HIPAA/HITECH Update: The Waiting Is the Hardest Part
As we approach the three-year mark since the passage of the Health Information Technology for Economic and Clinical Health Act (HITECH), and still do not have most of the regulations implementing the privacy and security provisions of this law, the simple passage of time by itself is creating confusion and ambiguity in the health care industry. What are the important issues on the horizon, and what should companies be doing now?
The Regulatory Update
The primary proposed rule resulting from the HITECH law was published in July 2010. Given that the proposed rule did little more than transfer to the regulations the required statutory provisions, it is not at all clear (a) why it took so long to issue the proposed rule and (b) why it is taking even longer to issue the final rule. (See Nahra, "What's Important about the HITECH NPRM?," Privacy In Focus (August 2010).)
The latest quasi-official projection (in a string of so-far incorrect predictions) contemplates issuance of a final HITECH rule (along with several other Health Insurance Portability and Accountability Act (HIPAA)-connected regulations) by the end of 2011. If this proves correct, it will mean that the expected compliance deadline for these new provisions will be in roughly July 2012 (with some minor variations from this date for specific provisions). Regardless of the final publication date, covered entities and business associates can anticipate a reasonable compliance period of essentially seven months from publication of the final rule (30 days before the regulation becomes final, plus six months thereafter to comply).
The Notification Update
One component of this final regulation will address security-breach notification. It is clear that this particular HITECH provision is the one having the most impact on the health care industry overall. Breaches, both large and small, are being reported on almost a daily basis.
Unlike the core HITECH regulation, which is not in effect yet, the breach-notification provisions apply now, through the existing "Interim Final Regulation." See Nahra, "Understanding and Implementing the New Health Care Breach Notification Rules," BNA's Health Law Reporter (September 17, 2009). The drama with this regulation, to date, has involved the somewhat controversial "withdrawal" of a final rule. While the reason for this withdrawal remains somewhat of a mystery (see Nahra, "The Mystery of the HIPAA Breach Notice Rule," Privacy In Focus (September 2010)), it means the final language (particularly the definition of the "risk of harm" threshold) is still up in the air. Covered entities and business associates need to investigate and report security breaches under the interim standard.
Accordingly, covered entities and business associates must meet the current obligations of this breach notification rule, with all of its challenges and ambiguities. For better or worse, this regulation is forcing the health care industry to be more proactive about security breaches and to take aggressive steps to respond to and mitigate breaches, as well as to satisfy notification requirements and obligations. We continue to see a wide variety of questions relating to mitigation, risk, notification and related compliance issues. Even though this regulation has been in effect for more than a year, we encourage covered entities to treat each potential breach situation individually, and focus on the particular facts of each incident, rather than trying to generalize from other situations.
The Accounting Rule
While both the HITECH rule and the breach notification rule have generated debate and discussion, the most controversial Health and Human Services (HHS) proposal under HIPAA stems from what has been (to date) one of the least noticed and least interesting provisions of HIPAA, the accounting right. With a proposal published on May 31, 2011 (see 76 Fed. Reg. 31426), however, HHS unleashed a flood of commentary about its dramatic proposed changes to this rule. Typically, the various HIPAA regulations that have been proposed over the years receive many comments, with a mixture of positives and negatives and virtually everything in between. By contrast, the accounting proposal generated almost universal criticism. See Nahra, "The HIPAA Accounting NPRM and the Future of Health Care Privacy," BNA's Health IT Law & Industry Report (July 4, 2011). As HHS evaluates comments on this proposal, no one expects that the final accounting rule will be incorporated into the regulation to be issued by the end of 2011.
So what does this all mean? Where should companies go from here?
Preparing for the Final Rule
The proposed HITECH rule contained little new or unexpected information. While we can expect more explanation and interpretation in the final regulation, and there is always the possibility of unexpected changes, for the most part, companies know what the final rule will say, at least in the big picture. While there clearly will be at least six months for a compliance period, companies should begin now to evaluate the areas where there likely will need to be business changes. For example, the HIPAA marketing rules will be modified to significantly restrict marketing efforts that involve payment from a third party. Companies do not need to change their practices yet, but should begin today to consider how this proposal would affect current marketing efforts. Similarly, to the extent that a company discloses protected health information for payment, the company should begin to evaluate now where this new proposal will have an effect and what will need to be changed about these practices. Planning and identification of problem areas should not wait. You may be able to wait on identifying potential solutions (until the details of the rules are finalized), but it is recommended to begin now to identify the areas that require change.
A Business Associate Strategy
One result of the regulatory delays is that business associates know they will need to be in compliance with the HITECH requirements (and have known so since 2009) but do not yet have to comply. That creates a key challenge for covered entities - what do I ask of my business associates today, and how do I address my business associate contracting obligations now? There isn't necessarily a "right" answer to these questions, but it is critical for covered entities to evaluate how they want to proceed on these issues. At a minimum, covered entities need to have an approach to contracting issues, since every relationship with a business associate requires an appropriate contract today, with the significant likelihood of additional requirements in the next few months. We also are seeing numerous situations where business associates are having security breaches that trigger notification obligations for covered entities, so it is particularly important to monitor the activities of business associates.
A Strategy for Business Associates
On the flip side, all business associates should be addressing these same issues. The contract requirements are not new, but business associates need an approach for dealing with covered-entity clients, both today and in the future. In addition, it is vital for business associates to recognize two critical facts about the HITECH environment.
Compliance with the breach notification requirement is required now.
- Even though business associates do not yet have to comply with most HITECH requirements, they do currently have to comply with the breach-notification rules. This means an obligation to investigate breaches, conduct risk assessments and make reports to covered entity clients. Business associates should be careful to ensure that they are up front with their clients about "close-call" situations - it may not be appropriate for business associates to fail to notify a covered entity in a close situation, even if the business associate ultimately believes that notification to individuals is not required. Remember - notifying the covered entity about a situation does not automatically mean that notice to individuals is appropriate. Business associates should always consider whether to give notice even if it is not legally required - so that the covered entity has a fair and reasonable basis on which to evaluate risk to its patients or members. (The same issue arises for covered entities, who may decide to give notice to individuals even where not required.)
The biggest change will arise from the Security Rule.
- While HITECH actually changes little about the details of the HIPAA Security Rule, this Rule will create the biggest compliance challenges for business associates when the HITECH regulations become final. Business associates will have (approximately) seven months to move from the current HIPAA contractual standard (requiring "reasonable and appropriate" security practices) to compliance with the full HIPAA Security Rule. This is a significant new obligation and one that likely will take many business associates more than the seven-month compliance period. Business associates should assess their security obligations now.
- By contrast, the impact of the HITECH Privacy Rule changes should not be significant. Absent some unexpected change in the final regulation, the HITECH obligation for business associates will be simply to follow the current provisions of a standard business associate contract - with new enforcement risks if these obligations are not met. This doesn't mean that it isn't also appropriate to evaluate privacy controls - just that business associates should recognize that most privacy rule requirements are in place now, as required by existing business associate contracts. The substance of the Privacy Rule obligations does not change for the most part, assuming that business associates are complying with their contractual obligations today.
For all participants in the health care industry, whether covered entities or business associates, one security risk stands out from the rest - the risk of inappropriate internal access to information. Whether it is the "celebrity patient" risk, the "neighbor down the street" issue or more malicious risks related to identity theft or health care fraud, we are seeing widespread and repeated problems related to how employees misuse their access to sensitive information. This is an actual problem with actual impact. In addition, the HHS interpretation of the HIPAA Security Rule set forth in the accounting rule Notice of Proposed Rulemaking increases the need for emphasis on this issue, by setting forth an interpretation of the Security Rule that requires complete tracking of how all individuals use and access health care information. It is clear that health care industry participants need to explore how they control and monitor internal access, investigate potential violations and enforce their operating procedures. This is a critical need for anyone dealing with protected health information.
While the HITECH era has been long in coming, it is (finally) about to be here. 2012 promises to be an important and challenging year for the health care industry and its business partners, even before the potentially dramatic changes from the accounting rule kick in. We know what many of the changes will be, and can reasonably expect when the industry will need to meet these new requirements. While there clearly are some open areas, the general parameters are relatively clear. Moreover, because some of the clearer elements (such as the Security Rule) also require the most significant efforts, it is critical for the health care industry to begin evaluating these changes now, with an eye toward meeting compliance obligations and avoiding or reducing the exposure to enforcement, audits and potential litigation.