The Federal Government Issues New Rules Increasing Pharmacies' Obligation to Protect Patient Information

The U.S. Department of Health and Human Services (HHS) issued new rules (Final Rule) established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), implementing some of the most sweeping changes to HIPAA since its inception fifteen years ago. The Final Rule requires every healthcare provider (Covered Entity), which includes pharmacies, to modify its current compliance program and revise its agreements with the entities with which it conducts business. It also compels HHS to increase its monitoring of Covered Entities and to exact significant financial penalties upon those that do not comply with HIPAA.

Some of the more significant changes include:

  • Increased rights for patients and their families to access medical records
  • Business associates are directly regulated by HIPAA
  • Business associate agreements must be revised to incorporate new provisions required by Final Rule
  • All Covered Entities, including pharmacies, must revise their “Notice of Privacy Practices” and redistribute it to their patients
  • Revised requirements for Covered Entities that experience a “Breach” of patient information
  • Increase in HHS authority to investigate and sanction Covered Entities that fail to comply with HIPAA
  • Increased fines for Covered Entities that fail to comply with HIPAA, up to $50,000 per occurrence and $1,500,000 annually
  • New restrictions on the use of patient information for marketing, fundraising, research, and reporting to insurers

This is a non-exhaustive list of the changes most applicable to pharmacies, as well as to medical practices and other health care providers. The Final Rule also reaches individuals and entities not previously affected by HIPAA, such as subcontractors of business associates. Covered entities should contact us for assistance in assessing the state of their current compliance plans and the actions necessary for them to come into compliance with the Final Rule.

Pharmacies create, use, transmit, and maintain a significant amount of protected health information (PHI), in both electronic and hard-copy format. The magnitude of PHI involved in pharmacy operations, combined with enhanced enforcement under the Final Rule, should cause pharmacies to seriously examine and update their HIPAA compliance plans. Pharmacies, as well as all other Covered Entities, must create new business associate agreements and amend existing ones.

Below are some of the most significant changes required by the Final Rule:

  1. Patient access to PHI
    HIPAA has always required covered entities to provide timely access to PHI upon a request by the patient. Under the Final Rule, a covered entity must provide PHI within 30 days of receipt of a request for PHI from the patient or the patient’s agent. The covered entity may extend the 30-day time limit once, by not more than 30 days, for good cause, and by providing the patient with a written explanation of the reason for the delay.
    The Final Rule now requires that covered entities provide “an electronic copy” of PHI if requested by the patient or in “the electronic form and format requested by the individual.” If the covered entity cannot accommodate the patient’s request, it must provide the PHI in a readable electronic format agreed upon by the covered entity and the patient.
    The Final Rule also expands the list of family members that may request PHI on behalf of the patient.
  2. Direct regulation of business associates
    Revisions to HIPAA necessitated by HITECH require business associates to comply with many provisions of HIPAA, including §§164.308 (compliance reviews), 164.310 (responsibilities), 164.312 (Secretary’s actions regarding complaints), and § 164.316 (refraining from intimidation or retaliation), in the same manner as these requirements apply to covered entities. Business associates are also civilly and criminally liable for violations of HIPAA, in the same manner as a covered entity. These changes nullify the ability of business associates to avoid HIPAA compliance responsibilities while concomitantly subjecting them to the same liabilities as a covered entity. In the past, the business associate’s liability was limited to its contractual obligations to the covered entity; now the business associate has both a contractual obligation to the covered entity and a direct legal obligation enforceable by HHS. It is now prudent for business associates to develop policies and procedures to comport with the Final Rule.
  3. Changes to business associate agreements
    The Final Rule requires that covered entities enter into a contract (Business Associate Agreement or BAA) with all of their business associates that assures the business associates will comply with all of the applicable provisions of HIPAA, and also assures that any of the business associate’s subcontractors shall also comply with the applicable provisions of HIPAA. In addition to requiring all new BAAs to comply with the Final Rule, the covered entity must revise all of its existing BAAs to comply with this section. Pharmacies generally have a myriad of Business Associates, including billing providers, PSAOs, technology providers, data aggregators, and document storage and destruction companies, with all of which the pharmacy must have compliant BAAs.
  4. Requirement of business associates to have written agreements with subcontractors
    For the first time, certain HIPAA regulations are now extended to “Subcontractors” of a business associate. Subcontractors are downstream entities that work at the direction of, or on behalf of, a business associate, and utilize PHI provided by the business associate. The Final Rule requires HIPAA compliance by the Subcontractor in the same manner as the primary business associate, and creates similar liabilities. The business associate must now have a written agreement (similar to the BAA) with each and every Subcontractor with which the business associate shares PHI. For example, a management company provides an entire suite of services on behalf of a covered entity. The management company subcontracts a billing company to process patient claims, so the management company must now have a contract with the billing company requiring the billing company to comply with HIPAA.
  5. Required modification to, and redistribution of, notice of privacy practices
    §164.520, Notice of privacy practices for PHI, has been extensively revised. This section is likely one of the most well-known to covered entities, as it sets forth the content of the notice of privacy practices (NPP) that every patient receives from the covered entity. A detailed examination of all of the modifications required to the NPP is beyond the scope of this article, but one of the most important requirements is that the NPP advise the patient of the covered entity’s obligation to notify the patient of a breach of unsecured PHI. Covered entities will need to revise their NPP, reissue it, and distribute it to the covered entity’s patients. Pharmacies that mail prescriptions face unique challenges not generally encountered by other health providers. Since many mail-order customers never transact with the “bricks-and-mortar” pharmacy, posting the NPP in the pharmacy or hand-delivering the NPP at the point of service is not a practical means of communication, and the mail-order customer requires unique attention. Pharmacies can post the NPP on their websites and direct patients to the website. However, this must be complemented with a means of sending the NPP to patients who do not have access to the internet.
  6. Breach notification
    The Final Rule amends and clarifies some of the elements of the breach notification requirement. The most significant change is the inclusion in the rule of a methodology by which a covered entity can determine whether a “Breach” has occurred. Previously, HIPAA required the covered entity to assess the “risk of harm” to the individual whose PHI was disclosed in determining whether a breach occurred. This approach proved problematic for many as it required a subjective assessment of how an individual may or may not have been affected. The revised methodology utilizes four factors to consider when assessing “the probability” that the PHI has been compromised. The four factors are: (i) the nature and extent of the PHI; (ii) the unauthorized person who used the PHI or to whom the disclosure was made; (iii) whether the PHI was actually acquired or viewed; and (iv) the extent to which the risk to the PHI has been mitigated.
  7. Increased investigations by HHS
    Prior to the implementation of the Final Rule, HHS had significant discretion in investigating complaints. For most of the past 15 years, HHS was less than “aggressive” in its enforcement of HIPAA. A recent uptick in HHS enforcement activity, along with the new provisions in the Final Rule, will likely result in a significant increase in enforcement activity, particularly in the context of breach notification. The Final Rule provides that “[t]he Secretary (of HHS) will investigate any complaint filed under this section when a preliminary review of the facts indicates a possible violation due to willful neglect.” (Emphasis added) The same section goes on to provide that “[a]n investigation under this section may include a review of the pertinent policies, procedures, or practices of the covered entity or business associate and of the circumstances regarding any violation.” Additional provisions require HHS to conduct compliance reviews of covered entities and business associates to determine compliance with HIPAA where willful neglect is suspected.
  8. Civil money penalties; tiered penalty structure
    Historically, only covered entities were subject to civil money penalties. The liability of a business associate was merely a private matter, embedded in a contract claim and codified in a well-drafted business associate agreement, where the business associate would indemnify the covered entity for a harm caused by the business associate. Now, HHS can impose civil money penalties directly on a business associate. Prior to HITECH, HHS could impose civil money penalties of not more than $100 for each violation, with the total amount imposed on a covered entity for all violations of an identical requirement or prohibition during a calendar year of not more than $25,000. HITECH established a tiered penalty structure based on the culpability or the “Mens Rea” of the covered entity relative to a violation of HIPAA. The tiered structure incorporates a range of fines, from $100 to $50,000 per occurrence, with a $1,500,000 annual limit, depending on whether the violation was due to a reasonable cause or willful neglect and whether the violation was remediated within 30 days of the occurrence. Other factors considered when determining civil money penalties include: (i) the nature of the violation; (ii) the extent of the harm; (iii) the history of previous compliance issues; and (iv) miscellaneous factors such as the size, sophistication, and financial position of the covered entity. This entire provision is also applicable to business associates.
  9. Restrictions on use and disclosure of PHI
    The Final Rule places new restrictions on the sale of PHI, the use of PHI for marketing and fundraising, and the disclosure of genetic information, and provides for new consent requirements related to PHI used for research. The Final Rule also provides that patients who pay for prescriptions or other goods or services with cash can prevent the covered entity from disclosing information about their treatment to their health insurers.
  10. Compliance dates
    The Final Rule was issued as of January 25, 2013, and most elements take effect March 26, 2013; covered entities and business associates have 180 days to comply with most of the newly modified provisions. Therefore, full compliance is required by September 23, 2013, except for the provisions dealing with BAAs. The deadlines for compliance related to the BAA are as follows: (i) any BAA created after January 25, 2013 must be compliant with the Final Rule; (ii) any BAA entered into prior to January 25, 2013 that is renewed or revised must be compliant with the Final Rule; and (iii) all BAAs must be amended to be compliant with the Final Rule by September 22, 2014.

This summary of the Final Rule reflects only some of the most significant changes in the over 500 pages issued by HHS. Covered entities such as pharmacies must, at a minimum, review and revise existing HIPAA compliance plans and update staff on the changes. Although the Final Rule allows covered entities ample time to revise BAAs, it is in their best interest to effect these changes as soon as possible. Business associates are well advised to develop HIPAA plans and immediately have contracts drafted with their subcontractors to protect the business associates, should a subcontractor violate HIPAA. In addition, individuals and entities that have previously been beyond the reach of HIPAA should review their business operations to determine if they are handling PHI and are therefore now within the reach of HIPAA. Many businesses likely do not even realize that they are handling PHI or are within the jurisdiction of this federal law, and as mentioned above, pharmacies by the very nature of their function use and handle PHI daily. Finally, every individual and entity that transmits PHI via electronic methods should review their policies and practices, as the penalties for non-compliance are potentially severe.

If you have questions regarding HIPAA, contact Frier Levitt to speak to one of our attorneys.