HIPAA Challenges Ahead in Mining PatientCentric Data 1

HIPAA Challenges Ahead in Mining Patient-Centric Data 1 Kristen B. Rosati Coppersmith Schermer & Brockelman, PLC PRISM Forum SIG on Clinical Informatics October 19, 2010

Agenda A bit of background Upcoming prohibition on “sale” of protected health information (PHI) New restrictions on using or disclosing PHI for marketing Changes in research authorizations Upcoming guidance on de-identification

An Overview of the HITECH Act American Recovery and Reinvestment Act of 2009 (ARRA) -- Division A, Title XIII and Division B, Title IV: Health Information Technology for Economic and Clinical Health Act (HITECH Act) Medicare and Medicaid payment incentives for adoption of electronic health records by hospitals and physicians Grant funding and loans to support health information technology (HIT) and health information exchange (HIE) Changes to the HIPAA Privacy and Security Rules

Privacy and Security in a HITECH World Key privacy and security elements in the HITECH Act Created new HIPAA privacy requirements Applied most HIPAA Privacy and Security Rules directly to business associates Established mandatory breach reporting for covered entities and their business associates Established new civil and criminal penalties for noncompliance and expands enforcement authority to the states Proposed amendments to the HIPAA Privacy Rule to implement the HITECH Act: 75 Fed. Reg. at 40868 (July 14, 2010)

Enforcement in a HITECH World Establishes new civil and criminal penalties for noncompliance Applies criminal penalties to individuals who without authorization obtain or disclose individually identifiable health information that is maintained by a covered entity (enforceable on 2/18/10) Increases amount of civil penalties from $100 per violation and a total of $25, 000 per year, to a tiered penalty system that can go to $50, 000 per violation and total penalties of up to $1, 500, 000 per year Gives State Attorneys General authority to bring civil action to enjoin a violation, seek statutory damages for individuals and obtain attorneys fees

No Sale of PHI 6 Current rule: CE may receive payment for a disclosure of PHI where that disclosure is permitted by the regulations (such as for health care operations or research) HITECH Act prohibits indirect or direct receipt of remuneration in exchange for a disclosure of PHI without the individual’s authorization (with exceptions) Proposed rule would prohibit indirect or direct remuneration in exchange for a disclosure of PHI without authorization (with exceptions on the next slide) [HITECH Act § 13405(d); Proposed 45 CFR § 164. 508]

No Sale of PHI-- Exceptions 7 For public health purposes For research, “where the only remuneration received by the covered entity is a reasonable cost-based fee to cover the cost to prepare and transmit” the PHI For treatment and payment For the sale, transfer, merger or consolidation of the covered entity and related due diligence To or by a business associate to perform activities for the covered entity, where “the only remuneration provided is by the covered entity to the business associate for the performance of such activities” To an individual for access or accounting Where required by law to disclose PHI Where the only remuneration received is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI, or a fee is otherwise expressly permitted by another law [Proposed 45 CFR § 164. 508]

Marketing 8 Current rule: “marketing” is “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service” except: “To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of or enhancements to a health plan; and healthrelated products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; For treatment of the individual; or For case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual”

Marketing 9 HITECH Act prohibits covered entity’s receipt of direct or indirect payment for any communication permitted on the previous slide, except where: The communication is regarding a drug currently prescribed for the recipient and such payment is “reasonable”; The communication is made by a business associate on behalf of the covered entity, and is consistent with business associate agreement; or The covered entity obtains a valid authorization [HITECH Act § 13406]

Marketing 10 Proposed rule: Marketing does not include communications “[f]or treatment of an individual by a health care provider, including case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual, provided, however, that if the communication is in writing and the health care provider receives financial remuneration in exchange for making the communication, the requirements of § 164. 514(f)(2) are met. ” Financial remuneration: “direct or indirect payment from or on behalf of a third party whose product or service is being described, ” not including payment for treatment [Proposed 45 CFR § 164. 501]

Marketing 11 § 164. 514(f)(2): If a health care provider will receive payment for making treatment communications, the health care provider must: Amend its Notice of Privacy Practices to explain that the provider receives financial remuneration in exchange for making such communications, and that the individual has the right to opt-out of receiving such communications Must disclose in the communication itself the fact that the provider is receiving financial remuneration in exchange for making the communication, and must provide the individual with a “clear and conspicuous opportunity to elect not to receive further such communications” • Opt-out cannot impose undue burden

Marketing 12 Proposed rule continued: Permits refill reminders paid for by third parties, if drug is currently prescribed, if the payment is reasonable related to the costs Permits the following communication unless the CE receives “financial remuneration” in exchange for making the communications: “(A) To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; or (B) For case management or care coordination, contacting of individuals with information about treatment alternatives, and related functions to the extent these activities do not fall within the definition of treatment. ”

Research Authorizations 13 Proposed rule: Would permit “compound authorizations” in research, that combine authorization for a clinical trial and authorization to contribute PHI to a research repository, as long as the form provides the individual with an opportunity opt-in to the research repository [Proposed 45 CFR § 164. 508(b)] Solicits comments on changing the present OCR interpretation that an authorization may not seek permission for use of PHI in future, unspecified research

Current HIPAA De-Identification Rule 14 HIPAA does not regulate de-identified information Current rule on de-identification: Remove or code all HIPAA identifiers; or Have a qualified statistician document that there is a statistically “very small” risk that information could be used to identify a participant (despite the presence of identifiers)

HIPAA “Identifiers” 15 Name; Street address, city, county, precinct, or zip code (unless only the first three digits of the zip code are used and the area has more than 20, 000 residents); The month and day of dates directly related to an individual, such as birth date, admission date, discharge date, dates of service, or date of death; Age if over 89 (unless aggregated into a single category of age 90 and older); Telephone numbers; Fax numbers; Email addresses; Social security numbers; Medical record numbers; Health plan beneficiary numbers; Account numbers; Certificate/license numbers; Vehicle identifiers, serial numbers, and license plate numbers; Device identifiers and serial numbers; Web Universal Resource Locators (URLs) and Internet Protocol (IP) addresses; Biometric identifiers, such as fingerprints Full-face photographs and any comparable images; or Any other unique identifying number, characteristic, or code.

Treatment of De-Identified Information 16 HITECH Act requires HHS to issue guidance on methods for de- identification of PHI OCR solicited stakeholder input from experts with practical technical and policy experience to inform the creation of guidance materials, and collected views regarding deidentification approaches, best practices for implementation and management of the current de-identification standard and potential changes to address policy concerns March 2010 2 -day conference on de-identification – see http: //www. hhs. gov/ocr/privacy/hipaa/understanding/coverede ntities/De-identification/deidentificationworkshop 2010. html

Questions? 17 Kristen B. Rosati Coppersmith Schermer & Brockelman PLC 2800 North Central Avenue, Suite 1200 Phoenix, Arizona 85004 tel (602) 381 -5464/fax (602) 772 -3764 Email: krosati@csblaw. com www. csblaw. com