
HIPAA, HITECH & HIT

Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

Ebola In The News – Is Too Much PHI Being Revealed And By Whom?

Posted in Articles, Privacy & Security

The names and photos of the late Thomas Eric Duncan and his former nurse Nina Pham are all over news media reports of the first cases of Ebola in the United States.   But just how did news outlets learn their identities?   Or, as my assistant asked me this morning, “isn’t this a HIPAA violation?” as many of the facts would appear to qualify as protected health information (PHI).

[Photos: Thomas Eric Duncan (source: CBS46.com); Nina Pham, R.N. (source: ABC News)]

Mr. Duncan’s name hit the news shortly after he was diagnosed with Ebola at Texas Health Presbyterian on September 30, 2014, during his second visit to that hospital after arriving in Dallas on September 20 from Liberia, where he had been exposed to a neighbor who later died from the deadly virus.  After he succumbed to the disease on October 8, the details of his illness and treatment began to flow.  A recent Associated Press story describes his care day by day.  It reports that Duncan’s nephew, Josephus Weeks, spoke with the AP, and states that “Hundreds of pages of medical records provided to The Associated Press chart the disease’s relentless march through Duncan’s body and provide an unprecedented look at how Ebola killed despite the aggressive efforts doctors made to save him.”  His mother, Nowai Korkoyah, is also quoted in the article.

One of the critical care nurses who had treated Duncan at Texas Health Presbyterian Hospital, Nina Pham, has now tested positive for the disease and is being treated in isolation.  Pham was reportedly identified by family members who confirmed her name to ABC News affiliate WFAA.  Her family also reportedly confirmed her identity to USA Today.

Pham’s pastor reportedly disclosed to WFAA that she received a blood transfusion on October 14.  The story identifies the donor, Dr. Kent Brantly, and the fact that he was himself an Ebola survivor and attributes that information to “sources close to Brantly.”

Ebola is a devastating communicable disease about which the general public needs education and guidance, but the HIPAA rule does not provide exceptions for newsworthy or unusually terrifying medical conditions.  There are exceptions relating to public health and safety, but they generally do not permit covered entities or their business associates to release PHI to the media or general public.  Also, keep in mind that HIPAA applies only to covered entities and business associates, and does not restrict what information patients, or their family members, clergy, friends or neighbors, may legally disclose.   (However, there is a need to be aware that state privacy or defamation statutes and case law may limit what family members, clergy, friends or neighbors may legally disclose.)

Duncan’s relatives would have had access to his medical records after his death only to the extent they were involved in his care or if they were his “personal representatives,” or during his life if he released his records to them.   HIPAA Regulation section 164.502(g)(4) states  “If under applicable law an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual’s estate, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation.”   Not all relatives can compel the release of a decedent’s medical records, but anyone who obtains such records, for instance from another relative who is the executor or administrator of the estate, is not prohibited by HIPAA from sharing them with the media.

What about public safety?  Some commenters have suggested that in the case of serious public threats, “HIPAA be damned.”  The HIPAA rule at 45 CFR § 164.512(b) does include an exception for uses and disclosures for public health activities, but that exception is limited.  A covered entity may use or disclose PHI to a public health authority (such as the Centers for Disease Control and Prevention (CDC)) that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease and injury and the conduct of public health surveillance, public health investigations, and public health interventions.  Note that the recipient must be a public health authority; the exception does not make the media, or the public at large, a permissible recipient.  The CDC has issued valuable guidance on the effect of HIPAA on its mission.

PHI may also be disclosed to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation.  That exception could authorize, for example, direct communication with the families and close associates of Mr. Duncan and Ms. Pham, but not disclosure to media outlets.

How did Ms. Pham’s identity emerge?  One web site, Gotnews.com, explained in an “Exclusive & Breaking” report: “After learning the address of the unnamed Ebola patient, Gotnews.com editor-in-chief Charles C. Johnson and researcher Shannon Knutsen cross referenced the address with a list of every known occupant.”  This raises the question of how they learned her address.  Yahoo News claimed it identified Pham through “public records and a state nursing database.”  Sounds like impressive detective work, but what additional data did they rely on to narrow down their search, and from what sources?  Resourceful journalists will follow leads, rumors and word-of-mouth reports, but if the sources were hospital personnel who revealed enough about these patients to allow their identification once cross-referenced with public sources, those personnel likely crossed the line even if they never revealed a name.  That is the point of the “individually identifiable” standard: an address, an employer, a date of admission or a job title is PHI if it can reasonably be combined with other available information to identify the individual, and the case is all the stronger where the leakers knew the information could be combined that way.

Individuals are certainly free to share their own stories any way they like.  For example, Dr. Brantly authored a first-person piece entitled  This Is What It Feels like To Survive Ebola in Time magazine.   Nina Pham issued a statement through the hospital, assuring supporters “I’m doing well and want to thank everyone for their kind wishes and prayers.”

This isn’t the first time Ebola has raised HIPAA compliance issues. Two Nebraska Medical Center employees were fired for improperly accessing records of a patient being treated for Ebola in September.  (Ironically, these reports also reveal the name of the patient, an American doctor who contracted the virus in West Africa.)  Accordingly, covered entities and business associates should remind all personnel that the rules don’t change because of controversial, highly dangerous diseases.   We will continue to monitor developments in this rapidly evolving story.

Cyber-Sleuth or Cyber-Thief? LabMD Case Continues to Expose the Good, the Bad, and the Downright Ugly in Cyber-Security Developments

Posted in HIPAA Enforcement, Privacy & Security, Uncategorized

LabMD, Inc. CEO Michael J. Daugherty continues to doggedly defend LabMD against an action brought by the Federal Trade Commission (FTC) against LabMD based on Section 5 of the FTC Act.  He now has an opportunity to prove himself the “good guy” following last week’s decision by Chief Administrative Law Judge D. Michael Chappell granting LabMD’s motion that Chappell formally request an order from the U.S. Attorney General to compel testimony from, and provide immunity to, a key witness expected to expose the dirty investigative tactics and tainted facts relied upon by the government in bringing the action against LabMD.  The key witness is a former employee of Tiversa Holding Company, Inc. (“Tiversa”), the company that dredged up a patient data file, leading the FTC to claim LabMD had “unreasonable data security practices” that were “likely to result in unauthorized exposure of data” in violation of Section 5.   So who’s the “bad guy” here?

The witness is expected to testify that, contrary to allegations that form the bedrock of the FTC’s action, Tiversa did not find LabMD’s patient data file on four separate internet addresses as the result of a LabMD employee’s unauthorized download of a peer-to-peer (“P2P”) music-sharing app on a company computer.  Rather, using what Tiversa has referred to as its high-powered, patent-pending search engine technology, Tiversa found the patient data file only on a LabMD computer.

The murky relationship between the FTC and Tiversa appears to be a key trigger of the Congressional Oversight Committee investigation into this case, but I am most struck by the murkiness of the line separating cyber-sleuthing from cyber-stealing here.  That line becomes a bit more clear (and unsettling) when the case is viewed in terms of who found what, where, when and how.  If Tiversa came across the LabMD patient data file sitting around on unprotected internet addresses, it would suggest that members of the public could have accessed and may have viewed the files.  If, on the other hand, Tiversa crept into LabMD’s computer system and found the patient data file residing within LabMD’s system, it’s quite another matter.

If the local police (or neighborhood watch member) sees that a homeowner has left the front door wide open, should the police or neighbor be permitted to walk in, look around for a key to lock the house, or perhaps even take the homeowner’s possessions?  If the door is closed, should the police or neighbor be allowed to search for the hidden key, open the front door, and take some things to teach the homeowner a lesson – or to profit by selling the homeowner a home security system?  Most people would agree there’s a distinct line between helpful investigation and protection, on one side, and abuse of power and theft, on the other.  But  I digress.  Back to Section 5 of the FTC Act.

Reading between the redacted lines of FTC counsel’s response to LabMD’s motion, it appears the FTC will try to show that the witness is biased against Tiversa and unreliable, and will argue that even if Tiversa didn’t discover the LabMD data file any place outside of LabMD’s possession, Section 5 was violated because the patient data file was “available for sharing on a P2P network from a LabMD computer” back in 2008, when it was initially “found” by Tiversa.

In June of 2014, the FTC opposed LabMD’s motion to dismiss the Section 5 action.  It argued that Section 5 broadly permits the FTC to bring enforcement actions where a company’s practices “[1] cause[d] or [are] likely to cause substantial injury to consumers which is [2] not reasonably avoidable by the consumers themselves and [3] not outweighed by countervailing benefits to consumers or to competition.”  The FTC then argued that “a showing of substantial injury or the likelihood of substantial injury from a company’s security practices does not require that an actual breach occur.”  Under HIPAA, on the other hand, it is generally the occurrence of a breach that triggers government action.

This case isn’t over, and it remains to be seen whether Chappell will find the witness’s testimony credible and/or relevant to a finding that LabMD violated Section 5.  It also remains to be seen whether the FTC and Tiversa will end up looking like cyber-sleuths out to uncover, and protect the public from, lax security practices, or will look more like cyber-thieves grasping for money, power, publicity or something else.  Either way, this case is ugly and certainly does not create a high level of confidence in the cyber-security investigation and enforcement tactics utilized by the FTC.


Beware of Social Utilities Bearing New Apps Gifts

Posted in Privacy & Security

Michael Coco writes:

I have never considered myself to be at the forefront of the newest technology. Those familiar with the Technology Adoption Lifecycle might even classify me as a “laggard.” For example, I don’t own a Blu-ray player, a first-generation iPod nano controls the music in my car, and the only reason I bought an iPhone 5 is that my iPhone 4 broke and buying a new iPhone 5 was actually cheaper than fixing my iPhone 4. P.S., buying an iPhone 6 is not on my current radar screen.  I do, however, use most mainstream technology and social media such as Facebook and LinkedIn (I am not a dinosaur, yet). When my son was born last month, I received several messages on my Facebook account, but I ran into trouble when I tried to read the messages on my iPhone.

When I attempted to read my Facebook messages as I had done in the past, I was annoyingly surprised when a little critter popped up and informed me that they had “moved” to a new messaging system and that I needed to download a new app. As a laggard, I am reluctant to download new apps. Most people would find my iPhone very boring – I don’t even have Angry Birds. Naturally, I refused to download the app. I went online to see if there was a way to decline the app, and what I discovered was alarming. Many people, like me, have apparently already expressed annoyance that they were required to download an app for something that worked perfectly well to begin with, but the more troubling information surrounding the app was its privacy and permissions concerns.

When I started digging, I learned that the new Facebook Messenger makes several “permissions” requests in certain devices; such requests include permission to access your contacts, call logs, camera, microphone, text messages, and make phone calls.  There has been widespread criticism aimed at the intrusive properties of this new app, and some bloggers say it resembles “spyware.”  People who are entrusted to secure confidential information, such as attorneys and health care providers, should take care when downloading apps like Facebook Messenger. I don’t mean to pick on Facebook Messenger with this blog entry; it is merely a current example. To be fair, many other applications request similar permissions and gain access to various parts of your phone or personal device and you probably already have these applications installed (unless you are a paranoid laggard like me). Apps like Facebook Messenger request such permissions to improve efficiency and make a better product for the end user. As more toys are added to personal devices, more and more apps will integrate and access different areas of your personal device.

As permissions from apps increase and overall privacy decreases, health care providers and others should be careful when both entering sensitive information, such as protected health information, into a personal device and downloading applications that could be used to access such sensitive information. If you must place the names of patients or clients in your personal device, or if such information may come involuntarily to your device from another person, do not include any notes related to sensitive information. And, above all, make sure not to just check the acceptance box to use the app unless you actually read beforehand what you are authorizing the app provider to do with your information.  I would appreciate recommendations from people who know of any ways to secure or separate data within a personal device to protect it from being accessed by other applications.

(All capitalized terms constituting trademarks are the property of the respective trademark owners.)

[Michael Coco handles a range of corporate matters, focusing his practice primarily in the area of health law. As a former ER staff nurse and chemist, Michael has in-depth insight into such topics as FDA approval of medical devices as well as hospital compliance with federal and state laws and regulations, including privacy and security of health information and professional standards.]


“Step Away from that Subpoena” and Review HIPAA Obligations Before Producing PHI

Posted in Privacy & Security

If you receive a subpoena, discovery request, or even a court order demanding the release or production of documents or files that may contain protected health information (PHI), are you obligated to comply?  The surprising answer, in many cases, is “no”.  Even more surprising may be the fact that, in attempting to comply with what appears to be a valid legal document, you may actually be violating federal law.

HIPAA regulations require, first and foremost, that covered entities, business associates, and their subcontractors protect the privacy and security of PHI they create, receive, maintain, or transmit.  PHI may be disclosed only under specific circumstances, one of which is disclosure for judicial and administrative proceedings (45 C.F.R. § 164.512(e)).  Even that circumstance has limits and, notably, permits but does not require the disclosure.  HIPAA mandates disclosure in only two situations (to the individual, and to HHS for a compliance investigation); the judicial and administrative proceedings provision is permissive only.  Recent inquiries about litigation matters that involve subpoenas, court orders, and PHI prompted me to list a few reasons to step back and carefully consider your HIPAA obligations before responding.

  1. Does the demand or request require you to redact PHI from your response?  If so, be sure not only to remove all obvious individual identifiers, but review the de-identification standard at 45 C.F.R. § 164.514(b) to make certain you have completely de-identified the information (beware, for example, of leaving in geographic identifiers such as the city in which the individual resides, dates other than the year, or full ZIP codes, any of which can be cross-referenced with other records to re-identify the individual).
  2. If the demand or request is contained in a court order, can you limit the disclosure to only the information authorized in the order?  Do not produce documents or files in response to an order of a court or administrative tribunal if the production might result in the release of PHI that is not specifically identified in the order.
  3. Evaluate the demand or request to ascertain whether the PHI demanded or requested is the “minimum necessary” to meet the purpose.  Do not produce documents or files in response to an order of a court or administrative tribunal if the production might result in the release of PHI in excess of what may be deemed “minimally necessary” under HIPAA to achieve the purposes of the subpoena, discovery request, or court order.
  4. If the demand or request is contained in a subpoena or discovery request not accompanied by a court order, you cannot disclose PHI until you receive the required assurances.  Bear in mind that you “may” disclose PHI in response to such a subpoena or discovery request, but only after receiving satisfactory assurances that reasonable efforts have been made to give the individual notice of the request, or that a qualified protective order has been sought.
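Item 1 above and the Ebola post earlier on this page describe the two sides of one problem: a record that still carries a city, a full date of birth or a ZIP code is not de-identified, because exactly those fields are what an outsider cross-references against public records to put a name back on it. The following is an added Python example, not code from the original posts; it uses a constructed name list, city list, sample note and “public directory” (KNOWN_NAMES, KNOWN_CITIES, NOTE, PUBLIC_DIRECTORY) standing in for the dictionaries and public lists a real pass would draw on, and it covers only the pattern-matchable Safe Harbor identifier categories. It first flags and strips the identifiers, then shows that the un-redacted note links to exactly one directory entry while the redacted note (year only, no city) links to everyone.

```python
import re

# Constructed stand-ins for the name and place dictionaries a real redaction pass
# would draw on; nothing here is real patient or directory data.
KNOWN_NAMES = {"jane roe", "john poe", "maria diaz"}
KNOWN_CITIES = {"dallas", "fort worth", "plano"}

# Pattern-matchable subsets of the Safe Harbor identifier categories listed in
# 45 CFR 164.514(b)(2). Names and cities come from the dictionaries above; other
# free-text identifiers (employer, device serial numbers, ...) are out of scope.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d+\b", re.IGNORECASE),
    "zip5": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    # Safe Harbor permits the year alone; month and day must be removed.
    "date_smaller_than_year": re.compile(
        r"\b(?P<m>0?[1-9]|1[0-2])/(?P<d>0?[1-9]|[12]\d|3[01])/(?P<y>(?:19|20)\d{2})\b"),
}


def _word(term):
    """Case-insensitive whole-word matcher for a dictionary term."""
    return re.compile(r"\b" + re.escape(term) + r"\b", re.IGNORECASE)


def find_identifiers(text):
    """Return {category: [matched strings]} for every identifier still present."""
    found = {}
    for cat, rx in PATTERNS.items():
        hits = [m.group(0) for m in rx.finditer(text)]
        if hits:
            found[cat] = hits
    names = [n for n in sorted(KNOWN_NAMES) if _word(n).search(text)]
    cities = [c for c in sorted(KNOWN_CITIES) if _word(c).search(text)]
    if names:
        found["name"] = names
    if cities:
        found["geo_smaller_than_state"] = cities
    return found


def redact(text):
    """Strip the identifiers above. Dates are reduced to the year; everything else
    is replaced by a category tag so a reviewer can see what was removed."""
    out = text
    for cat, rx in PATTERNS.items():
        if cat == "date_smaller_than_year":
            out = rx.sub(lambda m: m.group("y"), out)
        else:
            out = rx.sub(f"[REDACTED-{cat}]", out)
    for n in KNOWN_NAMES:
        out = _word(n).sub("[REDACTED-name]", out)
    for c in KNOWN_CITIES:
        out = _word(c).sub("[REDACTED-geo]", out)
    return out


# Constructed stand-in for a public list (voter roll, licence database, ...).
PUBLIC_DIRECTORY = [
    {"name": "Jane Roe", "city": "Dallas", "dob": "03/14/1987"},
    {"name": "Ann Lee", "city": "Dallas", "dob": "07/02/1987"},
    {"name": "Kim Park", "city": "Plano", "dob": "03/14/1987"},
]


def extract_quasi_ids(text):
    """Pull what an outsider could cross-reference: a city and a full date of
    birth, or just a year if that is all that survived redaction."""
    q = {}
    for c in sorted(KNOWN_CITIES):
        if _word(c).search(text):
            q["city"] = c
            break
    m = PATTERNS["date_smaller_than_year"].search(text)
    if m:
        q["dob"] = f"{int(m['m']):02d}/{int(m['d']):02d}/{m['y']}"
    else:
        y = re.search(r"\b(?:19|20)\d{2}\b", text)  # heuristic: first year found
        if y:
            q["birth_year"] = y.group(0)
    return q


def link(quasi_ids, directory=PUBLIC_DIRECTORY):
    """Directory names consistent with every quasi-identifier supplied.
    A single hit means the 'de-identified' record has been re-identified."""
    hits = []
    for row in directory:
        if "city" in quasi_ids and row["city"].lower() != quasi_ids["city"].lower():
            continue
        if "dob" in quasi_ids and row["dob"] != quasi_ids["dob"]:
            continue
        if "birth_year" in quasi_ids and row["dob"][-4:] != quasi_ids["birth_year"]:
            continue
        hits.append(row["name"])
    return hits


# Constructed sample note, not a real record.
NOTE = ("Pt Jane Roe (MRN 4471923), Dallas TX 75201, DOB 03/14/1987, "
        "cell 214-555-0100, admitted with fever after recent travel.")

if __name__ == "__main__":
    print(find_identifiers(NOTE))
    print(redact(NOTE))
    print(link(extract_quasi_ids(NOTE)))                   # one name: re-identified
    print(link({"city": "Dallas", "birth_year": "1987"}))  # city left in: 2 candidates
    print(link(extract_quasi_ids(redact(NOTE))))           # year only: everyone
```

The third and fourth calls are the point of item 1: with the date reduced to a year but the city left in, the candidate set is still only two people, and one more leaked attribute (the nursing licence database in the Ebola post, for instance) would finish the job. Treat `find_identifiers(redact(x)) == {}` as a necessary check before production, not a sufficient one; a dictionary-based pass cannot catch identifiers it has no dictionary for.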

Don’t be intimidated by an official-looking legal document or assume that because it demands information in connection with litigation (whether you are a party to the litigation or not), you can ignore your responsibility to protect and secure PHI under HIPAA.   Remember that the lawyer who drafted (or sent you) that subpoena, discovery request or court order is not responsible for your HIPAA compliance.

Countdown to September 22nd — Shortcuts for Business Associate Agreement Compliance

Posted in HIPAA Business Associates

The deadline for executing a HIPAA Omnibus Rule-compliant Business Associate Agreement (BAA) looms just 2 short weeks from today.  What can a busy covered entity (CE) or business associate (BA) do quickly to show HHS (let alone its business partners/contractors) that it wants and fully intends to comply with the new requirements?  Here are 3 shortcuts that might help you squeak that new BAA in before the deadline:

  • Review and update or prepare an Omnibus Rule-compliant BAA; consider changing the opening language to state that you and/or your contractor “may be” a CE, BA, or subcontractor as those terms are defined under HIPAA and that the services “may” involve or require the use or disclosure of protected health information (“PHI”).  This way, the BAA can be executed, but will only apply to HIPAA-covered arrangements.
  • If you know you are a CE, BA, or subcontractor of a BA and know (or expect) the arrangement will involve or require the use or disclosure of PHI, but you aren’t sure your existing BAAs are up-to-date, send a generic letter to your contractors via email letting them know that, to the extent HIPAA applies to your business arrangement, you share their responsibility and desire to comply with HIPAA.  Attach or send a link to a website where your updated or new BAA can be accessed by the contractor.
  • Encourage your contractor to sign the new BAA and email or print and fax a signed copy back to you (again, time is running out!).

HIPAA compliance is more than BAA documentation, of course, but these shortcuts can help you jumpstart (or wrap up) this aspect of compliance.

Is that Cute Baby Photo Really PHI? Calming the HIPAA Hullabaloo

Posted in Privacy & Security

Last Sunday’s New York Times article by Anemona Hartocollis on the illegality of posting baby pictures in a doctor’s office made me wonder if anyone I know could pick my kids’ faces out of a line up of cute newborn photos posted on the wall of a doctor’s office.

I like to think my kids had the most adorable, memorable baby faces ever, but the reality is that most babies are adorable and I’m not sure even my closest friends would recognize my kids’ faces in a doctor office baby photo collage.  If not, would their photos even be protected health information (PHI) — or would this posting really jeopardize the privacy or security of the PHI in a manner violative of HIPAA?

Before HIPAA hullabaloo becomes HIPAA hysteria, it’s often helpful to do a quick run down of a few important (albeit oversimplified) HIPAA basics:

  • PHI is “individually identifiable health information”
  • “Individually identifiable health information” is a subset of health information that is:
    • created or received by a health care provider;
    • relates to the past, present or future physical or mental health or condition of an individual or the past, present or future provision of health care to an individual; and
    • identifies the individual.

OK, let’s say a proud parent sends the doctor a photo of a blinking or sleeping newborn, or even a picture of a smiling toddler, presumably because the doctor treated the child (or, in the case of an ob/gyn, treated the mother – who, by the way, is not in the photo to begin with in my scenario).  The doctor then adds the photo to a collage or gallery of photos posted in the doctor’s waiting room that has no names, dates, or other identifiers.  If the doctor actually treated the baby or child, the receipt and posting of the photo could be viewed as being “related to” past treatment of the baby or child (though perhaps the doctor includes friends’ and family members’ cute baby photos in the collage, as well).  If third parties could look at the photo and identify the baby or child, arguably the case for some limited period of time (which period is particularly limited, most would agree, in the case of a newborn photo), and it’s obvious that the photos are all photos of the doctor’s patients, then I could concede that the photo constitutes PHI.

But that wouldn’t mean the waiting room posting was necessarily a HIPAA breach, even without the appropriate written, HIPAA-compliant authorization.

Another (again, oversimplified) HIPAA basic:

  • A “breach” excludes a disclosure of PHI where a covered entity (here, the doctor) has a “good faith belief” that an unauthorized person to whom the disclosure was made (other patients or visitors to the office, if the parent did not authorize the posting) would not reasonably have been able to retain the information.

Here’s where the facts and common sense come into play.  Let’s say the doctor’s office posts a sign requesting that patients and visitors not use cell phones in the waiting room, and that a receptionist or staff member has full view of the waiting area.  Let’s also imagine that the baby photo gallery contains dozens, or even hundreds, of baby photos.  Arguably, it is not very likely that the parent waiting with a kid at the pediatrician’s office, or even the interviewing staff member or waiting vendor, will memorize an individual baby’s face so as to identify that baby as having received services from this doctor.

I admit to spending a great deal of time trying to prevent HIPAA breaches, but sometimes HIPAA compliance morphs into unnecessary HIPAA hullabaloo that can be calmed by a quick review of HIPAA basics, some common sense, and a few deep breaths.

The Parade of Major Reported PHI Breaches Surges to 885 – Theft and Loss Dominate the Numbers

Posted in Privacy & Security, Security Breach Notification

The number of large breaches of Protected Health Information (PHI) under HIPAA that have been reported on the so-called “Wall of Shame” (the HHS List) maintained by the U.S. Department of Health and Human Services has jumped by 239 to 885 in less than a year.    The most common breach type is “theft” in this ever-lengthening parade on the HHS List of PHI breaches affecting 500 or more individuals (the List Breaches). Previous blog posts in this series including those discussed here and here discussed the volume of List Breaches that occurred in earlier periods.

It took nearly 3½ years between the inception of the HHS List on March 4, 2010 and August 13, 2013, to reach 646 postings, for an annualized average of approximately 189 postings per twelve-month period. In less than twelve months from August 13, 2013 to July 29, 2014, 239 more marchers have joined the parade on the HHS List.

A total of 430, or almost one-half (48.6%), of the 885 List Breaches reported the breach type to involve “theft” of all kinds, including laptops, other portable electronic devices, desktop computers, network servers, paper records and others. If the approximately 73 additional List Breaches that reported the breach type as a “loss” of various types (excluding any List Breach that also reported theft as a breach type) are added to the 430 theft events, the total for the two categories swells to approximately 503, or 56.8% of the 885 posted List Breaches. Combining the two categories appears to make some sense, as it is likely that a number of the List Breaches categorized as a “loss” event involved some criminal aspect.

Even more significant may be the fact that approximately 272 (30.7%) of the List Breaches reflected the cause or partial cause of the breach to be “theft” or “loss” respecting laptops or other portable electronic devices (collectively, Portable Devices). Theft or loss of Portable Devices thus constituted 54.1% of the approximately 503 List Breaches that reported theft or loss as the breach type.

As has been emphasized in the past, it may have become more a question of when a covered entity (CE), business associate (BA) or subcontractor (SC) will suffer a PHI security breach and how severe the breach will be, rather than if it will ever suffer a breach. The geometric increase in Portable Devices that can create, receive, maintain and transmit PHI requires CEs, BAs and SCs to perform adequate risk assessments and establish effective policies and procedures respecting employer-supplied and personally-owned Portable Devices.

Two Months to Amend HIPAA Business Associate Agreements for Omnibus Compliance, But Beware the Bare Bones BAA

Posted in HIPAA Enforcement, Omnibus Rule

Does your business associate agreement (BAA) reflect your business deal, or is it a bare bones HIPAA compliance document?

Now is the time to check. The HIPAA “Omnibus Rule” published in January of 2013 gave covered entities, business associates, and subcontractors until September 22, 2014 to make their business associate agreements (BAAs) compliant, so use the next few weeks to make sure your BAA complies with the law and reflects your business deal.

HHS published a bare bones sample BAA when the Omnibus Rule came out, and a number of posts to this blog provide tips that can be used in reviewing and updating your BAA.

But don’t forget that a good BAA supports and is supported by the underlying services contract between the parties; that contract should be the meat on the bones of the BAA and the brain behind it. A perfectly HIPAA-compliant BAA will crumble into dust if it’s not written to reflect and support the services contract and underlying business deal. Here are two key questions to ask to make sure the business deal and BAA are working in sync:

Question 1: Who are the parties to the BAA?

  • What are the roles of the parties under HIPAA? Check definitions and what is being performed by one party “on behalf of” the other.
  • If the business associate is really a subcontractor (because the covered entity is really a business associate or subcontractor itself), does the BAA (or subcontractor agreement (SA)) recognize and describe the privacy and security obligations imposed by the BAA above it? Has such BAA or subcontractor actually reviewed the BAA or SA above it?
  • If both parties are covered entities, does the BAA clearly describe when the business associate is acting as such, and not as its own covered entity?
  • Will the covered entity ever act as a business associate in relation to the other party?

Question 2: What is the business reason for or purpose of the use and/or disclosure of protected health information (PHI)?

  • What is the reason PHI is being created, received, maintained or transmitted on behalf of the covered entity, business associate or subcontractor?
  • Do the parties have reciprocal obligations to abide by privacy and security standards, such as minimum necessary standards?
  • Will the business associate (or subcontractor) have any claim to own, de-identify, aggregate, modify or keep data derived from the PHI that is the subject of the BAA (for example, will the business associate’s activities with respect to the PHI under the BAA produce other data or data sets not subject to or contemplated by the services contract)?

The bottom line? Before the summer fades (and certainly before September 22nd), make sure your BAA meets the Omnibus Rule requirements, but also make sure it reflects and supports your business deal. The bare bones BAA may not be what you want or need.

Hobby Lobby, HIPAA and Happy Independence Day

Posted in Health Reform, Privacy & Security

The recent United States Supreme Court decision in Burwell v. Hobby Lobby Stores, Inc. has  attorneys, pundits, policy-makers and businesses (yes, corporations are people, too) pondering big, quintessentially American issues like the free exercise of religion, compelling government interests, and our fundamental right to make money (and, as a corollary issue, what distinguishes for-profit from not-for-profit corporations).  Perhaps not many people are pondering the HIPAA implications of this historic decision, but if you are reading this blog, you might be among the very few of us wondering what this decision means in terms of HIPAA protection.  Or, more likely, you are wondering why I don’t have better things to think about on the eve of a national holiday.

The majority notes that the Department of Health and Human Services (HHS) has effectively exempted certain religious nonprofit organizations (“eligible organizations”) from the contraceptive mandate imposed by the Affordable Care Act (ACA).  If an employer certifies that it is an eligible organization, its health insurance issuer must exclude contraceptive coverage from the employer’s plan and must provide separate payments for contraceptive services for plan participants without imposing fees or cost-sharing requirements on the eligible organization, its insurance plan, or its employee beneficiaries.  HHS regulations implementing this eligible organization contraceptive policy make it clear that the health insurance issuer is not acting as an insurance carrier under state insurance law because the payments for contraceptive coverage “derive solely from a federal regulatory requirement, not a health insurance policy… .”  If the eligible organization is self-funded, its third party administrator (TPA) must pay for contraceptive services (without imposing fees or cost-sharing requirements) or arrange for an insurer or other entity to pay for these services.

The Hobby Lobby majority endorses this “reasonable accommodation” for use by religious for-profit, closely-held corporations such as Hobby Lobby – it points out that HHS has the means to achieve its desired goal (here, employer plan coverage of contraceptives) without imposing a substantial burden on the exercise of religion by these closely-held corporate entities.

Back to HIPAA.  If a beneficiary of an eligible organization’s health plan seeks contraceptive coverage, and the health plan is not covering this benefit, who is the covered entity for purposes of HIPAA compliance?  If the eligible organization has a self-funded plan, is the TPA (which acts as the business associate in relation to the self-funded plan in its normal course of operations) the “covered entity” for purposes of protected health information (PHI) related to contraceptive services?   This is an important question because presumably the beneficiary who is seeking contraceptive services must obtain coverage for these services from someone other than the eligible organization’s health plan.

Women whose health plans do not cover contraception, whether because their employer plans were exempt from the ACA contraceptive coverage mandate under the pre-Hobby Lobby religious nonprofit exemption, or because the Hobby Lobby decision casts open the doors to new employer plan exemptions, may want to think about who’s responsible for protecting this very personal PHI.

The requirements of HIPAA impose other specific obligations on a covered entity and raise additional questions.  For example, what will the Notice of Privacy Practices of the covered entity (assuming we know who that is) look like for contraceptive services?  If the TPA (or other person now responsible for paying for contraceptive services) normally acts as a business associate in relation to the employer plan, does it now need its own Notice of Privacy Practices and business associate agreements with third parties to deal with its receipt of PHI related to contraceptive services?  These types of issues will likely become more clouded as cases involving other challenges to the ACA move through the courts.  Certainly, religious freedom is important and worth protecting, but so too is health information privacy.  Happy Fourth!


Paper Records HIPAA Violation Results in $800,000 Payment under HHS Resolution Agreement

Posted in HIPAA Enforcement, Privacy & Security

My partner Elizabeth Litten was quoted at length by Alexis Kateifides in his recent article in DataGuidance entitled “USA: ‘Unique’ HIPAA violation results in $800,000 settlement.”  While the full text can be found in the June 26, 2014 article in DataGuidance.com, the following considerations are based upon points discussed in the article.  (Elizabeth herself has written many entries on this blog related to the topic of large breaches of protected health information (“PHI”) under HIPAA.)

The article discusses the U.S. Department of Health and Human Services (“HHS”) press release on June 23, 2014 that it had reached a Resolution Agreement (the “Resolution Agreement”) with Parkview Health System, Inc. d/b/a Parkview Physicians Group, f/k/a Parkview Medical Group, a nonprofit Indiana health provider (“Parkview”).  Pursuant to the Resolution Agreement, Parkview has agreed to pay $800,000 as a “Resolution Amount” and to enter a corrective action plan to address its HIPAA compliance issues.

There are several interesting aspects to the Parkview incident and Resolution Agreement, including those in Elizabeth’s comments quoted below.  The Resolution Agreement recites that it relates to an incident that was reported in a complaint to HHS on June 10, 2009 by Dr. Christine Hamilton, a physician.  Dr. Hamilton apparently asserted that Parkview failed to appropriately and reasonably safeguard the PHI of thousands of her patients in paper medical records that had been in the custody of Parkview from September, 2008 when Dr. Hamilton had retired.  The Resolution Agreement alleged that

Parkview employees, with notice that Dr. Hamilton had refused delivery and was not at home, delivered and left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of Dr. Hamilton’s home, within 20 feet of the public road and a short distance away (four doors down) from a heavily trafficked public shopping venue.

Elizabeth pointed out in the DataGuidance article, “The fact that Parkview left such a large volume of medical records in an unsecured location suggests that Parkview acted with ‘willful neglect’ as defined by the HIPAA regulations.”  Elizabeth went on to say in the article,

Although the resolution amount of $800,000 seems high given the fact that the records were, apparently, intended to be transferred from one covered entity to another, the circumstances suggest that Parkview was intentionally or recklessly indifferent to its obligation to secure the records. Second, the incident underscores the risks attendant to paper records. A majority of large breaches involve electronic records, but paper PHI is also vulnerable to breach and covered entities and business associates need to realize that large fines and penalties are also likely to be imposed for failure to secure PHI contained in paper form. . . .  While the Resolution Agreement does not provide very much information as to the events leading up to the ‘driveway dumping’ event, its recitation of the facts raises the possibility that Parkview may not have had proper authorization to hold the records in the first place. . . .  Parkview ‘received and took control’ of the records of 5,000 to 8,000 of the physician’s patients in September of 2008, because it was ‘assisting’ the physician with transitioning the patients to new providers and was ‘considering the possibility of purchasing’ the records from the physician, who was retiring and closing her practice. The ‘driveway dumping’ did not occur until June of 2009. It is not clear from the Resolution Agreement when the physician retired, whether Parkview ever treated the patients, and/or whether Parkview was otherwise appropriately authorized under HIPAA to receive, control and hold the records for this 10-month period.

In addition to the incisive analysis by Elizabeth in the DataGuidance article, there are a few other points worth making relative to the Resolution Agreement.  First, the incident is not posted on the HHS “Wall of Shame” for large PHI breaches affecting 500 or more individuals because it occurred several months before the effective date in September 2009 for such posting.  Second, it is noteworthy that it took almost five years after the incident for the Resolution Agreement to be signed between Parkview and HHS.  Third, as of this writing, the Web site of Parkview appears to contain no reference to the Resolution Agreement or to the payment of the Resolution Amount.

Finally, the Resolution Agreement went to great lengths to make it clear that the $800,000 payment by Parkview was not a civil monetary penalty (“CMP”) but a “resolution amount”; in the Resolution Agreement, HHS reserved the right to impose a CMP if there was noncompliance by Parkview with the corrective action plan.  The HHS Web site says the following about the relatively few cases of resolution agreements (only 21 reported to date):

A resolution agreement is a contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations (e.g., staff training) and make reports to HHS, generally for a period of three years. During the period, HHS monitors the covered entity’s compliance with its obligations. A resolution agreement likely would include the payment of a resolution amount. These agreements are reserved to settle investigations with more serious outcomes. When HHS has not been able to reach a satisfactory resolution through the covered entity’s demonstrated compliance or corrective action through other informal means, civil money penalties (CMPs) may be imposed for noncompliance against a covered entity. To date, HHS has entered into 21 resolution agreements and issued CMPs to one covered entity.