The Press has announced that the Merger Agreement between UPMC and Washington Health System was approved by the Pennsylvania Attorney General with certain conditions, one of which was that UPMC would honor existing employment contracts and not impose restrictive covenants or non-compete agreements more restrictive than those that currently exist.
We will be researching that further and will provide whatever information we discover.
In light of the ongoing investigation of Change Healthcare’s ransomware attack that resulted in the improper disclosure of thousands of individuals’ PHI, now seems like a perfect time to discuss HIPAA’s requirements surrounding the notification process following a breach. Whether it’s a small breach where someone in your organization accidentally sent a patient’s contact information to the wrong individual, or a large breach where your system has been hacked and all your patient records have potentially been exposed, the Department of Health and Human Services lays out clear guidance for your next steps.
What is a breach?
Before diving into the required process following a breach, it may be helpful to discuss what is considered a breach in the first place.
Under the Breach Notification Rule, a breach has taken place when there is an unpermitted use or disclosure under the Privacy Rule that compromises the security or privacy of PHI. Whether or not a breach has occurred can be determined by a risk assessment that evaluates:
Unless the covered entity can demonstrate that there is a low probability that the PHI has been compromised, any impermissible use or disclosure of PHI is presumed to have been a breach.
The rule does provide for three exceptions to this definition:
Notification Requirements
When a covered entity determines that a breach has occurred, the covered entity must provide notification to (1) the individual, (2) the Department of Health and Human Services, and (3) in some situations, the media.
Individual Notification
The individual must be notified without unreasonable delay but no later than 60 days following the discovery of the breach.
In the notification, the individual must be provided:
This notification must be provided in the form of first-class mail but can be sent via email if the individual has agreed to receive such notices electronically. In the event that the covered entity is unable to contact 10 or more individuals affected by the breach, the covered entity must substitute the individual notice by either posting the notice on its website for a minimum of 90 days or by providing the notice in the media where the affected individuals likely reside. In these instances, the covered entity must include a toll-free phone number that remains active for at least 90 days where individuals can call to learn if their information was involved in the breach.
When a business associate is responsible for the breach, the covered entity remains the party responsible for providing notification to the individuals affected. In these situations, the business associate must notify the covered entity within 60 days.
Department of Health and Human Services Notification
The process for notifying the Secretary of the Department of Health and Human Services can be completed online on the HHS website (click here).
In breaches that affect 500 or more individuals, the Secretary must be notified without unreasonable delay but no later than 60 days following the discovery of the breach.
In breaches that affect less than 500 individuals, the notification requirement only needs to occur annually but no later than 60 days after the end of the calendar year in which the breach is discovered.
The Department of Health and Human Services maintains a list on its website of recent HIPAA breach cases under investigation (click here).
Media Notification
In situations where 500 individuals or more are affected by a breach, the covered entity must provide notice to the prominent media outlets covering the region where the affected individuals likely reside. This notice can be provided in the form of a press release, must include the same information as required for notifying the individuals, and must be provided without unreasonable delay but no later than 60 days following the discovery of the breach.
Conclusion
Navigating HIPAA compliance can be a confusing and burdensome task – we are here to help. If you’ve had a breach and are questioning what your next steps should be, or if you have a general question about how to better align your practice’s processes with HIPAA’s compliance requirements, please reach out at aappleberry@tuckerlaw.com or (412) 594-5532.
As expected, businesses have sued the FTC challenging the recent final rule that ends non-compete agreements, as reported by the Wall Street Journal Wednesday morning (read WSJ article here). The U.S. Chamber of Commerce challenged the final rule in federal court in East Texas, which has been joined by other business groups. A lawsuit was also filed by a tax-services firm, Ryan LLC, in Dallas.
According to the suit filed by the U.S. Chamber of Congress, courts have long understood the value of non-compete agreements for businesses in protecting their trade secrets and confidential information. When non-compete agreements are too restrictive, state governments have limited them. According to the Chamber’s suit, Congress never authorized the FTC to step in for the states to regulate these restrictive covenants.
In a Special Open Commission Meeting held this afternoon, the Federal Trade Commission voted to approve the final rule to ban non-compete agreements for for-profit businesses, the effective date of such ban being in 120-days.
Important items of note with the final rule:
The FTC acknowledged that much of the healthcare industry operates under a non-profit tax status, so this new rule would not apply to employees of those healthcare entities. The FTC staff encouraged Congress to review the impact that non-compete agreements have on healthcare professionals and to take similar action with non-compete agreements in the healthcare industry.
Numerous business groups have expressed opposition to the proposed ban leading up to today’s vote, citing that noncompete agreements allow businesses to protect confidential information as well as protect other business interests. The FTC stated that, although it considered these business justifications for non-compete agreements, the benefits from such claimed justifications do not justify the harm to workers created by non-compete agreements.
The Federal Trade Commission has announced that it will be holding a Special Open Commission Meeting on Tuesday, April 23, 2024, at 2pm EST regarding the rule to ban non-compete agreements (read the announcement here). The expectation for this meeting is that the FTC will disclose the proposed final rule followed by remarks by the FTC chair and will conclude with a Commission vote on the proposed final rule.
This Open Commission Meeting follows the proposed rule in January 2023 (available here) that proposed banning most employers from imposing non-compete agreements on their employees. This proposed rule was subject to a 90-day public comment period, during which the FTC received over 26,000 comments.
The Open Commission Meeting is open to the public and will be available via webcast here.
The Allegheny County Medical Society has reported that the Pennsylvania House of Representatives has passed a bill to bar non-compete agreements in healthcare employment. Click here for a copy of the Press Release, and a copy of the legislation. There are limitations:
It now goes to the Pennsylvania Senate.
In March of this year, The Office for Civil Rights of the Department of Health and Human Services issued a letter addressing the recent cybersecurity incident impacting many health care entities, primarily Change Healthcare, a unit of UnitedHealthcare Group (read the letter here). This incident was a great reminder of the constant vigilance required to protect patient health information in the age of remote healthcare, telehealth, and electronic health records.
In the wake of these recent cybersecurity events, safeguarding patient information has become paramount, prompting heightened scrutiny of HIPAA compliance. HIPAA, or the Health Insurance Portability & Accountability Act, provides for a series of rules relating to the protection of protected health information, or PHI. These rules apply to all covered entities and their business associates. As any provider knows, HIPAA compliance can become complicated and confusing. This article provides a high-level overview on three major components covered by HIPAA: The Privacy Rule, The Security Rule, and the Breach Notification Rule.
Privacy Rule
The Privacy Rule covers the process of protecting PHI while allowing for the secure transfer of PHI in the coordination of a patient’s care. PHI is any information that can be used to identify a patient, which can be electronic, paper, or verbal, and includes (1) common identifiers, such as name, address, birth date, social security number, etc., (2) a patient’s physical or mental health condition, whether past, present, or future, (3) the health care provided to the patient, and (4) payment information for a patient’s health care, whether past, present, or future.
Under the Privacy Rule, covered entities are required to (i) notify patients about their privacy rights and how their information will be used, (ii) adopt privacy procedures and train employees on such procedures, (iii) assign a security officer to ensure proper adoption and compliance with the privacy procedures, and (iv) secure patient records containing PHI so they do not become available to those who do not have a need to see them. The Privacy Rule also provides that patients are allowed access to examine and get a copy of their medical records and to request corrections to their medical records.
In order to facilitate patient care, covered entities may share information with doctors, hospitals, and ambulances for treatment, payment, and health care operations, even without a signed consent from the patient. If a provider feels as if she is acting in the patient’s best interest, the provider may share information about a patient, so long as proper safeguards against breach are taken. Unless a patient objects, the Privacy Rule allows for PHI to be given to family, friends, or anyone else the patient identifies as being involved in their care.
Security Rule
The Security Rule covers the requirements of how you are to protect PHI, including a patient’s electronic PHI, or ePHI. Under the Security Rule, a covered entity must (1) develop reasonable and appropriate security policies, (2) ensure the confidentiality, integrity, and availability of all ePHI, both while maintaining and transmitting such ePHI, (3) identify and protect against any possible security threats to ePHI, (4) prevent unauthorized uses or disclosures, (5) analyze security risks that may be present in the physical and cyber environments and create appropriate safeguards against such risks, (6) continually review and modify security measures to ensure continuous protection of ePHI, and (7) train all employees on appropriate handing of PHI for HIPAA compliance.
When a covered entity is developing its HIPAA compliance safety measures, it should take into consideration its size, complexity, and capabilities, its technical, hardware, and software infrastructure, and the costs of its security measures, all while balancing the likelihood and possible impact of risks to ePHI.
Breach Notification Rule
The Breach Notification Rule outlines the requirements for notifying patients and the Department of Health and Human Services in the event that there is a breach. In some instances, depending on the size and scale of the breach, there may even be a requirement to notify the media. A breach is generally defined as an unpermitted use or disclosure under the Privacy Rule that compromises the security or privacy of PHI. Whether or not a disclosure or unpermitted use has occurred can be determined by a risk assessment that evaluates (1) the nature and extent of PHI involved, (2) the unauthorized individual who used or gained access to the PHI, (3) whether an unauthorized individual actually acquired or viewed the PHI, and (4) the extent to which the covered entity or business associate reduced the PHI exposure risk.
If a breach affects the PHI of more than 500 patients, the covered entity must notify the Department of Health and Human Services without reasonable delay but no later than 60 days after discovery of the breach. In smaller breaches affecting 500 patients or less, the Department of Health and Human Services must be notified on an annual basis.
Conclusion
This high-level overview of three major HIPAA components is just the tip of the iceberg, and each rule referenced could even have several articles diving into its complexity and nuance. If you have a question about properly safeguarding PHI, what to do in the event of a breach, or just have a general HIPAA compliance question, engaging legal counsel can be a valuable resource. For more information, contact Adam Appleberry at aappleberry@tuckerlaw.com or (412) 594-5532.
The 2024 Consolidated Appropriations Act passed and signed on Saturday, March 23, 2024, increased of Medicare Conversion Factor from $32.7442 to $33.2875, an increase of slightly over $0.54.
During the American Bar Association’s 39th National Institute on White Collar Crime, the most senior executives of the DOJ (Attorney General Merrick B. Garland and Deputy Attorney General Lisa Monaco) delivered remarks promoting the success of DOJ compliance and enforcement by:
Here are links to the remarks of Attorney General Garland and Deputy Attorney General Monaco.
“On February 21, 2024, Change Healthcare, a subsidiary of UnitedHealth Group was the victim of the most significant cyberattack on the US healthcare system in American history. Change Healthcare is the predominant source of more than 100 critical functions that keep the healthcare system operating.”
This hack was first reported by the Wall Street Journal on February 23, 2024, in an article entitled “Hospitals and Pharmacies Reeling After Change Healthcare Attack”.
The Wall Street Journal further reported on March 1, 2024 in an article titled “Medical Providers Fight to Survive After Change Healthcare Attack” that medical practices have gone without revenue for well over a week as a result of the ransom or attack on Change Healthcare.
On March 7, 2024, the Wall Street Journal reported that “UnitedHealth Aims to Restore Change Healthcare Systems Within Two Weeks”.
