HIPAA, HITECH & HIT

Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

HIP-HIP(AA)-HOORAY: Margaret Davino, Esq. Joins Fox Rothschild HIPAA Team and Offers 5 Tips for 2016 HIPAA Compliance

Posted in HIPAA Enforcement, Privacy & Security

I’m sure fellow bloggers Bill Maruca and Michael Kline join me in giving three cheers for the recent growth in our firm’s health care practice (welcome, Minneapolis!) and ever-deepening pool of attorneys dealing with clients’ privacy and data security issues. But one recent addition to our team, Margaret (“Margie”) Davino, gets a fourth cheer for jumping into her new position as a partner practicing out of our New York City and Princeton, NJ offices and immediately leading a HIPAA webinar for HFMA’s Region 2 (metro NY) entitled “HIPAA: What to Expect in 2016”.

Margie covered a wide range of HIPAA topics, discussing how OCR investigations arise, preparing for Phase 2 of OCR’s audits, and how HIPAA might overlap or interplay with other laws (the FTC Act, state law causes of action, and the Telephone Consumer Protection Act, to name a few). For HIPAA nerds like me, it was a satisfying smorgasbord of HIPAA tidbits, past, present and future.  But several of Margie’s take-aways are particularly useful additions to the 2016 HIPAA compliance “To-Do” list:

  1. Make sure your security risk analysis encompasses all entities within your “family” – in other words, don’t just analyze your electronic health record, but focus on each entity and location from which protected health information (PHI) might be stolen or lost.
  2. If you are a small entity, make use of HHS’s Security Risk Assessment Tool to identify whether corrective action should be taken in a particular area. (In other words, there’s no excuse for ignoring item #1 on this list!)
  3. Encrypt data, if at all possible (and make sure it’s up to NIST encryption standards).
  4. Check that you have updated Business Associate (BA) Agreements in place for all BA relationships (and check first to make sure it’s really a BA relationship).
  5. Have a mobile device policy – and include mobile devices in your security risk analysis.

I like this short “To-Do” list because it helps prioritize HIPAA compliance tasks for 2016 based on what we have learned from breaches and enforcement actions in 2015 and prior years.

Elizabeth Litten Named Fox Rothschild HIPAA Privacy Officer

Posted in News

We are proud to report that, as part of Fox Rothschild’s ongoing commitment to protecting the confidential and personal information of clients and employees, the firm has named Partner Elizabeth G. Litten as its first HIPAA Privacy Officer.  Elizabeth is one of the most prolific and incisive contributors to this blog and will continue her practice as a Partner in the firm’s Corporate Department.

This appointment follows on the heels of the firm’s naming of Mark McCreary, Esq., another Partner of Fox Rothschild, as its Chief Privacy Officer. Both positions complement the firm’s robust data privacy and health law practices and further the firm’s mission to protect sensitive data for clients and employees.

Bill Maruca, Esq. and I look forward to working with Elizabeth in her additional role at the firm.

Election Year Predictions: Expansion of Federal Healthcare Privacy Regulation

Posted in HIPAA Enforcement, Privacy & Security

Our partner Elizabeth Litten and I were quoted by our good friend Marla Durben Hirsch in her article in Medical Practice Compliance Alert entitled “6 Compliance Trends Likely to Affect Your Practices in 2016.” Full text can be found in the January 13, 2016, issue, but a synopsis is below.

For her article, Marla asked various health law professionals to make predictions on matters such as HIPAA enforcement, the involvement of federal agencies in privacy and data security, and actions related to the Office for Civil Rights (“OCR”) of the federal Department of Health and Human Services (“HHS”).

After the interview with Marla was published, I noted that each of Elizabeth’s and my predictions described below happened to touch on our anticipation of the expansion by HHS and other federal agencies of their scope and areas of healthcare privacy regulation and enforcement. I believe that this trend is not a coincidence in this Presidential election year, as such agencies endeavor to showcase their regulatory activities and enlarge their enforcement footprints in advance of possible changes in the regulatory environment under a new administration in 2017. If an agency can demonstrate effectiveness and success during 2016 in new areas, it can make a stronger case for funding human and other resources to continue its activities in 2017 and thereafter.

Our predictions that were quoted by Marla follow.

Kline Prediction: Privacy and data enforcement actions will receive more attention from federal agencies outside of the OCR.

In light of the number of breaches that took place in 2015, the New Year will most likely see an increase in HIPAA enforcement. However, regulators outside of healthcare, such as the Department of Homeland Security, the Securities and Exchange Commission and the Federal Communications Commission, are also trying to extend their foothold into the healthcare compliance realm, much as the Federal Trade Commission has.

Litten Prediction: The Department of Justice (DOJ) and the OCR will focus more on individual liability

In September of 2015, the DOJ announced through the Yates Memo that it would be shifting its strategy to hold individuals to a higher level of accountability for an entity’s wrongdoing. The OCR has also indicated that it will focus more on individuals who violate HIPAA. “They’re trying to put the fear in smaller entities. A small breach is as important as a big one,” says Litten.

Kline Prediction: OCR will examine business associate relationships.

The HIPAA permanent audit program, which has been delayed by the OCR, will be rolled out in 2016 and will scrutinize several business associates. In turn, all business associate relationships will receive increased attention. According to Kline, “There will be more focus on how you selected and use a business associate and what due diligence you used. People also will be more careful about reviewing the content of business associate agreements and determining whether one between the parties is needed.”

We shall continue to observe whether the apparent trend of federal agencies to grow their reach into regulation of healthcare privacy continues as we approach the Presidential election.

Patient Data Must Be Encrypted, Not “Camouflaged”, as Per FTC Settlement

Posted in Health IT, Privacy & Security

Health care vendors beware: if you tell customers that your product provides industry-standard encryption of protected health information in compliance with HIPAA, you’d better be sure it doesn’t simply “camouflage” the data.

The FTC recently announced a $250,000 settlement with Henry Schein Practice Solutions, Inc. (“Henry Schein”) for falsely advertising that the software it marketed to dental practices provided “industry-standard encryption of sensitive patient information” and “would protect patient data” as required by HIPAA.

In fact, according to the FTC’s Complaint, the software (called “Dentrix G5”) actually used a data protection tool Henry Schein knew was “less secure and more vulnerable than widely-used, industry-standard encryption algorithms, such as Advanced Encryption Standard (“AES”) encryption.” The Complaint states that Henry Schein was aware that the Department of Health and Human Services (“HHS”) directs health care providers to guidance promulgated by the National Institute of Standards and Technology (“NIST”), which recommends AES encryption to protect patient data.

The Complaint states that Henry Schein’s product did not use AES encryption, and alleges that Henry Schein was notified that its database engine vendor had agreed to re-brand the data protection used by Henry Schein as “Data Camouflage” so it would not be confused with standard encryption algorithms, like AES encryption. Still, Henry Schein allegedly continued to market its product as offering data encryption needed for HIPAA compliance.

In January of 2014, the Complaint concedes, Henry Schein published an announcement in the Spring 2014 issue of Dentrix Magazine stating:

“Available only in Dentrix G5, we previously referred to this data protection as encryption. Based on further review, we believe that referring to it as a data masking technique using cryptographic technology would be more appropriate.”

Alas, the admission that the product provided mere “data masking” or “camouflaging” rather than encryption was, apparently, too little and too late to avoid the FTC enforcement action and ensuing settlement payment and negative publicity. Though no data breach was alleged to have occurred, the damage had been done by the “false or misleading” claims already made by Henry Schein.

The lessons for covered entities and business associates using and marketing patient data tools? Simple:

(1) Encrypt, don’t camouflage (check NIST guidance and recommendations for current encryption standards).

(2) Don’t exaggerate your capabilities (don’t say you encrypt when you merely camouflage, and if you only use some process like password protection, don’t suggest that you encrypt or even camouflage; potentially misleading claims in this area can bring FTC sanctions).

(3) As we’ve said before on this blog, don’t forget that the FTC is watching – health care providers, payers, and vendors must remember that HHS isn’t the only sheriff in town when it comes to data protection, HIPAA isn’t the only law that governs patient data and privacy, and the States are also increasingly active in enforcing data privacy and security.
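To make lesson (1) concrete, the following Go program is an added illustration and is not code from the original post, from Henry Schein, or from any product mentioned above. It contrasts a constructed stand-in for “camouflage” (a fixed-byte XOR followed by base64, chosen only for illustration and not a model of how any real product worked) with AES-256 in GCM mode, the kind of NIST-approved encryption the FTC Complaint refers to (AES is specified in FIPS 197 and GCM in NIST SP 800-38D). The function names, the mask value and the sample record are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// maskByte is the fixed value the constructed "camouflage" XORs into every
// byte. It is baked into the program, so it is a scheme, not a secret.
const maskByte = 0x5A

// camouflage scrambles a record so it no longer reads as plaintext. This is a
// constructed illustration of reversible data masking and stands in for no
// real product. Note that it takes no key at all.
func camouflage(record []byte) string {
	masked := make([]byte, len(record))
	for i, b := range record {
		masked[i] = b ^ maskByte
	}
	return base64.StdEncoding.EncodeToString(masked)
}

// uncamouflage reverses camouflage. Anyone who knows (or guesses) the scheme
// can run it; no credential is involved, so nothing here is encryption.
func uncamouflage(masked string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(masked)
	if err != nil {
		return nil, err
	}
	for i := range raw {
		raw[i] ^= maskByte
	}
	return raw, nil
}

// newKey returns a fresh 256-bit AES key from the OS CSPRNG. In a real
// deployment the key lives in a key-management system, never beside the data.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// encryptAESGCM seals a record with AES-256-GCM. A random 96-bit nonce is
// generated per message and prepended to the output, which is followed by the
// ciphertext and its 128-bit authentication tag: nonce||ciphertext||tag.
func encryptAESGCM(key, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, nil), nil
}

// decryptAESGCM opens nonce||ciphertext||tag. It fails closed on a wrong key
// or on any modified byte, the property that separates encryption from masking.
func decryptAESGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	record := []byte("constructed sample record: patient 0001, tooth 14") // constructed, not real PHI
	masked := camouflage(record)
	recovered, _ := uncamouflage(masked)
	fmt.Printf("camouflaged: %s\nrecovered with no key: %q\n", masked, recovered)

	key, _ := newKey()
	sealed, _ := encryptAESGCM(key, record)
	fmt.Printf("AES-GCM sealed (%d bytes): %x\n", len(sealed), sealed)
	wrongKey, _ := newKey()
	_, err := decryptAESGCM(wrongKey, sealed)
	fmt.Println("wrong key:", err)
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the tag
	_, err = decryptAESGCM(key, sealed)
	fmt.Println("tampered record:", err)
}
```

The contrast the program draws is the one the FTC Complaint turns on: the masked output looks scrambled, but it round-trips for anyone who knows the scheme, whereas the AES-GCM output is unreadable without the key and any alteration is detected on decryption. A reviewer evaluating a vendor’s “encryption” claim can ask the same two questions: is recovery gated by a secret key, and is the algorithm one NIST recognizes?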

Firearms, Mental Health, Executive Orders and HIPAA: A Volatile Mix

Posted in Articles, Privacy & Security

President Obama announced a series of Executive Orders on January 4, 2016 to address gun-related violence in America. Among those orders was an initiative to increase mental health reporting to the background check system. But this does not mean that mental health records will be widely released or that anyone who has sought treatment for mental illness will be banned from gun ownership.  It only means that information about individuals who are already prevented from owning guns under current law will be made available for background checks.

A fact sheet released by the administration includes this summary:

Remove unnecessary legal barriers preventing States from reporting relevant information to the background check system. Although States generally report criminal history information to [the National Instant Criminal Background Check System, (NICS)], many continue to report little information about individuals who are prohibited by Federal law from possessing or receiving a gun for specific mental health reasons. Some State officials raised concerns about whether such reporting would be precluded by the Privacy Rule issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Today, the Department of Health and Human Services issued a final rule expressly permitting certain HIPAA covered entities to provide to the NICS limited demographic and other necessary information about these individuals.

A Final Rule was posted by the Office for Civil Rights of the Department of Health and Human Services (OCR) at https://federalregister.gov/a/2015-33181. In an announcement posted by OCR, the agency emphasized that this rule is narrowly drawn and applies only to a limited category of covered entities:

The new modification is carefully and narrowly tailored to preserve the patient-provider relationship and ensure that individuals are not discouraged from seeking voluntary treatment. This rule applies only to a small subset of HIPAA covered entities that either make the mental health determinations that disqualify individuals from having firearms or are designated by their States to report this information to NICS – and it allows such entities to report only limited identifying, non-clinical information to the NICS.

The rule does not apply to most treating providers and does not allow reporting of diagnostic, clinical, or other mental health treatment information. [emphasis added]

OCR emphasizes that individuals who seek help for mental health conditions and/or receive mental health services are not automatically legally prohibited from having a firearm, and that nothing in the final rule changes that.

The rule applies only to state agencies or other agencies designated by the state to report, or that collect information for purposes of reporting, on behalf of the state, to the NICS, or to a court, board, commission, or other lawful authority that makes the commitment or adjudication that causes an individual to lose the right to possess firearms under existing federal law. It authorizes such agencies to disclose the information only to NICS or to an entity designated by the state to report, or that collects information for purposes of reporting, on behalf of the state, to NICS, and permits disclosure of only the limited demographic and certain other information needed for NICS reporting. It expressly prohibits disclosure of diagnostic or clinical information for such purposes.

In light of the heightened emotions surrounding any government action relating to firearms, especially as it may involve mental health and HIPAA, it is likely that misunderstandings, exaggerations, misinformation (or even intentional disinformation) about this limited change will circulate through social media and similar channels. Healthcare providers and other covered entities should be aware that the rule changes nothing except for certain state agencies and their agents.

A reader comments on that “Medical Hack” meme

Posted in Articles, Uncategorized

A thoughtful reader responded to our last post, Debunking a Viral “Medical Hack” Meme, which examined a meme advising health plan subscribers to cite certain HIPAA compliance issues in efforts to overturn unfavorable insurance coverage decisions.

Jeff Knapp wrote:

This meme just popped up in my Facebook news feed this morning, and I was happy to see you addressed it so quickly. I too immediately noticed several flaws. In addition to the ones you noted here, there is certainly no right under HIPAA for an individual to speak with a covered entity’s privacy officer. While it’s true that a covered entity must designate a contact person or office, in my experience the contact person/office and the privacy officer are not the same. Typically, a privacy officer is dealing with higher-level issues than responding to requests for documents. I always enjoy reading your blog posts.

Mr. Knapp accurately notes that there is no right to contact a privacy officer, and in fact, HIPAA provides no private right of action for an individual whose protected health information was improperly accessed.  See Why Can’t I Sue Under HIPAA for a Breach of my Protected Health Information? What Can I Do?

Moreover, if the individual disputing a coverage decision is covered by a self-insured plan sponsored by his or her employer, the strategy advocated by the meme could easily backfire, notwithstanding any separation of insurance administration and human resources functions within an employer’s management structure, whether nominal or reasonable.

Debunking a Viral “Medical Hack” Meme

Posted in Articles, Uncategorized

Since the early days of HIPAA, a steady trickle of misinterpretations, misunderstandings and half-truths have circulated informally both within the medical community and among the general public.  The prevalence of social media only amplifies the effect. For example, a meme currently making the rounds on Facebook suggests using HIPAA as a strategy for convincing a health insurer to reverse a coverage denial decision.  The post, entitled “Medical Hack,” began appearing this month.  While containing some accurate information, the post contains a number of flaws.

[Image: hipaa-medical-hack-insurance]

It reads as follows:

So, your doctor ordered a medical test or treatment and your insurance company denied it. That is a typical cost saving method.

OK, here is what you do:

1. Call the insurance company and tell them you want to speak with the “HIPAA Compliance/Privacy Officer” (By federal law, they have to have one)

2. Then ask them for the NAMES and CREDENTIALS of every person accessing your record to make that decision of denial. By law you have a right to that information.

3. They will almost always reverse the decision very shortly rather than admit that the committee is made of low paid HS graduates, looking at “criteria words,” making the medical decision to deny your care. Even in the rare case it is made by medical personnel, it is unlikely it is made by a board certified doctor in that specialty and they DO NOT WANT YOU TO KNOW THIS!

4. Any refusal should be reported to the US Office of Civil Rights (OCR.gov) as a HIPAA violation.

As with any viral post, it is prudent to fact-check this advice with reliable sources such as Snopes.com. Sure enough, Snopes has addressed the “hack” and classified it as a mixture of true, false and undetermined information. See http://www.snopes.com/hipaa-medical-hack-insurance-claim-denials/

To their credit, the fact-checkers at Snopes picked up on several flaws in the strategy suggested in the hack, particularly the fact that neither HIPAA nor the Affordable Care Act requires insurers to base decisions to deny coverage of services or medications on the decision of a doctor, let alone a doctor who is board certified in the specialty under which that treatment fell. (In fact, these issues are primarily regulated by state insurance laws.) To that effect, Snopes notes:

… if insurance companies are entitled to deny coverage on a discretionary basis without the say-so of a doctor, there’s no reason a non-mandated process would be outlined through any plan resource or HHS guideline. Asking for such documentation would make as much sense as someone demanding a receipt for a donut you didn’t buy.

However, the most critical flaw in the suggested strategy is the fact that insurers and other covered entities are not required to account for all internal disclosures (and even many external disclosures for that matter), and disclosures for payment or health care operations purposes are specifically carved out of the accounting requirement in 45 C.F.R. 164.528(a).  Insurance clerks, regardless of their level of education, are likely to be utilizing patient records for payment and operations purposes when processing claims denials.

With regard to the requirement to designate a “HIPAA Compliance/Privacy Officer,” the Snopes report stated “We were unable to locate any relevant portion of the act that specifically mandated what the meme claimed.” In fact, 45 C.F.R. § 164.530 states:

(a)(1) Standard: Personnel designations. (i) A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.

A better approach for health insurance subscribers facing denial of a treatment ordered by their physician is to follow the appeal mechanisms specified in their plans, and check their rights under applicable state law. For instance, Pennsylvania’s Act 68 includes certain standards for managed care plans and offers complaint and grievance procedures for individuals.

Lesson: Viral memes are often an unreliable source of legal advice.  I’m a major fan of Snopes.com, but sometimes even Snopes doesn’t get all the details.

Some Issues for Providers Regarding Involvement of Authorities in Patient ID Checks

Posted in Articles, Medical Identity Theft, Privacy & Security

Our partners Elizabeth Litten and William H. Maruca and I were quoted by our good friend Marla Durben Hirsch in her article in Medical Practice Compliance Alert entitled “Watch for HIPAA Pitfalls When Involving Police in ID Checks.” Full text can be found in the October 26, 2015, issue, but a synopsis is below. Marla’s article was also featured in Part B News.

Houston area OB/GYN clinic Northeast Women’s Healthcare has received attention due to a situation involving the verification of a patient’s identification by contacting law enforcement. The clinic believed that a patient was attempting to use false identification in order to receive treatment at the facility, which prompted it to contact law enforcement. When local authorities were given the license number, it was determined that the information provided was false, which led to the arrest of the individual seeking treatment.

Although the individual was alleged to have tampered with government records and has been noted as an undocumented immigrant, some questions have surfaced whether the clinic’s procedure violated HIPAA regulations by disclosing protected health information.

Some of the considerations identified in the article for providers that are concerned about possible false identification submitted by a patient include the following from Marla’s article:

  1. “Providers appear to be under no obligation under HIPAA to report suspicious documents,” points out Maruca.
  2. “It’s not up to a doctor’s office to be a cop. You need to balance quality and safety issues versus the veneer of not wanting to treat the undocumented,” Litten says.
  3. “The controversy also is fueled by its occurrence in Texas, with not only a large demographic of immigrants but also where immigration status is a hot button issue and has garnered significant publicity,” Kline says.
  4. Kline continues by stating, “Emotions on this are high in Texas. It heightens the sexiness of the case.”

The obligations of providers to report to authorities that an individual has submitted suspected false identification to secure healthcare services can be complex and fact-specific.  Depending on the fact pattern, the matter can even become a media event.  In light of heightened sensitivities to immigration status, this issue can be expected to be a developing area of HIPAA and State law on identity theft, which may differ from HIPAA.

Chief Administrative Law Judge Refuses to Swallow FTC’s Section 5 Interpretation in LabMD Ruling

Posted in Privacy & Security, Uncategorized

Already many blogs and articles have been written on Chief Administrative Law Judge D. Michael Chappell’s November 13, 2015 92-page decision exonerating LabMD from the FTC’s charges that it failed to provide reasonable and appropriate security for personal information maintained on its computer networks in violation of Section 5(a) of the FTC Act.  A number of the commentators accurately point out that this ruling makes it clear the FTC does not have unbridled enforcement authority over allegedly “unfair” data security cases.

The FTC would have had Chief Judge Chappell believe that liability should be imposed for conduct that is theoretically “likely” to cause consumer harm, despite its inability to identify a single instance of consumer harm over the course of 7 years since the allegedly “unfair” conduct occurred. Judge Chappell refused to drink the FTC’s Kool-Aid, though, restoring my faith in the ability of logic and rational thinking to outweigh agency fluff and bluster in an administrative judicial proceeding. Section 5(n) of the FTC Act requires a showing that the conduct “caused, or is likely to cause, substantial injury to consumers,” and while the Act doesn’t define the word “likely”, Judge Chappell concluded that:

The term “likely” in Section 5(n) does not mean that something is merely possible. Instead, “likely” means that it is probable that something will occur.

Hardly complex legal reasoning – just basic, simple common sense.

We blogged on this case and the FTC’s enforcement activities in the data security realm in October of 2014 (read here), as well as in March, April, May and June of 2014 (read here), and have closely followed LabMD founder Michael Daugherty’s tireless battle to defend his small, now-defunct cancer testing company from what has seemed an outrageous abuse of regulatory enforcement power from the beginning.

It’s refreshing (and relieving, for other businesses facing FTC investigations over what may seem to be minor and inconsequential infractions) that Judge Chappell carefully considered the evidence presented over the course of approximately two years and injected intelligence and reason into a case that seemed shockingly deficient in these traits.  Thank goodness Judge Chappell refused to drink from the FTC’s “possible-means-likely” cup of legal reasoning.  However, the Judge’s painstakingly articulated factual findings, enumerated in 258 paragraphs, reveal the unsettling back-story behind this case.

The FTC’s case was built around information provided to it by a company affiliated with Tiversa, a business involved in finding security vulnerabilities in companies’ computer networks and then selling remediation services to the companies to prevent similar infiltrations.  LabMD declined Tiversa’s offer to sell it remediation services.  Chief Judge Chappell found:

158. Mr. Boback’s motive to retaliate against LabMD for refusing to purchase remediation services from Tiversa … resulted in Tiversa’s decision to include LabMD in the information provided to the FTC… .

The FTC may be wishing it had heeded the warning and advice of FTC Commissioner J. Thomas Rosch, who had initially suggested (in his Dissenting Statement issued June 21, 2012) that FTC staff should not rely on Tiversa for evidence or information related to LabMD, given Tiversa’s business model and prior attempts to sell its services to LabMD, in order to avoid the appearance of impropriety.  Instead, FTC staff readily accepted Tiversa’s Kool-Aid, relying on evidence it might have realized was tainted at the outset.

Again, hardly complex reasoning – just basic, simple common sense:  if it doesn’t smell or taste right, don’t drink the Kool-Aid.

Regardless of whether the case is appealed and its ultimate outcome, the LabMD ruling  may serve as a precedent to encourage others to challenge the FTC’s enforcement authority under Section 5, authority that the agency has expanded over the years through consent decrees, particularly where there is no evidence that allegedly inadequate security practices have resulted in (or will probably result in) consumer harm.

Emailing PHI? NIST Seeks Comments on Trustworthy Email by November 30, 2015

Posted in Health IT, HIPAA Enforcement, Privacy & Security, Uncategorized

When and how should you email PHI, if at all?  The Office for Civil Rights (OCR) offers guidance as to the permissibility of sending PHI via email in this “Frequently Asked Question” answer, but doesn’t provide specifics as to how PHI can be safely emailed.  Whether you are a covered entity or a business associate (or the CIO or Privacy Officer for a covered entity or business associate), an attorney trying to navigate privacy and security compliance under HIPAA and other laws, or an individual whose PHI is at stake, you may wonder what tools and resources are available to protect PHI transmitted via email.

The National Institute of Standards and Technology (NIST) has provided many such tools and resources, including its 2007 “Guidelines on Electronic Mail Security”. Now, though, NIST is accepting comments through November 30, 2015 on its most recent proposed set of email security guidelines, “Special Publication 800-177, Trustworthy Email”. Though this Trustworthy Email draft (available with other NIST computer security and privacy publications here) comes with a disclaimer that it is “written for the enterprise email administrator, information security specialists and network managers”, it’s worth reviewing (even by the less tech-savvy among us) because it breaks down and describes each component of email functionality and the protocols and technology currently available to improve privacy and security.

Emailing PHI has become extremely common, but before deciding to send or receive PHI via email, it’s a good idea to make sure the Trustworthy Email protocols and technologies have been considered. And if you have suggestions or comments as to how these protocols and technologies specifically relate to or can be improved in the context of emails containing PHI, here’s your chance to speak up! Finally, remember that whatever comes out as the final set of NIST guidelines can become obsolete quickly in this rapidly developing and expanding e-world.