
The importance of collectively reading law addressing similar subject matter
Think HIPAA is the only law that matters for patient data privacy? Think again — mapping the complex legal web every physician and practice manager must understand to truly stay compliant.
I can still remember the first time that I heard the phrase in pari materia – a Latin phrase meaning “on the same subject.” (BLACK’S LAW DICTIONARY 911 (10th ed. 2009)). I was attending my Health Law class at Vanderbilt and the topics of the Anti-Kickback Statute (AKS) and the Physician Self-Referral Law (Stark) were being taught by a law school professor, who to this day is still one of my favorite professors and remains a mentor of mine.
As many persons involved in health care know both the
Where else in health care does the doctrine of in pari materia arise, prompting persons to read more than one statute because those statutes center on the same subject or conduct? Health data privacy and security!
A common trap that organizations fall into is focusing solely on the Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191 (Aug. 21, 1996) (HIPAA) and the related Privacy Rule, Security Rule and Breach Notification Rule, as well as related updates to these rules (e.g., Final Omnibus Rule, 78 Fed. Reg. 5566 (Jan. 25, 2013)) (collectively, the “HIPAA Rules”). Not considering similar state laws (e.g., Texas HB 300 (Sept. 2012)), the Federal Trade Commission’s (FTC) Health Breach Notification Rule (HBNR), 16 CFR Part 318, which was promulgated as directed by Congress in the Health Information Technology for Economic and Clinical Health Act, Pub. L. 111-5 (Feb. 2009) (HITECH Act), and the Federal Trade Commission Act (FTC Act) can lead to a false sense of security that other government agencies – whether state or federal – do not have authority to take enforcement action over health information privacy and security breaches. They do indeed.
What follows is a roadmap of which laws to read in conjunction with each other in order to understand the complete scope of compliance with health data privacy and security requirements.
First, the type of health data must be ascertained. Pursuant to
- Health information under HIPAA means “any information, including genetic information, whether oral or recorded in any form or medium, that: (1) [i]s created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) [r]elates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.” By way of contrast, the FTC’s interpretation of “health information” is broader and “includes more than treatments and diagnoses. Rather, it’s anything that conveys information or enables an inference about a consumer’s health. For example, browsing information, location information (e.g., data showing a consumer visited a cancer center) or purchase information (e.g., data showing a consumer purchased a home pregnancy test) can convey health information. To avoid violating the FTC Act, take a broad view of what constitutes health data and handle it accordingly.” (emphasis added).
- PHI means individually identifiable health information that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium. PHI excludes individually identifiable health information: (i) [i]n education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) [i]n records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) [i]n employment records held by a covered entity in its role as employer; and (iv) [r]egarding a person who has been deceased for more than 50 years. Additionally, DODM 6025.18 and DODI 6025.18 exclude information that has been de-identified in accordance with the HIPAA Privacy Rule.
- IIHI means information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.