HIPAA/HITECH Act Final Rule: What You Need to Know
Last January, the Department of Health and Human Services (DHHS) issued the Omnibus HIPAA/HITECH Final Rule to implement the HITECH Act and make other changes to the existing HIPAA regulations. The new regulations took effect on March 26, 2013, and health care companies and professionals have until September 23, 2013 to comply with the changes. As the compliance date draws near, companies should have a complete and thorough understanding of the Final Rule to avoid breaches and penalties.
The Knowledge Group has assembled a panel of key thought leaders to provide the audience with an in-depth analysis of the Omnibus HIPAA/HITECH Final Rule.
In a two-hour live webcast, speakers will discuss:
– Recent Developments and Key Changes on HIPAA/HITECH Rule
– Enforcement of and Compliance with the Final Rule
– Impact of the Final Rule
– Penalties and Exemptions
– Best Practices in Compliance
Nancy L. Perkins, Counsel,
Arnold & Porter LLP
BUSINESS ASSOCIATES AND DATA SECURITY BREACH NOTIFICATIONS: THE NEW RISKS
- Business Associates
  - Who is now a “business associate” and who is not?
  - When is a data transmitter a “conduit” and not a business associate?
  - When is a business associate an agent, and why does that matter?
  - What is now newly required in a business associate agreement?
  - Must existing business associate agreements be revised and if so, when?
- Data Security Breach Notifications
  - What risks do business associate relationships create with respect to security breaches?
  - The new presumption in favor of notification: how does that change the trigger for required notifications?
  - What mechanisms should be established to implement the new standard for notification?
  - How can risks of security breaches be mitigated, and at what stages?
  - What are the implications of the notification standards for business associate agreements, particularly with business associates who are agents?
Peter I. Sanborn, Attorney,
Foley & Lardner LLP
Talking Point 1: HIPAA/HITECH’s Reach Has Expanded – Make Sure You Have Identified All Of Your Business Associates
- Health care providers need to carefully review their business operations to make sure they’ve identified all of their BAs and have BAAs in place with them.
- Service providers to healthcare companies need to (1) determine if they qualify as a BA, and (2) identify all of their subcontractors that create, receive, maintain and/or transmit PHI (and are now BAs).
- With the growth of cloud-based service providers in the health care space (30% of health care organizations use cloud technology; 71% are either deploying cloud technology or plan to), it will be increasingly important to determine whether these vendors qualify as BAs under the new rule. Many cloud vendors may be unfamiliar with HIPAA/HITECH. Moreover, many cloud vendors have language in their agreements with respect to use of data (often in de-identified and aggregate forms) that will need to be carefully reviewed to ensure it complies with HIPAA (particularly with respect to cloud vendors who are not exclusively dedicated to the health care space).
- Moving forward, CEs and BAs should consider implementing a process to identify potential BAs during the RFP and/or contracting process. We have worked with some clients to develop checklists and/or forms that the business teams fill out when they identify a new vendor that, among other things, state whether the vendor will have access to sensitive information (PHI, PII, etc.). This allows the legal teams to understand whether the vendor will be a BA before reviewing and negotiating the agreement.
Talking Point 2: Put The Right Paper In Place – Entering Business Associate Agreements; Implementing Updated Policies
- The new rule has two broad implications for business associate agreements. First, regulated entities will likely need to enter BAAs with new entities (as more entities are now considered BAs). Second, CEs and BAs will need to revisit the language in their template BAAs in order to bring it into compliance with the changes implemented by the new rule.
- I am happy to highlight key changes that need to be made to bring existing BAAs into compliance with the new rule (although I suspect this may be a topic that is touched on by all of the panelists). But I would note a few items related to executing new BAAs, particularly with respect to entities that are newly deemed Business Associates:
- The new rule imposes more demanding requirements with respect to security breach notifications. As part of implementing a BAA (or updating an existing one), CEs should make sure they have language that sets tight time frames for reporting breaches, so that the CE has sufficient time to notify patients in compliance with HIPAA/HITECH (which now sets an outer window of 60 days). Likewise, both CEs and BAs will need to have updated policies in place regarding the breach notification process that align with the new rule.
- Business Associate Agreements may address HIPAA/HITECH, but they are not intended to replace other data security/data protection provisions. I’ve heard a lot of vendors argue that as long as the parties have a BAA in place, there is no need for additional data protection provisions in the applicable agreement. That’s almost always NOT the case. Covered Entities likely need to have other provisions in place to address data protection and data security to ensure they are appropriately protected under other federal/state laws and regulations regarding personal information, financial information and other sensitive data.
- The new rule requires changes to CEs’ NPPs. I can walk through specific types of changes that will need to be made. Likewise, CEs should consider changes to patient authorization forms to address some of the new aspects of the rule with respect to marketing, fundraising, etc.
- For new business associates, they’ll need to conduct a risk assessment and develop and implement a written HIPAA Security Plan. This is another area where new business associates – and many CEs — may not understand what’s required under HIPAA/HITECH. Having a BAA in place is required, but it does not take the place of the security plan. A study of Corrective Action Plans by the Workgroup for Electronic Data Interchange (WEDI) found that one of the most common issues noted in CAPs was the failure of the entity to conduct a HIPAA risk analysis (or, as noted by the Director of the OCR, an insufficient analysis).
Talking Point 3: Put the Right Practices In Place – Make Sure Your Policies Are Backed By Good Practices
- Although HIPAA/HITECH always required more than contractual documents and policies for compliance, it is particularly important now for both CEs and BAs to make sure they have solid practices in place that comply with HIPAA/HITECH. These include:
- Having a process in place, with appropriate training, to look for security breaches and specify the appropriate response. I have encountered a number of vendors that push back on data breach notification provisions, particularly with respect to the time frames for providing notice of an incident, which I attribute – at least in part – to the concern by vendors that they simply don’t have robust processes in place to detect and report security incidents. This should be a red flag to CEs. If a vendor is hesitant to agree to firm requirements with respect to data breaches, it may be worth getting the IT experts together in a room to talk about the vendor’s practices and procedures in this area.
- Thinking about the full spectrum of systems/devices that contain and/or access PHI. One of the major gaps identified in the WEDI analysis was in the mobile/portable device area. Many organizations had not performed a risk analysis in this space, did not have adequate safeguards in place, and had not implemented encryption. This is an area that will likely grow in coming years, and CEs need to make sure they have procedures and practices that cover the mobile/portable device space in addition to their traditional IT systems. There has also been a lot of buzz about HHS-imposed fines for a health plan’s failure to delete PHI from its photocopiers before returning them to the leasing company – this is another example of the importance of a thorough review of the IT and systems landscape to understand where PHI resides and what must be done to protect/secure it appropriately.
- Training. This is often overlooked, particularly over the long term. At minimum, CEs and BAs will need to update their training programs and materials to reflect the changes made by the new rule. Equally important is to make sure that employees are sufficiently trained and re-trained to make sure they understand their role with respect to HIPAA/HITECH compliance.
- For CEs and BAs alike, before engaging a vendor that will handle PHI, it is very useful to perform some form of due diligence. This can be done through questionnaires, on-site inspections, security policy reviews, and discussions with the vendor’s security personnel. While it may be tempting to rely on the BAA and other contractual provisions alone, it is important to understand as much as you can about how sophisticated the vendor is with respect to security and data protection. The impact of a breach – both in economic terms and from a brand management perspective – can be significant.
- The new rule allows for individuals to withhold disclosure of their PII in certain instances. This one is easy to overlook, but CEs should talk with their IT teams and vendors to determine whether their current IT systems will permit the CE to withhold PHI under the circumstances set forth in the new rule. If not, the CE needs to implement a process to make sure it complies with these new requirements. Note: I have seen vendors that have taken the position that if there is a change in HIPAA/HITECH or other applicable regulation that requires a change to their software/system, they can pass that cost down to the customer. CEs should be careful in reviewing their IT agreements to look for provisions like this, since they could trigger increased license fees to address regulatory changes such as this one (which could require changes in the technical architecture of a system).
Brian McGovern, Partner,
Cadwalader, Wickersham & Taft LLP
C. Notice of Privacy
- What changes to the Notice of Privacy are required under the Final Rule?
- When and how must health plans and providers distribute the revised Notice of Privacy?
D. Use and Disclosure of PHI under the Final Rule – the “do’s and don’ts” in connection with:
- Sale of PHI
E. Enhanced HIPAA Enforcement
- How does the Final Rule increase the nature and risk of investigations of suspected or reported breaches by HHS’ Office of Civil Rights?
Jennifer J. Daniels, Partner,
Blank Rome LLP
F. Research
- Compound Authorizations
- Future Research Uses
- Sale of PHI
Who Should Attend:
– General Counsel in the life sciences and healthcare industries
– Compliance, Privacy and Data Security Officers
– Biotech/Pharma/Healthcare Attorneys & Advisors
– Life Sciences and Health Care Practice Consultants/Advisors
– Consultants & Clients in the Biotech, Pharmaceutical and Healthcare Industries
– Senior Management
Nancy L. Perkins, counsel at Arnold & Porter LLP in Washington, D.C., advises clients on a wide range of data protection issues at the federal and state levels, as well as on cross-border data privacy and security matters. She has particular expertise with the privacy, security, and data breach notification regulations implementing HIPAA and the HITECH Act, and has worked with clients on their HIPAA/HITECH compliance policies and procedures in a wide range of contexts. Nancy also assists clients in responding to data security breaches, including through notifications to individuals and government authorities, as well as in defending against related litigation. A graduate of Harvard Law School and Harvard College, Nancy is the author of numerous articles on medical data privacy regulation, including: New HIPAA Regulations: What Liability Risks Loom Under the Expanded Business Associate and Breach Notification Provisions (Bloomberg/BNA Health Law Reporter, Feb. 21, 2013).
Peter I. Sanborn is an attorney with Foley & Lardner LLP and a member of the firm’s Information Technology & Outsourcing Practice. Mr. Sanborn’s experience as a corporate lawyer includes information technology and outsourcing transactions, information security, international privacy, and information technology.
Mr. Sanborn has experience with transactions relating to outsourcing and information technology, including cloud computing and software development, technology licensing, IT outsourcing, and business process outsourcing. In addition, his experience encompasses drafting virtually every type of information technology related agreement, including software licenses, information security agreements, master services agreements for IT professional services, and outsourcing. Mr. Sanborn also advises clients on a variety of matters related to compliance with data protection and identity theft regulations.
Mr. Sanborn has also worked on a variety of patent cases and his litigation experience covers products and technologies, including, among other areas, computer software, Internet technologies, electrical technologies, video over IP technology, and antivirus software. He also has experience defending false marking claims, including obtaining orders dismissing false marking allegations.
Brian McGovern is a partner with Cadwalader, Wickersham & Taft LLP in New York. His knowledge and experience span the breadth of legal issues that confront the health care provider community, including counseling providers and managed care plans on all aspects of regulatory and HIPAA compliance and advocating on their behalf in a variety of investigations and litigation involving state and federal health care laws. Previously, Brian served for five and one-half years as an Assistant Attorney General for New York State, where he defended the State in Medicaid reimbursement litigation and other legal challenges to statutes, regulations, and agency actions affecting health care providers.
Jennifer Daniels concentrates her practice on regulatory and general corporate law matters, with a particular focus on privacy and data security issues. She has extensive experience advising clients on developing data privacy and security compliance programs, cross-border data transfers, responding to data security breaches, drafting privacy policies, creating identity theft prevention programs, and complying with federal and state regulatory requirements. Ms. Daniels represents a wide range of clients, including multinational pharmaceutical and device manufacturers, wellness and prevention businesses, mobile application developers, website operators, and electronic medical record providers in connection with privacy and security compliance efforts uniquely impacting their business. This includes regularly counseling clients with respect to their clinical research, marketing and advertising functions, online modules and social networking activities, as well as fulfilling certification for electronic health record technology to the Office of the National Coordinator for Health Information Technology (ONC). Ms. Daniels earned her J.D., cum laude, from the University of Pennsylvania School of Law and received her B.A., magna cum laude, from the University of Rochester.
Please contact Jennifer Daniels at (212) 885-5575 or email@example.com
NASBA Field of Study:
Specialized Knowledge and Applications
About Arnold & Porter LLP
Arnold & Porter LLP (A&P) is an Am Law 100 international law firm providing counsel at the intersection of business, law and regulation. With more than 800 attorneys practicing in more than 30 distinct areas of the law, A&P provides strategic, client-focused and innovative legal services. A&P serves a broad range of clients whose business needs include regulatory, litigation, and transactional services. The firm’s integrated teams of corporate and securities, antitrust, data privacy and security, white collar, national security, litigation, and other practice areas assist clients in navigating the complexities of their businesses both domestically and internationally. A&P’s service offerings include proactive compliance counseling, including in areas of industry-specific regulation, anticipating litigation, mitigating potential liability for criminal and civil actions by federal and state authorities, and litigating at the trial, appellate, and Supreme Court levels.
About Foley & Lardner LLP
With offices throughout the United States and across the globe, Foley & Lardner combines powerful resources and award-winning client services to help its clients achieve their business objectives – efficiently and cost-effectively. Foley & Lardner draws on the legal knowledge and hands-on industry experience of attorneys in more than 60 practice areas to provide the full spectrum of legal services. The firm’s practice areas encompass the full range of corporate legal services, including corporate governance and compliance, securities, mergers and acquisitions, litigation, labor and employment, intellectual property and IP litigation, outsourcing and information technology, and tax, and its interdisciplinary industry teams offer total legal solutions in the airport and aviation, automotive, emerging technologies, energy, food and beverage, health care, hospitality, resort and golf, insurance and reinsurance, life sciences, manufacturing, medical devices, and sports industries. Foley & Lardner has been recognized as one of the elite BTI Client Service 30 for nine of the past 10 years in a survey of Fortune 1000 corporate counsel for delivering exceptional client service. In 2013, Foley was recognized by Chambers USA: America’s Leading Business Lawyers in the areas of health care, banking and finance, bankruptcy and restructuring, construction, corporate/M&A, corporate/M&A and private equity, energy and natural resources, franchising, general commercial litigation, government contracts, insurance, insurance: dispute resolution: reinsurance, intellectual property (IP), IP patent prosecution, IP trademark, copyright, and trade secrets, IT and outsourcing, labor and employment, Latin American investment, life sciences, natural resources and environment, privacy and data security, real estate, real estate zoning and land use, sports law, and white collar crime and government investigations litigation. To learn more about Foley & Lardner LLP please visit: www.foley.com
About Cadwalader, Wickersham & Taft LLP
With talented practitioners in diverse areas affecting the industry – corporate governance, corporate finance, government regulation, Medicare and Medicaid, insolvency and restructuring, labor relations, litigation, risk management, securities, capital markets, and tax – Cadwalader is a leader in health care law.
About Blank Rome LLP
Blank Rome LLP is one of America’s largest law firms. With nearly 500 attorneys serving clients around the globe, Blank Rome is an international law firm representing businesses and organizations ranging from Fortune 500 companies to start-up entities. Blank Rome helps its clients in all aspects of their businesses. The Firm’s practices cover areas including business tax; commercial and corporate litigation; consumer finance; employment, benefits and labor; environmental litigation; financial services; business restructuring and bankruptcy; government relations; intellectual property; maritime, international trade and public contracts; matrimonial; mergers & acquisitions and private equity; product liability, mass torts, insurance; public companies and capital formation; public finance; real estate; trusts and estates; and white collar defense and investigations. Blank Rome also represents pro bono clients in a wide variety of cases and matters. More information about the firm is available at www.BlankRome.com.