HITECH Act

On September 15, the Federal Trade Commission (“FTC”) adopted, on a 3-2 party-line vote, a policy statement that takes a broad view of which health apps and connected devices are subject to the FTC’s Health Breach Notification Rule (the “Rule”) and what triggers the Rule’s notification requirement.

The Rule was promulgated in 2009 under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  Under the Rule, vendors of personal health records that are not otherwise regulated under the Health Insurance Portability and Accountability Act (“HIPAA”) are required to notify individuals, the FTC, and, in some cases, the media following a breach involving unsecured identifiable health information.  Third-party service providers also are required to notify covered vendors of any breach.
Continue Reading FTC Adopts Policy Statement on Privacy Breaches by Health Apps and Connected Devices

Recently, the Workgroup for Electronic Data Interchange (WEDI) published a Breach Risk Assessment Issue Brief for stakeholders to use in analyzing whether a breach of protected health information (PHI) has occurred under the Health Insurance Portability and Accountability Act (HIPAA).

Background

Under HIPAA’s breach notification rule, covered entities and business associates are required to notify affected individuals, HHS, and, sometimes, the media when they determine that a breach of unsecured PHI has occurred.

Continue Reading WEDI Issues Guidance for Assessment of Potential Breaches under HIPAA

Recently, the Office of Inspector General (OIG) at HHS released a report on the HIPAA enforcement efforts of HHS’s Office for Civil Rights (OCR).  Specifically, the OIG looked at whether OCR’s efforts to enforce HIPAA’s Security Rule were adequate.  The OIG’s findings may lead to increased enforcement efforts by OCR.

Background on the Security Rule

On September 19, HHS released additional guidance on the “refill reminder exception” in HIPAA, which allows — in some circumstances — paid communications regarding a drug or biologic currently prescribed to a patient.

Background

In January 2013, HHS finalized new restrictions on marketing as part of the final omnibus rule implementing changes to HIPAA under the HITECH Act.  The new rules modified how and when covered entities and business associates may receive financial remuneration from a third party for making communications about a drug or biologic currently prescribed to an individual (i.e., “the refill reminder exception” to the marketing prohibition).  We previously discussed the new restrictions here.  In short, the new rules prohibit any financial remuneration above and beyond what is reasonable.  HHS indicated that reasonable remuneration would include the costs of labor, supplies, and postage to make the communication.  These restrictions appeared to prohibit a covered entity or business associate from generating a profit from making these subsidized communications.

As we discussed earlier, these new restrictions were challenged in a lawsuit filed earlier this month by Adheris, Inc.  Since the filing of the complaint, HHS announced that it would promulgate additional guidance on the refill reminder exception.

HHS Guidance

The new guidance describes both the scope of communications that fall within the exception and what third-party payments are considered “reasonable” under the statute and regulations for making such communications.

What communications are included in the exception?

HHS explains that the following communications are permitted under the exception:

  • Refill reminders.
  • Communications about generic equivalents of a drug being prescribed.
  • Communications about a recently lapsed prescription (one that has lapsed within the last 90 calendar days).
  • Adherence communications encouraging individuals to take prescribed medicines as directed.
  • Where an individual is prescribed a self-administered drug, communications regarding all aspects of a drug delivery system.

Continue Reading HHS Issues Guidance on Refill Reminders under HIPAA

This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final HITECH omnibus rule adopts a number of modifications to Subparts C and D of Part 160 (HIPAA Enforcement Rule) to implement Section 13410 of the HITECH Act. Most significantly, the rule includes modifications to implement Section 13410(a) of the HITECH Act, which requires HHS to formally investigate a complaint if a preliminary investigation indicates a possible violation due to willful neglect, and to impose a civil money penalty for a violation due to willful neglect.

Continue Reading HITECH Update #12: HHS Modifies HIPAA Enforcement Provisions

This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final rule implements Section 13405(d) of the HITECH Act, which generally prohibits a covered entity or a business associate from engaging in a “sale” of an individual’s PHI without authorization.

Definition of Sale of PHI.  In response to requests from commenters, HHS amended its proposed rule to provide a definition of “sale of PHI.”  Section 164.502(a)(5)(ii)(B)(1) defines “sale of PHI” to mean a disclosure of PHI when the covered entity or business associate “directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI.”  HHS expressly refused to limit this definition to instances where there is a transfer of ownership of PHI.  Furthermore, HHS included a broad interpretation of “remuneration.”  In contrast to the marketing provision where remuneration must be financial, HHS will consider nonfinancial benefits received in exchange for PHI as falling within the scope of the rule.

However, payments a covered entity may receive in the form of grants, contracts, or other arrangements to perform programs or activities using PHI (i.e., a research study) will not be considered sale of PHI because “any provision of PHI to the payer is a byproduct of the service being provided.”  Rather, a sale of PHI occurs when the covered entity or business associate is being compensated “primarily” for supplying PHI.

Continue Reading HITECH UPDATE #11: New Restrictions on “Sale” of Personal Health Information

This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final HITECH omnibus rule implements provisions in the HITECH Act pertaining to two individual rights: an individual’s right to request a restriction on the disclosure of his or her protected health information (“PHI”) and an individual’s right to access his or her PHI.

Right to Restrict Uses and Disclosures of PHI

The current Privacy Rule grants individuals the right to request restrictions on the use or disclosure of their PHI, but covered entities are not required to agree to such restrictions.  The HITECH Act strengthens the right to request restrictions on disclosures by requiring covered entities to accept a restriction on disclosing PHI to a health plan where the disclosure is for payment or health care operations purposes and the PHI “pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket.”  The omnibus rule amends the Privacy Rule to account for this provision.  Under this new requirement, if a patient pays her physician in full for a specific blood test and requests that the physician not disclose PHI that pertains solely to that blood test to the health plan, the physician must agree to this restriction unless the disclosure is otherwise required by law.  In these circumstances, the health care provider also may not disclose the relevant PHI to a business associate of the health plan.  The restriction applies only where the service or item has been paid in full out of pocket; it does not apply to follow-up visits if they are not paid for in full out of pocket.

Continue Reading HITECH Update #9: Omnibus Rule Revises Individual Rights to Request Restrictions, Access to Protected Health Information

This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final HITECH omnibus rule requires covered entities to add several new provisions to the Notice of Privacy Practices (“NPP”) that they distribute to patients and beneficiaries.  Generally, an NPP describes how the covered entity may use and disclose protected health information (“PHI”), an individual’s rights with respect to PHI (e.g., the right to access PHI and request restrictions on uses and disclosures), and the covered entity’s legal duties with respect to PHI (e.g., the duty to abide by the terms of the NPP).

Continue Reading HITECH Update #8: New Requirements for HIPAA Notices of Privacy Practices