Patricia O'Connell
Senior Communications Manager

Wiley Rein’s Kirk Nahra Comments on Delayed Health Care Privacy Rules

Compliance Week
January 15, 2013

Kirk J. Nahra, chair of Wiley Rein’s Privacy Practice, was quoted extensively in a Compliance Week article on the U.S. Department of Health and Human Services’ (HHS) delayed implementation of health care privacy rules.

HHS was expected to finalize changes to the Health Insurance Portability and Accountability Act’s (HIPAA) privacy rules by the end of last summer, but the agency has yet to do so and hasn’t issued a projected timeline, according to the article. The revisions are required under the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act.

“I can't give any explanation for why it has taken so long,” said Mr. Nahra, who specializes in health care, privacy, and information security issues. “It really is astonishing at this point.”

The final rule is “overwhelmingly clerical” in nature, making the delay all the more befuddling, Mr. Nahra told Compliance Week. “It is a regulation implementing a statute, but the statute didn't just create a rule, it explicitly said, ‘Here's what the rule needs to say.’ It is impossible at this point to explain the delay except that it just isn't a priority.”

One controversial change requires health care providers’ business associates and subcontractors to comply with HIPAA rules. The biggest impact of that policy will be on “companies that don't think of themselves as being in the health care industry, they just happen to have clients in the health care industry,” Mr. Nahra said.

“The reach is potentially enormous if it is going to apply to everybody downstream from a company that contracts with the hospital,” he said. “If you are three tiers downstream and you aren't really in the healthcare industry, I don't think you even know about this.”

For example, an accounting firm hired to conduct an information technology (IT) company’s audit could be affected by the rule change if a hospital turns out to be among the IT company’s clients, and the accounting firm is exposed to patient information, Mr. Nahra explained.

“The reality for a sophisticated hospital is that they have hundreds, if not thousands, of business associates they work with,” Mr. Nahra told Compliance Week. “You are asking someone else to comply and that becomes a point of tension. Service providers are saying they will do it when they have to, but they are not going to agree in advance.”

The Compliance Week article also featured the following excerpt from “HIPAA’s Unanswered Questions,” a September 2012 client advisory authored by Mr. Nahra:


One of the key “new” provisions of the HITECH statute involved marketing and the desire of Congress to preclude marketing that involves “remuneration.”

While written in a convoluted manner, the statute appeared to alter the existing marketing provisions of HIPAA by imposing a new restriction in situations where the previous rule permitted individual information to be used or disclosed in connection with marketing.  Under HITECH, if the entity received “direct or indirect remuneration” for the marketing, now an authorization would be required.

This statutory provision cried out for a regulatory interpretation, primarily as to the meaning of “direct or indirect” remuneration.  However, the proposed regulation did little to clarify the statutory terms. The language of the final rule will be important to significant segments of the health care industry (including pharmaceuticals and wellness programs), by defining the scope of these new limitations.


The HITECH law also included similar language about the “sale” of protected health information.  As with the marketing provisions, while HHS “clarified” some exceptions to this prohibition, it did not address some of the statutory ambiguities.  While there is little blatant sale of information that is permitted today, consistent with the current rules, this provision does have an impact on certain practices that involve cooperative treatment efforts, research and other adjacent activities to core treatment and payment actions. Again, to the extent that HHS clarifies or expands on this language, this provision will have an important impact on a wide range of health care activities.