That toe-tapping you hear is the sound of healthcare compliance officers growing impatient over the long delay in finalizing changes to the Health Insurance Portability and Accountability Act's (HIPAA) privacy and security rules.

The pending rules date back to February 2009, when Congress enacted the HITECH Act in response to the growing reliance on IT systems in healthcare and the increasing number of data breaches of sensitive patient information. More than four years later, many of those HIPAA modifications, packaged together, have yet to be finalized and put into practice.

The HIPAA Omnibus Rule, formally known as “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules,” is a package of numerous privacy-related rule changes. Chief among them, potentially, is a provision that would lower or eliminate the “harm threshold” used to determine when a healthcare provider is required to report data breaches. Another change could require “business associates” and sub-contractors to abide by some of the same requirements as the covered entities they work with, including encryption standards for patient data that may pass into their hands. The proposed rule would make them liable for unintended disclosures.

Last March, it looked as though progress was being made as the federal Office for Civil Rights (OCR), which oversees HIPAA regulations as part of the Department of Health and Human Services (HHS), finally sent proposed final rules to the Office of Management and Budget (OMB) for review and approval. That process, normally 90 days, has now stretched into several months with no sign of progress and no issuance of an expected timeline. Assurances that final rules would be issued by the end of last summer proved hollow.

The delay has confounded many in the healthcare industry. “I can't give any explanation for why it has taken so long,” says Kirk Nahra, an attorney who specializes in healthcare privacy and information security for the law firm Wiley Rein. “It really is astonishing at this point.”

He adds that the delay is all the more befuddling because the final rule is “overwhelmingly clerical” in nature. “It is a regulation implementing a statute, but the statute didn't just create a rule, it explicitly said, ‘Here's what the rule needs to say.’ It is impossible at this point to explain the delay except that it just isn't a priority.”

“We are all in the dark as to why it continues to take so long, and we are not hearing OCR talk about any particular time frame,” says Adam Greene, a partner with the law firm Davis Wright Tremaine.

Asked if there was a timeline to report, an HHS/OCR spokesperson described it as "sooner rather than later," but added, "we do not have a date to share at this time."

To be sure, the OMB has been busy with a flood of new rules filtering through its review process as a result of the Dodd-Frank Act, not to mention the work the office has been doing on legislation related to solving the fiscal cliff crisis.

No matter the reason, the delay has been frustrating and costly for many. “In 2009, business associates were essentially told, as a result of the passage of HITECH Act, that they would be statutorily liable, but that they ought to hold off on doing anything because regulations would be coming to tell them what was needed,” says Lisa Sotto, who heads the law firm Hunton & Williams' privacy and data security practice. “So, there has been this purgatory period. Some of the really diligent business associates got to work right away to comply with the HIPAA security rule that was drafted. They have been penalized for spending significant time and money complying with a rule that would not be enforced for another four years and counting.”

“The biggest impact of things like this HIPAA security rule are actually going to be on companies that don't think of themselves as being in the healthcare industry, they just happen to have clients in the healthcare industry.”

—Kirk Nahra, Lawyer, Wiley Rein

Because of the delay, most of these companies are now scuttling any effort to get ahead of the forthcoming requirements. Their attitude, Sotto says: “I'll do what I need to do, but give me the rules of the road.”

Many of the requirements in the HIPAA Omnibus Rule won't present much of a challenge to healthcare providers, as many only tweak or clarify existing or expected rules. The HITECH law, for instance, provided greater clarity regarding prohibitions on the sale and marketing of protected patient information. Another rule prohibits the use of genetic information for insurance underwriting.

A HIPAA modification that calls for “business associates and sub-contractors” to comply with HIPAA requirements is decidedly more controversial. A big, unanswered question is the breadth of which companies fall under those definitions. While a document-shredding vendor hired by a hospital, for example, is an obvious business to include, and past guidance has exempted janitors who might have incidental exposure to patient data, other vendors may not get that degree of clarity.

“The reach is potentially enormous if it is going to apply to everybody downstream from a company that contracts with the hospital,” Nahra says. “If you are three tiers downstream and you aren't really in the healthcare industry, I don't think you even know about this.”

An accounting firm hired by the hospital knows it is working for the hospital, Nahra explains. But if an accounting firm is hired by an IT company for its audit, and that firm has no idea who the IT firm's clients are, but one of them turns out to be a hospital and there is patient information involved, then all of a sudden the obligation flows down to the accounting firm.

The fact that final rules have been delayed so long will increasingly prove problematic when drafting contracts. “Many covered entities have been in a holding pattern with respect to not wanting to revisit their business associate agreements until they know what needs to be done under the Omnibus Rule,” Greene says.

HITECH EXPLAINED

The following is taken from a Sept. 2012 client advisory authored by Kirk Nahra of the law firm Wiley Rein.

Marketing

One of the key “new” provisions of the HITECH statute involved marketing and the desire of Congress to preclude marketing that involves “remuneration.”

While written in a convoluted manner, the statute appeared to alter the existing marketing provisions of HIPAA by imposing a new restriction in situations where the previous rule permitted individual information to be used or disclosed in connection with marketing. Under HITECH, if the entity received “direct or indirect remuneration” for the marketing, now an authorization would be required.

This statutory provision cried out for a regulatory interpretation, primarily as to the meaning of “direct or indirect” remuneration. However, the proposed regulation did little to clarify the statutory terms. The language of the final rule will be important to significant segments of the health care industry (including pharmaceuticals and wellness programs), by defining the scope of these new limitations.

Sale

The HITECH law also included similar language about the “sale” of protected health information. As with the marketing provisions, while HHS “clarified” some exceptions to this prohibition, it did not address some of the statutory ambiguities. While there is little blatant sale of information that is permitted today, consistent with the current rules, this provision does have an impact on certain practices that involve cooperative treatment efforts, research and other adjacent activities to core treatment and payment actions. Again, to the extent that HHS clarifies or expands on this language, this provision will have an important impact on a wide range of health care activities.

Source: Wiley Rein.

“The reality for a sophisticated hospital is that they have hundreds, if not thousands, of business associates they work with,” Nahra says. “You are asking someone else to comply and that becomes a point of tension. Service providers are saying they will do it when they have to, but they are not going to agree in advance.”

Breach Notification

The final version of the rule, whenever it arrives, could also clarify when breaches must be reported to patients.

Greene explains that after HHS issued an interim final breach notification rule that included a harm threshold, some members of Congress were adamant that it be removed, as legislators had considered and rejected a harm threshold when enacting the HITECH Act.

“You can ask any hospital in California [which requires all breaches to be reported] how much of a nightmare it is to notify patients of every breach, regardless of whether there is actual harm,” he says.

Greene adds that reporting every breach could create reputational risk for healthcare providers and also diminish the impact of notification. “If people are receiving notices from healthcare providers every week, the ones they really need to take action on are going to be harder to distinguish.”

“It is completely absurd to have this barrage of notifications,” Sotto says. The upshot of the rules, no matter how delayed they may continue to be, is that those in the healthcare industry, and their business associates, need to “think harder and more creatively about how to prevent breaches from happening in the first place.”

“Training is certainly helpful because so many of these result from human error,” she adds. “Malicious breaches seem to be occurring more and more, so it is important to make sure you have automated processes in place to try to prevent them, and then also having human back-up to check things like logs to make sure there are not anomalies in the system.”