Feldman Kieffer Newsletter

HIPAA Omnibus Rule: Higher Penalties, More Exposure

The HIPAA Omnibus Rule incorporates the tiered civil monetary penalty scheme provided by the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act.[1] The rule increases monetary penalties for violations and makes business associates subject to these penalties. The rules clarify that a covered entity may be penalized for a violation by an agent or a business associate, and that business associates may be penalized for violations by agents or business associates, including subcontractors.[2]

Violation: Covered entity or business associate did not know of the violation and would not have known of the violation even if reasonable diligence had been exercised.
Penalty: At least $100 and not more than $50,000 per violation.

Violation: Violation was due to a reasonable cause, and not to willful neglect.
Penalty: At least $1,000 and not more than $50,000 per violation.

Violation: Violation was due to willful neglect and was corrected within 30 days from when they knew of the violation (or should have known by the exercise of reasonable diligence).
Penalty: At least $10,000 and not more than $50,000 per violation.

Violation: Violation was due to willful neglect and was not corrected within 30 days from when they knew of the violation (or should have known by the exercise of reasonable diligence).
Penalty: At least $50,000 and not more than $1.5 million.

Penalties in excess of $1.5 million may not be assessed for identical violations within a calendar year.[3] It bears emphasizing that this $1.5 million cap applies only to identical violations, and does not apply to all violations for a given year. Therefore, the maximum amount an entity may be fined will depend upon the number of different types of violations found by the Department of Health and Human Services.

To schedule a time to speak with one of our Health Law attorneys about compliance with the new HIPAA rules, contact Feldman Kieffer today via email or at (716) 852-5875.



[1] 45 CFR § 160.400 et seq. (2013).

[2] Id. § 160.402.

[3] Id. § 160.406.


I-STOP and the New York Prescription Monitoring Program

Beginning August 27, 2013, New York State practitioners became responsible for reviewing a patient’s prescription history before prescribing certain medications. The Internet System for Tracking Over-Prescribing (I-STOP) Act was enacted in 2012 to address the growing problem of prescription drug abuse by eliminating “doctor shopping” and identifying patterns of abuse in patients, doctors, and pharmacists.[1] I-STOP requires the online Prescription Monitoring Program (PMP) to be updated in “real time,” to give practitioners and pharmacists access to accurate and up-to-date prescription drug history.[2]

Under the law, practitioners must consult the PMP and review a patient’s prescription drug history before prescribing a Schedule II, III or IV controlled substance.[3] Alternately, practitioners may designate and train an employee to consult the registry; however, the practitioner is ultimately responsible for determining whether to prescribe the substance.[4] There are limited exceptions to the requirement to consult the PMP.[5] For example, there is no duty to consult the PMP if the substance is administered in the prescriber’s office or in a hospital or clinic, or if technological failure prevents access to the PMP. An exception will also apply if a practitioner cannot access the PMP in a timely manner and there is no other practitioner or designee who can consult on the practitioner’s behalf, as long as the prescription is for no more than a five day supply of the substance.[6]

Practitioners must document the consultation in the patient’s chart. If one of the exceptions applies, the practitioner must document the reasons why the consultation was not performed.[7]

To access the PMP, practitioners need to establish an account with the Health Commerce System.[8] The large influx of applicants for accounts may result in delays in processing.[9] The Department of Health has indicated that “practitioners who are making a good faith effort to apply but are unable to establish HCS accounts, should continue to provide treatment to their patients in the same manner as they currently do, including the prescribing of controlled substances without accessing PMP Registry.” This transition period may last through October.

Please contact Feldman Kieffer by email or at (716) 852-5875 if you have questions or concerns about your responsibilities under I-STOP.



[1] N.Y. Office of the Attorney General, Internet System for Tracking Over-Prescribing Act: A Proposal Addressing New York’s Prescription Drug Abuse and Drug Diversion Epidemic, http://www.ag.ny.gov/sites/default/files/press-releases/2012/ISTOP%20REPORT%20FINAL%201.10.12.pdf.

[2] NY CLS Pub. Health L. § 3343-a(1)(a).

[3] Id. § 3343-a(2)(a).

[4] Id. § 3343-a(2)(b).

[5] Id. § 3343-a(2)(a).

[6] For a complete list of exceptions, see NY CLS Pub. Health L. § 3343-a(2)(a).

[7] 10 NYCRR § 80.63(c)(1).

[8] A Health Commerce System Account can be established at the New York State Department of Health’s website, https://apps.health.ny.gov/pub/top.html.

[9] Dep’t of Health, I-STOP/PMP, “Prescription Monitoring Program Registry,” http://www.health.ny.gov/professionals/narcotic/prescription_monitoring/.


Who is a Business Associate?

Under the Health Information Privacy and Accountability Act (HIPAA) Omnibus Rule, business associates of covered entities are now primarily and directly liable for compliance with HIPAA requirements and are subject to enforcement by the Department of Health and Human Services.[1] Covered entities may also be liable for the HIPAA violations of their business associates. So, whom does HIPAA consider to be a “business associate”?

The statute defines a “business associate” as someone who 1) creates, receives, maintains, or transmits protected health information (PHI) on behalf of a HIPAA-covered entity; or 2) provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services that involve the disclosure of PHI.

A “business associate” can include:

  • A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.
  • A person that offers a personal health record to one or more individuals on behalf of a covered entity.
  • A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.

A “business associate” is not defined as:

  • A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.
  • A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor.
  • A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law.
  • A covered entity participating in an organized health care arrangement that creates, receives, maintains, or transmits protected health information (PHI) on behalf of the entity or provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services that involve the disclosure of PHI.

A covered entity may be the business associate of another covered entity. For more information and to answer any questions you may have about compliance with the new, stricter HIPAA rules, contact Feldman Kieffer today via email or at 716-852-5875.



[1] 45 CFR § 160.300 (2013).


HIPAA Omnibus Rule: An Overview

The 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act brought about significant changes to the Health Information Privacy and Accountability Act (HIPAA) Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule.[1] The HIPAA Omnibus Rule finalizes these changes, and the deadline for compliance with most provisions was September 23, 2013. Penalties are becoming more strict, and enforcement is getting more vigorous.

Some of the most significant provisions of the new HIPAA rules involve business associates:

  • The new rule expands the definition of “business associate”; entities that were not considered business associates under the old rule may be under the Omnibus Rule.[2]
  • Business associates of covered entities and certain subcontractors of business associates will be directly liable for compliance with and subject to penalties for violations of many HIPAA Privacy and Security requirements.[3]
  • HIPAA Privacy and Security Rules will now apply to the “workforce” of business associates as well as to covered entities.[4]
  • Business associates must execute Business Associate Agreements with certain “downstream” subcontractors, and “downstream” subcontractors must comply with many HIPAA provisions.[5]
  • Covered entities and business associates may be liable for the acts of some business associates.[6]

The new rule also includes increased protections for individual rights:

  • Sale of PHI without individual authorization is prohibited.[8]
  • Individuals’ ability to get electronic copies of their health information has been increased.[9]
  • Individuals who pay for treatments out of pocket can restrict disclosures of those treatments to a health care plan.[10]
  • Individual authorization requirements have been changed to allow easier research and disclosure of proof of child immunization to schools.[11]

The Omnibus Rule changes requirements regarding breaches of unsecured PHI:

  • Any impermissible use or disclosure of PHI is presumed to be a breach, unless the covered entity or business associate can demonstrate, using a risk analysis, that there is a low probability that the PHI has been compromised.[12]
  • The risk analysis must consider at least four factors: 1) to whom the information was disclosed, 2) whether the information was actually accessed or viewed, 3) the potential ability of the unauthorized recipient to identify the subject of the data and 4) whether the recipient took appropriate mitigating actions.[13]

The Omnibus Rule also increases civil money penalties and implements a tiered scheme for violations[14] and prohibits most health plans from using or disclosing genetic information for underwriting purposes.[15]

Business Associate Agreements, Notice of Privacy Practices and Policies and Procedures must be reviewed and revised to reflect these changes. Contact Feldman Kieffer today for a HIPAA compliance review.



[1] 78 Fed. Reg. 5565, 5566 (Jan. 25, 2013) (codified at 45 C.F.R. pts. 160 & 164).

[2] 46 C.F.R. § 160.103 (2013).

[3] Id. § 160.402.

[4] Id.

[5] Id. § 164.308(b)(1).

[6] Id. § 160.402.

[7] Id. § 164.508(a)(3).

[8] Id. § 164.508(a)(4).

[9] Id. § 164.524.

[10] Id. § 164.522(a)(vi).

[11] Id. § 164.512(b)(vi).

[12] Id. § 164.402.

[13] Id.

[14] Id. §§ 160.404, 406, 408, 412.

[15] Id. § 164.502(a)(5)(i).


HHS Aggressively Enforcing HIPAA Rules

As of July, the Department of Health and Human Services (HHS) had investigated and resolved over 20,674 violations of the Health Information Privacy and Accountability Act (HIPAA) Security and Privacy Rules for 2013.[1] HHS reports that the most frequently investigated issues are:

  • Impermissible uses and disclosures of protected health information;
  • Lack of safeguards of protected health information;
  • Lack of patient access to their protected health information;
  • Uses or disclosures of more than the minimum necessary protected health information;
  • Lack of administrative safeguards of electronic protected health information.

Private practices are the covered entities that are most often required to take corrective actions by HHS.

HHS has also announced a number of high-dollar settlements this year.

WellPoint Inc., a managed care company, agreed to a $1.7 million settlement with HHS following an investigation into violations of HIPAA. The company reported security weaknesses that rendered the PHI of 612,402 individuals vulnerable to unauthorized access. The investigation found that WellPoint failed to implement adequate technical safeguards as required by HIPAA.

Penalties have been assessed even when security weaknesses do not result in actual unauthorized access to patient information. In May, Idaho State University was found to have failed to maintain adequate security at a university clinic after it failed to restore a firewall that had been disabled for maintenance. The lapse was not discovered for at least ten months, and left the information of 17,500 patients unsecured during that time. The University agreed to pay a $400,000 penalty for the breach, even though it was determined that the lapse resulted in no improper access to patient records.

In August, Affinity Health Plan, Inc., a not-for-profit managed care plan, settled with HHS for over $1.2 million after Affinity failed to erase confidential medical information from the hard drives of leased photocopiers prior to returning the copiers to leasing agents. The breach resulted in the impermissible disclosure of the PHI of up to 344,579 individuals. An investigation by HHS revealed that Affinity did not account for PHI stored on photocopier hard drives when they analyzed risks and vulnerabilities of electronically stored data and that they did not implement policies and procedures to safeguard the information.

These significant penalties show that HHS is acting aggressively to hold covered entities accountable for breaching HIPAA, even when violations are unintentional and result in no actual unauthorized access to PHI. The increased penalties under the Final Omnibus Rule will make it possible for HHS to seek even larger settlements. Covered entities and business associates of covered entities should work with an attorney to update their policies and procedures to comply with new HIPAA requirements in order to avoid being subjected to these large penalties.


[1] U.S. Dep’t of Health and Human Services, Enforcement Highlights (Aug. 8, 2013), http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/index.html.


Are You Ready for the HIPAA Omnibus Rule?

As of September 2013, covered entities and business associates must take action to come into compliance with the new Omnibus Rule.

COVERED ENTITIES

To comply with the HIPAA Omnibus Rule requirements, covered entities (health care providers who conduct covered health care transactions electronically, health plans, and health care clearinghouses) should consult with an attorney to:

1. Review, Revise and Update Business Associate Agreements (BAAs)

  • Covered entities must have BAAs with their business associates. These BAAs must contain “satisfactory assurances” that the business associate will appropriately safeguard PHI.[1]
  • Because the HIPAA Omnibus Rule includes new types of entities in the definition of “business associate,” covered entities should review their existing business relationships to determine whether BAAs will be necessary.
  • Terms of BAAs should be revised to reflect new requirements.
  • Most BAAs must be revised or updated by September 23, 2013. However, the deadline is extended to September 22, 2014 if certain requirements are met.

2. Revise and Redistribute Notice of Privacy Practices

  • Notice of Privacy Practices must be revised to contain statements reflecting permissible disclosures of PHI, individuals’ rights with respect to PHI, and covered entities’ duties. The Notice must also contain instructions for filing complaints.
  • Revisions must be made, and copies of revised notices must be posted and made available to patients, by September 23, 2013.
  • Covered entities that have websites must post the revised notice prominently on the site and make it available electronically through the site.

3. Review, Revise, and Implement Privacy and Security Policies and Procedures

  • Covered entities must implement policies and procedures to ensure compliance with provisions regarding breach notifications, use and disclosure of PHI, expanded protection for individual rights, and other Omnibus Rule provisions.
  • Employees must be trained to follow and implement revised policies and procedures.

BUSINESS ASSOCIATES

Under the Omnibus Rule, business associates of covered entities are directly liable for HIPAA compliance and are subject to penalties for violations. Business associates should do the following to ensure compliance with the new rule:

1. Review, Revise, and Update Business Associate Agreements (BAAs)

  • Business associates must have BAAs with 1) covered entities and 2) certain “downstream” subcontractors. These BAAs must contain “satisfactory assurances” that the business associate or the downstream subcontractor will appropriately safeguard PHI.
  • Because the HIPAA Omnibus Rule includes new types of entities in the definition of “business associate,” entities that have business relationships with covered entities, or entities that are “downstream” from business associates, should determine whether they are “business associates” according to the Omnibus Rule.
  • Entities become business associates by virtue of their actions, not by virtue of signing a BAA. Therefore, if an entity fits the definition of business associate, but does not have a BAA in place, the entity is in violation of HIPAA.
  • Terms of existing BAAs should be revised to reflect requirements of the Omnibus Rule.

2. Review, Revise, and Implement Privacy and Security Policies and Procedures

  • Business associates must implement policies and procedures to ensure compliance with provisions regarding breach notifications, use and disclosure of PHI, expanded protection for individual rights, and other Omnibus Rule provisions.
  • Workforce members must be trained to follow and implement revised policies and procedures.

If you need help or have any questions about compliance with – and implementation of – the new, more stringent HIPAA Omnibus Rule, call Feldman Kieffer today at 716-852-5875, or email us at this link.


[1] 45 CFR § 164.308(b) (2013).
