VOL. 61, NO. 3 SPRING, 2011
FDCC QUARTERLY

Health Care Reform in the United States: HITECH Act and HIPAA Privacy, Security, and Enforcement Issues
Amy E. Kempfert and Benjamin D. Reed

Bailing Out Medicare: Defense Counsel’s Medicare Reporting and Set-Aside Obligations
Matthew Y. Biscan and Geralyn M. Passaro

Liability Claims in the Medicare Secondary Payer Arena: Planning the Medicare Set-Aside
Charles D. Joyner and Christine E. Harper

Insurers’ Claims for Legal Malpractice Against Defense Counsel Hired for Their Insureds
John S. Wilkerson, III and Jeffrey T. Stover

Professional Liability Insurance Coverage for Law Firms: Understanding Key Policy Provisions and Educating Your Firm’s Attorneys
Charles J. Baker III

Landfall: Tropical Storms and Producer Pitfalls
James D. Ebanks and Christian R. Johnson

Skyrocketing Litigation Costs Compel Broad Revision of the Federal Rules of Civil Procedure: A Review of Proposed Rule Changes Submitted by the FDCC, LCJ and Other Defense Groups to Standing Committee on Rules of Practice and Procedure
Howard Merten and Alexandra W. Pezzello
FDCC QUARTERLY
Spring, 2011 Volume 61, Number 3

Contents

Cite as: 61 FED’N DEF. & CORP. COUNS. Q. ___ (2011).

The Federation of Defense & Corporate Counsel Quarterly is published quarterly by the Federation of Defense & Corporate Counsel, Inc., 11812 North 56th Street, Tampa, FL 33617. Readers may download articles appearing in the FDCC Quarterly from the FDCC website for their personal use; however, reproduction of more than one copy of an article is not permitted without the express written permission of the FDCC and the author. Copyright, 2011, by the Federation of Defense & Corporate Counsel, Inc.

Health Care Reform in the United States: HITECH Act and HIPAA Privacy, Security, and Enforcement Issues
Amy E. Kempfert and Benjamin D. Reed .......... 240

Bailing Out Medicare: Defense Counsel’s Medicare Reporting and Set-Aside Obligations
Matthew Y. Biscan and Geralyn M. Passaro .......... 274

Liability Claims in the Medicare Secondary Payer Arena: Planning the Medicare Set-Aside
Charles D. Joyner and Christine E. Harper .......... 288

Insurers’ Claims for Legal Malpractice Against Defense Counsel Hired for Their Insureds
John S. Wilkerson, III and Jeffrey T. Stover .......... 305

Professional Liability Insurance Coverage for Law Firms: Understanding Key Policy Provisions and Educating Your Firm’s Attorneys
Charles J. Baker III .......... 315

Landfall: Tropical Storms and Producer Pitfalls
James D. Ebanks and Christian R. Johnson .......... 330

Skyrocketing Litigation Costs Compel Broad Revision of the Federal Rules of Civil Procedure: A Review of Proposed Rule Changes Submitted by the FDCC, LCJ and Other Defense Groups to Standing Committee on Rules of Practice and Procedure
Howard Merten and Alexandra W. Pezzello .......... 346
FDCC Quarterly/Spring 2011
240

Health Care Reform in the United States: HITECH Act and HIPAA Privacy, Security, and Enforcement Issues†
Amy E. Kempfert
Benjamin D. Reed

I. Introduction
The Health Insurance Portability and Accountability Act
(“HIPAA”) was enacted on August 21, 1996.1 The Act encompasses five
separate Titles. Title II of HIPAA, known as the Administrative
Simplification provisions, requires the Secretary of the U.S.
Department of Health and Human Services (“HHS”) to promulgate
standards for the electronic exchange of health care transactions,
as well as privacy and security standards for safeguarding and
protecting the privacy of an individual’s personal health
information. The Administrative Simplification provisions have been
codified at 45 C.F.R. §§ 160, 162, and 164. The standards are meant
to improve the efficiency and effectiveness of the nation’s health
care system by encouraging the widespread use of electronic data
interchange, while providing appropriate safeguards to protect the
privacy of individuals’ health information by placing limits on the
access, use, and disclosure of protected health information
(“PHI”). HIPAA has historically applied only to health plans,
health care clearinghouses, and health care providers, otherwise
known as “covered entities.”2

† Submitted by the authors on behalf of the FDCC Healthcare Practice section.
1 Health Insurance Portability and Accountability Act, Pub. L. No. 104–191, 110 Stat. 1936 (1996).
2 45 C.F.R. §§ 160.102–.103 (2010).

Amy E. Kempfert is a shareholder in the law firm of Best & Sharp P.C. in Tulsa, Oklahoma where she focuses her practice in the areas of medical negligence, health care law, employment law, and products liability. She is admitted to practice in Oklahoma and before the United States Supreme Court, the United States Court of Appeals for the Tenth Circuit, and the United States District Courts for the Eastern, Western and Northern Districts of Oklahoma. Ms. Kempfert is a Fellow of the American College of Trial Lawyers. She is a member of the Tulsa County Bar Association, the Oklahoma Bar Association, the American Bar Association, the Federation of Defense and Corporate Counsel, the American Society of Law, Medicine and Ethics, Defense Research Institute, and the Oklahoma Association of Defense Counsel. Ms. Kempfert is a founding member (Master) of the Hudson-Hall-Wheaton Chapter of the American Inns of Court.

However, few—if any—covered entities carry out each health care function, service, or activity themselves; rather, they enlist the services of numerous third-party businesses and
individuals, termed “business associates.”3 HIPAA requires covered entities to enter into contractual agreements with business associates, called “business associate agreements.”4 These agreements expressly define the permitted uses and disclosures of PHI and mandate the use of specified procedures to adequately safeguard PHI. Technically, covered entities are permitted to disclose an individual’s PHI to a business associate only if the covered entity obtains the proper assurances (through the agreement) that the business associate will safeguard and not misuse the information. However, many covered entities do not even know about this requirement, let alone have such agreements in place. Because HIPAA did not apply directly to business associates, they were not directly liable for failing to comply with its provisions. Rather, if a business associate violated HIPAA, the only applicable remedy was for the covered entity to sue for breach of contract. HIPAA’s privacy, security, and enforcement provisions have been widely criticized for providing inadequate protections against improper access, use, and disclosure of PHI and for providing inadequate individual rights governing access, use, and disclosure of one’s PHI. Additionally, HIPAA has been attacked for casting a compliance net too narrow to include third-party business associates, who often have equivalent access to PHI without the threat of an enforcement action for a HIPAA violation. By the same token, enforcement under HIPAA has historically been lax at best. Coupled with the low monetary penalties for non-compliance, HIPAA’s enforcement regulations were considered to have little deterrent effect, failing to produce any meaningful compliance and lending credence to the view that HIPAA was merely a “paper tiger.”5

3 Id. § 160.103.
4 Id. § 164.504(e).

On February 17, 2009 Congress passed the Health Information Technology for Economic and Clinical Health (“HITECH”) Act as part of the American Recovery and Reinvestment Act (“ARRA”).6 Among other provisions, one of the major purposes of the HITECH Act is to improve the nation’s health care through Health Information Technology (“HIT”)7 by promoting the “meaningful use” of electronic health records (“EHR”) through various incentives. The HITECH Act provides financial incentives to health care providers to adopt an EHR system prior to the end of 2015, and financial disincentives for failing to do so. The HITECH Act also provides funding for a national EHR infrastructure, state collaboration, effectiveness research, as well as HIT training and education for health care professionals.
Benjamin D. Reed is an attorney with the law firm of Best & Sharp P.C. in Tulsa, Oklahoma where he focuses his practice in the areas of medical malpractice defense and general insurance defense. Mr. Reed received his J.D. with honors in 2009 from University of Tulsa College of Law. During his law school career, Mr. Reed served as an Editor on the Tulsa Law Review. He was also the recipient of five CALI Excellence for the Future Awards and the George and Jean Price Award for Legal Reasoning, Analysis and Writing II. Mr. Reed is admitted to practice in Oklahoma and before the United States District Courts for the Eastern, Western and Northern Districts of Oklahoma. He is a member of the Tulsa County, Oklahoma and American Bar associations.

5 Karen Southwick, Health Care’s Paper Tiger: Doctors, Companies Lag Behind Technology Mandate, CNET News (Feb. 26, 2004, 4:00 AM), http://news.cnet.com/Health-cares-paper-tiger/2009-1012_3-5165294.html.
6 American Recovery and Reinvestment Act of 2009, Pub. L. No. 111–5, 123 Stat. 115.
7 The HIT provisions of the ARRA are found primarily in Title XIII, Division A, Health Information Technology, and in Title IV, Division B, Medicare and Medicaid Health Information Technology. These titles together comprise the HITECH Act.

Precisely because this legislation anticipates a substantial
increase and expansion in the exchange of electronic protected
health information (“ePHI”), the HITECH Act provides significant
modifications to HIPAA privacy, security, and enforcement
provisions and creates new notification requirements for breaches
of unsecured PHI (“uPHI”). The modifications and additions to HIPAA
will inevitably cause covered entities and business associates to
substantially and dramatically alter current practices. Among other
things, the HITECH Act (1) extends the applicability of the HIPAA
security and privacy rule provisions to business associates; (2)
requires covered entities and business associates to provide
notification of breaches of uPHI; (3) establishes new limitations
and opt-out provisions governing the use and disclosure of PHI for
marketing and fundraising communications; (4) prohibits the sale of
PHI; (5) restricts the uses and disclosures of PHI to the “minimum
necessary”; (6) expands individuals’ rights to access their PHI, to
receive an accounting of disclosures of their PHI, and to obtain
certain restrictions on the disclosures of their PHI; (7) increases
the potential civil and criminal liability for non-compliance; and
(8) provides for greater enforcement. The HITECH Act makes certain
HIPAA provisions directly applicable to business associates. For
instance, the Act establishes that business associates must now
comply with the HIPAA Security Rule provisions and certain Privacy
Rule provisions; it provides that the violation of an applicable
Privacy or Security Rule provision by the business associate is
considered a HIPAA violation for which the business associate is
subject to civil and criminal penalties and fines;8 it modifies the
definition of business associate to include additional
organizations not previously covered under the definition; it adds
mandatory provisions to all business associate agreements; and it
imposes new notification requirements in the event of a security
breach. The majority of the HITECH Act provisions related to HIPAA
technically went into effect on February 17, 2010 (although some
effective dates were earlier or later). However, HHS has not yet
promulgated final rules for a majority of the HITECH Act’s
provisions. For instance, on July 14, 2010 HHS submitted its Notice
of Proposed Rulemaking (“NPRM”) to modify the Standards for Privacy
of Individually Identifiable Health Information (the “Privacy
Rule”), the Security Standards for the Protection of Electronic
Protected Health Information (the “Security Rule”), and the rules
pertaining to Compliance and Investigations, Imposition of Civil
Money Penalties, and Procedures for Hearings (the “Enforcement
Rule”) issued under HIPAA.9 During the sixty-day period in which
comments could be submitted regarding the proposed rules, HHS
received thousands of pages of comments from hundreds of different
organizations. HHS recently announced in its semi-annual regulatory update10 that the proposed deadline for issuing the final rule on modifications to HIPAA Privacy, Security, and Enforcement Rules is March, 2011.

8 These penalties and fines have increased dramatically. See infra Part V.
9 Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act, 75 Fed. Reg. 40,868 (proposed July 14, 2010).
10 Unified Agenda, 75 Fed. Reg. 79,708 (Dec. 20, 2010).

As of February
2011, most industry experts predict that the final rule will be
issued sometime in the third or fourth quarter of 2011, along with
the updated final rules on breach notification requirements. While
final agency rules do not typically vary dramatically from the
NPRM, the copious comments from divergent organizations could
result in changes to the final rules, although it is impossible to
predict what changes, if any, will be made. Hopefully, final
regulations will come sooner rather than later, given the
ever-increasing alterations to the health and information privacy
and security landscape in the United States.11 Regardless of when
the “actual” date arrives, it cannot be overemphasized that these
changes will have far-reaching and dramatic implications for both
medical and legal practices throughout the country. This Article
will attempt to provide a summary of HIPAA as it exists, a concise
summary of how it has changed through the passage of the HITECH Act
and the attendant federal regulations that are currently in effect,
and notable tidbits of the foreseeable changes to the HIPAA
landscape as best estimated from the provisions of the proposed
rules that are not yet in effect.
II. Privacy Rule

A. Introduction

The Privacy Rule12 represents national standards to protect the private health information of individuals by mandating appropriate safeguards and restrictions on the access, use, and disclosure of PHI without prior authorization from those individuals. The Privacy Rule also attempts to vest certain individual rights and establish procedures for people to understand, and, to some degree, control how their health information is utilized. One of the goals in drafting the Privacy Rule was to strike a balance between protecting private health information and enabling the exchange of health information essential for quality of care and vital public purposes. The Privacy Rule attempts to be comprehensive in its scope insomuch as it attempts to cover the gamut of potential uses and disclosures of PHI, with the understanding that a certain amount of flexibility is necessary as a result of the diverse health care market in the United States.
11 Although federal agencies will have their hands full with the onslaught of legislation passed in the last several years, including, in addition to the HITECH Act, the much-debated “health care reform” legislation (which is more aptly characterized as “health insurance reform”), from the Patient Protection and Affordable Care Act, Pub. L. No. 111–148, 124 Stat. 119 (2010), along with the Health Care and Education Reconciliation Act of 2010, Pub. L. No. 111–152, 124 Stat. 1029.
12 The Privacy Rule provisions are located in 45 C.F.R. Part 160 and Subparts A and E of Part 164.

B. Who is “Covered” by the HIPAA Privacy Rule?

The Privacy (and Security) Rule provisions apply to health plans,13 health care providers,14 and health care clearinghouses,15 aptly termed “covered entities.”16 However, the vast majority of covered entities do not carry out each health care function, service, or activity themselves; rather, they enlist the services of numerous third-party business associates. The drafters of the Privacy Rule thus required covered entities to enter contractual “business associate agreements” with any third party who performs certain functions, activities, or services for, or on behalf of, the covered entity, when such function, activity, or service involves the use or disclosure of “individually identifiable health information.”17

1. What is a Business Associate under HIPAA?

A business associate is defined as a third-party individual or entity (who is not a member of the covered entity’s “workforce”18) that performs certain functions or activities19 involving the use or disclosure of PHI on behalf of a covered entity, or who provides certain
services20 to the covered entity.21 Some examples of business associates include

• An accountant who requires access to PHI to perform an audit or other financial accounting service to the covered entity;
• A defense attorney who will need to access and use PHI to provide legal services to a doctor in a medical malpractice lawsuit;
• Claims processing services;
• Consultants who perform utilization reviews for hospitals; and
• Patient billing services.

13 Health plans include health insurance companies, HMOs, company health plans, and government programs such as Medicare, Medicaid, and the military and veterans’ health care programs. See 45 C.F.R. § 160.103 (2010). There are certain exclusions that apply. Id.
14 Health care providers include providers of services (such as hospitals), providers of medical or health services (such as doctors or dentists), and any other person or organization that furnishes, bills, or is paid for health care in the normal course of business. See id. The definition of covered entity, however, is restricted to only those health care providers who transmit health information in electronic form in connection with a transaction covered by HIPAA. See id. § 160.102. “Transaction” is defined in 45 C.F.R. § 160.103, and includes eleven types of transactions. The transaction standards (“Administrative Requirements”) are located in 45 C.F.R. Part 162.
15 Health care clearinghouses include entities that process health information they receive from another entity into a standard transaction (i.e., standard electronic format or data content), and entities that receive a standard transaction from another entity and process the health information into a non-standard format for that entity. See 45 C.F.R. § 160.103 (2010).
16 See id. §§ 160.102–.103.
17 Id. § 160.103.
18 “Workforce” means a person or entity whose conduct in working for the covered entity is under the direct control of the covered entity, whether or not they are paid by the covered entity. See id.
19 The functions and activities include claims processing, data analysis, utilization review, and billing. See id.
20 The services are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. See id.
21 See id. A covered entity can be considered the business associate of another covered entity. Id.

In addition, there are exceptions to who or what qualifies as a
business associate necessitating a business associate agreement,
including (1) a person or entity whose function or service provided
to the covered entity does not involve the use or disclosure of PHI
and where any access to PHI is incidental (such as a cleaning
service); (2) a health care provider who receives disclosures from
other covered entities for treatment of the individual; and (3)
disclosures of PHI for research purposes (with certain
limitations).
2. Business Associate Agreements

Business associate agreements expressly define the permitted uses and disclosures of PHI and mandate the use of specified procedures to adequately safeguard individuals’ PHI.22 The business associate agreement must contain certain specified elements and contractual language.23 The covered entity is permitted to disclose PHI to the business associate only after obtaining the necessary assurances—through the business associate agreement—that the business associate will properly safeguard and not misuse the PHI.24 As previously discussed, the original Privacy and Security Rule provisions were applicable only to “covered entities.” Business associates were not directly covered under HIPAA. Instead, they were covered indirectly through their contractual agreements with the covered entity. This means that business associates were not directly liable to the government for violating HIPAA, and the only remedy against a business associate for a HIPAA violation was an action for breach of contract on the part of the covered entity.

22 Id. §§ 164.502(e), 164.504(e).
23 Id. § 164.504(e)(2).
24 However, when a covered entity knows a business associate committed a material breach or violation of the business associate agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation in order to be considered “in compliance” with HIPAA. If such steps are unsuccessful, the covered entity must terminate the contract, if feasible. Id. § 164.504(e)(1)(ii)(a). If terminating the contract is not feasible, a covered entity is required to report the problem to the Office of Civil Rights (“OCR”), the agency given the task of administering and enforcing the Privacy and Security Rules. Id. § 164.504(e)(1)(ii)(b).

3. Who is “Covered” by the HIPAA Privacy Rule after the HITECH Act?

Pursuant to the HITECH Act, effective February 17, 2010,25 business associates must now comply with the Privacy Rule provisions made applicable to them via their business associate agreements.26 Furthermore, any additional privacy provisions contained in the business associate agreement that apply to covered entities also directly apply to business associates. These new requirements must be incorporated into the business associate agreements between the covered entity and business associate. Finally, a violation of any applicable Privacy Rule provision by the business associate is now a HIPAA violation for which business associates are directly accountable. The HITECH Act also modifies the definition of business associate to include additional organizations or entities that are not covered under the existing definition.27 For example, any organization that transmits PHI data to a covered entity or business associate and that requires access to such PHI on a routine basis (such as a Health Information Exchange Organization, Regional Health Information Organization, or E-prescribing Gateway) is now considered a business associate for purposes of the Privacy and Security Rules and must enter a business associate agreement28 with a covered entity or other business associate. The same holds true for any vendor that contracts with a covered entity to allow the covered entity to offer a personal health record (“PHR”) to patients as part of its EHR system. Given the strengthened enforcement provisions under the HITECH Act, which include enhanced monetary fines and require mandatory compliance audits, it would appear that the business associate agreement will be a relatively simple audit issue: Is there a business associate agreement in place where one is required, and if so, does it contain the necessary provisions?

25 While February 17, 2010 was the technical compliance date set forth in the statute for applying the Privacy Rule to business associates, HHS has advised that the actual compliance date will be 180 days after the final rules are published, which will be sometime in 2011.
26 42 U.S.C.A. § 17934 (West 2010).
27 Id. § 17938.
28 As described in the Privacy and Security Rules, 45 C.F.R. §§ 164.502(e) and 164.308(b), respectively.

C. What Type of Health Information Is Protected?

1. Protected Health Information

HIPAA applies to and protects PHI. PHI is defined as “individually identifiable health information” transmitted or maintained by a covered entity or its business associate, in any form or media.29 “Individually identifiable health information”
(“IIHI”) is a subset of “health information” (“HI”),30 and includes
demographic data collected from the individual that
1) is created or received by a covered entity; and
2) relates to the past, present, or future physical or mental
health or condition of an individual; the provision of health care
to an individual; or the past, present, or future payment for the
provision of health care to an individual; and
a) that identifies the individual; or
b) provides a reasonable basis to believe the information can be
used to identify the individual.31
D. Rules for Use and Disclosure of Protected Health Information

1. General Principles

The Privacy Rule sets forth general limitations on the use and disclosure of PHI by allowing PHI to be used and disclosed (1) as permitted, (2) as required, and (3) as authorized by the individual (or his or her personal representative).32 A covered entity is required to disclose PHI in the following circumstances: (1) to individuals when they request access to their PHI, or when they request an accounting of disclosures of their PHI;33 and (2) to the Secretary of HHS when he or she is undertaking an enforcement action or compliance investigation or review.34
29 45 C.F.R. § 160.103 (2010). Employment records that a covered entity maintains in its capacity as an employer, and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, are excluded from the definition of PHI.
30 Health Information means any information, whether oral or recorded in any form or medium, that (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. 45 C.F.R. § 160.103 (2010).
31 Id. There are no restrictions, however, on the use or disclosure of deidentified health information. Id. §§ 164.502(d)(2), 164.514(a)–(b). HI that does not identify an individual or provide a reasonable basis to identify an individual is considered deidentified health information.
32 Id. § 164.502(a). An overarching principle is that a covered entity should use and disclose only the minimum amount of PHI necessary to achieve the desired purpose. Id. § 164.502(b)(1). The HITECH Act makes this a fundamental requirement for access, use, and disclosure of PHI.
33 Id. § 164.502(a)(2)(i). Requests for access to or accounting of disclosures are discussed infra Part II.E.2–.3.
34 45 C.F.R. § 164.502(a)(2)(ii) (2010); see also id. § 160.300–.316.

2. Permitted Disclosure of PHI Without an Authorization

The
Privacy Rule permits a covered entity to use or disclose PHI (1) to
the individual (unless required); (2) for treatment, payment, and
health care operations; (3) incident to an otherwise permitted or
required use or disclosure; (4) pursuant to an agreement where the
individual has received the opportunity to agree or object; (5) for
specified important public interest or public benefit activities;
and (6) pursuant to a limited data set for the purposes of
research, public health, or health care operations.35
a. To the Individual

Depending on the circumstances, a covered
entity may be either permitted or required to disclose an
individual’s PHI to that individual.
b. Treatment, Payment, and Health Care Operations36

A covered
entity is permitted to use and disclose PHI for its own treatment,
payment, and health care operations activities.37 A covered entity
is also permitted to disclose PHI for (1) any health care
provider’s treatment activities; (2) payment activities of another
covered entity or any health care provider; or (3) health care
operations of another covered entity that involve quality or
competency assurance activities or fraud and abuse detection and
compliance activities, provided both covered entities have or had a
relationship with the individual and the PHI relates to that
relationship.38 The covered entity is not obligated to obtain the
consent of the individual whose PHI is being disclosed.39 The
Privacy Rule does not contain provisions on how to obtain consent,
or what information must be included in a consent form.
c. Incidental Use and Disclosure
Uses or disclosures of PHI that are merely incident to an otherwise permitted use or disclosure are permitted, so long as reasonable safeguards (as specified in the regulations) have been adopted.40
d. Uses and Disclosures with Opportunity to Agree or Object
A covered entity is permitted to use and disclose an individual’s PHI for facilities directories and notification purposes, so long as the person is informed in advance of his or her right to agree or object. If the individual is incapacitated or in an emergency situation and an opportunity to agree or object cannot practicably be provided, a covered entity is permitted to use and disclose PHI if, in the exercise of its professional judgment, the use or disclosure is in the best interests of the individual.41
35 Id. § 164.502(a)(1)(i)–(vi).
36 Treatment, payment, and health care operations are defined in 45 C.F.R. § 164.501.
37 Id. § 164.506(c)(1).
38 Id. § 164.506(c)(2)–(4).
39 Id. § 164.506(b)(1).
40 Id. § 164.502(a)(1)(iii).
e. Public Interest and Benefit Activities
A covered entity is permitted to use or disclose an individual’s PHI without the individual’s authorization or permission for twelve specified public purposes.42 These include (1) uses and disclosures required by law; (2) uses and disclosures for public health activities; (3) disclosures about victims of abuse, neglect, or domestic violence; (4) uses and disclosures for health oversight activities; (5) disclosures for judicial and administrative proceedings;43 (6) disclosures for law enforcement purposes;44 (7) uses and disclosures about decedents; (8) uses and disclosures for cadaveric organ, eye, or tissue donation purposes; (9) uses and disclosures for research purposes;45 (10) uses and disclosures to avert a serious threat to health or safety;46 (11) uses and disclosures for specialized government functions; and (12) disclosures for workers’ compensation.47
f. Limited Data Set
This is HI from which specified identifying information of individuals, their relatives, household members, and employers (such as names, addresses, social security numbers, license or vehicle numbers, etc.) has been removed.48 A covered entity may use or disclose PHI in a limited data set for certain purposes, such as research, health care operations, and public health purposes,49 provided a data use agreement has been entered into.50
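The limited data set rule just described, as an added worked example that is not the article's own material: a release routine that refuses the disclosure unless the purpose is one the article lists and a data use agreement is in place, and then strips the identifier categories the article names (names of the individual, relatives, household members and employers; addresses; social security numbers; license or vehicle numbers) from each record. The field names, the sample record and its values are constructed for this example; the regulation's full identifier list is longer than the subset shown here.

```python
"""Producing a limited data set from PHI records before a permitted
research / public health / health care operations disclosure.

Added illustration, not code from the article. Field names, the sample
record and its values are constructed; the identifier categories stripped
are the ones the article names (the regulation's list is longer).
"""
from copy import deepcopy

# Direct-identifier fields removed from a limited data set (field names are
# assumptions for this example). Town/city, state and zip code are retained.
DIRECT_IDENTIFIER_FIELDS = {
    "patient_name", "relative_names", "household_member_names", "employer_name",
    "street_address", "ssn", "drivers_license", "vehicle_plate",
}

# Purposes for which the article says a limited data set may be used or disclosed.
PERMITTED_LDS_PURPOSES = {"research", "public health", "health care operations"}


class DisclosureNotPermitted(Exception):
    """Raised when the requested release fails the limited-data-set gate."""


def to_limited_data_set(record):
    """Return a copy of `record` with the direct-identifier fields removed.
    The original record (the covered entity's own copy) is left untouched."""
    cleaned = deepcopy(record)
    for field in DIRECT_IDENTIFIER_FIELDS:
        cleaned.pop(field, None)
    return cleaned


def release_limited_data_set(records, purpose, data_use_agreement_signed):
    """Gate the disclosure on purpose and a signed data use agreement, then
    strip identifiers from every record before it leaves the covered entity."""
    if purpose not in PERMITTED_LDS_PURPOSES:
        raise DisclosureNotPermitted(
            f"purpose not permitted for a limited data set: {purpose!r}")
    if not data_use_agreement_signed:
        raise DisclosureNotPermitted("no data use agreement in place")
    return [to_limited_data_set(r) for r in records]


# Constructed sample PHI record (fictional values).
SAMPLE_RECORDS = [
    {
        "patient_name": "Jane Example",
        "relative_names": ["John Example"],
        "employer_name": "Example Corp",
        "street_address": "1 Sample Street",
        "city": "Springfield",
        "state": "IL",
        "zip": "62701",
        "ssn": "000-00-0000",
        "drivers_license": "X0000000",
        "vehicle_plate": "SAMPLE1",
        "date_of_service": "2010-11-02",
        "diagnosis_code": "DX-0001",
    }
]

if __name__ == "__main__":
    for row in release_limited_data_set(SAMPLE_RECORDS, "research", True):
        print(row)
```

The gate runs before any record is touched, so a request with the wrong purpose or no data use agreement produces no partially cleaned output at all; auditing the call site is then enough to show that every limited data set release went through the same check.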
41 Id. § 164.510(a)(3).
42 Id. § 164.512. This section is extremely long and, while the use or disclosure is permitted, there are specific requirements that must be met for each public purpose delineated.
43 Such disclosures are permitted only through a valid court order or subpoena, and only if a protective order or other adequate safeguards are provided. Id. § 164.512(e).
44 Law enforcement disclosures are permitted under six circumstances, such as to identify or locate a suspect or to notify law enforcement of possible criminal activity, subject to specified conditions. Id. § 164.512(f).
45 But only under specified conditions, and subject to appropriate assurances and safeguards. Id. § 164.512(i). A covered entity may also use or disclose, without an individual’s authorization, a limited data set of protected health information for research purposes. See infra Part II.D.2.f.
46 If believed necessary to prevent or lessen a serious and imminent threat to a person or the public, and when made to someone the covered entity believes can prevent or lessen the threat. 45 C.F.R. § 164.512(j) (2010).
47 See id. § 164.512(a)–(l).
48 Id. § 164.514(e).
49 Id. § 164.514(e)(3)(i).
50 Id. § 164.514(e)(4).
3. Disclosure of HI that Requires an Authorization
In general, the Privacy Rule requires a covered entity to obtain a valid, written authorization from the affected individual for any use or disclosure of psychotherapy notes or PHI for marketing.51
a. Psychotherapy Notes
A covered entity must obtain a written authorization for any use or disclosure of psychotherapy notes except
• the originator of the psychotherapy notes may use them for treatment;
• the covered entity may use them in its own training program in counseling;
• to defend itself in legal proceedings brought by the individual;
• for disclosures to HHS for compliance investigation or review;
• for disclosures to a health oversight agency for lawful oversight of the originator of the psychotherapy notes; and
• as required by law.52
b. Marketing
Marketing is defined as any communication about a product or service that encourages recipients to purchase or use the product or service.53 However, there are certain health-related communications that are carved out from this definition. Marketing also includes an arrangement between a covered entity and another individual or business in which the covered entity discloses PHI in exchange for direct or indirect remuneration to allow the other party to communicate about its products or services, and that encourage the recipient to use or purchase those products or services. The individual must authorize the use or disclosure of his or her PHI for marketing, except for face-to-face marketing communications and for a covered entity’s provision of promotional gifts of nominal value. No authorization is needed, however, to make a communication that falls within one of the exceptions to the marketing definition. If marketing involves the covered entity receiving direct or indirect remuneration from a third party, the authorization must disclose that remuneration. The HITECH Act alters the Privacy Rule provisions regarding marketing.54 Pursuant to the HITECH Act, a communication by a covered entity or business associate about a product or service that encourages recipients of the communication to purchase or use the product or service is no longer considered a “health care operation.” Furthermore, if a third party pays direct or indirect remuneration55 to send marketing communications to an individual, it is no longer considered to be a “health care operation” except where
1) the communication describes ONLY a drug or biologic currently being prescribed for or administered to the patient, AND any payment received by the covered entity is “reasonable in amount”;56
2) the communication is from the covered entity AND the covered entity obtains a proper authorization from the individual; or
3) the communication is from a business associate on behalf of a covered entity AND the communication complies with the requirements of the business associate agreement.57
51 Id. § 164.508(a)(2)–(3).
52 Id. § 164.508(a)(2)(i)–(ii).
53 Id. §§ 164.501, 164.508(a)(3).
54 42 U.S.C.A. § 17936(a) (West 2010).
4. Minimum Necessary Standard
Under the Privacy Rule, covered entities may access, use, and disclose only the minimum amount of PHI necessary to achieve the desired purpose.58 The HITECH Act requires a covered entity to use a “limited data set”59 to the extent it can do so practically, but a covered entity is permitted to use the old “minimum necessary” standard in lieu of the limited data set if necessary to accomplish its intended purpose.60 The Secretary is required to issue guidance no later than eighteen months after the Act’s enactment on what constitutes the “minimum necessary” amount of PHI for purposes of the Privacy Rule provisions.61 Effective February 17, 2010 a covered entity may no longer rely on the entity requesting the data in determining what constitutes the “minimum necessary” amount of PHI;62 it must make that determination for itself.63 Also, if a covered entity has agreed to a requested restriction by the individual,64 it may not use or disclose that individual’s PHI in a manner inconsistent with the agreement.65 The Privacy Rule provides certain exceptions where a covered entity is not required to limit its use or disclosure to the minimum necessary requirement. These exceptions are expressly continued under the HITECH Act, as well. The minimum necessary requirement is not imposed in any of the following circumstances:
1) disclosure to or a request by a health care provider for treatment;
2) disclosure to the individual (or his or her personal representative);
3) use or disclosure made with the individual’s authorization;
4) disclosure to HHS for complaint investigation, compliance review, or enforcement;
5) use or disclosure that is required by law; or
6) use or disclosure required for compliance with the HIPAA Transactions Rule or other HIPAA Administrative Simplification Rules.66
55 Under the HITECH Act, the term “direct or indirect remuneration” does NOT include payment for an individual’s treatment. Id. § 17936(a)(4).
56 The term “reasonable in amount” will be determined and defined in upcoming final rules.
57 Id.
58 45 C.F.R. § 164.502(b) (2010).
59 As defined in 45 C.F.R. § 164.514(e)(2). This is health information that excludes a number of categories of information identifying the patient (and the patient’s relatives) and that can be used pursuant to a data use agreement for research, public health, or public health care operations purposes.
60 42 U.S.C.A. § 17935(b)(1)(A) (West 2010).
61 Id. § 17935(b)(2).
62 45 C.F.R. § 164.514(d)(3)(iii) (2010).
E. Privacy Protections and Individual Rights
The Privacy Rule also provides certain protections and rights to individuals regarding the use and disclosure of their PHI. In addition, the HITECH Act expands the scope of some of these rights, and provides additional protections to the individual.
1. Privacy Practices Notice
Subject to certain exceptions, the Privacy Rule provides individuals with the right to adequate notice of a covered entity’s potential uses and disclosures of the individual’s PHI, and of his or her rights and the covered entity’s rights.67 Covered entities must develop, implement, and provide notice written in plain language regarding certain required elements.68 The notice must provide
1) a general description of how the covered entity may use and disclose PHI;
2) a separate description of the uses and disclosures the covered entity is going to make, if those uses or disclosures are specified by statute;
3) a description of the individual’s rights with respect to PHI and how the individual may exercise those rights;
4) a statement saying (A) the covered entity is required by law to protect the privacy of an individual’s PHI and provide notice of its legal duties and privacy practices; (B) that the covered entity must abide by the terms of the current notice; and (C) how the covered entity will provide notice of any amendments or revisions to its privacy practices;
5) a statement informing individuals of their right to complain to the covered entity and to HHS if they believe their privacy rights have been violated, a description of how to file a complaint, and a statement that the individual will not be retaliated against for filing a complaint;
6) contact information for how to receive additional information; and
7) the notice’s effective date.
63 42 U.S.C.A. § 17935(b)(1)(B) (West 2010). The HITECH Act contains a sunset provision providing that this section shall no longer apply beginning on the effective date of the forthcoming guidance on minimum necessary. Id.
64 Pursuant to 45 C.F.R. § 164.522(a)(1).
65 45 C.F.R. § 164.522(a)(3) (2010).
66 Id. § 164.502(b)(2).
67 Id. § 164.520(a)(1).
68 Id. § 164.520(b)(1). A covered entity is also permitted to limit the uses and disclosures it is legally permitted to make, and include this in its notice. Id. § 164.520(b)(2).
Covered entities are required to promptly revise and re-distribute their notice in the event of a material change in any of the applicable notice provisions.69 A covered entity must make its notice available to any person who requests it.70 In addition, if a covered entity maintains a website that provides information about the entity’s customer services or benefits, it is required to prominently post the notice on its website.71 There are additional notice requirements applicable to health plans and health care providers with a direct treatment relationship with the individual.72 A covered entity may also send notice via email if the individual agrees to electronic notice.73 Except in an emergency, health care providers with a direct treatment relationship with the individual must make a good-faith effort to obtain a written acknowledgment of receipt of the notice, and if not obtained, document its good-faith efforts to obtain the acknowledgment and the reasons it was unable to do so.74 Covered entities are permitted to develop more than one notice in situations where they may perform separate covered functions and the privacy practices between the various functions differ. Covered entities that participate in an organized health care arrangement are permitted to produce a joint notice, so long as each covered entity agrees to adhere to the notice content provisions with respect to PHI created or received pursuant to their participation in the arrangement.75 Covered entities must document their compliance with the notice requirements, as required by their general administrative requirements, by retaining copies of the notices provided.76
69 Id. § 164.520(b)(3). After the final rules implementing the modifications to HIPAA Privacy, Security, and Enforcement provisions are published, covered entities will have to revise and re-distribute their notices of privacy practices. Id.
70 Id. § 164.520(c).
71 Id. § 164.520(c)(3)(i).
72 See id. § 164.520(c)(1)–(2).
73 Id. § 164.520(c)(3)(ii).
2. Access
In general, an individual has a right of access to inspect and obtain a copy of his or her PHI in a “designated record set” (“DRS”)77 for as long as it is maintained in the DRS, except for certain enumerated exclusions of PHI, such as psychotherapy notes and information compiled for use in civil, criminal, or administrative proceedings.78 If the requested PHI is located onsite, the covered entity typically has thirty days to grant (in whole or in part) or deny the request, and sixty days if it is located offsite.79 There are different requirements depending on whether the covered entity grants or denies the request. An individual may obtain a review of a denial or partial denial if the denial is “reviewable” under the statute.80 If the covered entity grants the request, it must provide a copy of the PHI in the format requested by the individual, if the designated record set is “readily producible” in that format. The Rule also permits the covered entity to charge certain fees for assembling or summarizing a copy of the PHI.81
74 Id. § 164.520(c)(2)(ii).
75 Id. § 164.520(d). If one of the covered entities provides the notice, then all are deemed to be in compliance. Id. § 164.520(d)(3).
76 Id. § 164.520(e). The general administrative requirements concerning documentation are found in 45 C.F.R. § 164.530(j). In the case of a health care provider with a direct treatment relationship with the individual, the covered entity must also retain copies of any written acknowledgment of receipt or documentation of good-faith efforts to obtain such written acknowledgment.
77 A designated record set is defined in 45 C.F.R. § 164.501 and means a group of medical, billing, enrollment, payment, or claims records maintained by or for a covered entity and used, in whole or in part, by or for the covered entity in rendering decisions about individuals.
78 Id. § 164.524(a)(1).
79 Id. § 164.524(b)(2).
80 Id. § 164.524(d). A denial is reviewable if it meets the requirements set forth in 45 C.F.R. § 164.524(a)(3).
81 Id. § 164.524(c)(4).
The HITECH Act supplements the Rule as follows: if a covered
entity has implemented an EHR system, individuals now have a right
to obtain a copy of their PHI in an electronic format.82 The HITECH
Act does not alter the timeframe within which the covered entity
must comply with the request. An individual can also designate that
a third party be the recipient of the ePHI so long as the
designation is “clear, conspicuous, and specific.”83 Under the
HITECH Act, a covered entity may not charge a fee greater than its
labor costs for providing a copy or summary of an individual’s PHI
in electronic form. Finally, consistent with a covered entity’s
general administrative requirements, covered entities must
document84 the designated record sets that are subject to access by
individuals and the titles of the persons or offices responsible
for receiving and processing requests for access by
individuals.85
3. Accounting of Disclosures
Under the Privacy Rule, individuals have the right to an accounting of the disclosures of their PHI made by a covered entity or its business associates over the six years immediately preceding the request.86 However, there are numerous disclosures that are specifically exempted from accounting requirements, including disclosures made
1) for treatment, payment, or health care operations;
2) to the individual or the individual’s personal representative;
3) to persons involved in an individual’s health care or payment for health care, for disaster relief, or for facility directories;
4) with the individual’s authorization;
5) for national security or intelligence purposes;
6) to correctional institutions or law enforcement officials for certain purposes regarding inmates or individuals in lawful custody; or
7) incident to otherwise permitted or required uses or disclosures.87
82 Health Information Technology for Economic and Clinical Health Act (HITECH Act), Pub. L. No. 111–5, § 13405(e), 123 Stat. 115 (2009). The rules regarding modifications to access are contained in the NPRM issued on July 14, 2010. The final rules should be published sometime in 2011.
83 HITECH Act § 13405(e)(1).
84 And retain such documentation, as required by 45 C.F.R. § 164.530(j).
85 45 C.F.R. § 164.524(e) (2010).
86 Id. § 164.528.
87 Id. § 164.528(a)(1). The covered entity’s accounting for disclosures to health oversight agencies and law enforcement officials must be temporarily suspended upon receipt of their written representation that an accounting would likely impede their activities. Id. § 164.528(a)(2).
The HITECH Act changes the accounting requirements for any covered entity that “uses or maintains an electronic health care record” with respect to PHI.88 Most significantly, there is no longer an exception for disclosures for “treatment, payment, and health care operations.” Moreover, the accounting period is limited to the previous three years. The Act requires the Secretary to promulgate regulations89 to define what information needs to be collected about each disclosure, taking into account (1) the interests of individuals in learning under what circumstances their PHI is being disclosed, and (2) the administrative burden of accounting for such disclosures. These regulations must be promulgated within six months after the Secretary adopts standards on accounting for disclosures.90 The HITECH Act provides that covered entities using or maintaining an EHR system now have the following options in responding to an individual’s request for an accounting:
1) Covered entities may include the disclosures they made, as well as the disclosures made by their business associates; or
2) Covered entities may include the disclosures they made, and provide a list of all business associates acting on their behalf, which must include contact information for each (such as mailing address, phone number, or email address).
Upon receiving a list of business associates from a covered entity, the individual must then request an accounting of disclosures directly from the business associate, and the business associate must comply with the request. For covered entities that acquired an EHR as of January 1, 2009, the accounting provisions apply to disclosures of PHI from the EHR on and after January 1, 2014. For covered entities that acquired an EHR after January 1, 2009, the accounting provisions apply to disclosures of PHI from the EHR on and after the later of (1) January 1, 2011; or (2) the date the covered entity acquires an EHR. The Secretary has the authority to change the applicable effective date, if he or she determines that a later date is necessary, but in no case may the date be later than
1) 2016 for pre-January 1, 2009 EHR acquisitions; and
2) 2013 for post-January 1, 2009 EHR acquisitions.
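The two accounting regimes described in this subsection, as an added worked example that is not the article's own material: a small disclosure log is run through the Privacy Rule accounting (six-year lookback, with the seven exempted categories listed above omitted) and through the HITECH accounting for disclosures from an EHR (three-year lookback, no treatment/payment/health care operations exemption, and the two business-associate options). The purpose tags, record fields, names, dates and the business associate contact list are constructed for this example; the code models only what the text states and does not attempt the content rules the Secretary is to promulgate.

```python
"""Accounting of disclosures: Privacy Rule regime beside the HITECH regime
for disclosures from an EHR.

Added illustration, not code from the article. Purpose tags, field names,
the sample log and the business associate list are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Disclosure:
    when: date
    recipient: str
    purpose: str          # constructed purpose tag; see the exemption sets
    from_ehr: bool        # disclosed out of an electronic health record?
    disclosed_by: str     # "covered entity" or the business associate's name


TPO = {"treatment", "payment", "health care operations"}

# Privacy Rule exemptions, following the article's seven categories
# (the tags are this example's own labels, not regulatory terms).
PRIVACY_RULE_EXEMPT = TPO | {
    "to individual",      # the individual or personal representative
    "involved in care", "disaster relief", "facility directory",
    "authorized",         # made with the individual's authorization
    "national security",
    "correctional",       # inmates / individuals in lawful custody
    "incidental",
}

# Under the HITECH Act the TPO exemption no longer applies to EHR disclosures.
HITECH_EHR_EXEMPT = PRIVACY_RULE_EXEMPT - TPO


def years_before(d, n):
    """`d` minus `n` calendar years (Feb 29 falls back to Feb 28)."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)


def privacy_rule_accounting(log, request_date):
    """Disclosures the Privacy Rule requires in the accounting: six-year
    lookback, exempted categories omitted, oldest first."""
    start = years_before(request_date, 6)
    rows = [d for d in log
            if start <= d.when <= request_date
            and d.purpose not in PRIVACY_RULE_EXEMPT]
    return sorted(rows, key=lambda d: d.when)


def hitech_ehr_accounting(log, request_date, business_associates,
                          include_ba_disclosures):
    """EHR disclosures the HITECH Act requires in the accounting.

    Returns (disclosures, ba_contacts). With include_ba_disclosures=True the
    covered entity reports its business associates' disclosures itself
    (option 1); otherwise it reports only its own and hands the individual
    the business associate contact list (option 2). Non-EHR disclosures
    stay under privacy_rule_accounting().
    """
    start = years_before(request_date, 3)
    rows = [d for d in log
            if d.from_ehr
            and start <= d.when <= request_date
            and d.purpose not in HITECH_EHR_EXEMPT]
    if not include_ba_disclosures:
        rows = [d for d in rows if d.disclosed_by == "covered entity"]
        return sorted(rows, key=lambda d: d.when), list(business_associates)
    return sorted(rows, key=lambda d: d.when), []


# Constructed sample disclosure log (fictional names and dates).
BUSINESS_ASSOCIATES = [
    {"name": "Example Billing Services", "email": "privacy@billing.example"},
]
SAMPLE_LOG = [
    Disclosure(date(2013, 3, 1), "Example Health Plan", "payment", True, "covered entity"),
    Disclosure(date(2010, 9, 15), "County Public Health", "public health", True, "covered entity"),
    Disclosure(date(2013, 11, 20), "Example Health Plan", "payment", True, "Example Billing Services"),
    Disclosure(date(2012, 7, 4), "Jane Example", "to individual", True, "covered entity"),
    Disclosure(date(2013, 1, 10), "Example Research Institute", "research", False, "covered entity"),
]
REQUEST_DATE = date(2014, 6, 1)

if __name__ == "__main__":
    for d in privacy_rule_accounting(SAMPLE_LOG, REQUEST_DATE):
        print("Privacy Rule:", d.when, d.recipient, d.purpose)
    rows, contacts = hitech_ehr_accounting(SAMPLE_LOG, REQUEST_DATE, BUSINESS_ASSOCIATES, False)
    for d in rows:
        print("HITECH (EHR):", d.when, d.recipient, d.purpose)
    for ba in contacts:
        print("Request directly from business associate:", ba["name"], ba["email"])
```

Note what the two filters disagree on with this log: the 2013 payment disclosures are exempt under the Privacy Rule but reportable under HITECH because they came out of the EHR, while the 2010 public health disclosure is reportable under the six-year Privacy Rule window but falls outside the three-year HITECH window. A disclosure log that records the purpose, the source system and who made the disclosure is what makes either accounting answerable at all.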
88 HITECH Act § 13405(5)(c). The term “electronic health record” means an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff. Id. § 13400(5).
89 The proposed rule on accounting for disclosures of EHRs was sent by the OCR on February 9, 2011 to the Office of Management and Budget (“OMB”) for final review prior to publication.
90 See 42 U.S.C.A. § 300jj–11 (West 2010).
4. Request for Restrictions
The Privacy Rule provides individuals with the right to request that a covered entity restrict certain uses and disclosures of PHI for treatment, payment, or health care operations, and restrict certain permitted disclosures to notify family and other specified individuals regarding the individual’s condition, location, or death.91 Covered entities are under no legal duty to agree to the restrictions, but if the covered entity does agree, it must comply with the restrictions except for purposes of medical treatment in the case of an emergency.92 The HITECH Act now provides that there are certain circumstances when a covered entity is obligated to comply with an individual’s request for restrictions.93 The Act now mandates that covered entities and their business associates comply with an individual’s request to restrict their PHI if (1) except as otherwise required by law, the disclosure is to a health plan for purposes of carrying out (i) payment, or (ii) healthcare operations, and (iii) not for purposes of carrying out treatment; AND (2) the PHI pertains solely to a health care item or service for which the health care provider involved has been paid out-of-pocket in full.94
5. Request for Amendment
The Privacy Rule provides individuals with the right to request that covered entities amend their PHI maintained in a DRS, typically when such information is alleged to be inaccurate or incomplete.95 The covered entity has sixty days to respond to the request. If the covered entity agrees to the amendment, it is required to make reasonable efforts to provide the amended information to those who the individual has identified, as well as to business associates and others the covered entity knows may rely on the previous information to the individual’s detriment. If the request is denied,96 covered entities must provide the individual with a written denial and allow the individual to submit a statement of disagreement for inclusion in the record. If the covered entity receives notice to amend from another covered entity, it must amend the PHI maintained in its designated record set.
91 45 C.F.R. § 164.522(a) (2010).
92 Id. It should be noted that such an agreement is not effective to prevent uses or disclosures permitted or required under 45 C.F.R. §§ 164.502(a)(2)(ii), 164.510(a), or 164.512. See id. § 164.522(a)(1)(v).
93 HITECH Act § 13405(a).
94 Id.
95 45 C.F.R. § 164.526 (2010). There are specific processes provided for requesting an amendment and responding to such request.
96 Covered entities may deny an individual’s request for amendment only under certain circumstances where the covered entity (1) may exclude the information from access by the individual; (2) did not create the information (unless the individual provides a reasonable basis to believe the originator is no longer available); (3) determines that the information is accurate and complete; or (4) does not hold the information in its designated record set. Id. § 164.526(a)(2).
6. Confidential Communications Requests
In general, covered entities must accommodate reasonable requests to receive communications by alternate means or to a location other than that typically utilized by the covered entity.97 Covered entities may condition their compliance on the individual specifying an alternative address or method of contact and explaining how any payment will be handled.
F. Administrative Requirements
Covered entities are required to comply with certain administrative requirements set forth in the Privacy Rule, which are divided into “Standards” and “Implementation Specifications.”98 For instance, covered entities must develop and implement written policies and procedures with respect to PHI that are designed to be consistent with the Privacy Rule.99 Covered entities must also designate a privacy official responsible for implementing the rules, and a contact person or office for receiving and handling complaints.100 Covered entities must provide training to all members of their workforce regarding PHI as it may apply to them and as necessary to appropriately perform their jobs, and such training must be documented.101 Covered entities must also have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.102 Covered entities must also provide a process for individuals to make complaints, and complaints must be documented.103 Covered entities must enforce appropriate sanctions against members of their workforce who do not comply with the rules, and document such sanctions.104 Covered entities must mitigate, to the extent practicable, any harmful effects caused by the inappropriate disclosure of PHI.105 Covered entities must refrain from intimidating or retaliating against an individual for exercising an established individual right.106 Covered entities may not require individuals to waive their rights under the rules as a condition to providing treatment, payment, enrollment in a health plan, or eligibility for benefits.107
97 Id. § 164.522(b).
98 Id. § 164.530.
99 Id. § 164.530(i).
100 Id. § 164.530(a).
101 Id. § 164.530(b).
102 Id. § 164.530(c). This requirement in the Privacy Rule, while vague, is discussed in greater detail under the Security Rule requirements.
103 Id. § 164.530(d).
104 Id. § 164.530(e).
105 Id. § 164.530(f).
106 Id. § 164.530(g).
107 Id. § 164.530(h).
The most important aspect of the Privacy Rule’s administrative
requirements, given the HITECH Act’s new provisions for mandatory
auditing, would appear to be the documentation requirement.108
Among other things, a covered entity must (1) maintain the policies
and procedures in written or electronic form; (2) maintain a
written or electronic copy of any communication that is required to
be documented; and (3) maintain a written or electronic record of
any action, activity, or designation that is required to be
documented.109 This requirement would likely be a fairly easy
auditable issue going forward under the HITECH Act’s new mandatory
auditing requirements, as it is relatively simple to ascertain
whether a covered entity has maintained the required
documentation.
III. Security Rule
To address the data security threats associated with the electronic storage and transmission of private health information, HHS enacted the Security Rule under HIPAA. The Security Rule is part of the larger Privacy Rule established in the Privacy Rule administrative safeguards provision. The Security Rule delineates administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI.
A. Who is “Covered” Under the HIPAA Security Rule?
HIPAA Security Rule provisions governing administrative safeguards,110 physical safeguards,111 technical safeguards,112 and policy and procedure documentation requirements113 now apply to business associates in the same manner as they do to covered entities.114 Moreover, all new Security provisions contained in the HITECH Act that are imposed upon covered entities are also imposed upon business associates. As with the new Privacy Rule provisions contained in the HITECH Act, all additional Security Rule requirements must likewise be implemented into the business associate agreement between the covered entity and the business associate. As mentioned several times, business associates are now directly accountable to the federal government (and perhaps to state governments)115 for applicable HIPAA Security Rule provision violations.
108 Id. § 164.530(j).
109 Id.
110 Id. § 164.308.
111 Id. § 164.310.
112 Id. § 164.316.
113 Id.
114 42 U.S.C.A. § 17931 (West 2010).
115 See State Attorney General Enforcement, infra Part V.F.
B. What Type of Health Information is Protected?
Whereas the Privacy Rule protects HI contained in any form or media, the Security Rule focuses on protecting IIHI created, received, maintained, or transmitted in electronic form (i.e., ePHI).116
C. How to Protect: Safeguards
1. General Requirements
The Security Rule establishes four general requirements for the covered entity or business associate: (1) ensure the “confidentiality, integrity, and availability”117 of electronic health information created, received, maintained, or transmitted; (2) protect against reasonably anticipated threats to the information’s security or integrity; (3) safeguard against impermissible uses and disclosures; and (4) ensure workforce compliance with the Rule.118 Because HIPAA applies to such a broad spectrum of covered entities (and now through the HITECH Act, business associates), the Rule provides a certain amount of flexibility in choosing how to “reasonably and appropriately” implement standards, so long as the following are taken into account: (1) the size, complexity, and capabilities of the covered entity or business associate; (2) the technical infrastructure, hardware, and software security capabilities of the covered entity or business associate; (3) the financial costs of implementing security measures; and (4) the probability and criticality of potential risks to ePHI security breaches.119 The Security Rule provides mandatory “standards” along with “implementation specifications” on how to satisfactorily comply with the outlined standards.120 Implementation specifications are either “required” or “addressable.”121 Required implementation specifications must be implemented. Addressable implementation specifications must be assessed and implemented as specified if reasonably appropriate. If not implemented, the reason why must be documented and an “equivalent alternative measure” must be implemented if reasonably appropriate.122 Security measures implemented must be reviewed and modified as needed to ensure continued protection of ePHI and compliance with the Security Rule.123
116 45 C.F.R. § 160.103 (2010).
117 “Confidentiality means the property that data or information is not made available or disclosed to unauthorized persons or processes.” Id. at § 164.304. “Integrity means the property that data or information have not been altered or destroyed in an unauthorized manner.” Id. “Availability means the property that data or information is accessible and useable upon demand by an authorized person.” Id.
118 Id. § 164.306(a).
119 Id. § 164.306(b).
120 Id. § 164.306(c)–(d).
121 Id. § 164.306(d)(1).
122 Id. § 164.306(d)(3). If no alternative measure is implemented, justification must also be provided for why no alternative was feasible.
123 Id. § 164.306(e).
2. Administrative Safeguards
The Security Rule provides the following Administrative Safeguard Standards and implementation specifications for covered entities and business associates.
• Security Management Process.124 Implement policies and procedures to prevent, detect, contain, and correct security violations. This Standard has four required implementation specifications:
1) Risk analysis: conduct and assess the potential risks and vulnerabilities to ePHI;
2) Risk management: implement security measures that reduce identified risks and vulnerabilities to a reasonable and appropriate level;
3) Sanction policy: establish and apply appropriate sanctions against noncompliant workforce members;
4) Information system activity review: implement procedures to regularly review records of information system activity.
• Assigned Security Responsibility.125 Identify the security official responsible for developing and implementing appropriate security policies and procedures.
• Workforce Security.126 Implement policies and procedures to ensure that only appropriate members of the workforce have access to ePHI. This should include, where appropriate, authorization and supervision procedures for employees who access ePHI, workforce clearance procedures to ensure ePHI access by employees is appropriate, and termination procedures to ensure employee access to ePHI is appropriately cut off at the end of employment.
• Information Access Management.127 Implement policies and procedures for authorizing, limiting, and modifying access to ePHI that are consistent with the applicable requirements of the Privacy Rule.
• Security Awareness and Training.128 Implement a security awareness and training program for all employees, and also implement appropriate security measures such as periodic security reminders and updates, virus and other malicious software protection, log-in monitoring, and password management.
124 Id. § 164.308(a)(1).
125 Id. § 164.308(a)(2).
126 Id. § 164.308(a)(3).
127 Id. § 164.308(a)(4).
128 Id. § 164.308(a)(5).
Health Care Reform in the United States
• Security Incident Procedures.129 Implement policies and procedures to identify and respond to known or suspected security incidents, to mitigate harmful effects of security incidents, and to properly document incidents and outcomes. This will include the new Breach Notification standards.130
• Contingency Plan.131 Establish (and implement as needed) policies and procedures for responding to an emergency or other type of occurrence (such as fire, vandalism, system failure, or natural disaster) that might damage systems that contain ePHI. This includes having a data backup plan, disaster recovery plan, and emergency mode operation plan, and may include periodic testing and revision procedures, and applications and data criticality analysis procedures.
• Evaluation.132 Perform a periodic assessment of how well its
security policies and procedures meet the requirements of the
Security Rule.
• Business Associate Agreements.133 Standards and implementation
specifications are the same as those required under the Privacy
Rule.
3. Physical Safeguards134
• Facility Access Controls.135 Implement policies and procedures
to limit physical access to its facilities while ensuring that
properly authorized access is permitted.
• Workstation Use.136 Implement policies and procedures that
specify appropriate workstation use.
• Workstation Security.137 Implement physical safeguards on
workstations to restrict access to authorized users.
• Device and Media Controls.138 Implement policies and
procedures governing the transfer, removal, disposal, and re-use of
electronic media to ensure appropriate protection of ePHI into,
within, and out of a facility.
129 Id. § 164.308(a)(6).
130 See infra Part IV.C.
131 45 C.F.R. § 164.308(a)(7) (2010).
132 Id. § 164.308(a)(8).
133 Id. § 164.308(b).
134 Id. § 164.310.
135 Id. § 164.310(a).
136 Id. § 164.310(b).
137 Id. § 164.310(c).
138 Id. § 164.310(d).
4. Technical Safeguards139
• Access Control.140 Implement technical policies and procedures for electronic information systems that maintain ePHI so that only authorized persons or software programs can access ePHI. The implementation specifications are unique user identification (a unique name or number for each user, so that activity can be traced to one person) and an emergency access procedure, both of which are required, and automatic logoff after a period of inactivity and encryption and decryption mechanisms, both of which are addressable.
• Audit Controls.141 Implement hardware, software, or procedural
mechanisms that record and examine access and activity in
information systems that contain or use ePHI.
• Integrity.142 Implement policies and procedures to ensure that
ePHI is protected from improper alteration or destruction.
• Person or Entity Authentication.143 Implement procedures to
verify that an entity wanting access to ePHI is who it claims to
be.
• Transmission Security.144 Implement technical security measures to guard against unauthorized access to ePHI being transmitted over an electronic communications network.
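Several of the technical safeguards listed above (unique user identification, automatic logoff, audit controls, and integrity), together with the information system activity review from the Administrative Safeguards, can be seen working together in the following illustration. It is an added example written for this page, not code from the article, from HHS, or from any vendor. It assumes a single in-process record store, a fixed demo integrity key and a 600-second idle timeout (in production the key would come from a key management system and the timeout from policy), a two-role access policy, and constructed sample patient data; authentication of the user (password, token, and so on) is assumed to have happened before login() is called.

```python
import hashlib
import hmac
import json
import time

# Assumed values for this illustration only. In production the integrity key
# lives in a KMS/HSM and the idle timeout comes from the entity's policy.
INTEGRITY_KEY = b"demo-integrity-key-not-for-production"
IDLE_TIMEOUT_SECONDS = 600

# Assumed role-to-action policy (minimum necessary): clinicians read and
# write, billing staff only read.
ROLE_PERMISSIONS = {"clinician": {"read", "write"}, "billing": {"read"}}


class IntegrityError(Exception):
    """Stored ePHI no longer matches its integrity tag."""


def integrity_tag(record: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding, so reordering keys does
    not change the tag but changing any value does."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


class EphiStore:
    def __init__(self, clock=time.time):
        self.clock = clock        # injectable so tests can advance time
        self.records = {}         # patient_id -> (record, integrity tag)
        self.sessions = {}        # user_id -> {"role": ..., "last_activity": ...}
        self.audit_log = []       # one entry per attempted access, success or not

    def _audit(self, user_id, action, patient_id, outcome):
        self.audit_log.append({"ts": self.clock(), "user": user_id,
                               "action": action, "patient": patient_id,
                               "outcome": outcome})

    def login(self, user_id: str, role: str) -> None:
        """Unique user identification: one session per named user, never shared."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.sessions[user_id] = {"role": role, "last_activity": self.clock()}
        self._audit(user_id, "login", None, "ok")

    def _authorize(self, user_id, action, patient_id) -> None:
        session = self.sessions.get(user_id)
        if session is None:
            self._audit(user_id, action, patient_id, "denied:no-session")
            raise PermissionError("not logged in")
        now = self.clock()
        if now - session["last_activity"] > IDLE_TIMEOUT_SECONDS:
            # Automatic logoff: the idle session is discarded, not renewed.
            del self.sessions[user_id]
            self._audit(user_id, action, patient_id, "denied:auto-logoff")
            raise PermissionError("session expired (automatic logoff)")
        session["last_activity"] = now
        if action not in ROLE_PERMISSIONS[session["role"]]:
            self._audit(user_id, action, patient_id, "denied:role")
            raise PermissionError(f"role {session['role']} may not {action}")

    def write(self, user_id, patient_id, record: dict) -> None:
        self._authorize(user_id, "write", patient_id)
        self.records[patient_id] = (dict(record), integrity_tag(record))
        self._audit(user_id, "write", patient_id, "ok")

    def read(self, user_id, patient_id) -> dict:
        self._authorize(user_id, "read", patient_id)
        record, tag = self.records[patient_id]
        # Integrity: detect alteration made outside the application.
        if not hmac.compare_digest(tag, integrity_tag(record)):
            self._audit(user_id, "read", patient_id, "integrity-failure")
            raise IntegrityError(f"record {patient_id} altered outside the application")
        self._audit(user_id, "read", patient_id, "ok")
        return dict(record)

    def review_activity(self) -> list:
        """Information system activity review: the entries a reviewer must
        look at (every denied access and every integrity failure)."""
        return [e for e in self.audit_log if e["outcome"] != "ok"]


if __name__ == "__main__":
    # Constructed sample data, not real patient information.
    store = EphiStore()
    store.login("dr_smith", "clinician")
    store.write("dr_smith", "P001", {"name": "Test Patient", "dx": "J45.20"})
    print(store.read("dr_smith", "P001"))
    print(store.review_activity())
```

Every attempted access, successful or not, lands in the audit log, which is what the Audit Controls standard asks for, and review_activity() is the periodic review the Security Management Process requires. The HMAC tag catches alteration of a stored record by anyone who bypassed the application (a database administrator, a compromised host), which is the Integrity standard's concern; it does not prevent deletion, so availability still rests on the data backup plan under the Contingency Plan standard.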
D. Organizational Requirements145
The organizational requirements tend to parallel those found in
the Privacy Rule with regard to business associate contracts.146
For instance, the standard mandates that a covered entity that
knows a business associate is engaging in an activity or practice
that constitutes a material breach or violation of the obligations
of the business associate under the Privacy or Security Rule must
take reasonable steps to cure the breach or end the violation.147
As
139 Id. § 164.312.
140 Id. § 164.312(a).
141 Id. § 164.312(b).
142 Id. § 164.312(c).
143 Id. § 164.312(d).
144 Id. § 164.312(e).
145 Id. § 164.314.
146 Id.
147 Id. § 164.314(a).
previously mentioned, an NPRM was issued on July 14, 2010 and included business associate obligations and business associate contracts as described in the HITECH Act.148
E. Policies and Procedures Documentation149
This requirement mirrors the documentation requirement of the
Privacy Rule insofar as it relates to ePHI. Reasonable and
appropriate policies and procedures must be adopted to comply with
the provisions of the Security Rule. These written security
policies and procedures and written records of required actions,
activities, or assessments must be documented and must be
maintained for a specified period of time.150 In addition,
documentation must be periodically reviewed and updated in response
to environmental or organizational changes that affect the security
of ePHI.151
IV. Breach Notification
The HITECH Act created new requirements for covered entities and
business associates to provide appropriate notification in the
event of a security breach of PHI.152 Regulations implementing the
HITECH Act’s new breach notification requirements are currently in
effect and cover breaches occurring on or after September 23,
2009.153 Depending on the circumstances of the breach and number of
affected individuals, covered entities are required to notify (1)
the individual, (2) the media, or (3) the Secretary of HHS.
Business associates
148 Significantly, the NPRM would not only extend applicability of the HIPAA Privacy and Security Rules to business associates, but also to “subcontractors” of business associates. And business associates would be required to enter into “subcontractor agreements” ensuring that the same types of safeguards and assurances contained in business associate agreements with the covered entity are entered into with the subcontractor. 75 Fed. Reg. 40868, 40873 (July 14, 2010).
149 45 C.F.R. § 164.316 (2010).
150 Id. § 164.316(b).
151 Id. § 164.316(b)(2)(iii).
152 42 U.S.C.A. § 17932 (West 2010).
153 45 C.F.R. §§ 164.400–.414 (2010). The Interim Final Rule was published on August 24, 2009 and became effective September 23, 2009. HHS received and reviewed public comments on the rule and developed a final rule that was submitted to the OMB for Executive Order review on May 14, 2010. HHS withdrew its final rule from OMB review to allow for further consideration. Until the final rule is published, the Interim Final Rule that went into effect on September 23, 2009 remains in effect.
are also required to notify the covered entity to enable the
covered entity to provide the appropriate notification as required
under the new laws.154
A. What is a “Breach”?
A breach is defined as an impermissible or unauthorized “acquisition, access, use, or disclosure” of PHI under the Privacy Rule that compromises the security or privacy of the PHI, meaning that the “acquisition, access, use, or disclosure” poses a “significant risk of financial, reputational, or other harm to the individual.”155 A use or disclosure of PHI from which the direct identifiers listed in § 164.514(e)(2) (the identifiers that must be removed to create a limited data set), together with date of birth and zip code, have been removed is not treated as compromising the security or privacy of the PHI. There are three exceptions to the definition of “breach.” The first exception applies to the “unintentional acquisition, access, or use of [PHI] by a workforce member or person acting under the authority of a covered entity or business associate, if . . . made in good faith and within the scope of authority.”156 The second exception applies to an inadvertent disclosure by a person who is authorized to access PHI at a covered entity or business associate to another person who is authorized to access PHI at the same covered entity, business associate, or organized health care arrangement in which the covered entity participates.157 The final exception applies if the covered entity or business associate has a good-faith belief that the unauthorized person to whom the impermissible disclosure was made would not reasonably have been able to retain the information.158
B. “Unsecured Protected Health Information” and Guidance
Covered entities and business associates are only required to provide notification of a breach that involves “unsecured protected health information” (“uPHI”). This is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance.
154 From the effective date of the Interim Final Rule (September 23, 2009) until the end of 2010, approximately 225 entities reported breaches of uPHI affecting 500 or more individuals, amounting to approximately thirteen reports per month, or 0.44 per day. A recent report by Redspin, Inc., a provider of HIPAA risk analysis and IT security assessment services, found that the 225 breaches affected 6,067,751 individuals, that forty-three states plus the District of Columbia and Puerto Rico had suffered at least one breach affecting more than 500 individuals, that 61% of breaches were the result of malicious intent, and that 40% of records breached involved business associates. Redspin, Breach Report 2010: Protected Health Information 1–4 (2011), available at http://www.redspin.com/docs/WP_Redspin_2010_Protected_Health_Information_Breach_Report.pdf.
155 45 C.F.R. § 164.402 (2010).
156 Id. § 164.402(2)(i) (emphasis added).
157 Id. § 164.402(2)(ii). In the first and second exception, there can be no further use or disclosure in a manner not permitted by the Privacy Rule.
158 Id. § 164.402(2)(iii).
Guidance was issued in April 2009159 with a request for public comment, and was later reissued specifying encryption and destruction as the technologies and methodologies for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals.160 Two practical points follow. Encryption qualifies only if it is consistent with the NIST publications the guidance cites (Special Publication 800-111 for data at rest, and the FIPS 140-2 validated processes of Special Publications 800-52, 800-77, and 800-113 for data in motion) and the decryption key has not itself been compromised; a lost encrypted laptop whose passphrase was stored with it is not “secured.” Destruction of electronic media qualifies only if it is consistent with NIST Special Publication 800-88 on media sanitization, so simply deleting files or reformatting a drive is not enough.
C. Breach Notification Requirements
Notification requirements kick in for covered entities and business associates following the “discovery” of a breach of uPHI. A breach is treated as “discovered” by a covered entity as of the first day on which the breach is known (or, by exercising reasonable diligence, would have been known) to the covered entity. A covered entity shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity (determined in accordance with the federal common law of agency). Covered entities are required to comply with the administrative requirements contained in the Privacy Rule with respect to the requirements for breach notification.161 In addition, both covered entities and business associates have the burden of demonstrating that notifications were properly provided or that the use or disclosure of uPHI did not constitute a breach.
1. Individual Notice
A covered entity is required to notify each individual whose uPHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of a breach. Notice should be in written form sent by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically.162 The notifications must be provided by the covered entity without unreasonable delay and in no case later than sixty calendar days following the discovery of the breach.163 These notices must be written in plain language and must include, to the extent possible, a description of the breach, a description of the type of information that was involved in the breach, the steps affected
159 It should be noted that this guidance will be updated annually.
160 Id.; Health Information Technology for Economic and Clinical Health Act (HITECH Act), Pub. L. No. 111–5, § 13402(h)(2), 123 Stat. 115 (2009). Additionally, the guidance also applies to unsecured IIHI under the FTC regulations. Covered entities, business associates, and entities regulated by the FTC that secure information as specified by the guidance are relieved from providing notifications following the breach of such information.
161 45 C.F.R. § 164.414(a) (2010). In particular, the requirements in § 164.530(b), (d)–(e), and (g)–(j).
162 There are additional requirements for substitute notice if the covered entity has insufficient or out-of-date contact information on the individual, and an additional notice requirement when “imminent misuse” is possible.
163 There is an exception to the time requirements when a covered entity or business associate is provided notice that its breach notification would impede a criminal investigation or endanger national security. Id. § 164.412.
individuals should take to protect themselves from potential
harm, a brief description of what the covered entity is doing to
investigate the breach, mitigate the harm, and prevent further
breaches, as well as contact information for additional information
from the covered entity.
2. Media Notice
Covered entities that experience a breach affecting more than 500 residents of a state or jurisdiction must, in addition to individual notification, provide notice to prominent media outlets serving the state or jurisdiction, typically through a press release. Similar to the individual notice, the media notification must be provided without unreasonable delay and in no case later than sixty calendar days following the discovery of the breach. The content of the notice must include the same information as individual notifications.
3. Notice to the Secretary
In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of HHS of breaches of uPHI. The form and content of the notice can be found on the HHS website. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than sixty calendar days following discovery of the breach. If, however, a breach affects fewer than 500 individuals, the covered entity must maintain a log of such breaches and submit it to the Secretary annually through the HHS website, no later than sixty days after the end of the calendar year in which the breaches were discovered.
4. Notification by Business Associates
Following the discovery of a breach of uPHI, the business associate must notify the covered entity of the breach without unreasonable delay and no later than sixty days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual whose uPHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the breach, as well as any information the covered entity is required to provide in its notification.164
5. Time Delay Exception for Law Enforcement
There is an exception to the notification deadline if a law enforcement official informs the covered entity or business associate “that a notification, notice, or posting required under this subpart would impede a criminal investigation or cause damage to national security.”165 If the statement by law enforcement is provided in writing and specifies the length of the delay required, then the covered entity or business associate shall delay their applicable notice
164 Id. § 164.410.
165 Id. § 164.412.
for the time period specified. If the statement is made orally,
the covered entity or business associate shall “document the
statement, including the identity of the official making the
statement, and delay the notification, notice, or posting
temporarily and no longer than 30 days from the date of the oral
statement, unless a written statement . . . is submitted during
that time.”166
6. Administrative Requirements and Burden of Proof
Covered entities are required to comply with the administrative requirements for breach notification contained in the Privacy Rule.167 In addition, both covered entities and business associates have the burden of demonstrating that required notifications have been provided or that a use or disclosure of uPHI did not constitute a breach.
V. Enhanced Enforcement and Penalties
The biggest complaints by critics of HIPAA are that there is insufficient oversight and that penalties apply to too narrow a scope of persons and entities. The HITECH Act has brought business associates within the scope of HIPAA Security Rule provisions and some Privacy Rule provisions, and also expands the definition of “business associate” to specified entities that perform certain functions.168
A. Accountability
As previously discussed, business associates are now directly accountable under HIPAA for failure to comply with Security Rule provisions and certain Privacy Rule provisions.
B. Application of Criminal Penalties
Failure to comply with HIPAA can result in criminal penalties. Covered entities and business associates who knowingly obtain or disclose PHI in violation of HIPAA can face fines of up to $50,000 and imprisonment for up to one year. For offenses committed under false pretenses, the fine can reach $100,000 with up to five years in prison, and for offenses committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm, the fine can reach $250,000 and the maximum imprisonment is ten years. The HITECH Act permits these criminal penalties to be enforced against individuals who obtain or disclose PHI from a covered entity “without authorization.”169
166 Id. § 164.412(b).
167 Id. § 164.414(a). In particular, the requirements in § 164.530(b), (d)–(e), and (g)–(j).
168 And, as noted supra note 148, the NPRM appears to extend these same HIPAA privacy, security, and enforcement provisions to “subcontractors” of business associates.
169 42 U.S.C.A. § 1320d-6 (West 2010).
C. Compliance and Enforcement
The HITECH Act clarifies the following issues regarding HIPAA compliance and enforcement:
• HHS and state attorneys general can now pursue civil HIPAA violations in cases where the Department of Justice declines to pursue a criminal case, even though criminal penalties would have applied.
• A formal investigation is now required after any complaint where a preliminary investigation of the facts indicates a possible violation through “willful neglect.”
• Imposition of a civil monetary penalty is now mandated if a violation is found to constitute “willful neglect.”170
D. Distribution of Civil Monetary Penalties
Money collected for HIPAA violations will no longer go to the Treasury. Instead, these funds must be transferred directly to OCR to be used for enforcement purposes.171 The HITECH Act requires the Comptroller General to develop a methodology whereby persons harmed by HIPAA violations will receive a percentage of the penalty (or settlement) collected. The Secretary must establish the GAO’s methodology report via regulation within three years of the Act’s enactment (that being February 17, 2012). The effective date for penalty or settlement amounts to go to OCR is supposed to begin February 17, 2011. The methodologies to provide affected individuals with a percentage will apply on and after the effective date of the regulation implementing the methodology.
E. Tiered Penalties
Effective February 17, 2009, the HITECH Act revised section 1176(a) of the Social Security Act by establishing (1) four categories of violations that reflect increasing levels of culpability; (2) four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and (3) a maximum penalty amount of $1.5 million for all violations of an identical provision in a calendar year.172
170 Health Information Technology for Economic and Clinical Health Act (HITECH Act), Pub. L. No. 111–5, § 13410(a), 123 Stat. 115 (2009). Willful neglect is defined in 45 C.F.R. § 160.401 as “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.”
171 HITECH Act § 13410(c).
172 Id. § 13410(d). The HITECH Act provisions are implemented by 45 C.F.R. § 160.404.
173 45 C.F.R. § 160.408 (2010).
174 In February 2011, HHS issued its first ever civil monetary penalty against a covered entity for violating HIPAA and refusing to comply with HHS’ investigation. The amount: $1.3 million for failing to provide forty-one patients access to their medical records and $3 million for failing to comply with HHS’ investigation. Colin J. Zick, HHS Fines Cignet Health $4.3 Million for HIPAA Violations, Security, Privacy and