performance of such activities”
• To an individual for access or accounting
• Where required by law to disclose PHI
• Where the only remuneration received is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI, or a fee is otherwise expressly permitted by another law

[Proposed 45 CFR § 164.508]

Page 8: Marketing

Current rule: “marketing” is “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service” except:
• “To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of or enhancements to a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits;
• For treatment of the individual; or
• For case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual”

Page 9: Marketing

HITECH Act prohibits a covered entity’s receipt of direct or indirect payment for any communication permitted on the previous slide, except where:
• The communication is regarding a drug currently prescribed for the recipient and such payment is “reasonable”;
• The communication is made by a business associate on behalf of the covered entity, and is consistent with the business associate agreement; or
• The covered entity obtains a valid authorization

[HITECH Act § 13406]

Page 10: Marketing

Proposed rule: Marketing does not include communications “[f]or treatment of an individual by a health care provider, including case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual, provided, however, that if the communication is in writing and the health care provider receives financial remuneration in exchange for making the communication, the requirements of § 164.514(f)(2) are met.”

Financial remuneration: “direct or indirect payment from or on behalf of a third party whose product or service is being described,” not including payment for treatment

[Proposed 45 CFR § 164.501]

Page 11: Marketing

§ 164.514(f)(2): If a health care provider will receive payment for making treatment communications, the health care provider must:
• Amend its Notice of Privacy Practices to explain that the provider receives financial remuneration in exchange for making such communications, and that the individual has the right to opt out of receiving such communications
• Disclose in the communication itself the fact that the provider is receiving financial remuneration in exchange for making the communication, and provide the individual with a “clear and conspicuous opportunity to elect not to receive further such communications”
  • Opt-out cannot impose undue burden

Page 12: Marketing

Proposed rule continued:
• Permits refill reminders paid for by third parties, if the drug is currently prescribed and the payment is reasonably related to the costs
• Permits the following communications unless the CE receives “financial remuneration” in exchange for making the communications: “(A) To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; or (B) For case management or care coordination, contacting of individuals with information about treatment alternatives, and related functions to the extent these activities do not fall within the definition of treatment.”

Page 13: Research Authorizations

• Proposed rule: Would permit “compound authorizations” in research that combine authorization for a clinical trial and authorization to contribute PHI to a research repository, as long as the form provides the individual with an opportunity to opt in to the research repository [Proposed 45 CFR § 164.508(b)]
• Solicits comments on changing the present OCR interpretation that an authorization may not seek permission for use of PHI in future, unspecified research

Page 14: Current HIPAA De-Identification Rule

• HIPAA does not regulate de-identified information
• Current rule on de-identification:
  • Remove or code all HIPAA identifiers; or
  • Have a qualified statistician document that there is a statistically “very small” risk that the information could be used to identify a participant (despite the presence of identifiers)

Page 15: HIPAA “Identifiers”

• Name;
• Street address, city, county, precinct, or zip code (unless only the first three digits of the zip code are used and the area has more than 20,000 residents);
• The month and day of dates directly related to an individual, such as birth date, admission date, discharge date, dates of service, or date of death;
• Age if over 89 (unless aggregated into a single category of age 90 and older);
• Telephone numbers;
• Fax numbers;
• Email addresses;
• Social security numbers;
• Medical record numbers;
• Health plan beneficiary numbers;
• Account numbers;
• Certificate/license numbers;
• Vehicle identifiers, serial numbers, and license plate numbers;
• Device identifiers and serial numbers;
• Web Universal Resource Locators (URLs) and Internet Protocol (IP) addresses;
• Biometric identifiers, such as fingerprints;
• Full-face photographs and any comparable images; or
• Any other unique identifying number, characteristic, or code.
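As an added illustration (example code written for this page, not part of the presentation), the following Python applies the de-identification rules from this slide and the previous one to a constructed patient record: the listed identifiers are dropped, the zip code is cut to its first three digits (or "000" where the area is too small), individual-related dates keep only the year, ages over 89 become "90+", and the medical record number is replaced by a random code held in a separate table, which is the "code" option the previous slide mentions. The field names, the small-area zip list and the sample record are assumptions made for the example; nothing here is a regulatory list.

```python
"""Safe Harbor style de-identification of a patient record (added example)."""
import re
import secrets
from datetime import date

# Record fields holding identifiers from the slide that are removed outright.
# The field names are this example's own schema, not a standard (assumption).
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "precinct", "phone", "fax", "email",
    "ssn", "beneficiary_id", "account", "license", "vehicle_id",
    "device_serial", "url", "ip", "fingerprint", "photo",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Three-digit zip prefixes whose area has 20,000 or fewer residents must be
# reported as "000". Constructed placeholder set; the real list comes from
# Census population data.
LOW_POPULATION_ZIP3 = {"036", "059", "102", "203"}

# Formatted identifiers that commonly leak into free-text notes.
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),             # social security number
    re.compile(r"\(?\b\d{3}\)?[ -]?\d{3}-\d{4}\b"),   # US telephone number
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),       # email address
    re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),       # month/day/year date
]


def generalize_zip(zip_code):
    """Keep the first three digits, or '000' for a small-population area."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None                      # unusable value: drop, never guess
    zip3 = digits[:3]
    return "000" if zip3 in LOW_POPULATION_ZIP3 else zip3


def generalize_date(d):
    """Month and day are identifiers; only the year survives."""
    return d.year if isinstance(d, date) else None


def generalize_age(age):
    """Ages over 89 are aggregated into a single '90+' category."""
    if age is None:
        return None
    return "90+" if age > 89 else age


def pseudonymize(mrn, code_table):
    """Replace the MRN with a random code. The code is not derived from the
    MRN, so the released data cannot be reversed without the table, which the
    covered entity keeps separately and protects as a re-identification key."""
    if mrn not in code_table:
        code_table[mrn] = secrets.token_hex(8)
    return code_table[mrn]


def scrub_free_text(text):
    """Redact formatted identifiers in narrative text. This catches only
    patterned values; names and unique facts in prose (the catch-all
    identifier on the slide) still need review or the statistician route."""
    for pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def deidentify(record, code_table):
    """Return a de-identified copy of `record` using the rules above."""
    out = {}
    for field, value in record.items():
        if field == "mrn":
            out["subject_code"] = pseudonymize(value, code_table)
        elif field in DIRECT_IDENTIFIERS:
            continue                     # listed identifier: removed
        elif field == "zip":
            zip3 = generalize_zip(value)
            if zip3 is not None:
                out["zip3"] = zip3
        elif field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = generalize_date(value)
        elif field == "age":
            out["age"] = generalize_age(value)
        elif field == "note":
            out["note"] = scrub_free_text(value)
        else:
            out[field] = value           # clinical content is kept
    if out.get("age") == "90+":
        # A birth year that itself reveals an age over 89 is an identifier.
        out.pop("birth_year", None)
    return out


SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Jane Q. Example",
    "mrn": "MRN-0001234",
    "ssn": "123-45-6789",
    "street": "1 Example Way",
    "city": "Phoenix",
    "zip": "85004-1200",
    "birth_date": date(1918, 3, 9),
    "admission_date": date(2010, 10, 1),
    "age": 92,
    "diagnosis": "I10",
    "note": "Pt reachable at (602) 555-0100 or jane@example.org; seen 10/1/2010.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, {}))
```

Two points worth keeping in mind when running this against real extracts: the code table is the only link back to the patient, so it must be stored and access-controlled apart from the released data set, and the free-text pass is a minimum check rather than a guarantee, since a narrative note can identify someone without containing any of the patterned values the regular expressions look for.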

Page 16: Treatment of De-Identified Information

• HITECH Act requires HHS to issue guidance on methods for de-identification of PHI
• OCR solicited stakeholder input from experts with practical technical and policy experience to inform the creation of guidance materials, and collected views regarding de-identification approaches, best practices for implementation and management of the current de-identification standard, and potential changes to address policy concerns
• March 2010 two-day conference on de-identification: see http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/deidentificationworkshop2010.html

Page 17: Questions?

Kristen B. Rosati
Coppersmith Schermer & Brockelman PLC
2800 North Central Avenue, Suite 1200
Phoenix, Arizona 85004
tel (602) 381-5464 / fax (602) 772-3764
Email: [email protected]
www.csblaw.com