HIPAA Fallout: How it is working and what it means for the future
Kirk J. Nahra, Wiley Rein & Fielding LLP, Washington, [email protected]
(IAPP, June 9, 2004)
Topics
• 2003 was a crucial year for HIPAA Administrative Simplification
• Major “trouble spots” on the Privacy Rule
• Summary of other HIPAA rules and key issues
• Hit some of the emerging issues related to the Privacy Rule
Remainder of Pre-Conference
• Issues related to ongoing privacy audits and OCR enforcement investigations
• Issues related to effects from HIPAA on research activities
• Q and A – Ask the Experts on your HIPAA questions
What else is on your mind?
• Other topics for questions or comments?
• Areas to pay particular attention to in the future?
• Biggest waste of time and effort in the privacy rule?
• Biggest over-reactions?
• Areas likely to lead to future litigation?
• Issues most needing additional clarification?
Privacy Rule
• Effective April 14, 2003
• No widespread problems
• Ongoing efforts to comply by virtually everyone
• Still lots of uncertainty, ambiguity and complexity
• Little new HHS guidance
• No “public” enforcement/Lots of complaints
Real World Risks
• No statutory private right of action under HIPAA
• Widespread belief that plaintiffs “will find a way” to sue for HIPAA violations
• Causes of action will not be called “HIPAA” – invasion of privacy, unfair, false and misleading practices, unfair competition, consumer fraud
• State attorneys general/Federal Trade Commission (breach of promises)
• HIPAA creates “standard of care”
Enforcement Changes ahead?
• Voluntary compliance, informal resolution and education remain enforcement focus
• More than 5000 complaints so far (a lot or a little?)
• Criminal and civil enforcement cases are now in the pipeline
• 50 complaints referred to DOJ for criminal investigation
• A new get tough attitude?
Top Complaints
• impermissible use or disclosure of PHI;
• lack of adequate safeguards to prevent such use or disclosure;
• failure to provide access to PHI;
• disclosure of PHI that exceeds the "minimum necessary" standard; and
• failure to provide notice of privacy practices.
Top Targets of Complaints
• private health care providers (doctors);
• general hospitals;
• pharmacies;
• outpatient facilities; and
• group health plans.
Privacy Problem Cases: Houston Hospital case
• Internal Employee
• Sold patient records about accident cases to plaintiff’s lawyers
• High visibility problem
• Potential criminal sanctions
• Illegal before HIPAA
More problems - Subcontractors
• California hospital hired transcription company in Texas, subcontracted to another company in Florida, eventually subcontracted to an individual in Pakistan
• Threatened to release PHI on the Web
• Lots of concerns, increased issues with BAs and subcontracting
• May be a lingering focal point
Friends and Family
• Big area of complaints
• Ongoing tensions in health plans about administrative/business efficiencies versus risk management
• Concerns about “too conservative” approaches leading to “too liberal” positions
• How much risk is acceptable?
• A core question as to whether the Rule works right or not
State and other laws
• Ongoing preemption challenges
• Does anyone understand preemption?
• Start of litigation (Ashcroft/DOJ efforts at medical records)
• Substance abuse regulations
• Isn’t there a better way?
Business associates
• What should you be doing to monitor your business associates?
• Individual rights and business associates
• Termination and business associates
• New BAs/Problem BAs
• Connections with Security Rule
• New off-shore outsourcing concerns
Group Health Plan issues
• Enormous and ongoing customer relations issues
• New confusion with rule now applicable to small groups?
• Can fully insured groups really avoid PHI?
• Likelihood of practical changes in the future?
• Has this kicked in yet?
Mitigation
• A big area of concern
• Rule doesn’t say much, but this is a trouble spot
• How good is your business at finding problems?
• How good is your business at fixing problems?
• Link to BA issues?
• Customer notification requirements
• What kinds of problems have you found so far?
Marketing
• Not an issue to date
• Why not?
• Do people care about this?
• Easing up on conservative approaches?
The Transactions Rule
• Change in enforcement posture (Do new payment rules mean the end of the contingency plans)?
• Will this rule ever work?
• Will anyone ever care?
• Will this become a proxy for other fights?
Security
• Timing – when will you be ready?
• What other rules are pushing you on security (G-L-B, Sarbanes-Oxley, state law, etc.)
• Business associates – what are you going to do about all your BA agreements?
• Monitoring of BAs
New Security Issues
• Higher awareness of security concerns
• More visible problems
• New contract requirements for business associates
• Link to security developments in other areas
• May lead to more questions about BA relationships
Broad Impacts from HIPAA
• Litigation – subpoenas, discovery, etc – lots of people seeking information who do not know or understand the privacy rule
• DOJ and abortion records – current debate on intersection of politics and privacy
More impact
• Research – Difficult rules, not fully understood, ongoing source of confusion, we may not know for a long time how research will be affected – more later
• State vs. Federal law – Interaction of state law and HIPAA is incredibly confusing. Now becoming a political battleground (e.g., California). Should there be one standard?
Impact
• Health care benefits from employers – Rule may shift employers from self-insured plans to fully insured plans, or encourage dropping health care benefits entirely
• Lawyer-Client Relationships (are lawyers required to enter into HIPAA business associate contracts, who negotiates those contracts, how does HIPAA affect attorney-client relationships)
More Impact
• Effects on those outside the covered entities
– Financial Institutions – ongoing debate on potential role as clearinghouses and business associates
– More pressure on business associates – especially related to Security
– Links to other laws, e.g., FACTA
Conclusions
• Lots of details
• No law suits
• Limited enforcement to date
• Still time to work out the kinks
• But don’t think HIPAA is “over”