The New HIPAA Era: What's New, What's Different and What's Actually Important
Kirk J. Nahra, Wiley Rein LLP, Washington, D.C. (March 8, 2013)

My Presentation
My take on the key elements of the new HITECH rules.
Take a deep breath: they are important and will involve change, but they are not earth shattering.
We have known for four years most of what this regulation was going to say.
I will try to focus on what is most important for most of you.

New HIPAA (the HITECH Act)
The new HIPAA provisions were passed as part of the economic stimulus package.
Rationale: giving health care providers economic incentives to develop and use electronic medical records "requires" "improved" privacy and security rules for the health care industry.
Most of the provisions have nothing to do with electronic medical records.
Most of the provisions of this new law appeared to take effect in February 2010, but did not really.

Proposed HITECH Rule
The NPRM was published in the Federal Register on July 14, 2010.
HHS has been evaluating comments since then, until publication of this final regulation.
Reminder: despite the wording of the HITECH statute, these new provisions are not yet in effect (caveat on state attorneys general).

The Breach Rule: Current Status
An interim final regulation.
Lots of remaining confusion and ambiguity about details and justifications.
Remember the standard under this interim rule: a significant risk of financial, reputational or other harm.
Notice must include the steps individuals should take to "protect themselves from potential harm resulting from the breach."

The Accounting NPRM
A separate NPRM addresses the HITECH language on the accounting rule; it is not part of the "big" HITECH rule.
It proposes significant changes to the accounting obligation that could create substantial additional burden.
HHS does not yet know what to do about this rule, and is just now starting to work on it.

The Accounting NPRM
Lots of comments were submitted, essentially all of them highly critical of the NPRM.
Virtually no one supported the proposed rule.
Implications for now: it is important to evaluate what your company actually does with audit logs and similar oversight efforts. Do not start building an access report. You will need to have a plan for this issue.

The Omnibus Regulation
Published in the Federal Register on January 25, 2013.
Effective on March 26, 2013.
Requires compliance by September 23, 2013.
One question during this period: what will you do in situations where the rules are changing?

The Breach Basics
The HITECH law required notification to individuals in the event of specific kinds of security breaches.
HHS implemented an "interim final regulation" that has been in effect since September 2009.
Now HHS has modified it into a "final" breach notification regulation.
What does this mean, and what should we be watching?

Background
The interim final regulation clarified that the statute incorporated a "risk of harm" threshold: notice is required where there is a "significant risk of financial, reputational or other harm."
Covered entities have been reporting breaches under this standard for more than two years.

The Big News
Two significant changes.
The rule modifies the "presumption" for breach reporting so that it is clear that notification to the affected individuals is required unless the covered entity "demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment."

The Risk Assessment
HHS has removed the "risk of harm" element.
Instead of the risk of harm standard, there is a "risk assessment" to determine whether there is a low probability of a "compromise" of the PHI.
If the risk assessment shows a low probability of compromise, notification is not required.
A covered entity can provide notice without performing a risk assessment.

The Risk Assessment
The risk assessment considers the following factors:
(1) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
(2) the unauthorized person who used the protected health information or to whom the disclosure was made;
(3) whether the protected health information was actually acquired or viewed; and
(4) the extent to which the risk to the protected health information has been mitigated.

Other Elements
Most of the rest of the rule remains largely the same.
The general exceptions to "breach" do not change.
Reporting to HHS stays the same (except for the timing of reporting some smaller breaches).
Notice to the media does not change.
The details of notification do not change.

Next Steps
The current rule is in effect until September 23, 2013.
Follow the current "interim final" standard until then.
Each time you have a potential breach, evaluate it under both standards.
Spend some time figuring out whether any results are different.

Business Associate Issues
The biggest overall development in this regulation is the impact on business associates.
Business associates have always had contractual obligations.
Now they are subject to direct legal obligations and enforcement risk.

Business Associate Issues
Business associates now have a legal obligation to follow the privacy provisions of a standard business associate agreement (and the new HITECH provisions).
This is not everything in the Privacy Rule (e.g., providing a privacy notice).
This should not change behavior, because the "legal" obligations are the same as those in current contracts.

Business Associate Issues
Business associates must now follow the entire HIPAA Security Rule.
This is a big deal. Current contracts require "reasonable and appropriate" security standards.
Complying with the Security Rule is much more involved and detailed.

Business Associate Issues
Business associates need to get moving now on security compliance.
These rules also apply to downstream contractors, on down the line indefinitely.
This is a big expansion, and it reaches some companies that may not even be aware of their BA obligations.

Business Associate Issues (For CEs)
Evaluate what you want to do with your business associate contracts, both substance and process.
Evaluate the "agent" issue, including whether you want to address it at all.
Plan on the timing: you have time, but how long do you want "old" contracts in place?

Business Associate Issues (For CEs)
HHS has created two categories of business associates: those who are "agents" and those who are not.
This applies primarily in the breach notice and enforcement contexts.
It is explicitly a "fact specific" assessment.
Consider how you are going to handle this; there are real questions about whether to address it at all.

Enforcement
Lots of new provisions in the HIPAA Enforcement Rule.
These do not create compliance obligations, but define a process for a formal enforcement proceeding.
Bottom line: HHS has LOTS of discretion in how it conducts enforcement and issues penalties and other resolutions.

Enforcement
Discussion of "agents" in the context of enforcement.
The rule clearly states that HHS can take action against CEs for the actions of their "agents."
It is unclear what HHS can or will do for others.
This is very much a "formality" issue; investigations will still be mostly negotiations.

Enforcement
Remember what HHS is doing on enforcement these days.
They are starting investigations in lots of situations, based on breach notices, complaints, media reports, etc.
They ask lots of questions, and then broaden out from the starting point.

Enforcement
Be very careful in the early stages of investigations.
Documentation of policies and procedures is critical.
It is always better to have fixed the problem already (if there is one).
Take them seriously at all times.

Marketing Provision
Current HIPAA rules impose significant restrictions on how PHI can be used and disclosed for marketing purposes.
The HITECH statute mandated that marketing be further restricted in situations where there is "payment" for making the communication.
The omnibus regulation now implements this provision.

Marketing Provision
What does this do?
It does not change the situations where "marketing" has been permitted so far.
If a communication is permitted under the rules today, BUT the covered entity receives "remuneration" for it, a member authorization will be required.

Marketing Provision
What kinds of communications may be affected?
Presumably those where a covered entity is "marketing" someone else's products or services.
Be careful if you are getting paid in any way, and think about why you are doing this.

Sale Issue
A similar point as with marketing: PHI cannot be sold without a patient authorization.
There are many exceptions.
Covered entities and business associates need to evaluate any situation where PHI is sold.

Sale Issue
Exceptions include (among others): (a) public health activities; (b) research purposes, but only where the only remuneration received is a reasonable cost-based fee to cover the cost of preparation and transmission of the data; (c) treatment and payment purposes; (d) sale or transfer of all or part of the covered entity, and related due diligence.

Sale Issue
So what has really changed?
There still has to be a permitted basis for the disclosure (even before the sale issue arises).
Since treatment and payment are still "exceptions," is this really (only?) eliminating "sales" for "health care operations" purposes? How much of that is there?

Authorizations
The rule makes certain changes to the substance of authorizations, in addition to the "sale" and "marketing" issues.
It simplifies authorizations in the research context, both by allowing compound authorizations and by permitting authorizations for future research.

Privacy Notices
Covered entities will need to issue new privacy notices.
HHS recognizes the cost of this, and has taken some steps to moderate the financial impact.
It has not simplified notices in any way.
Its cost estimate is one third of an hour of legal time, at a cost of $28. Good luck with that.

Miscellaneous
No more HIPAA protection for the records of people who have been dead for more than 50 years.
GINA provisions affect how genetic information can be used by health plans for underwriting purposes.
These mainly reinforce existing principles.

Miscellaneous
A confusing provision requires providers to restrict disclosure to a health plan where the patient requests the restriction and pays for the services out of pocket.
It imposes no compliance obligations on health plans.
Consider where (if at all) this will be relevant.

What's Not Here?
Few new changes to HIPAA beyond HITECH.
No final accounting rule changes; those are on a separate timeframe. The accounting NPRM was highly controversial, and most comments were exceedingly critical.
Additional guidance on minimum necessary is coming.
Parallel developments on de-identification issues.

Next Steps
Take a deep breath.
The omnibus regulation affects only a small portion of the HIPAA provisions.
No material changes to the substance of the Security Rule (just its application to BAs).
And we have known almost all of this since the HITECH law; this just starts the real clock running.

Next Steps
Be aware that enforcement efforts are growing: not enormously, but consistently.
HHS is investigating a lot more (although still very slowly, and often in a meandering way).
They start investigations because of one issue, but then look at many more.

Next Steps
Be very careful on security breach issues: review everything under both standards.
Think twice if you reach different results in terms of your approach/response to the breach.
Mitigating quickly and effectively is ALWAYS a good idea.

Next Steps
Re-evaluate your business associate contracts. You have time (and there is a transition period), but this takes some thought and planning.
Evaluate the "agent" issue.
Look hard for situations where the marketing and sale rules may be implicated.

Next Steps
Re-evaluate your security program.
For business associates, this is the biggest compliance issue by far.
Even though the substance of the Security Rule is not changing, security problems remain high, with lots of risk.

Questions?
Kirk J. Nahra, Wiley Rein LLP
Subscribe (for free) to Privacy in Focus.