Data Security and Privacy for Medical Device, Pharmaceutical and Life Sciences Companies

HHS Fines Cignet Health $4.3 Million for HIPAA Violations

Earlier today, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued a Notice of Final Determination finding that Cignet Health of Prince George’s County, Md., (Cignet) violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS imposed a civil money penalty (CMP) of $4.3 million for the violations, representing what OCR said was "the first CMP issued by the Department for a covered entity’s violations of the HIPAA Privacy Rule."  The CMP is based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

According to the HHS press release, in a Notice of Proposed Determination issued Oct. 20, 2010, OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with OCR, initiating investigations of each complaint. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The CMP for these violations was $1.3 million.

HHS also concluded that during the investigations, Cignet refused to respond to OCR’s demands to produce the records. Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010.  On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means. OCR also found that Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule. Covered entities are required under law to cooperate with the Department’s investigations. The CMP for these violations was $3 million.

HHS Proposes Major Changes to HIPAA Privacy, Security and Enforcement Rules

We are reproducing here our July 12, 2010, Security & Privacy Alert, written by Colin J. Zick and Maia M. Larsson.


On July 8, 2010, the Department of Health and Human Services (“HHS”) issued a notice of proposed rulemaking (“NPRM” or “proposed rule”)[1] modifying the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy, Security, and Enforcement Rules[2] pursuant to the Health Information Technology for Economic and Clinical Health Act (“HITECH”), which was enacted February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009, Pub. L. 111-5. The NPRM will be published in the Federal Register on July 14. Stakeholders will have 60 days from the date of publication to submit comments on the proposed rule to HHS.

Overview

The proposed modifications in this NPRM are intended to implement recent amendments made under the HITECH Act and to “improve the workability and effectiveness” of the HIPAA Rules. In the NPRM, HHS describes section-by-section how the proposed regulatory changes would implement provisions of the HITECH Act. In addition, HHS has proposed technical corrections and other modifications to enhance the effectiveness of the Rules.[3] In summary, the proposed changes include:

  • Extending to business associates many of the requirements in the Privacy and Security Rules;
  • Establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes;
  • Restricting the disclosure of protected health information (“PHI”) to health plans;
  • Expanding individuals’ rights to access their information; and
  • Expanding HIPAA’s enforcement of privacy and security provisions.

Proposed Amendments to the Privacy Rule

With specific regard to “business associates,” HHS’s proposed rules confirm the extension of HIPAA privacy and security rules to them (essentially making “business associates” into “covered entities”). HHS also seeks to modify the definition of “business associate” to conform with its statutory definition and to provide clarification on circumstances that would give rise to a business associate relationship. For example, HHS proposes to add patient safety activities to the list of functions and activities that would give rise to a business associate relationship if a person undertook those activities on behalf of a covered entity. Id. at 19. In addition, several types of organizations that did not exist when the HIPAA regulations were finalized a decade ago, such as a Health Information Exchange Organization, E-prescribing Gateway, or Regional Health Information Organization, will be treated as business associates. Id. at 20.

In an expansion of HIPAA beyond even the provisions of HITECH, HHS proposes to add subcontractors (“those persons that perform functions for or provide services to a business associate”) to the definition of a business associate. Id. at 22. This has the potential to extend HIPAA to many entities not covered previously.

HHS discusses the new HITECH Act requirements affecting the Privacy Rule and proposes further regulatory changes including changes related to the definition of “marketing” and use and disclosure rules for PHI applicable to business associates. See id. at 64-82. To address the concern by covered entities and business associates regarding administrative burdens and costs related to implementing revised contracts around new proposed regulations, HHS proposes to allow covered entities and business associates (and their subcontractors) to continue operating under their existing contracts for up to one year beyond the compliance date of the revisions to the Rules. See id. at 87-88.

Regarding the use and disclosure of PHI where valid authorization is required, the proposed rule would add an additional circumstance to the existing two circumstances in current regulations where such authorization is necessary. Currently, authorization is required for (1) most uses and disclosures of psychotherapy notes; and (2) uses and disclosures for marketing. In accordance with the third circumstance added by the HITECH Act – the sale of PHI – HHS proposes to add a new section to the regulations that would require a covered entity (or business associate) to obtain authorization for disclosure of PHI that is in exchange for direct or indirect remuneration, unless a specified exception applies. See id. at 91-99.

Proposed Amendments to the Security Rule

HHS proposes a number of changes to the Security Rule including technical modifications as well as modifications to references to business associates, administrative safeguards, and organizational requirements. See id. at 56-64.

Effective Date and Compliance Period

Although most of the provisions of the HITECH Act already became effective February 18, 2010, HHS recognized that it will be difficult for covered entities and business associates to comply with the statutory provisions until after HHS has finalized its changes to the HIPAA Rules. As such, HHS intends to provide covered entities and business associates with 180 days beyond the effective date of the final rule to come into compliance with “most of the rule’s provisions.” Id. at 13. This proposed 180-day compliance period, however, will not apply to the HIPAA Enforcement Rule “because such provisions are not standards or implementation specifications,” and thus, these provisions will be in effect and apply at the time the final rule becomes effective or as otherwise provided. Id. at 15.


[1] HHS “Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act” (July 8, 2010) Display copy, available here [hereafter, “HHS NPRM”].

[2] Note: “Privacy Rule” refers to the Standards for Privacy of Individually Identifiable Health Information; the “Security Rule” refers to the Security Standards for the Protection of Electronic Protected Health Information; and the “Enforcement Rule” refers to Compliance and Investigations, Imposition of Civil Money Penalties, and Procedures for Hearings, issued under HIPAA.

[3] Several sections of the HITECH Act are not discussed in detail in these regulations, either because they have been the subject of previous rulemakings (e.g., breach notification) or because they will be the subject of future rulemakings (e.g., the accounting for disclosures requirement and the penalty distribution methodology requirement).


Compliance Week's "Must-Read: Major HIPAA Changes Out For Comment"

I shared some of my initial thoughts about the new HITECH/HIPAA regulations with Melissa Klein Aguilar for her blog, "The Filing Cabinet," in today's on-line edition of Compliance Week.

HHS Issues a Notice of Proposed Rulemaking to Modify the HIPAA Privacy, Security, and Enforcement Rules

Earlier today, the Department of Health and Human Services announced proposed modifications to the HIPAA Privacy Rules, calling them the most significant changes in HIPAA since 2003, when the HIPAA Security Rules were adopted. The proposed changes include:

  • provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities;
  • establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes;
  • prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans; and
  • expanding HIPAA’s enforcement provisions to business associates.

HHS intends to provide covered entities and business associates with 180 days beyond the effective date of the final rule to come into compliance with most of the rule’s standards (but apparently that additional time does not extend to its proposed enforcement provisions).

The public is invited to comment on the provisions of the proposed rule for 60 days following publication in the Federal Register at Regulations.gov.

We are still reviewing the 234 pages of proposed regulations and will have more to say about them shortly.

Connecticut Attorney General Reaches First State HIPAA Settlement with Health Net

On July 6, 2010, Connecticut Attorney General Richard Blumenthal announced a settlement with Health Net and its affiliates (Health Net of the Northeast, Inc., Health Net of Connecticut Inc., and parent companies UnitedHealth Group Inc. and Oxford Health Plans) of a suit that cited failure to secure private patient medical records and financial information on nearly a half million Connecticut enrollees and to promptly notify consumers endangered by the breach.


The settlement marks the first action by a state attorney general for violations of HIPAA since the Health Information Technology for Economic and Clinical Health ("HITECH") Act authorized state attorneys general to enforce HIPAA.  The settlement includes two years of consumer credit monitoring, $1 million of identity theft insurance and reimbursement for the costs of security freezes. Under the settlement, Health Net and its affiliates also agreed to:


  • A “Corrective Action Plan” in which Health Net is implementing several measures to protect health information and other private data in compliance with HIPAA. This plan includes continued identity theft protection, improved systems controls, improved management and oversight structures, improved training and awareness for its employees, and improved incentives, monitoring, and reports.
  • A $250,000 payment to the state representing statutory damages.
  • An additional contingent payment to the state of $500,000, should it be established that the lost disk drive was accessed and personal information used illegally, impacting plan members.

Update on HIPAA Business Associate Regulations -- OCR Says They Still Aren't Ready, Gives No Date

In a notice apparently posted March 17, 2010, the Office for Civil Rights of the Department of Health and Human Services ("OCR") acknowledged its delay in issuing regulations for HIPAA business associate agreements.  Those regulations are now a month overdue and, from OCR's language, they do not appear imminent:

OCR will implement important privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act through notice and comment rulemaking, as required by the Administrative Procedure Act.  These provisions include: business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information.  OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions.  Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements.

(Emphasis added.)  What does seem clear from this notice is that OCR enforcement of the underlying law is not imminent and that more guidance on that will come when the regulations are issued.


HHS Reports 35 Breaches Impacting 500 or More People

At the end of February, the HHS Office for Civil Rights (“OCR”) posted on its website a list of HIPAA “covered entities” that have reported breaches of unsecured health information affecting more than 500 individuals.  OCR’s posting showed 35 health data breaches that impacted over 700,000 individuals (with individual breaches ranging in size from 359,000 individuals, due to the theft of a laptop, to 501 individuals impacted by the theft of a portable USB device).

This posting by OCR was required by the August 2009 Interim Final Rule, which was issued pursuant to the HITECH Act.  In particular, § 164.408 of this breach notification interim final rule implements § 13402(e)(3) of the HITECH Act. The rule became effective September 23, 2009. 

Under this rule, breaches that affected 500 or more individuals must be reported to OCR within 60 days, via an OCR online notification form.  Training materials and related guidance on breach notification can be found on the OCR web site.  

Deadlines, Deadlines, Deadlines: Three Important Privacy and Security Dates

In the past several days, three important information privacy and security deadlines have arrived.  To recap, they are:

  • February 17, 2010:  the provisions of the HITECH Act regarding HIPAA business associates went into effect (albeit without regulations, which are expected to be issued any day now).  Many HIPAA covered entities have been revising their Business Associate Agreements in an effort to comply with what they think the regulations will say.  Others are waiting until they see the regulations to amend those agreements.
  • February 22, 2010:  FTC rules regarding health information breaches went into effect.  The FTC has provided a standard reporting form for such breaches.  And the FTC is putting its money where its mouth is:  in the Fiscal Year 2011 Congressional Budget Justification, the FTC is seeking two full-time employees for “data security enforcement and rulemakings.”
  • March 1, 2010:  Last but not least, the Massachusetts Data Security regulations went into effect on March 1, although we have not received word from the Massachusetts Attorney General as to how these regulations will be enforced.  A recent Boston Globe article (for which I was interviewed) details the apparent state of readiness for these regulations.