MEDICAL PRIVACY UPDATE:
New PHI Disclosures Permitted for Firearm Background Checks
Earlier today, HHS published a Final Rule modifying the HIPAA Privacy Rule (45 C.F.R. § 164.512) to allow certain Covered Entities to disclose limited PHI to the FBI’s National Instant Criminal Background Check System (NICS) to help identify individuals subject to the “Federal mental health prohibitor” that disqualifies them from shipping, transporting, possessing, or receiving a firearm. 81 Fed. Reg. 382 (Jan. 6, 2016). Persons subject to the Federal mental health prohibitor include, for example, individuals who have been: involuntarily committed to a mental institution; found incompetent to stand trial or not guilty by reason of insanity; otherwise determined by a court, board, commission, or other lawful authority to be a danger to themselves or others or to lack the mental capacity to contract or manage their own affairs, as a result of marked subnormal intelligence or mental illness, incompetency, condition, or disease. 81 Fed. Reg. at 384.
The permissible disclosures themselves are restricted to “limited demographic and certain other information needed for NICS reporting purposes.” Id. at 385. Indeed, the rule specifically prohibits disclosure of any diagnostic or clinical information (whether from medical records or other sources), and any mental health information beyond the indication that the individual is subject to the Federal mental health prohibitor. Id. at 386. Moreover, “only covered entities [and their Business Associates (BAs)] with lawful authority to make the adjudications or commitment decisions that make individuals subject to the Federal mental health prohibitor, or that serve as repositories of information for NICS reporting purposes, are permitted to disclose the information needed for these purposes.” Id. at 391. That necessarily excludes a wide range of HIPAA Covered Entities (and their BAs) as the vast majority neither have such authority nor serve as information repositories for the FBI’s background check system.
On the whole, therefore, this modification is unlikely to affect most of the healthcare industry. Of course, that has not stopped gun rights advocates from complaining about it or gun control advocates from applauding it. Beyond that, I’ll let my colleagues better informed on Second Amendment policy and jurisprudence take over.
MEDICAL PRIVACY 2015 RETROSPECTIVE:
Following the flurry of activity kicked off by the January 2013 Omnibus HIPAA Rulemaking and subsequent implementation activity of 2013-2014, we saw a bit of a lull in 2015, at least from a federal regulatory and policy guidance perspective. We did, however, see a marked increase in the size and scope of breaches and associated reporting, continued assessment of Civil Monetary Penalties (CMPs) and Resolution Agreements, and a slew of state breach notification legislation. California also issued policy guidance harmonizing state law with the federal HIPAA Privacy Rule. Further, OCR has pledged to jump start its audit program for both Covered Entities and Business Associates in 2016, to release a number of important guidance documents, and to otherwise ramp up enforcement activities. So buckle up.
The Audits Are Coming . . . The Audits Are Coming!! (maybe)
In two recent reports, HHS’s Office of Inspector General (OIG) recommended that HHS’s Office for Civil Rights (OCR) implement a permanent audit program and strengthen its follow up of reported breaches of PHI.
The two OIG reports, OCR Should Strengthen Its Oversight of Covered Entities’ Compliance with the HIPAA Privacy Standards and OCR Should Strengthen Its Followup [sic] of Breaches of Patient Health Information Reported by Covered Entities (collectively OIG Reports), observe that OCR’s oversight and enforcement is, to date, primarily reactive. Notably, OIG found that OCR has not fully implemented its audit program to proactively assess possible noncompliance by Covered Entities (and their Business Associates) as required by the HITECH Act. Rather, OCR investigations primarily respond to complaints or self-reported breaches (i.e., only two-percent of investigations arise in response to tips or media reports).
In its response, OCR indicated that it will begin “Phase II Audits,” which will include HIPAA Business Associates, in 2016. See OCR Responses (Sept. 23, 2015), OIG Reports, Appendices C. Although OCR has not updated its current Audit Protocol, it assessed its 2012-2013 audit pilot and evaluated designs for establishing a permanent program. OCR representations notwithstanding, the agency’s response included the same caveat that it routinely provided over the past four years – i.e., that “the scope and structure of the audit program long-term will ultimately depend upon the availability and allocation of resources for the program.” Indeed, over two years ago, OIG issued a report urging OCR to implement its audit program and, in response, OCR indicated that it did not have sufficient funds for a permanent program. Based on OCR’s historical failure to deliver on promises that “audits are coming,” coupled with the fact that its Audit Protocol has not been updated, it is difficult to conclude that 2016 audits are a sure thing.
The Guidance Is Coming . . . The Guidance Is Coming!! (maybe)
At the September 2015 NIST-OCR annual conference, Safeguarding Health Information: Building Assurance through HIPAA Security, OCR Director, Jocelyn Samuels, and newly appointed OCR Deputy Director of Health Information Privacy, Deven McGraw, indicated that guidance on the following topics was and is forthcoming:
- guidance on an “individual’s right to access” was expected at the end of October 2015 but not released;
- guidance on the breach standard of “low probability of compromise” is expected in early 2016;
- guidance on the “minimum necessary” standard for uses and disclosures of PHI is expected in early 2016; and
- guidance on “cloud computing” is also anticipated in the near future.
In years past, OCR would announce a much more aggressive list of guidances, most of which we have yet to see.
OCR’s New Web Portal
On October 5, OCR launched a web-based portal for stakeholders and other interested parties to anonymously submit questions regarding HIPAA privacy and security issues and how current regulations operate at the intersection of health information technology and patient privacy and security. Questions submitted through the portal are made publically available on OCR’s website. OCR specifically asks stakeholders to submit:
- questions that may be addressed in guidance;
- comments on how guidance should look in order to make it more understandable or accessible;
- general questions about HIPAA; and
- “use case” scenarios (e., appropriate actions or steps in particular circumstances).
OCR does not intend to directly respond to all specific questions via the portal. Rather, it intends that stakeholders utilize the portal as a tool to request guidance or to bring other HIPAA-related issues to OCR’s attention. In addition, the portal can be used to create a dialogue among stakeholders and allows users to comment on other stakeholder questions and vote on which topics or use cases are most important.
Federal Legislative and Policy Activity
The 21st Century Cures Act which, in relevant part, has the potential to lower certain privacy protections for human research subjects, last moved on July 13, 2015, when it was passed by the House. At that time it was referred to the Senate Committee on Health, Education, Labor, and Pensions, where it remains stalled without any proposed legislative compromise.
Although FDA and NIH are supportive of the proposed legislation, concerns remain regarding a number of issues that must be resolved in order for the bill to move forward. Many of the issues concerning trial design, collaborative drug development, and device approval have been met with opposition by various consumer groups concerned about patient safety.
Stay tuned in 2016.
Unlike their federal counterparts, the states seem to be in relatively high gear, as 2015 saw them: issuing substantive clarifications regarding the broad permissibility of patient medication adherence and compliance communications; and awash in breach notification legislation and associated rulemaking.
State Policy Activity – California Policy Manual Permits “Refill Reminder” Programs in California
In July 2015, California’s Office of Health Information Integrity (CalOHII) published its long-awaited State Health Information Policy Manual, expressly recognizing that sponsored “refill reminders” do not require patient authorization in California. See Manual at 35-36 (§ 2.2.7 – Marketing). Using language substantially similar to the HIPAA Privacy Rule, the Manual expressly makes clear that “[t]he following . . . do not require an authorization, because they do not meet the definition of marketing: . . . Refill reminders, or other communications about a drug or biologic currently being prescribed to a patient.” Manual at 36.
In recognizing this broad exception to the definition of “marketing,” the Manual also includes numerous useful examples of acceptable sponsored “refill reminders” and other adherence- and compliance-focused communications:
- A pharmacy emails a patient of the need to refill their prescription.
- A pharmacy sends a letter to a patient that the patient is running out of refills and to see their provider for renewal.
- A pharmacy calls a patient to inform them medication is available for pickup.
Id. As CalOHII makes clear, however, the above is not an exhaustive list. Rather, the Manual appears to build on the authority contained in the CMIA to extend to Californians the benefits of sponsored “refill reminders” and other adherence and compliance communications that are permissible across the country pursuant to the federal HIPAA Privacy Rule, and HHS’s “Refill Reminder” Guidance, The HIPAA Privacy Rule and Refill Reminders and Other Communications about a Drug or Biologic Currently Being Prescribed for the Individual (Sept. 2013).
Wave Of State Breach Notification Laws
The onslaught of data breaches has wrought breach notification legislation and associated rulemaking continues at the state level. The result, from a compliance standpoint, is what we often get with non-preemptive federal laws such as HIPAA – a state patchwork-induced migraine for regulated industry. Not only do Covered Entities and their Business Associates have to comply with HHS’s federal Breach Notification Rule, but monitor state laws and regulations that are, almost across the board, more onerous (note: state laws that directly conflict with or contradict HIPAA are preempted; more stringent state requirements are not preempted). Some states require the reporting of additional information concerning the breach and nearly all require more expedient reporting than the federal rule. Particularly for larger regulated entities doing business in multiple states, this patchwork approach requires particular diligence and an often complex, multifaceted set of policies and procedures that not only comply with federal HIPAA but satisfy all applicable state requirements.
Of course, encryption is the magic pill for much of this headache. Although it may present operational challenges for some in regulated industry, it is nevertheless prudent. To be clear, although encryption is not required, that does not mean it is “optional.” Rather, it is “addressable.”
HIPAA Enforcement by New York State AG
Just before Thanksgiving, the New York State Office of the Attorney General entered into a Settlement Agreement with the University of Rochester Medical Center (URMC) to settle a number of HIPAA violations. URMC provided breach notification to OCR when it learned that a nurse practitioner provided the PHI of nearly 3,500 patients to a future employer for purposes of announcing the nurse practitioner’s move to another practice. The Settlement Agreement resembles OCR’s Resolution Agreements with corrective action plans discussed above, but includes a CMP of only $15,000.
This action demonstrates and reminds regulated industry of the growing trend among state attorneys general to exercise their authority under federal law to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules. We recently have seen HIPAA enforcement cases brought by state AGs in Connecticut and Massachusetts, with penalties reaching as high as $750,000.
So stay tuned as 2016 should be a busy one!