The New and Improved HIPAA/HITECH Rules: What Employers Need to Know

On February 7, 2013, our partner Keith McMurdy, Esq., posted an excellent entry on the Employee Benefits Blog of Fox Rothschild LLP that merits republishing for our readers as well. The post outlines some direct effects of the new HIPAA Omnibus Rule on employers and their health plans. 

Keith McMurdy writes as follows:

 

On January 25, the new (final?) rules about HIPAA Privacy under the HITECH Act were issued in the Federal Register.  While the effect of the new rules may not be to substantially change the way HIPAA privacy is viewed, there are a number of action items for employers as plan sponsors that have to be accomplished when these rules go into effect.

 

There are two pieces of good news.  The first is that the general purpose of compliance remains the same.  Plan sponsors have to ensure PHI is properly protected, refrain from impermissible disclosures and provide notices of security breaches.  The second is that the earliest possible deadline for compliance with the new rules is September 23, 2013, so there is some time to prepare.  But it is not a bad idea to start preparing now.  So let's consider the key changes.

 

1. Tougher Security Breach Notification Standard

 

Under the old rule, the standard for notification to participants of a security breach was only necessary if the release of information "posed a significant risk of financial, reputational or other harm" to a covered person.  Now, that standard is tightened to apply to ANY security breach unless the plan sponsor can prove "a low probability that the [PHI] has been compromised based on a risk assessment."  This should encourage plan sponsors to tighten their security breach protections because any release, even things like accidental e-mails, can potentially become reportable events.  So the first step in compliance would be to review security standards and document steps taken to avoid security breaches.

 

2. Tougher Standards for Business Associates Agreements

 

Because the new rule provides for penalties to a covered entity for breaches by business associates, the default position is that plan sponsors should be much more concerned about how compliant their business associates really are.  Where in the past, plan sponsors may have felt comfortable simply handing off certain protection functions to service providers, the new rule makes it pretty clear that plan sponsors have to actually know that their business associates are HIPAA compliant and diligently seek to confirm that compliance.

 

3. New Privacy Notices for 2013 Open Enrollment

 

The new rule also requires that plan sponsors add or amend their privacy notices:

  1. The notice must specifically state that the covered health plans are required to obtain plan participants' authorization to use or disclose psychotherapy notes, to use PHI for marketing purposes, to sell PHI, or to use or disclose PHI for any purpose not described in the notice as well as a statement explaining how plan participants may revoke an authorization.
  2. The notices must state that the plans (other than a long-term care plan) are prohibited from using PHI that is genetic information for underwriting purposes.
  3. The notice must inform plan participants of their right to receive a notice when there is a breach of their unsecured PHI.

The new rules make it clear that since this new language is a "material change," plan sponsors are required to distribute this revised notice, even if they had just recently sent the old notice.

 

4. Genetic Information and the GINA Notice

 

The Genetic Information Non-Discrimination Act of 2008 (GINA) prohibits discrimination based on genetic information.  The HIPAA Privacy Rule now similarly prohibits HIPAA-covered plans from taking genetic information into consideration when offering incentives or discounts through a health risk assessment.  Because this modification of the Privacy Rule materially affects how a plan may use PHI, the HIPAA Privacy Rule requires that plan participants be informed in the plan's privacy notice of the prohibition on the use of PHI for underwriting purposes.  See the second item under Part 3, above.

 

So in the midst of our struggles to comply with PPACA, plan sponsors should not forget about HIPAA medical privacy concerns.  Start pulling together privacy notices, business associates agreements and plan documents for review and amendment.  Review your security practices to avoid even accidental breaches.  And be prepared to issue new notices as necessary for your next open enrollment.  For more detailed information about HIPAA and HITECH Compliance, please make sure to check out our HIPAA Blog as well.  More information means better compliance, which is always a good thing.

HIPAA "Mega Rule", Meet "Super BAA": The CMS Data Use Agreement

The recent release of the HIPAA/HITECH “mega rule” or “omnibus rule” has given bloggers and lawyers like us plenty of topics for analysis and debate, as well as some tools with which to prod covered entities, business associates and subcontractors to put HIPAA/HITECH-compliant Business Associate Agreements (“BAAs”) in place. It’s also a reminder to read BAAs that are already in place, and to make sure the provisions accurately describe how and why protected health information (“PHI”) is to be created, received, maintained, and/or transmitted. 

If you are an entity that participates in the Medicare Shared Savings Program as a Medicare Accountable Care Organization (“ACO”), your ability to access patient data from Medicare depends on your having signed the CMS Data Use Agreement (the “Data Use Agreement”). Just as covered entities, business associates, and subcontractors should read and fully understand their BAAs, Medicare ACOs should make sure they are aware of several Data Use Agreement provisions that are more stringent than provisions typically included in a BAA and that may come as a surprise. Here are ten provisions from the Data Use Agreement worth reviewing, whether you are a Medicare ACO or any other business associate or subcontractor, as these may very well resurface in some form in the “Super BAA” of the future:

 

1. CMS (the covered entity) retains ownership rights in the patient data furnished to the ACO.

2. The ACO may only use the patient data for the purposes enumerated in the Data Use Agreement.

3. The ACO may not grant access to the patient data except as authorized by CMS.

4. The ACO agrees that, within the ACO and its agents, access to patient data will be limited to the minimum amount of data and minimum number of individuals necessary to achieve the stated purposes.

5. The ACO will only retain the patient data (and any derivative data) for one year or until 30 days after the purpose specified in the Data Use Agreement is completed, whichever is earlier, and the ACO must destroy the data and send written certification of the destruction to CMS within 30 days.

6. The ACO must establish administrative, technical, and physical safeguards that meet or exceed standards established by the Office of Management and Budget and the National Institute of Standards and Technology.

7. The ACO acknowledges that it is prohibited from using unsecured telecommunications, including the Internet, to transmit individually identifiable, bidder identifiable or deducible information derived from the patient files.

8. The ACO agrees not to disclose any information derived from the patient data, even if the information does not include direct identifiers, if the information can, by itself or in combination with other data, be used to deduce an individual’s identity.

9. The ACO agrees to abide by CMS’s cell size suppression policy (which stipulates that no cell of 10 or less may be displayed).

And last, but certainly not least:

10. The ACO agrees to report to CMS any breach of personally identifiable information from the CMS data file(s), loss of these data, or disclosure to an unauthorized person by telephone or email within one hour.
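Items 8 and 9 together describe a disclosure-control problem: hiding every cell of 10 or less is not enough if a hidden value can be recovered by subtracting the visible cells from a published row or column total. The following is an added example, not code from the original post or from CMS; the county and condition table is constructed, and the complementary-suppression rule it applies goes beyond the policy text quoted above.

```python
# Added example (not from the original post or any CMS tool): small-cell
# suppression for an aggregate table, plus the check that a suppressed cell
# cannot be deduced from the published totals.

THRESHOLD = 10  # cells with a count of 10 or less must not be displayed


def primary_suppression(counts, threshold=THRESHOLD):
    """Replace every cell whose count is <= threshold with None."""
    return [[None if v <= threshold else v for v in row] for row in counts]


def recoverable_cells(masked):
    """Hidden cells that a reader could recompute from published totals.

    If a row (or column) hides exactly one cell, that cell equals the
    row (or column) total minus the visible cells, so the suppression
    was ineffective. Returns sorted (row, col) coordinates.
    """
    n_rows, n_cols = len(masked), len(masked[0])
    exposed = set()
    for r in range(n_rows):
        hidden = [c for c in range(n_cols) if masked[r][c] is None]
        if len(hidden) == 1:
            exposed.add((r, hidden[0]))
    for c in range(n_cols):
        hidden = [r for r in range(n_rows) if masked[r][c] is None]
        if len(hidden) == 1:
            exposed.add((hidden[0], c))
    return sorted(exposed)


def complementary_suppression(counts, threshold=THRESHOLD):
    """Primary suppression plus the extra ("complementary") cells needed so
    that every row and column hides either no cell or at least two.

    Among the candidates in a line, the smallest visible count is hidden,
    which loses the least information. This is the minimal textbook rule:
    it stops exact recovery from a single marginal total, not every
    inference that linear programming over all totals could make.
    """
    n_rows, n_cols = len(counts), len(counts[0])
    hidden = {(r, c) for r in range(n_rows) for c in range(n_cols)
              if counts[r][c] <= threshold}

    def lines():
        for r in range(n_rows):
            yield [(r, c) for c in range(n_cols)]
        for c in range(n_cols):
            yield [(r, c) for r in range(n_rows)]

    changed = True
    while changed:
        changed = False
        for line in lines():
            if sum(cell in hidden for cell in line) != 1:
                continue
            visible = [cell for cell in line if cell not in hidden]
            if not visible:
                raise ValueError("a line with a single cell cannot be protected")
            hidden.add(min(visible, key=lambda rc: counts[rc[0]][rc[1]]))
            changed = True
    return [[None if (r, c) in hidden else counts[r][c]
             for c in range(n_cols)] for r in range(n_rows)]


def render(masked, counts, row_names, col_names):
    """Text table as it would be published: masked cells plus true totals."""
    out = ["\t".join([""] + col_names + ["Total"])]
    for name, mrow, crow in zip(row_names, masked, counts):
        cells = ["*" if v is None else str(v) for v in mrow]
        out.append("\t".join([name] + cells + [str(sum(crow))]))
    col_totals = [str(sum(col)) for col in zip(*counts)]
    out.append("\t".join(["Total"] + col_totals + [str(sum(map(sum, counts)))]))
    return "\n".join(out)


# Constructed sample, not real CMS data: beneficiaries by county and condition.
ROWS = ["County A", "County B", "County C"]
COLS = ["Diabetes", "CHF", "COPD"]
COUNTS = [
    [120, 8, 45],
    [60, 33, 7],
    [95, 40, 52],
]

if __name__ == "__main__":
    naive = primary_suppression(COUNTS)
    print("Primary suppression only:")
    print(render(naive, COUNTS, ROWS, COLS))
    print("Recoverable by subtraction:", recoverable_cells(naive))
    safe = complementary_suppression(COUNTS)
    print("\nWith complementary suppression:")
    print(render(safe, COUNTS, ROWS, COLS))
    print("Recoverable by subtraction:", recoverable_cells(safe))
```

With only the two small cells hidden, both can be recomputed from the row totals; after complementary suppression four cells are hidden and none is recoverable by subtraction.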

  

While the undertakings of a Medicare ACO and the terminology in the Data Use Agreement for protection of patient data may differ from those of covered entities, business associates and subcontractors and their BAAs under the HIPAA/HITECH regulations, they have many striking similarities and purposes. 

 

Countdown to 2013 and the HITECH "Mega Rule": Ten New Year's Resolutions to Protect Health Information

We have written several times in this blog series about the long-awaited (some would assert long overdue) HIPAA “Mega Rule.” What was highly anticipated for the summer of 2012 has become the winter of discontent and a new year for eager HIPAA professionals. Below are ten HIPAA resolutions worth making for 2013 for anyone who has contact with protected health information (PHI), even without the benefit of the Mega Rule.  

10. I will ask for a copy of my employer’s HIPAA Policies and Procedures.

9. I will read them.

8. I will compare what they say with what I do with PHI and will identify and correct discrepancies.

7. I will not snoop through PHI of others or access or use any PHI I do not need in order to do my job.

6. If I get PHI from or send PHI to a third party (outside my employer) as part of my job, I will find out whether my employer has a Business Associate Agreement (“BAA”) in place with that third party (or has decided one is not needed).

5. I will learn how to encrypt (as per National Institute of Standards and Technology) PHI before I save it or send it.

4. I will check my laptop, smartphone, or other portable device for encryption capability and make sure it is activated. I will also check for any unencrypted PHI that may be lurking on my portable device(s). I will encrypt or remove such PHI (if consistent with the HIPAA Policies and Procedures of my employer and any BAAs).

3. I will investigate the “chain of control” of PHI before I send it to make sure it will not end up outside the jurisdiction of the United States.

2. I will educate myself as to whether and how PHI might be de-identified and will recommend that my employer consider a policy of de-identification in accordance with guidance published by the Office of Civil Rights of the Department of Health and Human Services.

1. Even if I’ve accomplished resolution # 4, I will not leave my laptop, smartphone or other portable device containing PHI in plain sight inside my parked car, especially while at lunch.

 

If everyone were to make and follow these resolutions, we all will have a Happy HIPAA New Year.

PHI Breach Involving Health Plan Leads to Lawsuit by Identity Theft Victims Who Were Plan Members

A previous post to this blog by Patricia McManus pointed out that individuals whose protected health information (“PHI”) is stolen, lost, or otherwise inappropriately used, accessed, or left unsecured have no private right of action against the person or entity responsible for the breach under the HIPAA/HITECH laws. That may change for victims of identity theft who can show the theft was caused by a HIPAA breach, at least if the action is brought in the 11th Circuit.

The 11th Circuit District Court (Southern District of Florida) decision that came out on September 5, 2012 involved stolen unencrypted laptops containing PHI of approximately 1.2 million AvMed (health plan) patients. The lower court had dismissed the originally-filed class action because plaintiffs sought "to predicate recovery upon a mere specter of injury: a heightened likelihood of identity theft."  The case was re-filed, naming as plaintiffs a subset of patients whose identities had actually been stolen since the laptop theft, alleging negligence by AvMed in protecting the sensitive information, breach of contract, unjust enrichment, breach of the implied covenant of good faith and fair dealing, and breach of fiduciary duty.

 

The District Court's decision to deny AvMed's motion to dismiss plaintiffs' claim that AvMed's data breach caused plaintiffs' identity theft was based on its finding that plaintiffs "sufficiently alleged a nexus between the data theft and the identity theft and therefore meet the federal pleading standards...  ," even though the computers were stolen 10 and 14 months prior to the identity thefts of the two specific plaintiffs named in the action. The court pointed out that both individuals were very protective of their personal data and did not transmit sensitive data electronically or store it on computers. One plaintiff's sensitive information was used to open a Bank of America account and change her address with the US Post Office, while the other plaintiff's sensitive information was used to open an E*Trade Financial account. Neither had experienced identity theft before the theft of the AvMed laptops.

 

The court also refused to dismiss the plaintiffs' unjust enrichment claim, which was based on the fact that AvMed received premiums that were payments, at least in part, to protect sensitive information with "data management and security measures that are mandated by industry standards." Plaintiffs alleged AvMed failed to implement or inadequately implemented these policies. 

 

If plaintiffs are ultimately successful in obtaining refunds of premiums and/or payments from AvMed for damages incurred as a result of the identity thefts, it could set an interesting precedent for future HIPAA breach victims, particularly if the court’s decision relies (as it seemed to rely in this decision) on the fact that the victims could show they were extremely careful not to store or transmit personal information via electronic means.  In this age of intensive use of computers and the Internet for financial transactions, such plaintiffs are probably highly unusual. An individual who makes frequent or even occasional on-line purchases or pays bills electronically and who becomes the victim of  a HIPAA breach might have difficulty demonstrating that a subsequent identity theft was the direct result of the breach. 

As We All Continue to Anticipate the HIPAA/HITECH "Mega Rule" from HHS, We Can Test Our Prognosticating Skills

We have seen substantial delay in publication of the long-awaited HIPAA/HITECH Omnibus Final Rule, sometimes affectionately referred to as the “Mega Rule.” Health Data Management reported on June 6 of this year that Farzad Mostashari, national coordinator for health information technology, had said that the HIPAA Mega Rule, which will include modifications to the privacy and security rule, breach notification and enforcement, “should” be published by “the end of summer.” After previous disappointments and delays in regulations in other contexts from the U.S. Department of Health and Human Services, however, it may be noteworthy that Mr. Mostashari was said to have used the word “should,” and did not specify the summer of what year, e.g., 2012, 2013, 2014, etc.

Now there has been some scuttlebutt that the Mega Rule may not surface until after Election Day, November 6, 2012, perhaps because of concerns about potential political implications. Even as we wait, there is some justifiable trepidation as to the number of pages of regulations that will be published. The recently-issued CMS final requirements that hospitals and other providers must meet to receive funding under the second phase of the federal electronic health-record incentive program, which is a relatively narrow topic, constituted 672 pages.

 

What can we expect from HHS on the Mega Rule? Well, we can register our own speculations. Marla Durben Hirsch, Editor of Medical Practice Compliance Alert published by DecisionHealth, Inc., informed me of a clever contest that is being conducted on line by idexperts as to the Mega Rule. Any household can put in a single entry as to the month, day and year that the Mega Rule will be published in the Federal Register. In the event of a tie, the number of pages in the Mega Rule will serve as a first tie breaker. The prize for first place is a contribution of $2,500 in the name of the winner to the Wounded Warrior Project, a $200 Amazon gift card, a year’s subscription to RADAR published by idexperts and, of course, internet bragging rights.

So, with the approach of Labor Day and the waning days of summer, join the contest and make the Mega Rule wait more enjoyable!

Employers: Beware of PHI "Minimum Necessary" Standards Lurking Under Statutes Other Than HIPAA and State PHI Statutes

A recent posting by our partner Christina Stoneburner, Esq., on the Fox Rothschild Employment Discrimination blog discussed the need for employers to limit the protected health information (“PHI”) that they provide with respect to medical examinations of employees and job applicants to the least amount of medical information necessary for evaluation.  Interestingly, the focus of her posting was not disclosure under HIPAA/HITECH, or even state statutes regulating the use of PHI; it dealt with allegations that employees and job applicants had been sent for unnecessary medical examinations in violation of the Americans with Disabilities Act and the Genetic Information Nondiscrimination Act.

Christina summarizes her posting with the following:

 

In short, the least amount of medical information necessary to evaluate an employee is what should be provided to examiners.  For example, if you have an employee being evaluated to see if he can perform the essential functions of his job after a shoulder injury, the examining doctor should not be given the medical records relating to his plantar wart being removed.

In her discussion, Christina noted our blog series respecting large breaches and a particular recent posting by Elizabeth Litten, Esq.  Christina also mentioned that the complaint on which her posting focused had alleged, "the employer often turned over Workers' Compensation records . . . , even where those records were not relevant to the examination.”

 

Workers’ compensation is an area where Christina’s posting comes full circle to our blog’s focus on HIPAA, because HIPAA directly addresses it by making clear that covered entities may disclose only the “minimum necessary” PHI without patient authorization, pursuant to 45 CFR 164.512(l):

 

A covered entity may disclose protected health information as authorized by and to the extent necessary to comply with laws relating to workers' compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.

 

The Office of Civil Rights of the U.S. Department of Health and Human Services (“HHS”) has published further advice on how the workers’ compensation Regulation works:

 

Covered entities are required reasonably to limit the amount of protected health information disclosed . . . to the minimum necessary to accomplish the worker’s compensation purpose. Under this requirement, protected health information may be shared for such purposes to the full extent authorized by State or other law. 

 

In summary, to avoid needless and costly violations, employers and other covered entities must be constantly aware of the need to comply with multiple regulatory schemes that may govern PHI, beyond those of HIPAA and State laws governing PHI; there is not unlimited flexibility to disclose PHI even within the context of State-governed workers’ compensation matters. When the long-anticipated “mega-regulation” regarding HIPAA/HITECH is finally published by HHS, special attention must be given to potential changes that may further tighten the “minimum necessary” standards.

The Parade of Major PHI Breaches Marches Onward - What Lessons Can Be Learned from Comments by OCR's Reviewing Stand?

This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Currently HHS has posted 435 List Breaches affecting marchers in the ever-lengthening parade, although the number of marchers has remained unchanged for several weeks.

The most recent posting on this blog series by my partner Elizabeth Litten, Esq., discussed a recent presentation by Linda Sanches, Office of Civil Rights ("OCR") Senior Advisor and the lead on HIPAA Compliance Audits, on the progress of the 2012 HIPAA Privacy and Security Audit Program.  As pointed out in the earlier posting, the presentation by Ms. Sanches included some general tips that covered entities (“CEs”) and business associates ("BAs") can use to reduce the likelihood of HIPAA violations, one of which is PHI security breaches.

 

The HHS List includes additional focused guidance from OCR that CEs and BAs can use in efforts to avoid, or in the event of, a PHI security breach (even if it does not rise to the level of a List Breach) in the form of brief summaries of the breach cases that OCR has investigated and closed. To date, the HHS List has posted approximately 93 summaries (“Summaries”) out of the 435 postings respecting marchers in the Breach Parade (which include some multiple postings of List Breaches where an alleged breach by one BA caused a number of CEs to have List Breaches). Of the 93 List Breaches for which Summaries have been prepared by OCR, 18 (approximately 20%) were reported as involving BAs.

 

These Summaries can provide valuable clues for CEs and BAs on how to deal with a HIPAA security breach. One example is contained in a Summary respecting a List Breach reported on January 29, 2010 by Thrivent Financial for Lutherans (“Thrivent”) in Wisconsin. The List Breach, which did not report an involved BA, related to a theft of laptops that contained the PHI of approximately 9,400 individuals. (The original report by Thrivent had stated that approximately 9,500 individuals had been affected.) The OCR Summary included the following statement:

 

The protected health information involved in the breach included name, address, date of birth, social security number, prescription drugs, medical condition, age, weight, etc. Thrivent provided OCR with additional controls to remedy causes of security breach at various stages of implementation. The actions taken by the CE prior to OCR’s formal investigation brought the CE into compliance.

 

OCR clearly viewed it as noteworthy and commendable that Thrivent had voluntarily taken necessary steps for compliance before OCR conducted its investigation. That should be an alert for those who suffer HIPAA breaches that all appropriate and reasonable remedial measures should be undertaken promptly to demonstrate and document compliance before OCR comes knocking on the door of the CE. This blog series will continue to review various of the OCR Summaries as to guidance that they may contain respecting PHI security breaches.

Protected Health Information on HIT Super-Highways: If it's Secure, Do We Care Where it Travels and How it is Used When it Lands?

By: Elizabeth G. Litten and Michael J. Kline

Kaiser Health News reported today that a division of UnitedHealth, Optum, will be using cloud computing technology to allow centralized access to fragmented health information. The Philadelphia Business Journal (the “Journal”) also reported today that three large Blues plans in Pennsylvania and New Jersey (Highmark Inc., Independence Blue Cross, and Horizon Blue Cross and Blue Shield of New Jersey) and a health information technology company, Lumeris Corp. (“Lumeris”), will be joining together to purchase NaviNet, “the country’s largest real-time communication network for physicians, hospitals, and health insurers.” 

 

According to the Journal article, Lumeris created an accountable-care delivery platform to support “new payment models that reward improved outcomes, enhanced patient safety, and increased physician and patient satisfaction, while lowering overall health-care costs.” The combination of the Lumeris accountable-care platform and NaviNet’s real-time communication network is designed to facilitate the sharing of information and the “administrative, clinical, and financial tasks” needed for high quality, less costly (i.e., “accountable”) care.

 

Clearly, the health care industry is racing to create information superhighways into which health information can be entered, consolidated, accessed, maintained and used in novel ways that will improve our health care delivery and payment system. If the protected health information (“PHI”) flowing through these information superhighways and into and out of clouds and other data bases is adequately secured and the increased use and sophistication of health information technology results in improved quality and reduced cost, can anyone reasonably object to this race? Even the Centers for Medicare and Medicaid Services encourages sharing and using PHI to improve quality and reduce costs (see discussions of privacy issues in the Final Rule on the “Medicare Shared Savings Program: Accountable Care Organizations”).

 

In his recent post to this blog, our law partner Bill Maruca made it clear that the Minnesota Attorney General (“MAG”) is not a fan of the manner in which at least one company, Accretive Health, Inc. (“Accretive”), accessed and used (and, incidentally, allegedly improperly disclosed) PHI. Although the PHI breach seems to have triggered the MAG’s lawsuit against Accretive, the complaint seems particularly critical of Accretive’s “Quality and Total Cost of Care” services, which allegedly used “data mining,” “consumer behavior modeling,” and “propensity to pay” algorithms.  Accretive allegedly “amasses and has access to a high volume of sensitive and personal information,” which it uses to, among other things, create “per patient risk score” calculations. 

 

The MAG claims that, “upon information and belief”, patients’ medical authorization forms did not “identify Accretive by name or disclose the scope and the breadth of the information” that the hospitals that engaged Accretive for these services shared with Accretive. The MAG does not claim that the hospitals involved violated HIPAA requirements related to notice of privacy practices and patient consents and authorizations. Rather, the complaint alleges violations by Accretive of the Minnesota Prevention of Consumer Fraud Act and the Minnesota Uniform Deceptive Trade Practices Act, related to the assertion that patients were “not aware of the extent of Accretive’s involvement in their health care or the extent to which it amasses data about them.” 

 

We agree wholeheartedly with Bill’s closing comment, cautioning that regulators not chill legitimate uses of health information data and technology. We also wonder whether, and under what circumstances, patients should be informed of the myriad directions in which their health information might “legitimately” travel, be mined, and/or be analyzed, or whether that additional layer of patient notice will create unnecessary speed bumps in the race toward more affordable, high quality care. 

 

Finally, query whether such notice to a patient about the use of PHI for development of modeling, data mining, risk scores, algorithms, etc., meaningfully adds to the patient’s knowledge and understanding of what is likely to matter most to the patient - the extent, if any, to which such uses may enhance, limit and/or alter his/her personal medical treatment by physicians and other providers.

A New Year's Resolution: Review and Analyze Potentially Applicable State Laws Whenever Examining HIPAA Compliance Issues

The Order of Judge Richard Smoak in a recent Federal District Court case (Opis Management, LLC, et al. v. Dudek, No. 4:11-cv-400/RS-WCS (N.D. Fla., Tallahassee Division)) (the “Opis Order”) reminds us of the attention that must be paid to the interaction and potential conflicts or dual applicability of state law with HIPAA compliance. While the Opis Order dealt with a relatively narrow issue that did not involve a data security breach, as will be hereinafter discussed, its focus highlights the broader concern about conflicts or dual law coverage involving HIPAA and state law.

The Opis Order itself dealt with the concern of plaintiffs that compliance with a Florida law would violate federal law under HIPAA, and compliance with federal law under HIPAA would violate state law. As a result, plaintiffs argued that the Florida law was invalid. More specifically, they argued that

 

Florida law requires nursing homes to “furnish to the spouse, guardian, surrogate, proxy, or attorney in fact . . . of a former resident . . . a copy of that resident’s records which are in the possession of the facility.” Further, the law provides that “copies of such records shall not be considered part of the deceased resident’s estate and may be made available prior to the administration of an estate, upon request, to the spouse, guardian, surrogate, proxy, or attorney in fact.” FLA. STAT. § 400.145 . . . Plaintiffs claim that their non-compliance is excusable because Section 400.145 is preempted by the Health Insurance Portability and Accountability Act of 1996 (“HIPPA”). They seek a declaratory judgment that Section 400.145 is invalid and injunctive relief prohibiting its enforcement. [For whatever reason, the Opis Order uses the definition “HIPPA” rather than the much more widely-used acronym “HIPAA.” Except in quotations taken directly from the Opis Order, this posting will use the more prevalent “HIPAA.”]

 

Under HIPAA, a more stringent state law preempts HIPAA as to a particular matter. HIPAA defines more stringent as meaning “with respect to a use or disclosure, the [state] law prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted.” In granting plaintiffs’ declaratory judgment petition, the Court found that, rather than being more stringent than HIPAA, Florida provision Section 400.145 actually afforded less protection of protected health information (“PHI”) than HIPAA.  The Opis Order concluded as follows:

 

Section 400.145 is preempted because it is contrary to HIPPA. It affords a patient far less protection than the heightened privacy requirements imposed by the federal requirement and is, therefore, not more stringent than HIPPA. For this reason, Section 400.145 “stands as an obstacle to the accomplishment and execution of the full purposes and objectives of [HIPPA].” 45 C.F.R. § 160.202.

 

The Opis Order serves as a case in point of the need to analyze state law whenever considering compliance issues involving HIPAA. However, the Opis Order is only one example of potential conflicts, overlapping or inconsistencies that can exist between HIPAA and state law relative to the same or similar subject matter. A proper analysis requires a comparison of HIPAA and state law definitions of terms, scope of applicability and procedural requirements. Moreover, it must be remembered that, to the extent a HIPAA item is not “contrary to” a state law provision, both HIPAA and state law provisions must be followed. For example, some areas where differences between HIPAA and state law may surface in connection with notification of security breaches include the following:

 

• To what persons does the law apply? HIPAA applies to covered entities and business associates; state law may apply to different persons, e.g., all businesses and/or public entities.

• What type of information is covered? HIPAA applies to PHI, a very broad range of information; state law may apply to more limited information primarily associated with potential identity theft, such as credit card numbers, social security numbers and dates of birth.

• In what medium is the information contained? HIPAA covers PHI in electronic, paper and oral format; state law may only cover one or two of these formats.

• What constitutes a security breach? HIPAA and state law may diverge greatly.

• In what cases, who, how and when must regulatory authorities be notified of a data security breach? HIPAA and state law may have provisions that differ greatly and may conflict with each other, overlap or have dual applicability, while not conflicting.

 

In summary, while HIPAA requires careful compliance in the event of a security breach, state law provisions must also be considered and analyzed as well.

 

Happy New Year and thank you to each of our readers.

Personal Information Data Breaches - Not If, but When?

The widely publicized pre-Christmas breach of confidential data held by Stratfor Global Intelligence Service (“Stratfor”), a company specializing in data security, reminded me that very little (if any) electronic information is truly secure. If Stratfor’s data can be hacked into, and the health information of nearly 5 million military health plan (TRICARE) members maintained by multi-billion dollar Department of Defense contractor Science Applications International Corporation (SAIC) (the subject of a five-part series of blog postings) can be accessed, can we trust that any electronically transmitted or stored information is really safe?  

I had the pleasure of having lunch with my friend Al yesterday, an IT guru who has worked in hospitals for years. Al understands and appreciates the need for privacy and security of information, and has the technological expertise to know where and how data can be hacked into or leaked out. Perhaps not surprisingly, Al does not do his banking on-line, and tries to avoid making on-line credit card purchases. 

 

Al and I discussed the proliferation of the use of iPhones and other mobile technology by physicians and staff in hospitals and other settings, a topic recently discussed in a newsletter published by the American Medical Association. Quick access to a patient’s electronic health record (EHR) is convenient and may even be life-saving in some circumstances, but use of these mobile devices creates additional portals for access to personal information that should be protected and secured. Encryption technology and, perhaps most significantly, use of this technology, barely keeps pace with the exponential rate at which we are creating and/or transmitting data electronically.  

 

On the other hand, trying to reverse the exponential growth of electronic communications and transactions would be futile and probably counter-productive. The horse is out of the gate, and expecting it to stop mid-stride and retreat back with a false-start call is irrational. The horse will race ahead just as surely as my daughter will text and check her Facebook page, my son will recharge his iPad, and I will turn around and head back to my office if I forget my iPhone. We want and need technology, but seem to forget or fail to fully understand the vast, unprotected and ever-expanding universe into which we send information when we use this technology. 

 

If we expect breaches or, at least, question our assumptions that personal information will be protected, perhaps we will get better at discerning how and when we disclose our personal information. An in-person conversation or transaction (for example, when Al goes to his bank in person or when a physician speaks directly to another physician about a patient’s care) is less likely to be accessed and used inappropriately than an electronic one. We can better assess the risks and benefits of communicating information electronically when we appreciate the security frailties inherent in electronic communication and storage. 

 

Perhaps Congress should take the lead in enacting laws that will help protect against data breaches that could compromise “critical infrastructure systems” (as proposed in the “PRECISE Act” introduced by Rep. Daniel E. Lungren (R-CA)), but more comprehensive, potentially expensive, and/or use-impeding cybersecurity laws might have the effect of tripping the racehorse mid-lap rather than controlling its pace or keeping it safely on course.

Where is your data safer - your own server or the cloud?

As physicians and other covered entities evaluate EHR systems, a recurring question is security from intrusion or other breach.  Counterintuitively, a recent blog post at www.softwareadvice.com suggests that the safest place for health data to reside may be "cloud-based" systems.

In the post, entitled HHS Data Tells the True Story of HIPAA Violations in the Cloud, analyst Michael Koploy reviewed the HHS "Wall of Shame" that lists breaches involving 500 or more individuals and broke them down according to causation. He noted that "physical theft and loss accounted for about 63% of the reported breaches. Unauthorized access / disclosure accounted for another 16%, while hacking was only 6%."  Only seven reported violations involved EHR systems, and none of them were off-site, cloud based databases.  The most common breaches involved loss or theft of portable devices or paper records.

It is possible that the emerging cloud-based EHR storage alternative still represents too small a percentage of total health records to account for significant breaches to date. However, based on the incidents reported to HHS, there are many less secure places to store your data.

 

New Turn in the Parade of PHI Breaches: Office of Civil Rights Exacts Heavy Payments From Cignet Health and Massachusetts General Hospital

As reported previously on this blog series, the requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have been bringing direct intervention by attorneys general with respect to enforcement actions regarding such breaches. Last week for the first time, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) exacted heavy financial obligations from (i) Cignet Health and its affiliates (“Cignet”) on February 22, 2011, with a $4.3 million civil monetary penalty assessment  (“CMP”) for violations of the HIPAA Privacy Rule and (ii) the General Hospital Corporation and Massachusetts General Physicians Organization Inc. (collectively, “Mass General” ) on February 24, 2011, for a settlement that includes a payment to the U.S. government of $1,000,000 by Mass General for potential violations of HIPAA.

This is the first time that the OCR has publicized its activities in enforcement actions involving heavy monetary payments. Until now, as reported previously on this blog series, the publicized enforcement activity for monetary recoveries from covered entities under HIPAA/HITECH has been by attorneys general in Connecticut, Indiana and Vermont.

The cases of Cignet and Mass General are efforts by the OCR to demonstrate its seriousness in taking action against violations or alleged violations of HIPAA/HITECH.  In the OCR press release relating to Cignet (the “Cignet Press Release”), Kathleen Sebelius, Secretary of HHS, stated the following:

Ensuring that Americans’ health information privacy is protected is vital to our health care system and a priority of this Administration. The U.S. Department of Health and Human Services is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule.

In the OCR press release relating to Mass General (the “Mass General Press Release”), OCR Director Georgina Verdugo was quoted as follows: “We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information.”

The close proximity of the two OCR actions and press releases is noteworthy. According to the Cignet Press Release, the Cignet case involved 41 patients, while, according to the Mass General Press Release, the Mass General case involved 192 patients. Each of these numbers is far fewer than the threshold of 500 affected individuals for listing on the HHS website (the “HHS List”). Some of the 241 incidents reported on the current HHS List involved hundreds of thousands, or even more than one million, affected individuals. It is clear that OCR felt it necessary to make examples of Cignet and Mass General.

The two cases are very different in that the Cignet Health payment involves a CMP imposed by OCR for violations that the OCR found Cignet to have committed, including, according to the Cignet Press Release, the fact that “. . . Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule.” Therefore, the heavy CMP on Cignet would appear to be based in major part on OCR’s view that Cignet flouted the authority of OCR to investigate alleged HIPAA Privacy violations. 

On the other hand, according to the Mass General Press Release, Mass General settled for a $1,000,000 payment and other compliance actions for “potential violations of the HIPAA Privacy Rule.” It is clear that Mass General, while having an incident that affected almost five times as many individuals as that of Cignet, exhibited a spirit of cooperation with OCR and, therefore, settled for less than one-fourth of the CMP imposed on Cignet and was not found by OCR to have committed a violation.

The juxtaposition of the two cases by OCR shows that cooperation may achieve significant benefits for alleged HIPAA violators, while those who fail to cooperate can be severely punished. The importance of these two cases warrants further discussion in future blog entries.

PHI: What Can a Provider Do to "Insure" Against a Security Breach?

My colleague, Michael Kline, has been regularly reporting on this blog about the parade of Protected Health Information (PHI) privacy and security breaches that are occurring at large, sophisticated hospital systems, such as the Henry Ford Health System in Michigan, and health insurance carriers, such as Wellpoint, Inc. in Indiana.  A recent breach at the Puerto Rico Department of Health involved an estimated 400,000 individuals.  Breaches involving more than 500 individuals, including those referenced in this paragraph, must be reported to the Secretary of Health and Human Services (HHS) and can be accessed at the HHS Web site. 

If state agencies, insurance carriers, and large health care systems are vulnerable to the devastating aftermath of large breaches, how can a smaller covered entity, such as a free-standing specialty hospital or a physician practice group, or a business associate or subcontractor whose business does not revolve around or even frequently involve PHI, effectively limit its vulnerability to the heavy costs of a PHI security breach?

Whether HIPAA/HITECH privacy and security issues are in the forefront of an entity's compliance mindset or are a periodically worrisome background buzz, an entity should investigate measures to protect itself against privacy and security breaches and the ensuing economic costs associated with investigation of the potential breach, notice to affected individuals and, potentially, HHS, damage to reputation, remediation and protection actions, and, possibly, penalties, fines, and other damages asserted by the government or third parties.

I was intrigued to learn recently of a type of relatively new insurance coverage called "Privacy & Computer Security Protection." This coverage may be a good option for those among us who worry that even airtight, well-implemented policies and procedures may not be enough. Whether a breach results from human error (a typical cause for breach) or from organized or individual cyber crime such as hacking and stolen laptops (a less typical, but increasing risk), insurance companies such as Chartis, Beazley, and Hiscox are willing to underwrite certain computer security risks and cover specified losses that may be incurred by an insured from a PHI security breach.

 

According to my friends at Marsh USA Inc. (an insurance broker and an original creator of "cyber" policy forms), subject to the results of an underwriting pre-assessment of risks specifically associated with an entity that is applying for insurance coverage against losses from a PHI security breach, such an entity may pay as little as about $20,000 for $1 million in coverage. Insurance protection might cover claims arising from actual or alleged breaches of duty, neglect, or other acts, errors, or omissions that result in disclosure of PHI or other confidential information; vicarious liability for privacy breaches of an entity's vendor/subcontractor; costs associated with defense of regulatory actions; costs associated with compliance with PHI breach notification requirements, costs associated with public relations/crisis management professionals, etc.

 

The extent of financial risk involved in the HIPAA/HITECH security breach context is daunting. The cost of just setting up and operating a toll-free line for PHI security breaches involving 3,000 individuals is estimated by the federal Office of Civil Rights to be upwards of $8 million (table on page 42764).

 

I plan to review and report back in future blog postings on the current coverage options specifically designed to protect against the costs of HIPAA/HITECH security breaches, gaps that may exist in the currently available coverage and other related matters.

PHI: The Parade of Security Breaches Continues to Lengthen with the Addition of Thomas Jefferson University Hospital

 

The requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have brought to light an increasing volume involving highly respected and sophisticated providers and insurers. It has often encouraged such providers and insurers to go well beyond the minimum legally required responses as a matter of redeeming client relations and public image.

Josh Goldstein wrote in the July 30, 2010 issue of The Philadelphia Inquirer (the “Inquirer”) that a laptop computer with unencrypted PHI on 21,000 patients was stolen from an office at Thomas Jefferson University Hospital (“TJUH”) in Philadelphia on June 14, 2010. According to Mr. Goldstein, “[t]he Jefferson records were for every patient admitted to the hospital from March 9 to June 9 and Aug[ust] 1 to November 1, 2008.” Additionally, the security breach was reported to have resulted from the copying of PHI by one employee onto a personal laptop in violation of TJUH policy.

To provide some support for those affected by the PHI breach, the Goldstein article stated that TJUH has offered a free year of identity monitoring, protection and remediation service (“Identity Protection Service”) to the potential victims. This offer of Identity Protection Service by TJUH is similar to proposals made by numerous other providers and insurers that have experienced PHI security breaches in the past. In expressing deep apology for the PHI mishap, TJUH president Thomas J. Lewis was reported to urge those whose PHI may have been compromised to activate the Identity Protection Service as soon as possible. 

As this blog has reported earlier, the public disclosures required by HIPAA/HITECH for security breaches respecting PHI often make providers and insurers vulnerable to embarrassment, criticism and diminished reputation that may actually overshadow the significant legal costs and statutory consequences of the breaches themselves. 

Additionally, TJUH and others that experience PHI breaches are required to report to, and are listed on, a permanent database which is readily accessible online and is operated by the federal Department of Health and Human Services. 

A final intangible but significant concern is that, as was the case in the Goldstein article, other providers in the same geographic region or areas of practice which suffered security breaches of PHI previously will see their past calamities revived as background and comparison for each new reported event. The effect may be repeated publishing of a single past PHI security breach.

To this end, providers and insurers must heighten their efforts to avoid PHI security breaches in the first place. It is clear, however, that even with the policies, procedures and precautions instituted by highly respected institutions such as TJUH, the parade of PHI security breaches will continue to lengthen.  If such breaches do occur, prompt, decisive and proactive action such as that undertaken by TJUH is required to maximize damage control and rehabilitate relations with clients and the public.

California Hospitals Fined for Employees' Unauthorized Access of Patient Records

The more famous the patient, the greater the temptation to peek at his or her medical records. This is why California enacted health privacy legislation in 2008. Among the latest providers to be fined by the state is Ronald Reagan UCLA Medical Center in Los Angeles,  reportedly as a result of two employees’ unauthorized access of Michael Jackson’s medical records. The LA Times indicates that the employees who accessed the records have been fired.  State regulators would not confirm that the records were Jackson’s, but the Times cites sources close to Jackson’s case who said his legal team had previously been informed by UCLA officials that Jackson's medical files had been improperly accessed shortly after his death last year.

 

California’s state privacy laws, SB 541 and AB 211, which parallel HIPAA in many respects, established the California Office of Health Information Integrity which is authorized to enforce health privacy rules and impose fines on violators.  Fines range from $25,000 to $250,000 per violation.

 

Well-known persons whose records have been improperly viewed in California include Farrah Fawcett, Britney Spears, “Octomom” Nadya Suleman, and Maria Shriver, wife of Governor Arnold Schwarzenegger.

 

In a related item, the Riverside, CA Press-Enterprise reports that Community Hospital of San Bernardino has been fined $325,000 as a result of unauthorized access of over 200 patient records by a radiology technologist in 2009. Other hospitals fined include Enloe Medical Center, Rideout Memorial Hospital and San Joaquin Community Hospital, according to the California Department of Public Health.

 

A UCLA hospital employee was sentenced to the first reported prison term for unauthorized access of medical records earlier this year.

HHS Releases Excellent Compendium of Privacy and Security Resources

The Secretary of Health and Human Services (HHS) released today a compendium of reports on state law, business practices, and policy variations to assist health information exchange efforts.  I reviewed some of the documents linked through HHS's e-mail and find it extremely helpful that the government is aggregating resources on its website to be used by all in their HIE and RHIO efforts.  The links and summaries of each such report provided through HHS' s e-mail are reprinted here below:

  • Report on State Medical Record Access Laws – This report analyzes state laws that are intended to require health care providers (specifically, medical doctors and hospitals) to afford individuals access to their own health information and to identify potential barriers to the electronic exchange of health information.  Specific state law provisions examined: scope of medical records to which patients are afforded access, format of information furnished, deadlines for responding to requests, fees for furnishing copies, record retention laws and access to records of minors.

  • Report on State Law Requirements for Patient Permission to Disclose Health Information – In Phase I of the HISPC project a majority of participants reported significant variation in the business practices and policies surrounding the need for and process of obtaining patient permission to use and disclose personal health information for a variety of purposes, including for treatment. This report furthers the initial work of this project by collating and analyzing state laws that govern the disclosure of identifiable health information for treatment purposes to identify commonalities and differences.

  • Releasing Clinical Laboratory Test Results: Report on Survey of State Laws – For this report, state statutes and regulations were analyzed to determine to whom clinical laboratories may release test results. This report focused on clinical laboratory and hospital licensing laws (that contain standards for hospital laboratories). It also examined general state medical record access laws to determine whether they provided an avenue for patients to access their clinical laboratory results directly.  

  • Report on State Prescribing Laws: Implications for e-Prescribing – This report identifies and analyzes the impact and variation of state laws related to e-prescribing.  The report addresses state laws related to the e-prescribing of controlled and non-controlled substances as well as topics such as record keeping and content requirements, out-of-state prescriptions, and generic substitution laws.

  • Perspectives on Patient Matching: Approaches, Findings, and Challenges – This report analyzes various approaches to matching patients to their health information in the context of electronic health information exchange.  Current and potential methods for matching patients to their health records are discussed, challenges to performing patient matching such as scalability and ease of use are analyzed, and the types of information some HIOs use to match patients to their health records are described.

Does Oklahoma's New Abortion Law Violate HIPAA?

On November 1, 2009, the "Statistical Reporting of Abortion Law" was scheduled to go into effect in Oklahoma. A temporary restraining order issued on October 20, 2009, however, has blocked enforcement of the law until at least December 4, 2009.* (Davis v. Edmondson, Okla. Dist. Ct. No. CJ-2009-9154). The Statistical Reporting of Abortion Law is just one aspect of a broad and controversial abortion law, which also bans abortions on the basis of "sex of the unborn child." The Statistical Reporting of Abortion Law requires doctors to obtain detailed information from patients seeking abortions that will then be posted publicly through the Oklahoma Department of Health's web site. Some of the required information includes:

  • Date of abortion
  • County in which abortion performed
  • Age of mother
  • Marital status of mother (married, divorced, separated, widowed, or never married)
  • Race of mother
  • Years of education of mother (specify highest year completed)
  • State or foreign country of residence of mother
  • Total number of previous pregnancies of the mother
  • Total number of live births, miscarriages, induced abortions
  • Whether the woman is employed by the State of Oklahoma

The ostensible purpose of the Statistical Reporting of Abortion Law is to collect data about abortions to inform lawmakers about abortion practices in the State. The Davis lawsuit alleges the law violates Oklahoma's constitution (for reasons unrelated to privacy concerns), but others have expressed concerns that the law violates the spirit, and perhaps the actual provisions, of HIPAA. Some commentators have noted that the information could be used to identify women who have obtained abortions, particularly when they live in small towns. Under HIPAA, protected health information ("PHI") that has been "de-identified" (that is, stripped of the details that would identify the patient, such as name, street address, city, county, dates other than the year, etc.) may be used or disclosed without restriction, including for research. However, HIPAA also requires that the disclosing entity have no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify an individual. Opponents of the law's reporting provisions believe that under certain circumstances women can be identified based on the information requested, resulting in a violation of HIPAA. More to come as the lawsuit continues.
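The re-identification concern can be made concrete. The following Go program is an added illustration and is not part of the original post, the Oklahoma statute or any HHS material; the records in it are constructed, not real reports. It computes the size of the smallest group of reports that share the same combination of published fields (the "quasi-identifiers": full date, county, age, marital status, race, education and residence). When that size is 1, a neighbour who already knows a woman's county, age and race can pick her report out of the published table; the small-county records in the sample are exactly that case. The program then shows the same data after the coarsening (year only, no county, no exact age) that would be needed before every record shares its values with at least two others.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Report holds the fields the Oklahoma law would publish for each procedure
// (a constructed subset of the list above, not real data).
type Report struct {
	Date      string // full date of the procedure, YYYY-MM-DD
	County    string
	Age       int
	Marital   string
	Race      string
	Education int    // highest year completed
	Residence string // state of residence
}

// SampleReports is constructed sample data: two large-county groups whose
// members are indistinguishable from one another, and two single reports
// from small counties.
var SampleReports = []Report{
	{"2009-11-03", "Oklahoma", 24, "never married", "white", 14, "OK"},
	{"2009-11-03", "Oklahoma", 24, "never married", "white", 14, "OK"},
	{"2009-11-04", "Oklahoma", 31, "married", "black", 16, "OK"},
	{"2009-11-04", "Oklahoma", 31, "married", "black", 16, "OK"},
	{"2009-11-05", "Harmon", 19, "never married", "white", 12, "OK"},
	{"2009-11-06", "Cimarron", 42, "divorced", "black", 12, "OK"},
}

// QuasiID maps a report to the combination of attributes an outsider could
// plausibly already know about a particular woman.
type QuasiID func(Report) string

// FullQuasiID uses every published field, as the law would release them.
func FullQuasiID(r Report) string {
	return strings.Join([]string{
		r.Date, r.County, fmt.Sprint(r.Age), r.Marital, r.Race,
		fmt.Sprint(r.Education), r.Residence,
	}, "|")
}

// GeneralizedQuasiID keeps only the year of the date and drops county, exact
// age, marital status and education. This is the kind of coarsening needed
// before the small-county records stop being unique.
func GeneralizedQuasiID(r Report) string {
	year := r.Date
	if len(year) >= 4 {
		year = year[:4]
	}
	return strings.Join([]string{year, r.Race, r.Residence}, "|")
}

// ClassSizes counts how many reports share each quasi-identifier value.
func ClassSizes(reports []Report, key QuasiID) map[string]int {
	sizes := make(map[string]int)
	for _, r := range reports {
		sizes[key(r)]++
	}
	return sizes
}

// MinK is the k-anonymity of the release: the size of the smallest group of
// reports with identical quasi-identifiers. k == 1 means at least one woman
// is uniquely described by the published data. Returns 0 for no reports.
func MinK(reports []Report, key QuasiID) int {
	min := 0
	for _, n := range ClassSizes(reports, key) {
		if min == 0 || n < min {
			min = n
		}
	}
	return min
}

// UniqueRecords lists, sorted, the quasi-identifier values that occur only once.
func UniqueRecords(reports []Report, key QuasiID) []string {
	var out []string
	for k, n := range ClassSizes(reports, key) {
		if n == 1 {
			out = append(out, k)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	fmt.Println("k with all published fields:", MinK(SampleReports, FullQuasiID))
	for _, u := range UniqueRecords(SampleReports, FullQuasiID) {
		fmt.Println("  uniquely identifiable:", u)
	}
	fmt.Println("k after generalization:", MinK(SampleReports, GeneralizedQuasiID))
}
```

Two of the law's fields, the full date of the procedure and the county, are themselves among the identifiers that HIPAA's safe-harbor de-identification method requires removing (dates other than the year, and geographic subdivisions smaller than a state), which is why the generalized key above keeps neither.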

* Correction: An earlier version of the blog post stated that the law went into effect on November 1, 2009.

Dare to Take-a-Peek? Think Again.

I have said it before, and I will say it again -- employees must come to understand and truly appreciate the huge risks involved and penalties at stake with "taking a peek" at a patient's medical record for no legitimate purpose.

This past Monday, a physician and two former employees at St. Vincent Infirmary Medical Center in Little Rock, Arkansas, pleaded guilty to misdemeanor federal charges that they inappropriately accessed the medical records of local television anchor, Anne Pressly, who was killed back in 2008.   A News Release issued by the U.S. Attorney for the Eastern District of Arkansas states that all three of the accused entered guilty pleas on July 20, 2009 acknowledging they violated the privacy provisions of HIPAA. 

The News Release indicates that the charged physician admitted that after watching a news report regarding Ms. Pressly being slain and taken to St. Vincent's, where he was on-staff, he logged on from home and accessed the hospital’s records system to "determine if the news reports were accurate."   One of the other charged employees, a former account representative at the hospital, admitted that she accessed Ms. Pressly's file about 12 times "out of curiosity". The third employee charged, an emergency room secretary, admitted that she "became curious about the patient's [Ms. Pressly's] status and accessed the medical chart to find out if the patient was still living."  The secretary did not inform anyone about her accessing the chart, but hospital records showed that the patient's records were accessed 3 times that day by the emergency room secretary.  The hospital fired the account representative and the emergency room secretary, and suspended the physician for 2 weeks with required HIPAA re-training.

A sentencing date has not yet been set, but is expected within the next 45-60 days.  Each of the charged individuals faces a maximum penalty of one year in prison, a fine of up to $50,000, or both!    In addition, towards the end of the News Release, the local U.S. Attorney  prosecuting the case included this warning to the health care industry:

"The HIPAA privacy protections are real, and we hope that through vigorous enforcement of HIPAA's right-to-privacy protections and swift prosecution of those who violate HIPAA, we can deter those in the medical industry who have access to protected health information from searching others' medical records merely to satisfy their own curiosity..."

Does anyone dare to take a peek after that warning?   

Securing Protected Health Information (PHI)

[Installment 4 - Governance Considerations from HIT for the Board and Other Hospital Stakeholders].  This is the fourth in a series of blog posts that relate to the governance concerns surrounding developments in HIPAA, HITECH and HIT.

Over the next several months, my blog entries will continue to discuss some of the threshold issues that face the manifold stakeholders in the hospital industry as they struggle to cope with the new and somewhat uneven landscape of health information technology (“HIT”) and protected health information (“PHI”). A major focus will be Boards and their responsibilities to their hospitals and other stakeholders with respect to HIT.

Securing PHI

One of the issues facing Boards is the relatively risky and murky area of “securing” PHI under the HITECH Act. The HITECH Act directed the U.S. Department of Health and Human Services (“DHHS”) and the Federal Trade Commission (“FTC”) to issue regulations further detailing the required security breach notifications. Both agencies have proposed such regulations and are seeking public comment. Final regulations are to be issued by August 17, 2009, as required by the HITECH Act.

DHHS has issued guidance on which technologies and methodologies can be used by hospitals to “secure” PHI. The outlined technologies render PHI unusable, unreadable or indecipherable to unauthorized individuals. A breach of secured PHI does not trigger the HITECH security breach notification requirements. Following the guidance from DHHS therefore creates a safe harbor from those notification requirements for hospitals and other providers; it does not, by itself, satisfy the rest of HIPAA/HITECH compliance.

Encryption and Destruction of PHI under DHHS Guidelines

DHHS identifies two methods for rendering PHI “secured”: encryption and destruction. Encryption is the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning to the data unless an individual uses a certain process or has a key. The DHHS guidance states that the valid encryption processes are those consistent with National Institute of Standards and Technology (NIST) standards for encryption. In practice the safe harbor turns on the key: PHI on a stolen laptop is “secured” only if the decryption key was not stored on that same laptop. NIST has published a Guide to Storage Encryption Technologies for End User Devices. It is available at http://www.nist.gov/index.html.
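As an added example of what "encryption consistent with NIST standards" looks like in code (this program is an illustration written for this post and is not taken from the DHHS guidance, the NIST guide or any hospital system), the Go program below encrypts a PHI record at rest with AES-256 in GCM mode, the NIST-specified authenticated mode from SP 800-38D. The record text and the function names are constructed for the example. Each stored blob carries its own random nonce, and any alteration of the stored bytes, or use of the wrong key, makes decryption fail rather than return garbage. The key itself must live somewhere other than the device holding the data, or the safe harbor is lost.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key from the OS random source.
// The key must be stored apart from the encrypted PHI (for example in a
// hardware token, a key-management service or an OS-protected key store);
// a key kept on the same laptop as the data defeats the purpose.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptPHI seals a record with AES-256-GCM. The returned blob is
// nonce || ciphertext || authentication tag, so it is self-describing.
func EncryptPHI(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; reusing a nonce under the same key
	// breaks GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptPHI opens a blob produced by EncryptPHI. It returns an error, and
// no plaintext at all, if the blob was modified or the key is wrong.
func DecryptPHI(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record, not real patient data.
	record := []byte("MRN 000123; Doe, Jane; DOB 1970-01-01; Dx E11.9")
	blob, err := EncryptPHI(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d plaintext bytes stored as %d opaque bytes\n", len(record), len(blob))
}
```

A stolen disk holding only such blobs is "secured" in the DHHS sense provided the key was never on it; an attacker who obtains both has the PHI, and the theft is then an ordinary reportable breach.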

The second method, destruction, will also secure information found in paper or electronic format. The paper or other hard copy media must be shredded or destroyed in a manner that the PHI cannot be read or otherwise reconstructed. Electronic media is to be cleared, purged or destroyed. Destruction should also be performed consistent with NIST standards. NIST has published Guidelines for Media Sanitization. It is available at http://www.nist.gov/index.html.
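For the electronic side of destruction, the Go program below is an added illustration of the NIST "clear" operation (overwriting the logical contents before the file is unlinked); it is not code from the NIST guidelines, DHHS or any hospital, and the file contents used to exercise it are constructed. The caveat in the comments matters more than the code: on flash and SSD media, and on journaling or snapshotting file systems, the blocks overwritten may not be the blocks that held the PHI, so for those devices the NIST "purge" level (a device secure-erase command, or cryptographic erase of a volume that was encrypted from the start) or physical destruction is what the guidelines call for.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
)

// OverwriteFile replaces the contents of path in place with random bytes,
// `passes` times, flushing to the device after each pass. This corresponds to
// the NIST "clear" level for magnetic media: the data can no longer be read
// through ordinary file-system access.
//
// Caveat: wear levelling on flash/SSD media, and journaling or copy-on-write
// file systems, may leave the original blocks untouched. For those, NIST
// "purge" (a device secure-erase command, or destroying the key of an
// encrypted volume) or physical destruction is required; an overwrite alone
// does not secure the PHI.
func OverwriteFile(path string, passes int) error {
	if passes < 1 {
		return errors.New("passes must be at least 1")
	}
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return err
	}
	size := info.Size()
	for p := 0; p < passes; p++ {
		if _, err := f.Seek(0, io.SeekStart); err != nil {
			return err
		}
		// Stream random bytes over the whole file so large files are not
		// loaded into memory.
		if _, err := io.CopyN(f, rand.Reader, size); err != nil {
			return err
		}
		if err := f.Sync(); err != nil {
			return err
		}
	}
	return nil
}

// ClearFile overwrites the file and then unlinks it. Unlinking without the
// overwrite only removes the directory entry; the PHI would remain on disk.
func ClearFile(path string, passes int) error {
	if err := OverwriteFile(path, passes); err != nil {
		return err
	}
	return os.Remove(path)
}

func main() {
	// Constructed sample file, not real patient data.
	f, err := os.CreateTemp("", "phi-export-")
	if err != nil {
		panic(err)
	}
	f.WriteString("MRN 000123; Doe, Jane; DOB 1970-01-01")
	f.Close()
	if err := ClearFile(f.Name(), 1); err != nil {
		panic(err)
	}
	fmt.Println("cleared and removed", f.Name())
}
```

Destruction of this kind should be logged (what was destroyed, by whom, when and by which method), since the record of sanitization is what a Board will later rely on to show that a decommissioned device carried no unsecured PHI.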

Board Oversight Obligations to Secure PHI

In satisfying DHHS requirements for “securing” PHI, Boards must establish appropriate and effective safeguards and security measures so that the risk of failure to comply with encryption and destruction policies is minimized. The use of improper, careless or noncompliant techniques for encrypting or destroying PHI by a hospital carries with it a high risk of damage control expense, penalties for noncompliance, devastatingly adverse publicity and the potential for widespread liability to victims whose PHI has been compromised.

Boards of healthcare providers must devote sufficient resources that are supervised by competent personnel at a sufficiently high level in the corporate organization to secure PHI. The resources invested up front for orderly risk management are well worth the avoidance of the costs of damage control. Monitoring and feedback to the Board on the effectiveness of the efforts are a necessary follow-up.

When the final regulations on securing PHI are issued by DHHS and the FTC, this blog will address some of their principal points.

[To be continued in Installment 5]
 

Twitter and Patient Privacy Rights

[Installment 2 - Governance Considerations from HIT for the Board and Other Hospital Stakeholders]

This is the second in a series of blog posts that relate to the governance concerns surrounding HIPAA, HITECH and HIT.  It is, however, not the second posting that I had originally planned. A front-page article on May 25, 2009 in the New York Times by Pam Belluck, entitled “Hospitals Using Internet to Interact with Public,” prompted me to write on this topic as part of the series.

In her article Ms. Belluck states, "Faced with economic pressures and patients with abundant choices, hospitals are using unconventional, even audacious, ways of connecting directly with the public." She then reports that hospitals are using Twitter and transmissions from the operating room to communicate with the public on surgical results, and YouTube to actually show surgery.  

Ms. Belluck sees this as a controversial approach to publicizing new procedures, competing for and attracting patients, and stimulating contributions. In this day and age of increasing regulatory activity and heavy penalties for violations of HIPAA and state healthcare privacy and security rules, the Twitter practices should be subjected to careful scrutiny at the highest level by the governing bodies of hospitals.   The hospital's image, its own sense of what are proper and acceptable marketing practices, and its publicity policies can all be undermined by the uncontrolled actions of individuals, and unwarranted communications carry the risk of legal or ethical violations.  The notion that the results of a complex surgical procedure can be meaningfully compressed into a rapid-fire, 140-character disclosure to the world is somewhat perplexing.

The practice of using Twitter from the operating room to report on results is very risky and has serious implications for patient privacy. It may be a violation of existing laws or the general right of an individual to privacy.  It is always possible or even likely that the identity of a patient may become public, directly or indirectly, especially if the Twitter communication relates to a novel procedure. It is one thing to have a patient knowingly participate in publicity on YouTube and quite another to have someone send a Twitter message from the operating room while the patient is still recovering from anesthesia.

It is of equal concern that there is no control over the Twitter communications from the operating room. Anyone could make the transmission, which can be premature, totally erroneous and/or misleading.  It is a circumstance in some ways similar to the situation that judges are confronting from jurors who are sending Twitter or e-mail messages on the proceedings from the courtrooms of widely-publicized cases while the trial or jury deliberations are going on. Some judges are even prohibiting all electronic devices from being brought into the courtroom or jury deliberation room. In the case of the operating room there is the additional factor of the possibility that electronic transmissions from Twitter or e-mails may adversely affect or interfere with the normal operation of surrounding medical equipment.

The matter goes further. Will there be additional communications from the Tweeter or the hospital if the patient later develops complications or even dies? If the next patient who undergoes the same procedure does not fare well, will that be communicated through Twitter or other means to avoid misleading the public? How will the hospital control Twitter activity if it chooses to endeavor to do so? 

These questions and others should be properly considered at a high level in the hospital, with board oversight, in order to avoid or mitigate liability, maintain the hospital's reputation for candor and transparency, and avoid the adverse publicity of regulatory violations and penalties.  The board should likely require that the hospital's code of ethics address in greater detail how and when, if at all, electronic communications relating to patient procedures are communicated to the public, and the nature of the patient consent that will be required.

Putting ARRA Money in the HIPAA/HITECH Enforcement Mouth

In accordance with the 90-day deadline established for submitting to Congress an operating plan for expenditures related to the $2 billion appropriated under the American Recovery and Reinvestment Act ("ARRA") for health information technology ("HIT"), the Office of the National Coordinator ("ONC") has submitted its proposed ARRA Implementation Plan to Congress. The Plan's proposed Funding Table is as follows:

Total Appropriated (Dollars in Millions)

  Privacy and Security*                                    $    24.285
  National Institute of Standards and Technology (NIST)         20.000
  Regional HIT Exchange                                        300.000
  Unspecified                                                1,655.715
  Total towards HIT                                        $ 2,000.000

* Includes $9.5 million for audits by OCR and CMS.

Of particular interest to many should be the Privacy and Security Spend Plan section.  It specifies that over $24 million of the federal dollars made available through ARRA would be spent on activities such as enhancing enforcement. More specifically, the Plan indicates that the ARRA funding "will enable the Centers for Medicare and Medicaid Services (CMS) and the Office for Civil Rights (OCR) to carry out mandated audits, make modifications in their case and document management systems, and train State Attorneys General on their new enforcement role."   The Plan even aims to have State Attorneys General trained and ready to enforce HIPAA and HITECH by the end of the third quarter of 2009, or around September 2009!  If completed according to schedule, the federal government could have a bastion of new HIPAA/HITECH enforcement soldiers on the ground and ready when the interim final regulations implementing breach notification for covered entities and business associates are released on August 18, 2009. 

For a copy of the entire Plan, visit HHS' Recovery Website.

HIPAA Reminder Notice Due April 14th for Large Health Plans

The recent changes to HIPAA brought about by the American Recovery and Reinvestment Act (ARRA) and its Health Information Technology for Economic and Clinical Health (HITECH) Act have received a lot of attention lately.  In the meantime, however, an "old" HIPAA notice obligation has crept up, and must be complied with by April 14th!

Under the HIPAA Privacy Rule, covered entity health plans are required "no less frequently than once every three years . . . [to] notify individuals then covered by the plan of the availability of the [health plan's Notice of Privacy Practices] and how to obtain the notice."  See 45 CFR 164.520(c)(1)(ii).  For "large" health plans with an original compliance deadline of April 14, 2003, this 3-year "Reminder Notice" must be released by April 14, 2009. 

A "large" health plan is one that has five million or more in annual gross receipts or claims paid.  Although health insurers (e.g., HMOs, PPOs etc) will generally make up the majority of "large" health plans, employers that sponsor health plans that meet the 5 million dollar threshold will need to comply.

The Reminder Notice does not require large health plans to redistribute their Notice of Privacy Practices, although this is one way the requirement can be satisfied.  The requirement can also be met by mailing a separate "Reminder Notice" stating only that the plan's Notice of Privacy Practices is "available" and how a copy can be obtained.  Such a reminder can also be included in a health plan-produced newsletter or other plan-produced publication.  The government has posted a FAQ regarding the reminder notice requirement which may offer additional guidance. 

Massachusetts Hospital Rescues "Orphan" Medical Records

The abandoned records of an Acton, Massachusetts physician who abruptly closed his office have been saved from the shredder by the last-minute intervention of a local hospital, highlighting a potential gap in state law that may leave patients unprotected in similar situations. 

According to the Boston Globe, Dr. Ronald Moody’s landlord evicted him from his office in September for nonpayment of rent and hired a moving and storage company to clean out its contents, including hundreds of patient charts. The moving and storage company kept the records for six months as required by law, then asked the state medical board to take custody of them after failing to find Dr. Moody. The board responded that it had no authority or budget to move, store or distribute the records, and neither the board nor the moving and storage company was able to take on the burden of locating and contacting the patients. Fortunately, a local hospital stepped in days before the records were scheduled to be destroyed. Concord’s Emerson Hospital, after consultation with the medical board, agreed to seek a court order to take possession of the records.

This incident reveals a flaw in the typical state regulatory approach to medicine and medical records. The medical board had been seeking sanctions against Dr. Moody for continuing to practice after his license had expired in 2007. Dr. Moody was required to maintain records as a condition of his license, but once he let it lapse, there was little the board could do. Like many states, Massachusetts had no statutory provisions for handling abandoned medical records.

In Pennsylvania, a similar situation occurred when a chain of imaging centers, MAIN Medical, suddenly closed in 2005. The state Attorney General’s office took over responsibility for storing the films and records and releasing them to patients.

As economic distress continues to affect healthcare providers, it is likely that this situation may play out again in other states. 

CDT Releases HITECH - HIPAA Guidance

The Center for Democracy and Technology ("CDT") has released a great guidance document that compares the requirements under the newly-enacted HITECH Act against HIPAA, and highlights specific changes resulting from this new legislation. The CDT guidance document also identifies key compliance deadline dates that all covered entities, business associates and other entities that handle personal health records should note on their calendars.  You can review the CDT's "Summary of Health Privacy Provisions in the 2009 Economic Stimulus Legislation," as updated March 24, 2009, by clicking here.   

The CDT is a 501(c)(3) non-profit public policy organization that is funded through various private donors, which are listed on the CDT's web page for 2008 and 2007.  

HITECH Act Signed Into Law - High Hopes Follow

Today, President Obama signed the Health Information Technology for Economic and Clinical Health Act (known as the "HITECH Act") into law. The final version of HITECH Act is posted on the Library of Congress' THOMAS website. The HITECH Act addresses various aspects relating to the use of health information technology ("H.I.T."), including providing for federal funding by way of grants and incentive payments in order to promote H.I.T. implementation.  In addition, Subtitle D of the HITECH Act includes new and far-reaching provisions concerning the privacy and security of health information that will directly affect more entities, businesses and individuals than ever before.

Some of the changes this new law has made to privacy and security include:

  • Security Breach Notification - Covered entities, business associates and others are now affirmatively required to notify individuals and others of breaches of unsecured protected health information.
  • Accounting of Disclosures with EHR Use - Covered entities using and disclosing PHI through an EHR are required to provide individuals with an accounting, when requested, for the prior three years. Uses and disclosures of PHI through EHRs include treatment, payment and health care operations.
  • Access Rights to Electronic Format - The HIPAA Privacy Rule is amended to give individuals the right to obtain access to their PHI in electronic format, if requested.
  • Health Care Operations - The definition of "health care operations" will be reviewed by the Secretary of DHHS by August 17, 2010 and narrowed or clarified.
  • Marketing - is restricted further.
  • Sale of PHI - Covered entities and business associates are prohibited from directly or indirectly receiving any remuneration in exchange for any PHI of an individual unless a valid authorization is obtained from the individual, except in a very limited number of circumstances.

What should affected entities do?

  • Update Notice of Privacy Practices to reflect changes in privacy and security policies
  • Update HIPAA privacy and security policies accordingly
  • Develop a detailed Breach Notification Policy that complies with HITECH and any state law counterpart to the new federal breach notification provisions
  • Expand business associate lists to include vendors and others
  • Update Business Associate Agreements to include expanded new requirements

OCR Revamps Privacy Website

The Department of Health and Human Services, Office for Civil Rights has posted its new Web site, and reports that the health information privacy pages have been "extensively revised to improve organization and ease of use for consumers, covered entities and others seeking reliable advice on the HIPAA Privacy Rule and the Patient Safety Rule."  

I took some time to peruse the new website, and personally I think that it is a vast improvement over its predecessor. Guidance on privacy can now be accessed under such categories as:

Will Federal Privacy Requirements Be Getting More Stringent?

The Center for Democracy and Technology ("CDT") released a major policy paper today that is intended to move the health privacy debate to consider more effective privacy protection of patient information. The CDT is advocating for the inclusion of privacy protections in the President's economic stimulus bill, which contains at least $20 billion for a national health information technology network. CDT's paper indicates in its Press Release that "personal health information should easily flow for treatment, payment, and certain core administrative tasks without requiring patient consent, but that stricter limits need to be placed on marketing and other secondary uses."
The CDT paper is just one among a growing number of signs that a tightening of HIPAA's original Privacy Rule requirements may be coming. If it happens, covered entities may need to modify their procedures for obtaining written authorizations for disclosures, and new entities, such as business associates and other third parties previously not directly subject to HIPAA, could potentially get swept in under the direct-compliance umbrella.
 

Feds Post New Guidance Document

The Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has published a new HIPAA Privacy Rule guidance as part of its "Privacy and Security Toolkit" (the "Toolkit") developed in connection with "The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information" (the "HIE Framework").  The new HIPAA guidance is available on the OCR Privacy Rule web site.

The federal government developed the HIE Framework and Toolkit in order to establish privacy and security principles for health care stakeholders engaged in electronic health information exchange ("e-HIE").  The documents also include tools to help implement these principles. Among other things, the new HIPAA Privacy Rule guidance document discusses how the Privacy Rule supports and can facilitate e-HIE in a networked environment.  In addition, the documents address electronic access by patients to their own PHI, and how the Privacy Rule applies to and supports the use of Personal Health Records.

National Emergencies and HIPAA

Today, OCR posted a new response to the FAQ "Is the HIPAA Privacy Rule suspended during a national or public health emergency?"  The federal government's answer? . . . NO!   The FAQ response states that the Secretary of HHS may, however, waive certain provisions of the Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.  Therefore, if the President declares an emergency or disaster and the Secretary declares a public health emergency, the Secretary could waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule.   Personally, I think that the government's FAQ could spark further confusion.

Regardless of the activation of an emergency waiver, I think that it's most important to note that the HIPAA Privacy Rule would not prevent disclosures during a national emergency to: 

  • provide treatment (45 CFR 164.506(c)); 
  • avert a serious threat to health or safety (45 CFR 164.512(j)); and
  • disaster relief organizations (45 CFR 164.510(b)(4)). 

So, for instance, a covered entity could share patient information with the American Red Cross to notify family members of the patient's location.  In the end, good judgment should always prevail when the health or safety of an individual is at stake.  For helpful information on how to handle health information issues during a national emergency, visit Katrina.

Help Me Understand HIPAA!

It's been years since HIPAA became a household term.  Yet, there continues to be a significant amount of confusion about when it applies, what types of uses and disclosures of PHI are  permitted, and if individuals can sue someone for a HIPAA violation.  

The Office for Civil Rights recently published separate guides, one for health care providers and one for patients, to help clarify misunderstandings about when PHI can be released to family and friends involved in a patient's medical care.  Even though HIPAA requires health care providers to protect patient privacy, providers are permitted, in most circumstances, to communicate with the patient’s family, friends, or others involved in their care or payment for care. The provider guidance document is intended to clarify these HIPAA requirements so that health care providers do not unnecessarily withhold a patient’s health information from these persons. The guide also includes common questions and a table that summarizes the relevant requirements. 

There are other helpful resources posted on the government's website to help patients and providers understand HIPAA.  Below is a sample of links that aim to dispel certain misunderstandings about HIPAA:

By far, the most frequent question that I receive from individuals is "can I sue for a HIPAA violation?"  There appears, in my experience, to still be significant confusion regarding the fact that HIPAA does not provide for a private right of action. What this means is that an individual cannot sustain a lawsuit against another person or entity based solely on HIPAA, even if such individual believes his or her PHI has been disclosed in violation of HIPAA.  In such situations, HIPAA provides for a mechanism where the individuals can file a complaint with the federal government.  Individuals can also consult with an attorney to determine if other federal laws or their State's laws may provide for any remedy.

Best Practices for HealthVault and Google Health

At the end of June, Investor's Business Daily reported that Google, Microsoft, Aetna, Blue Cross and 27 other private organizations "agreed on ground rules for protecting the privacy of the sensitive information" contained in personal health records (PHRs). The report indicated that the group has been working together for the past 18 months, and on Wednesday, June 26th, released the "hundreds of pages long" framework, which "starts with the idea that the information in a PHR is the user's to control -- and spells out how to guard it." 

The "best practices" agreed upon by this private workgroup are posted online.  Among them is a policy that audit trails should be kept so that consumers can see who is looking at their records.  In addition, the workgroup recommended that insurers, employers, and others be prohibited from seeing the information without the individual's prior authorization.  

Opponents of these models have focused on the point that PHR repositories, like the ones being offered by Google and Microsoft, are not subject to HIPAA.  However, I think that developing and releasing the report containing privacy and security "best practices" is a step in the right direction, and it may reassure healthcare consumers that information maintained in such online filing cabinets will be kept as confidential and secure as when it is maintained by entities subject to federal privacy laws like HIPAA.

"But, I Never Had My Kidney Removed . . . ."

ONC's Coordinator, Dr. Robert Kolodner, has noted that medical identity theft stories are being documented at an increasing rate, bringing to light serious financial, fraud, and patient care issues, and that it is imperative to obtain a more comprehensive understanding of this issue from a variety of perspectives.  The government explains on its HIT Privacy & Security webpage that:

 "Medical identity theft is a specific type of identity theft which occurs when a person uses someone else's personal health identifiable information, such as insurance information, Social Security Number, health care file, or medical records, without the individual's knowledge or consent to obtain medical goods or services, or to submit false claims for medical services . . . [and that] there is limited information available about the scope, depth, and breadth of medical identity theft."

Last month, ONC awarded a contract to Booz Allen Hamilton to assess and evaluate the scope of the medical identity theft problem in the U.S.  The HIT webpage lays out the 3 phases of this assessment and evaluation, which can be summarized as follows:

  • Phase 1 - An "Environmental Scan" of the medical identity theft problem in the U.S. will be completed, focusing particularly on the intersection with health information technology;
  • Phase 2 - A one-day Town Hall meeting will be held to enable health care experts to share knowledge and experience of medical identity theft and how health IT can be utilized to prevent and detect it; and
  • Phase 3 - A final report and road map will be released in Winter 2008-2009 that will set forth possible next steps for the federal government and other stakeholders in order to work toward prevention, detection, and remediation of medical identity theft.

To read an article that I co-authored on Medical Identity Theft, see HFMA's NJ FOCUS Magazine March/April 2008 edition.   Also, Health Data Management has an interesting and useful white paper on "Securing Critical Healthcare Data from Internal Theft and Loss" that is worth checking out.  

 

HIPAA NPI May 23rd Deadline May Spike Denial of Claims

May 23 is the compliance date for the National Provider Identifier (NPI) to be used exclusively for electronic health care claims under HIPAA.  Providers who do not use their assigned NPI after this date may find health insurers starting to reject and return electronic claims.  Although millions of NPI numbers have been issued, it is unclear how many providers are in compliance.  As a result, the next several weeks to months are likely to be bumpy as providers begin to find that claims they believe are compliant are rejected.  Some commentators have predicted that if the industry experiences severe problems starting over the Memorial Day weekend, CMS might relax the deadline.  Health Data Management noted, however, that providers that get too many claim rejections may resubmit the claims on paper. That will enable providers to get paid, but will slow the process considerably and adversely affect cash flow.

Educating the Educators on Privacy Laws

Last October, the United States Department of Education released a policy guidance document to help educators and parents interpret federal privacy laws, in an initiative prompted by the mass shooting at Virginia Tech.  The document was created in response to schools' requests "for guidance on what information can be shared among government agencies and parents under the 1974 Family Educational Rights and Privacy Act" (FERPA).  At that time, Congress was also considering revising FERPA to clearly permit school officials to contact parents if a student is considering suicide or threatening to attack someone.  Currently, FERPA allows officials to share information with parents or other agencies if there is a health or safety emergency, but there was concern - especially after the Virginia Tech incident - that the language is too vague.

On March 24, 2008, almost a year after the shooting rampage at Virginia Tech, the U.S. Department of Education (DOE) proposed regulations to clarify when colleges can release confidential information about students who might be a danger to themselves or others.   The proposed guidelines do not make any substantive changes under FERPA, but attempt to clarify that schools are permitted to report fears about students who might be a danger to themselves or others. Parents are among the parties who can be contacted if a student is at risk.  It is believed that the changes would provide colleges with more flexibility in defining a potentially dangerous situation, and would help ensure that counselors have the tools they need to reach out and build support systems around troubled students. 

HIPAA contains a similar exception for disclosures "to avert a serious threat to health or safety."  Under HIPAA, a covered entity is not prohibited by the federal Privacy Rule from disclosing protected health information if it believes, in good faith, that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person reasonably able to prevent or lessen the threat, including the target of the threat.  State laws may, however, impose additional restrictions and must still be considered.

The deadline for comment on the DOE's proposed regulation is May 8, 2008.

Sanctions May be Imposed Due to Stark-Struck Snoopers

On April 8, 2008, the New York Times and the Los Angeles Times reported that Dr. Mark Horton, head of the California Department of Public Health, said that "the agency planned to sanction the University of California, Los Angeles, Medical Center after hospital workers improperly viewed the records of more than 60 patients, including the actress Farrah Fawcett and the state's first lady, Maria Shriver."  The medical center's investigation "revealed that records of 61 patients, roughly half celebrities or politicians, had been opened by one unauthorized worker who had since quit."  Governor Arnold Schwarzenegger has been quoted as stating that his administration will push hospitals to implement new safeguards to stop such snooping.  

These types of incidents highlight a prevalent issue that I find many covered entity providers struggling with: their employees are either not aware of, or not taking seriously, their responsibility not to access the record of any patient without an authorized purpose.  Authorized purposes include where the employee needs the information in connection with providing health care services to the patient.  Other authorized purposes are limited, but are set forth in the HIPAA Privacy Rule.  In addition, state laws may further restrict which employees can access certain sensitive information, like mental health records. 

HIPAA requires that covered entities implement safeguards to prevent unauthorized employees from accessing protected health information (PHI).  The first step for a provider is to establish clear policies defining when employee access is "authorized" (permitted) and when it is "unauthorized" (not permitted).  With respect to electronic PHI, the HIPAA Security Rule goes one step further by requiring covered entities to implement (1) access authorization and (2) access establishment and modification procedures.  In practice this means developing and implementing policies and procedures for assigning access rights (e.g., user accounts, passwords and the categories of records each account may view) to employees based upon their role at the facility; the Security Rule also requires audit controls that record activity in systems containing electronic PHI, which is what makes after-the-fact detection of snooping possible.  Finally, it is imperative that employees are trained on the established policies, and that applicable sanctions (from warnings to termination) are carried out for violations.
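As an added illustration (not code from this blog, from UCLA Medical Center, or from the HIPAA rules themselves), the following Python sketch shows what role-based access authorization with an audit trail looks like in practice, and how the same trail serves two purposes discussed on this page: the consumer-facing "who has looked at my record" view recommended in the HealthVault/Google Health best-practices post above, and the after-the-fact review that surfaces snooping of the kind described here. The roles, permission sets, user and patient IDs, the emergency "break-glass" override and the access sequence are all constructed for the example.

```python
"""Role-based access to patient records with an audit trail and a snooping
review. Added illustration for this blog post; not code from any hospital,
vendor or the HIPAA rules. Roles, permissions, user and patient IDs, the
break-glass override and the sample access sequence are all constructed."""

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Assumed role policy: the record categories each role is authorized to view.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "attending_physician": {"demographics", "clinical", "mental_health", "billing"},
    "nurse": {"demographics", "clinical"},
    "billing_clerk": {"demographics", "billing"},
}


@dataclass
class User:
    user_id: str
    role: str
    assigned_patients: Set[str]  # patients this user currently has a care or payment role for


@dataclass
class AccessEvent:
    when: datetime
    user_id: str
    patient_id: str
    category: str
    decision: str               # "allowed", "denied" or "break-glass"
    reason: str
    outside_relationship: bool  # True when the user had no assignment to this patient


@dataclass
class RecordSystem:
    users: Dict[str, User]
    audit: List[AccessEvent] = field(default_factory=list)

    def access(self, user_id: str, patient_id: str, category: str,
               when: datetime, break_glass: bool = False) -> bool:
        """Decide one access request. Every request, allowed or not, is written to the audit trail."""
        user = self.users.get(user_id)
        if user is None:
            return self._record(when, user_id, patient_id, category, "denied", "unknown user", False)
        if category not in ROLE_PERMISSIONS.get(user.role, set()):
            return self._record(when, user_id, patient_id, category, "denied",
                                f"role {user.role} is not authorized for {category}", False)
        if patient_id in user.assigned_patients:
            return self._record(when, user_id, patient_id, category, "allowed",
                                "role authorized and care relationship on file", False)
        if break_glass:
            # Emergency override: the access proceeds, but is marked for human review.
            return self._record(when, user_id, patient_id, category, "break-glass",
                                "emergency override, no care relationship on file", True)
        return self._record(when, user_id, patient_id, category, "denied",
                            "no care relationship on file", True)

    def _record(self, when, user_id, patient_id, category, decision, reason, outside) -> bool:
        self.audit.append(AccessEvent(when, user_id, patient_id, category, decision, reason, outside))
        return decision != "denied"

    def accesses_to(self, patient_id: str) -> List[AccessEvent]:
        """Every logged attempt on one patient's record: the basis for showing a
        patient who has looked at, or tried to look at, their chart."""
        return [e for e in self.audit if e.patient_id == patient_id]

    def snooping_review(self, window: timedelta, threshold: int) -> Dict[str, int]:
        """Users with at least `threshold` accesses outside any care relationship
        (denied or break-glass) inside some span of length `window`. Returns the
        peak count per flagged user; these are the cases to escalate for sanctions."""
        by_user: Dict[str, List[datetime]] = {}
        for e in self.audit:
            if e.outside_relationship:
                by_user.setdefault(e.user_id, []).append(e.when)
        flagged: Dict[str, int] = {}
        for user_id, times in by_user.items():
            times.sort()
            start, peak = 0, 0
            for end in range(len(times)):  # sliding window over sorted timestamps
                while times[end] - times[start] > window:
                    start += 1
                peak = max(peak, end - start + 1)
            if peak >= threshold:
                flagged[user_id] = peak
        return flagged


def build_demo() -> RecordSystem:
    """Constructed access sequence: one clerk pulling charts of patients not assigned to them."""
    rs = RecordSystem(users={
        "dr_a": User("dr_a", "attending_physician", {"P100"}),
        "nurse_b": User("nurse_b", "nurse", {"P100", "P101"}),
        "clerk_c": User("clerk_c", "billing_clerk", {"P100"}),
    })
    t0 = datetime(2008, 4, 8, 9, 0)
    rs.access("dr_a", "P100", "clinical", t0)                                  # allowed
    rs.access("nurse_b", "P100", "mental_health", t0 + timedelta(minutes=2))   # denied: role
    rs.access("clerk_c", "P101", "billing", t0 + timedelta(minutes=5))         # denied: no relationship
    rs.access("clerk_c", "P102", "demographics", t0 + timedelta(minutes=10))   # denied: no relationship
    rs.access("clerk_c", "P103", "demographics", t0 + timedelta(minutes=15))   # denied: no relationship
    rs.access("dr_a", "P200", "clinical", t0 + timedelta(minutes=20), break_glass=True)  # logged for review
    rs.access("ghost", "P100", "clinical", t0 + timedelta(minutes=25))         # denied: unknown user
    return rs


if __name__ == "__main__":
    system = build_demo()
    for ev in system.accesses_to("P100"):
        print(ev.when.time(), ev.user_id, ev.category, ev.decision, "-", ev.reason)
    print("flag for review:", system.snooping_review(timedelta(hours=1), threshold=3))
```

Two design points matter here. First, a denial is still an audit event: the clerk in the sample never successfully opened a chart outside their assignments, yet the pattern of attempts is exactly what a sanctions review needs to see. Second, an emergency override exists because a hard deny is not always clinically acceptable, so the system allows the access but records it as "break-glass" and feeds it into the same review as denials; the sanction policy the post describes is what gives that review its teeth.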

One Man's Scrap Paper Is Another Man's Treasure (part 1)

Business Week reported earlier this week that the medical records of 28 Central Florida Regional Hospital patients were included in a box purchased for $20 from a surplus store by a teacher for use as "scrap paper" in her fourth grade classroom.  According to reports, the "scrap paper" included detailed medical histories, phone numbers, addresses, Social Security numbers and insurance information of patients who had received treatment at the hospital. 

The hospital explains that last December it shipped three boxes of medical records via UPS to a Medicare auditor located in Las Vegas.  When one of the boxes was not received, the auditor contacted hospital officials.  The hospital then got in touch with UPS and attempted to determine the location of the third box.  The hospital's risk manager acknowledged that during the time it was working with UPS to resolve the issue, the hospital did not contact the potentially affected patients, despite the fact that it had concerns of the possibility of wrongful disclosure if the box got into the wrong hands.  As luck would have it, it did - although it could have been much worse than ending up in the hands of a fourth grade teacher. 

The mishap raises a few interesting questions.  One is whether the hospital was required to notify patients that a box containing their medical records did not reach its intended destination.  Another is whether UPS had any obligation to assure that a box full of confidential medical records did not end up at a surplus store for resale as scrap paper.  I will offer my thoughts with regard to the first question on this post.  I invite you to check back for my response to the second question. 

Under HIPAA, a covered entity is required to reasonably safeguard its patients' protected health information from any intentional or unintentional use or disclosure that is in violation of the Privacy Rule.  In addition, a covered entity is required to mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of the information that would violate the Privacy Rule.  45 C.F.R. 164.530(f).  HIPAA does not contain a mandatory security breach notification requirement.   Additionally, most state security breach notification laws only require the individual to be notified where the breach potentially affects their electronic information. 

The situation here involved paper records, and so may have fallen outside of any applicable state breach notification laws.  In addition, it appears from reports that during the hospital's investigation into the “lost” box, UPS never confirmed that the box was no longer in its control or, otherwise, that it had been forwarded to the surplus store.  Apparently that information finally came to light after-the-fact. As such, the hospital likely determined that it was premature to notify individuals where it was possible that the box was simply making its way back to the hospital through the UPS return system.  If the hospital had decided to notify individuals of the situation, it would likely have been faced with significant negative publicity for potentially no reason. 

As it turns out, however, the box did end up in unintended hands.  In hindsight, many may conclude that the hospital should have notified the individuals as soon as the box failed to reach the Medicare auditor.  If the "lost" box of records had ended up in the hands of someone who would use the information for a sinister purpose, the outcome for the affected individuals could have been much worse.  However, it is likely that if the sale of "scrap paper" had not occurred, UPS would have eventually concluded that the box was indeed lost.  Then, the hospital may have considered sending a notification to patients if it concluded that there was a likelihood that the information could be used by some third party for an improper purpose.

Some may ask what "safeguards" could be put in place to prevent mailed medical records from ending up in unintended hands.  A few come to mind.  One is a clearly marked return address, so that undeliverable boxes are returned to the proper sender.  Another is a label marking the package as "CONFIDENTIAL" to increase awareness of the sensitive nature of its contents.  A third is using a mail carrier whose tracking system allows a package to be located.

Check back next week to find out my thoughts on: (1) Did UPS have any HIPAA obligations to assure that the medical records did not end up at a surplus store for resale? and (2) Is UPS a business associate of the hospital? 

Is All "Marketing" Prohibited by HIPAA?

In general, HIPAA requires a written authorization from an individual before a health care provider can make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.  However, certain mailings and communications with individuals are permissible without having to obtain prior written authorization because they are not considered "marketing" as defined by the HIPAA Privacy Rule.

The following are a few examples of communications that HIPAA does not consider "marketing":

-- Reminders (e.g., "get your annual pap" letter)
-- Providing information about how to manage a particular condition (e.g., tips on diabetes control)
-- General information about new developments in health care
-- Information about health & wellness classes, support groups, health fairs etc.
-- Announcements of a new specialty group or new medical equipment at your facility

Thus, even though many of us who receive such information in the mail consider such flyers to be at least loosely linked to the “marketing efforts” of the sender, HIPAA considers the foregoing to be “communications essential for quality health care.”  Such communications are not subject to HIPAA’s restrictions otherwise applicable to using patient health information for “marketing” purposes.  Accordingly, a written authorization is generally not required for a health care provider to mail such information to former or current patients.  

CMS to Audit 10-20 Hospitals In Next 9 Months

GovernmentHealthIT reports that on January 16, 2008, at a workshop on HIPAA security, CMS announced that it will begin its audits by reviewing 10 to 20 hospitals in the next nine months for compliance with the HIPAA Security Rule.  As posted earlier on this Blog, CMS has contracted with PricewaterhouseCoopers (PwC), an accounting and consulting firm, to help with the reviews.

Who Will Be Audited?   Tony Trenkle, Director of CMS' Office of e-Health Standards and Services, stated at the January 16th workshop that the first reviews will be at hospitals where CMS has received complaints about security practices.  Then, CMS will move on to auditing "larger" hospitals nationwide.

What Will CMS Look For?   CMS representatives state that before a visit, the CMS-PwC team will request documents required under the HIPAA Security Rule, such as the hospital’s security risk assessment and its remote access policies.  Director Trenkle indicated that remote access to data and use of portable storage devices are among the issues that CMS will focus on.  Lorraine Doo, senior policy adviser at the Office of e-Health Standards and Services, elaborated that CMS-PwC will interview the compliance officer, security director, lead systems security manager and access controls manager at each hospital.

Consequences:   Hospitals will be invited to comment on the CMS-PwC team’s findings before the results are final.  After the reviews, CMS will publish the results of the security review, but not the organizations' names, on its website.  However, if the review uncovers major lapses, Ms. Doo indicates that CMS could fine a hospital or levy other punishments allowed for under the HIPAA statute.

Helen's HIPAA Hint: The comment made by CMS’ Senior Policy Advisor, Ms. Doo, will likely prompt covered entities to ask: who is a “Lead Systems Security Manager,” who is an “Access Controls Manager,” and did the Security Rule require us to appoint such individuals?   The technical answer is “no”; the Security Rule expressly requires a covered entity to appoint only a Security Officer.  However, the practical answer is that, for the covered entity to ensure that the required technical, physical and administrative safeguards are effectively implemented, monitored and revised as needed, the “buck must stop” (as they say) ultimately with someone. 

In smaller organizations, the Security Officer may have to take on all of these roles.  However, larger entities may find it necessary to create a “team” of individuals who work in tandem with the Security Officer to make sure that the entity is in full compliance. 

So, if a covered entity does not have an Access Controls Manager or a Lead Systems Security Manager, will CMS find the organization non-compliant?  I do not think so, as long as the entity can demonstrate that a specific individual or group of individuals is ultimately responsible for making sure that all of the Security Rule’s safeguards are effectively implemented, monitored and audited, and that issues are addressed as they come up.

New Year, New Laws . . . Some Items to Watch In 2008

  • What the HIPSA?!!   After HIPAA, the last thing most of us want to hear is another acronym that starts with the letter "H" and makes our heads spin trying to figure out whether the answer to the question is "to disclose" or "not to disclose."   But, here it may come..... Covered Entities (and anyone currently handling health information, for that matter) should keep an eye on U.S. Senate Bill 1814, the Health Information Privacy and Security Act ("HIPSA"), currently under consideration by the Committee on Health, Education, Labor, and Pensions.  HIPSA could change the current HIPAA landscape by, among other things, directly governing every individual and entity that uses personal health information.  The potential new law also seeks to create a private right of action (the right to file a private lawsuit), and to allow state attorneys general to sue for privacy and security violations.  Each of these elements is more far-reaching than HIPAA, which directly governs only Covered Entities and does not provide a statutory private right of action.
  • New Jersey Health Information Technology Promotion Act (NJ HITPA), Senate Bill 2728.   As NJ HITPA inches forward (last updated 11/2007), New Jersey may be one step closer to setting up the infrastructure necessary to support a state-wide RHIO (Regional Health Information Organization) in 2008.  NJ HITPA establishes the New Jersey Health Information Technology Commission to assume primary responsibility within State government for the development, implementation, and oversight of the Statewide health information technology plan.  That plan is to be designed to establish a secure, integrated and interoperable, Statewide electronic health information infrastructure for the sharing of electronic health information among health care facilities, health care professionals, public and private payers, and patients, which complies with all State and federal privacy requirements and links all components of the health care delivery system through secure and appropriate exchanges of health information. 
  • Ban On Data Mining.   On December 12, 2007, the Washington D.C. Council voted in favor of restricting access to information about physicians' prescribing trends.  The ban is the result of a much larger debate, namely whether prescription data should be allowed to be mined and sold to pharmaceutical companies, and whether such practice drives up the costs of prescription drugs and interferes with physician practices.  However, from a HIPAA standpoint, the ban may spur a trend that could restrict access to deidentified information.  Under HIPAA, if information is "deidentified" (stripped of all identifying elements), then the federal Privacy Rule does not prohibit its disclosure.  Most state laws also limit confidentiality protections to "identifying" personal information.  Therefore, "anti-data mining" laws such as the one being considered in D.C. (as well as in 12 other states, including New Hampshire, Maine and Vermont) would, in many instances, result in state laws that are more restrictive than HIPAA and create a new barrier to pharmaceutical companies and others obtaining such information.
  • States Amending Privacy Laws.   Look for legislation to be introduced in New Jersey and other states that tightens privacy and security requirements in certain instances, and that clarifies restrictions that have become outdated.  For example, the Pennsylvania Department of Health ("PA DOH") proposed to amend its regulations relating to the disclosure of patient information under the Pennsylvania Drug and Alcohol Abuse Control Act.  The proposed rule, set forth in the Pennsylvania Bulletin at 37 Pa.B. 6529, indicates that the PA DOH determined that the current regulation is outdated and is an impediment to service delivery and the coordination of care for individuals with substance abuse problems.  In general, the proposed rule expands the amount of information treatment providers may release to other entities (in accordance with the existing statute), and clarifies what information is subject to the confidentiality and disclosure restrictions.  
  • Identity-Theft Prevention Laws.  As the nation moves toward converting from paper to electronic health records and our personal information becomes more accessible, medical identity theft has become pervasive. Many states, including New Jersey, have passed security-breach notification laws that require providers to notify an individual if his/her electronic information has been accessed in an unauthorized manner. Look, however, for states to expand their current laws protecting the security of health information and specifically target medical identity theft. 

Employees suspended for snooping about George Clooney

Last week, WCBS-TV in New York reported that as many as two dozen employees, including doctors and nurses, have been suspended for allegedly improperly accessing actor George Clooney's medical records.  As the story goes, employees not involved with the actor's care logged into the hospital's computer system to view his records as doctors tended to his injuries, and that a security guard released a Clooney family member's telephone number.  WCBS said that media seemed to have detailed information about Clooney's condition almost immediately and that as many as 40 hospital employees were under investigation for releasing information to the press, which is a violation of federal law. 

Was the hospital's reaction too harsh?  I personally do not think so.  

Under HIPAA, there is no exception that would permit patients' protected health information (PHI) to be disclosed to the media without first obtaining a written authorization from the patient.  Furthermore, hospital employees who have no need to access PHI about a patient should not be doing so.  HIPAA specifically requires that covered entity providers (e.g., hospitals) have administrative, physical and technical safeguards in place that are aimed at preventing access to PHI by unauthorized individuals.  In one New Jersey Supreme Court case where highly sensitive information about a patient (who also happened to be a hospital employee) was disclosed to employees throughout the hospital who were not involved in the patient's care, the Court found that the hospital had failed to have adequate policies and safeguards in place to prevent such intra-entity unauthorized dissemination of information.  

There are a few lessons to take away from the Clooney incident (and many similar, but less-publicized, incidents).  First, hospitals and other covered entity providers should have clear, written HIPAA policies in place to safeguard PHI from unauthorized access by employees.  Second, employees must be trained on such policies, and reminded that sanctions may be applied if they fail to adhere to them.  Finally, if a HIPAA safeguard policy is breached by an employee, then appropriate sanctions must be followed through on.  These steps are essential to minimizing the chance that incidents like the Clooney case occur.  
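The technical side of the safeguards discussed above is audit-log review: the incident was detected because the hospital could see who opened the chart.  The following is an added example, not code from the original post or from any hospital's actual system, of the two checks a reviewer would run over an EHR access log.  The log format ("timestamp|user|patient|action"), the care-team roster, the sample entries and the burst threshold are all constructed assumptions for illustration.

```python
"""Detect chart snooping from an EHR access audit log.

Two complementary checks, both run offline over exported log lines:
  1. Treatment-relationship check: every access should come from a user
     on the patient's care team (roster from the scheduling/ADT system).
  2. Burst check: many distinct users viewing one patient's chart within
     a short window is a signal on its own, which matters when the roster
     is incomplete (e.g. emergency staff not yet assigned).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set


class AccessEvent(NamedTuple):
    ts: datetime
    user: str
    patient: str
    action: str


# Constructed sample roster (assumption: patient id -> users with a
# treatment relationship), not data from the original post.
CARE_TEAM: Dict[str, Set[str]] = {
    "P1001": {"dr_smith", "rn_jones", "rn_lee"},
    "P1002": {"dr_patel", "rn_jones"},
}

# Constructed sample audit-log lines in a hypothetical pipe-delimited format.
SAMPLE_LOG = """\
2007-09-21T19:02:10|dr_smith|P1001|VIEW_CHART
2007-09-21T19:05:44|rn_jones|P1001|VIEW_CHART
2007-09-21T19:07:01|rn_garcia|P1001|VIEW_CHART
2007-09-21T19:07:30|tech_wong|P1001|VIEW_CHART
2007-09-21T19:08:12|clerk_ali|P1001|VIEW_CHART
2007-09-21T19:09:55|dr_brown|P1001|VIEW_CHART
2007-09-21T20:15:00|dr_patel|P1002|VIEW_CHART
2007-09-21T20:16:30|rn_lee|P1002|VIEW_CHART
"""


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the constructed 'ts|user|patient|action' lines; skip blanks."""
    events: List[AccessEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split("|")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, patient, action))
    return events


def flag_no_relationship(events: List[AccessEvent],
                         care_team: Dict[str, Set[str]]) -> List[AccessEvent]:
    """Return accesses by users with no recorded care relationship to the patient.

    A patient missing from the roster has an empty team, so every access to
    that patient is flagged rather than silently accepted.
    """
    return [e for e in events if e.user not in care_team.get(e.patient, set())]


def flag_bursts(events: List[AccessEvent],
                window: timedelta = timedelta(minutes=15),
                max_distinct_users: int = 3) -> Dict[str, int]:
    """Return {patient: peak distinct-user count} for patients whose chart was
    opened by more than max_distinct_users distinct users inside any sliding
    window of the given length (threshold is an illustrative assumption)."""
    by_patient: Dict[str, List[AccessEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_patient[e.patient].append(e)

    flagged: Dict[str, int] = {}
    for patient, evs in by_patient.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events fit inside `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            distinct = {e.user for e in evs[start:end + 1]}
            if len(distinct) > max_distinct_users:
                flagged[patient] = max(len(distinct), flagged.get(patient, 0))
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in flag_no_relationship(evs, CARE_TEAM):
        print(f"NO RELATIONSHIP {e.ts.isoformat()} {e.user} -> {e.patient} ({e.action})")
    for patient, n in flag_bursts(evs).items():
        print(f"BURST {patient}: {n} distinct users within 15 minutes")
```

The relationship check is the one that maps directly onto the sanctions step: each flagged line names an employee who opened a chart without a documented reason.  The burst check catches the pattern in the Clooney case even before anyone has reconciled the roster, and would also catch a roster that has been over-provisioned, which is why both are worth running.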

Reports Find Security & Privacy Variations in State Health Data Exchanges

The Agency for Healthcare Research and Quality has released a series of reports funded by AHRQ and the Office of the National Coordinator for Health IT which examine the variations in data privacy and security among 34 regional health information organizations.  The reports found that state RHIOs varied in several areas, including the level of adoption for electronic health data exchanges, state health care market forces, and legal and regulatory conditions related to health information.   According to Health Data Management, the reports also recommend additional research and guidance on:

  • Determining states' varying interpretations of HIPAA
  • Assessing differences between state and federal privacy laws 
  • Assessing technologies that could protect the security and privacy of individuals, as well as the related administrative processes and liabilities
  • Creating a system that matches patients with their health information and is updated by various providers and organizations, and
  • Developing a standard set of definitions and terms to ease health data sharing

Legislators Introduce New Privacy Law

As more and more providers and other stakeholders in the health care sector move towards using the electronic medium as their preferred method to store and exchange patients' health information, there is growing concern that HIPAA does not adequately assure that patients' privacy will be maintained.  In response, on July 18, 2007, Senators Patrick Leahy (D-Vt.) and Edward Kennedy (D-Mass.) introduced the Health Information Privacy and Security Act of 2007 ("HIPSA") in an attempt to give patients more control over their protected health information.  In addition, HIPSA would create a private right to sue violators (e.g., doctors, hospitals, health plans) for violating their privacy rights, something that HIPAA does not currently afford (HIPAA enforcement is reserved for government action only).  Those who handle patients' health information likely will want to know: (1) how else does the Health Information Privacy and Security Act of 2007 differ from HIPAA and (2) how will it affect them? 

Continue Reading...

Health Experts Say Privacy Rules Needed for e-Health Records

Do we really need more rules to protect health information?  Certain health experts seem to think so.   Dr. Deborah Peel, a psychiatrist and founder of Patient Privacy Rights Foundation, believes that "thousands" of electronic databases that contain patients' health records exist, and that those patients don't have any way to keep their personal information from being shared with third parties. 

Continue Reading...

State Laws Require Notification of Data Breaches

The media loves to report horror stories about privacy breaches that result in voluminous amounts of private health information being disclosed.  There were numerous reports of privacy breaches in 2006 and there will certainly be more in 2007.  Breaches in security and privacy are serious matters and steps must be taken to "mitigate harm."  In addition, increasing concerns with identity theft have led numerous states to pass security breach notification laws that require covered entity providers to take affirmative steps to notify the affected individuals in the event of such a breach.  Such notification is not mandated under HIPAA. 

The National Conference of State Legislatures (NCSL) reports on its website that as of January 9, 2007, at least 35 states have enacted legislation that requires companies and/or government agencies to disclose security breaches involving personal information to the individuals potentially affected.  Providers should determine if their state has enacted a security breach notification law.  

Meanwhile, here is a list of some fairly recent and highly-publicized breaches that resulted, in at least some cases, in a staggering amount of protected health information being compromised:

Continue Reading...

Insurance Companies Finalize Plans to Post Electronic Health Records On The Internet

Hartford Business Journal recently reported that privacy groups are sounding alarms as the nation’s largest insurance companies finalize plans to allow millions more customers to post their health records on the Internet.  Insurers like Hartford-based Aetna Inc. say Web-based tools help patients and physicians keep track of medical information while potentially holding down spiraling medical costs.  The article stated that about 100 million insurance customers in the U.S. have access to Web-based tools, but companies don’t have an estimate of how widely they are used.  Insurers hope to at least double the technology’s reach by the end of next year . . .

Continue Reading...