HHS Issues Advance Notice of Proposed Rulemaking on HIPAA and Firearm Background Check Reporting

The U.S. Department of Health and Human Services (HHS) issued on April 19 an advance notice of proposed rulemaking (ANPRM) regarding HIPAA and the National Instant Criminal Background Check System (NICS).  This action is based on one of the executive actions in President Obama’s plan to reduce gun violence, which was released in January 2013.

As we previously reported, one of the 23 executive actions in the President’s gun plan is to address unnecessary legal barriers under HIPAA that may prevent States from reporting information to the NICS.  The NICS is the federal government’s background check system for the sale or transfer of firearms by licensed dealers. 

Under federal law, certain persons are disqualified from possessing or receiving firearms, including individuals who have been:

  • Involuntarily committed to a mental institution;
  • Found incompetent to stand trial or not guilty by reason of insanity;
  • Otherwise determined, through a formal adjudication process, to have a severe mental condition that results in the individual’s presenting a danger to themselves or others or being incapable of managing their own affairs.

This is known as the “mental health prohibitor.” 


HITECH Update #12: HHS Modifies HIPAA Enforcement Provisions

This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final HITECH omnibus rule adopts a number of modifications to Subparts C and D of Part 160 (HIPAA Enforcement Rule) to implement Section 13410 of the HITECH Act. Most significantly, the rule includes modifications to implement Section 13410(a) of the HITECH Act, which requires HHS to formally investigate a complaint if a preliminary investigation indicates a possible violation due to willful neglect, and to impose a civil money penalty for a violation due to willful neglect.


HITECH UPDATE #11: New Restrictions on "Sale" of Personal Health Information

This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final rule implements Section 13405(d) of the HITECH Act, which generally prohibits a covered entity or a business associate from engaging in a “sale” of an individual’s PHI without authorization. 

Definition of Sale of PHI.  In response to requests from commenters, HHS amended its proposed rule to provide a definition of “sale of PHI.”  Section 164.502(a)(5)(ii)(B)(1) defines “sale of PHI” to mean a disclosure of PHI when the covered entity or business associate “directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI.”  HHS expressly refused to limit this definition to instances where there is a transfer of ownership of PHI.  Furthermore, HHS included a broad interpretation of “remuneration.”  In contrast to the marketing provision where remuneration must be financial, HHS will consider nonfinancial benefits received in exchange for PHI as falling within the scope of the rule. 

However, payments a covered entity may receive in the form of grants, contracts, or other arrangements to perform programs or activities using PHI (i.e., a research study) will not be considered sale of PHI because “any provision of PHI to the payer is a byproduct of the service being provided.”  Rather, a sale of PHI occurs when the covered entity or business associate is being compensated “primarily” for supplying PHI.


HITECH Update #10: HHS Releases First Sample Business Associate Agreement Provisions Since HITECH Act, Omnibus Rule

This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The Department of Health and Human Services (“HHS”) recently published sample business associate agreement provisions that reflect new requirements in the final HITECH omnibus rule.  The sample provisions are available here.  As we previously wrote, the omnibus rule requires covered entities and business associates to add several new provisions to their business associate contracts.  In order to comply with these new requirements, covered entities and business associates should review existing agreements and ensure that future agreements account for the new requirements.

HITECH Update #9: Omnibus Rule Revises Individual Rights to Request Restrictions, Access to Protected Health Information

This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final HITECH omnibus rule implements provisions in the HITECH Act pertaining to two individual rights: an individual’s right to request a restriction on the disclosure of his or her protected health information (“PHI”) and an individual’s right to access his or her PHI. 

Right to Restrict Uses and Disclosures of PHI

The current Privacy Rule grants individuals the right to request restrictions on the use or disclosure of their PHI, but covered entities are not required to agree to such restrictions.  The HITECH Act strengthens the right to request restrictions on disclosures by requiring covered entities to accept a restriction on disclosing PHI to a health plan where the disclosure is for payment or health care operations purposes and the PHI “pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket.”  The omnibus rule amends the Privacy Rule to account for this provision.  Under this new requirement, if a patient pays her physician in full for a specific blood test and requests that the physician not disclose PHI that pertains solely to that blood test to the health plan, the physician must agree to this restriction unless the disclosure is otherwise required by law.  In these circumstances, the health care provider also may not disclose the relevant PHI to a business associate of the health plan.  The restriction applies only where the service or item has been paid in full out of pocket; it does not apply to follow-up visits if they are not paid for in full out of pocket.


HITECH Update #8: New Requirements for HIPAA Notices of Privacy Practices

This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final HITECH omnibus rule requires covered entities to add several new provisions to the Notice of Privacy Practices (“NPP”) that they distribute to patients and beneficiaries.  Generally, an NPP describes how the covered entity may use and disclose protected health information (“PHI”), an individual’s rights with respect to PHI (e.g., the right to access PHI and request restrictions on uses and disclosures), and the covered entity’s legal duties with respect to PHI (e.g., the duty to abide by the terms of the NPP).


HITECH Update # 7: New HIPAA Requirements for Business Associates and Their Subcontractors

This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final HITECH omnibus rule includes a number of changes that will significantly affect business associates.  Business associates are now directly subject to various aspects of the HIPAA Privacy, Security, and Breach Notification Rules.  Furthermore, liability now extends much further down the chain, as the new rule also applies these requirements to subcontractors of business associates.

We discuss these and other changes affecting business associates, and their subcontractors, below.


HITECH Update # 6: New Requirements for Business Associate Agreements

This post is part of our series on key aspects of the final HITECH omnibus rule issued by the U.S. Department of Health and Human Services (HHS) on January 17, 2013 (available here), and scheduled to be published in the Federal Register on January 25. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final rule addresses several changes to business associate agreements as a result of the new obligations imposed upon business associates by HITECH. 


HITECH Update #5: HHS Tightens HIPAA Marketing Requirements

This post is part of our series on key aspects of the final HITECH omnibus rule issued by the U.S. Department of Health and Human Services (HHS) on January 17, 2013 (available here), and scheduled to be published in the Federal Register on January 25.  Previous posts are available here.  The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements. 

The final HITECH omnibus rule significantly tightens the HIPAA marketing restrictions.  As described below, HHS has modified the proposed approach to require authorization for almost all treatment and health care operations communications where the covered entity receives, from a third party, financial remuneration for making the communication.  This change will have major implications for the design of medical messaging programs.

Background.  The HIPAA Privacy Rule generally requires that a covered entity obtain prior written authorization from an individual before using that individual’s protected health information for marketing purposes.  Prior to the HITECH Act, certain communications, including those related to treatment and care coordination, were excluded from the definition of marketing.  But under the HITECH Act, if a covered entity or business associate receives direct or indirect payment in exchange for making certain communications (including those related to treatment and care coordination), the covered entity generally must obtain prior authorization, unless the communication qualifies for a limited exception for communications about currently prescribed drugs or biologics where the payment received is reasonable in amount.


HITECH Update #4: HHS Relaxes HIPAA Requirements for Research Authorizations

This post is part of our series on key aspects of the final HITECH omnibus rule issued by the U.S. Department of Health and Human Services (HHS) on January 17, 2013 (available here), and scheduled to be published in the Federal Register on January 25.  Previous posts are available here.  The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements. 

The final HITECH omnibus rule contains major changes to the HIPAA requirements for research authorizations.  Specifically, as described below, HHS has loosened the current restrictions on “compound authorizations” for research purposes, and is now interpreting the HIPAA Privacy Rule to allow authorizations for future research.  These changes could have a tremendous impact on the manner in which informed consent for clinical trials is documented in the United States and on the availability of clinical trial data for future research.

Compound Authorizations.  The HIPAA Privacy Rule generally prohibits “compound authorizations,” which are authorizations that are combined with any other legal permission.  An exception allows the combining of an authorization for a research study with written permission for the same study, usually found in an informed consent form.  But under the current rules, this exception is not available if one authorization conditions treatment, payment, enrollment in a health plan, or eligibility for benefits on the individual providing an authorization (conditioned authorization) and the other authorization does not contain such conditions (unconditioned authorization).  This prevents a covered entity from, for example, using a single authorization for a research study that covers both treatment as part of a clinical study and tissue banking of specimens for future research.  Many groups have informed HHS that this lack of integration is inconsistent with the Common Rule (45 C.F.R. Part 46) and creates unnecessary documentation burdens.


HITECH Update #3: HHS Revises Breach Notification Rule

This post is part of our series on key aspects of the final HITECH omnibus rule issued by the U.S. Department of Health and Human Services (HHS) on January 17, 2013 (available here), and scheduled to be published in the Federal Register on January 25.  Previous posts are available here.  The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements. 

The HITECH omnibus rule establishes a new standard for determining whether an unauthorized use or disclosure of unsecured protected health information (“PHI”) is a “breach” requiring notification.   Under the current Breach Notification Rule, covered entities are required to notify individuals of a breach involving their unsecured PHI, and business associates have a corresponding obligation to notify covered entities. The current rule states that an unauthorized use or disclosure of PHI is a “breach” if it poses a significant risk of financial, reputational, or other harm to the individuals affected.  

The omnibus rule replaces the “risk of harm” test with a default presumption that any acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule is a breach unless the covered entity or business associate “demonstrates that there is a low probability that the [PHI] has been compromised based on a risk assessment.”  HHS stated that the omnibus rule establishes a presumption that uses or disclosures of PHI in violation of the Privacy Rule are “breaches” because HHS believes that many covered entities and business associates have construed the existing “risk of harm” standard as setting a higher bar than HHS intended.  Covered entities and business associates now have the burden of proving that there is a “low probability” that PHI has been compromised through a risk assessment that accounts for at least the following factors: 

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the PHI or to whom the disclosure was made;
  3. Whether the PHI was actually acquired or viewed; and
  4. The extent to which the risk to the PHI has been mitigated.

All of these factors must be considered in combination.  If a covered entity or business associate determines that an unauthorized use or disclosure of PHI is not a breach, it will need to maintain documentation sufficient to overcome the presumption that PHI was compromised.  HHS suggests that these risk assessments allow for a more “objective” evaluation than the current “risk of harm” standard, and plans to provide further guidance on risk assessments that addresses “frequently occurring scenarios.”


HITECH Update #2: HHS Finalizes Privacy Rules to Protect Genetic Information

This post is part of our series on key aspects of the final HITECH omnibus rule issued by the U.S. Department of Health and Human Services (HHS) on January 17, 2013 (available here), and scheduled to be published in the Federal Register on January 25.  Previous posts are available here.  The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements. 

In addition to finalizing the HIPAA regulations under HITECH, the omnibus rule finalized modifications to the HIPAA Privacy rule required by the Genetic Information Non-Discrimination Act (GINA).  GINA prohibits discrimination in employment and health insurance coverage based on a person’s genetic information.  Specifically, GINA prohibits health plans from using the genetic information of an individual, for example that he or she is predisposed to develop a certain genetic disorder or carries a specific genetic mutation, for underwriting purposes.

GINA directed HHS to make modifications to the HIPAA Privacy Rule.  In October 2009, HHS promulgated proposed rules to:

  • Clarify that genetic information is health information for purposes of PHI;
  • Prohibit health plans from using or disclosing PHI containing genetic information for underwriting purposes;
  • Revise the provisions related to the Notice of Privacy Practices for health plans that perform underwriting; and
  • Make technical corrections to update the definition of “health plan.”

The structure of the final rules issued by HHS tracks these proposed rules, while making some modifications to the details of the individual proposals.  We discuss each of the major aspects of the final rule below.


HHS Issues Long-Awaited Final HITECH Regulations

By Anna Kraus and Rachel Grunberger

The U.S. Department of Health and Human Services has issued its long-awaited final omnibus rule modifying the privacy, security, enforcement, and breach notification regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  The rule is based on statutory changes under the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act of 2008 (GINA). 

The omnibus rule is comprised of the following four rules:

  1. Final modifications to the HIPAA regulations mandated by the HITECH Act, and certain other modifications to improve the HIPAA rules;
  2. Final rule adopting changes to the HIPAA Enforcement Rule;
  3. Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which, according to HHS, replaces the current rule’s “risk of harm” threshold with a more objective standard; and
  4. Final rule modifying the HIPAA Privacy Rule as required by GINA.

This post is the first in a series that we will publish about key aspects of the final rule, including modifications to the HIPAA requirements for research, marketing, breach notification, business associates, and other issues.  Stay tuned for more details…

HHS Issues Message to Nation's Health Care Providers About HIPAA and Threats to Health and Safety

Following the release of the President’s plan to reduce gun violence, the Office for Civil Rights within the Department of Health and Human Services (HHS) issued a “Message to Our Nation’s Health Care Providers” regarding HIPAA and reporting threats of violence. 

In the letter, which was prompted by the recent mass shootings in Newtown, Connecticut, and Aurora, Colorado, HHS states that it wants to ensure that health care providers are aware that the HIPAA Privacy Rule does not prevent them from disclosing necessary information about a patient to law enforcement, family members of the patient, or other persons, when the health care provider believes the patient “presents a serious danger to himself or other people.”


President's Gun Plan Addresses HIPAA Concerns, Clarifications

By Rachel Grunberger and Anna Kraus

Two measures in President Obama’s plan to reduce gun violence, released yesterday, seek to address privacy concerns related to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). 

Mental Health Records and Background Checks.  The first measure, which is part of a set of recommendations to strengthen the National Instant Criminal Background Check System (NICS), is to address “unnecessary legal barriers that prevent states from reporting information [to NICS] about those prohibited from having guns.”  The President’s plan references a July 2012 Government Accountability Office (GAO) report on gun control, which found that although the number of mental health records available to the NICS has increased, there were still 17 states that have made fewer than 10 mental health records available to the system.  One reason for this, according to the GAO, may be concerns under HIPAA.  The HIPAA Privacy Rule allows covered entities to use or disclose protected health information without the individual’s authorization under certain specified circumstances, such as when required by law.  A few state officials reported to GAO that the “absence of explicit state statutory authority to share mental health records was an impediment to making such records available to NICS.”

To address this issue, the President’s plan states that the “Administration will begin the regulatory process to remove any needless barriers, starting by gathering information about the scope or extent of the problem.”  (Interestingly, the GAO report states that the Department of Justice asked the Department of Health and Human Services to address this problem by amending the Privacy Rule to specifically allow disclosure of mental health records for NICS reporting purposes; however, as of the date of the report, HHS had not yet decided whether to pursue an amendment.)


EDPS Suggests Amendments to the Commission Proposal for a new Regulation on Clinical Trials on Medicinal Products for Human Use

On 19 December 2012, the European Data Protection Supervisor (EDPS) and the Assistant Supervisor, M. Giovanni Buttarelli, published a new Opinion that sets out their views on the Commission proposal for a new Regulation on Clinical Trials on Medicinal Products for Human Use (the Regulation).  The Commission proposal, released in July 2012, touches on a variety of data protection issues, ranging from the legal basis that clinical research organisations (CROs) must rely on when processing sensitive health data gathered in clinical trials to the establishment of a centralized database at the European Medicines Agency (EMA) that is intended to store records of clinical investigators and adverse event reports from across Europe.

In general, the EDPS appears to have welcomed the Commission’s approach;  apparently, the Commission draft was altered to adapt to early informal EDPS criticisms, and so already contains provisions that are relatively sensitive to data privacy concerns.  Perhaps surprisingly, the EDPS also refrains from commenting extensively on the Regulation’s approach to the issue of how clinical trial participants may provide informed consent to their participation in the trial.  However, the EDPS nevertheless does make a number of suggestions about how the draft Regulation should be further modified.  We discuss the particular suggestions after the jump.


HHS Announces First Settlement for HIPAA Breach Involving Less than 500 Patients

On January 2, HHS announced that it had entered into a HIPAA breach settlement with the Hospice of North Idaho (HONI) in what it reported as the first such settlement involving a breach of PHI affecting fewer than 500 individuals.  Under the resolution agreement, HONI agreed to pay HHS $50,000 and enter into a corrective action plan requiring HONI to report to HHS any time it determines that a workforce member has failed to comply with its Privacy and Security policies.

The investigation and settlement arose out of a breach notification report submitted by HONI, as required by the HIPAA breach notification rule.  HONI reported the theft of a laptop computer, which contained PHI of 441 patients.  During the subsequent investigation, HHS determined that HONI was not in compliance with two different requirements of the HIPAA security rule: (1) it had not conducted a risk analysis to safeguard ePHI, and (2) it did not have in place policies or procedures to address mobile device security.

HIPAA’s breach notification rules have different requirements for breaches affecting fewer than 500 individuals.  For these smaller breaches, a covered entity need only notify the Secretary on an annual basis and no later than 60 days after the end of the calendar year during which the breach occurred.  However, this settlement should put all covered entities on notice that even small-scale breaches can result in significant liability under HIPAA.

HHS used the announcement of the settlement to remind interested individuals of its new educational initiative on mobile devices, launched by the Office for Civil Rights and the HHS Office of the National Coordinator for Health Information Technology (ONC).  This new initiative instructs health care providers and other health care professionals on best practices to protect patient information when using mobile devices such as laptops, tablets, and smartphones.  The initiative also includes educational materials that providers can use to spread awareness among their organizations of the importance of securing mobile data.

HHS Releases Guidance on HIPAA De-Identification Standard

By Rachel Grunberger and Anna Kraus

On Monday, the U.S. Department of Health and Human Services (HHS) released guidance on methods for de-identification of protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.  The guidance, which was required under Section 13424(c) of the Health Information Technology for Economic and Clinical Health (HITECH) Act, answers questions about the two methods that can be used to satisfy the HIPAA de-identification standard in 45 C.F.R. § 164.514.  It also incorporates input from stakeholders that HHS received at a workshop held in March 2010.

As summarized in the figure below, the two methods by which health information can be designated as de-identified under HIPAA are (1) the “expert determination” method and (2) the “safe harbor” method.

[Figure: HHS chart of the two de-identification methods, expert determination and safe harbor.  Source: HHS Guidance Regarding Methods for De-identification of PHI in Accordance with the HIPAA Privacy Rule]
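Of the two methods, only safe harbor can be checked mechanically; expert determination rests on a documented statistical judgment that no script can substitute for.  The following Python is an added example, not code from HHS or from this post.  The rules it encodes (drop direct identifiers such as names and record numbers, keep only the first three ZIP digits and use 000 for the low-population prefixes, reduce dates directly related to the individual to the year, and collapse ages over 89 into a single 90-or-older category) come from 45 C.F.R. § 164.514(b)(2) and the HHS guidance, which the excerpt above does not reproduce.  The field names, the free-text patterns, and the sample records are this example's own constructions, and the ZIP prefix list is the one the guidance derived from 2000 Census data, which is assumed here and must be verified against current data before use.

```python
import re
from datetime import date

# Added example: mechanical safe-harbor checks modeled on 45 C.F.R. 164.514(b)(2).
# Three-digit ZIP prefixes covering 20,000 or fewer people, as listed in the
# HHS guidance from 2000 Census data (assumption: verify against current data).
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Direct identifiers that are dropped from the output record outright
# (hypothetical field names chosen for this example).
DROPPED_FIELDS = ("name", "mrn", "phone", "email", "ssn")

# Date fields "directly related to an individual" that are reduced to a year.
DATE_FIELDS = ("dob", "admit_date", "discharge_date", "death_date")

# Deliberately simple patterns for flagging residual identifiers in free text;
# they are this example's own, not part of the HHS guidance.
FREE_TEXT_PATTERNS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
]


def age_on(dob, as_of):
    """Whole years elapsed between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def generalize_zip(zip_code):
    """Keep the first three ZIP digits, or '000' for a low-population prefix."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 5:
        return "000"
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def scan_free_text(text):
    """Names of the identifier patterns found in a free-text field."""
    return [name for name, pattern in FREE_TEXT_PATTERNS if pattern.search(text)]


def deidentify(record, as_of):
    """Apply the safe-harbor rules to one record and return a new dict.

    Direct identifiers are dropped; ZIP codes are truncated; dates keep only
    the year; ages over 89 collapse to '90+', and the birth year of such a
    person is withheld because the year alone would reveal the age.  Free-text
    fields that still match an identifier pattern are withheld for review.
    """
    out = {}
    age = age_on(record["dob"], as_of)
    over_89 = age > 89
    out["age"] = "90+" if over_89 else str(age)
    for field in DATE_FIELDS:
        if field in record:
            out[field] = None if (field == "dob" and over_89) else str(record[field].year)
    out["zip3"] = generalize_zip(record["zip"])
    for key, value in record.items():
        if key in DROPPED_FIELDS or key in DATE_FIELDS or key == "zip":
            continue
        if isinstance(value, str) and scan_free_text(value):
            out[key] = None  # residual identifier in free text: hold back
        else:
            out[key] = value
    return out


# Constructed sample records for this example; not real patients.
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "mrn": "MRN-0012345", "dob": date(1921, 6, 30),
     "admit_date": date(2012, 11, 2), "zip": "03601-1234", "sex": "F",
     "notes": "Follow-up scheduled."},
    {"name": "John Roe", "mrn": "MRN-0099999", "dob": date(1975, 2, 1),
     "admit_date": date(2012, 12, 20), "zip": "20001", "sex": "M",
     "notes": "Call 208-555-0199 regarding SSN 123-45-6789."},
]


def deidentify_all(records=SAMPLE_RECORDS, as_of=date(2013, 1, 1)):
    """De-identify every record as of a fixed reference date."""
    return [deidentify(r, as_of) for r in records]


if __name__ == "__main__":
    for row in deidentify_all():
        print(row)
```

Run as a script, it prints one de-identified row per sample record: the first collapses to age "90+" with no birth year and ZIP prefix "000", and the second keeps age 37, birth year 1975 and prefix "200" but withholds the notes field because it still contains a phone number and an SSN.  Passing the safe-harbor check this way says nothing about the covered entity's "actual knowledge" that the remaining data could identify someone, which the standard also requires.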


Telemarketing Recap: Recent Key Developments at the FCC, FTC and in the Courts

A number of key developments affecting telemarketing emerged over the past week:

1.  The distinction between informational and telemarketing calls was further defined.  The 9th Circuit held that calls intended to impart information about a customer rewards program could be construed as “dual purpose” calls subject to federal and state telemarketing restrictions.  See Chesbro v. Best Buy Co., Inc.

2.  Effective dates were announced for the new requirements on autodialed and prerecorded calls that were adopted by the FCC in February 2012. 

  • Effective immediately:  all prerecorded “health care” messages subject to HIPAA transmitted to residential lines are exempt from the FCC’s consent, identification, time-of-day, opt-out, and call abandonment requirements.
  • Effective November 15, 2012:  the FCC’s three percent call abandonment rate must be calculated on a 30-day basis for every telemarketing calling campaign.  (It is possible that the FCC will consider delaying this effective date to January 14, 2013, to align it with the interactive opt-out requirement discussed below.)
  • Effective January 14, 2013:  all prerecorded telemarketing calls must include an automated, interactive opt-out mechanism throughout the duration of the call, as well as a toll-free telephone number that can be contacted to opt out when a prerecorded telemarketing message is left on voicemail or an answering machine. 
  • Effective October 16, 2013:  prior express written consent is required to transmit prerecorded or autodialed telemarketing calls to wireless numbers, and the established business relationship exception no longer applies to prerecorded telemarketing calls to residential lines.


HHS Announces $1.5 Million HIPAA Settlement with Massachusetts Provider

On September 17, the Department of Health and Human Services (HHS) announced a settlement with Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively, MEEI) for alleged violations of the HIPAA Security Rule.  Under the Resolution Agreement, MEEI agreed to pay $1.5 million to HHS and take corrective action to improve its policies and procedures to ensure compliance with HIPAA.

