Text messaging is a convenient way for busy doctors to communicate, but for years, the question has remained: are doctors allowed to convey sensitive health information with other members of their provider team over SMS? The answer is now “yes,” thanks to a memo published last week by the U.S. Department of Health & Human Services (HHS), Centers for Medicare & Medicaid Services (CMS).   The memo clarifies that “texting patient information among members of the health care team is permissible if accomplished through a secure platform.”

However, texting patient orders is prohibited “regardless of the platform utilized” under the CMS hospital Conditions of Participation or Conditions of Coverage, and providers should enter orders into an electronic health record (EHR) by Computerized Provider Order Entry (CPOE).

According to the memo, CMS expects providers and organizations to implement policies and procedures that “routinely assess the security and integrity of the texting systems/platforms that are being utilized” to avoid negatively affecting patient care.

What’s interesting about the CMS memo is that texting on a cell phone has become as routine (if not more routine) as speaking into a cell phone – and HHS published guidance way back in 2013 explaining that the HIPAA Privacy Rule permits doctors and other health care providers to share protected health information over the phone. Telling a 21st century doctor not to communicate by text message (within the proper HIPAA parameters, of course) is like telling the President he can’t communicate on Twitter.

CMS’s restriction on texting patient orders appears to relate to concerns about medical record accuracy, not privacy and security. “CMS has held to the long standing practice that a physician … should enter orders into the medical record via a hand written order” or by CPOE, “with an immediate download into the … [EHR, which] would be dated, timed, authenticated, and promptly placed in the medical record.”

I asked a couple of IT security experts here at Fox how a provider or organization would go about “routinely assessing the security and integrity of the texting systems/platforms” being used by doctors. According to Fox partner and Chief Privacy Officer Mark McCreary, CIPP/US, the provider or organization might want to start by:

“… receiv[ing] and review[ing] their third party audits and certifications.  Most platform providers would make those available to customers (if not the public).  They like to tout their security.”

Matthew Bruce, Fox’s Information Security Officer, agreed:

“That is really the only practical way to routinely assess. SMS, which is standard text messaging, isn’t secure so it would likely require the potential use of a third party app like Signal. iMessages are encrypted and secure but only between iPhone users. Both companies should publish their security practices.”

So, providers or organizations participating in Medicare can (continue to) allow doctors to communicate (but not enter treatment orders) by text, but should periodically review the security of the texting systems or platforms the doctors are using. They may also want to remind doctors to make sure they know when and how to preserve text messages, whether by taking screen shots, using an SMS backup app, or some other method.

When I need to travel from the southern part of NJ to northern NJ, I often rely on my car or phone GPS and the relative ease and simplicity of the NJ Turnpike.  If I needed my southern NJ physician to share information with my northern NJ physician, I might be surprised to learn that it’s not as easy to get my health data from point A to point B.  My physicians might be using electronic health records (EHR) and health IT, but the communications infrastructure in NJ needs to be further developed.  We need greater awareness and adoption of regional health information organizations (HIOs), a way to fund their maintenance (an EZ Pass system for the transmission of health data?), and development of a connected, statewide system.

In January of 2011, the Office of the National Coordinator for Health Information Technology (ONC) awarded New Jersey $11.4 million to be used for developing a strategic and operational plan for health information exchange, and required the state to conduct an independent evaluation of the state’s health IT program.  The Rutgers University Center for State Health Policy (CSHP) conducted the evaluation and published a Report (Brownlee, et al) last year showing where New Jersey physicians stand (or stood, during a survey period that ran from late 2013 to early 2014) in terms of adoption and use of health IT.

[Figure: NJ Physician Engagement with Regional HIOs - Pie Chart]

When I read the Report, I was surprised to see that while physician use of health IT is increasing, the road to regional health data sharing (let alone statewide sharing) seems to be a long way off.  The Report found that awareness of the existence of a regional HIO by physicians was low (12.5%), and physician participation in a regional HIO was even lower (6.8%). The New Jersey Turnpike is gloriously accessible and functional as compared with this glimpse of the New Jersey health IT highway.

Where Are We Now? to be continued…

Medicare beneficiaries whose healthcare providers participate in an Accountable Care Organization (ACO) under the Medicare Shared Savings Program (MSSP) may want to add the Centers for Medicare & Medicaid Services (CMS) website, “Medicare & You”, to their lists of favorite internet links if they don’t want their Medicare claims data shared.  Proposed rules published by CMS in the December 8, 2014 Federal Register (the “Proposed Rules”) tweak the data sharing “opt-out” process slightly, but significantly.

Under the current MSSP regulations, a Medicare beneficiary that is a “preliminarily prospective assigned beneficiary” (meaning the beneficiary’s primary care provider participates in the ACO, but the beneficiary has not yet sought primary care services during the ACO performance year) may get a letter from his or her provider’s ACO informing the beneficiary that the ACO “may request [from Medicare] personal health information*  about the beneficiary for purposes of its care coordination and quality improvement work… .”  The beneficiary has 30 days from the date the letter is sent “to decline having his/her claims information shared with the ACO.”

* Interestingly, the regulation references “personal health information”, rather than “protected health information”, the term used by the Office for Civil Rights (which, like CMS, resides in the Department of Health and Human Services) in the HIPAA regulations, but the widely-used PHI acronym works for both, so what the heck?  But I digress… .

The current regulation only allows the ACO to request “identifiable claims data” (aka “personal health information” /“claims information”) from this “preliminarily prospective assigned beneficiary” if the beneficiary does not decline the data sharing within 30 days after the ACO letter is sent.

Under the Proposed Rules, Medicare fee-for-service beneficiaries will be “notified about the opportunity to decline claims data sharing through materials such as the CMS Medicare & You Handbook and through the notifications” received at the point of care.  These notifications are deemed “received” by the Medicare beneficiary when posted as signs at the ACO provider’s facility or office (and, in settings in which primary care is provided, when given to the beneficiary in writing upon request).  The beneficiary can still opt-out, but the notice itself will make it clear that data sharing may have already occurred:  “The notifications … must state that the ACO may have requested beneficiary identifiable claims data about the beneficiary for purposes of its care coordination and quality improvement work… .”

Data sharing is a key aspect of any successful ACO and can certainly be achieved in a HIPAA-compliant manner.  Notably, as CMS explains in the preamble to the Proposed Rules, care coordination and quality improvement activities, when performed by an ACO that is a covered entity, or by an ACO that is a business associate on behalf of a covered entity, qualify as “health care operations” functions or activities under HIPAA.  The elimination of the ACO letters and 30-day opt-out period for “preliminarily prospective assigned beneficiaries” is likely to reduce beneficiary confusion and ACO administrative expense.

As noted in the preamble to the Proposed Rules, only 2% of beneficiaries have historically opted out of ACO claims data sharing, anyway.  Perhaps only 2% of Medicare beneficiaries care about claims data sharing.  If the Proposed Rules are adopted, hopefully the “preliminarily prospective assigned beneficiaries” in the (however small) pool of future opt-outs will find the “Medicare & You” website and the ACO information (currently located on page 138) buried deep within it.

If you are a federally-facilitated health insurance exchange (FFE), a “non-Exchange entity”, or a State Exchange, the answer is “Quick, report!”  Those involved with the new health insurance exchanges (or “Marketplaces”?  The name, like the rules, seems to be a moving and elusive target) should make note that privacy and security incidents and breaches are to be reported within one hour of their discovery, according to regulations proposed by the Department of Health and Human Services (HHS) on June 19, 2013 (“Exchange Regulations”).  That’s right – within one hour, or a measly 60 minutes, of discovery of a breach involving personally identifiable information (PII), the entity where the breach occurs must report it to HHS.  Even a mere security “incident” would have to be reported within one hour.  The broad term “incident” would include:

[t]he act of violating an explicit or implied security policy, which includes attempts (either failed or successful) to gain unauthorized access to a system or its data, unwanted disruption or denial of service, the unauthorized use of a system for the processing or storage of data; and changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction, or consent. 

Whereas HIPAA breaches (those involving protected health information, or PHI) affecting more than 500 individuals must be reported to HHS “without unreasonable delay and in no case later than 60 days after discovery” and (as discussed here in an earlier blog post) there is no express requirement for reporting of security incidents to HHS, HHS’s new proposal requires a 60-minute turn-around for PII breaches and incidents alike.  HHS says that it “considered but declined to use the definitions” for “incident” and “breach” provided under the HIPAA regulations because “the PHI that triggers the HIPAA requirements is considered a subset of PII, and we believe that the HIPAA definitions would not provide broad enough protections… .”

The 60-minute turnaround time may sound familiar to Medicare Shared Savings Programs (MSSPs, also known as Medicare Accountable Care Organizations or ACOs).  Approved MSSPs must sign a Data Use Agreement with the Centers for Medicare & Medicaid Services (CMS) before they can obtain data from CMS that contains Medicare beneficiaries’ PHI.  The 60-minute turnaround under the Data Use Agreement is even a bit more onerous than that proposed in the Exchange Regulations in that breaches of PII must be reported within 60 minutes of the breach, loss, or unauthorized disclosure itself, rather than within 60 minutes of discovery of the breach, loss, or unauthorized disclosure.  Then again, the Data Use Agreement doesn’t require reporting of “incidents” like attempted access or power interruptions, and CMS is thoughtful enough to provide a phone number and email address to be used in making the reports.

The recent release of the HIPAA/HITECH “mega rule” or “omnibus rule” has given bloggers and lawyers like us plenty of topics for analysis and debate, as well as some tools with which to prod covered entities, business associates and subcontractors to put HIPAA/HITECH-compliant Business Associate Agreements (“BAAs”) in place. It’s also a reminder to read BAAs that are already in place, and to make sure the provisions accurately describe how and why protected health information (“PHI”) is to be created, received, maintained, and/or transmitted. 

If you are an entity that participates in the Medicare Shared Savings Program as a Medicare Accountable Care Organization (“ACO”), your ability to access patient data from Medicare depends on your having signed the CMS Data Use Agreement (the “Data Use Agreement”). Just as covered entities, business associates, and subcontractors should read and fully understand their BAAs, Medicare ACOs should make sure they are aware of several Data Use Agreement provisions that are more stringent than provisions typically included in a BAA and that may come as a surprise. Here are ten provisions from the Data Use Agreement worth reviewing, whether you are a Medicare ACO or any other business associate or subcontractor, as these may very well resurface in some form in the “Super BAA” of the future:


1. CMS (the covered entity) retains ownership rights in the patient data furnished to the ACO.

2. The ACO may only use the patient data for the purposes enumerated in the Data Use Agreement.

3. The ACO may not grant access to the patient data except as authorized by CMS.

4. The ACO agrees that, within the ACO and its agents, access to patient data will be limited to the minimum amount of data and minimum number of individuals necessary to achieve the stated purposes.

5. The ACO will only retain the patient data (and any derivative data) for one year or until 30 days after the purpose specified in the Data Use Agreement is completed, whichever is earlier, and the ACO must destroy the data and send written certification of the destruction to CMS within 30 days.

6. The ACO must establish administrative, technical, and physical safeguards that meet or exceed standards established by the Office of Management and Budget and the National Institute of Standards and Technology.

7. The ACO acknowledges that it is prohibited from using unsecured telecommunications, including the Internet, to transmit individually identifiable, bidder identifiable or deducible information derived from the patient files.

8. The ACO agrees not to disclose any information derived from the patient data, even if the information does not include direct identifiers, if the information can, by itself or in combination with other data, be used to deduce an individual’s identity.

9. The ACO agrees to abide by CMS’s cell size suppression policy (which stipulates that no cell of 10 or less may be displayed).

And last, but certainly not least:

10. The ACO agrees to report to CMS any breach of personally identifiable information from the CMS data file(s), loss of these data, or disclosure to an unauthorized person by telephone or email within one hour.


While the undertakings of a Medicare ACO and the terminology in the Data Use Agreement for protection of patient data may differ from those of covered entities, business associates and subcontractors and their BAAs under the HIPAA/HITECH regulations, they have many striking similarities and purposes. 


We have seen substantial delay in publication of the long-awaited HIPAA/HITECH Omnibus Final Rule, sometimes affectionately referred to as the “Mega Rule.” Health Data Management reported on June 6 of this year that Farzad Mostashari, national coordinator for health information technology, had said that the HIPAA Mega rule, which will include modifications to the privacy and security rule, breach notification and enforcement, “should” be published by “the end of summer.” After previous disappointments and delays in regulations in other contexts from the U.S. Department of Health and Human Services, however, it may be noteworthy that Mr. Mostashari was said to have used the word “should,” and did not specify the summer of what year, e.g., 2012, 2013, 2014, etc.

Now there has been some scuttlebutt that the Mega Rule may not surface until after Election Day, November 6, 2012, perhaps because of concerns about potential political implications. Even as we wait, there is some justifiable trepidation as to the number of pages of regulations that will be published. The recently-issued CMS final requirements that hospitals and other providers must meet to receive funding under the second phase of the federal electronic health-record incentive program, which is a relatively narrow topic, constituted 672 pages.


What can we expect from HHS on the Mega Rule? Well, we can register our own speculations. Marla Durben Hirsch, Editor of Medical Practice Compliance Alert published by DecisionHealth, Inc., informed me of a clever contest that is being conducted online by idexperts as to the Mega Rule. Any household can put in a single entry as to the month, day and year that the Mega Rule will be published in the Federal Register. In the event of a tie, the number of pages in the Mega Rule will serve as a first tie breaker. The prize for first place is a contribution of $2,500 in the name of the winner to the Wounded Warrior Project, a $200 Amazon gift card, a year’s subscription to RADAR published by idexperts and, of course, internet bragging rights.

So, with the approach of Labor Day and the waning days of summer, join the contest and make the Mega Rule wait more enjoyable!

The Centers for Medicare & Medicaid Services (CMS) recently published proposed rules setting forth the “Stage 2” criteria that eligible providers (EPs), eligible hospitals (EHs), and critical access hospitals (CAHs) (referred to herein collectively as “providers”) would be required to meet in order to qualify for Medicare and/or Medicaid incentive payments for the use of electronic health records (EHRs) (“Stage 2 Proposal”). The Stage 2 Proposal is a small-font, acronym-laden, tediously-detailed 131-page document that modifies and expands upon the criteria included in the “Stage 1” final rule published on July 28, 2010 and is likely to be of interest primarily to providers concerned with receiving or continuing to receive added payments from CMS for adopting and “meaningfully using” EHR. 

The Stage 2 Proposal is not, at first glance, particularly relevant reading for those of us generally interested in issues involving the privacy and security of personal information — or even those of us more specifically interested in the privacy and security of protected health information (PHI). Still, two new provisions caught my attention because they measure the meaningful use required for provider incentive payments based not simply on the providers’ use of EHR, but on their patients’ use of it. 


One provision of the Stage 2 Proposal would require a provider to give at least 50% of its patients the ability to timely "view online, download, and transmit" their health information ("timely" meaning within 4 business days after the provider receives it) (and subject to the provider’s discretion to withhold certain information).  Moreover, it would require that more than 10% of those patients (or their authorized representatives) actually view, download or transmit the information to a third party.  There’s an exception for providers that conduct a majority (more than 50%) of their patient encounters in a county that doesn’t have 50% or more of "its housing units with 4Mbps broadband availability as per the most recent information available from the FCC” (whew!) for the applicable EHR reporting period. 


Another provision would require a provider to use "secure electronic messaging to communicate with patients on relevant health information" and would require the provider to show that more than 10% of the provider’s patients seen during the reporting period actually sent secure messages (presumably, to the provider, though the language is not precise) using the "electronic messaging function of Certified EHR Technology."  According to CMS:


[O]ver 43,000 providers have received $3.1 billion to help make the transition to electronic health records; the number of hospitals using EHRs has more than doubled in the last two years from 16 to 35 percent between 2009 and 2011; and 85 percent of hospitals now report that by 2015 they intend to take advantage of the incentive payments.


The Stage 2 Proposal will incentivize providers to continue this trend toward meaningful use of EHRs, but is also likely to result in providers’ efforts to induce their patients to become EHR users.


Perhaps patients are ready, willing and able to communicate with providers via email and to download and forward their PHI. According to AARP, the aging baby boomer generation appears to be embracing electronic media and social networking at an unprecedented rate, and it is this segment of the population that is most likely to require health care services. 

By: Elizabeth G. Litten and Michael J. Kline

Kaiser Health News reported today that a division of UnitedHealth, Optum, will be using cloud computing technology to allow centralized access to fragmented health information. The Philadelphia Business Journal (the “Journal”) also reported today that three large Blues plans in Pennsylvania and New Jersey (Highmark Inc., Independence Blue Cross, and Horizon Blue Cross and Blue Shield of New Jersey) and a health information technology company, Lumeris Corp. (“Lumeris”), will be joining together to purchase NaviNet, “the country’s largest real-time communication network for physicians, hospitals, and health insurers.” 


According to the Journal article, Lumeris created an accountable-care delivery platform to support “new payment models that reward improved outcomes, enhanced patient safety, and increased physician and patient satisfaction, while lowering overall health-care costs.” The combination of the Lumeris accountable-care platform and NaviNet’s real-time communication network is designed to facilitate the sharing of information and the “administrative, clinical, and financial tasks” needed for high quality, less costly (i.e., “accountable”) care.


Clearly, the health care industry is racing to create information superhighways into which health information can be entered, consolidated, accessed, maintained and used in novel ways that will improve our health care delivery and payment system. If the protected health information (“PHI”) flowing through these information superhighways and into and out of clouds and other data bases is adequately secured and the increased use and sophistication of health information technology results in improved quality and reduced cost, can anyone reasonably object to this race? Even the Centers for Medicare and Medicaid Services encourages sharing and using PHI to improve quality and reduce costs (see discussions of privacy issues in the Final Rule on the “Medicare Shared Savings Program: Accountable Care Organizations”).


In his recent post to this blog, our law partner Bill Maruca made it clear that the Minnesota Attorney General (“MAG”) is not a fan of the manner in which at least one company, Accretive Health, Inc. (“Accretive”), accessed and used (and, incidentally, allegedly improperly disclosed) PHI. Although the PHI breach seems to have triggered the MAG’s lawsuit against Accretive, the complaint seems particularly critical of Accretive’s “Quality and Total Cost of Care” services, which allegedly used “data mining,” “consumer behavior modeling,” and “propensity to pay” algorithms.  Accretive allegedly “amasses and has access to a high volume of sensitive and personal information,” which it uses to, among other things, create “per patient risk score” calculations. 


The MAG claims that, “upon information and belief”, patients’ medical authorization forms did not “identify Accretive by name or disclose the scope and the breadth of the information” that the hospitals that engaged Accretive for these services shared with Accretive. The MAG does not claim that the hospitals involved violated HIPAA requirements related to notice of privacy practices and patient consents and authorizations. Rather, the complaint alleges violations by Accretive of the Minnesota Prevention of Consumer Fraud Act and the Minnesota Uniform Deceptive Trade Practices Act, related to the assertion that patients were “not aware of the extent of Accretive’s involvement in their health care or the extent to which it amasses data about them.” 


We agree wholeheartedly with Bill’s closing comment, cautioning that regulators not chill legitimate uses of health information data and technology. We also wonder whether, and under what circumstances, patients should be informed of the myriad directions in which their health information might “legitimately” travel, be mined, and/or be analyzed, or whether that additional layer of patient notice will create unnecessary speed bumps in the race toward more affordable, high quality care. 


Finally, query whether such notice to a patient about the use of PHI for development of modeling, data mining, risk scores, algorithms, etc., meaningfully adds to the patient’s knowledge and understanding of what is likely to matter most to the patient – the extent, if any, to which such uses may enhance, limit and/or alter his/her personal medical treatment by physicians and other providers.

As HITECH refocuses the health care industry’s attention on security, the role of the National Institute of Standards and Technology (“NIST”) in developing standards for health information security will become more central.

On May 18, 2009, Fox Rothschild LLP will present at the NIST and CMS Security Rule Conference in Gaithersburg, Maryland, called “Safeguarding Health Information: Building Assurance Through HIPAA Security”. Elizabeth Litten, Esq., a partner of Fox Rothschild’s Health Law Group, and Co-chair of its Government Relations practice group, will be presenting at the NIST/CMS Security Conference as part of a Panel Discussion on Assessments from the Organizational Perspective. The panel will share its experiences with, and expectations for, audits, assessments, and compliance reviews, and provide strategies for greater assessment efficiencies. For further information on the NIST/CMS Security Rule Conference, please visit the NIST website.


For a copy of the Power Point presentation prepared by Elizabeth and Helen Oscislawski, Esq. for the NIST/CMS Security Rule Conference please visit our Blog again next week, or if you subscribe to our Blog a copy will be e-mailed to you directly.