HHS Delays Enforcement of HITECH Act Business Associate Provisions

We understand that yesterday Adam H. Greene (Office of the General Counsel, Civil Rights Division, U.S. Department of Health & Human Services), speaking at the ABA’s 11th Annual Conference on Emerging Issues in Healthcare Law, indicated that enforcement of the business associate provisions of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which became effective on February 17, 2010, will be delayed until final rules addressing those provisions are published.  The HITECH Act’s business associate provisions require business associates to implement the information security safeguards specified by the HIPAA Security Rule, and comply with certain requirements of the HIPAA Privacy Rule.  Similarly, the HITECH Act requires covered entities to provide in their business associate agreements that all of the HITECH Act’s security requirements applicable to covered entities are also applicable to business associates.

The Office for Civil Rights (“OCR”), which enforces HIPAA’s Privacy and Security Rules, has stated publicly that it is carefully evaluating how to proceed with HIPAA enforcement.  For example, Section 13411 of the HITECH Act requires HHS to “provide for periodic audits to ensure that covered entities and business associates” are complying with the HITECH Act and its implementing regulations.  At the 18th Annual National HIPAA Summit in early February, Sue McAndrew, the OCR’s Deputy Director for Health Information Privacy, explained that there are “1,000 ways” to conduct HIPAA audits and that OCR is working with a HIPAA expert to “map out essentially the range of options” to determine how best to effectively conduct HIPAA audits.

Despite the delay in enforcement, covered entities and business associates should take the necessary steps now to comply with the HITECH Act’s requirements, since the delay concerns enforcement only and the statutory obligations remain in effect.  Please see our client alert on HITECH compliance for more information.

Interim Final Rule Implements Increased Penalties for HIPAA Violations

The Department of Health and Human Services (“HHS”) released an interim final rule to incorporate the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) categories of violations and tiered civil penalty amounts.  The interim final rule is expected to be published in the Federal Register on October 30, 2009 and takes effect on November 30, 2009.  The rule applies to violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) that occur on or after February 18, 2009.

The interim final rule amends HIPAA’s enforcement regulations.  Specifically, the rule incorporates the HITECH Act’s categories of violations, tiered ranges of civil penalty amounts, and revised limitations on the Secretary of HHS’s authority to impose civil penalties for violations of HIPAA's rules.  Pursuant to the interim final rule, covered entities may be subject to tiers of penalties as described below:

  • If a covered entity did not know and, by exercising reasonable diligence, would not have known that it was in violation, the minimum civil penalty is $100 per violation.
  • If a violation was the result of “reasonable cause” (and not willful neglect), meaning circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply, the minimum penalty is $1,000 per violation.
  • The minimum penalty for a violation that is the result of willful neglect and is corrected within the required period (generally 30 days from the date the covered entity knew or should have known of the violation) is $10,000 per violation.
  • The minimum penalty for a violation that is the result of willful neglect and is not corrected is $50,000 per violation.
  • The maximum penalty for multiple violations of an identical requirement or prohibition is capped at $1.5 million per calendar year.

HHS will be accepting comments on the interim final rule until December 29, 2009.  Read our earlier blog posting for further information regarding the HITECH Act.

Access a copy of the interim final rule.

HHS Posts Breach Notice Reporting Form

The Department of Health and Human Services (“HHS”) has posted to its website a notification form that may be used to report breaches of unsecured protected health information to the agency.  Although some state agencies requiring notice of a breach employ a standard reporting form, the form issued by HHS has several unique features and requests more information than a typical breach reporting form.  Some interesting features of the form include:

  • The form may be used to report both breaches affecting 500 or more individuals and breaches affecting fewer than 500 individuals, although the former must be reported to the agency without unreasonable delay and in no case later than 60 days after discovery, whereas the latter need only be logged over the course of the year and reported to the agency annually (within 60 days after the end of the calendar year in which they were discovered).
  • The form requires that, if the breach occurred "at or by" a business associate, that business associate must be identified by name and contact information must be provided.  The form is, however, required to be completed by the covered entity.
  • The form requires a description of the breach and provides drop-down lists to facilitate the description of the type of breach (e.g., theft, loss, improper disposal, etc.), the location of the "breached information" (e.g., laptop, desktop computer, network server, etc.) and the type of PHI affected (e.g., demographic information, financial information, clinical information or "other").
  • The form further requests a description of the safeguards that were in place prior to the breach and a description of actions taken in response to the breach, again via selection from a drop-down list.  Actions taken in response to the breach also may be described in narrative form.
  • The form requires completion of an attestation that the information provided is accurate, and acknowledgement that the Office for Civil Rights ("OCR") may be required to release information provided via the form pursuant to the Freedom of Information Act, that some of the information will be posted to HHS's website, and that OCR will use the information to prepare the annual report to Congress required by the HITECH Act.
  • The form also may be used to submit an "initial breach report" or an "addendum to previous report," implying that covered entities could submit the form based on then-available information and later file an addendum, which may be necessary in some cases to avoid missing the 60-day reporting deadline.

The form, which is intended to be submitted electronically, includes all of the required elements specified by the HITECH Act and HHS's implementing regulations.  HHS also has provided instructions for completing the form.

FTC and HHS Issue Final Breach Notification Rules

On August 17, 2009, the Federal Trade Commission ("FTC") issued a final rule ("FTC Final Rule") addressing security breaches of personal health records ("PHRs").  The FTC Final Rule applies to all breaches discovered on or after September 24, 2009, and to “foreign and domestic vendors of personal health records, PHR related entities, and third party service providers” that “maintain information of U.S. citizens or residents.”  The FTC Final Rule does not apply to covered entities or business associates as defined under regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"); those entities are instead subject to the HHS rule discussed below.  Full compliance is required by February 22, 2010.

The FTC Final Rule requires PHR vendors and PHR related entities to notify U.S. citizens and residents if their PHR identifiable health information is subject to a security breach, and requires additional notification of the FTC and prominent media outlets for breaches that affect 500 or more individuals.  Third party service providers must notify the PHR vendor, or PHR related entities to which they provide services, of any breaches they discover.  To facilitate the notification process, the FTC has developed a standard form entitled “Notice of Breach of Health Information” that PHR vendors and PHR related entities can complete and send to the FTC.  Both the form and the FTC Final Rule are available on the FTC’s website.
 
On August 19, 2009, as required by the Health Information Technology for Economic and Clinical Health Act ("HITECH"), the Department of Health and Human Services ("HHS") issued an interim final rule ("HHS Interim Final Rule") addressing security breaches of unsecured protected health information ("PHI").  The regulations apply to all breaches occurring on or after September 23, 2009 that are discovered by covered entities and business associates, but the HHS Interim Final Rule indicates that HHS will not impose sanctions for failure to notify with respect to breaches discovered within the first 180 days after the effective date.

Notably, unlike the FTC Final Rule, the HHS Interim Final Rule includes a harm threshold limiting the breach notification requirement to breaches that pose a significant risk of financial, reputational or other harm to the individual, which the covered entity must establish through a documented risk assessment.  This disparity may be due to the fact that breaches common to HIPAA-covered entities, such as those involving disclosures to other HIPAA-covered entities, are less likely to result in actual harm than the kinds of breaches suffered by the service providers and vendors covered under the FTC Final Rule.  Similar to the FTC Final Rule, the HHS Interim Final Rule requires covered entities to (1) notify individuals if their PHI is subject to a security breach, and (2) notify the Secretary of HHS and prominent media outlets in the event of a breach that affects 500 or more individuals.  Business associates must notify the covered entity to which they provide services of any breaches they discover.  Finally, the HHS Interim Final Rule updated the information security guidance issued by HHS in April 2009, confirming that encryption (performed in a manner consistent with the NIST guidance cited in the guidance, and with the decryption key not compromised) and destruction are the only methods that render PHI “secured,” so that its loss or disclosure falls outside the HITECH Act’s breach notification provisions; PHI protected by any other means, such as access controls alone, remains “unsecured” for notification purposes.  The HHS Interim Final Rule is available on the HHS website.

U.S. Department of Health and Human Services Expands Its Health Information Privacy Enforcement Team

In a move that portends increased enforcement of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule, the Department of Health and Human Services (“HHS”) has created two new positions on its health information privacy enforcement team.  According to the job listings, the new Health Information Privacy Specialists at the HHS Office for Civil Rights (“OCR”) will be responsible for “reviewing, analyzing, implementing, promoting, or improving proposed or existing programs or policies needed to implement OCR’s authority for ensuring compliance with the privacy of health information requirements” of HIPAA and its implementing regulations.  The listings indicate that applications for the positions will be accepted through Thursday, August 13, 2009.

CVS Pays $2.25 Million in Record HIPAA Settlement

CVS Pharmacy (“CVS”), reportedly the largest retail pharmacy chain, has agreed to pay the Department of Health and Human Services (“HHS”) $2.25 million and submit to a Corrective Action Plan (“CAP”) after an extensive nationwide investigation by the HHS Office for Civil Rights (“OCR”) and the Federal Trade Commission (“FTC”) revealed that CVS employees disposed of protected health information (“PHI”) in violation of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule.  In addition, CVS Caremark, the parent company of CVS, simultaneously entered into a Consent Order with the FTC to resolve claims that CVS had engaged in unfair or deceptive trade practices in violation of the FTC Act by failing to use reasonable and appropriate measures to prevent unauthorized access to PHI and by disseminating a false or misleading privacy notice about CVS’s protection of PHI.  In the Consent Order, the FTC specifically cited CVS’s failure to render PHI unreadable before disposal, and its claim in its privacy notice that maintaining the privacy of its customers’ PHI was central to its operations, as examples of unfair or deceptive trade practices.  The CVS settlement is noteworthy for two reasons: (1) it is the first joint enforcement action between OCR and the FTC, and (2) although it is only the second substantial monetary settlement for alleged HIPAA violations, the $2.25 million resolution amount dwarfs the first, a $100,000 settlement between HHS and Providence Health in July 2008.

In 2006, media exposés revealed that CVS employees had disposed of prescription drug bottles with labels containing patient information, pharmacy orders, and other items potentially containing PHI in unsecured dumpsters accessible to anyone.  These exposés prompted a joint investigation by OCR and the FTC which, according to the agencies, substantiated the allegations against CVS and resulted in the payment of the resolution amount, the CAP, and the FTC Consent Order.

The CAP, which applies for three years, requires CVS to: (1) develop privacy policies and procedures that provide for administrative and physical safeguards for the disposal of all non-electronic PHI; (2) implement a training program that instructs employees on how to properly dispose of PHI; (3) develop plans to monitor compliance and report any noncompliance with the privacy policies and procedures; and (4) engage an independent third party to assess CVS’s compliance with the privacy policies and procedures.  The CAP also requires CVS to provide an initial “Implementation Report” as well as an annual “Periodic Report” to OCR and to retain all documents related to compliance with the CAP for six years.  The Consent Order with the FTC, which applies for twenty years, requires CVS to establish and implement a comprehensive information security program designed to protect the security, confidentiality, and integrity of customer personal information and to engage an independent third party to conduct an initial assessment of CVS’s compliance with its privacy procedures (which can be the same assessment required by the CAP) as well as biennial assessments thereafter for the remainder of the twenty-year term of the Consent Order.

The CVS settlement is just one of several recent developments that may herald the dawn of a new era of increased HIPAA enforcement.  Last November, the HHS Office of Inspector General published a report that encouraged the Centers for Medicare and Medicaid Services (“CMS”), which at that time enforced HIPAA’s Security Rule, to conduct more frequent compliance reviews of HIPAA-covered entities.  This week, President Obama signed the economic stimulus package (the American Recovery and Reinvestment Act of 2009, which includes the HITECH Act) into law; it requires HIPAA-covered entities to notify affected individuals, HHS and the media of information security breaches, and also substantially revises HIPAA, providing for steeper fines and enabling state Attorneys General to bring enforcement actions for HIPAA violations.