The New HIPAA Era: What's New, What's Different and What's Actually Important
Presented by: Kirk J. Nahra, Wiley Rein LLP, Washington, D.C.
202.719.7335
KNahra@wileyrein.com
@kirkjnahrawork
March 13, 2013
This Presentation
• Key elements of the new HITECH rules
• Take a deep breath – they are important, and will involve change, but are not earth shattering.
• We have known for four years most of what this regulation was going to say
• Will try to focus on what’s most important for most of you.
The Omnibus Regulation
• Published in the Federal Register on January 25, 2013
• Effective on March 26, 2013
• Requires compliance by September 23, 2013
• One question during this period – what will you do for situations where the rules are changing?
Background
• The interim final regulation clarified that the statute incorporated a “risk of harm” threshold – notice is required where there is a “significant risk of financial, reputational or other harm.”
• Covered entities have been reporting breaches under this standard for two plus years
The Big News
• Two significant changes
• Modified the “presumption” for breach reporting so that it is clear that notification is required to the affected individuals unless the covered entity “demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment.”
The Risk Assessment
• HHS has removed the “risk of harm” element
• Instead of the risk of harm standard, there is a “risk assessment” to determine if there is a low probability of a “compromise” of the PHI.
• If the risk assessment reveals a low probability of compromise, notification is not required.
• Covered entity can provide notice without a risk assessment.
The Risk Assessment
• The nature and extent of the protected health information involved, including types of identifiers and likelihood of re-identification;
• The unauthorized person who used the protected health information or to whom the disclosure was made;
• Whether the protected health information was actually acquired or viewed; and
• The extent to which the risk to the protected health information has been mitigated.
Other Elements
• Most of the rest of the rule remains largely the same
• General exceptions to “breach” do not change
• Reporting to HHS stays the same (except for timing on reporting of some smaller breaches)
• Notice to media does not change
• Details of notification do not change
Next Steps
• Current rule is in effect until September 23, 2013
• Follow the current “interim final” standard until then
• Each time you have a potential breach, evaluate using both standards. Spend some time figuring out if any results are different
Business Associate Issues
• The biggest overall development for this regulation is the impact on business associates
• Business associates have always had contractual obligations
• Now they are subject to legal obligations and enforcement risk
Business Associate Issues
• Business associates will now have a legal obligation to follow the privacy provisions of a standard business associate agreement (and the new HITECH provisions)
• This is not everything in the privacy rule (e.g., providing a privacy notice)
• This should not impact behavior because the “legal” obligations are the same as the current contracts
Business Associate Issues
• Business associates now must follow the entire HIPAA Security Rule
• This is a big deal.
• The current contracts require “reasonable and appropriate” security standards
• Complying with the Security Rule is much more involved and detailed
Business Associate Issues
• Business associates need to get moving now on security compliance
• These rules also apply to downstream contractors – on down the line indefinitely
• This is a big expansion – and to some companies who may not even be aware of their BA obligations
Business Associate Issues (For CEs)
• Evaluate what you want to do with your business associate contracts – substance and process
• Plan on the timing – you have time, but how long do you want “old” contracts in place?
Business Associate Issues (For CEs)
• HHS has created categories of business associates – those who are “agents” and those who are not
• Applies primarily in notice and enforcement contexts
• Explicitly a “fact specific” assessment
• Consider how you are going to handle this – real questions as to whether to address at all.
Enforcement
• Lots of new provisions for the HIPAA Enforcement Rule
• These do not create compliance obligations, but define a process for a formal enforcement proceeding
• Bottom line – HHS has LOTS of discretion on how it does enforcement and issues penalties and other resolutions
Enforcement
• Discussion of “agents” in context of enforcement
• Clearly states that HHS can take action against CEs for actions of “agents”
• Unclear what they can/will do for others
• This is very much a “formality” issue – investigations still will be mostly negotiations
Enforcement
• Remember what HHS is doing on enforcement these days
• They are starting investigations in lots of situations – based on notices, complaints, media reports, etc.
• They are asking lots of questions, and then broadening out from the starting point
Enforcement
• Be very careful in the early stages of investigations
• Documentation of policies and procedures is critical
• It is always better to have fixed the problem already (if there is one)
• Take them seriously at all times
Marketing Provision
• Current HIPAA rules impose significant restrictions on how PHI can be used and disclosed for marketing purposes
• HITECH statute mandated that marketing be further restricted in situations where there is “payment” to make the communication
• Omnibus regulation now implements this provision
Marketing Provision
• What does this do?
• Does not change the situations where “marketing” has been permitted so far.
• If it is permitted under the rules today, BUT the covered entity receives “remuneration,” a member authorization will be required.
Marketing Provision
• What kinds of communications may be affected?
• Presumably when a covered entity is “marketing” someone else’s products or services
• Be careful if you are getting paid in any way – think about why you are doing this
Sale Issue
• Similar point as with marketing – PHI cannot be sold without a patient authorization
• Many exceptions
• Covered entities and business associates need to evaluate any situation where PHI is sold
Sale Issue
• So what’s really changed?
• There still has to be a permitted basis for disclosure (even before the sale issue)
• Since treatment and payment are still “exceptions,” is this really (only?) eliminating “sales” for “health care operations” purposes? How much of that is there?
Authorizations
• The Rule makes certain changes about the substance of authorizations
• In addition to the “sale” and “marketing” issues
• Simplify authorizations in the research context – both allowing compound authorizations and for future research
Privacy Notices
• Covered entities will need to issue new privacy notices
• HHS recognizes the cost elements of this, and has taken some steps to moderate financial impact
• Have not simplified notices in any way
• Their cost estimate is 1/3 of an hour at a cost in legal fees of $28 – good luck with that
Miscellaneous
• No more HIPAA protection for records of people dead for more than 50 years
• GINA provisions impact how genetic information can be used by health plans for underwriting purposes
• Mainly reinforces existing principles
Miscellaneous
• Confusing provision about requiring providers to restrict disclosure to health plans where the patient requests it and pays for services out of pocket
• Imposes no compliance obligations on health plans
• Consider where (if at all) this will be relevant
What’s Not Here?
• Few new changes to HIPAA beyond HITECH
• No final accounting rule changes – separate timeframe. Highly controversial, most comments were exceedingly critical
• Additional guidance on minimum necessary coming
• Parallel developments on de-identification issues
Next Steps
• The omnibus regulation affects only a small portion of the HIPAA provisions
• No material changes to the substance of the Security Rule (just the application to BAs)
• And we have known almost all of this since the HITECH law – this just starts the real clock running