[Med-privacy] " New HIPAA Era"
peter marshall
pwm@comcast.net
Mon, 16 Mar 2009 14:56:28 -0700
A New HIPAA Era Emerges
By Kirk J. Nahra
March 2009 | Privacy In Focus

After years of debate with little progress, a new Health Insurance Portability and Accountability Act (HIPAA) era has become a reality through the economic stimulus legislation. As part of the American Recovery and Reinvestment Act of 2009, Congress has created a wide range of new incentives for health care providers to develop and utilize electronic medical records. While there had been a substantial debate about whether such incentives (or the use of electronic medical records in general) required changes to the HIPAA privacy and security rules, that debate has now ended.

New Statutory Requirements

In fact, this legislation now imposes the most significant set of privacy and security changes for the health care industry and its business partners since the initial adoption of the HIPAA Privacy Rule. These changes go far beyond any issues related to electronic medical records—by providing substantial new authority for enforcement and significant additional penalties for HIPAA violations, extending the effective reach of HIPAA coverage to business associates, changing certain use and disclosure rules and creating additional individual rights. While debate will continue—and many of the provisions require additional rulemaking activities—the health care privacy world is changed substantially by these new legislative provisions. Health care companies across the board—and all of the companies that provide services to the health care industry—must pay close attention to these new rules, and should begin developing strategies to meet their requirements and deal with a substantially stronger enforcement environment.

What Are the Key Provisions of the Legislation?

Enforcement Strengthened

It was widely anticipated that the Obama Administration would be more aggressive about HIPAA enforcement than its predecessor. Independent of this inclination, the new legislation creates significant new tools for aggressive enforcement of the HIPAA rules. Over the course of the next few years, we can expect these changes to produce a fundamental shift in the overall enforcement of the HIPAA Privacy and Security Rules.

First, the legislation increases substantially the penalties that may be imposed for violations of the rules, from the current high of $25,000 to as much as $1.5 million. Fines are mandatory in situations involving "willful neglect." Some of these new penalty amounts may even be paid to "harmed" individuals in the future.

Second, state Attorneys General (AGs) now have clear and explicit authority to enforce the HIPAA rules. While state AGs have initiated HIPAA-related actions in the past, relying on their inherent authority to act to protect citizens of a state, this new provision effectively creates a parallel enforcement environment for violations. On the one hand, this enforcement is limited in meaningful ways, mainly in terms of amounts that can be sought by the state AGs. On the other hand, however, this approach creates realistic risks of differing standards and inconsistent action from state to state. Moreover, while the Department of Health and Human Services (HHS) Office of Civil Rights is severely constrained by the detailed procedures of the HIPAA enforcement rule, it is not at all clear that the state AGs are bound by these procedural protections.

Third, correcting what many saw as an oversight in the current HIPAA provisions, the legislation now permits enforcement actions against individuals employed by health care entities. Even though the Department of Justice has creatively pursued a limited number of criminal cases against individual employees (mainly where identity theft, health care fraud or some other serious criminal activity is combined with the HIPAA issue), the new legislation creates broader and more explicit authority for enforcement against individuals.

Security Breach Notification

At the same time that enforcement actions are given new strength, the legislation also creates a new federal security breach notification requirement for the health care industry, mandating that most breaches be reported not only to affected consumers but also to the government, and even to the media in some situations.

This new breach reporting requirement becomes the first significant national reporting statute. It is much broader than virtually all of the state notification laws. This provision creates a new notification standard for the health care industry—whether the breach has anything to do with an electronic health record or not. While there clearly are open questions about details of the legislation, this provision is broader than most relevant state notification laws, because it (1) applies to breaches involving any kind of personal information held by health care companies (rather than only specific categories—such as Social Security Numbers), and (2) does not include any "risk of harm" threshold. Therefore, this provision will require reporting of a wide range of security breaches, regardless of the sensitivity of the information involved or the degree of risk that harm will result from the breach.

For the health care industry at large, this breach notification requirement may be the single most significant new requirement of this legislation—and the one that is likely to affect a large number of companies most quickly and publicly. Because the notice requirement applies only to "unsecured" information, this legislation also may accelerate the movement toward encryption of a wider range of health care data.

As with many of the state laws, the obligation of a "business associate" under this statute is to report a breach to the covered entity—much like the current reporting structure for "security incidents" under the Security Rule. Because there are some complexities about the timing of this reporting, covered entities should consider whether to put specific timing obligations for reporting into their business associate agreements.

This provision will be applicable for breaches that occur 30 days or more after the implementing regulation is issued—which regulation is required to be issued within 180 days of passage of the law. So, this requirement will take effect before most of the others.

Extension of HIPAA Requirements to Business Associates

Another requirement that will generate enormous work for the health care industry and its business partners arises from a series of provisions that essentially extend full compliance responsibility for the HIPAA Privacy and Security Rules to the business associate category—the companies that provide services to the health care industry. Today, these vendors must sign a contract with their health care clients that extends certain HIPAA provisions by contract to the business associate. The new provisions will obligate these business associates by law to follow all HIPAA provisions, rather than just the handful previously required to be included in business associate contracts. Again, this requirement is not limited to electronic health records. It clearly extends HIPAA coverage to most business associates, whether they have anything to do with electronic health records or not.

Accordingly, coupled with the new enforcement provisions, the risks for business associates are now magnified substantially. For health care-covered entities, these rules also create an apparent large-scale obligation -- the need to revise all existing business associate contracts to incorporate these new requirements. Health care companies -- with full memory of the difficulties of compliance with the initial HIPAA business associate contracting requirements in 2003 -- should promptly begin to develop model language and an approach to overall modification of thousands of business associate contracts.

Restrictions on Sharing Health Care Information for Self-Pay Situations

The new law also creates some potential fraud concerns. One new provision permits individuals to request of their health care provider that the provider not disclose information to an insurer for payment or health care operations purposes, if the patient has paid for the service out of pocket. While there are no direct compliance obligations for health plans (and only limited responsibilities for health care providers), health plans will need to analyze how these provisions could impact their claims payment and underwriting activities, as this provision does nothing more than permit individuals to hide information from their insurers. The challenge will be to identify how this kind of action could encourage or facilitate fraud or other inappropriate activity by the patient, and develop appropriate countermeasures.

Limited Data Sets and Minimum Necessary

Although more restrictive provisions were rejected, the legislation begins to take steps toward redefining some of the core uses and disclosures permitted under the Privacy Rule. The legislation mandates that HIPAA-covered entities examine "to the extent practicable" whether a "limited data set" can be used for the disclosure of health care information. A limited data set is, essentially, health care information that has been almost (but not quite) de-identified. While there are no particular details to this component of the legislation, it appears to insert a new administrative step for all uses and disclosures—to determine whether a limited data set could be used. Clearly, most uses and disclosures of information involve an individual—the typical claims submission/claims payment transaction, for instance. Covered entities will need to expend little effort to determine that a limited data set cannot be used for such purposes. However, covered entities will need to expand their procedures for considering whether limited data sets may be appropriate for other disclosures.

Next, if a covered entity determines that it cannot use a "limited data set," the legislation mandates that the covered entity follow the "minimum necessary" rule. Obviously, this rule is in place today, so the primary effect of this provision will be to dictate de facto a re-evaluation of current minimum necessary practices. On a more troubling note, the legislation also requires HHS to initiate rulemaking in the future—including an evaluation of whether there is a category of disclosures for which a limited data set should be required for a disclosure to be permitted without an authorization, and for the particular information that is the "minimum necessary" in specific situations. While it is hard to see how HHS will develop a "one size fits all" minimum necessary standard suitable for all specific treatment or payment purposes, regardless of the situation or the company involved, the legislation requires that HHS issue this guidance within 18 months of the passage of the legislation.

The Accounting and Access Rules

While most of these new provisions are not limited to electronic health records, two specific components are confined to situations in which an electronic health record is used. Nothing in the legislation pretends to reconcile the apparent contradiction in creating new legal obligations at the same time that it is creating incentives to utilize these records.

First, the legislation expands the (so far) little-used accounting rule. If a company uses an electronic health care record, it now will have to track for accounting reasons all disclosures of information for treatment, payment and health care operations purposes. This will be a significant expansion in the overall burden for health care companies—but only if they use an electronic health record. The assumption of the legislation appears to be that electronic health records will have easy means of tracking these disclosures, but that clearly is not the case today with all (or even most) electronic health records.

In addition, the individual right to access is expanded by this legislation, again where an electronic health record is used. While this access provision is more limited and less burdensome than the accounting provision, it is another example of imposing new obligations on companies that undertake to create and use electronic health records.

Marketing Provisions

The legislation also alters the substance of the marketing provisions of the HIPAA Privacy Rule. First, the legislation clarifies that "marketing" communications will be considered "health care operations" only if they meet the specific criteria set forth in the Rule. As with certain other provisions (such as the minimum necessary provision), this seems to be simply a restatement of the existing regulation. Beyond this provision, however, the legislation requires an authorization even for communications that were permitted by the HIPAA Privacy Rule, if the covered entity receives "direct or indirect" payment for the communication. While the clear intent of this provision is to cut back on "paid" marketing communications, the most likely impact will involve a statutory ambiguity -- what constitutes "indirect" payment for a communication. Covered entities should evaluate promptly their ongoing marketing programs, to determine whether there are situations where payment arguably is involved.

Personal Health Records Issues

While the privacy provisions clearly were driven by the push for electronic medical records (even though most provisions are not limited to electronic health records), the legislation also punts on one of the key HIPAA "gaps" that has emerged in the health care field in recent years—the role under HIPAA of personal health records and the vendors that offer personal health records products, most of which are outside the current HIPAA structure. Rather than creating specific rules for these entities, Congress has dictated a study of personal health records issues going forward, to identify appropriate rules. It also created a "temporary" security breach notification standard for these entities.

State Law and Privileges

The legislation does nothing to alter the current "preemption" status of the HIPAA Rules. Essentially, state laws will continue to govern if they are "more stringent" than the relevant HIPAA provision. While many electronic health record advocates have identified state law disparities as a significant hurdle to widespread adoption of electronic health records, this legislation does nothing to "fix" this problem. Instead, it preserves the status quo. Moreover, by focusing attention on specific state law "privileges," the legislation may in fact exacerbate this problem. For example, in certain recent cases, state law "physician-patient privileges" have been used to stonewall health care fraud investigations, where HIPAA would have permitted the relevant information about the fraud perpetrated by a health care provider to be disclosed. This preemption issue will continue to create confusion and concern across the health care industry.

Effective Dates

Most of the provisions of this legislation take effect 12 months following enactment; however, the increased penalties for HIPAA violations essentially are effective with the enactment of the statute. There also are various requirements for the issuance of new regulations on specified timetables, often with separate effective dates, depending on when a regulation is issued. The breach notification provision is effective for breaches that take place 30 days or more after the issuance of the HHS implementing rule, which is required to be issued within 180 days of passage of the legislation. As the HIPAA legislation implementation progresses and companies analyze their obligations, it will be important to focus attention on the required timetable for bringing a health care company into compliance with these new requirements.

Major Challenges

This legislation creates an entirely new environment for health care privacy and security. Enforcement will be more significant and more substantial. Security breaches—even those without any discernible risk of harm—will be more broadly publicized across the country. And companies face a variety of new requirements that will affect their day-to-day operations. Three challenges stand out from the rest:

Developing a Business Associate Contracting Strategy

Without any articulated rationale, the legislation appears to require that all business associate agreements be amended to incorporate the new requirements imposed by the legislation. Those who went through the 2003 business associate contracting process may remember this was an enormous task, where volume concerns often predominated over substance. Here, with the required addition of certain terms, health care companies essentially must revisit and renegotiate their overall business associate portfolio. Accordingly, it will be critical to promptly develop an overall strategy for revising existing and establishing new business associate arrangements.

Upgrading Overall Compliance

The second challenge is more contextual. There are significant new requirements in this legislation. More importantly, however, we can expect a significantly enhanced enforcement environment. Accordingly, covered entities need to focus attention on overall compliance—because the enforcement risks if something goes wrong are now much greater. Companies should be re-evaluating their HIPAA privacy and security plans, focusing on high-risk areas and other areas where companies (including peers and competitors) have had problems.

Developing a Broader Breach Notification Plan

Similarly, virtually all health care companies have "breaches" that will trigger notification under these new provisions. Most of these "breaches" cause no harm and present no risk of harm. Under today's HIPAA rules, such a company is required to take steps to mitigate potential harm, and to evaluate whether changes need to be made to prevent future problems, but often nothing significant is done in response to many minor breach events. Now, these breaches will require notification -- to patients, customers, the government and perhaps the media. This places a much higher priority not only on effective security strategies to prevent breaches, but also on an effective breach notification and mitigation plan.

Conclusions

The new legislation is only a first step—and lots of questions still remain unanswered—but it is clear that these new provisions have significantly altered the overall health care privacy and security environment. Health care companies and their business partners need to begin studying these provisions promptly, and to develop appropriate strategies to ensure compliance and mitigate the growing risk of security and privacy enforcement.

For answers to questions on any aspect of the new health care privacy and security legislation, or for assistance in understanding and meeting its requirements, please contact:

For more information, please contact Kirk J. Nahra at 202.719.7335 or knahra@wileyrein.com.