A lot is happening in the health care world, with the implications of health care reform leading the list. What can we expect to see as the major developments in health care privacy and security in 2010?
The HITECH Era Begins
At the top of the list is the commencement of the Health Information Technology for Economic and Clinical Health (HITECH) Act era, in February 2010, with implementation of most of the new changes required by the Act. The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) is still promising additional regulatory guidance to help explain some of the more confusing or ambiguous provisions of the law. For many companies, such guidance may be too little, too late, especially for the companies that were hoping that OCR would provide guidance on the new requirements for business associate contracts.
So, covered entities are moving, some more quickly than others, to revise their overall Health Insurance Portability and Accountability Act (HIPAA) compliance plans to meet these new requirements. At the same time, the business associate community now must comply with not only many of the core provisions of the HIPAA Privacy Rule, but also the very challenging overall requirements of the HIPAA Security Rule. Many business associates seem to remain unaware of these requirements, particularly those for whom health care clients represent only a modest proportion of their overall business. Will these "partial" business associates (for example, an accounting firm whose services to health care clients amount to 10% of its overall business) be held to the same standards as a company whose sole or primary function is to provide services to the health care industry (such as a pharmacy benefits manager or third-party administrator)? In any event, we can expect to see a flurry of business associate contracting over the next few months, along with significant activity by business associates as they realize the full extent of their new HIPAA/HITECH obligations. Business associates of all stripes need to be aware of this new reality—all are subject to the full range of HIPAA laws, and will need to expand their compliance efforts accordingly, and quickly.
Will We See Significant New Enforcement?
The other primary effect in February will be the full impact of the new enforcement provisions of the HITECH Act. While (as HHS made clear in its interim final regulation) the new penalty provisions are in effect for current violations of the existing rules, February brings new opportunities for broader enforcement, both in terms of the new HITECH provisions and the new breach regulations, and affecting the entire business associate community (which had not previously faced any enforcement risks). Additionally, state Attorneys General across the country now have the ability to enforce their own versions of the HIPAA rules. Will we actually see more enforcement? And will HHS continue its overall approach of reasonableness, or will it move more aggressively to bring significant enforcement actions against those who violate these rules?
While the health care industry certainly should anticipate more enforcement of the HIPAA rules (if only because there has essentially been none to date), a seismic shift in overall enforcement approach is not likely. While there certainly have been situations (both in this author's experience and in various public reports) wherein HHS enforcement appeared unfair or inconsistent with the HIPAA provisions, HHS has, in almost all situations, been reasonable in how it has investigated and concluded its enforcement activities. It has appeared to recognize that the HIPAA rules contain confusing elements, which will certainly be exacerbated by some of the HITECH provisions. Moreover, HHS has appeared to understand the difference between unintentional or innocent violations and egregious efforts to bypass HIPAA requirements. Clearly, there will be ongoing efforts to pursue individuals and their employers where health care information is used inappropriately (e.g., health care fraud, identity theft, sale of information to others). There may even be increased enforcement in situations involving no obvious harm, but where a violation clearly occurred (such as the "snooping only" prosecution that was initiated recently). Nonetheless, while we can expect more enforcement, companies still will benefit from conscientious efforts to meet the requirements of the HIPAA and HITECH rules, as HHS has demonstrated a significant willingness to factor a company's compliance efforts into the overall resolution of its enforcement initiatives. We can expect this policy to continue even though HHS now has significantly more enforcement tools available to it.
How Will Breach Reporting Change?
Closely related to the question of overall enforcement is how the health care industry will deal with the new security breach notification regulation. This regulation—which went into effect in September 2009—dramatically alters the landscape for reporting of security breaches. While the HHS regulation clarified that the HITECH Act incorporated a notification threshold of a "significant risk of harm" to individuals whose information is subject to a breach, many questions remain open about how security breaches will be reported. In addition, while HHS provided an interim period wherein there would be no penalties issued for violations of this regulation, that period ends in February, coinciding with the arrival of compliance duties concerning the remaining portions of the HITECH Act. Moreover, because the HHS regulation itself is an interim regulation, HHS has, essentially, provided the health care industry with a five-month opportunity to prove its bona fides in connection with breach reporting. If HHS is not satisfied with the results, it has the opportunity to revise the regulation. The health care industry needs to be aware of the tenuous nature of this interim regulation, and must undertake to responsibly report breaches where there is a legitimate reason for reporting.
Accordingly, the health care industry needs to focus substantial attention on issues related to security breaches—both in terms of how best to prevent them in the first place, and also on the investigation, assessment and notification obligations that will result when a breach does occur. Issues related to security breaches have become the single biggest focus of attention in the health care privacy and security debate; breaches are where public attention is centered, where the media and regulators pay the most attention, and where enforcement efforts have been concentrated. Now, with the individual notification and various "public confession" elements of notification imposed by the rule, breaches will receive even more prominence in the public debate. Therefore, it is critical that covered entities and their business associates take significant steps to enhance their overall security for protected health information and take careful and conscientious steps to evaluate breaches and provide notification in appropriate situations. We can expect to see lots of discussion and debate about these issues over the next few months, and to see initial steps by HHS to respond to public (and nonpublic) reports of breaches.
How Will the "Meaningful Use" Principles Affect Privacy and Security?
With all of the focus on the privacy and security implications of the HITECH Act and the impending effective date for these new requirements, many in the health care industry have almost forgotten that the driving force behind these HITECH changes was the new incentives provided to doctors and hospitals to implement electronic health records systems. (This may be because these incentives apply to only small portions of the health care industry, and because the privacy and security changes essentially have nothing to do with these incentives, despite the links asserted by Congress—will Congress and HHS recognize that there may be other significant types of health care providers who also should be receiving "incentives" to move towards electronic health records?) But there are also important impending steps in the movement towards electronic health records, starting with the issuance of the "meaningful use" regulations by HHS, setting forth both the conditions for obtaining the financial incentives and the new standards that will be required across the health care industry for electronic health records in the future. These standards likely will generate extensive debate; moreover, they may be the first step in ascertaining whether we will be able to achieve the three-pronged goals of implementation of electronic health records for the purposes of cost savings, enhanced patient safety and improved health care quality.
"De-identification" and Research Issues
On a broader policy level, we also will see developments in the ongoing debate about some of the potential public benefits of health care information. On the one hand, there is significant ongoing discussion about whether there is a need to re-evaluate the HIPAA standards for "de-identification" of personal health information. This information is used widely for many purposes; some (such as research) are generally lauded and others (for example, those in connection with various marketing activities) receive more criticism. (This debate has even extended to the "privacy" interests of doctors in connection with their own prescribing habits, as several state laws and perhaps even federal legislation will restrict or prevent the use of prescriber data for marketing purposes by pharmaceutical companies, even where no identifiable patient data is used.) The question is whether technological improvements and numerous additional sources of data make this idea of "de-identification" less viable, because it may, in fact, be too easy to "re-identify" information in certain situations.
At the same time, there also is a substantial debate about the public benefits of research for the health care community, and whether the current privacy rules create undue impediments to effective research. The possibilities presented by electronic health records and various forms of health information exchanges exacerbate these issues. These exchanges may maintain substantial volumes of incredibly useful data for research purposes; will the rules for these exchanges allow these benefits to be achieved?
We will be watching both of these issues in 2010, with an eye toward both practical and regulatory/legislative efforts.
The HHS Studies
Beyond the HITECH requirements, Congress also wrestled with making a far more extensive set of changes to the overall HIPAA environment. In rejecting various proposals that had been incorporated into some of the preceding legislation, Congress ultimately directed HHS and the Government Accountability Office to "study" many of these controversial issues. These studies will begin to be released in 2010. We will be watching to see if these studies lead to new potential legislation, or whether the concerns raised in earlier versions of the HITECH Act have been reduced or eliminated by other developments. Specifically, in the HITECH legislation, HHS was directed to issue a variety of studies or guidance that will play a role in the next generation of privacy regulations or legislation. These include studies or guidance related to:
- What constitutes "minimum necessary" under HIPAA;
- Privacy and security requirements for entities that are not covered entities or business associates, including requirements relating to security, privacy and notification in the case of a breach of security or that should be applied to: (i) vendors of personal health records; (ii) entities that offer products or services through the website of a vendor of personal health records; (iii) entities that are not covered entities and that offer products or services through the websites of covered entities that offer individuals' personal health records; (iv) entities that are not covered entities and that access information in a personal health record or send information to a personal health record; and (v) third-party service providers used by a vendor or other entity described above to assist in providing personal health record products or services;
- The definition of "psychotherapy notes" with regard to including test data that is related to direct responses or other materials that are part of a mental health evaluation;
- Recommendations for a methodology under which an individual who is harmed by an act that constitutes an offense may receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense;
- The best practices related to the disclosure among health care providers of protected health information of an individual for purposes of treatment of such individual; and
- Guidance on how best to implement the requirements for the de-identification of protected health information.
So, in 2010, the health care industry will face a substantial set of challenges—new privacy and security rules, for both the industry and its vendors, a significant new notification provision relating to security breaches and the expectation of significant new enforcement of these rules. At the same time, the industry will be dealing with the fallout from health care reform and a set of new studies and guidance that may lead to a second wave of new changes. It should be an interesting year for privacy and security in the health care industry.