Minnesota Attorney General Sues Business Associate Under HIPAA for Loss of Patient Data: New Milestone in HIPAA Enforcement

Minnesota Attorney General Lori Swanson has filed a civil lawsuit in federal court against HIPAA business associate Accretive Health, Inc. (“Accretive”) for alleged violations of HIPAA, Minnesota medical privacy law, and consumer debt collection practices laws. The lawsuit was filed in part through the powers granted to state attorneys general (“AGs”) under HITECH provisions that expanded the enforcement powers and civil penalties available for violations of HIPAA.

Accretive had been hired by two hospitals to perform revenue cycle management services, including scheduling, registration, admissions, billing, collection, and payment functions.  These activities were performed by Accretive employees working on-site in various departments of the hospitals.  The lawsuit followed the theft of an unencrypted, password-protected laptop from an Accretive employee’s car that contained the individually identifiable health information of approximately 17,000 to 23,000 patients.

HHS issues a model privacy notice for Personal Health Records and proposed regulations to grant patients the right to access lab results directly

Today the U.S. Department of Health and Human Services (HHS) issued a voluntary privacy notice for Personal Health Records (PHRs) as well as new proposed rules that would expand the rights of patients to access test result reports directly from clinical laboratories covered by HIPAA. Both announcements were part of an HHS Consumer Health IT Summit.

The PHR model privacy notice is intended for use by PHR companies. HHS describes the notice as like the nutrition labeling information required on food in the U.S., in that it is designed to present complex information in an understandable format. HHS provides a template that PHR companies can populate with their own data practices. The goal is to provide transparency about privacy practices. HHS expects that companies will continue to make a more in-depth privacy notice available as well.

HHS also has issued a proposed rule (PDF) to allow patients to directly access their own lab results. This proposed rule would amend the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to specify that, upon a patient’s request, the laboratory may provide access to completed test reports that, using the laboratory’s authentication process, can be identified as belonging to that patient. This proposed rule will be published in the Federal Register on September 14 with an expected 60-day comment period.

HHS extends comment period on human subjects research proposals

The U.S. Department of Health and Human Services (HHS) today extended the public comment period for its new proposed requirements for human subjects research under the Common Rule. HHS’ proposal includes significant new data privacy and security obligations on research entities, including the creation of mandatory data security and information protection standards for all studies involving identifiable or potentially identifiable data, as well as potential new standards for de-identified data.  HHS also proposes to categorize biospecimen research as identifiable information.  HHS has extended the comment period by one month, making comments due by October 26, 2011. Read the notice of the extension here. For more information about the privacy and security components of the proposal, view our Health Privacy archive.

New data privacy and security requirements proposed for human subjects research

The U.S. Department of Health and Human Services (HHS) published new proposed requirements for human subjects research under the Common Rule that, if adopted, would include significant new data privacy and security obligations on research entities. HHS is considering the creation of mandatory data security and information protection standards for all studies involving identifiable or potentially identifiable data. This could include adopting the HIPAA Privacy Rule standards for when data is deemed de-identified, as well as categorizing biospecimen research as identifiable information. HHS also proposes to re-evaluate the HIPAA de-identification standard to ensure it reflects emerging technology and evolving informational risks. HHS requests comment on these proposals.

HHS also proposes data security requirements for research information. This could include a requirement that research involving the collection and use of identifiable data adhere to the HIPAA Security Rule standards as well as breach notification standards modeled on the HIPAA requirements. For research using limited data sets or de-identified information, re-identification of individuals would be strictly prohibited. HHS would provide for additional enforcement as well as periodic random audits of research institutions. HHS poses a number of specific questions regarding implementation of data privacy and security requirements for research entities. This HHS issuance is in the form of an Advance Notice of Proposed Rulemaking (ANPRM), Human Subjects Research Protections: Enhancing Protections for Research Subjects and Reducing Burden, Delay, and Ambiguity for Investigators. Comments will be accepted for 60 days following publication of the ANPRM in the Federal Register. The ANPRM and related information can be accessed at http://www.hhs.gov/ohrp/humansubjects/anprm2011page.html.

An In-Depth Look at the Supreme Court Decision on Vermont's Prescription Data Mining Law

Springboarding off our earlier report on the Supreme Court's decision in Sorrell v. IMS Health, Hogan Lovells Privacy and Information Management practice co-leader Marcy Wilder and associate Eric Bukstein have published a more detailed look at the case. Read their BNA Privacy & Security Law Report for analysis of the decision.

Supreme Court Strikes Down Prescription Data-Mining Ban

The U.S. Supreme Court struck down today a Vermont law prohibiting pharmaceutical companies from buying or using prescription data for marketing. The decision, Sorrell v. IMS Health, holds that the state law prohibiting the sale or disclosure for marketing purposes of prescription data that identifies prescribers (but not patients) is an unconstitutional infringement on the free speech rights of pharmaceutical and data mining companies. The case was decided primarily on First Amendment grounds with privacy addressed only as a secondary issue. 

HHS issues new HIPAA accounting of disclosures rule

The Department of Health and Human Services (HHS) has issued a proposed rule implementing changes to the HIPAA Privacy Rule’s standard for accounting of disclosures of protected health information. This proposed rule addresses the changes required by the HITECH Act, which requires HIPAA covered entities and business associates to account for disclosures of protected health information made through an electronic health record that are for treatment, payment, and health care operations purposes.

The proposed rule divides the accounting rights into two distinct individual rights. The first right follows the long-standing accounting of disclosure rules, modifying the existing rule to require an accounting for three years prior to an individual’s request instead of the current six years. The second provides individuals with a new right to receive a written “access report” that describes uses and disclosures of their PHI made through an “electronic designated record set.” This new access report would include information on a covered entity’s workforce members who have accessed information and would apply to information in an electronic designated record set, not only information in an electronic health record, as required by HITECH.

The proposed rule is available today at http://www.ofr.gov/OFRUpload/OFRData/2011-13297_PI.pdf and will be published in the Federal Register on Tuesday, May 31.

HIPAA Security Rule Oversight by HHS is 'Insufficient' According to the OIG

The U.S. Department of Health and Human Services Office of the Inspector General issued two reports yesterday criticizing the Centers for Medicare and Medicaid Services (“CMS”) and the Office of the National Coordinator for Health IT (“ONC”) for doing too little to protect the security of patient health information. The first report, Nationwide Rollup Review of the Centers for Medicare & Medicaid Services HIPAA Oversight, found that CMS oversight and enforcement "were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the Security Rule."

Is Access to Prescriber-Identifiable Data Protected as Free Speech?: The Supreme Court Hears Oral Arguments in Sorrell v. IMS Health

On April 26, the Supreme Court heard oral arguments in Sorrell v. IMS Health – the first case heard by the Court that considers the limitations that a state may put on mining health data for commercial purposes. Specifically, this case raises the issue of how the government regulation of data mining practices impacts both the privacy rights of individuals and the speech rights of companies – both data mining companies and their customers. 

HHS Imposes a $4.3 Million Civil Monetary Penalty For Violations of the HIPAA Privacy Rule

Today the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) imposed a civil monetary penalty (CMP) in the amount of $4.3 million on Cignet Health for violations of the HIPAA Privacy Rule. This represents the first CMP imposed by HHS for HIPAA privacy violations.  

When Congress enacted the HITECH law in 2009, it significantly expanded HHS’ enforcement authority and made clear that the agency was expected to use it.   HHS seems to be taking that directive seriously. 

The OCR investigation began in response to complaints filed by Cignet patients attempting to access their medical records in order to seek care from physicians outside the Cignet network. Part of the penalty -- $1.3 million -- was imposed for denying these 41 patients access to their medical records when requested between September 2008 and October 2009. Under the Privacy Rule covered entities are required to provide individuals with access to their medical records within 30 days (and no later than 60 days) of a request.  

An additional $3 million in penalties was assessed against Cignet for its profound failure to cooperate during the agency’s investigation. Specifically, OCR found that Cignet did not cooperate with OCR’s investigations into the complaints and failed to respond to OCR’s demands to produce the records, including failure to respond to a subpoena.  When Cignet did finally respond by providing the records relating to the individuals who had filed complaints, they also produced to OCR medical records for an additional 4,500 individuals for whom the agency had made no request or demand. According to OCR, Cignet had no legitimate basis on which to disclose these records to the agency. 

OCR found that Cignet’s failure to comply with the Privacy Rule and its refusal to cooperate with the investigation amounted to willful neglect, which appears to have led to the imposition of the maximum penalties permitted by law. 

FTC Posts Guidance for Providers and Insurers on Medical Identity Theft

Shining a new spotlight on health data breaches, the Federal Trade Commission recently posted a frequently asked questions guide to medical identity theft for health care providers and insurers. Medical identity theft occurs when one person obtains health care services or prescription drugs using the identity of someone else, or when those working in a health care provider setting use an individual's personal information to submit false bills to an insurer. People victimized by medical identity theft often realize the theft has occurred when they get a bill for a service they did not receive, are contacted by a debt collector for medical bills for services they never obtained or from doctors they never saw, or are denied insurance because their records are incorrect. The guide makes clear that if a patient reports being a victim of medical identity theft, providers and insurers are expected to conduct an investigation and correct any incorrect information, follow the applicable rules of the Fair Credit Reporting Act, review their data security practices, and provide notification as required under HIPAA or other federal or state security breach notification laws. The guidance for health care providers and insurers follows on guidance posted last month for consumers on how to prevent and detect medical identity theft.

Bill Introduced to Limit Scope of Red Flags Rule

On November 17th, just six weeks before the Red Flags Rule is slated for FTC enforcement, a bipartisan bill (H.R. 6420) seeking to limit the scope of the Red Flags Rule was introduced. The bill, entitled the “Red Flag Program Clarification Act of 2010,” seeks to amend the definition of “creditor” under the Fair Credit Reporting Act and, hopefully, finally put to rest the scope of coverage issue that has been the source of great controversy.

The law establishing the Red Flags Rule was passed in January 2008, with a scheduled effective date of November 1, 2008.  For financial institutions, the Rule is operative, but due to confusion and concerns over the scope of the rule – over what entities qualify as covered “creditors” -- the FTC has delayed enforcement five times. The current date for FTC enforcement to commence is December 31, 2010.  In announcing the most recent enforcement delay, the FTC stated that it was delaying enforcement of the Rule while “Congress considers legislation that would affect the scope of entities covered by the Rule.”  

The Red Flags Rule aims to prevent identity theft by ensuring that entities are aware of possible signs of identity theft. The Rule requires “financial institutions” and “creditors” who maintain “covered accounts” to develop written identity theft prevention programs. Under the current Rule, a “creditor” is broadly defined as any person or entity that (a) regularly extends, renews, or continues credit; (b) regularly arranges for the extension, renewal, or continuation of credit; or (c) any assignee of an original creditor who participates in the decision to extend, renew, or continue credit for a covered account. The broad definition of “creditor” adopted under the Rule encompasses a wide variety of organizations, including many health care entities, law firms, and accountants.

H.R. 6420 seeks to narrow the scope of the Rule by exempting from the definition of “creditor” a creditor that “advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.” The amended definition of “creditor” would also include any other creditors deemed (through rulemaking) by their appropriate regulating authority to offer or maintain “accounts that are subject to a reasonably foreseeable risk of identity theft.”

The new legislation comes while the FTC’s application of the Rule is facing several challenges in federal court from organizations such as the American Bar Association (ABA), American Medical Association and the American Institute of Certified Public Accountants. Most recently, on November 15, 2010, the U.S. Court of Appeals for the D.C. Circuit heard oral arguments regarding the ABA’s challenge to the FTC’s application of the Rule to attorneys.

U.S. Senate Hearing on Data Protection

On September 22, the U.S. Senate Commerce Committee's Consumer Protection, Product Safety, and Insurance Subcommittee held a hearing on S.3742, The Data Security and Breach Notification Act of 2010.  This Act would give the Federal Trade Commission the authority to require a wide range of commercial and nonprofit entities to establish security practices to protect personal information, including social security numbers and certain financial information.  Entities also would be required to notify individuals in the event of a breach of such information.  Hogan Lovells US LLP partner Melissa Bianchi testified before the Subcommittee about the effect this legislation would have on HIPAA covered entities, on behalf of the American Hospital Association.  A link to the hearing and video is available at http://commerce.senate.gov/public/index.cfm?p=Hearings.

Rite Aid Fined $1 Million for Improperly Disposing Personal Information

On July 27th, the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) announced settlements with Rite Aid Corporation for the improper disposal of personal information -- including prescriptions and labeled pill bottles containing identifiable information about Rite Aid customers, and employment applications -- in publicly accessible dumpsters behind Rite Aid stores in a number of cities across the country.  In addition to improperly disposing of personal information, HHS and the FTC also claimed that Rite Aid failed to:

  • implement policies and procedures to dispose securely of such information, including, but not limited to, policies and procedures to render the information unreadable in the course of disposal;
  • adequately train employees to dispose securely of such information;
  • use reasonable measures to assess compliance with its established policies and procedures for disposing of such information; and
  • employ a reasonable process for discovering and remedying risks to such information.

Under the HHS resolution agreement, Rite Aid agreed to pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act Privacy Rule. Rite Aid also agreed to distribute policies and procedures for protecting protected health information (such as the patient information improperly disposed of in this case), train employees on the policies and procedures, monitor for violations, sanction employees who commit violations, and hire a third-party auditor to conduct periodic compliance reviews. The HHS resolution agreement applies for three years.

In its consent order, the FTC accused Rite Aid of committing both unfair and deceptive trade practices in violation of Section 5 of the FTC Act.  Specifically, the FTC claimed that Rite Aid committed unfair trade practices when it failed to employ reasonable and appropriate measures to prevent unauthorized access to the personal information, and committed deceptive trade practices when it recklessly disposed of customers' health information despite making claims it would responsibly protect such information. 

In addition to the penalties imposed by HHS, the FTC ordered Rite Aid to cease misrepresenting its information security practices to consumers, establish a comprehensive information security program reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers and employees, and obtain biannual audits of its information security program for the next 20 years.

These settlements were similar to those imposed on CVS Caremark in February of 2009, which also stemmed from a joint HHS and FTC investigation into reports of patient and employee information improperly disposed of in publicly accessible dumpsters. While many of the procedural requirements of the settlements are similar, in that case HHS required CVS Caremark to pay $2.25 million to settle the charges.

These cases reaffirm the agencies' commitment to investigating and punishing improper data disposal practices, especially in light of high-profile media reports discovering sensitive consumer information in dumpsters and boxes left by the side of the road.  In order to avoid these types of high-profile investigations, organizations should implement and enforce data retention policies and always destroy sensitive customer and employee data prior to disposal.

Major Changes to the HIPAA Privacy, Security and Enforcement Rules Introduced in the HHS Proposed Rule

The Department of Health and Human Services (HHS) introduced sweeping changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security and Enforcement Rules in its Notice of Proposed Rulemaking issued on July 8. 

Some of the major changes introduced under the Proposed Rule include:

  • Business Associates and Business Associate Agreements— HHS modifies the current definition of business associates to explicitly include several new entities, most importantly sub-contractors who create, receive or transmit protected health information (PHI) on behalf of business associates. Subcontractors who meet this criterion are now business associates and consequently required to enter into business associate agreements with business associates and subject to direct liability under the HIPAA Rules.

The Proposed Rule also makes a number of modifications to the business associate agreement contractual requirements, including (but not limited to) requiring that business associate agreements include language that requires business associates to report breaches of unsecured PHI to covered entities and, to the extent a business associate is carrying out any covered entity Privacy Rule obligations, to comply with the relevant Privacy Rule requirements that apply to the covered entity.

The Proposed Rule proposes a one year transition period for compliance with the new business associate agreement requirements for certain existing contracts. 

  • Security Rule— The Proposed Rule makes § 164.306 of the Security Rule, which sets out general rules that apply to all standards and implementation sections of the Security Rule, apply to business associates. HHS also introduces several other changes to the Security Rule with respect to business associates in the Proposed Rule.

  • Marketing— HHS proposes significant, complex revisions to the exceptions to the definition of “marketing” and solicits comments on a number of its proposals, including the distinction it draws in the Proposed Rule between treatment and health care operations communications.

OCR Releases Proposed HITECH Privacy Rule -- Biggest Change to Health Privacy Law Since HIPAA

This morning the Office of Civil Rights (OCR) issued a notice of proposed rulemaking to modify the HIPAA Privacy, Security, and Enforcement Rules.  The proposed modifications would extend parts of the HIPAA Privacy Rule and virtually all of the Security Rule to the business associates of HIPAA covered entities, impose new limits on the use and disclosure of protected health information for marketing, prohibit the sale of protected health information without patient consent, expand individuals’ rights to access their information and permit patients to restrict the disclosure of certain information to health plans.  In addition, the proposed rule will strengthen and expand HIPAA’s enforcement provisions.  Comments will be accepted on the new rule for 60 days following publication in the Federal Register, which is currently scheduled for July 14, 2010.  Hogan Lovells attorneys are reviewing the proposed rule and will post highlights shortly.

FCC and FDA to Hold Public Forum Regarding Wireless Medical Technology; Public Comments Sought

The Federal Communications Commission and the Food and Drug Administration jointly announced this week an upcoming public forum to discuss the review process for “Life-Saving Wireless Medical Technology.” The joint public forum is scheduled for July 26-27, 2010 and written comments in advance of the meeting are due June 25, 2010.

The FCC and FDA share joint regulatory authority over wireless-enabled medical devices, most notably those relying upon commercial broadband wireless networks to relay patient information back to providers. As described in the FCC news release, “[t]he joint public meeting . . . reflects a commitment by the two agencies to work even more closely to ensure the safety and reliability of [these] devices while increasing their availability to consumers and health care providers. This collaboration is a critical step in the development and approval of new wireless medical devices . . . .” The two agencies expressed a desire to develop a collaborative, streamlined process for review of new devices.

The accompanying Public Notice included a list of questions on which the agencies are seeking written comments in advance of the public forum. These topics include:

  • Data integrity and reliability issues arising from the use of allocated spectrum, the use of unlicensed devices, and the use of commercial networks and applications, and needs, uses, and risks for ‘medical-grade’ wireless technology and communications.
  • Medical device and system security issues including inadvertent and intentional intrusion.
  • Views on current FDA and FCC regulatory requirements, including the relationship between FDA approval/clearance and FCC certification of applications, and post-market and compliance requirements.

The request also solicited comments on additional topics appropriate for inclusion in the forum.

ONC Launches New Privacy and Security Workgroup

The Office of the National Coordinator for Health IT (ONC) has organized a workgroup under the auspices of the HIT Policy Committee to move forward on and maintain consistency with respect to a range of privacy and security issues. This new “Privacy & Security Tiger Team” will be co-chaired by Deven McGraw, Center for Democracy & Technology, and Paul Egerman, a health IT consultant, and comprised of members of the Health IT Policy and Standards Committees, as well as of the National Committee on Vital and Health Statistics (NCVHS).

The Tiger Team will work over the next few months to address the privacy and security requirements of the HITECH Act, as well as the needs of the new organizations – such as state health information exchanges and regional health IT extension centers – created under that law. The group held its first meeting on June 9 and at that meeting discussed: at what level its policy recommendations should be; the overarching issues raised by NHIN Direct; and what privacy and security frameworks should be in place.

The group met again on June 10 to continue its discussions. ONC expects the Tiger Team’s work to be completed by late fall 2010.

HIT Policy Committee Workgroup Recommends Encryption Mandate

The Health IT Policy Committee’s Privacy and Security workgroup has recommended that patient data exchanged between providers for treatment purposes be governed by policies that “at least” include encryption. The HIT Policy Committee is a federal advisory committee established to provide guidance to the Office of the National Coordinator for Health IT (ONC) on health IT policy issues, and its privacy and security workgroup is charged with addressing the privacy and security issues involved in developing a framework for the exchange of health information.

According to the workgroup’s recommendations, encryption ideally should be required when there is potential for transmitted data to be exposed. The workgroup proposed that the encryption mandate come either through the meaningful use and certification criteria or through modification of the HIPAA Security Rule.

In addition to encryption, the group recommended that provider-to-provider exchange be governed by policies that include “limits on identifiable (or potentially identifiable) information in the message” and “identification and authentication.” According to the workgroup, “if strong policies are in place and enforced, we don’t think that the above scenario needs any additional individual consent beyond what is required by current law."

If such recommendations are adopted and an encryption mandate imposed, this would have significant and far-reaching consequences for providers. We will continue to track the status of these recommendations as they evolve.

OCR Issues Guidance on Risk Analysis for HIPAA Security Compliance

On Friday, May 7, 2010, the Office for Civil Rights (“OCR”) issued guidance related to the HIPAA Security Rule’s risk analysis requirement.  Under HITECH, OCR is responsible for issuing annual guidance on provisions of the HIPAA Security Rule.  This guidance is the first in a series of documents aimed at helping covered entities and business associates implement effective and appropriate administrative, physical, and technical security safeguards. 

This guidance document is generally consistent with the materials provided by the Centers for Medicare and Medicaid Services (“CMS”) prior to the introduction of HITECH.  For example, like the recently released OCR guidance, CMS historically directed covered entities to refer to the National Institute of Standards and Technology’s Special Publication 800-66 Rev.1, An Introductory Resource Guide for Implementing the HIPAA Security Rule (October 2008) (“NIST 800-66”).  NIST 800-66 frequently directs readers to consult NIST SP 800-30, Risk Management Guide for Information Technology Systems (July 2002), which is also quoted extensively in the recently released OCR guidance.  Moreover, the OCR guidance is quite similar to the HIPAA Security Series, Paper 6: Basics of Risk Analysis and Risk Management which was most recently revised by CMS in March 2007. 

OCR encourages the public to offer feedback on the risk analysis guidance. Comments can be submitted to OCR at OCRPrivacy@hhs.gov.

HHS Requests Comments on HITECH Accounting of Disclosures Requirements

In today’s Federal Register, the Department of Health and Human Services (“HHS”) published a request for information (“RFI”) regarding the HITECH accounting of disclosures provisions.  The Department is collecting information to help inform its rulemaking. Building on the current HIPAA accounting of disclosure requirements, HHS is required to issue regulations concerning what information should be collected about disclosures for treatment, payment, and health care operations made through an electronic health record.  

In the RFI, HHS requests comments on nine questions, including whether the compliance deadline should be extended. Comments are due on or before May 18, 2010. A detailed listing of all questions and additional background information is available in the Federal Register.

HHS Scheduled to Issue Proposed HITECH Regulations in May

The U.S. Department of Health and Human Services (“HHS”) published its regulatory agenda (“Agenda”) in today’s Federal Register.  The Agenda presents a forecast of expected HHS rulemaking activities and suggests that in May of this year HHS will issue proposed rules to modify the HIPAA Privacy, Security, and Enforcement Rules as necessary to implement the privacy, security, and certain enforcement provisions of HITECH. The Department is also scheduled to issue a final rule in May of this year, addressing the certification standards and implementation criteria for electronic health record technology.

HITECH Act Rulemaking and Implementation Update

OCR posted the following announcement on its website suggesting that information regarding specific compliance and enforcement dates will be included in the rulemaking.  The Department did not provide any information on when to expect a proposed privacy regulation.

*****

OCR will implement important privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act through notice and comment rulemaking, as required by the Administrative Procedure Act.  These provisions include: business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information.  OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions.  Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements.

However, interim final rules implementing HITECH Act provisions in two areas have already been issued and are currently in effect: enforcement and breach notification.  New civil money penalty amounts apply to HIPAA Privacy and Security Rule violations occurring after February 17, 2009.  Covered entities and business associates must comply now with breach notification obligations for breaches that are discovered on or after September 23, 2009. OCR announced previously that it would use its enforcement discretion not to impose fiscal sanctions with regard to breaches discovered before February 22, 2010. Since that date has passed, OCR will enforce the Breach Notification Interim Final Rule, including with the possible imposition of sanctions, as it does with the HIPAA Privacy and Security Rule requirements.

List of Reported Breaches Affecting 500 or More Individuals is Now Available on HHS' Website

Today, as the HHS Office of Civil Rights begins to enforce the federal health data breach notification rule, the agency publicly posted the list of reported breaches affecting 500 or more individuals. The list is available on HHS’ website and includes the following information:

  • the entity’s name;
  • state;
  • approximate number of affected individuals;
  • date of breach;
  • type of breach (e.g. theft, misdirected e-mail); and
  • location of information at time of breach (e.g. desktop computer, laptop, paper, mailing).

Enforcement of HHS and FTC Breach Notification Rules Begins Today

Enforcement of the Department of Health and Human Services’ (“HHS’”) and the Federal Trade Commission’s (“FTC’s”) Breach Notification rules begins today. Both agencies initially exercised their enforcement discretion and delayed enforcement until February 22, 2010, to provide entities subject to the rules with time to implement compliance processes and procedures.

HHS’ interim final rule on breach notifications, issued on August 24, 2009, requires entities covered by HIPAA and their business associates to provide notification following discovery of a breach of security involving an individual’s unsecured protected health information.  Under the rule, covered entities are also required to notify the HHS Secretary. For breaches affecting fewer than 500 individuals that occurred during calendar year 2009 and after the September effective date of the HHS breach rule, notification to the Secretary must be submitted by March 1, 2010. 

The FTC breach rule, issued on August 17, 2009, applies to vendors of personal health records, PHR-related entities and third-party service providers. 

HITECH Compliance Date is Here, but Without Associated Regulatory Guidance

Health care providers, health plans, clearinghouses and their business associates face a deadline for implementation of significant new compliance obligations.

February 17, 2010 marks the compliance date for significant new obligations under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the American Recovery and Reinvestment Act of 2009, adopted one year ago. It appears the date may come and go without the regulatory guidance that many HIPAA covered entities and business associates expected to inform their compliance decisions.

Many of the new obligations require significant resources for implementation (e.g., amending business associate agreements, adopting new systems for limiting disclosures to health plans and providing copies in electronic formats that can be securely delivered). Yet, the HITECH provisions are unclear in many places. Thus, expending resources without clarifying guidance creates a Catch-22 for many covered entities and business associates subject to the new requirements (e.g., the definition of an Electronic Health Record is opaque, at best, with its dependence on the undefined term “clinician”).

New Requirements

Covered entities must now comply with most of the new privacy requirements introduced under HITECH including, among other requirements:

  • additional requirements regarding “minimum necessary” uses and disclosures of protected health information (PHI);
  • new limitations on uses and disclosures of PHI for marketing;
  • new individual rights related to electronic access to PHI maintained in an electronic health record; and
  • new individual rights allowing individuals the right to restrict their providers from sending PHI to the individuals’ health plan if the individuals pay in full for the product or service at issue.

Business associates also now face substantial new compliance obligations under HITECH. Prior to HITECH, business associates were not directly subject to HIPAA and were subject only to the contractual obligations imposed on them by covered entities through business associate agreements (BAAs). HITECH changes the regulatory landscape by imposing a direct statutory obligation on business associates to comply with the new privacy and security requirements. These include such things as:

  • compliance with the bulk of the HIPAA Security Rule requirements;
  • compliance with the new HITECH data breach provisions; and
  • compliance with the new individual rights provisions related to access to PHI and restrictions on certain disclosures of PHI.

BAA Challenges

HITECH further requires that the new privacy and security requirements “shall be incorporated” into BAAs. The amendment of BAAs has been one of the most troublesome and challenging issues for both covered entities and business associates. While some have hoped that HITECH “by law” amends existing BAAs (an argument that may raise constitutional issues given that private contracts and assets are at stake), most, if not all, have struggled with the decision whether to amend existing BAAs prior to the February 17, 2010 compliance date or rely upon a “transition period” that has been hinted at by the Department of Health and Human Services (HHS) and was provided in the Privacy Rule when compliance was required in 2003.

New Enforcement Framework

In addition to the new compliance challenges faced by covered entities and business associates under HITECH, several notable changes to HIPAA enforcement were also introduced under HITECH. Although many of the new enforcement provisions were effective upon enactment of HITECH (e.g., enforcement by state attorneys general, increased civil monetary penalties), several other enforcement provisions are now effective, including:

  • business associates are now subject to direct enforcement actions; and
  • covered entities and business associates are now subject to mandatory, periodic audits by HHS.

Beginning February 22, 2010, HHS will also begin enforcement of the new HITECH data breach regulations issued in September 2009.


Members of the Hogan & Hartson HIPAA Privacy practice are available to assist clients in working through these legal issues to implement compliance with HITECH efficiently and effectively—both before and after regulatory guidance is issued.


HHS Announces Workshop on HIPAA Privacy Rule's De-Identification Standard

The Department of Health and Human Services (“HHS”) announced that it will host an in-person workshop to address and collect stakeholders’ views regarding how to best implement the Privacy Rule’s current requirements for the de-identification of protected health information (“PHI”). The American Recovery and Reinvestment Act of 2009 (“ARRA”) requires HHS, in consultation with stakeholders, to issue guidance on methods for de-identifying PHI. The workshop, which will consist of multiple panel sessions, is open to the public and will be held on March 8-9 in Washington, DC. Following the workshop, HHS will synthesize the input it receives from the workshop and general comments, and issue guidance on its Web site for public comment.

The deadline to register for the workshop is March 1, 2010. Additional details about the workshop can be found on HHS’ Health Information Privacy Web site.

Connecticut AG Brings HIPAA Charges Against Health Net For Data Security Breach

In the first HIPAA action filed by a state attorney general, Connecticut Attorney General Richard Blumenthal filed a lawsuit yesterday against Health Net of Connecticut for failing to secure private medical and financial information concerning 446,000 of its Connecticut enrollees, and for subsequently neglecting to promptly notify affected individuals. Blumenthal is also seeking a court order to prevent Health Net from continued violations by requiring the company to encrypt any protected health information (“PHI”) contained on portable electronic devices. The lawsuit is the first action by a state attorney general to enforce HIPAA since the Health Information Technology for Economic and Clinical Health Act (“HITECH”) provided state attorneys general with the power to initiate civil actions on behalf of state residents for violations of HIPAA.

In May 2009, Health Net discovered that a portable computer disk drive containing social security numbers, health claim forms and bank account numbers for approximately 446,000 Connecticut enrollees was missing. According to Blumenthal, Health Net subsequently failed to promptly notify appropriate authorities and consumers of the incident. Blumenthal further alleges that Health Net failed to comply with its own policies and federal law regarding the protection of personal information, and failed to effectively train and supervise its workforce on the proper policies for maintaining, using, and disclosing PHI.

CMS and ONC Issue Regulations Proposing "Meaningful Use" Definition, Setting EHR Certification Standards

Today the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC) released two regulations relating to the Medicare and Medicaid incentives authorized by the American Recovery and Reinvestment Act of 2009 (ARRA).  Both rules have public comment periods of 60 days and are scheduled to be published in the Federal Register on January 13, 2010.  Final rules are expected to be issued in the spring of 2010.

EHR Incentives for “Meaningful Use”

The CMS Proposed Rule defines the criteria for “meaningful use” of certified electronic health record (EHR) technology. “Eligible professionals” (EPs) and hospitals that meet these criteria will be eligible for incentive payments beginning in 2011.

CMS proposes to phase in meaningful use criteria in three stages. The Proposed Rule focuses on the Stage 1 criteria, and CMS plans to propose Stage 2 and Stage 3 criteria in future rulemaking, with a goal of issuing proposed Stage 2 standards by the end of 2011 and proposed Stage 3 standards by the end of 2013. 

For Stage 1, which begins in 2011, CMS has proposed 25 objectives, or measures, for EPs and 23 objectives for eligible hospitals, all of which must be met in order for a provider to be deemed a meaningful EHR user.

Standards, Implementation and Certification Criteria

The ONC Interim Final Rule sets forth initial standards, implementation specifications and certification criteria for EHR technology.  These provisions specify the capabilities and related standards that certified EHR technology must include in order to support the proposed Stage 1 requirements for meaningful use.  This Rule goes into effect 30 days after publication in the Federal Register.

According to ONC, the standards set forth in the Rule “rely heavily on existing standards for the interoperability of health information technologies, including those established and/or promoted by Health Level 7 (HL7), the National Institute of Standards and Technology (NIST) and Integrating the Healthcare Enterprise (IHE).”  The standards, which fall into the categories of vocabulary, content exchange, transport and privacy/security, also rely upon classification and nomenclature systems such as SNOMED CT, ICD-9 and 10, X12, LOINC, NCPDP and RxNorm. 

ONC will issue a separate Notice of Proposed Rulemaking relating to the testing and certification process for EHRs and EHR Modules in early 2010. 

ONC Establishes New Privacy Office As Part of Reorganization

The Office of the National Coordinator for Health IT (ONC) has announced that it will establish a new Office of the Chief Privacy Officer as part of a reorganization to better support the adoption and implementation of health IT.  This office will be led by a Chief Privacy Officer, who will be named by the Secretary, and will advise the national coordinator for health IT and others on issues related to data privacy and security.

The changes to ONC’s operational structure became effective December 1, and in addition include the creation of four new offices:

(1) The Office of Economic Modeling and Analysis – This office will apply statistical and economic approaches to health IT investments and policies.

(2) The Office of the Chief Scientist – This office will evaluate health IT grant programs, track innovations, lead research efforts and develop education programs. It replaces the interoperability and standards group.

(3) The Office of the Deputy National Coordinator for Programs and Policy – Replacing ONC’s programs and coordination division, this office will oversee health IT grant programs.

(4) The Office of the Deputy National Coordinator for Operations – This office will replace ONC’s policy and research group and will perform activities such as budget formulation, facilities management, contract and grants management, and financial strategic planning.

All offices will report directly to David Blumenthal, the National Coordinator for Health IT.

HHS Issues HITECH Act Enforcement Interim Final Rule

Today, the U.S. Department of Health and Human Services (HHS) released a pre-publication copy of an interim final regulation with a request for comments.  The regulations are being promulgated under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted earlier this year.  HITECH enhanced and expanded the enforcement and penalty provisions of the HIPAA Privacy Rule and this rule implements those changes.  The interim final regulations will be officially published in the Federal Register October 30th and will be effective on November 30, 2009.  Public comments will be accepted by HHS until December 29, 2009.

Federal Agencies Release New Genetic Information Privacy Rules

Several federal agencies released new rules yesterday implementing the Genetic Information Nondiscrimination Act of 2008 (GINA). GINA prohibits discrimination based on genetic information in health coverage and employment. The Departments of Labor, Treasury, and Health and Human Services (HHS) issued Interim Final Rules, and HHS separately, through the Office of Civil Rights (OCR), issued a Proposed Rule.

The interim final rules prohibit group health plans and issuers in the group health insurance market from: (1) increasing premiums for the group based on genetic information, (2) requesting or requiring individuals to undergo a genetic test, and (3) requesting, requiring or purchasing genetic information prior to or in connection with enrollment, or at any time for underwriting. In general, individual health insurers are subject to the same or similar prohibitions, with certain exceptions. Comments are due on these interim final rules within 90 days of each rule’s publication in the Federal Register.

The OCR proposed rule seeks to amend the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by including genetic information within the definition of health information and prohibiting covered health plans from using or disclosing genetic information for underwriting purposes (i.e., eligibility determinations, premium and contribution computations, applications of pre-existing condition exclusions and other activities relating to creation, renewal or replacement of health insurance). Comments are due 60 days from publication of the proposed rule in the Federal Register. 


HHS Issues Form and Instructions for Submitting Notice of a Breach to the Secretary

The Department of Health & Human Services (“HHS”) published an electronic notification form for covered entities to submit notice of a breach of security to the Secretary. The electronic form, available on HHS’ website, is for notification of breaches affecting 500 or more individuals and for breaches affecting fewer than 500 individuals.

The on-line form includes all of the elements required by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and the related HHS breach regulations. The form also requires covered entities to include contact information for a business associate (where the breach occurred at or by the business associate), the type of breach, the location of the breach, safeguards in place prior to the breach, and the date(s) individual notifications were provided.

If a covered entity discovers additional information related to a breach after submitting notification to the Secretary, the covered entity may submit an updated notification form using the on-line form.

FTC Breach Notification Rule Is Now in Effect

The health breach notification rule issued by the Federal Trade Commission (“FTC”) went into effect on Thursday, September 24, 2009.

The FTC final rule, issued on August 17, 2009, applies to vendors of personal health records (“PHR vendors”), PHR-related entities and third-party service providers. HIPAA covered entities and business associates (when engaging in business associate activities) are excluded from the definition of PHR vendor and PHR-related entities and instead are subject to a separate breach notification rule issued by the Department of Health and Human Services. The FTC Rule requires PHR vendors and PHR-related entities to notify consumers following discovery of a breach involving unsecured identifiable health information that is in a personal health record. The Rule also specifies timing, method and content of notification requirements. Of particular importance, for all breaches involving 500 or more consumers, the Rule requires notice to the FTC within 10 business days of discovery of the breach. Notice of smaller breaches can be provided to the agency on an annual basis.

While the Rule is now in effect, the FTC has announced it will delay enforcement of its rule until February 22, 2010 in order to give entities time to come into compliance.

HHS Breach Notification Rule Goes into Effect Today


The breach notification rule issued by the Department of Health and Human Services (“HHS”) goes into effect on Wednesday, September 23, 2009. 

HHS’ interim final rule on breach notifications, issued on August 24, 2009, requires entities covered by HIPAA to notify individuals, the HHS Secretary, and, in limited circumstances, the media following discovery of a breach of security involving an individual’s protected health information (“PHI”). Covered entities do not need to provide breach notification if the PHI was secured through methodologies and technologies specified by HHS in recent Guidance.  Notice also is not required if the breach does not pose a significant risk of financial, reputational or other harm to the individuals whose information was breached or in limited other exceptions for internal disclosures or involving limited health information. 

While HIPAA covered entities are expected to comply with this rule effective September 23, HHS has stated that it will not impose sanctions for failure to provide breach notifications until February 22, 2010 in order to give covered entities time to come into compliance. HHS is accepting comments on the provisions of the rule until October 23, 2009.

Hogan & Hartson's Marcy Wilder to Present on HITECH's Impact on Business Associate Agreements with Healthcare Providers

Hogan & Hartson's Marcy Wilder will be presenting on "HITECH's Impact on Business Associate Agreements with Healthcare Providers: Complying With New HIPAA Requirements and Preparing for Tougher Enforcement" in a CLE Teleconference on Thursday, September 24, 2009, at 1pm EDT.

The Health Information Technology for Economic and Clinical Health Act (HITECH) dramatically expands the scope and application of the HIPAA Privacy and Security Rules. These changes have the greatest impact on business associates and on agreements that providers reach with them. For the first time, business associates will be directly subject to many of the HIPAA rules. To ensure compliance with the new requirements, counsel to healthcare providers and business associates must examine the implications of HITECH for all existing and future agreements. This program will examine the new HITECH requirements as they relate to business associates and business associate agreements, discuss evaluating existing agreements, and offer best practices for developing and negotiating new agreements.

New Hampshire Enacts Health Information Privacy Laws

This summer New Hampshire enacted two laws that increase protection for health information. The first, H.B. 619, restricts the use of health data for marketing and fundraising purposes, and imposes new state data breach notification requirements on health care providers, including pharmacists.  The second, H.B. 542, establishes a framework for health information exchange entities (HIEs) and requires that individuals be permitted to opt out of sharing their protected health information with HIEs.  

H.B. 619 changes the definition of marketing to require an individual’s consent before communications can be made recommending alternative treatments, therapies, providers or settings of care unless those communications are made by the individual’s health care provider.  Currently, those communications can be made by health plans without the individual’s consent.  The bill also requires patients to be given an opportunity to opt out of fundraising using protected health information prior to any solicitation.  

The new law will be more protective than HIPAA because it requires the covered entity to seek an opt-out before the initial fundraising material is disseminated. It also includes a private right of action that will permit patients to bring a civil action in response to violations of the new marketing and fundraising restrictions. 

H.B. 619 also establishes a data breach notification requirement mandating that providers and business associates notify individuals in writing upon the unauthorized use or disclosure of their protected health information if such uses or disclosures violate New Hampshire law, even if the same uses or disclosures are “allowed under federal law”.  This law differs from New Hampshire’s general breach notification law in a number of ways, most notably that the health information law does not require any risk of harm threshold to be met before notification is mandated. Individuals may sue for violations of the breach notice requirements. 

H.B. 542 presents a framework for future health information exchange entities that permits providers to share information with HIEs but limits access to the information to providers and permits access for treatment purposes only.  HIEs also must maintain audit logs, documenting provider access to patient information, and must meet federal certification standards once these are finalized.

Both laws take effect January 1, 2010. 

HHS and FTC Issue Breach Notification Rules

The Department of Health and Human Services (“HHS”) and the Federal Trade Commission (“FTC”) have both issued data breach notification rules. The rules implement provisions of the American Recovery and Reinvestment Act of 2009 (“ARRA”) and are aimed at providing increased protection of individuals’ health information.

The HHS interim final breach rule was issued August 26, 2009 and requires entities covered by HIPAA to notify individuals, the HHS Secretary, and, in limited circumstances, the media following discovery of a breach of security involving an individual’s protected health information (“PHI”). Notification need not be provided if the information was secured through methodologies and technologies specified by HHS in recent Guidance. Importantly, the HHS breach rule introduces a risk of harm standard under which notification is not required if a breach does not pose a significant risk of financial, reputational, or other harm to an individual. Limited exceptions are also provided for certain internal disclosures and breaches involving limited health information. Under the Rule, business associates are required to provide notice to covered entities following the discovery of a breach of unsecured PHI at or by the business associate. The Rule specifies timing, method, and content of notification requirements. The Rule is effective on September 23, 2009. HHS is accepting comments on the provisions of the Rule until October 23, 2009.

The FTC also issued its final breach rule, the Health Breach Notification Rule. The Rule applies to vendors of personal health records (“PHR vendors”), PHR-related entities, and third-party service providers. HIPAA covered entities and business associates (when engaging in business associate activities) are excluded from the definition of PHR vendor and PHR-related entities. The FTC Rule requires PHR vendors and PHR-related entities to notify consumers following discovery of a breach involving unsecured identifiable health information that is in a personal health record. The Rule also specifies timing, method, and content of notification requirements. Of particular importance, for all breaches involving 500 or more consumers, the Rule requires notice to the FTC within 10 business days of discovery of the breach. Notice to the agency of smaller breaches can be provided on an annual basis. The Rule, which was issued on August 17, 2009, has an effective date of September 24, 2009.

Both HHS and the FTC have decided to delay enforcement of their rules until 180 days after publication of their respective rules in the Federal Register. Full compliance with both rules will likely be required by February 22, 2010.