GAMABrief: Got HealthTech? Get HIPAA/HITECH Aware

This year, the U.S. Department of Health and Human Services (HHS) strengthened the privacy and security protections afforded protected health information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The new regulations took effect on March 26, 2013. Startups, medical organizations and Business Associates had until September 23, 2013 to fully comply.

If your company is still trying to figure out compliance, be aware of the following changes to the law that may affect your business.


Modifications to HIPAA Under the HITECH Act

Expanded Definition of Business Associate

The definition of a “Business Associate” has been expanded to include a person or entity that “maintains” PHI while performing certain functions or activities on behalf of a Covered Entity (CE). Examples include a data storage company that stores PHI on behalf of a CE or a software provider that stores PHI on its own server on behalf of a CE, regardless of whether the person or entity actually views the PHI. The new definition also adds “patient safety activities” to the list of functions or activities performed on behalf of a CE that give rise to a Business Associate relationship.

The definition of a “Business Associate” now includes the following three categories:

✓ (1) Any person or entity that provides data transmission services of PHI to a CE or another Business Associate and that requires “access on a routine basis” to such PHI, and (2) any person who offers a personal health record (PHR) to one or more individuals on behalf of a CE.

✓ “Access on a routine basis.” Examples of routine access include access to PHI by a software provider when providing troubleshooting services to its CE user, or the storage of PHI. Thus, even if the entity doesn’t actually view the PHI but only stores it, it is still a Business Associate. Mere conduits (e.g., ISPs, the postal service or telecommunications service providers) are not considered Business Associates due to the transient manner in which they handle PHI. Many CEs will now need to put Business Associate Agreements in place with vendors who require access to PHI on a routine basis.

✓ The determination of whether a PHR vendor is a Business Associate is a fact-specific inquiry. For example, a vendor that contracts with a CE to allow the vendor to access and then offer a PHR to a patient is considered a Business Associate because the vendor is providing a service on behalf of the CE. On the other hand, a vendor that offers PHRs to individuals through its own service, and not on behalf of a CE, is not a Business Associate.

✓ This section also defines health information organizations (HIOs)—organizations that oversee and govern the exchange of health-related information among organizations—as Business Associates.

✓ Public Safety Organizations (PSO) – Any entity that undertakes “patient safety activities” on behalf of a CE. This means any entity that receives reports of patient safety events or concerns from providers and provides analysis of events to reporting providers is a Business Associate. Previously, a PSO would only be treated as a Business Associate during the time that it actually engaged in analysis using PHI.

✓ Sub-contractor – An entity that works at the direction or on behalf of a Business Associate and handles PHI (e.g., companies that shred documents containing PHI) must also comply with applicable Privacy and Security Rule provisions. Sub-contractors will be held liable for violations. Essentially, sub-contractors of Business Associates need to comply with the exact same requirements as the Business Associates.

A GAMA White Paper produced by Christina Gagnier & Emily Poole. © 2013. Gagnier Margossian LLP. All rights reserved.

Application of HIPAA to Business Associates

Business Associates are now directly liable for:

✓ Impermissible uses or disclosure of PHI;
✓ Failure to provide proper breach notification to a CE;
✓ Failure to provide appropriate access to an electronic copy of PHI to a CE, individual or individual’s representative;
✓ Failure to provide an accounting of disclosures; and
✓ Failure to comply with the applicable requirements of the Security Rule.

If a Business Associate violates any part of a Business Associate Agreement, such violation is now considered a HIPAA violation. Business Associates may use, disclose or request PHI from another entity only if they limit the PHI to the minimum amount necessary to accomplish the intended purpose of the use, disclosure or request.

Business Associate Agreements

Due to the expanded definition of “Business Associate,” many CEs will have to either put new Business Associate Agreements into place or update agreements they already have. To comply with the HIPAA amendments, Agreements must now require that Business Associates:

✓ Comply with the Security Rule;
✓ Report breaches to the CE;
✓ Ensure that sub-contractors agree to and comply with all of the provisions that apply to Business Associates; and
✓ Comply with the Privacy Rule to the extent that the Business Associate carries out an obligation of the CE that is regulated by the Privacy Rule.

Notification

CEs must revise and distribute their notice of privacy policies and include a statement that:

✓ Describes the types of uses and disclosures that require authorization under HIPAA;
✓ Informs individuals of their right to opt out of receiving fundraising communications;
✓ Informs individuals of their right to require CEs not to submit treatment information to their health plan if the individual pays in cash; and
✓ Informs individuals of their right to receive notice following a breach affecting their PHI.

Marketing and Fundraising Modification

This modification strengthens limitations on the use and disclosure of PHI for marketing and fundraising purposes and prohibits the sale of PHI without individual authorization. Marketing has been redefined as any patient communication where the provider receives financial remuneration from a third party whose products or services are being marketed. When marketing is based on PHI, patient authorization is required.

Individuals’ Rights Modification

This modification expands individuals’ rights to receive electronic copies of their health information upon request and to restrict disclosures to a health plan concerning treatment when the individual pays by cash.

Individual Authorization Modification

This modification facilitates the process for an individual to give authorization for use of PHI for research purposes, for disclosing a child’s immunization records to a school, and for enabling access to decedent information by family members and others.

Breach Notification Modification

The breach notification standard has been lowered and breach notification requirements strengthened. When PHI is compromised in some way, there is an automatic presumption of breach. Before the amendments, to determine whether something was a “breach,” the CE assessed whether the use or disclosure posed a significant risk of financial, reputational or other harm to the patient. Now, an improper use or disclosure of PHI is presumed to be a breach unless the CE can demonstrate that there is a low probability that the PHI was compromised. The CE does this by assessing the nature and extent of the PHI involved, the entity who used the PHI or to whom the disclosure was made, whether the PHI was actually obtained or viewed, and the extent to which the risk has been mitigated.

Increased Penalties for Violations

Penalties have increased for non-compliance based on level of negligence (did not know; reasonable cause; willful neglect—corrected; willful neglect—uncorrected). The maximum penalty is $50K per violation and $1.5M for multiple identical violations. Reasonable lack of knowledge used to be an affirmative defense. Now, a CE can only claim a complete defense if the violation was not due to willful neglect and was corrected within 30 days of being discovered by the CE.

Genetic Information

The Genetic Information Nondiscrimination Act (GINA) amendments prohibit “health plans” from using or disclosing genetic information for “underwriting purposes” and define genetic information as “health information.”

✓ “Health Plan.” Prior to the amendments, HIPAA considered almost any plan that provides or pays for the cost of medical care a health plan. The modifications now expand the definition of health plan and prohibit four specific types of entities—group health plans, health insurance issuers, health maintenance organizations and Medicare supplemental policies—from using genetic information for underwriting purposes. Long-term health care providers are not included in this definition. Health plans that perform underwriting must include a statement in their notice of privacy policies that they are prohibited from using or disclosing genetic information for underwriting purposes.

✓ “Underwriting Purposes.” The amendments define underwriting purposes as anything related to the creation, renewal or placement of a contract for health insurance benefits, such as determining eligibility, cost of premiums or exclusion due to a preexisting condition.

✓ “Genetic Information.” The amendments define genetic information to mean information about the genetic tests of an individual, the genetic tests of an individual’s “family members” and genetic information about the manifestation of a disease or disorder in an individual’s family members. Genetic information also includes information about any request for, or receipt of, “genetic services,” as well as information about participation in clinical research that includes genetic services.

✓ “Family Member.” The amendments define family members to encompass up to “fourth-degree” blood relatives of the individual and relatives by marriage or adoption.

✓ “Genetic Services.” Such services include a genetic test, genetic counseling or genetic education.

For more information or guidance on getting your business ready for these regulatory changes, contact a privacy attorney at Gagnier Margossian LLP.

Internet | Intellectual Property | Privacy | Social Media | Technology | The Good Stuff | #nerdlawyers
Los Angeles | Sacramento | San Francisco
T: 415.766.4591 F: 909.972.1639 E: consult@gamallp.com gamallp.com @gamallp
