Protected Health Information (PHI)

Our colleague at Epstein Becker Green has a post on the Technology Employment Law blog that will be of interest to our readers in the health care industry: “The GDPR Soon Will Go Into Effect, and U.S. Companies Have to Prepare.”

Following is an excerpt:

The European Union’s (“EU’s”) General Data Protection Regulations (“GDPR”) go into effect on May 25, 2018, and they clearly apply to U.S. companies doing business in Europe or offering goods and services online that EU residents can purchase. Given that many U.S. companies, particularly in the health care space, increasingly are establishing operations and commercial relationships outside the United States generally, and in Europe particularly, many may be asking questions akin to the following recent inquiries that I have fielded concerning the reach of the GDPR:

What does the GDPR do? The GDPR unifies European data and privacy protection laws as to companies that collect or process the personally identifiable information (“PII” or, as the GDPR calls it, “personal data”) of European residents (not just citizens). …

Read the full post here.

By Frank C. Morris, Jr.

The Ebola virus disease (“Ebola”) has become a worldwide threat, which, among many other effects, has forced employers to think about how to protect their employees. Employers also must consider how Ebola might impact employment policies and procedures, including, but not limited to, those addressing attendance, leaves of absence, discipline, and medical testing.

My colleagues and I have written a detailed Act Now advisory that lays out the legal framework, best practices, and legal risks pertaining to Ebola.

Click here to read the advisory in its entirety.

Several colleagues and I recently wrote Health Reform: Key Compliance Actions for the New HIPAA Privacy Regulations, an alert published by the Implementing Health and Insurance Reform team of Epstein Becker Green.

In it, we summarized the areas in which employers should consider taking action prior to September 2013 to facilitate compliance with the new requirements. Here are our top five action items for covered entities and business associates to focus on in their Omnibus Rule compliance efforts:

  1. Review Business Associate Relationships, and Update Business Associate Agreements;
  2. Evaluate Compliance with Heightened Safeguard Requirements;
  3. Update Notices of Privacy Practices;
  4. Update Privacy Policies and Procedures; and
  5. Update Policies Regarding Determination of Breaches of Unsecured PHI.

The following is an excerpt from the alert:

In light of the Omnibus Rule’s new requirements, business associates and covered entities should strongly consider reviewing their existing HIPAA privacy and security practices, including compliance policies and business associate agreements. While the Omnibus Rule takes effect on March 26, 2013, affected parties have until September 23, 2013, to come into compliance with most of its provisions. This alert reviews several of the regulatory changes and suggests action items to facilitate compliance with the new requirements.

Read the full version on

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule provides standards for the use and disclosure of “individually identifiable health information,” dubbed protected health information, or PHI. PHI is information, including demographic information, that relates to an individual’s physical or mental health, the provision of health care to the individual, or payment for the provision of health care to the individual. Such information constitutes PHI if it identifies the individual or if there is a reasonable basis to believe it can be used to identify the individual to whom the health information pertains. Thus, PHI includes many everyday identifiers (e.g., name, address, birth date, Social Security number) that can be associated with an individual’s health information.

With the rapid advancement in information analytic technologies, the ability to combine large, complex data sets from various sources into a powerful tool for advancement in health care protocols is accelerating.  These same analytic technologies, however, enhance the ability to use publicly available demographic information to associate an individual’s health information with that individual.  In order to balance the potential utility of health information, even when it is not individually identifiable, against the risk that the subject of the information might be identified, the Privacy Rule provides two methods of de-identification: (1) determination by a qualified expert; and (2) removal of specified identifiers.


The HIPAA Privacy Rule provides a safe harbor for de-identification that requires the complete removal of each of 18 types of identifiers. However, the removal of these identifiers, such as birth date, dates of admission, discharge, and death, and any indication of an age over 89, may render the data set less useful as a research tool. To provide some flexibility, the Rule allows use of other de-identification strategies where an expert determines “that the risk is very small that the information could be used, alone or in combination with other reasonably available information” to identify the subject of the information. § 164.514(b). Beyond this rather limited language, the Rule itself offers no guidance on how the standard applies to real-life circumstances. As a result, the Office for Civil Rights of the United States Department of Health and Human Services (OCR), the entity charged with enforcement of the Privacy Rule, has recently issued guidance regarding methods for de-identifying PHI that would satisfy the Rule. See Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.


Beginning with the level of expertise needed by an “expert” in order to provide a de-identification opinion under HIPAA, the Rule requires “[a] person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable . . .” § 164.514(b). The guidance confirms that no specific professional degree or certification exists for such expertise. Relevant expertise may be obtained through many types of experience in the scientific, mathematical, statistical, or other arenas. Whether a particular individual is such an expert under the Privacy Rule is a judgment to be exercised based upon the relevant professional experience and training of the individual.

Likewise, there is no specific statistically determined numerical level of identification risk that will constitute a “very small” risk that the subject individual may be identified. The guidance indicates that this risk depends upon many factors that must be taken into account. The assessed risk of identification for a particular data set in the context of one environment may not be the same for that data set in a different environment, or for a different data set in the same environment. Similarly, since technology and the availability of information are rapidly changing, the level of risk for even the same data set in the same environment may change over time. Thus, the guidance confirms that no specific process must be used to reach a conclusion that the risk of identification is very small.

What the expert must do is: (1) evaluate the extent to which the health information itself is identifiable; (2) provide advice on the methods that can be applied to mitigate the risk; (3) consider what data sources may be available (such as voter registration records) for use in identification; and (4) confirm that the identification risk of the resulting product is no more than very small. This analysis will include such factors as the degree to which the data set can be matched to a data source that reveals the identity of the individuals, such as matching a birth date and zip code combination in a health record to the same birth date and zip code combination in a voter registration record. The accessibility of the alternative data sources should also be considered by the expert. For example, the presence of patient demographics in the data set is high-risk, as they potentially can be matched with data that appears in public records, while clinical features and event-related time frames pose a much lower risk. Certain combinations of values may, for similar reasons, increase the risk of identification.

Consistent with this theme, the Privacy Rule also does not prescribe any particular approach to mitigating whatever risk of identification does exist. The expert should choose from various measures, such as suppression of an entire category of data, suppression of some individual records, or generalization of a particular measure into a band of values, when necessary to reduce the risk of identification. The OCR also suggests limiting redisclosure of the data set through agreement as a mitigation methodology.
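The two de-identification paths described above, the safe harbor (strip the named identifier types, keep only the year of dates, collapse ages over 89) and the expert determination (measure how readily a record links to an external source such as a voter file, then suppress or generalize until the match set is no longer unique), can be made concrete in code. The following is an added example written for this page, not code from the original post or from OCR; the patient records, the voter file, the field names, and the 2013-01-01 reference date are all constructed for illustration, and only the identifier types the post itself names are handled (the full safe harbor lists 18 categories, and its zip code rule is more detailed than the 3-digit truncation used here).

```python
"""Added example: safe-harbor style de-identification plus a linkage-risk check.

Every record below is constructed for illustration; none is real data.
"""
from collections import Counter
from datetime import date

# Identifier fields the post names; the safe harbor suppresses these entirely.
DIRECT_IDENTIFIERS = {"name", "address", "ssn"}
# Dates directly related to the individual: only the year may be kept.
DATE_FIELDS = {"birth_date", "admit_date", "discharge_date", "death_date"}
AGE_CAP = 90  # ages over 89 are aggregated into a single "90 or older" value

# Constructed health records (assumed field layout).
PATIENTS = [
    {"name": "A. Example", "address": "1 Main St", "ssn": "000-00-0001",
     "birth_date": date(1950, 3, 14), "zip": "75201", "admit_date": date(2012, 7, 2),
     "discharge_date": date(2012, 7, 5), "death_date": None, "diagnosis": "J18.9"},
    {"name": "B. Example", "address": "2 Oak Ave", "ssn": "000-00-0002",
     "birth_date": date(1925, 11, 30), "zip": "75201", "admit_date": date(2012, 8, 1),
     "discharge_date": date(2012, 8, 9), "death_date": None, "diagnosis": "I10"},
    {"name": "C. Example", "address": "3 Elm Rd", "ssn": "000-00-0003",
     "birth_date": date(1920, 11, 30), "zip": "75201", "admit_date": date(2012, 9, 3),
     "discharge_date": date(2012, 9, 4), "death_date": None, "diagnosis": "E11.9"},
]

# Constructed "public" voter file an adversary could reasonably obtain.
VOTERS = [
    {"name": "A. Example", "birth_date": date(1950, 3, 14), "zip": "75201"},
    {"name": "B. Example", "birth_date": date(1925, 11, 30), "zip": "75201"},
    {"name": "C. Example", "birth_date": date(1920, 11, 30), "zip": "75201"},
    {"name": "D. Other", "birth_date": date(1950, 9, 1), "zip": "75204"},
    {"name": "E. Other", "birth_date": date(1950, 1, 20), "zip": "75210"},
    {"name": "F. Other", "birth_date": date(1925, 2, 2), "zip": "75209"},
]


def age_on(birth_date, reference):
    """Whole years between birth_date and reference."""
    years = reference.year - birth_date.year
    if (reference.month, reference.day) < (birth_date.month, birth_date.day):
        years -= 1
    return years


def safe_harbor(record, reference=date(2013, 1, 1)):
    """Return a copy of record with identifiers suppressed or generalized."""
    out = {}
    age = age_on(record["birth_date"], reference) if record.get("birth_date") else None
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                                  # suppress the whole field
        if field in DATE_FIELDS:
            out[field] = value.year if value is not None else None
        elif field == "zip":
            out[field] = value[:3]                    # generalize to a 3-digit prefix (simplified)
        else:
            out[field] = value                        # clinical values are kept as-is
    if age is not None:
        out["age"] = min(age, AGE_CAP)
        if age > 89:
            out["birth_date"] = None                  # even the year would reveal an age over 89
    return out


def linkage_counts(records, external, record_key, external_key):
    """For each record, how many external rows share its quasi-identifier key.

    1 means the record links to exactly one person in the external source;
    None means a key component was suppressed, so the key cannot be used at all.
    """
    index = Counter(external_key(row) for row in external)
    result = []
    for rec in records:
        key = record_key(rec)
        result.append(None if None in key else index[key])
    return result


def run_example():
    """Compare linkage risk before and after safe-harbor generalization."""
    deid = [safe_harbor(p) for p in PATIENTS]
    raw_key = lambda r: (r["birth_date"], r["zip"])
    before = linkage_counts(PATIENTS, VOTERS, raw_key, raw_key)
    after = linkage_counts(deid, VOTERS,
                           lambda r: (r["birth_date"], r["zip"]),
                           lambda v: (v["birth_date"].year, v["zip"][:3]))
    return deid, before, after


if __name__ == "__main__":
    deid, before, after = run_example()
    for rec, b, a in zip(deid, before, after):
        print(rec, "| voter matches: raw =", b, "| generalized =", a)
```

With full birth date and five-digit zip, every constructed patient matches exactly one voter row, which is the “high risk” demographic linkage the guidance warns about; after generalization to birth year and a three-digit prefix the match sets grow (or the key disappears for the over-89 record), which is the kind of measurement an expert would repeat against each reasonably available external source before concluding the residual risk is very small.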

In sum, the OCR has made clear, through the publication of the de-identification guidance, that the Privacy Rule’s intention is to provide maximum flexibility in the design of data sets derived from protected health information, so long as the ultimate goal, limiting the risk that an individual will be re-identified from the data set to a “very small” possibility, is served.

In the wake of Hurricane Sandy, employers with employees and operations impacted by Hurricane Sandy are asking what types of tax and employee benefits relief may be available to them and their affected employees.  The Internal Revenue Service (“IRS”), the Department of Labor (“DOL”) and the Pension Benefit Guaranty Corporation (“PBGC”) have moved quickly to provide disaster relief guidance for affected employers and their employees.

IRS Relief.  In response to Hurricane Sandy, on November 2, 2012, the IRS in IR-2012-84 declared Hurricane Sandy a “qualified disaster” for federal income tax purposes under Section 139 of the Internal Revenue Code of 1986, as amended (the “Code”).  The IRS then acted to institute the following relief measures:

  • Qualified disaster relief payments.  The designation of Hurricane Sandy as a “qualified disaster” under Code Section 139 allows employers to make “qualified disaster relief payments” for expenses resulting from or attributable to Hurricane Sandy.  Qualified disaster relief payments are excluded from the employees’ federal gross income and are not wages for purposes of employment taxes.  Qualified disaster relief payments are defined as payments that are not covered by insurance made for personal, family, living or funeral expenses resulting from the qualified disaster, including the costs of repairing or rehabilitating personal residences damaged by the qualified disaster and replacing their contents.
  • Sharing and/or donating accrued vacation, sick and PTO leave.  On November 6, 2012, the IRS announced in IR-2012-88 and IRS Notice 2012-69 that employees will be permitted to forgo vacation, sick or personal leave and contribute the value of the leave as a cash payment for the relief of victims of Hurricane Sandy.  The cash payments may be contributed to a Code Section 170(c) private foundation, including an employer-sponsored foundation, for the relief of victims of Hurricane Sandy, as long as those amounts are paid to the organization on or before January 1, 2014.  The leave contributed by an employee will not be included in the employee’s gross income or wages and the right to make a contribution will not result in constructive receipt for purposes of income or employment taxes.  Electing employees, however, may not claim a charitable contribution deduction under Section 170 for the value of the cash payment.  On November 6, 2012, the IRS also announced in IR-2012-87 an expedited review and approval process for Code Section 170(c) private foundations that are newly established to help individuals impacted by Hurricane Sandy.
  • Delay of tax filing deadlines to February 1, 2013.  On November 2, 2012, the IRS announced in IR-2012-83 that certain taxpayers affected by Hurricane Sandy will be eligible for federal tax filing and payment relief.  Affected individuals and businesses located in certain counties of the States of Connecticut CT-2012-48 (effective October 27), New Jersey NJ-2012-47 (effective October 26), New York NY-2012-47 (effective October 27) and Rhode Island RI-2012-30 (effective October 26), as well as relief workers working in those areas, will have until February 1, 2013 to file certain tax returns and pay any taxes due.  This includes the filing of the fourth quarter individual estimated tax payment, payroll and excise taxes for the third and fourth quarters, and Form 990 and Form 5500 if the deadlines or extensions occur during the applicable extended filing period.  The extension does not apply to Forms W-2, 1098 and 1099, or Forms 1042-S and 8027.  The IRS is also waiving failure-to-deposit penalties for federal and excise tax deposits due on or after the applicable disaster area effective date through November 26, 2012 if the deposits are made by November 26, 2012.
  • Expansion of hardship distributions and participant loans under 401(k) plans, 403(b) plans and 457(b) plans.  On November 16, 2012, the IRS announced in IR-2012-93 and IRS Notice 2012-44 that a qualified retirement plan will not be treated as violating any tax qualification requirements if it makes hardship distributions for a need arising from Hurricane Sandy or loans to employees or former employees whose primary residence or place of employment is in a qualified disaster area.
    • Hardship distributions and loans also may be made to employees who have relatives living in the qualified disaster area impacted by Hurricane Sandy.  Relatives for this purpose include an employee’s grandparents, parents, children, grandchildren, dependents, or a spouse.
    • Certain documentation and procedural requirements, and other limitations, are not required if the plan administrator makes a good-faith diligent effort to satisfy those requirements and the plan administrator, as soon as practicable, uses reasonable efforts to assemble any forgone documentation.
    • If the plan does not provide for loans or hardship distributions, the plan may be amended to allow for Hurricane Sandy distributions no later than the end of the first plan year beginning after December 31, 2012.
  • Code Section 409A deferred compensation plans.  Hurricane Sandy may qualify as an “unforeseeable emergency” affecting a service provider that allows for a distribution under a nonqualified deferred compensation plan subject to Code Section 409A.  Though not clear, it may be possible for a plan to be amended to allow for payment upon an unforeseeable emergency after the occurrence of the emergency.

DOL Relief.  The DOL is providing disaster relief by allowing plans to take certain actions that otherwise could be a violation of Title I of the Employee Retirement Income Security Act of 1974, as amended (“ERISA”).  The DOL will not consider the following events to be a fiduciary violation under ERISA:

  • The plan provides for loans and hardship distributions in compliance with the IRS Hurricane Sandy disaster relief guidance described above.
  • There is a temporary delay under the plan in forwarding participant contributions and loan repayments from payroll processing services in the Hurricane Sandy qualified disaster area and the affected employers and service providers act reasonably.
  • There is a blackout period under a retirement plan related to Hurricane Sandy and the plan is not able to comply with the requirements to give participants and beneficiaries 30-day advance written notice of the blackout.
  • Group health plans make reasonable accommodations due to Hurricane Sandy for plan participants and beneficiaries for deadlines and documentation in filing claims for benefits, including COBRA elections.
  • Group health plans and issuers are not able to comply with pre-established claims procedures and disclosures due to the physical disruption to the plan or service provider’s principal place of business from Hurricane Sandy.

PBGC Relief.  The PBGC is providing limited disaster relief for a plan or plan sponsor located in the qualified disaster area, specifically Connecticut, New Jersey, New York and Rhode Island, or a plan or plan sponsor that cannot reasonably obtain information from a service provider, bank or other person whose operations were directly affected by Hurricane Sandy.  The PBGC relief includes the following:

  • Any premium payment required to be made on and after October 26, 2012 and on or before February 1, 2013 (the “PBGC disaster relief period”) will not be subject to penalties if made by February 1, 2013.
  • Single-employer standard terminations and distress terminations deadlines required to be made during the PBGC disaster relief period are extended to February 1, 2013.
  • Reportable event post-event notice deadlines for the PBGC disaster relief period are extended to February 1, 2013.  Pre-event reportable event notice deadlines may be extended on a case-by-case basis.
  • Annual financial and actuarial information reporting for certain large underfunded plans, missed contributions or funding waivers may be extended on a case-by-case basis.
  • If information is requested under an allowable extension of a Form 5500 filing date, and the Form 5500 is eligible for a filing extension under the IRS guidance for Hurricane Sandy, the allowable extension will commence on the last day of the qualified disaster extended deadline.
  • Requests for reconsiderations or appeals are extended through the PBGC disaster relief period.
  • Multiemployer plans’ premium deadlines will be extended as described above.  The PBGC will not assess a penalty or take enforcement action for the failure to comply with multiemployer plan deadlines during the PBGC disaster relief period.

All employers with employees and operations impacted by Hurricane Sandy directly or indirectly should take immediate action to review the relief available for their businesses and employees.

For further information on employment considerations for qualified disasters such as Hurricane Sandy, please see our client advisory entitled HR Guide for Employers – Responding to Natural Disasters.

They say that everything is bigger in Texas, and the Lone Star State’s new privacy protection laws are no exception.  Texas House Bill 300 (“HB 300”) amends the Texas Medical Records Privacy Act (“Texas Act”) and takes effect on September 1, 2012.  HB 300 significantly expands patient privacy protections for Texas covered entities beyond those federal requirements as outlined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act by:

  • revising the definition of a “covered entity;”
  • increasing mandates on covered entities;
  • establishing standards for the use of electronic health records (“EHRs”);
  • granting enforcement authority to several state agencies; and
  • increasing civil and criminal penalties for the wrongful electronic disclosure of protected health information (“PHI”).

Expanded Definition of Covered Entity

HB 300 significantly expands the definition of a Texas “covered entity” to include not only health care providers, but also those entities and individuals who under the HIPAA Privacy Rule would be classified as business associates and health care payers.  In addition, the Texas Act’s “covered entity” definition includes governmental units, information or computer management entities, schools, health researchers, health care facilities, clinics, and persons who maintain an Internet site.  As a result, this revision impacts any entity that conducts business in Texas and collects, uses, and/or stores PHI.

Customized Training Required

Mandatory customized employee training regarding state and federal patient privacy and security laws is another significant change to the Texas Act through the adoption of HB 300.  Training must cover federal and state regulatory requirements as well as include the covered entity’s course of business and employees’ scope of employment as it relates to PHI use and disclosure.   Employees of covered entities must complete training at least once every two years and not later than 60 days post-hire date.   This training requirement is more onerous than the HIPAA Privacy Rule, which does not currently require customized staff training and instead requires that employees be trained “within a reasonable period of time” after hire and after any material changes in applicable policies.

Release of EHR and Consumer Information

After September 1st, covered entities must provide patients with their EHRs in electronic form within 15 business days after a written request.  The Texas Health and Human Services Commission will soon recommend a standard format for the release of EHRs that is consistent with federal law.  Also, following the Office for Civil Rights’ recent lead, the Texas Attorney General’s website will provide consumer access to public health information.  State agencies will file annual complaint reports with the Texas Attorney General, who will then provide an annual report about the complaints to the Texas Legislature.

Scope of Notice of Privacy Practices and Penalties Broadened

The law also broadens the scope of covered entities’ Notice of Privacy Practices or other general notices to inform patients about how their e-PHI is used and disclosed.  Entities (such as business associates that are not required to issue a Notice of Privacy Practices under the Privacy Rule) will soon need to issue a notice if PHI is subject to electronic disclosure.  In addition, HB 300 authorizes civil and criminal penalties for data breaches, depending on the breach’s severity, the covered entity’s compliance program, certification, and its corrective action.

Steps to Adopt HB 300’s Requirements

With the effective date nearing, Texas covered entities should take immediate steps to ensure compliance with these more stringent state requirements. To meet this deadline, covered entities should:

  • ramp up their efforts to provide customized employee training;
  • update their Notice of Privacy Practices; and
  • review and update policies to incorporate the new statutory requirements.

Epstein Becker Green has been designated by the Health Information Trust Alliance (HITRUST) as a Common Security Framework (CSF) Assessor. This will allow the firm to provide health care organizations with privacy and security risk assessments aimed at protecting those entities from breaches of protected health information (PHI). The HITRUST CSF is the most widely adopted security framework in the health care industry. Epstein Becker Green is the first law firm to become a CSF Assessor, and the designation reflects the firm’s distinct capability to identify and address risk for health care industry clients.

HITRUST provides resources, tools, education, and training to develop and maintain effective security programs for health care and life sciences companies that comply with security laws, regulations, and standards including HITECH, HIPAA, PCI, JCAHO, CMS, ISO, NIST, and various other federal, state, and business requirements.

Read the Full Announcement from Epstein Becker Green