HITECH Act

This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final HITECH omnibus rule includes a number of changes that will significantly affect business associates.  Business associates are now directly subject to various aspects of the HIPAA Privacy, Security, and Breach Notification Rules.  Furthermore, liability now extends much further down the chain, as the new rule also applies these requirements to subcontractors of business associates.

We discuss these and other changes affecting business associates, and their subcontractors, below.

Continue Reading HITECH Update #7: New HIPAA Requirements for Business Associates and Their Subcontractors

This post is part of our series on key aspects of the final HITECH omnibus rule issued by the U.S. Department of Health and Human Services (HHS) on January 17, 2013 (available here), and scheduled to be published in the Federal Register on January 25. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final rule addresses several changes to business associate agreements as a result of the new obligations imposed upon business associates by HITECH.

Continue Reading HITECH Update #6: New Requirements for Business Associate Agreements

This post is part of our series on key aspects of the final HITECH omnibus rule issued by the U.S. Department of Health and Human Services (HHS) on January 17, 2013 (available here), and scheduled to be published in the Federal Register on January 25.  Previous posts are available here.  The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final HITECH omnibus rule significantly tightens the HIPAA marketing restrictions.  As described below, HHS has modified the proposed approach to require authorization for almost all treatment and health care operations communications where the covered entity receives, from a third party, financial remuneration for making the communication.  This change will have major implications for the design of medical messaging programs.

Background.  The HIPAA Privacy Rule generally requires that a covered entity obtain prior written authorization from an individual before using that individual’s protected health information for marketing purposes.  Prior to the HITECH Act, certain communications, including those related to treatment and care coordination, were excluded from the definition of marketing.  But under the HITECH Act, if a covered entity or business associate receives direct or indirect payment in exchange for making certain communications (including those related to treatment and care coordination), the covered entity generally must obtain prior authorization, unless the communication qualifies for a limited exception for communications about currently prescribed drugs or biologics where the payment received is reasonable in amount.

Continue Reading HITECH Update #5: HHS Tightens HIPAA Marketing Requirements

This post is part of our series on key aspects of the final HITECH omnibus rule issued by the U.S. Department of Health and Human Services (HHS) on January 17, 2013 (available here), and scheduled to be published in the Federal Register on January 25.  Previous posts are available here.  The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final HITECH omnibus rule contains major changes to the HIPAA requirements for research authorizations.  Specifically, as described below, HHS has loosened the current restrictions on “compound authorizations” for research purposes, and is now interpreting the HIPAA Privacy Rule to allow authorizations for future research.  These changes could have a tremendous impact on the manner in which  informed consent for clinical trials is documented in the United States and on the availability of clinical trial data for future research.

Compound Authorizations.  The HIPAA Privacy Rule generally prohibits “compound authorizations,” which are authorizations that are combined with any other legal permission.  An exception allows the combining of an authorization for a research study with written permission for the same study, usually found in an informed consent form.  But under the current rules, this exception is not available if one authorization conditions treatment, payment, enrollment in a health plan, or eligibility for benefits on the individual providing an authorization (conditioned authorization) and the other authorization does not contain such conditions (unconditioned authorization).  This prevents a covered entity from, for example, using a single authorization for a research study that covers both treatment as part of a clinical study and tissue banking of specimens for future research.  Many groups have informed HHS that this lack of integration is inconsistent with the Common Rule (45 C.F.R. Part 46) and creates unnecessary documentation burdens.

Continue Reading HITECH Update #4: HHS Relaxes HIPAA Requirements for Research Authorizations

This post is part of our series on key aspects of the final HITECH omnibus rule issued by the U.S. Department of Health and Human Services (HHS) on January 17, 2013 (available here), and scheduled to be published in the Federal Register on January 25.  Previous posts are available here.  The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The HITECH omnibus rule establishes a new standard for determining whether an unauthorized use or disclosure of unsecured protected health information (“PHI”) is a “breach” requiring notification.   Under the current Breach Notification Rule, covered entities are required to notify individuals of a breach involving their unsecured PHI, and business associates have a corresponding obligation to notify covered entities. The current rule states that an unauthorized use or disclosure of PHI is a “breach” if it poses a significant risk of financial, reputational, or other harm to the individuals affected.

The omnibus rule replaces the “risk of harm” test with a default presumption that any acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule is a breach unless the covered entity or business associate “demonstrates that there is a low probability that the [PHI] has been compromised based on a risk assessment.”  HHS stated that the omnibus rule establishes a presumption that uses or disclosures of PHI in violation of the Privacy Rule are “breaches” because HHS believes that many covered entities and business associates have construed the existing “risk of harm” standard as setting a higher bar than HHS intended.  Covered entities and business associates now have the burden of proving that there is a “low probability” that PHI has been compromised through a risk assessment that accounts for at least the following factors:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the PHI or to whom the disclosure was made;
  3. Whether the PHI was actually acquired or viewed; and
  4. The extent to which the risk to the PHI has been mitigated.

All of these factors must be considered in combination.  If a covered entity or business associate determines that an unauthorized use or disclosure of PHI is not a breach, it will need to maintain documentation sufficient to overcome the presumption that PHI was compromised.  HHS suggests that these risk assessments allow for a more “objective” evaluation than the current “risk of harm” standard, and plans to provide further guidance on risk assessments that addresses “frequently occurring scenarios.”

Continue Reading HITECH Update #3: HHS Revises Breach Notification Rule

By Anna Kraus

The U.S. Department of Health and Human Services has issued its long-awaited final omnibus rule modifying the privacy, security, enforcement, and breach notification regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  The rule is based on statutory changes under the Health Information Technology
Continue Reading HHS Issues Long-Awaited Final HITECH Regulations

Earlier this month, the federal district court in Minnesota dismissed a lawsuit brought earlier this year by the Minnesota Attorney General (AG) against Accretive Health, Inc., a business associate of hospitals, after the parties reached a settlement.  In the lawsuit, which we previously discussed here, the Minnesota AG alleged that the company violated various provisions of HIPAA as well as Minnesota privacy and consumer protection law.

Accretive Health had contracted with two Minnesota hospitals, primarily to perform services related to debt collection and “care coordination” services.  Through these services, Accretive required access to protected health information of the hospitals’ patients, and thus was acting as a  business associate under HIPAA.  The Minnesota AG’s case was notable because it was the first time that an enforcement action had been brought against a HIPAA business associate since the enactment of the HITECH Act in 2009, which imposed direct obligations on business associates to comply with certain HIPAA requirements, including breach notification and provisions of the HIPAA Security Rule.

The Minnesota AG’s HIPAA-related allegations arose out of a data breach, when the laptop of an Accretive Health employee was stolen out of his rental car.  The laptop contained protected health information of approximately 24,000 patients, including individually identifiable information and whether the patient had any one of 22 health conditions.  While the laptop was password protected, the data was not encrypted.  The complaint alleged that Accretive Health violated eight separate provisions of HIPAA.

Continue Reading Court Dismisses Minnesota AG’s HIPAA Enforcement Action Against Business Associate Following Settlement

By Anna Kraus

The Department of Health and Human Services (HHS) announced yesterday that the Alaska Department of Health and Social Services, Alaska’s State Medicaid agency (Alaska Medicaid), has agreed to pay $1.7 million to HHS to settle potential violations of the HIPAA Security Rule.  This is HHS’s first HIPAA enforcement action against a State agency, and HHS stated in the press release that it “expect[s] organizations to comply with their obligations under [the HIPAA rules] regardless of whether they are private or public entities.”

HHS’s Office for Civil Rights (OCR) began investigating Alaska Medicaid after receiving a breach report from the agency in October 2009.  The report indicated that a portable electronic storage device potentially containing electronic protected health information (e-PHI) was stolen from the vehicle of a computer technician employed by the State.  HHS subsequently determined through its investigation that Alaska Medicaid had not complied with HIPAA Security Rule requirements to:

  • complete a risk analysis;
  • implement sufficient risk management measures;
  • complete security training for its workforce members;
  • implement device and media controls; and
  • address device and media encryption.

Continue Reading Alaska Medicaid Agrees to Pay $1.7 Million to Settle HIPAA Security Case

By Anna Kraus

The long-awaited final rule implementing changes to the Health Insurance Portability and Accountability Act (HIPAA) regulations mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act has been delayed once again.  Although the rule was expected by July, the Office of Management and Budget (OMB) has updated its website to note that the review period for the rule has been extended.

OMB had received the rule from the Department of Health and Human Services (HHS) on March 24, 2012, and was expected to complete its review within 90 days, as required by Executive Order 12866.  According to the OMB website, however, the 90-day review period “may be extended indefinitely by the head of the rulemaking agency; alternatively, the OMB Director may extend the review period on a one-time basis for no more than 30 days.”  It is not known whether HHS or OMB extended the review period for the HIPAA/HITECH Rule.

Continue Reading OMB Extends Review of HIPAA/HITECH Rule