Let the Breach Notifications Begin! . . . (in 30 days, or so)

The U.S. Department of Health and Human Services (HHS) announced today in a News Release that it has issued new regulations requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) (now also including Business Associates) to notify individuals, and in some instances the media and HHS, in the event of a "security breach" of "unsecured" protected health information (PHI). Yesterday, the FTC also issued a Press Release announcing that it had finalized its rule on security breach notification, which will apply to vendors of personal health records. Both HHS' and FTC's "breach notification" regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Both sets of regulations are effective 30 days after publication in the Federal Register (which has not occurred just yet), but the HHS press release indicates that its rule will include a 60-day public comment period. However, the HITECH Act specifies that compliance with the breach notification requirements set forth in the HITECH Act (e.g., Sections 13401-13402) is required with respect to breaches that are discovered on or after the date 30 days following publication of the interim final rules. Therefore, those required to comply with such provisions of the HITECH Act should be prepared to comply with its security breach notification requirements by some time toward the end of September.

Click here for a copy of HHS' Interim Final Breach Notification Rule.

HHS Issues Guidance on Security Breach Notification

On April 17, 2009, the federal Department of Health and Human Services (HHS) issued guidance specifying the technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA).  The guidance was developed through a joint effort by OCR, the Office of the National Coordinator for Health Information Technology (ONC), and the Centers for Medicare and Medicaid Services (CMS).

This guidance relates to two forthcoming breach notification regulations: one to be issued by HHS for covered entities and their business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Sec. 13402 of HITECH) and one to be issued by the Federal Trade Commission (FTC) for vendors of personal health records and other non-HIPAA covered entities (Sec. 13407 of HITECH). HITECH requires these regulations to be published within 180 days of enactment. If the entities subject to the regulations apply the technologies and methodologies specified in the guidance to secure information, they will not be required to provide the notifications required by the regulations in the event the information is breached!

In addition to this guidance, HHS has also concurrently issued a request for information (RFI) soliciting public comment on the breach notification provisions of the HITECH Act to inform future rulemaking and updates to the guidance. Once published in the Federal Register, the guidance and RFI will also be available for public comment at www.regulations.gov. View the HITECH Breach Notification Guidance and Request for Public Comment.

The guidance must be updated annually, but HHS may update and reissue it this year, after public comment is considered and at the same time HHS’s breach notification regulation is published.

FTC Issues Proposed Rules for Security Breach Notification under HITECH

The Federal Trade Commission (FTC) posted its proposed rule today implementing the new breach notification requirements for health records that the Health Information Technology for Economic and Clinical Health ("HITECH") Act required it to promulgate. The FTC rule will apply to vendors of personal health records and related entities not covered directly by HIPAA.

The Department of Health and Human Services is required to issue, by August 17, 2009, proposed rules pertaining to similar breach notification provisions applicable to entities covered by HIPAA, namely Covered Entities (health care providers; health plans; clearinghouses) and now, as a result of the HITECH Act, Business Associates.

To review the text of the FTC's proposed rule, click here. Public comments are due on June 1, 2009.

Red Flags to Help Combat Medical Identity Theft

The FTC published the Red Flag rule on November 9, 2007. Over the last year, however, there was considerable confusion and uncertainty about whether the rule, which is primarily geared toward financial institutions and other lenders, also applied (or should apply) to healthcare providers. On October 15, 2008, the Office of the National Coordinator for Health IT (ONC) sponsored a Medical Identity Theft Town Hall and, on the same day, posted a document titled "Medical Identity Theft Environmental Scan" which, among other things, confirms that the FTC's Red Flag Rules extend to "entities outside of the traditional financial institutions, including entities in the health care industry." The FTC's June 2008 Business Alert also specifically noted that "nonprofit entities and government entities that defer payment for goods and services [are] considered 'creditors'" for purposes of the rule.

The compliance deadline for implementing Red Flags is fast approaching on November 1, 2008. UPDATE: On October 22, 2008, the FTC delayed the compliance deadline for the Red Flag requirements pertaining to identity theft by six months. The new compliance deadline is now May 1, 2009.

A broad application of the Red Flag rules to the healthcare sector has likely been embraced because of an increased awareness that medical identity theft is a growing issue in healthcare, and it is hoped that Red Flags will assist in combating this risk. To comply with the Red Flag rule requirements, hospitals must have a plan in place to detect, mitigate, and prevent red flags that signal potential identity theft. Covered Entity providers may note that an effective HIPAA privacy and security compliance program contains many safeguards (e.g., access controls, person/entity authentication, audits) that already accomplish some of what the Red Flag rules require.

For a sample medical identity theft policy, visit the website of Health Ethics Trust.  The World Privacy Forum also published a report on September 24 entitled "Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers" that is helpful.

"Oops," BC/BS Did it Again

First in New Jersey . . . now in Georgia.

The Atlanta Journal-Constitution reported yesterday that last week BC/BS of Georgia sent over 202,000 EOB letters to the wrong addresses. Apparently the letters were mistakenly directed to the addresses of other policyholders, and included patients' names and insurance identification numbers, their doctors' names, and in some cases Social Security numbers. United Press International also reports that "Blue Cross said the problem was the result of a change in the computer system that was not properly tested." Patients with sensitive diagnoses, like HIV/AIDS and other conditions, are particularly upset. Identity theft is also a big concern.

Georgia's Insurance Commissioner, John Oxendine, ordered BC/BS of Georgia to give written notice to policyholders whose names were on the explanation of benefits letters and to compile a list of the names of those who mistakenly received the forms (Georgia also has an enacted Security Breach Notification Law). The Commissioner is also "requiring the company to give a year of free credit monitoring to all affected customers," due to the risk of identity theft.

Back on January 28, 2008, Horizon BC/BS of New Jersey also experienced a data security breach that occurred when a Horizon employee's laptop computer was stolen. The laptop contained the names, addresses and Social Security numbers of New Jersey employees and their dependents. Between 200,000 and 300,000 identities were on the stolen computer. One year of free credit report monitoring was offered in that instance as well.

In light of the government's recent decision to pursue enforcement against Providence hospital in Washington for similar types of security breaches, it cannot be overemphasized that any organization that handles electronic health information should have an active and effective HIPAA Security compliance program. This includes, among other things, conducting testing and audits, and having clear policies and procedures in place to safeguard against unintended disclosures.

One Man's Scrap Paper Is Another Man's Treasure (part 1)

Business Week reported earlier this week that the medical records of 28 Central Florida Regional Hospital patients were included in a box purchased for $20 from a surplus store by a teacher for use as "scrap paper" in her fourth grade classroom.  According to reports, the "scrap paper" included detailed medical histories, phone numbers, addresses, Social Security numbers and insurance information of patients who had received treatment at the hospital. 

The hospital explains that last December it shipped three boxes of medical records via UPS to a Medicare auditor located in Las Vegas. When one of the boxes was not received, the auditor contacted hospital officials. The hospital then got in touch with UPS and attempted to determine the location of the third box. The hospital's risk manager acknowledged that during the time it was working with UPS to resolve the issue, the hospital did not contact the potentially affected patients, despite its concerns about the possibility of wrongful disclosure if the box got into the wrong hands. As luck would have it, it did, although it could have been much worse than ending up in the hands of a fourth grade teacher.

The mishap raises a few interesting questions.  One is whether the hospital was required to notify patients that a box containing their medical records did not reach its intended destination.  Another is whether UPS had any obligation to assure that a box full of confidential medical records did not end up at a surplus store for resale as scrap paper.  I will offer my thoughts with regard to the first question on this post.  I invite you to check back for my response to the second question. 

Under HIPAA, a covered entity is required to reasonably safeguard its patients' protected health information from any intentional or unintentional use or disclosure that is in violation of the Privacy Rule.  In addition, a covered entity is required to mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of the information that would violate the Privacy Rule.  45 C.F.R. 164.530(f).  HIPAA does not contain a mandatory security breach notification requirement.   Additionally, most state security breach notification laws only require the individual to be notified where the breach potentially affects their electronic information. 

The situation here involved paper records, and so may have fallen outside of any applicable state breach notification laws.  In addition, it appears from reports that during the hospital's investigation into the “lost” box, UPS never confirmed that the box was no longer in its control or, otherwise, that it had been forwarded to the surplus store.  Apparently that information finally came to light after-the-fact. As such, the hospital likely determined that it was premature to notify individuals where it was possible that the box was simply making its way back to the hospital through the UPS return system.  If the hospital had decided to notify individuals of the situation, it would likely have been faced with significant negative publicity for potentially no reason. 

As it turns out, however, the box did end up in unintended hands. In hindsight, many may conclude that the hospital should have notified the individuals as soon as the box failed to reach the Medicare auditor. If the "lost" box of records had ended up in the hands of someone who would use the information for a sinister purpose, the outcome for the affected individuals could have been much worse. However, it is likely that if the sale of "scrap paper" had not occurred, UPS would have eventually concluded that the box was indeed lost. Then, the hospital may have considered sending a notification to patients if it concluded that there was a likelihood that the information could be used by some third party for an improper purpose.

Some may ask what "safeguards" could be put in place to prevent mailed medical records from ending up in unintended hands. A few come to mind. One is a clearly marked return address, so that undeliverable boxes are returned to the proper sender. Another is a label marking the package as "CONFIDENTIAL" to increase awareness of the sensitive nature of its contents. Finally, use a mail carrier with a system that allows a package to be tracked.

Check back next week to find out my thoughts on: (1) Did UPS have any HIPAA obligations to assure that the medical records did not end up at a surplus store for resale? and (2) Is UPS a business associate of the hospital? 

Security Breach Affects Private Information of Over 800,000 Individuals

Information technology and processing vendor SAIC recently announced on its website www.saic.com that a data security breach placed protected information of about 867,000 individuals at risk of compromise. SAIC (Science Applications International Corporation) is a Fortune 500® company and the contractor for the TRICARE military health program. The affected information, including demographic data, Social Security numbers and some medical information, was stored on an unsecured server at one location, and some unencrypted information was transmitted over the Internet. SAIC indicates that a forensic analysis found no evidence that data was compromised, but it acknowledged that the possibility exists.

What may be the most interesting aspect of this particular data breach incident is the manner in which SAIC responded.

State Laws Require Notification of Data Breaches

The media loves to report horror stories about privacy breaches that result in voluminous amounts of private health information being disclosed. There were numerous reports of privacy breaches in 2006 and there will certainly be more in 2007. Breaches of security and privacy are serious matters and steps must be taken to "mitigate harm." In addition, increasing concerns about identity theft have led numerous states to pass security breach notification laws that require covered entity providers to take affirmative steps to notify the affected individuals in the event of such a breach. Such notification is not mandated under HIPAA.

The National Conference of State Legislatures (NCSL) reports on its website that as of January 9, 2007, at least 35 states have enacted legislation that requires companies and/or government agencies to disclose security breaches involving personal information to the individuals potentially affected. Providers should determine whether their state has enacted a security breach notification law.

Meanwhile, here is a list of some fairly recent and highly publicized breaches that resulted, in at least some cases, in a staggering amount of protected health information being compromised: