HHS Proposes Major Changes to HIPAA Privacy, Security and Enforcement Rules

We are reproducing here our July 12, 2010, Security & Privacy Alert, written by Colin J. Zick and Maia M. Larsson

On July 8, 2010, the Department of Health and Human Services (“HHS”) issued a notice of proposed rulemaking (“NPRM” or “proposed rule”)1 modifying the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy, Security, and Enforcement Rules2 pursuant to the Health Information Technology for Economic and Clinical Health Act (“HITECH”), which was enacted February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009, Pub. L. 111-5. The NPRM will be published in the Federal Register on July 14. Stakeholders will have 60 days from the date of publication to submit comments on the proposed rule to HHS.

Overview

The proposed modifications in this NPRM are intended to implement recent amendments made under the HITECH Act and to “improve the workability and effectiveness” of the HIPAA Rules. In the NPRM, HHS describes section-by-section how the proposed regulatory changes would implement provisions of the HITECH Act. In addition, HHS has proposed technical corrections and other modifications to enhance the effectiveness of the Rules.3 In summary, the proposed changes include:

  • Extending to business associates many of the requirements in the Privacy and Security Rules;
  • Establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes;
  • Restricting the disclosure of protected health information (“PHI”) to health plans;
  • Expanding individuals’ rights to access their information; and
  • Expanding HIPAA’s enforcement of privacy and security provisions.

Proposed Amendments to the Privacy Rule

With specific regard to “business associates,” HHS’s proposed rules confirm the extension of the HIPAA privacy and security rules to them (essentially making “business associates” into “covered entities”). HHS also seeks to modify the definition of “business associate” to conform with its statutory definition and to clarify the circumstances that would give rise to a business associate relationship. For example, HHS proposes to add patient safety activities to the list of functions and activities that would give rise to a business associate relationship if a person undertook those activities on behalf of a covered entity. Id. at 19. In addition, several types of organizations that did not exist when the HIPAA regulations were finalized a decade ago, such as a Health Information Exchange Organization, E-prescribing Gateway, or Regional Health Information Organization, will be treated as business associates. Id. at 20.

In an expansion of HIPAA beyond even the provisions of HITECH, HHS proposes to add subcontractors (“those persons that perform functions for or provide services to a business associate”) to the definition of a business associate. Id. at 22. This has the potential to extend HIPAA to many entities not covered previously.

HHS discusses the new HITECH Act requirements affecting the Privacy Rule and proposes further regulatory changes, including changes to the definition of “marketing” and to the use and disclosure rules for PHI applicable to business associates. See id. at 64-82. To address the concerns of covered entities and business associates about the administrative burden and cost of revising contracts to reflect the proposed regulations, HHS proposes to allow covered entities and business associates (and their subcontractors) to continue operating under their existing contracts for up to one year beyond the compliance date of the revisions to the Rules. See id. at 87-88.

Regarding uses and disclosures of PHI for which a valid authorization is required, the proposed rule would add a third circumstance to the two already in the current regulations. Currently, authorization is required for (1) most uses and disclosures of psychotherapy notes; and (2) uses and disclosures for marketing. In accordance with the third circumstance added by the HITECH Act, the sale of PHI, HHS proposes to add a new section to the regulations that would require a covered entity (or business associate) to obtain authorization for any disclosure of PHI made in exchange for direct or indirect remuneration, unless a specified exception applies. See id. at 91-99.

Proposed Amendments to the Security Rule

HHS proposes a number of changes to the Security Rule including technical modifications as well as modifications to references to business associates, administrative safeguards, and organizational requirements. See id. at 56-64.

Effective Date and Compliance Period

Although most of the provisions of the HITECH Act already became effective February 18, 2010, HHS recognized that it will be difficult for covered entities and business associates to comply with the statutory provisions until after HHS has finalized its changes to the HIPAA Rules. As such, HHS intends to provide covered entities and business associates with 180 days beyond the effective date of the final rule to come into compliance with “most of the rule’s provisions.” Id. at 13. This proposed 180-day compliance period, however, will not apply to the HIPAA Enforcement Rule “because such provisions are not standards or implementation specifications,” and thus, these provisions will be in effect and apply at the time the final rule becomes effective or as otherwise provided. Id. at 15.

 

 

1 HHS “Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act” (July 8, 2010) Display copy, available here [hereafter, “HHS NPRM”].

2 Note: “Privacy Rule” refers to the Standards for Privacy of Individually Identifiable Health Information; the “Security Rule” refers to the Security Standards for the Protection of Electronic Protected Health Information; and the “Enforcement Rule” refers to Compliance and Investigations, Imposition of Civil Money Penalties, and Procedures for Hearings, issued under HIPAA.

3 Several sections of the HITECH are not discussed in detail in these regulations either because they have been the subject of previous rulemakings (e.g., breach notification), or will be the subject of future rulemakings (e.g., accounting for disclosures requirement, and the penalty distribution methodology requirement.)

 


Compliance Week's "Must-Read: Major HIPAA Changes Out For Comment"

I shared some of my initial thoughts about the new HITECH/HIPAA regulations with Melissa Klein Aguilar for her blog, "The Filing Cabinet," in today's on-line edition of Compliance Week.

HHS Issues a Notice of Proposed Rulemaking to Modify the HIPAA Privacy, Security, and Enforcement Rules

Earlier today, the Department of Health and Human Services announced proposed modifications to the HIPAA Privacy Rules, calling them the most significant changes to HIPAA since 2003, when the HIPAA Security Rules were adopted. The proposed changes include:

  • provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities;
  • establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes;
  • prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans; and
  • expanding HIPAA’s enforcement provisions to business associates.

HHS intends to provide covered entities and business associates with 180 days beyond the effective date of the final rule to come into compliance with most of the rule’s standards (but apparently that additional time does not extend to its proposed enforcement provisions).

The public is invited to comment on the provisions of the proposed rule for 60 days following publication in the Federal Register at Regulations.gov.

We are still reviewing the 234 pages of proposed regulations and will have more to say about them shortly.

Connecticut Attorney General Reaches First State HIPAA Settlement with Health Net

On July 6, 2010, Connecticut Attorney General Richard Blumenthal announced a settlement with Health Net and its affiliates (Health Net of the Northeast, Inc., Health Net of Connecticut Inc., and parent companies UnitedHealth Group Inc. and Oxford Health Plans) of a suit alleging that they failed to secure private patient medical records and financial information on nearly a half million Connecticut enrollees and failed to promptly notify the consumers endangered by the breach.

The settlement marks the first action by a state attorney general for violations of HIPAA since the Health Information Technology for Economic and Clinical Health ("HITECH") Act authorized state attorneys general to enforce HIPAA. The settlement includes two years of consumer credit monitoring, $1 million of identity theft insurance and reimbursement for the costs of security freezes. Under the settlement, Health Net and its affiliates also agreed to:

· A “Corrective Action Plan” in which Health Net is implementing several measures to protect health information and other private data in compliance with HIPAA. This plan includes continued identity theft protection, improved systems controls, improved management and oversight structures, improved training and awareness for its employees, and improved incentives, monitoring, and reports.

· A $250,000 payment to the state representing statutory damages.

· An additional contingent payment to the state of $500,000, should it be established that the lost disk drive was accessed and personal information used illegally, impacting plan members.

TJX Settles Investor Lawsuit Related to Data Breach

According to a report in the Boston Globe, TJX has settled a lawsuit brought by the Louisiana Municipal Police Employees’ Retirement System, a TJX stockholder, which had alleged that the TJX board of directors failed to protect customers’ personal data, apparently in connection with the Albert Gonzalez breach. Bloomberg News has reported that the case was settled for $595,000 in legal fees and an agreement regarding enhanced oversight of customer files. There is no reference to this suit in TJX's most recent Form 10-Q.

CMS Issues Proposed Rules on Hospital Visitors

In late June, the Centers for Medicare & Medicaid Services (“CMS”) proposed new rules for hospitals that would entitle patients to choose their own visitors during a hospital stay, including visitors who are same-sex domestic partners. These proposed rules stem from the April 15, 2010 Presidential Memorandum on Hospital Visitation issued to the Secretary of Health and Human Services.

The proposed rules would require every hospital to have written policies and procedures detailing patients’ visitation rights, as well as instances when the hospital may restrict patient access to visitors based on reasonable clinical needs. A key provision of the proposed rules specifies that visitors chosen by the patient (or his or her representative) must be able to enjoy visitation privileges that are no more restrictive than those for immediate family members:

    (h) Standard: Patient visitation rights. A hospital must have written policies and procedures regarding the visitation rights of patients, including those setting forth any clinically necessary or reasonable restriction or limitation that the hospital may need to place on such rights and the reasons for the clinical restriction or limitation. A hospital must--

    (1) Inform each patient (or representative, where appropriate) of his or her visitation rights, including any clinical restriction or limitation on such rights, when he or she is informed of his or her other rights under this section.

    (2) Inform each patient (or representative, where appropriate) of the right, subject to his or her consent, to receive the visitors whom he or she designates, including, but not limited to, a spouse, a domestic partner (including a same-sex domestic partner), another family member, or a friend, and his or her right to withdraw or deny such consent at any time.

    (3) Not restrict, limit, or otherwise deny visitation privileges on the basis of race, color, national origin, religion, sex, sexual orientation, gender identity, or disability.

    (4) Ensure that all visitors designated by the patient (or representative, where appropriate) enjoy visitation privileges that are no more restrictive than those that immediate family members would enjoy.

Comments on these proposed regulations are due by August 27, 2010.

One More Reason to Secure Your Wireless Network

In a federal court case decided earlier this year, United States v. Ahrndt, the court held that an individual had no reasonable expectation of privacy in the use of an unsecured wireless network. The details of this decision are instructive for those still looking at questions of network privacy and security.

This case had its start in 2007, when a woman referred to as JH was using her personal computer at her home in Oregon. She was connected to the internet via her own wireless network, but when her wireless network malfunctioned, her computer automatically connected to another nearby wireless network that had no password. When JH opened iTunes, it displayed a shared library from another computer on that network, and inside it she found a subfolder called "Dad's Limewire Tunes." JH opened "Dad's Limewire Tunes" and observed files with names that indicated they were child pornography. That shared library was traced back to the defendant, Mr. Ahrndt, a convicted sex offender.

Ahrndt moved to suppress much of the evidence that was found on his computer, arguing that he had a reasonable, subjective expectation of privacy under the Fourth Amendment in the contents of a shared iTunes library on a personal computer connected to an unsecured home wireless network. The court held that society recognizes a "lower expectation of privacy in information broadcast via an unsecured wireless network router than in information transmitted through a hardwired network or password-protected network." The opinion went on to note that "[s]ociety's recognition of a lower expectation of privacy in unsecured wireless networks, however, does not alone eliminate defendant's right to privacy under the Fourth Amendment. In order to hold that defendant had no right to privacy, it is also necessary to find that society would not recognize as reasonable an expectation of privacy in the contents of a shared iTunes library available for streaming on an unsecured wireless network." And that is precisely what the Court concluded: "When a person shares files on LimeWire, it is like leaving one's documents in a box marked 'free' on a busy city street." Note that the court's reasoning turns on two separate choices the defendant made: running his wireless router without a password, and leaving his iTunes library shared for streaming. The court treated each as a distinct finding, so a password-protected network or an unshared library would each have removed one of the two findings the court needed.

Is the Smart Money Chasing Privacy and Security?

A recent article in the Wall Street Journal reports that "top-tier venture-capital firms" have invested in privacy-focused start-ups in recent months. This could be a sign that the so-called "smart money" sees data privacy and security as a viable long-term industry, and not this decade's version of Y2K. It seems likely that we are due for a long-term presence of privacy and security protection in our business and private lives. Y2K was a one-time event, and the huge amounts spent (wasted?) on it left investors with a New Year's Day hangover; the digitization of commerce, by contrast, grows day by day, bringing with it a concomitant need for information privacy and security, which may justify the faith of investors.

FTC Delays Enforcement of Red Flags Rule Against Doctors & Hospitals Until Appeals Court Rules

On June 25, 2010, federal district court judge Reggie B. Walton of the United States District Court for the District of Columbia entered a stipulated court order (.pdf) directing the Federal Trade Commission (FTC) to delay enforcement of the FTC's Red Flags Rule against doctors and medical practices represented by the American Medical Association (AMA) and the American Osteopathic Association. The FTC and the AMA agreed to this delay in a Joint Stipulation (.pdf), filed in the lawsuit brought by the AMA and other medical associations to exclude doctors and other medical professionals from the application of the Red Flags Rule.

The key issue in the case is whether medical practices should be considered "creditors" under the Red Flags Rule and the Fair and Accurate Credit Transactions Act (FACTA or the FACT Act). The case follows lawsuits filed beginning in 2009 by the American Bar Association (ABA) and the American Institute of Certified Public Accountants (AICPA) to exclude lawyers and accountants from the scope of the new rules. In October 2009, Judge Walton ruled that lawyers were not "creditors" subject to the Red Flags Rule. The FTC has appealed that order, and the United States Court of Appeals for the District of Columbia Circuit is expected to issue a decision clarifying the scope of the law.

In the recently approved stipulation, the AMA and the FTC have agreed to stay their dispute until the Court of Appeals issues its opinion. The FTC has also agreed to delay enforcement of the Red Flags Rule for 90 days after the Court of Appeals issues its ruling.

Spokeo In Violation of Federal Privacy Laws According to New CDT Complaint Filed With FTC

This week, the Center for Democracy & Technology (CDT) submitted a complaint (.pdf) to the Federal Trade Commission (FTC) alleging that the data broker website Spokeo is violating federal financial privacy law by failing to take adequate safeguards to protect consumers. Spokeo bills itself as a search engine that lets users look up "people-related information from phone books, social networks, marketing lists, business sites, and other public sources."

According to the CDT's complaint, Spokeo is in violation of the Fair Credit Reporting Act (FCRA), which requires "consumer reporting agencies" to take certain actions to protect consumer privacy, including giving consumers the right to access information about themselves, to correct mistakes, and to be advised of adverse decisions made on the basis of Spokeo's data. The FCRA also strictly limits the disclosure of consumer data to a limited number of "permissible purposes," yet the CDT complaint does not appear to raise claims regarding Spokeo's disclosure of consumer data to its users. The complaint does allege that Spokeo's actions amount to unfair and deceptive acts in violation of the FTC Act.