SPECIAL EDITION ON THE HIPAA OMNIBUS FINAL RULE PART I

by Rose Willis

The U.S. Department of Health and Human Services (hereinafter referred to as "the Department") released the HIPAA/HITECH final omnibus rule (the "Final Rule") on January 17, 2013, which rule contains long-awaited rules and clarifications regarding the Health Insurance Portability and Accountability Act ("HIPAA") Privacy, Security and Enforcement Rules and the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"). Most of the provisions of the Final Rule are effective September 23, 2013.

This Special Edition on the HIPAA Omnibus Final Rule Part I is the first of two parts that contain informative summaries of the major changes resulting from the Final Rule. In this issue, we summarize the rules as to data breach and related topics. Our next issue in February will focus primarily on the changes in the Final Rule regarding Business Associates, Business Associate Agreements and the Security Rule.

REVISIONS TO THE RULES ON BREACH NOTIFICATION

by Rose Willis

The Final Rule significantly modified the HIPAA/HITECH breach notification rules relating to the procedures that covered entities or business associates, as applicable, must take when determining whether a breach of unsecured Protected Health information ("PHI") requires notification to affected individuals, the Secretary of the Department or the media.

The Final Rule creates a presumption that an impermissible use or disclosure of unsecured PHI is a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probabilitythat the PHI has been compromised. This regulatory change represents a significant burden on covered entities and business associates. As a result, for each improper release of PHI, covered entities and business associates, as applicable, will need to document in a detailed and comprehensive fashion their risk assessment review and conclusions regarding impermissible uses or disclosures of unsecured PHI, even if they ultimately determine that the use or disclosure was not a breach.

The new "low probability" standard replaces the previous "harm standard" that was set forth in the Interim Final Rule (issued by the Department on October 30, 2009) (the "IFR"), which called for a more objective approach to the determination of whether a breach has occurred. Under the Final Rule, a covered entity's determination of whether there is a "low probability" that PHI was compromised must address, at the least, the following four factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the PHI or to whom the disclosure was made;
  • Whether the PHI was actually acquired or viewed; and
  • The extent to which the risk to the PHI has been mitigated.

Further, after addressing each of the above stated factors, the covered entity or business associate must evaluate the overall probability that the PHI was compromised by considering all factors in combination. The Department clarified that a covered entity or business associate may choose to automatically provide the required notification following any impermissible use or disclosure of PHI without performing a risk assessment to determine if one is necessary.

The Final Rule also removed the IFR exception to the breach notification rule that was applicable to "limited data sets". Under that exception, an impermissible use or disclosure of PHI that qualified as a limited data set but excluded dates of birth and zip codes, was not considered a "breach." Now, even in those cases the covered entity must conduct a risk assessment using the above-described criteria to determine whether a breach occurred.

The Final Rule addressed and clarified a number of detailed questions raised by commenters. For example, it clarified that uses or disclosures that impermissibly involve more than the minimum necessary information may qualify as breaches, even though such information if disclosed to a business associate or as an internal use within a covered entity or business associate, may have a low probability that the PHI was compromised since the information was not acquired by a third party. Further, the Department declined to provide an explicit exception to the definition of "breach" in the event a laptop is lost and recovered and a forensic analysis shows that the PHI on the computer was not accessed. Instead, the covered entity will still need to go through its risk assessment and may determine that there is a low probability that the PHI was compromised. The Department noted that if a computer is lost or stolen, it is not reasonable to delay breach notification in hopes that it will be recovered.

As a result of the new "low probability" standard, covered entities and business associates will need to examine and revise their breach notification policies and procedures prior to the September 23, 2013 effective date of the Final Rule.

FINAL RULE REQUIRES GROUP HEALTH PLANS AND PROVIDERS TO UPDATE THEIR NOTICE OF PRIVACY PRACTICES ("NPP")

by Deborah Grace

The Privacy Rule prescribes certain information that must be included in a covered entity's NPP, including a statement advising individuals that any use or disclosure of PHI other than those permitted by the Privacy Rule will be made only with written authorization of the individual, and that the individual has the right to revoke an authorization. The Final Rule expands a covered entity's disclosure obligations by requiring that the NPP specifically state that uses and disclosures of PHI for marketing purposes and the sale of PHI will require an individual's written authorization. Also, if the covered entity records or maintains psychotherapy notes, then its NPP must include a statement that uses and disclosures of psychotherapy notes will require an individual's written authorization.

Besides the specific disclosures regarding written authorization, the Final Rule requires that a covered entity that intends to contact an individual for fundraising purposes must disclose in its NPP that it may contact the individual to raise funds, and that the individual has the right to opt out of receiving such communications. If the covered entity is a health plan uses or discloses PHI for underwriting purposes, then its NPP must state that the covered entity is prohibited from using or disclosing genetic information for such purposes. All covered entities must include in their NPP a statement of the right of affected individuals to be notified following improper disclosure of unsecured PHI. Finally, for a covered entity other than a group health plan, the NPP must inform individuals of their right to restrict certain disclosures of PHI to a health plan where the individual pays out of pocket in full for the health care item or service.

The Department has determined that these changes are material, and each covered entity must take certain actions to advise the individual of the change in the NPP and make available the revised NPPs. If the covered entity is a group health plan that currently posts its NPP on its website, then it must prominently post information about the material changes or its revised NPP on its website by the compliance date, September 23, 2013, and it must provide the revised NPP or information about the material changes and how to obtain the revised NPP in its next annual mailing to the individuals covered by the plan or during the next open enrollment period. Group health plans that do not maintain customer service websites must provide the revised NPP or information describing the material changes and how to obtain the revised NPP to individuals covered by the plan within 60 days of the compliance date.

DISCLOSURES OF PROTECTED HEALTH INFORMATION ("PHI") FOR "MARKETING" PURPOSES.

by Randy Pistor

The HIPAA Privacy Rule, at 45 C.F.R. § 164.508(a)(3) (the "Privacy Rule"), requires that covered entities obtain a valid authorization from individuals before using or disclosing PHI to "market" a product or service. The term "marketing" means "to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service" and generally excepts communications for treatment and health care operations purposes from this definition. The Final Rule changed exceptions to the definition of "marketing", which are now dependent upon the "financial remuneration" received, if any.

The new definition specifies that "marketing" does not include a communication to provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual, but only if any financial remuneration received by the covered entity in exchange for making the communication is reasonably related to the covered entity's cost of making the communication. Included within this exception are communications about the generic equivalent of a drug being prescribed to an individual as well as adherence communications encouraging individuals to take their prescribed medication as directed. Where an individual is prescribed a self-administered drug or biologic, communications regarding all aspects of a drug delivery system, including, for example, an insulin pump, also fall under this exception. The Department intends to provide future guidance to address the scope of this exception.

Additionally, the definition of "marketing" does not include a communication made for the following treatment and health care operations purposes, except where the covered entity receives financial remuneration in exchange for making the communication:

  • For treatment of an individual by a health care provider, including case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual;
  • To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; or
  • For case management or care coordination, contacting individuals with information about treatment alternatives, and related functions to the extent these activities do not fall within the definition of treatment.

The Privacy Rule defines "financial remuneration" to mean "direct or indirect payment from or on behalf of a third party whose product or service is being described." The definition clarifies that "direct or indirect payment" does not include any payment for treatment of an individual. However, the term "financial remuneration" does not include non-financial benefits, such as in-kind benefits, provided to a covered entity in exchange for making a communication about a product or service. Rather, financial remuneration includes only payments made in exchange for making such communications. In addition, the financial remuneration a covered entity receives from a third party must be for the purpose of making a communication and such communication must encourage individuals to purchase or use the third party's product or service. If the financial remuneration received by the covered entity is for any purpose other than for making the communication, then the marketing provision does not apply.

Finally, permissible costs for which a covered entity may receive remuneration under this exception are those which cover only the costs of labor, supplies, and postage to make the communication. Where the financial remuneration a covered entity receives in exchange for making the communication generates a profit or includes payment for other costs, such financial remuneration would run afoul of the HITECH Act's "reasonable in amount" language.

Combining the new definition of "marketing" with the Privacy Rule's authorization requirement, it follows that for marketing communications that involve financial remuneration, the covered entity must obtain a valid authorization from the individual before using or disclosing PHI for such purposes, and such authorization must disclose the fact that the covered entity is receiving financial remuneration from a third party. Additionally, where a business associate (including a subcontractor), as opposed to the covered entity itself, receives financial remuneration from a third party in exchange for making a communication about a product or service, such communication also requires prior authorization from the individual.

DISCLOSURE OF STUDENT IMMUNIZATION RECORDS TO SCHOOLS

by Karolyn Bignotti

Most states have enacted laws that require proof of immunization before a child can be enrolled in school. Previously, schools complied with this requirement by either having legally emancipated students, students over the age of majority, or minor students' parents or legal guardians provide these immunization records directly, or by obtaining a written authorization allowing the school to contact the health care provider directly. The Privacy Rule prohibited schools from contacting a student's health care provider directly without written authorization. As a result, schools in states with required pre-entry immunizations were prevented from admitting potential students where the student, or minor student's parents or legal guardians, delayed in providing the requisite proof of immunization or written authorization.

The Omnibus HIPAA Final Rule amends the Privacy Rule to now allow a covered entity to disclose a student's immunization records to a school in states with pre-entry immunization laws based on written or oral authorization from the student or minor student's parents or legal guardians. Covered entities will be required to document receipt of either the written or oral authorization in the student's records, but will not be required to receive a HIPAA-compliant authorization or obtain a signature. The goal of the amendment is to facilitate enrollment of students in schools, while also protecting the rights of students and parents/guardians to object to disclosure of this information. This amendment finds its basis in an exception already existing in the privacy rule: that disclosure of student immunization records promotes a public health purpose in preventing the spread of communicable diseases.

DW HEALTH CARE TEAM - NEWS & SUCCESS STORIES

Effective January 1, 2013, Dickinson Wright PLLC expanded its practice in the Arizona and Southwestern U.S. legal and business communities, combining with Mariscal Weeks of Phoenix Arizona, creating "Dickinson Wright/Mariscal Weeks" . This combination is part of a strategy that will solidify Dickinson Wright's position as a leader in the North American marketplace and strengthen the resources available to the firm's clients. As stated by our CEO, William T. Burgess, "The Arizona and Southwestern U.S. legal and business communities are key markets for our client base, and our excitement in completing this combination is matched only by our resolve to make excellence in client service the continuing hallmark of our combined firm." New Healthcare attornneys in Phoenix include:

David I. Thompson's practice encompasses a wide variety of corporate, transactional and business matters, including representation of professional medical practices and other healthcare providers; hospitals; and diagnostic imaging centers. He represents clients in sales, acquisitions, and dissolutions of professional corporations and the formation and operation of joint ventures between hospitals and other healthcare providers.

Jerry Gaffaney practices in the areas of healthcare law and personal injury and insurance litigation. Mr. Gaffaney represents all types of health care providers including hospitals, hospital medical staffs, physicians (individually and in various types of groups), outpatient treatment centers and ambulatory surgery centers.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.