Last week, I blogged about a recent U.S. Department of Health and Human Services Office of Civil Rights (OCR) announcement on its push to investigate smaller breaches (those involving fewer than 500 individuals).   The week before that, my partner and fellow blogger Michael Kline wrote about OCR’s guidance on responding to cybersecurity incidents.  Today, TechRepublic Staff Writer Alison DeNisco addresses how a small or medium sized business (MSB) can deal with the heightened threat of OCR investigations or lawsuits emanating from a security breach.  Alison’s piece, “Security breaches:  How small businesses can avoid a HIPAA lawsuit”, is must-read for MSBs struggling to understand and prioritize their cybersecurity needs.

Michael and I spoke with Alison about the recent OCR pronouncements, and she pulled several of our comments together to create a list of tips for an SMB to consider to minimize HIPAA security breach headaches. The following 6 tips are excerpted from the full article:

  1. Hire a credible consultant to help you approach the issue, and how you would respond in the event of a breach. [In other words, perform your own security risk assessment, or, if impractical, hire an expert to perform one.]
  2. Document that you have policies and procedures in place to fight cyber crime. “If you didn’t document it, it didn’t happen,” Kline said.
  3. Stay informed of cybersecurity news in your industry, or join an association. Be aware of what other companies in your space are doing to protect themselves.
  4. Update your security settings on a regular basis, perhaps every time you add new employees or change systems, or on an annual basis.
  5. Present annually to your company board on where the company is in terms of cybersecurity protection, and where it needs to be to remain as safe as possible in the future.
  6. If you’re an IT consultant working with a healthcare organization, be clear with your client what you need to access and when, Litten said. “A client that has protected health information in its software should carefully delineate who has access to that software,” she added.

The article also quotes Ebba Blitz, CEO of Alertsec, who offers an equally important tip for the SMB dealing with employees’ use of mobile devices that contain or are used to transmit PHI:

You need a good plan for mitigating BYOD,” Blitz said. She further recommends asking employees to document their devices, so businesses can keep track of them and install security tools.

In summary, confronting ever-growing and evolving challenges of cybersecurity for SMBs is dependent upon serious planning, development and implementation of current policies and procedures, documentation of cybersecurity measures taken and entity-wide commitment to the efforts.

What you might have thought was not a big breach (or a big deal in terms of HIPAA compliance), might end up being a big headache for covered entities and business associates. In fact, it’s probably a good idea to try to find out what “smaller” breaches your competitors are reporting (admittedly not an easy task, since the “Wall of Shame” only details breaches affecting the protected health information (PHI) of 500 or more individuals).

Subscribers to the U.S. Department of Health and Human Services Office of Civil Rights (OCR) listserv received an announcement a couple of weeks ago that OCR would begin to “More Widely Investigate Breaches Affecting Fewer than 500 Individuals”. The announcement states that the OCR Regional Offices investigate all reported breaches involving PHI of 500 or more individuals and, “as resources permit”, investigate breaches involving fewer than 500.  Then the announcement warns that Regional Offices will increase efforts “to identify and obtain corrective action to address entity and systemic noncompliance” related to these “under-500” breaches.

Regional Offices will still focus these investigations on the size of the breach (so perhaps an isolated breach affecting only one or two individuals will not raise red flags), but now they will also focus on small breaches that involve the following factors:

*          Theft or improper disposal of unencrypted PHI;

*          Breaches that involve unwanted intrusions to IT systems (for example, by hacking);

*          The amount, nature and sensitivity of the PHI involved; and

*          Instances where numerous breach reports from a particular covered entity or business associate raise similar concerns

If any of these factors are involved in the breach, the reporting entity should not assume that, because the PHI of fewer than 500 individuals was compromised in a single incident, OCR is not going to pay attention. Instead, whenever any of these factors relate to the breach being reported, the covered entity (or business associate involved with the breach) should double or triple its efforts to understand how the breach occurred and to prevent its recurrence.  In other words, don’t wait for the OCR to contact you – promptly take action to address the incident and to try to prevent it from happening again.

So if an employee’s smart phone is stolen and it includes the PHI of a handful of individuals, that’s one thing. But if you don’t have or quickly adopt a mobile device policy following the incident and, worse yet, another employee’s smart phone or laptop is lost or stolen (and contains unencrypted PHI, even if it only contains that of a small handful of individuals), you may be more likely to be prioritized for investigation and face potential monetary penalties, in addition to costly reporting and compliance requirements.

This list of factors really should come as no surprise to covered entities and business associates, given the links included in the announcement to recent, well-publicized OCR settlements of cases involving smaller breaches.  But OCR’s comment near the very end of the announcement, seemingly made almost in passing, is enough to send chills down the spines of HIPAA compliance officers, if not induce full-blown headaches:

Regions may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.”

In other words, if the hospital across town is regularly reporting hacking incidents involving fewer than 500 individuals, but your hospital only reported one or two such incidents in the past reporting period, your “small breach” may be the next Regional Office target for investigation. It will be the covered entity’s (or business associate’s) problem to figure out what their competitors and colleagues are reporting to OCR by way of the “fewer than 500” notice link.

In a recent Guidance, the Office of Civil Rights of the U.S. Department of Health and Human Services (“OCR”) appears to have attempted to reverse an impression that its emphasis is more on privacy of protected health information (“PHI”) than on security of PHI. Its July 2016 article draws attention to the need by covered entities and business associates for equal attention to PHI security.

Relative to this OCR initiative, our partner Elizabeth Litten and I were recently featured again by our good friend Marla Durben Hirsch in her article in the August 29, 2016 issue of Environment of Care Leader entitled “OCR: Providers need to assess cybersecurity response.” Full text can be found in the August 29, 2016 issue, but a synopsis is below.

Litten and Kline observed that the Guidance provided less specificity than prior guidance releases in the HIPAA area and seemed to be  more geared to large providers and managed healthcare systems. Nonetheless, Litten observed, “The bar [for PHI security] is higher than what some providers thought, especially if you read this with the [contemporaneous OCR] guidance on ransomware. So you may need [to take more steps] to protect your software.” Kline added, “OCR is going to say that if we tell you to do this and you don’t, tough on you.”

Some of the tips provided by Litten and Kline in the article include the following:

  1. Litten: Protect your electronic patient information if you haven’t done so already, taking into account your particular resources and limitations. “You don’t need a forensic analyst on staff, but you may want the contact information of one in your address book. If you’re not sure how to proceed or even where to start, you may need to hire a consultant to help you.”
  2. Kline: Develop policies and procedures to address cybersecurity. “The fact that you’ve done something constructive and documented that you’ve tried to comply, you’re so much better off [if you get audited by OCR].”
  3. Kline and Litten: Review your cybersecurity response policies, plans and procedures annually.
  4. Litten: Ask your electronic health record and other health IT vendors about the cybersecurity capabilities of their systems. “You want to make use of tools you have or at least know what you don’t have.”
  5. Kline: Understand that OCR considers a cybersecurity incident, not just a breach and not just ransomware, a reportable breach that must be put through the four-part risk analysis to determine whether that presumption can be refuted. “It’s not just [clear] breaches that need a HIPAA risk analysis.”
  6. Kline and Litten: Document all of your plans, policies and pro­cedures your facility has to respond to a cybersecurity incident and what you have done if you have been subject to one.
  7. Litten: Use free or easily available resources when you can. For instance, OCR has tools on its website, such as a sample risk analysis to determine vulnerabilities of electronic patient data. Your local medical societies may also offer tools, webinars and training.
  8. Litten: Make sure that your business associates also have cybersecurity protections in place. “The [G]uidance specifies that business associates as well as covered entities need to have this capability. Because it’s the covered entity that’s ultimately responsible for protecting its patient data and for reporting security breaches, it falls to the entity to ensure that the business associate complies.” So you need to ask business associates what their cybersecurity response plans entail and make sure that they’re adequate, include the fact that they have such a plan in the representa­tions and warranties of your business associate agreement, require swift reporting to you of any cybersecurity incidents suffered by a business associate and make sure that business associates limit access to your patients’ data. “You don’t want seepage of patient protected health information.”

In light of the clear concerns of OCR that covered entities and business associates, both large and small, pay sufficient attention to security of PHI, current compliance efforts should evidence relevant concrete policies and procedures that cover not only privacy but also security. Documentation of such efforts should specifically address current issues such as ransomware and risk analysis to demonstrate that the covered entity or business associate is staying current on areas deemed to be of high risk by OCR.

HIPAA turns 20 today.   A lot has changed in the two decades since its enactment.  When HIPAA was signed into law by President Bill Clinton on August 21, 1996, DVDs had just come out in Japan, most people used personal computers solely for word processing, the internet domain myspace.com had just come online, Apple stock was at a ten-year low, and Microsoft Windows CE 1.0 would soon be released (in November of 1996 as a portable operating system solution).  In December of 1996, Microsoft’s Office 97 was published in CD ROM and also available on a set of 45 3 ½ inch floppy disks.  The internet did not exist in many countries, and The New York Times took the bold step of starting its own website.  Google was also born in 1996, but few people had heard of it outside of Stanford University. Pokémon hit the market for the first time, but it wasn’t a game played on cell phones.  Even texting was a rarity:

“Most early GSM mobile phone handsets did not support the ability to send SMS text messages, and Nokia was the only handset manufacturer whose total GSM phone line in 1993 supported user-sending of SMS text messages. According to Matti Makkonen, the inventor of SMS text messages, Nokia 2010, which was released in January 1994, was the first mobile phone to support composing SMSes easily … Initial growth was slow, with customers in 1995 sending on average only 0.4 messages per GSM customer per month.” [https://en.wikipedia.org/wiki/Short_Message_Service]

According to Wikipedia, the first secure data kidnapping attack was invented by experts at Columbia University and was presented at an IEEE Privacy and Security conference in 1996.   Fast forward 20 years to the first six months of 2016, and ransomware attacks of hospitals made headlines after a hospital in Hollywood, California paid $17,000 in ransom (reportedly in bitcoins, another digital invention never considered in 1996).

The Department of Health and Human Services (HHS) released a “FACT SHEET: Ransomware and HIPAA” in July of 2016, reporting a 300% increase in ransomware attacks reported in the first 6 months of 2016 as compared with those reported in all of 2015.  It’s hard to imagine that, back in 1996 (or even in 2000 or 2003, when the Privacy Rule and Security Rule, respectively, were first promulgated) HIPAA compliance would require staving off and responding to cybersecurity attacks involving data “kidnapping”.

Over the years, this blog site has addressed many issues that were not a gleam in the eyes of the federal and state governments, healthcare organizations, insurers, patients and many other stakeholders in 1996.  Ten of these issues featured in the last two years on this blog and their links and posting dates are noted below.

  • Is Your Facility a PokéStop? (A what?) – July 20, 2016
  • HIPAA audits – April 10, 2016
  • Health Information Mobile Apps – March 31, 2016
  • The Federal Trade Commission becomes one of several competing new sheriffs in town for regulating healthcare privacy and security – January 11, 2016
  • Stolen laptops as constant sources of HIPAA privacy breaches – September 3, 2015
  • Dumpster diving as a common source of HIPAA breaches respecting paper records – July 31,  2015
  • Federal and state governments become victims of HIPAA breaches even with high levels of security – June 26, 2015
  • Countless cases of alleged theft and other crimes involving PHI or other HIPAA breaches by employees, including physicians – March 24, 2015
  • Numerous lawsuits by State Attorneys General to enforce HIPAA and state health information privacy laws – December 17, 2014
  • The “Wall of Shame” features many highly respected and well-known hospitals, universities, insurers, Fortune 500 companies and numerous other lesser-known victims – July 30, 2014

It can be expected that many more unanticipated and challenging issues will confront HIPAA in the future as the dizzying advance of technology surges onward, matched only by the boundless ingenuity of hackers and others seeking to profit from illegal activities relating to PHI.

The aftermath of the Orlando nightclub tragedy has led to much discussion about ways that healthcare providers can and should deal with compliance with health information privacy requirements in the face of disasters that injure or sicken many individuals in a limited time frame. One aspect is the pressure to treat patients while simultaneously fulfilling the need to supply current and relevant information to family, friends and the media about patient status without breaching HIPAA by improperly disclosing protected health information (PHI).

Our partner Elizabeth Litten has already posted a prior blog entry on some HIPAA issues that surfaced in the Orlando disaster. She and I were recently featured again by our good friend Marla Durben Hirsch in her article in the August, 2016 issue of Medical Practice Compliance Alert entitled “After Orlando: Keep family, friends informed without violating HIPAA.” Full text can be found in the August, 2016 issue, but a synopsis is below.

Some of the tips provided by Litten and Kline in the article include the following:

  1. Kline: Review and update your practice’s disaster/emergency plan. “[Orlando] was such a disaster, and [there was an appearance created that] the hospital didn’t approach it with calmness and a professional approach.”
  2. Litten: One of the easily forgotten parts of HIPAA is that a covered entity can exercise professional discretion. “It’s best if the patient can agree [to the disclosure]. But if the patient can’t give consent, the provider has ways to provide information and exercise that discretion.” Kline added, “So there’s no need for a HIPAA waiver; the rule anticipates such situa­tions.”
  3. Litten: Make sure that the practice’s desig­nated spokesperson is knowledgeable about HIPAA. “This includes what can and can’t be divulged to friends, family members and the media.
  4. Litten: Educate clinicians on professional discretion. “Remember when disclosing information to view it through the eyes of the patient. If you reasonably believe that a patient would want the information communicated, it’s OK. The professional is acting as proxy for a patient who can’t speak.” 
  5. Kline: Share contact information so staff can quickly get guidance from the practice’s compliance officer, especially during emer­gency situations. “For instance, a clinician being bombarded in the emergency department may have a question regarding whether she can tell a patient’s relative that the patient has been treated and released (she can).”
  6. Kline: Add this information to your practice’s HIPAA compliance program. “If you have policies and procedures on this, docu­ment that training occurred, and [if it] can show you attempted to comply with HIPAA, a court would be very hard pressed to find liability if a patient later claims invasion of privacy.” 
  7. Kline: Don’t discriminate. “So clinicians exercis­ing their professional discretion in informing friends and family members need to be gender neutral and objective.”
  8. Kline and Litten: Train administrative staff about HIPAA. “Not only should medical staff know the rules, but so should other staff members such as front desk staff, managers and billing personnel. It’s pretty bad when the head of a hospital is so uninformed about HIPAA that he provides misinformation to the mayor.”
  9. Kline and LittenHighlight the limitations of the disclosure. “You can’t go overboard and reveal more than is allowed. For instance, a provider can tell a friend or family member about an incapacitated patient’s location, general condition or death. But that doesn’t mean that he can divulge that the lab tests indicate the patient has hepatitis. HIPAA also requires that a disclosure be made only of information that’s ‘minimally necessary.'”

Planning ahead by healthcare providers can help them comply with HIPAA if a disaster situation occurs to keep family and friends informed as to patient status, while contemporaneously carrying out their most important tasks: saving lives, alleviating pain and providing quality care to victims. This approach, however, combined with a good helping of common sense and professionalism, is not confined to disasters – it should be the practice of providers for non-emergent situations as well.

 

Are strangers wandering around your health care facility with their noses buried in their smartphones? And if so, what should you do about it? They’re playing Pokémon GO, a location-based augmented reality mobile game that was released for iOS and Android devices on July 6, 2016. Its popularity exceeded all expectations (my kids are probably playing it right now).

The game’s objective requires players to search in real-world locations for icons that appear on a GPS-like virtual map. The icons may represent PokéStops where players may find and capture Pokémon (“pocket monster” characters) that appear on the player’s phone superimposed over images of the real-world location when in augmented reality (AR) mode, and “Gyms” where they can virtually battle other players. Niantic, Inc., a Google spinoff, developed the game and based its PokéStops and Gyms on user-contributed locations (“portals”) from its previous augmented reality game, Ingress. These sites include businesses, parks, public buildings, museums, churches, private homes, and yes, even hospitals.

When players encounter Pokémon, they can take screen shots using their phone’s camera, which in AR mode will also capture whatever is in the background at the time. Naturally, this is giving hospitals and other healthcare facilities some concerns about safety, privacy, and maintaining a peaceful healing environment.  Indeed, in extreme cases of “invasion by Pokémon GO players,” the law of tort or criminal trespass could possibly be invoked by a health care facility in many jurisdictions. Simply stated, the action of trespass can be maintained against anyone who interferes with the right of ownership or possession of land, whether the invasion is by a person or by something that a person has set in motion. However, such an action would undoubtedly create a media sensation and must be carefully considered before undertaking it

The game has already made headlines for contributing to incidents where deeply-absorbed players have been injured by following their phones into the path of danger. The Advisory Board reports that the game has directed players near a hospital’s helipad Amid ‘Pokémon Go’ craze, hospitals say game players could jeopardize patient safety. Healthcare Business and Technology reports “The sheer amount of unauthorized visitors has raised safety concerns about everything from security issues to increased germ exposure that heightens patients’ risk of infections.” Pokemon Go causes problems for hospitals: How to respond.

Ban it? Embrace it?

Accordingly, some hospitals have asked players to avoid their campuses or banned the game outright. Others have forbidden their staffs from playing the game while on site, according to Healthcare IT News. The game appeals to a surprisingly wide age group since many adults have fond memories of playing the original Nintendo game in the mid-1990’s.

For HIPAA purposes, the use of smartphone cameras in the game can be problematic. At a recent meeting of the Healthcare Council of Western Pennsylvania, compliance officers reported that they had discovered PokéStops in their facility near patient care areas where records were potentially visible. Hospitals certainly do not want to encourage or permit individuals to wander their halls who are not there to obtain care or visit patients they know.

Many hospitals have policies on use of cameras or camera phones on campus, and those policies should be reviewed and recirculated to staff as well as communicated to patients and visitors in light of the popularity of the game.

Some children’s hospitals, however, are big fans of the game and its ability to motivate hospitalized kids to be more physically active and socially interactive. USA Today reports:

In the past, young patients at C.S. Mott Children’s Hospital in Ann Arbor, Mich., shuffled down the hallways without speaking to each other, but now it’s not uncommon to see them stop and talk near a Pokémon Go hotspot.

Advocate Children’s hospital in Oak Lawn/Park Ridge, IL tweeted a photo of a young patient playing the game with the caption “Luke’s mom says @Pokemon Go has been a lifesaver to get him out of his hospital room and moving around!” We hope they had Luke’s mom’s permission for the tweet. Toronto’s Sunnybrook Hospital tweeted : “We love that #PokemonGO encourages exercise! Remember: stay alert & safe. Can’t catch ’em all from a hospital bed.” Of course HIPAA is not an issue in Canada, but there is Ontario’s Personal Health Information Protection Act (PHIPA). And a meme is circulating featuring an anime-style nurse which reads “

Hey Pokémon Go players. Have extra lures? Then drive to your nearest Children’s Hospital and drop the lure there. There are plenty of kids who would love to go out and collect Pokémon, but they are stuck in bed, so this will help them.”

(Lures are markers players can collect and distribute within the game that help attract Pokémon).

Wipe yourself off the map?

Hospitals are not the only unwilling hosts of PokéStops and Gyms. The Holocaust Museum and Arlington National Cemetery are among locations that are included in the game’s map. As a result of objections, Niantic has set up a link to a form on its web site through which you can request removal of a PokéStop or Gym. It is not clear how long it will take for the company to remove an unwelcome site.

It’s common these days for technology to outpace policy, but it’s a good idea to understand this sudden craze and decide how to approach it in your organization.

We blogged on this back in early May, but compliance with individuals’ rights to access their PHI under HIPAA is even more critical now that OCR has announced that its current HIPAA audits will focus on an audited Covered Entity’s documentation and process related to these access rights.

In an email sent to listserv participants on July 12, 2016 from OCR-SECURITY-LIST@LIST.NIH.GOV, the U.S. Department of Health and Human Services (HHS) included the following list of areas of focus for the desk audits:

Requirements Selected for Desk Audit Review
Privacy Rule
Notice of Privacy Practices & Content Requirements  [§164.520(a)(1) & (b)(1)]
Provision of Notice – Electronic Notice   [§164.520(c)(3)]
Right to Access  [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)]
Breach Notification Rule
Timeliness of Notification  [§164.404(b)]
Content of Notification  [§164.404(c)(1)]
Security Rule
Security Management Process —  Risk Analysis  [§164.308(a)(1)(ii)(A)]
Security Management Process — Risk Management  [§164.308(a)(1)(ii)(B)]

As discussed in our prior post, HHS issued guidance regarding individuals’ rights to access PHI earlier this year. Here is a link to this PHI access guidance:  Individuals’ Right under HIPAA to Access their Health Information | HHS.gov

The HHS access guidance stresses that Covered Entities should provide individuals with “easy access” to their PHI and cannot impose “unreasonable measures” on the individuals with respect to this right to access. The HHS access guidance provides important information regarding the different rules that apply when an individual provides a signed authorization for release of their PHI versus when an individual is really making a request for access to his or her PHI.

If an individual is asking for the PHI to be provided to him or her, this is really a request for access even if the individual is providing a signed authorization for release of the PHI.

If the individual is asking the PHI to be directed to a third party, this can be either a situation when a signed authorization is needed or can be an access request, depending on who is really originating the request (the individual or the third party). A Covered Entity cannot require an individual to provide a signed authorization to make an access request.  A Covered Entity can require that the access request be in writing and can require use of a form as long as it does not impose undue burden on the individual’s right to access.

The HHS access guidance also indicates that if an individual requests that his or her PHI be provided by email, the Covered Entity is required to do so and further, if the individual requests in writing that the PHI be provided by unsecure, unencrypted email, the Covered Entity is required to do so after notifying the individual in writing of the risks of this method of transmission. (This notice can be included on the access request form.)

As a result of the HHS access guidance, a Covered Entity may need to review and amend its HIPAA Privacy Policies and Procedures governing individual rights with respect to access to PHI, the form it uses for individual access requests, and its employee training protocols to be sure employees aren’t requiring a patient  (or member, in the case of a health plan Covered Entity) to sign an authorization form when the patient is requesting access to PHI.

The private sector is still not prepared – and generally lacks the knowledge – to respond effectively to a major cyber breach, according to 80 percent of respondents in a survey released by Fox Rothschild LLP.

“There is an alarming lack of awareness at the senior level when it comes to data governance practices in the private sector” said Fox partner Scott Vernick, who chairs the firm’s data security and privacy practice.

In its survey of cybersecurity professionals and risk experts across insurance, legal and other industries, Fox found that despite companies’ pouring real money and resources into data security:

  • 65 percent said the private sector is only “somewhat prepared” to respond to a data breach;
  • 15 percent stated it is “not prepared” at all; and
  • Only 20 percent said the private sector is “very prepared.”

The survey’s 75 respondents also expressed significant concern about senior management’s understanding of how data is, and can be, vulnerable. In fact, more than 85 percent said senior business leaders could “not accurately” or only “somewhat accurately” identify and address their companies’ data collection and storage practices.

“Companies in all sectors need to understand what types of data they collect, who has access to it and how it is stored well before a breach takes place,” Vernick added. “If they don’t follow best practices, it will cripple their ability to respond effectively and lead to costly litigation.”

In the debate over encryption and “access to data,” 84 percent of the Fox survey respondents favored the private sector’s right to guard customer data against government access in the event data was encrypted and otherwise not accessible. Nearly 75 percent also believe the private sector should be permitted to tell customers when the government subpoenas their data.

Survey respondents cited the following areas as requiring the most improvement by the private sector when it relates to cybersecurity strategy:

  • Employee training (29 percent);
  • Vendor management (24 percent);
  • Security and protection of systems, networks, firewalls and applications (19 percent);
  • Funding and resources (19 percent);
  • Encryption of data (5 percent); and
  • BYOD security (4 percent).

Contributed by Elizabeth R. Larkin and Jessica Forbes Olson

Health care providers know about and have worked with HIPAA privacy and security rules for well over a decade. They have diligently applied it to their covered entity health care provider practices and to their patients and think they have HIPAA covered.

What providers may not realize is that they may actually have two separate HIPAA covered entities. A provider that offers an employee group health plan (which includes a self-insured medical, dental, or vision plan, an employee assistance program, a health reimbursement arrangement, and any health flexible spending account benefits) has a covered entity health plan and there are some additional and different HIPAA requirements that must be addressed.

Health care providers need to ensure they have implemented HIPAA for their covered entity group health plans and plan participants (employees) and their dependents who are enrolled in coverage. Providers should not rely on the HIPAA compliance documentation that they use for patients for use with their group health plans.

HIPAA applies differently to covered entity health care providers and covered entity group health plans. For example:

  • A group health plan is required to have a HIPAA plan document amendment that includes specific promises to comply with the HIPAA rules, including an obligation of the plan sponsor (employer) to not use protected health information (PHI) for employment related reasons or for any benefits other than the group health plan without signed authorizations from impacted group health plan participants and their dependents. The plan document amendment needs to be adopted (signed) in the same manner as other group health plan amendments.
  • A group health plan needs to indicate in the plan document amendment which employees are allowed to have access to group health plan PHI to perform group health plan administration activities. This will be limited to a small group of individuals (e.g., individuals in HR/benefits and payroll and IT personnel who provide support services to them along with the HIPAA privacy and security officials for group health plans).
  • A group health plan is required to have a document certifying that they have the appropriate HIPAA plan document amendment in place.
  • HIPAA training for the group health plans is limited to those workforce members listed in the HIPAA plan amendment as being entitled to access PHI in connection with performing plan administration functions (instead of the entire company workforce).
  • A group health plan needs its own HIPAA notice of privacy practices that describes how the group health plan will use and disclose PHI, which will be different from the notice of privacy practices it uses as a health care provider. (For example, one main reason a provider will use PHI is for treatment for its patients.  This will not apply to a group health plan since it does not provide treatment, but instead pays for covered treatment.)
  • The posting and distribution requirements for a group health plan notice of privacy practices to plan participants are different than the posting and distribution requirements that apply to patients.
  • A group health plan may not have to comply with more stringent state privacy or security laws due to ERISA preemption.
  • A group health plan needs HIPAA policies and procedures, but due to the differences between covered entity providers and covered entity group health plans, they will be different.
  • A group health plan needs a HIPAA privacy and HIPAA security official appointed. They can be the same individuals that act in this capacity for the covered entity provider, but do not have to be and often are not, at least for the HIPAA privacy official.  Group health plans often appoint as their HIPAA privacy official someone senior who is responsible for overseeing employee benefits (e.g., VP of Compensation and Benefits or Director of Benefits), while covered entity providers often appoint an organization-wide compliance officer or someone who works closely with that person to be the HIPAA privacy official.

The U.S. Department of Health and Human Services (HHS) is in the process of selecting covered entities and their business associates to audit for HIPAA compliance, and it is possible that HHS could select the health care provider’s covered entity group health plan to audit rather than (or in addition to) the covered entity health care provider practice. HHS can impose separate penalties for covered entity group health plan violations.  The range of possible penalties is the same for covered entity group health plans and covered entity health care providers.

Not only do covered entity health care providers have an obligation to ensure that their separate covered entity group health plans are in compliance with HIPAA, it will reflect poorly on a practice to have a HIPAA violation with respect to its group health plan. If you don’t comply with HIPAA for your employee group health plans, patients may assume that you don’t comply with HIPAA for your practice.

In short, health care providers need to make certain that they comply with HIPAA with respect to both their practices and their employee group health plans.

My heart goes out to any family member trying desperately to get news about a loved one in the hours and days following an individual or widespread tragedy, irrespective of whether it was triggered by an act of nature, an act of terrorism, or any other violent, unanticipated, life-taking event. My mind, though, struggles with the idea that HIPAA could actually exacerbate and prolong a family member’s agony.

HIPAA is, generally speaking, intended to protect our privacy when it comes to health status, treatment, or payment and to facilitate appropriate access to our health information. But, as is typical with federal laws intersecting areas historically governed by State law, HIPAA defers to State law in some key respects.  For example, if a HIPAA provision is contrary to a similar provision of State law, it preempts State law unless the State law relates to the privacy of individually identifiable health information and is “more stringent” than the comparable HIPAA provision.  HIPAA also references “applicable law” in describing who can get information as a personal representative of an individual or act on behalf of a deceased individual.

So what does this mean in the context of family members seeking information about loved ones following the devastating Orlando, Florida night club shooting or following some other violent tragedy?

If a victim is hospitalized and a friend or family member is trying to get information about the victim, HIPAA permits the hospital to share information under the following circumstances:

*          A hospital may use protected health information (PHI) to notify or assist in the notification of a family member, personal representative or other person responsible for the patient’s care of the patient’s location, general condition or death

*          A hospital can use a facility directory to inform visitors and callers of a patient’s location and general condition

*          A hospital can release information as to the victim of a crime in response to law enforcement’s request for such information under certain circumstances, and law enforcement can notify the families

*          If the patient is competent, the patient can tell the hospital that it may release all information to their family and friends

*          If the patient is not competent to authorize release of information, a “personal representative” (a person authorized under State law to act on behalf of the patient to make health care decisions) can have all information necessary to make decisions.  That person can also authorize release of information to others

Sadly, the agony of loved ones seeking information about a patient may be prolonged if they are not viewed as family members or if State law does not recognize the loved one as a “personal representative”.  Sure, the federal Department of Health and Human Services (HHS) could amend the HIPAA regulations to deem certain individuals (for example, same-sex partners who are not legally married) to be personal representatives for purposes of access to PHI.  [Note: HHS treats legally married same-sex spouses as “family members” under HIPAA — see special topic publication available here.]

However, if the State law does not recognize these certain individuals as personal representatives, perhaps because the State law is “more stringent than” HIPAA in affording the patient greater privacy, HHS might also have to amend its HIPAA preemption regulations.

Hospitals and other health care professionals are constantly called upon to exercise discretion in dealing with requests for PHI from family members and loved ones of patients while complying with HIPAA.   HIPAA regulations may need to be modified or perhaps could be “waived” (as described yesterday’s Washington Post article) in some cases, but only when doing so furthers the fundamental HIPAA goals of privacy protection and facilitation of appropriate access.

Because of the enormity of the Orlando tragedy, some State legislatures may be expected to consider whether changes are necessary to promote information sharing in exigent circumstances while preserving the State’s interest in affording patients greater privacy protection than that afforded by HIPAA.