President Biden issued an Executive Order on September 9, 2021 (the “EO”) that will lead to required COVID-19 vaccinations for workers in most health care facilities that receive Medicare or Medicaid funds.  This covers approximately 50,000 health care providers across the country.

The EO also triggers COVID-19 vaccination requirements for many of these health care providers’ HIPAA business associates, if the contracts are entered into, renewed, or extended on or after October 15, 2021.

As per the EO, the Safer Federal Workforce Task Force will issue further guidance by September 24, 2021, including language that affected covered entities and business associates must incorporate into their contracts and subcontracts.  The EO contains few exceptions:

This order shall not apply to:
(i)    grants;
(ii)   contracts, contract-like instruments, or agreements with Indian Tribes under the Indian Self-Determination and Education Assistance Act (Public Law 93-638), as amended;
(iii)  contracts or subcontracts whose value is equal to or less than the simplified acquisition threshold, as that term is defined in section 2.101 of the Federal Acquisition Regulation;
(iv)   employees who perform work outside the United States or its outlying areas, as those terms are defined in section 2.101 of the Federal Acquisition Regulation; or
(v)    subcontracts solely for the provision of products.

Many covered entity health care providers have been implementing worker vaccination mandates for some time, and have grappled in recent months with the breadth and scope of COVID-19 vaccination mandates affecting workers, volunteers, vendors, and other individuals who enter their facilities.  Business associates who provide services to these health care providers are less likely to have developed policies and procedures dealing with workforce and subcontractor vaccination requirements.  The EO should serve as a wake-up call to business associates who may face a COVID-19 employee and subcontractor vaccination requirement in the near future.

 

 

Cyber security

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint security advisory aimed at reminding businesses to be on guard over the Labor Day and other holiday weekends against cyberattacks.

History has shown threat actors often ramp up ransomware and other attacks over holidays when businesses let down their guard.

Nate Williams of the firm’s Privacy & Data Security Practice and Data Breach Prevention & Response Team summarizes the guidance in this client alert.

HIPAA has been around for a quarter century, but confusion continues as to its scope and applicability.   The COVID pandemic, surge in Delta variant cases, and increasing number of employer and government vaccine mandates has triggered a new wave of interest in other people’s’ vaccination status. Many people are surprised to learn that HIPAA does not prevent you from asking or answering the question “Are you vaccinated?”

Fellow Fox partner Bill Maruca was recently interviewed by his local (Pittsburgh) NPR affiliate in this piece:  UPMC’s New CEO Says No Vaccine Mandates, Will Focus On Education.

Here’s an excerpt:

There have been questions, and misunderstandings about what is and isn’t legal for an employer, healthcare provider or even individual to know about others’ vaccination status. For example, Republican Representative Marjorie Taylor Greene of Georgia has said reporters asking about her vaccine status is a violation of the Health Insurance Portability and Accountability Act (HIPAA).

That’s absolutely wrong,” says Bill Maruca, an attorney at Fox Rothschild LLP and expert in health care laws, including HIPAA.

If they were to ask her doctor if she was vaccinated, that would be covered by HIPAA and her doctor would not be permitted to reveal that information. … Asking her directly is not a HIPAA violation, but she doesn’t have to answer.”

 

Artificial Intelligence (AI) is widely viewed as a valuable tool for improving health and healthcare. It is being used by major technology companies such as Google, small start-up companies, and researchers to collect and analyze health data collected from a variety of sources.  As stated by Abhimanyu S. Ahjula in this October 2019 article:

AI is poised to play an increasingly prominent role in medicine and healthcare because
of advances in computing power, learning algorithms, and the availability of large datasets (big data) sourced from medical records and wearable health monitors.

However, if the health data involved is subject to HIPAA, extra precautions are required.  Fox Rothschild LLP associate Kristina Neff Burland and I examined the interplay between HIPAA and the use of AI in this article published on January 21, 2021 by OneTrust DataGuidance.   Key take-aways described in the article include:

  1.  Determine whether HIPAA may apply — consumer-generated and submitted data may provide an out
  2.  De-identifying protected health information (PHI)?  Proceed with caution
  3.  Have a business associate agreement in place before transferring PHI to a third party
  4.  Make sure processing PHI for purposes of AI is a permissible “use” under HIPAA

Flo Health, Inc., which marketed an app used by more than 100 million women interested in tracking their personal menstruation and fertility information, seems to be getting off easily as compared with HIPAA-covered entities who misuse individual health information.  The FTC’s January 13, 2021 press release announcing its proposed settlement with Flo Health sidesteps mention (let alone enforcement) of a federal law (and the FTC’s own rule).  This puzzling sidestep deserves attention, not only in light of the proliferation of the use of personal health apps, but given the particularly sensitive nature of the health information collected by the Flo Health app.

The Health Information Technology for Clinical and Economic Health Act (HITECH), enacted as part of the American Recovery and Reinvestment Act of 2009 (the Recovery Act), not only amended HIPAA, but added HIPAA-like breach notification requirements that apply to vendors of “personal health records” (PHRs) that are not covered entities, business associates, or subcontractors subject to HIPAA.  As described by the FTC in a “request for comment” published last May:

The Recovery Act recognized that vendors of personal health records and PHR related entities (i.e., companies that offer products and services through PHR websites or access information in or send information to PHRs) were collecting consumers’ health information but were not subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act (‘‘HIPAA’’).  The Recovery Act directed the FTC to issue a rule requiring these entities, and their third-party service providers, to provide notification of any breach of unsecured individually identifiable health information. Accordingly, the HBN [Health Breach Notification] Rule requires vendors of PHRs and PHR related entities to provide: (1) Notice to consumers whose unsecured individually identifiable health information has been breached; (2) notice to the media, in many cases; and (3) notice to the Commission…

The [HBN] Rule requires notice ‘‘without unreasonable delay and in no case later than 60 calendar days’’ after discovery of a data breach. If the breach affects 500 or more individuals, notice to the FTC must be provided ‘‘as soon as possible and in no case later than ten business days’’ after discovery of the breach.”

Yet, surprisingly, the FTC’s Flo Health press release and proposed settlement is completely silent with respect to Flo Health’s failure to abide by the Recovery Act and the FTC’s own breach notification rule.  Although its impermissible practices seem to have been “discovered” back in February of 2019 (see here for original WSJ revealing Flo Health’s data practices), Flo Health failed to notify its millions of female users that it allowed their personal and uniquely sensitive health information to be used by third parties, including Google and Facebook, for their own purposes, including advertising.

While the proposed settlement requires website notice and individual email/mobile app notice within 14 days after the filing of the Consent Order, such notice would come well beyond the “60-day following discovery” deadline.   In addition, as drafted by the FTC, the notice is focused on what was not improperly disclosed (name, address, or birthday), rather than what was.  When a covered entity notifies individuals, regulators, and the media of a HIPAA breach, it must include a description of the types of information involved in the breach.

Two FTC commissioners, Rohit Chopra and Rebecca Kelly Slaughter, picked up on the FTC’s failure to enforce the Recovery Act and FTC breach notification rule. Their Joint Statement points out that the “explosion in connected health apps” make the breach notification rule “more important than ever”:

[S]ervices like Flo need to come clean when they experience privacy or security breaches.”

Unless they do, health app users will have no idea when their trust is misplaced.

Prior to the holiday, the OCR settled its thirteenth enforcement action under the HIPAA Right of Access Initiative, which involved a primary care physician practicing in the State of Georgia.  Dr. Peter Wrobel, M.D., P.C., operating under the fictitious name of Elite Primary Care, became subject to an OCR investigation (twice) for his alleged violations of the HIPAA Privacy Rule.

In 2019, the OCR received a complaint stating that Elite Primary Care failed to provide a patient timely access to his medical records.  The OCR assisted Elite Primary Care by providing technical assistance, which ultimately led to the OCR closing the complaint.  Just a few months later, the OCR received a second complaint from the same patient stating he still did not receive his medical records.  As a result, Dr. Wrobel must pay a Resolution Amount of $36,000.00 and implement a two year Corrective Action Plan following the OCR’s second investigation.

Again, yet another single  patient complaint leads to a substantial penalty under the Right of Access Initiative.  Although not specifically stated within the Corrective Action Plan, the steep Resolution Amount seems like a by-product of the OCR’s frustration with providing technical assistance and receiving a second complaint involving the same patient and issue.  For the entire press release, please click here.

Additionally, for more information on past enforcement actions under the HIPAA Right of Access Initiative, please click here.

H.R. 7898, sent to the President for signature on December 24, 2020 may be the HIPAA holiday gift covered entities and business associates have been waiting for.  The bill requires the Secretary of the Department of Health and Human Services, when considering penalties, audits and other actions related to HIPAA breaches and security incidents, to take into consideration whether the covered entity or business associate has had “recognized security practices” in place for at least 12 months.

“Recognized security practices” broadly include:

[S]tandards, guidelines, best practices, methodologies, procedures and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity that are developed, recognized, or promulgated through regulations under other statutory authorities.

It is up to the covered entity or business associate to decide which recognized security practices to implement, consistent with the HIPAA Security Rule.

Almost exactly two years ago, HHS announced the publication of “Health Industry Cybersecurity Practices” developed as per the mandate under section 405(d) of the Cybersecurity Act of 2015.  The HICP are practical, cost-effective guidelines to reduce cybersecurity risks.  They include two separate sections: one designed for small health care organizations, and one designed for medium and large organizations.  Though published as “voluntary” practices, entities hoping to avoid HIPAA penalties will have a new reason to voluntarily adopt them if and when H.R. 7898 takes effect.

Since entities must have had HICP or another recognized cybersecurity practice in place for at least 12 months in order to fall within the protections of H.R. 7879, the sooner such practices are implemented, the better.  Every covered entity and business associate should resolve to start 2021 with a renewed commitment to implementing and/or reviewing and updating their cybersecurity practices.

The Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) recently settled four more investigations under the HIPAA Right of Access Initiative, which totals 11 settlements thus far.  In September, the OCR released a press release detailing its settlement of five additional actions under the HIPAA Right of Access Initiative. In the latest settlements, the OCR came down harder on  providers that failed to provide timely access to a patient’s protected health information by imposing six-figure fines (in two instances) and two year Corrective Action Plans on all four occasions.  In addition, the OCR Director delivered some stern remarks regarding the provider’s obligations with respect to the HIPAA Privacy Rule.

I.         Dignity Health

On October 7th, the OCR announced the settlement of its eighth HIPAA Right of Access Initiative investigation involving Dignity Health d/b/a St. Joseph’s Hospital and Medical Center (“Dignity Health”), which is a large, acute care hospital with various clinics based in Phoenix, Arizona. The OCR received a complaint from a mother stating that she made multiple requests for her son’s medical record in acting as her son’s personal representative, to no avail. Dignity Health provided some documents, but failed to properly respond to the mother’s request.

The OCR  determined that Dignity Health failed to provide the personal representative timely access to her son’s protected health information, which ultimately led to the OCR delivering a $160,000 “Resolution Amount” (as defined in the Corrective Action Plan)  and mandating Dignity Health to enter into a two year Corrective Action Plan.  For the record, this Resolution Amount was higher than all five of the previous settlement amounts announced by the OCR combined. The Corrective Action Plan orders the implementation of additional HIPAA policies and procedures, reporting requirements, training, and the submission of annual reports to HHS.  You can find the entire OCR announcement regarding Dignity Health here.

II.        NY Spine Medicine

Shortly following the OCR’s announcement regarding its settlement with Dignity Health, the OCR released yet another announcement regarding the settlement of its ninth investigation under the HIPAA Right of Access Initiative involving NY Spine Medicine, which is a private medical practice specializing in neurology and pain management with locations in New York, NY and Miami Beach, Florida. Last year, the OCR received a complaint from a woman stating that she made a request to NY Spine Medicine for her medical records, and again, the provider failed to the deliver the requested medical records after the woman made several inquiries.

The OCR determined that NY Spine Medicine failed to provide the patient access to her protected health information in a designated record set.  In fact, as of the settlement date, NY Spine Medicine still had not provided the patient with her requested medical records. Similar to the Dignity Health settlement, the OCR handed down a $100,000 Resolution Amount to NY Spine Medicine along with a two year Corrective Action Plan, which included similar mandated provisions as the Dignity Health Corrective Action Plan.  Most notably, the OCR Director, Roger Severino, provide some colorful commentary in the press release by stating: “No one should have to wait over a year to get copies of their medical records.  HIPAA entitles patients to timely access to their records and we will continue our stepped up enforcement of the right of access until covered entities get the message.” You can find the entire OCR announcement regarding NY Spine Medicine here.

III.      Riverside Psychiatric Medical Group

The OCR announced its tenth enforcement action under the Right of Access Initiative involving Riverside Psychiatric Medical Group, which is a group practice focused in mental health and substance abuse located in Riverside, California.  Last year, the OCR received two complaints from an individual stating that Riverside Psychiatric Medical Group failed to provide her requested medical records. After the initial complaint, the OCR even provided technical assistance to Riverside Psychiatric Medical Group.  However, even after the OCR assistance, the patient still did not receive her medical records and filed a second complaint. As such, the OCR issued a $25,000 Resolution Amount and mandated a two year Corrective Action Plan similar to the mandatory Corrective Action Plans in the Dignity Health and NY Spine settlements. You can find the entire OCR announcement regarding Riverside Psychiatric Medical Group here.

IV.      Dr. Bhayani

Within the past few days, the OCR announced its eleventh enforcement action, which was also the first enforcement against a private practitioner. Dr. Rajendra Bhayani specializes in ear, nose and throat medical services with an office located in New York.  Over two years ago, a patient sent a complaint to the OCR stating that she had failed to receive access to her medical records.  Yet again, the OCR responded by providing Dr. Bhayani with technical assistance.  In the summer of last year, the OCR received a second complaint from the same patient, which stated she still had not received her medical records despite the OCR’s efforts to assist the doctor. The OCR responded by issuing $15,000 Resolution Amount and implementing a two year Corrective Action Plan, which includes a six  year document retention requirement. In other words, the OCR will have a close eye on the doctor until October 2026. You can find the entire OCR announcement regarding Dr. Bhayani here.

V.       Moving Forward

The message is loud and clear, Director Severino. The OCR plans to continue its strict enforcement of the Privacy Rule under the HIPAA Right of Access Initiative.  Based on the latest wave of settlements, it seems that all it takes is the denial or inadequate response to a single patient or personal representative’s request to access their medical records and the provider could be on the hook for a six-figure fine. In addition to the Resolution Amounts, the provider could incur additional expenses relating to the compliance with a Corrective Action Plan, whether it is hiring additional staff, drafting new policies, or revamping its entire recordkeeping processes. Moving forward, all providers should diligently respond to all requests for patient records and ensure its policies and procedures comply with the Privacy Rule.

**** Update: University of Cincinnati Medical Center

Following the initial posting of this blog, the OCR subsequently announced the settlement of its twelfth investigation under the HIPAA Right of Access Initiative, which involved the University of Cincinnati Medical Center, LLC (“UCMC”). UCMC is an affiliate of the University of Cincinnati and offers a wide range of medical services within the Greater Cincinnati metropolitan area.  In 2019, the OCR received a complaint from a patient stating that UCMC failed to deliver an electronic copy of her health records to her lawyers.  Upon further investigation, the OCR determined that UCMC failed to timely respond to the patient’s request to deliver her medical records to a third-party, which is an permissible action under the Privacy Rule.  As a result, the OCR issued a $65,000 Resolution Amount and mandated a two year Corrective Action Plan.  You can find the entire OCR announcement regarding UCMC here.

If you have any questions regarding the Right of Access Initiative and how it affects your practice or healthcare business, please do not hesitate to contact us.

Covered entities beware: a timing pitfall lurks within the recently adopted rules prohibiting information blocking.  We have posted about OCR’s “Right to Access Initiative” and numerous enforcement actions taken to make sure that covered entities respond to patient access requests in a timely manner.  The HIPAA Privacy Rule requires covered entities to respond to access requests within 30 days, but OCR has emphasized that this is an “outer limit and covered entities are encouraged to respond as soon as possible.”

Soon, when compliance with the rules adopted by the U.S. Department of Health and Human Services (HHS), Office of the National Coordinator for Health Information Technology (ONC) is required, covered entity health care providers will have another outer limit to contend with when responding to patient access requests.  These rules implement certain provisions of the 21st Century Cures Act and are often referred to as the “Information Blocking rules”, though they also address interoperability of electronic health information and the ONC IT Certification Program.

The Information Blocking rule incorporates and cross-references many of the HIPAA Privacy Rules, including the rule giving individuals the right to access their PHI (45 C.F.R. 164.524).  The Information Blocking rule also provides specific exceptions for activities that will not be considered information blocking.  The exceptions generally align with (and cross-reference) provisions in the HIPAA Privacy Rule.  For example, the “preventing harm” exception aligns with the HIPAA access right exception that allows a covered entity to deny an access request when a licensed health care professional determines, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to the individual or another person.

Only one exception, however, includes an “outer limit” for response, and the outer limit is much shorter than the 30-day limit for responding to HIPAA access requests.

The “infeasibility exception” applies when certain events or circumstances prevent the health care provider from responding to an access request.  These include “uncontrollable events” such as (among others specified in the rule) public health emergencies, internet service interruptions, and labor strikes; the inability to segment the requested information from certain types of other electronic health information, such as information that cannot be made available by law; or where specified circumstances exist that make responding to the request infeasible.  However, if a health care provider denies an individual’s access request under the infeasibility exception, the provider must respond, in writing, to the individual within ten business days of receipt of the request, explaining why providing the requested access is infeasible.

HHS recently extended the date for compliance with the Information Blocking rule from November 2, 2020 to April 5, 2021, but covered entity health care providers may want to take steps now to account for the shortened response time for access requests that may meet the “infeasibility exception”.  Reviewing and amending business associate agreements and HIPAA policies and procedures to incorporate faster turn-around times are good places to start.  Training personnel about the changes and documenting all activities undertaken by the covered entity to comply are other good ways to demonstrate serious compliance efforts.

A recent conversation with a colleague in California prompted me to write this. He said that as part of its back-to-school plan, his children’s elementary school district “highly encouraged” that all students be tested for COVID-19 before returning to class. The district provided families with an in-home saliva test and asked parents to collect their child’s saliva, place the vial in a plastic bag along with some forms containing identifying information, and drop them off at the district offices before the start of school. He was surprised to see that the drop-off box was an open-lidded container on a table outside the entrance to the school district offices. The forms completed by other parents (listing children’s names, insurance information, addresses, etc.) were visible, folded in half inside clear plastic bags along with the samples, but no staff member was stationed at the table to prevent people from peering into the container, removing or reading through the forms. I said that HIPAA most likely does not apply to this health information, but FERPA might (even though the health information on the forms had apparently not yet been recorded into the students’ school records).  Nevertheless, the conversation reminded me that efforts to keep students healthy and safe must account for privacy.

When Ebola was in the public health spotlight, I posted here about a New Jersey elementary school that posted an announcement about two new students arriving from Rwanda.  The post said that the students would be kept at home for 21 days to allay concerns about infecting other students.  The students were not identified by name, and the school admitted that the kids were symptom-free and not from a part of Africa affected by the Ebola outbreak, but the report raised concerns with how schools protect student privacy as well as the health of other students and staff.

Here in my home state of New Jersey, many elementary and secondary schools are open and doing their best to prevent COVID-19 from spreading in the classroom and the community.  The New Jersey Department of Health issued recommendations to local health departments in early September that involve screening of students and staff and collection and reporting of COVID-19 symptoms and test results. As schools around the country grapple with whether and how to get students back into the classroom, it is easy to overlook data privacy requirements, especially when the privacy law that applies to most individually identifiable health information (HIPAA) and the privacy law that applies to most student records (FERPA) differ.

I noted one key difference in the Ebola posting:  HIPAA allows disclosure of protected health information for public health activities, such as to a public health authority that is authorized by law to collect the information to prevent or control disease, but FERPA creates a slightly higher bar to disclosure of identifiable health information contained in a student’s record.  Under FERPA, parents must provide written consent for disclosures of this information, unless an exception applies.  The FERPA “health or safety emergency” exception allows disclosure without parental consent to a public health agency, for example, if the school determines that the public health agency needs the information to protect the health or safety of the students or other individuals.  The school must determine that there is “an articulable and significant threat to the health or safety of students or other individuals” and, within a reasonable period of time after the disclosure, document in the student’s record the threat that formed the basis for the disclosure.  In other words, while reporting the number of students testing positive for COVID-19 might satisfy the FERPA “health or safety emergency” exception, reporting the students’ names or other information might not.

The U.S. Department of Education published FAQs in March 2020 on FERPA and COVID-19, describing the “health or safety emergency” exception that allows reporting to public health departments, as well as when health information can be disclosed to other parties such as parents of other students.  Interestingly, FAQ 7 states that schools can disclose information about a COVID-19 positive teacher or staff member to parents and students, as FERPA only protects information contained in student records, but points out that state privacy laws may apply.  However, it’s worth noting that if the school has a self-funded health plan and receives the information in that capacity, HIPAA would prevent such a disclosure without the individual’s authorization.