HHS Releases Much-Anticipated Final HIPAA Rule

On Jan. 17, 2013, the Department of Health and Human Services (HHS) released the much-anticipated omnibus final rule pursuant to the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and the Genetic Information Non-Discrimination Act of 2008 (GINA). Our colleagues Kim Kannensohn, Nathan Kottkamp and Amanda Enyeart have particularly deep experience with HIPAA and HITECH issues and have published several pieces on the topic. They recently provided guidance regarding the omnibus final rule, which settles some of the questions that remained open after the publication of the proposed regulations on July 14, 2010.

As our colleagues note, the final rule will be effective on March 26, 2013, and covered entities and business associates must comply with the applicable requirements of the final rule by Sept. 23, 2013. Covered entities and business associates will have up to one year following the compliance date to modify business associate agreements in accordance with the requirements of the final rule.

The final rule addresses the following key topics:

  1. Privacy Rule and Security Rule:
    1. Direct liability of business associates and subcontractors of business associates for compliance with certain provisions of the HIPAA Privacy Rule and the HIPAA Security Rule.
    2. Activities that render an entity a business associate, including the mere storage or maintenance of PHI.
    3. Required modifications to a covered entity’s notice of privacy practices.
    4. Expansion of the rights of individuals to receive electronic copies of their health information and restriction of disclosures to a health plan for treatment for which the individual has paid out-of-pocket in full.
    5. Expansion of the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibition of the sale of protected health information without individual authorization.
  2. The Breach Notification Rule: Replacement of the “harm” threshold in the Breach Notification Interim Final Rule with a more objective standard and replacement of the Interim Final Rule in its entirety with the relevant provisions of the omnibus final rule.
  3. The Enforcement Rule: Incorporation of the tiered civil money penalty structure set forth in the HITECH Act, originally published as an interim final rule on Oct. 30, 2009. Penalties are increased for non-compliance based upon the level of negligence, with a maximum penalty of $1.5 million per violation.
  4. Protections for Genetic Information: Enhanced privacy protections for genetic information as required by GINA, which was published as a proposed rule on Oct. 7, 2009.

For additional background on legal issues related to the privacy and security of health information as published by our colleagues, please see these previous articles:

Massachusetts Eye HIPAA Violations Settlement Highlights Ongoing Needs for Compliance Diligence for Providers and Investors

Just eighteen months after the first major HIPAA enforcement actions by the U.S. DHHS Office for Civil Rights (OCR), the OCR announced that Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (MEEI) had agreed to pay HHS $1.5 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. In addition to the settlement, MEEI entered into a Resolution Agreement with HHS that includes a corrective action plan (CAP) requiring it to review and revise its policies and procedures, implement workforce training and hire an independent consultant to monitor its compliance with the CAP.

The settlement relates to a 2010 theft of an unencrypted laptop computer that was taken abroad by a physician affiliated with MEEI and that contained the protected health information (PHI), including prescription and clinical information, of approximately 3,500 MEEI patients and research subjects. In a recent publication, our experienced colleagues Kim Kannensohn, Nathan Kottkamp and Amanda Enyeart describe additional circumstances of the breach and settlement.

It is now more critical than ever for covered entities and business associates, as well as healthcare investors examining a potential investment opportunity, to review the companies' HIPAA compliance efforts. Diligence on HIPAA compliance for the vast majority of companies involved in the US healthcare system is a vital element when considering investment. Reviewing the organization's plan documents, training programs, security systems and preparedness for a HIPAA audit is among the most important elements to evaluate, and investors would be well served to include such review in their diligence process.

As HIPAA Enforcement Efforts Increase, How Should Investors in Healthcare & Medical Device Companies View Risks Associated with HIPAA Compliance?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes two main components that are administered by the Office for Civil Rights (OCR): the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information (Protected Health Information, or PHI), and the HIPAA Security Rule, which sets national standards for the security of PHI. This post discusses some significant recent enforcement efforts and what the increased activity means for healthcare providers and investors.

The Changing Landscape in HIPAA Enforcement Efforts

The healthcare industry received a clear message from HHS in late February with the OCR's announcement of two major enforcement actions. First, the OCR announced on February 22nd that it had imposed a civil money penalty (CMP) of $4.3 million against Cignet Health of Prince George's County, MD. Then, two days later, OCR announced that General Hospital Corporation and Massachusetts General Physicians Organization, Inc. (Mass General) had agreed to pay $1 million to settle potential violations of the HIPAA Privacy Rule.

This is the first time that the OCR has publicized enforcement actions involving heavy monetary payments. Until these CMPs, the publicized enforcement activity for monetary recoveries from covered entities under HIPAA/HITECH had come from state attorneys general in Connecticut (a $250,000 settlement with Health Net, Inc.), Indiana (a $300,000 suit against Wellpoint) and Vermont (a settlement with Health Net, Inc., and Health Net of the Northeast, Inc.).

McGuireWoods attorneys Kim Kannensohn, Holly Carnell and Amita Sanghvi have published details of these recent OCR enforcement actions. Essentially, OCR determined that Cignet had violated the rights of 41 patients by denying them access to their medical records, in violation of the general requirement that a covered entity provide a patient with a copy of the patient's medical records within 30 days of the patient's request. In addition, OCR also penalized Cignet for its failure to cooperate with OCR's investigation on a continuing daily basis from March 17, 2009 to April 7, 2010. The CMP of $4.3 million comprises a CMP of $1.3 million for Cignet's violations of patient privacy rights and a CMP of $3 million for Cignet's failure to cooperate.

The Mass General settlement stems from an extensive investigation by OCR relating to a 2009 incident in which a hospital employee misplaced documents containing protected health information, including information of patients with HIV/AIDS. While commuting to work on the subway, the employee had allegedly removed documents containing PHI from her bag and placed them on the seat beside her, and upon exiting the train left the documents on the subway. The documents contained the name, date of birth, medical record number, health insurer and policy number, diagnosis, and name of provider for 66 patients, as well as the practice's daily office schedules for three days containing the names and medical record numbers of 192 patients. The documents were not in an envelope, were bound only with a rubber band, and were never recovered.

What does this Mean for Healthcare & Medical Device Investors?

The message from OCR through these enforcement actions is clear: HIPAA must be taken seriously, and failure to adhere to its requirements can mean heavy penalties and bad press. This is true not only for "covered entities" but for the multitude of vendors and service providers deemed "business associates" under HIPAA, which also have obligations and potential liability under HIPAA/HITECH. It is now more critical than ever for covered entities and business associates, as well as healthcare investors examining a potential investment opportunity, to review the companies' HIPAA compliance efforts. Diligence on HIPAA compliance for the vast majority of companies involved in the US healthcare system is a vital element when considering investment. Reviewing the organization's plan documents, training programs, security systems and preparedness for a HIPAA audit is among the most important elements to evaluate, and investors would be well served to include such review in their diligence process.
