Pierce & Mandell, P.C.

11 Beacon Street, Suite 800
Boston, Massachusetts 02108-3002

Phone: (617) 720-2444
Fax: (617) 720-3693

Facebook Twitter

Health and Dental Law

RSS Grab Health and Dental Law RSS Feed

New HIPAA Regulations Impact Health Care Providers and Business Associates - Boston, MA

Monday, March 18, 2013
The federal HHS Office of Civil Rights recently adopted final HIPAA regulations covering a broad range of topics, to strengthen privacy and security protections for individual health information.  This blog is Part 1 in a series.   

By Dean P. Nicastro, Esq.

Business Associates.

The new HIPAA regulatory amendments make business associates directly liable for various requirements in the HIPAA Privacy and Security Rules.  In particular, the amendment to the general applicability provision at 45 C.F.R. §160.102(b) states: “Where provided, the standards, requirements, and implementation specifications [of HIPAA privacy and security] apply to a business associate.”  Similar language has been added for both the Security Rule and the Privacy Rule (including particularly with respect to the protected health information (PHI) of a covered entity) at 45 C.F.R. §164.104(b) and 45 C.F.R. §164.500(c).  In effect, this means that business associates must implement administrative, physical and technical safeguards, and implement and document reasonable and appropriate policies and procedures, to protect PHI and electronic PHI under both the Security Rule and the Privacy Rule.

The amendments go on to expand the definition of a “business associate.”  The term now includes Health Information Organizations, E-prescribing Gateways, personal health record providers, and, most significantly, subcontractors of a business associate that create, receive, maintain or transmit PHI on behalf of the latter.  A definition of “subcontractor” has also been inserted: "a person to whom a business associate delegates a function, activity or service.”  HIPAA obligations thus now reach downstream entities that access or handle PHI of the main covered entity.

Additionally, the amendments add business associates to the HIPAA Enforcement Rule, in order to implement the imposition of liability for civil money penalties (CMPs) upon business associates for various HIPAA violations.

The new rules for business associate compliance become effective on March 26, 2013, and must be complied with by September 23, 2013.  Existing business associate agreements that were compliant with pre-existing regulations are deemed compliant with the new rules until the earlier of September 22, 2014 or the date the agreement is renewed or modified on/after September 23, 2013.

HIPAA Enforcement Rule.

The HIPAA regulatory amendments also strengthen HIPAA enforcement:

  • Private Complaints - HHS will investigate complaints about non-compliance filed by private persons when preliminary review of facts indicates possible violation due to willful neglect
  • Compliance Reviews - HHS will conduct a compliance review when preliminary review of facts indicates possible violation due to willful neglect
  • resolution of such investigations or compliance reviews can result in the imposition of CMPs or a determination of no violation
  • HHS may, for criminal or civil law enforcement activities, share PHI obtained in an investigation or compliance review with other legally-permitted governmental agencies (including state attorneys general)
  • Covered entities liable for violations by their business associates, and vice versa
  • governed by federal common law of agency
  • Increased tiered CMP penalty structure for violations, that takes into account whether the covered entity or business associate would have known of the violation, whether the violation was due to willful neglect or reasonable cause, and was corrected within 30 days
  • HHS will determine CMP amounts, considering mitigating or aggravating factors
    • nature and extent of violation (number of affected individuals, time period)
  • nature and extent of harm (physical, financial, reputation, patient’s ability to obtain health care)
  • prior compliance/violations
  • financial condition
  • other matters as justice may require

Covered entities and their business associates should be moving forward now that these final rules have been issued to review and update their business associate agreement templates and compliance policies accordingly.

Please contact the health law attorneys at Pierce & Mandell for additional information on this subject.

Proposed Changes to Prescription Monitoring Program Would Affect Most Physicians

Monday, February 25, 2013
By Dean P. Nicastro

Massachusetts’ new Prescription Monitoring Program (PMP) Law (Chapter 244 of the Acts of 2012) provides that practitioners who prescribe controlled substances (Schedules II-V) will be automatically registered as participants in the state’s PMP when they obtain or renew their Massachusetts controlled substance registration.  This provision took effect January 1, 2013, and the Massachusetts Department of Public Health (DPH), acting under the PMP Law’s mandate, has issued proposed amendments to its existing PMP regulations to implement the automatic participation requirement and associated provisions.

Highlights of these proposed amendments:

  • Effective January 1, 2013, all practitioners (physicians, dentists, podiatrists) who hold a Massachusetts Controlled Substance Registration (MCSR) are automatically granted authority to “utilize” the PMP
  • “utilize” is defined as accessing or reviewing a patient’s prescription history within the PMP
  • Practitioners must accept the Terms and Conditions of use of the PMP to complete a MCSR
  • PMP participants must utilize the PMP prior to seeing a “new patient” – compliance is met by reviewing the most recent 12-month prescription history of the “new patient”
  • “new patient” means an individual person who has not received any professional services from the participant within the previous 12 months
  • Attending physicians in a hospital or other inpatient facility are subject to this utilization requirement, but not other participants who provide care in the hospital/facility
  • Exceptions are carved out for when acute care is required so as not to result in patient harm, and for instances when the PMP is not reasonably possible to be utilized (e.g., technological or electrical failure)
  • PMP primary account holders may routinely request to delegate up to 2 authorized support staff to utilize the PMP on their behalf – the primary account holder is responsible for all delegate use of the PMP

The proposed regulatory amendments will be up for public hearing before the Public Health Council (PHC) on March 22, 2013.  DPH has stated that the goals of the proposed amendments are to: “(1) increase utilization of the PMP in order to provide prescribers and dispensers with additional information that can inform clinical decision making, and (2) better address the morbidity and mortality resulting from prescription drug misuse and abuse by identifying individuals in need of intervention or treatment.”  Because the proposed amendments will require physicians and other prescribing practitioners to check the PMP database when seeing “new patients,” testimony from organized medicine and other interested parties can be expected.  A final version of the regulations could be adopted as early as the PHC’s April 2013 meeting.

Pierce & Mandell P.C.’s health care lawyers are uniquely qualified to assist medical professionals in understanding, interpreting and complying with the latest PMP regulations. Contact us.

HIPAA “De-Identification Process” is Clarified by Department of Health and Human Services

Thursday, January 10, 2013
By: Rebecca Merrill

Guidance from the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) provides clarity on the available methods of de-identification of protected health information (PHI) as well as the federal government’s scrutiny of such procedures.

The Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) established two methods of de-identification: (1) Expert Determination Method and (2) Safe Harbor Method. 45 C.F.R. § 164.514(a).  These de-identification methods are applied to PHI to enable the use of health information for non-treatment purposes (e.g., research and policy development), while protecting the individual’s right to privacy by removing identifiers from the PHI prior to utilizing the data for secondary purposes.

Applying the expert determination method, a covered entity may determine that health information is not identifiable if a qualified expert, applying generally acceptable statistical and scientific principles and methods for rendering information not individually identifiable, (i) “determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and (ii) documents the methods and results of the analysis that justify such determination.”  45 C.F.R. § 164.514(b).

The HHS guidance sets forth factors that the agency will apply when scrutinizing expert qualifications for the purpose of expert de-identification.  These factors will be helpful to health care providers, health plans and business associates in assessing the qualifications of an expert and understanding the de-identification process and risk assessment.  

The HHS guidance also details three primary principles that should guide expert risk assessment.  The first principle, replicability, involves the prioritization of “health information features into levels of risk according to the chance it will consistently occur in relation to the individual.”  For example, low risk replicability would occur when the “results of a patient’s blood glucose level test will vary”; whereas, high risk replicability would exists when the “[d]emographics of a patient (e.g., birth date) are relatively stable.” Id.  Second, the principle of data source availability examines “which external data sources contain the patients’ identifiers and the replicable features in health information, as well as who is permitted access to the data source.” Id.   In it Guidance, HHS indicates that lab reports with identifying information that are often limited to healthcare environments are low risk, while patient name and demographic information often in public sources (e.g., vital records) are high risk.  Third, the principle of distinguishability requires a determination of “the extent to which the subject’s data can be distinguished in the health information.”  Id.

Finally, the HHS guidance addresses the Safe Harbor Method, pursuant to which a covered entity can de-identify PHI by adhering to a de-identification framework that mandates removal of at least 18 identifiers from the health information and requires that the covered entity.  In addition, the Safe Harbor requires that the covered entity have no actual knowledge of potential for an individual to be identified by the de-identified information alone or in combination with other information. 45 C.F.R. § 164.514(b).  The HHS guidance offers clarification on several of these factors, enabling the covered entity to better navigate the de-identification process.  In addition, the guidance provides examples of what constitutes “actual knowledge.”   Finally, the guidance explains that once data is de-identified in accordance with the Safe Harbor, covered entities are not required to enter into data use agreements when sharing the information with third-parties.  

Pierce & Mandell’s health care lawyers can assist in all phases of HIPAA compliance for medical and dental professionals.  Contact us.

Enter your e-mail address below to receive updates on new blog posts!

Recent Posts