Compliance and HIPAA
Overview of Compliance and HIPAA Experience:
The Health Law Partners, P.C. assists healthcare providers, suppliers, plans and organizations with their compliance needs. For example, our attorneys can assist with:
- Developing and updating billing compliance policies
- Developing training programs and presenting compliance in-service and education sessions with regard to billing, HIPAA privacy and HIPAA security
- Undertaking compliance investigations and responding to identified problems
- Directing auditing and monitoring
- Reviewing contracts and relationships for compliance with the Stark and Anti-Kickback laws
- Drafting compliant contracts
- Counseling providers with regard to sensitive refund and disclosure issues
- Drafting and updating HIPAA privacy and security programs and policies
- Reimbursement matters
HIPAA Overview:
Privacy:
The HIPAA privacy rule (45 CFR Part 164) governs the use and disclosure of individually identifiable health information ("protected health information" or "PHI") by covered entities (i.e., health care providers, health plans and health care clearinghouses). It also sets standards for the privacy rights that must be afforded to individuals. According to HHS, a major goal of the HIPAA privacy rule is to ensure that covered entities appropriately protect health information while allowing the flow of health information needed to provide and promote high quality health care. Given the diversity in type and size among the entities covered by HIPAA, the privacy rule is designed to be flexible enough to address the variety of uses and disclosures that arise in practice. In summary, the HIPAA privacy rule:
- Provides restrictions on uses and disclosures of patient health information. The privacy rule sets forth the instances in which protected patient information can be used within the covered entity or disclosed to outside parties;
- Creates individual patient rights to inspect and copy their records, to amend erroneous information, to request certain restrictions on the use and disclosure of their information, to file written complaints, and to receive a notice of the entity's privacy practices;
- Requires covered entities to include certain privacy language in contracts with "Business Associates" regarding safeguarding patient information;
- Requires a covered entity to appoint a HIPAA Privacy Officer;
- Requires implementation of privacy policies and procedures;
- Requires the designation of a contact person or office who is responsible for receiving privacy complaints and who can provide information about the entity's privacy policies and procedures; and
- Requires covered entities to provide HIPAA privacy training to all members of their workforce.
Security:
The HIPAA security rule (45 CFR Part 164) addresses the confidentiality, integrity, and availability of electronic protected health information ("EPHI"). EPHI means any protected health information that is created, received, maintained or transmitted in electronic form.
Although PHI that is not considered electronic protected health information (e.g., hardcopy billing records and hardcopy medical records) is not covered by the Security Rule, this information is still protected by the Privacy Rule, which also requires covered entities to "have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information."
The security rule sets forth certain general requirements. The general requirements mandate that covered entities do the following:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information that the covered entity creates, receives, maintains or transmits.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule; and
- Ensure workforce compliance.
In order to achieve the general requirements set forth above, covered entities are required to meet 18 standards. For each standard, the Security Rule sets forth "implementation specifications" that serve as the "instructions" for compliance. Some implementation specifications are "required" while others are "addressable." An "addressable" specification is not optional: the covered entity must assess whether it is reasonable and appropriate in its environment and then either implement it, implement an equivalent alternative measure, or document why neither is reasonable and appropriate. The standards and their related implementation specifications are broken down into three broad categories: administrative safeguards, physical safeguards, and technical safeguards.
The administrative safeguard standards require covered entities to conduct a risk analysis of the threats to the confidentiality, integrity and availability of electronic protected health information within the organization, implement a number of required policies and procedures, and maintain certain documentation to manage and minimize risk.
Physical safeguard standards deal with the security measures taken to protect the buildings and equipment that house electronic PHI from natural and environmental hazards and from unauthorized intrusion.
Technical safeguard standards address the technological measures to safeguard and control access to electronic information, as well as the development and implementation of policies and procedures dealing with the use of technology.
HIPAA Privacy and Security Expanded by the American Recovery and Reinvestment Act:
The Health Information Technology for Economic and Clinical Health Act ("HITECH Act" or the "Act"), included in the American Recovery and Reinvestment Act, significantly expands HIPAA privacy and security provisions. Some of the key aspects of the privacy and security portions of the Act include the following:
- Required Notification for Information Breaches:
Effective 30 days after the Secretary of the Department of Health and Human Services ("HHS") publishes interim final regulations (which regulations are due within 180 days from the enactment of the legislation), covered entities and business associates will be required to follow certain notification protocols when a person's unsecured protected health information has been breached. "Unsecured" PHI is PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons through a technology or methodology specified in HHS guidance (in practice, encryption or destruction); the loss or theft of properly encrypted PHI therefore generally does not trigger these notification obligations. The protocols include individual notification to the affected persons and, depending on the number of individuals whose information is involved, media notification. Notification must also be made to HHS immediately if the breach involves 500 or more individuals. If the breach involves fewer than 500 individuals, the provider may instead record the breach in a log, which must be submitted annually to HHS.
- Required Accounting of Disclosures Involving Electronic Health Records:
As many providers are aware, under the current HIPAA regulations providers need not provide individuals with an accounting of disclosures of their health information if the disclosure is related to the provider's treatment, payment activities or health care operations ("TPO"). Although the implementation date is set into the future, under the HITECH Act providers who use or maintain electronic health records will be required to account for TPO disclosures. In such cases, however, the accounting period is limited to the three years prior to the date on which the accounting is requested. The Act directs the Secretary of HHS to issue regulations specifying what information must be collected about each disclosure.
- The Minimum Necessary Rule:
With regard to non-treatment situations, the current HIPAA regulations require providers to use and disclose only the minimum amount of PHI necessary to accomplish a permitted task. Until the government issues guidance on the meaning of "minimum necessary," the HITECH Act provides that, to be in compliance with the minimum necessary rule, a provider must (1) to the extent practicable, limit uses and disclosures to the "limited data set"; or (2) if the entity needs more, limit them to the minimum necessary to accomplish the intended purpose. A limited data set is still considered PHI, but it is data that has been stripped of certain direct identifiers. Note that the current exceptions to the minimum necessary rule still apply (e.g., disclosures for treatment purposes).
- The Stakes Are Raised - Increased Enforcement:
The Act provides that the penalties that apply to covered entities for violations also apply to business associates. Additionally, the HITECH Act revises and expands the current penalty provisions. The Act contains new provisions addressing noncompliance due to "willful neglect" and requires the government to formally investigate any complaint of a violation if a preliminary investigation of the facts indicates a possible violation due to willful neglect. The HITECH Act also replaces the current penalty of $100 per violation with a new tiered penalty system.
Of particular importance, the Act also authorizes enforcement by State Attorney General offices: if the attorney general of a State has reason to believe that an interest of one or more residents of that State has been or is threatened or adversely affected by a violation, the Attorney General may bring a civil action on behalf of those residents to enjoin any continuing violation or to obtain damages on their behalf. The court may also award costs and reasonable attorney fees to the State.
- Business Associates:
The HITECH Act extended certain HIPAA requirements to business associates. Specifically, the Act applies the administrative, physical and technical safeguard requirements of the HIPAA security regulations to business associates. It also imposes obligations related to policies, procedures and documentation requirements.
- Prohibitions on Sale of Electronic Health Records or PHI:
In general, a covered entity or business associate may not directly or indirectly receive remuneration in exchange for any protected health information of an individual unless one of six exceptions applies or the covered entity has obtained a valid HIPAA authorization from the individual that specifies whether the PHI can be further exchanged for remuneration by the entity receiving it. The exceptions to the general prohibition apply when:
- The purpose of the exchange is for public health activities, as defined by the HIPAA regulations;
- The purpose is for research and the price charged reflects the costs of preparation and transmittal of the data for such purpose;
- The purpose is for treatment, subject to additional protections promulgated by regulation;
- The purpose is in connection with a transaction and due diligence involving the sale, transfer or merger of a Covered Entity;
- The purpose of the exchange is for remuneration that is provided by the Covered Entity to a Business Associate related to the Business Associate's activities involving the exchange of PHI that the BA undertakes on behalf of and at the request of the covered entity pursuant to the BA agreement;
- The purpose of the exchange is to provide an individual with a copy of the individual's PHI.
The Secretary is also authorized to develop additional exceptions. Notably, the prohibition takes effect six months after the promulgation of final regulations (the Secretary is responsible for promulgating those regulations no later than 18 months after the enactment date of the Act).
- Access to Information In Electronic Format:
Building on the current regulation allowing individuals access to their records, where a covered entity uses or maintains an electronic health record, the individual has the right to obtain a copy of that information in electronic format and, if the individual so chooses, to direct the covered entity to transmit the copy to a designated person.
Helpful Compliance and HIPAA Links:
Office of Inspector General (OIG) Compliance Guidance - Department of Health and Human Services (HHS)
Centers for Medicare & Medicaid Services (CMS) - Department of Health and Human Services (HHS) - The CMS website provides a summary of the HIPAA requirements and answers to frequently asked questions.
Office for Civil Rights (OCR) - Department of Health and Human Services (HHS) - OCR is charged with enforcing the HIPAA Privacy and Security Rules, including the imposition of civil penalties. The OCR site provides important information regarding the HIPAA law, regulations, and OCR HIPAA enforcement activities.