Who watches the watchdogs to ensure they’re not sleeping on the job? The Office of Inspector General (OIG) of the Department of Health and Human Services has published a report of its review of the Office for Civil Rights’ HIPAA/HITECH Security Rule oversight efforts, and some of the findings are not pretty.

The report’s lengthy title says it all:  “The Office for Civil Rights Did Not Meet All Federal Requirements in Its Oversight and Enforcement of the Health Insurance Portability and Accountability Act Security Rule.”  The full report is available here.

The OIG report identifies three major deficiencies in OCR’s oversight efforts:

First, OCR failed to assess the risks, establish priorities, and implement controls for its HITECH requirement to provide for periodic audits of covered entities to ensure their compliance with Security Rule requirements. Accordingly, OIG notes that OCR had limited ability to verify whether covered entities were in compliance with the Security Rule.

Next, OCR’s Security Rule investigation files did not contain required documentation supporting key decisions because its staff did not consistently follow OCR investigation procedures by sufficiently reviewing investigation case documentation. OIG identified gaps in OCR’s controls over investigations which may have led to inconsistent practices in initiating, processing, and closing Security Rule investigations.

Perhaps most surprisingly, OIG noted that OCR had not fully complied with Federal cybersecurity requirements included in the National Institute of Standards and Technology (NIST) Risk Management Framework for its own information systems used to process and store investigation data.  OIG indicated that failure to follow industry standard safeguards could expose OCR to vulnerabilities which could impair OCR’s ability to perform functions vital to its mission.

In response, OCR noted that no funds had been appropriated to allow the agency to maintain a permanent audit program.  Continuing gridlock in Congress suggests that a timely solution to the funding shortfall is unlikely.

We reported on OCR’s prior audit efforts in July 2012 in A Peek Behind the OCR Wall of Shame.  Since then, it appears that funding for programs like the KPMG HIPAA Privacy and Security Audit Program may have run out. The period reviewed by the OIG in the recent report, July 2009 through May 2011, predated the KPMG audit, so it is not clear whether all the report’s conclusions remain accurate today.  In any event, OCR is on notice that OIG (and possibly Congress) will expect them to step up their security auditing to the fullest extent financially feasible.

Our partner Keith McMurdy posted a timely summary of the requirements of the HIPAA Omnibus Rule for employers and benefit plan sponsors at his Employee Benefits Legal Blog.  It is reproduced below:

Lost in the Shuffle: The September 23 HIPAA Notice Requirements

By Keith R. McMurdy on September 6, 2013
Posted in Plan Administration, Welfare Plans

With all of the attention being paid to compliance with health care reform and the October 1, 2013 exchange notices to employees, the September 23, 2013 HIPAA compliance deadline may have been lost in the shuffle. Employers should recall that earlier this year, HHS issued its final security and privacy regulations that made some real changes to the breach notification rules and the business associate rules, and employers should make sure that these changes have been implemented to avoid penalties.

With respect to the privacy rules, a revised Notice of Privacy Practices should be issued to incorporate the new rules related to breaches in the security of protected health information (PHI). Changes that should be included are the notification provisions if a breach occurs and also a specific statement that genetic information will not be used. With respect to the Business Associate Agreements, plan sponsors have to make a determination as to whether service providers are now business associates under the new rules, which broaden the definition. Further, they have to make sure that their current business associates (and any new business associates) are themselves HIPAA compliant. It is also a good idea for sponsors to update privacy practices statements to include the new breach rules and also undertake to train plan employees about the new privacy restrictions.

So when considering how to distribute your October 1 exchange notices, take a look at your HIPAA privacy notices as well and make sure they are properly updated and distributed as well. If you have questions about the specifics of the HIPAA requirements, don’t hesitate to get the details from your benefits professionals or your attorneys at Fox Rothschild.




The HIPAA/HITECH Omnibus Rule that appeared in the January 25, 2013 Federal Register contained this cryptic and apparently contradictory statement:

DATES: Effective date: This final rule is effective on March 26, 2013.

Compliance date: Covered entities and business associates must comply with the applicable requirements of this final rule by September 23, 2013.


What does it mean for the final rule to be effective today if covered entities and business associates are not required to comply for six more months?


Keep in mind that many of the provisions addressed in the Omnibus Rule were enacted by Congress in the HITECH Act and took effect on February 18, 2010, with some exceptions. The tiered and increased civil money penalty provisions of section 13410(d) were effective for violations occurring after the date HITECH was enacted, February 18, 2009. Accordingly, covered entities and business associates were obligated to comply in good faith with the statutory requirements except where the statute provided that it did not take effect until after publication of regulations.


HHS proposed a 180-day compliance period in its July 14, 2010 notice of proposed rulemaking, and has implemented that grace period in the final omnibus rule.  The 180-day grace period was intended to give covered entities and business associates time to comply while best protecting the privacy and security of patient information, in accordance with the goals of the HITECH Act.


For breaches of unsecured protected health information discovered on or after September 23, 2009, the effective date of the interim final breach notification rule, through September 23, 2013, covered entities and business associates are still required to comply with the breach notification requirements under the HITECH Act and must continue to comply with the requirements of the interim final rule. A cautious approach during the interim would be to analyze any unauthorized disclosure under both the old “subjective” harm standard and the new “four-part” risk assessment, and err on the side of concluding that a disclosure is a reportable breach unless it passes both tests.


The gap between the “effective date” and the compliance date leaves some open issues. For example, the definition of “business associate” has been expanded by the omnibus rule to include new entities who “maintain” PHI such as cloud-based data storage companies and warehouse service providers. When do they become BA’s – March 26 or September 23? It appears that covered entities will not be required to have written agreements in place with these newly-designated BA’s until September 23, but it is not clear that such a BA that causes a breach of unsecured PHI during the gap period would not still be directly liable.


These remaining uncertainties offer a valid reason for covered entities, existing business associates and newly-added BA’s to prioritize the process of evaluating and updating their HIPAA/HITECH compliance efforts, starting with new BAA’s, Notices of Privacy Practices and Breach Notification policies. Procrastination is rarely a good strategy, and waiting until the last minute to comply with the omnibus rule could have costly unanticipated consequences.

CMS should improve its oversight of its electronic health record incentive program, according to a report by the Office of Inspector General released this month.   The government watchdog agency faults CMS for both inadequate prepayment safeguards and insufficient postpayment monitoring of recipients of federal funding intended to help cover the costs of adoption and implementation of EHR.

As this blog noted earlier this month, some concerns have been raised in a Congressional hearing about how the approximately $7.7 billion in taxpayer funds have been spent to date under the HITECH Act’s incentive program.  In its report, the OIG recommended that CMS:

Obtain and review supporting documentation from selected professionals and hospitals prior to payment to verify the accuracy of their self-reported information;

Issue guidance with specific examples of documentation that professionals and hospitals should maintain to support their compliance; and

Conduct prepayment reviews to improve program oversight.

OIG reported resistance from CMS regarding its recommendation to implement prepayment reviews, which CMS believes would increase the burden on practitioners and hospitals and could delay incentive payments. CMS agreed to take steps to improve program oversight. CMS’s response appears as an exhibit to the OIG report at page 30.

Next, the OIG turned to the Office of the National Coordinator for Health Information Technology (ONC), the government agency that establishes EHR standards and certifies EHR technology. OIG recommended that the ONC:

Require that certified EHR technology be capable of producing reports for yes/no meaningful use measures where possible; and

Improve the certification process for EHR technology to ensure accurate EHR reports.

ONC concurred with both recommendations, as noted in the letter from Dr. Farhad Mostashari appearing at page 32.

The report noted that CMS currently conducts prepayment validation of professionals’ and hospitals’ self-reported meaningful use information to ensure that it meets program requirements, mostly by checking the math in the reports and verifying EHR certification codes.   OIG also noted that CMS plans to audit selected professionals and hospitals after payment using a similar method to select audit targets based on inconsistencies in their reported data. At the time of the OIG review, CMS had not yet completed any postpayment audits.

Among OIG’s findings were:

  • CMS’s prepayment validation functions correctly but does not verify the accuracy of self-reported information.
  • Sufficient data are not available to verify self-reported information through automated system edits.
  • CMS does not collect supporting documentation to verify self-reported information prior to payment.
  • CMS’s planned postpayment audits may not conclusively verify the accuracy of professionals’ and hospitals’ self-reported meaningful use information.
  • Reports from certified EHR technology are not sufficient for CMS to verify self-reported information and may not always be accurate.
  • CMS may not be able to obtain sufficient supporting documentation to verify self-reported information during audits.

Given budgetary pressure and ongoing Congressional oversight, it is likely that CMS and ONC will be looking more closely at how HITECH incentive funds are being applied in the coming year.

A nurse has been fired by a Texas hospital after accessing information on patients for whom she had no clinical responsibility, according to the Mt. Pleasant, TX Daily Tribune. The hospital, Titus Regional Medical Center, reportedly discovered the unauthorized access in the course of an audit in November. The nurse admitted to looking at the records out of curiosity but insisted that no records had been further disclosed.

The hospital decided to notify 108 patients in a letter which warned them of a slight risk of identity theft. The hospital administrator indicated that the notices may not be required under HIPAA but were being sent out of an abundance of caution, and emphasized that there was no evidence any data was printed nor disclosed to any third parties. Although most records accessed did not contain social security numbers, affected patients were nevertheless advised to contact the three major credit bureaus, Equifax, Experian and TransUnion.


This incident is reminiscent of the 2011 UCLA breach which resulted in a prison term for the snooping employee and similar incidents involving other California hospitals. A common element in these breach incidents is that the health information was not sold, distributed or otherwise further disclosed by the snooping employees. However, after an investigation, federal health regulators determined that UCLA employees reviewed patients’ electronic medical records "repeatedly and without a permissible reason."   Ultimately, UCLA entered into a settlement agreement with federal health regulators, which among other things, socked UCLA with a settlement payment of $865,500.


These cases illustrate the seriousness of HIPAA’s still poorly-defined “minimum necessary” standard which, at the least, requires workers at covered entities and business associates to have a valid reason beyond mere curiosity before they access PHI. The ease with which employees can call up any record in a health system’s database can present an overpowering temptation, and it is incumbent on employers to educate their workforce about the need to resist the urge to snoop.
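The audit that caught the Titus Regional nurse is the practical control behind the “minimum necessary” principle: compare who opened a chart against who had a documented reason to. The script below is an added example, not code from the hospital, OCR or this blog. It assumes an EHR audit log with timestamp, user, patient and action fields and a care-team roster giving each user’s assignment window per patient (both constructed here; real column names and a real data source are assumptions), and flags accesses with no assignment, with a short grace period after an assignment ends so routine follow-up is not reported as snooping.

```python
"""Flag EHR chart accesses by users with no documented treatment relationship.

Added example with constructed sample data; not from any real system.
A real deployment would read the audit log and care-team roster from the
EHR's own tables. Field names and formats below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log lines: timestamp, user, patient (MRN), action.
ACCESS_LOG = [
    "2013-11-04T08:12:00 nurse_a MRN1001 view_chart",
    "2013-11-04T08:15:00 nurse_a MRN1002 view_chart",
    "2013-11-04T09:40:00 nurse_b MRN1003 view_chart",
    "2013-11-04T12:01:00 nurse_a MRN2041 view_chart",
    "2013-11-04T12:03:00 nurse_a MRN2042 view_chart",
    "2013-11-04T12:04:00 nurse_a MRN2043 view_chart",
    "2013-11-04T13:10:00 dr_c MRN2041 view_chart",
]

# Constructed care-team roster: (user, patient, assignment start, end).
# A row means the user was assigned to that patient during the window.
CARE_TEAM = [
    ("nurse_a", "MRN1001", "2013-11-03", "2013-11-06"),
    ("nurse_a", "MRN1002", "2013-11-03", "2013-11-06"),
    ("nurse_b", "MRN1003", "2013-11-04", "2013-11-05"),
    ("dr_c", "MRN2041", "2013-11-01", "2013-11-10"),
]


def parse_log(lines):
    """Split whitespace-separated audit lines into typed event tuples."""
    events = []
    for line in lines:
        ts, user, patient, action = line.split()
        events.append((datetime.fromisoformat(ts), user, patient, action))
    return events


def build_roster(rows):
    """Index assignment windows by (user, patient) for fast lookup."""
    roster = defaultdict(list)
    for user, patient, start, end in rows:
        roster[(user, patient)].append(
            (datetime.fromisoformat(start), datetime.fromisoformat(end)))
    return roster


def has_relationship(roster, user, patient, when, grace=timedelta(days=1)):
    """True if the user was on the patient's care team at `when`.

    The grace period after an assignment ends keeps routine follow-up
    (charting after a shift, discharge paperwork) from being reported.
    """
    for start, end in roster.get((user, patient), []):
        if start <= when <= end + grace:
            return True
    return False


def find_unexplained_access(log_lines, roster_rows):
    """Return (timestamp, user, patient) for accesses with no assignment."""
    roster = build_roster(roster_rows)
    return [(ts, user, patient)
            for ts, user, patient, _action in parse_log(log_lines)
            if not has_relationship(roster, user, patient, ts)]


def users_to_review(log_lines, roster_rows, threshold=3):
    """Users whose unexplained access count reaches the threshold."""
    counts = defaultdict(int)
    for _ts, user, _patient in find_unexplained_access(log_lines, roster_rows):
        counts[user] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ts, user, patient in find_unexplained_access(ACCESS_LOG, CARE_TEAM):
        print(f"{ts.isoformat()} {user} opened {patient} with no care-team assignment")
    print("users to review:", users_to_review(ACCESS_LOG, CARE_TEAM))
```

On the constructed data the three midday chart views by nurse_a have no assignment and are reported, while dr_c's view of the same patient is explained by the roster. The threshold is a triage knob, not a legal standard: a single unexplained access can still be a violation, so the full list is worth keeping for the investigation file even when only the repeat offenders are escalated.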


Early EHR adopters, mark your calendars:  CMS will begin accepting registration for participation in the Medicare EHR incentive program beginning January 3, 2011.   CMS will post a link to the registration process on its Registration and Attestation page on January 3.  The sooner you apply, the sooner you can begin to qualify for the $44,000 in additional Medicare funds per eligible professional which is being offered for meaningful use of electronic health records.

For the eligible professional incentives, the applications must be submitted on behalf of the professionals themselves, not their employers or practices, but the payments may be reassigned. 

In order to apply, eligible professionals will need:

  • National Provider Identifier (NPI)
  • National Plan and Provider Enumeration System (NPPES) ID and Password
  • Payee Tax Identification Number (if you are reassigning your benefits)
  • Payee National Provider Identifier (NPI)(if you are reassigning your benefits)

Eligible hospitals will need:

  • CMS Identity and Access Management (I&A) User ID and Password
  • CMS Certification Number (CCN)
  • National Provider Identifier (NPI)
  • Hospital Tax Identification Number

Applicants for the Medicare incentive must be enrolled in PECOS.

Of course, you must be using certified EHR technology, but you do not need to disclose which certified EHR system you are using until the attestation process.  The Certified Health IT Product List is available at http://www.healthit.hhs.gov/CHPL.

Attestation of meaningful use will begin in April, with payments slated to begin in May.   The provider must install and verify meaningful use of the certified software for at least 90 days in 2011 to qualify for the EHR incentive money. The 90 days of  “meaningful use of certified EHR software” must occur before the end of 2011.  February 29, 2012 is the last day for eligible professionals to register and attest to receive an Incentive Payment for 2011.

The Medicaid incentive program also opens on the same day, but CMS cautions that some states may not be ready to register applicants right away.   Keep in mind that if your practice or entity qualifies for both programs, you should evaluate which one is more beneficial to your situation since you cannot participate in both.  Medicaid offers up to $63,750 per qualifying practitioner over six years.

Providers are only required to register once for the Medicare and Medicaid EHR Incentive Programs. However, they must successfully demonstrate that they have either adopted, implemented or upgraded (first participation year for Medicaid) or meaningfully used certified EHR technology each year in order to receive an incentive payment for that year.

For more information, see CMS’s Path To Payment site.

With a press conference featuring top officials including HHS Secretary Kathleen Sebelius, the Office for Civil Rights rolled out a 234-page Notice of Proposed Rulemaking on July 8, 2010. The full text is here. The agency described the proposed rulemaking as including significant modifications to the HIPAA Privacy, Security and Enforcement rules, as well as resources and activities to strengthen the privacy of health information and to help Americans understand their rights and resources available to safeguard their personal health information.   The notice will appear in the Federal Register on July 14, and comments will be received for 60 days thereafter. 

At the same time, HHS issued a statement on Privacy and Security entitled Building Trust in Health Information Exchange, listing the various initiatives it is pursuing. HHS stated that the proposed regulations released today would “expand individuals’ rights to access their information and restrict certain disclosures of protected health information to health plans, extend the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establish new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without patient authorization. In addition, the proposed rule is designed to strengthen and expand OCR’s ability to enforce HIPAA’s Privacy and Security provisions. This rulemaking will strengthen the privacy and security of health information, and is an integral piece of the Administration’s efforts to broaden the use of health information technology in health care today.”


Also announced today was a new HHS website for Health Data Privacy and Security Resources, http://www.hhs.gov/healthprivacy, and a revamped format for its online listing of breaches affecting more than 500 individuals .  HHS reports that such breaches are now posted in a new, more accessible format that allows users to search and sort the posted breaches.  Additionally, this new format includes brief summaries of the breach cases that OCR has investigated and closed, as well as the names of private practice providers who have reported breaches of unsecured protected health information to the Secretary.  


Next up on the HHS agenda  – the final “meaningful use” standards, which will clarify the minimum capabilities for the implementation of electronic medical records systems to qualify for federal subsidies beginning next year.

Ambulance-chasing meets the age of electronic records.  The husband and wife team of Ruben E. Rodriguez and Maria Victoria Suarez  have been charged with conspiring with an ambulance company worker to steal personal identification information of individuals transported by Randle Eastern Ambulance Service, Inc., d/b/a American Medical Response (“AMR”) and sell the information to various South Florida personal injury attorneys and clinics. This is the second time the couple has been charged with theft and sale of patient records. In a plea bargain agreement he later renounced, Rodriguez admitted to paying a hospital technologist for information from records of accident victims that he then sold to personal injury lawyers for a percentage of damage awards and settlements.  See http://www.miamiherald.com/2010/03/07/1518101/coral-gables-couple-accused-again.html

According to the FBI press release, the couple faces a maximum of five (5) years’ imprisonment for both the conspiracy and fraud in connection with computers. They also face a mandatory consecutive term to any other potential sentence of two (2) years’ imprisonment on the aggravated identity theft offenses.


With HHS enforcement of the HITECH breach notification rules weeks away, BlueCross BlueShield of Tennessee is scrambling to control the damage from the October 2009 theft of 57 hard drives containing sensitive patient information. In a notice posted on its website as of January 13, 2010, the company stated that hard drives containing audio and video files related to coordination of care and eligibility telephone calls from providers and members were stolen from a former call center, including video images from computer screens of customer service representatives and audio files of recorded phone conversations. The files contained members’ personal data and protected health information, including members’ names and BlueCross ID numbers, diagnostic information, dates of birth and Social Security numbers. This information was encoded but not encrypted, and the company has no evidence that the data has been accessed or used by the thieves. The distinction matters: under the HHS guidance implementing HITECH, only PHI that has been encrypted consistent with NIST guidance (or destroyed) counts as “secured,” so storing recordings in a proprietary or compressed format without encryption does not take a theft outside the notification requirement.

The company has chosen to voluntarily follow the HITECH notice rules that formally kick in as of February 22, 2010. They estimate that the breach may have affected up to a total of 500,000 members in all 50 states. So far, they have identified approximately 220,000 members whose data may have been compromised and are in the process of sending them notices by mail. They have identified 32 states with 500 or more members whose data may be at risk. The company notified the Secretary of HHS, the State of Tennessee and the attorney general’s office and media in each state with 500 or more affected members, and notified all three credit bureaus.


The company is also offering a one-year free credit-monitoring membership through Equifax to affected members, and three tiers of additional protective services based on the amount of information believed to have been compromised.


The company’s first challenge has been to identify affected members, and it has engaged a national security consultant, Kroll. Unlike patient information in text or database format that could be easily reviewed to identify patients at risk (and “mined” for identity theft purposes), the hundreds of thousands of audio and video recordings must be manually reviewed.


The Health Information Technology for Economic and Clinical Health Act or the “HITECH Act”  provides incentive payments for adoption and meaningful use of HIT and qualified EHRs.  CMS published a proposed rule defining "meaningful use" on December 30.  It’s 566 double-spaced pages long, and can be found here:  http://www.federalregister.gov/OFRUpload/OFRData/2009-31217_PI.pdf.  

An eligible physician or other professional (“EP”) or hospital will be deemed to be a meaningful EHR user of technology certified by HHS if the user:

(1) demonstrates use of certified EHR technology in a meaningful manner;

(2) demonstrates to the satisfaction of the Secretary of HHS that certified EHR technology is connected in a manner that provides for the electronic exchange of health information to improve the quality of health care such as promoting care coordination, in accordance with all laws and standards applicable to the exchange of information; and

(3) using its certified EHR technology, submits to the Secretary, in a form and manner specified by the Secretary, information on clinical quality measures and other measures specified by the Secretary.


The measures include:

  • Implement drug-drug, drug-allergy, drug-formulary checks.
  • Input at least one diagnosis based on ICD-9-CM or SNOMED CT, or an indication of none, for 80% of all unique patients seen by the EP or admitted to an eligible hospital.
  • Maintain active medication lists for 80% of patients seen or admitted.
  • Record demographic info including preferred language; insurance type; gender; race; ethnicity and date of birth for 80% of patients seen or admitted.
  • Record blood pressure and BMI and plot the growth chart for children age 2 to 20 years old for 80% of patients seen or admitted.
  • Record smoking status of 80% of patients age 13 or over.
  • Generate lists of patients by specific conditions to use for quality improvement, reduction of disparities, research and outreach.
  • Implement five clinical decision support rules relevant to the specialty or high clinical priority, including for diagnostic test ordering, along with the ability to track compliance with those rules.
  • Check insurance eligibility electronically for 80% of patients.
  • Submit 80% of claims electronically
  • Provide summary of care record for at least 80% of transitions of care and referrals
  • Use computerized provider order entry (CPOE) for 80% of orders.
  • Transmit at least 75 percent of all permissible prescriptions electronically.
  • Report clinical quality measures as required by HHS.
  • Send electronic reminders to at least 50 percent of all unique patients seen by the EP that are 50 years of age and over.
  • Provide requested electronic copies of patients’ health information within 48 hours of patient requests in 80% of cases.
  • Provide patients with timely electronic access to their health information (including diagnostic test results, problem list, medication lists, and allergies) within 96 hours of the information being available to the EP for at least 10 percent of all unique patients seen by the EP.
  • Provide clinical summaries to patients for each office visit for at least 80 percent of all office visits.