Collateral Effects of the Omnibus Rule: Exercise Caution in Using Past OCR Summaries on Large PHI Breaches as a Roadmap for Future Guidance

In the wake of the post-Omnibus Rule (the “Rule”) frenzy, it is necessary to consider some collateral effects that the Rule may have brought about with respect to compliance with HIPAA/HITECH.  The Office of Civil Rights (“OCR”) summaries of closed investigations (the “Summaries”) posted on the U.S. Department of Health and Human Services (“HHS”) list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (“List Breaches”) have been a source of meaningful guidance, as discussed in previous posts on this blog.  For example, the summary (the “Tennessee Summary”) for a State of Tennessee Sponsored Group Health Plan breach (the “Tennessee Breach”) continues to provide an excellent road map of pre-Omnibus Rule actions for covered entities (“CEs”) or business associates (“BAs”) that suffer List Breaches or PHI breaches of any size.


While the Tennessee Breach itself dealt with mishandling of paper PHI and not electronic health records, the Tennessee Summary does give direction for early intervention by affected CEs or BAs before HHS knocks on their door.  However, while there was excellent compliance in the aftermath of the Tennessee Breach, advice from pre-Rule Summaries cannot be used without carefully taking into account the new requirements respecting PHI breaches under the Rule.  As will be further discussed below, the most important new requirement in this regard is the necessity for a CE, BA or subcontractor to analyze the level of risk of compromise of the affected PHI.


The Tennessee Summary


The Tennessee Breach occurred on October 6, 2011 and involved approximately 1,770 enrollees with respect to names, addresses, birth dates and social security numbers.  According to the Tennessee Summary, an equipment operator at the state’s postal facility set the machine to insert four (4) pages per envelope instead of one (1) page per envelope, which caused the PHI of four individuals to be sent to one address per envelope.


The Tennessee Summary states that the CE did the following (with some parenthetical observations from the blog author):

1. Retrained the equipment operator (suggesting that suspension and/or termination are not the only actions in appropriate cases with respect to dealing with employees involved with a PHI breach where rehabilitation is possible).

2. Submitted a breach report to HHS (resulting in the posting on the HHS List).

3. Provided notice to affected individuals.

4. Notified the media.

5. Created a toll-free number for information regarding the incident.

6. Posted notice on the CE’s website.

7. Modified policies to remove the social security number on templates for future mailings (a good policy whether paper or electronic PHI is involved).

8. Offered identity theft protection to the affected individuals (a common decision for CEs and BAs based on the type of information that may have been compromised).

9. Following the OCR investigation, reviewed its policies and procedures to ensure adequate safeguards are in place (with this disclosure in the Tennessee Summary, there is a suggestion that OCR continued to exercise some oversight or received reports after the investigation was finished).


The Tennessee Breach in Retrospect after the Omnibus Rule


There was no discussion in the Tennessee Summary of any analysis by the CE of the probable “risk of harm” from the Tennessee Breach under the proposed rule standards that prevailed prior to the Rule.  However, it is clear that, in the post-Rule period, a risk analysis of the probability that the PHI “has been compromised” would be necessary for the CE; failure to do such an analysis may be a violation in itself.  Under the Rule, there is a presumption that a breach of PHI has taken place unless there is a low probability that the PHI has been compromised.  The four-factor analysis that would have been required of the CE in the Tennessee Breach case, had it happened after the effective date of the Rule, encompasses the following (with parenthetical comments):

(i) Identifying the nature and extent of the PHI involved, including types of identifiers and risk of re-identification (i.e., names, addresses, birth dates and social security numbers);

(ii) Identifying the unauthorized person(s) who impermissibly used the PHI or to whom the disclosure was made (in the case of the Tennessee Breach, subscribers to the health plan who were not individuals that had an obligation of their own to comply with HIPAA/HITECH);

(iii) Determining whether the PHI was actually acquired or viewed or, alternatively, if only the opportunity existed for the PHI to be acquired or viewed (in the case of the Tennessee Breach, there is a likelihood that numerous recipients of the PHI or others without the right to view such PHI did in fact view it); and

(iv) The extent to which risk to the PHI was mitigated (items 3, 4, 5, 6 and 8 above appear to be potential mitigating factors).


As stated in earlier postings here and here, no Summary has been posted by OCR for any List Breach that occurred later than October 6, 2011.  Additionally, no Summary has been posted by OCR for any List Breach involving a BA that occurred later than February 1, 2011.  While the Summaries continue to provide highly useful information for CEs, BAs and subcontractors relative to confronting PHI breaches, large and small, they must be analyzed with appropriate care and attention paid to the changes brought about by the Rule.  It may be that a concern of OCR about the potential confusion that could be created by publishing pre-Rule Summaries has prevented OCR from making recent postings of Summaries on the HHS List.


Urgent - Verify Your Business Associate and Subcontractor Agreements by This Friday 1/25/13 to Qualify for Extension

The September 23, 2013 deadline for updating Business Associate Agreements is extended for one year under the Omnibus Rule for covered entities who have compliant Business Associate Agreements in place by Friday, January 25, 2013. This also applies to agreements between Business Associates and their subcontractors.

Covered Entities and Business Associates (as well as Business Associates and their subcontractors) may continue to rely on those agreements for up to one year beyond the compliance date of the modifications, regardless of whether the contract meets the applicable contract requirements in the Omnibus Rule. This includes existing written agreements between business associates and subcontractors under which such subcontractors agree to the same restrictions and conditions that apply to the business associate. Such contracts are deemed to be compliant with the modifications to the Rules until either the covered entity or business associate has renewed or modified the contract following the compliance date of the modifications, or until September 23, 2014 (one year after the compliance date), whichever is sooner. "Evergreen" contracts which automatically renew also qualify for the extension.

Covered Entities (providers, health plans/insurers, and clearinghouses) should verify that they have current signed business associate agreements in place no later than this Friday in order to be grandfathered for an extra year.

Business Associates who have delegated functions to subcontractors involving PHI need to make sure they have signed written agreements in place that meet the standards of the existing rule under which the subcontractors agree to follow HIPAA.   This is where there may be more gaps, since many Business Associates may have been unaware of their obligations to assure compliance by their subcontractors.


Even grandfathered Business Associate Agreements and subcontractor agreements should be reviewed to see if the contracted party (business associate or subcontractor) is acting as an agent of the Covered Entity or Business Associate.  If it is, the date on which a breach is discovered (or should have been discovered) is imputed up the contractual chain and could mean that the Covered Entity is responsible for reporting breaches it knows nothing about.

If you need help determining whether you qualify for grandfathering, please contact your Fox Rothschild attorney immediately.

"PHI Warnings" in Communications -- A Potential Source of Unintended Security Breach?

By Elizabeth Litten and Michael Kline

Many Covered Entities (CE) and Business Associates (BA) (and now, Subcontractors (SC) as well) are using a variety of approaches to limit exposure to liability and the potentially dire consequences associated with security breaches of Protected Health Information (“PHI”).  Recently, we have noticed “PHI Warnings” in email and facsimile transmissions, by which CE, BA, or SC warn unintended recipients not to transmit or re-send PHI to third parties.  Such PHI Warnings are being routinely used by hospitals, providers, health insurers, law firms and others that create, receive, maintain, or transmit PHI.  Such PHI Warnings should be used and worded with caution, however.

For example, instructions such as the following sample may be found at the bottom of a CE’s email transmission:


Email Confidentiality Notice:  The information contained in this transmission is privileged and confidential and/or protected health information (PHI) and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA).  This transmission is intended for the sole use of the individual or entity to whom it is addressed.  If you are not the intended recipient, you are notified that any use, dissemination, distribution, printing or copying of this transmission is strictly prohibited and may subject you to criminal or civil penalties.  If you have received this transmission in error, please contact the sender immediately by replying to this email and deleting this email and any attachments from any computer.


Unfortunately, if an unintended (or unprepared) recipient of such PHI reads this message and follows the sender’s instruction by “replying” to the email, such recipient could be unintentionally perpetuating or re-publishing the breach.  Particularly in a case where the original email was sent to a number of recipients, a “reply” could easily become a “reply to all” and have the effect of re-sending (and announcing) PHI to new unintended third parties. Such a result could make it much more difficult for the original sender to ascertain the total scope of the security breach in its subsequent remediation and compliance efforts.


Moreover, such PHI Warnings should only be used in the context of overall HIPAA/HITECH policies and procedures of the sender.  For example, if the unintended recipient were a BA or SC of the sender, the attempt to comply with the sender’s instructions could actually conflict with, and result in a breach of, the parties’ Business Associate Agreement (“BAA”).


The following sample avoids the problem described above by providing an alternative method of notifying the original sender, but it may still be “too little, too late,” as a serious PHI security breach may have already occurred:


This email and its attachments may contain privileged and confidential information and/or protected health information (PHI) intended solely for the use of ______________ and the recipient(s) named above.  If you are not the recipient, or the employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any review, dissemination, distribution, printing or copying of this email message and/or any attachments is strictly prohibited.  If you have received this transmission in error, please notify the sender immediately at 800-xxx-xxxx and permanently delete this email and any attachments.


Finally, if PHI is sent to a recipient prior to the parties’ execution of a compliant BAA and implementation of policies and procedures to protect PHI properly, a PHI Warning is unlikely to mitigate the liability of the sender (or recipient) for a security breach under HIPAA/HITECH.