Rachel V. Rose, JD, MBA, principal at Rachel V. Rose – Attorney at Law, PLLC (Houston, Texas) recently presented the webinar “HIPAA Celebrates 25 Years – A Synopsis of the Law’s Evolution.” Rachel returned to answer many commonly asked questions from the webinar.
Enacted August 21, 1996, the Health Insurance Portability and Accountability Act (HIPAA) made significant changes to various facets of healthcare and employment law. Although most people are familiar with HIPAA’s requirements related to protecting the privacy and security of protected health information (PHI), HIPAA also impacted the continuation of healthcare coverage for group health plans by amending COBRA (Section 421e), promoted the use of medical savings accounts, and gave more “teeth” to efforts to combat healthcare fraud.
Twenty-five years later, here are some relevant questions and answers to consider as the privacy and security of PHI continue to evolve.
How might the May 12, 2021 Executive Order impact the pending revisions to the Privacy Rule?
The Executive Order reinforces what the past four Administrations have espoused – the United States is vulnerable to cyberattacks and it will take a collaborative effort between the public and private sectors to ensure that the U.S. Government and private persons are protected. This Executive Order goes a step further to highlight the importance of prevention, detection, and correction in order to remediate the risks of cybersecurity incidents.
As the U.S. Department of Health and Human Services sets forth, “[t]he proposed changes to the HIPAA Privacy Rule include strengthening individuals’ rights to access their own health information, including electronic information; … while continuing to protect individuals’ health information privacy interests.” In order to achieve protection, it is imperative that the requisite technical, administrative, and physical safeguards are in place, as adequate security is the first line of defense in protecting privacy. This is where the interplay between the Executive Order and the Privacy Rule’s pending changes emerges. HHS is still considering the comments received during the comment period, which ended on May 6, 2021. This is an area to watch.
What are ways that organizations can legally implement information blocking?
The concept of “information blocking” is relevant to achieving the balance of system security and providing patients access to their medical records. The first step is to read the ONC Final Rule and the related CMS Final Rule, which relate to the 21st Century Cures Act of 2016 and were published in the Federal Register in May 2020.
Section 4004 of the Cures Act provides the general prohibition against the following forms of information blocking as well as eight exceptions. The following practices most likely constitute information blocking:
- Practices that restrict authorized access, exchange, or use under applicable state or federal law of such information for treatment and other permitted purposes under such applicable law, including transitions between certified health information technologies (health IT).
- Implementing health IT in nonstandard ways that are likely to substantially increase the complexity or burden of accessing, exchanging, or using EHI.
- Implementing health IT in ways that are likely to: (a) Restrict the access, exchange, or use of EHI with respect to exporting complete information sets or in transitioning between health IT systems; or (b) lead to fraud, waste, or abuse, or impede innovations and advancements in health information access, exchange, and use, including care delivery enabled by health IT.
The way to legally implement information blocking is to take the following steps: (1) ascertain whether the action falls under Section 4004 of the Cures Act; (2) if the action does meet the definition of information blocking, see whether one of the eight (8) exceptions applies; (3) if one of the eight exceptions applies, notify the patient that his/her information cannot be delivered to the requested app or in the requested format, so it will be delivered via encrypted email; and (4) make sure that policies and procedures, as well as the Notice of Privacy Practices, are up to date.
What are the best five ways to mitigate risk of non-compliance with HIPAA?
One of my favorite questions. I advise my clients to have their business associates or subcontractors sign an attestation in order to ascertain reasonable assurances or include these five specific items in the business associate agreement because HHS has identified them as “low hanging fruit” –
- Annual risk analysis
- Annual workforce training
- Policies and Procedures
- Business Associate Agreements
- Encryption of data at rest and in transit
These five items enable a person to ascertain reasonable assurances that another person is acting in accordance with the law, as well as to mitigate its own risk.
How should organizations incorporate HR 7898?
HR 7898, signed into law on January 5, 2021, defines “recognized security practices” and amends the HITECH Act. HR 7898 should be incorporated into the annual risk analysis and policies and procedures because it essentially creates a safe harbor, so long as the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that may—
- (1) mitigate fines under section 1176 of the Social Security Act (as amended by section 13410);
- (2) result in the early, favorable termination of an audit under section 13411; and
- (3) mitigate the remedies that would otherwise be agreed to in any agreement with respect to resolving potential violations of the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title) between the covered entity or business associate and the Department of Health and Human Services.
For more information, please see an article that I wrote on this topic.
What are two items that anyone should remember before paying ransom in the event of a ransomware attack?
The two items to remember have been articulated by various federal government enforcement agencies, including the FBI: (1) contact the FBI and HHS; and (2) paying ransom does not guarantee that you will get the data back, but it could prompt cybercriminals to make additional requests.
Rachel V. Rose, JD, MBA, is a principal at Rachel V. Rose – Attorney at Law, PLLC (Houston, Texas).
Ms. Rose has a unique background, having worked in many different facets of healthcare, securities, cybersecurity, as well as international law and business throughout her career. Her practice focuses on a variety of cybersecurity, health care and securities law issues related to industry compliance and transactional work, as well as representing plaintiffs in Dodd-Frank/False Claims Act whistleblower claims.
In addition to being extensively published and a sought-after presenter and quoted expert, Ms. Rose holds an MBA with minors in healthcare and entrepreneurship from Vanderbilt University, and a law degree from Stetson University College of Law, where she graduated with various honors, including the National Scribes Award and The William F. Blews Pro Bono Service Award.
Ms. Rose is licensed in Texas and is a Fellow of the Federal Bar Association. Currently, she is the Chair of the Federal Bar Association’s Government Relations Committee, a board member of the Federal Bar Association’s Qui Tam Section, the co-editor of the American Health Lawyers Association’s Enterprise Risk Management Handbook for Healthcare Entities (2nd Edition), as well as a co-author of the books The ABCs of ACOs and What Are International HIPAA Considerations?
She has been named consecutively to the Texas Bar College, the National Women Trial Lawyers Association’s Top 25 and Houstonia Magazine’s Top Lawyers for healthcare. In 2019, she was also named to the National Trial Lawyers Association’s Top 100, as well as 1st Healthcare Compliance’s 2019 Top Presenter. Ms. Rose is also an Affiliated Member with the Baylor College of Medicine’s Center for Medical Ethics and Health Policy, where she teaches bioethics. See www.rvrose.com for additional information.
Federal Court Admissions: Supreme Court of the United States, DC, SDTX, NDTX, EDTX and WDTX.
Be sure to view a recording of this webinar here and don’t miss our many other expert webinars, podcasts, and blogs with Rachel here. Take a look at our book: HIPAA Privacy and Security, and our online compliance training courses such as What is HIPAA?, and HIPAA Business Associate Agreements Under HITECH.