The Politics of Health Care

Part 3: OCR Issues Proposed Modifications to HIPAA Privacy and Security Rules

Published August 13, 2010 9:39 AM by Frank Irving
Significant revisions to the Privacy Rule and Enforcement Rule.

Guest commentary from Daniel F. Gottlieb, Bernadette M. Broccolo, Jennifer S. Geetter, Jerry Tichner, Jeanna Palmer Gunville, Sarah S. Nelson, Edward G. Zacharias and Stephen W. Bernstein, attorneys in the Health Industry Advisory Practice Group of global law firm McDermott, Will & Emery, LLP

[Editor's note: Due to its length, this guest commentary is presented in a series of three blog posts on consecutive days. Part 3 appears below. Part 1 appeared on Aug. 11 and Part 2 appeared on Aug. 12.]

This post addresses significant revisions to the Privacy Rule and the Enforcement Rule.

Proposed revisions to the Privacy Rule
This section addresses proposed changes and guidance to the Privacy Rule's standards regarding minimum necessary PHI, fundraising communications, an individual's right to request restrictions on the disclosure of PHI, notices of privacy practices, and access to PHI in a designated record set.

Minimum necessary standard
For most uses and disclosures of PHI for non-treatment purposes, the Privacy Rule requires covered entities to limit requests for and uses and disclosures of PHI to the minimum necessary to accomplish the intended purpose of the request, use or disclosure. The HITECH Act requires OCR to issue guidance on what constitutes the minimum necessary amount of PHI to accomplish the intended purpose of a use, disclosure or request. The Proposed Rule solicits comments on the aspects of the minimum necessary standard for which covered entities and business associates seek guidance. OCR proposes to leave the current regulatory text unchanged, however, as the guidance they will issue on minimum necessary will obviate the need to make any changes to the current language.

In the interim, the HITECH Act specifies that a covered entity will be in compliance with the minimum necessary standard as long as it limits PHI, to the extent practicable, to either (a) the equivalent of a limited data set, or (b) if a covered entity decides that the limited data set does not meet the needs of the particular use, disclosure or request, it may go beyond the limited data set if it does so according to its then-compliant minimum necessary policies and procedures. This temporary standard sunsets as soon as the guidance regarding minimum necessary is issued.

Fundraising disclosures
Currently, the Privacy Rule permits a covered entity to use or disclose for fundraising purposes an individual's demographic information and the dates health care was provided to that individual. No authorization is required to make such uses and disclosures, but, as discussed in the following subsection, the covered entity's notice of privacy practices must inform individuals that the covered entity may contact them to raise funds. Also, fundraising materials must describe how the individual may opt out, and the covered entity must make reasonable efforts to ensure that individuals who opt out are not sent future fundraising communications. 

The HITECH Act requires a covered entity to provide the recipient of fundraising information a clear and conspicuous opportunity for the individual to opt out of receiving any further fundraising communications. The Proposed Rule would implement this change. The Proposed Rule would make the following additional changes to the fundraising requirements deemed advisable by OCR:

  • The method for opting out may not cause the individual to incur an undue burden or more than nominal cost.
  • The covered entity must not condition treatment or payment on an individual's choice with respect to receiving fundraising communications.
  • The covered entity must ensure that no fundraising communications are sent to an individual who has opted out, rather than only making "reasonable efforts" to do so.

The Proposed Rule requests comments on the following issues related to fundraising communications:

  • to what fundraising communications an opt-out requirement should apply;
  • how an individual could choose to opt back in to receiving such communications;
  • whether the Privacy Rule should allow additional categories of PHI to be used or disclosed for fundraising, and if so, what those categories should be;
  • the adequacy of the minimum necessary standard to appropriately limit the amount of PHI that may be used or disclosed for fundraising purposes;
  • whether the current limitations to use of PHI for fundraising communications remain unchanged (e.g., dates of treatment, demographic info); and
  • whether an opt-out should be offered before the first fundraising communication, and the process for such an opt-out.

Tax-exempt covered entities should consider submitting comments on these important issues. In particular, limitations on the categories of PHI that may be used for fundraising purposes have interfered with targeted fundraising for development initiatives that are more likely to appeal to patients (or their families) with particular conditions or disease states. For example, the current fundraising requirements do not permit a tax-exempt hospital to use cancer diagnosis information to send a targeted fundraising appeal for a new cancer center to cancer patients and their families.

Patient right to request restrictions on disclosures of PHI to health plans
The current Privacy Rule requires a covered entity to permit individuals to request that the covered entity restrict uses or disclosures of PHI for treatment, payment and health care operations purposes, as well as for disclosures to family members and others involved in the patient's care. The covered entity is not required to agree to a requested restriction. 

The HITECH Act amends the right to request additional restrictions to require (unless otherwise required by law) a covered entity to agree to a requested restriction if the request regards disclosures of PHI to a health plan for the purpose of carrying out payment or health care operations and the restriction applies to PHI that pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full. The Proposed Rule would implement the HITECH Act requirement. The Proposed Rule clarifies that where a restriction has been placed on a disclosure to a health plan, the covered entity is also prohibited from making such disclosure to a business associate of the health plan. 

The Proposed Rule provides that an individual may determine for which health care items or services the individual wishes to pay out of pocket and restrict disclosures to a health plan. OCR notes, for example, "an individual who regularly visits the same provider for the treatment of both asthma and diabetes must be able to request, and have the provider honor, a restriction on the disclosure of diabetes-related treatment to the health plan as long as the individual pays out of pocket for this care. The provider cannot require that the individual apply the restriction to all care given by the provider and, as a result, cannot require the individual to pay out of pocket for both the diabetes and asthma-related care in order to have the restriction on the diabetes care honored."

The Proposed Rule provides that the requirement that the covered entity be paid in full for the health care item or service for which the individual requests a restriction is not limited to situations where the patient is the person paying the covered entity. It also applies when a family member or another person pays for the treatment.

OCR requests comments on the types of interactions between individuals and covered entities that would make requesting or implementing a restriction more difficult. 

Downstream health care providers
OCR requests comments on the obligation of health care providers that know of a restriction to inform other health care providers downstream of such restriction. OCR is interested in whether a restriction placed upon certain PHI should apply to, and the feasibility of it continuing to attach to, such information as it moves downstream, or if the restriction should no longer apply until the individual visits a new provider for treatment or services, requests a restriction, and pays out of pocket for the treatment. In conjunction with this request, OCR seeks comments regarding the extent to which technical capabilities exist that would facilitate notification among providers of restrictions on the disclosure of PHI, how widely these technologies are currently utilized, and any limitations in the technology that would require additional manual or other procedures to provide notification of restrictions. In particular, OCR specifically requests suggestions of methods through which a provider, using an automated electronic prescribing tool, could alert a pharmacy that the patient may wish to request that a restriction be placed on the disclosure of PHI to the health plan and that the patient intends to pay out of pocket for the prescription.

Cost-sharing and managed care issues
OCR emphasizes that when a patient requests a restriction of information to a health plan and pays out of pocket, that patient should not expect that this payment will count toward the out of pocket threshold with respect to his or her health plan benefits because the health plan will be unaware of any payment for treatment or services.

OCR requests commentary on how this provision will function with respect to HMOs. Under most current HMO contracts with providers, an individual could not pay the provider for the treatment or service received, and individuals who belong to an HMO may be obligated to use an out-of-network provider if they wish to ensure that certain PHI is not disclosed to the HMO.

Permitted disclosure for unresolved non-payment
The Proposed Rule advises that if an individual fails to honor the promise to make the out of pocket payment for a health care item or service that entitles him or her to request the additional restriction (e.g., the individual's check bounces), the covered entity may then submit the information to the health plan for payment. OCR does make clear, however, that covered entities are expected to attempt to resolve the payment issue with the patient prior to sending the PHI to the health plan. Providers may attempt resolution by notifying the individual that his or her payment did not go through and giving the individual an opportunity to submit payment. OCR requests comments with regard to the extent to which covered entities must make reasonable efforts to secure payment from the individual prior to submitting PHI to the health plan for payment.

Notice of privacy practices
The Privacy Rule currently requires a covered entity's notice of privacy practices (NPP) to include a statement that any uses and disclosures other than those permitted by the Privacy Rule will be made only with the written authorization of the individual. The Proposed Rule would make several changes to the Privacy Rule's NPP requirements to ensure that individuals are aware of the types of uses and disclosures that require an authorization or the right to opt-out:

  • If a health care provider intends to send written treatment communications to an individual concerning treatment alternatives or other health-related products or services in exchange for financial remuneration, the NPP must include a statement informing individuals of the practice. The NPP must also inform the individual that he or she has the opportunity to opt out of receiving such communications.
  • The Proposed Rule would require the NPP to include a notice that the covered entity intends to send fundraising communications and to inform the individual that he or she has the right to opt out of such communications.
  • The NPP must include a statement that describes the new requirement that a covered entity must accommodate a request to restrict disclosures of PHI pertaining solely to health care for which the individual or a person other than a health plan has paid in full.

OCR requests comments on whether to require an NPP to include a statement regarding notification requirements following a security breach of unsecured PHI and the method of informing individuals of changes to an NPP that would not unduly burden health plans.

Access
The Privacy Rule currently provides a right for individuals to review or obtain copies of their PHI, with limited exceptions, to the extent such information is maintained in the designated record sets of a covered entity. Designated record sets are medical and billing records of a health care provider, the enrollment, payment, claims adjudication and case or medical management records of a health plan, or other records used by a covered entity to make decisions about an individual. The HITECH Act expands the right of access by requiring a covered entity that maintains an electronic health record (EHR) to provide the individual with a copy of such information in an electronic format. The individual may direct the covered entity to transmit such copy directly to the individual's designee, provided that any such choice is clear, conspicuous and specific. The HITECH Act also provides that any fee imposed by the covered entity for providing such an electronic copy shall not be greater than the entity's labor costs in responding to the request for the copy.

Form or format requested
Under the Proposed Rule, if the PHI requested is maintained electronically in one or more designated record sets, the covered entity must provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or if not, in a readable electronic form and format as agreed to by the covered entity and the individual.

Access by designees
The Privacy Rule currently requires a covered entity to provide the access requested in a timely manner, which includes arranging with the individual for a convenient time and place to inspect or obtain a copy of the PHI, or mailing the copy of PHI at the individual's request. Under the Proposed Rule, a covered entity must transmit the copy of PHI directly to another person designated by the individual, whether or not the PHI is in electronic or paper form, if clearly, conspicuously and specifically requested by the individual.

Timeliness
Under the current Privacy Rule, a request for access must be approved or denied, and if approved, access to or a copy of the information provided, within 30 days of the request. In cases in which the records requested are only accessible from an off-site location, the covered entity has an additional 30 days to respond to the request. In extenuating circumstances in which access cannot be provided within these timeframes, the covered entity may have a one-time 30-day extension if the individual is notified of the need for the extension within the original timeframes.

OCR requests comments with regard to the timeliness requirements for provision of access. OCR desires to address the expectation that, with the advance of EHRs, there is capacity to provide individuals with almost instantaneous electronic access to the PHI in those records through personal health records or similar electronic means.

OCR also requests comments on the following topics related to timeliness for provision of access:

  • Whether there is an appropriate, common timeliness standard for the provision of access by covered entities with electronic designated record sets generally. OCR would like to examine aspects of existing systems that would create efficiencies in processing of requests for electronic information, as well as those aspects of electronic systems that would provide little change from the time required for processing a paper record.
  • Whether the current standard could be altered for all systems, paper and electronic, such that all requests for access should be responded to without unreasonable delay and not later than 30 days.
  • Whether, contrary to OCR's assumption, a variety of timeliness standards based on the type of electronic designated record set is the preferred approach and, if so, how OCR should operationalize such an approach.
  • How much time is necessary for covered entities to review access requests and make necessary determinations, such as whether the granting of access would endanger the individual or other persons. OCR wants to better understand how the time needed for these reviews relates to the overall time needed to provide the individual with access.
  • Whether the provision which allows a covered entity an additional 30 days to provide access to the individual if the PHI is maintained off-site should be eliminated altogether for both paper and electronic records, or at least for PHI maintained or archived electronically because the physical location of electronic data storage is not relevant to its accessibility.

Modifications to the Enforcement Rule
The HITECH Act significantly modified the categories of HIPAA violations, the range of civil money penalty amounts and the available defenses to a HIPAA action. These HITECH Act provisions became effective for covered entities on Feb. 18, 2009, and made business associates directly subject to HIPAA's enforcement scheme for the first time beginning Feb. 18, 2010.

On Oct. 30, 2009, OCR issued an interim final rule to implement the HITECH Act's amendments to the enforcement provisions of the current Privacy Rule. The Interim Final Enforcement Rule became effective Nov. 30, 2009. The Proposed Rule proposes a number of significant changes to the Enforcement Rule's provisions concerning compliance and investigations and the imposition of civil money penalties to implement HITECH Act provisions that become effective in 2010 and 2011.

Mandatory investigations vs. use of "informal means"
Currently, the Enforcement Rule permits, but does not require, OCR to investigate HIPAA violation complaints. The Proposed Regulation would amend the Enforcement Rule, consistent with the HITECH Act, to require OCR to investigate any complaint when a preliminary review of the facts indicates a possible violation due to willful neglect. The Enforcement Rule defines willful neglect to mean "conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated." The Proposed Rule would maintain OCR's discretion to decline to investigate a complaint where a preliminary investigation does not indicate that the alleged violation is due to willful neglect. However, as a practical matter, the proposed amendment would not alter OCR's current policy of investigating any alleged violation where a preliminary review suggests a potential HIPAA violation.

The Interim Final Enforcement Rule also currently requires OCR to attempt to resolve noncompliance through "informal means." In order to permit OCR to impose a civil money penalty for violations due to willful neglect as required by the HITECH Act, however, the Proposed Rule proposes to amend the Enforcement Rule by permitting, but not requiring, OCR to use "informal means" to resolve noncompliance.

Tiered penalty scheme
The HITECH Act and the Interim Final Enforcement Rule implemented a new tiered civil money penalty structure based on the following culpability levels: (1) the entity did not know (and, by exercising reasonable diligence, would not have known) that it violated the applicable provision; (2) the violation is due to reasonable cause and not to willful neglect; (3) the violation is due to willful neglect and was corrected during the 30-day period beginning on the first date the entity knew, or, by exercising reasonable diligence, would have known that the violation occurred; or (4) the violation is due to willful neglect and was not corrected during the 30-day period beginning on the first date the entity knew, or, by exercising reasonable diligence, would have known that the violation occurred. The Proposed Rule would further clarify the culpability levels by amending the definition of "reasonable cause." Under the proposed definition, "reasonable cause" means "an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect."

The Proposed Rule also attempts to provide guidance with respect to how OCR intends to apply the terms "reasonable cause," "reasonable diligence," and "willful neglect" used in the tiered penalty scheme by providing hypothetical examples for each tier. For example, the OCR stated that the failure to develop or implement compliant HIPAA policies and procedures "demonstrate[s] either conscious intent or reckless disregard with respect to...compliance obligations," and may be the basis for a finding of a violation due to willful neglect. The OCR also notes that a covered entity's or a business associate's correction of a violation due to willful neglect will not prevent the imposition of a civil money penalty, but may prevent the violation from falling into the highest culpability level. Accordingly, covered entities and business associates should ensure that current policies appropriately implement current requirements and be prepared to amend the current policies once the OCR issues a final rule.

Determining the amount of a penalty
The Enforcement Rule sets forth the factors to be considered by OCR when determining a civil money penalty for a violation within the approved penalty range for the culpability tier. The HITECH Act does not add or delete factors, but requires OCR to base its penalty determination "on the nature and extent of the violation and the nature and extent of the harm resulting from such violation." Accordingly, the Proposed Rule proposes to amend the factors to clarify that the OCR must consider the nature and extent of the violation and the nature and extent of the harm resulting from the violation. The Proposed Rule would also permit OCR, when taking into account the nature and the extent of a violation, to consider the number of individuals affected and the time period during which the violation occurred, and, when taking into account the nature and the extent of the harm resulting from a violation, to consider the physical, financial or reputational harm and whether the violation hindered an individual's ability to obtain health care.

Affirmative defenses
The Proposed Rule proposes to revise the Enforcement Rule's affirmative defenses to accommodate a revision to the HIPAA criminal penalties provision, which becomes effective on Feb. 18, 2011. HIPAA currently provides that a civil money penalty may not be imposed with respect to an act "if the act constitutes an offense punishable" under the HIPAA criminal penalties provisions. Effective Feb. 18, 2011, the HITECH Act replaces the quoted phrase with "if a penalty has been imposed" for the act. Accordingly, the Proposed Rule revises the Enforcement Rule's affirmative defenses as follows:

  • For violations occurring after Feb. 18, 2009, but prior to Feb. 18, 2011, the OCR may not impose a civil money penalty on a covered entity or business associate if the covered entity or business associate establishes that the violation is an offense punishable under the HIPAA criminal penalties provisions.
  • For violations occurring on or after Feb. 18, 2011, the OCR may not impose a civil money penalty on a covered entity or business associate if the covered entity or business associate establishes that a penalty has been imposed under the HIPAA criminal penalties provisions.

HIPAA compliance reviews
The Enforcement Rule authorizes the OCR to conduct discretionary compliance reviews of covered entities and business associates outside of the HIPAA complaint process. The Proposed Rule would amend the provision to require the OCR to conduct compliance reviews to determine whether a covered entity or business associate is complying with the applicable administrative simplification provision when a preliminary review indicates a potential violation due to willful neglect. The Proposed Rule maintains the OCR's discretion where a preliminary review does not indicate willful neglect.

Application of Enforcement Rule to business associates
As required by the HITECH Act, the Proposed Rule makes the Enforcement Rule directly applicable to business associates rather than only indirectly applicable through business associate agreements between covered entities and business associates. To account for the direct application of the regulations to business associates, the Proposed Rule revises a number of sections of the Enforcement Rule by adding the term "business associate" where appropriate.

Vicarious liability for violations by workforce members or agents
Under the current Enforcement Rule, a covered entity is liable for the violations of its workforce members and other agents in accordance with the federal common law of agency, except where the agent is a business associate, the relevant business associate agreement requirements have been met, the covered entity did not know of a pattern or practice of the business associate in violation of the contract, and the covered entity did not fail to act as required by the Privacy Rule or Security Rule with respect to such violations. The Proposed Rule would remove this exception so that the covered entity remains liable for the acts of its agents which are business associates, regardless of whether the covered entity has a compliant business associate agreement in place. The Proposed Rule also provides for civil money penalty liability against a business associate for the acts of its workforce members and downstream business associates that are agents acting within the common law scope of agency.

If finalized, this change would significantly heighten the risks of failing to conduct reasonable due diligence on the privacy and security practices of prospective business associates and subcontractors and of inadequate monitoring of retained business associates and subcontractors. Covered entities and business associates should consult with their health information technology team and data privacy and security counsel to determine a prudent level of due diligence on vendors before outsourcing activities involving the use and disclosure of PHI.

A determination of whether a business associate or subcontractor is an agent for whom the principal is vicariously liable under the Proposed Rule or is instead an independent contractor requires a case-by-case inquiry based on the facts of the relationship, including the covered entity's level of control over the vendor's conduct. To avoid vicarious liability, a covered entity or business associate principal needs to walk a narrow line between not having enough control to transform a vendor into an agent and sufficient oversight to be aware of the vendor's noncompliant activities. The right balance can be addressed by conducting a vendor privacy and security assessment in advance and by carefully structuring business associate agreements and downstream subcontractor agreements to provide an appropriate level of oversight.

Mr. Gottlieb represents a wide range of health industry clients, with a focus on advising them on compliance with HIPAA and other health information privacy laws; electronic health information exchanges and data warehouses; health information technology acquisitions; and other transactions involving health information or health information technology. He can be reached at dgottlieb@mwe.com.

Ms. Broccolo serves as chair of the Life Sciences Division of the firm's Health Industry Advisory practice and advises clients on health industry relationship formation and realignments; health information technology acquisitions; electronic health information networks; conflict-of-interest compliance and overall corporate compliance programs. She can be reached at bbroccolo@mwe.com.

Ms. Geetter focuses on emerging biotechnology and safety issues, advising hospital, industry, insurance and provider clients on matters relating to research, drug and device development, off-label use, personalized medicine, formulary compliance, privacy and security, electronic health records and other matters. She can be reached at jgeetter@mwe.com.

Mr. Tichner maintains a general health law practice, focusing on the representation of hospitals, health systems, pharmaceutical companies, durable medical equipment companies and medical device manufacturers, and providing regulatory and transactional representation in connection with acquisitions, joint ventures, strategic affiliations, conversions to tax-exempt status and other transactional matters. He can be reached at jtichner@mwe.com.

Mr. Bernstein is head of the firm's Health Industry Advisory Practice Group, specializing in e-health, deployment of electronic health record systems, health-related matters impacted by the Internet and HIPAA, as well as mergers, acquisitions, affiliations and joint ventures in the hospital and physician areas. He can be reached at sbernstein@mwe.com.

Ms. Gunville is an associate with the firm. She can be reached at jgunville@mwe.com.

Ms. Nelson is an associate with the firm. She can be reached at snelson@mwe.com.

Mr. Zacharias is an associate with the firm. He can be reached at ezacharias@mwe.com.
