Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.
The latest clarifications and revisions to HIPAA require some careful reading by physicians. A little help from a professional might help too.
Editor's Note: This is the first in a five-part series on modifications to HIPAA recently unveiled by HHS on January 17, 2013.
For non-lawyers and lawyers alike, scrolling through over 500 pages of regulations can be daunting to say the least (See the most recent modifications to HIPAA rules by the federal government, released on January 17, 2012). Because of the sheer magnitude, subtleties may easily be overlooked. One must approach the reading and possible interpretation like that of a contract. Reading the HITECH Act/HIPAA Final Rules requires physicians to consider not only a single item, but also other items in the same text, court opinions, and related laws to get the full picture.
Typically, courts look to the “four corners” of the document when determining the meaning of a particular provision. Depending on the state law, extrinsic evidence may be considered. Crucially, when a court, attorney, or sophisticated business person reads a contract, they look for internal definitions, as well as to other portions of the document to determine a meaning. Hence, merely looking at one segment of the entire document may not give the full picture. As a result, the parties to the contract may end up litigating over the particular terms.
Likewise, the reading of the recent HITECH Act/HIPAA Final Rules [78 Fed. Reg. 5566 (Jan. 25, 2013)], which include the application of various provisions set forth in the HITECH Act, should be approached in a similar manner. When reading laws and regulations for their meaning, one should always consider the doctrine of in pari materia.
Literally translated, the Latin phrase in pari materia means "on the same subject." Black's Law Dictionary 807 (8th ed. 2004). The doctrine of in pari materia is a rule of statutory construction providing "that statutes that are in pari materia may be construed together, so that inconsistencies in one statute may be resolved by looking at another statute on the same subject." Id. The Texas Court of Criminal Appeals has recently described the doctrine of in pari materia:
It is a settled rule of statutory interpretation that statutes that deal with the same general subject, have the same general purpose, or relate to the same person or thing or class of persons or things, are considered to be in pari materia though they contain no reference to one another, and though they were passed at different times or at different sessions of the legislature.
(Azeez v. State, 248 S.W.3d 182, 191 (Tex. Crim. App. 2008)).
The doctrine of in pari materia, unlike the “four-corners” approach to reviewing a contract, should be considered in two ways: 1.) reading different parts of the same law or regulation to determine a meaning; and 2.) reading two separate but related laws or regulations. A common example would be reading the Stark Laws in tandem with the Antikickback Laws. (Martin Merritt, Compliance Tips for Your Medical Practice ). But, there is one caveat. In contract law, a person may argue that the contract is a “contract of adhesion” - that is, a contract is so imbalanced in favor of one party over the other that it was not fairly bargained for. A common example is provisions that are buried, slanted, or print that is so small that a reasonable person would not consider it. Often, the opposing party is not in a position to bargain. In relation to the HITECH Act/HIPAA Final Rules, the government and the making of laws and regulations diverges. In reality, the government did consult those potentially impacted when it called for comments in accordance with the Administrative Procedure Act (P.L. 79-404, 60 Stat. 237).
Let’s apply an example from the HITECH Act/HIPAA Final Rules. Section 164.308 has been interpreted to mean that both the interim final rule and final rule imposed administrative safeguards compliance on business associates and their subcontractors. And, business associates and not covered entities are responsible for business associate subcontractor compliance. Reading this alone can be interpreted to mean that the actions of a business associate’s subcontractor will have no impact on the covered entities liability.
Now, read Sections164.314 (breach reporting requirements), 160.300 (imposition of direct monetary penalties on business associates), and 160.402 (explanation of the agency relationship between covered entities, business associates and subcontractors) in relation to 164.308. Moreover, when a recent United States District Court opinion (United States ex rel. Spray v. CVS Caremark Corp., 2:09-cv-04672 (E.D.PA Dec. 20, 2012)) is considered that upheld the nexus in liability between a covered entity and a subcontractor in relation to Medicare Part D claims submissions and the False Claims Act, covered entities can suffer consequences for not doing adequate due diligence and requesting substantiated assurances on a business associate’s subcontractor compliance.
Therefore, physicians should pay close attention not only to the correlation between the various provisions contained within the HITECH Act/HIPAA Final Rules but, also, current case law and other law. In doing so, along with coordinating with counsel, physicians may mitigate both their immediate and long-term liability risk.