
The New HIPAA Era: What's New, What's Different and What's Actually Important


Presentation Transcript


  1. The New HIPAA Era: What's New, What's Different and What's Actually Important Kirk J. Nahra Wiley Rein LLP Washington, D.C. 202.719.7335 KNahra@wileyrein.com @kirkjnahrawork (March 8, 2013)

  2. My Presentation • My take on the key elements of the new HITECH rules • Take a deep breath – they are important, and will involve change, but are not earth shattering. • We have known for four years most of what this regulation was going to say • Will try to focus on what’s most important for most of you.

  3. New HIPAA (the HITECH Act) • New HIPAA provisions passed as part of the economic stimulus package • Rationale – Giving health care providers economic incentives to develop and use electronic medical records “requires” “improved” privacy and security rules for the health care industry • Most of the provisions have nothing to do with electronic medical records • Most of the provisions of this new law appeared to take effect in February 2010 – but didn’t really.

  4. Proposed HITECH Rule • NPRM published in Federal Register on July 14, 2010 • HHS has been evaluating comments since then, until publication of this final regulation • Reminder - Despite the wording of the HITECH statute, these new provisions are not yet in effect (Caveat on state AGs)

  5. The Breach Rule – Current Status • An Interim Final Regulation • Lots of remaining confusion and ambiguities about details and justifications • Remember the standard under this interim rule – a significant risk of financial, reputational or other harm. • Notice must include steps individual should take to “protect themselves from potential harm resulting from the breach.”

  6. The Accounting NPRM • Separate NPRM addressing the HITECH language on the accounting rule – Is not part of the “big” HITECH Rule • Significant proposed changes to the accounting obligation that could create substantial additional burden • HHS does not yet know what to do about this rule – and is just now starting to work on it.

  7. The Accounting NPRM • Lots of comments were submitted, essentially all of them highly critical of the NPRM • Virtually no one supported the proposed rule • Implications for now - Important to evaluate what your company actually does with audit logs and similar oversight efforts. Do not start building an access report. • You will need to have a plan for this issue.

  8. The Omnibus Regulation • Published in the Federal Register on January 25, 2013 • Effective on March 26, 2013 • Requires compliance by September 23, 2013 • One question during this period – what will you do for situations where the rules are changing?

  9. The Breach Basics • HITECH Law required notification to individuals in the event of specific kinds of security breaches • HHS implemented an “interim final regulation” that has been in effect since September 2009 • Now, HHS has modified for a “final” breach notification regulation • What does this mean and what should we be watching?

  10. Background • The interim final regulation clarified that the statute incorporated a “risk of harm” threshold – notice is required where there is a “significant risk of financial, reputational or other harm.” • Covered entities have been reporting breaches under this standard for two plus years

  11. The Big News • Two significant changes • Modified the “presumption” for breach reporting so that it is clear that notification is required to the affected individuals unless the covered entity “demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment.”

  12. The Risk Assessment • HHS has removed the “risk of harm” element • Instead of the risk of harm standard, there is a “risk assessment” to determine if there is a low probability of a “compromise” of the PHI. • If the risk assessment reveals a low probability of compromise, notification is not required. • Covered entity can provide notice without a risk assessment.

  13. The Risk Assessment • The nature and extent of the protected health information involved, including types of identifiers and likelihood of re-identification; • The unauthorized person who used the protected health information or to whom the disclosure was made; • Whether the protected health information was actually acquired or viewed; and • The extent to which the risk to the protected health information has been mitigated.

  14. Other Elements • Most of the rest of the rule remains largely the same. • General exceptions to “breach” do not change • Reporting to HHS stays the same (except for timing on reporting of some smaller breaches) • Notice to media does not change • Details of notification do not change

  15. Next Steps • Current rule is in effect until September 23, 2013 • Follow the current “interim final” standard until then • Each time you have a potential breach, evaluate using both standards. Spend some time figuring out if any results are different

  16. Business Associate Issues • The biggest overall development for this regulation is the impact on business associates • Business associates have always had contractual obligations • Now they are subject to legal obligations and enforcement risk

  17. Business Associate Issues • Business associates will now have a legal obligation to follow the privacy provisions of a standard business associate agreement (and the new HITECH provisions) • This is not everything in the privacy rule (e.g., providing a privacy notice) • This should not impact behavior because the “legal” obligations are the same as the current contracts

  18. Business Associate Issues • Business associates now must follow the entire HIPAA Security Rule • This is a big deal. • The current contracts require “reasonable and appropriate” security standards • Complying with the Security Rule is much more involved and detailed

  19. Business Associate Issues • Business associates need to get moving now on security compliance • These rules also apply to downstream contractors – on down the line indefinitely • This is a big expansion – and to some companies who may not even be aware of their BA obligations

  20. Business Associate Issues (For CEs) • Evaluate what you want to do with your business associate contracts – substance and process • Evaluate the “agent” issue – including whether you want to address it at all • Plan on the timing – you have time, but how long do you want “old” contracts in place?

  21. Business Associate Issues (For CEs) • HHS has created categories of business associates – those who are “agents” and those who are not • Applies primarily in notice and enforcement contexts • Explicitly a “fact specific” assessment • Consider how you are going to handle this – real questions as to whether to address at all.

  22. Enforcement • Lots of new provisions for the HIPAA Enforcement Rule • These do not create compliance obligations, but define a process for a formal enforcement proceeding • Bottom line – HHS has LOTS of discretion, on how it does enforcement and issues penalties and other resolutions.

  23. Enforcement • Discussion of “agents” in context of enforcement • Clearly states that HHS can take action against CEs for actions of “agents” • Unclear what they can/will do for others • This is very much a “formality” issue – investigations still will be mostly negotiations

  24. Enforcement • Remember what HHS is doing on enforcement these days • They are starting investigations in lots of situations – based on notices, complaints, media reports, etc. • They are asking lots of questions, and then broadening out from the starting point

  25. Enforcement • Be very careful in the early stages of investigations • Documentation of policies and procedures is critical • It is always better to have fixed the problem already (if there is one) • Take them seriously at all times

  26. Marketing Provision • Current HIPAA rules impose significant restrictions on how PHI can be used and disclosed for marketing purposes. • HITECH statute mandated that marketing be further restricted in situations where there is “payment” to make the communication • Omnibus regulation now implements this provision

  27. Marketing Provision • What does this do? • Does not change the situations where “marketing” has been permitted so far. • If it is permitted under the rules today, BUT the covered entity receives “remuneration,” a member authorization will be required.

  28. Marketing Provision • What kinds of communications may be affected? • Presumably when a covered entity is “marketing” someone else’s products or services • Be careful if you are getting paid in any way – think about why you are doing this.

  29. Sale Issue • Similar point as with marketing – PHI cannot be sold without a patient authorization • Many exceptions • Covered entities and business associates need to evaluate any situation where PHI is sold

  30. Sale Issue • Exceptions include (among others): • (a) public health activities; • (b) research purposes, but only where the only remuneration received is a reasonable cost-based fee to cover the cost of preparation and transmission of the data; • (c) treatment and payment purposes; • (d) sale or transfer of all or part of the covered entity and for related due diligence.

  31. Sale Issue • So what’s really changed? • There still has to be a permitted basis for disclosure (even before sale issue) • Since treatment and payment are still “exceptions,” then is this really (only?) eliminating “sales” for “health care operations” purposes? How much of that is there?

  32. Authorizations • The Rule makes certain changes about the substance of authorizations • In addition to the “sale” and “marketing” issues • Simplify authorizations in the research context – both allowing compound authorizations and for future research

  33. Privacy Notices • Covered entities will need to issue new privacy notices • HHS recognizes the cost elements of this, and has taken some steps to moderate financial impact • Have not simplified notices in any way • Their cost estimate is 1/3 of an hour at a cost in legal fees of $28 – good luck with that

  34. Miscellaneous • No more HIPAA protection for records of people dead for more than 50 years • GINA provisions impact how genetic information can be used by health plans for underwriting purposes • Mainly reinforces existing principles

  35. Miscellaneous • Confusing provision about requiring providers to restrict disclosure to health plans where patient requests and pays for services out of pocket • Imposes no compliance obligations on health plans • Consider where (if at all) this will be relevant

  36. What’s Not Here? • Few new changes to HIPAA beyond HITECH • No final accounting rule changes – separate timeframe. Highly controversial, most comments were exceedingly critical • Additional guidance on minimum necessary coming • Parallel developments on de-identification issues

  37. Next Steps • Take a deep breath • The omnibus regulation affects only a small portion of the HIPAA provisions • No material changes to the substance of the Security Rule (just the application to BAs) • And we have known almost all of this since HITECH law – this just starts the real clock running.

  38. Next Steps • Be aware that enforcement efforts are growing – not enormously, but consistently • HHS is investigating a lot more (although still very slow and often meandering) • They start investigations because of one issue, but then look at many more

  39. Next Steps • Be very careful on security breach issues – review everything under both standards. • Think twice if you reach different results in terms of your approach/response to the breach • Mitigating quickly and effectively is ALWAYS a good idea

  40. Next Steps • Re-evaluate your business associate contracts – you have time (and there is a transition period) but this takes some thought and planning • Evaluate “agent” issue • Look hard for situations where the marketing and sale rules may be implicated

  41. Next Steps • Re-evaluate your security program • For business associates, this is the biggest compliance issue by far • Even though the substance of the security rule is not changing, security problems remain high with lots of risk

  42. Questions? • Kirk J. Nahra • Wiley Rein LLP • 202.719.7335 • knahra@wileyrein.com • @kirkjnahrawork • Subscribe (for free) to Privacy in Focus - http://www.wileyrein.com/publications.cfm?sp=newsletters.
