Protected health info and HIPAA focus of HHS discussion

With 2017 just beginning, covered entities under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) need to be aware of current trends in the realm of protected health information (PHI). In a Health Care Compliance Association webinar titled “What’s New on the HIPAA Front?” Vaniecy Nwigwe and Debbie Campos of HHS Office for Civil Rights presented an overview discussion of PHI designation and authorization, PHI breaches, enforcement matters, and marketing.

The HIPAA Privacy Rule generally requires covered entities, i.e. health plans and most health care providers, to provide individuals, upon request, with access to the PHI about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice, as described in 45 C.F.R. Sec. 164.524(c)(3).

PHI designations

Designation occurs when an individual, exercising the right of access, directs the covered entity to transmit the PHI about the individual directly to another person or entity the individual names. Authorization, by contrast, is the individual's written permission under 45 C.F.R. Sec. 164.508 for the covered entity to disclose PHI to a third party; the third party holding the authorization (or someone acting for it) then asks the covered entity to send the PHI to the recipient it designates, rather than the individual making the request.

The same requirements that govern providing the PHI to the individual, including the fee limitations and the obligation to provide the PHI in the form, format, and manner requested, apply when the individual directs that the PHI be sent to another person.

According to the speakers, the distinction matters because of fees. The fee limitations apply only to requests made under the right of access, including those in which the individual directs the covered entity to send the PHI to another person or entity; they do not apply to disclosures made under an authorization. Under the Privacy Rule, a covered entity may not charge an individual who requests a copy of her PHI more than a reasonable, cost-based fee that covers only certain labor, supply, and postage costs incurred in fulfilling the request.

Breaches

From September 2009 through November 2016, approximately 1,738 breaches of PHI affecting 500 or more individuals were reported. About 60 percent of those breaches originated in theft or loss of devices or records. In addition, more than 58,000 breaches of PHI affecting fewer than 500 individuals were reported during calendar year 2016 alone.

Enforcement

Highlighting HHS' enforcement activity, the speakers noted that 125,445 complaints had been received as of December 31, 2015, and that more than 30,000 cases had been resolved with corrective action or technical assistance. HHS expects to receive about 22,000 complaints in 2017.

As a prime example of a major breach, the speakers pointed to St. Joseph Health, a nonprofit health system whose ePHI was publicly accessible on the internet from February 1, 2011, to February 13, 2012, exposing the records of more than 31,800 individuals. The exposure traced back to a newly purchased server whose file-sharing application was left in its default configuration, which allowed anyone on the internet to reach the files, and the setting was never evaluated before the server went into use. St. Joseph Health agreed to adopt a comprehensive corrective action plan and pay $2.14 million to settle allegations that it violated the HIPAA Privacy and Security Rules (see Health system slammed over searchable internet server, Health Law Daily, October 19, 2016). It also agreed to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on the revised policies and procedures.

Marketing

Generally, a communication about a product or service that encourages its recipients to purchase or use that product or service is marketing. When a covered entity's communication rises to that level, the covered entity must obtain the individual's authorization before using or disclosing PHI for it. A second form of marketing is an arrangement under which a covered entity discloses PHI to another entity, in exchange for direct or indirect remuneration, so that the other entity or its affiliate can communicate about its own product or service in a way that encourages recipients to purchase or use it.