This article was reprinted with permission from Michael Volkov’s Corruption Crime & Compliance.
Everyone old enough to remember will recall Y2K – the year our world was supposed to end in a catastrophic transition from December 31, 1999 to January 1, 2000. Instead, since we are still here, we all recall what happened: nothing.
September 23, 2013 was the day when the new HIPAA regulations for covered entities came into effect. Despite all the whining and predictions of disaster, we all continue to exist and the world did not end. What happened? A lot has happened.
The regulations gave all covered entities 180 days to comply with the new HIPAA requirements, which impose new and significant obligations on covered entities to revise their HIPAA policies. Covered entities should have updated their HIPAA compliance policies and procedures, their notices of privacy practices and their business associate agreements for protecting sensitive health information from disclosure.
The key areas to change included:
Patients’ authorizations or restrictions on protected health information (PHI) disclosures: Covered entities have to: (1) honor patients’ requests to restrict disclosure of PHI to a health insurance plan when a patient pays for the service out-of-pocket; (2) obtain patient approval to sell the patient’s PHI, which includes direct or indirect payments from other parties for PHI; (3) obtain patient authorization to cover all treatment and health care communications where the covered entity may obtain money from a third party (e.g., a drug or device company); and (4) permit patients to obtain an electronic record of their PHI.
Breach notification: Covered entities have to notify patients of a breach of their PHI, including an impermissible use or disclosure of PHI (unless the covered entity demonstrates that there is a low risk that PHI was compromised).
Fundraising notices: Covered entities have to give patients an opportunity to opt out of receiving fundraising notices.
Training: Covered entities should have updated their HIPAA training programs.
Notice of privacy practices: Documentation must be updated and redistributed to reflect the changes to privacy and security practices. The NPP has to explain to patients that: they will be notified if their PHI is subject to a breach; they may opt out of fundraising communications; their PHI may be communicated to a health plan; and any uses and disclosures beyond those described in the NPP require patient authorization, including any “sale of PHI.”
Covered entities must make the NPP available upon request, distribute the modified notice to new patients, and display the NPP at the office, including on the website.
Finally, with respect to business associate agreements (BAA), covered entities were required to review all vendor relationships to ensure compliance with new regulations. Each vendor who creates, receives, maintains or transmits PHI must have a BAA in effect.
The covered entity has until September 22, 2014 to amend BAAs entered into prior to January 25, 2013. Updated BAAs must include provisions requiring the business associate to share responsibility for breach notifications and the protection of PHI. The BAA must also obligate the business associate to secure similar protections from its subcontractors.