Life Science Compliance Update

March 30, 2016

New HIPAA Audits Announced

After many years of anticipation, the Office for Civil Rights (OCR) launched a new round of audits to gauge compliance with patient privacy provisions under the Health Insurance Portability and Accountability Act (HIPAA). These audits are intended to determine whether or not healthcare organizations and their contractors are in compliance with HIPAA. If organizations and contractors are not in compliance, OCR hopes that the audits will trigger a reaction, allow it to get in front of potential problems, and better direct guidance to address issues that affect the confidentiality and security of protected health information (PHI).

The launch came with little fanfare, starting with emails to "covered entities" (i.e., healthcare providers, insurance plans, and clearinghouses) and to business associates that may handle patient information on behalf of those entities. The emails ask them to verify contact information, which, once verified, will lead to receipt of a "pre-audit questionnaire" seeking details on their business size, business type, and operations. If an entity or associate does not respond to the "pre-audit questionnaire," OCR will use publicly available information about the entity in creating the audit pool. An entity that fails to respond to OCR may still be selected for an audit or subject to a compliance review.

Once OCR receives the audit questionnaires back, it will create a pool of audit targets that represents a range of covered entities and business associates. According to OCR, the wider the range of audit candidates, the better idea OCR will have of HIPAA compliance across the industry.

The audits will take place in several rounds: desk audits (focused on document review) make up the majority of the audits and will take place in two rounds. The first round will focus on covered entities and the second round will focus on their business associates. The desk audits are expected to be completed by December 2016. The third round of audits is reserved for on-site audits, which will begin later in the year. Additionally, undergoing a desk audit does not exempt an entity from a potential on-site audit. HHS will cover the cost of the on-site auditor; neither covered entities nor their business associates are responsible for the costs of the audit program.

Desk Audits

Entities that are selected for a desk audit will be informed via email and will be asked to provide documents and other data. The desk audit will focus on compliance with particular provisions of the HIPAA Privacy, Security, and Breach Notification Rules, such as risk analyses, notices of privacy practices, and responses to requests for PHI access. Those subjected to an audit will be given ten days to submit the requested information to OCR through a portal. Once OCR receives the documents, it will review them and develop draft findings, which will then be shared with the audited entity, allowing ten business days for an entity response. The written entity response will be included in the final audit report, which will also be shared with the entity.

On-Site Audits

An on-site audit is also preceded by an email, and will take place over three to five days, depending on the size of the entity. On-site audits will be more comprehensive and have a broader focus on HIPAA requirements. Entities subject to an on-site audit will also have ten business days to review the draft findings and provide written responsive comments to the auditor. A final report will then be shared with the audited entity.

What Comes After the Audit

Following an audit, if any serious issues were uncovered, an OCR compliance review may be done. Even though OCR will not post a list of audited entities, nor will it post the findings of an individual audit that clearly identifies the audited entity, audit notification letters and other audit information may be discoverable under the Freedom of Information Act (FOIA).

Generally, OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective action would be the most helpful. OCR will also use information gleaned from the audits to develop tools and guidance to assist the industry in compliance self-evaluation, preventing further breaches.


November 05, 2013

HITECH HIPAA Restrictions on Refill Reminders and Patient Communications

In late January of this year, we reported that the U.S. Department of Health & Human Services (HHS) issued four final rules, combined to create an omnibus final rule addressing several aspects of patient privacy under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The rules were combined—563 pages—to "reduce the impact and number of times certain compliance activities need to be undertaken by regulated entities."

HHS' Office for Civil Rights (OCR), which implements HIPAA and its related provisions, recently estimated that healthcare organizations will spend 32.8 million hours complying with the modified HIPAA omnibus rule. The bulk of that time, 30.655 million hours, will involve the dissemination and acknowledgement of privacy practices at provider offices.

Recently, OCR issued model Notices of Privacy Practices for health care providers and health plans. The model concisely reflects the regulatory changes of the Final Rule. Specifically, it highlights

  • the patient's right to an electronic copy of her medical record (if the practice uses an electronic health record),
  • the patient's right to restrict disclosure to her health insurer for out-of-pocket payments made in full, and
  • the written authorization required for marketing and sale of protected health information (PHI).

The model is available in four formats (booklet, layered, full page, and text only) and can be easily customized for distribution to patients and display on the practice's website.

OCR has also issued samples of business associate agreements and the American Medical Association (AMA) has issued HIPAA resources.

First Amendment Challenge to Omnibus Rule

In response to this final rule, Adheris, Inc. has filed a complaint (and accompanying memorandum) seeking injunctive and declaratory relief to prohibit HHS from enforcing provisions of the final rule as they pertain to certain paid marketing communications, as reported by the FDA Law Blog.

At issue is whether Adheris can continue to communicate refill and adherence reminders and whether HHS' rule violates the First Amendment.

The final rule went into effect on September 23rd, 2013.

As explained by the FDA Law Blog, "Adheris's core business model involves sending reminders to customers of participating pharmacies to refill their existing prescriptions before their refills are due, and also preparing and sending letters that encourage customers to adhere to their prescribed treatment regimens. The letters the company sends include 'educational information about the medication, safety information, positive reinforcement to stay on therapy, and a direction to follow the treating physician's advice.'

Adheris's complaint states its services have a 'verifiably significant impact on the percentage of patients still complying with their prescribed regimens at the end of a program period,' and, therefore, improve patient health. Although pharmaceutical companies are the sponsors of these refill reminders and adherence messages, Adheris does not disclose protected health information to pharmaceutical manufacturers. According to the complaint, Adheris derived total revenues of $49 million from these services in 2012."

In addition to this lawsuit, Pharmalot reported that InVentiv Health filed a similar lawsuit, challenging the final rule as violating Free Speech rights with respect to refill reminders. "This rule undermines a valuable extension of a physician's treatment that promotes patient health, helps save lives and reduces healthcare costs, all of which are in the public interest and consistent with the objectives of the Affordable Care Act," said InVentiv Health general counsel Eric Sherbet in a statement. "It is a misguided regulation and one that impinges on our right to speech that serves a significant public health interest."

HHS' Final Rule

The blog post explains that prior to the HITECH Act, which became law on February 17, 2009, "pharmaceutical companies could hire pharmacies and pharmacy chains to remind patients to refill their prescriptions, or recommend switching to alternative therapies. These types of communications were considered treatment communications and did not require a written authorization from the patient to comply with HIPAA."

Congress called these types of communications "health care operations" (a separate category under HIPAA) without addressing treatment communications. Consequently, HHS' final rule seeks "to implement the HITECH Act and requires patient authorization before using protected health information to direct any paid communication recommending a product or service to the patient, regardless of whether the purpose of the communication is treatment or health care operations," according to the post.

One exception provided for in the final rule "is that refill reminders, adherence communications, and other communications to patients with current prescriptions for that drug do not require authorization if the payment received by the covered entity" is "reasonably related to the covered entity's cost of making the communication." HHS explained that this means that a covered entity cannot profit from the communication.

"If the covered entity receives a financial incentive beyond its cost, it must obtain the patient's authorization. Because, as the complaint states, Adheris's service-related expenses far exceed its permissible remuneration, Adheris's business is threatened by the rule."

However, several days after the lawsuit was filed, the FDA Law Blog reported that HHS filed a joint motion requesting the suspension of Adheris's motion for a preliminary injunction seeking to prohibit HHS from enforcing its final rule restricting certain paid marketing communications.

HHS informed the court that it intends to issue guidance pertaining "to the final remuneration that would be considered 'reasonable' for providing refill reminders or other communications about a drug or biologic currently being prescribed to an individual." HHS stated that it expects to issue such guidance by September 23, 2013.

In addition, HHS announced that it decided "not to enforce the restrictions on remuneration refill reminders and other communications about drugs and biologics (as set forth in 45 C.F.R. § 164.501) for a period of 45 days . . . or until November 7, 2013." 

Additionally, OCR announced that it will delay its enforcement of the new requirement that "certain HIPAA-covered laboratories revise their notices of privacy practices (NPPs)."

This Enforcement Delay applies to HIPAA-covered laboratories that are subject to CLIA (i.e., CLIA-certified) or exempt from CLIA (i.e., CLIA-exempt) and that are not required to provide an individual with access to his or her laboratory test reports under § 164.524 of the HIPAA Privacy Rule because the information is subject to the exceptions to the right of access at § 164.524(a)(1)(iii)(A) or (B). The Enforcement Delay does not apply to laboratories that operate as part of a larger legal entity, such as a hospital, and by virtue of that relationship do not have their own, laboratory-specific NPPs.


HHS OCR Refill Guidance


Consequently, OCR released guidance regarding the refill reminders. A summary of the guidance was written and edited for the American Health Lawyers Association (AHLA) by Mary Bearden and Allison Shelton of the law firm Brown & Fortunato PC, in Amarillo, Texas.


On September 19, the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services (HHS) released guidance entitled, "The HIPAA Privacy Rule and Refill Reminders and Other Communications about a Drug or Biologic Currently Prescribed for the Individual" (Guidance). This Guidance concerns the new definition of "marketing" adopted in the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule.

OCR's Guidance breaks down the elements of the refill-reminder exception and provides clarification on several scenarios that are potentially affected by the exception.

Under the Guidance, OCR will permit payment "up to the fair market value of [the] services" to qualify as reasonable financial remuneration and to, therefore, fall within the exception for refill reminders in the case of Adheris. In the Guidance, OCR discusses:

  1. payments from a third party to a covered entity for refill reminders;
  2. payments from a covered entity to a business associate when a third party directly or indirectly covers the payments to the business associate; and
  3. payments from a covered entity to a business associate when no third party is involved.

In the first case, the third party may only cover the direct and indirect costs related to the refill reminder. For example, the third party may pay reasonable costs related to labor, supplies, materials, overhead, and capital expenditures.

In the second case, when a business associate receives remuneration directly or indirectly from the third party, the third party may pay fair market value for the business associate's services as would be the case under Adheris' business model.

Finally, in the third case, the exception for refill reminders will not limit the financial remuneration that the covered entity may pay the business associate because no third party is involved.

Even though OCR's interpretation concerning reasonable financial remuneration was the most-anticipated aspect of the Guidance, clarification for other interesting scenarios is also provided in the Guidance. For example, various messages can qualify for the refill-reminder exception, including information about generic equivalents of the prescribed drug; communications about prescriptions that have lapsed within the last 90 calendar days; and communications encouraging individuals to take medications as directed.

Also, if a drug is administered through durable medical equipment (DME), such as an insulin pump or a nebulizer, then the refill-reminder exception will encompass "communications regarding all aspects of the drug delivery system," including DME.

Other communications will not qualify for the exception, including communications about new formulations of the prescribed drug; information about adjunctive drugs that may be used along with the currently prescribed drug; and messages encouraging the recipient to switch to an alternative medicine.

Such communications are permitted under the treatment exception so as long as the covered entity does not receive financial remuneration for the communication. Also, the Guidance indicates that covered entities may communicate with the individual about new formulations and adjunctive drugs in a general manner and without naming the actual drug. For example, a pharmacy may encourage an individual to speak with his or her doctor about medications that may treat the side effects of a currently prescribed drug.

When a covered entity obtains an individual's written authorization for communications funded by a pharmaceutical manufacturer, the Guidance indicates that a new authorization is not required for each new prescription. HIPAA-compliant authorizations must include an expiration date or event. According to the Guidance, this requirement may be met if the authorization expires when the individual opts out of receiving the authorized communication. Moreover, the scope of the authorization need not be limited to a single drug or biological or to a single pharmaceutical manufacturer.


HIPAA Compliance


In light of the new Omnibus Rule going into effect on September 23rd, a number of articles have been published offering stakeholders advice and recommendations to ensure compliance and to assist with implementation.


For example, Zachary Landman, M.D., chief medical officer at DoctorBase, an mHealth-as-a-service provider, debunked common myths about HIPAA in an mHealthNews article, as reported by FierceHealthIT. The story covered five myths:


  1. HIPAA doesn't apply to me because I'm not a medical provider or part of a healthcare institution. Landman pointed out that the Omnibus rule now extends enforcement to any business or vendor that "creates, receives, maintains or transmits personal health information (PHI)."
  2. HIPAA applies to all health data. Actually, it only applies to data held by a patient's physician or care team, Landman explained. So if you record your weight and diet on an app and then don't share it with a physician, HIPAA doesn't apply.
  3. Data is secure, so that means it's private. Data transmission must be highly encrypted, or it is subject to third-party attacks, like stolen laptops, Landman said.
  4. Being HIPAA-compliant is only an IT problem. It's everyone's problem, Landman said; something as small as putting a note with your username and password on your monitor is a HIPAA violation.
  5. A smartphone's PIN makes it secure. They're too easy to crack, plain and simple, he said.

In another article reported by FierceHealthIT, Mark Dill, director of information security at Cleveland Clinic, offered five recommendations to prepare for a HIPAA audit. Starting Oct. 1, 2014, a permanent HIPAA security audit program will begin, according to OCR officials.

  • Know what gaps are in your program in advance. The worst time to find out about problems is at the time of the audit, Dill said.
  • Be organized. If you look disorganized, HHS will think you are disorganized, Dill said. In addition, you may be able to avoid an on-site audit if your documentation is of the highest quality.
  • Display your results in the right format. Dill suggested using the OCR-recommended format (NIST SP 800-30); Cleveland Clinic, he said, uses "an improved format based on the standard."
  • Use three-year benchmarks as "tabs in your book of evidence" for compliance and formal, organization-wide analysis. He suggests keeping a written calendar and schedule of business impact analysis.
  • Partner with a reputable third-party consultant or firm. "Third party attestation can reveal at least 30 percent about what you don't know, and peer comparisons give you a really clear picture," Dill said.



The overall goal of HIPAA, to protect patient privacy, may be laudable, but with the tremendous cost of implementation and the restrictions on patient communications, in the end we may look at this as just another burdensome regulation with little real benefit to patients.

January 31, 2013

HHS Unveils Final HIPAA Omnibus Rule

In late January, the U.S. Department of Health & Human Services (HHS) issued four final rules, combined to create an omnibus final rule addressing several aspects of patient privacy under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The rules were combined—563 pages—to “reduce the impact and number of times certain compliance activities need to be undertaken by regulated entities.” The new rule will be effective March 26, with a compliance date of Sept. 21. As reported by FierceHealthIT, the rules include:

  • Modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health Act, and certain other modifications to improve the rules, which were issued as a proposed rule on July 14, 2010.
  • Changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on Oct. 30, 2009.
  • A final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule’s “harm” threshold with a more objective standard and supplants an interim final rule published on Aug. 24, 2009.
  • A final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on Oct. 7, 2009. 

“Much has changed in healthcare since HIPAA was enacted over 15 years ago," HHS Secretary Kathleen Sebelius said in a statement. "The new rule will help protect patient privacy and safeguard patients' health information in an ever expanding digital age."

According to HHS, contractors, subcontractors and other business associates of healthcare entities that process health insurance claims now will be liable for the protection of private patient information under the updated rule. In addition, monetary penalties for noncompliance with the rule have increased, with a maximum penalty of $1.5 million per violation.

Individual rights are expanded in important ways. Patients can ask for a copy of their electronic medical record in an electronic form. When individuals pay by cash, they can instruct their provider not to share information about their treatment with their health plan. The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individual’s health information without their permission.

The FDA Law Blog posted an interesting analysis explaining that the new rule makes dramatic revisions to marketing practices and research authorizations. For example, previously, “pharmaceutical companies could pay pharmacies to communicate with their patients for the purpose of either reminding patients to refill their prescription (‘refill reminders’), or to recommend switching to alternative therapies (‘switch communications’).”

The final rule “now requires patient authorization before using protected health information for all paid communications that recommend a product or service to the patient, regardless of whether the purpose is treatment or health care operations.” There are exceptions, however. The following do not require authorization, provided that the payment received by the covered entity is “reasonably related to the covered entity’s cost of making the communication”:

  • Refill reminders,
  • Adherence communications, and
  • Other communications about a drug or biologic that is currently prescribed for the individual.

The post explained that “reasonably related” most likely “means the covered entity cannot profit from the communication. If the covered entity receives a financial incentive beyond their cost, they must obtain the patient’s authorization.”

“HHS also clarified that communications about a drug or biologic currently prescribed includes communications about generic equivalents. They also clarified that for self-administered drugs or biologics, communications about the entire drug delivery system, such as an insulin pump, are considered communications about the drug itself.”

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” HHS Office for Civil Rights Director Leon Rodriguez said in a statement. “These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

The final rule was accepted for review by the Office of Management and Budget last March and had been dubbed as moving to its final clearance hurdle by Susan McAndrew, Deputy Director for Health Information Privacy at OCR, at that time. It had been anticipated that the rule would be published last summer.

Executing the New Rules 

In response to the new rules, several healthcare stakeholders expressed concern about the challenges of executing them. Todd Richardson, vice president and CIO of Wausau, Wis.-based non-profit health system Aspirus, Inc., told FierceHealthIT that “providers and vendors that use and create electronic health record systems already walk a tight balance between complying with HIPAA and meeting the requirements of the HITECH Act and Meaningful Use regulations.”

“On one hand we have ‘protect, protect, protect’ and on the other hand we have ‘share, share, share,’” Richardson said to FierceHealthIT. “While the balance is ‘protect and share,’ the devil is always in the details. The reality is that all of the information is not under the tight control of the covered entity.”

Richardson added that “while all healthcare professionals understand the responsibility to protect patient information, as more systems come online with information, inevitably, there will be more opportunity for data breaches.” Donna Staton, CIO at Warrenton, Va.-based Fauquier Health, noted that the rules “may require a lot of payers and vendors to rethink their positions under reform, where there is already a lot of momentum.” “Patients will definitely see this as an improvement, though, giving them increased control, which supports the goal of improved patient engagement under reform,” she said.

Joseph Kvedar, director of Partners HealthCare's Center for Connected Health in Boston, noted that while privacy is important, “the more privacy we have, the less data liquidity, and that could be a challenge.”

Angela Rose, MHA, RHIA, CHPS, director of health information management practice excellence at the American Health Information Management Association (AHIMA), told Medpage Today that the health information management industry is “breathing a sigh of relief” after the final rule was released, noting that final rules have been anticipated since 2009. 

“The final rule ... strengthens patient privacy and security protections that were established under [HIPAA],” said Renae Moch, practice management strategist at the American Academy of Family Physicians in an email.  “This rule is presumed to increase workability and flexibility, decrease burden, and better standardize the requirements of the rule for covered entities such as healthcare providers, health plans, or healthcare clearinghouses.” 

Impact on Clinical Trials 

Analyzing the final rules, RAPS noted that clinical trial sites “will also be exempted from certain requirements, such as those limiting the use of single authorizations (‘compound authorizations’) for the release of PHI. (Page 175 of the rule).”

“Permitting the use of protected health information is part of the decision to receive care through a clinical trial, and health care providers conducting such trials are able to condition research-related treatment on the individual’s willingness to authorize the use or disclosure of protected health information for research associated with the trial,” DHHS explained in its rule. 

These exemptions could prove crucial to companies hoping to use collected data for “corollary research activity,” such as for research databases or repositories used to find common genetic markers or other information used to generate new information on therapies. “However, trial sites will still be prohibited from using compound authorizations for tissue banking purposes, though they can ask for such samples in a separate authorization form or in the same package so long as it is unconditional,” RAPS writes. DHHS suggested the use of separate check boxes and authorization signature lines for entities that wish to simplify the enrollment process.

Impact on EHRs, HIT 

FierceHealthIT also noted that the final omnibus rule has a number of important provisions that directly affect electronic health records (EHRs) and related health information technology (HIT), including: 

  • Health information exchanges (which the rule calls health information organizations) and electronic prescribing gateways will be considered business associates and thus directly subject to many of HIPAA's privacy and security provisions. The obligation applies upon creation of the business associate relationship, not when a business associate agreement is signed. A personal health record vendor may or may not be a business associate, depending on the services that the vendor is providing to the covered entity.
  • Business associate agreements are still necessary despite this new direct liability (i.e., EHR vendors that qualify as business associates need to sign these contracts).
  • A provider does not have to use an EHR to comply with the new rule, but if the provider does use an EHR, patients have the right to obtain copies of their records in electronic format, in a form requested by the patient. If that format is not available, then the format provided shall be as agreed upon by the provider and the patient. The provider can only charge the patient the labor costs involved.
  • The final rule sets 30 days (down from 60) for providers to provide patients with access to their records, but "encourages" providers to take advantage of their technologies and provide them sooner, considering that the Meaningful Use program contemplates much faster access than 30 days. 

“If a covered entity belongs to a HIE, and the HIE suffers a breach, the covered entity is the one obligated to notify patients. However, since multiple covered entities may be involved due to the data sharing inherent in an HIE, the covered entities may delegate to the HIE the notification obligation, since that way a patient will only receive one notice.”
