Updates on Developments in Data Privacy and Cybersecurity
By Anna Kraus
The Department of Health and Human Services (HHS) has submitted to the Office of Management and Budget (OMB) the long-awaited final rule implementing changes to the Health Insurance Portability and Accountability Act (HIPAA) regulations mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. …
Continue Reading Final HIPAA/HITECH Rule Expected by July
The Senate Judiciary Subcommittee on Privacy, Technology, and Law recently held a hearing to discuss federal enforcement of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, entitled “Your Health and Your Privacy: Protecting Health Information in a Digital World.” In that hearing, Subcommittee Chairman Al Franken (D-MN) told officials from the Department of Health and Human Services (HHS) and the Department of Justice (DOJ) that “the overall record of [HIPAA] enforcement is simply not satisfactory,” and asked why so few HIPAA complaints are actually prosecuted. Franken and other panelists also emphasized the need for a final rule to implement the HITECH Act’s amendments to the HIPAA Privacy and Security Rules.
Franken’s opening statement outlined the benefits of electronic health records, but emphasized that “we need to do more to protect this data and that is what this hearing is all about.”
The first panel included U.S. Attorney Loretta Lynch, who also serves on the Health Care Fraud Working Group of the Attorney General’s Advisory Committee, and Leon Rodriguez, Director of the HHS Office for Civil Rights (OCR). Both officials underscored their agencies’ commitment to enforcing medical privacy laws through HIPAA’s Privacy and Security Rules and the new HITECH Act. Lynch testified about recent DOJ efforts to enforce HIPAA’s criminal provisions, while Rodriguez cited OCR cases against Massachusetts General Hospital and CVS/Rite Aid that led to substantial fines.Continue Reading Senate Hearings Focus on Lack of HIPAA Enforcement, Final HITECH Rule
Last week, Sue McAndrew, deputy director for health information privacy at the Office of Civil Rights in the Health and Human Services Department, said that OCR was “quite far along” on its efforts to adopt a final rule implementing changes to the HIPAA regulations pursuant to the HITECH Act. She…
Continue Reading HIPAA Privacy, Security Rules Are “Quite Far Along”
The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) announced Tuesday that it has issued a Notice of Final Determination finding that Cignet Health of Prince George’s County, Maryland (Cignet) violated the HIPAA Privacy Rule. HHS imposed a $4.3 million civil money penalty on Cignet for the violations—the first civil money penalty ever issued by HHS for violations of the Privacy Rule.
The civil money penalty imposed on Cignet is based on the new violation categories and increased penalty amounts established under the HITECH Act, which we reported on previously. In a Notice of Proposed Determination issued on October 20, 2010, OCR found that:
Continue Reading HHS Imposes $4.3 Million Civil Money Penalty for HIPAA Privacy Violations
A total of 225 breaches of protected health information (PHI) affecting 6,067,751 individuals have been recorded since the HIPAA breach notification rule was issued in August 2009 pursuant to the HITECH Act, according to a report by Redspin, a provider of HIPAA risk analysis and IT assessment services.
According to…
Continue Reading Report: Over 6 Million Individuals Affected by PHI Breaches Since August 2009
In our final post on what pharmaceutical companies should know about the forthcoming HIPAA/HITECH regulations, we will discuss provisions in the proposed rule relating to the sale of protected health information. We previously covered the Department of Health and Human Service’s (HHS) proposed treatment of communications about currently prescribed drugs, remunerated treatment communications, authorizations for future research, and compound authorizations.
Sale of Protected Health Information
The HITECH Act added a new circumstance where a covered entity must obtain authorization: the sale of protected health information. (The HIPAA Privacy Rule also requires authorizations for uses and disclosures for marketing and most uses and disclosures of psychotherapy notes.)Continue Reading HIPAA/HITECH Regulations are Coming: What do Pharmaceutical Companies Need to Know? (Part 5 of 5)
This is the fourth in our series on provisions of the Department of Health and Human Services (HHS) proposed rule implementing the HITECH Act that, if included in the final rule, are likely to have the greatest impact on the business operations of pharmaceutical and other life sciences companies. We previously covered HHS’s proposed treatment of communications about currently prescribed drugs, remunerated treatment communications, and authorizations for future research.
Today we will address how HHS may relax the current restrictions on “compound authorizations” for research purposes.
Compound Authorizations
HHS is proposing to amend the compound authorization requirements under the HIPAA Privacy Rule, which currently prohibit combining an authorization that conditions treatment, payment, enrollment in a health plan, or eligibility for benefits with an authorization for another purpose for which treatment, payment, enrollment, or eligibility may not be condition. HHS recognized that the excess paperwork that results from this restriction has been found to be burdensome and potentially confusing to patients, as well as administratively burdensome for clinical researchers.Continue Reading HIPAA/HITECH Regulations are Coming: What do Pharmaceutical Companies Need to Know? (Part 4 of 5)
In this third post on the forthcoming HIPAA/HITECH regulations, we will discuss potential modifications to the rules regarding authorization for future research. In earlier posts, we covered the Department of Health and Human Service’s (HHS) proposed treatment of communications about currently prescribed drugs and remunerated treatment communications.
Future Research
In the proposed rule issued last July, HHS stated that it is “considering whether to modify its interpretation that an authorization for the use or disclosure of protected health information for research be research-study specific.” The agency was prompted to revisit this issue after hearing concerns from covered entities and researchers about how the current interpretation encumbers secondary research, results in individuals being re-contacted to sign multiple authorization forms at different points in the future, and is inconsistent with the Common Rule.Continue Reading HIPAA/HITECH Regulations are Coming: What do Pharmaceutical Companies Need to Know? (Part 3 of 5)
This is the second in our series on provisions of the HHS proposed rule implementing the HITECH Act that, if included in the final rule, are likely to have the greatest impact on the business operations of pharmaceutical and other life sciences companies. We previously covered HHS’s proposed treatment of refill reminders and other communications about currently prescribed drugs. HHS has indicated that the final rule will be issued in March.
Today, we will look at the new requirements contained in the HHS proposed rule issued last July for what HHS is calling “remunerated treatment communications.”
Remunerated Treatment Communications
The HIPAA Privacy Rule generally requires that a covered entity obtain prior written authorization from an individual before using that individual’s protected health information for marketing purposes. Prior to the HITECH Act, certain communications, including those related to treatment and care coordination, were excluded from the definition of marketing. But under the HITECH Act, if a covered entity or business associate is compensated by a third party for making certain communications (including those related to treatment and care coordination), the covered entity generally must obtain prior authorization. As we previously reported, the HITECH Act contains one limited exception for communications about currently-prescribed drugs.Continue Reading HIPAA/HITECH Regulations are Coming: What do Pharmaceutical Companies Need to Know? (Part 2 of 5)
As we previously reported, the Office for Civil Rights within the Department of Health and Human Services (HHS) has indicated that the final rule implementing changes to the HIPAA regulations under the HITECH Act will be issued in March. The proposed rule, released last July, contains sweeping changes to the privacy, security, and enforcement rules promulgated under HIPAA. In this and four subsequent blog posts, we will explore aspects of the proposed rule relating to marketing, clinical research, and the sale of protected health information. These changes, if included in the final rule, are likely to have the greatest impact on the business operations of pharmaceutical and other life sciences companies. (Although generally not regulated under HIPAA directly, such companies often have arrangements with entities that are covered entities or business associates under HIPAA.)
Communications About Currently Prescribed Drugs
The first topic we will address is HHS’s proposed treatment of refill reminders and other communications about currently prescribed drugs. The HIPAA Privacy Rule generally requires that a covered entity obtain prior written authorization from an individual before using that individual’s protected health information for marketing purposes. Prior to the HITECH Act, certain communications, including those related to treatment and care coordination, were excluded from the definition of marketing. But under the HITECH Act, if a covered entity or business associate is compensated by a third party for making certain communications (including those related to treatment and care coordination), the covered entity generally must obtain prior authorization.Continue Reading HIPAA/HITECH Regulations are Coming: What do Pharmaceutical Companies Need to Know? (Part 1 of 5)
