OCR issues new HITECH regulations

Legal Compliance Ned Milenkovich, PharmD, JD

The Office for Civil Rights (OCR) at HHS issued a final rule on January 17, 2013, implementing various provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The final rule revises the Privacy, Security and Enforcement Rules that were previously issued under HIPAA and the interim final Breach Notification Rule that was previously issued in accordance with the HITECH Act.

Background

On February 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009, which included the HITECH Act. The HITECH Act provided incentives for the use of electronic health records and expanded the obligations of covered entities (such as pharmacies) and their business associates to safeguard protected health information (PHI).

The HIPAA Privacy and Security Rules allow pharmacies to interact with business associates regarding PHI, subject to the terms of a business associate agreement between the parties. Prior to the HITECH Act, business associates had contractual obligations to maintain the privacy and security of PHI but were not subject to sanctions for failure to comply with the law. The HITECH Act also strengthened HIPAA penalties and enforcement mechanisms, and required periodic audits to ensure compliance with the Privacy and Security Rules.

Expansion of obligations

The final rule implements the HITECH Act’s expansion of business associates’ HIPAA obligations by applying the Security and Privacy Rules directly to business associates (and their subcontractors) and by subjecting both to civil and criminal penalties for HIPAA violations.

Breach notification rule

The final rule will broaden the breach notification obligations of covered entities and business associates by modifying the definition of “breach” and the risk assessment process. Under a new approach, a use or disclosure of PHI that is not permitted under the Privacy Rule is presumed to be a “breach,” unless the covered entity or business associate demonstrates a low probability that PHI has been compromised, based on a risk assessment of several factors.

Other provisions

The final rule addresses a long list of other issues, including but not limited to:

• Requiring a covered entity to agree to an individual’s request restricting disclosure of PHI when the health plan does not pay for the item or service;

• Prohibiting the sale of PHI without authorization, and conditioning a covered entity to receive remuneration for disclosing PHI;

• Allowing individuals to obtain a copy of PHI in an electronic format if the covered entity uses an electronic health record;

• Clarifying that covered entities are allowed to send ePHI to individuals in unencrypted e-mails only after notifying the individual of the risk;

• Prohibiting health plans from using or disclosing genetic information for underwriting;

• Allowing disclosure of proof of immunization to schools if the parent or guardian, or the individual agrees.

Effective and compliance dates

The final rule takes effect on March 26, 2013, having a general compliance date of September 23, 2013, with some exceptions. If certain conditions are met, the final rule allows additional time to revise business associate agreements to bring them into compliance with the HITECH requirements.

Implications

Covered entities and business associates should review their policies and procedures, and their business associate agreements prior to the September 23, 2013 compliance date, so they can identify and implement changes necessary to comply with the final rule. In addition, appropriate training should be provided to covered entity and business associate personnel prior to the compliance date.   

This article is not intended as legal advice and should not be used as such. When legal questions arise, pharmacists should consult with attorneys familiar with the relevant drug and pharmacy laws.

Ned Milenkovich is a member at McDonald Hopkins, LLC, and chairs its drug and pharmacy practice group. He is also Vice-Chairman of the Illinois State Board of Pharmacy. Contact Ned at 312-642-1480 or at nmilenkovich@mcdonaldhopkins.com.