Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates
November 7, 2013
Brad M. Rostolsky, Partner, Reed Smith LLP, brostolsky@reedsmith.com
Nancy E. Bonifant, Associate, Reed Smith LLP, nbonifant@reedsmith.com
Agenda
• Compliance Dates
• HIPAA Enforcement
• Breach Notification Rule
• Marketing Communications
• Sale of Protected Health Information
• Business Associate Compliance
• Individual Rights
Key Dates for Compliance
• Final Rule published: January 25, 2013
• Effective Date: March 26, 2013
• General Compliance Date: September 23, 2013
• Breach Notification Rule: enforced under the Interim Final Rule until the General Compliance Date
• Exceptions to the General Compliance Date: Business Associate Agreements; Prescription Refill Reminders
Key Dates for Compliance (cont.)
• Enforcement Rule: March 26, 2013
• Business Associate Agreements
  • Grandfather period through Sept. 22, 2014, unless the BAA is modified or renewed before then
  • New BAAs (and any BAA that is modified or renewed) must meet the Final Rule requirements by Sept. 23, 2013
• Prescription Refill Reminders
  • Grandfather period through Sept. 23, 2014 if the patient was already enrolled in the program, provided the patient has not opted out and the prescription has not been renewed
HIPAA Enforcement
• Global Considerations
  • Say goodbye to voluntary compliance!
  • A Security Rule risk assessment is a key component of successfully surviving an OCR investigation or inquiry; this is reflected in OCR's direct statements and in enforcement trends
  • The Final Rule mostly imports earlier changes from the 2009 Interim Final Enforcement Rule and the 2010 HITECH Proposed Rule
HIPAA Enforcement (cont.)
HITECH Enforcement CMP Levels

Violation Category                Each Violation        All Identical Violations per Calendar Year
Did Not Know                      $100 - $50,000        $1.5 million
Reasonable Cause                  $1,000 - $50,000      $1.5 million
Willful Neglect, Corrected        $10,000 - $50,000     $1.5 million
Willful Neglect, Not Corrected    $50,000               $1.5 million
HIPAA Enforcement (cont.)
• Violations due to Willful Neglect
  • An investigation or compliance review will always be triggered whenever OCR's preliminary review indicates a possible violation due to willful neglect
  • OCR may now proceed immediately to penalties (it no longer must first try to resolve the noncompliance through informal means)
  • Business associates are now directly liable for CMPs
HIPAA Enforcement (cont.)
• Agency Relationships
  • Covered entities are now liable for the acts of their business associate agents
  • Business associates are liable for the acts of their subcontractor agents
  • OCR: the key consideration is control
• Affirmative Defenses
  • Old Rule: no CMP where a violation is criminally punishable
  • New Rule: no CMP where a violation is criminally punished (the act must actually have been penalized criminally, not merely be eligible for criminal penalty)
HIPAA Enforcement (cont.)
• OCR (maybe) has less discretion in determining the CMP amount
  • Based on the nature and extent of the violation and the extent of the harm resulting from it
• OCR guidelines for calculating CMPs
  • Number of violations = number of individuals affected
  • Number of violations = number of days a required safeguard was not in place
  • The $1.5 million limit for identical violations in a calendar year applies to the "legal entity" constituting the covered entity
    • Important when several business units within one covered entity face enforcement for identical violations
• OCR's enforcement perspective on breaches
  • The government appreciates that loss and theft will occur
  • When it does, OCR will focus on what was done preventively to best protect the PHI involved
  • Does the covered entity or business associate have a good (and documented) reason why encryption was not used?
Breach Notification Rule
• History
  • 2009 HITECH Act
  • 2009 Interim Final Rule
  • HITECH Final Rule
• The bulk of the Breach Notification Rule is unchanged
  • Notification of breach of unsecured PHI
  • Media notice requirements (500+ individuals)
  • Notice to OCR (including annual notice for breaches affecting fewer than 500 individuals)
  • Content requirements of the notice
  • Timing of notice to individuals (without unreasonable delay, but in no event later than 60 days after discovery)
Breach Notification Rule (cont.)
Significant Change: Definition of Breach
• HITECH Act definition
  • Acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the privacy or security of the PHI
• Interim Final Breach Notification Rule
  • Further defined "compromises"
  • Risk-of-harm analysis (financial, reputational, or other harm)
  • OCR (and industry) have noted challenges in applying this standard
• HITECH Final Rule
  • An impermissible access, use, or disclosure under the Privacy Rule is now presumed to be a breach unless the covered entity or business associate can demonstrate a low probability that the PHI has been compromised
Breach Notification Rule (cont.)
• Determining that there is a low probability that PHI has been compromised
  • OCR provides four factors that must be weighed in making this determination:
  1. The nature and extent of the PHI involved (including the types of identifiers involved) and the likelihood of re-identification
     • Is this a risk-of-harm component? Not really: consider the likelihood of re-identification based on the PHI involved and the identity of the recipient
  2. The unauthorized person who used the PHI or to whom the disclosure was made
  3. Whether the PHI was actually acquired or viewed
  4. The extent to which the risk to the PHI has been mitigated (e.g., satisfactory assurances obtained from the recipient)
  • Additional OCR guidance is to be published; timing is unclear
Breach Notification Rule (cont.)
• Important clarifications and emphasis in the Final Rule
  • Limited Data Set exception removed
  • The trigger for annual notification is the date of discovery (not the date of the incident)
    • Important for incidents that occur (but are not discovered) at the end of a calendar year
  • Media notice does not require covered entities to buy ad space
  • The notification time period is not "within 60 days of discovery"; 60 days is the absolute latest at which a notification may be deemed compliant, and the operative standard is notification without unreasonable delay
Marketing Communications
• Former Privacy Rule
  • Marketing: a communication about a product or service that encourages recipients of the communication to purchase or use the product or service
  • Treatment and certain health care operations communications were excluded
• Final Rule
  • Eliminates the exceptions for financially remunerated treatment and health care operations communications
  • Prior authorization is required when a covered entity receives financial remuneration in exchange for making a treatment communication
Marketing Communications (cont.)
• Financial Remuneration
  • Defined as direct or indirect monetary payments from the third party whose product or service is being described
  • Notably, financial remuneration does not include in-kind benefits
• Financial Remuneration and Business Associates
  • If a business associate (or subcontractor) receives financial remuneration from a third party in exchange for making a communication about a product or service, that communication is marketing and requires an authorization
Marketing Communications (cont.)
• Two Critical Questions:
  1. Is the covered entity or business associate receiving financial remuneration?
  2. Is the covered entity or business associate receiving the financial remuneration for the purpose of making the communication?
Marketing Communications (cont.)
• Scope of Authorizations
  • Need not be limited to communications describing a single product or service, or the products or services of a single third party
  • A single authorization may apply to subsidized communications generally
• Exceptions to the Authorization Requirement Remain
  • Face-to-face communications
  • Promotional gifts of nominal value
Marketing Communications – Prescription Refill Reminder Exception
• Financially remunerated prescription refill reminders remain excluded from marketing if the financial remuneration is limited to the reasonable costs of making the communication
• Recent guidance from OCR: Two-and-a-Half Critical Questions
  1. Is the communication about a currently prescribed drug or biologic?
  2. Does the communication involve financial remuneration, and if so, is it reasonable?
Marketing Communications – Prescription Refill Reminder Exception (cont.)
• Is the communication about a currently prescribed drug or biologic?
  • Within the exception:
    • Refill reminders about a drug or biologic that is currently being prescribed
    • Communications regarding generic equivalents
    • Communications about a recently lapsed prescription (i.e., within the past 90 calendar days)
    • Adherence communications
    • For individuals prescribed a self-administered drug or biologic, communications regarding all aspects of the drug delivery system
  • Not within the exception:
    • Communications about specific new formulations of a currently prescribed medicine
    • Communications about specific adjunctive drugs related to the currently prescribed medicine
    • Communications encouraging an individual to switch from a prescribed medicine to an alternative