Health care vendors beware: if you tell customers that your product provides industry-standard encryption of protected health information in compliance with HIPAA, you’d better be sure it doesn’t simply “camouflage” the data.

The FTC recently announced a $250,000 settlement with Henry Schein Practice Solutions, Inc. (“Henry Schein”) for falsely advertising that the software it marketed to dental practices provided “industry-standard encryption of sensitive patient information” and “would protect patient data” as required by HIPAA.

In fact, according to the FTC’s Complaint, the software (called “Dentrix G5”) used a data protection tool that Henry Schein knew was “less secure and more vulnerable than widely-used, industry-standard encryption algorithms, such as Advanced Encryption Standard (“AES”) encryption.” The Complaint states that Henry Schein was aware that the Department of Health and Human Services (“HHS”) directs health care providers to guidance promulgated by the National Institute of Standards and Technology (“NIST”), which recommends AES encryption to protect patient data.

The Complaint states that Henry Schein’s product did not use AES encryption, and alleges that Henry Schein was notified that its database engine vendor had agreed to re-brand the data protection used by Henry Schein as “Data Camouflage” so it would not be confused with standard encryption algorithms, like AES encryption. Still, Henry Schein allegedly continued to market its product as offering data encryption needed for HIPAA compliance.

In January of 2014, the Complaint concedes, Henry Schein published an announcement in the Spring 2014 issue of Dentrix Magazine stating:

“Available only in Dentrix G5, we previously referred to this data protection as encryption. Based on further review, we believe that referring to it as a data masking technique using cryptographic technology would be more appropriate.”

Alas, the admission that the product provided mere “data masking” or “camouflaging” rather than encryption was, apparently, too little and too late to avoid the FTC enforcement action and ensuing settlement payment and negative publicity. Though no data breach was alleged to have occurred, the damage had been done by the “false or misleading” claims already made by Henry Schein.

The lessons for covered entities and business associates using and marketing patient data tools? Simple:

(1) Encrypt, don’t camouflage (check NIST guidance and recommendations for current encryption standards).

(2) Don’t exaggerate your capabilities (don’t say you encrypt when you merely camouflage, and if you only use some process like password protection, don’t suggest that you encrypt or even camouflage – potentially misleading claims in this area can bring FTC sanctions).

(3) As we’ve said before on this blog, don’t forget that the FTC is watching – health care providers, payers, and vendors must remember that HHS isn’t the only sheriff in town when it comes to data protection, HIPAA isn’t the only law that governs patient data and privacy, and the States are also increasingly active in enforcing data privacy and security.
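To make lessons (1) and (2) concrete, here is an added example; it is not code from this page, from Henry Schein, or from its database vendor, and the page does not describe how “Data Camouflage” actually worked. The program contrasts a hypothetical masking scheme (a fixed pad XORed over every record, a plausible shape for “a data masking technique using cryptographic technology”) with AES-256-GCM, the kind of algorithm NIST recommends. The pad value, the sample records and the function names are constructed for the illustration; key storage and rotation are outside its scope.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// fixedPad is a hypothetical built-in "masking" secret: the same bytes in every
// installation and for every record. That is what makes masking not encryption:
// there is no per-customer key for an attacker to lack. (Constructed value.)
var fixedPad = []byte("DentalMask2014!!") // 16 bytes

// camouflage XORs a record with the repeating fixed pad. It is reversible,
// deterministic (same input, same output) and needs no key from the caller.
func camouflage(record []byte) []byte {
	out := make([]byte, len(record))
	for i, b := range record {
		out[i] = b ^ fixedPad[i%len(fixedPad)]
	}
	return out
}

// recoverPad shows why masking fails: one known plaintext/masked pair leaks the
// pad, and the pad then unmasks every other record in the database.
func recoverPad(knownPlain, knownMasked []byte) ([]byte, error) {
	if len(knownPlain) < len(fixedPad) || len(knownMasked) < len(fixedPad) {
		return nil, errors.New("need at least one pad length of known plaintext")
	}
	pad := make([]byte, len(fixedPad))
	for i := range pad {
		pad[i] = knownPlain[i] ^ knownMasked[i]
	}
	return pad, nil
}

// unmaskWithPad applies a recovered pad; nothing held by the vendor or the
// practice is required.
func unmaskWithPad(masked, pad []byte) []byte {
	out := make([]byte, len(masked))
	for i, b := range masked {
		out[i] = b ^ pad[i%len(pad)]
	}
	return out
}

// newKey returns a random 256-bit key. Real deployments keep it in a key store,
// not next to the data.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// sealAESGCM is what "industry-standard encryption" means in practice: AES-256
// in GCM mode, a fresh random 96-bit nonce per record, and an authentication
// tag so tampering is detected. Output layout: nonce || ciphertext || tag.
func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openAESGCM reverses sealAESGCM and fails closed on a wrong key or any
// modified byte of nonce, ciphertext or tag.
func openAESGCM(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed sample records; not real PHI.
	mine := []byte("patient=Jane Doe;dob=1980-01-01;dx=K02.9")
	other := []byte("patient=John Roe;dob=1975-05-05;dx=K04.7")

	// Attacker knows one record (say, their own chart) and its masked form.
	pad, _ := recoverPad(mine, camouflage(mine))
	fmt.Printf("recovered pad: %q\n", pad)
	fmt.Printf("other record unmasked with no key: %s\n", unmaskWithPad(camouflage(other), pad))
	fmt.Println("masking is deterministic:", bytes.Equal(camouflage(other), camouflage(other)))

	key, _ := newKey()
	blob, _ := sealAESGCM(key, other)
	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag
	_, err := openAESGCM(key, blob)
	fmt.Println("tampered AES-GCM record rejected:", err != nil)
}
```

The point of the contrast is not the XOR itself but the absence of a per-deployment secret: anything a product can reverse without a key supplied at run time is masking, however “cryptographic” the internals.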

President Obama announced a series of Executive Orders on January 4, 2016 to address gun-related violence in America. Among those orders was an initiative to increase mental health reporting to the background check system. But this does not mean that mental health records will be widely released or that anyone who has sought treatment for mental illness will be banned from gun ownership.  It only means that information about individuals who are already prevented from owning guns under current law will be made available for background checks.

A fact sheet released by the administration includes this summary:

Remove unnecessary legal barriers preventing States from reporting relevant information to the background check system. Although States generally report criminal history information to [the National Instant Criminal Background Check System, (NICS)], many continue to report little information about individuals who are prohibited by Federal law from possessing or receiving a gun for specific mental health reasons. Some State officials raised concerns about whether such reporting would be precluded by the Privacy Rule issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Today, the Department of Health and Human Services issued a final rule expressly permitting certain HIPAA covered entities to provide to the NICS limited demographic and other necessary information about these individuals.

A Final Rule was posted by the Office for Civil Rights of the Department of Health and Human Services (OCR) at https://federalregister.gov/a/2015-33181. In an announcement posted by OCR, the agency emphasized that this rule is narrowly drawn and applies only to a limited category of covered entities:

The new modification is carefully and narrowly tailored to preserve the patient-provider relationship and ensure that individuals are not discouraged from seeking voluntary treatment. This rule applies only to a small subset of HIPAA covered entities that either make the mental health determinations that disqualify individuals from having firearms or are designated by their States to report this information to NICS – and it allows such entities to report only limited identifying, non-clinical information to the NICS.

The rule does not apply to most treating providers and does not allow reporting of diagnostic, clinical, or other mental health treatment information. [emphasis added]

OCR emphasizes that individuals who seek help for mental health conditions and/or receive mental health services are not automatically legally prohibited from having a firearm, and that nothing in the final rule changes that.

The rule only applies to state agencies or other agencies that are designated by the state to report, or which collects information for purposes of reporting, on behalf of the state, to the NICS; or a court, board, commission, or other lawful authority that makes the commitment or adjudication that causes an individual to lose the right to possess firearms under existing federal law.  It authorizes such agencies to disclose the information only to NICS or an entity designated by the state to report, or which collects information for purposes of reporting, on behalf of the State, to NICS, and permits disclosure of only such limited demographic and certain other information needed for purposes of NICS reporting.  It expressly prohibits disclosure of diagnostic or clinical information for such purposes.

In light of the heightened emotions surrounding any government action relating to firearms, especially as it may involve mental health and HIPAA, it is likely that misunderstandings, exaggerations, misinformation (or even intentional disinformation)  about this limited change will circulate through social media and similar channels.  Healthcare providers and other covered entities should be aware that the rule changes nothing except for certain state agencies and their agents.

A thoughtful reader responded to our last post, Debunking a Viral “Medical Hack” Meme, which addressed a meme advising health plan subscribers to cite certain HIPAA compliance issues in efforts to overturn unfavorable insurance coverage decisions.

Jeff Knapp wrote:

This meme just popped up in my Facebook news feed this morning, and I was happy to see you addressed it so quickly. I too immediately noticed several flaws. In addition to the ones you noted here, there is certainly no right under HIPAA for an individual to speak with a covered entity’s privacy officer. While it’s true that a covered entity must designate a contact person or office, in my experience the contact person/office and the privacy officer are not the same. Typically, a privacy officer is dealing with higher-level issues than responding to requests for documents. I always enjoy reading your blog posts.

Mr. Knapp accurately notes that there is no right to contact a privacy officer, and in fact, HIPAA provides no private right of action for an individual whose protected health information was improperly accessed.  See Why Can’t I Sue Under HIPAA for a Breach of my Protected Health Information? What Can I Do?

Moreover, if the individual disputing a coverage decision is covered by a self-insured plan sponsored by his or her employer, the strategy advocated by the meme could easily backfire, notwithstanding any separation of insurance administration and human resources functions within the employer’s management structure, whether that separation is nominal or real.

Since the early days of HIPAA, a steady trickle of misinterpretations, misunderstandings and half-truths has circulated informally both within the medical community and among the general public. The prevalence of social media only amplifies the effect. For example, a meme currently making the rounds on Facebook suggests using HIPAA as a strategy for convincing a health insurer to reverse a coverage denial decision. The post, entitled “Medical Hack,” began appearing this month. While it contains some accurate information, the post has a number of flaws.


It reads as follows:

So, your doctor ordered a medical test or treatment and your insurance company denied it. That is a typical cost saving method.

OK, here is what you do:

1. Call the insurance company and tell them you want to speak with the “HIPAA Compliance/Privacy Officer” (By federal law, they have to have one)

2. Then ask them for the NAMES and CREDENTIALS of every person accessing your record to make that decision of denial. By law you have a right to that information.

3. They will almost always reverse the decision very shortly rather than admit that the committee is made of low paid HS graduates, looking at “criteria words,” making the medical decision to deny your care. Even in the rare case it is made by medical personnel, it is unlikely it is made by a board certified doctor in that specialty and they DO NOT WANT YOU TO KNOW THIS!

4. Any refusal should be reported to the US Office of Civil Rights (OCR.gov) as a HIPAA violation.

As with any viral post, it is prudent to fact-check this advice with reliable sources such as Snopes.com. Sure enough, Snopes has addressed the “hack” and classified it as a mixture of true, false and undetermined information. See http://www.snopes.com/hipaa-medical-hack-insurance-claim-denials/

To their credit, the fact-checkers at Snopes picked up on several flaws in the strategy suggested in the hack, particularly the fact that neither HIPAA nor the Affordable Care Act require insurers to base decisions to deny coverage of services or medications on the decision of a doctor, let alone a doctor that is board certified in the specialty under which that treatment fell.  (In fact, these issues are primarily regulated by state insurance laws.)   To that effect, Snopes notes:

… if insurance companies are entitled to deny coverage on a discretionary basis without the say-so of a doctor, there’s no reason a non-mandated process would be outlined through any plan resource or HHS guideline. Asking for such documentation would make as much sense as someone demanding a receipt for a donut you didn’t buy.

However, the most critical flaw in the suggested strategy is that the accounting-of-disclosures right does not reach the people the meme wants named. Use of a record by the insurer’s own staff is not a “disclosure” at all under HIPAA’s definitions (a disclosure is a release of information outside the entity holding it), many external disclosures need not be accounted for either, and disclosures made to carry out payment or health care operations are specifically carved out of the accounting requirement in 45 C.F.R. 164.528(a)(1)(i). Insurance clerks, regardless of their level of education, are using patient records for payment and operations purposes when processing claim denials, so there is nothing the insurer is obliged to account for.

With regard to the requirement to designate a  “HIPAA Compliance/Privacy Officer,” the Snopes report stated “We were unable to locate any relevant portion of the act that specifically mandated what the meme claimed.”   In fact,  45 C.F.R. § 164.530 states:

(a)(1) Standard: Personnel designations.(i) A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.

A better approach for health insurance subscribers facing denial of a treatment ordered by their physician is to follow the appeal mechanisms specified in their plans, and check their rights under applicable state law. For instance, Pennsylvania’s Act 68 includes certain standards for managed care plans and offers complaint and grievance procedures for individuals.

Lesson: Viral memes are often an unreliable source of legal advice.  I’m a major fan of Snopes.com, but sometimes even Snopes doesn’t get all the details.

Our partners Elizabeth Litten and William H. Maruca and I were quoted by our good friend Marla Durben Hirsch in her article in Medical Practice Compliance Alert entitled “Watch for HIPAA Pitfalls When Involving Police in ID Checks.” Full text can be found in the October 26, 2015, issue, but a synopsis is below. Marla’s article was also featured in Part B News.

Houston area OB/GYN clinic Northeast Women’s Healthcare has received attention due to a situation involving the verification of a patient’s identification by contacting law enforcement. The clinic believed that a patient was attempting to use false identification in order to receive treatment at the facility, which prompted it to contact law enforcement. When local authorities were given the license number, they determined that the information provided was false, which led to the arrest of the individual seeking treatment.

Although the individual was alleged to have tampered with government records and has been noted as an undocumented immigrant, some questions have surfaced whether the clinic’s procedure violated HIPAA regulations by disclosing protected health information.

Some of the considerations identified in the article for providers that are concerned about possible false identification submitted by a patient include the following from Marla’s article:

  1. “Providers appear to be under no obligation under HIPAA to report suspicious documents,” points out Maruca.
  2. “It’s not up to a doctor’s office to be a cop. You need to balance quality and safety issues versus the veneer of not wanting to treat the undocumented,” Litten says.
  3. “The controversy also is fueled by its occurrence in Texas, with not only a large demographic of immigrants but also where immigration status is a hot button issue and has garnered significant publicity,” Kline says.
  4. Kline continues by stating, “Emotions on this are high in Texas. It heightens the sexiness of the case.”

The obligations of providers to report to authorities that an individual has submitted suspected false identification to secure healthcare services can be complex and fact-specific. Depending on the fact pattern, the matter can even become a media event. In light of heightened sensitivities to immigration status, this can be expected to be a developing area under both HIPAA and state identity-theft law, which may impose obligations that differ from HIPAA’s.

Already many blogs and articles have been written on Chief Administrative Law Judge D. Michael Chappell’s November 13, 2015 92-page decision exonerating LabMD from the FTC’s charges that it failed to provide reasonable and appropriate security for personal information maintained on its computer networks in violation of Section 5(a) of the FTC Act.  A number of the commentators accurately point out that this ruling makes it clear the FTC does not have unbridled enforcement authority over allegedly “unfair” data security cases.

The FTC would have had Chief Judge Chappell believe that liability should be imposed for conduct that is theoretically “likely” to cause consumer harm, despite its inability to identify a single instance of consumer harm over the course of 7 years since the allegedly “unfair” conduct occurred. Judge Chappell refused to drink the FTC’s Kool-Aid, though, restoring my faith in the ability of logic and rational thinking to outweigh agency fluff and bluster in an administrative judicial proceeding.  Section 5(n) of the FTC Act requires a showing that the conduct “caused, or is likely to cause, substantial injury to consumers,” and while the Act doesn’t define the word “likely”,  Judge Chappell concluded that:

The term “likely” in Section 5(n) does not mean that something is merely possible. Instead, “likely” means that it is probable that something will occur.

Hardly complex legal reasoning – just basic, simple common sense.

We blogged on this case and the FTC’s enforcement activities in the data security realm in October of 2014 (read here), as well as in March, April, May and June of 2014 (read here), and have closely followed LabMD founder Michael Daugherty’s tireless battle to defend his small, now-defunct cancer testing company from what has seemed an outrageous abuse of regulatory enforcement power from the beginning.

It’s refreshing (and relieving, for other businesses facing FTC investigations over what may seem to be minor and inconsequential infractions) that Judge Chappell carefully considered the evidence presented over the course of approximately two years and injected intelligence and reason into a case that seemed shockingly deficient in these traits.  Thank goodness Judge Chappell refused to drink from the FTC’s “possible-means-likely” cup of legal reasoning.  However, the Judge’s painstakingly articulated factual findings, enumerated in 258 paragraphs, reveal the unsettling back-story behind this case.

The FTC’s case was built around information provided to it by a company affiliated with Tiversa, a business involved in finding security vulnerabilities in companies’ computer networks and then selling remediation services to the companies to prevent similar infiltrations.  LabMD declined Tiversa’s offer to sell it remediation services.  Chief Judge Chappell found:

158.  Mr. Boback’s motive to retaliate against LabMD for refusing to purchase remediation services from Tiversa … resulted in Tiversa’s decision to include LabMD in the information provided to the FTC… .”

The FTC may be wishing it had heeded the warning and advice of FTC Commissioner J. Thomas Rosch, who had initially suggested (in his Dissenting Statement issued June 21, 2012) that FTC staff should not rely on Tiversa for evidence or information related to LabMD, given Tiversa’s business model and prior attempts to sell its services to LabMD, in order to avoid the appearance of impropriety.  Instead, FTC staff readily accepted Tiversa’s Kool-Aid, relying on evidence it might have realized was tainted at the outset.

Again, hardly complex reasoning – just basic, simple common sense:  if it doesn’t smell or taste right, don’t drink the Kool-Aid.

Regardless of whether the case is appealed and its ultimate outcome, the LabMD ruling  may serve as a precedent to encourage others to challenge the FTC’s enforcement authority under Section 5, authority that the agency has expanded over the years through consent decrees, particularly where there is no evidence that allegedly inadequate security practices have resulted in (or will probably result in) consumer harm.

When and how should you email PHI, if at all?  The Office for Civil Rights (OCR) offers guidance as to the permissibility of sending PHI via email in this “Frequently Asked Question” answer, but doesn’t provide specifics as to how PHI can be safely emailed.  Whether you are a covered entity or a business associate (or the CIO or Privacy Officer for a covered entity or business associate), an attorney trying to navigate privacy and security compliance under HIPAA and other laws, or an individual whose PHI is at stake, you may wonder what tools and resources are available to protect PHI transmitted via email.

The National Institute of Standards and Technology (NIST) has provided many such tools and resources, including its 2007 “Guidelines on Electronic Mail Security”. Now, though, NIST is accepting comments through November 30, 2015 on its most recent proposed set of email security guidelines, “Special Publication 800-177, Trustworthy Email”. Though this Trustworthy Email draft (available with other NIST computer security and privacy publications here) comes with a disclaimer that it is “written for the enterprise email administrator, information security specialists and network managers”, it’s worth reviewing (even by the less tech-savvy among us) because it breaks down and describes each component of email functionality and the protocols and technology currently available to improve privacy and security.

Emailing PHI has become extremely common, but before deciding to send or receive PHI via email, it’s a good idea to make sure the Trustworthy Email protocols and technologies have been considered.   And if you have suggestions or comments as to how these protocols and technologies specifically relate to or can be improved in the context of emails containing PHI, here’s your chance to speak up!  Finally, remember that whatever comes out as the final set of NIST guidelines can become obsolete quickly in this rapidly developing and expanding e-world.
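The draft’s value is easier to see with one of the protocols it covers. DMARC (RFC 7489), which SP 800-177 discusses alongside SPF and DKIM, is what lets a receiving mail server decide whether a message claiming to be From: a clinic’s domain was actually authorized by that domain, which is the first question to ask before trusting a PHI-bearing email. The following Go program is an added example, not NIST’s and not code from this page: it parses a DMARC record and applies the identifier-alignment rule to constructed authentication results. The domain names, the record text and the simplification that an organizational domain is the last two labels (real implementations consult the Public Suffix List) are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// DMARCPolicy holds the tags this example reads from a _dmarc.<domain> TXT record.
type DMARCPolicy struct {
	Policy string // p=: none, quarantine or reject (required)
	ADKIM  string // adkim=: "r" relaxed (default) or "s" strict
	ASPF   string // aspf=:  "r" relaxed (default) or "s" strict
}

// AuthResults is what the receiving server has already established before
// DMARC runs: the SPF result for the MAIL FROM domain, and the d= domain of
// every DKIM signature that verified.
type AuthResults struct {
	SPFPass      bool
	SPFDomain    string
	DKIMPassDoms []string
}

// ParseDMARC parses a record such as "v=DMARC1; p=reject; adkim=s; aspf=r".
// Unknown tags are ignored, as the RFC requires; a missing p= is an error.
func ParseDMARC(txt string) (DMARCPolicy, error) {
	pol := DMARCPolicy{ADKIM: "r", ASPF: "r"}
	tags := map[string]string{}
	for _, part := range strings.Split(txt, ";") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) == 2 {
			tags[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.ToLower(strings.TrimSpace(kv[1]))
		}
	}
	if tags["v"] != "dmarc1" {
		return pol, errors.New("not a DMARC1 record")
	}
	switch tags["p"] {
	case "none", "quarantine", "reject":
		pol.Policy = tags["p"]
	default:
		return pol, fmt.Errorf("missing or unknown p= tag %q", tags["p"])
	}
	if v, ok := tags["adkim"]; ok {
		pol.ADKIM = v
	}
	if v, ok := tags["aspf"]; ok {
		pol.ASPF = v
	}
	if (pol.ADKIM != "r" && pol.ADKIM != "s") || (pol.ASPF != "r" && pol.ASPF != "s") {
		return pol, errors.New("alignment mode must be r or s")
	}
	return pol, nil
}

// orgDomain approximates the organizational domain as the last two labels.
// This is an assumption of the example; production code uses the Public Suffix List.
func orgDomain(d string) string {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(d, ".")), ".")
	if len(labels) <= 2 {
		return strings.Join(labels, ".")
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// aligned reports whether an authenticated domain aligns with the RFC5322.From
// domain: strict mode needs an exact match, relaxed mode an organizational match.
func aligned(fromDomain, authDomain, mode string) bool {
	f, a := strings.ToLower(fromDomain), strings.ToLower(authDomain)
	if mode == "s" {
		return f == a
	}
	return orgDomain(f) == orgDomain(a)
}

// Evaluate applies the DMARC rule: the message passes if either an SPF pass or
// a DKIM pass carries a domain aligned with the From: domain. Otherwise the
// record's p= value is the disposition the domain owner asks for.
func Evaluate(pol DMARCPolicy, fromDomain string, ar AuthResults) (pass bool, disposition string) {
	if ar.SPFPass && aligned(fromDomain, ar.SPFDomain, pol.ASPF) {
		return true, "none"
	}
	for _, d := range ar.DKIMPassDoms {
		if aligned(fromDomain, d, pol.ADKIM) {
			return true, "none"
		}
	}
	return false, pol.Policy
}

func main() {
	// Constructed record; clinic.example and bulk-mailer.example are not real domains.
	pol, err := ParseDMARC("v=DMARC1; p=reject; adkim=s; aspf=r")
	if err != nil {
		panic(err)
	}
	// Case 1: the clinic's own relay; SPF passes for a subdomain, which relaxed aspf accepts.
	pass, disp := Evaluate(pol, "clinic.example", AuthResults{SPFPass: true, SPFDomain: "mail.clinic.example"})
	fmt.Println("own relay:", pass, disp)
	// Case 2: a third-party mailer signs with a subdomain key; strict adkim refuses
	// the subdomain and SPF belongs to the mailer, so the receiver is asked to reject.
	pass, disp = Evaluate(pol, "clinic.example", AuthResults{
		SPFPass: true, SPFDomain: "bulk-mailer.example",
		DKIMPassDoms: []string{"mail.clinic.example"},
	})
	fmt.Println("third-party mailer, strict DKIM:", pass, disp)
}
```

The second case is the one that bites health care senders in practice: a billing or patient-portal vendor that mails on the practice’s behalf must sign with a key aligned to the practice’s From: domain under whatever adkim mode the record publishes, or the receiving side will apply p= to legitimate mail.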

Congratulations!  You have a HIPAA-compliant business associate (or subcontractor) agreement in place – now what? How can you implement the agreement without becoming a HIPAA guru?

There are many resources available that offer detailed guidance on risk analysis and implementation protocols (such as the Guide to Privacy and Security of Electronic Health Information published by the Office of the National Coordinator for Health Information Technology and numerous “Special Publications” issued by the National Institute of Standards and Technology (NIST)).

These are terrific resources and can keep a team of IT professionals and Privacy and Security Officers reading and scratching their heads for weeks, but here are a few simple and practical steps you can take to avoid the security incident that may result in a protected health information (PHI) breach.

  1. Make sure the covered entity knows which individual(s) is authorized to receive PHI at the business associate. If neither the services agreement nor the business associate agreement specifies the person to whom PHI is to be disclosed, make sure the name, title and contact information of any designated recipient is communicated to the covered entity in writing.
  2. Include a provision in the business associate agreement (or subcontractor agreement) or develop a process whereby the covered entity (or business associate) provides notice, when feasible, prior to transmitting PHI to the designated recipient. Particularly when the transmission of PHI is sporadic or infrequent, provision of advance notice helps heighten awareness of the parties’ HIPAA obligations with respect to particular data being transmitted.
  3. Establish an agreed-upon means of PHI transmission – for example, specify whether transmission will be made via encrypted email, portable device, hard copy, etc. – and document the chain of custody from covered entity to business associate and after receipt by business associate.
  4. Create a “vault” for PHI received by the business associate that is secured by access codes that are changed periodically and can be deactivated when personnel leave the employ of the business associate.
  5. Maintain a perpetual inventory of PHI repositories, delegating responsibility to the Security Officer to oversee or authorize repository access rights, review activity, and conduct regular audits.

Our partner Elizabeth Litten and I were once again quoted by our good friend Marla Durben Hirsch in her recent article in Medical Practice Compliance Alert entitled “Improve Usability but Mind HIPAA if Using Personal Mobile Devices for Work.” The full text can be found in the September 28, 2015, issue of Medical Practice Compliance Alert, but a synopsis reflecting our comments is included below.

Medical practice communications are increasingly mobile, with a reported 83% of physicians using mobile technology to provide patient care and 71% of nurses doing the same, according to a mobile technology survey from the Healthcare Information and Management Systems Society (HIMSS). Mobile devices, however, must be managed carefully to avoid creating an undue HIPAA security risk.

Some steps to protect patient data when using mobile devices include the following:

  1. Health care providers should use encryption to make mobile devices more secure. Email programs should ensure that a message cannot be read in transit, before it reaches the provider’s device. Kline warns, “A password on a phone is not encryption.”
  2. Providers should get informal messages and conversations from mobile devices, such as text messages, into the patient’s medical record. Kline says, “Have you made an entry [of the informal message or conversation] in the record? If not, the medical record is not accurate.”
  3. “Providers should be sure to obtain patient consent to communicate by mobile device as well,” says Litten. This is especially important if the communication may be unsecured.
  4. Avoiding the lack of discipline that mobile devices often encourage, such as non-medical shorthand, is crucial. Kline says, “Communications over mobile devices are more likely to contain misspellings and other errors, which can create malpractice liability and are not best practice when communicating treatment.”

The ever-increasing utilization of mobile devices in the delivery of healthcare services to patients is placing greater demands on those providers who are subject to, and those who are drafting, implementing and enforcing, HIPAA policies and procedures.

A Houston-area woman was arrested at her gynecologist’s office by Sheriff’s deputies because she presented a false ID and now may face deportation, according to a September 11, 2015 report in the Houston Press.  The woman, Blanca Borrego, was reportedly visiting Northeast Women’s Healthcare for an annual check-up and to follow up on a painful abdominal cyst that had been identified a year earlier.   The Houston Press goes on to say that after filling out paperwork and waiting two hours, she was called into an exam room and met by law enforcement officers, who led her out in handcuffs in front of her young daughters.

“We’re going to take her downtown, she presented a form of false identification,” Borrego’s daughter recalled the deputy saying. He said their mother’s bond would probably be around $20,000, and added, “She’s going to get deported.”

Ms. Borrego had reportedly remained in the U.S. for 12 years on an expired visa.  It was her first visit to this clinic, although she had been treated previously by the same physician.  However, one commentator suggests she may have been eligible for protection from deportation under current law:

In fact, Borrego would have qualified for President Obama’s Deferred Action for Parents of Americans and Lawful Permanent Residents (DAPA) administrative reform program, which was announced last year. For the estimated 4.1 million undocumented individuals like Borrego—who have been in the United States since January 1, 2001 and have a son or daughter who is a U.S. citizen or lawful permanent resident—DAPA allows work permit applications and protection from deportation.  – Ana DeFrates, Texas Latina Advocacy Network, National Latina Institute for Reproductive Health

When can a physician practice, clinic, hospital or other healthcare provider reveal protected health information to law enforcement?  Section 164.512(j) of the HIPAA rule permits such disclosures to avert a serious threat to health or safety, and only in limited situations:

(j) A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose protected health information, if the covered entity, in good faith, believes the use or disclosure:

(i)(A) Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and

(B) Is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat; or

(ii) Is necessary for law enforcement authorities to identify or apprehend an individual:

(A) Because of a statement by an individual admitting participation in a violent crime that the covered entity reasonably believes may have caused serious physical harm to the victim; or

(B) Where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody, as those terms are defined in §164.501.

Covered entities may also disclose to law enforcement officials protected health information that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity (45 C.F.R. 164.512(f)(5)). It is not clear at this time whether Northeast will rely on that provision to justify its call to the police. There are no allegations of identity theft, and in fact Ms. Borrego reportedly was covered by her husband’s health insurance policy.

Ironically, when the Houston Press asked about its policies regarding informing authorities about suspected undocumented aliens, Memorial Hermann spokeswoman Alex Loessin reportedly replied, “As you know, because of patient privacy, I am unable to provide comment.”

The HIPAA implications of this emerging story have yet to fully play out.  Covered entities and their business associates should use caution before voluntarily disclosing PHI to law enforcement agencies, particularly when there is no indication of violent crime or serious threats to health or safety.