Best Practices for HealthVault and Google Health

At the end of June, Investor's Business Daily reported that Google, Microsoft, Aetna, Blue Cross and 27 other private organizations "agreed on ground rules for protecting the privacy of the sensitive information" contained in personal health records (PHRs). The report indicated that the group had been working together for the past 18 months and, on Wednesday, June 26th, released the "hundreds of pages long" framework, which "starts with the idea that the information in a PHR is the user's to control -- and spells out how to guard it." 

The "best practices" agreed upon by this private workgroup are posted online.  Among them is a policy that audit trails be maintained so that consumers can see who has looked at their records.  In addition, the workgroup recommended that insurers, employers, and others be prohibited from seeing the information without the individual's prior authorization.  

Opponents of these models have focused on the point that PHR repositories, like the ones being offered by Google and Microsoft, are not subject to HIPAA.  However, I think that developing and releasing the Report containing privacy and security "best practices" is a step in the right direction, and it may reassure healthcare consumers that information maintained in such online filing cabinets will be kept as confidential and secure as when maintained by entities subject to federal privacy laws like HIPAA.


"But, I Never Had My Kidney Removed . . . ."

ONC's Coordinator, Dr. Robert Kolodner, has noted that medical identity theft stories are being documented at an increasing rate, bringing to light serious financial, fraud, and patient care issues, and that it is imperative to obtain a more comprehensive understanding of this issue from a variety of perspectives.  The government explains on its HIT Privacy & Security webpage that:

 "Medical identity theft is a specific type of identity theft which occurs when a person uses someone else's personal health identifiable information, such as insurance information, Social Security Number, health care file, or medical records, without the individual's knowledge or consent to obtain medical goods or services, or to submit false claims for medical services . . . [and that] there is limited information available about the scope, depth, and breadth of medical identity theft."

Last month, ONC awarded a contract to Booz Allen Hamilton to assess and evaluate the scope of the medical identity theft problem in the U.S.  The HIT webpage lays out the 3 phases of this assessment and evaluation, which can be summarized as follows:

  • Phase 1 - an "Environmental Scan" of the medical identity theft problem in the U.S. will be completed, particularly focusing on the intersection with health information technology;
  • Phase 2 - A one-day Town Hall meeting will be held to enable health care experts to share knowledge and experience of medical identity theft and how health IT can be utilized to prevent and detect medical identity theft; and
  • Phase 3 - A final report and road map will be released in Winter 2008-2009 that will set forth possible next steps for the federal government and other stakeholders in order to work toward prevention, detection, and remediation of medical identity theft.

To read an article that I co-authored on Medical Identity Theft, see HFMA's NJ FOCUS Magazine March/April 2008 edition.   Also, Health Data Management has an interesting and useful white paper on "Securing Critical Healthcare Data from Internal Theft and Loss" that is worth checking out.  


Educating the Educators on Privacy Laws

Last October, the United States Department of Education released a policy guidance document to help educators and parents interpret federal privacy laws, in an initiative prompted by the mass shooting at Virginia Tech.  The document was created in response to schools' requests "for guidance on what information can be shared among government agencies and parents under the 1974 Family Educational Rights and Privacy Act" (FERPA).  At that time, Congress was also considering revising FERPA to clearly permit school officials to contact parents if a student is considering suicide or threatening to attack someone.  Currently, FERPA allows officials to share information with parents or other agencies if there is a health or safety emergency, but there was concern - especially after the Virginia Tech incident - that the language is too vague.

On March 24, 2008, almost a year after the shooting rampage at Virginia Tech, the U.S. Department of Education (DOE) proposed regulations to clarify when colleges can release confidential information about students who might be a danger to themselves or others.   The proposed guidelines do not make any substantive changes under FERPA, but attempt to clarify that schools are permitted to report fears about students who might be a danger to themselves or others. Parents are among the parties who can be contacted if a student is at risk.  It is believed that the changes would provide colleges with more flexibility in defining a potentially dangerous situation, and would help ensure that counselors have the tools they need to reach out and build support systems around troubled students. 

HIPAA contains a similar exception for disclosures "to avert a serious threat to health and safety."  Under HIPAA, a covered entity is not prohibited by the federal Privacy Rule from disclosing protected health information if it believes, in good faith, that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person reasonably able to prevent or lessen the threat, including the target of the threat.  State laws may, however, impose additional restrictions and must still be considered.

The deadline for comment on the DOE's proposed regulation is May 8, 2008.


Sanctions May be Imposed Due to Stark-Struck Snoopers

On April 8, 2008, the New York Times and the Los Angeles Times reported that Dr. Mark Horton, head of the California Department of Public Health, said that "the agency planned to sanction the University of California, Los Angeles, Medical Center after hospital workers improperly viewed the records of more than 60 patients, including the actress Farrah Fawcett and the state's first lady, Maria Shriver."  The medical center's investigation "revealed that records of 61 patients, roughly half celebrities or politicians, had been opened by one unauthorized worker who had since quit."  Governor Arnold Schwarzenegger has been quoted as stating that his administration will push hospitals to implement new safeguards to stop such snooping.  

These types of incidents highlight a prevalent issue that I find many covered entity providers struggling with: their employees are either not aware of, or not taking seriously, their responsibility not to access the record of any patient without an authorized purpose.  Authorized purposes include where the employee needs the information in connection with providing health care services to the patient.  Other authorized purposes are limited, but are set forth in the HIPAA Privacy Rule.  In addition, state laws may further restrict which employees can access certain sensitive information, like mental health records. 

HIPAA requires that covered entities implement safeguards to prevent unauthorized employees from accessing protected health information (PHI).  The first step for a provider is to establish clear policies regarding when employee access is "authorized" (permitted) and when it is "unauthorized" (not permitted).  With respect to electronic PHI, the HIPAA Security Rule goes one step further: its Information Access Management standard (45 C.F.R. 164.308(a)(4)) calls for covered entities to implement (1) Access Authorization and (2) Access Establishment and Modification.  This means developing and implementing policies and procedures for granting, documenting, reviewing and revoking each employee's access rights (e.g., user accounts and the record sections they may open) based on the employee's role at the facility.  Note that role-based access alone does not stop snooping of the kind described above: a worker whose role legitimately includes viewing clinical records can still open the chart of a patient he or she is not treating.  Catching that requires the Security Rule's audit controls (45 C.F.R. 164.312(b)), that is, recording who opened which record and actually reviewing those logs for lookups with no treatment relationship.  Finally, it is imperative that employees are trained on the established policies, and that the applicable sanctions (e.g., from warnings to termination) are carried out for violations.
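As an added example (not code from the original post, from the workgroup or CMS, or from any EHR vendor), the following Python sketch separates the two controls discussed in this and the preceding paragraph: a role-based authorization check that decides whether a user may open a section of a record at all, and an audit trail that is then reviewed for the pattern in the UCLA case, a user whose role permits opening clinical records but who has no treatment relationship with the patient. The user names, roles, patient identifiers and the day's access log are constructed for illustration; the care-team table stands in for whatever an EHR uses to record which clinicians are assigned to a patient.

```python
"""Role-based access checks plus an audit-trail review for record snooping.

Added example written for this post; not code from any EHR vendor or from HHS.
User names, roles, patient identifiers and log entries are constructed.
"""
from dataclasses import dataclass

# Access Authorization: which record sections each role may open.
ROLE_PERMISSIONS = {
    "physician": {"demographics", "clinical", "billing"},
    "nurse": {"demographics", "clinical"},
    "billing_clerk": {"demographics", "billing"},
    "security_guard": set(),  # no patient-record access at all
}

# Access Establishment and Modification: the current user -> role assignment.
# In practice this is maintained by provisioning/HR; here it is a constant.
USER_ROLES = {
    "dr_lee": "physician",
    "rn_patel": "nurse",
    "rn_gomez": "nurse",
    "clerk_ng": "billing_clerk",
    "guard_ruiz": "security_guard",
}

# Treatment relationships (constructed): patient -> users assigned to that patient.
CARE_TEAM = {
    "P-1001": {"dr_lee", "rn_patel"},
    "P-1002": {"dr_lee", "rn_gomez"},
    "P-1003": {"rn_gomez"},
}


@dataclass(frozen=True)
class AuditEntry:
    user: str
    patient: str
    section: str
    allowed: bool
    reason: str


def authorize(user: str, patient: str, section: str, log: list) -> bool:
    """Role-based check. Every decision, allowed or denied, lands in the audit log.

    The role check cannot tell a clinician treating the patient from one who
    is merely curious, so it allows any clinician to open clinical data; that
    gap is what review_for_snooping() below is for.
    """
    role = USER_ROLES.get(user)                 # unknown user -> None -> no permissions
    permitted = ROLE_PERMISSIONS.get(role, set())
    if section not in permitted:
        log.append(AuditEntry(user, patient, section, False, "role lacks permission"))
        return False
    log.append(AuditEntry(user, patient, section, True, "role permits section"))
    return True


def review_for_snooping(log: list, care_team: dict) -> list:
    """Allowed clinical accesses by users with no treatment relationship."""
    return [
        e for e in log
        if e.allowed and e.section == "clinical"
        and e.user not in care_team.get(e.patient, set())
    ]


def users_over_threshold(log: list, max_distinct_patients: int) -> dict:
    """Users who opened more distinct patient records than a threshold allows."""
    seen = {}
    for e in log:
        if e.allowed:
            seen.setdefault(e.user, set()).add(e.patient)
    return {u: len(p) for u, p in seen.items() if len(p) > max_distinct_patients}


def run_demo() -> tuple:
    """One constructed day of activity: routine care plus two curiosity lookups."""
    log = []
    requests = [
        ("dr_lee", "P-1001", "clinical"),
        ("rn_patel", "P-1001", "clinical"),
        ("rn_gomez", "P-1002", "clinical"),
        ("clerk_ng", "P-1001", "billing"),
        ("rn_patel", "P-1002", "clinical"),        # nurse not on P-1002's team
        ("rn_patel", "P-1003", "clinical"),        # nor on P-1003's
        ("guard_ruiz", "P-1002", "demographics"),  # denied: role has no access
        ("clerk_ng", "P-1002", "clinical"),        # denied: billing role, clinical data
    ]
    for user, patient, section in requests:
        authorize(user, patient, section, log)
    flagged = review_for_snooping(log, CARE_TEAM)
    heavy = users_over_threshold(log, max_distinct_patients=2)
    return log, flagged, heavy


if __name__ == "__main__":
    log, flagged, heavy = run_demo()
    for e in log:
        print(f"{'ALLOW' if e.allowed else 'DENY '} {e.user:10} {e.patient} {e.section:12} {e.reason}")
    print("\nAllowed accesses with no treatment relationship:")
    for e in flagged:
        print(f"  {e.user} opened {e.patient}")
    print("\nUsers over the distinct-patient threshold:", heavy)
```

The role check denies the guard and the billing clerk outright, which is all that Access Authorization can do. The two lookups by the nurse who was not on either patient's care team pass the role check and are only caught by the after-the-fact review, which is the reason the audit controls and a person who actually reads the log matter as much as the access matrix. In a real deployment the care-team table would come from the EHR's assignment data and the review would run against the system's own audit log rather than an in-memory list.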

One Man's Scrap Paper Is Another Man's Treasure (part 1)

Business Week reported earlier this week that the medical records of 28 Central Florida Regional Hospital patients were included in a box purchased for $20 from a surplus store by a teacher for use as "scrap paper" in her fourth grade classroom.  According to reports, the "scrap paper" included detailed medical histories, phone numbers, addresses, Social Security numbers and insurance information of patients who had received treatment at the hospital. 

The hospital explains that last December it shipped three boxes of medical records via UPS to a Medicare auditor located in Las Vegas.  When one of the boxes was not received, the auditor contacted hospital officials.  The hospital then got in touch with UPS and attempted to determine the location of the third box.  The hospital's risk manager acknowledged that during the time it was working with UPS to resolve the issue, the hospital did not contact the potentially affected patients, despite the fact that it had concerns of the possibility of wrongful disclosure if the box got into the wrong hands.  As luck would have it, it did - although it could have been much worse than ending up in the hands of a fourth grade teacher. 

The mishap raises a few interesting questions.  One is whether the hospital was required to notify patients that a box containing their medical records did not reach its intended destination.  Another is whether UPS had any obligation to assure that a box full of confidential medical records did not end up at a surplus store for resale as scrap paper.  I will offer my thoughts with regard to the first question on this post.  I invite you to check back for my response to the second question. 

Under HIPAA, a covered entity is required to reasonably safeguard its patients' protected health information from any intentional or unintentional use or disclosure that is in violation of the Privacy Rule.  In addition, a covered entity is required to mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of the information that would violate the Privacy Rule.  45 C.F.R. 164.530(f).  HIPAA does not contain a mandatory security breach notification requirement.   Additionally, most state security breach notification laws only require the individual to be notified where the breach potentially affects their electronic information. 

The situation here involved paper records, and so may have fallen outside of any applicable state breach notification laws.  In addition, it appears from reports that during the hospital's investigation into the “lost” box, UPS never confirmed that the box was no longer in its control or, otherwise, that it had been forwarded to the surplus store.  Apparently that information finally came to light after-the-fact. As such, the hospital likely determined that it was premature to notify individuals where it was possible that the box was simply making its way back to the hospital through the UPS return system.  If the hospital had decided to notify individuals of the situation, it would likely have been faced with significant negative publicity for potentially no reason. 

As it turns out, however, the box did end up in unintended hands.  In hindsight, many may conclude that the hospital should have notified the individuals as soon as the box failed to reach the Medicare auditor.  If the "lost" box of records had ended up in the hands of someone who would use the information for a sinister purpose, the outcome for the affected individuals could have been much worse.  However, it is likely that if the sale of "scrap paper" had not occurred, UPS would have eventually concluded that the box was indeed lost.  Then, the hospital may have considered sending a notification to patients if it concluded that there was a likelihood that the information could be used by some third party for an improper purpose.

Some may ask what "safeguards" could be put in place to prevent mailed medical records from ending up in unintended hands.  A few come to mind.  One is a clearly marked return address, so that an undeliverable box is returned to the proper sender rather than treated as abandoned.  Another is a label marking the package as "CONFIDENTIAL" to increase awareness of the sensitive nature of its contents.  Finally, use a carrier whose tracking system can locate a package in transit, and require a signature on delivery so that there is a record of who actually received it.

Check back next week to find out my thoughts on: (1) Did UPS have any HIPAA obligations to assure that the medical records did not end up at a surplus store for resale? and (2) Is UPS a business associate of the hospital? 


Is All "Marketing" Prohibited by HIPAA?

In general, HIPAA requires a written authorization from an individual before a health care provider can make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.  However, certain mailings and communications with individuals are permissible without having to obtain prior written authorization because they are not considered "marketing" as defined by the HIPAA Privacy Rule.

The following are a few examples of communications that HIPAA does not consider "marketing":

-- Reminders (e.g., "get your annual pap" letter)
-- Providing information about how to manage a particular condition (e.g., tips on diabetes control)
-- General information about new developments in health care
-- Information about health & wellness classes, support groups, health fairs etc.
-- Announcements of a new specialty group or new medical equipment at your facility

Thus, even though many of us who receive such information in the mail consider such flyers to be at least loosely linked to the “marketing efforts” of the sender, HIPAA considers the foregoing to be “communications essential for quality health care.”  Such communications are not subject to HIPAA’s restrictions otherwise applicable to using patient health information for “marketing” purposes.  Thus, a written authorization is generally not required for a health care provider to mail such information to former or current patients.  

CMS to Audit 10-20 Hospitals In Next 9 Months

GovernmentHealthIT reports that on January 16, 2008, at a workshop on HIPAA security, CMS announced that it will begin its audits by reviewing 10 to 20 hospitals in the next nine months for compliance with the HIPAA Security Rule.  As posted earlier on this Blog, CMS has contracted with PricewaterhouseCoopers (PwC), an accounting and consulting firm, to help with the reviews.

Who Will Be Audited?   Tony Trenkle, Director of CMS' Office of e-Health Standards and Services, stated at the January 16th workshop that the first reviews will be at hospitals where CMS has received complaints about security practices.  Then, CMS will move onto auditing "larger" hospitals nationwide.

What Will CMS Look For?   CMS representatives state that before a visit, the CMS-PWC team will request documents required under the HIPAA Security Rule, such as the hospital’s security risk assessment and its remote access policies.  Director Trenkle indicated that remote access to data and use of portable storage devices are among the issues that CMS will focus on.  Lorraine Doo, senior policy adviser at the Office of E-health Standards and Services, elaborated that CMS-PWC will interview the compliance officer, security director, lead systems security manager and access controls manager at each hospital.

Consequences:   Hospitals will be invited to comment on the CMS-PWC team’s findings before the results are final.  After the reviews, CMS will publish the results of the security review, but not the organizations' names, on its website.  However, if the review uncovers major lapses, Ms. Doo indicates that CMS could fine a hospital or levy other punishments allowed for under the HIPAA statute.


Helen's HIPAA Hint: The comment made by CMS' Senior Policy Advisor, Ms. Doo, will likely make covered entities ask: who is a "Lead Systems Security Manager," who is an "Access Controls Manager," and did the Security Rule require us to appoint such individuals?  The technical answer is "no"; the Security Rule expressly requires a covered entity to appoint only a Security Officer.  However, the practical answer is that, in order for the covered entity to ensure that the required technical, physical and administrative safeguards are effectively implemented, monitored and revised as needed, the "buck must stop" (as they say) with someone. 

In smaller organizations, the Security Officer may have to take on all of these roles.  However, larger entities may find it necessary to create a "team" of individuals who work in tandem with the Security Officer to make sure that the entity is in full compliance. 


So, if a covered entity does not have an Access Controls Manager or a Lead Systems Security Manager, will CMS find the organization non-compliant?  I do not think so, as long as the entity can demonstrate that one or more specific individuals are ultimately responsible for making sure that all of the Security Rule's safeguards are effectively implemented, monitored and audited, and that issues are addressed as they come up.


New Year, New Laws . . . Some Items to Watch In 2008

  • What the HIPSA?!!   After HIPAA, the last thing most of us want to hear is another acronym that starts with the letter "H" and makes our heads spin trying to figure out whether the answer to the question is "to disclose" or "not to disclose."   But, here it may come..... Covered Entities (and anyone currently handling health information, for that matter) should keep an eye on U.S. Senate Bill 1814, the Health Information Privacy and Security Act ("HIPSA"), currently under consideration by the Committee on Health, Education, Labor, and Pensions.  HIPSA could change the current HIPAA landscape by, among other things, aiming to directly govern each individual and entity that uses personal health information.  The potential new law also looks to create a private right of action (the right to file a private lawsuit), and to allow state attorneys general to sue for privacy and security violations.  Each of these elements is more far-reaching than HIPAA, which directly governs only Covered Entities and does not provide a statutory private right of action.
  • New Jersey Health Information Technology Promotion Act (NJ HITPA), Senate Bill 2728.   As NJ HITPA inches forward (last updated 11/2007), New Jersey may be one step closer to setting up the infrastructure necessary to support a state-wide RHIO (Regional Health Information Organization) in 2008.  NJ HITPA establishes the New Jersey Health Information Technology Commission to assume primary responsibility within State government for the development, implementation, and oversight of the Statewide health information technology plan.  That plan is to be designed to establish a secure, integrated and interoperable Statewide electronic health information infrastructure for the sharing of electronic health information among health care facilities, health care professionals, public and private payers, and patients, which complies with all State and federal privacy requirements and links all components of the health care delivery system through secure and appropriate exchanges of health information. 
  • Ban On Data Mining.  On December 12, 2007, the Washington D.C. Council voted in favor of restricting access to information about physicians' prescribing trends.  The ban is the result of a much larger debate, namely whether prescription data should be allowed to be mined and sold to pharmaceutical companies, and whether such practice drives up the costs of prescription drugs and interferes with physician practices.  However, from a HIPAA standpoint, the ban may spur a trend that could restrict access to de-identified information.  Under HIPAA, if information is "de-identified" (stripped of all identifying elements), then the federal Privacy Rule does not prohibit its disclosure.  Most state laws also limit confidentiality protections to "identifying" personal information.  Therefore, "anti-data mining" laws such as the one being considered in D.C. (as well as in 12 other states, including New Hampshire, Maine and Vermont) would, in many instances, result in state laws that are more restrictive than HIPAA and create a new barrier to pharmaceutical companies and others obtaining such information.
  • States Amending Privacy Laws.  Look for legislation to be introduced in New Jersey and other states that tightens privacy and security requirements in certain instances, and that clarifies restrictions that have become outdated.  For example, the Pennsylvania Department of Health ("PA DOH") proposed to amend its regulations relating to the disclosure of patient information under the Pennsylvania Drug and Alcohol Abuse Control Act.  The proposed rule, set forth in the Pennsylvania Bulletin at 37 Pa.B. 6529, indicates that the PA DOH determined that the current regulation is outdated and is an impediment to service delivery and the coordination of care for individuals with substance abuse problems.  In general, the proposed rule expands the amount of information treatment providers may release to other entities (in accordance with the existing statute), and clarifies what information is subject to the confidentiality and disclosure restrictions.  
  • Identity-Theft Prevention Laws.  As the nation moves toward converting from paper to electronic health records and our personal information becomes more accessible, medical identity theft has become pervasive. Many states, including New Jersey, have passed security-breach notification laws that require providers to notify an individual if his/her electronic information has been accessed in an unauthorized manner. Look, however, for states to expand their current laws protecting the security of health information and specifically target medical identity theft. 

Continue Reading...

Employees suspended for snooping about George Clooney

Last week, WCBS-TV in New York reported that as many as two dozen employees, including doctors and nurses, have been suspended for allegedly improperly accessing actor George Clooney's medical records.  As the story goes, employees not involved with the actor's care logged into the hospital's computer system to view his records as doctors tended to his injuries, and that a security guard released a Clooney family member's telephone number.  WCBS said that media seemed to have detailed information about Clooney's condition almost immediately and that as many as 40 hospital employees were under investigation for releasing information to the press, which is a violation of federal law. 

Was the hospital's reaction too harsh?  I personally do not think so.  

Under HIPAA, there is no exception that would permit a patient's protected health information (PHI) to be disclosed to the media without first obtaining a written authorization from the patient.  Furthermore, hospital employees who have no need to access PHI about a patient should not be doing so.  HIPAA specifically requires that covered entity providers (e.g., hospitals) have administrative, physical and technical safeguards in place that are aimed at preventing access to PHI by unauthorized individuals.  In one New Jersey Supreme Court case where highly sensitive information about a patient (who also happened to be a hospital employee) was disclosed to employees throughout the hospital who were not involved in the patient's care, the Court found that the hospital failed to have adequate policies and safeguards in place to prevent such intra-entity unauthorized dissemination of information.  

There are a few lessons to take away from the Clooney incident (and many similar, but less-publicized, incidents).  First, hospitals and other covered entity providers should have clear, written HIPAA policies in place to safeguard PHI from unauthorized access by employees.  Second, employees must be trained on such policies, and reminded that sanctions may be applied if they fail to adhere to them.  Finally, if a HIPAA safeguard policy is breached by an employee, then the appropriate sanctions must be followed through on.  These steps are essential to minimizing incidents like the Clooney case.  

Reports Find Security & Privacy Variations in State Health Data Exchanges

The Agency for Healthcare Research and Quality has released a series of reports funded by AHRQ and the Office of the National Coordinator for Health IT which examine the variations in data privacy and security among 34 regional health information organizations.  The reports found that state RHIOs varied in several areas, including the level of adoption for electronic health data exchanges, state health care market forces, and legal and regulatory conditions related to health information.   According to Health Data Management, the reports also recommend additional research and guidance on:

  • Determining states' varying interpretations of HIPAA
  • Assessing differences between state and federal privacy laws 
  • Assessing technologies that could protect the security and privacy of individuals, as well as the related administrative processes and liabilities
  • Creating a system that matches patients with their health information and is updated by various providers and organizations, and
  • Developing a standard set of definitions and terms to ease health data sharing

Legislators Introduce New Privacy Law

As more and more providers and other stakeholders in the health care sector move towards using the electronic medium as their preferred method to store and exchange patients' health information, there is growing concern that HIPAA does not adequately assure that patients' privacy will be maintained.  In response, on July 18, 2007, Senators Patrick Leahy (D-Vt.) and Edward Kennedy (D-Mass.) introduced the Health Information Privacy and Security Act of 2007 ("HIPSA") in an attempt to give patients more control over their protected health information.  In addition, HIPSA would create a private right to sue violators (i.e., doctors, hospitals, health plans etc.) for violating their privacy rights, something that HIPAA does not currently afford (HIPAA enforcement is reserved for government action only).  Those who handle patients' health information likely will want to know: (1) how else does the Health Information Privacy and Security Act of 2007 differ from HIPAA and (2) how will it affect them? 

Continue Reading...

Health Experts Say Privacy Rules Needed for e-Health Records

Do we really need more rules to protect health information?  Certain health experts seem to think so.   Dr. Deborah Peel, a psychiatrist and founder of Patient Privacy Rights Foundation, believes that "thousands" of electronic databases that contain patients' health records exist, and that those patients don't have any way to keep their personal information from being shared with third parties. 

Continue Reading...

State Laws Require Notification of Data Breaches

The media loves to report horror stories about privacy breaches that result in voluminous amounts of private health information being disclosed.  There were numerous reports of privacy breaches in 2006 and there will certainly be more in 2007.  Breaches in security and privacy are serious matters and steps must be taken to "mitigate harm."  In addition, increasing concerns with identity theft have led numerous states to pass security breach notification laws that require covered entity providers to take affirmative steps to notify the affected individuals in the event of such a breach.  Such notification is not mandated under HIPAA. 


The National Conference of State Legislatures (NCSL) reports on its website that as of January 9, 2007, at least 35 states have enacted legislation that requires companies and/or government agencies to disclose security breaches involving personal information to the individuals potentially affected.  Providers should determine if their state has enacted a security breach notification law.  


Meanwhile, here is a list of some fairly recent and highly-publicized breaches that resulted, in at least some cases, in a staggering amount of protected health information being compromised:

Continue Reading...

Insurance Companies Finalize Plans to Post Electronic Health Records On The Internet

Hartford Business Journal recently reported that privacy groups are sounding alarms as the nation's largest insurance companies finalize plans to allow millions more customers to post their health records on the Internet.  Insurers like Hartford-based Aetna Inc. say Web-based tools help patients and physicians keep track of medical information while potentially holding down spiraling medical costs.  The article stated that about 100 million insurance customers in the U.S. have access to Web-based tools, but companies don't have an estimate of how widely they are used.  Insurers hope to at least double the technology's reach by the end of next year . . .

Continue Reading...