The recent criminal conviction of a Massachusetts physician provides a stark reminder that violating HIPAA can result in more than civil monetary penalties and the financial and reputational fall-out that results from a breach. In this case, perhaps the cover-up was worse than the crime, or maybe prosecutors decided that a conviction on other charges would have been harder to get. Either way, the case should alert covered entities and business associates to the fact that HIPAA violations can result in jail time and criminal fines.

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) investigates complaints and may impose civil monetary penalties (CMPs) for violations of HIPAA.   The U.S. Department of Justice (DOJ) handles criminal investigations and penalties.  This may not provide much comfort, but a CMP will not be imposed if the HIPAA violation is determined to constitute a criminal offense.

OCR will refer matters to DOJ for criminal enforcement in some cases or will work cooperatively with DOJ where a DOJ investigation on other grounds reveals a potential HIPAA violation.  HHS reported that OCR had referred 688 cases to the DOJ for criminal investigation as of June 30, 2018.

The criminal enforcement of HIPAA was described in a Memorandum Opinion issued in 2005 jointly to HHS and the Senior Counsel to the Deputy Attorney General by Steven Bradbury, then-acting Assistant Attorney General of the Office of Legal Counsel within DOJ (the DOJ Memo). The DOJ Memo explains that HIPAA allows for criminal penalties only for violations that involve the disclosure of “unique health identifiers” or “individually identifiable health information” (IIHI) that are made “knowingly” and in violation of HIPAA.   Specifically, a person may be subject to criminal penalties if he or she knowingly (and in violation of HIPAA):  (i) uses or causes to be used a unique health identifier; (ii) obtains IIHI; or (iii) discloses IIHI to another person.  Criminal penalties range from misdemeanors to felonies.  The maximum criminal penalty (a fine of up to $250,000 and imprisonment of up to 10 years) can be imposed if one of these offenses is committed “with intent to sell, transfer, or use [IIHI] for commercial advantage, personal gain, or malicious harm.”  The DOJ Memo explains that “knowingly” refers to knowledge of the facts that constitute the offense, not knowledge of the law being violated (HIPAA).

The DOJ Memo emphasizes the fact that criminal penalties are reserved for limited and specific violations of HIPAA:  “Such punishment is reserved for violations involving `unique health identifiers’ and [IIHI]…  Thus, the statute reflects a heightened concern for violations that intrude upon the medical privacy of individuals.”  The DOJ Memo focuses on violations by covered entities. It notes that when a covered entity is not an individual, but is a corporate entity, the conduct of agents may be imputed to the entity when the agents act within the scope of employment, and the criminal liability of a corporate entity may be attributed to individuals in managerial roles.

DOJ might decide to seek a conviction for a violation of HIPAA when it believes such a conviction would be easier to get than a conviction for a violation of other federal laws governing health care providers (such as the anti-kickback statute).   After all, the DOJ Memo makes it clear that “knowing” refers to the conduct, not the state of the law.  However, it should be noted, as per the DOJ Memo, that the DOJ’s interpretation of “`knowingly’ does not dispense with the mens rea requirement of section 1320d-6 [HIPAA] and create a strict liability offense; satisfaction of the ‘knowing’ element will still require proof that the defendant knew the facts that constitute the offense.”

When a health care entity (like a large hospital system or health plan) has deep pockets, the OCR may decide to pursue very high civil monetary penalties and rely on the financial and reputational implications of the civil monetary penalties to act as a deterrence.  On the other hand, the DOJ may seek to deter behavior associated with a wider range of criminal activities by pursuing jail time for a HIPAA violation.

In the case of the Massachusetts physician, it is also likely that the DOJ pursued the criminal charge because she lied about her relationship with the third party to which she disclosed patient information. My law partner Charles DeMonaco, a white collar defense attorney and former DOJ prosecutor, agrees:

It is understandable why this doctor was indicted and convicted for these offenses.  She was accused of lying to the agents, which is always a major hurdle in a criminal case.  Even if an underlying crime cannot be established, a lie of a material fact to a government agent is a stand-alone false-statement felony.  It also establishes consciousness of guilt. The doctor could have asserted her Fifth Amendment privilege against self-incrimination to avoid talking to the government agents.  It is never a good thing for a doctor to speak with agents who are investigating the doctor’s conduct without counsel and without proper protection of limited use immunity being sought prior to the interview.  The government also proved that she accepted fees from the pharma company after providing the [IIHI] in violation of HIPAA.  Under these facts, it is not surprising that this case was brought as a criminal prosecution and that a guilty verdict was returned.

Everyone subject to HIPAA should be aware that a HIPAA violation involving disclosure or breach of IIHI may be the low-hanging fruit for criminal prosecutors originally focused on other violations of law.   In particular, covered entities should carefully evaluate arrangements with third parties that involve the sharing of IIHI with those parties for commercial/personal gain or commercial harm. If the sharing of IIHI is not permitted under HIPAA and commercial gain or harm is involved, these violations could result in the most severe level of criminal penalties, including significant jail time.

The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Whereas HIPAA applies to particular types or classes of data creators, recipients, maintainers or transmitters (U.S. covered entities and their business associates and subcontractors), GDPR applies much more generally – it applies to personal data itself. Granted, it doesn’t apply to personal data that has absolutely no nexus to the EU, but assuming it doesn’t apply to your U.S.-based entity simply because you don’t have a physical location in the EU is a mistake.

So when does GDPR apply to a U.S.-based covered entity, business associate, or subcontractor? As with HIPAA, the devil is in the definitions, so I’ve capitalized certain GDPR-defined terms below. GDPR is comprised of 99 articles set forth in 11 chapters, and 173 “Recitals” explain the rationales for adoption. Similar to the way regulatory preambles and guidance published by the U.S. Department of Health and Human Services (HHS) can be helpful to understanding HIPAA compliance, the Recitals offer insight into GDPR applicability and scope.

Under Article 3, GDPR applies:

(1) To the Processing of Personal Data in the context of the activities of an establishment of a Controller or Processor in the EU, regardless of whether the Processing takes place in the EU;

(2) To the Processing of Personal Data of data subjects who are in the EU by a Controller or Processor not established in the EU, where the Processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or

(b) the monitoring of their behavior as far as their behavior takes place within the EU; and

(3) To the Processing of Personal Data by a Controller not established in the EU, but in a place where EU member state law applies by virtue of public international law.

It is paragraph (2) that seems most likely to capture unwitting U.S.-based covered entities, business associates, and subcontractors that are not established in the EU (though Recital 22 offers further explanation of what it means to be Processing data in the context of the activities of an establishment).

Notably, paragraph (2) makes it clear that while the entity need not be located within the EU for GDPR to apply, the data subject must be. If the U.S. entity offers goods or services to, or monitors the behavior of, data subjects who are “in” the EU, GDPR likely applies. It is the location of the data subject, not his or her citizenship, residency or nationality, that matters. GDPR does not follow the data subject outside the EU, but it does follow the data subject (even an American) into the EU – so long as the Processing of the Personal Data takes place in the EU.

So what does this mean for the U.S.-based covered entity, business associate, or subcontractor not established in the EU? It should carefully review its website, marketing activities, discharge or post-service follow-up procedures, and any other activities that might involve the offering goods or services to, or monitoring the behavior of, individuals in EU. If GDPR applies, the company will need to analyze how its HIPAA privacy and data security policies are inconsistent with and fall short of GDPR requirements. The company, whether a covered entity, business associate, or subcontractor, should also make sure that none of its vendors process data on its behalf in the EU.

In addition to understanding where data subjects are located and where Processing takes place in order to determine GDPR applicability, covered entities, business associates and subcontractors must determine whether they are acting as Controllers or Processors in order to understand their GDPR compliance obligations.

This can create particular challenges for a business associate.  If a covered entity is subject to GDPR, a business associate that creates, receives, maintains or transmits Personal Data on behalf of the covered entity will either be acting as a Processor (for example, where the covered entity simply uses the business associates tools or services to conduct its business), or a Controller (for example, where the business associate reaches out directly to plan members or patients, such as by an email campaign).  If the business associate’s services agreement or business associate agreement makes no mention of the fact that the covered entity is subject to GDPR, the business associate may not know whether it is also subject to GDPR, let alone whether it is a Controller or Processor.

The bottom line is that focusing on compliance with HIPAA and other federal and state laws pertaining to privacy and security of personal information is not enough, even for companies that view themselves as operating solely within the U.S.  A thorough risk assessment should include not only careful consideration of HIPAA requirements, but of the potential applicability and compliance requirements of GDPR.

The Report to Congressional Committees of the U.S. Government Accountability Office (“GAO Report”), required under the 21st Century Cures Act, came out about a month earlier than required, but this early bird failed to catch what continues to be a wriggling worm – what can a covered entity charge for these copies?

As discussed in our February 2017 blog post, the Office for Civil Rights issued guidance (“OCR Guidance”) over 2 years ago attempting to clarify that HIPAA charge limits (to a “reasonable, cost-based fee”) apply when an individual (or a third party) requests access to the individual’s medical records. The HIPAA charge limits applicable to access requests apply even if state law permits higher charges for the copies. The OCR Guidance includes a table illustrating the differences between a HIPAA authorization and an access request and notes that the “primary difference” between the two being that one (the authorization) is a “permitted disclosure” and one (the access request) is a “required disclosure”.

In another of our posts on this topic (back in May of 2016), we highlighted the difficulty faced by a covered entity in knowing what amounts may be charged for medical records copies, particularly when a third party requests the copy. We noted HHS’s suggestion that the covered entity ask the individual “whether the request was a direction of the individual or a request from the third party.” The former would be an access request subject to charge limits and other HIPAA requirements, whereas the latter would be “merely a HIPAA authorization”. A wriggling worm, indeed.

The GAO Report attempts to pin down the worm. It describes three types of medical record requests:

*          a patient request, whereby the patient or former patient requests access to or a copy of medical records

*          a patient-directed request, whereby the patient or former patient requests that a copy of the patient’s medical records be sent directly to another person or entity (“For example, a patient might request that her medical records be forwarded to another provider because the patient is moving or wants a second opinion.”)

*          a third-party request, whereby a third party, such as an attorney, obtains permission from the patient (via a HIPAA authorization) to access the patient’s medical records

An explanatory footnote suggests that the first two types of requests are access requests under HIPAA (meaning that charge limits and other HIPAA requirements apply), while the third type of request is an authorization under HIPAA (meaning that the provider is not required to disclose the records and the access request charge limits do not apply). Later, the GAO Report states: “In contrast with patient and patient-directed requests, the fees for third-party requests are not limited by HIPAA’s reasonable, cost-based standard for access requests and are instead governed by state laws.”

Unfortunately, this is where the worm has a chance to get away. First, the example used to describe a patient-directed request implies that a patient access request is required for the provider to forward the medical records to another treating provider. In fact, HIPAA permits disclosure of medical records for treatment purposes without the need for a HIPAA authorization or access request (see OCR Guidance language following table), and, thus, charging even a “reasonable, cost-based” fee for such disclosures may be frowned upon by OCR. Second, these three examples overlook the possibility that a patient-directed request may come from a third party. An access request must be in writing, be signed by the individual, and clearly identify where the medical record copies should be sent, but HIPAA does not prohibit the individual from directing that a third party (such as the individual’s attorney) transmit the individual’s access request to the provider.

Moreover, a recent court decision further muddies this issue. In a February 2018 U.S. district court decision from Alabama, Bocage v. Acton Corp., the court rejected plaintiffs’ claim that they were overcharged search and retrieval fees in violation of HIPAA. The plaintiffs’ attorneys had requested medical records by way of HIPAA authorizations, so the court determined that the fee limitations associated with individual access requests did not apply. Unfortunately, while the decision quotes the OCR Guidance (“The [access request] fee limits apply … regardless of whether the access request was submitted to the covered entity by the individual directly or forwarded to the covered entity by a third party on behalf and at the direction of the individual (such as by an app being used by the individual)… ”), the decision incorrectly suggests that the individual’s attorney cannot be the third party making an access request on behalf of and at the direction of the individual.

The short-term fix for patients hoping to avoid high fees when requesting medical records? Make sure the request is not identified as a HIPAA authorization and, if you are requesting the records in connection with litigation, consider sending it yourself rather than directing your attorney to send it.

In 1973, President Richard Nixon’s Chief of Staff H.R. Haldeman warned White House Counsel John Dean against talking to prosecutors investigating the growing Watergate scandal, telling him “Once the toothpaste is out of the tube, it’s going to be very hard to get it back in,” and a useful idiom was born. Personal electronic data, including protected health information, once disclosed, can be equally difficult to recapture and contain.

A recent article in Slate entitled You Can’t Clean Up a Data Spill describes the obstacles to effectively remediating a data breach or improper disclosure in the wake of revelations about the breach involving Facebook data and Cambridge Analytica. As author April Glaser stated, “There’s no such thing as a cleanup site for data spills. That’s because when data leaks, it can be duplicated far faster than anyone can mop it up.”

Cambridge Analytica, a British political consulting firm, provided research, data mining and communication services to campaigns including those of Ted Cruz and Donald Trump. The firm claimed to have developed “psychographic” profiles of voters that could predict their personality traits and political leanings. The New York Times reported that the firm had harvested information from the Facebook profiles of over 50 million users without their permission, and a subsequent CNN report estimates the breach may have affected up to 87 million users. The firm’s chief executive has claimed that the data had been deleted when the improper acquisition was brought to their attention two years prior to the Times article. But how much toothpaste is still in circulation, and can anything be done to recover it?

Facebook founder Mark Zuckerberg has told CNN that Cambridge Analytica provided them with a formal certification from the firm that it had deleted all user data acquired through improper means. Unfortunately, even if that is accurate, it cannot address whether the data had been copied or further disclosed prior to such deletion. According to Slate:

Tracking down and searching where that data has gone will be incredibly difficult,” says Sarah Aoun, a digital security specialist and open web fellow at the Mozilla Foundation. “I’m not even sure it would be realistic.” Maybe it would be easier if the data was “watermarked,” meaning there was some tag on the data to indicate it was the Cambridge Analytica–obtained Facebook data. But Facebook didn’t do that, as Zuckerberg explained to Wired, and even if it had, Aoun says that “any identifiable trace relating it back to Facebook can be altered and then changed and could exist in 10 different shapes and forms online or in the hands of anyone.”

The Facebook/Cambridge Analytica breach is a sobering cautionary tale for covered entities and business associates subject to HIPAA who routinely handle large amounts of PHI. Once a breach occurs and is discovered, it may be impossible to definitively account for all data that may have been copied or transmitted. All the more reason to secure the cap on your EHR tube.

Many employers who have had it drilled into them that HIPAA applies to protected health information (PHI) of employees are often surprised to learn that the applicability of HIPAA to employee health information (EHI) is actually quite narrow.  HIPAA only applies to EHI related to the employer’s group health plans (such as medical, dental, employee assistance program (EAP) and health flexible spending arrangement (FSA)).  Employer-sponsored group health plans are HIPAA covered entities. Further, although this is true regardless of whether the group health plan is insured by an insurance company or self-insured by the employer, the employer will not generally have HIPAA compliance responsibilities for an insured group health plan if it does not receive any EHI other than for the limited purpose of enrollment activities, or summary health information for amending or terminating the plan or obtaining premium bids. Instead, for a fully-insured group health plan, HIPAA compliance will generally be handled by the insurance company, which is also subject to HIPAA as a covered entity.

HIPAA doesn’t apply to EHI that the employer obtains from a source other than its group health plans, such as medical information related to employment (including pre-employment physicals, drug testing results, medical leave or workers’ compensation) and information from other employment-related benefits that are not group health plans (such as life or disability insurance). This result does not change merely because the employee’s health information is PHI when held by a HIPAA-covered entity health care provider who tested or treated the employee before the information was transferred to the employer via a HIPAA-compliant authorization.

Even though EHI obtained by an employer for employment-related reasons or relating to non-group health plan benefits isn’t subject to HIPAA, this doesn’t mean the employer can throw caution to the wind.  Other federal and state laws (such as the Family and Medical Leave Act (FMLA), Americans with Disabilities Act (ADA) and state workers’ compensation laws) impose restrictions on the employer’s access to and use and disclosure of this EHI and impose obligations to maintain confidentiality of the EHI. These restrictions and obligations apply regardless of how the employer obtains the EHI (for example, even if obtained pursuant to an authorization signed by the employee or directly from the employee).

Because other laws protect EHI even when HIPAA does not, it’s often helpful for the employer to apply the same or similar safeguards to all EHI, even if HIPAA does not apply.  Applying HIPAA-like safeguards to EHI that isn’t subject to HIPAA not only will often bring the employer a long way towards complying with other federal and state laws that may apply; it may also avoid the necessity of categorizing types of EHI to determine what level of safeguards should be imposed.

The New York City skyline, including the Empire State BuildingIn a post on February 28, Fox associate Kristen Marotta discussed the privacy and security issues arising from the growing use of telemedicine, particularly for mental health treatment. Now on the firm’s Physician Law blog, Kristen continues her discussion of telepsychiatry by diving into recent developments in New York State surrounding the innovative practice model. Kristen notes new funding from the New York Office of Mental Health to expand its use, and breaks down the OMH regulations that psychiatrists and physicians will need to consider before offering telepsychiatry services.

We invite you to read Kristen’s piece.

In a recent New York Times op-ed piece entitled “How a Bad Law and a Big Mistake Drove My Mentally Ill Son Away,” the father of a young man involuntarily hospitalized under Florida’s Baker Act decries “privacy laws” for limiting his access to information about his son’s whereabouts and care.   If this account is accurate, it highlights the widespread confusion that surrounds  health care providers’ communication with family members.

The article’s author, Norman Ornstein, describes a disturbing incident in which his son Matthew’s landlord reported that Matthew’s behavior was putting himself in danger.  Based on the landlord’s report, which Ornstein later describes as a pretext for removing Matthew from the property, Ornstein and his wife agreed to authorize a 72-hour involuntary commitment under the Florida statute.  They later learned that Matthew had been seized by police and taken to the county mental health facility, where he was held for three days and released.  He reported:

But the staff members wouldn’t let us in. In fact, they said privacy rules meant that they could not even confirm that he was there. … The Baker Act allows 72 hours of involuntary observation to see whether someone is in fact an imminent danger to himself or others. Matthew was not, and after three awful days, he was put in a taxi and sent home. We were not informed when he was released.

Matthew had begun to struggle with mental illness at age 24, but his age at the time is not specified.  Since he was no longer a minor, his parents would not be “personal representatives” with access to all his health information absent a guardianship appointment, power of attorney, or similar process recognized under applicable law.  However, the facility would have been permitted to confirm his admission and general condition under the HIPAA “directory exception,” which states:

(a) Standard: Use and disclosure for facility directories

(1) Permitted uses and disclosure. Except when an objection is expressed in accordance with paragraphs (a)(2) or (3) of this section, a covered health care provider may:

(i) Use the following protected health information to maintain a directory of individuals in its facility:

(A) The individual’s name;

(B) The individual’s location in the covered health care provider’s facility;

(C) The individual’s condition described in general terms that does not communicate specific medical information about the individual; and

(D) The individual’s religious affiliation; and

(ii) Use or disclose for directory purposes such information:

(A) To members of the clergy; or

(B) Except for religious affiliation, to other persons who ask for the individual by name.

HIPAA also allows family members to be given information in order to locate an individual, and allows the sharing of protected health information directly relevant to the family members’ involvement with the individual’s health care or payment for such care.

(b) Standard: Uses and disclosures for involvement in the individual’s care and notification purposes

(1) Permitted uses and disclosures.

(i) A covered entity may, in accordance with paragraphs (b)(2), (b)(3), or (b)(5) of this section, disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, the protected health information directly relevant to such person’s involvement with the individual’s health care or payment related to the individual’s health care.

(ii) A covered entity may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual’s location, general condition, or death.

Finally, the facility could have simply asked Matthew if he agreed to allow the facility to notify his parents that he was being treated there. The Times account does not indicate whether the facility attempted to seek his consent, and it is possible that he was asked and refused.

The Office of Civil Rights (OCR) of the Department of Health and Human Services has addressed these concerns in a bulletin entitled HIPAA Helps Caregiving Connections –  HIPAA helps family and friends stay connected with loved ones who have a substance use disorder, including opioid abuse, or a mental or behavioral health condition:

If a family member, friend, or person you are caring for, has a mental health condition, substance use disorder (including opioid abuse), or other health problem, it can be difficult to stay connected if their condition worsens and they enter a health care facility for observation or treatment. HIPAA helps by allowing the health and mental health providers who treat your loved one to make decisions about communicating with his or her family and friends based on their professional judgment about what is best for the patient.

For Notification Purposes: HIPAA helps you stay connected with your loved one by permitting health professionals to contact you with information related to your family member, friend, or the person you are caring for, that is necessary and relevant to your involvement with the patient’s health care or payment for care. For example, if your loved one becomes disoriented, delirious, or unaware of their surroundings, due, for example, to opioid abuse or a mental health crisis, and arrives at a hospital emergency room for treatment, the doctors, nurses, and social workers may notify you of the patient’s location  and general condition. First, the staff will determine whether the patient agrees to share this information with you or if you are the patient’s personal representative.

If the patient is not able to make decisions (for example, due to being unconscious, sedated, severely intoxicated, or disoriented), then the doctors, nurses, and social workers may contact you without the patient’s permission when they determine that doing so is in the patient’s best interests.

To Help the Patient: HIPAA helps you to assist your loved one by permitting doctors, nurses, and social workers to share protected health information that is related to the care and assistance you are providing to your loved one. For example, if your adult son has been prescribed medication to treat anxiety, and you are helping him by providing supervision or housing, the discharge nurse may inform you what medication he will be taking, if he doesn’t object to sharing this information with you–as well as the side effects to watch for, or symptoms that indicate the medication isn’t working or isn’t being taken properly. If your son is unable to make health decisions independently, the nurse may decide to share this information with you if the nurse determines, using professional judgment, that it is in your son’s best interests.

See also Elizabeth Litten’s post following the Florida nightclub shootings in 2016:  Reflections on HIPAA Protections and Permissions in the Wake of the Orlando Tragedy

Some facilities tend to err on the side of caution when they are uncertain whether they are permitted to release information.  In addition, to the extent a state law affords greater privacy protections than those afforded under HIPAA, the state law protections will control.  However, erring on the side of caution when no HIPAA restriction applies and no other law affords greater privacy protections may actually exacerbate problems for the individual, particularly in the context of mental health.

 

 

Kristen Marotta writes:

Many believe that educated millennials are choosing to work in urban, rather than rural areas, during their early career due to societal milestones being steadily pushed back and the professional opportunities and preferences of a young professional. Recent medical school graduates are a good example of this dichotomy. The shortage of physicians in rural areas is a well-known phenomenon. Over the years, locum tenens staffing has helped to soften the impact and, recently, so has telemedicine.

Illustration of stethoscope and mobile phone, symbolizing telemedicineThe growing prevalence of telemedicine around the country is an important consideration for new physicians as they decide where to settle down and establish their careers.  In New York, medical graduates should be aware that a $500,000 federal grant was given to New York State’s Office of Mental Health this month, February 2018 by the U.S. Department of Agriculture Rural Development Distance Learning and Telemedicine program.  Using telemedicine to provide mental health services may be a productive and efficient way to deliver healthcare, not only because many mental health examinations would not have to be conducted in-person, but also because of the general shortage of psychiatrists and mental health providers to meet these patient needs. Now, medical graduates who would like to establish their lifestyle in a city can simultaneously care for patients living miles apart from them.

It is essential that health care providers engaging in telemedicine understand the implications of this practice model with respect to compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  Providers rendering health care services via telemedicine should update and adjust their security risk assessments and HIPAA privacy and security policies and procedures, because protected health information is likely to be created in two separate locations (i.e., the location of the provider and the location of the patient).  Providers should also make sure that their (or their practice’s) Notice of Privacy Practices has been updated to reflect the provision of services via telemedicine, so that the patient has the opportunity to make an informed decision about engaging in this type of health care. Additionally, new business associate agreements may be required with telehealth vendors that do not meet the narrow “mere conduit” exception and any new parties who will have access to the individual’s protected health information as a result of the provision of services via telemedicine. In connection with these efforts, Providers should research and conduct due diligence on vendors to confirm that they understand the services model and are HIPAA-compliant.

As telemedicine emerges and gains more traction in health care, state laws and regulations will also be created and/or updated, and physicians will need to keep abreast of these changes. A good example of this is the State of New York, which has an entire section of mental health regulations dedicated to telepsychiatry. Stay tuned to Fox Rothschild’s Physician Law Blog for further updates on these specific New York regulations, as well as the developments in telemedicine.

Kristen A. Marotta is an associate in the firm’s Health Law Department, based in its New York office.

Many employers who offer wellness programs to their employees may not have considered compliance with HIPAA privacy, security and breach notification rules (collectively, “HIPAA Rules”), since they don’t think of their wellness programs as a group health plan. Part 1 of this post covered why most employee assistance programs (“EAPs”) are subject to the HIPAA Rules. This part discusses wellness programs. As with EAPs, wellness programs must comply with the HIPAA Rules to the extent that they are “group health plans” that provide medical care.

A wellness program may be considered a group health plan in at least two common ways. First, if an employer offers a wellness program as part of another group health plan (e.g., a major medical plan), any individually identifiable health information collected from participants in the wellness program is protected health information (“PHI”) under the HIPAA Rules. In other words, if the wellness program is part of another group health plan, such as a major medical plan—for example, by offering incentives like premium reductions or lower cost-sharing amounts for major medical coverage based on participation in the wellness program—the wellness program will be subject to the HIPAA Rules.

Second, a wellness program will be a group health plan subject to the HIPAA Rules if it provides medical care to employees. Some benefits commonly provided by wellness programs are not medical benefits—a health risk assessment (“HRA”), for example, is typically a questionnaire intended to identify an employee’s possible health risks and to motivate the employee to make positive behavior changes to reduce those risks. HRAs are not medical care if they are not administered by medical professionals and are not intended to diagnose illness or prescribe treatment. Other non-medical benefits offered by wellness programs include exercise, nutrition, or weight loss programs, as long as they are not connected with or recommended in response to a medical practitioner’s diagnosis. A wellness program may also provide general health-related information, or referrals (if made by people without any special medical training), without providing medical care (and without triggering compliance obligations under the HIPAA Rules).

Other common wellness program benefits, however, may provide medical care. A biometric screening (often conducted in conjunction with an HRA) is typically medical care because it often involves a blood draw, labs and a clinical assessment of an employee’s health and is intended to diagnose, or indicate an increased risk of, certain health conditions (heart disease, diabetes, etc.). Wellness programs also often include disease management and smoking cessation services, which are considered medical care because they are designed to assist with specific health conditions. Even something as simple as an employee flu shot is medical care, whether or not it is part of another group health plan. Individualized health coaching by trained nurses or counseling provided by trained counselors also would be considered medical care. Providing any of this medical care through a wellness program may lead to unexpected compliance obligations under the HIPAA Rules.

Employers/plan administrators facing unexpected compliance obligations under the HIPAA Rules because of a self-insured wellness program that provides medical care will need to enter into a the HIPAA Rules business associate agreement with the wellness program vendor, amend the plan document for the wellness program to include language required by the HIPAA Rules and develop and implement other compliance documents and policies and procedures under the HIPAA Rules. One option is to amend any existing compliance documents and policies and procedures in place under the HIPAA Rules for another self-insured group health plan (such as a major medical plan) to make them apply to the wellness program as well. If the wellness program is the plan administrator’s only group health plan for which it has compliance responsibility under the HIPAA Rules, the plan administrator should consult with legal counsel to develop and implement all necessary documentation for compliance under the HIPAA Rules.

 

 

 

 

 

 

 

 

You may be surprised to learn that those “extra” benefits your company offers to its employees such as your employee assistance program (“EAP”) and wellness program likely are subject to the HIPAA privacy, security and breach notification rules (collectively, “HIPAA Rules”). Part 1 covers why most EAPs are subject to the HIPAA Rules. Part 2 will discuss wellness programs. In both cases, EAPs and wellness programs must comply with the HIPAA Rules to the extent that they are “group health plans” that provide medical care.

As background, the HIPAA Rules apply to “covered entities” and their “business associates.” Health plans and most healthcare providers are “covered entities.” Employers, in their capacity as employers, are not subject to the HIPAA Rules. However, the HIPAA Rules do apply to any “protected health information” (“PHI”) an employer/plan administrator holds on a health plan’s behalf when the employer designs or administers the plan.

Plan administrators and some EAP vendors may not consider EAPs to be group health plans because they do not think of EAPs as providing medical care. Most EAPs, however, do provide medical care. They are staffed by health care providers, such as licensed counselors, and assist employees who are struggling with family or personal problems that rise to the level of a medical condition, including substance abuse and mental health issues. In contrast, an EAP that provides only referrals on the basis of generally available public information, and that is not staffed by health care providers, such as counselors, does not provide medical care and is not subject to the HIPAA Rules.

A self-insured EAP that provides medical care is subject to the HIPAA Rules, and the employer that sponsors and administers the EAP remains responsible for compliance with the HIPAA Rules because it acts on behalf of the plan.   On the other hand, for an EAP that is fully-insured or embedded in a fully-insured policy, such as long-term disability coverage, the insurer will have the primary obligations for compliance with the HIPAA Rules for the EAP. The employer will not be responsible for overall compliance with the HIPAA Rules for an insured EAP even though it provides medical care, but only if the employer does not receive PHI from the insurer or only receives summary health information or enrollment/disenrollment information. Even then, the employer needs to ensure it doesn’t retaliate against a participant for exercising their rights under the HIPAA Rules or require waiver of rights under the HIPAA Rules with respect to the EAP.

An EAP that qualifies as an “excepted benefit” for purposes of HIPAA portability and the Affordable Care Act (as is most often the case because the EAP is offered at no cost, eligibility is not conditioned on participation in another plan (such as a major medical plan), benefits aren’t coordinated with another plan, and the EAP does not provide “significant benefits in the nature of medical care”) can be subject to the HIPAA Rules. In other words, just because you’ve determined that your EAP is a HIPAA excepted benefit doesn’t mean the EAP avoids the HIPAA Rules. Most EAPs are HIPAA excepted benefits, yet subject to full compliance with the HIPAA Rules.

Employers/plan administrators facing unexpected compliance obligations under the HIPAA Rules because of a self-insured EAP that provides medical care will need to enter into a HIPAA business associate agreement with the EAP vendor, amend the EAP plan document to include language required by the HIPAA Rules and develop and implement other compliance documents and policies and procedures under the HIPAA Rules. One option is to amend any existing compliance documents and policies and procedures under the HIPAA Rules for another self-insured group health plan to make them apply to the EAP as well. If the EAP is the plan administrator’s only group health plan for which it has compliance responsibility under the HIPAA Rules, the plan administrator should consult with legal counsel to develop and implement all necessary documentation for compliance with the HIPAA Rules.