HIPAA, HITECH and Beyond

HIPAA Security Risk Analysis: Fact or Fiction?

Posted in Meaningful Use, Security

Leading up to the recent compliance date for the Final HIPAA Rule, much was made about the need for providers to perform a security risk analysis.  Quite a bit of dialogue around the increased security compliance obligations centered on the security risk analysis as a foundational requirement of HIPAA.   Although this is not a new requirement, heightened HIPAA enforcement and increased penalties, movement toward EHRs, and Meaningful Use requirements have forced providers to focus more resources on assessing their security risks.

To assist providers in performing their risk analyses, we thought it would be helpful to share some recent guidance from the Office of the National Coordinator for Health Information Technology (“ONCHIT”) which helps clarify some misperceptions surrounding this HIPAA security compliance requirement.  Set forth below are the ONCHIT’s “Top Ten” myths of security risk analysis.


OCR Issues Guidance on Refill Reminder Exception to HIPAA Marketing Rule

Posted in Enforcement, Rulemaking

Prompted by litigation filed by Adheris[1] as well as concerns raised by consumer advocates and health care stakeholders regarding the viability of prescription refill reminder programs under HIPAA’s stricter marketing prohibitions, on September 19, 2013, OCR issued additional guidance regarding the scope of HIPAA’s refill reminder exception.  Notably, OCR also delayed enforcement on this issue until November 7, 2013.

The Final Omnibus HIPAA Rule finalized HITECH’s limitations on the use and disclosure of PHI for marketing purposes.  With limited exceptions, HIPAA requires an individual’s written authorization before his or her PHI can be used or disclosed for marketing.  HIPAA defines marketing to mean communications that are paid for by the manufacturer of the product or service being promoted in the communication.  45 C.F.R. § 164.501.

Refill reminders, which were expressly excluded from HIPAA’s definition of “marketing,” have been defined as reminders or other communications about a drug or biologic that is currently being prescribed for the individual, provided that financial remuneration received by the covered entity in exchange for making the communication, if any, is reasonably related to the covered entity’s cost of making the communication.  See 45 C.F.R. § 164.501.  Financial remuneration means payment to a covered entity (or business associate, if applicable) from or on behalf of a third party whose product or service is being described.  Financial remuneration does not include non-financial or in-kind benefits.  78 Federal Register at 5596.

Thus, there is a two-step analysis in determining whether a communication falls within the refill reminder exception to marketing:

  • Is the communication about a currently prescribed drug or biologic?
  • Does the communication involve financial remuneration, and if so, is the financial remuneration “reasonably related” to the cost of making the communication?

Notwithstanding this refill reminder exception to HIPAA’s marketing definition, concerns arose following issuance of the Final Omnibus HIPAA Rule in January 2013 that HHS commentary on the refill reminder exception had construed it too narrowly, and thus would render refill reminder programs financially untenable to the detriment of patients.  In its commentary, HHS had stated that any financial remuneration received by a covered entity for conducting a refill reminder program that covered anything other than the cost of “drafting, printing and mailing refill reminders” could trigger HIPAA’s authorization requirement.  78 Federal Register at 5597.

The guidance issued by OCR on September 19, 2013, however, expands and clarifies the scope of the refill reminder exception, and specifically authorizes covered entities to outsource their prescription refill reminder and medication adherence programs to third parties, and to pay them for these services.  Below is a summary of the guidance which OCR has issued related to each of these aspects of the exception:

1. Is the Communication about a Currently Prescribed Drug or Biologic?

Communications that fall within the exception:

  • Refill reminders.
  • Communications about generic equivalents of a drug being prescribed.
  • Communications about a recently lapsed prescription (one that has lapsed within the last 90 calendar days).
  • Adherence communications encouraging individuals to take prescribed medicines as directed.
  • Where an individual is prescribed a self-administered drug, communications regarding all aspects of a drug delivery system.

Communications that fall outside the exception:

  • Communications about specific new formulations of a currently prescribed medicine.
  • Communications about specific adjunctive drugs related to the currently prescribed medicine.
  • Communications encouraging an individual to switch from a prescribed medicine to an alternative medicine.

2. Does the Communication Involve Financial Remuneration, and If So, Is It Reasonable?

Remuneration arrangements that fall within the exception:

  • Communication does not involve remuneration.
  • Communication involves only non-financial or in-kind remuneration, such as supplies, computers, or other materials.
  • Communication involves only payment from a party other than the third party (or other than on behalf of the third party) whose product or service is being described in the communication, such as payment from a health plan.
  • Remuneration involves payments to the covered entity by a pharmaceutical manufacturer or other third party whose product is being described that cover the reasonable direct and indirect costs related to the refill reminder or medication adherence program, or other excepted communications, including labor, materials, and supplies, as well as capital and overhead costs.
  • Remuneration involves payments to a business associate assisting a covered entity in carrying out a refill reminder or medication adherence program, or to make other excepted communications, up to the fair market value of the business associate’s services.  The payments may be made by a third party whose product is being described directly to the business associate or through the covered entity to the business associate.

Remuneration arrangements that fall outside the exception:

  • Communication involves financial remuneration other than as described above.

In addition to this framework, HHS also provided specific examples of permitted communications and thoughtful answers to a list of “Frequently Asked Questions.”  This guidance (as well as the delayed enforcement date) should put the refill reminder exception concerns to rest, as well as ensure that these programs – many of which have a very positive impact on patient care – will continue.


[1] In Adheris, Inc. v. Kathleen Sebelius et al., filed in the United States District Court for the District of Columbia on September 6, 2013, Adheris, a provider of prescription adherence and refill communications, had sought a preliminary injunction against the enforcement of the HIPAA Omnibus Final Rule’s refill reminder exception to HIPAA’s marketing rule.  Adheris claimed that OCR’s regulations limiting remuneration to “reasonably related costs” of making such communication violated its First Amendment rights and misconstrued provisions of the HITECH Act.


One Month and Counting: HIPAA’s Compliance Date is September 23, 2013

Posted in Enforcement

We are in the home stretch in the race to the September 23 compliance deadline.  With only one month to go, whether you are a covered entity or a business associate, you should be nearly finished with your HIPAA compliance checklists.  These checklists should look something like this:

To Do

  • Perform or update a risk analysis to assess the potential risks and vulnerabilities of electronic PHI.  This is a foundational requirement that is the basis for implementing safeguards and policies that comply with the HIPAA Security Rule.
  • Review and update your HIPAA policies and procedures, including encryption policies, portable electronic device policies, texting policies, BYOD policies, social media policies and telecommuting policies.
  • Update your Notice of Privacy Practices.
  • Train (and re-train) all employees regularly to comply with your HIPAA policies and procedures.
  • Encrypt, encrypt, encrypt.
  • Develop a breach response plan to ensure a uniform and effective response to any data incident.
  • In the event of an incident involving the unauthorized access or disclosure of PHI, timely correct the issue, document every step of your investigation into the incident, and critically analyze and document your decision whether or not the incident has a low probable risk of harm based upon HIPAA’s four-factor risk assessment.
  • Clearly define breach notification obligations (i.e. reporting, notification, monitoring, indemnification) in all business associate relationships.
  • Update all new business associate agreements (in place after January 26, 2013) before the September 23, 2013 deadline.
  • Update all existing business associate agreements (in place prior to January 26, 2013) before the September 23, 2014 extended deadline.
  • Purchase data breach insurance and include data breach insurance obligations in your business associate agreements.

If you are well underway, finish strong!  If you have not started, get started!  Making a reasonable effort to comply will go a long way with OCR; burying your head in the sand will not.

The Photocopier: A Vulnerability Hidden in Plain Sight

Posted in Breach, Enforcement

The U.S. Department of Health and Human Services (“HHS”) announced last week that Affinity Health Plan, Inc. will settle potential violations of the HIPAA Privacy and Security Rules for more than $1.2 Million because it failed to wipe the hard drives when it returned leased photocopiers.

This settlement is the most recent in a long line of breaches which triggered self-reporting obligations.  By now, HIPAA covered entities are certainly familiar with the concept of media notification.  This settlement, however, highlights a different type of media notification — one which is to be avoided.

Webinar: HIPAA Privacy and Security Rules: The New Breach Standard

Posted in Webinar

Join us for a complimentary webinar to further discuss the release of the final omnibus HIPAA rule by the U.S. Department of Health and Human Services. The new rule includes sweeping changes to the HIPAA Privacy and Security Rules.

Tuesday, May 21, 2013
Noon – 12:30 p.m. (Eastern Time)

  • Analysis of unauthorized access, use, or disclosure
    • Meaning of “breach”
    • Documentation requirements
  • Notification requirements – affected individuals, media, and HHS
  • Breach prevention
    • Encryption
    • Robust compliance efforts
    • Insurance products


EMR Privacy Issues Unique to Children

Posted in Behavioral Health, Children, Electronic Health Record

Many thanks to our colleague, Robin Canowitz, for submitting the following guest post.

Implementing an Electronic Medical Record (“EMR”) brings many clinical and economic benefits to an institution.  These benefits, however, are accompanied by a variety of unique HIPAA and other privacy challenges.  Questions often arise regarding who should have access to records, and how to limit access to portions of the medical record involving alcohol and drug abuse, mental health issues, sexually transmitted diseases, and other sensitive categories of PHI.  When treatment of minors is involved, the issues become even more complicated.  Set forth below is a discussion of a few such issues we frequently encounter.

HIPAA Webinar: Updates to The Privacy Rule

Posted in Rulemaking, Webinar

Please join us this Tuesday, March 19, 2013 for a complimentary webinar to further discuss the release of the Final Omnibus HIPAA Rule by the U.S. Department of Health and Human Services.  This is the first in a three-part miniseries following last month’s webinar, where we focused generally on the sweeping changes to the HIPAA Privacy and Security Rules.

On Tuesday from noon until 12:30, we will explore the changes to the Privacy Rule, including:

  • Greater restrictions on provider use and disclosure of PHI;
  • Increased individual rights to PHI; and
  • What must be done by September.

The webinar will probe into marketing and fundraising involving PHI, how providers can best respond to patients’ requests for their health information, and how your organization should address these changes both internally (via employee training and updating policies and procedures) and externally (by revising the notice of privacy practices).

To RSVP, or for more information, contact Kayla Allen at ksallen@vorys.com.

Who Are My Business Associates, and Why the HIPAA Should I Care?

Posted in Rulemaking

Much has been made about business associates in HITECH and the HIPAA Final Omnibus Rule.  In a previous post and in our webinar we hit on the high points – that much of HIPAA applies directly to business associates, and that business associates themselves have obligations relative to their business associates.  Indeed, not only do “traditional” business associates have increased compliance obligations, but so do their vendors – many of whom might be entirely unaware of this fast-moving train barreling down the tracks.

With compliance deadlines around the corner, providers are likely wondering what this means for them.  Most are quite familiar with the HIPAA requirement that they have a business associate agreement (“BAA”) in place with their business associates.  For many, this has historically been nothing more than a low-priority formality.  Now, they must ensure that these agreements adequately address downstream compliance obligations, in particular those related to an unauthorized access, use, or disclosure of PHI.  More fundamentally, providers will need to be more vigilant in identifying their business associates.  And, due to increased enforcement, providers may wish to shepherd their business associates as they strive to become compliant with HIPAA, and even consider periodically auditing these vendors for HIPAA compliance.  As part of this process, which will be discussed in greater detail below, we suggest that providers consider educating their business associates on identifying subcontractors and making these vendors aware of their own HIPAA compliance obligations.

The Final Omnibus HIPAA Rule: Are You Ready?

Posted in Enforcement, Rulemaking

As we mentioned in last week’s Webinar on the HIPAA Final Omnibus Rule, there are less than nine short months for covered entities and their business associates (and all downstream business associates) to comply with the HIPAA final rules.  For those entities that have already taken steps following the release of the HITECH interim rules, the task may be a little less daunting (although policies, procedures, and NPPs must also be updated following release of the final rule), but for covered entities and business associates that have taken a “wait and see” approach to the final rule, the compliance clock is now running.  September 23, 2013 is just 219 days away.

Here is a list of the key issues that every covered entity and business associate must address before September 23, 2013:

  • Perform or update a Security Rule risk assessment to identify the potential risks and vulnerabilities of electronic PHI (a similar gap analysis should be performed to identify the risks and vulnerabilities of all PHI, i.e. paper files, x-rays, etc.).  This is a foundational requirement that is the basis for implementing safeguards and policies that comply with the HIPAA Security and Privacy Rules.
  • Encrypt, encrypt, encrypt.
  • Develop or update HIPAA policies and procedures, including policies and procedures that address mobile devices and social media.
  • Update and distribute Notice of Privacy Practices to reflect the provisions in the final Omnibus HIPAA rule.
  • Review and update all business associate agreements to include and/or clarify breach notification provisions, indemnification obligations, and cyber-insurance requirements.
  • Business associates must enter into business associate agreements with their downstream vendors who handle PHI.  Covered entities, when contracting with their business associates, should review their business associates’ downstream vendor business associate agreements as part of their own due diligence.
  • Develop or update breach response plan to include Final Rule’s new objective test for determining whether you have a reportable breach.
  • Ensure that all employees are trained regularly to comply with your HIPAA policies and procedures.  Consistently discipline employees who violate HIPAA policies and procedures.
  • Consider procuring data breach/cyber insurance to cover the costs of a breach (which could include the following costs: investigation — including a forensic analysis, mitigation, notification, legal, PR, credit monitoring, fines and penalties).

We will begin a series of blog posts next week which will further analyze each of the changes in the Final Omnibus HIPAA Rule.

Webinar: HHS Releases Long-Awaited Final Omnibus HIPAA Rule

Posted in Rulemaking

Presented by Vorys, Sater, Seymour and Pease LLP

On Thursday, Feb. 7, at noon, HealtHITech Law bloggers Lisa Reisz and Liam Gruzs will host a webinar discussing the release of the long-awaited final omnibus HIPAA rule by the U.S. Department of Health and Human Services. The new rule includes sweeping changes to the HIPAA Privacy and Security Rules.

The omnibus final rule is comprised of the following four final rules:

  • Final modifications to the HIPAA Privacy, Security and Enforcement Rules mandated by HITECH
  • Final rule adopting changes to HIPAA Enforcement Rule to incorporate the increased and tiered civil penalty structure provided by HITECH
  • Final rule on breach notification for unsecured PHI under HITECH, which replaces the breach notification rule’s “harm” threshold with a more objective standard
  • Final rule modifying the HIPAA Privacy Rule as required by GINA

February 7, 2013

Noon – 1 p.m.

RSVP to ksallen@vorys.com.