New Enforcement Data Added to HHS' Web Site on HIPAA Privacy Compliance and Enforcement

Last week, the Office for Civil Rights (OCR) added a new data section on its Compliance and Enforcement Web Site.  The new section can be viewed at www.hhs.gov/ocr/privacy/enforcement/data.html.  The public can now access enhanced information about several aspects of OCR's enforcement program, including:

  • Charts showing state-specific case investigation results;
  • Calendar-year enforcement-results graphs and charts;
  • Calendar-year graph showing complaint receipts; and
  • Yearly variation in the issues in cases resolved through corrective action.

Below is a chart posted on OCR's new data section illustrating enforcement results for New Jersey:

[Pie chart: enforcement results for New Jersey. No Violation: 13%; Corrective Action Obtained: 20%; Resolved after Intake and Review: 67%.]

Another interesting chart lists the top five types of complaints for each of the last five years.  It is worth noting that between 2003 and 2007, the top four types of complaints were exactly the same, in the following order:

  • #1 - Impermissible Uses and Disclosures
  • #2 - Safeguards
  • #3 - Access
  • #4 - Minimum Necessary

The last spot has changed from 2003 through 2007, with last year's number 5 spot being taken by "Notice" issues.

Federal Law Passed to Protect Use and Disclosure of Genetic Information

ScienceDaily reports today that the U.S. Senate approved the Genetic Information Nondiscrimination Act of 2008 (GINA) yesterday, April 24, 2008, by unanimous consent of an amended version of H.R. 493, which passed the House last April 25, 2007 by a vote of 420-3.  The House is expected to take up the measure again quickly before sending it to President Bush to sign into law.  A copy of amended H.R.493 can be viewed on the Library of Congress’ Thomas website. 

Among other things, GINA directs the Secretary of DHSS to revise the HIPAA privacy regulation, within 60 days after the date of the enactment of GINA, to include the following:

(a)(1) Genetic information shall be treated as health information described in [HIPAA].

     (2) The use or disclosure by a covered entity that is a group health plan, health insurance issuer that issues health insurance coverage, or issuer of a medicare supplemental policy of protected health information that is genetic information about an individual for underwriting purposes under the group health plan, health insurance coverage, or medicare supplemental policy shall not be a permitted use or disclosure. . . . .

    (d) Enforcement - In addition to any other sanctions or remedies that may be available under law, a covered entity that is a group health plan, health insurance issuer, or issuer of a medicare supplemental policy and that violates the HIPAA privacy regulation (as revised under subsection (a) or otherwise) with respect to the use or disclosure of genetic information shall be subject to the penalties described in [the HIPAA Statute] in the same manner and to the same extent that such penalties apply to violations of this part. (Emphasis was added).

GINA aims to protect the privacy of all Americans’ genetic information and to establish a national and uniform basic standard necessary to fully protect the public from discrimination based on genetic information.  Until yesterday, genetic information had been protected specifically only by a handful of states.  In New Jersey, the New Jersey Genetic Privacy Act (N.J.S.A. §§10:5-43 et seq.) already provides that no person may disclose or be compelled to disclose the identity of an individual upon whom a genetic test has been performed, or individually identifiable genetic information, except pursuant to a few very limited exceptions. See N.J.S.A. §10:5-47.  However, any entity or individual that uses or handles DNA in New Jersey should reevaluate its disclosure and consent procedures in light of GINA’s new standards.

Educating the Educators on Privacy Laws

Last October, the United States Department of Education released a policy guidance document to help educators and parents interpret federal privacy laws, an initiative prompted by the mass shooting at Virginia Tech.  The document was created in response to schools' requests "for guidance on what information can be shared among government agencies and parents under the 1974 Family Educational Rights and Privacy Act” (FERPA).  At that time, Congress was also considering revising FERPA to clearly permit school officials to contact parents if a student is considering suicide or threatening to attack someone.  Currently, FERPA allows officials to share information with parents or other agencies if there is a health or safety emergency, but there was concern - especially after the Virginia Tech incident - that the language is too vague.

On March 24, 2008, almost a year after the shooting rampage at Virginia Tech, the U.S. Department of Education (DOE) proposed regulations to clarify when colleges can release confidential information about students who might be a danger to themselves or others.   The proposed guidelines do not make any substantive changes under FERPA, but attempt to clarify that schools are permitted to report fears about students who might be a danger to themselves or others. Parents are among the parties who can be contacted if a student is at risk.  It is believed that the changes would provide colleges with more flexibility in defining a potentially dangerous situation, and would help ensure that counselors have the tools they need to reach out and build support systems around troubled students. 

HIPAA contains a similar exception for disclosures "to avert a serious threat to health and safety."  Under HIPAA, a covered entity is not prohibited by the federal Privacy Rule from disclosing protected health information if it believes, in good faith, that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person reasonably able to prevent or lessen the threat, including the target of the threat.  State laws may, however, impose additional restrictions and must still be considered.

The deadline for comment on the DOE's proposed regulation is May 8, 2008.

Sanctions May be Imposed Due to Stark-Struck Snoopers

On April 8, 2008, the New York Times and the Los Angeles Times reported that Dr. Mark Horton, head of the California Department of Public Health, said that "the agency planned to sanction the University of California, Los Angeles, Medical Center after hospital workers improperly viewed the records of more than 60 patients, including the actress Farrah Fawcett and the state's first lady, Maria Shriver."  The medical center's investigation "revealed that records of 61 patients, roughly half celebrities or politicians, had been opened by one unauthorized worker who had since quit."  Governor Arnold Schwarzenegger has been quoted as stating that his administration will push hospitals to implement new safeguards to stop such snooping.

These types of incidents highlight a prevalent issue that I find many covered entity providers struggling with: their employees are either not aware of, or not taking seriously, their responsibility not to access the record of any patient without an authorized purpose.  Authorized purposes include where the employee needs the information in connection with providing health care services to the patient.  Other authorized purposes are limited, but are set forth in the HIPAA Privacy Rule.  In addition, state laws may further restrict which employees can access certain sensitive information, like mental health records.

HIPAA requires that covered entities implement safeguards to attempt to prevent unauthorized employees from accessing protected health information (PHI).  The first step for a provider is to establish clear policies regarding when employee access is "authorized" (permitted) and when it is "unauthorized" (not permitted).  With respect to electronic PHI, the HIPAA Security Rule goes one step further by requiring covered entities to implement (1) Access Authorization levels and (2) Access Establishment and Modification.  This may include developing and implementing policies and procedures for assigning access rights (i.e., passwords) to employees based upon their role at the facility.  Finally, it is imperative that employees are trained on established policies, and that applicable sanctions (i.e., from warnings to termination) are carried out for violations.
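The paragraph above describes role-based access rights and the expectation that improper record views are caught and sanctioned.  The following is an added example, not code from this blog or from any HHS material, of how those two pieces fit together in software: a role/relationship check that decides each record lookup and writes every attempt to an audit log, plus a review routine that surfaces the accounts a privacy officer should look at first (the "one worker opened 61 records" pattern from the UCLA report).  The roles, record sections, employee and patient identifiers, and the review threshold are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed policy table (assumption): which record sections each role may open.
# Sensitive sections such as mental health are withheld from most roles, mirroring
# the state-law restrictions the post mentions.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"demographics", "clinical", "mental_health"},
    "nurse": {"demographics", "clinical"},
    "billing": {"demographics", "billing"},
    "front_desk": {"demographics"},
}


@dataclass
class Employee:
    user_id: str
    role: str
    # Patients this employee is currently assigned to (care team or billing queue).
    assigned_patients: Set[str] = field(default_factory=set)


@dataclass
class AccessEvent:
    user_id: str
    patient_id: str
    section: str
    allowed: bool
    reason: str


def check_access(emp: Employee, patient_id: str, section: str,
                 audit_log: List[AccessEvent], break_glass: bool = False) -> bool:
    """Decide whether emp may open `section` of patient_id's record.
    Every attempt, allowed or denied, is appended to audit_log."""
    permitted = ROLE_PERMISSIONS.get(emp.role, set())
    if section not in permitted:
        event = AccessEvent(emp.user_id, patient_id, section, False, "role_not_permitted")
    elif patient_id in emp.assigned_patients:
        event = AccessEvent(emp.user_id, patient_id, section, True, "assigned")
    elif break_glass:
        # Emergency override: allowed, but recorded so it is reviewed after the fact.
        event = AccessEvent(emp.user_id, patient_id, section, True, "break_glass")
    else:
        event = AccessEvent(emp.user_id, patient_id, section, False, "no_treatment_relationship")
    audit_log.append(event)
    return event.allowed


def review_audit_log(audit_log: List[AccessEvent], threshold: int = 3) -> Dict[str, int]:
    """Return {user_id: count} for users who touched at least `threshold` distinct
    patients they were not assigned to (break-glass opens plus denied attempts).
    A high count with no plausible emergency is the snooping pattern to investigate."""
    unassigned: Dict[str, Set[str]] = {}
    for e in audit_log:
        if e.reason in ("break_glass", "no_treatment_relationship"):
            unassigned.setdefault(e.user_id, set()).add(e.patient_id)
    return {u: len(p) for u, p in unassigned.items() if len(p) >= threshold}


def run_demo() -> Dict[str, int]:
    """Constructed scenario: one nurse on her own patient, one nurse browsing
    records she has no relationship with via the emergency override."""
    log: List[AccessEvent] = []
    rn_ok = Employee("rn_ok", "nurse", {"p100"})
    snooper = Employee("snoop1", "nurse", {"p100"})
    check_access(rn_ok, "p100", "clinical", log)
    for pid in ("p201", "p202", "p203", "p204"):
        check_access(snooper, pid, "clinical", log, break_glass=True)
    return review_audit_log(log, threshold=3)


if __name__ == "__main__":
    print(run_demo())  # flags snoop1, not rn_ok
```

The design point is that the access decision and the audit trail are the same code path: a role that is denied a section never silently fails, an unassigned lookup is either refused or recorded as break-glass, and the review step works purely from that log, so it can be run by the privacy or security officer without touching the clinical system.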

HIPAA Update Seminar

On April 3, 2008, I will be discussing some of the most common HIPAA misinterpretations and burning questions still out there at a Compliance Seminar organized and offered through the NJ Medical Society of New Jersey.   Among the specific questions I will cover are:

  • When can information be released to a patient's relatives and friends?
  • Can medical records be released pursuant to a subpoena?
  • Is a HIPAA Business Associate Agreement required for all vendors?
  • Should medical records be taken home?
  • How long should I keep medical records? billing records? administrative records?
  • Do I have to notify patients of accidental disclosures?  What about security breaches?
  • What should I do if a HIPAA complaint is filed against my practice?
  • What are the benefits and risks of participating in an electronic health information exchange with a hospital or other provider?

For further information about the Compliance Seminar, visit: http://www.msnj.org/practicemanagers/Education.aspx

One Man's Scrap Paper .... (part 2)

In my previous post, I left open the question of whether UPS is on the hook under HIPAA for the box of medical records that ended up in a paper scrap resale warehouse.  The brief response: not under HIPAA.

The federal government has expressly stated that mail carriers are not considered business associates under the HIPAA Privacy Rule when they handle protected health information on behalf of a covered entity provider.  The federal government addressed this exact issue in its guidance document published on December 3, 2002.  There, the question posed and government's answer were as follows:

Q:  Are the following entities considered "business associates" under the HIPAA Privacy Rule:  US Postal Service, United Parcel Service, delivery truck line employees and/or their management?

A:  No, the Privacy Rule does not require a covered entity to enter into business associate contracts with organizations, such as the US Postal Service, certain private couriers and their electronic equivalents that act merely as conduits for protected health information.  A conduit transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law.  Since no disclosure is intended by the covered entity, and the probability of exposure of any particular protected health information to a conduit is very small, a conduit is not a business associate of the covered entity.

As such, UPS had no direct legal obligation under HIPAA or as a Business Associate to safeguard the medical records in the hospital's box.  A covered entity may, however, attempt to impose additional obligations on its delivery service carriers through contract terms, if possible.

One Man's Scrap Paper Is Another Man's Treasure (part 1)

Business Week reported earlier this week that the medical records of 28 Central Florida Regional Hospital patients were included in a box purchased for $20 from a surplus store by a teacher for use as "scrap paper" in her fourth grade classroom.  According to reports, the "scrap paper" included detailed medical histories, phone numbers, addresses, Social Security numbers and insurance information of patients who had received treatment at the hospital. 

The hospital explains that last December it shipped three boxes of medical records via UPS to a Medicare auditor located in Las Vegas.  When one of the boxes was not received, the auditor contacted hospital officials.  The hospital then got in touch with UPS and attempted to determine the location of the third box.  The hospital's risk manager acknowledged that during the time it was working with UPS to resolve the issue, the hospital did not contact the potentially affected patients, despite the fact that it had concerns of the possibility of wrongful disclosure if the box got into the wrong hands.  As luck would have it, it did - although it could have been much worse than ending up in the hands of a fourth grade teacher. 

The mishap raises a few interesting questions.  One is whether the hospital was required to notify patients that a box containing their medical records did not reach its intended destination.  Another is whether UPS had any obligation to assure that a box full of confidential medical records did not end up at a surplus store for resale as scrap paper.  I will offer my thoughts with regard to the first question on this post.  I invite you to check back for my response to the second question. 

Under HIPAA, a covered entity is required to reasonably safeguard its patients' protected health information from any intentional or unintentional use or disclosure that is in violation of the Privacy Rule.  In addition, a covered entity is required to mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of the information that would violate the Privacy Rule.  45 C.F.R. 164.530(f).  HIPAA does not contain a mandatory security breach notification requirement.   Additionally, most state security breach notification laws only require the individual to be notified where the breach potentially affects their electronic information. 

The situation here involved paper records, and so may have fallen outside of any applicable state breach notification laws.  In addition, it appears from reports that during the hospital's investigation into the “lost” box, UPS never confirmed that the box was no longer in its control or, otherwise, that it had been forwarded to the surplus store.  Apparently that information finally came to light after the fact.  As such, the hospital likely determined that it was premature to notify individuals when it was possible that the box was simply making its way back to the hospital through the UPS return system.  If the hospital had decided to notify individuals of the situation, it would likely have faced significant negative publicity for potentially no reason.

As it turns out, however, the box did end up in unintended hands.  In hindsight, many may conclude that the hospital should have notified the individuals as soon as the box failed to reach the Medicare auditor.  If the “lost” box of records had ended up in the hands of someone who would use the information for a sinister purpose, the outcome for the affected individuals could have been much worse.  However, it is likely that if the sale of "scrap paper" had not occurred, UPS would have eventually concluded that the box was indeed lost.  Then, the hospital may have considered sending a notification to patients if it concluded that there was a likelihood that the information could be used by some third party for an improper purpose.

Some may ask what "safeguards" could be put in place to prevent mailed medical records from ending up in unintended hands.  A few come to mind.  One is having a clearly marked return address to help undeliverable boxes be returned to the proper sender.  Another is using a label marking the package as “CONFIDENTIAL” to increase awareness of the sensitive nature of its contents.  Finally, use a mail carrier with a system that allows a package to be tracked.

Check back next week to find out my thoughts on: (1) Did UPS have any HIPAA obligations to assure that the medical records did not end up at a surplus store for resale? and (2) Is UPS a business associate of the hospital? 

Is All "Marketing" Prohibited by HIPAA?

In general, HIPAA requires a written authorization from an individual before a health care provider can make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.  However, certain mailings and communications with individuals are permissible without having to obtain prior written authorization because they are not considered "marketing" as defined by the HIPAA Privacy Rule.

The following are a few examples of communications that HIPAA does not consider "marketing":

-- Reminders (e.g., "get your annual pap" letter)
-- Providing information about how to manage a particular condition (e.g., tips on diabetes control)
-- General information about new developments in health care
-- Information about health & wellness classes, support groups, health fairs etc.
-- Announcements of a new specialty group or new medical equipment at your facility

Thus, even though many of us who receive such information in the mail consider such flyers to be at least loosely linked to the “marketing efforts” of the sender, HIPAA considers the foregoing to be “communications essential for quality health care.”  Such communications are not subject to HIPAA’s restrictions otherwise applicable to using patient health information for “marketing” purposes.  Thus, a written authorization is generally not required for a health care provider to mail such information to former or current patients.  

CMS to Audit 10-20 Hospitals In Next 9 Months

GovernmentHealthIT reports that on January 16, 2008, at a workshop on HIPAA security, CMS announced that it will begin its audits by reviewing 10 to 20 hospitals in the next nine months for compliance with the HIPAA Security Rule.  As posted earlier on this Blog, CMS has contracted with PriceWaterhouseCoopers (PWC), an accounting and consulting firm, to help with the reviews.

Who Will Be Audited?   Tony Trenkle, Director of CMS' Office of e-Health Standards and Services, stated at the January 16th workshop that the first reviews will be at hospitals where CMS has received complaints about security practices.  Then, CMS will move onto auditing "larger" hospitals nationwide.

What Will CMS Look For?   CMS representatives state that before a visit, the CMS-PWC team will request documents required under the HIPAA Security Rule, such as the hospital’s security risk assessment and its remote access policies.  Director Trenkle indicated that remote access to data and use of portable storage devices are among the issues that CMS will focus on.  Lorraine Doo, senior policy adviser at the Office of E-health Standards and Services, elaborated that CMS-PWC will interview the compliance officer, security director, lead systems security manager and access controls manager at each hospital.

Consequences:   Hospitals will be invited to comment on the CMS-PWC team’s findings before the results are final.  After the reviews, CMS will publish the results of the security review, but not the organizations' names, on its website.  However, if the review uncovers major lapses, Ms. Doo indicates that CMS could fine a hospital or levy other punishments allowed for under the HIPAA statute.

Helen's HIPAA Hint: The comment made by CMS’ Senior Policy Advisor, Ms. Doo, will likely make covered entities ask who is a “Lead Systems Security Manager,” who is an “Access Controls Manager,” and whether the Security Rule required us to appoint such individuals.   The technical answer is “no”; the Security Rule only expressly requires a covered entity to appoint a Security Officer. However, the practical answer is that in order for the covered entity to ensure that the required technical, physical and administrative safeguards are effectively implemented, monitored and revised as needed, the “buck must stop” (as they say) ultimately with someone.

In smaller organizations, the Security Officer may have to take on all of these roles.  However, larger entities may find it necessary to create a “team” of individuals who will work in tandem with the Security Officer to make sure that the entity is in full compliance.

So, if a covered entity does not have an Access Controls Manager or a Lead Systems Security Manager will CMS find this organization non-compliant?  I do not think so, as long as the entity can demonstrate that a specific individual is or specific individuals are ultimately responsible for making sure that all of the Security Rule’s safeguards are effectively implemented, being monitored and audited, and issues are being addressed as they come up.
New Year, New Laws . . . Some Items to Watch In 2008

  • What the HIPSA?!!   After HIPAA, the last thing most of us want to hear is another acronym that starts with the letter "H" and makes our heads spin trying to figure out whether the answer to the question is "to disclose" or "not to disclose."   But, here it may come..... Covered Entities (and anyone currently handling health information, for that matter) should keep an eye on U.S. Senate Bill 1814, the Health Information Privacy and Security Act ("HIPSA"), currently under consideration by the Committee on Health, Education, Labor, and Pensions.  HIPSA could change the current HIPAA landscape by, among other things, aiming to directly govern each individual and entity that uses personal health information.  The potential new law is also looking to create a private right of action (the right to file a private lawsuit), and to allow state attorneys general to sue for privacy and security violations.  Each of these elements is more far-reaching than HIPAA, which directly governs only Covered Entities and does not provide a statutory private right of action.
  • New Jersey Health Information Technology Promotion Act (NJ HITPA), Senate Bill 2728.   As NJ HITPA inches forward (last updated 11/2007), New Jersey may be one step closer to setting up the infrastructure necessary to support a state-wide RHIO (Regional Health Information Exchange) in 2008.  NJ HITPA establishes the New Jersey Health Information Technology Commission to assume primary responsibility within State government for the development, implementation, and oversight of the Statewide health information technology plan.  That plan is to be designed to establish a secure, integrated and interoperative, Statewide electronic health information infrastructure for the sharing of electronic health information among health care facilities, health care professionals, public and private payers, and patients, which complies with all State and federal privacy requirements and links all components of the health care delivery system through secure and appropriate exchanges of health information. 
  • Ban On Data Mining.  On December 12, 2007, the Washington D.C. Council voted in favor of restricting access to information about physicians' prescribing trends.  The ban is the result of a much larger debate, namely whether prescription data should be allowed to be mined and sold to pharmaceutical companies and whether such practice drives up the costs of prescription drugs and interferes with physician practices. However, from a HIPAA standpoint, the ban may spur a trend that could restrict access to deidentified information.  Under HIPAA, if information is "deidentified" (stripped of all identifying elements) then the federal Privacy Rule does not prohibit its disclosure. Most state laws also limit confidentiality protections to "identifying" personal information. Therefore, "anti-data mining" laws such as the one being considered in D.C. (as well as in 12 other states, including New Hampshire, Maine and Vermont) would, in many instances, result in state laws that are more restrictive than HIPAA and create a new barrier to pharmaceutical companies and others obtaining such information.
  • States Amending Privacy Laws.  Look for legislation to be introduced in New Jersey and other states that tightens up privacy and security requirements in certain instances, and that clarifies restrictions that have become outdated.  For example, the Pennsylvania Department of Health ("PA DOH") proposed to amend its regulations relating to the disclosure of patient information under the Pennsylvania Drug and Alcohol Abuse Control Act.  The proposed rule, set forth in the Pennsylvania Bulletin at 37 Pa.B. 6529, indicates that the PA DOH determined that the current regulation is outdated and is an impediment to service delivery and the coordination of care for individuals with substance abuse problems.  In general, the proposed rule expands the amount of information treatment providers may release to other entities (in accordance with the existing statute), and clarifies what information is subject to the confidentiality and disclosure restrictions.
  • Identity-Theft Prevention Laws.  As the nation moves toward converting from paper to electronic health records and our personal information becomes more accessible, medical identity theft has become pervasive. Many states, including New Jersey, have passed security-breach notification laws that require providers to notify an individual if his/her electronic information has been accessed in an unauthorized manner. Look, however, for states to expand their current laws protecting the security of health information and specifically target medical identity theft. 
