HIPAA, HITECH & HIT

Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

How the NIST Cybersecurity Framework Can Help With HIPAA Compliance: 3 Tips

Posted in Privacy & Security

As our partner Mark McCreary writes in his post describing the “Framework for Improving Critical Infrastructure Cybersecurity” published by the National Institute of Standards and Technology (NIST):

The Framework is designed to work with businesses to reach a sufficient level of cybersecurity protection regardless of size, sector, or level of security. The Framework consists of three parts: (1) the Framework Core, (2) the Framework Implementation Tiers, and (3) the Framework Profiles. The Framework Core is a grouping of cybersecurity activities based on industry indicators, desired outcomes, and practices. It assists businesses in developing Framework Profiles, which are used to create cybersecurity plans.

So how can a health care covered entity (such as a health care provider or health plan) or business associate use the Framework to help with HIPAA compliance?

1.  Review health industry-specific guidance available on NIST’s Framework website, such as that issued by the Health Information Trust Alliance (HITRUST).

2.  Review the Framework and Framework’s FAQs to build a Framework Core that applies in the context of your business activities — for example, include Framework outcome language such as “physical devices and systems within the organization are inventoried” and a Framework category for “Electronic Health Record Access Control”.

3.  Realize that the Framework can be used to improve or strengthen your PHI security by layering it over or weaving it into your HIPAA Privacy and Security Policies and Procedures.


Oncology Group Fined $750,000 Over Stolen Backup Media, Lax Compliance Efforts

Posted in Articles, HIPAA Enforcement, Privacy & Security, Uncategorized

Cancer Care Group, P.C., a 13-physician radiation oncology practice in Indiana (group), has agreed to pay $750,000 and implement a comprehensive corrective action plan in a settlement resulting from the theft of a laptop and backup media containing unencrypted patient information.  As is often the case, the breach incident triggered an investigation that revealed deeper deficiencies in the physician group’s HIPAA compliance efforts.  The Office of Civil Rights of the Department of Health and Human Services (OCR) announced the settlement in a September 2, 2015 press release entitled “$750,000 HIPAA settlement emphasizes the importance of risk analysis and device and media control policies.”  That heading alone strongly suggests that OCR chose this case to send a clear and powerful message to smaller covered entities and business associates that neglecting basic compliance efforts can and will result in heavy fines, especially if meaningful corrective action is not undertaken after a breach occurs.

The practice first notified OCR of the theft of an employee’s laptop bag in 2012 from the employee’s car. The bag contained a laptop, which did not contain ePHI, and unencrypted computer server backup media with names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former patients. OCR learned upon further investigation that the group had taken its HIPAA obligations less than seriously for years preceding the breach.

It had not conducted an enterprise-wide risk analysis when the breach occurred in July 2012. Further, Cancer Care did not have in place a written policy specific to the removal of hardware and electronic media containing ePHI into and out of its facilities, even though this was common practice within the organization. OCR found that these two issues, in particular, contributed to the breach, as an enterprise-wide risk analysis could have identified the removal of unencrypted backup media as an area of significant risk to Cancer Care’s ePHI, and a comprehensive device and media control policy could have provided employees with direction in regard to their responsibilities when removing devices containing ePHI from the facility.

In addition to the fine, the group adopted a Corrective Action Plan as part of its Resolution Agreement with OCR, which can be read here.

Much like the Phoenix Cardiac Surgery settlement that we discussed on this blog in 2012, this case involved not just a one-time negligent breach, but a systematic, ongoing failure to adopt and implement appropriate HIPAA safeguards, policies and compliance efforts. The Resolution Agreement indicates that such failures continued for a significant time after the theft of the devices.

The Resolution Agreement states that the payment of the $750,000 “Resolution Amount” does not preclude the government from imposing civil monetary penalties in the future if the deficiencies are not cured, and the group agreed to extend the statute of limitations on such penalties during the three-year term of the Resolution Agreement and Corrective Action Plan and for one year afterwards. During the term of the Agreement, the group is required to complete a comprehensive Risk Analysis of all security risks and vulnerabilities posed by its electronic equipment, data systems, and applications that contain, store, transmit, or receive electronic protected health information (“ePHI”) and report the results to OCR; develop and implement an organization-wide Risk Management Plan to address and mitigate any security risks and vulnerabilities found in the Risk Analysis; revise and update its policies and procedures to OCR’s satisfaction; revise its current Security Rule Training Program; investigate any workforce member’s violation of such policies and report the results to OCR (even if such violation did not result in a breach); and file detailed annual reports with OCR.

There are plenty of lessons to learn from this settlement, but one of the most critical lessons may be the easiest to implement: encrypt your data, particularly any data that is stored on portable devices, which have a disturbing tendency to disappear. Had the backup media been encrypted, it is likely that the outcome of this incident would have been very different. Another lesson is that, if a breach of HIPAA is discovered, be proactive and act immediately to assess and address the risk and mitigate the potential damage, update your policies and procedures, implement changes designed to avoid another breach, etc. Do not wait for OCR to tell you how to respond to the breach.

Six Tips for Physicians to Protect Patient Data on the Internet

Posted in HIPAA Enforcement, Privacy & Security

Our partner Elizabeth Litten and I were once again quoted by our good friend Marla Durben Hirsch in her recent articles in Medical Practice Compliance Alert entitled “Misapplication of Internet Application Triggers $218,400 Settlement” and “Protect Patient Data on the Internet with These 6 Steps.”  The three of us together were able to come up with a number of ideas to assist physicians in improving the likelihood that protected health information (“PHI”) will be more secure. The full text can be found in the August 17, 2015 issue of Medical Practice Compliance Alert, but a synopsis of our input is included below.

Internet applications and files should be included in a physician practice’s HIPAA compliance plan, or a violation may result. As an example, St. Elizabeth’s Medical Center (“SEMC”) in Brighton, MA recently settled several potential HIPAA violations for $218,400 with the Office of Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”). One of the incidents involved SEMC’s use of an unauthorized internet-based document-sharing application. The size of this settlement highlights the concerns of OCR about misuse by healthcare providers of internet-based document sharing or other applications.

Some steps to protect patient data on the internet include the following:

  1. Review the internet applications your practice uses. Litten says, “Take steps such as encryption to protect the data when it’s shared, transmitted and stored.”
  2. Ask the application’s manufacturer about its security safeguards. “If a manufacturer claims that (its application) is HIPAA protected, ask what that means,” Litten urges.
  3. Investigate all internal and external complaints and concerns. Kline says, “Expect the government to find out about PHI exposed on the Internet from a third party.”
  4. Keep track of the steps you take to identify and fix the problem. “You do better if you have a history that you endeavored to comply with HIPAA,” says Kline.
  5. Provide a mechanism by which employees can report concerns anonymously. Kline suggests, “You need a private place where people feel they’re not being watched.”
  6. Don’t allow staff to use unauthorized public networks. “Don’t open documents in, say, a Starbucks,” warns Litten.

In summary, in order for physicians to protect their practices, they must be certain that they understand HIPAA obligations with respect to privacy and security in the context of internet application usage.

Hackers: Take My Health Information, But Please Don’t Take My Health

Posted in Privacy & Security, Sensitive Health Information

We know by now that protected health information (PHI) and other personal information is vulnerable to hackers.  Last week, the Washington Times reported that the Department of Health and Human Services (HHS), the agency responsible for HIPAA enforcement, had suffered security breaches at the hands of hackers in at least five separate divisions over the past three years.  The article focused on a House Committee on Energy and Commerce report that described the breaches as having been relatively unsophisticated and the responsible security officials as having been unable to provide clear information regarding the security incidents.

We know it’s not a question of “if” sensitive information maintained electronically will be compromised by a hacking or other type of cyber security incident, but “when” — regardless of who maintains it — and how destructive an incident it will be. Even HHS and its operating divisions, which include both the Office of Civil Rights (OCR), charged with protecting PHI privacy and security, and the Food and Drug Administration (FDA), the country’s principal consumer protection and health agency, are vulnerable.

Just one day before its coverage of the House Committee report on the cyber security vulnerabilities that exist within the very government agencies charged with protecting us, the Washington Times reported on an even more alarming cyber security risk: the vulnerability of common medical devices, such as x-ray machines and infusion pumps, to hacks that could compromise not just the privacy and security of our health information, but our actual physical health.

This report brought to mind a recent report on the ability of hackers to remotely access the control systems of automobiles.  While the thought of losing control of my car while driving is terrifying, the realization that medical devices are vulnerable to hackers while being used to diagnose or treat patients is particularly creepy.  The two situations may present equally dangerous scenarios, but hacking into a medical device is like hacking into one’s physical being.

So while it’s one thing to have PHI or other sensitive information compromised by a hacking incident, it’s much more alarming to think that one’s health status, itself, could be compromised by a hacker.

HIPAA-Type Protections Are Not Just For Humans – When It Comes To Medical Records, Animals Have Privacy Rights, Too (Part 2)

Posted in Sensitive Health Information, Uncategorized

Co-authored by Nancy E. Halpern, DVM, Esq. and Elizabeth G. Litten.  Also posted on Animal Law Update.

As reported in expressnews.com:

Joseph Larsen, a Houston-based open records lawyer, said if Texas A&M owns the animals, the chapter cited in the attorney general’s opinion that grants veterinarian-client confidentiality should not apply because the veterinarians are working for the university. He said the law applies only to veterinarians who see animals that are owned by someone else.

However, nothing in the Texas Veterinary Practice Act provides such an exception.

A client is defined as the “owner or other caretaker of the animal.”  § 801.351(a)(1).

Furthermore, veterinary practice requires the existence of a veterinarian-client-patient relationship which exists between laboratory animal veterinarians, Texas A&M and the animals in their care. The law sets forth requirements of the Veterinarian-Client-Patient Relationship as follows:

(a) A person may not practice veterinary medicine unless a veterinarian-client-patient relationship exists. A veterinarian-client-patient relationship exists if the veterinarian:

(1) assumes responsibility for medical judgments regarding the health of an animal and a client, who is the owner or other caretaker of the animal, agrees to follow the veterinarian’s instructions;

(2) possesses sufficient knowledge of the animal to initiate at least a general or preliminary diagnosis of the animal’s medical condition; and

(3) is readily available to provide, or has provided, follow-up medical care in the event of an adverse reaction to, or a failure of, the regimen of therapy provided by the veterinarian.

(b) A veterinarian possesses sufficient knowledge of the animal for purposes of Subsection (a)(2) if the veterinarian has recently seen, or is personally acquainted with, the keeping and care of the animal by:

(1) examining the animal; or

(2) making medically appropriate and timely visits to the premises on which the animal is kept.

(c) A veterinarian-client-patient relationship may not be established solely by telephone or electronic means. (Section 801.351)

There are no laws or regulations exempting laboratory animal veterinarians from licensure in Texas. However, the “board may issue a special license to practice veterinary medicine to an applicant who is: (1) a member of the faculty or staff of a board-approved veterinary program at an institution of higher education … .” Section 801.256.

Special licenses may also be granted to veterinarians working for the Texas Animal Health Condition or the Texas Veterinary Medical Diagnostic Laboratory, but a special license is not available for a laboratory animal veterinarian serving in that capacity for a university.

In other jurisdictions, like New Jersey, the “practice of veterinary medicine, surgery, and dentistry” does not include:

(6) Any properly trained animal health technician or other properly trained assistant, who is under the responsible supervision and direction of a licensed veterinarian in his practice of veterinary medicine, if the technician or assistant does not represent himself as a veterinarian or use any title or degree pertaining to the practice thereof and does not diagnose, prescribe, or perform surgery.  (N.J.S.A  45:16-8.1.)

However, a laboratory animal veterinarian providing for the clinical care of the animals may still have to be licensed and governed by veterinary practice state laws.

The Beagle Freedom Project, concerned that Texas may set a new precedent for universities in other states, is reportedly considering filing a lawsuit.

Notably, Florida, known for its expansively permissive open public records act, has recently adopted a law which provides an exemption from the State’s open public records act for animal medical records held by any state college of veterinary medicine that is accredited by the American Veterinary Medical Association Council on Education.

In support of this law, the Legislature “finds that the release of such animal medical records compromises the confidentiality protections otherwise afforded the owners of such animals treated by licensed veterinarians in this state . . . [and] that the privacy concerns that result from the release of animal medical records outweigh any public benefit that may be derived from the disclosure of the information.”

These concerns arguably also apply to animals owned by research facilities.

Dumpster Diving for PHI Exposes Business Associate (and Physician Practice) to Liability

Posted in Lawsuits, Privacy & Security, Uncategorized

A Chicago record storage and disposal company has been named in a complaint filed by the Illinois Attorney General as a result of the negligent disposal of a medical practice’s patient records in an unlocked dumpster. The complaint alleges that FileFax, Inc. violated the Illinois Consumer Fraud and Deceptive Business Practices Act by failing to handle the records entrusted to it for secure disposal by the practice, Suburban Lung Associates, as required by the Illinois Personal Information Protection Act as well as HIPAA.

Not only did FileFax allegedly discard the records in its unlocked dumpster adjacent to its place of business, but more incredibly, a FileFax employee permitted another individual to remove 1,100 pounds of records and take them to another facility for recycling.  The recycler, Shred Spot, recognized the documents as protected health records and refused to recycle them.  After consulting his trade association, the National Association for Information Destruction, Shred Spot owner Paul Kaufmann contacted the office of Attorney General Lisa Madigan, according to the Chicago Tribune.

Adding to the perfect storm, shortly after the records were delivered to Shred Spot, Dave Savini, an investigative reporter for CBS Chicago, took a film crew to the dumpster outside of the FileFax facility, which was still full of Suburban Lung’s records and still unlocked and accessible to the general public. He noted:

“It is an identity thief’s dream, and a nightmare for patients. Medical files, tossed in the trash, contain personal information including drivers’ licenses, Social Security numbers and even medical histories.”

Watch his report here.

Illinois Attorney General agents and representatives of the Department of Health and Human Services then conducted a site visit of the Shred Spot facility, and documented the return of the records to the practice.

FileFax faces civil penalties and injunctive relief under the AG’s suit, including a $50,000 fine for violation of the Consumer Fraud Act and an additional $10,000 for each violation that involved a senior citizen, plus costs of investigation and prosecution, along with another civil penalty of $50,000 for improperly disposing of sensitive personal information and protected health information under the state’s Personal Information Protection Act. At this point it is not clear what additional sanctions may be sought by HHS under HIPAA. Further, Suburban Lung Associates may face vicarious liability for the negligence of its business associate, FileFax.

My partners Elizabeth Litten and Michael Kline were quoted by Marla Durben Hirsch in the July 27, 2015 issue of Part B News in an article entitled “Faulty record disposal by business associate exposes physician practice” (subscription required).

“Reporters love to dumpster dive. It’s more sexy [than some other HIPAA violations],” says Kline. “It’s a horror show for the covered entity. And if there’s no business associate agreement, it’s even worse,” he adds.

In the interview, they emphasized the need to treat record storage and disposal companies as seriously as other third-party contractors handling patient-related items, to verify a vendor’s HIPAA compliance efforts before engaging them and to continue monitoring their compliance.

“Consider medical information as other waste, as if it’s toxic. If it’s not disposed of properly, there could be liability,” says Litten.

Further, a covered entity’s business associate agreement is its best defense when a business associate drops the ball.  “You need to know that the business associate knows and complies with HIPAA and state law,” says Litten.

In addition, business associates should be required to report to covered entities within a few days of discovering a breach, and should be required to pay for any costs, including credit monitoring, that they have caused the covered entity to incur.

HIPAA-Type Protections Are Not Just For Humans – When It Comes To Medical Records, Animals Have Privacy Rights, Too (Part 1)

Posted in Privacy & Security, Sensitive Health Information

Co-authored by Nancy Halpern, DVM, Esq.; also posted on Animal Law Update

HIPAA does not protect animals’ health information – it applies to the protected health information (or PHI) of an “individual”, defined as “the person who is the subject of” the PHI. However, state laws governing the confidentiality of health information also come into play and, in some cases, expand upon HIPAA’s privacy protections.

Physicians, for example, must abide by state law and licensing board requirements specific to medical record maintenance and confidentiality. In most states, veterinarians, like physicians, are required by law to keep the medical records of their patients confidential, unless their client — the patient’s owner — authorizes the release of the medical records, or the records are requested by the State Board of Veterinary Medical Examiners or as ordered by a court.

This requirement was affirmed in several legal opinions recently issued by the Texas Attorney General in response to letters sent from the Office of General Counsel of The Texas A&M University asking “whether certain information is subject to required public disclosure under the Public Information Act (the “Act”), chapter 552 of the [Texas] Government Code.”  Texas A&M had received at least 48 requests “for information pertaining to specified dogs and any specified protocols pertaining to the dogs at issue during a specified time period.”

The requests for information came from individuals claiming to have “virtually adopted” the dogs in question, as reported by expressnews.com.

The Beagle Freedom Project, whose mission is to “rescue beagles used in animal experimentation in research laboratories,” encourages people to adopt research animals virtually, even though those animals are actually already owned by various research institutions and universities across the country.

The “adopters” then demand the medical records of their “adopted” animals in letters citing the state’s open public records act which sets forth requirements of various state agencies to provide requested information within a prescribed period of time.

Texas A&M has refused to provide that information, based on the opinion of the state Attorney General citing the restrictions in the Texas Veterinary Practice Act, which requires a veterinarian to maintain medical records confidentially and provides that the veterinarian can only release those records upon receipt of:

(1) a written authorization or other form of waiver executed by the client; or

(2) an appropriate court order or subpoena.

Occ. Code § 801.353 (b).

As further reported in expressnews.com:

Joseph Larsen, a Houston-based open records lawyer, said if Texas A&M owns the animals, the chapter cited in the attorney general’s opinion that grants veterinarian-client confidentiality should not apply because the veterinarians are working for the university. He said the law applies only to veterinarians who see animals that are owned by someone else.

However, nothing in the Texas Veterinary Practice Act provides such an exception.

To Be Continued…

Athletes Do Not Leave Their HIPAA Rights At The Locker Room Door

Posted in Articles, Privacy & Security

HIPAA has made an unlikely appearance twice already this month in news reports involving famous athletes.

Between the Pierre-Paul medical record tweet by ESPN reporter Adam Schefter earlier this month (discussed by my partner and fellow blogger Bill Maruca here) and the ticker-tape parade featuring confetti made of shredded (but apparently legible) medical information raining down on the U.S. Women’s soccer team in New York City (reported by WFMY news here), it seems HIPAA breaches and athletes have had an uncanny affinity for one another this summer, particularly in New York City.

Setting the attenuated coincidence of these events aside, the Pierre-Paul incident provides an opportunity to review when medical information that relates to one’s employment is protected under HIPAA and when it isn’t.

In 2002, the U.S. Department of Health and Human Services (HHS), the agency responsible for enforcing HIPAA, considered a comment to a proposed HIPAA regulation suggesting that “health information related to professional athletes should qualify as an employment record,” and, thus, not be considered protected health information under HIPAA.  HHS was quite clear in responding that a professional athlete has the same HIPAA rights as any other individual:

If this comment is suggesting that the records of professional athletes should be deemed “employment records” even when created or maintained by health care providers and health plan, the Department disagrees.  No class of individuals should be singled out for reduced privacy.

HHS refused to provide a definition of “employment record”, fearing that it might “lead to the misconception that certain types of information are never protected health information, and will put the focus incorrectly on the nature of the information rather than the reasons for which” the information was obtained.

HHS went on to explain how and when protected health information might become “employment record” information:

For example, drug screening test results will be protected health information when the provider administers the test to the employee, but will not be protected health information when, pursuant to the employee’s authorization, the test results are provided to the … employer and placed in the employee’s employment record.

HHS further clarified that:

… medical information needed for an employer to carry out its obligations under FMLA, ADA, and similar laws, as well as files or records related to occupational injury, disability insurance eligibility, sick leave requests and justifications, drug screening results, workplace medical surveillance, and fitness-for-duty tests of employees, may be part of the employment records maintained by … an employer.

Going back to Pierre-Paul, the mere fact that his injury could affect his ability to perform as a professional athlete did not automatically turn the protected health information related to the injury (the medical record created by the hospital) into “employment records” exempt from HIPAA protection.  It isn’t unless and until protected health information is disclosed to the employer pursuant to the individual’s authorization that it becomes an “employment record” no longer subject to HIPAA.  Even if an individual’s disclosure of medical records is a condition of employment (apparently not the case in Pierre-Paul’s situation), it is the individual’s authorization that allows its disclosure, not the category or class of the individual.

Fireworks over ESPN’s tweet of NFL player’s medical records

Posted in Articles, Privacy & Security

New York Giants’ defensive end Jason Pierre-Paul suffered hand injuries while handling fireworks on July 4.  A screenshot of a page from his hospital records was tweeted by ESPN reporter Adam Schefter on July 8, resulting in a flurry of speculation over whether the disclosure may have violated HIPAA or other privacy laws.  In an article by  published today by LXBN, the Lexblog Network, our partners and frequent blog contributors Michael Kline and Elizabeth Litten are quoted extensively about the implications of the publication of these records by a media outlet, the health privacy rights of public figures and the effect, if any, of the NFL’s collective bargaining agreement on such disclosures.  The article is here: Did That ESPN Reporter’s Tweet Violate HIPAA?

As noted in Elizabeth’s comments, there is no “public figure exception” to HIPAA, and as we have noted before in this blog, celebrities’ records are frequently the subject of unauthorized snooping.

A critical question is how the ESPN reporter obtained the records, from whom and under what circumstances.  Although HIPAA does not directly regulate parties other than Covered Entities and their Business Associates, the law provides for criminal penalties for unauthorized use or disclosure of individually identifiable health information with the intent to sell, transfer, or use such information for commercial advantage, personal gain or malicious harm, including fines of up to $250,000, and imprisonment for up to ten years.  The Department of Justice has stated that “the liability of persons for conduct that may not be prosecuted directly under section 1320d-6 will be determined by principles of aiding and abetting liability and of conspiracy liability.”

Illicitly obtained medical records should be contrasted with health information that is released voluntarily by the individual patient.  For instance, in the Ebola infection incidents of October 2014, it appears that some information reported in the media may have been voluntarily disclosed by the affected individuals or their families.  Nevertheless, famous individuals, whether their fame arises out of their health condition or because of their prominence as athletes, entertainers or politicians, have the same health privacy rights as others and those rights should be safeguarded by covered entities and their business associates.

Expert Interview with William Maruca About Protecting Medical Records

Posted in HIPAA Business Associates, Privacy & Security

Our partner Bill Maruca, who is the Editor and a frequent contributor to this blog, was recently interviewed by PracticeSuite as part of their Expert Interview program. In the course of his interview, Bill discusses patient confidentiality, keeping records safe and private, and trends in the medical billing industry.

One important recommendation by Bill is taken from his earlier post on this blog: encrypt all electronic protected health information (ePHI), especially when transferring it via email, cloud storage or FTP sites or saving it to mobile devices. The loss of properly encrypted ePHI may not be a HIPAA breach even if a device is lost or stolen, or an email or electronic file is sent to the wrong recipient.

I recommend that his entire PracticeSuite interview be read here.