Monthly Archives: January 2013

January 18, 2013

HHS Issues New HIPAA Omnibus Rule

by Kim Stanger, Holland & Hart LLP

HHS issued the new HIPAA omnibus rule yesterday. The new rule contains important changes for health care providers and their business associates. For example, the new rule:

  • Modifies the standard for reporting breaches to patients and HHS. HHS replaced the former "no harm, no foul" rule with a new standard: a breach is presumed unless the covered entity can demonstrate a low probability that the protected health information has not been compromised. This requires an assessment of specified factors and will likely increase the number of reportable breaches.
  • Confirms HIPAA requirements for business associates and their subcontractors. Business associates are subject to HIPAA penalties if they fail to comply. The definition of "business associates" was expanded to include entities that provide data transmission services for protected health information and require routine access to the information.
  • Confirms providers are liable for their business associate's violations if the business associate is acting as the agent for the provider. The rule's commentary contains a helpful analysis for determining whether an agency relationship exists.
  • Makes it easier for family members to obtain information about decedents. The rule also confirms that HIPAA does not apply to information 50 years after the decedent's death.
  • Expands patients' right to obtain electronic copies of their records.
  • Prohibits providers from disclosing information to health insurers if the patient pays for the treatment and requests that the information not be disclosed to insurers. Implementation will create significant practical problems for practitioners.
  • Prohibits the sale of protected health information unless certain conditions are satisfied.
  • Imposes additional requirements for the use of protected health information for marketing or fundraising. Among other things, an authorization is required to disclose information for treatment purposes if the provider is receiving remuneration for the disclosure.
  • Requires new provisions to be added to providers' Notice of Privacy Practices, including a description of disclosures that require authorizations and notice of a patient's right to receive notice of HIPAA breaches.

The new rules take effect March 23, 2013, but covered entities and business associates will have until September 23, 2013 to comply. Before then, providers will need to take certain actions to remain compliant, including:

  • Modify their Notice of Privacy Practices.
  • Update and/or execute new business associate contracts, including contracts for subcontractors and health information organizations. Existing compliant contracts do not need to be modified until September 2014.
  • Revise privacy, security and breach notification policies to incorporate the new requirements.
  • Modify authorizations and other forms as necessary to track the new rules.
  • Ensure their electronic medical records programs have the functionality to address the new regulatory requirements.
  • Take even greater care to protect patient information given the new standard for evaluating whether breaches are reportable.

Business associates will also need to implement HIPAA privacy and security policies and safeguards applicable to business associates. HHS estimates that complying with the new requirements will cost affected parties a total of $114 million to $225 million during the first year. The new rule can be accessed at: HHS's press release can be accessed at


January 15, 2013

Who May Consent to Health Care under Idaho Law?

by Kim Stanger, Holland & Hart LLP

I am frequently asked how an Idaho health care provider may determine whether a person is competent to consent to their own healthcare.  Idaho Code § 39-4503 establishes the general standard for medical consents:

Persons who may consent to their own care. Any person who comprehends the need for, the nature of and the significant risks ordinarily inherent in any contemplated hospital, medical, dental, surgical or other health care, treatment or procedure is competent to consent thereto on his or her own behalf. Any health care provider may provide such health care and services in reliance upon such a consent if the consenting person appears to the health care provider securing the consent to possess such requisite comprehension at the time of giving the consent.

(Emphasis added).  If the health care provider believes that an adult patient currently lacks the requisite comprehension, the provider should determine whether the patient executed an advance directive or otherwise conveyed his or her wishes while competent.  (See I.C. § 39-4509).  If there is no such prior direction from the patient or if the patient is an unemancipated minor, the healthcare provider should generally obtain consent from one of the persons identified in Idaho Code § 39-4504(1), i.e., in decreasing order of priority:  a court-appointed guardian; person with durable power of attorney for healthcare; spouse; adult child; parent; person identified in delegation of parental authority; other appropriate relative; or other person who is responsible for the patient’s care.  With limited statutory exceptions, the general rule is that unemancipated minors probably lack capacity to consent to their own health care.  (See I.C. § 39-4504(1)).  Idaho Code § 39-4504(3) generally protects providers who, in good faith, obtain consent from a person who appears to have the requisite authority to give consent.

January 14, 2013

Hospital Faces Religious Discrimination Claims for Firing Vegan Employee Who Refused a Flu Shot

by Kim Stanger, Holland & Hart LLP

Cincinnati Children's Hospital, like many others around the nation, has adopted a policy requiring employees to get a flu shot. A federal court in Ohio just decided that the religious discrimination lawsuit brought by a vegan employee should go forward, at least for now. The ruling allows former employee, Sakile Chenzira, to proceed with her case against the Hospital alleging that the Hospital discriminated against her based on her religious beliefs when it discharged her for refusing a flu vaccination. Chenzira v. Cincinnati Children's Hosp. Med. Ctr., No. 1:11-CV-00917 (S.D. Ohio Dec. 27, 2012).

Refusing vaccine leads to termination. Chenzira had worked as a customer service representative for the Hospital for more than ten years. As a practicing vegan, Chenzira does not ingest any animal or animal by-products. Chenzira claims that prior to 2010, the Hospital accommodated her request not to receive flu vaccinations because they contained animal by-products. In December of 2010, however, the Hospital terminated Chenzira for refusing the flu vaccine.

Vegan Files Lawsuit Alleging Religious Discrimination and Wrongful Discharge. Chenzira alleges that the Hospital discharged her based on her religious and philosophical convictions as a vegan. She filed a lawsuit in federal court in Ohio asserting three claims, including religious discrimination in violation of Title VII of the Civil Rights Act of 1964.

Hospital Argues Veganism is Not a Protected Religion. The Hospital asked the Court to dismiss Chenzira's claims in their entirety. As to the religious discrimination claims, the Hospital argued that veganism is not a religion and therefore, cannot be the basis for a discrimination claim. In the Hospital's view, veganism is a dietary preference or social philosophy. In fact, it found no other cases in which veganism was the basis for a religious discrimination claim. Chenzira, however, argued that her vegan practice constituted a moral and ethical belief that she sincerely held with the strength of traditional religious views. On a motion to dismiss, Chenzira was not required to "prove" her case, but only allege a claim that was plausible on its face. The Court ruled that it was plausible that Chenzira could believe in veganism to the extent necessary to equate to a traditional religious belief. The Court denied the Hospital's request to throw out the religious discrimination claims.

Defense of Religious Discrimination Claims Will Proceed. The Hospital may have lost the first battle on the religious discrimination claims but it hasn't lost the war. Chenzira must actually establish that her belief in vegan practices rises to the level of a traditional religious belief. In addition, as the Court pointed out, the Hospital may justify its termination of Chenzira based on patient safety or other overriding reasons. The Court's ruling, however, keeps Chenzira's religious discrimination claims based on her veganism alive – at least for now.

Hospitals and other health care employers have regularly defeated employee lawsuits challenging mandatory immunization policies, primarily because the employers have carefully crafted those policies to recognize religious and disability-based exceptions. We will continue to watch the Cincinnati Children's case and let you know if veganism gets a shot in the arm from this federal court.