Brian M. Murray is a partner in Calfee, Halter and Griswold’s Employee Benefits and Executive Compensation and Health Care & Life Sciences practice groups.
Several years ago, hospitals, health care practitioners, pharmacies, insurance companies and health plan sponsors spent an enormous amount of time and money bringing their medical practices, claims administration procedures and group health plans into compliance with HIPAA’s privacy, security and electronic transaction rules.
With the Rise of AI, What IP Disputes in Healthcare Are Likely to Emerge?
Munck Wilson Mandala Partner Greg Howison shared his perspective on some of the legal ramifications around AI, IP, connected devices and the data they generate, in response to emailed questions.
Third-party service providers that created or handled their protected health information of covered entities also spent an enormous amount of time and money figuring out their obligations as “business associates” under those rules. But with the onset of “HIPAA fatigue,” and as it became apparent that the government’s short-term focus would be on education and voluntary compliance rather than strict enforcement, many covered entities and business associates have become complacent.
Thanks to the Health Information Technology for Economic and Clinical Health Act, which is often referred to as the “HITECH Act” due to Congress’s penchant for groan-inducing acronyms, the time has come to revisit HIPAA and your privacy and security practices. While the new privacy and security rules in the HITECH Act are generally effective on Feb. 17, a few changes become effective much sooner and deserve your immediate attention.
Raising the stakes
The HIPAA compliance stakes have been raised considerably. If imminent audits and formal investigations of complaints do not get your attention, Congress also authorized state attorneys general to sue for breaches of privacy and security requirements — with harmed individuals being entitled to share in the judgment or settlement amounts under rules yet to be issued, provided enhanced civil monetary penalties for those breaches and “clarified” (clarification by Congress rarely being a good thing) that criminal penalties may be applied to employees of covered entities. Since these changes are already effective, we could soon witness the emergence of a HIPAA crusading, politically ambitious state attorney general not unlike the one Wall Street had a few years ago.
A Personalized Approach to Medication Nonadherence
At the Abarca Forward conference earlier this year, George Van Antwerp, managing director at Deloitte, discussed how social determinants of health and a personalized member experience can improve medication adherence and health outcomes.
Against this background, the federal government is clearly stepping-up its enforcement efforts. In January, the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) teamed up to investigate the privacy practices of a national pharmacy chain. Apparently they concluded that nefarious elements, if they were so inclined, could infiltrate the company’s trash dumpsters and recover prescriptions and prescription bottles. The company paid a hefty fine and agreed to implement a Corrective Action Plan. More recently, on July 16, 2009, HHS announced that it is expanding its health information privacy enforcement team through the addition of two “health information privacy specialists” (read:Â investigators and auditors).
Alert the media!
If you accidentally disclosed individuals’ medical records, your first response would probably not be to make a public announcement about it on local radio and television stations and in the local newspaper. Nor, we suspect, would you be inclined to prominently display information about the disclosure on your company’s home page or notify HHS so that it could do likewise on its website and highlight your improper disclosure in its annual report to Congress. Well, you may be surprised to learn that, under certain circumstances involving improper disclosures of protected health information, you may have to do just that. These notice requirements become effective not later than September 15, 2009, and possibly earlier depending on the timing of agency action.
!#&%@&*$!# (Encryption)
Fortunately, these disclosure requirements can be avoided by using prescribed methods to secure protected health information. In April, HHS announced that these methods are “encryption and destruction.” Encryption must be performed in a manner consistent with the HIPAA security regulations. Since there are many ways to encrypt data, and there are safe harbor processes based on publications of the National Institute of Standards and Technology (NIST), even entities which already use encryption should review this guidance to ensure that all of the requirements are being satisfied. As my children will gladly demonstrate, there are also many ways to destroy things. So HHS has prescribed specific NIST standards for that too.
Administrative requirements
A very significant change under the stimulus bill is that business associates are directly subject to the privacy and security rules. So business associates and covered entities should revisit and, if necessary, dust off, their business associate contracts. Business associates will have a keener interest in ensuring that they have business associate contracts in place with their clients and customers.
Companies will need to amend their privacy practices and procedures to conform to several new requirements. For example, individuals are entitled to accountings of electronic disclosures of their protected health information made to carry out treatment, payment and health care operations in the three years preceding the request. Previously, these disclosures were excluded from the accounting requirement. Since there is a strong governmental push to have all health records be in electronic form, this could become a significant undertaking for health care providers, insurance companies and group health plans.
Material changes to privacy practices and procedures necessitated by the rule changes will require the revision of Notices of Privacy Practices (and, at least for self-insured group health plans, their distribution within 60 days of the changes). Workforce training must be performed within a reasonable period of time after the changes to privacy practices and procedures.
Stay tuned
The HITECH Act is just the tip of the iceberg as far as regulation of electronic medical records and the privacy and security of health information are concerned. There will be frequent and significant legislative and regulatory changes in this area over the next few years and compliance will remain a moving target. HIPAA privacy and security officers and others responsible for the privacy and security of their business’ health information should educate themselves about these rules because more voluminous and complex rules will quickly follow.
<a href=”http://www.calfee.com/Bio.aspx?ContentKey=124″>Brian M. Murray</a> is a partner in <a href=”Calfee,”>Calfee, Halter and Griswold’s</a> Employee Benefits and Executive Compensation and Health Care & Life Sciences practice groups.
