HIPAA Omnibus Final Rules and Penalties

On Friday January 25, 2013, the Department of Health and Human Services published the Final Rule modifying the HIPAA privacy, security, enforcement, and breach notification rules under the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Non-Discrimination Act (“GINA”) as well as other modifications to the HIPAA rules. (See 45 CFR Parts 160 and 164, Federal Register Volume 78 Number 17.)

The omnibus rule actually contains four final rules. The first final modifications to HIPAA which were mandated by “HITECH” include modifications intended to improve the Rules which were issued as a proposed rule on July 14, 2010 include six modifications.

The first omnibus final rule includes direct liability modifications for business associates of covered entities for compliance with certain HIPAA privacy and security rule requirements. Strengthening of limitations on the use and disclosure of protected health information, expanded individuals’ rights to receive electronic copies of their health information, modification and redistribution of entities privacy practices protocols, modification of individual authorization forms and other requirements to facilitate research and disclosure of child immunization proof to schools as well as to enable access to decedent information and lastly the enforcement rules have been modified to address violations such as non-compliance with HIPAA rules due to willful neglect.

The second omnibus final rule adopts changes to the HIPAA enforcement rule that increase the civil monetary penalties in a tiered manner.

The third omnibus final rule involves the breach notification for unsecured protected health information under the “HITECH” act. This rule replaces the prior rules “harm” threshold with a more objective standard.

Finally, the fourth rule prohibits most health plans from using or disclosing genetic information for underwriting purposes.

These final rules take effect this month on March 26, 2013. Covered business entities and business associates must comply with the applicable requirements by September 23, 2013. The penalties for violating the final rules are now as follows:

TABLE 2 – CATEGORIES OF VIOLATIONS AND RESPECTIVE PENTALTY AMOUNTS AVAILABLE

Violation Category – Section 1176 (a)(1)

Each Violation

All such violations of an identical provision in a calendar year

(A)  Did Not Know(B)   Reasonable Cause

(C)   (i)Willful Neglect-Corrected

(C) (ii) Willful Neglect-Not Corrected

$100-$50,0001,000-50,000

10,000-50,000

50,000

$1,500,0001,500,000

1,500,000

1,500,000

Providers need to be aware of the penalties for violating the rules as we most recently reported to you the office of civil rights will not hesitate in sanctioning providers for violating the Act in amounts in excess of $1.5 million.

Final Privacy Rule Affects Clinical Research Organizations

The final HITECH Act rule was published on January 25th, and it includes revisions to HIPAA.  The two things affected by the new rule are (1) compound authorizations, and (2) authorizations for future research.

Compound authorizations are basically authorizations for two separate uses of protected health information (PHI).  The new rule allows combining an authorization for a research study with any other written permission for the same study, such as authorization to participate in the research.  The core elements of a valid authorization remain in place.  The intent is just to provide some flexibility in clinical research settings.

Traditionally, authorizations had to be study specific.  The new rule allows authorizations not to be study specific, but they have to describe future uses or disclosures in a way that patients will understand that their PHI could be used in future research.

Closely Monitoring the 26.5% Medicare Physician Payment Threat

Via HCMA, SGR Advocacy Alert from the AMA – – – –  The negotiations between Speaker Boehner and President Obama on the Lame Duck tax and deficit reduction package are at an impasse. There is a very real threat of the 26.5 percent Medicare physician payment cut taking effect on January 1, 2013, at least temporarily.

If Congress does adjourn without addressing the payment cut being induced by the sustainable growth rate (SGR) formula, the Administration announced today that the Centers for Medicare and Medicaid Services will follow normal claims processing procedures.

That is, claims will not be held and Medicare carriers will process payments for physician services provided after December 31 under the normal 14-day cycle required by law.  Payment for these claims would be based on the new, lower fee schedule conversion factor of $25.0008, as opposed to the current rate of $34.0376.

At this time, it is impossible to predict whether the 112th Congress will find a way to pass a stop-gap measure before adjourning, how long such a measure would last, or how long payment cuts will be in effect before legislation can be passed after the 113th Congress convenes in January.  It is highly unusual for a new Congress to enact significant legislation in the first month of its session, but the circumstances facing our nation today are far from typical.

It is inexcusable that Congress is once again putting the 47 million Medicare patients and the practices of physicians who provide them needed health care at significant risk.  The Medicare program has become unreliable and its instability undermines efforts by physicians to implement new health care delivery models that stand to improve value for seniors and other beneficiaries through better care coordination, chronic disease management, and keeping patients healthy.

The AMA believes that the financial disruption this situation will cause for physicians and their practices is unacceptable, and we will continue to fervently convey this message in the strongest possible terms to Congress and the Administration, as we have for the past several weeks.  Our patient and physician grassroots networks have been activated, and we are seeking your voices to tell Congress just how deeply its inaction will affect you.

Despite these efforts, at this time we feel compelled to advise physicians to start making plans for steps they can take to mitigate this disruption and meet their own financial obligations in January, in case the 26.5 percent cut actually takes effect.  Given the potential impact on practice revenue in early January, physicians should be certain adequate arrangements are in place to sustain their practices.  For those physicians who are forced into the untenable position of limiting their involvement with the Medicare program because it threatens the viability of their practices, we urge that patients be notified promptly so that they, too, can explore other options to seek health care and medical treatment.

FTC Interim Final Red Flags Rule a Reprieve for Health Care Providers

By:  Rodger Hochman, Board Certified in Health Law

On November 30, 2012, the Federal Trade Commission (FTC) issued its interim final “Red Flags Rule” which narrowed the definition of “creditor” in such a way that essentially confirms that most health care service providers are not subject to its requirements.

The Red Flags Rule was originally promulgated in reaction to the perceived risk of identity theft in various transactions involving financial institutions and creditors, and it required them to develop and implement a written identify theft program to combat these risks, including internal processes for identifying “red flags” of identity theft.  The application of the Red Flags Rule to health care service providers was controversial since it advanced a counterintuitive notion that a provider who engaged in ordinary course business activities, such as rendering health care services where insurance or other payment would be received later, was a “creditor” by definition, thus was equated with the business of financial institutions and subject to standards more applicable to the relationship between commercial creditors or lenders and their customers.

Under the original rule, any “creditor” was required to establish an identity theft program.  The definition included “any person who regularly extends, renews, or continues credit…”  The FTC interpreted this expansively to include physicians and other providers who accept insurance as payment or who permit payment plans, where payment in full was not received at the time of service.  Thus, if a physician or hospital were to accept a patient’s insurance coverage or bill the balance not covered by insurance to the patient, that was viewed as an extension of credit to the patient which triggered regulatory compliance obligations by the provider.  Although the FTC later clarified its position in saying that it applied only to creditors that regularly and in the ordinary course of business advance funds, there was still some ambiguity.

The interim final rule now makes clear that advancing funds does not include what is routine health care services billing and collection activities (such as deferring payment of fees in connection with providing services) and that most service providers are not subject to the rule.  Nevertheless, while the interim final rule confirms that most providers are not subject to the Red Flags Rule, entities that collect consumer data should still carefully consider how they collect and use such data.   To the extent that they use or provide patient information in connection with credit reporting services, the Red Flags Rule would apply.  Further, health care providers remain subject to the HIPAA/HITECH privacy and security rules with respect to all patient identifying information regardless of whether they are subject to the Red Flags Rule.

Perceived Risk Outweighs Actual Harm in Assessing $1.5M HIPAA Fine

The Office of Civil Rights’ recent assessment of a $1.5 million fine for HIPAA violations should be a shrill wakeup call to all health care organizations that use (or allow their physicians to use) portable devices containing patient identifiable information.  The sanction stems from a physician’s lost laptop computer containing protected health information (ePHI).

Importantly, the OCR’s investigation could not establish whether ePHI was used or even accessed, partly because the device was lost in a foreign country.  However, it was not necessary to definitively conclude if any data had been compromised; the OCR was more concerned that the offending provider had not implemented appropriate measures mandated by the HIPAA Security Rule which could have reduced, mitigated or eliminated the risk altogether.  For the OCR, the heart of the matter was the fact that the covered entity failed to fully assess and evaluate the risk to the confidentiality and security of ePHI on portable devices used by its physicians in their personal activities, and failed to have a process to address when such devices are lost.  In this case, it was the incident itself that caused the organization to formalize and take responsive measures.  The barn door was closed after the horse got out.  To the OCR, the covered entity’s reactive, rather than proactive approach, was totally at odds with HIPAA Security Rule concerns and the mandated obligations of covered entities.

The facts are fairly simple.  A research physician from a Massachusetts specialty hospital facility was traveling to South Korea to give a lecture when he misplaced his backpack in a public area.  A personal laptop, containing health information of several thousand patients, was in the backpack.  The computer was eventually “detected” a few weeks later when it was connected to the internet, and its hard drive was later remotely “wiped”, however, the device was not recovered.  The incident was then reported to the OCR in accordance with the breach notification requirements of the HIPAA Security Rule.

This is an instructive case for a number of reasons.  For one, it is important to recognize that the OCR’s investigation was prompted by the obligatory “breach notification” it received from the provider.  The OCR’s inevitable investigation in turn revealed that there was significant noncompliance with multiple aspects of the Security Rule.  Notably, the OCR determined that the covered entity had lax control over, and little knowledge concerning its own physicians’ use of laptops issued to them by the organization.  Physicians were permitted unfettered access to the entity’s information, took their devices off-site where they were used for personal activities, and could remotely download information and install applications freely to these personal devices.  Further, while the laptop in question was password protected and had “LoJak” tracking and wiping software, encryption was not employed.  Further, many weeks passed before a hard drive wipe was effectuated and only after it was determined that the device had been connected to the internet.  In short, the OCR concluded that the entity had neither conducted an adequate security assessment nor established necessary policies or procedures addressing laptop use, and had not promulgated an appropriate response procedure.  Instead, it reacted to the lost laptop in a scramble of ad hoc activity and only instituted organization-wide changes as a result of this episode.

The most significant issue for the OCR in assessing a $1.5 million fine was not whether the incident caused actual harm to any patient, but the degree of risk of potential harm and whether reasonable steps and safeguards should have been in place to mitigate any data breach.  In short, the entity should have anticipated laptops would be lost and it should have addressed the attendant risks through a deliberate process and in a manner that is “situationally” appropriate for the organization.  Here, the organization abrogated such a duty, thus prompting a fine that may be disproportional to the perceived harm.  This outcome should prompt providers to seriously regard the HIPAA Security Rule, and the OCR’s enforcement efforts, and to abandon any “no harm, no foul” notions they might apply when security breaches occur and must be reported