GAO Calls for Improvements to Healthcare.gov Information Security and Privacy Controls

The Government Accountability Office (GAO) has assessed the effectiveness of CMS controls intended to protect the security and privacy of the information and information technology (IT) systems used to support Healthcare.gov. The GAO determined that while CMS has taken steps to protect Healthcare.gov security and privacy, “weaknesses remain both in the processes used for managing information security and privacy as well as the technical implementation of IT security controls.” The GAO warns that until such weaknesses are fully addressed, risks remain with regard to unauthorized access, disclosure, or modification of the information collected and maintained by Healthcare.gov and related systems, along with potential disruption of services. The GAO made a series of recommendations to implement security and privacy management controls related to Healthcare.gov. For details, see the full report, “Healthcare.gov: Actions Needed to Address Weaknesses in Information Security and Privacy Controls.”

HHS OCR Releases HIPAA Privacy Rule Guidance Documents

As reported on our sister blog, http://www.lifescienceslegalupdate.com/, the HHS Office for Civil Rights (OCR) has made a number of recent announcements regarding HIPAA Privacy Rule implementation. First, OCR has issued guidance on how the changes to the HIPAA Privacy Rule’s marketing provisions under the Health Information Technology for Economic and Clinical Health (HITECH) Act and the January 25, 2013 “Omnibus Rule” apply to refill reminders and other communications about current prescriptions for drugs or biologics.  Second, OCR has delayed until further notice enforcement of the requirement that certain HIPAA-covered laboratories revise their notices of privacy practices to comply with the Omnibus Rule. Third, OCR has released resources to assist law enforcement and emergency planners when addressing information-sharing that may be subject to the HIPAA Privacy Rule.  Finally, OCR has released model Notices of Privacy Practices that health care providers and health plans may use to communicate with their patients and plan members about their privacy practices and their patients’ privacy rights with respect to their personal health information.

Congressional Health Policy Hearings

Recent Congressional hearings on health policy issues include the following:

  • A House Energy and Commerce Health Subcommittee hearing entitled “PPACA Pulse Check: Part 2,” focusing on ACA readiness and implementation issues (Part 1 of the hearing was held on August 1, 2013). 
  • A House Homeland Security Cybersecurity Subcommittee hearing on “The Threat to Americans’ Personal Information: A Look into the Security and Reliability of the Health Exchange Data Hub.”
  • A Senate Health, Education, Labor and Pensions Committee hearing on the “Dental Crisis in America: The Need to Address Cost.” 

HHS Considering HIPAA Privacy Rule Amendments to Allow Reporting of Mental Health Data to National Instant Criminal Background Check System

HHS is soliciting comments on whether to amend the HIPAA Privacy Rule to expressly permit covered entities holding information about the identities of individuals who are disqualified from possessing or receiving firearms on mental health grounds to disclose limited information to the National Instant Criminal Background Check System. Comments on the rule will be accepted until June 7, 2013. Additional information about the notice is available on Reed Smith’s Life Sciences Legal Update blog.

It's Here: OCR Releases Long Awaited HIPAA/HITECH Final Rule

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

The Office for Civil Rights (“OCR”) of the Department of Health and Human Services released today the long awaited, and much anticipated, omnibus final rule modifying the HIPAA Privacy, Security, Breach and Enforcement Rules.  The final rule, which implements the statutory requirements of the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Nondiscrimination Act (“GINA”), is comprised of four final rules and addresses the July 2010 HITECH proposed rule, the Breach Notification and Enforcement interim final rules, as well as the October 2009 GINA proposed rule (collectively, the “HITECH Final Rule”).  Notably, the HITECH Final Rule does not address the May 2011 proposed accounting and access report rule.

Noteworthy provisions of the HITECH Final Rule include:

  • Making Business Associates directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules;
  • Converting subcontractors of Business Associates that create, receive, maintain, or transmit PHI on behalf of the Business Associate into Business Associates themselves;
  • Requiring authorizations for all treatment and health care operations communications where the Covered Entity receives financial remuneration for making the communications from a third party whose product or service is being marketed;
  • Replacing the Breach Notification Rule’s “harm” threshold with a presumption that an impermissible use or disclosure of PHI is a Breach unless the Covered Entity or Business Associate demonstrates that there is a low probability that the PHI has been compromised; and
  • Mandating compliance by Covered Entities and Business Associates with applicable requirements by September 23, 2013.

We are in the process of conducting a full review of the HITECH Final Rule and will release shortly a Client Alert providing a detailed analysis of the Rule.  In the meantime, please contact Brad M. Rostolsky (215-851-8195 or brostolsky@reedsmith.com), Nancy E. Bonifant (202-414-9353 or nbonifant@reedsmith.com), Salvatore G. Rotella, Jr. (215-851-8123 or srotella@reedsmith.com), or any other member of the Reed Smith Health Care Group with whom you work, if you would like additional information or if you have any questions.

Obama Administration's Regulatory Agenda Points to Busy 2013 for HHS

On January 8, 2013, the Obama Administration published its latest semiannual regulatory agenda, outlining planned regulatory initiatives in a number of policy areas. The Federal Register version of the agenda includes only a portion of the regulations in the pipeline, however; the full agenda has been posted on the Office of Management and Budget (OMB) web site. Major Department of Health and Human Services (HHS) regulations are highlighted below.

  • An HHS Office of Inspector General (OIG) proposed rule that would add new/modify existing safe harbors under the anti-kickback statute; add new/revise existing regulations governing OIG's authority to impose civil money penalties and assessments; add new/revise existing regulations governing OIG's exclusion authority; and codify new exceptions to the beneficiary inducement prohibition (expected July 2013);
  • A final Centers for Medicare & Medicaid Services (CMS) rule implementing Affordable Care Act (ACA) provisions related to Medicaid reimbursement for covered outpatient drugs (expected in August 2013);
  • A CMS proposed rule to establish Medicare payment safeguards to prevent providers and suppliers that do not meet Medicare requirements from remaining enrolled in or submitting claims to Medicare (expected May 2013);
  • Proposed emergency preparedness requirements for Medicare and Medicaid participating providers and suppliers (expected in July 2013);
  • A final CMS rule establishing requirements for disclosure of skilled nursing facilities' ownership (expected May 2013);
  • A final rule on long-term care facility agreements with hospice agencies (expected October 2013);
  • A proposed rule to establish a prospective payment system for Federally Qualified Health Centers (expected June 2013);
  • Annual Medicare payment update rules (various dates);
  • Various rules implementing insurance-related provisions of the ACA (various dates);
  • A final rule modifying HIPAA privacy, security, enforcement, and breach notification rules (expected but not released in December 2012);
  • An advance notice of proposed rulemaking to establish a methodology allowing an individual harmed by an offense punishable under HIPAA to receive a percentage of any civil money penalty or monetary settlement collected (expected March 2013);
  • A final rule to enhance human subjects research protections (expected April 2013); and
  • A Food and Drug Administration (FDA) final rule establishing a unique device identification system for medical devices (expected May 2013).

There are also some surprises on the Administration’s list of “long-term actions” – including the long-overdue final ACA “Sunshine Act” rule requiring applicable manufacturers of drugs, devices, biologicals, or medical supplies to annually report certain payments to physicians or teaching hospitals (“final action” listed as December 2014). Other long-term actions include a final rule implementing ACA requirements related to reporting and returning of overpayments (February 2015); a variety of rules dealing with the 340B discount drug program (timing listed as “to be determined”); and a final HIPAA privacy rule on accounting for disclosures under the Health Information Technology for Economic and Clinical Health Act (TBD).

OCR Announces First HIPAA Breach Settlement Involving Less than 500 Individuals

The HHS Office for Civil Rights recently announced its first settlement and corrective action plan following a HIPAA breach affecting fewer than 500 individuals. Additional information about the settlement is available on Reed Smith’s Life Sciences Legal Update blog.

Awaiting the Final HITECH Rule: HURRY UP AND WAIT!

As the year draws to a close, industry is speculating about the release date of the long-awaited Health Information Technology for Economic and Clinical Health Act (“HITECH”) final rule, which is expected to address modifications to the Privacy, Security, Enforcement, and Breach Notification Rules. While the publication date has not yet been announced, it is important for Covered Entities and Business Associates to be prepared for the upcoming changes. A more detailed analysis is available on our sister blog, Life Sciences Legal Update.

OCR Issues Guidance on De-identifying Protected Health Information

The HHS Office for Civil Rights (OCR) recently released guidance on methods to de-identify protected health information in compliance with the HIPAA Privacy Rule. The guidance, which is summarized on Reed Smith’s Life Sciences Legal Update blog, is intended to assist covered entities and business associates in understanding what de-identification is and how de-identified information is created.

ONC Invites Comments on Stage 3 Meaningful Use Policy

The Office of the National Coordinator for Health Information Technology (ONC) has issued a Request for Comment (RFC) on Stage 3 meaningful use recommendations, which will “target a collaborative model of care with shared responsibility and accountability.” In releasing the RFC, the ONC acknowledges “today’s challenges in setting up data exchanges,” but suggests that Stage 3, which takes effect in 2016, represents “the time to begin to transition from a setting-specific focus to a collaborative, patient- and family- centric approach.” The 37-page RFC highlights three broad areas: Meaningful Use Objectives and Measures; Quality Measures; and Privacy and Security.  The comment deadline is January 14, 2013.  After the comment period, the ONC Health Information Technology Policy Committee intends to hold public meetings on development of the Stage 3 policy.

OIG Recommends Improvements to CMS Response to Health Information Breaches

The OIG has given CMS mixed reviews regarding the extent to which it meets American Recovery and Reinvestment Act (Recovery Act) requirements to notify affected beneficiaries when the privacy or security of their protected health information is compromised. In the report, “CMS Response to Breaches and Medical Identity Theft,” the OIG assesses how CMS responded to 14 breaches of protected health information requiring notification under the Recovery Act between September 23, 2009 and December 31, 2011. While CMS notified the 13,775 Medicare beneficiaries affected by the breaches, the OIG concluded that in some cases the agency did not meet all Recovery Act requirements. For instance, in half the cases, CMS did not meet the 60-day deadline for notification, and in some cases the notifications were missing required information. The OIG discusses progress CMS has made in developing a compromised provider/supplier number database for contractors, but the OIG found that contractors do not consistently develop edits to stop payments on compromised numbers. The OIG recommends that CMS take a series of steps to ensure that breach notifications meet Recovery Act requirements, including improving the use of the compromised number database and developing a method to ensure that beneficiaries who are victims of medical identity theft retain access to services.

GAO Examines HHS Action on Privacy and Security of Prescription Drug Data

The GAO has issued a report entitled “Prescription Drug Data: HHS Has Issued Health Privacy and Security Regulations but Needs to Improve Guidance and Oversight.” The report assesses the extent to which HHS has established a framework to ensure the privacy and security of Medicare beneficiaries’ protected health information when data on prescription drug use are used for purposes other than direct clinical care. According to the GAO, while HHS has issued regulations (including HIPAA Privacy and Security Rules) to safeguard protected health information from unauthorized use and disclosure, the Department has not issued all required guidance or fully implemented required oversight capabilities. For instance, the GAO notes that HHS has not issued required implementation guidance to assist entities in de-identifying personal health information, including when it is used for purposes other than directly providing clinical care to an individual. The GAO also found that HHS does not have plans for establishing a sustained capacity to audit covered entities’ compliance with HHS privacy and security requirements. GAO therefore recommends that HHS issue de-identification guidance and establish a plan for a sustained audit capability; HHS generally agreed with the recommendations. 

HHS Resources on Patient Access to Health Data

The HHS Office of Civil Rights has released a number of resources to reinforce an individual’s right to access their personal medical information, including:  a Right to Access Memo, "The Right to Access and Correct Your Health Information" Video, and "Your Health Information Privacy Rights" Pamphlet.  The OCR notes that while HIPAA has always included a right to access medical information, "many consumers have faced barriers in getting their health information.”

New ONC Health IT Resources

The HHS Office of the National Coordinator for Health Information Technology (ONC) has released a “Guide to Privacy and Security of Health Information,” which is designed to help practitioners, staff, and other professionals better understand the role privacy and security play in the use of electronic health records (EHRs) and Meaningful Use. In addition, the ONC has announced the launch of its “Health IT Dashboard,” a compilation of information about ONC strategy, health care innovation grants programs, and data on adoption of health information technology.

Mobile Devices Roundtable: Safeguarding Health Information (March 16)

On March 16, 2012, HHS is hosting a Mobile Devices Roundtable on “Real World Usages and Real World Privacy & Security Practices."  The roundtable will: address the current privacy and security legal framework for mobile devices accessing, storing and/or transmitting health information; discuss real world usage of mobile devices by providers and other health care professionals to understand their expectations and challenges; gather input regarding the information and format providers need to help them safeguard health information on their mobile devices; and gather input on privacy and security good practices, strategies, and technologies for safeguarding data on mobile devices. 

OCR Launches HIPAA Privacy and Security Audits

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

To implement the HITECH Act's mandate for the HHS Office for Civil Rights (OCR) to perform HIPAA audits, OCR has just announced that it is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance. The pilot phase will include an initial 20 audits between November 2011 and April 2012, with the remaining audits scheduled to conclude by December 2012. In the pilot phase, OCR plans to audit covered individual and organizational providers of health services, health plans, and health care clearinghouses; business associates will be included in future audits. During the pilot, every audit will include a document production and onsite visit, and will result in an audit report. OCR will notify a selected covered entity in writing and request documentation of the covered entity’s privacy and security compliance efforts. The covered entity must comply within 10 business days. OCR expects to notify selected covered entities between 30 and 90 days prior to the anticipated onsite visit. Onsite visits may take between three and 10 business days. After fieldwork is completed, the auditor will provide the covered entity with a draft final report. Selected covered entities will then have 10 business days to review the report and provide written comments to the auditor. The auditor will complete a final audit report within 30 business days after the covered entity’s response and submit it to OCR. Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem. Significantly, OCR will not post a listing of audited entities or the findings of an individual audit that clearly identifies the audited entity.

Congressional Health Policy Hearings & Markups

A number of Congressional committees have held hearings recently on health policy issues, including the following:

A number of additional hearings and markups have been scheduled, including:

CMS Proposes Direct Patient Access to Lab Results

On September 14, 2011, the Centers for Medicare & Medicaid Services (CMS) published a proposed rule amending the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to give patients (and patients' representatives) direct access to the patient’s own clinical laboratory test result reports. Specifically, the rule would provide that, upon a patient’s request, the laboratory would be required to provide access to completed test reports that, using the laboratory’s authentication process, can be identified as belonging to that patient. By amending the Privacy Rule, CMS would also preempt contrary state laws governing a patient’s direct access to lab result reports. Comments will be accepted through November 14, 2011, and CMS expects to publish a final rule responding to comments later this year.

Final Federal Health IT Strategic Plan

The HHS Office of the National Coordinator for Health Information Technology (ONC) has released the final “Federal Health IT Strategic Plan.” The plan describes how the government will promote the meaningful use of health information technology (IT); use IT to improve care and population health while reducing costs; protect the privacy and security of electronic health information; empower individuals with access to their electronic health information; and use health IT to improve knowledge about health care across populations.

OIG Reports on the Security of Electronic Patient Health Information

The OIG has released two reports on health information technology (HIT) security issues. The first report is entitled “Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight.” Based on that review, which involved seven hospital audits, the OIG concluded that CMS’s oversight and enforcement actions were not sufficient to ensure that covered entities effectively implemented the HIPAA Security Rule. Since CMS had limited assurance that controls were protecting electronic protected health information (ePHI), the confidentiality, integrity, and availability of ePHI were at risk. The OIG recommended that the HHS Office for Civil Rights (OCR) continue to conduct compliance reviews to ensure that Security Rule controls are in place and operating as intended to protect ePHI at covered entities. A second OIG review, “Audit of Information Technology Security Included in Health Information Technology Standards,” concluded that the HHS ONC has not adopted HIT standards that include general information security controls (that is, the structure, policies, and procedures that apply to an entity's overall computer operations, ensure the proper operation of information systems, and create a secure environment for application systems and controls). The OIG recommended that ONC (1) address general IT security controls for supporting systems, networks, and infrastructures; (2) provide guidance to the health industry on established general IT security standards and best practices; (3) emphasize to the medical community the importance of general IT security; and (4) coordinate within HHS to add general IT security controls where applicable.