What OIRA’s HIPAA agenda means for providers

October 25, 2018
Rachel V. Rose, JD, MBA

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.

Following the Anthem settlement, the Fall 2018 Unified Agenda of Regulatory and Deregulatory Actions doubles down on HIPAA privacy and enforcement efforts.

Earlier this month, the Office of Information and Regulatory Affairs (OIRA) posted the Fall 2018 Unified Agenda of Regulatory and Deregulatory Actions, including three items related to the Health Insurance Portability and Accountability Act (HIPAA).

Twice a year, OIRA analyzes the anticipated regulatory activity from a variety of federal agencies in the coming year. For the Department of Health and Human Services (HHS), the regulatory agenda extends beyond the usual litany of payment rule updates. Some areas of focus for HHS include care coordination (e.g., Stark Law and Anti-Kickback Statute Reforms); HIPAA; the Health Information Technology for Economic and Clinical Health Act (HITECH Act); and the opioid epidemic.

Let’s sidestep for a moment. At almost the same time that OIRA posted its agenda, HHS announced its largest-ever HIPAA settlement. Anthem, Inc., an independent licensee of the Blue Cross and Blue Shield Association, agreed to pay $16 million and to take corrective measures following significant breaches of the HIPAA Privacy and Security Rules.

Anthem self-disclosed on its breach report to HHS, dated March 13, 2015, that the breach affected nearly 79 million people. Approximately six weeks earlier, Anthem had discovered that cyber-attackers had infiltrated its IT systems in what was characterized as an advanced persistent threat (APT): not a single exploit, but a sustained, targeted intrusion in which the attackers maintained access over time. The initial foothold came from spear phishing emails, the attackers’ preferred form of social engineering. Spear phishing is a targeted and personalized attack that often appears to come from an individual within the recipient’s own company or from someone the target knows personally, which is precisely why it defeats the generic awareness training many organizations rely on.

Stepping back to the HIPAA-related activity noted in the OIRA agenda, the record settlement with Anthem, coupled with the following priorities, should make the next year interesting, to put it mildly. Here are three key HIPAA/HITECH areas to watch:


HIPAA Privacy Rule: Request for information on changes to support, and remove barriers to, coordinated care.

According to the agenda, a request for information (RFI) is scheduled for publication in November 2018. Specifically, the RFI solicits public comment on whether provisions of the HIPAA rules “present barriers that limit or discourage coordinated care and case management among hospitals, physicians (and other providers), payers, and patients, or otherwise impose regulatory burdens that may impede the transformation to value-based healthcare without providing commensurate privacy or security protections for patients' protected health information (PHI) and while maintaining patients’ ability to control the use or disclosure of their PHI and to access PHI.”

The RFI also seeks comment on a number of particular issues, including: methods for disclosing patients’ PHI; patients’ receipt of providers’ notice of privacy practices; creation of a safe harbor for good faith disclosures of PHI for the purposes of care coordination or case management; PHI disclosures without patients’ authorization for treatment, payment, and health care operations; and the minimum necessary standard/requirement.

This RFI would subsume the previous 0945-AA08 entry in the Regulatory Agenda.


HIPAA Enforcement Rule: Sharing civil money penalties or monetary settlements.

As required under the HITECH Act, an RFI is scheduled for January 2019 on whether, and by what methodology, individuals harmed by a HIPAA violation should receive a share of any civil money penalty or monetary settlement.


HIPAA Privacy Rule: Presumption of good faith of healthcare providers.

This specifically relates to the opioid epidemic and would make numerous changes to the Privacy Rule regarding the use and disclosure of PHI in certain circumstances.

In sum, there are a lot of balls in the air. For physicians, one thing is certain: the emphasis on HIPAA is not going away. In light of the record settlement with Anthem and the potential for a “HIPAA whistleblower program,” now, more than ever, physicians need to assess their compliance on an ongoing basis.
