HITECH Final Omnibus Rule Bootcamp Webinar and Roundtable Discussion Series, Part V: GINA and Health Plan Perspectives on the HITECH Rule
This bootcamp webinar and roundtable discussion series is brought to you by the Health Information and Technology (HIT) Practice Group, and is co-sponsored by the Business Law and Governance (BLG); Healthcare Liability and Litigation (HCL); Hospitals and Health Systems (HHS); In-House Counsel (In-House); Labor and Employment (Labor); Life Science (LS); Long Term Care, Senior Housing, In-Home Care, and Rehabilitation (LTC-SIR); Medical Staff, Credentialing and Peer Review (MSCPR); Payors, Plans, and Managed Care (PPMC); Physician Organization (Physicians); Regulation, Accreditation and Payment (RAP); and Teaching Hospitals and Academic Medical Centers (TH/AMC) Practice Groups and the Healthcare Reform Educational (HRE) Task Force.
April 9, 2013 1:00-2:15 pm Eastern
Presenters:
Christina M. Heide, JD
Senior Health Information Privacy Policy Specialist • Office for Civil Rights •
U.S. Department of Health & Human Services • Washington, DC • [email protected]
Kirk Nahra, Esquire
Partner • Wiley Rein LLP • Washington, DC • [email protected]
Leah Stewart, Esquire
Shareholder • Beatty Bangle Strama PC • Austin, TX • [email protected]
Presentation Overview
Overview of major provisions impacting health plans and their business associates
OCR perspective
Practical observations from counsel on major challenges and open issues
Intro Issues
One question during this period – what will you do for situations where the rules are changing?
Are you worried about state AGs at all?
Rule does not include the accounting provisions – but are you doing anything on audit trails?
OCR
Breach Notification
• Harm standard removed
• New standard – impermissible use/disclosure of (unsecured) PHI presumed to require notification, unless CE/BA can demonstrate low probability that PHI has been compromised based on risk assessment of at least:
– Nature & extent of PHI involved
– Who received/accessed the information
– Potential that PHI was actually acquired or viewed
– Extent to which risk to the data has been mitigated
OCR
Breach Notification
• Exceptions for inadvertent, harmless mistakes remain
• Exception for limited data sets without dates of birth & zip codes removed
• Makes permanent the other provisions of the 2009 IFR, with only minor changes/clarifications
– E.g., clarifies that notification to Secretary of smaller breaches to occur within 60 days of end of calendar year in which breaches were discovered (versus occurred)
The Risk Assessment
HHS has removed the “risk of harm” element
Instead of the risk of harm standard, there is a “risk assessment” to determine if there is a low probability of a “compromise” of the PHI.
If the risk assessment reveals a low probability of compromise, notification is not required.
Covered entity can provide notice without a risk assessment.
Breach Notification Next Steps
Current rule is in effect until September 23, 2013
Follow the current “interim final” standard until then
Each time you have a potential breach, evaluate using both standards. Spend some time figuring out if any results are different.
OCR
Business Associates
• BAs must comply with the technical, administrative, and physical safeguard requirements under the Security Rule; directly liable for violations
• BAs must comply with the use or disclosure limitations expressed in BA contract and those in the Privacy Rule; directly liable for violations
• BA definition expressly includes Health Information Organizations, E-prescribing Gateways, and PHR vendors that provide services to covered entities
• Subcontractors of BA are now defined as BAs
– BA liability flows to all subcontractors
Business Associate Issues
Business associates will now have a legal obligation to follow the privacy provisions of a standard business associate agreement (and the new HITECH provisions)
This is not everything in the privacy rule (e.g., providing a privacy notice)
This should not impact behavior because the “legal” obligations are the same as the current contracts
Business Associate Issues
Business associates now must follow the entire HIPAA Security Rule
This is a big deal.
The current contracts require “reasonable and appropriate” security standards
Complying with the Security Rule is much more involved and detailed
Business Associate Issues
(For CEs)
Evaluate what you want to do with your business associate contracts – substance and process
Evaluate the “agent” issue – including whether you want to address it at all
Plan on the timing – you have time, but how long do you want “old” contracts in place?
OCR
Marketing
• Communications about health-related products/services to individuals now marketing & require authorization if paid for by third party
– Limited exception for refill reminders (and similar communications)
• Applies to receipt of financial remuneration only, not non-financial benefits
• Face to face marketing communications and promotional gifts of nominal value still permitted without authorization
OCR
Marketing
• Broad authorizations can be obtained
– Scope need not be limited to single product/service or products/services of one third party
• Authorization must state that communication is paid for
Marketing Provision
What does this do?
Does not change the situations where “marketing” has been permitted so far.
If it is permitted under the rules today, BUT the covered entity receives “remuneration,” a member authorization will be required.
Marketing Provision
What kinds of communications may be affected?
Presumably when a covered entity is “marketing” someone else’s products or services
Be careful if you are getting paid in any way – think about why you are doing this.
OCR
Sale of PHI
• Even where disclosure is permitted, CE is prohibited from disclosing PHI (without individual authorization) in exchange for remuneration
– Not limited to financial remuneration
• If authorization obtained, authorization must state that disclosure will result in remuneration
OCR
Sale of PHI
• Exceptions:
– Treatment & payment
– Sale of business
– Remuneration to BA for services rendered
– Disclosure required by law
– Public health
– Research, if remuneration limited to cost to prepare and transmit PHI
– Providing access or accounting to individual
– Any other permitted disclosure where only receive reasonable, cost-based fee to prepare & transmit PHI
Sale Issue
Similar point as with marketing – PHI cannot be sold without a patient authorization
Many exceptions
Covered entities and business associates need to evaluate any situation where PHI is sold
Sale Issue
So what’s really changed?
There still has to be a permitted basis for disclosure (even before sale issue)
Since treatment and payment are still “exceptions,” then is this really (only?) eliminating “sales” for “health care operations” purposes? How much of that is there?
OCR
Right to Request Restrictions
• CE must agree to individual’s request to restrict disclosure of PHI to health plan if:
– PHI pertains solely to health care for which individual (or person on behalf of individual other than health plan) has paid CE in full out of pocket
– Disclosure is not required by other law
• Preamble guidance on various implementation and operational questions
Restrictions
Confusing provision about requiring providers to restrict disclosure to health plans where patient requests and pays for services out of pocket
Imposes no compliance obligations on health plans
Consider where (if at all) this will be relevant
OCR
Electronic Access
• If individual requests e-copy of PHI maintained electronically in designated record set, CE:
– Must provide access in electronic form/format requested, if readily producible, otherwise in readable electronic form/format as agreed to by CE and individual
• If requested, CE must transmit copy of PHI to individual’s designee (not limited to electronic access)
– Request must be in writing, signed, and clearly identify designated person and where to send
OCR
Electronic Access
• CE may charge for:
– Labor for copying
• Time attributable to reviewing request and producing copy
– Cost of electronic media
• CD, USB drive, or similar portable media/device, if individual requests copy on portable media
• CE has 30 days (with one 30-day extension) to act on request for access
– Provision allowing initial 60 days for off-site PHI removed
OCR
GINA
• Expressly provides that genetic information is PHI
• Prohibits the use or disclosure of genetic information for underwriting purposes by all health plans, except long-term care plans
• Terms and definitions track regulations prohibiting discrimination in health coverage based on genetic information
OCR
Notice of Privacy Practices
• Content must now include:
– Statements regarding sale of PHI, marketing, and other purposes that require authorization
– Statement that individual can opt out of fundraising communications
– Statement that CE must agree to restrict disclosure to health plan if individual pays out of pocket in full for health care service
– Statement about individual’s right to receive breach notifications
– For plans that underwrite, statement that genetic information may not be used for such purposes
OCR
Notice of Privacy Practices
• Health plans may distribute materially revised NPPs:
– By posting on web site by effective date of change and including in next annual mailing to individuals; or
– Mailing to individuals within 60 days of material revision
Next Steps
Take a deep breath
The omnibus regulation affects only a small portion of the HIPAA provisions
No material changes to the substance of the Security Rule (just the application to BAs)
And we have known almost all of this since HITECH law – this just starts the real clock running.
Next Steps
Be very careful on security breach issues – review everything under both standards.
Think twice if you reach different results in terms of your approach/response to the breach
Mitigating quickly and effectively is ALWAYS a good idea
Next Steps
Re-evaluate your business associate contracts – you have time (and there is a transition period) but this takes some thought and planning
Evaluate “agent” issue
Look hard for situations where the marketing and sale rules may be implicated
Next Steps
Re-evaluate your security program
For business associates, this is the biggest compliance issue by far
Even though the substance of the security rule is not changing, security problems remain high with lots of risk
Questions?/More Information
Kirk J. Nahra
Wiley Rein LLP
202.719.7335
Christina M. Heide
HHS OCR
202-260-3362
HITECH Final Omnibus Rule Bootcamp Webinar and Roundtable Discussion Series, Part V: GINA and Health Plan Perspectives on the HITECH Rule © 2013 is published by the American Health Lawyers Association. All rights reserved. No part of this publication may be reproduced in any form except by prior written permission from the publisher. Printed in the United States of America.
Any views or advice offered in this publication are those of its authors and should not be construed as the position of the American Health Lawyers Association.
“This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering legal or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought”—from a declaration of the American Bar Association