1 California :: Delaware :: Florida :: New Jersey :: New York :: Pennsylvania :: Virginia :: Washington, D.C. :: www.buchananingersoll.com NEW OBLIGATIONS UNDER HIPAA STEPHANIE WINER-SCHREIBER May 19, 2011

Dec 27, 2015


NEW OBLIGATIONS UNDER HIPAA

STEPHANIE WINER-SCHREIBER

May 19, 2011


OVERVIEW

I. RECENT DEVELOPMENTS – HITECH ACT

II. NEW OBLIGATIONS FOR COVERED ENTITIES

III. NEW OBLIGATIONS FOR BUSINESS ASSOCIATES

IV. ENFORCEMENT CHANGES

V. July 14, 2010 Proposed Rule


WHAT’S NEW?

HITECH ACT OF 2009: HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT
• Effective February 17, 2010

Proposed Rule – July 14, 2010
• Modifications to the HIPAA Privacy, Security, and Enforcement Rules
• NOT FINAL RULE
• Comment period through September 13, 2010
• Final Rule – Any time now!


KEY POINTS

• Extends the reach of privacy and security protections beyond covered entities
• Imposes additional obligations on Business Associates
• Authorizes greater access and rights to individuals
• Imposes State Attorney General oversight and additional tiered penalties
• Proposed Rule attempts to clarify obligations for both Covered Entities and Business Associates


NEW OBLIGATIONS FOR COVERED ENTITIES

• Notice Obligations in the event of a “breach”
• Even if not a “breach” it may still be a HIPAA violation
• Individuals may request additional restrictions:
  • May request that a covered entity not disclose PHI to a health plan if the disclosure is for payment or healthcare operations (not treatment) AND the PHI pertains solely to a healthcare item or service for which the provider has been paid in full
    • Issue for comment in Proposed Rule


NEW OBLIGATIONS FOR COVERED ENTITIES

Further limitations on use of PHI – Minimum Necessary Requirements
• Safe Harbor Limited Data Set
• Retains current carve outs for treatment
• HHS guidance pending comments on Proposed Rule


NEW OBLIGATIONS FOR COVERED ENTITIES

Electronic Health Records and Accountings
• Accountings will be required for treatment, payment and healthcare operations for disclosures made through an electronic health record
• Accountings 3 years prior to request
• Compliance date dependent on date of electronic health record


NEW OBLIGATIONS FOR COVERED ENTITIES

Electronic Health Records and Accountings – Cont.
• Current electronic health record users (as of 1/1/09) – applies to disclosures on or after 1/1/14
• Others (acquire electronic health records after 1/1/09) later of 1/1/11 or date of acquisition
• Secretary can set later effective date, but no later than 2016 or 2013 respectively


NEW OBLIGATIONS FOR COVERED ENTITIES

Electronic Health Records and Accountings – Cont.
• Covered Entity may provide accountings for itself and all BAs or
• May provide list of all BAs and their contact information
• Possible modifications/expansions based on Proposed Rule


NEW OBLIGATIONS FOR COVERED ENTITIES

Electronic Health Records and Accountings – Cont.
• Individuals may request information in an electronic format if the covered entity uses or maintains an electronic health record
• Fee may not be greater than the covered entity’s labor costs in responding to the request
• May request to have it sent electronically to third party
• Effective February 17, 2010


NEW OBLIGATIONS FOR COVERED ENTITIES

• A covered entity and business associate may not directly or indirectly receive remuneration in exchange for protected health information of an individual unless the covered entity obtains from the individual a valid authorization
• Effective 6 months following issuance of HHS Rule
• There are proposed modifications in the Proposed Rule
• There are exceptions ---


NEW OBLIGATIONS FOR COVERED ENTITIES

Exceptions:
• public health activities
• research and the price charged reflects the costs of preparation and transmittal of the data for such purpose
• treatment (subject to future regulations by the Secretary)
• Healthcare operations (Proposed Rule clarifications)
• activities pursuant to a business associate agreement
• provision of information to an individual (in accordance with a valid request)
• other exchanges approved by the Secretary


NEW OBLIGATIONS FOR COVERED ENTITIES

New Marketing Requirements

Definition of Marketing – “A communication about a product or service that encourages recipients of the communication to purchase or use the product or service”


NEW OBLIGATIONS FOR COVERED ENTITIES

Marketing Exceptions:

Communications that encourage recipients to purchase or use the product will not be considered to be healthcare operations unless the communication is made: (i) to describe a health related product or service that is provided by or included in a plan of benefits of the covered entity making the communication, replacement of or enhancements to a health plan; and health related product or services available only to a health plan enrollee that add value to, but are not part of a plan of benefits; (ii) for treatment; or (iii) for case management or care coordination for the individual or to direct or recommend alternative treatments, therapies, healthcare providers or settings of care for the individual


NEW OBLIGATIONS FOR COVERED ENTITIES

Communications that fall within the marketing exception:
• Are not marketing
• Still need to be permissible under the Privacy Rule
• Typically characterized as healthcare operations or treatment
• Are the only types of communications to encourage the use or purchase of a product or service that can be considered healthcare operations


NEW OBLIGATIONS FOR COVERED ENTITIES

Marketing Exceptions Cont.

These communications cannot be healthcare operations if the Covered Entity received direct or indirect payment, unless:
• The communication describes only a current prescribed drug or biologic and any payment is reasonable in amount – or
• Covered Entity receives an authorization – or
• The communication is made by a BA on behalf of a Covered Entity within the scope of the Business Associate Agreement


NEW OBLIGATIONS FOR BUSINESS ASSOCIATES

• HIPAA Security Rule Regulations under Sections 164.308, 164.310, 164.312, and 164.316 will become applicable to Business Associates
• These sections relate to administrative safeguards, physical safeguards, technical safeguards, and documentation requirements
• Potentially broader requirements under Proposed Rule


NEW OBLIGATIONS FOR BUSINESS ASSOCIATES

Security Rule Examples: Administrative Safeguards:
• Develop policies and procedures
• Appoint a security officer
• Establish sanctions for violations
• Provide security training
• Perform evaluations of effectiveness of policies and procedures


NEW OBLIGATIONS FOR BUSINESS ASSOCIATES

Security Rule Examples: Physical Safeguards:

Implement policies and procedures to limit physical access to information systems

Implement safeguards for workstation security

Develop policies for disposition of PHI on workstations

Develop policies and procedures for removal of hardware from facility


NEW OBLIGATIONS FOR BUSINESS ASSOCIATES

Security Rule Examples: Technical Safeguards:

Assign unique names and/or numbers for tracking user identity

Establish mechanisms for auditing activity

Establish means of verifying users

Establish means of restricting PHI transmissions over an electronic network


NEW OBLIGATIONS FOR BUSINESS ASSOCIATES

Security Rule Examples: Documentation Requirements:
• Policies must be in writing (or in electronic format)
• Reports of actions and activities must be maintained in writing or electronically
• Required documentation must be retained for at least 6 years from the later of date of creation or date last in effect
• Documentation must be periodically reviewed and modified as necessary


NEW OBLIGATIONS FOR BUSINESS ASSOCIATES

Even if appropriate safeguards are in place, Business Associates should document compliance with each aspect of the Security Rule

Will require a risk assessment and appropriate policies and procedures


NEW OBLIGATIONS FOR BUSINESS ASSOCIATES

Non Compliance –
• Under HIPAA, if Covered Entity had knowledge that BA was not complying, then Covered Entity had obligation to cure, terminate contract or if not feasible, report to HHS
• HITECH makes this obligation reciprocal
• If BA is aware of non compliance by Covered Entity – BA has obligation to cure, terminate contract or if not feasible, report to HHS
• Proposed Rule potentially modifies this further


NEW OBLIGATIONS FOR BUSINESS ASSOCIATES

• Business Associates may become directly responsible for responding to requests for accountings
• Covered Entities may not want Business Associates to take on this responsibility
• Business Associates – Increased obligations for reporting breaches
• Business Associates – may want to encrypt PHI
• Will need to establish policies and protocols
• Proposed Rule includes additional obligations


NEW OBLIGATIONS FOR BUSINESS ASSOCIATES

• Business Associates will need to develop policies and procedures regarding minimum necessary obligations
• Business Associates and individuals (i.e. employees) may be held liable for violations
• No longer just a contractual breach
• Under Proposed Rule – greater overall obligation to comply with Privacy Rule and increased definition of workforce


ENFORCEMENT CHANGES

• State Attorneys General can bring civil HIPAA actions
• A percentage of civil monetary penalties will go to victims
• Civil monetary penalties are tiered and the cap raised from $25,000 to $1.5 million annually per type of violation
• Fines are mandatory if caused due to “willful neglect”
• Extensive proposals in Proposed Rules


ENFORCEMENT CHANGES

HIPAA criminal penalties apply to individuals

Business Associates can be held liable

HHS may bring civil enforcement actions where the violation may be criminal but no criminal action is pursued


PROPOSED RULE

• Remember they are just PROPOSED RULES and may change significantly
• Highlights thought process of HHS
• Significant areas of potential change
  • Definition of Business Associate
  • Requirements for new Business Associate Agreements
  • Obligations for Business Associates
  • Timeframes for compliance (including new Business Associate Agreements)
  • Content for Privacy Notices
  • Changes with respect to marketing and fundraising


Questions?

Stephanie W. Schreiber, Esq.
Buchanan Ingersoll & Rooney PC
20th Floor, One Oxford Centre
Pittsburgh, PA 15219
Phone: 412-392-2148
FAX: 412-392-2128
email: [email protected]