HIPAA Privacy Rule

This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final HITECH omnibus rule requires covered entities to add several new provisions to the Notice of Privacy Practices (“NPP”) that they distribute to patients and beneficiaries.  Generally, an NPP describes how the covered entity may use and disclose protected health information (“PHI”), an individual’s rights with respect to PHI (e.g., the right to access PHI and request restrictions on uses and disclosures), and the covered entity’s legal duties with respect to PHI (e.g., the duty to abide by the terms of the NPP).

Continue Reading HITECH Update #8: New Requirements for HIPAA Notices of Privacy Practices

This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final HITECH omnibus rule includes a number of changes that will significantly affect business associates.  Business associates are now directly subject to various aspects of the HIPAA Privacy, Security, and Breach Notification Rules.  Furthermore, liability now extends much further down the chain, as the new rule also applies these requirements to subcontractors of business associates.

We discuss these and other changes affecting business associates, and their subcontractors, below.

Continue Reading HITECH Update #7: New HIPAA Requirements for Business Associates and Their Subcontractors

This post is part of our series on key aspects of the final HITECH omnibus rule issued by the U.S. Department of Health and Human Services (HHS) on January 17, 2013 (available here), and scheduled to be published in the Federal Register on January 25. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final rule addresses several changes to business associate agreements as a result of the new obligations imposed upon business associates by HITECH.

Continue Reading HITECH Update #6: New Requirements for Business Associate Agreements

This post is part of our series on key aspects of the final HITECH omnibus rule issued by the U.S. Department of Health and Human Services (HHS) on January 17, 2013 (available here), and scheduled to be published in the Federal Register on January 25.  Previous posts are available here.  The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final HITECH omnibus rule significantly tightens the HIPAA marketing restrictions.  As described below, HHS has modified the proposed approach to require authorization for almost all treatment and health care operations communications where the covered entity receives, from a third party, financial remuneration for making the communication.  This change will have major implications for the design of medical messaging programs.

Background.  The HIPAA Privacy Rule generally requires that a covered entity obtain prior written authorization from an individual before using that individual’s protected health information for marketing purposes.  Prior to the HITECH Act, certain communications, including those related to treatment and care coordination, were excluded from the definition of marketing.  But under the HITECH Act, if a covered entity or business associate receives direct or indirect payment in exchange for making certain communications (including those related to treatment and care coordination), the covered entity generally must obtain prior authorization, unless the communication qualifies for a limited exception for communications about currently prescribed drugs or biologics where the payment received is reasonable in amount.

Continue Reading HITECH Update #5: HHS Tightens HIPAA Marketing Requirements

This post is part of our series on key aspects of the final HITECH omnibus rule issued by the U.S. Department of Health and Human Services (HHS) on January 17, 2013 (available here), and scheduled to be published in the Federal Register on January 25.  Previous posts are available here.  The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements. 

In addition to finalizing the HIPAA regulations under HITECH, the omnibus rule finalized modifications to the HIPAA Privacy Rule required by the Genetic Information Non-Discrimination Act (GINA).  GINA prohibits discrimination in employment and health insurance coverage based on a person’s genetic information.  Specifically, GINA prohibits health plans from using the genetic information of an individual, for example that he or she is predisposed to develop a certain genetic disorder or carries a specific genetic mutation, for underwriting purposes.

GINA directed HHS to make modifications to the HIPAA Privacy Rule.  In October 2009, HHS promulgated proposed rules to:

  • Clarify that genetic information is health information for purposes of PHI;
  • Prohibit health plans from using or disclosing PHI containing genetic information for underwriting purposes;
  • Revise the provisions related to the Notice of Privacy Practices for health plans that perform underwriting; and
  • Make technical corrections to update the definition of “health plan.”

The structure of the final rules issued by HHS tracks these proposed rules, while making some modifications to the details of the individual proposals.  We discuss each of the major aspects of the proposed rule below.

Continue Reading HITECH Update #2: HHS Finalizes Privacy Rules to Protect Genetic Information

By Anna Kraus

The U.S. Department of Health and Human Services has issued its long-awaited final omnibus rule modifying the privacy, security, enforcement, and breach notification regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  The rule is based on statutory changes under the Health Information Technology for Economic and Clinical Health

Following the release of the President’s plan to reduce gun violence, the Office for Civil Rights within the Department of Health and Human Services (HHS) issued a “Message to Our Nation’s Health Care Providers” regarding HIPAA and reporting threats of violence. 

In the letter, which was prompted by the recent mass shootings in Newtown, Connecticut, and Aurora, Colorado, HHS states that it wants to ensure that health care providers are aware that the HIPAA Privacy Rule does not prevent them from disclosing necessary information about a patient to law enforcement, family members of the patient, or other persons, when the health care provider believes the patient “presents a serious danger to himself or other people.”

Continue Reading HHS Issues Message to Nation’s Health Care Providers About HIPAA and Threats to Health and Safety

By Anna Kraus

Two measures in President Obama’s plan to reduce gun violence, released yesterday, seek to address privacy concerns related to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Mental Health Records and Background Checks.  The first measure, which is part of a set of recommendations to strengthen the National Instant Criminal Background Check System (NICS), is to address “unnecessary legal barriers that prevent states from reporting information [to NICS] about those prohibited from having guns.”  The President’s plan references a July 2012 Government Accountability Office (GAO) report on gun control, which found that although the number of mental health records available to the NICS has increased, there were still 17 states that have made fewer than 10 mental health records available to the system.  One reason for this, according to the GAO, may be concerns under HIPAA.  The HIPAA Privacy Rule allows covered entities to use or disclose protected health information without the individual’s authorization under certain specified circumstances, such as when required by law.  A few state officials reported to GAO that the “absence of explicit state statutory authority to share mental health records was an impediment to making such records available to NICS.”

To address this issue, the President’s plan states that the “Administration will begin the regulatory process to remove any needless barriers, starting by gathering information about the scope or extent of the problem.”  (Interestingly, the GAO report states that the Department of Justice asked the Department of Health and Human Services to address this problem by amending the Privacy Rule to specifically allow disclosure of mental health records for NICS reporting purposes; however, as of the date of the report, HHS had not yet decided whether to pursue an amendment.)

Continue Reading President’s Gun Plan Addresses HIPAA Concerns, Clarifications

By Anna Kraus

On Monday, the U.S. Department of Health and Human Services (HHS) released guidance on methods for de-identification of protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.  The guidance, which was required under Section 13424(c) of the Health Information Technology for Economic and Clinical Health (HITECH) Act, answers questions about the two methods that can be used to satisfy the HIPAA de-identification standard in 45 C.F.R. § 164.514.  It also incorporates input from stakeholders that HHS received at a workshop held in March 2010.

As summarized in the figure below, the two methods by which health information can be designated as de-identified under HIPAA are (1) the “expert determination” method and (2) the “safe harbor” method.

[Figure: de-identification chart.  Source: HHS Guidance Regarding Methods for De-identification of PHI in Accordance with the HIPAA Privacy Rule]

Continue Reading HHS Releases Guidance on HIPAA De-Identification Standard

By Anna Kraus

The Department of Health and Human Services (HHS) announced on Tuesday that Phoenix Cardiac Surgery, P.C. (Phoenix) agreed to pay $100,000 and implement a corrective action plan to come into full compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  HHS had been investigating the Arizona physician practice for potential violations of the HIPAA Privacy and Security Rules.

The investigation began when HHS received a report that Phoenix was posting clinical and surgical appointments for patients on an Internet-based calendar that was accessible by the public.  Upon further investigation, HHS determined that the physician practice had, among other things, failed to:

  • implement appropriate and reasonable administrative and technical safeguards to protect the privacy of protected health information (PHI)
  • identify a security officer and conduct the risk assessment required by the HIPAA Security Rule
  • enter into business associate agreements with its Internet-based calendar provider and Internet-based public e-mail provider
  • document that it trained any employees on HIPAA policies and procedures

Continue Reading HHS Settles HIPAA Case With Heart Surgery Center