SLIDE 1

The New HIPAA Era: What's New, What's Different and What's Actually Important

Presented by: Kirk J. Nahra, Wiley Rein LLP, Washington, D.C.
202.719.7335
KNahra@wileyrein.com
@kirkjnahrawork
March 13, 2013

SLIDE 2

This Presentation

  • Key elements of the new HITECH rules
  • Take a deep breath – they are important, and will involve change, but are not earth shattering.
  • We have known for four years most of what this regulation was going to say
  • Will try to focus on what’s most important for most of you.

SLIDE 3

The Omnibus Regulation

  • Published in the Federal Register on January 25, 2013
  • Effective on March 26, 2013
  • Requires compliance by September 23, 2013
  • One question during this period – what will you do for situations where the rules are changing?

SLIDE 4

Background

  • The interim final regulation clarified that the statute incorporated a “risk of harm” threshold – notice is required where there is a “significant risk of financial, reputational or other harm.”
  • Covered entities have been reporting breaches under this standard for two plus years

SLIDE 5

The Big News

  • Two significant changes
  • Modified the “presumption” for breach reporting so that it is clear that notification is required to the affected individuals unless the covered entity “demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment.”

SLIDE 6

The Risk Assessment

  • HHS has removed the “risk of harm” element
  • Instead of the risk of harm standard, there is a “risk assessment” to determine if there is a low probability of a “compromise” of the PHI.
  • If the risk assessment reveals a low probability of compromise, notification is not required.
  • Covered entity can provide notice without a risk assessment.

SLIDE 7

The Risk Assessment

  • The nature and extent of the protected health information involved, including types of identifiers and likelihood of re-identification;
  • The unauthorized person who used the protected health information or to whom the disclosure was made;
  • Whether the protected health information was actually acquired or viewed; and
  • The extent to which the risk to the protected health information has been mitigated.

SLIDE 8

Other Elements

  • Most of the rest of the rule remains largely the same
  • General exceptions to “breach” do not change
  • Reporting to HHS stays the same (except for timing on reporting of some smaller breaches)
  • Notice to media does not change
  • Details of notification do not change

SLIDE 9

Next Steps

  • Current rule is in effect until September 23, 2013
  • Follow the current “interim final” standard until then
  • Each time you have a potential breach, evaluate using both standards. Spend some time figuring out if any results are different

SLIDE 10

Business Associate Issues

  • The biggest overall development for this regulation is the impact on business associates
  • Business associates have always had contractual obligations
  • Now they are subject to legal obligations and enforcement risk

SLIDE 11

Business Associate Issues

  • Business associates will now have a legal obligation to follow the privacy provisions of a standard business associate agreement (and the new HITECH provisions)
  • This is not everything in the privacy rule (e.g., providing a privacy notice)
  • This should not impact behavior because the “legal” obligations are the same as the current contracts

SLIDE 12

Business Associate Issues

  • Business associates now must follow the entire HIPAA Security Rule
  • This is a big deal.
  • The current contracts require “reasonable and appropriate” security standards
  • Complying with the Security Rule is much more involved and detailed

SLIDE 13

Business Associate Issues

  • Business associates need to get moving now on security compliance
  • These rules also apply to downstream contractors – on down the line indefinitely
  • This is a big expansion – and to some companies who may not even be aware of their BA obligations

SLIDE 14

Business Associate Issues (For CEs)

  • Evaluate what you want to do with your business associate contracts – substance and process
  • Plan on the timing – you have time, but how long do you want “old” contracts in place?

SLIDE 15

Business Associate Issues (For CEs)

  • HHS has created categories of business associates – those who are “agents” and those who are not
  • Applies primarily in notice and enforcement contexts
  • Explicitly a “fact specific” assessment
  • Consider how you are going to handle this – real questions as to whether to address at all.

SLIDE 16

Enforcement

  • Lots of new provisions for the HIPAA Enforcement Rule
  • These do not create compliance obligations, but define a process for a formal enforcement proceeding
  • Bottom line – HHS has LOTS of discretion on how it does enforcement and issues penalties and other resolutions

SLIDE 17

Enforcement

  • Discussion of “agents” in context of enforcement
  • Clearly states that HHS can take action against CEs for actions of “agents”
  • Unclear what they can/will do for others
  • This is very much a “formality” issue – investigations still will be mostly negotiations

SLIDE 18

Enforcement

  • Remember what HHS is doing on enforcement these days
  • They are starting investigations in lots of situations – based on notices, complaints, media reports, etc.
  • They are asking lots of questions, and then broadening out from the starting point

SLIDE 19

Enforcement

  • Be very careful in the early stages of investigations
  • Documentation of policies and procedures is critical
  • It is always better to have fixed the problem already (if there is one)
  • Take them seriously at all times

SLIDE 20

Marketing Provision

  • Current HIPAA rules impose significant restrictions on how PHI can be used and disclosed for marketing purposes
  • HITECH statute mandated that marketing be further restricted in situations where there is “payment” to make the communication
  • Omnibus regulation now implements this provision

SLIDE 21

Marketing Provision

  • What does this do?
  • Does not change the situations where “marketing” has been permitted so far.
  • If it is permitted under the rules today, BUT the covered entity receives “remuneration,” a member authorization will be required.

SLIDE 22

Marketing Provision

  • What kinds of communications may be affected?
  • Presumably when a covered entity is “marketing” someone else’s products or services
  • Be careful if you are getting paid in any way – think about why you are doing this

SLIDE 23

Sale Issue

  • Similar point as with marketing – PHI cannot be sold without a patient authorization
  • Many exceptions
  • Covered entities and business associates need to evaluate any situation where PHI is sold

SLIDE 24

Sale Issue

  • So what’s really changed?
  • There still has to be a permitted basis for disclosure (even before sale issue)
  • Since treatment and payment are still “exceptions,” then is this really (only?) eliminating “sales” for “health care operations” purposes? How much of that is there?

SLIDE 25

Authorizations

  • The Rule makes certain changes about the substance of authorizations
  • In addition to the “sale” and “marketing” issues
  • Simplify authorizations in the research context – both allowing compound authorizations and for future research

SLIDE 26

Privacy Notices

  • Covered entities will need to issue new privacy notices
  • HHS recognizes the cost elements of this, and has taken some steps to moderate financial impact
  • Have not simplified notices in any way
  • Their cost estimate is 1/3 of an hour at a cost in legal fees of $28 – good luck with that

SLIDE 27

Miscellaneous

  • No more HIPAA protection for records of people dead for more than 50 years
  • GINA provisions impact how genetic information can be used by health plans for underwriting purposes
  • Mainly reinforces existing principles

SLIDE 28

Miscellaneous

  • Confusing provision about requiring providers to restrict disclosure to health plans where patient requests and pays for services out of pocket
  • Imposes no compliance obligations on health plans
  • Consider where (if at all) this will be relevant

SLIDE 29

What’s Not Here?

  • Few new changes to HIPAA beyond HITECH
  • No final accounting rule changes – separate timeframe. Highly controversial, most comments were exceedingly critical
  • Additional guidance on minimum necessary coming
  • Parallel developments on de-identification issues

SLIDE 30

Next Steps

  • The omnibus regulation affects only a small portion of the HIPAA provisions
  • No material changes to the substance of the Security Rule (just the application to BAs)
  • And we have known almost all of this since HITECH law – this just starts the real clock running

SLIDE 31

Next Steps

  • Be aware that enforcement efforts are growing – not enormously, but consistently
  • HHS is investigating a lot more (although still very slow and often meandering)
  • They start investigations because of one issue, but then look at many more

SLIDE 32

Next Steps

  • Be very careful on security breach issues – review everything under both standards.
  • Think twice if you reach different results in terms of your approach/response to the breach
  • Mitigation quickly and effectively is ALWAYS a good idea

SLIDE 33

Next Steps

  • Re-evaluate your business associate contracts – you have time (and there is a transition period) but this takes some thought and planning
  • Evaluate “agent” issue
  • Look hard for situations where the marketing and sale rules may be implicated

SLIDE 34

Next Steps

  • Re-evaluate your security program
  • For business associates, this is the biggest compliance issue by far
  • Even though the substance of the security rule is not changing, security problems remain high with lots of risk

SLIDE 35

Questions?

Kirk J. Nahra
Wiley Rein LLP
202.719.7335
knahra@wileyrein.com
@kirkjnahrawork
Subscribe (for free) to Privacy in Focus - http://www.wileyrein.com/publications.cfm?sp=newsletters.

SLIDE 36

Tina Olson Grande

  • Sr. Vice President, Policy
Healthcare Leadership Council (on behalf of the Confidentiality Coalition)
750 9th Street, NW, Suite 500, Washington, DC 20001
www.confidentialitycoalition.org