Life Science Compliance Update

May 19, 2016

The Importance of Being Private – OCR Intensifies Enforcement Efforts

The Department of Health and Human Services' Office of Civil Rights is stepping up its enforcement efforts. Phase 2 of its HIPAA compliance audit program has begun, and most covered entities and business associates are potential candidates. Also, first quarter civil penalties for privacy and security violations have reached nearly $5.5 million. This article will provide insight on the audits to be conducted and lessons furnished by the settlements to help companies determine how best to evaluate and adjust their compliance programs.

The Department of Health and Human Services is stepping up its privacy enforcement efforts. HHS Office of Civil Rights announced in March the launch of Phase 2 of its program to audit the HIPAA compliance programs of both covered entities and business associates. Phase 1 of the program, launched in 2011 and 2012, was a pilot and involved only 115 covered entities. Although HHS's Office for Civil Rights has released no statement regarding the details of the targets of the program, OCR's deputy director of health information privacy, Deven McGraw, said in an interview in March that the

The full text of this article is available in the May 2016 Issue of Life Science Compliance Update


March 30, 2016

New HIPAA Audits Announced

After many years of anticipation, the Office of Civil Rights (OCR) launched a new round of audits to gauge compliance with patient privacy provisions under the Health Insurance Portability and Accountability Act (HIPAA). These audits are intended to determine whether or not healthcare organizations and their contractors are in compliance with HIPAA. If organizations and contractors are not in compliance, OCR hopes that the audits will trigger a reaction, allow it to get in front of potential problems, and better direct guidance to address issues that affect the confidentiality and security of protected health information (PHI).

The launch came with little fanfare, starting with emails to "covered entities" (i.e., healthcare providers, insurance plans, and clearinghouses) and to business associates that may handle patient information on behalf of those entities. The emails ask them to verify contact information, which, once verified, will lead to receipt of a "pre-audit questionnaire" seeking details on their business size, business type, and operations. If an entity or associate does not respond to the "pre-audit questionnaire," OCR will use publicly available information about the entity in creating the audit pool. An entity that fails to respond to OCR may still be selected for an audit or subject to a compliance review.

Once OCR receives the audit questionnaires back, it will create a pool of audit targets that represents a range of covered entities and business associates. According to OCR, the wider the range of audit candidates, the better idea OCR will have of HIPAA compliance across the industry.

The audits will take place in several rounds: desk audits (focused on document review) make up the majority of the audits and will take place in two rounds. The first round will focus on covered entities and the second round will focus on their business associates. The desk audits are expected to be completed by December 2016. The third round of audits is reserved for on-site audits, which will begin later in the year. Additionally, undergoing a desk audit does not exempt an entity from a potential on-site audit. HHS will cover the cost of the on-site auditor; neither covered entities nor their business associates are responsible for the costs of the audit program.

Desk Audits

Entities that are selected for a desk audit will be informed via email and will be asked to provide documents and other data. The desk audit will focus on compliance with particular provisions of the HIPAA Privacy, Security, and Breach Notification Rules, such as risk analyses, notices of privacy requests, and response to requests for PHI access. Those subjected to an audit will be given ten days to submit the requested information to OCR through a portal. Once OCR receives the documents, it will review them and develop draft findings, which will then be shared with the audited entity, allowing ten business days for an entity response. The written entity response will be included in the final audit report, which will also be shared with the entity.

On-Site Audits

An on-site audit is also preceded by an email, and will take place over three to five days, depending on the size of the entity. On-site audits will be more comprehensive and have a broader focus on HIPAA requirements. Entities subject to an on-site audit will also have ten business days to review the draft findings and provide written responsive comments to the auditor. A final report will then be shared with the audited entity.

What Comes After the Audit

Following an audit, if any serious issues were uncovered, an OCR compliance review may be done. Even though OCR will not post a list of audited entities, nor will it post the findings of an individual audit that clearly identifies the audited entity, audit notification letters and other audit information may be discoverable under the Freedom of Information Act (FOIA).

Generally, OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective action would be the most helpful. OCR will also use information gleaned from the audits to develop tools and guidance to assist the industry in compliance self-evaluation, preventing further breaches.


November 05, 2013

HITECH HIPAA Restrictions on Refill Reminders and Patient Communications

In late January of this year, we reported that the U.S. Department of Health & Human Services (HHS) issued four final rules, combined to create an omnibus final rule addressing several aspects of patient privacy under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The rules were combined (563 pages) to "reduce the impact and number of times certain compliance activities need to be undertaken by regulated entities."

HHS' Office of Civil Rights (OCR), which implements HIPAA and its related provisions, recently estimated that healthcare organizations will spend 32.8 million hours complying with the modified HIPAA omnibus rule. The bulk of that time, 30.655 million hours, will involve the dissemination and acknowledgement of privacy practices at provider offices.

Recently, OCR issued model Notice of Privacy Practices for health care providers and health plans, which can be accessed here. The model concisely reflects the regulatory changes of the Final Rule. Specifically, it highlights

  • the patient's right to an electronic copy of her medical record (if the practice uses an electronic health record),
  • the patient's right to restrict disclosure to her health insurer for out-of-pocket payments made in full, and
  • the written authorization required for marketing and sale of protected health information (PHI).

The model is available in four formats (booklet, layered, full page, and text only) and can be easily customized for distribution to patients and display on the practice's website.

OCR has also issued samples of business associate agreements and the American Medical Association (AMA) has issued HIPAA resources.

First Amendment Challenge to Omnibus Rule

In response to this final rule, Adheris, Inc. has filed a complaint (and accompanying memorandum) seeking injunctive and declaratory relief to prohibit HHS from enforcing provisions of the final rule as they pertain to certain paid marketing communications, as reported by the FDA Law Blog.

At issue is whether Adheris can continue to communicate refill and adherence reminders and whether HHS' rule violates the First Amendment.

The final rule went into effect on September 23rd, 2013.

As explained by the FDA Law Blog, "Adheris's core business model involves sending reminders to customers of participating pharmacies to refill their existing prescriptions before their refills are due, and also preparing and sending letters that encourage customers to adhere to their prescribed treatment regimens. The letters the company sends include 'educational information about the medication, safety information, positive reinforcement to stay on therapy, and a direction to follow the treating physician's advice.'

Adheris's complaint states its services have a 'verifiably significant impact on the percentage of patients still complying with their prescribed regimens at the end of a program period,' and, therefore, improve patient health. Although pharmaceutical companies are the sponsors of these refill reminders and adherence messages, Adheris does not disclose protected health information to pharmaceutical manufacturers. According to the complaint, Adheris derived total revenues of $49 million from these services in 2012."

In addition to this lawsuit, Pharmalot reported that InVentiv Health filed a similar lawsuit, challenging the final rule as violating free speech rights with respect to refill reminders. "This rule undermines a valuable extension of a physician's treatment that promotes patient health, helps save lives and reduces healthcare costs, all of which are in the public interest and consistent with the objectives of the Affordable Care Act," says InVentiv Health general counsel Eric Sherbet in a statement. "It is a misguided regulation and one that impinges on our right to speech that serves a significant public health interest."

HHS' Final Rule

The blog post explains that prior to the HITECH Act, which became law on February 17, 2009, "pharmaceutical companies could hire pharmacies and pharmacy chains to remind patients to refill their prescriptions, or recommend switching to alternative therapies. These types of communications were considered treatment communications and did not require a written authorization from the patient to comply with HIPAA."

Congress called these types of communications "health care operations" (a separate category under HIPAA) without addressing treatment communications. Consequently, HHS' final rule seeks "to implement the HITECH Act and requires patient authorization before using protected health information to direct any paid communication recommending a product or service to the patient, regardless of whether the purpose of the communication is treatment or health care operations," according to the post.

One exception provided for in the final rule "is that refill reminders, adherence communications, and other communications to patients with current prescriptions for that drug do not require authorization if the payment received by the covered entity" is "reasonably related to the covered entity's cost of making the communication." HHS explained that this means that a covered entity cannot profit from the communication.

"If the covered entity receives a financial incentive beyond its cost, it must obtain the patient's authorization. Because, as the complaint states, Adheris's service-related expenses far exceed its permissible remuneration, Adheris's business is threatened by the rule."

However, several days after the lawsuit was filed, the FDA Law Blog reported that HHS filed a joint motion requesting the suspension of Adheris's motion for a preliminary injunction seeking to prohibit HHS from enforcing its final rule restricting certain paid marketing communications.

HHS informed the court that it intends to issue guidance pertaining "to the final remuneration that would be considered 'reasonable' for providing refill reminders or other communications about a drug or biologic currently being prescribed to an individual." HHS stated that it expects to issue such guidance by September 23, 2013.

In addition, HHS announced that it decided "not to enforce the restrictions on remuneration refill reminders and other communications about drugs and biologics (as set forth in 45 C.F.R. § 164.501) for a period of 45 days . . . or until November 7, 2013." 

Additionally, OCR announced that it will delay its enforcement of the new requirement that "certain HIPAA-covered laboratories revise their notices of privacy practices (NPPs)."

This Enforcement Delay applies to HIPAA-covered laboratories that are subject to CLIA (i.e., CLIA-certified) or exempt from CLIA (i.e., CLIA-exempt) and that are not required to provide an individual with access to his or her laboratory test reports under § 164.524 of the HIPAA Privacy Rule because the information is subject to the exceptions to the right of access at § 164.524(a)(1)(iii)(A) or (B).  The Enforcement Delay does not apply to laboratories that operate as part of a larger legal entity, such as a hospital, and by virtue of that relationship, do not have their own, laboratory-specific, NPPs.


HHS OCR Refill Guidance

Consequently, OCR released guidance regarding the refill reminders. A summary of the guidance was written and edited for the American Health Lawyers Association (AHLA) by Mary Bearden and Allison Shelton of the law firm Brown & Fortunato PC, in Amarillo, Texas.

On September 19, the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services (HHS) released guidance entitled, "The HIPAA Privacy Rule and Refill Reminders and Other Communications about a Drug or Biologic Currently Prescribed for the Individual" (Guidance). This Guidance concerns the new definition of "marketing" adopted in the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule.

OCR's Guidance breaks down the elements of the refill-reminder exception and provides clarification on several scenarios that are potentially affected by the exception.

Under the Guidance, OCR will permit payment "up to the fair market value of [the] services" to qualify as reasonable financial remuneration and to, therefore, fall within the exception for refill reminders in the case of Adheris. In the Guidance, OCR discusses:

  1. payments from a third party to a covered entity for refill reminders;
  2. payments from a covered entity to a business associate when a third party directly or indirectly covers the payments to the business associate; and
  3. payments from a covered entity to a business associate when no third party is involved.

In the first case, the third party may only cover the direct and indirect costs related to the refill reminder. For example, the third party may pay reasonable costs related to labor, supplies, materials, overhead, and capital expenditures.

In the second case, when a business associate receives remuneration directly or indirectly from the third party, the third party may pay fair market value for the business associate's services as would be the case under Adheris' business model.

Finally, in the third case, the exception for refill reminders will not limit the financial remuneration that the covered entity may pay the business associate because no third party is involved.

Even though OCR's interpretation concerning reasonable financial remuneration was the most-anticipated aspect of the Guidance, clarification for other interesting scenarios is also provided in the Guidance. For example, various messages can qualify for the refill-reminder exception, including information about generic equivalents of the prescribed drug; communications about prescriptions that have lapsed within the last 90 calendar days; and communications encouraging individuals to take medications as directed.

Also, if a drug is administered through durable medical equipment (DME), such as an insulin pump or a nebulizer, then the refill-reminder exception will encompass "communications regarding all aspects of the drug delivery system," including DME.

Other communications will not qualify for the exception, including communications about new formulations of the prescribed drug; information about adjunctive drugs that may be used along with the currently prescribed drug; and messages encouraging the recipient to switch to an alternative medicine.

Such communications are permitted under the treatment exception so long as the covered entity does not receive financial remuneration for the communication. Also, the Guidance indicates that covered entities may communicate with the individual about new formulations and adjunctive drugs in a general manner and without naming the actual drug. For example, a pharmacy may encourage an individual to speak with his or her doctor about medications that may treat the side effects of a currently prescribed drug.

When a covered entity obtains an individual's written authorization for communications funded by a pharmaceutical manufacturer, the Guidance indicates that a new authorization is not required for each new prescription. HIPAA-compliant authorizations must include an expiration date or event. According to the Guidance, this requirement may be met if the authorization expires when the individual opts out of receiving the authorized communication. Moreover, the scope of the authorization need not be limited to a single drug or biologic or to a single pharmaceutical manufacturer.


HIPAA Compliance

In light of the new Omnibus Rule going into effect on September 23rd, a number of articles have been published offering stakeholders advice and recommendations to ensure compliance and to assist with implementation.

For example, Zachary Landman, M.D., chief medical officer at DoctorBase, an m-Health-as-a-service provider, debunked common myths about HIPAA in an mHealthNews article, as reported by FierceHealthIT. The story covered five myths:

  1. HIPAA doesn't apply to me because I'm not a medical provider or part of a healthcare institution. Landman pointed out that the Omnibus rule now includes enforcement to any business or vendor that "creates, receives, maintains or transmits personal health information (PHI)." 
  2. HIPAA applies to all health data. Actually, it only applies to data held by a patient's physician or care team, Landman explained. So if you record your weight and diet on an app and then don't share it with a physician, HIPAA doesn't apply.
  3. Data is secure, so that means it's private. Data transmission must be highly encrypted, or it is subject to third-party attacks, like stolen laptops, Landman said.
  4. Being HIPAA-complaint is only an IT problem. It's everyone's problem, Landman said--something as small as putting a note with your username and password on your monitor is a HIPAA violation.
  5. A smartphone's PIN makes it secure. They're too easy to crack, plain and simple, he said.

In another article reported by FierceHealthIT, Mark Dill, director of information security at Cleveland Clinic, offered five recommendations to prepare for a HIPAA audit. Starting Oct. 1, 2014, a permanent HIPAA security audit program will begin, according to OCR officials.

  • Know what gaps are in your program in advance. The worst time to find out about problems is at the time of the audit, Dill said.
  • Be organized. If you look disorganized, HHS will think you are disorganized, Dill said. In addition, you will be able to prevent an on-site audit if your documentation is of the highest quality.
  • Display your results in the right format. Dill suggested using the OCR-recommended format (800-30); Cleveland Clinic, he said, uses "an improved format based on the standard."
  • Use three-year benchmarks as "tabs in your book of evidence" for compliance and formal, organization-wide analysis. He suggests keeping a written calendar and schedule of business impact analysis.
  • Partner with a reputable third-party consultant or firm. "Third party attestation can reveal at least 30 percent about what you don't know, and peer comparisons give you a really clear picture," Dill said.



The overall goal of HIPAA to protect patient privacy may be laudable, but with the tremendous cost of implementation and the restrictions on patient communications, in the end we may look at this as just another burdensome regulation with little real benefit to patients.

