Does Oklahoma's New Abortion Law Violate HIPAA?

Yesterday, November 1, 2009, the "Statistical Reporting of Abortion Law" went into effect in Oklahoma. The Statistical Reporting of Abortion Law is just one aspect of a broad and controversial abortion law, which also bans abortions on the basis of "sex of the unborn child." The Statistical Reporting of Abortion Law requires doctors to obtain detailed information from patients seeking abortions that will then be posted publicly through the Oklahoma Department of Health's web site. Some of the required information includes:

  • Date of abortion
  • County in which abortion performed
  • Age of mother
  • Marital status of mother (married, divorced, separated, widowed, or never married)
  • Race of mother
  • Years of education of mother (specify highest year completed)
  • State or foreign country of residence of mother
  • Total number of previous pregnancies of the mother
  • Total number of live births, miscarriages, induced abortions
  • Whether the woman is employed by the State of Oklahoma

The ostensible purpose of the Statistical Reporting of Abortion Law is to collect data about abortions to inform lawmakers about abortion practices in the State. A lawsuit has been filed alleging the law violates Oklahoma's constitution (for reasons unrelated to privacy concerns), but others have expressed concerns that the law violates the spirit, and perhaps the actual provisions, of HIPAA. Some commentators have noted that the information could be used to identify women who have obtained abortions, particularly when they live in small towns. Under HIPAA, "de-identified" protected health information ("PHI") may be used or disclosed for various purposes, including research. De-identified PHI (that is, information that is stripped of details that would identify the patient, such as name, street address, city, county, etc.) can be used or disclosed without restriction, however, HIPAA requires that entities have no actual knowledge that the remaining information could be used alone or in combination with other information to identify an individual. Opponents of the law's reporting provisions believe that under certain circumstances women can be identified based on the information requested, resulting in a violation of HIPAA. More to come as challenges to the law continue.
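The re-identification concern raised above can be checked before a table is published. The following is an added example, not code from the original post or from any Oklahoma agency: it computes, over constructed sample records carrying the reported fields, the smallest group of records that share the same combination of quasi-identifiers (the dataset's "k"), finds the fewest published columns that already single someone out, and suppresses small cells. The threshold k=5 and the county names in the sample data are assumptions for illustration, not figures from the law.

```python
"""Small-cell (k-anonymity) check over quasi-identifiers.

Added example, not from the original post. The records below are
constructed sample data, not real Oklahoma reports. The field names mirror
the items the law lists (county, age, marital status, race, education,
residence); the threshold k=5 is an assumption, not a figure from the law.
"""
from collections import Counter
from itertools import combinations

# Quasi-identifiers: fields that are not names but, combined, can single
# out a person, especially in a sparsely populated county.
QUASI_IDENTIFIERS = ("county", "age", "marital_status", "race",
                     "education_years", "residence")

# Constructed sample records (synthetic, for illustration only).
SAMPLE_RECORDS = [
    {"county": "Oklahoma", "age": 24, "marital_status": "never married",
     "race": "White", "education_years": 14, "residence": "OK"},
    {"county": "Oklahoma", "age": 24, "marital_status": "never married",
     "race": "White", "education_years": 14, "residence": "OK"},
    {"county": "Oklahoma", "age": 24, "marital_status": "never married",
     "race": "White", "education_years": 14, "residence": "OK"},
    {"county": "Oklahoma", "age": 24, "marital_status": "never married",
     "race": "White", "education_years": 14, "residence": "OK"},
    {"county": "Oklahoma", "age": 24, "marital_status": "never married",
     "race": "White", "education_years": 14, "residence": "OK"},
    # A single record from a small county: unique on county alone.
    {"county": "Harmon", "age": 41, "marital_status": "widowed",
     "race": "Black", "education_years": 12, "residence": "OK"},
]


def equivalence_classes(records, fields):
    """Count how many records share each combination of `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def min_k(records, fields):
    """Smallest equivalence-class size: the dataset's k for these fields."""
    classes = equivalence_classes(records, fields)
    return min(classes.values()) if classes else 0


def risky_records(records, fields, k=5):
    """Records whose quasi-identifier combination occurs fewer than k times."""
    classes = equivalence_classes(records, fields)
    return [r for r in records if classes[tuple(r[f] for f in fields)] < k]


def fewest_fields_that_isolate(records, fields=QUASI_IDENTIFIERS):
    """Smallest subset of fields under which some record is unique.

    Shows that a table with no names may still isolate a person using only
    one or two of the published columns.
    """
    for size in range(1, len(fields) + 1):
        for subset in combinations(fields, size):
            if min_k(records, subset) == 1:
                return subset
    return None


def suppress_small_cells(records, fields, k=5):
    """Defensive step: drop records that fall in cells smaller than k."""
    classes = equivalence_classes(records, fields)
    return [r for r in records if classes[tuple(r[f] for f in fields)] >= k]


if __name__ == "__main__":
    print("k over all quasi-identifiers:", min_k(SAMPLE_RECORDS, QUASI_IDENTIFIERS))
    print("smallest isolating field set:", fewest_fields_that_isolate(SAMPLE_RECORDS))
    print("records at risk:", len(risky_records(SAMPLE_RECORDS, QUASI_IDENTIFIERS)))
    print("records left after suppression:",
          len(suppress_small_cells(SAMPLE_RECORDS, QUASI_IDENTIFIERS)))
```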

Dare to Take-a-Peek? Think Again.

I have said it before, and I will say it again -- employees must come to understand and truly appreciate the huge risks involved and penalties at stake with "taking a peek" at a patient's medical record for no legitimate purpose.

This past Monday, a physician and two former employees at St. Vincent Infirmary Medical Center in Little Rock, Arkansas, pleaded guilty to misdemeanor federal charges that they inappropriately accessed the medical records of local television anchor Anne Pressly, who was killed back in 2008. A News Release issued by the U.S. Attorney for the Eastern District of Arkansas states that all three of the accused entered guilty pleas on July 20, 2009, acknowledging that they violated the privacy provisions of HIPAA.

The News Release indicates that the charged physician admitted that after watching a news report regarding Ms. Pressly being slain and taken to St. Vincent's, where he was on staff, he logged on from home and accessed the hospital's records system to "determine if the news reports were accurate." One of the other charged employees, a former account representative at the hospital, admitted that she accessed Ms. Pressly's file about 12 times "out of curiosity." The third employee charged, an emergency room secretary, admitted that she "became curious about the patient's [Ms. Pressly's] status and accessed the medical chart to find out if the patient was still living." The secretary did not inform anyone about her accessing the chart, but hospital records showed that the patient's records were accessed 3 times that day by the emergency room secretary. The hospital fired the account representative and the emergency room secretary, and suspended the physician for 2 weeks with required HIPAA re-training.

A sentencing date has not yet been set, but is expected within the next 45-60 days. Each of the charged individuals faces a maximum penalty of one year in prison, a fine of up to $50,000, or both! In addition, towards the end of the News Release, the local U.S. Attorney prosecuting the case included this warning to the health care industry:

"The HIPAA privacy protections are real, and we hope that through vigorous enforcement of HIPAA's right-to-privacy protections and swift prosecution of those who violate HIPAA, we can deter those in the medical industry who have access to protected health information from searching others' medical records merely to satisfy their own curiosity..."

Does anyone dare to take a peek after that warning?
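The hospital's own access records are what exposed the three individuals above, and the same records can be watched continuously rather than reviewed after the fact. The following is an added example, not code from the original post or from any hospital's system: it parses constructed EHR audit log lines and flags chart views by users with no treatment relationship to the patient, repeated views of one chart in a day, and views from outside the hospital network. The log lines, user and patient identifiers, care-team roster, the 10.0.0.0/8 on-site range and the repeat threshold of 3 are all assumptions chosen for illustration.

```python
"""Flagging 'take-a-peek' chart access in EHR audit logs.

Added example; not part of the original post and not any real hospital's
code. All log lines, identifiers, and the care-team roster are constructed.
Rules: (1) access to a patient by a user not on that patient's care team,
(2) three or more accesses to one chart by one user in a day,
(3) access from outside the assumed on-site network by a non-treating user.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

HOSPITAL_NET = ip_network("10.0.0.0/8")  # assumption: on-site address range

# Constructed audit log: timestamp, user, role, patient, action, source IP.
SAMPLE_LOG = """\
2008-10-20T08:02:11 nurse01 RN P-1001 VIEW_CHART 10.1.4.22
2008-10-20T08:15:40 dr_smith MD P-1001 VIEW_CHART 10.1.4.30
2008-10-20T21:30:05 dr_jones MD P-1001 VIEW_CHART 203.0.113.45
2008-10-20T09:10:00 acct07 ACCOUNT_REP P-1001 VIEW_CHART 10.2.7.11
2008-10-20T09:11:12 acct07 ACCOUNT_REP P-1001 VIEW_CHART 10.2.7.11
2008-10-20T09:14:50 acct07 ACCOUNT_REP P-1001 VIEW_CHART 10.2.7.11
2008-10-20T10:05:03 ersec02 ER_SECRETARY P-1001 VIEW_CHART 10.3.1.9
2008-10-20T13:20:44 ersec02 ER_SECRETARY P-1001 VIEW_CHART 10.3.1.9
2008-10-20T16:48:19 ersec02 ER_SECRETARY P-1001 VIEW_CHART 10.3.1.9
2008-10-20T11:00:00 nurse01 RN P-2002 VIEW_CHART 10.1.4.22
this line is malformed and is skipped by the parser
"""

# Constructed roster: users with a treatment relationship to each patient.
CARE_TEAM = {"P-1001": {"nurse01", "dr_smith"}, "P-2002": {"nurse01"}}


def parse_log(text):
    """Parse space-separated audit lines into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, user, role, patient, action, src = parts
        try:
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "role": role, "patient": patient,
                           "action": action, "src": ip_address(src)})
        except ValueError:
            continue  # bad timestamp or address: treat as malformed
    return events


def flag_snooping(events, care_team, repeat_threshold=3):
    """Map (user, patient) -> sorted list of reasons the access is suspect."""
    reasons = defaultdict(set)
    daily_counts = defaultdict(int)
    for e in events:
        key = (e["user"], e["patient"])
        if e["user"] not in care_team.get(e["patient"], set()):
            reasons[key].add("no treatment relationship")
            if e["src"] not in HOSPITAL_NET:
                reasons[key].add("remote access without relationship")
        daily_counts[(key, e["ts"].date())] += 1
    for (key, day), n in daily_counts.items():
        if n >= repeat_threshold:
            reasons[key].add(f"{n} accesses on {day}")
    return {k: sorted(v) for k, v in reasons.items()}


if __name__ == "__main__":
    for (user, patient), why in flag_snooping(parse_log(SAMPLE_LOG), CARE_TEAM).items():
        print(f"{user} -> {patient}: {'; '.join(why)}")
```

In practice the roster would come from the admission, order and scheduling systems, and a flagged finding is a prompt for a privacy officer's review rather than proof of misconduct.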

Securing Protected Health Information (PHI)

[Installment 4 - Governance Considerations from HIT for the Board and Other Hospital Stakeholders].  This is the fourth in a series of blog posts that relate to the governance concerns surrounding developments in HIPAA, HITECH and HIT.

Over the next several months, my blog entries will continue to discuss some of the threshold issues that face the manifold stakeholders in the hospital industry as they struggle to cope with the new and somewhat uneven landscape of health information technology (“HIT”) and protected health information (“PHI”). A major focus will be Boards and their responsibilities to their hospitals and other stakeholders with respect to HIT.

Securing PHI

One of the issues facing Boards is the relatively risky and murky area of “securing” PHI under the HITECH Act. The HITECH Act directed the U.S. Department of Health and Human Services (“DHHS”) and the Federal Trade Commission (“FTC”) to issue regulations further detailing the required security breach notifications. Both departments have proposed such regulations and are seeking public comment. Final regulations are to be issued by the departments by August 17, 2009, as required by the HITECH Act.

DHHS has issued guidance on which technologies and methodologies can be used by hospitals to “secure” PHI. The outlined technologies render PHI unusable, unreadable or indecipherable to unauthorized individuals. A breach of secured PHI does not trigger HITECH security breach notification requirements. Following the guidance from DHHS will create the functional equivalent of a safeguard for hospitals and other providers and satisfy compliance with HITECH.

Encryption and Destruction of PHI under DHHS Guidelines

DHHS identifies two methods for rendering PHI “secured”: encryption and destruction. Encryption is the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning to the data unless an individual uses a certain process or has a key. DHHS regulations state that the valid types of encryption processes to use will be those that are consistent with National Institute of Standards and Technology (NIST) standards for encryption. NIST has published a Guide to Storage Encryption Technologies for End User Devices. It is available at http://www.nist.gov/index.html.

The second method, destruction, will also secure information found in paper or electronic format. The paper or other hard copy media must be shredded or destroyed in a manner that the PHI cannot be read or otherwise reconstructed. Electronic media is to be cleared, purged or destroyed. Destruction should also be performed consistent with NIST standards. NIST has published Guidelines for Media Sanitization. It is available at http://www.nist.gov/index.html.

Board Oversight Obligations to Secure PHI

In satisfying DHHS requirements for “securing” PHI, Boards must establish appropriate and effective safeguards and security measures so that the risk of failure to comply with destruction policies is minimized. The use of improper, careless or noncompliant techniques for encrypting or destroying PHI by a hospital carries with it a high risk of damage control expense, penalties for noncompliance, devastatingly adverse publicity and the potential for widespread liability to victims whose PHI has been compromised.

Boards of healthcare providers must devote sufficient resources that are supervised by competent personnel at a sufficiently high level in the corporate organization to secure PHI. The resources invested up front for orderly risk management are well worth the avoidance of the costs of damage control. Monitoring and feedback to the Board on the effectiveness of the efforts are a necessary follow-up.

When the final regulations on securing PHI are issued by DHHS and the FTC, this blog will address some of their principal points.

[To be continued in Installment 5]

Twitter and Patient Privacy Rights

[Installment 2 - Governance Considerations from HIT for the Board and Other Hospital Stakeholders]

This is the second in a series of blog posts that relate to the governance concerns surrounding HIPAA, HITECH and HIT. It is, however, not the second posting that I had originally planned. A front-page article on May 25, 2009 in the New York Times by Pam Belluck, entitled “Hospitals Using Internet to Interact with Public,” prompted me to write on this topic as part of the series.

In her article Ms. Belluck stated, “Faced with economic pressures and patients with abundant choices, hospitals are using unconventional, even audacious, ways of connecting directly with the public.” She then reports that hospitals are using Twitter and transmissions from the operating room to communicate with the public on surgical results and YouTube to actually show surgery.  

This is seen by Ms. Belluck as a controversial approach to publicizing new procedures, to compete and attract patients and to stimulate contributions. In this day and age of increasing regulatory activity and heavy penalties for violations of HIPAA and state healthcare privacy and security rules, the Twitter practices should be subjected to careful scrutiny at the highest level by the governing bodies of hospitals. The image of the hospital and its own sense of what are proper and acceptable marketing practices, the risks of legal or ethical violations from unwarranted communications, and the impact on publicity policies can be undermined by the uncontrolled actions of individuals. The concept that the results of a complex surgical procedure can be meaningfully compressed into a rapid-fire, 140-character disclosure to the world can be somewhat perplexing.

The practice of using Twitter from the operating room to report on results is very risky and has serious implications for patient privacy. It may be a violation of existing laws or the general right of an individual to privacy.  It is always possible or even likely that the identity of a patient may become public, directly or indirectly, especially if the Twitter communication relates to a novel procedure. It is one thing to have a patient knowingly participate in publicity on YouTube and quite another to have someone send a Twitter message from the operating room while the patient is still recovering from anesthesia.

It is of equal concern that there is no control over the Twitter communications from the operating room. Anyone could make the transmission, which can be premature, totally erroneous and/or misleading.  It is a circumstance in some ways similar to the situation that judges are confronting from jurors who are sending Twitter or e-mail messages on the proceedings from the courtrooms of widely-publicized cases while the trial or jury deliberations are going on. Some judges are even prohibiting all electronic devices from being brought into the courtroom or jury deliberation room. In the case of the operating room there is the additional factor of the possibility that electronic transmissions from Twitter or e-mails may adversely affect or interfere with the normal operation of surrounding medical equipment.

The matter goes further. Will there be additional communications from the Tweeter or the hospital if the patient later develops complications or even dies? If the next patient who undergoes the same procedure does not fare well, will that be communicated through Twitter or other means to avoid misleading the public? How will the hospital control Twitter activity if it chooses to endeavor to do so? 

These questions and others should be properly considered at a high level in the hospital, with board oversight, in order to avoid or mitigate liability, maintain the hospital’s reputation for candor and transparency and avoid the adverse publicity of regulatory violations and penalties.  It is likely that the board should require that the hospital’s code of ethics address in greater detail how and when, if at all, electronic communications relating to patient procedures are communicated to the public and the nature of the patient consent that will be required.

Putting ARRA Money in the HIPAA/HITECH Enforcement Mouth

In accordance with the 90-day deadline established for an operating plan to be submitted to Congress on expenditures related to the $2 Billion Dollars appropriated under the American Recovery and Reinvestment Act ("ARRA") relating to health information technology ("HIT"), the Office of the National Coordinator ("ONC") has submitted its proposed ARRA Implementation Plan to Congress. The Plan's proposed Funding Table is as follows:

Total Appropriated (Dollars in Millions)

  Privacy and Security*                                   $    24.285
  National Institute of Standards and Technology (NIST)        20.000
  Regional HIT Exchange                                       300.000
  Unspecified                                               1,655.715
  Total towards HIT                                       $ 2,000.000

* Includes 9.5 Million for audits by OCR and CMS.

Of particular interest to many should be the Privacy and Security Spend Plan section. It specifies that over $24 Million of the federal dollars made available through ARRA would be spent on activities such as enhancing enforcement. More specifically, the Plan indicates that the ARRA funding "will enable the Centers for Medicare and Medicaid Services (CMS) and the Office for Civil Rights (OCR) to carry out mandated audits, make modifications in their case and document management systems, and train State Attorneys General on their new enforcement role." The Plan even aims to have State Attorneys General trained and ready to enforce HIPAA and HITECH by the end of the Third Quarter of 2009, or around September 2009! If completed according to schedule, then the federal government could have a bastion of new HIPAA/HITECH enforcement soldiers on the ground and ready when the interim final regulations for implementing breach notification for covered entities and business associates are released on August 18, 2009.

For a copy of the entire Plan, visit HHS' Recovery Website.

HIPAA Reminder Notice Due April 14th for Large Health Plans

The recent changes to HIPAA brought about by the American Recovery and Reinvestment Act (ARRA) and its Health Information Technology for Economic and Clinical Health (HITECH) Act have received a lot of attention of late. In the meantime, however, an "old" HIPAA notice obligation has crept up, and must be complied with by April 14th!

Under the HIPAA Privacy Rule, covered entity health plans are required "no less frequently than once every three years . . . [to] notify individuals then covered by the plan of the availability of the [health plan's Notice of Privacy Practices] and how to obtain the notice."  See 45 CFR 164.520(c)(1)(ii).  For "large" health plans with an original compliance deadline of April 14, 2003, this 3-year "Reminder Notice" must be released by April 14, 2009. 

A "large" health plan is one that has five million or more in annual gross receipts or claims paid.  Although health insurers (e.g., HMOs, PPOs etc) will generally make up the majority of "large" health plans, employers that sponsor health plans that meet the 5 million dollar threshold will need to comply.

The Reminder Notice does not require large health plans to redistribute their Notice of Privacy Practices; however, this is one way that the requirement can be satisfied. Other ways that the requirement can be met include mailing a separate "Reminder Notice" stating only that the plan's Notice of Privacy Practices is "available" and how a copy can be obtained. Such a reminder can also be included in a health plan-produced newsletter or other plan-produced publication. The government has posted a FAQ regarding the reminder notice requirement which may offer additional guidance.

Massachusetts Hospital Rescues "Orphan" Medical Records

The abandoned records of an Acton, Massachusetts physician who abruptly closed his office have been saved from the shredder by the last-minute intervention of a local hospital, highlighting a potential gap in state law that may leave patients unprotected in similar situations. 

According to the Boston Globe, Dr. Ronald Moody’s landlord evicted him from his office in September for nonpayment of rent and hired a moving and storage company to clean out its contents, including hundreds of patient charts. The moving and storage company kept the records for six months as required by law, then asked the state medical board to take custody of them after failing to find Dr. Moody. The board responded that it had no authority or budget to move, store or distribute the records, and neither the board nor the moving and storage company was able to take on the burden of locating and contacting the patients. Fortunately, a local hospital stepped in days before the records were scheduled to be destroyed. Concord’s Emerson Hospital, after consultation with the medical board, agreed to seek a court order to take possession of the records.

This incident reveals a flaw in the typical state regulatory approach to medicine and medical records. The medical board had been seeking sanctions against Dr. Moody for continuing to practice after his license had expired in 2007. Dr. Moody was required to maintain records as a condition of his license, but once he let it lapse, there was little the board could do. Like many states, Massachusetts had no statutory provisions for handling abandoned medical records.

In Pennsylvania, a similar situation occurred when a chain of imaging centers, MAIN Medical, suddenly closed in 2005. The state Attorney General’s office took over responsibility for storing the films and records and releasing them to patients.

As economic distress continues to affect healthcare providers, it is likely that this situation may play out again in other states. 

CDT Releases HITECH - HIPAA Guidance

The Center for Democracy and Technology ("CDT") has released a great guidance document that compares the requirements under the newly-enacted HITECH Act against HIPAA, and highlights specific changes resulting from this new legislation. The CDT guidance document also identifies key compliance deadline dates that all covered entities, business associates and other entities that handle personal health records should note on their calendars.  You can review the CDT's "Summary of Health Privacy Provisions in the 2009 Economic Stimulus Legislation," as updated March 24, 2009, by clicking here.   

The CDT is a 501(c)(3) non-profit public policy organization that is funded through various private donors, which are listed on the CDT's web page for 2008 and 2007.  

HITECH Act Signed Into Law - High Hopes Follow

Today, President Obama signed the Health Information Technology for Economic and Clinical Health Act (known as the "HITECH Act") into law. The final version of HITECH Act is posted on the Library of Congress' THOMAS website. The HITECH Act addresses various aspects relating to the use of health information technology ("H.I.T."), including providing for federal funding by way of grants and incentive payments in order to promote H.I.T. implementation.  In addition, Subtitle D of the HITECH Act includes new and far-reaching provisions concerning the privacy and security of health information that will directly affect more entities, businesses and individuals than ever before.

Some of the changes this new law has made to privacy and security include:

  • Security Breach Notification - Covered entities, business associates and others are now affirmatively required to notify individuals and others of breaches of unsecured protected health information.
  • Accounting of Disclosures with EHR Use - Covered entities using and disclosing PHI through an EHR are required to provide individuals with an accounting, when requested, for the prior three years. Uses and disclosures of PHI through EHRs include treatment, payment and health care operations.
  • Access Rights to Electronic Format - The HIPAA Privacy Rule is amended to give individuals the right to obtain access to their PHI in electronic format, if requested.
  • Health Care Operations - The definition of "health care operations" will be reviewed by the Secretary of DHHS by August 17, 2010 and narrowed or clarified.
  • Marketing - is restricted further.
  • Sale of PHI - Covered entities and business associates are prohibited from directly or indirectly receiving any remuneration in exchange for any PHI of an individual unless a valid authorization is obtained from the individual, except in a very limited number of circumstances.

What should affected entities do?

  • Update Notice of Privacy Practices to reflect changes in privacy and security policies
  • Update HIPAA privacy and security policies accordingly
  • Develop a detailed Breach Notification Policy that complies with HITECH and any state law counterpart to the new federal breach notification provisions
  • Expand business associate lists to include vendors and others
  • Update Business Associate Agreements to include expanded new requirements

OCR Revamps Privacy Website

The Department of Health and Human Services, Office for Civil Rights has posted its new Web site, and reports that the health information privacy pages have been "extensively revised to improve organization and ease of use for consumers, covered entities and others seeking reliable advice on the HIPAA Privacy Rule and the Patient Safety Rule."  

I took some time to peruse the new website, and personally I think that it is a vast improvement over its predecessor. Guidance on privacy can now be accessed under such categories as:

Will Federal Privacy Requirements Be Getting More Stringent?

The Center for Democracy and Technology ("CDT") released a major policy paper today that is intended to move the health privacy debate to consider more effective privacy protection of patient information. The CDT is advocating for the inclusion of privacy protections in the President's economic stimulus bill, which contains at least $20 billion for a national health information technology network. CDT's paper indicates in its Press Release that "personal health information should easily flow for treatment, payment, and certain core administrative tasks without requiring patient consent, but that stricter limits need to be placed on marketing and other secondary uses."

The CDT paper is just one among a growing number of signs that a tightening of HIPAA's original Privacy Rule requirements may be coming. If it happens, covered entities may need to modify their procedures for obtaining written authorizations for disclosures, and new entities, such as business associates and other third parties previously not directly subject to HIPAA, could potentially get swept in under the direct-compliance umbrella.

Feds Post New Guidance Document

The Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has published a new HIPAA Privacy Rule guidance as part of its "Privacy and Security Toolkit" (the "Toolkit") developed in connection with "The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information" (the "HIE Framework").  The new HIPAA guidance is available on the OCR Privacy Rule web site.

The federal government developed the HIE Framework and Toolkit in order to establish privacy and security principles for health care stakeholders engaged in electronic health information exchange ("e-HIE").  The documents also include tools to help implement these principles. Among other things, the new HIPAA Privacy Rule guidance document discusses how the Privacy Rule supports and can facilitate e-HIE in a networked environment.  In addition, the documents address electronic access by patients to his/her PHI, and how the Privacy Rule applies to and supports the use of Personal Health Records.

National Emergencies and HIPAA

Today, OCR posted a new response to the FAQ "Is the HIPAA Privacy Rule suspended during a national or public health emergency?" The federal government's answer? . . . NO! The FAQ response states that the Secretary of HHS may, however, waive certain provisions of the Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act. Therefore, if the President declares an emergency or disaster and the Secretary declares a public health emergency, the Secretary could waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule. Personally, I think that the government's FAQ could spark further confusion.

Regardless of the activation of an emergency waiver, I think that it's most important to note that the HIPAA Privacy Rule would not prevent disclosures during a national emergency to: 

  • provide treatment (45 CFR 164.506(c)); 
  • avert a serious threat to health or safety (45 CFR 164.512(j)); and
  • disaster relief organizations (45 CFR 164.510(b)(4)). 

So, for instance, a covered entity could share patient information with the American Red Cross to notify family members of the patient's location.  In the end, good judgment should always prevail when the health or safety of an individual is at stake.  For helpful information on how to handle health information issues during a national emergency, visit Katrina.

Help Me Understand HIPAA!

It's been years since HIPAA became a household term. Yet, there continues to be a significant amount of confusion about when it applies, what types of uses and disclosures of PHI are permitted, and if individuals can sue someone for a HIPAA violation.

The Office for Civil Rights recently published separate guides, one for health care providers and one for patients, to help clarify misunderstandings about when PHI can be released to family and friends involved in a patient's medical care.  Even though HIPAA requires health care providers to protect patient privacy, providers are permitted, in most circumstances, to communicate with the patient’s family, friends, or others involved in their care or payment for care. The provider guidance document is intended to clarify these HIPAA requirements so that health care providers do not unnecessarily withhold a patient’s health information from these persons. The guide also includes common questions and a table that summarizes the relevant requirements. 

There are other helpful resources posted on the government's website to help patients and providers understand HIPAA.  Below is a sample of links that aim to dispel certain misunderstanding about HIPAA:

By far, the most frequent question that I receive from individuals is "can I sue for a HIPAA violation?"  There appears, in my experience, to still be significant confusion regarding the fact that HIPAA does not provide for a private right of action. What this means is that an individual cannot sustain a lawsuit against another person or entity based solely on HIPAA, even if such individual believes his or her PHI has been disclosed in violation of HIPAA.  In such situations, HIPAA provides for a mechanism where the individuals can file a complaint with the federal government.  Individuals can also consult with an attorney to determine if other federal laws or their State's laws may provide for any remedy.

Best Practices for HealthVault and Google Health

At the end of June, Investor's Business Daily reported that Google, Microsoft, Aetna, Blue Cross, and 27 other private organizations "agreed on ground rules for protecting the privacy of the sensitive information" contained in personal health records (PHRs). Their Report indicated that the group has been working together for the past 18 months, and on Wednesday, June 26th, released the "hundreds of pages long" framework, which "starts with the idea that the information in a PHR is the user's to control -- and spells out how to guard it."

The "best practices" agreed upon by this private workgroup are posted onlineAmong them is a policy that audit trails should be conducted so that consumers can see who is looking at their records.  In addition, the workgroup recommended that insurers, employers, and others be prohibited from seeing the information without the individual's prior authorization.  

The point that PHR repositories, like the ones being offered by Google and Microsoft, are not subject to HIPAA has been focused on by opponents of these models.  However, in developing and releasing the Report containing privacy and security "best practices," I think that this is a step in the right direction and may reassure healthcare consumers that information maintained in such online filing cabinets will be kept as confidential and secure as when maintained by entities subject to federal privacy laws, like HIPAA.

"But, I Never Had My Kidney Removed . . . ."

ONC's Coordinator, Dr. Robert Kolodner, has noted that medical identity theft stories are being documented at an increasing rate, bringing to light serious financial, fraud, and patient care issues, and that it is imperative to obtain a more comprehensive understanding of this issue from a variety of perspectives.  The government explains on its HIT Privacy & Security webpage that:

 "Medical identity theft is a specific type of identity theft which occurs when a person uses someone else's personal health identifiable information, such as insurance information, Social Security Number, health care file, or medical records, without the individual's knowledge or consent to obtain medical goods or services, or to submit false claims for medical services . . . [and that] there is limited information available about the scope, depth, and breadth of medical identity theft."

Last month, ONC awarded a contract to Booz Allen Hamilton to assess and evaluate the scope of the medical identity theft problem in the U.S.  The HIT webpage lays out the 3 phases of this assessment and evaluation, which can be summarized as follows:

  • Phase 1 - An "Environmental Scan" of the medical identity theft problem in the U.S. will be completed, particularly focusing on the intersection with health information technology;
  • Phase 2 - A one-day Town Hall meeting will be held to enable health care experts to share knowledge and experience of medical identity theft and how health IT can be utilized to prevent and detect medical identity theft; and
  • Phase 3 - A final report and road map will be released in Winter 2008-2009 that will set forth possible next steps for the federal government and other stakeholders in order to work toward prevention, detection, and remediation of medical identity theft.

To read an article that I co-authored on Medical Identity Theft, see HFMA's NJ FOCUS Magazine March/April 2008 edition.   Also, Health Data Management has an interesting and useful white paper on "Securing Critical Healthcare Data from Internal Theft and Loss" that is worth checking out.  

HIPAA NPI May 23rd Deadline May Spike Denial of Claims

May 23 is the compliance date for the National Provider Identifier (NPI) to be used exclusively for electronic health care claims under HIPAA. Providers who do not use their assigned NPI after this date may find health insurers starting to reject and return electronic claims. Although millions of NPI numbers have been issued, it is unclear how many providers are in compliance. As a result, the next several weeks-to-months are likely to be bumpy as providers begin to find that claims they believe are compliant are rejected. Some commentators have predicted that if the industry experiences severe problems starting over the Memorial Day Weekend, CMS might relax the deadline. Health Data Management noted, however, that providers that get too many claim rejections may resubmit the claims on paper. That will enable providers to get paid, but slow the process considerably and adversely affect cash flow.

Educating the Educators on Privacy Laws


Last October, the United States Department of Education released a policy guidance document to help educators and parents interpret federal privacy laws in an initiative prompted by the mass shooting at Virginia Tech.  The document was created in response to schools' requests "for guidance on what information can be shared among government agencies and parents under the 1974 Family Educational Rights and Privacy Act" (FERPA).  At that time, Congress was also considering revising FERPA to clearly permit school officials to contact parents if a student is considering suicide or threatening to attack someone.  Currently, FERPA allows officials to share information with parents or other agencies if there is a health or safety emergency, but there was concern - especially after the Virginia Tech incident - that the language is too vague.

On March 24, 2008, almost a year after the shooting rampage at Virginia Tech, the U.S. Department of Education (DOE) proposed regulations to clarify when colleges can release confidential information about students who might be a danger to themselves or others.   The proposed guidelines do not make any substantive changes under FERPA, but attempt to clarify that schools are permitted to report fears about students who might be a danger to themselves or others. Parents are among the parties who can be contacted if a student is at risk.  It is believed that the changes would provide colleges with more flexibility in defining a potentially dangerous situation, and would help ensure that counselors have the tools they need to reach out and build support systems around troubled students. 

HIPAA contains a similar exception for disclosures "to avert a serious threat to health and safety."  Under HIPAA, a covered entity is not prohibited by the federal Privacy Rule from disclosing protected health information if it believes, in good faith, that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person reasonably able to prevent or lessen the threat, including the target of the threat.  State laws may, however, impose additional restrictions and must still be considered.

The deadline for comment on the DOE's proposed regulation is May 8, 2008.

Sanctions May be Imposed Due to Stark-Struck Snoopers

On April 8, 2008, the New York Times & The Los Angeles Times reported that Dr. Mark Horton, head of the California Department of Public Health, said that "the agency planned to sanction the University of California, Los Angeles, Medical Center after hospital workers improperly viewed the records of more than 60 patients, including the actress Farrah Fawcett and the state's first lady, Maria Shriver."  The medical center's investigation "revealed that records of 61 patients, roughly half celebrities or politicians, had been opened by one unauthorized worker who had since quit."  Governor Arnold Schwarzenegger has been quoted as stating that his administration will push hospitals to implement new safeguards to stop such snooping.  

These types of incidents highlight a prevalent issue that I find many covered entity providers struggling with: their employees are either not aware of, or not taking seriously, their responsibility not to access the record of any patient without an authorized purpose.  Authorized purposes include where the employee needs the information in connection with providing health care services to the patient.  Other authorized purposes are limited, but are set forth in the HIPAA Privacy Rule.  In addition, state laws may further restrict which employees can access certain sensitive information, like mental health records. 

HIPAA requires that covered entities implement safeguards to attempt to prevent unauthorized employees from accessing protected health information (PHI).  The first step for a provider is to establish clear policies regarding when employee access is "authorized" (permitted) and when it is "unauthorized" (not permitted).  With respect to electronic PHI, the HIPAA Security Rule goes one step further by requiring covered entities to implement (1) Access Authorization levels and (2) Access Establishment and Modification.  This may include developing and implementing policies and procedures for assigning access rights (e.g., user accounts and passwords) to employees based upon their role at the facility.  Finally, it is imperative that employees are trained on established policies, and that applicable sanctions (i.e., from warnings to termination) are carried out for violations.

One Man's Scrap Paper Is Another Man's Treasure (part 1)

Business Week reported earlier this week that the medical records of 28 Central Florida Regional Hospital patients were included in a box purchased for $20 from a surplus store by a teacher for use as "scrap paper" in her fourth grade classroom.  According to reports, the "scrap paper" included detailed medical histories, phone numbers, addresses, Social Security numbers and insurance information of patients who had received treatment at the hospital. 

The hospital explains that last December it shipped three boxes of medical records via UPS to a Medicare auditor located in Las Vegas.  When one of the boxes was not received, the auditor contacted hospital officials.  The hospital then got in touch with UPS and attempted to determine the location of the third box.  The hospital's risk manager acknowledged that during the time it was working with UPS to resolve the issue, the hospital did not contact the potentially affected patients, despite the fact that it had concerns of the possibility of wrongful disclosure if the box got into the wrong hands.  As luck would have it, it did - although it could have been much worse than ending up in the hands of a fourth grade teacher. 

The mishap raises a few interesting questions.  One is whether the hospital was required to notify patients that a box containing their medical records did not reach its intended destination.  Another is whether UPS had any obligation to assure that a box full of confidential medical records did not end up at a surplus store for resale as scrap paper.  I will offer my thoughts with regard to the first question on this post.  I invite you to check back for my response to the second question. 

Under HIPAA, a covered entity is required to reasonably safeguard its patients' protected health information from any intentional or unintentional use or disclosure that is in violation of the Privacy Rule.  In addition, a covered entity is required to mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of the information that would violate the Privacy Rule.  45 C.F.R. 164.530(f).  HIPAA does not contain a mandatory security breach notification requirement.   Additionally, most state security breach notification laws only require the individual to be notified where the breach potentially affects their electronic information. 

The situation here involved paper records, and so may have fallen outside of any applicable state breach notification laws.  In addition, it appears from reports that during the hospital's investigation into the “lost” box, UPS never confirmed that the box was no longer in its control or, otherwise, that it had been forwarded to the surplus store.  Apparently that information finally came to light after-the-fact. As such, the hospital likely determined that it was premature to notify individuals where it was possible that the box was simply making its way back to the hospital through the UPS return system.  If the hospital had decided to notify individuals of the situation, it would likely have been faced with significant negative publicity for potentially no reason. 

As it turns out, however, the box did end up in unintended hands.  In hindsight, many may conclude that the hospital should have notified the individuals as soon as the box failed to reach the Medicare auditor.  If the "lost" box of records had ended up in the hands of someone who would use the information for a sinister purpose, the outcome for the affected individuals could have been much worse.  However, it is likely that if the sale of "scrap paper" had not occurred, UPS would have eventually concluded that the box was indeed lost.  Then, the hospital may have considered sending a notification to patients if it concluded that there was a likelihood that the information could be used by some third party for an improper purpose.

Some may ask what "safeguards" could be put in place to prevent mailed medical records from ending up in unintended hands.  A few come to mind.  One is having a clearly marked return address to help undeliverable boxes be returned to the proper sender.  Another is using a label marking the package as "CONFIDENTIAL" to increase awareness of the sensitive nature of its contents.  Finally, use a mail carrier with a system that allows a package to be tracked.

Check back next week to find out my thoughts on: (1) Did UPS have any HIPAA obligations to assure that the medical records did not end up at a surplus store for resale? and (2) Is UPS a business associate of the hospital? 

Is All "Marketing" Prohibited by HIPAA?

In general, HIPAA requires a written authorization from an individual before a health care provider can make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.  However, certain mailings and communications with individuals are permissible without having to obtain prior written authorization because they are not considered "marketing" as defined by the HIPAA Privacy Rule.

The following are a few examples of communications that HIPAA does not consider "marketing":

-- Reminders (e.g., "get your annual pap" letter)
-- Providing information about how to manage a particular condition (e.g., tips on diabetes control)
-- General information about new developments in health care
-- Information about health & wellness classes, support groups, health fairs etc.
-- Announcements of a new specialty group or new medical equipment at your facility

Thus, even though many of us who receive such information in the mail consider such flyers to be at least loosely linked to the “marketing efforts” of the sender, HIPAA considers the foregoing to be “communications essential for quality health care.”  Such communications are not subject to HIPAA’s restrictions otherwise applicable to using patient health information for “marketing” purposes.  Thus, a written authorization is generally not required for a health care provider to mail such information to former or current patients.  

CMS to Audit 10-20 Hospitals In Next 9 Months

GovernmentHealthIT reports that on January 16, 2008 at a workshop on HIPAA security, CMS announced that it will begin its audits by reviewing 10 to 20 hospitals in the next nine months for compliance with the HIPAA Security Rule.  As posted earlier on this Blog, CMS has contracted with PricewaterhouseCoopers (PWC), an accounting and consulting firm, to help with the reviews.

Who Will Be Audited?   Tony Trenkle, Director of CMS' Office of e-Health Standards and Services, stated at the January 16th workshop that the first reviews will be at hospitals where CMS has received complaints about security practices.  Then, CMS will move on to auditing "larger" hospitals nationwide.

What Will CMS Look For?   CMS representatives state that before a visit, the CMS-PWC team will request documents required under the HIPAA Security Rule, such as the hospital’s security risk assessment and its remote access policies.  Director Trenkle indicated that remote access to data and use of portable storage devices are among the issues that CMS will focus on.  Lorraine Doo, senior policy adviser at the Office of E-health Standards and Services, elaborated that CMS-PWC will interview the compliance officer, security director, lead systems security manager and access controls manager at each hospital.

Consequences:   Hospitals will be invited to comment on the CMS-PWC team’s findings before the results are final.  After the reviews, CMS will publish the results of the security review, but not the organizations' names, on its website.  However, if the review uncovers major lapses, Ms. Doo indicates that CMS could fine a hospital or levy other punishments allowed for under the HIPAA statute.

Helen's HIPAA Hint: The comment made by CMS' Senior Policy Advisor, Ms. Doo, will likely make covered entities ask: who is a "Lead Systems Security Manager," who is an "Access Controls Manager," and did the Security Rule require us to appoint such individuals?   The technical answer is "no": the Security Rule only expressly requires a covered entity to appoint a Security Officer. However, the practical answer is that in order for the covered entity to ensure that the required technical, physical and administrative safeguards are effectively implemented, monitored and revised as needed, the "buck must stop" (as they say) ultimately with someone. 

In smaller organizations, the Security Officer may have to take on all of these roles.  However, larger entities may find it necessary to create a "team" of individuals who will work in tandem with the Security Officer to make sure that the entity is in full compliance. 

So, if a covered entity does not have an Access Controls Manager or a Lead Systems Security Manager will CMS find this organization non-compliant?  I do not think so, as long as the entity can demonstrate that a specific individual is or specific individuals are ultimately responsible for making sure that all of the Security Rule’s safeguards are effectively implemented, being monitored and audited, and issues are being addressed as they come up.

New Year, New Laws . . . Some Items to Watch In 2008

  • What the HIPSA?!!   After HIPAA, the last thing most of us want to hear is another acronym that starts with the letter "H" and makes our heads spin trying to figure out whether the answer to the question is "to disclose" or "not to disclose."   But, here it may come..... Covered Entities (and anyone currently handling health information, for that matter) should keep an eye on U.S. Senate Bill 1814, the Health Information Privacy and Security Act ("HIPSA"), currently under consideration by the Committee on Health, Education, Labor, and Pensions.  HIPSA could change the current HIPAA landscape by, among other things, aiming to directly govern each individual and entity that uses personal health information.  The potential new law is also looking to create a right of private action (the right to file a private lawsuit), and to allow state attorneys general to sue for privacy and security violations.  Each of these elements is more far-reaching than HIPAA, which directly governs only Covered Entities, and does not provide a statutory private right of action.
  • New Jersey Health Information Technology Promotion Act (NJ HITPA), Senate Bill 2728.   As NJ HITPA inches forward (last updated 11/2007), New Jersey may be one step closer to setting up the infrastructure necessary to support a state-wide RHIO (Regional Health Information Exchange) in 2008.  NJ HITPA establishes the New Jersey Health Information Technology Commission to assume primary responsibility within State government for the development, implementation, and oversight of the Statewide health information technology plan.  That plan is to be designed to establish a secure, integrated and interoperative, Statewide electronic health information infrastructure for the sharing of electronic health information among health care facilities, health care professionals, public and private payers, and patients, which complies with all State and federal privacy requirements and links all components of the health care delivery system through secure and appropriate exchanges of health information. 
  • Ban On Data Mining.   On December 12, 2007, the Washington D.C. Council voted in favor of restricting access to information about physicians' prescribing trends.  The ban is the result of a much larger debate, namely whether prescription data should be allowed to be mined and sold to pharmaceutical companies and whether such practice drives up the costs of prescription drugs and interferes with physician practices. However, from a HIPAA standpoint, the ban may spur a trend that could restrict access to deidentified information.  Under HIPAA, if information is "deidentified" (stripped of all identifying elements) then the federal Privacy Rule does not prohibit its disclosure. Most state laws also limit confidentiality protections to "identifying" personal information. Therefore, "anti-data mining" laws such as the one being considered in D.C. (as well as in 12 other states, including New Hampshire, Maine and Vermont) would, in many instances, result in state laws that are more restrictive than HIPAA and create a new barrier to pharmaceutical companies and others obtaining such information.
  • States Amending Privacy Laws.   Look for legislation to be introduced in New Jersey and other states that tightens up privacy and security requirements in certain instances, and that clarifies restrictions that have become outdated.  For example, the Pennsylvania Department of Health ("PA DOH") proposed to amend its regulations relating to the disclosure of patient information under the Pennsylvania Drug and Alcohol Abuse Control Act.  The proposed rule, set forth in the Pennsylvania Bulletin at 37 Pa.B. 6529, indicates that the PA DOH determined that the current regulation is outdated and is an impediment to service delivery and the coordination of care for individuals with substance abuse problems.  In general, the proposed rule expands the amount of information treatment providers may release to other entities (in accordance with the existing statute), and clarifies what information is subject to the confidentiality and disclosure restrictions.  
  • Identity-Theft Prevention Laws.  As the nation moves toward converting from paper to electronic health records and our personal information becomes more accessible, medical identity theft has become pervasive. Many states, including New Jersey, have passed security-breach notification laws that require providers to notify an individual if his/her electronic information has been accessed in an unauthorized manner. Look, however, for states to expand their current laws protecting the security of health information and specifically target medical identity theft. 

Employees suspended for snooping about George Clooney

Last week, WCBS-TV in New York reported that as many as two dozen employees, including doctors and nurses, have been suspended for allegedly improperly accessing actor George Clooney's medical records.  As the story goes, employees not involved with the actor's care logged into the hospital's computer system to view his records as doctors tended to his injuries, and that a security guard released a Clooney family member's telephone number.  WCBS said that media seemed to have detailed information about Clooney's condition almost immediately and that as many as 40 hospital employees were under investigation for releasing information to the press, which is a violation of federal law. 

Was the hospital's reaction too harsh?  I personally do not think so.  

Under HIPAA, there is no exception that would permit patients' protected health information (PHI) to be disclosed to the media without first obtaining a written authorization from the patient.  Furthermore, hospital employees who have no need to access PHI about a patient should not be doing so.  HIPAA specifically requires that covered entity providers (e.g., hospitals) have administrative, physical and technological safeguards in place that are aimed at preventing access to PHI by unauthorized individuals.  In one New Jersey Supreme Court case where highly sensitive information about a patient (who also happened to be a hospital employee) was disclosed to employees throughout the hospital who were not involved in the patient's care, the Court found that the hospital failed to have adequate policies and safeguards in place to prevent such intra-entity unauthorized dissemination of information.  

There are a few lessons to take away from the Clooney incident (and many similar, but less-publicized, incidents).  First, hospitals and other covered entity providers should have clear, written HIPAA policies in place to safeguard PHI from unauthorized access by employees.  Second, employees must be trained on such policies, and reminded that sanctions may be applied if they fail to adhere to them.  Finally, if a HIPAA safeguard policy is breached by an employee, then appropriate sanctions must be followed through on.  These steps are essential to minimizing the chances of incidents like the Clooney case occurring.  
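Both the UCLA post above (one worker opening 61 records) and the Clooney post describe the same failure: employees who are not involved in a patient's care opening that patient's record, and nobody noticing until the press does. The sketch below is an added example, not code from the original blog or from any hospital system, of what the Security Rule's "access authorization" and audit-review safeguards look like in practice: a role policy that requires a treatment relationship (a care-team assignment) before a clinical user may open a chart, a small "access establishment and modification" step for granting that relationship, and a review of the access audit log that flags both individual unauthorized opens and users who have opened several records they had no relationship with. Every role name, employee id, patient id and log line is constructed for the example.

```python
"""
Added example: role-based chart access check plus audit-log review.
All roles, employee ids, patient ids and log lines are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed role policy. Clinical roles need a care-team relationship with
# the patient; billing may open a chart only for a stated payment purpose;
# roles with no entry (e.g. security_guard) have no clinical record access.
ROLE_POLICY = {
    "physician": {"needs_care_team": True},
    "nurse": {"needs_care_team": True},
    "billing": {"needs_care_team": False, "allowed_purposes": {"payment"}},
}

# Constructed care-team assignments: patient id -> set of employee ids.
# Changing this table is the "access establishment and modification" step.
CARE_TEAM = {
    "P100": {"dr_adams", "rn_baker"},
    "P200": {"dr_chen"},
}


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    role: str
    patient: str
    purpose: str  # constructed values: treatment, payment, operations, none


def grant_care_team(patient: str, user: str) -> None:
    """Record that `user` is now treating `patient` (access establishment)."""
    CARE_TEAM.setdefault(patient, set()).add(user)


def parse_log_line(line: str) -> AccessEvent:
    """Parse a constructed pipe-delimited audit line:
    timestamp|user|role|patient|purpose"""
    ts, user, role, patient, purpose = line.strip().split("|")
    return AccessEvent(ts, user, role, patient, purpose)


def is_authorized(ev: AccessEvent) -> bool:
    """Apply the role policy to one chart-open event."""
    policy = ROLE_POLICY.get(ev.role)
    if policy is None:
        return False  # role has no clinical record access at all
    if policy.get("needs_care_team"):
        return ev.user in CARE_TEAM.get(ev.patient, set())
    return ev.purpose in policy.get("allowed_purposes", set())


def review_audit_log(lines, bulk_threshold=3):
    """Return (unauthorized events, {user: distinct patients}) where the
    second item lists users whose unauthorized opens span at least
    `bulk_threshold` distinct patients, the UCLA-style pattern."""
    unauthorized = []
    per_user = defaultdict(set)
    for line in lines:
        ev = parse_log_line(line)
        if not is_authorized(ev):
            unauthorized.append(ev)
            per_user[ev.user].add(ev.patient)
    bulk = {u: len(p) for u, p in per_user.items() if len(p) >= bulk_threshold}
    return unauthorized, bulk


# Constructed audit-log sample (not a real system's output).
SAMPLE_LOG = [
    "2008-04-01T09:00|dr_adams|physician|P100|treatment",   # on care team
    "2008-04-01T09:05|rn_baker|nurse|P100|treatment",       # on care team
    "2008-04-01T09:10|billing_01|billing|P100|payment",     # payment purpose
    "2008-04-01T09:12|rn_baker|nurse|P200|none",            # not treating P200
    "2008-04-01T09:15|guard_07|security_guard|P100|none",   # role has no access
    "2008-04-01T09:20|rn_baker|nurse|P300|none",            # not treating P300
    "2008-04-01T09:21|rn_baker|nurse|P400|none",            # not treating P400
]

if __name__ == "__main__":
    events, bulk_users = review_audit_log(SAMPLE_LOG)
    for ev in events:
        print(f"UNAUTHORIZED {ev.ts} {ev.user} ({ev.role}) opened {ev.patient}")
    for user, count in bulk_users.items():
        print(f"REVIEW {user}: {count} distinct patients without a relationship")
```

The review function deliberately treats a single off-team open and a run of them differently: the first is a training-and-sanctions matter for the individual, while a user touching many unrelated charts in a short window is the case the UCLA and Clooney stories describe and is what a compliance officer would want surfaced on a daily report rather than discovered after a news story.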

Reports Find Security & Privacy Variations in State Health Data Exchanges

The Agency for Healthcare Research and Quality has released a series of reports funded by AHRQ and the Office of the National Coordinator for Health IT which examine the variations in data privacy and security among 34 regional health information organizations.  The reports found that state RHIOs varied in several areas, including the level of adoption for electronic health data exchanges, state health care market forces, and legal and regulatory conditions related to health information.   According to Health Data Management, the reports also recommend additional research and guidance on:

  • Determining states' varying interpretations of HIPAA
  • Assessing differences between state and federal privacy laws 
  • Assessing technologies that could protect the security and privacy of individuals, as well as the related administrative processes and liabilities
  • Creating a system that matches patients with their health information and is updated by various providers and organizations, and
  • Developing a standard set of definitions and terms to ease health data sharing

Legislators Introduce New Privacy Law

As more and more providers and other stakeholders in the health care sector move towards using the electronic medium as their preferred method to store and exchange patients' health information, there is growing concern that HIPAA does not adequately assure that patients' privacy will be maintained.  In response, on July 18, 2007, Senators Patrick Leahy (D-Vt.) and Edward Kennedy (D-Mass.) introduced the Health Information Privacy and Security Act of 2007 ("HIPSA") in an attempt to give patients more control over their protected health information.  In addition, HIPSA would create a private right to sue violators (i.e., doctors, hospitals, health plans etc.) for violating their privacy rights, something that HIPAA does not currently afford (HIPAA enforcement is reserved for government action only).  Those who handle patients' health information likely will want to know: (1) how else does the Health Information Privacy and Security Act of 2007 differ from HIPAA and (2) how will it affect them? 

Continue Reading...

Health Experts Say Privacy Rules Needed for e-Health Records

Do we really need more rules to protect health information?  Certain health experts seem to think so.   Dr. Deborah Peel, a psychiatrist and founder of Patient Privacy Rights Foundation, believes that "thousands" of electronic databases that contain patients' health records exist, and that those patients don't have any way to keep their personal information from being shared with third parties. 

Continue Reading...

State Laws Require Notification of Data Breaches

The media loves to report horror stories about privacy breaches that result in voluminous amounts of private health information being disclosed.  There were numerous reports of privacy breaches in 2006 and there will certainly be more in 2007.  Breaches in security and privacy are serious matters and steps must be taken to "mitigate harm."  In addition, increasing concerns with identity theft have led numerous states to pass security breach notification laws that require covered entity providers to take affirmative steps to notify the affected individuals in the event of such a breach.  Such notification is not mandated under HIPAA. 

The National Conference of State Legislatures (NCSL) reports on its website that as of January 9, 2007, at least 35 states have enacted legislation that requires companies and/or government agencies to disclose security breaches involving personal information to the individuals potentially affected.  Providers should determine if their state has enacted a security breach notification law.  

Meanwhile, here is a list of some fairly recent and highly-publicized breaches that resulted, in at least some cases, in a staggering amount of protected health information being compromised:

Continue Reading...

Insurance Companies Finalize Plans to Post Electronic Health Records On The Internet

Hartford Business Journal recently reported that privacy groups are sounding alarms as the nation's largest insurance companies finalize plans to allow millions more customers to post their health records on the Internet.  Insurers like Hartford-based Aetna Inc. say Web-based tools help patients and physicians keep track of medical information while potentially holding down spiraling medical costs.  The article stated that about 100 million insurance customers in the U.S. have access to Web-based tools, but companies don't have an estimate of how widely they are used. Insurers hope to at least double the technology's reach by the end of next year . . .

Continue Reading...