HIPAA Fallout: How it is working and what it means for the future

Kirk J. Nahra
Wiley Rein & Fielding LLP
Washington, D.C.
202.719.7335
[email protected]

(IAPP, June 9, 2004)


Topics

• 2003 was a crucial year for HIPAA Administrative Simplification
• Major “trouble spots” on the Privacy Rule
• Summary of other HIPAA rules and key issues
• Hit some of the emerging issues related to the Privacy Rule

Remainder of Pre-Conference

• Issues related to ongoing privacy audits and OCR enforcement investigations

• Issues related to effects from HIPAA on research activities

• Q and A – Ask the Experts on your HIPAA questions

What else is on your mind?

• Other topics for questions or comments?
• Areas to pay particular attention to in the future?
• Biggest waste of time and effort in the privacy rule?
• Biggest over-reactions?
• Areas likely to lead to future litigation?
• Issues most needing additional clarification?

Privacy Rule

• Effective April 14, 2003
• No widespread problems
• Ongoing efforts to comply by virtually everyone
• Still lots of uncertainty, ambiguity and complexity
• Little new HHS guidance
• No “public” enforcement / lots of complaints

Real World Risks

• No statutory private right of action under HIPAA
• Widespread belief that plaintiffs “will find a way” to sue for HIPAA violations
• Causes of action will not be called “HIPAA” – invasion of privacy, unfair, false and misleading practices, unfair competition, consumer fraud
• State attorneys general / Federal Trade Commission (breach of promises)
• HIPAA creates “standard of care”

Enforcement Changes ahead?

• Voluntary compliance, informal resolution and education remain enforcement focus
• More than 5000 complaints so far (a lot or a little?)
• Criminal and civil enforcement cases are now in the pipeline
• 50 complaints referred to DOJ for criminal investigation
• A new get tough attitude?

Top Complaints

• impermissible use or disclosure of PHI;
• lack of adequate safeguards to prevent such use or disclosure;
• failure to provide access to PHI;
• disclosure of PHI that exceeds the "minimum necessary" standard; and
• failure to provide notice of privacy practices.

Top Targets of Complaints

• private health care providers (doctors);
• general hospitals;
• pharmacies;
• outpatient facilities; and
• group health plans.

Privacy Problem Cases

Houston Hospital case

• Internal employee
• Sold patient records about accident cases to plaintiff’s lawyers
• High visibility problem
• Potential criminal sanctions
• Illegal before HIPAA

More problems - Subcontractors

• California hospital hired transcription company in Texas, subcontracted to another company in Florida, eventually subcontracted to an individual in Pakistan
• Threatened to release PHI on the Web
• Lots of concerns, increased issues with BAs and subcontracting
• May be a lingering focal point

Friends and Family

• Big area of complaints
• Ongoing tensions in health plans about administrative/business efficiencies versus risk management
• Concerns about “too conservative” approaches leading to “too liberal” positions
• How much risk is acceptable?
• A core question as to whether the Rule works right or not

State and other laws

• Ongoing preemption challenges
• Does anyone understand preemption?
• Start of litigation (Ashcroft/DOJ efforts at medical records)
• Substance abuse regulations
• Isn’t there a better way?

Business associates

• What should you be doing to monitor your business associates?
• Individual rights and business associates
• Termination and business associates
• New BAs / Problem BAs
• Connections with Security Rule
• New off-shore outsourcing concerns

Group Health Plan issues

• Enormous and ongoing customer relations issues
• New confusion with rule now applicable to small groups?
• Can fully insured groups really avoid PHI?
• Likelihood of practical changes in the future?
• Has this kicked in yet?

Mitigation

• A big area of concern
• Rule doesn’t say much, but this is a trouble spot
• How good is your business at finding problems?
• How good is your business at fixing problems?
• Link to BA issues?
• Customer notification requirements
• What kinds of problems have you found so far?

Marketing

• Not an issue to date
• Why not?
• Do people care about this?
• Easing up on conservative approaches?

The Transactions Rule

• Change in enforcement posture (Do new payment rules mean the end of the contingency plans?)
• Will this rule ever work?
• Will anyone ever care?
• Will this become a proxy for other fights?

Security

• Timing – when will you be ready?
• What other rules are pushing you on security (G-L-B, Sarbanes-Oxley, state law, etc.)?
• Business associates – what are you going to do about all your BA agreements?
• Monitoring of BAs

New Security Issues

• Higher awareness of security concerns
• More visible problems
• New contract requirements for business associates
• Link to security developments in other areas
• May lead to more questions about BA relationships

Broad Impacts from HIPAA

• Litigation – subpoenas, discovery, etc – lots of people seeking information who do not know or understand the privacy rule

• DOJ and abortion records – current debate on intersection of politics and privacy

More impact

• Research – Difficult rules, not fully understood, ongoing source of confusion, we may not know for a long time how research will be affected – more later

• State vs. Federal law – Interaction of state law and HIPAA is incredibly confusing. Now becoming a political battleground (e.g., California). Should there be one standard?

Impact

• Health care benefits from employers – Rule may shift employers from self-insured plans to fully insured plans, or encourage dropping health care benefits entirely

• Lawyer-Client Relationships (are lawyers required to enter into HIPAA business associate contracts, who negotiates those contracts, how does HIPAA affect attorney-client relationships)

More Impact

• Effects on those outside the covered entities
  – Financial Institutions – ongoing debate on potential role as clearinghouses and business associates
  – More pressure on business associates – especially related to Security
  – Links to other laws, e.g., FACTA

Conclusions

• Lots of details
• No lawsuits
• Limited enforcement to date
• Still time to work out the kinks
• But don’t think HIPAA is “over”

Critical Challenges

• Watching the connections between privacy and security (both regulatory and practical)
• Paying attention to mistakes and complaints
• Paying attention to lawsuits and enforcement
• Making appropriate adjustments to your privacy program