HHS Issues Modifications to the HIPAA Privacy, Security and Enforcement Rules

On July 8, 2010, the Department of Health and Human Services (“HHS”) issued a notice of proposed rulemaking to modify the Privacy, Security and Enforcement Rules promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996.  The modifications implement changes made by the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act) enacted in 2009.

Some of the major changes to the HIPAA Rules include:

  • Adding “subcontractors” to the definition of “business associate” to provide that subcontractors that perform functions for or provide services to a business associate are also business associates to the extent they require access to protected health information (“PHI”);
  • Requiring business associates to enter into written contracts with those subcontractors (previously, business associates were only required to “ensure” that subcontractors agree to the same restrictions on the use and disclosure of PHI);
  • Applying the Security Rule and the Enforcement Rule penalty provisions directly to business associates;
  • Revising the definition of “marketing” in the Privacy Rule to delineate which specific activities constitute marketing of PHI;
  • Clarifying that a business associate is not making a permitted use or disclosure under the Privacy Rule if it does not apply the minimum necessary standard, where appropriate; and
  • Requiring covered entities to obtain an authorization from an individual for any disclosure of the individual’s PHI in exchange for direct or indirect remuneration (with a few exceptions such as exchanges for public health activities).

HHS will be accepting comments to the notice of proposed rulemaking for a period of 60 days after the notice of proposed rulemaking is published in the Federal Register on July 14, 2010.

In addition to the changes to the HIPAA Rules, HHS announced a new privacy website designed to “provide further confidence in the expectations Americans have for the privacy of their personal information” and to “inspire added trust in HHS’ efforts to improve our nation’s health through safe and secure health information exchanges.”  HHS also announced enhancements to its breach notification website that will provide consumers with more information regarding breaches involving PHI and ongoing breach investigations.  Currently, the HHS breach notification website lists only basic details about breaches, such as the name of the covered entity at issue and the number of individuals affected by the relevant breach.
HHS Official Reports Uptick in HIPAA Security Rule Enforcement

David Holtzman, a health information privacy specialist at the Office for Civil Rights (“OCR”) within the Department of Health and Human Services (“HHS”), stated at a health privacy conference on May 11, 2010, that OCR has been “vigorously” enforcing the Security Rule, which was promulgated pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”).  Prior to 2009, HHS divided civil enforcement responsibility for HIPAA between OCR, which enforced the HIPAA Privacy Rule, and the Centers for Medicare and Medicaid Services (“CMS”), which enforced the HIPAA Security Rule.  In July 2009, the Secretary of HHS delegated authority to enforce the HIPAA Security Rule to OCR to “facilitate improvements by eliminating duplication and increasing efficiency.”

Holtzman stated that OCR is conducting compliance reviews for all HIPAA data breaches involving data for more than 500 individuals, and is working with covered entities to identify compliance issues that led to those breaches.  Marilou King, a senior attorney at the HHS Office of General Counsel, also mentioned that HHS is working with a contractor to develop a process to audit covered entities for compliance with the HIPAA Privacy and Security Rules, and could utilize informal resolution agreements to address violations of the HIPAA Privacy and Security Rules.  Ms. King also mentioned that HHS intends to finalize soon the interim enforcement rule it released last year and issue a proposed rule regarding covered entities and business associates, as mandated by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.

The recent comments by HHS officials followed OCR’s issuance of draft guidance on May 7, 2010, regarding the risk analysis requirement in the HIPAA Security Rule.  The guidance defines several key terms that are not expressly defined in the Security Rule, including “vulnerability,” “threat” and “risk,” although the guidance noted that the terms “do not modify or update the Security Rule and should not be interpreted inconsistently with the terms used in the Security Rule.”  More critically, the guidance “explains several elements a risk analysis must incorporate, regardless of the method employed.”  Those elements include: (1) defining the scope of the analysis, (2) identifying where electronic protected health information is stored, received, maintained or transmitted, (3) identifying and documenting potential threats and vulnerabilities, (4) assessing current security measures, (5) determining the likelihood of threat occurrence, (6) determining the potential impact of threat occurrence, (7) determining the level of risk, (8) finalizing the risk analysis documentation and (9) periodically reviewing and updating the risk analysis.

HHS Delays Enforcement of HITECH Act Business Associate Provisions

We understand that yesterday Adam H. Greene (Office of the General Counsel, Civil Rights Division, U.S. Department of Health & Human Services), speaking at the ABA’s 11th Annual Conference on Emerging Issues in Healthcare Law, indicated that enforcement of the business associate provisions of the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which became effective on February 17, 2010, will be delayed until final rules addressing those provisions are published.  The HITECH Act’s business associate provisions require business associates to implement the information security safeguards specified by the HIPAA Security Rule, and comply with certain requirements of the HIPAA Privacy Rule.  Similarly, the HITECH Act requires covered entities to provide in their business associate agreements that all of the HITECH Act’s security requirements applicable to covered entities are also applicable to business associates.

The Office for Civil Rights (“OCR”), which enforces HIPAA’s Privacy and Security Rules, has stated publicly that it is carefully evaluating how to proceed with HIPAA enforcement.  For example, Section 13411 of the HITECH Act requires HHS to “provide for periodic audits to ensure that covered entities and business associates” are complying with the HITECH Act and its implementing regulations.  At the 18th Annual National HIPAA Summit in early February, Sue McAndrew, the OCR’s Deputy Director for Health Information Privacy, explained that there are “1,000 ways” to conduct HIPAA audits and that OCR is working with a HIPAA expert to “map out essentially the range of options” to determine how best to effectively conduct HIPAA audits.

Despite the delay in enforcement, covered entities and business associates should take necessary actions to comply with the HITECH Act’s requirements.  Please see our client alert on HITECH compliance for more information.

U.S. Department of Health and Human Services Expands Its Health Information Privacy Enforcement Team

In a move that portends increased enforcement of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule, the Department of Health and Human Services (“HHS”) has created two new positions on its health information privacy enforcement team.  According to the job listings, the new Health Information Privacy Specialists at the HHS Office for Civil Rights (“OCR”) will be responsible for “reviewing, analyzing, implementing, promoting, or improving proposed or existing programs or policies needed to implement OCR’s authority for ensuring compliance with the privacy of health information requirements” of HIPAA and its implementing regulations.  The website indicates that applications for the positions will be accepted through Thursday, August 13, 2009.

California Medical Privacy Laws

Two California medical privacy laws became effective on January 1, 2009.  The laws, A.B. 211 and S.B. 541, create new obligations for health care providers and facilities in California to protect against unlawful or unauthorized access to patient medical information.  In contrast, other medical privacy regulations, including the Privacy Rule promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), focus only on the unauthorized use or disclosure of protected health information.

A.B. 211 requires any provider of health care to “establish and implement appropriate administrative, technical, and physical safeguards to protect the privacy of a patient’s medical information” and to “reasonably safeguard confidential medical information from any unauthorized access or unlawful access, use, or disclosure.”  “Unauthorized access” is defined as “the inappropriate review or viewing of patient medical information without a direct need for diagnosis, treatment, or other lawful use” as permitted under California law.  A.B. 211 establishes a new state agency, the Office of Health Information Integrity, to enforce the law and impose fines that can range from $1,000 up to a maximum of $250,000 per violation.

S.B. 541 applies to “any clinic, health facility, home health agency, or hospice” and, much like A.B. 211, requires those facilities to “prevent unlawful or unauthorized access to, and use or disclosure of patient’s medical information.”  S.B. 541 also requires those facilities to report any unlawful or unauthorized access to patient medical information to the California Department of Public Health (“CDPH”) within five days after such unlawful or unauthorized access has been detected and empowers the CDPH to levy fines that range from $25,000 up to a maximum of $250,000 per violation.

Because of the new legal obligations and stiff penalties for noncompliance, health care providers and health facilities in California should carefully review their existing security procedures to (1) ensure that access to patient medical information is strictly controlled, and (2) verify that they are capable of quickly detecting and reporting any security breaches to state officials.