There are currently numerous federal and state laws addressing health information practices, patient privacy and electronic data security that apply to us. These federal and state health information, privacy and security laws require us to acquire, implement and maintain expensive computer systems, employee training programs and business policies and procedures to protect the privacy and security of each patient’s health information consistent with the Health Insurance Portability and Accountability Act of 1996, or HIPAA, the Health Information Technology for Economic and Clinical Health Act, or HITECH, and the regulations promulgated thereunder. Federal regulations also require us to comply with standards for the format and content of certain electronic payment-related transactions that we conduct with health plans. These regulations have had and are expected to continue to have a considerable financial impact on the healthcare industry because they impose extensive new requirements and restrictions on the use and disclosure of identifiable patient information.
FEDERAL PRIVACY AND SECURITY LAWS
Under HIPAA and HITECH, the US Department of Health and Human Services, or HHS, has issued regulations that establish uniform standards governing the format and content of certain electronic payment-related transactions, and protecting the privacy and security of individually identifiable health information, also known as protected health information, or PHI, held by healthcare providers and other covered entities. Three principal sets of regulatory standards have been promulgated under HIPAA and HITECH: the Standards for Privacy of Individually Identifiable Health Information (referred to as the “Privacy Standards”), which restrict the use and disclosure of certain individually identifiable health information, and give individuals certain rights with respect to health information about them; the Standards for Electronic Transactions (referred to as the “Transaction Standards”), which establish standards for the format and content of common electronic payment-related transactions among health care providers and health plans, such as claims for payment by a provider, inquiries from a health care provider to a health plan concerning an individual’s eligibility for benefits under the plan, and inquiries from a health care provider to a health plan concerning the status of a claim for payment; and the Security Rule, which requires covered entities and their business associates to implement and maintain security measures to safeguard electronic PHI, including administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of such information.
Penalties for violations of HIPAA and HITECH laws and regulations include civil and criminal penalties. HIPAA has a tiered system of money penalties, based on the degree of negligence or willfulness of the breach, and whether or not it was timely corrected. Possible penalties range up to $50,000 for each violation, subject to a $1.5 million maximum for identical violations during a calendar year. Criminal penalties may be imposed on any person who knowingly obtains or discloses PHI in violation of HIPAA. The penalties depend on intent; violations committed with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm, carry the highest penalties—fines up to $250,000, imprisonment up to 10 years, or both.
The Privacy Standards govern the use and disclosure of PHI by healthcare providers. These standards also set forth certain rights that an individual has with respect to his or her PHI maintained by a healthcare provider, including the right to access or amend certain records containing PHI, and to obtain an accounting of certain disclosures of PHI. HIPAA also governs patient access to laboratory test reports. Effective October 6, 2014, certain covered entity laboratories like us must provide individuals (or their personal representatives) with the right to access test reports directly from laboratories. We have implemented practices and procedures with the intent to comply with the requirements of the HIPAA Privacy Standards and applicable state privacy laws.
We have also implemented policies, procedures and standards with the intent to comply with the HIPAA Security Standards, which establish requirements for safeguarding the confidentiality, integrity and availability of electronic PHI. In addition, we have taken necessary steps to comply with HIPAA’s Transaction Standards, which establish standards for common payment-related transactions among health plans and health care providers. In particular, we have completed conversion of our electronic fee-for-service claim transactions and our electronic fee-for-service remittance transactions to the HIPAA Transaction Standards, including the standards for billing claims, remittance advices, enrollment and eligibility verification inquiries.
In 2009, Congress passed the American Recovery and Reinvestment Act of 2009, or ARRA, which included HITECH. HITECH made significant changes to HIPAA, including increasing penalties for violations, providing the federal and state governments with additional enforcement capabilities, further restricting certain uses of PHI (particularly for commercial purposes), and extending some provisions of HIPAA to cover contractors of covered entities—known as business associates—directly.
Further, HITECH requires HIPAA covered entities, such as clinical laboratories, to provide notification to affected individuals and to the Secretary of HHS following discovery of a breach of unsecured PHI and imposes penalties on those that fail to do so. The 2013 final HITECH omnibus rule modified the breach reporting standard in a manner that will likely make more data security incidents qualify as reportable breaches. In some cases, HITECH also requires covered entities to provide notification to the media of breaches. In addition, in the case of a breach of unsecured PHI at or by a business associate of a covered entity, the regulations require the business associate to notify the covered entity of the breach. HITECH also increased the civil and criminal penalties that may be imposed against covered entities, business associates and possibly other persons and gave state attorneys general new authority to file civil actions for damages or injunctions in federal courts to enforce the federal HIPAA laws and seek attorney fees and costs associated with pursuing federal civil actions.
STATE PRIVACY AND SECURITY LAWS
HIPAA and HITECH and their implementing regulations establish a uniform federal “floor” and do not supersede state laws that are more stringent or provide individuals with greater rights with respect to the privacy or security of, and access to, their records containing PHI. As a result, we are required to comply with both federal privacy and security regulations and state privacy and security laws, many of which differ from each other in significant ways and may not have the same effect, thus complicating compliance efforts.
As one example, the Confidentiality of Medical Information Act, or CMIA, is California’s statutory scheme governing the disclosure of medical information by providers of health care. Certain aspects of the CMIA are more stringent than the requirements of HIPAA, particularly with regard to the form used to obtain authorization to disclose a patient’s medical information. Like a number of other states, California also places special restrictions on the use and disclosure of particularly sensitive kinds of health information, such as information concerning alcohol and drug abuse, mental health, developmental disabilities, and HIV and genetic test results. Significant administrative penalties may be imposed for violation of any of these requirements. In addition, certain states, including Massachusetts and California, have adopted information security requirements that apply to all businesses that store confidential personal information. Most states, including California, also have state breach notification laws that may be more onerous than the breach notification requirements under federal law. In addition to penalties that may be imposed by regulatory agencies, an individual whose medical information was the subject of a breach may also sue in some cases for statutory or actual damages.