Stay tuned for many further developments – The Health Law Partners will be providing numerous valuable educational resources for its clients.
The announcement and links are below.
January 17, 2013
The U.S. Department of Health and Human Services (HHS) has announced a new rule to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.
The changes in the final rulemaking provide the public with increased protection and control of personal health information. The changes announced today expand many of the privacy and security requirements to business associates that receive protected health information, such as contractors and subcontractors. Business associates may also be liable for the increased penalties for noncompliance based on the level of negligence up to a maximum penalty of $1.5 million. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.
Individual rights are expanded in important ways. Patients can ask for a copy of their electronic medical record in an electronic form. When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan. The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes, and prohibits the sale of an individual’s health information without their permission.
The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.
The Rulemaking announced today may be viewed in the Federal Register at https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf.
A press release from the U.S. Department of Health and Human Services (“HHS”) published on January 2, 2013 announced that the Department had reached its first settlement with a covered entity for a breach of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule affecting fewer than 500 individuals. The settlement agreement with the Hospice of North Idaho (“HONI”) was the result of an investigation into HONI’s privacy practices initiated after the entity self-reported to the HHS Office for Civil Rights (“OCR”) that a laptop containing the unencrypted electronic protected health information (“ePHI”) of 441 individuals was stolen in June of 2010.
During its investigation, OCR found that HONI had failed:
• To conduct an adequate risk analysis of the unencrypted ePHI on portable devices that HONI used for the entity’s field work;
• To subsequently adopt, implement, and maintain appropriate security measures to ensure the confidentiality of the ePHI on the portable devices that it used to create, maintain, and transmit the ePHI; and
• To document the decisions it made with regards to security measures.
As a result of the settlement, HONI agreed to pay HHS $50,000 and enter into a Corrective Action Plan. While the settlement resolves the investigation under the Privacy and Security Rules, it does not absolve HONI of liability under other provisions that may apply, such as section 1177 of the Social Security Act for knowing or intentional releases of PHI.
For breaches involving 500 or more individuals, the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report the breach within 60 days after discovery. Breaches affecting fewer than 500 individuals, such as the one underlying the settlement with HONI, must be reported to the Secretary on an annual basis.
Given the increased enforcement activity in the HIPAA area, providers are well advised to ensure that they have appropriate HIPAA privacy and security measures in place.
The Massachusetts Attorney General’s Office announced Thursday that it has settled, for $750,000, a data breach lawsuit filed against South Shore Hospital under the Massachusetts Consumer Protection Act and the federal Health Insurance Portability and Accountability Act (HIPAA).
The alleged HIPAA violation arose from unencrypted back-up tapes that South Shore sent offsite to a data archiving company to be erased and re-sold as blank media. However, the hospital did not inform the data company that the tapes contained protected health information (PHI), did not determine whether the data company had appropriate safeguards in place to protect the PHI, and did not enter into a business associate agreement with the company. In shipment, two of three boxes containing the PHI were lost and have not been recovered.
The lawsuit, brought by the Massachusetts Attorney General’s Office, is only the third of its kind. Through the Health Information Technology for Economic and Clinical Health Act (HITECH), passed in 2009, Congress: (i) dramatically increased the HIPAA monetary penalties that could be levied against providers; (ii) granted authority to state attorneys general to prosecute HIPAA privacy and security violations; and (iii) perhaps most importantly, allowed state attorneys general to share in any monetary penalties that they are able to collect (i.e., a “bounty sharing” provision). The changes were in response to a perceived lack of enforcement of the HIPAA regulations by the Office for Civil Rights of the Department of Health and Human Services (HHS).
While only the Vermont and Connecticut Attorneys General had previously initiated lawsuits under HITECH, the legislation is expected to add serious teeth to healthcare privacy laws. Under HITECH, an attorney general receiving a complaint from a resident may sue in federal district court for an injunction and monetary damages. In all three cases, the attorneys general have brought suit under both HIPAA and state privacy laws, and HHS has actively supported the initiative by offering in-person and computer-based training to state attorneys general nationwide, and even assisting the Connecticut Attorney General’s Office in its prosecution.
South Shore Hospital, which settled for $750,000, was the largest of the three AG-initiated lawsuits. As the size of HIPAA violation settlements continues to grow, so too will the interest of states in exercising their new-found authority. Attorneys general may also be more inclined to initiate HIPAA lawsuits because of the positive impression such actions will make on constituents.
As the HITECH incentives catalyze the shift toward electronic health records, privacy issues will be at the forefront, attracting much greater attention than in the past. Hospitals, physicians, health care providers, Business Associates, and all other parties subject to HIPAA regulations are well advised to ensure that they have appropriate HIPAA policies, procedures, and safeguards in place to protect patient privacy, avoid violating HIPAA, and avoid attracting the attention of a much more aggressive, financially incentivized corps of state attorneys general.
On November 17, 2011, the Centers for Medicare and Medicaid Services (“CMS”) announced that it will delay enforcement action until March 31, 2012 for those Health Insurance Portability and Accountability Act (“HIPAA”) covered entities that are not in compliance with the ASC X12 Version 5010, NCPDP Telecom D.0 and NCPDP Medicaid Subrogation 3.0 standards. CMS stated, however, that the compliance date remains January 1, 2012; it will simply apply its enforcement authority at its discretion during the interim period. According to an FAQ posted on the CMS website:
What will be the level of enforcement during the enforcement discretion period for X12 Version 5010 (Version 5010), NCPDP Telecom D.0 (NCPDP D.0) and NCPDP Medicaid Subrogation 3.0 (NCPDP 3.0) implementation?
The compliance date for implementation of these updated standards remains January 1, 2012. Because trading partner testing has not reached a threshold whereby a majority of covered entities may be able to comply by the compliance date, the Centers for Medicare & Medicaid Services’ Office of E-Health Standards and Services (OESS), has announced that it would exercise its enforcement discretion with respect to any HIPAA covered entity that a complaint is filed against for violation of compliance with Version 5010, NCPDP D.0 and NCPDP 3.0 standards. The enforcement discretionary period is for 90 days after the January 1, 2012 compliance date.
If a complaint is received by CMS after January 1, 2012, the entity against which the complaint has been filed will be evaluated to determine its level of compliance. An assessment will be made of the filed-against entity’s efforts to test and become compliant. OESS will take appropriate actions as permitted under the authority of the HIPAA enforcement rule, but will not assess any penalties and/or civil monetary penalties during this 90-day period.
Please note: this requirement applies to everyone who is covered by HIPAA, not just those who submit Medicare or Medicaid claims.
In August, we posted an entry regarding the newly announced Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) audits that would be underway, pursuant to Section 13411 of the Health Information Technology for Economic and Clinical Health Act (“HITECH”). Section 13411 provides, in its entirety:
SEC. 13411. AUDITS.
The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements.
In implementing this provision, the Office of Civil Rights (“OCR”) is conducting a pilot program (“Pilot”) in which it will “perform up to 150 audits of covered entities to assess privacy and security compliance. Audits conducted during the Pilot will begin November 2011 and conclude by December 2012.” Business associates will not be audited at this time.
The OCR has promulgated a 3-step process for the Pilot:
(1) Developing audit protocols,
(2) Conducting a limited number of audits (20) to test the protocols, which includes the following four steps:
a. Auditee selection
b. Auditee notification
c. Test of protocol
d. Period of review and adjustment of protocols
(3) Conducting a full range of audits using revised protocol materials
The OCR aims at auditing a wide range of types and sizes of covered entities, including covered individual and organizational providers, health plans and healthcare clearinghouses.
Covered entities being audited by the OCR can generally expect the following:
- Written notification by OCR that the covered entity has been selected for an audit and a request to provide documentation of the covered entity’s privacy and security compliance efforts (OCR provides this sample Initial Notification Letter on its website)
- The covered entity will have 10 business days to supply the requested information
- Within 30-90 days from the date of the initial written notification, the OCR will conduct a site visit (lasting between 3 and 10 business days) involving interviews of key personnel and observations of processes and operations to determine compliance
- The auditors will develop a draft audit report and share it with the covered entity
- The covered entity will have 10 business days to discuss the identified concerns and describe corrective actions it has implemented to address the identified concerns
- Within 30 business days after receipt of the covered entity’s response, the OCR will submit a final audit report, which will incorporate the steps the covered entity has already taken to resolve compliance issues
According to the OCR, “[a]udits are primarily a compliance improvement activity….Generally, OCR will use the audit reports to determine what types of technical assistance should be developed, and what types of corrective action are most effective. Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem.”
On September 14, 2011, the Centers for Medicare and Medicaid Services (“CMS”) published in the Federal Register a proposed rule amending the Clinical Laboratory Improvement Amendments of 1988 (“CLIA”) and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to specify that, upon request, a patient may gain access to his/her completed test reports directly from a laboratory (“Proposed Rule”).
Currently, CLIA provides that a laboratory may only disclose test results to three categories of individuals: (1) an “authorized person,” (2) the person responsible for using the test results in the treatment context, and (3) the referring lab (42 CFR 493.1291(f)). “Authorized person” is defined as “the individual authorized under State law to order or receive test results, or both.” Moreover, even though HIPAA requires patients have access to their protected health information (“PHI”), this right of access does not extend to PHI maintained by a covered entity that is subject to CLIA or exempt from CLIA (this exception can be found at 45 CFR 164.524(a)(1)(iii)).
Under the Proposed Rule, CMS proposes to remove such restrictions in the patient-access rules thereby allowing patients to obtain the laboratory testing results directly from the laboratory. CMS proposes to amend CLIA to allow patients, upon request, to have direct access to their laboratory test reports. In the preamble to the regulations, CMS stated that it would not dictate under CLIA how patients could request such access:
[T]he CLIA regulations would not spell out the mechanism by which patient requests for access would be submitted, processed, or responded to by the laboratories. In providing this latitude, we intend to allow patients and their personal representatives’ access to patient test reports in accordance with the requirements of the HIPAA Privacy Rule.
CMS likewise proposes amending the HIPAA Privacy Rule to require covered entities that are laboratories subject to CLIA and those that are CLIA-exempt to have the same obligations as other covered entities with respect to providing individuals access to their PHI in accordance with the requirements 45 CFR 164.524. In other words, CLIA laboratories and CLIA-exempt laboratories would no longer be excepted from the requirement to give patients access to their PHI upon request.
CMS also notes that even though there may be a number of state laws prohibiting laboratories from releasing test reports directly to patients, the new regulations, if adopted, would preempt such laws.
The Health Information Technology for Economic and Clinical Health Act (“HITECH”) requires the Office for Civil Rights (“OCR”) to conduct periodic audits of covered entities to assess their compliance with the privacy and security requirements set forth in the Health Insurance Portability and Accountability Act (“HIPAA”). In June, the OCR awarded KPMG, LLP (the “Contractor”) a $9.2 million contract to administer HIPAA audits. During the first phase of audits, the OCR plans to visit 150 covered entities.
According to the Federal Business Opportunities website, after developing the audit protocol, the Contractor must meet the entities and perform the following audit activities:
• Site Visits – Site visits include interviewing with leadership (e.g., CIO, Privacy Officer, legal counsel, health information management director, etc.), examining physical features and operations, evaluating the consistency of process to policy, and observing compliance with regulatory requirements;
• Audit Report – Submitting an audit report after each site visit consisting of the following:
o A timeline and methodology of the audit, best practices, raw data collection materials (e.g., completed checklists and interview notes), a certification indicating the audit is complete;
o Specific recommendations for actions the audited entity can take to address identified compliance problems through a corrective action plan;
o Recommendations to the contracting officer’s technical representative (“COTR”) regarding continued need for corrective action, if any, and description of future oversight recommendations; and
o A final report including, at a minimum:
– Identification and description of the audited entity: full name, address, EIN and contact person;
– Methods used to conduct the audit; and
– For each finding:
• Condition: The defect or non-compliant status observed, and evidence of each;
• Criteria: A clear demonstration that each negative finding is a potential violation of the Privacy or Security Rules;
• Cause: The reason that the condition exists, along with identification of supporting documentation used;
• Effect: The risk or non-compliant status that results from the finding;
• Recommendations for addressing each finding;
• Entity corrective actions taken, if any;
• Acknowledgement of any best practice(s) or success(es); and
• Overall conclusion paragraph.
In an August 1, 2011 letter to the U.S. Department of Health and Human Services Secretary, Kathleen Sebelius, the American Hospital Association (“AHA”) urges the Centers for Medicare and Medicaid Services (“CMS”) to reevaluate its HIPAA Privacy Rule Accounting of Disclosures Proposed Rulemaking (“Proposed Rule”). The AHA is the latest healthcare organization to urge the reconsideration of the Proposed Rule.
In its plea, AHA writes that the Proposed Rule is unable to “appropriately balance the relevant privacy interests of individuals with the substantial burdens on covered entities, including hospitals.” Further, AHA points out that the potential length of the reports required under the Proposed Rule would likely create a large burden for the covered entities without much benefit to the patients.
In conclusion, the AHA letter includes the organization’s recommendations for improvements to the disclosure rule. The AHA requests that HHS:
• “clarify the discussion of designated record sets, adopt its proposed exclusions to the accounting requirement and maintain existing exclusions” and preserve “a 60-day response requirement and limit an accounting to three years,”
• “reissue a request for information aimed at better reflecting the statutory requirements, the technological realities, and better alignment of the regulation’s effectiveness with the compliance burdens” instead of creating the “new individual right to an access report,”
• withdraw “the preamble discussion in order to reflect longstanding department guidance,”
• adopt other changes in the event that it does not abandon the access report.
On May 31, 2011, the Department of Health and Human Services (“HHS”) issued a notice of proposed rulemaking (“Proposed Rule”) in relation to the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule (“Privacy Rule”). The Proposed Rule concerns changes to the accounting of disclosures requirement of the Privacy Rule.
The Proposed Rule intends to divide §164.528 of the Privacy Rule (the accounting of disclosures of protected health information provision) to provide two distinct, but complementary, rights for individuals. These rights would include an individual’s expanded accounting of disclosures right and an individual’s right to a report revealing who has accessed his or her protected health information contained in an electronic designated record set.
The revised accounting of disclosures right, to be modified by HHS under HIPAA authority, intends to improve the workability and effectiveness of the provision. This right would provide information about hardcopy and electronic disclosures made from a designated record set to outside persons and the covered entity’s business associates for specific purposes (e.g., legal actions, workers’ compensation). The full accounting of disclosures would provide more detailed information for certain disclosures that would most likely impact an individual. The information would be maintained for a three-year period (a reduction from the current six-year requirement). HHS proposes that all covered entities and business associates implement the modified requirements of the accounting of disclosures provision starting 180 days from the final date of the regulation (240 days after publication).
As part of its authority under the Health Information Technology for Economic and Clinical Health Act (“HITECH”), HHS is proposing to create the right to an access report. This right intends to give individuals information about others’ access to the patients’ protected health information contained in an electronic designated record set. The right would cover a three-year period as well, but it would only provide individuals with a report of who accessed the electronic record and would not include the reasons for the access. The date, time, and name of person accessing the information (or the entity if the individual’s name is unavailable) would be included in the report; the description of the type of information disclosed and the user’s action would also be included if available. No distinction would be made between “uses” and “disclosures” of the information in the report. HHS proposes that business associates and covered entities provide individuals with the access report right under the provision beginning January 1, 2013 (for electronic designated record set systems acquired after January 1, 2009) or January 1, 2014 (for electronic designated record set systems acquired as of January 1, 2009).
Since the rights within the provision are limited to protected health information within a designated record set, some business associates will not be affected by the requirement that covered entities include the applicable disclosures and uses of their business associates.