Health Care Law Alert, July 15, 2010
Health Care Practice Group Leaders: 248.988.5842, 480.684.1102
The Ever Evolving World of HIPAA Compliance

The Latest Round of Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under HITECH
Among all the discussions, debates and forecasts involving health reform laws, HIPAA has taken somewhat of a backseat. However, protecting the privacy and security of individually identifiable health information remains at the forefront for many health care providers and health plans engaged in managing the day-to-day issues involving the use, disclosure, access and storage of protected health information.
On July 14, 2010, the Department of Health and Human Services ("HHS") published its notice of proposed rulemaking ("Proposed Rule") implementing changes to the HIPAA Privacy, Security, and Enforcement Rules pursuant to the Health Information Technology for Economic and Clinical Health Act ("HITECH Act").
The Proposed Rule addresses a number of changes to the HIPAA Privacy, Security, and Enforcement Rules, including the following key modifications:
· Making clear that certain Privacy and Security Rule requirements apply to business associates of covered entities;
· Expanding the definition of business associate to explicitly include a Health Information Organization, E-prescribing Gateway and other persons that provide data transmission services;
· Establishing a new category of business associate: "subcontractors." Subcontractors that perform functions for or provide services to a business associate are also considered business associates to the extent such subcontractor requires access to protected health information ("PHI");
· Requiring business associates to enter into written contracts with subcontractors. (Historically, business associates were only required to "ensure" that subcontractors agree to the same restrictions on the use and disclosure of PHI);
· Revising the definition of PHI to exclude individually identifiable health information regarding a person who has been deceased for more than 50 years;
· Establishing new limitations regarding the use and disclosure of PHI for purposes of marketing and fundraising. Such limitations require "opt-out" provisions for certain marketing and fundraising communications;
· Requiring authorization for the sale of PHI in exchange for direct or indirect remuneration, unless an exception applies;
· Specifying that a covered entity must restrict disclosure of PHI about an individual to a health plan if the disclosure is for payment or health care operations and the PHI pertains to health care items or services for which the individual paid the covered entity in full;
· Creating an individual's right to access their PHI in a form and format requested by the individual (e.g., electronic format), provided that the PHI may be produced in such form or format and, if not, in a readable form and format as agreed by the covered entity and the individual;
· Expanding the enforcement provisions by specifying that business associates are subject to civil monetary penalties ("CMPs") for violations of HIPAA, and that covered entities are liable, pursuant to Federal common law agency principles, for a CMP for HIPAA violations based on the act or omission of any agent of the covered entity, including a workforce member or business associate; and
· Identifying factors to determine the amount of a CMP, as well as including the application of penalties against business associates; increasing the penalty cap to $1.5 million depending on level of culpability, plus providing examples of violations that fall into the different penalty levels; and imposing vicarious liability based on common law "agency" principles.
For purposes of addressing compliance issues involving current written business associate agreements between covered entities and business associates, the Proposed Rule provides a transition period (i.e., a grandfather clause) for existing business associate agreements ("BAAs"). The Proposed Rule would permit covered entities and business associates (and business associates and business associate subcontractors) to continue operating under certain existing BAAs for up to one (1) year beyond the compliance date set forth in the future final rule. The transition period would be available to a covered entity or business associate if, prior to the publication date of the final rules, the covered entity or business associate had an existing written BAA in place that complied with the prior provisions of HIPAA and such BAA was not renewed or modified between the effective date and the compliance date of the final rule.(1) Importantly, however, the transition provision only pertains to amending BAAs. Thus, according to HHS, the transition provision does not affect any other compliance obligations under the HIPAA Rules.
Accordingly, covered entities and business associates with current written BAAs will be deemed compliant with HIPAA requirements so long as the conditions described in the Proposed Rule are met.
Compliance Dates and Comment Period
Following promulgation of the final rule, covered entities and business associates will have 180 days to come into compliance with most of the Proposed Rule provisions. For future modifications to HIPAA, covered entities and business associates will have 180 days from the effective date of such future rule modifications.(2) Therefore, we recommend that covered entities and business associates take advantage of this time period to evaluate compliance with the modifications set forth in the Proposed Rule.
HHS will be accepting comments regarding the Proposed Rule until September 13, 2010.
To find out more about Clark Hill and our Health Care Practice Group, visit clarkhill.com or call 800.949.3124.