PCI Security Council Releases Standards Guidance for Virtual Environments

Over half of the companies surveyed by Trend Micro in May 2011 reported having cloud computing services being developed, implemented, or already in production.  The survey also reports that security concerns continue to be a primary reason companies are holding back their adoption of cloud computing. 

The security concerns related to virtual environments are heightened for companies in the payment card industry.  Those companies face a difficult task of adapting the Payment Card Data Security Standard (PCI DSS) developed for logical environments to virtual environments, like cloud computing environments.  The PCI Security Standards Council released guidelines on June 14, 2011 to help merchants, processors, card issuers, and service providers bridge that gap.

The PCI DSS Virtualization Guidelines Information Supplement provides:

  • Explanation of the classes of virtualization often seen in payment environments including virtualized operating systems, hardware/platforms and networks
  • Definition of the system components that constitute these types of virtual systems and high-level PCI DSS scoping guidance for each
  • Practical methods and concepts for deployment of virtualization in payment card environments
  • Suggested controls and best practices for meeting PCI DSS requirements in virtual environments
  • Specific recommendations for mixed-mode and cloud computing environments
  • Guidance for understanding and assessing risk in virtual environments

The Appendix to the Supplement describes in detail how each of the 12 broad PCI DSS controls that are mandated for logical environments needs to be applied in a virtual setting.

For cloud computing, the Supplement identifies the extent to which enterprises are responsible for ensuring compliance and the extent to which cloud vendors are responsible for ensuring the right controls are in place.  If companies choose to have their PCI workloads hosted on multi-tenant, public cloud infrastructures, those companies need to ensure that their cloud vendors have additional controls for protecting their data.  According to the Supplement, the challenges involved in protecting PCI data in a multi-tenant environment "may make it impossible for some cloud-based services to operate in a PCI DSS compliant manner." "Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider, and such proof should be accepted only based on rigorous evidence of adequate controls."

New Texas Health Care Privacy Law

Texas Governor Rick Perry just signed a law protecting patients’ data in electronic health records and increasing penalties for violation of the health care privacy laws. In what was a heated legislative session, this bill passed both houses without opposition, signaling widespread support for a stronger stance on protecting patients’ health information. The new law becomes effective September 1, 2012.

The Texas law requires covered entities, such as hospitals, physicians, health plans, health care clearinghouses and their business associates, to comply with the federal Health Insurance Portability and Accountability Act (HIPAA) privacy standards. Adopting HIPAA, the new law states that an individual’s protected health information may not be disclosed without the patient’s authorization, except for purposes of treatment, payment, health care operations, insurance purposes, and as otherwise authorized by state or federal law. Covered entities must provide notice to patients of their policies on their website or other prominent place where patients will see the notice.

Most notably, the law substantially increases penalties for privacy violations from $2,500 per violation, to up to $5,000 per negligent violation, up to $25,000 per knowing or intentional violation, and up to $250,000 in penalties if the disclosure is for financial gain. For repeat offenders, the maximum penalty is increased to $1.5 million. A health care provider’s professional or institutional license may also be revoked for repeated violations under the new law. With a single disclosure, a covered entity with Texas patients is potentially subject to substantial state and federal penalties depending on the violation.

The Texas law also puts into place a regulatory framework with the Texas Health and Human Services Commission, Texas Health Care Authority, Texas Department of Insurance, and the Texas Attorney General’s office having audit authority to ensure privacy compliance. The AG’s office is also required to set up a complaint system and information website, already seen in several other states. The Texas Health Care Authority is charged with developing standards for electronic sharing of protected health information in compliance with HIPAA, to ensure security maintenance and disclosure of records.

Personal Information is Not Property Under California Unfair Competition Law

On May 12, 2011, a California federal court dismissed substantive claims in a class action privacy lawsuit against Facebook.  The plaintiffs alleged eight causes of action under federal and state law, claiming that Facebook shared users’ personal information with advertisers without the users’ consent.  Although the judge found that the plaintiffs had standing to bring the suit in federal court, he nonetheless dismissed all claims for not alleging facts upon which the court could afford relief.

Following a line of consistent precedent, the court held that for purposes of California’s Unfair Competition Law, personal information does not constitute property.  The court distinguished the Doe 1 v. AOL, LLC case because the consumers in that case paid fees for services to the company that was alleged to have disclosed users’ personal information in violation of the company’s policies. The court concluded that users of free websites cannot state a UCL claim. Similarly, the court rejected the contention that for purposes of California’s Consumer Legal Remedies Act, personal information constitutes a form of payment, such that users of social networking sites who provide that information become consumers and therefore have a cause of action under the statute.

The court’s decision highlights the difficulties plaintiffs face in bringing claims against social networking websites for dissemination of personal information and other privacy breaches. For users of free websites, the problem is especially acute if attempting to bring a claim under California’s consumer statutes.

The plaintiffs filed an amended complaint on June 13, 2011.

Authorship credit: M. Theodore Takougang

Supreme Court Finds Vermont Data Mining Law Unconstitutional

The U.S. Supreme Court released its decision today in Sorrell v. IMS Health Care, Inc., a case concerning the constitutionality of a Vermont statute that prohibited pharmacies from selling or disclosing prescriber-identifying information taken from prescriptions for marketing purposes.  The challenge to the statute was made by data mining companies.  The Supreme Court stated that "speech in aid of pharmaceutical marketing ... is a form of expression protected by the Free Speech Clause of the First Amendment."  After applying heightened scrutiny, the Court found that the Vermont statute unjustly burdened speech in violation of the First Amendment.

Thirty-five states filed an amicus brief supporting the law as necessary to protect the privacy of patient data.  Senator Leahy (VT) issued a press release following the decision, which stated:

Today the Supreme Court has overturned a sensible Vermont law that sought to protect the privacy of the doctor-patient relationship.  This divided ruling is a win for data miners and large corporations and a loss for those of us who care about privacy not only in my home state of Vermont but across the nation.  States like Vermont must be able to protect the privacy of sensitive information exchanged between a doctor and patient.  This decision undermines that ability, and risks unduly influencing doctors in their future prescription choices.

Practicing Law Institute Explores Key Considerations in Cloud Vendor Agreements

One of the most significant trends in technology is the growing acceptance of cloud computing. Cloud computing is the on-demand network access to a shared pool of computing resources which can be rapidly deployed or contracted.  Many companies are using the cloud computing model to offer their proprietary software as a service (SaaS) which can be licensed on a monthly basis through Internet connections. Other companies are using cloud computing to supplement or replace their in-house storage platform. The use of platform as a service (PaaS) can save companies expense while making storage capacity more flexible.  Major companies are now offering PaaS including Amazon, Rackspace, IBM and Microsoft.

On June 27, 2011, the Practicing Law Institute will be offering a one-day seminar devoted to Cloud Computing in San Francisco.  The seminar will also be webcast and accessible at any location.  Baker Hostetler partner Peter Brown is the Co-Chair of the program.  He will also be part of a panel discussion on "Cloud Vendor Agreements: Key Considerations."  In addition, Baker Hostetler partner Fernando Bohorquez will be presenting on the subject of "Cloud E-Discovery: It Just Isn't So Clear."  Further information about this PLI program can be found at www.pli.edu/Content


Proposed Rule Would Change HIPAA Accounting of Disclosures - Covered Entities Will Continue to Face Significant Technical Challenges

On May 31, 2011, the U.S. Department of Health and Human Services (HHS) published a proposed rule adopting sweeping changes to the "accounting of disclosures" requirement under 45 C.F.R. § 164.528 that are likely to have a significant impact on the health information technology (HIT) systems being implemented by many healthcare providers, health plans (including employer-sponsored plans) and business associates. The proposed requirements will not become final until after comments are received and evaluated and a final rule is published by HHS later this year or next. Therefore, healthcare providers, health plans (including employers sponsoring health plans) and business associates should take this opportunity to carefully review the proposed rule's provisions, send comments to HHS and consider the systematic changes that may be necessary when the rule becomes finalized.

The proposed rule changes the existing Health Insurance Portability and Accountability Act (HIPAA) accounting requirement in two very significant ways. First, it revises the accounting requirement to shorten the time period covered by the regulation to the three-year period prior to the request (previously six years) for all disclosures of protected health information (PHI) (paper and electronic), while removing certain exceptions, including those for disclosures related to treatment, payment and healthcare operations. Second, in the interest of balancing the rights of individuals to learn about disclosures of their PHI with the burden on covered entities of providing detailed accounting reports, the proposed rule creates a new “access report” requirement which enables covered entities to provide only the date, time and identity of the person who accessed an individual’s electronic PHI, but does not require tracking or reporting the purpose of the disclosure as required under the existing accounting requirement.

Existing HIPAA Accounting Requirement Expanded by HITECH Act

Under the existing HIPAA privacy regulations, individuals are entitled to receive an “accounting” of all disclosures of PHI made by the covered entity, including those through its business associates, for the six years preceding the individual's request, excluding certain permissible disclosures, the most significant of which are (1) for treatment, payment and healthcare operations; (2) disclosures to the individual about him or her; and (3) disclosures to law enforcement. 45 C.F.R. § 164.528(a)(1). The accounting is required to be furnished to the individual no later than 60 days after receiving a written request.

When Congress passed the Health Information Technology for Economic and Clinical Health Act (HITECH Act), part of the stimulus legislation known as the American Recovery and Reinvestment Act of 2009, it instructed HHS to adopt an accounting requirement specifically related to “electronic health records” (EHRs) by requiring the accounting of disclosures from an EHR to include all disclosures, without excluding those made for treatment, payment and healthcare operations and shortening the time period covered by an accounting of disclosures from an EHR to three years instead of six (paper records still would be subject to a six-year accounting period). The HITECH Act directed HHS to issue regulations by not later than June 18, 2010.

The changes put forth by HHS in the May 31 proposed rule go significantly beyond the requirements of the HITECH Act, but HHS asserts they are consistent with the major purpose of the Act which was to apply the accounting requirement to electronic PHI in an EHR.

Revisions to the Accounting of Disclosures of PHI Under § 164.528

Healthcare providers, health plans and employer-sponsored health plans may welcome some of the changes being proposed to the existing accounting of disclosures requirement, while finding other changes more burdensome. HHS proposes to shorten the time period covered by a request for an accounting to just three years, regardless of whether the records are paper or electronic. This should enable covered entities to apply accounting procedures consistently across all types of PHI. Additionally, HHS has chosen to focus more attention on accounting of disclosures that are presumed to be most important to individuals by removing some disclosures from the requirement, while adding specific requirements for other categories of disclosures. For example, on the one hand, disclosures for clinical research will be excluded from the accounting requirement (assuming that the IRB or research practitioner has followed HIPAA’s requirements for an authorization or research waiver), as will disclosures that are required by law. On the other hand, a full accounting will be required for all disclosures that are not permitted under HIPAA, including unauthorized disclosures that did not rise to the level of a “breach” under the Breach Notification Interim Final Rule published at 45 C.F.R. part 164, subpart D, disclosures for public health activities (such as infectious disease reporting) and for all disclosures made for law enforcement purposes and judicial or administrative proceedings (even though such disclosures in certain cases do not require an authorization).

Further, on the positive side, the proposed rule limits the accounting for disclosures requirement to only the PHI maintained in a “designated record set” instead of all PHI that may be scattered throughout an organization. Nevertheless, on the negative side, covered entities may find significant challenges in determining what exactly constitutes a “designated record set,” and will continue to be required to track the purpose of each disclosure subject to an accounting -- a task many covered entities have found will add a significant level of complexity to the already expanding list of required features of HIT systems. Generally speaking, a “designated record set” is a group of records maintained by or for a covered healthcare provider that comprises the medical and billing records about individuals or maintained by a health plan (including an employer-sponsored health plan) comprising the enrollment, payment, claims adjudication and case or medical management record systems used, in whole or in part, by or for either type of covered entity to make decisions about individuals. The applicability and scope of the definition (i.e., what provider or health plan records fall within or outside of the definition) have perplexed some covered entities who may be particularly challenged by the existing requirement to maintain written or electronic documentation showing all designated record sets maintained within their organization, under 45 C.F.R. § 164.524. Additionally, the HHS preamble to the proposed rule specifically applies the accounting requirement to copies of designated record sets held by business associates, a factor likely to necessitate amendments to business associate contracts.

As indicated by the brief highlights of the proposed rule described above, the new requirements contain a mixed bag of changes designed to enhance an individual’s right to learn where, by whom and for what purpose disclosures of their PHI have been made, while lessening the burden on covered entities by reducing the types of disclosures and the time period covered by the accounting requirement.

Further helping to improve the individuals’ understanding of the types of disclosures made about them may be the new requirement for an access report, described below, which will allow covered entities to respond in a more narrow fashion to individuals’ requests for information on disclosures of their PHI maintained in an electronic designated record set.

New “Access Report” Will Be Required Upon Request by an Individual

Perhaps the most significant change proposed by HHS is the new right of individuals to receive an access report including, at a minimum, the date and time of access and the name of the user or entity that accessed or disclosed PHI maintained in an electronic designated record set. The report must include all access, including uses as well as disclosures, which is a significant expansion of the existing accounting requirement. There will be no distinction between access by internal employees and access by persons outside an organization. Additionally, the report must indicate the type of information accessed (e.g., diagnosis or medications) and the action taken (modify, transfer, etc.), but only if either of such information is available in the HIT system. Perhaps most significantly, the access report applies to all electronic PHI maintained in a designated record set, not just EHRs, and the exception for disclosures relating to treatment, payment or healthcare operations would not apply. Thus, while HHS points out that the new access report requirement satisfies the HITECH Act's mandate to apply the accounting requirement to EHRs, in actual operation, the proposed rule expands the right to an accounting to cover a much wider variety of disclosures, including internal uses of PHI by employees. These changes would create significant new challenges for covered entities already grappling with the design and implementation of appropriate system activity logs and audit reporting technology to comply with existing privacy and security laws.

Impact on Covered Entities and Business Associates

The proposed accounting requirement changes published on May 31 will create significant new challenges to a wider spectrum of covered entities than previously expected by most experts. For example, the expansion of the access report to cover all electronic PHI, rather than merely EHRs, will sweep within the rule's application many additional entities that customarily do not maintain EHRs, such as health plans and health insurers (including employers that sponsor such plans) and business associates working with electronic PHI. Additionally, the application of the new requirements specifically to designated record sets will highlight the need for covered entities and business associates to develop and document the types of PHI they routinely use or disclose, to ensure that designated record sets are appropriately tracked and oversight maintained (both human and electronic) for purposes of preparing an adequate accounting or access report within the time limits and other requirements under the regulation.

Keep in mind that the new requirements published on May 31 are only proposed. Nevertheless, assuming that many of the provisions are enacted in a final rule, the following activities, among others described previously, will be needed. It may not be too early for covered entities and business associates to consider and plan for the following new requirements:

Business Associate Agreements

Healthcare providers, health plans and employers sponsoring health plans will need to amend their business associate agreements with business associates (such as billing companies and consultants, third-party administrators and other vendors handling PHI) to reflect and facilitate compliance with the new accounting and access reporting requirements. These amendments should include descriptions of the shortened timing and detailed content required for such reports. Business associate agreements should be amended to require that business associates take steps to gather the appropriate information and actively assist with compiling reports when and as requested by their covered entity customers.

Notice of Privacy Practices

Changes to covered entity Notices of Privacy Practices will be necessary to appropriately describe the new accounting and access report requirements and to inform individuals of the types of disclosures subject to the requirements. For health plans and employers, because these updates are considered material revisions to the notice, the revised Notices will need to be distributed within 60 days of the material revision.

Record Retention Policies

Covered entity and business associate record retention policies would need to be updated to reflect changes in the document retention rules as they apply to accountings of disclosures and the new access report requirement. Specifically, information that is required to be included in an accounting or access report must be retained for three years from the date of the disclosure, but the actual accounting or report must be retained for six years.

Enhanced Tracking of Disclosures and Access

The new rule will put greater urgency and emphasis on adopting reasonable and appropriate technical and administrative measures to log access, changes, uses and disclosures of electronic PHI, including those for public health, law enforcement, judicial or administrative proceedings, research and other permissible activities, which may become subject to the expanded reporting requirements.
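The access report (date, time and identity of the user, plus type of information and action where the system has them, covering internal uses as well as disclosures, limited to electronic PHI in a designated record set and to a three-year window), the narrower accounting of disclosures (which still carries the purpose and, per the categories listed above, covers impermissible disclosures and those for public health, law enforcement and judicial or administrative proceedings while excluding research and required-by-law disclosures), and the three-year/six-year retention split are all functions of one audit log. The following is an added illustration of how such a log could be queried to produce both reports; it is not code from HHS, the proposed rule, or any HIT vendor. The `AuditEntry` fields, the purpose labels, the 365-day year and the sample entries are all constructed assumptions, and the purpose categories encoded are only the ones this post names.

```python
"""Access report and accounting of disclosures generated from one audit log.

Added illustration only (not HHS or vendor code). Assumes a log whose entries
carry the fields the proposed rule names plus a flag for whether the record
lives in an electronic designated record set. All sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AuditEntry:
    patient_id: str
    timestamp: datetime
    actor: str                  # user or outside entity that accessed/received the PHI
    action: str                 # "view", "modify", "transfer", ... ("" if the system lacks it)
    info_type: Optional[str]    # e.g. "diagnosis", "medications"; None if the system lacks it
    internal: bool              # True = use by a workforce member, False = disclosure to an outside party
    purpose: Optional[str]      # assumed labels: "treatment", "payment", "public_health", ...
    in_electronic_drs: bool     # record is part of an electronic designated record set
    permitted: bool = True      # False = disclosure not permitted under HIPAA


THREE_YEARS = timedelta(days=3 * 365)   # assumption: 365-day years, no leap handling
SIX_YEARS = timedelta(days=6 * 365)

# Disclosure purposes the post lists as requiring a full accounting (assumed labels).
ACCOUNTED_PURPOSES = {"public_health", "law_enforcement", "judicial_administrative"}
# Disclosures for "research" or "required_by_law" are excluded, as is any other
# permitted disclosure outside ACCOUNTED_PURPOSES; impermissible ones are always in.


def in_window(entry: AuditEntry, request_date: datetime, window: timedelta = THREE_YEARS) -> bool:
    """True if the entry falls within `window` before the individual's request."""
    return request_date - window <= entry.timestamp <= request_date


def access_report(log: List[AuditEntry], patient_id: str, request_date: datetime) -> List[Dict]:
    """Access report: every use or disclosure of the patient's electronic PHI in a
    designated record set within three years. Reports who and when; adds type of
    information and action only when the system recorded them; never the purpose."""
    rows = []
    for e in sorted(log, key=lambda x: x.timestamp):
        if e.patient_id != patient_id or not e.in_electronic_drs or not in_window(e, request_date):
            continue
        row = {"timestamp": e.timestamp.isoformat(), "actor": e.actor}
        if e.info_type is not None:
            row["info_type"] = e.info_type
        if e.action:
            row["action"] = e.action
        rows.append(row)
    return rows


def accounting_of_disclosures(log: List[AuditEntry], patient_id: str, request_date: datetime) -> List[Dict]:
    """Accounting: disclosures (not internal uses) within three years that were
    either impermissible or made for one of the accounted purposes; keeps the purpose."""
    rows = []
    for e in sorted(log, key=lambda x: x.timestamp):
        if e.patient_id != patient_id or e.internal or not in_window(e, request_date):
            continue
        if not e.permitted or e.purpose in ACCOUNTED_PURPOSES:
            rows.append({"timestamp": e.timestamp.isoformat(), "recipient": e.actor,
                         "purpose": e.purpose, "permitted": e.permitted})
    return rows


def retention_deadlines(disclosure_date: datetime, report_date: datetime) -> Dict[str, datetime]:
    """Underlying log data: three years from the disclosure; the produced report: six years."""
    return {"log_entry_until": disclosure_date + THREE_YEARS, "report_until": report_date + SIX_YEARS}


# Constructed sample log for one request dated 2014-06-01 (paper record, out-of-window
# access and another patient's entry are included to show what each report drops).
REQUEST_DATE = datetime(2014, 6, 1)
SAMPLE_LOG = [
    AuditEntry("pat-001", datetime(2013, 3, 10, 9, 15), "nurse.jones", "view", "medications", True, "treatment", True),
    AuditEntry("pat-001", datetime(2012, 11, 2, 14, 0), "billing-vendor-x", "transfer", None, False, "payment", True),
    AuditEntry("pat-001", datetime(2013, 8, 20, 8, 30), "county-health-dept", "transfer", "diagnosis", False, "public_health", True),
    AuditEntry("pat-001", datetime(2010, 1, 5, 11, 0), "dr.smith", "view", "diagnosis", True, "treatment", True),
    AuditEntry("pat-001", datetime(2014, 2, 14, 23, 5), "ex-employee", "view", "diagnosis", False, None, True, permitted=False),
    AuditEntry("pat-001", datetime(2013, 5, 1, 10, 0), "records-clerk", "view", None, True, "treatment", False),
    AuditEntry("pat-002", datetime(2013, 6, 1, 10, 0), "nurse.jones", "view", "diagnosis", True, "treatment", True),
]

if __name__ == "__main__":
    for row in access_report(SAMPLE_LOG, "pat-001", REQUEST_DATE):
        print("ACCESS    ", row)
    for row in accounting_of_disclosures(SAMPLE_LOG, "pat-001", REQUEST_DATE):
        print("ACCOUNTING", row)
    print(retention_deadlines(datetime(2013, 8, 20), REQUEST_DATE))
```

Run as written, the access report lists four rows (the billing vendor's transfer, the nurse's view, the public-health transfer and the impermissible view) with no purpose field, while the accounting keeps only the public-health and impermissible disclosures with their purpose; the 2010 access, the paper-record access and the other patient's entry never appear. The two functions read the same entries, which is the practical point: one log designed to capture actor, time, action, information type, purpose and record-set membership can serve both reports, and a log missing any of those fields cannot.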

HHS has asked that comments on the proposed rule be submitted by August 1, 2011. HIPAA-covered entities, including providers and employer health plan sponsors, should seriously consider submitting comments and questions to HHS in an effort to shape how these rules will ultimately affect them.

Authorship credit:

John S. Mulhollan, jmulhollan@bakerlaw.com

Susan Whittaker Hughes, shughes@bakerlaw.com

Lynn Sessions, lsessions@bakerlaw.com


Sony & Epsilon Support National Data Breach Notice Law in Testimony Before House Subcommittee

On June 2, 2011, representatives from Sony Network Entertainment International and Epsilon Data Management, LLC appeared before a House panel to answer questions regarding their responses to recent security breaches.  The hearing of the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade was called by Subcommittee Chairwoman Mary Bono Mack (R-Calif.) as part of the subcommittee’s comprehensive review of data security for the purpose of assessing the need for comprehensive federal data security and breach notification laws.

Jeanette Fitzgerald, general counsel for Epsilon Data Management, LLC, and Tim Schaaff, president of Sony Network Entertainment International, appeared on behalf of their respective companies.  Their testimony to the subcommittee regarding their companies' breach investigation, response, and disclosure closely tracked the information each company had already provided in written responses to subcommittee inquiry letters.   Fitzgerald and Schaaff both agreed that there was a need for a national uniform standard for notifying individuals whose personal information is affected by a breach that preempted existing state laws.  Indeed, Fitzgerald’s prepared testimony states that: “Epsilon fully supports national legislation that would create a uniform standard for data breach notification. The current patchwork of individual state breach notification laws only serves to create confusion among consumers and businesses, and imposes unnecessary compliance costs.”  Similarly, Schaaff warned in his prepared testimony that any national data breach notice standard should follow a common sense approach that allows companies adequate opportunity to investigate breaches and take remedial measures before making them public.  He said that “issuing vague or speculative statements before you have specific and reliable information” could lead companies to “either confuse and panic people, without giving them useful facts, or … bombard them with so many announcements that they become background noise.”

At the end of the hearing Rep. Bono Mack committed to working with her colleagues to pass comprehensive data security legislation to ensure Americans are protected from cyber crimes.

While Epsilon has not made any public statements regarding the costs it has incurred or anticipates as a result of the breach of its systems, Sony estimates its costs at $171 million for data security remediation, customer services, and legal fees by the March 31, 2012 close of its 2011 fiscal year.  The subcommittee background memorandum, which includes links to communications with Sony and Epsilon, is available here.  Rep. Bono Mack's opening remarks are available here.  You can watch a recording of the hearing here.

Harnessing "Big Data" to Create Value

In the wake of the recent breaches at Epsilon and Sony and the scrutiny Apple and Google are facing for their geolocation data tracking practices, there has been little media focus on the benefits of data collection and analysis.  Indeed, most of the coverage has been trained on proposed legislation and new regulations that would restrict data collection practices.  A research study released earlier in May 2011 by McKinsey Global Institute, however, suggests that utilization of “big data” could lead to billions of dollars in annual value in the private and public sectors. 

The study, Big data: The next frontier for innovation, competition, and productivity, is a 156-page effort that looks at the proliferation of large datasets and finds that data can create “significant value for the world economy.”  The sources of data include customer transactions, networked sensors and actuators (the so-called “Internet of Things”), social media sites, smartphones, PCs, and laptops.  And after identifying the techniques and technologies used to capture and analyze big data, the study concludes that “[a]nalyzing large data sets—so called big data—will become a key basis of competition, underpinning new waves of productivity growth, innovation, and consumer surplus as long as the right policies and enablers are in place.”

The study cites examples of companies that have effectively used big data to create economic value through increased productivity and customer loyalty, including Tesco’s use of customer loyalty card data, Wal-Mart’s use of vendor-managed data to optimize its supply chain, and Amazon’s use of customer data to make “you may also like” recommendations.  McKinsey looked at five domains—health care, retailing, the public sector, manufacturing, and personal location data.  From this research, the study identified five ways to leverage big data: (1) Making big data more accessible in a timely manner; (2) Using data and experimentation to expose variability and improve performance; (3) Segmenting populations to customize actions; (4) Replacing and supporting human decision-making with automated algorithms; and (5) Innovating new business models, products, and services.

For the healthcare industry, after making certain assumptions (e.g. necessary IT investment, analytical capabilities, privacy protections, and economic incentives), the study predicts that in ten years there will be an opportunity to capture $300 billion annually in new value, “with two-thirds of that in the form of reductions to national health care expenditure.”  In the public sector, the study projects that the EU could use “big data levers” to increase productivity and efficiency that would result in administrative cost savings of up to $446 billion.  In retail, “pioneers” are projected to have the ability to reduce operating margins by up to 60%.  Similarly, the manufacturing sector could use big data to reduce costs and increase innovation.  Lastly, the study projects that use of geolocation data will create $100 billion in revenue to service providers over the next ten years and as much as $700 billion in annual value to customers.  

In response to skeptics who suggest that the economic benefit of big data is still wishful thinking and that productivity gains driven by data analytics have peaked, the authors of the study suggest that economic statistics will not show productivity gains for a few years, similar to the delay in measuring the productivity gains from the use of computers.

California Social Networking Privacy Act Stalls

California SB 242 (Social Networking Privacy Act), which we covered here, would require social networking websites to design default privacy settings that prevent information about a user from being displayed without affirmative consent from the user.  On May 27, 2011, the bill failed to receive enough votes to pass the California Senate.     

The bill faced strong opposition from social networking sites.  After the bill failed, Facebook spokesman Andrew Noyes issued the following statement: "Lawmakers rejected Sen. Ellen Corbett's bill today because it was a step in the wrong direction for California's growing Internet industry at a time when the state's economy can least afford it.  Sen. Corbett is arguing for unnecessary regulations that ignore the extraordinary lengths that companies like ours go to in order to protect individuals' privacy and give them the tools to determine for themselves how much information they wish to share online."

State Senator Ellen Corbett, who proposed the bill, vowed to bring the bill back for another vote this week.  The bill was five votes short of a majority, and seven Democrats declined to vote on the bill last week. 

UPDATE: Two California senators published an opinion article in the San Francisco Chronicle on June 1, 2011, voicing their opposition to SB 242 as bad policy because: (1) it would "hamstring a global, billion-dollar, interstate industry"; (2) it is "constitutionally unsound"; and (3) it would cause California businesses to relocate to other states. 

UPDATE NO. 2: As promised, Senator Corbett brought SB 242 up for a second vote on June 2, 2011.  It garnered three additional votes, leaving it two short of a majority.  Senator Corbett said she plans to meet with leaders of social networking companies and consumer groups this summer.