Pathology/Lab Coding Alert

HIPAA Compliance:

Take Heed of State Privacy-Law Enforcement

OCR isn’t the only watchdog now.

Your lab can’t afford to get complacent about HIPAA violations that could draw the ire of the HHS Office for Civil Rights (OCR).

Heads up: Now you might also need to steer clear of State Attorneys General (AGs) as they get in on the HIPAA enforcement action. Many states have tightened privacy and breach notification controls, creating stricter laws and bringing large-scale settlements rivaling OCR’s.

Focus: Data security should sit atop your lab’s to-do list, particularly with social engineering, hacking, and malware attacks on the rise. Now more than ever, covered entities (CEs) must review the gaps between federally mandated HIPAA rules and state-law updates to secure patients’ protected health information (PHI).

Grab This Quick Refresher

Providers must ensure that patients’ individually identifiable health information is protected and kept private, according to regulations set forth in the HIPAA Privacy Rule. However, the Rule also makes allowances for state laws that are “more stringent” or “contrary” to the federal mandates, and this falls under its “preemption” guidance.

What that means: When a state’s laws do not meet the federal standards or are “contrary” to the Rule, then HIPAA reigns. But the opposite is true for states whose regulations go above and beyond or are “more stringent” than HIPAA.

“In the unusual case where a more stringent provision of state law is contrary to a provision of the Privacy Rule, the Privacy Rule provides an exception to preemption for the more stringent provision of state law, and the state law prevails,” stresses OCR. The agency goes on to explain that “where the more stringent state law and Privacy Rule are not contrary, covered entities must comply with both laws.”

Change: “The role of states has definitely increased in HIPAA enforcement,” explains Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems, LLC in Charlotte, Vermont. “While there were more than a dozen enforcement resolution agreements handed down by HHS a couple of years ago, this year the rate seems to be about a quarter of that, so the pace of enforcement by HHS has certainly decreased.”

Sheldon-Dean points out that the states have stepped in as the federal indictments have diminished. “State attorneys general are now picking up the slack, as they are permitted to do so under the HITECH Act enforcement provisions. Penalties in the hundreds of thousands of dollars have recently been levied in both Massachusetts and New York state in cases where the state AGs felt that HHS was not acting decisively enough, and so filed suit in federal court.”

See How HIPAA Defines ‘Contrary’ and ‘More Stringent’

Discerning which path to follow — HIPAA or your state’s law — can be confusing. These definitions should help you find the way:

Contrary: In preemption wording, the best way to think of a “contrary” state law is to see it as an “obstacle” to following the HIPAA rules, according to 45 CFR, section 160.202. A CE “would find it impossible to comply with both the state and federal requirements,” and thus would refer to HIPAA as the overarching mandate, OCR guidance notes.

More stringent: For a state law to be considered “more stringent” and preempt HIPAA, the law must outline protections that are more comprehensive than the criteria outlined in 45 CFR, section 160.202.

“These laws generally provide additional protection for sensitive categories of data, such as behavioral health information, HIV test results, genetic testing and counseling information and drug and alcohol treatment information,” indicate attorneys Dianne J. Bourque and Jordan T. Cohen of national law firm Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, PC, in an analysis of the Rules.

They write, “State laws impose additional compliance requirements. They may also overlap, conflict with, and in many cases, preempt HIPAA.”

Review the nuances of 45 CFR, section 160.202 at www.gpo.gov/fdsys/pkg/CFR-2003-title45-vol1/xml/CFR-2003-title45-vol1-sec160-202.xml.

Prepare Now With Stronger Compliance Protocols

Over the last year, many states have clarified or updated their language on breach notification, encryption, personal information, timing, and more.

“Now all 50 states have some kind of a breach notification law, and states are adopting personal information privacy and security regulations, like the one California has slated for implementation in January of 2020,” Sheldon-Dean says. “Already, personal information protection is required of businesses in states like Massachusetts and Nevada, and [General Data Protection Regulation] GDPR-like privacy frameworks are in development at several levels of government.”

Tip: If your lab serves patients across state lines, you are subject to HIPAA and every state regulation where you administer care. “Many of these state laws can be applicable across state lines, so healthcare entities need to consider the laws of the state of residence of all of their likely patients, not just their local state laws,” reminds Sheldon-Dean.