September 11, 2018
Author: W. Bradley Gilmer
Organization: The Hardison Law Firm
I. A Refresher on the Basics
A. The History
In 1996, President Clinton signed the Health Insurance Portability and Accountability Act of 1996 into law. Commonly referred to as “HIPAA,” the purpose of the Act was to establish standards and requirements for transmitting certain personal information to improve the efficiency and effectiveness of the health care system while protecting patient privacy. The preamble to the Act stated that it was designed “to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.”
When in conflict with state law, HIPAA preempted less stringent requirements and attempted to create uniform standards for the health care industries across the nation. It created certain civil and criminal penalties for noncompliance.
B. Title I
Title I of HIPAA set forth standards for the insurance industry in the way it conducts business. It made insurance more accessible to many Americans and defined when an insurance company may decline certain coverage. The biggest effect was on group health plans. Title I made it harder for insurance companies to decline coverage to certain individuals and protected workers and their families following a job change.
C. Title II
Title II of HIPAA required the U.S. Department of Health and Human Services (DHHS) to develop uniform standards for the storage and dissemination of electronically stored “protected health information” (PHI) as well as other PHI. These Rules went into effect in April 2003, causing a nationwide overhaul of medical records departments and health care providers’ practices with respect to how patient privacy was treated by covered entities. “Covered entities” include health plans, health care clearinghouses, and health care providers.
Rules governing privacy, security, breach notification, and Rule enforcement were enacted. These rules ranged from the simple to the complex and caused many sleepless nights for medical records administrators. Over the past 10 years, the nation’s health care providers and patients have adjusted to these rules and regulations, but they continue to evolve as technology evolves.
2. Who must comply?
a. Health plans: Includes individual and group plans.
b. Health care clearinghouses: Third party billing companies, repricing companies, management systems companies, etc.
c. Health care providers: Include all “providers of services” (e.g., institutional providers such as hospitals) and “providers of medical or health services” (e.g., non-institutional providers such as physicians, dentists and other practitioners) as defined by Medicare, and any other person or organization that furnishes, bills, or is paid for health care.
d. Business associates: A person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. However, persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of PHI, and where any access to PHI by such persons would be incidental, if at all. A covered entity can be the business associate of another covered entity.
II. Title II and The New Omnibus Rule
Just as everyone had gained a comfort level with HIPAA, new changes went into effect in March 2013. The next section will discuss the changes to these Rules where applicable to Title II’s core requirements.
A. The HIPAA Omnibus Rule
On March 26, 2013, the new Omnibus Rules proposed by the federal government over the past few years went into effect for the most part. Some portions of the new Rule will be phased in over the next year. The reform is designed to strengthen security and enforcement measures associated with HIPAA as the nation moves to implementation of universal standards for the use of electronic medical records under the HITECH Act. Under the new Rule, the government has tied HIPAA enforcement to incentive payments tied to the adoption of electronic medical record systems. The core measures require hospitals and other healthcare providers to “protect health information created or maintained by the certified electronic healthcare records technology through the implementation of appropriate technical capabilities.” The Centers for Medicare and Medicaid Services has interpreted this requirement as mandating that providers “conduct or review a security risk analysis” in accordance with the HIPAA requirements, “implementing security updates as necessary” and correcting “identified deficiencies as part of [its] risk management processes.”
It would be impossible to summarize the entire Omnibus Rule and HITECH in the time allotted. Therefore, we will discuss some of the bigger changes and the basics of the core provisions of Title II: the privacy Rule, the security Rule, the breach notification Rule, and Rule enforcement.
B. HITECH ACT
Most of the privacy rules for PHI have been around since the 1996 enactment of HIPAA, but were rarely enforced; HITECH puts teeth into the “paper tiger” of HIPAA. The Health Information Technology for Economic and Clinical Health Act (HITECH or the “Act”) was contained in the American Recovery and Reinvestment Act of 2009, which has incentives encouraging all health care providers to move to electronic data and medical records in such a manner as to make both security and electronic dissemination paramount. The Act includes financial incentives to health care providers which we touch on only briefly, as that is a topic for an entirely separate seminar (see the brief tables and links at the end of these materials touching on those incentives). For our purposes today, we will focus on HITECH’s widening of the scope of both HIPAA’s privacy and security measures.
Some commentators have referred to HITECH as “HIPAA on steroids” or “HIPAA 2.0.” One thing is certain: the provisions of HIPAA, the Omnibus Rule, and HITECH are intertwined and are best viewed by the health care provider and business associate as one massive (some might say overly complicated and bloated) law.
As with any new governmental rule, time will tell how rigorously its provisions (specifying enforcement of HIPAA’s provisions) will be enforced. One thing is certain: HITECH has mandatory penalties for “willful neglect” for healthcare providers (and business associates) who do not attempt to implement its procedures. What “willful neglect” means will likely be determined on a case-by-case basis, and will likely vary widely based upon the particular governmental auditors who are examining your company’s compliance schemes. The better your compliance package “story,” the less likely your entity will be found in violation; but certainly having “no story” will come across as a brazen disregard on the part of your company and subject you to potential civil and even criminal penalties. After discussing the Privacy Rule and the Act’s various provisions on security, breach notification, etc., we provide some basic checklists towards the end of these materials to give your entity a framework for creating your organization’s “story” and to ensure you are aware of and implement the Act’s provisions.
Like HIPAA, HITECH does not have a provision allowing a patient to directly sue a provider or business associate, but it does allow the state attorney general to bring an action on behalf of its citizens. Also, there are new provisions requiring the U.S. Department of Health and Human Services (“HHS”) to conduct periodic audits of both covered entities and their business associates. Prior to HITECH, business associates could only create liability for their “covered entities”; under HITECH there is now direct potential civil and criminal liability for the business associates themselves. As we will discuss below, a service provider or vendor to a covered entity is automatically a business associate, whether there is an executed Business Associate Agreement in place or not!
C. The Privacy Rule
1. What is protected?
PHI: All “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information.”
2. The Basic Principle.
The purpose of the Privacy Rule is to define and limit the circumstances in which an individual’s PHI may be used or disclosed by covered entities. A covered entity may not use or disclose protected health information, except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
A covered entity must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices.
4. Uses and Disclosures
i. Permitted Disclosures
a. To the individual.
b. Treatment, payment, and health care operations.
c. Informal permissions such as to a family member.
d. The public interest exception.
• Required by Law (statute, regulation, court order)
o Victims of Abuse, Neglect or Domestic Violence.
o Judicial and Administrative Proceedings.
o Serious Threat to Health or Safety.
o Workers’ Compensation.
o Law Enforcement Purposes.
• Public Health Activities (FDA, CDC)
• Health Oversight Activities. (Government audits)
• Decedents (Funeral directors, coroners or medical examiners)
• Cadaveric Organ, Eye, or Tissue Donation.
• Essential Government Functions (Military, security, and intelligence)
ii. Authorized Disclosures
a. Written authorization
Must contain the following:
• What health information will be disclosed.
• Who will disclose the information.
• Who will receive the information.
• The purpose(s) for disclosing the information.
• A statement informing the patient of (1) his or her right to revoke the authorization in writing, (2) how to revoke the authorization, and (3) any exceptions to the right to revoke.
• A statement that the hospital cannot require the patient to sign the authorization in order to receive treatment or payment or to enroll or be eligible for benefits.
• A statement that information disclosed pursuant to the authorization may be redisclosed by the recipient and no longer protected by the federal
• A statement that the authorization will expire: (1) on a specific date, (2) after a specific amount of time (e.g., 5 years), or (3) upon the occurrence of some event related to the patient.
• The signature of the patient and the date. Note: If the patient’s personal representative signs the authorization, the authorization also must include a description of that person’s authority to act for the patient.
b. Psychotherapy Records
Require a separate authorization or statement from the individual permitting this disclosure.
c. Marketing
If the authorization is for marketing purposes and the hospital will receive direct or indirect remuneration from a third party, the authorization also must include a statement that the hospital will receive direct or indirect remuneration in connection with the use or disclosure of the patient’s information for marketing.
The Omnibus Rule imposes stricter limitations on marketing communications made in exchange for financial remuneration. Specifically, written communications promoting purchase or use of a third party’s products or services require prior individual authorization if the covered entity receives financial remuneration in exchange for sending the communication. Limited exceptions exist to permit face-to-face marketing communications, certain promotional gifts and refill reminders so long as the remuneration is reasonably related to the cost of the communication.
d. Fundraising
The new Rule provides a limited set of circumstances in which a covered entity can use and disclose certain PHI for fundraising without an authorization. Regardless of whether an authorization for fundraising was required or obtained, covered entities must provide an individual with an opportunity to opt out of receiving future fundraising communications.
e. Sale of PHI
The Omnibus Rule prohibits the sale of PHI unless the individual has authorized it. The requisite authorization must acknowledge that the covered entity will receive remuneration in exchange for PHI.
HITECH includes new provisions dealing with the dissemination of PHI upon a patient’s death. The Act specifies that the privacy requirements only extend until fifty years after the patient’s death. Also, the Act includes new provisions allowing covered entities to release the decedent’s PHI to the decedent’s immediate family members and those who were substantial caregivers to the decedent without a written authorization, unless the decedent requested prior to death that this information not be released.
iii. Minimum necessary requirement
A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request. A covered entity must develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary.
iv. Minors and personal representatives
A personal representative is a person legally authorized to make health care decisions on an individual’s behalf or to act for a deceased individual or the estate. He or she is entitled to obtain the same PHI as the individual except if the covered entity suspects abuse or neglect. In the cases of minors, generally a parent is the legal representative, but there may be state or federal laws that limit a parent’s access to a child’s PHI.
5. Miscellaneous rights
i. Privacy practices notice
Each covered entity, with certain exceptions, must provide a notice of its privacy practices. The Omnibus Rule requires a statement that the individual has a right to or will receive notification of any breach. The new Rule also removes the requirement that a statement be given that the entity may contact the individual for appointment reminders or alternatives related to their treatment. The Rule also requires notification of any changes in privacy practices. The new privacy practices requirements become effective September 23, 2013.
ii. Access and accounting to disclosures
Individuals may access and audit permitted and authorized disclosures. A covered entity must provide an individual with an accounting of dissemination of their PHI at no cost once per year upon that individual’s request. Any additional audit requests may be provided at the actual costs of that covered entity for creating the audit report.
iii. Restriction request
Individuals have the right to request that a covered entity restrict use or disclosure of PHI or to notify family members or others about the individual’s general condition, location, or death. A covered entity is under no obligation to agree to requests for restrictions except as otherwise required by law. A covered entity that does agree must comply with the agreed restrictions, except for purposes of treating the individual in a medical emergency.
The Omnibus Rule gives individuals the right to have their provider restrict certain PHI from disclosure to health plans where the individual pays for the care out-of-pocket in full and requests such a restriction.
iv. Confidential communications
Covered health care providers must permit individuals to request an alternative means or location for receiving communications of protected health information by means other than those that the covered entity typically employs. For example, an individual may request that the provider communicate with the individual through a designated address or phone number.
D. The Security Rule
1. The General Rules
a. Ensure the confidentiality, integrity, and availability of all PHI a covered entity creates, receives, maintains or transmits;
b. Identify and protect against reasonably anticipated threats to the security or integrity of the information;
c. Protect against reasonably anticipated, impermissible uses or disclosures; and
d. Ensure compliance by the entity’s workforce.
2. Risk Analysis
A covered entity must regularly conduct a risk analysis of its security procedures.
a. Evaluate the likelihood and impact of potential risks to e-PHI;
b. Implement appropriate security measures to address the risks identified in the risk analysis;
c. Document the chosen security measures and, where required, the rationale for adopting those measures; and
d. Maintain continuous, reasonable, and appropriate security protections.
3. Administrative Safeguards
i. Must take reasonable steps to correct violations, including developing appropriate safeguards.
ii. Must designate a security officer.
iii. Must develop adequate policies.
iv. Must train and discipline workforce.
v. Must evaluate.
4. Physical Safeguards
i. Limit physical access to facilities.
ii. Safeguard workstations, computers, and mobile devices.
5. Technical Safeguards
i. Must implement technical policies and procedures that allow only authorized persons to access PHI.
ii. Must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
iii. Must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
iv. Must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
E. Business Associates
We defined “business associates” in section 2(d) above. These are third parties who perform certain services for covered entities and come into contact with PHI. The Omnibus Rule expands the liability and obligations of business associates, such that:
• Business associates and their subcontractors who have access to PHI are directly liable for compliance with the HIPAA Privacy and Security Rules, and thus may be assessed civil monetary penalties and criminal penalties for violations; this includes lawyers and law firms.
• Business associates and their direct subcontractors that access PHI must enter compliant Business Associate Agreements all the way “down the chain” of the information flow. In other words, a law firm providing legal services to health care providers must not only sign a Business Associate Agreement, but must also obtain Business Associate Agreements from the law firm’s vendors and service providers (such as copy services, medical experts, court reporters, etc.), and must also have a system in place to ensure that the law firm’s service providers are complying with the Business Associate Agreements. Then in turn, these service providers to the law firm must also implement Business Associate Agreements with their own service providers!
• Business Associate Agreements must be updated to include specific new provisions; however, existing Business Associate Agreements entered before January 25, 2013 that are compliant with the interim Rules may operate until the agreement is amended or renewed, or until September 22, 2014, whichever is earlier.
Since vendors pose one of the major risks for PHI, the Omnibus Rule eliminates an exception under the previous Rule that shielded covered entities from civil penalties stemming from the conduct of their business associates if certain conditions were met. Under the Omnibus Rule, covered entities and business associates are liable for the acts of their respective business associate agents. Whether a business associate is an agent is based on the federal common law of agency and depends on the principal’s right or authority to control the business associate’s conduct in the course of performing services. Covered entities and business associates should consider how best to allocate risk related to any agency relationship through the use of indemnity provisions in the underlying services agreement or their Business Associate Agreement.
Covered entities and business associates will want to modify their business associate agreement forms not only to include new legal requirements, but also to allocate risk through the use of insurance requirements and indemnity provisions.