Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates

March 7, 2013

Brad M. Rostolsky, Partner, Reed Smith LLP, [email protected]
Nancy E. Bonifant, Associate, Reed Smith LLP, [email protected]



Agenda

Compliance Dates

HIPAA Enforcement

Breach Notification Rule

Marketing Communications

Sale of Protected Health Information

Business Associate Compliance

Individual Rights


Key Dates for Compliance

• Final Rule published on January 25, 2013
• Effective Date – March 26, 2013
  • Breach Notification Rule being enforced under Interim Final Rule until General Compliance Date
• General Compliance Date – September 23, 2013
• Exceptions


Key Dates for Compliance

• Enforcement Rule
  • March 26, 2013
• Business Associate Agreements
  • Grandfather period – through September 22, 2014 unless BAA is modified or renewed
  • New BAAs executed (or those modified/renewed) must meet Final Rule requirements by September 23, 2013


HIPAA Enforcement

• Global Considerations
  • Say Goodbye to Voluntary Compliance!
  • Security Rule Risk Assessment is a key component to successfully surviving an OCR investigation/inquiry
  • This is reflected through direct statements and enforcement trends
  • Final Rule mostly imports earlier changes from the 2009 Interim Enforcement Final Rule and the 2010 HITECH Proposed Rule


HIPAA Enforcement

HITECH Enforcement CMP Levels

Violation Category                Each Violation       All Identical Violations per Calendar Year
Did Not Know                      $100 - $50,000       $1,500,000
Reasonable Cause                  $1,000 - $50,000     $1,500,000
Willful Neglect - Corrected       $10,000 - $50,000    $1,500,000
Willful Neglect - Not Corrected   $50,000*             $1,500,000


HIPAA Enforcement

• For Violations due to Willful Neglect
  • Investigation or compliance review will always be triggered whenever OCR’s preliminary review indicates a possible violation due to willful neglect
  • OCR may now proceed immediately to penalties (no longer must try to first resolve noncompliance through informal means)
• Business associates now directly liable for CMPs


HIPAA Enforcement

• Agency Relationships
  • Covered entities now liable for the acts of their business associate agents
  • Business associates liable for acts of their subcontractor agents
  • OCR: Key consideration is control
• Affirmative Defenses
  • Old Rule: No CMP where a violation is criminally punishable
  • New Rule: No CMP where a violation is criminally punished


HIPAA Enforcement

• OCR (maybe) has less discretion in determining CMP amount
  • Based on nature and extent of the violation and extent of the harm resulting from the violation
• OCR Guidelines for calculating CMPs
  • Number of violations = number of individuals affected
  • Number of violations = number of days safeguard not in place
  • $1.5 million limit for identical violations in a calendar year applies to the “legal entity” constituting the covered entity
    • Important when various business units within a covered entity suffer enforcement for identical violations
• Enforcement Perspective of OCR (relating to Breaches)
  • The government appreciates that loss and theft will occur
  • Ultimately, when it does occur, OCR will focus on what was done preventively to best protect the involved PHI
  • Does a covered entity/business associate have a good (and documented) reason as to why encryption was not used?


Breach Notification Rule

• History
  • 2009 HITECH Act
  • 2009 Interim Final Rule
• HITECH Final Rule
  • Bulk of the Breach Notification Rule has been left unchanged
    • Notification of breach of unsecured PHI
    • Media notice requirements (500+ individuals)
    • Notice to OCR (including annual notice for less than 500 individuals)
    • Content requirements of notice
    • Timing of notice to individuals (without unreasonable delay but in no event later than 60 days after discovery)


Breach Notification Rule

Significant Change – Definition of Breach

• HITECH Act definition: Acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the privacy or security of PHI
• Interim Final Breach Notification Rule: Further defined “compromise”
  • Risk of harm analysis (financial, reputational, other harm)
  • OCR (and industry) have noted challenges in applying this standard
• HITECH Final Rule: Impermissible access, use, or disclosure under the Privacy Rule is now presumed to be a breach unless it can be demonstrated that there is a low probability that the PHI has been compromised


Breach Notification Rule

• Determination that there is a low probability that PHI has been compromised
  • OCR provides 4 factors that must be weighed in making this determination:
    1. Nature and extent of the PHI involved (including the types of identifiers involved), and likelihood of re-identification (Risk of Harm component?)
    2. The unauthorized person who used the PHI or to whom the disclosure was made
    3. Whether the PHI was actually acquired or viewed
    4. The extent to which the risk to the PHI has been mitigated (Satisfactory Assurances)
  • Additional OCR guidance to be published – possibly within the next month


Breach Notification Rule

• Important Clarifications and Emphasis in Final Rule
  • Limited Data Set exception removed
  • Trigger for annual notification is date of discovery (not date of incident)
    • Important for incidents that occur (but are not discovered) at the end of a calendar year
  • Media notice does not require covered entities to buy ad space
  • Notification time period is not “within 60 days of discovery”
    • This is the absolute latest at which a notification may be deemed compliant


Marketing Communications

• Existing Privacy Rule.
  • To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service
  • Treatment and certain health care operations communications excluded
• Final Rule.
  • Eliminates exceptions for financially remunerated treatment and health care operations communications.
  • Prior authorization required when a covered entity receives financial remuneration in exchange for making a treatment communication.


Marketing Communications

• Financial Remuneration.
  • Defined as monetary direct or indirect payments from the third party whose product or service is being described.
  • Notably, financial remuneration does not include in-kind benefits.
• Financial Remuneration and Business Associates.
  • If a business associate (or subcontractor) receives financial remuneration from a third party in exchange for making a communication about a product or service, that communication is marketing and requires an authorization.


Marketing Communications

• Two Critical Questions:

1. Is the covered entity or business associate receiving financial remuneration?

2. Is the covered entity or business associate receiving the financial remuneration for the purpose of making the communication?


Marketing Communications

• Scope of Authorizations.
  • Need not be limited to communications describing a single product or service or services of a single third party.
  • A single authorization may apply to subsidized communications generally.
• Exceptions to Authorization Requirement Remain:
  • Face-to-face communications
  • Promotional gifts of nominal value


Marketing Communications

• Financially Remunerated Prescription Refill Reminders Remain Excluded:
  • Communications about a drug or biologic that is currently being prescribed;
  • Communications regarding generic equivalents;
  • Communications that encourage individuals to take their prescribed medications as directed; and
  • For individuals who are prescribed a self-administered drug or biologic, communications regarding all aspects of a drug delivery system.
• Financial Remuneration Must Be Limited to Reasonable Costs of Making the Communication


Sale of Protected Health Information

• Sale of PHI Defined.
  • The disclosure of PHI by a covered entity (or business associate, if applicable) where the covered entity directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI.
• Financial Remuneration.
  • Unlike marketing communications, “remuneration” includes financial payments as well as nonfinancial, in-kind benefits.
• In Exchange For PHI.
  • Covered entity primarily being compensated to supply PHI.
  • Excludes remuneration in the form of grants and contracts to perform programs or activities that also involve the disclosure of PHI.


Sale of Protected Health Information

• General Prohibition: Sale of PHI is prohibited in the absence of an authorization that states the disclosure of PHI will result in remuneration to the covered entity.
• Notable Exceptions – Regardless of the Amount of Remuneration:
  • For public health purposes;
  • For treatment and payment purposes;
  • For the sale, transfer, merger or consolidation of all or part of the covered entity and for related due diligence; and
  • As required by law.


Sale of Protected Health Information

• Notable Exceptions With Limits On Remuneration:
  • For research purposes (provided the remuneration is limited to the covered entity’s reasonable cost to prepare and transmit the PHI);
  • To the individual to provide him/her with access to PHI or an accounting of disclosures (remuneration limited to permissible charges under the Privacy Rule);
  • To or by a business associate for activities that the business associate undertakes on behalf of a covered entity, or on behalf of a business associate in the case of a subcontractor (remuneration must be for the actual performance of activities); and
  • For any other purpose permitted by or in accordance with the Privacy Rule (limited to a reasonable cost-based fee).


Business Associate Compliance

• Definition of Business Associate Expanded
  • Health Information Organizations
  • E-Prescribing Gateways
  • Patient Safety Organizations
  • Cloud Providers
• Business associate subcontractors
  • Requires delegation of a function, activity, or service that involves the creation, receipt, maintenance, or transmission of PHI
  • All the way down the chain


Business Associate Compliance

• Direct Liability: Security Rule.
  • September 23, 2013: Business associates are directly liable for a failure to comply with the requirements of the Security Rule.
• Direct Liability: Impermissible Uses and Disclosures of PHI and Business Associate Agreements.
  • A business associate’s Privacy Rule obligations are tied to the uses and disclosures permitted and prohibited in the BAA.
  • But a business associate’s liability exposure is not tied to the existence of a BAA – liability attaches when a person creates, receives, maintains or transmits PHI on behalf of a covered entity.


Business Associate Compliance

• Direct Liability: Additional HITECH Statutory Requirements.
  • For a failure to provide breach notification to the covered entity;
  • For a failure to provide access to a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement);
  • For a failure to disclose PHI where required by the Secretary to investigate or determine the business associate’s compliance with the HIPAA Rules; or
  • For a failure to provide an accounting of disclosures.


Individual Rights

• Statutory Requirement for Accounting of Disclosures Not Addressed.
  • May 2011 Proposed Rule
  • HITECH Act requires accounting of disclosures of PHI made by a covered entity over the past three years to carry out treatment, payment, and health care operations
• Omnibus HITECH Final Rule Addresses:
  1. An individual’s right to restrict certain disclosures of PHI; and
  2. An individual’s right to access their PHI maintained in designated record sets.


Individual Rights

• Right to Request a Required Restriction. Covered entities are required to comply with an individual’s request to restrict disclosure of the individual’s PHI to a health plan where:
  1. The disclosure is for payment or health care operations purposes;
  2. The disclosure is not otherwise required by law; and
  3. The PHI pertains solely to health care services or items for which the individual, or another person on the individual’s behalf, has paid the covered entity in full.


Individual Rights

• Right to Access PHI. Individuals now have the right to obtain an electronic copy of PHI that is maintained in any electronic system.
• Readable Electronic Format. Covered entities must be able to provide a “readable electronic form,” for example MS Word or Excel, text, HTML, or text-based PDF.
• Time to Respond to Request. 30 days to take action, plus one 30-day extension.
• Fees. Reasonable, cost-based fees may be charged. Such fees may not include labor costs for locating the PHI, but may include labor costs for creating and copying the electronic file.
