HITECH Workshop for Camden-area Hospitals

Friday, November 20, 2009

Virtua Center for Learning
Classroom A
1200 Howard Blvd.
Mt. Laurel, NJ

Covered entities will be required to notify affected individuals, newspaper and media outlets in the state, and the U.S. Secretary of Health & Human Services of certain HITECH security breaches. Penalties will be assessed starting February 2010. Learn how to protect your hospital by putting a plan into action today! The workshop will cover:

  • Breach notification and requirements for business associates
  • Implementation plan for compliance
  • Case scenarios of how the requirements can impact hospital operations, including what steps can be taken to prevent or mitigate risk

You can prevent your hospital from falling behind the trend toward health information exchange. Learn what you need to do to be compliant with this new regulatory requirement. This session is specifically designed for CIOs and compliance, security and privacy officers as well as in-house legal counsel.

For more information on how to register, visit our registration page.

HIPAA Paranoia Strikes Deep Among Healthcare Providers

Hospitals, physician practices and other healthcare providers continue to misunderstand patients’ rights to their own records years after HIPAA’s privacy rule took effect. The Los Angeles Times reported on July 27 that the California Medical Board receives many complaints from patients about trouble accessing medical records from doctors:

Candis Cohen, a spokeswoman for the board, says physicians and their office staffs frequently confuse details of the HIPAA privacy law and, even with the best intentions of protecting patients' privacy rights and complying with the law, deny consumers access to their medical records.

Among the common disputes is whether covered entities are allowed to charge patients retrieval fees for copies of their own records. HIPAA strictly limits charges associated with providing patients access to their records to "a reasonable, cost-based fee" for copying, postage and any time spent on preparing a summary explanation (as applicable). Thus, even where state law allows providers to charge other record-retrieval fees, such as the costs of retrieving records for insurance companies, lawyers and other non-patients, HIPAA may bar providers from passing those costs along to their patients, despite the permissive state law. Also, some providers erroneously believe that they are not allowed to fax or email medical records to a patient, even at the patient’s request.

For some providers, confusion over the rules and unreasonable fear of penalties under HIPAA and state privacy laws has resulted in reluctance to release medical records to the people HIPAA was designed to protect: the patients themselves. I personally experienced this type of resistance shortly after the Privacy Rule became effective in 2003, when confusion was more understandable. By 2009, you’d think covered entities would have a better grasp on their rights and duties, but misunderstandings persist.

Dare to Take-a-Peek? Think Again.

I have said it before, and I will say it again -- employees must come to understand and truly appreciate the huge risks involved and penalties at stake with "taking a peek" at a patient's medical record for no legitimate purpose.

This past Monday, a physician and two former employees at St. Vincent Infirmary Medical Center in Little Rock, Arkansas, pleaded guilty to misdemeanor federal charges that they inappropriately accessed the medical records of local television anchor Anne Pressly, who was killed back in 2008. A News Release issued by the U.S. Attorney for the Eastern District of Arkansas states that all three of the accused entered guilty pleas on July 20, 2009, acknowledging they violated the privacy provisions of HIPAA.

The News Release indicates that the charged physician admitted that after watching a news report regarding Ms. Pressly being slain and taken to St. Vincent's, where he was on staff, he logged on from home and accessed the hospital’s records system to "determine if the news reports were accurate." One of the other charged employees, a former account representative at the hospital, admitted that she accessed Ms. Pressly's file about 12 times "out of curiosity". The third employee charged, an emergency room secretary, admitted that she "became curious about the patient's [Ms. Pressly's] status and accessed the medical chart to find out if the patient was still living." The secretary did not inform anyone about her accessing the chart, but hospital records showed that the patient's records were accessed 3 times that day by the emergency room secretary. The hospital fired the account representative and the emergency room secretary, and suspended the physician for 2 weeks with required HIPAA re-training.

A sentencing date has not yet been set, but is expected within the next 45-60 days. Each of the charged individuals faces a maximum penalty of one year in prison, a fine of up to $50,000, or both! In addition, towards the end of the News Release, the local U.S. Attorney prosecuting the case included this warning to the health care industry:

"The HIPAA privacy protections are real, and we hope that through vigorous enforcement of HIPAA's right-to-privacy protections and swift prosecution of those who violate HIPAA, we can deter those in the medical industry who have access to protected health information from searching others' medical records merely to satisfy their own curiosity..."

Does anyone dare to take a peek after that warning?   

Putting ARRA Money in the HIPAA/HITECH Enforcement Mouth

In accordance with the 90-day deadline for submitting to Congress an operating plan for expenditures of the $2 billion appropriated under the American Recovery and Reinvestment Act ("ARRA") for health information technology ("HIT"), the Office of the National Coordinator ("ONC") has submitted its proposed ARRA Implementation Plan to Congress. The Plan's proposed Funding Table is as follows:

Total Appropriated (dollars in millions)

  Privacy and Security*                                    $    24.285
  National Institute of Standards and Technology (NIST)         20.000
  Regional HIT Exchange                                        300.000
  Unspecified                                                1,655.715
  Total towards HIT                                        $ 2,000.000

* Includes $9.5 million for audits by OCR and CMS.

Of particular interest to many should be the Privacy and Security Spend Plan section. It specifies that over $24 million of the federal dollars made available through ARRA would be spent on activities such as enhancing enforcement. More specifically, the Plan indicates that the ARRA funding "will enable the Centers for Medicare and Medicaid Services (CMS) and the Office for Civil Rights (OCR) to carry out mandated audits, make modifications in their case and document management systems, and train State Attorneys General on their new enforcement role." The Plan even aims to have State Attorneys General trained and ready to enforce HIPAA and HITECH by the end of the third quarter of 2009, or around September 2009! If completed according to schedule, the federal government could have a bastion of new HIPAA/HITECH enforcement soldiers on the ground and ready when the interim final regulations implementing breach notification for covered entities and business associates are released on August 18, 2009.

For a copy of the entire Plan, visit HHS' Recovery Website.

CVS Reaches $2.25 Million Settlement Agreement

The U.S. Department of Health and Human Services and the Federal Trade Commission announced today that CVS will pay the U.S. government a $2.25 million settlement and take corrective action in connection with the government's finding that CVS had violated the HIPAA Privacy Rule by failing to safeguard identifying information during disposal. CVS Caremark Corp., the parent company of the pharmacy chain, also signed a consent order with the FTC to settle potential violations of the FTC Act.

The settlement, which applies to all of CVS's more than 6,000 retail pharmacies, follows an extensive investigation by the HHS Office for Civil Rights (OCR) for potential HIPAA violations after media reports alleged that patient information maintained by the pharmacy chain was being disposed of in industrial trash containers outside selected stores that were not secure and could be accessed by the public.  At the same time, the FTC opened an investigation of CVS.  OCR and the FTC conducted their investigations jointly. Among other things, the OCR and the FTC found that CVS failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process; and that it failed to adequately train employees on how to dispose of such information properly.

Click here to review the HHS Resolution Agreement and Corrective Action Plan. The OCR has also posted new FAQs that address requirements for disposal of protected health information.

Providence's HIPAA Corrective Action Plan

As promised, here is a link to a copy of the Corrective Action Plan between Providence Hospital and the federal government. 

BREAKING NEWS - Feds Impose Penalties For HIPAA Violations

Well, years have literally come and gone since covered entities first scrambled to comply with HIPAA's Privacy Rule and Security Rule requirements, yet there continued to be no formal penalties assessed by the government for HIPAA violations.  Many believed that such a day would never come . . . but, they were wrong.

In its July 17, 2008 e-mail Press Release, the U.S. Department of Health & Human Services (HHS) announced that it has entered into a Resolution Agreement with Seattle-based Providence Health & Services (Providence) to settle potential privacy and security violations of HIPAA. 

In the agreement, Providence agrees to pay $100,000 and implement a detailed Corrective Action Plan to ensure that it will appropriately safeguard identifiable e-PHI against theft or loss.  The Resolution Agreement relates to Providence’s loss of electronic backup media and laptop computers containing individually identifiable health information in 2005 and 2006.

Winston Wilkinson, the director of the OCR, stated in the Press Release that “We are committed to effective enforcement of health information privacy and security protections for consumers. Other covered entities that are not in compliance with the Privacy and Security Rules may face similar action.”  

The Press Release confirms that this is the first time HHS has required a Resolution Agreement from a covered entity.  Providence’s cooperation with OCR and CMS allowed HHS to resolve this case without the need to impose a civil money penalty.

Once the e-mail Press Release is formally posted on the government's website, I will link it here.  Otherwise, you can also keep checking http://www.hhs.gov/ocr/privacy/enforcement/.


New Enforcement Data Added to HHS' Web Site on HIPAA Privacy Compliance and Enforcement

Last week, the Office for Civil Rights (OCR) added a new data section on its Compliance and Enforcement Web Site.  The new section can be viewed at www.hhs.gov/ocr/privacy/enforcement/data.html.  The public can now access enhanced information about several aspects of OCR's enforcement program, including:

  • Charts showing state-specific case investigation results;
  • Calendar-year enforcement-results graphs and charts;
  • Calendar-year graph showing complaint receipts; and
  • Yearly variation in the issues in cases resolved through corrective action.

Below is a chart (a pie chart) posted on OCR's new data section illustrating enforcement results for New Jersey:

  • No Violation: 13%
  • Corrective Action Obtained: 20%
  • Resolved after Intake and Review: 67%

Another interesting chart lists the top five types of complaints for each of the last 5 years. It is worth noting that from 2003 through 2007, the top 4 types of complaints were exactly the same, in the following order:

  • #1 - Impermissible Uses and Disclosures
  • #2 - Safeguards
  • #3 - Access
  • #4 - Minimum Necessary

The last spot has changed from 2003 through 2007, with last year's number 5 spot being taken by "Notice" issues.


You CAN Go To Jail for HIPAA Violations

On May 8th, 2008, John C. Richter, United States Attorney for the Western District of Oklahoma, announced in a press release that a 30-year-old Oklahoma City woman who pled guilty to violating HIPAA may face up to 10 years in prison and a fine of up to $250,000!

As part of her plea, the woman admitted that in the summer of 2007, while she was employed by a counseling center in Oklahoma City, she knowingly allowed two individuals to take patient files from her place of employment which contained individually identifiable health information with the intent to obtain personal gain.  The press release provides more details of the circumstances of the case.

U.S. Attorney John C. Richter states in his Department of Justice press release:

“This case illustrates how easily an illegal disclosure of patient files can be used by others to commit identity theft causing financial trauma to many victims.”

A sentencing hearing is supposed to be set in approximately 90 days.

Sanctions May be Imposed Due to Stark-Struck Snoopers

On April 8, 2008, the New York Times and the Los Angeles Times reported that Dr. Mark Horton, head of the California Department of Public Health, said that "the agency planned to sanction the University of California, Los Angeles, Medical Center after hospital workers improperly viewed the records of more than 60 patients, including the actress Farrah Fawcett and the state's first lady, Maria Shriver." The medical center's investigation "revealed that records of 61 patients, roughly half celebrities or politicians, had been opened by one unauthorized worker who had since quit." Governor Arnold Schwarzenegger has been quoted as stating that his administration will push hospitals to implement new safeguards to stop such snooping.

These types of incidents highlight a prevalent issue that I find many covered entity providers struggling with: their employees are either not aware of, or not taking seriously, their responsibility not to access the record of any patient without an authorized purpose. Authorized purposes include where the employee needs the information in connection with providing health care services to the patient. Other authorized purposes are limited, but are set forth in the HIPAA Privacy Rule. In addition, state laws may further restrict which employees can access certain sensitive information, like mental health records.

HIPAA requires that covered entities implement safeguards to prevent unauthorized employees from accessing protected health information (PHI). The first step for a provider is to establish clear policies regarding when employee access is "authorized" (permitted) and when it is "unauthorized" (not permitted). With respect to electronic PHI, the HIPAA Security Rule goes one step further by requiring covered entities to implement (1) Access Authorization levels and (2) Access Establishment and Modification. This may include developing and implementing policies and procedures for assigning access rights (e.g., user accounts and passwords) to employees based upon their role at the facility. Finally, it is imperative that employees are trained on established policies, and that applicable sanctions (i.e., from warnings to termination) are carried out for violations.
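The snooping cases described above (the "Take-a-Peek" and UCLA posts) and the Security Rule's access authorization requirement come down to two checks a compliance program can actually run: a role plus treatment-relationship check at access time, and a periodic review of the chart-access audit log that groups unauthorized views per employee. The following is an added illustration, not code from this blog or from any hospital's records system; the user names, roles, care-team table and log lines are constructed samples.

```python
"""Added example (not from this blog or any hospital system): a role plus
treatment-relationship access check and an audit-log review that flags
chart views lacking an authorized purpose. All names and log lines are
constructed samples."""
from collections import Counter
from dataclasses import dataclass

# Constructed policy: roles permitted to open clinical charts at all.
CHART_ROLES = {"physician", "nurse", "er_secretary"}
# Constructed role assignments for each user account.
ROLES = {"dr_park": "physician", "dr_smith": "physician",
         "nurse_lee": "nurse", "sec_ruiz": "er_secretary",
         "acct_jones": "billing"}
# Constructed care-team table: (user, patient) pairs with a treatment
# relationship, i.e. an authorized purpose to view that chart.
CARE_TEAM = {("dr_park", "P-1001"), ("nurse_lee", "P-1001"),
             ("dr_smith", "P-1002")}

# Constructed audit log: timestamp,user,patient,action,source
AUDIT_LOG = """\
2009-07-20T08:02:11,dr_park,P-1001,view_chart,workstation
2009-07-20T08:15:40,nurse_lee,P-1001,view_chart,workstation
2009-07-20T09:01:05,sec_ruiz,P-1001,view_chart,workstation
2009-07-20T09:03:52,sec_ruiz,P-1001,view_chart,workstation
2009-07-20T09:10:17,sec_ruiz,P-1001,view_chart,workstation
2009-07-20T10:20:00,acct_jones,P-1001,view_chart,workstation
2009-07-20T11:05:30,dr_smith,P-1002,view_chart,workstation
2009-07-20T21:44:09,dr_smith,P-1001,view_chart,remote
"""

@dataclass(frozen=True)
class Finding:
    user: str
    patient: str
    count: int
    reason: str

def is_authorized(user, patient):
    """Two-step check: the role must be allowed to open charts at all
    (access authorization), and the user must have a treatment
    relationship with this patient (authorized purpose)."""
    if ROLES.get(user) not in CHART_ROLES:
        return False, "role not permitted to open charts"
    if (user, patient) not in CARE_TEAM:
        return False, "no treatment relationship on record"
    return True, "authorized"

def review_audit_log(log_text):
    """Replay the log through is_authorized and group unauthorized views
    per (user, patient), so the reviewer sees '3 views by sec_ruiz'
    rather than three raw lines."""
    counts, reasons = Counter(), {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, patient, action, _source = line.split(",")
        if action != "view_chart":
            continue
        ok, why = is_authorized(user, patient)
        if not ok:
            counts[(user, patient)] += 1
            reasons[(user, patient)] = why
    return [Finding(u, p, n, reasons[(u, p)])
            for (u, p), n in sorted(counts.items())]

if __name__ == "__main__":
    for f in review_audit_log(AUDIT_LOG):
        print(f"{f.user} viewed {f.patient} {f.count}x: {f.reason}")
```

A real review would also weight the findings by source (the remote, after-hours view by a physician with no treatment relationship is the pattern from the Pressly case) and feed them to the sanctions process the post describes.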

CMS to Audit 10-20 Hospitals In Next 9 Months

GovernmentHealthIT reports that on January 16, 2008, at a workshop on HIPAA security, CMS announced that it will begin its audits by reviewing 10 to 20 hospitals in the next nine months for compliance with the HIPAA Security Rule. As posted earlier on this Blog, CMS has contracted with PricewaterhouseCoopers (PwC), an accounting and consulting firm, to help with the reviews.

Who Will Be Audited? Tony Trenkle, Director of CMS' Office of e-Health Standards and Services, stated at the January 16th workshop that the first reviews will be at hospitals where CMS has received complaints about security practices. Then, CMS will move on to auditing "larger" hospitals nationwide.

What Will CMS Look For? CMS representatives state that before a visit, the CMS-PwC team will request documents required under the HIPAA Security Rule, such as the hospital’s security risk assessment and its remote access policies. Director Trenkle indicated that remote access to data and use of portable storage devices are among the issues that CMS will focus on. Lorraine Doo, senior policy adviser at the Office of E-health Standards and Services, elaborated that CMS-PwC will interview the compliance officer, security director, lead systems security manager and access controls manager at each hospital.

Consequences: Hospitals will be invited to comment on the CMS-PwC team’s findings before the results are final. After the reviews, CMS will publish the results of the security review, but not the organizations' names, on its website. However, if the review uncovers major lapses, Ms. Doo indicates that CMS could fine a hospital or levy other punishments allowed for under the HIPAA statute.

Helen's HIPAA Hint: The comment made by CMS’ Senior Policy Advisor, Ms. Doo, will likely make covered entities ask who a “Lead Systems Security Manager” and an “Access Controls Manager” are, and whether the Security Rule required them to appoint such individuals. The technical answer is “no”: the Security Rule only expressly requires a covered entity to appoint a Security Officer. However, the practical answer is that in order for the covered entity to ensure that the required technical, physical and administrative safeguards are effectively implemented, monitored and revised as needed, the “buck must stop” (as they say) ultimately with someone.

In smaller organizations, the Security Officer may have to take on all of these roles. However, larger entities may find it necessary to create a “team” of individuals who will work in tandem with the Security Officer to make sure that the entity is in full compliance.

So, if a covered entity does not have an Access Controls Manager or a Lead Systems Security Manager, will CMS find this organization non-compliant? I do not think so, as long as the entity can demonstrate that a specific individual is, or specific individuals are, ultimately responsible for making sure that all of the Security Rule’s safeguards are effectively implemented, monitored and audited, and that issues are addressed as they come up.

Ho-Ho-Ho...Contractor Hired to Audit the Naughty

HCPro reports that the Centers for Medicare and Medicaid Services (CMS) has contracted with PricewaterhouseCoopers to conduct security audits of covered entities, according to Karen Trudel, deputy director of CMS' Office of E-Health Standards and Services. PricewaterhouseCoopers' job will be to audit covered entities against which CMS has received a complaint. These audits will be in addition to those that are not complaint-driven, such as the random security audit of Atlanta's Piedmont Hospital completed in March of 2007. It is being said that at least two more similar "random" audits are planned for the near future.

Currently, if a complaint contains information about an incident or problem that could also be a violation of the HIPAA Security Rule, the Office for Civil Rights (OCR) coordinates its investigation with CMS, which is the agency within HHS responsible for enforcing the Security Rule. By contracting with PricewaterhouseCoopers, CMS will likely increase its ability to respond to complaints regarding potential security breaches and to audit potential offenders.

Providers who continue to question whether keeping their HIPAA Security compliance program updated and alive is "worth it" should note that CMS's decision to contract with PricewaterhouseCoopers is just another indication that the federal government is not likely to simply sit back and ignore enforcement.

Helen's HIPAA Hint: Keep your HIPAA Security compliance program alive. At a minimum, covered entities should: (1) periodically review their HIPAA security policies and procedures; (2) respond to internal complaints with internal investigations and appropriate actions; and (3) provide refresher training to employees. Also, keep an eye on CMS's enforcement website, where CMS hopes to put more information regarding Security Rule enforcement. The ability to demonstrate that your organization has an active and effective HIPAA Security compliance program can help if the need ever arises to respond to an audit by CMS or OCR.

Is the HIPAA Enforcement Tide Turning?

Final regulations setting forth how the Office for Civil Rights (OCR) should enforce HIPAA became effective back in March of 2006. As of the end of August 2007, 29,994 complaints alleging violations of privacy had been filed with the government. Yet, to date, the OCR has not issued a single civil monetary penalty. As a result, I am asked by providers and others if it is really necessary for them to continue spending resources to maintain their HIPAA compliance program, to which I always respond with an unwavering "yes."

In addition to the more obvious reasons why compliance with HIPAA is a good idea, the enforcement tide may be turning. In February of 2007, the Department of Health and Human Services (DHHS), through the Office of Inspector General, announced its first audit, which was of Atlanta's Piedmont Hospital's compliance with the HIPAA Security Rule. On April 16, 2007, DHHS then delegated to the OCR additional authority to issue subpoenas. Most recently, on April 20, 2007, HHS launched an enforcement Web site, which provides information regarding the Privacy Rule and how OCR enforces health information privacy rights and standards.

Some say that these are signs that the federal government is gearing up for increasing its national enforcement efforts.  Also worth noting is that the OIG acknowledges in the 2007 Work Plan that "the wider use of electronic medical records and personal health records raises concerns over privacy and security of patient data," which may suggest more audits are on the horizon.  So, keep your HIPAA policies current, alive and on your lower shelf!