Long-Awaited HITECH Final Rule: Addressing the Impact on Operations - PowerPoint PPT Presentation


SLIDE 1

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates
November 7, 2013

Brad M. Rostolsky, Partner, Reed Smith LLP, brostolsky@reedsmith.com
Nancy E. Bonifant, Associate, Reed Smith LLP, nbonifant@reedsmith.com

SLIDE 2

Agenda

  • Compliance Dates
  • HIPAA Enforcement
  • Breach Notification Rule
  • Marketing Communications
  • Sale of Protected Health Information
  • Business Associate Compliance
  • Individual Rights

SLIDE 3

Key Dates for Compliance

  • Final Rule published January 25, 2013
  • Effective Date – March 26, 2013
  • Breach Notification Rule enforced under Interim Final Rule until General Compliance Date
  • General Compliance Date – September 23, 2013
    • Exceptions: Business Associate Agreements
    • Exceptions: Prescription Refill Reminders

SLIDE 4

Key Dates for Compliance (cont.)

  • Enforcement Rule: March 26, 2013
  • Business Associate Agreements
    • Grandfather period - through Sept. 22, 2014 unless BAA is modified or renewed
    • New BAAs executed (or those modified/renewed) must meet Final Rule requirements by Sept. 23, 2013
  • Prescription Refill Reminders
    • Grandfather period - through Sept. 23, 2014 if patient already enrolled in program, provided that patient has not opted out and the prescription has not been renewed

SLIDE 5

HIPAA Enforcement

  • Global Considerations
    • Say Goodbye to Voluntary Compliance!
    • Security Rule Risk Assessment is a key component to successfully surviving an OCR investigation/inquiry; this is reflected through direct statements and enforcement trends
    • Final Rule mostly imports earlier changes from 2009 Interim Enforcement Final Rule and the 2010 HITECH Proposed Rule

SLIDE 6

HIPAA Enforcement (cont.)

HITECH Enforcement CMP Levels

Violation Category              Each Violation       All Identical Violations per Calendar Year
Did Not Know                    $100 - $50,000       $1.5 million
Reasonable Cause                $1,000 - $50,000     $1.5 million
Willful Neglect Corrected       $10,000 - $50,000    $1.5 million
Willful Neglect Not Corrected   $50,000              $1.5 million

SLIDE 7

HIPAA Enforcement (cont.)

  • For Violations due to Willful Neglect
    • Investigation or compliance review will always be triggered whenever OCR’s preliminary review indicates possible violation because of willful neglect
    • OCR may now proceed immediately to penalties (no longer must try to first resolve noncompliance through informal means)
  • Business associates now directly liable for CMPs

SLIDE 8

HIPAA Enforcement (cont.)

  • Agency Relationships
    • Covered entities now liable for the acts of their business associate agents
    • Business associates liable for acts of their subcontractor agents
    • OCR: Key consideration is control
  • Affirmative Defenses
    • Old Rule: No CMP where a violation is criminally punishable
    • New Rule: No CMP where a violation is criminally punished

SLIDE 9

HIPAA Enforcement (cont.)

  • OCR (maybe) has less discretion in determining CMP amount
    • Based on nature and extent of the violation and extent of the harm resulting from the violation
  • OCR Guidelines for calculating CMPs
    • Number of violations = number of individuals affected
    • Number of violations = number of days safeguard not in place
    • $1.5 million limit for identical violations in a calendar year applies to the “legal entity” constituting the covered entity
      • Important when various business units within a covered entity suffer enforcement for identical violations
  • Enforcement Perspective of OCR (relating to breaches)
    • The government appreciates that loss and theft will occur
    • Ultimately, when it does occur, OCR will focus on what was done preventively to best protect the involved PHI
      • Does a covered entity/business associate have a good (and documented) reason as to why encryption was not used?

SLIDE 10

Breach Notification Rule

  • History
    • 2009 HITECH Act
    • 2009 Interim Final Rule
    • HITECH Final Rule
  • Bulk of the Breach Notification Rule has been left unchanged
    • Notification of breach of unsecured PHI
    • Media notice requirements (500+ individuals)
    • Notice to OCR (including annual notice for less than 500 individuals)
    • Content requirements of notice
    • Timing of notice to individuals (without unreasonable delay but in no event later than 60 days after discovery)

SLIDE 11

Breach Notification Rule (cont.)

Significant Change – Definition of Breach

  • HITECH Act definition
    • Acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the privacy or security of PHI
  • Interim Final Breach Notification Rule
    • Further defined “compromise”
    • Risk of harm analysis (financial, reputational, other harm)
    • OCR (and industry) have noted challenges in applying this standard
  • HITECH Final Rule
    • Impermissible access, use, or disclosure under the Privacy Rule now presumed to be a breach unless it can be demonstrated that there is a low probability that the PHI has been compromised

SLIDE 12

Breach Notification Rule (cont.)

  • Determination that there is a low probability that PHI has been compromised
    • OCR provides four factors that must be weighed in making this determination:
      1. Nature and extent of the PHI involved (including the types of identifiers involved), and likelihood of re-identification
         • Risk of Harm component? Not really – consider the likelihood of re-identification based on PHI involved and the identity of recipient
      2. The unauthorized person who used the PHI or to whom the disclosure was made
      3. Whether the PHI was actually acquired or viewed
      4. The extent to which the risk to the PHI has been mitigated
         • Satisfactory assurances
    • Additional OCR guidance to be published – timing is unclear

SLIDE 13

Breach Notification Rule (cont.)

  • Important Clarifications and Emphasis in Final Rule
    • Limited Data Set exception removed
    • Trigger for annual notification is date of discovery (not date of incident)
      • Important for incidents that occur (but are not discovered) at the end of a calendar year
    • Media notice does not require covered entities to buy ad space
    • Notification time period is not “within 60 days of discovery”
      • This is the absolute latest a notification may be deemed compliant

SLIDE 14

Marketing Communications

  • Former Privacy Rule
    • To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service
    • Treatment and certain health care operations communications excluded
  • Final Rule
    • Eliminates exceptions for financially remunerated treatment and health care operations communications
    • Prior authorizations required when a covered entity receives financial remuneration in exchange for making a treatment communication

SLIDE 15

Marketing Communications (cont.)

  • Financial Remuneration
    • Defined as monetary direct or indirect payments from the third party whose product or service is being described
    • Notably, financial remuneration does not include in-kind benefits
  • Financial Remuneration and Business Associates
    • If a business associate (or subcontractor) receives financial remuneration from a third party in exchange for making a communication about a product or service, that communication is marketing and requires an authorization

SLIDE 16

Marketing Communications (cont.)

  • Two Critical Questions:
    1. Is the covered entity or business associate receiving financial remuneration?
    2. Is the covered entity or business associate receiving the financial remuneration for the purpose of making the communication?

SLIDE 17

Marketing Communications (cont.)

  • Scope of Authorizations
    • Need not be limited to communications describing a single product or service or services of a single third party
    • A single authorization may apply to subsidized communications generally
  • Exceptions to Authorization Requirement Remain
    • Face-to-face communications
    • Promotional gifts of nominal value

SLIDE 18

Marketing Communications – Prescription Refill Reminder Exception

  • Financially remunerated prescription refill reminders remain excluded if financial remuneration is limited to reasonable costs of making the communication
  • Recent Guidance from OCR – Two-and-a-Half Critical Questions:
    1. Is the communication about a currently prescribed drug or biologic?
    2. Does the communication involve financial remuneration, and if so, is it reasonable?

SLIDE 19

Marketing Communications – Prescription Refill Reminder Exception (cont.)

  • Is the communication about a currently prescribed drug or biologic?
    • Within Exception:
      • Refill reminders about a drug or biologic that is currently being prescribed
      • Communications regarding generic equivalents
      • Communications about a recently lapsed prescription (i.e., within past 90 calendar days)
      • Adherence communications
      • For individuals who are prescribed a self-administered drug or biologic, communications regarding all aspects of a drug delivery system
    • Not Within Exception:
      • Communications about specific new formulations of a currently prescribed medicine
      • Communications about specific adjunctive drugs related to the currently prescribed medicine
      • Communications encouraging an individual to switch from a prescribed medicine to an alternative

SLIDE 20

Marketing Communications – Prescription Refill Reminder Exception (cont.)

  • Does the communication involve financial remuneration, and if so, is it reasonable?
    • Within Exception:
      • No financial remuneration involved
      • Only non-financial or in-kind remuneration, such as supplies, computers, or other materials
      • Only payments from a party whose product is not being described (and not on behalf of the party whose product is being described)
      • Financial remuneration covers only the reasonable direct and indirect costs related to the refill reminder (i.e., labor, materials, and supplies, as well as capital and overhead costs)
      • Involves payment to a business associate assisting the covered entity, which is limited to the FMV of the business associate’s services
    • Not Within Exception:
      • Involves financial remuneration not described above

SLIDE 21

Sale of Protected Health Information

  • Sale of PHI Defined
    • The disclosure of PHI by a covered entity (or business associate, if applicable) where the covered entity directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI
  • Financial Remuneration
    • Unlike marketing communications, “remuneration” includes financial payments as well as nonfinancial, in-kind benefits
  • In Exchange For PHI
    • Covered entity primarily being compensated to supply PHI
    • Excludes remuneration in the form of grants and contracts to perform programs or activities that also involve the disclosure of PHI

SLIDE 22

Sale of Protected Health Information (cont.)

  • General Prohibition: Sale of PHI is prohibited in the absence of an authorization that states the disclosure of PHI will result in remuneration to the covered entity
  • Notable Exceptions - Regardless of the Amount of Remuneration:
    • For public health purposes
    • For treatment and payment purposes
    • For the sale, transfer, merger or consolidation of all or part of the covered entity and for related due diligence
    • As required by law

SLIDE 23

Sale of Protected Health Information (cont.)

  • Notable Exceptions With Limits On Remuneration:
    • For research purposes (provided the remuneration is limited to the covered entity’s reasonable cost to prepare and transmit the PHI)
    • To the individual to provide him/her with access to PHI or an accounting of disclosures (remuneration limited to permissible charges under Privacy Rule)
    • To or by a business associate for activities that the business associate undertakes on behalf of a covered entity, or on behalf of a business associate in the case of a subcontractor (remuneration must be for the actual performance of activities)
    • For any other purpose permitted by or in accordance with the Privacy Rule (limited to a reasonable cost-based fee)

SLIDE 24

Business Associate Compliance

  • Definition of Business Associate Expanded
    • Health Information Organizations
    • E-Prescribing Gateways
    • Patient Safety Organizations
    • Cloud Providers
    • Business associate subcontractors
      • Requires delegation of a function, activity, or service that involves the creation, receipt, maintenance, or transmission of PHI
      • All the way down the chain

SLIDE 25

Business Associate Compliance (cont.)

  • Direct Liability: Security Rule
    • September 23, 2013: Business associates are directly liable for a failure to comply with the requirements of the Security Rule
  • Direct Liability: Impermissible Uses and Disclosures of PHI and Business Associate Agreements
    • Business associate’s Privacy Rule obligations are tied to the uses and disclosures permitted and prohibited in the BAA
    • But, a business associate’s liability exposure is not tied to the existence of a BAA – liability attaches when a person creates, receives, maintains or transmits PHI on behalf of a covered entity

SLIDE 26

Business Associate Compliance (cont.)

  • Direct Liability: Additional HITECH Statutory Requirements
    • For a failure to provide breach notification to the covered entity
    • For a failure to provide access to a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement)
    • For a failure to disclose PHI where required by the Secretary to investigate or determine the business associate’s compliance with the HIPAA Rules, or
    • For a failure to provide an accounting of disclosures

SLIDE 27

Individual Rights

  • Statutory Requirement for Accounting of Disclosures Not Addressed
    • May 2011 Proposed Rule
    • HITECH Act requires accounting of disclosures of PHI made by a covered entity over the past three years to carry out treatment, payment, and health care operations
  • Omnibus HITECH Final Rule Addresses:
    • An individual’s right to restrict certain disclosures of PHI
    • An individual’s right to access his or her PHI maintained in designated record sets

SLIDE 28

Individual Rights (cont.)

  • Right to Request a Required Restriction. Covered entities are required to comply with an individual’s request to restrict disclosure of the individual’s PHI to a health plan where:
    • The disclosure is for payment or health care operations purposes
    • The disclosure is not otherwise required by law
    • The PHI pertains solely to health care services or items for which the individual, or another person on the individual’s behalf, has paid the covered entity in full

SLIDE 29

Individual Rights (cont.)

  • Right to Access PHI: Individuals now have the right to obtain an electronic copy of PHI that is maintained in any electronic system.
  • Readable Electronic Format: Covered entities must be able to provide a “readable electronic form.” For example, MS Word or Excel, text, HTML, or text-based PDF.
  • Time to Respond to Request: Thirty days to take action and one 30-day extension
  • Fees: Reasonable, cost-based fees may be charged. Such fees may not include labor costs for locating the PHI, but may include labor costs for creating and copying the electronic file

SLIDE 30

Questions?

SLIDE 31

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates
November 7, 2013

Brad M. Rostolsky, Partner, Reed Smith LLP, brostolsky@reedsmith.com
Nancy E. Bonifant, Associate, Reed Smith LLP, nbonifant@reedsmith.com