HITECH Help Is On the Way! August 19, 2009

     Do you need help understanding what to do in light of HITECH's privacy and security changes to HIPAA?  Are you concerned about HITECH's increased penalties for HIPAA violations? Are you struggling to understand what needs to be done under the New Jersey Security Breach Notification Act, and how these state requirements reconcile with the HITECH breach notification requirements? 

     Join me on Wednesday, August 19, 2009 at 12:00 p.m. for a Webinar offered through the Medical Society of New Jersey called the "Privacy and Security Law Update," where I will cover the HITECH Act and how it changes HIPAA, required and recommended amendments to Business Associate Agreements, security breach notification obligations under HITECH and the New Jersey Identity Theft Prevention Act, the Red Flags Rule, and more.

     To register, visit MSNJ's web site and click on the Events Registration link. Please note that non-MSNJ members who wish to register for the webinar must first create a "new user" account with MSNJ and establish a password in order to register. To create a new user account, visit MSNJ's Events Detail page by clicking here.

Should Health Care Providers Bother with Red Flags?

    Yesterday, the Federal Trade Commission (FTC) announced in a News Release that it will further delay enforcement (yet again!) of the "Red Flags" Rule until November 1, 2009.  The News Release states that the purpose of the delay is to give the FTC additional time to redouble its efforts to educate and assist small businesses and other entities about compliance with the Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply.  Interestingly, last week, Law 360 reported that the American Bar Association (ABA) was reeling from the prospect that attorneys could be considered "creditors" subject to the Red Flags Rule, and was not ruling out the possibility of suing the FTC if steps were not taken to exempt lawyers from enforcement.  If the ABA were to go down that route, others could follow suit (excuse the pun). 

     So, in light of all this continuing debate, many in the health care industry are ready to wave the "white flag" with regard to Red Flags . . . but should they?

     In my view, the question of whether or not the FTC has appropriate jurisdiction to enforce health care providers' compliance with the Red Flags Rule is somewhat of a secondary issue, albeit an important one. The fact of the matter is, studies demonstrate that medical identity theft is a real, growing and dangerous problem in health care.  In light of this, I think health care providers should want to take steps to minimize this risk, and implementing the items outlined in the Red Flags Rule is one way to accomplish this. 

     The scope of an Identity Theft Prevention Program can be scaled to the risk and size of the particular health care provider, so that the burden of developing and implementing such a program matches the provider's size and complexity -- and, thus, should be manageable from both an administrative and a financial standpoint. On the other hand, a victim of medical identity theft can have their safety, well-being and even life jeopardized. The Red Flags Rule should be viewed, then, as one way to help protect patients from this growing problem.

     To get those red flags waving, click here to watch this great news video segment about how patients can be affected by medical identity theft.

HIPAA Paranoia Strikes Deep Among Healthcare Providers

Hospitals, physician practices and other healthcare providers continue to misunderstand patients’ rights to their own records years after HIPAA’s privacy rule took effect. The Los Angeles Times reported on July 27 that the California Medical Board receives many complaints from patients about trouble accessing medical records from doctors:

Candis Cohen, a spokeswoman for the board, says physicians and their office staffs frequently confuse details of the HIPAA privacy law and, even with the best intentions of protecting patients' privacy rights and complying with the law, deny consumers access to their medical records.

Among the common disputes are whether covered entities are allowed to charge patients retrieval fees for copies of their own records. HIPAA strictly limits charges associated with providing patients access to their records to "a reasonable, cost-based fee" for copying, postage and any time spent on preparing a summary explanation (as applicable). Thus, in instances where state laws allow providers to charge the patient other record-retrieval fees, such as costs associated with retrieving records for insurance companies, lawyers and other non-patients, providers may not be permitted to pass along these costs to their patients due to HIPAA, despite any such permissive state law. Also, some providers erroneously believe that they are not allowed to fax or email medical records to a patient, even at the patient’s request.

For some providers, confusion over the rules and unreasonable fear of penalties under HIPAA and state privacy laws has resulted in reluctance to release medical records to the people HIPAA was designed to protect: the patients themselves. I personally experienced this type of resistance shortly after the Privacy Rule became effective in 2003, when confusion was more understandable. By 2009, you’d think covered entities would have a better grasp on their rights and duties, but misunderstandings persist.

Relationship of "Meaningful Use" of EHR, and the Department of Veterans Affairs

[Installment 5 - Governance Considerations from HIT for the Board and Other Hospital Stakeholders]

This is the fifth in a series of blog posts that relate to the governance concerns surrounding developments in HIPAA, HITECH and HIT. 

The other week, two separate and apparently unrelated events occurred on consecutive days with respect to electronic health records ("EHRs") that dramatically underscore the focus of this series: governing Boards of hospitals and other stakeholders must place a very high priority on coping with the new and somewhat uneven landscape of health information technology ("HIT").

On July 16, 2009, Health Data Management reported that "[t]he federal HIT Policy Committee has approved revised recommendations of a workgroup for an initial definition of 'meaningful use' of electronic health records systems." The report goes on to emphasize that "[t]he definition is important because providers must demonstrate meaningful use of EHRs to qualify for Medicare and Medicaid incentive payments starting in 2011 under the economic stimulus law."

Therefore, health providers will have to meet minimum prescribed standards for their EHRs if they are to benefit in the future from the federal economic stimulus package under the HITECH Act and recoup a portion of the heavy costs they will incur to implement their EHR programs.

On the following day, July 17, 2009, the federal Department of Veterans Affairs ("VA") published a press release on its Web site stating that it will temporarily halt 45 information technology projects which are either behind schedule or over budget. The VA will review these projects and determine whether they should be continued. The release goes on to say that each of the 45 affected projects will be temporarily halted, with no further development, until a new project plan that meets the requirements of the Program Management Accountability System is created.

Some of the titles of the VA projects that will be halted include significant EHR-related projects such as "Health Data Repository II," "Clinical Data Service," "Home Telehealth Development," "Occupational Health Record Keeping System," "Lab Data Sharing & Interoperability - Anatomic Pathology/Microbiology" and many others.

By simply securing additional funding from Congress, the VA, as an agency of the federal government that is generally a favorite of legislators, can retool and retrench its EHR initiatives after issuing a relatively embarrassing press release and perhaps enduring some criticism and lost time.

The Boards of health care providers do not have the luxuries of the VA. They simply cannot afford false starts and mistakes if they are to meet the meaningful use standards of the HITECH Act on a timely basis. As this blog has stated in earlier installments, the survival of many hospitals is threatened by the uncertainties of possible health care reform, declining patient population, reduced reimbursement, heavy regulation, intense competition, dwindling donor contributions and heavy endowment losses for non-profit hospitals, a history of unclear returns from past substantial investments in HIT and many other factors. The costs of mistakes for the private sector hospitals are not simply the embarrassment or lost time of the VA. They are the huge outlays for conversion to EHRs and the potential for losing access to the federal stimulus funds.

These questions and others must be properly considered at a high level in the hospital, with committed Board oversight, in order to avoid or mitigate liability and loss that will result from expensive choices made with inadequate or incomplete information. 

[To be continued in Installment 6]

Dare to Take-a-Peek? Think Again.

I have said it before, and I will say it again -- employees must come to understand and truly appreciate the huge risks involved and penalties at stake with "taking a peek" at a patient's medical record for no legitimate purpose.

This past Monday, a physician and two former employees at St. Vincent Infirmary Medical Center in Little Rock, Arkansas, pleaded guilty to misdemeanor federal charges that they inappropriately accessed the medical records of local television anchor Anne Pressly, who was killed back in 2008. A News Release issued by the U.S. Attorney for the Eastern District of Arkansas states that all three of the accused entered guilty pleas on July 20, 2009, acknowledging they violated the privacy provisions of HIPAA.

The News Release indicates that the charged physician admitted that after watching a news report regarding Ms. Pressly being slain and taken to St. Vincent's, where he was on staff, he logged on from home and accessed the hospital's records system to "determine if the news reports were accurate." One of the other charged employees, a former account representative at the hospital, admitted that she accessed Ms. Pressly's file about 12 times "out of curiosity." The third employee charged, an emergency room secretary, admitted that she "became curious about the patient's [Ms. Pressly's] status and accessed the medical chart to find out if the patient was still living." The secretary did not inform anyone about her accessing the chart, but hospital records showed that the patient's records were accessed 3 times that day by the emergency room secretary. The hospital fired the account representative and the emergency room secretary, and suspended the physician for 2 weeks with required HIPAA re-training.

A sentencing date has not yet been set, but is expected within the next 45-60 days. Each of the charged individuals faces a maximum penalty of one year in prison, a fine of up to $50,000, or both! In addition, towards the end of the News Release, the local U.S. Attorney prosecuting the case included this warning to the health care industry:

"The HIPAA privacy protections are real, and we hope that through vigorous enforcement of HIPAA's right-to-privacy protections and swift prosecution of those who violate HIPAA, we can deter those in the medical industry who have access to protected health information from searching others' medical records merely to satisfy their own curiosity..."

Does anyone dare to take a peek after that warning?

Securing Protected Health Information (PHI)

[Installment 4 - Governance Considerations from HIT for the Board and Other Hospital Stakeholders]

This is the fourth in a series of blog posts that relate to the governance concerns surrounding developments in HIPAA, HITECH and HIT.

Over the next several months, my blog entries will continue to discuss some of the threshold issues that face the manifold stakeholders in the hospital industry as they struggle to cope with the new and somewhat uneven landscape of health information technology (“HIT”) and protected health information (“PHI”). A major focus will be Boards and their responsibilities to their hospitals and other stakeholders with respect to HIT.

Securing PHI

One of the issues facing Boards is the relatively risky and murky area of “securing” PHI under the HITECH Act. The HITECH Act directed the U.S. Department of Health and Human Services (“DHHS”) and the Federal Trade Commission (“FTC”) to issue regulations further detailing the required security breach notifications. Both departments have proposed such regulations and are seeking public comment. Final regulations are to be issued by the departments by August 17, 2009, as required by the HITECH Act.

DHHS has issued guidance on which technologies and methodologies can be used by hospitals to “secure” PHI. The outlined technologies render PHI unusable, unreadable or indecipherable to unauthorized individuals. A breach of secured PHI does not trigger HITECH security breach notification requirements. Following the guidance from DHHS will create the functional equivalent of a safeguard for hospitals and other providers and satisfy compliance with HITECH.

Encryption and Destruction of PHI under DHHS Guidelines

DHHS identifies two methods for rendering PHI "secured": encryption and destruction. Encryption is the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning to the data unless an individual uses a certain process or has a key. DHHS regulations state that the valid types of encryption processes will be those that are consistent with National Institute of Standards and Technology (NIST) standards for encryption. NIST has published a Guide to Storage Encryption Technologies for End User Devices. It is available at http://www.nist.gov/index.html.

The second method, destruction, will also secure information found in paper or electronic format. Paper or other hard copy media must be shredded or destroyed in such a manner that the PHI cannot be read or otherwise reconstructed. Electronic media is to be cleared, purged or destroyed. Destruction should also be performed consistent with NIST standards. NIST has published Guidelines for Media Sanitization. It is available at http://www.nist.gov/index.html.

Board Oversight Obligations to Secure PHI

In satisfying DHHS requirements for "securing" PHI, Boards must establish appropriate and effective safeguards and security measures so that the risk of failing to comply with encryption and destruction policies is minimized. The use of improper, careless or noncompliant techniques for encrypting or destroying PHI by a hospital carries with it a high risk of damage control expense, penalties for noncompliance, devastatingly adverse publicity and the potential for widespread liability to victims whose PHI has been compromised.

Boards of healthcare providers must devote sufficient resources that are supervised by competent personnel at a sufficiently high level in the corporate organization to secure PHI. The resources invested up front for orderly risk management are well worth the avoidance of the costs of damage control. Monitoring and feedback to the Board on the effectiveness of the efforts are a necessary follow-up.

When the final regulations on securing PHI are issued by DHHS and the FTC, this blog will address some of their principal points.

[To be continued in Installment 5]