When and how should you email PHI, if at all?  The Office for Civil Rights (OCR) offers guidance as to the permissibility of sending PHI via email in this “Frequently Asked Question” answer, but doesn’t provide specifics as to how PHI can be safely emailed.  Whether you are a covered entity or a business associate (or the CIO or Privacy Officer for a covered entity or business associate), an attorney trying to navigate privacy and security compliance under HIPAA and other laws, or an individual whose PHI is at stake, you may wonder what tools and resources are available to protect PHI transmitted via email.

The National Institute of Standards and Technology (NIST) has provided many such tools and resources, including its 2007 “Guidelines on Electronic Mail Security”.  Now, though, NIST is accepting comments through November 30, 2015 on its most recent proposed set of email security guidelines, “Special Publication 800-177, Trustworthy Email”.  Though this Trustworthy Email draft (available with other NIST computer security and privacy publications here) comes with a disclaimer that it is “written for the enterprise email administrator, information security specialists and network managers”, it’s worth review (even by the less tech-savvy among us) because it breaks down and describes each component of email functionality and the protocols and technology currently available to improve privacy and security.

Emailing PHI has become extremely common, but before deciding to send or receive PHI via email, it’s a good idea to make sure the Trustworthy Email protocols and technologies have been considered.   And if you have suggestions or comments as to how these protocols and technologies specifically relate to or can be improved in the context of emails containing PHI, here’s your chance to speak up!  Finally, remember that whatever comes out as the final set of NIST guidelines can become obsolete quickly in this rapidly developing and expanding e-world.

I must thank Justice Scalia for injecting this delightfully descriptive term into the realm of health care.  Justice Scalia’s scathing dissent from the majority in the recent Supreme Court decision interpreting the Patient Protection and Affordable Care Act is rife with memorable expressions, but this is my favorite.

The Merriam Webster definition of jiggery-pokery is:

dishonest or suspicious activity:  underhanded manipulation or dealings; trickery.”

It’s not a term I’ve ever used before, but this old-fashioned, Dickensian-sounding term somehow practically begs for use in the context of a very modern and increasingly common context:  the HIPAA hacking incident.  A recent article in Becker’s Hospital Review lists the “50 biggest data breaches in healthcare” and the most common breach causes are far-and-away hacking and theft.   Notably, hacking incidents result in the highest number of affected individuals.  Here is the break-down:

*          18 hacking incidents (approximately 94 million affected individuals)

*          18 thefts (approximately 14 million affected individuals)

*          9 unauthorized accesses

*          3 missing equipment (1 storage disk, 1 hard drives, and 1 computer server)

*          1 improper disposal

*          1 “other”

In short, it seems that jiggery-pokery is involved far more often than mere carelessness when it comes to HIPAA breaches.  Covered entities and business associates should be alert to dishonest or suspicious activity generally, including from within, but should be especially alert when that activity involves the systems or equipment on which protected health information is created, received, maintained, or transmitted.

Part 2

Money talks.

In other words, offering financial incentives is one way to effect behavior change.  It seems to have worked in getting providers to adopt and use health IT in everyday practice, both in New Jersey and nationally.

HITECH and Meaningful Use Incentive Payments

As explained by ONC in its October 2014 “Report to Congress”:

“Prior to the HITECH Act, adoption of EHRs among physicians and hospitals was quite low. In 2009, roughly one-half (48 percent) of office-based physicians had any type of EHR system. When examining the adoption of EHRs containing functionalities, such as the ability to generate a comprehensive list of patients’ medications and allergies and the ability to view laboratory or imaging results electronically, only 22 percent of office-based physicians had a basic EHR system. U.S. hospitals had similar adoption rates. In 2009, only 12 percent of hospitals had adopted a basic EHR system.”

Stethoscope and currency
Copyright: / 123RF Stock Photo

According to ONC, as of June of 2014, more than 75% of the nation’s eligible physicians had received incentive payments, while 92% of eligible hospitals (including critical access hospitals) had received incentive payments. The areas evaluated by CSHP covered key meaningful use criteria eligible physicians must meet in order to receive these payments.

For the NJ evaluation, CSHP conducted and analyzed a physician mail survey, clinical laboratory and pharmacy mail surveys with telephone follow-up, and physician follow-up telephone interviews with fax and mail follow-up.  In addition, Health Information Organization (HIO) use metrics from each of New Jersey’s six regional HIOs were collected from the New Jersey Department of Health and analyzed by CSHP researchers.

New Jersey Health IT Adoption

The CSHP Report findings identified several key themes.  Among physicians responding, older physicians, those in smaller practices, and specialists were less likely to adopt health IT and more likely to report barriers to adoption (particularly start-up and maintenance costs) and were also more likely to report implementation of health IT as having had a negative impact on their practices.

Most physicians who reported use of health IT felt that use of health IT had a positive impact.  However, they frequently cited start-up and maintenance costs cited as barriers to health IT use.  For labs and pharmacies, those not using health IT reported more perceived barriers to health IT use and anticipated a more negative impact on their workflow and productivity.  Among physicians, labs, and pharmacies, the lack of uniform standards within the industry was cited as resulting in poor system compatibility and was a major issue across all types of health IT.

CSHP weighted the physician mail survey data by specialty to be representative of New Jersey’s office-based physicians. Key findings regarding specific health IT use among the state’s physicians responding to the physician mail survey included the following:

  • Nearly three-fourths (72.5%) of physicians reported use of health IT to transmit prescriptions to pharmacies electronically.
  • Nearly two-thirds (62.6%) of physicians reported use of health IT to view test results from clinical labs electronically. However, only 37.1% reported use of health IT to send lab test requests electronically.
  • Nearly half (48.9%) of physicians reported that they maintained 100% of patient records in their EHR systems.
  • More than half of physicians (57.3%) provided a clinical visit summary to at least 50% of their patients. Less than half of physicians (42.9%) provided electronic patient care summaries to other providers. About one-quarter of physicians (23.0%) accessed electronic patient care summaries created by other providers.

In (very general) comparison, the ONC Report found that in 2013, 57% of prescriptions sent by physicians were sent electronically.  ONC also reported that more than two-thirds (69%) of physicians reported having the capability to order lab tests electronically, while more than three-quarters (77%) reported having the ability to view the lab results electronically.

Perhaps statewide health IT interoperability through expansion of and connection among regional NJ HIOs can be achieved in the next decade, but it will require creation of the necessary health IT infrastructure, awareness of its existence by the providers who will use it, and, perhaps, financial or other incentives to effect its adoption and use.

 

When I need to travel from the southern part of NJ to northern NJ, I often rely on my car or phone GPS and the relative ease and simplicity of the NJ Turnpike.  If I needed my southern NJ physician to share information with my northern NJ physician, I might be surprised to learn that it’s not as easy to get my health data from point A to point B.  My physicians might be using electronic health records (EHR) and health IT, but the communications infrastructure in NJ needs to be further developed.  We need greater awareness and adoption of regional health information organizations (HIOs), a way to fund their maintenance (an EZ Pass system for the transmission of health data?), and development of a connected, statewide system.

In January of 2011, the Office of the National Coordinator for Health Information Technology (ONC) awarded New Jersey $11.4 million to be used for developing a strategic and operational plan for health information exchange, and required the state to conduct an independent evaluation of the state’s health IT program.  The Rutgers University Center for State Health Policy (CSHP) conducted the evaluation and published a Report (Brownlee, et al) last year showing where New Jersey physicians stand (or stood, during a survey period that ran from late 2013 to early 2014) in terms of adoption and use of health IT.

NJ Physician Engagement with Regional HIOs - Pie ChartWhen I read the Report, I was surprised to see that while physician use of health IT is increasing, the road to regional health data sharing (let alone statewide sharing) seems to be a long way off.  The Report found that awareness of the existence of a regional HIO by physicians was low (12.5%), and physician participation in a regional HIO was even lower (6.8%). The New Jersey Turnpike is gloriously accessible and functional as compared with this glimpse of the New Jersey health IT highway.

Where Are We Now? to be continued…

I received a disturbing robo-call over the weekend informing me that someone had attempted to use my credit card number fraudulently in a retail store in the next county. When I called back and verified these were not legitimate charges, my card issuer assured me that I would not be financially responsible, canceled my card and sent me a replacement. My imposter was prevented from accessing my account by the issuer’s tight security system. Victims of healthcare identity theft may not get off so easily, which may explain why smarter thieves are increasingly targeting health records.

The relative value of health records and financial data can vary greatly according to different sources. As the Pittsburgh Post-Gazette reported today,

“The value of personal financial and health records is two or three times [the value of financial information alone], because there’s so many more opportunities for fraud,” said David Dimond, chief technology officer of EMC Healthcare, a Massachusetts-based technology provider. Combine a Social Security number, birth date and some health history, and a thief can open credit accounts plus bill insurers or the government for fictitious medical care, he noted.

Reuters reports that medical information is worth 10 times more than credit card numbers on the black market.

Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company. He obtained the data by monitoring underground exchanges where hackers sell the information.

Medscape reports that a stolen chart may be worth as much as $50, citing an FBI bulletin from April 2014:

Cyber criminals are selling the information on the black market at a rate of $50 for each partial EHR, compared to $1 for a stolen social security number or credit card number. EHR can then be used to file fraudulent insurance claims, obtain prescription medication, and advance identity theft. EHR theft is also more difficult to detect, taking almost twice as long as normal identity theft.

Criminals can monetize stolen health data in other creative ways. For example, some healthcare providers and their business associates have been victimized by so-called “ransomware,” which infects computers and encrypts files, then demands payment (often in untraceable Bitcoin) to unlock them. See the FBI’s January 20, 2015 alert entitled Ransomware on the Rise.

Willie Sutton was famously quoted as selecting banks for his robberies because “that’s where the money is.” Today’s healthcare scammers and hackers may be following his lead by focusing their efforts on the asset most valuable to illicit purchasers.

Perhaps the health care industry has a cybersecurity solution staring us in the face:  vaccines.  Perhaps we should be trying to vaccinate our data storage systems rather than relying on firewalls to quarantine them.  In an article posted on www.philly.com, Associated Press author Youkyung Lee says cybersecurity defense has traditionally been based “on the idea that computers could be protected by a digital quarantine.” Instead, posits Lee, experts need to focus on neutralizing attackers once they get inside a data system, rather than continuing the often-futile attempt to keep them out of the system.

Sounds like a digital vaccination to me.  According to the Centers for Disease Control, the United States is facing a multi-state measles outbreak associated primarily with unvaccinated individuals, and much has been written about parents who refuse to vaccinate their children and thereby unnecessarily and irresponsibly expose others to risk of infection.  When it comes to protecting the safety and wellbeing of protected health information and personal data maintained in a computer system, perhaps the vaccination approach is the way to go.

I turned to www.vaccines.gov for a quick description of how vaccines work in the human body.  Under “Mounting an Immune Response”, the site describes the skin in a way that makes it sound like a computer system’s firewall – it “provides an imposing barrier to invading microbes.  It is generally penetrable only through cuts or tiny abrasions.”  The digestive and respiratory tracts also work like firewalls, using acids and respiratory reflexes (coughs and sneezes) to destroy or expel invading microbes.  If the invading microbes succeed in crossing the body’s natural firewalls, the body’s immune system will kick in to thwart invading bacteria, viruses and parasites.  That’s where vaccines become helpful:

“Vaccines consist of killed or modified microbes, parts of microbes, or microbial DNA that trick the body into thinking an infection has occurred.  A vaccinated person’s immune system attacks the harmless vaccine and prepares for invasions against the kinds of microbe the vaccine contained.  In this way, the person becomes immunized against the microbe:  if re-exposure to the infectious microbe occurs, the immune system will quickly recognize how to stop the infection.”

The HIPAA Security Rule also seems to reflect a “digital quarantine” or firewall approach when it comes to implementing technical safeguards, describing implementation of access control, authentication procedures, and transmission security. (However, the requirement that covered entities and business associates implement audit controls that “record and examine activity in information systems that contain or use electronic protected health information” sounds a bit like the first step needed to develop an effective vaccine against hackers.)

So, since efforts to thwart hackers by using a “digital quarantine” (Lee’s description) or firewall type of barrier have been about as successful as relying on hand-washing and avoidance of theme parks to thwart measles, let’s hope cyber experts start to focus on developing digital vaccines.  These vaccines could not only train data systems to detect and stop a hacker after it has entered the system and before it can damage, remove, or copy the data, but also perhaps even trap the virus or other hacking mechanism for identification, analysis, and law enforcement purposes.

Copyright: / 123RF Stock Photo
Copyright: / 123RF Stock Photo

This post, written by my colleague Elizabeth Hampton, originally appeared on Garden State Gavel, a new blog focusing on New Jersey litigation topics.


Fraud is on the rise in every industry and the lengths that some people will go to make money by “gaming” the system is both fascinating and alarming.  Look for some of these stories in this regular feature designed to inform you of the latest fraud trends and provide practice tips to safeguard your business from unwelcome intruders.

Steps to Fraud- Proof Your  Professional Practice

Fraud is an increasingly lucrative “ business” that weaves its web of deception through corporations, religious and educational institutions, and the provision of health care. The recent data breaches a la Target and Sony are just some of the more highly publicized examples of the breadth of this problem for businesses and their customers.

But did you know that the healthcare industry tops the charts of data breaches and fraud costs?    In fact, The Economist (31 May, 2014) suggests that healthcare fraud in this country contributes to $272 billion dollars in incremental costs to the system.

Health records are like gold to fraudsters because they often contain financial information, insurance numbers and personal data that can be used to obtain drugs or other benefits.  Converting this information in order to submit false healthcare claims has been a regular practice for some scammers.

As government and private insurers have stepped up their fraud detection models, medical providers likewise need to review their policies and step up their own monitoring to protect their practice from potential data breaches and fraud claims.

Have you considered whether your business is at risk for a data breach? Are you taking steps to “fraud- proof” your health care practice?  Consider the following:

1. Perform a “Check- up.”  Every practice needs one. Conduct a random review of your patient files to ensure that all information is appropriately filed and that the files are complete.  Have your patients completed intake forms? Is there proper documentation of an accident or injury?  How is the health information protected from improper disclosure?

2. Review Protocols. When was the last time you reviewed your policies? Have they been updated to comport with new HIPAA standards? Do you understand what the standards mean for you and your employees?

3. Billing. Make sure that your billing is done correctly and that those who have been entrusted to perform this function are on top of things. Have there been trends in collection? Have insurers rejected claims? Find out why.

4. Employees. Do not assume that your employees are aware of the dire consequences associated with the improper disclosure of health care information.  Educate them and set a high bar for security of this information.

Stay tuned for more fraud stories and ways that you can prevent it from damaging your business.

Health-related technology has developed light-years faster than health information privacy and security protection laws and policies, and consumers can find new mobile health applications for a wide range of purposes ranging from diabetes management to mole or rash evaluation to fitness tracking.  Smart mobile app developers wondering when and how HIPAA privacy and security requirements affect their products need to take a step back and ask that most basic of HIPAA questions:  What am I?

The question one that has been posed on this blog in the past, and one worth returning to on a regular basis because the answer is not always obvious, but is critical for HIPAA compliance.

The Secretary of Health and Human Services (HHS) recently released a letter written to U.S. Representative Peter DeFazio regarding development and use of mobile health apps and HIPAA compliance reminding him (and anyone reading the letter) that:

“The first question for any entity … is whether it is a covered entity or a business associate within the meaning of the HIPAA rules.” 

The Secretary then helpfully provides links to the Office for Civil Rights (OCR) website’s “frequently asked questions” tools (see here for examples of “Who are Business Associates” and here for information on Covered Entities) and points out that OCR works closely with the Office of the National Coordinator for Health Information Technology (ONC) developing guidance and tools (a tool specific to mobile device privacy and security is available here) for securing health information technology.   However, there’s no quick and easy way to figure out whether HIPAA applies to a specific mobile health application.  The inquiry must always go back to the beginning:  are you a Business Associate (or subcontractor of a Business Associate) or a Covered Entity?  If not, while there may be other state and federal laws that require you protect individually identifiable information (of which protected health information, or PHI, is a subset), HIPAA does not apply.

Bear in mind that your HIPAA identity will change depending on who is using you and for what purpose.  If you develop a mobile health app allowing an individual to create, receive, maintain or transmit information about herself, it is likely the app is not covered by HIPAA because the individual is not acting as a Business Associate or Covered Entity when using the app.  Even if the individual uses the app to send her PHI to her health care provider, the app most likely will not be subject to HIPAA, just as the patient herself is not subject to HIPAA with respect to information about herself she chooses to share with her provider. However, if you develop the app for use by the health care provider, you very well may be a Business Associate to the Covered Entity health care provider.  In this scenario, if you are providing a service on behalf of the provider that involves your access to PHI (whether sent by the individual patient herself or not), you must comply with HIPAA.

So while the basic “What am I?” question sounds simple, the answer requires consideration of who is downloading and using the mobile health app you create, and the purpose for which it is being used.

Who you are makes a big difference in how and whether you must protect individually identifiable health information under HIPAA.   As we near the end of 2013, I look back at the events of the past year and am struck by the breadth and complexity of the issues we have written about on this blog site and the realization that we have addressed only a miniscule fraction of the health care privacy and security issues of the past year. I see a recurring theme, though:  a persistent refusal or reluctance to grapple with one’s identity and related responsibilities under HIPAA.  It is almost as though we think there’s no HIPAA problem that a slapped-on Business Associate Agreement (BAA) bandage can’t cover.  In reality, though, the sloppy BAA (or Notice of Privacy Practices (NPP), described below) may just confuse matters.

A few explanations come to mind when I think about the reasons for this HIPAA identity crisis. Our world has become data-driven, security-scarred, and privacy-perplexed.  The need to access and share private information electronically has become a given, just as examples of breaches in the security of this information explode in the headlines almost daily.  In addition, we don’t seem to have widespread public agreement as to what “privacy” means when it comes to the personal information we create, receive, maintain, or transmit electronically.

No wonder so many in the health care industry (including large, sophisticated health care providers and payers, the technology vendors serving them, and, as Bill Maruca discussed in his recent blog, even the government office in charge of enforcing HIPAA) cannot seem to get it right when it comes to understanding their roles under HIPAA.  Christopher Rasmussen of the Center for Democracy & Technology wrote about “Covered California’s Misguided Privacy Policy” in an article published on December 17, 2013.  Covered California, the state’s Affordable Care Act insurance marketplace, shared personal information from applicants who had not completed the application with insurance agents and brokers so that the agents and brokers could contact the applicants and invite them to complete the applications.  Apparently, nothing on the Covered California website told applicants that their information would be shared in this manner, and as Mr. Rasmussen correctly points out, the Covered California’s published NPP confuses matters by making it appear that Covered California is a covered entity under HIPAA.  The first line of the NPP reads:  “This notice describes how medical information about you may be used”.   Perhaps none of the applicants included medical information on their incomplete applications, but if they did, it seems unlikely they would want their medical information to be used in an unexpected sales pitch from an insurance broker.

The bottom line?  If you use or disclose health information, pay careful attention to whether you are covered by HIPAA and understand your identity as a covered entity, business associate, subcontractor, or some combination of these roles.  If you aren’t covered by HIPAA, don’t confuse everyone by sounding as though you are.  In either case, resolve to spend time in 2014 understanding your privacy and security responsibilities before using or disclosing individually identifiable information.

My partner Elizabeth G. Litten and I were interviewed by Marla Durben Hirsch in the FierceEMR article “Healthcare Attorneys: New Business Relationships Will Create New EHR Problems.” It is always a pleasure for us to talk with Marla because she provokes our thinking in new areas.  While the full text can be found here as part of the December 19, 2013, issue of FierceEMR, a synopsis is noted below.

The healthcare industry already has experienced several unintended issues related to electronic health records, many of which involve privacy and security, patient safety and coding. But as implementation of EHRs begins to mature and providers step up organizational consolidation and integration in response to health reform, there will be additional unanticipated operational and business problems involving EHRs that will arise.