HealtHITechLaw

HIPAA, HITECH and Beyond

Telehealth Legislation Would Provide Financial Incentives for Adoption, Increased Use

Posted in Legislation, Telehealth/Telemedicine

Many thanks to our colleague, Sylvia Brown, for submitting the following guest post.

Healthcare providers will be able to receive financial incentives under Medicare and Medicaid for providing telehealth services to patients if recently proposed federal legislation becomes law.  The Telehealth Enhancement Act of 2013, H.R. 3600, contains financial incentives tied to some of the Medicare and Medicaid programs’ most costly services, such as hospital readmissions and labor and delivery services.

The bi-partisan group sponsoring the legislation includes Reps. Gregg Harper (R-MS), Mike Thompson (D-CA), Devin Nunes (R-CA) and Peter Welch (D-VT).  The sponsors’ stated goal is to reduce unnecessary costs and achieve better health outcomes through promoting and expanding the application of telehealth under both Medicare and Medicaid.

Many of the legislation’s financial incentives are built on existing payment models found in the Medicare and Medicaid programs.

Under the proposed Medicare program changes, certain hospitals will be able to share in the savings produced if the hospital’s readmissions ratio (risk adjusted, expected readmissions in relation to its actual readmissions) is positive.  In addition, Medicare accountable care organizations will be permitted to cover telehealth and remote patient monitoring services as supplemental health care benefits to the same extent as a Medicare Advantage plan.  Telehealth and remote patient services also will be added to the list of applicable services available through the Bundled Payments for Care Improvement initiative, the Affordable Care Act’s national pilot program on payment bundling.

Changes to the Medicaid program would include permitting states to change their existing programs to include payments to health care professionals that operate as a “birthing network.”  Payments to “birthing networks” that provide medical assistance for maternal-fetal and neonatal care can be made up of bundled payments, performance incentives and shared savings.

If the bill is enacted, these new financial incentives will make it easier for Medicare and Medicaid telehealth providers to create innovative service delivery lines for existing and new patients.  The ability to secure these federal incentives will be critical to furthering the growth in the remote delivery of healthcare services.

We will continue to monitor the legislation, and provide any updates as they occur.

Employee Sentenced to 3 Years for Violating HIPAA

Posted in Enforcement

A nursing assistant at a Florida assisted living facility was sentenced last week to 37 months in prison for violating HIPAA’s prohibition on the wrongful disclosure of patient health information.  The employee negotiated the sale of Social Security numbers with an undercover Tampa police detective.  According to the criminal complaint, the employee obtained information from the assisted living facility patient records.

Since the enactment of HITECH in 2009, the vast majority of HIPAA enforcement has been initiated by the Department of Health and Human Services Office of Civil Rights, resulting in civil penalties and corrective action plans.  This prosecution serves as a reminder that HIPAA contains severe criminal penalties as well.  A person who knowingly uses, obtains, or discloses individually identifiable health information with the intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm shall be fined not more than $250,000 and/or imprisoned for up to 10 years.  42 USC 1320d-6.

You can read the entire article from the Tampa Bay Times here.

HIPAA Security Risk Analysis: Fact or Fiction?

Posted in Meaningful Use, Security

Leading up to the recent compliance date for the Final HIPAA Rule, much was made about the need for providers to perform a security risk analysis.  Quite a bit of dialogue around the increased security compliance obligations centered on the security risk analysis as a foundational requirement of HIPAA.  Although this is not a new requirement, heightened HIPAA enforcement and increased penalties, movement toward EHRs, and Meaningful Use requirements have forced providers to focus more resources on assessing their security risks.

To assist providers in performing their risk analyses, we thought it would be helpful to share some recent guidance from the Office of the National Coordinator for Health Information Technology (“ONCHIT”) which helps clarify some misperceptions surrounding this HIPAA security compliance requirement.  Set forth below are the ONCHIT’s “Top Ten” myths of security risk analysis.

OCR Issues Guidance on Refill Reminder Exception to HIPAA Marketing Rule

Posted in Enforcement, Rulemaking

Prompted by litigation filed by Adheris[1] as well as concerns raised by consumer advocates and health care stakeholders regarding the viability of prescription refill reminder programs under HIPAA’s stricter marketing prohibitions, on September 19, 2013, OCR issued additional guidance regarding the scope of HIPAA’s refill reminder exception.  Notably, OCR also delayed enforcement on this issue until November 7, 2013.

The Final Omnibus HIPAA Rule finalized HITECH’s limitations on the use and disclosure of PHI for marketing purposes.  With limited exceptions, HIPAA requires an individual’s written authorization before his or her PHI can be used or disclosed for marketing.  HIPAA defines marketing to mean communications that are paid for by the manufacturer of the product or service being promoted in the communication.  45 C.F.R. § 164.501.

Refill reminders, which were expressly excluded from HIPAA’s definition of “marketing,” have been defined as reminders or other communications about a drug or biologic that is currently being prescribed for the individual, provided that financial remuneration received by the covered entity in exchange for making the communication, if any, is reasonably related to the covered entity’s cost of making the communication.  See 45 CFR 164.501.  Financial remuneration means payment to a covered entity (or business associate, if applicable) from or on behalf of a third party whose product or service is being described.  Financial remuneration does not include non-financial or in-kind benefits. 78 Federal Register at 5596.

Thus, there is a two-step analysis in determining whether a communication falls within the refill reminder exception to marketing:

  • Is the communication about a currently prescribed drug or biologic?
  • Does the communication involve financial remuneration, and if so, is the financial remuneration “reasonably related” to the cost of making the communication?

Notwithstanding this refill reminder exception to HIPAA’s marketing definition, concerns arose following issuance of the Final Omnibus HIPAA Rule in January 2013 that HHS commentary on the refill reminder exception had construed it too narrowly, and thus would render refill reminder programs financially untenable to the detriment of patients.  In its commentary, HHS had stated that any financial remuneration received by a covered entity for conducting a refill reminder program that covered anything other than the cost of “drafting, printing and mailing refill reminders” could trigger HIPAA’s authorization requirement.  78 Federal Register at 5597.

The guidance issued by OCR on September 19, 2013, however, expands and clarifies the scope of the refill reminder exception, and specifically authorizes covered entities to outsource their prescription refill reminder and medication adherence programs to third parties, and to pay them for these services.  Below is a summary of the guidance which OCR has issued related to each of these aspects of the exception:

1. Is the Communication about a Currently Prescribed Drug or Biologic?

WITHIN EXCEPTION

  • Refill reminders.
  • Communications about generic equivalents of a drug being prescribed.
  • Communications about a recently lapsed prescription (one that has lapsed within the last 90 calendar days).
  • Adherence communications encouraging individuals to take prescribed medicines as directed.
  • Where an individual is prescribed a self-administered drug, communications regarding all aspects of a drug delivery system.

NOT WITHIN EXCEPTION

  • Communications about specific new formulations of a currently prescribed medicine.
  • Communications about specific adjunctive drugs related to the currently prescribed medicine.
  • Communications encouraging an individual to switch from a prescribed medicine to an alternative medicine.

2. Does the Communication Involve Financial Remuneration, and If So, Is It Reasonable?

WITHIN EXCEPTION

  • Communication does not involve remuneration.
  • Communication involves only non-financial or in-kind remuneration, such as supplies, computers, or other materials.
  • Communication involves only payment from a party other than the third party (or other than on behalf of the third party) whose product or service is being described in the communication, such as payment from a health plan.
  • Remuneration involves payments to the covered entity by a pharmaceutical manufacturer or other third party whose product is being described that cover the reasonable direct and indirect costs related to the refill reminder or medication adherence program, or other excepted communications, including labor, materials, and supplies, as well as capital and overhead costs.
  • Remuneration involves payments to a business associate assisting a covered entity in carrying out a refill reminder or medication adherence program, or to make other excepted communications, up to the fair market value of the business associate’s services.  The payments may be made by a third party whose product is being described directly to the business associate or through the covered entity to the business associate.

NOT WITHIN EXCEPTION

  • Communication involves financial remuneration other than as described above.

In addition to this framework, HHS also provided specific examples of permitted communications and thoughtful answers to a list of “Frequently Asked Questions.”  This guidance (as well as the delayed enforcement date) should put the refill reminder exception concerns to rest, as well as ensure that these programs – many which have a very positive impact on patient care – will continue.
[1] In Adheris, Inc. v Kathleen Sebelius et al., filed in the United States District Court for the District of Columbia on September 6, 2013, Adheris, a provider of prescription adherence and refill communications, had sought a preliminary injunction against the enforcement of the HIPAA Omnibus Final Rule’s refill reminder exception to HIPAA’s marketing rule.  Adheris claimed that OCR’s regulations limiting remuneration to “reasonably related costs” of making such communication violated its First Amendment rights and misconstrued provisions of the HITECH Act.
One Month and Counting: HIPAA’s Compliance Date is September 23, 2013

Posted in Enforcement

We are in the home stretch in the race to the September 23 compliance deadline.  With only one month to go, whether you are a covered entity or a business associate, you should be nearly finished with your HIPAA compliance checklists.  These checklists should look something like this:

To Do

  • Perform or update a risk analysis to assess the potential risks and vulnerabilities of electronic PHI.  This is a foundational requirement that is the basis for implementing safeguards and policies that comply with the HIPAA Security Rule.
  • Review and update your HIPAA policies and procedures, including encryption policies, portable electronic device policies, texting policies, BYOD policies, social media policies and telecommuting policies.
  • Update your Notice of Privacy Practices.
  • Train (and re-train) all employees regularly to comply with your HIPAA policies and procedures.
  • Encrypt, encrypt, encrypt.
  • Develop a breach response plan to ensure a uniform and effective response to any data incident.
  • In the event of an incident involving the unauthorized access or disclosure of PHI, timely correct the issue, document every step of your investigation into the incident, and critically analyze and document your decision whether or not the incident has a low probable risk of harm based upon HIPAA’s four-factor risk assessment.
  • Clearly define breach notification obligations (i.e. reporting, notification, monitoring, indemnification) in all business associate relationships.
  • Update all new business associate agreements (in place after January 26, 2013) before the September 23, 2013 deadline.
  • Update all existing business associate agreements (in place prior to January 26, 2013) before the September 23, 2014 extended deadline.
  • Purchase data breach insurance and include data breach insurance obligations in your business associate agreements.

If you are well underway, finish strong!  If you have not started, get started!  Making a reasonable effort to comply will go a long way with OCR; burying your head in the sand will not.

The Photocopier: A Vulnerability Hidden in Plain Sight

Posted in Breach, Enforcement

The U.S. Department of Health and Human Services (“HHS”) announced last week that Affinity Health Plan, Inc. will settle potential violations of the HIPAA Privacy and Security Rules for more than $1.2 Million because it failed to wipe the hard drives when it returned leased photocopiers.

This settlement is the most recent in a long line of breaches which triggered self-reporting obligations.  By now, HIPAA covered entities are certainly familiar with the concept of media notification.  This settlement, however, highlights a different type of media notification — one which is to be avoided.

Webinar: HIPAA Privacy and Security Rules: The New Breach Standard

Posted in Webinar

Join us for a complimentary webinar to further discuss the release of the final omnibus HIPAA rule by the U.S. Department of Health and Human Services. The new rule includes sweeping changes to the HIPAA Privacy and Security Rules.

Tuesday, May 21, 2013
Noon – 12:30 p.m. (Eastern Time)

  • Analysis of unauthorized access, use, or disclosure
    • Meaning of “breach”
    • Documentation requirements
  • Notification requirements – affected individuals, media, and HHS
  • Breach prevention
    • Encryption
    • Robust compliance efforts
    • Insurance products

Click here to register or for more information.

EMR Privacy Issues Unique to Children

Posted in Behavioral Health, Children, Electronic Health Record

Many thanks to our colleague, Robin Canowitz, for submitting the following guest post.

Implementing an Electronic Medical Record (“EMR”) brings many clinical and economic benefits to an institution.  These benefits, however, are accompanied by a variety of unique HIPAA and other privacy challenges.  Questions often arise regarding who should have access to records, how to limit access to portions of the medical record involving alcohol and drug abuse, mental health issues, sexually transmitted diseases, and other sensitive categories of PHI.  When treatment of minors is involved, the issues become even more complicated.  Set forth below is a discussion of a few such issues we frequently encounter.

HIPAA Webinar: Updates to The Privacy Rule

Posted in Rulemaking, Webinar

Please join us this Tuesday, March 19, 2013 for a complimentary webinar to further discuss the release of the Final Omnibus HIPAA Rule by the U.S. Department of Health and Human Services.  This is the first in a three-part miniseries following last month’s webinar, where we focused generally on the sweeping changes to the HIPAA Privacy and Security Rules.

On Tuesday from noon until 12:30, we will explore the changes to the Privacy Rule, including:

  • Greater restrictions on provider use and disclosure of PHI;
  • Increased individual rights to PHI; and
  • What must be done by September.

The webinar will probe into marketing and fundraising involving PHI, how providers can best respond to patients’ requests for their health information, and how your organization should address these changes both internally (via employee training and updating policies and procedures) and externally (by revising the notice of privacy practices).

To RSVP, or for more information, contact Kayla Allen at ksallen@vorys.com.

Who Are My Business Associates, and Why the HIPAA Should I Care?

Posted in Rulemaking

Much has been made about business associates in HITECH and the HIPAA Final Omnibus Rule.  In a previous post and in our webinar we hit on the high points – that much of HIPAA applies directly to business associates, and that business associates themselves have obligations relative to their business associates.  Indeed, not only do “traditional” business associates have increased compliance obligations, but so do their vendors – many of whom might be entirely unaware of this fast-moving train barreling down the tracks.

With compliance deadlines around the corner, providers are likely wondering what this means for them.  Most are quite familiar with the HIPAA requirement that they have a business associate agreement (“BAA”) in place with their business associates.  For many, this has historically been nothing more than a low-priority formality.  Now, they must ensure that these agreements adequately address downstream compliance obligations, in particular those related to an unauthorized access, use, or disclosure of PHI.  More fundamentally, providers will need to be more vigilant in identifying their business associates.  And, due to increased enforcement, providers may wish to shepherd their business associates as they strive to become compliant with HIPAA, and even consider periodically auditing these vendors for HIPAA compliance.  As part of this process, which will be discussed in greater detail below, we suggest that providers consider educating their business associates on identifying subcontractors and making these vendors aware of their own HIPAA compliance obligations.