
Page 1: The New HIPAA Era: What's New, What's Different and What's Actually Important


Kirk J. Nahra

Wiley Rein LLP

Washington, D.C.

202.719.7335

[email protected]

@kirkjnahrawork

(March 8, 2013)

Page 2

My Presentation

• My take on the key elements of the new HITECH rules

• Take a deep breath – they are important, and will involve change, but are not earth shattering.

• We have known for four years most of what this regulation was going to say

• Will try to focus on what’s most important for most of you.


Page 3


New HIPAA (the HITECH Act)

• New HIPAA provisions passed as part of the economic stimulus package

• Rationale – Giving health care providers economic incentives to develop and use electronic medical records “requires” “improved” privacy and security rules for the health care industry

• Most of the provisions have nothing to do with electronic medical records

• Most of the provisions of this new law appeared to take effect in February 2010 – but didn’t really.

Page 4


Proposed HITECH Rule

• NPRM published in Federal Register on July 14, 2010

• HHS has been evaluating comments since then, until publication of this final regulation

• Reminder - Despite the wording of the HITECH statute, these new provisions are not yet in effect (Caveat on state AGs)

Page 5

The Breach Rule – Current Status

• An Interim Final Regulation

• Lots of remaining confusion and ambiguities about details and justifications

• Remember the standard under this interim rule – a significant risk of financial, reputational or other harm.

• Notice must include steps individual should take to “protect themselves from potential harm resulting from the breach.”

Page 6

The Accounting NPRM

• Separate NPRM addressing the HITECH language on the accounting rule – Is not part of the “big” HITECH Rule

• Significant proposed changes to the accounting obligation that could create substantial additional burden

• HHS does not yet know what to do about this rule – and is just now starting to work on it.

Page 7

The Accounting NPRM

• Lots of comments were submitted, essentially all of them highly critical of the NPRM

• Virtually no one supported the proposed rule

• Implications for now – Important to evaluate what your company actually does with audit logs and similar oversight efforts. Do not start building an access report.

• You will need to have a plan for this issue.

Page 8

The Omnibus Regulation

• Published in the Federal Register on January 25, 2013

• Effective on March 26, 2013

• Requires compliance by September 23, 2013

• One question during this period – what will you do for situations where the rules are changing?

Page 9

The Breach Basics

• HITECH Law required notification to individuals in the event of specific kinds of security breaches

• HHS implemented an “interim final regulation” that has been in effect since September 2009

• Now, HHS has modified this into a “final” breach notification regulation

• What does this mean and what should we be watching?

Page 10

Background

• The interim final regulation clarified that the statute incorporated a “risk of harm” threshold – notice is required where there is a “significant risk of financial, reputational or other harm.”

• Covered entities have been reporting breaches under this standard for two plus years

Page 11

The Big News

• Two significant changes

• Modified the “presumption” for breach reporting so that it is clear that notification is required to the affected individuals unless the covered entity “demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment.”

Page 12

The Risk Assessment

• HHS has removed the “risk of harm” element

• Instead of the risk of harm standard, there is a “risk assessment” to determine if there is a low probability of a “compromise” of the PHI.

• If the risk assessment reveals a low probability of compromise, notification is not required.

• Covered entity can provide notice without a risk assessment.

Page 13

The Risk Assessment

• The nature and extent of the protected health information involved, including types of identifiers and likelihood of re-identification;

• The unauthorized person who used the protected health information or to whom the disclosure was made;

• Whether the protected health information was actually acquired or viewed; and

• The extent to which the risk to the protected health information has been mitigated.


Page 14

Other Elements

• Most of the rest of the rule remains largely the same.

• General exceptions to “breach” do not change

• Reporting to HHS stays the same (except for timing on reporting of some smaller breaches)

• Notice to media does not change

• Details of notification do not change

Page 15

Next Steps

• Current rule is in effect until September 23, 2013

• Follow the current “interim final” standard until then

• Each time you have a potential breach, evaluate using both standards. Spend some time figuring out if any results are different


Page 16

Business Associate Issues

• The biggest overall development for this regulation is the impact on business associates

• Business associates have always had contractual obligations

• Now they are subject to legal obligations and enforcement risk


Page 17

Business Associate Issues

• Business associates will now have a legal obligation to follow the privacy provisions of a standard business associate agreement (and the new HITECH provisions)

• This is not everything in the privacy rule (e.g., providing a privacy notice)

• This should not impact behavior because the “legal” obligations are the same as the current contracts


Page 18

Business Associate Issues

• Business associates now must follow the entire HIPAA Security Rule

• This is a big deal.

• The current contracts require “reasonable and appropriate” security standards

• Complying with the Security Rule is much more involved and detailed


Page 19

Business Associate Issues

• Business associates need to get moving now on security compliance

• These rules also apply to downstream contractors – on down the line indefinitely

• This is a big expansion – and to some companies who may not even be aware of their BA obligations


Page 20

Business Associate Issues (For CEs)

• Evaluate what you want to do with your business associate contracts – substance and process

• Evaluate the “agent” issue – including whether you want to address it at all

• Plan on the timing – you have time, but how long do you want “old” contracts in place?


Page 21

Business Associate Issues (For CEs)

• HHS has created categories of business associates – those who are “agents” and those who are not

• Applies primarily in notice and enforcement contexts

• Explicitly a “fact specific” assessment

• Consider how you are going to handle this – real questions as to whether to address at all.

Page 22

Enforcement

• Lots of new provisions for the HIPAA Enforcement Rule

• These do not create compliance obligations, but define a process for a formal enforcement proceeding

• Bottom line – HHS has LOTS of discretion, on how it does enforcement and issues penalties and other resolutions.


Page 23

Enforcement

• Discussion of “agents” in context of enforcement

• Clearly states that HHS can take action against CEs for actions of “agents”

• Unclear what they can/will do for others

• This is very much a “formality” issue – investigations still will be mostly negotiations

Page 24

Enforcement

• Remember what HHS is doing on enforcement these days

• They are starting investigations in lots of situations – based on notices, complaints, media reports, etc.

• They are asking lots of questions, and then broadening out from the starting point


Page 25

Enforcement

• Be very careful in the early stages of investigations

• Documentation of policies and procedures is critical

• It is always better to have fixed the problem already (if there is one)

• Take them seriously at all times


Page 26

Marketing Provision

• Current HIPAA rules impose significant restrictions on how PHI can be used and disclosed for marketing purposes.

• HITECH statute mandated that marketing be further restricted in situations where there is “payment” to make the communication

• Omnibus regulation now implements this provision

Page 27

Marketing Provision

• What does this do?

• Does not change the situations where “marketing” has been permitted so far.

• If it is permitted under the rules today, BUT the covered entity receives “remuneration,” a member authorization will be required.

Page 28

Marketing Provision

• What kinds of communications may be affected?

• Presumably when a covered entity is “marketing” someone else’s products or services

• Be careful if you are getting paid in any way – think about why you are doing this.


Page 29

Sale Issue

• Similar point as with marketing – PHI cannot be sold without a patient authorization

• Many exceptions

• Covered entities and business associates need to evaluate any situation where PHI is sold

Page 30

Sale Issue

• Exceptions include (among others):

• (a) public health activities;

• (b) research purposes, but only where the only remuneration received is a reasonable cost-based fee to cover the cost of preparation and transmission of the data;

• (c) treatment and payment purposes;

• (d) sale or transfer of all or part of the covered entity and for related due diligence.

Page 31

Sale Issue

• So what’s really changed?

• There still has to be a permitted basis for disclosure (even before the sale issue)

• Since treatment and payment are still “exceptions,” then is this really (only?) eliminating “sales” for “health care operations” purposes? How much of that is there?

Page 32

Authorizations

• The Rule makes certain changes about the substance of authorizations

• In addition to the “sale” and “marketing” issues

• Simplify authorizations in the research context – both allowing compound authorizations and for future research


Page 33

Privacy Notices

• Covered entities will need to issue new privacy notices

• HHS recognizes the cost elements of this, and has taken some steps to moderate financial impact

• Have not simplified notices in any way

• Their cost estimate is 1/3 of an hour at a cost in legal fees of $28 – good luck with that

Page 34

Miscellaneous

• No more HIPAA protection for records of people dead for more than 50 years

• GINA provisions impact how genetic information can be used by health plans for underwriting purposes

• Mainly reinforces existing principles


Page 35

Miscellaneous

• Confusing provision about requiring providers to restrict disclosure to health plans where patient requests and pays for services out of pocket

• Imposes no compliance obligations on health plans

• Consider where (if at all) this will be relevant


Page 36

What’s Not Here?

• Few new changes to HIPAA beyond HITECH

• No final accounting rule changes – separate timeframe. Highly controversial, most comments were exceedingly critical

• Additional guidance on minimum necessary coming

• Parallel developments on de-identification issues

Page 37

Next Steps

• Take a deep breath

• The omnibus regulation affects only a small portion of the HIPAA provisions

• No material changes to the substance of the Security Rule (just the application to BAs)

• And we have known almost all of this since the HITECH law – this just starts the real clock running.

Page 38

Next Steps

• Be aware that enforcement efforts are growing – not enormously, but consistently

• HHS is investigating a lot more (although still very slow and often meandering)

• They start investigations because of one issue, but then look at many more


Page 39

Next Steps

• Be very careful on security breach issues – review everything under both standards.

• Think twice if you reach different results in terms of your approach/response to the breach

• Mitigating quickly and effectively is ALWAYS a good idea

Page 40

Next Steps

• Re-evaluate your business associate contracts – you have time (and there is a transition period) but this takes some thought and planning

• Evaluate “agent” issue

• Look hard for situations where the marketing and sale rules may be implicated


Page 41

Next Steps

• Re-evaluate your security program

• For business associates, this is the biggest compliance issue by far

• Even though the substance of the security rule is not changing, security problems remain high with lots of risk


Page 42

Questions?

• Kirk J. Nahra

• Wiley Rein LLP

• 202.719.7335

• [email protected]

• @kirkjnahrawork

• Subscribe (for free) to Privacy in Focus – http://www.wileyrein.com/publications.cfm?sp=newsletters