
HITECH Final Omnibus Rule Bootcamp Webinar and Roundtable Discussion Series, Part V: GINA and Health Plan Perspectives on the HITECH Rule

This bootcamp webinar and roundtable discussion series is brought to you by the Health Information and Technology (HIT) Practice Group, and is co-sponsored by the Business Law and Governance (BLG); Healthcare Liability and Litigation (HCL); Hospitals and Health Systems (HHS); In-House Counsel (In-House); Labor and Employment (Labor); Life Science (LS); Long Term Care, Senior Housing, In-Home Care, and Rehabilitation (LTC-SIR); Medical Staff, Credentialing and Peer Review (MSCPR); Payors, Plans, and Managed Care (PPMC); Physician Organization (Physicians); Regulation, Accreditation and Payment (RAP); and Teaching Hospitals and Academic Medical Centers (TH/AMC) Practice Groups and the Healthcare Reform Educational (HRE) Task Force.

April 9, 2013 1:00-2:15 pm Eastern

Presenters:

Christina M. Heide, JD

Senior Health Information Privacy Policy Specialist • Office for Civil Rights •

U.S. Department of Health & Human Services • Washington, DC • [email protected]

Kirk Nahra, Esquire

Partner • Wiley Rein LLP • Washington, DC • [email protected]

Leah Stewart, Esquire

Shareholder • Beatty Bangle Strama PC • Austin, TX • [email protected]


Presentation Overview

Overview of major provisions impacting health plans and their business associates

OCR perspective

Practical observations from counsel on major challenges and open issues

2

Intro Issues

One question during this period – what will you do for situations where the rules are changing?

Are you worried about state AGs at all?

Rule does not include the accounting provisions – but are you doing anything on audit trails?

3

OCR

Breach Notification

• Harm standard removed

• New standard – impermissible use/disclosure of (unsecured) PHI presumed to require notification, unless CE/BA can demonstrate low probability that PHI has been compromised based on risk assessment of at least:

– Nature & extent of PHI involved

– Who received/accessed the information

– Potential that PHI was actually acquired or viewed

– Extent to which risk to the data has been mitigated

4

OCR

Breach Notification

• Exceptions for inadvertent, harmless mistakes remain

• Exception for limited data sets without dates of birth & zip codes removed

• Makes permanent the other provisions of the 2009 IFR, with only minor changes/clarifications

– E.g., clarifies that notification to Secretary of smaller breaches to occur within 60 days of end of calendar year in which breaches were discovered (versus occurred)

5

The Risk Assessment

HHS has removed the “risk of harm” element

Instead of the risk of harm standard, there is a “risk assessment” to determine if there is a low probability of a “compromise” of the PHI.

If the risk assessment reveals a low probability of compromise, notification is not required.

Covered entity can provide notice without a risk assessment.

6

Breach Notification Next Steps

Current rule is in effect until September 23, 2013

Follow the current “interim final” standard until then

Each time you have a potential breach, evaluate using both standards. Spend some time figuring out if any results are different.

7

OCR

Business Associates

• BAs must comply with the technical, administrative, and physical safeguard requirements under the Security Rule; directly liable for violations

• BAs must comply with the use or disclosure limitations expressed in BA contract and those in the Privacy Rule; directly liable for violations

• BA definition expressly includes Health Information Organizations, E-prescribing Gateways, and PHR vendors that provide services to covered entities

• Subcontractors of BA are now defined as BAs

– BA liability flows to all subcontractors

8

Business Associate Issues

Business associates will now have a legal obligation to follow the privacy provisions of a standard business associate agreement (and the new HITECH provisions)

This is not everything in the privacy rule (e.g., providing a privacy notice)

This should not impact behavior because the “legal” obligations are the same as the current contracts

9

Business Associate Issues

Business associates now must follow the entire HIPAA Security Rule

This is a big deal.

The current contracts require “reasonable and appropriate” security standards

Complying with the Security Rule is much more involved and detailed

10

Business Associate Issues

(For CEs)

Evaluate what you want to do with your business associate contracts – substance and process

Evaluate the “agent” issue – including whether you want to address it at all

Plan on the timing – you have time, but how long do you want “old” contracts in place?

11

OCR

Marketing

• Communications about health-related products/services to individuals now marketing & require authorization if paid for by third party

– Limited exception for refill reminders (and similar communications)

• Applies to receipt of financial remuneration only, not non-financial benefits

• Face-to-face marketing communications and promotional gifts of nominal value still permitted without authorization

12

OCR

Marketing

• Broad authorizations can be obtained

– Scope need not be limited to single product/service or products/services of one third party

• Authorization must state that communication is paid for

13

Marketing Provision

What does this do?

Does not change the situations where “marketing” has been permitted so far.

If it is permitted under the rules today, BUT the covered entity receives “remuneration,” a member authorization will be required.

14

Marketing Provision

What kinds of communications may be affected?

Presumably when a covered entity is “marketing” someone else’s products or services

Be careful if you are getting paid in any way – think about why you are doing this.

15

OCR

Sale of PHI

• Even where disclosure is permitted, CE is prohibited from disclosing PHI (without individual authorization) in exchange for remuneration

– Not limited to financial remuneration

• If authorization obtained, authorization must state that disclosure will result in remuneration

16

OCR

Sale of PHI

• Exceptions:

– Treatment & payment

– Sale of business

– Remuneration to BA for services rendered

– Disclosure required by law

– Public health

– Research, if remuneration limited to cost to prepare and transmit PHI

– Providing access or accounting to individual

– Any other permitted disclosure where only receive reasonable, cost-based fee to prepare & transmit PHI

17

Sale Issue

Similar point as with marketing – PHI cannot be sold without a patient authorization

Many exceptions

Covered entities and business associates need to evaluate any situation where PHI is sold

18

Sale Issue

So what’s really changed?

There still has to be a permitted basis for disclosure (even before sale issue)

Since treatment and payment are still “exceptions,” then is this really (only?) eliminating “sales” for “health care operations” purposes? How much of that is there?

19

OCR

Right to Request Restrictions

• CE must agree to individual’s request to restrict disclosure of PHI to health plan if:

– PHI pertains solely to health care for which individual (or person on behalf of individual other than health plan) has paid CE in full out of pocket

– Disclosure is not required by other law

• Preamble guidance on various implementation and operational questions

20

Restrictions

Confusing provision about requiring providers to restrict disclosure to health plans where patient requests and pays for services out of pocket

Imposes no compliance obligations on health plans

Consider where (if at all) this will be relevant

21

OCR

Electronic Access

• If individual requests e-copy of PHI maintained electronically in designated record set, CE:

– Must provide access in electronic form/format requested, if readily producible, otherwise in readable electronic form/format as agreed to by CE and individual

• If requested, CE must transmit copy of PHI to individual’s designee (not limited to electronic access)

– Request must be in writing, signed, and clearly identify designated person and where to send

22

OCR

Electronic Access

• CE may charge for:

– Labor for copying

• Time attributable to reviewing request and producing copy

– Cost of electronic media

• CD, USB drive, or similar portable media/device, if individual requests copy on portable media

• CE has 30 days (with one 30-day extension) to act on request for access

– Provision allowing initial 60 days for off-site PHI removed

23

OCR

GINA

• Expressly provides that genetic information is PHI

• Prohibits the use or disclosure of genetic information for underwriting purposes by all health plans, except long-term care plans

• Terms and definitions track regulations prohibiting discrimination in health coverage based on genetic information

24

OCR

Notice of Privacy Practices

• Content must now include:

– Statements regarding sale of PHI, marketing, and other purposes that require authorization

– Statement that individual can opt out of fundraising communications

– Statement that CE must agree to restrict disclosure to health plan if individual pays out of pocket in full for health care service

– Statement about individual’s right to receive breach notifications

– For plans that underwrite, statement that genetic information may not be used for such purposes

25

OCR

Notice of Privacy Practices

• Health plans may distribute materially revised NPPs:

– By posting on web site by effective date of change and including in next annual mailing to individuals; or

– Mailing to individuals within 60 days of material revision

26

Next Steps

Take a deep breath

The omnibus regulation affects only a small portion of the HIPAA provisions

No material changes to the substance of the Security Rule (just the application to BAs)

And we have known almost all of this since HITECH law – this just starts the real clock running.

27

Next Steps

Be very careful on security breach issues – review everything under both standards.

Think twice if you reach different results in terms of your approach/response to the breach

Mitigating quickly and effectively is ALWAYS a good idea

28

Next Steps

Re-evaluate your business associate contracts – you have time (and there is a transition period) but this takes some thought and planning

Evaluate “agent” issue

Look hard for situations where the marketing and sale rules may be implicated

29

Next Steps

Re-evaluate your security program

For business associates, this is the biggest compliance issue by far

Even though the substance of the security rule is not changing, security problems remain high with lots of risk

30

Questions?/More Information

Kirk J. Nahra

Wiley Rein LLP

202.719.7335

[email protected]

Christina M. Heide

HHS OCR

202-260-3362

[email protected]

31

HITECH Final Omnibus Rule Bootcamp Webinar and Roundtable Discussion Series, Part V: GINA and Health Plan Perspectives on the HITECH Rule © 2013 is published by the American Health Lawyers Association. All rights reserved. No part of this publication may be reproduced in any form except by prior written permission from the publisher. Printed in the United States of America.

Any views or advice offered in this publication are those of its authors and should not be construed as the position of the American Health Lawyers Association.

“This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering legal or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought”—from a declaration of the American Bar Association