FDCC Quarterly
Vol. 61, No. 3, Spring 2011

Health Care Reform in the United States: HITECH Act and HIPAA Privacy, Security, and Enforcement Issues
Amy E. Kempfert and Benjamin D. Reed

Bailing Out Medicare: Defense Counsel’s Medicare Reporting and Set-Aside Obligations
Matthew Y. Biscan and Geralyn M. Passaro

Liability Claims in the Medicare Secondary Payer Arena: Planning the Medicare Set-Aside
Charles D. Joyner and Christine E. Harper

Insurers’ Claims for Legal Malpractice Against Defense Counsel Hired for Their Insureds
John S. Wilkerson, III and Jeffrey T. Stover

Professional Liability Insurance Coverage for Law Firms: Understanding Key Policy Provisions and Educating Your Firm’s Attorneys
Charles J. Baker III

Landfall: Tropical Storms and Producer Pitfalls
James D. Ebanks and Christian R. Johnson

Skyrocketing Litigation Costs Compel Broad Revision of the Federal Rules of Civil Procedure: A Review of Proposed Rule Changes Submitted by the FDCC, LCJ and Other Defense Groups to Standing Committee on Rules of Practice and Procedure
Howard Merten and Alexandra W. Pezzello


Federation of Defense & Corporate Counsel


FDCC Quarterly Editorial Office
Marquette University Law School, Eckstein Hall, PO Box 1881, Milwaukee, WI 53201-1881
414-288-5375 / 414-288-5914 Fax

Co-Editors: Patricia [email protected], [email protected]

Student Editors: Philip C. Babler, Brian M. Borkowicz and Kristin L. Boyle


Spring 2011, Volume 61, Number 3

Contents

FDCC Quarterly

Cite as: 61 FED’N DEF. & CORP. COUNS. Q. ___ (2011). The Federation of Defense & Corporate Counsel Quarterly is published quarterly by the Federation of Defense & Corporate Counsel, Inc., 11812 North 56th Street, Tampa, FL 33617. Readers may download articles appearing in the FDCC Quarterly from the FDCC website for their personal use; however, reproduction of more than one copy of an article is not permitted without the express written permission of the FDCC and the author. Copyright, 2011, by the Federation of Defense & Corporate Counsel, Inc.


Health Care Reform in the United States: HITECH Act and HIPAA Privacy, Security, and Enforcement Issues
Amy E. Kempfert and Benjamin D. Reed .......... 240

Bailing Out Medicare: Defense Counsel’s Medicare Reporting and Set-Aside Obligations
Matthew Y. Biscan and Geralyn M. Passaro .......... 274

Liability Claims in the Medicare Secondary Payer Arena: Planning the Medicare Set-Aside
Charles D. Joyner and Christine E. Harper .......... 288

Insurers’ Claims for Legal Malpractice Against Defense Counsel Hired for Their Insureds
John S. Wilkerson, III and Jeffrey T. Stover .......... 305

Professional Liability Insurance Coverage for Law Firms: Understanding Key Policy Provisions and Educating Your Firm’s Attorneys
Charles J. Baker III .......... 315

Landfall: Tropical Storms and Producer Pitfalls
James D. Ebanks and Christian R. Johnson .......... 330

Skyrocketing Litigation Costs Compel Broad Revision of the Federal Rules of Civil Procedure: A Review of Proposed Rule Changes Submitted by the FDCC, LCJ and Other Defense Groups to Standing Committee on Rules of Practice and Procedure
Howard Merten and Alexandra W. Pezzello .......... 346

FDCC Quarterly / Spring 2011


Health Care Reform in the United States: HITECH Act and HIPAA Privacy, Security, and Enforcement Issues†

Amy E. Kempfert and Benjamin D. Reed

I. Introduction

The Health Insurance Portability and Accountability Act (“HIPAA”) was enacted on August 21, 1996.[1] The Act encompasses five separate Titles. Title II of HIPAA, known as the Administrative Simplification provisions, requires the Secretary of the U.S. Department of Health and Human Services (“HHS”) to promulgate standards for the electronic exchange of health care transactions, as well as privacy and security standards for safeguarding and protecting the privacy of an individual’s personal health information. The Administrative Simplification provisions have been codified at 45 C.F.R. §§ 160, 162, and 164. The standards are meant to improve the efficiency and effectiveness of the nation’s health care system by encouraging the widespread use of electronic data interchange, while providing appropriate safeguards to protect the privacy of individuals’ health information by placing limits on the access, use, and disclosure of protected health information (“PHI”). HIPAA has historically applied only to health plans, health care clearinghouses, and health care providers, otherwise known as “covered entities.”[2] However, few—if any—covered entities carry out each health care function, service, or activity themselves; rather, they enlist the services of numerous third-party businesses and individuals, termed “business associates.”[3] HIPAA requires covered entities to enter into contractual agreements with business associates, called “business associate agreements.”[4] These agreements expressly define the permitted uses and disclosures of PHI and mandate the use of specified procedures to adequately safeguard PHI. Technically, covered entities are permitted to disclose an individual’s PHI to a business associate only if the covered entity obtains the proper assurances (through the agreement) that the business associate will safeguard and not misuse the information. However, many covered entities do not even know about this requirement, let alone have such agreements in place. Because HIPAA did not apply directly to business associates, they were not directly liable for failing to comply with its provisions. Rather, if a business associate violated HIPAA, the only applicable remedy was for the covered entity to sue for breach of contract.

HIPAA’s privacy, security, and enforcement provisions have been widely criticized for providing inadequate protections against improper access, use, and disclosure of PHI and for providing inadequate individual rights governing access, use, and disclosure of one’s PHI. Additionally, HIPAA has been attacked for casting too narrow of a compliance net to include third-party business associates, who often have equivalent access to PHI without the threat of an enforcement action for a HIPAA violation. By the same token, enforcement under HIPAA has historically been lax at best. Coupled with the low monetary penalties for non-compliance, HIPAA enforcement regulations were considered to be undeterring, failing to result in any meaningful compliance and providing credence to the view that HIPAA was merely a “paper tiger.”[5]

On February 17, 2009 Congress passed the Health Information Technology for Economic and Clinical Health (“HITECH”) Act as part of the American Recovery and Reinvestment Act (“ARRA”).[6] Among other provisions, one of the major purposes of the HITECH Act is to improve the nation’s health care through Health Information Technology (“HIT”)[7] by promoting the “meaningful use” of electronic health records (“EHR”) through various incentives. The HITECH Act provides financial incentives to health care providers to adopt an EHR system prior to the end of 2015, and financial disincentives for failing to do so. The HITECH Act also provides funding for a national EHR infrastructure, state collaboration, effectiveness research, as well as HIT training and education for health care professionals.

Amy E. Kempfert is a shareholder in the law firm of Best & Sharp P.C. in Tulsa, Oklahoma where she focuses her practice in the areas of medical negligence, health care law, employment law, and products liability. She is admitted to practice in Oklahoma and before the United States Supreme Court, the United States Court of Appeals for the Tenth Circuit, and the United States District Courts for the Eastern, Western and Northern Districts of Oklahoma. Ms. Kempfert is a Fellow of the American College of Trial Lawyers. She is a member of the Tulsa County Bar Association, the Oklahoma Bar Association, the American Bar Association, the Federation of Defense and Corporate Counsel, the American Society of Law, Medicine and Ethics, Defense Research Institute, and the Oklahoma Association of Defense Counsel. Ms. Kempfert is a founding member (Master) of the Hudson-Hall-Wheaton Chapter of the American Inns of Court.

Benjamin D. Reed is an attorney with the law firm of Best & Sharp P.C. in Tulsa, Oklahoma where he focuses his practice in the areas of medical malpractice defense and general insurance defense. Mr. Reed received his J.D. with honors in 2009 from University of Tulsa College of Law. During his law school career, Mr. Reed served as an Editor on the Tulsa Law Review. He was also the recipient of five CALI Excellence for the Future Awards and the George and Jean Price Award for Legal Reasoning, Analysis and Writing II. Mr. Reed is admitted to practice in Oklahoma and before the United States District Courts for the Eastern, Western and Northern Districts of Oklahoma. He is a member of the Tulsa County, Oklahoma and American Bar associations.

† Submitted by the authors on behalf of the FDCC Healthcare Practice section.
[1] Health Insurance Portability and Accountability Act, Pub. L. No. 104–191, 110 Stat. 1936 (1996).
[2] 45 C.F.R. §§ 160.102–.103 (2010).
[3] Id. § 160.103.
[4] Id. § 164.504(e).
[5] Karen Southwick, Health Care’s Paper Tiger: Doctors, Companies Lag Behind Technology Mandate, CNET News (Feb. 26, 2004, 4:00 AM), http://news.cnet.com/Health-cares-paper-tiger/2009-1012_3-5165294.html.
[6] American Recovery and Reinvestment Act of 2009, Pub. L. No. 111–5, 123 Stat. 115.
[7] The HIT provisions of the ARRA are found primarily in Title XIII, Division A, Health Information Technology, and in Title IV, Division B, Medicare and Medicaid Health Information Technology. These titles together comprise the HITECH Act.


Precisely because this legislation anticipates a substantial increase and expansion in the exchange of electronic protected health information (“ePHI”), the HITECH Act provides significant modifications to HIPAA privacy, security, and enforcement provisions and creates new notification requirements for breaches of unsecured PHI (“uPHI”). The modifications and additions to HIPAA will inevitably cause covered entities and business associates to substantially and dramatically alter current practices. Among other things, the HITECH Act (1) extends the applicability of the HIPAA security and privacy rule provisions to business associates; (2) requires covered entities and business associates to provide notification of breaches of uPHI; (3) establishes new limitations and opt-out provisions governing the use and disclosure of PHI for marketing and fundraising communications; (4) prohibits the sale of PHI; (5) restricts the uses and disclosures of PHI to the “minimum necessary”; (6) expands individuals’ rights to access their PHI, to receive an accounting of disclosures of their PHI, and to obtain certain restrictions on the disclosures of their PHI; (7) increases the potential civil and criminal liability for non-compliance; and (8) provides for greater enforcement.

The HITECH Act makes certain HIPAA provisions directly applicable to business associates.
For instance, the Act establishes that business associates must now comply with the HIPAA Security Rule provisions and certain Privacy Rule provisions; it provides that the violation of an applicable Privacy or Security Rule provision by the business associate is considered a HIPAA violation for which the business associate is subject to civil and criminal penalties and fines;[8] it modifies the definition of business associate to include additional organizations not previously covered under the definition; it adds mandatory provisions to all business associate agreements; and it imposes new notification requirements in the event of a security breach.

The majority of the HITECH Act provisions related to HIPAA technically went into effect on February 17, 2010 (although some effective dates were earlier or later). However, HHS has not yet promulgated final rules for a majority of the HITECH Act’s provisions. For instance, on July 14, 2010 HHS submitted its Notice of Proposed Rulemaking (“NPRM”) to modify the Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”), the Security Standards for the Protection of Electronic Protected Health Information (the “Security Rule”), and the rules pertaining to Compliance and Investigations, Imposition of Civil Money Penalties, and Procedures for Hearings (the “Enforcement Rule”) issued under HIPAA.[9] During the sixty-day period in which comments could be submitted regarding the proposed rules, HHS received thousands of pages of comments from hundreds of different organizations. HHS recently announced in its semi-annual regulatory update[10] that the proposed deadline for issuing the final rule on modifications to HIPAA Privacy, Security, and Enforcement Rules is March, 2011. As of February 2011, most industry experts predict that the final rule will be issued sometime in the third or fourth quarter of 2011, along with the updated final rules on breach notification requirements. While final agency rules do not typically vary dramatically from the NPRM, the copious comments from divergent organizations could result in changes to the final rules, although it is impossible to predict what changes, if any, will be made. Hopefully, final regulations will come sooner rather than later, given the ever-increasing alterations to the health and information privacy and security landscape in the United States.[11] Regardless of when the “actual” date arrives, it cannot be overemphasized that these changes will have far-reaching and dramatic implications for both medical and legal practices throughout the country. This Article will attempt to provide a summary of HIPAA as it exists, a concise summary of how it has changed through the passage of the HITECH Act and the attendant federal regulations that are currently in effect, and notable tidbits of the foreseeable changes to the HIPAA landscape as best estimated from the provisions of the proposed rules that are not yet in effect.

[8] These penalties and fines have increased dramatically. See infra Part V.
[9] Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act, 75 Fed. Reg. 40,868 (proposed July 14, 2010).
[10] Unified Agenda, 75 Fed. Reg. 79,708 (Dec. 20, 2010).

II. Privacy Rule

A. Introduction

The Privacy Rule[12] represents national standards to protect the private health information of individuals by mandating appropriate safeguards and restrictions on the access, use, and disclosure of PHI without prior authorization from those individuals. The Privacy Rule also attempts to vest certain individual rights and established procedures for people to understand, and, to some degree, control how their health information is utilized. One of the goals in drafting the Privacy Rule was to strike a balance between protecting private health information and enabling the exchange of health information essential for quality of care and vital public purposes. The Privacy Rule attempts to be comprehensive in its scope insomuch as it attempts to cover the gamut of potential uses and disclosures of PHI with the understanding that a certain amount of flexibility is necessary as a result of the diverse health care market in the United States.

[11] Although federal agencies will have their hands full with the onslaught of legislation passed in the last several years, including, in addition to the HITECH Act, the much-debated “health care reform” legislation (which is more aptly characterized as “health insurance reform”), from the Patient Protection and Affordable Care Act, Pub. L. No. 111–148, 124 Stat. 119 (2010), along with the Health Care and Education Reconciliation Act of 2010, Pub. L. No. 111–152, 124 Stat. 1029.
[12] The Privacy Rule provisions are located in 45 C.F.R. Part 160 and Subparts A and E of Part 164.


B. Who is “Covered” by the HIPAA Privacy Rule?

The Privacy (and Security) Rule provisions apply to health plans,[13] health care providers,[14] and health care clearinghouses,[15] aptly termed “covered entities.”[16] However, the vast majority of covered entities do not carry out each health care function, service, or activity themselves; rather, they enlist the services of numerous third-party business associates. The drafters of the Privacy Rule thus required covered entities to enter contractual “business associate agreements” with any third party who performs certain functions, activities, or services for, or on behalf of, the covered entity, when such function, activity, or service involves the use or disclosure of “individually identifiable health information.”[17]

1. What is a Business Associate under HIPAA?

A business associate is defined as a third-party individual or entity (who is not a member of the covered entity’s “workforce”[18]) that performs certain functions or activities[19] involving the use or disclosure of PHI on behalf of a covered entity, or who provides certain services[20] to the covered entity.[21] Some examples of business associates include

• An accountant who requires access to PHI to perform an audit or other financial accounting service to the covered entity;

• A defense attorney who will need to access and use PHI to provide legal services to a doctor in a medical malpractice lawsuit;

• Claims processing services;

• Consultants who perform utilization reviews for hospitals; and

• Patient billing services.

[13] Health plans include health insurance companies, HMOs, company health plans, and government programs such as Medicare, Medicaid, and the military and veterans’ health care programs. See 45 C.F.R. § 160.103 (2010). There are certain exclusions that apply. Id.
[14] Health care providers include providers of services (such as hospitals), providers of medical or health services (such as doctors or dentists), and any other person or organization that furnishes, bills, or is paid for health care in the normal course of business. See id. The definition of covered entity, however, is restricted to only those health care providers who transmit health information in electronic form in connection with a transaction covered by HIPAA. See id. § 160.102. “Transaction” is defined in 45 C.F.R. § 160.103, and includes eleven types of transactions. The transaction standards (“Administrative Requirements”) are located in 45 C.F.R. Part 162.
[15] Health care clearinghouses include entities that process health information they receive from another entity into a standard transaction (i.e., standard electronic format or data content), and entities that receive a standard transaction from another entity and process the health information into a non-standard format for that entity. See 45 C.F.R. § 160.103 (2010).
[16] See id. §§ 160.102–.103.
[17] Id. § 160.103.
[18] “Workforce” means a person or entity whose conduct in working for the covered entity is under the direct control of the covered entity, whether or not they are paid by the covered entity. See id.
[19] The functions and activities include claims processing, data analysis, utilization review, and billing. See id.
[20] The services are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. See id.
[21] See id. A covered entity can be considered the business associate of another covered entity. Id.

In addition, there are exceptions to who or what qualifies as a business associate necessitating a business associate agreement, including (1) a person or entity whose function or service provided to the covered entity does not involve the use or disclosure of PHI and where any access to PHI is incidental (such as a cleaning service); (2) a health care provider who receives disclosures from other covered entities for treatment of the individual; and (3) disclosures of PHI for research purposes (with certain limitations).

2. Business Associate Agreements

Business associate agreements expressly define the permitted uses and disclosures of PHI and mandate the use of specified procedures to adequately safeguard individuals’ PHI.[22] The business associate agreement must contain certain specified elements and contractual language.[23] The covered entity is permitted to disclose PHI to the business associate only after obtaining the necessary assurances—through the business associate agreement—that the business associate will properly safeguard and not misuse the PHI.[24] As previously discussed, the original Privacy and Security Rule provisions were applicable only to “covered entities.” Business associates were not directly covered under HIPAA. Instead, they were covered indirectly through their contractual agreements with the covered entity. This means that business associates were not directly liable to the government for violating HIPAA, and the only remedy against a business associate for a HIPAA violation was an action for breach of contract on the part of the covered entity.

[22] Id. §§ 164.502(e), 164.504(e).
[23] Id. § 164.504(e)(2).
[24] However, when a covered entity knows a business associate committed a material breach or violation of the business associate agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation in order to be considered “in compliance” with HIPAA. If such steps are unsuccessful, the covered entity must terminate the contract, if feasible. Id. § 164.504(e)(1)(ii)(a). If terminating the contract is not feasible, a covered entity is required to report the problem to the Office of Civil Rights (“OCR”), the agency given the task of administering and enforcing the Privacy and Security Rules. Id. § 164.504(e)(1)(ii)(b).


3. Who is “Covered” by the HIPAA Privacy Rule after the HITECH Act?

Pursuant to the HITECH Act, effective February 17, 2010[25] business associates must now comply with the Privacy Rule provisions made applicable to them via their business associate agreements.[26] Furthermore, any additional privacy provisions contained in the business associate agreement that apply to covered entities also directly apply to business associates. These new requirements must be incorporated into the business associate agreements between the covered entity and business associate. Finally, a violation of any applicable Privacy Rule provision by the business associate is now a HIPAA violation for which business associates are directly accountable. The HITECH Act also modifies the definition of business associate to include additional organizations or entities that are not covered under the existing definition.[27] For example, any organization that transmits PHI data to a covered entity or business associate and that requires access to such PHI on a routine basis (such as a Health Information Exchange Organization, Regional Health Information Organization, or E-prescribing Gateway) is now considered a business associate for purposes of the Privacy and Security Rules and must enter a business associate agreement[28] with a covered entity or other business associate. The same holds true for any vendor that contracts with a covered entity to allow the covered entity to offer a personal health record (“PHR”) to patients as part of its EHR system. Given the strengthened enforcement provisions under the HITECH Act, which include enhanced monetary fines and require mandatory compliance audits, it would appear that the business associate agreement will be a relatively simple audit issue: Is there a business associate agreement in place where one is required, and if so, does it contain the necessary provisions?

C. What Type of Health Information Is Protected?

1. Protected Health Information

HIPAA applies to and protects PHI. PHI is defined as “individually identifiable health information” transmitted or maintained by a covered entity or its business associate, in any form or media.[29] “Individually identifiable health information” (“IIHI”) is a subset of “health information” (“HI”),[30] and includes demographic data collected from the individual that

1) is created or received by a covered entity; and

2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

a) that identifies the individual; or

b) provides a reasonable basis to believe the information can be used to identify the individual.[31]

[25] While February 17, 2010 was the technical compliance date set forth in the statute for applying the Privacy Rule to business associates, HHS has advised that the actual compliance date will be 180 days after the final rules are published, which will be sometime in 2011.
[26] 42 U.S.C.A. § 17934 (West 2010).
[27] Id. § 17938.
[28] As described in the Privacy and Security Rules, 45 C.F.R. §§ 164.502(e) and 164.308(b), respectively.

D. Rules for Use and Disclosure of Protected Health Information

1. General Principles

The Privacy Rule sets forth general limitations on the use and disclosure of PHI by allowing PHI to be used and disclosed (1) as permitted, (2) as required, and (3) as authorized by the individual (or his or her personal representative).[32] A covered entity is required to disclose PHI in the following circumstances: (1) to individuals when they request access to their PHI, or when they request an accounting of disclosures of their PHI;[33] and (2) to the Secretary of HHS when he or she is undertaking an enforcement action or compliance investigation or review.[34]

[29] 45 C.F.R. § 160.103 (2010). Employment records that a covered entity maintains in its capacity as an employer, and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, are excluded from the definition of PHI.
[30] Health Information means any information, whether oral or recorded in any form or medium, that (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. 45 C.F.R. § 160.103 (2010).
[31] Id. There are no restrictions, however, on the use or disclosure of deidentified health information. Id. §§ 164.502(d)(2), 164.514(a)–(b). HI that does not identify an individual or provide a reasonable basis to identify an individual is considered deidentified health information.
[32] Id. § 164.502(a). An overarching principle is that a covered entity should use and disclose only the minimum amount of PHI necessary to achieve the desired purpose. Id. § 164.502(b)(1). The HITECH Act makes this a fundamental requirement for access, use, and disclosure of PHI.
[33] Id. § 164.502(a)(2)(i). Requests for access to or accounting of disclosures are discussed infra Part II.E.2–.3.
[34] 45 C.F.R. § 164.502(a)(2)(ii) (2010); see also id. § 160.300–.316.

  • Health Care Reform in the United States

    249

    2. Permitted Disclosure of PHI Without an Authorization

    The Privacy Rule permits a covered entity to use or disclose PHI (1) to the individual (unless required); (2) for treatment, payment, and health care operations; (3) incident to an otherwise permitted or required use or disclosure; (4) pursuant to an agreement where the individual has received the opportunity to agree or object; (5) for specified important public interest or public benefit activities; and (6) pursuant to a limited data set for the purposes of research, public health, or health care operations.35

    a. To the Individual

    Depending on the circumstances, a covered entity may be either permitted or required to disclose an individual’s PHI to that individual.

    b. Treatment, Payment, and Health Care Operations36

    A covered entity is permitted to use and disclose PHI for its own treatment, payment, and health care operations activities.37 A covered entity is also permitted to disclose PHI for (1) any health care provider’s treatment activities; (2) payment activities of another covered entity or any health care provider; or (3) health care operations of another covered entity that involve quality or competency assurance activities or fraud and abuse detection and compliance activities, provided both covered entities have or had a relationship with the individual and the PHI relates to that relationship.38 The covered entity is not obligated to obtain the consent of the individual whose PHI is being disclosed.39 The Privacy Rule does not contain provisions on how to obtain consent, or what information must be included in a consent form.

    c. Incidental Use and Disclosure

    Uses or disclosures of PHI that are merely incident to an otherwise permitted use or disclosure are permitted, so long as reasonable safeguards (as specified in the regulations) have been adopted.40

    d. Uses and Disclosures with Opportunity to Agree or Object

    A covered entity is permitted to use and disclose an individual’s PHI for facilities directories and notification purposes, so long as the person is informed in advance of his or her right to agree or object. If the individual is incapacitated or in an emergency situation

    35 Id. § 164.502(a)(1)(i)–(vi).
    36 Treatment, payment, and health care operations are defined in 45 C.F.R. § 164.501.
    37 Id. § 164.506(c)(1).
    38 Id. § 164.506(c)(2)–(4).
    39 Id. § 164.506(b)(1).
    40 Id. § 164.502(a)(1)(iii).

  • FDCC Quarterly/Spring 2011

    250

    and an opportunity to agree or object cannot practicably be provided, a covered entity is permitted to use and disclose PHI if, in the exercise of its professional judgment, the use or disclosure is in the best interests of the individual.41

    e. Public Interest and Benefit Activities

    A covered entity is permitted to use or disclose an individual’s PHI without the individual’s authorization or permission for twelve specified public purposes.42 These include (1) uses and disclosures required by law; (2) uses and disclosures for public health activities; (3) disclosures about victims of abuse, neglect, or domestic violence; (4) uses and disclosures for health oversight activities; (5) disclosures for judicial and administrative proceedings;43 (6) disclosures for law enforcement purposes;44 (7) uses and disclosures about decedents; (8) uses and disclosures for cadaveric organ, eye, or tissue donation purposes; (9) uses and disclosures for research purposes;45 (10) uses and disclosures to avert a serious threat to health or safety;46 (11) uses and disclosures for specialized government functions; and (12) disclosures for workers’ compensation.47

    f. Limited Data Set

    This is HI from which specified identifying information of individuals, their relatives, household members, and employers (such as names, addresses, social security numbers, license or vehicle numbers, etc.) has been removed.48 A covered entity may use or disclose PHI in a limited data set for certain purposes, such as research, health care operations, and public health purposes,49 provided a data use agreement has been entered into.50

    41 Id. § 164.510(a)(3).
    42 Id. § 164.512. This section is extremely long and, while the use or disclosure is permitted, there are specific requirements that must be met for each public purpose delineated.
    43 Such disclosures are permitted only through a valid court order or subpoena, and only if a protective order or other adequate safeguards are provided. Id. § 164.512(e).
    44 Law enforcement disclosures are permitted under six circumstances, such as to identify or locate a suspect or to notify law enforcement of possible criminal activity, subject to specified conditions. Id. § 164.512(f).
    45 But only under specified conditions, and subject to appropriate assurances and safeguards. Id. § 164.512(i). A covered entity may also use or disclose, without an individual’s authorization, a limited data set of protected health information for research purposes. See infra Part II.D.2.f.
    46 If believed necessary to prevent or lessen a serious and imminent threat to a person or the public, and when made to someone the covered entity believes can prevent or lessen the threat. 45 C.F.R. § 164.512(j) (2010).
    47 See id. § 164.512(a)–(l).
    48 Id. § 164.514(e).
    49 Id. § 164.514(e)(3)(i).
    50 Id. § 164.514(e)(4).


    3. Disclosure of HI that Requires an Authorization

    In general, the Privacy Rule requires a covered entity to obtain a valid, written authorization from the affected individual for any use or disclosure of psychotherapy notes or PHI for marketing.51

    a. Psychotherapy Notes

    A covered entity must obtain a written authorization for any use or disclosure of psychotherapy notes except

    • the originator of the psychotherapy notes may use them for treatment;
    • the covered entity may use them in its own training program in counseling;
    • to defend itself in legal proceedings brought by the individual;
    • for disclosures to HHS for compliance investigation or review;
    • for disclosures to a health oversight agency for lawful oversight of the originator of the psychotherapy notes; and
    • as required by law.52

    b. Marketing

    Marketing is defined as any communication about a product or service that encourages recipients to purchase or use the product or service.53 However, there are certain health-related communications that are carved out from this definition. Marketing also includes an arrangement between a covered entity and another individual or business in which the covered entity discloses PHI in exchange for direct or indirect remuneration to allow the other party to communicate about its products or services, and that encourage the recipient to use or purchase those products or services. The individual must authorize the use or disclosure of his or her PHI for marketing, except for face-to-face marketing communications and for a covered entity’s provision of promotional gifts of nominal value. No authorization is needed, however, to make a communication that falls within one of the exceptions to the marketing definition. If marketing involves the covered entity receiving direct or indirect remuneration from a third party, the authorization must disclose that remuneration. The HITECH Act alters the Privacy Rule provisions regarding marketing.54 Pursuant to the HITECH Act, a communication by a covered entity or business associate about a product or service that encourages recipients of the communication to purchase or use the product

    51 Id. § 164.508(a)(2)–(3).
    52 Id. § 164.508(a)(2)(i)–(ii).
    53 Id. §§ 164.501, 164.508(a)(3).
    54 42 U.S.C.A. § 17936(a) (West 2010).


    or service is no longer considered a “health care operation.” Furthermore, if a third party pays direct or indirect remuneration55 to send marketing communications to an individual, it is no longer considered to be a “health care operation” except where

    1) the communication describes ONLY a drug or biologic currently being prescribed for or administered to the patient, AND any payment received by the covered entity is “reasonable in amount”;56

    2) the communication is from the covered entity AND the covered entity obtains a proper authorization from the individual; or

    3) the communication is from a business associate on behalf of a covered entity AND the communication complies with the requirements of the business associate agreement.57

    4. Minimum Necessary Standard

    Under the Privacy Rule, covered entities may access, use, and disclose only the minimum amount of PHI necessary to achieve the desired purpose.58 The HITECH Act requires a covered entity to use a “limited data set”59 to the extent it can do so practically, but a covered entity is permitted to use the old “minimum necessary” standard in lieu of the limited data set if necessary to accomplish its intended purpose.60 The Secretary is required to issue guidance no later than eighteen months after the Act’s enactment on what constitutes the “minimum necessary” amount of PHI for purposes of the Privacy Rule provisions.61 Effective February 17, 2010 a covered entity may no longer rely on the entity requesting the data in determining what constitutes the “minimum necessary” amount of PHI;62 it must make

    55 Under the HITECH Act, the term “direct or indirect remuneration” does NOT include payment for an individual’s treatment. Id. § 17936(a)(4).
    56 The term “reasonable in amount” will be determined and defined in upcoming final rules.
    57 Id.
    58 45 C.F.R. § 164.502(b) (2010).
    59 As defined in 45 C.F.R. § 164.514(e)(2). This is health information that excludes a number of categories of information identifying the patient (and the patient’s relatives) and that can be used pursuant to a data use agreement for research, public health, or public health care operations purposes.
    60 42 U.S.C.A. § 17935(b)(1)(A) (West 2010).
    61 Id. § 17935(b)(2).
    62 45 C.F.R. § 164.514(d)(3)(iii) (2010).


    that determination for itself.63 Also, if a covered entity has agreed to a requested restriction by the individual,64 it may not use or disclose that individual’s PHI in a manner inconsistent with the agreement.65 The Privacy Rule provides certain exceptions where a covered entity is not required to limit its use or disclosure to the minimum necessary requirement. These exceptions are expressly continued under the HITECH Act, as well. The minimum necessary requirement is not imposed in any of the following circumstances:

    1) disclosure to or a request by a health care provider for treatment;

    2) disclosure to the individual (or his or her personal representative);

    3) use or disclosure made with the individual’s authorization;

    4) disclosure to HHS for complaint investigation, compliance review, or enforcement;

    5) use or disclosure that is required by law; or

    6) use or disclosure required for compliance with the HIPAA Transactions Rule or other HIPAA Administrative Simplification Rules.66

    E. Privacy Protections and Individual Rights

    The Privacy Rule also provides certain protections and rights to individuals regarding the use and disclosure of their PHI. In addition, the HITECH Act expands the scope of some of these rights, and provides additional protections to the individual.

    1. Privacy Practices Notice

    Subject to certain exceptions, the Privacy Rule provides individuals with the right to adequate notice of a covered entity’s potential uses and disclosures of the individual’s PHI, and of his or her rights and the covered entity’s rights.67 Covered entities must develop, implement, and provide notice written in plain language regarding certain required elements.68 The notice must provide

    63 42 U.S.C.A. § 17935(b)(1)(B) (West 2010). The HITECH Act contains a sunset provision providing that this section shall no longer apply beginning on the effective date of the forthcoming guidance on minimum necessary. Id.
    64 Pursuant to 45 C.F.R. § 164.522(a)(1).
    65 45 C.F.R. § 164.522(a)(3) (2010).
    66 Id. § 164.502(b)(2).
    67 Id. § 164.520(a)(1).
    68 Id. § 164.520(b)(1). A covered entity is also permitted to limit the uses and disclosures it is legally permitted to make, and include this in its notice. Id. § 164.520(b)(2).


    1) a general description of how the covered entity may use and disclose PHI;

    2) a separate description of the uses and disclosures the covered entity is going to make, if those uses or disclosures are specified by statute;

    3) a description of the individual’s rights with respect to PHI and how the individual may exercise those rights;

    4) a statement saying (A) the covered entity is required by law to protect the privacy of an individual’s PHI and provide notice of its legal duties and privacy practices; (B) that the covered entity must abide by the terms of the current notice; and (C) how the covered entity will provide notice of any amendments or revisions to its privacy practices;

    5) a statement informing individuals of their right to complain to the covered entity and to HHS if they believe their privacy rights have been violated, a description of how to file a complaint, and a statement that the individual will not be retaliated against for filing a complaint;

    6) contact information for how to receive additional information; and

    7) the notice’s effective date.

    Covered entities are required to promptly revise and re-distribute their notice in the event of a material change in any of the applicable notice provisions.69 A covered entity must make its notice available to any person who requests it.70 In addition, if a covered entity maintains a website that provides information about the entity’s customer services or benefits, it is required to prominently post the notice on its website.71 There are additional notice requirements applicable to health plans and health care providers with a direct treatment relationship with the individual.72 A covered entity may also send notice via email if the individual agrees to electronic notice.73 Except in an emergency, health care providers with a direct treatment relationship with the individual must make a good-faith effort to obtain a written acknowledgment of receipt of the notice, and if not obtained, document its good-faith efforts to obtain the acknowledgment and the reasons it was unable to do so.74 Covered entities are permitted to develop more than one notice in situations where they may perform separate covered functions and the privacy practices between the various functions differ. Covered entities that participate in an organized health care arrangement are permitted to produce a joint notice, so long as each covered entity agrees to adhere to the notice content provisions with respect to PHI created or received pursuant to their participation in the arrangement.75 Covered entities must document their compliance with the notice requirements, as required by their general administrative requirements, by retaining copies of the notices provided.76

    69 Id. § 164.520(b)(3). After the final rules implementing the modifications to HIPAA Privacy, Security, and Enforcement provisions are published, covered entities will have to revise and re-distribute their notices of privacy practices. Id.
    70 Id. § 164.520(c).
    71 Id. § 164.520(c)(3)(i).
    72 See id. § 164.520(c)(1)–(2).
    73 Id. § 164.520(c)(3)(ii).

    2. Access

    In general, an individual has a right of access to inspect and obtain a copy of his or her PHI in a “designated record set” (“DRS”)77 for as long as it is maintained in the DRS, except for certain enumerated exclusions of PHI, such as psychotherapy notes and information compiled for use in civil, criminal, or administrative proceedings.78 If the requested PHI is located onsite, the covered entity typically has thirty days to grant (in whole or in part) or deny the request, and sixty days if it is located offsite.79 There are different requirements depending on whether the covered entity grants or denies the request. An individual may obtain a review of a denial or partial denial if the denial is “reviewable” under the statute.80 If the covered entity grants the request, it must provide a copy of the PHI in the format requested by the individual, if the designated record set is “readily producible” in that format. The Rule also permits the covered entity to charge certain fees for assembling or summarizing a copy of the PHI.81

    74 Id. § 164.520(c)(2)(ii).
    75 Id. § 164.520(d). If one of the covered entities provides the notice, then all are deemed to be in compliance. Id. § 164.520(d)(3).
    76 Id. § 164.520(e). The general administrative requirements concerning documentation are found in 45 C.F.R. § 164.530(j). In the case of a health care provider with a direct treatment relationship with the individual, the covered entity must also retain copies of any written acknowledgment of receipt or documentation of good-faith efforts to obtain such written acknowledgment.
    77 A designated record set is defined in 45 C.F.R. § 164.501 and means a group of medical, billing, enrollment, payment, or claims records maintained by or for a covered entity and used, in whole or in part, by or for the covered entity in rendering decisions about individuals.
    78 Id. § 164.524(a)(1).
    79 Id. § 164.524(b)(2).
    80 Id. § 164.524(d). A denial is reviewable if it meets the requirements set forth in 45 C.F.R. § 164.524(a)(3).
    81 Id. § 164.524(c)(4).


    The HITECH Act supplements the Rule as follows: if a covered entity has implemented an EHR system, individuals now have a right to obtain a copy of their PHI in an electronic format.82 The HITECH Act does not alter the timeframe within which the covered entity must comply with the request. An individual can also designate that a third party be the recipient of the ePHI so long as the designation is “clear, conspicuous, and specific.”83 Under the HITECH Act, a covered entity may not charge a fee greater than its labor costs for providing a copy or summary of an individual’s PHI in electronic form. Finally, consistent with a covered entity’s general administrative requirements, covered entities must document84 the designated record sets that are subject to access by individuals and the titles of the persons or offices responsible for receiving and processing requests for access by individuals.85

    3. Accounting of Disclosures

    Under the Privacy Rule, individuals have the right to an accounting of the disclosures of their PHI made by a covered entity or its business associates over the six years immediately preceding the request.86 However, there are numerous disclosures that are specifically exempted from accounting requirements, including disclosures made

    1) for treatment, payment, or health care operations;

    2) to the individual or the individual’s personal representative;

    3) to persons involved in an individual’s health care or payment for health care, for disaster relief, or for facility directories;

    4) with the individual’s authorization;

    5) for national security or intelligence purposes;

    6) to correctional institutions or law enforcement officials for certain purposes regarding inmates or individuals in lawful custody; or

    7) incident to otherwise permitted or required uses or disclosures.87

    82 Health Information Technology for Economic and Clinical Health Act (HITECH Act), Pub. L. No. 111–5, § 13405(e), 123 Stat. 115 (2009). The rules regarding modifications to access are contained in the NPRM issued on July 14, 2010. The final rules should be published sometime in 2011.
    83 HITECH Act § 13405(e)(1).
    84 And retain such documentation, as required by 45 C.F.R. § 164.530(j).
    85 45 C.F.R. § 164.524(e) (2010).
    86 Id. § 164.528.
    87 Id. § 164.528(a)(1). The covered entity’s accounting for disclosures to health oversight agencies and law enforcement officials must be temporarily suspended upon receipt of their written representation that an accounting would likely impede their activities. Id. § 164.528(a)(2).


    The HITECH Act changes the accounting requirements for any covered entity that “uses or maintains an electronic health care record” with respect to PHI.88 Most significantly, there is no longer an exception for disclosures for “treatment, payment, and health care operations.” Moreover, the accounting period is limited to the previous three years. The Act requires the Secretary to promulgate regulations89 to define what information needs to be collected about each disclosure, taking into account (1) the interests of individuals in learning under what circumstances their PHI is being disclosed, and (2) the administrative burden of accounting for such disclosures. These regulations must be promulgated within six months after the Secretary adopts standards on accounting for disclosures.90 The HITECH Act provides that covered entities using or maintaining an EHR system now have the following options in responding to an individual’s request for an accounting:

    1) Covered entities may include the disclosures they made, as well as the disclosures made by their business associates; or

    2) Covered entities may include the disclosures they made, and provide a list of all business associates acting on their behalf, which must include contact information for each (such as mailing address, phone number, or email address).

    Upon receiving a list of business associates from a covered entity, the individual must then request an accounting of disclosures directly from the business associate, and the business associate must comply with the request. For covered entities that acquired an EHR as of January 1, 2009, the accounting provisions apply to disclosures of PHI from the EHR on and after January 1, 2014. For covered entities that acquired an EHR after January 1, 2009, the accounting provisions apply to disclosures of PHI from the EHR on and after the later of (1) January 1, 2011; or (2) the date the covered entity acquires an EHR. The Secretary has the authority to change the applicable effective date, if he or she determines that a later date is necessary, but in no case may the date be later than

    1) 2016 for pre-January 1, 2009 EHR acquisitions; and

    2) 2013 for post-January 1, 2009 EHR acquisitions.

    88 HITECH Act § 13405(5)(c). The term “electronic health record” means an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff. Id. § 13400(5).
    89 The proposed rule on accounting for disclosures of EHRs was sent by the OCR on February 9, 2011 to the Office of Management and Budget (“OMB”) for final review prior to publication.
    90 See 42 U.S.C.A. § 300jj–11 (West 2010).


    4. Request for Restrictions

    The Privacy Rule provides individuals with the right to request that a covered entity restrict certain uses and disclosures of PHI for treatment, payment, or health care operations, and restrict certain permitted disclosures to notify family and other specified individuals regarding the individual’s condition, location, or death.91 Covered entities are under no legal duty to agree to the restrictions, but if the covered entity does agree, it must comply with the restrictions except for purposes of medical treatment in the case of an emergency.92 The HITECH Act now provides that there are certain circumstances when a covered entity is obligated to comply with an individual’s request for restrictions.93 The Act now mandates that covered entities and their business associates comply with an individual’s request to restrict their PHI if (1) except as otherwise required by law, the disclosure is to a health plan for purposes of carrying out (i) payment, or (ii) healthcare operations, and (iii) not for purposes of carrying out treatment; AND (2) the PHI pertains solely to a health care item or service for which the health care provider involved has been paid out-of-pocket in full.94

    5. Request for Amendment

    The Privacy Rule provides individuals with the right to request that covered entities amend their PHI maintained in a DRS, typically when such information is alleged to be inaccurate or incomplete.95 The covered entity has sixty days to respond to the request. If the covered entity agrees to the amendment, it is required to make reasonable efforts to provide the amended information to those who the individual has identified, as well as to business associates and others the covered entity knows may rely on the previous information to the individual’s detriment. If the request is denied,96 covered entities must provide the individual with a written denial and allow the individual to submit a statement of disagreement for inclusion in the record. If the covered entity receives notice to amend from another covered entity, it must amend the PHI maintained in its designated record set.

    91 45 C.F.R. § 164.522(a) (2010).
    92 Id. It should be noted that such an agreement is not effective to prevent uses or disclosures permitted or required under 45 C.F.R. §§ 164.502(a)(2)(ii), 164.510(a), or 164.512. See id. § 164.522(a)(1)(v).
    93 HITECH Act § 13405(a).
    94 Id.
    95 45 C.F.R. § 164.526 (2010). There are specific processes provided for requesting an amendment and responding to such request.
    96 Covered entities may deny an individual’s request for amendment only under certain circumstances where the covered entity (1) may exclude the information from access by the individual; (2) did not create the information (unless the individual provides a reasonable basis to believe the originator is no longer available); (3) determines that the information is accurate and complete; or (4) does not hold the information in its designated record set. Id. § 164.526(a)(2).


    6. Confidential Communications Requests

    In general, covered entities must accommodate reasonable requests to receive communications by alternate means or to a location other than that typically utilized by the covered entity.97 Covered entities may condition their compliance on the individual specifying an alternative address or method of contact and explaining how any payment will be handled.

    F. Administrative Requirements

    Covered entities are required to comply with certain administrative requirements set forth in the Privacy Rule, which are divided into “Standards” and “Implementation Specifications.”98 For instance, covered entities must develop and implement written policies and procedures with respect to PHI that are designed to be consistent with the Privacy Rule.99 Covered entities must also designate a privacy official responsible for implementing the rules, and a contact person or office for receiving and handling complaints.100 Covered entities must provide training to all members of their workforce regarding PHI as it may apply to them and as necessary to appropriately perform their jobs, and such training must be documented.101 Covered entities must also have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.102 Covered entities must also provide a process for individuals to make complaints, and complaints must be documented.103 Covered entities must enforce appropriate sanctions against members of their workforce who do not comply with the rules, and document such sanctions.104 Covered entities must mitigate, to the extent practicable, any harmful effects caused by the inappropriate disclosure of PHI.105 Covered entities must refrain from intimidating or retaliating against an individual for exercising an established individual right.106 Covered entities may not require individuals to waive their rights under the rules as a condition to providing treatment, payment, enrollment in a health plan, or eligibility for benefits.107

    97 Id. § 164.522(b).
    98 Id. § 164.530.
    99 Id. § 164.530(i).
    100 Id. § 164.530(a).
    101 Id. § 164.530(b).
    102 Id. § 164.530(c). This requirement in the Privacy Rule, while vague, is discussed in greater detail under the Security Rule requirements.
    103 Id. § 164.530(d).
    104 Id. § 164.530(e).
    105 Id. § 164.530(f).
    106 Id. § 164.530(g).
    107 Id. § 164.530(h).


    The most important aspect of the Privacy Rule’s administrative requirements, given the HITECH Act’s new provisions for mandatory auditing, would appear to be the documentation requirement.108 Among other things, a covered entity must (1) maintain the policies and procedures in written or electronic form; (2) maintain a written or electronic copy of any communication that is required to be documented; and (3) maintain a written or electronic record of any action, activity, or designation that is required to be documented.109 This requirement would likely be a fairly easy auditable issue going forward under the HITECH Act’s new mandatory auditing requirements, as it is relatively simple to ascertain whether a covered entity has maintained the required documentation.

    III. Security Rule

    To address the data security threats associated with the electronic storage and transmission of private health information, HHS enacted the Security Rule under HIPAA. The Security Rule is part of the larger Privacy Rule established in the Privacy Rule administrative safeguards provision. The Security Rule delineates administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI.

    A. Who is “Covered” Under the HIPAA Security Rule?

    HIPAA Security Rule provisions governing administrative safeguards,110 physical safeguards,111 technical safeguards,112 and policy and procedure documentation requirements113 now apply to business associates in the same manner as they do to covered entities.114 Moreover, all new Security provisions contained in the HITECH Act that are imposed upon covered entities are also imposed upon business associates. As with the new Privacy Rule provisions contained in the HITECH Act, all additional Security Rule requirements must likewise be implemented into the business associate agreement between the covered entity and the business associate. As mentioned several times, business associates are now directly accountable to the federal government (and perhaps to state governments)115 for applicable HIPAA Security Rule provision violations.

    108 Id. § 164.530(j).
    109 Id.
    110 Id. § 164.308.
    111 Id. § 164.310.
    112 Id. § 164.316.
    113 Id.
    114 42 U.S.C.A. § 17931 (West 2010).
    115 See State Attorney General Enforcement, infra Part V.F.


    B. What Type of Health Information is Protected?

    Whereas the Privacy Rule protects HI contained in any form or media, the Security Rule focuses on protecting IIHI created, received, maintained, or transmitted in electronic form (i.e., ePHI).116

    C. How to Protect: Safeguards

    1. General Requirements

    The Security Rule establishes four general requirements for the covered entity or business associate: (1) ensure the “confidentiality, integrity, and availability”117 of electronic health information created, received, maintained, or transmitted; (2) protect against reasonably anticipated threats to the information’s security or integrity; (3) safeguard against impermissible uses and disclosures; and (4) ensure workforce compliance with the Rule.118 Because HIPAA applies to such a broad spectrum of covered entities (and now through the HITECH Act, business associates), the Rule provides a certain amount of flexibility in choosing how to “reasonably and appropriately” implement standards, so long as the following are taken into account: (1) the size, complexity, and capabilities of the covered entity or business associate; (2) the technical infrastructure, hardware, and software security capabilities of the covered entity or business associate; (3) the financial costs of implementing security measures; and (4) the probability and criticality of potential risks to ePHI security breaches.119 The Security Rule provides mandatory “standards” along with “implementation specifications” on how to satisfactorily comply with the outlined standards.120 Implementation specifications are either “required” or “addressable.”121 Required implementation specifications must be implemented. Addressable implementation specifications must be assessed and implemented as specified if reasonably appropriate. If not implemented, the reason why must be documented and an “equivalent alternative measure” must be implemented if reasonably appropriate.122 Security measures implemented must be reviewed and modified as needed to ensure continued protection of ePHI and compliance with the Security Rule.123

    116 45 C.F.R. § 160.103 (2010).
    117 “Confidentiality means the property that data or information is not made available or disclosed to unauthorized persons or processes.” Id. at § 164.304. “Integrity means the property that data or information have not been altered or destroyed in an unauthorized manner.” Id. “Availability means the property that data or information is accessible and useable upon demand by an authorized person.” Id.
    118 Id. § 164.306(a).
    119 Id. § 164.306(b).
    120 Id. § 164.306(c)–(d).
    121 Id. § 164.306(d)(1).
    122 Id. § 164.306(d)(3). If no alternative measure is implemented, justification must also be provided for why no alternative was feasible.
    123 Id. § 164.306(e).

  • FDCC Quarterly/Spring 2011

    262

    2. Administrative Safeguards

    The Security Rule provides the following Administrative Safeguard Standards and implementation specifications for covered entities and business associates.

    • Security Management Process.124 Implement policies and procedures to prevent, detect, contain, and correct security violations. This Standard has four required implementation specifications:

    1) Risk analysis: conduct and assess the potential risks and vulnerabilities to ePHI;

    2) Risk management: implement security measures that reduce identified risks and vulnerabilities to a reasonable and appropriate level;

    3) Sanction policy: establish and apply appropriate sanctions against noncompliant workforce members;

    4) Information system activity review: implement procedures to regularly review records of information system activity.

    • Assigned Security Responsibility.125 Identify the security official responsible for developing and implementing appropriate security policies and procedures.

    • Workforce Security.126 Implement policies and procedures to ensure that only appropriate members of the workforce have access to ePHI. This should include, where appropriate, authorization and supervision procedures for employees who access ePHI, workforce clearance procedures to ensure ePHI access by employees is appropriate, and termination procedures to ensure employee access to ePHI is appropriately cut off at the end of employment.

    • Information Access Management.127 Implement policies and procedures for authorizing, limiting, and modifying access to ePHI that are consistent with the applicable requirements of the Privacy Rule.

    • Security Awareness and Training.128 Implement a security awareness and training program for all employees, and also implement appropriate security measures such as periodic security reminders and updates, virus and other malicious software protection, log-in monitoring, and password management.

    124 Id. § 164.308(a)(1).
    125 Id. § 164.308(a)(2).
    126 Id. § 164.308(a)(3).
    127 Id. § 164.308(a)(4).
    128 Id. § 164.308(a)(5).

  • Health Care Reform in the United States

    263

    • Security Incident Procedures.129 Implement policies and procedures to identify and respond to known or suspected security incidents, to mitigate harmful effects of security incidents, and to properly document incidents and outcomes. This will include the new Breach Notification standards.130

    • Contingency Plan.131 Establish (and implement as needed) policies and procedures for responding to an emergency or other type of occurrence (such as fire, vandalism, system failure, or natural disaster) that might damage systems that contain ePHI. This includes having a data backup plan, disaster recovery plan, and emergency mode operation plan, and may include periodic testing and revision procedures, and applications and data criticality analysis procedures.

    • Evaluation.132 Perform a periodic assessment of how well the covered entity’s or business associate’s security policies and procedures meet the requirements of the Security Rule.

    • Business Associate Agreements.133 Standards and implementation specifications are the same as those required under the Privacy Rule.

    3. Physical Safeguards134

    • Facility Access Controls.135 Implement policies and procedures to limit physical access to its facilities while ensuring that properly authorized access is permitted.

    • Workstation Use.136 Implement policies and procedures that specify appropriate workstation use.

    • Workstation Security.137 Implement physical safeguards on workstations to restrict access to authorized users.

    • Device and Media Controls.138 Implement policies and procedures governing the transfer, removal, disposal, and re-use of electronic media to ensure appropriate protection of ePHI into, within, and out of a facility.

    129 Id. § 164.308(a)(6).
    130 See infra Part IV.C.
    131 45 C.F.R. § 164.308(a)(7) (2010).
    132 Id. § 164.308(a)(8).
    133 Id. § 164.308(a)(9).
    134 Id. § 164.310.
    135 Id. § 164.310(a).
    136 Id. § 164.310(b).
    137 Id. § 164.310(c).
    138 Id. § 164.310(d).


    4. Technical Safeguards139

    • Access Control.140 Implement technical policies and procedures for electronic information systems that maintain ePHI to ensure only authorized personnel have access to ePHI. These include safeguards for assigning unique user identification names or numbers, establishing emergency access procedures, having an automatic logoff for inactivity, and encryption and decryption mechanism implementation.

    • Audit Controls.141 Implement hardware, software, or procedural mechanisms that record and examine access and activity in information systems that contain or use ePHI.

    • Integrity.142 Implement policies and procedures to ensure that ePHI is protected from improper alteration or destruction.

    • Person or Entity Authentication.143 Implement procedures to verify that an entity wanting access to ePHI is who it claims to be.

    • Transmission Security.144 Implement technical security measures to guard against unauthorized access to ePHI being transmitted over an electronic communications network.

    D. Organizational Requirements145

    The organizational requirements tend to parallel those found in the Privacy Rule with regard to business associate contracts.146 For instance, the standard mandates that a covered entity that knows a business associate is engaging in an activity or practice that constitutes a material breach or violation of the obligations of the business associate under the Privacy or Security Rule must take reasonable steps to cure the breach or end the violation.147 As previously mentioned, an NPRM was issued on July 14, 2010 and included business associate obligations and business associate contracts as described in the HITECH Act.148

    139 Id. § 164.312.
    140 Id. § 164.312(a).
    141 Id. § 164.312(b).
    142 Id. § 164.312(c).
    143 Id. § 164.312(d).
    144 Id. § 164.312(e).
    145 Id. § 164.314.
    146 Id.
    147 Id. § 164.314(a).

    E. Policies and Procedures Documentation149

    This requirement mirrors the documentation requirement of the Privacy Rule insofar as it relates to ePHI. Reasonable and appropriate policies and procedures must be adopted to comply with the provisions of the Security Rule. These written security policies and procedures and written records of required actions, activities, or assessments must be documented and must be maintained for a specified period of time.150 In addition, documentation must be periodically reviewed and updated in response to environmental or organizational changes that affect the security of ePHI.151

    IV. Breach Notification

    The HITECH Act created new requirements for covered entities and business associates to provide appropriate notification in the event of a security breach of PHI.152 Regulations implementing the HITECH Act’s new breach notification requirements are currently in effect and cover breaches occurring on or after September 23, 2009.153 Depending on the circumstances of the breach and number of affected individuals, covered entities are required to notify (1) the individual, (2) the media, or (3) the Secretary of HHS. Business associates are also required to notify the covered entity to enable the covered entity to provide the appropriate notification as required under the new laws.154

    148 Significantly, the NPRM would not only extend applicability of HIPAA Privacy and Security Rules to business associates, but also to “subcontractors” of business associates. And business associates would be required to enter into “subcontractor agreements” ensuring the same types of safeguards and assurances contained in business associate agreements with the covered entity are entered into with the subcontractor. 75 Fed. Reg. 40868, 40873 (July 14, 2010).
    149 Id. § 164.316.
    150 Id. § 164.316(b).
    151 Id. § 164.316(b)(2)(iii).
    152 42 U.S.C.A. § 17932 (West 2010).
    153 45 C.F.R. §§ 164.400–.414 (2010). The Interim Final Rule was published on August 24, 2009 and became effective September 23, 2009. HHS received and reviewed public comments on the rule and developed a final rule that was submitted to the OMB for Executive Order on May 14, 2010. HHS withdrew its final rule from OMB review to allow for further consideration. Until the final rule is published, the Interim Final Rule that went into effect on September 23, 2009 remains in effect.

    A. What is a “Breach”?

    A breach is defined as an impermissible or unauthorized “acquisition, access, use, or disclosure” of PHI pursuant to the Privacy Rule that compromises the security or privacy of the PHI such that the “acquisition, access, use, or disclosure” poses a “significant risk of financial, reputational, or other harm to the individual.”155 However, using or disclosing PHI that does not include the identifiers of a limited data set, date of birth, and zip code is not considered a breach.

    There are three exceptions to the definition of “breach.” The first exception applies to the “unintentional acquisition, access, or use of [PHI] by a workforce member or person acting under the authority of a covered entity or business associate, if . . . made in good faith and within the scope of authority.”156 Second, “[a]ny unintentional acquisition, access or use of [PHI] by a workforce member or person acting under the authority of a covered entity or a business associate” is not a breach if made in good faith and within the person’s scope of authority.157 The final exception to breach applies if the covered entity or business associate has a good-faith belief that the unauthorized individual to whom the impermissible disclosure was made would not have been able to retain the information.158

    B. “Unsecured Protected Health Information” and Guidance

    Covered entities and business associates are only required to provide notification of a breach that involves “unsecured protected health information” (“uPHI”). This is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance.

    154 From the effective date of the Interim Final Rules (September 23, 2009) until the end of 2010, approximately 225 entities reported breaches of uPHI affecting 500 or more individuals, amounting to approximately thirteen reports per month, or 0.44 per day. A recent report by Redspin, Inc., a provider of HIPAA risk analysis and IT security assessment services, found that the 225 breaches affected 6,067,751 individuals, that forty-three states plus the District of Columbia and Puerto Rico had suffered at least one breach affecting more than 500 individuals, that 61% of breaches were the result of malicious intent and that 40% of records breached involved business associates. Redspin, Breach Report 2010: Protected Health Information 1–4 (2011), available at http://www.redspin.com/docs/WP_Redspin_2010_Protected_Health_Information_Breach_Report.pdf.
    155 45 C.F.R. § 164.402 (2010).
    156 Id. § 164.402(2)(i) (emphasis added).
    157 Id. § 164.402(2)(ii). In the first and second exception, there can be no further use or disclosure in a manner not permitted by the Privacy Rule.
    158 Id. § 164.402(2)(iii).


    Guidance was issued in April 2009159 with a request for public comment, and was later reissued specifying encryption and destruction as the technologies and methodologies for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals.160

    C. Breach Notification Requirements

    Notification requirements are triggered for covered entities and business associates following the “discovery” of a breach of uPHI. A breach is treated as “discovered” by a covered entity as of the first day on which the breach is known (or, by exercising reasonable diligence, would have been known) to the covered entity. A covered entity shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity (determined in accordance with the federal common law of agency). Covered entities are required to comply with the administrative requirements contained in the Privacy Rule with respect to the requirements for breach notification.161 In addition, both covered entities and business associates have the burden of demonstrating that notifications were properly provided or that the use or disclosure of uPHI did not constitute a breach.

    1. Individual Notice

    A covered entity is required to notify each individual whose uPHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of a breach. Notice should be in written form sent by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically.162 The notifications must be provided by the covered entity without unreasonable delay and in no case later than sixty calendar days following the discovery of the breach.163 These notices must be written in plain language and must include, to the extent possible, a description of the breach, a description of the type of information that was involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for additional information from the covered entity.

    159 It should be noted that this guidance will be updated annually.
    160 Id.; Health Information Technology for Economic and Clinical Health Act (HITECH Act), Pub. L. No. 111–5, § 13402(h)(2), 123 Stat. 115 (2009). Additionally, the guidance also applies to unsecured IIHI under the FTC regulations. Covered entities, business associates, and entities regulated by the FTC that secure information as specified by the guidance are relieved from providing notifications following the breach of such information.
    161 45 C.F.R. § 164.414(a) (2010). In particular, the requirements in § 164.530(b), (d)–(e), and (g)–(j).
    162 There are additional requirements for substitute notice if the covered entity has insufficient or out-of-date contact information on the individual, and an additional notice requirement when “imminent misuse” is possible.
    163 There is an exception to the time requirements when a covered entity or business associate is provided notice that its breach notification would impede a criminal investigation or endanger national security. Id. § 164.412.

    2. Media Notice

    Covered entities that experience a breach affecting more than 500 residents of a state or jurisdiction must, in addition to individual notification, provide notice to prominent media outlets serving the state or jurisdiction, typically through a press release. Similar to the individual notice, the media notification must be provided without unreasonable delay and in no case later than sixty calendar days following the discovery of the breach. The content of the notice must include the same information as individual notifications.

    3. Notice to the Secretary

    In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of HHS of breaches of uPHI. The form and content of the notice can be found on the HHS website. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than sixty days following a breach. If, however, a breach affects fewer than 500 individuals, the covered entity must document or maintain a log of such breaches and provide notification to the Secretary of HHS annually through the HHS website.

    4. Notification by Business Associates

    Following the discovery of a breach of uPHI, the business associate must notify the covered entity of the breach without unreasonable delay and no later than sixty days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual whose uPHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed during the breach, as well as any information the covered entity is required to provide in its notification.164

    5. Time Delay Exception for Law Enforcement

    There is an exception to the notification deadline if a law enforcement official informs the covered entity or business associate “that a notification, notice, or posting required under this subpart would impede a criminal investigation or cause damage to national security.”165 If the statement by law enforcement is provided in writing and specifies the length of the delay required, then the covered entity or business associate shall delay their applicable notice for the time period specified. If the statement is made orally, the covered entity or business associate shall “document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement . . . is submitted during that time.”166

    164 Id. § 164.410.
    165 Id. § 164.412.

    6. Administrative Requirements and Burden of Proof

    Covered entities are required to comply with the administrative requirements for breach notification contained in the Privacy Rule.167 In addition, both covered entities and business associates have the burden of demonstrating that required notifications have been provided or that a use or disclosure of uPHI did not constitute a breach.

    V. Enhanced Enforcement and Penalties

    The biggest complaints by critics of HIPAA are that there is insufficient oversight and that penalties apply to too narrow a scope of persons and entities. The HITECH Act has brought business associates within the scope of HIPAA Security Rule provisions, some Privacy Rule provisions, and also expands the definition of “business associate” for specified entities who perform certain functions.168

    A. Accountability

    As previously discussed, business associates are now directly accountable under HIPAA for failure to comply with Security Rule provisions and certain Privacy Rule provisions.

    B. Application of Criminal Penalties

    Failure to comply with HIPAA can result in criminal penalties. Covered entities and business associates who knowingly obtain or disclose PHI in violation of HIPAA can face fines of up to $50,000 and imprisonment for up to one year. For offenses committed under false pretenses, the fine can reach $100,000 with up to five years in prison, and for offenses committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm, the fine can reach $250,000 and the maximum imprisonment is ten years. The HITECH Act permits these criminal penalties to be enforced against individuals who obtain or disclose PHI from a covered entity “without authorization.”169

    166 Id. § 164.412(b).
    167 Id. § 164.414(a). In particular, the requirements in § 164.530(b), (d)–(e), and (g)–(j).
    168 And, as noted supra note 148, the NPRM appears to extend these same HIPAA privacy, security, and enforcement provisions to “subcontractors” of business associates.
    169 42 U.S.C.A. § 1320d-6 (West 2010).


    C. Compliance and Enforcement

    The HITECH Act clarifies the following issues regarding HIPAA compliance and enforcement:

    • HHS and state attorneys general can now pursue civil HIPAA violations in cases where the Department of Justice declines to pursue a criminal case, even though criminal penalties would have applied.

    • A formal investigation is now required after any complaint where preliminary investigation of the facts indicates possible violation through “willful neglect.”

    • Imposition of a civil monetary penalty is now mandated if a violation is found to constitute “willful neglect.”170

    D. Distribution of Civil Monetary Penalties

    Money collected for HIPAA violations will no longer go to the treasury. Instead, these funds must be transferred directly to OCR to be used for enforcement purposes.171 The HITECH Act requires the comptroller general to develop a methodology whereby persons harmed by HIPAA violations will receive a percentage of the penalty (or settlement) collected. The Secretary must establish the GAO’s methodology report via regulation within three years of the Act’s enactment (that being February 17, 2012). The effective date for penalty or settlement amounts to go to OCR is supposed to begin February 17, 2011. The methodologies to provide affected individuals with a percentage will apply on and after the effective date of the regulation implementing the methodology.

    E. Tiered Penalties

    Effective February 17, 2009 the HITECH Act revised section 1176(a) of the Social Security Act by establishing (1) four categories of violations that reflect increasing levels of culpability; (2) four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and (3) a maximum penalty amount of $1.5 million for all violations of an identical provision.172

    170 Health Information Technology for Economic and Clinical Health Act (HITECH Act), Pub. L. No. 111–5, § 13410(a), 123 Stat. 115 (2009). Willful neglect is defined in 45 C.F.R. § 160.401 as “conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.”
    171 HITECH Act § 13410(c).
    172 Id. § 13410(d). The HITECH Act provisions are implemented by 45 C.F.R. § 160.404.


    173 45 C.F.R. § 160.408 (2010).
    174 In February 2011, HHS issued its first ever civil monetary penalty against a covered entity for violating HIPAA and refusing to comply with HHS’ investigation. The amount: $1.3 million for failing to provide forty-one patients access to their medical records and $3 million for failing to comply with HHS’ investigation. Colin J. Zick, HHS Fines Cignet Health $4.3 Million for HIPAA Violations, Security, Privacy and