Holland & Hart's Health Law Blog

Archive for category: HIPAA

HIPAA Omnibus Rule: Checklist for Compliance

March 1, 2013, in HIPAA

by Kim Stanger, Holland & Hart LLP

The new HIPAA omnibus rule modifies the privacy and security rules for covered entities (including health care providers and health plans), and their business associates. Although the new rules are effective March 26, 2013, covered entities and business associates generally have until September 23, 2013 to comply.1 Before then, covered entities and business associates need to do the following:

  1. Business Associates: Implement HIPAA Policies, Procedures and Safeguards. The HIPAA privacy and security rules now apply directly to business associates of covered entities.2 “Business associates” are those outside entities that create, receive, maintain or transmit protected health information in the course of performing functions on behalf of a covered entity, including contractors, consultants, data storage companies, health information organizations, and subcontractors of business associates.3 Business associates must now implement many of the same policies, procedures and safeguards that have been required of covered entities for years, including the following:
    1. Security Rule. Business associates will need to conduct and document a risk assessment of their information technology systems and implement the specific administrative, technical and physical safeguards specified in the Security Rule.4 The Office of Civil Rights’ website contains helpful guidance for Security Rule compliance: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html.
    2. Privacy Rule. Most of the privacy rule provisions do not apply directly to business associates, but because business associates cannot use or disclose protected health information in a manner contrary to the limits placed on covered entities,5 business associates will need to implement many of the same policies and safeguards that the Privacy Rule mandates for covered entities, including rules governing uses and disclosure of protected health information and patient rights concerning their information.6 Those are typically outlined in the business associate’s agreement with the covered entity. Since business associates are now directly liable for HIPAA violations, they should ensure they understand and train their employees concerning HIPAA Privacy and Security Rule requirements.
    3. Breach Notification. If a business associate becomes aware of a breach of unsecured health information, it must notify the covered entity and assist the covered entity in responding to the breach.7
  2. Identify New Business Associates and Execute Agreements. Covered entities are required to have business associate agreements with their business associates before allowing them to use or disclose protected health information. The omnibus rule expanded the definition of “business associates” to include entities that provide data transmission services and require routine access to information such as health information organizations.8 Covered entities should identify any such business associates and execute appropriate agreements with them. Business associates must execute appropriate business associate agreements with their own subcontractors if the subcontractor creates, receives, maintains or transmits protected health information for the business associate.9
  3. Review and, If Necessary, Amend Business Associate Agreements. Covered entities and business associates must ensure that their existing and future agreements contain the elements required by 45 CFR § 164.314(a) and .504(e). In addition to previous requirements, the agreement must require the business associate to:
    1. Comply with the security rule.
    2. Execute business associate agreements with their subcontractors.
    3. To the extent the business associate carries out an obligation of a covered entity, comply with any HIPAA rule applicable to such obligation.
    4. Report breaches of unsecured protected health information to the covered entity.

    The OCR has published updated sample business associate language at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html. The omnibus rule confirms that covered entities are liable for the misconduct of business associates if the business associate is acting as the agent of the covered entity.10 To minimize their exposure, covered entities and business associates should ensure their agreements confirm that their business associates and subcontractors are acting as independent contractors and not as the agents of the covered entity or business associate, and that the agreements do not give the covered entity too much control over day-to-day operations of the business associate.11 Covered entities may also want to include indemnification or similar clauses to protect themselves. Covered entities have up to September 22, 2014 to modify business associate agreements if (1) the agreement they had in place on January 25, 2013, complied with the HIPAA rules as of that date, and (2) the agreement does not expire or renew (other than through evergreen clauses) prior to September 22, 2014.12

  4. Update Privacy Policies. Covered entities should update their privacy policies to comply with the new omnibus rules, including the following as applicable to the covered entity:
    1. Deceased Persons. Covered entities may now disclose protected health information to family members or others who were involved in the decedent’s health care or payment for their care prior to the decedent’s death so long as the disclosure is relevant to the person’s involvement and is not inconsistent with the decedent’s prior expressed wishes.13
    2. Patient Access to Electronic Information. If a patient requests an electronic copy of their information, covered entities must generally produce it in the form requested if readily producible.14 If the patient directs the covered entity in writing to transmit a copy of the electronic information to another person, the covered entity must generally comply.15
    3. Response to Request for Access. Covered entities must generally respond to a patient’s request to access their information within 30 days; the omnibus rule eliminated the provision that gave covered entities extra time to respond if records were maintained offsite.16
    4. Limits on Disclosures to Insurers. Covered entities cannot disclose information about a patient’s care to an insurer if (1) the insurer seeks the information for treatment or payment purposes; (2) the patient or someone on the patient’s behalf paid for the care to which the information pertains; and (3) the patient requests that the information be withheld from the insurer.17 Good luck implementing this requirement. Developing a workable solution may take some advance preparation. Fortunately, the limit only applies if a patient requests nondisclosure; most patients will not request this restriction unless asked, so covered entities should not raise the issue with the patient. If a patient does request nondisclosure, covered entities should require that such requests be directed to a central person who can coordinate the efforts among billing, medical records, IT, and other relevant departments to ensure the protected data is sequestered.
    5. School Immunizations. Covered entities may now disclose information about immunizations to a school if (1) state law requires such information for school enrollment; and (2) the patient or their personal representative consents to the disclosure. The consent may be oral.18
    6. Sale of Information. Covered entities must obtain written authorization to sell a patient’s information, and the authorization must disclose that the sale will result in remuneration to the covered entity.19
    7. Marketing. Covered entities must obtain written authorization to use the patient’s information for marketing purposes, including most non-face-to-face communications for treatment purposes if the covered entity receives financial remuneration to make the communication.20 If remuneration is involved, the marketing authorization must disclose that fact.
    8. Fundraising. The new rule allows covered entities to disclose more information to institutionally related foundations to assist with fundraising, but fundraising communications must explain how the recipient may opt out of receiving such communications and the opt out method cannot be burdensome.21
    9. Research. If the covered entity engages in research, it should review new standards applicable to research as described in 45 CFR § 164.508(b).
  5. Update Breach Notification Policies. The omnibus rule modified the standard for reporting breaches of unsecured health information. Under the new standard, the unauthorized acquisition, access, use or disclosure of protected health information in violation of the Privacy Rule is presumed to be a reportable breach unless (1) the covered entity or business associate demonstrates there is a low probability that the information has been compromised based on a risk assessment of certain factors, or (2) the breach fits within certain exceptions.22 Covered entities must ensure that their policies incorporate, and that they apply, this new, arguably lower standard. For more information about the breach notification standard, see my recent Healthcare Update at http://www.hollandhart.com/pubs/uniEntity.aspx?xpST=PubDetail&pub=2094. Given the lower standard, covered entities and business associates may want to consider encrypting records to the extent possible to avoid reportable breaches.
  6. Modify Notice of Privacy Practices. Covered entities must update their notices of privacy practices to add the following:
    1. A description of the types of information that require an authorization, i.e., psychotherapy notes, marketing, and sale of information.23
    2. A statement that other uses or disclosures not described in the notice will require an authorization.24
    3. A statement that the recipient of fundraising materials may opt out.25
    4. A description of the individual’s right to limit disclosures to insurers if the patient paid for the relevant care.26
    5. A statement that the covered entity must notify the patient of a breach of unsecured protected health information.27
  7. Train Employees. Covered entities and business associates must train their employees concerning the new rules.28
  8. Review HIPAA Compliance. Given the new, lower breach notification standard, covered entities will likely be required to self-report more breaches. Those reports may result in more patient complaints and government investigations. Accordingly, it is a good time to review and, as necessary, improve your compliance with all the HIPAA rules, not just the new omnibus rules. Doing so may help you avoid reportable breaches and, if a breach occurs, sidestep HIPAA penalties, which can range from $100 to more than $50,000 per violation. Having the required policies and safeguards in place, coupled with prompt action to correct any breach, will likely establish an affirmative defense to any penalties. For suggested steps to avoid penalties, see my recent Healthcare Update at http://www.hollandhart.com/pubs/uniEntity.aspx?xpST=PubDetail&pub=1898.

Resources. To assist clients in complying with the new omnibus rule and HIPAA in general, I have prepared sample Privacy Rule policies, forms, and agreements. If you would like to obtain a set of the sample documents, please contact me at kcstanger@hollandhart.com.


1 45 CFR § 160.105
2 Id. at § 164.104(b)
3 Id. at § 164.103
4 Id. at §§ 164.302 to .316
5 Id. at § 164.502(a)(3)
6 Id. at §§ 164.502 to .528
7 Id. at § 164.410
8 Id. at § 164.103
9 Id. at § 164.314(a)(2) and .502(e)(1)
10 Id. at § 164.402(c)
11 See 78 FR 5581
12 45 CFR § 164.532(e)
13 Id. at § 164.510(b)(5)
14 Id. at § 164.524(c)(2)(ii)
15 Id. at § 164.524(c)(3)(ii)
16 Id. at § 164.524
17 Id. at § 164.522(a)(1)(vi)
18 Id. at § 164.512(b)(1)(vi)
19 Id. at § 164.502(a)(5)(ii) and .508(a)(4)
20 Id. at § 164.501 and .508(c)
21 Id. at § 164.514(f)
22 Id. at § 164.402
23 Id. at § 164.520(b)(1)(ii)(E)
24 Id. at § 164.520(b)(1)(ii)(E)
25 Id. at § 164.520(b)(1)(iii)
26 Id. at § 164.520(b)(1)(iv)(A)
27 Id. at § 164.520(b)(1)(v)(A)
28 Id. at § 164.530(b)


For questions regarding this update, please contact
Kim C. Stanger
Holland & Hart, U.S. Bank Plaza, 101 S. Capitol Boulevard, Suite 1400, Boise, ID 83702-7714
email: kcstanger@hollandhart.com, phone: 208-383-3913

This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.


HHS Issues New HIPAA Omnibus Rule

January 18, 2013, in HIPAA

by Kim Stanger, Holland & Hart LLP

HHS issued the new HIPAA omnibus rule yesterday. The new rule contains important changes for health care providers and their business associates. For example, the new rule:

  • Modifies the standard for reporting breaches to patients and HHS. HHS replaced the former “no harm, no foul” rule with a new standard: a breach is presumed unless the covered entity can demonstrate a low probability that the protected health information has been compromised. This requires an assessment of specified factors and will likely increase the number of reportable breaches.
  • Confirms HIPAA requirements for business associates and their subcontractors. Business associates are subject to HIPAA penalties if they fail to comply. The definition of “business associates” was expanded to include entities that provide data transmission services for protected health information and require routine access to the information.
  • Confirms providers are liable for their business associate’s violations if the business associate is acting as the agent for the provider. The rule’s commentary contains a helpful analysis for determining whether an agency relationship exists.
  • Makes it easier for family members to obtain information about decedents. The rule also confirms that HIPAA does not apply to information 50 years after the decedent’s death.
  • Expands patients’ right to obtain electronic copies of their records.
  • Prohibits providers from disclosing information to health insurers if the patient pays for the treatment and requests that the information not be disclosed to insurers. Implementation will create significant practical problems for practitioners.
  • Prohibits the sale of protected health information unless certain conditions are satisfied.
  • Imposes additional requirements for the use of protected health information for marketing or fundraising. Among other things, an authorization is required to disclose information for treatment purposes if the provider is receiving remuneration for the disclosure.
  • Requires new provisions to be added to providers’ Notice of Privacy Practices, including a description of disclosures that require authorizations and notice of a patient’s right to receive notice of HIPAA breaches.

The new rules take effect March 23, 2013, but covered entities and business associates will have until September 23, 2013 to comply. Before then, providers will need to take certain actions to remain compliant, including:

  • Modify their Notice of Privacy Practices.
  • Update and/or execute new business associate contracts, including contracts for subcontractors and health information organizations. Existing compliant contracts do not need to be modified until September 2014.
  • Revise privacy, security and breach notification policies to incorporate the new requirements.
  • Modify authorizations and other forms as necessary to track the new rules.
  • Ensure their electronic medical records programs have the functionality to address the new regulatory requirements.
  • Take even greater care to protect patient information given the new standard for evaluating whether breaches are reportable.

Business associates will also need to implement HIPAA privacy and security policies and safeguards applicable to business associates. HHS estimates that complying with the new requirements will cost affected parties a total of $114 million to $225 million during the first year. The new rule can be accessed at: http://www.ofr.gov/OFRUpload/OFRData/2013-01073_PI.pdf. HHS’s press release can be accessed at www.hhs.gov/news/press/2013pres/01/20130117b.html.




HIPAA Compliance: Security Rule Enforcement on the Rise

July 11, 2012, in HIPAA

Most healthcare providers are acutely aware of and generally comply with the HIPAA Privacy Rule; however, they and their business associates may be less familiar with and likely fail to satisfy HIPAA Security Rule requirements. The Privacy Rule generally prohibits covered entities from using or disclosing a patient’s protected health information (“PHI”) without authorization. (45 C.F.R. § 164.500 et seq.). In contrast, the Security Rule applies to electronic health information (“e-PHI”). It requires covered entities and their business associates to implement specific administrative, technical, and physical safeguards to protect the integrity, availability, and confidentiality of e-PHI, e.g., by ensuring that computers and other electronic devices satisfy regulatory standards pertaining to passwords, firewalls, backups, transmission security, etc. (45 C.F.R. § 164.300 et seq.).

In the past, the Office of Civil Rights (“OCR”) seemed not to actively enforce the Security Rule, but that is changing:

  • In March, Blue Cross Blue Shield of Tennessee (“BCBS”) agreed to pay $1.5 million for security rule violations arising out of the theft of unencrypted laptops. Among other things, BCBS failed to conduct the required security assessment and implement access controls required by the Security Rule.
  • In April, a Phoenix cardiology group agreed to pay $100,000 for, among other things, failing to designate a security officer, conduct the required security assessment, implement safeguards required by the Security Rule, or execute business associate agreements with vendors who stored or accessed e-PHI.
  • In June, the Alaska Department of Health and Social Services (“DHSS”) agreed to pay $1.7 million after a USB hard drive was stolen. The OCR’s investigation showed that DHSS did not have adequate policies and procedures in place to safeguard e-PHI, and had not completed the required risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the Security Rule.

These actions sound a wake-up call to all providers and business associates—large, small, or public—who have ignored or become lax with Security Rule compliance. As OCR Director Rodriguez stated, “We hope that health care providers pay careful attention to [these] resolution agreement[s] and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.” The OCR is now required to impose mandatory penalties of $10,000 to $50,000 per violation if a provider is determined to have acted with willful neglect. Based on the recent cases, failing to implement safeguards required by the Security Rule may evidence willful neglect.

If they have not done so recently, providers and their business associates should review their Security Rule compliance. Among other things, they should conduct a security assessment to determine their system vulnerabilities, and implement the safeguards specified in the Security Rule regulations. To obtain a checklist for Security Rule compliance, please click here. In addition, the OCR has published several tools to help entities comply:

  • The OCR’s recently published HIPAA Audit Protocol is a good roadmap for compliance; it is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html.
  • The OCR’s Final Guidance on Risk Analysis is available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalintro.html.
  • The OCR’s series of technical guides for implementing the security rule is available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html.

Putting in place the required policies and practices and documenting appropriate training will go a long way to avoiding Security Rule penalties. More importantly, they will help providers avoid potentially devastating consequences of a security failure, system crash, or the loss of electronic data which the Security Rule is designed to protect. In that regard, Security Rule compliance is not just a regulatory mandate; it is a prudent business practice.




Avoid New HIPAA Penalties

April 25, 2012, in HIPAA

Recent changes to the HIPAA privacy and security rules dramatically increase health care providers’ and their business associates’ potential liability for HIPAA violations.

HIPAA Civil Penalties Are Now Mandatory. In 2009, the penalties for HIPAA violations were increased 500 times their prior limits. Effective February 2011, the Office of Civil Rights (“OCR”) is required to impose HIPAA penalties if the covered entity or its business associate acted with willful neglect, i.e., with “conscious, intentional failure or reckless indifference to the obligation to comply” with HIPAA requirements. The following chart summarizes the penalty structure:

Conduct of covered entity or business associate, and the corresponding penalty:

  • Did not know and, by exercising reasonable diligence, would not have known of the violation: $100 to $50,000 per violation; up to $1,500,000 per identical violation per year.
  • Violation due to reasonable cause and not willful neglect: $1,000 to $50,000 per violation; up to $1,500,000 per identical violation per year.
  • Violation due to willful neglect, but the violation is corrected within 30 days after the covered entity knew or should have known of the violation: mandatory fine of $10,000 to $50,000 per violation; up to $1,500,000 per identical violation per year.
  • Violation due to willful neglect, and the violation was not corrected within 30 days after the covered entity knew or should have known of the violation: mandatory fine of not less than $50,000 per violation; up to $1,500,000 per identical violation per year.

The federal government is serious about the new penalties: the OCR has imposed millions of dollars in penalties or settlements since the mandatory penalties took effect. State attorneys general may also sue for HIPAA violations and recover penalties of $25,000 per violation plus attorneys’ fees. When implemented, HITECH amendments will allow patients to recover a portion of any settlement or penalties related to a HIPAA violation, thereby increasing patients’ incentive to report HIPAA violations.

The good news is that if the covered entity or business associate does not act with willful neglect, the OCR may waive or reduce the penalties, depending on the circumstances. More importantly, if the covered entity or business associate does not act with willful neglect and corrects the violation within 30 days, the OCR may not impose any penalty; timely correction is an affirmative defense.

HIPAA Violations May Be A Crime. Federal law prohibits any individual from improperly obtaining or disclosing protected health information from a covered entity without authorization; violations may result in the following criminal penalties:

Prohibited conduct, and the corresponding penalty:

  • Knowingly obtaining or disclosing protected health information without authorization: up to $50,000 fine and one year in prison.
  • If done under false pretenses: up to $100,000 fine and five years in prison.
  • If done with intent to sell, transfer, or use the information for commercial advantage, personal gain or malicious harm: up to $250,000 fine and ten years in prison.

Physicians, hospital staff members, and others have been prosecuted for improperly accessing, using or disclosing protected health information.

Entities Must Self-Report HIPAA Breaches. The risk of penalties is compounded by the fact that covered entities and business associates must self-report HIPAA breaches that pose a significant risk of financial, reputational or other harm to the individual whose information was breached. If the business associate learns of such a breach, it must report the breach to the covered entity without unreasonable delay. The covered entity must report a breach to the affected individual or their personal representatives and the federal Department of Health and Human Services (“HHS”). If the breach involves more than 500 persons, the covered entity must also publish information about the breach through local media.

What You Need To Do To Avoid Penalties. Given this increased exposure, health care providers and their business associates should do the following to avoid HIPAA penalties:

1. Assign HIPAA responsibility. Covered entities must designate persons to serve as their HIPAA privacy and security officers, and document the designation in writing. The privacy and security officers are responsible for ensuring HIPAA compliance.

2. Know the use and disclosure rules. The basic privacy rules are simple: covered entities and business associates may not use, access or disclose protected health information without the patient’s valid, HIPAA-compliant authorization unless the use or disclosure fits within an exception. Covered entities and business associates may use or disclose protected health information for purposes of treatment, payment or certain health care operations without the patient’s consent; however, they may not use or disclose more than is minimally necessary for the permitted purpose. Additional exceptions apply to specific situations. The OCR maintains a very helpful website to aid covered entities’ compliance: http://www.hhs.gov/ocr/privacy/.

3. Know patients’ rights. HIPAA grants patients certain rights concerning their health information. Among others, patients generally have a right to obtain copies of their protected health information; request amendment to their information; and obtain an accounting of impermissible disclosures. Covered entities and business associates must know and allow patients to exercise their rights. Cignet Health was fined $4.3 million for, among other things, failing to timely respond to patient requests to access their health information.

4. Maintain written policies. HIPAA requires covered entities and business associates to develop and maintain written policies that implement the privacy and security rule requirements, including those dealing with confidentiality and patients’ rights. Having the required policies is a key to avoiding penalties. According to HHS, maintaining the required written policies is a significant factor in avoiding penalties imposed for “willful neglect.” Rite Aid paid $1,000,000 to settle HIPAA violations based in part on its failure to maintain required HIPAA policies. This week, a Phoenix cardiology group was fined $100,000 in part because it failed to have written policies required by HIPAA. To obtain a checklist of required policies, contact me at kcstanger@hollandhart.com.

5. Develop compliant forms. HIPAA requires that certain documents used by covered entities and business associates satisfy regulatory requirements. For example, HIPAA authorizations must contain certain elements to be valid. Covered entities must provide patients with a notice of privacy practices that contains certain statements. Other forms may be developed to ensure compliance with patient rights. Ensure your HIPAA forms satisfy the regulatory requirements.

6. Execute business associate agreements. Although HIPAA now applies directly to business associates, HIPAA still requires covered entities to execute “business associate agreements” with their business associates before disclosing protected health information to the business associate. Under proposed rules, business associates must execute similar agreements with subcontractors to whom the business associate discloses protected health information. The business associate agreements must contain certain elements. Breach of the business associate agreement exposes the business associate to contract claims by the covered entity in addition to civil or criminal penalties imposed by the government. Covered entities are generally not liable for the actions of their business associates unless the business associate is acting as the agent of the covered entity. Make sure your business associate agreements confirm that the business associate is an independent contractor, not your agent.

7. Train employees and agents. Having the policies and forms is only the first step; covered entities and business associates must train their employees to comply with the policies and document that training. HIPAA requires that new employees be trained within a reasonable period of time after hire, and as needed thereafter. Documented training is a second critical step to avoiding HIPAA penalties. According to HHS commentary, covered entities may avoid HIPAA penalties based on the misconduct of a rogue employee so long as the covered entity implemented appropriate policies and adequately trained the employee.

8. Use appropriate safeguards. The government recognizes that patient privacy cannot be absolutely protected. HIPAA does not impose liability for “incidental disclosures” so long as the covered entity or business associate implemented reasonable administrative, technical and physical safeguards designed to protect against improper disclosures. The security rule contains detailed regulations concerning safeguards that must be implemented to protect electronic health information. The privacy rule is less specific. The reasonableness of safeguards depends on the circumstances, but may include, for example, not leaving protected health information where it may be lost or improperly accessed; checking e-mail addresses and fax numbers before sending messages; and using fax cover sheets.

9. Respond immediately to any breach. This is critical for several reasons. First, HIPAA requires covered entities and business associates to investigate any privacy complaints, mitigate any breach, and impose appropriate sanctions against any agent who violates HIPAA. It may also require covered entities to terminate an agreement with a business associate due to the business associate’s noncompliance. Second, an entity may be able to ameliorate or negate any risk of harm to the patient by taking swift action, thereby avoiding the obligation to self-report HIPAA violations to the individual and HHS. Third, a covered entity or business associate can avoid HIPAA penalties altogether if it does not act with willful neglect and corrects the violation within 30 days.

10. Timely report breaches. If a breach of unsecured protected health information poses a risk of significant financial, reputational or other harm to the patient, business associates must promptly report the breach to covered entities, and covered entities must notify the patient within 60 days. If the breach involves fewer than 500 persons, the covered entity must notify HHS by filing an electronic report no later than 60 days after the end of the calendar year. If the breach involves 500 or more persons, the covered entity must file the electronic report when it notifies the patient. The written notice to the patient must satisfy regulatory requirements.

11. Document your actions. Documenting proper actions will help you defend against HIPAA claims. Covered entities and business associates are required to maintain documentation required by HIPAA for six years.

As I write this article, the Office of Management and Budget is reviewing new HIPAA regulations. Covered entities and business associates should watch for the new regulations and implement any additional changes as necessary.


For questions regarding this update, please contact:
Kim C. Stanger
Holland & Hart, 800 W Main Street, Suite 1750, Boise, ID 83702
email: kcstanger@hollandhart.com, phone: 208-383-3913

This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.

Avoid New HIPAA Penalties, posted April 25, 2012