Our partner Elizabeth Litten and I had a recent conversation with our good friend Marla Durben Hirsch, who quoted us in her Medical Practice Compliance Alert article, “Beware False Promises From Software Vendors Regarding HIPAA Compliance.” The full text can be found in the February 2016 issue, but some excerpts regarding six tips to reduce the risk of obtaining unreliable HIPAA compliance and protection software from vendors are summarized below.

As the backdrop for her article, Marla used the $250,000 settlement of the Federal Trade Commission (the “FTC”) with Henry Schein Practice Solutions, Inc. (“Henry Schein”) for alleged false advertising that the software it marketed to dental practices provided “industry-standard encryption of sensitive patient information” and “would protect patient data” as required by HIPAA. Elizabeth has already posted a blog entry on aspects of the Henry Schein matter that may be found here.

During the course of our conversation with Marla, Elizabeth observed, “This type of problem [risk of using unreliable HIPAA software vendors] is going to increase as more physicians and health care professionals adopt EHR systems, practice management systems, patient portals and other health IT.”

The six tips listed by Marla are summarized as follows:

  1. Litten and Kline: Vet the software vendor regarding the statements it’s making to secure and protect your data. If the vendor is claiming to provide NIST-standard encryption, ask for proof. See what it’s saying in its marketing brochures. Check references, Google the company for lawsuits or other bad press, and ask whether it suffered a security breach and, if so, how the vendor responded.

  2. Kline: “Make sure that you have a valid business associate agreement that protects your interests when the software vendor is a business associate.” However, a provider must be cautious to determine first whether the vendor is actually a business associate before entering into a business associate agreement.

  3. Litten: “Check whether your cyberinsurance covers this type of contingency. It’s possible that it doesn’t cover misrepresentations, and you should know where you stand.”

  4. Litten and Kline: “See what protections a software vendor contract may provide you.” For instance, if a problem occurs with the software or it’s not as advertised, and the vendor is not obligated to provide you with remedies, you might want to add such protections, using the Henry Schein settlement as leverage.

  5. Litten and Kline: “Don’t market or advertise that you provide a level of HIPAA protection or compliance on your web-site, Notice of Privacy Practices or elsewhere unless you’re absolutely sure that you do so.” The FTC is greatly increasing its enforcement activity.

  6. Kline: “Look at your legal options if you find yourself defrauded.” For instance, the dentists who purchased the software [from Henry Schein] under allegedly false pretenses have grounds for legal action.

The primary responsibility for compliance with healthcare data privacy and security standards rests with the covered entity. It must show reasonable due diligence in selecting, contracting with, and monitoring the performance of software vendors in order to avoid liability for the foibles of those vendors.

Our partner Elizabeth Litten and I were quoted by our good friend Marla Durben Hirsch in her article in Medical Practice Compliance Alert entitled “6 Compliance Trends Likely to Affect Your Practices in 2016.” The full text can be found in the January 13, 2016, issue, but a synopsis is below.

For her article, Marla asked various health law professionals to make predictions on matters such as HIPAA enforcement, the involvement of federal agencies in privacy and data security, and actions related to the Office for Civil Rights (“OCR”) of the federal Department of Health and Human Services (“HHS”).

After the interview with Marla was published, I noted that each of Elizabeth’s and my predictions described below happened to touch on our anticipation of the expansion by HHS and other federal agencies of their scope and areas of healthcare privacy regulation and enforcement. I believe that this trend is not a coincidence in this Presidential election year, as such agencies endeavor to showcase their regulatory activities and enlarge their enforcement footprints in advance of possible changes in the regulatory environment under a new administration in 2017. If an agency can demonstrate effectiveness and success during 2016 in new areas, it can make a stronger case for funding human and other resources to continue its activities in 2017 and thereafter.

Our predictions that were quoted by Marla follow.

Kline Prediction: Privacy and data enforcement actions will receive more attention from federal agencies outside of the OCR.

In light of the number of breaches that took place in 2015, the New Year will most likely see an increase in HIPAA enforcement. However, regulators outside of healthcare, such as the Department of Homeland Security, the Securities and Exchange Commission and the Federal Communications Commission, are also trying to extend their foothold into the healthcare compliance realm, much as the Federal Trade Commission has.

Litten Prediction: The Department of Justice (DOJ) and the OCR will focus more on individual liability.

In September of 2015, the DOJ announced through the Yates Memo that it would be shifting its strategy to hold individuals to a higher level of accountability for an entity’s wrongdoing. The OCR has also indicated that it will focus more on individuals who violate HIPAA. “They’re trying to put the fear in smaller entities. A small breach is as important as a big one,” says Litten.

Kline Prediction: OCR will examine business associate relationships.

The HIPAA permanent audit program, which has been delayed by the OCR, will be rolled out in 2016 and will scrutinize several business associates. In turn, all business associate relationships will receive increased attention. According to Kline, “There will be more focus on how you selected and use a business associate and what due diligence you used. People also will be more careful about reviewing the content of business associate agreements and determining whether one between the parties is needed.”

We shall continue to observe whether the apparent trend of federal agencies growing their reach into regulation of healthcare privacy continues as we approach the Presidential election.

Our partner Elizabeth Litten and I were once again quoted by our good friend Marla Durben Hirsch in her recent article in Medical Practice Compliance Alert entitled “Improve Usability but Mind HIPAA if Using Personal Mobile Devices for Work.” The full text can be found in the September 28, 2015, issue of Medical Practice Compliance Alert, but a synopsis reflecting our comments is included below.

Medical practice communications are increasingly mobile, with a reported 83% of physicians using mobile technology to provide patient care and 71% of nurses doing the same, according to a mobile technology survey from the Healthcare Information and Management Systems Society (HIMSS). Mobile devices, however, must be managed carefully to avoid creating an undue HIPAA security risk.

Some steps to protect patient data when using mobile devices include the following:

  1. Health care providers should use encryption to make mobile devices more secure. Email programs should be able to assure that the message cannot be read until it has been transmitted to the provider’s device. Kline warns, “A password on a phone is not encryption.”
  2. Providers should get informal messages and conversations from mobile devices, such as text messages, into the patient’s medical record. Kline says, “Have you made an entry [of the informal message or conversation] in the record? If not, the medical record is not accurate.”
  3. “Providers should be sure to obtain patient consent to communicate by mobile device as well,” says Litten. This is especially important if the communication may be unsecured.
  4. Avoiding the lack of discipline that mobile devices often encourage, such as non-medical shorthand, is crucial. Kline says, “Communications over mobile devices are more likely to contain misspellings and other errors, which can create malpractice liability and are not best practice when communicating treatment.”

The ever-increasing utilization of mobile devices in the delivery of healthcare services to patients is placing greater demands on those providers who are subject to, and those who are drafting, implementing and enforcing, HIPAA policies and procedures.

Our partner Elizabeth Litten and I were once again quoted by our good friend Marla Durben Hirsch in her recent articles in Medical Practice Compliance Alert entitled “Misapplication of Internet Application Triggers $218,400 Settlement” and “Protect Patient Data on the Internet with These 6 Steps.” The three of us together were able to come up with a number of ideas to assist physicians in improving the likelihood that protected health information (“PHI”) will be more secure. The full text can be found in the August 17, 2015 issue of Medical Practice Compliance Alert, but a synopsis of our input is included below.

Internet applications and files should be included in a physician practice’s HIPAA compliance plan, or a violation may result. As an example, St. Elizabeth’s Medical Center (“SEMC”) in Brighton, MA recently settled several potential HIPAA violations for $218,400 with the Office for Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”). One of the incidents involved SEMC’s use of an unauthorized internet-based document-sharing application. The size of this settlement highlights the concerns of OCR about misuse by healthcare providers of internet-based document sharing or other applications.

Some steps to protect patient data on the internet include the following:

  1. Review the internet applications your practice uses. Litten says, “Take steps such as encryption to protect the data when it’s shared, transmitted and stored.”
  2. Ask the application’s manufacturer about its security safeguards. “If a manufacturer claims that (its application) is HIPAA protected, ask what that means,” Litten urges.
  3. Investigate all internal and external complaints and concerns. Kline says, “Expect the government to find out about PHI exposed on the Internet from a third party.”
  4. Keep track of the steps you take to identify and fix the problem. “You do better if you have a history that you endeavored to comply with HIPAA,” says Kline.
  5. Provide a mechanism by which employees can report concerns anonymously. Kline suggests, “You need a private place where people feel they’re not being watched.”
  6. Don’t allow staff to use unauthorized public networks. “Don’t open documents in, say, a Starbucks,” warns Litten.

In summary, in order for physicians to protect their practices, they must be certain that they understand their HIPAA privacy and security obligations in the context of internet application usage.

Our partner Elizabeth Litten and I were once again quoted by our good friend Marla Durben Hirsch in her recent article in Medical Practice Compliance Alert entitled “Beware of HIPAA, Patient Privacy During Practice Employment Disputes.” The full text can be found in the March 30, 2015 issue of Medical Practice Compliance Alert, but a synopsis is below.

The opinion in the case of Peace et al. v. Premier Primary Care Physicians S.C. et al. (the “Peace Case”) in the U.S. District Court for the Northern District of Illinois highlights how patient privacy rights do not give physician practices free rein to use patient information for their own purposes without potentially serious legal fallout. In the Peace Case, a physician practice group (the “Practice”) terminated two employees, citing, among other things, poor job performance and rude and unprofessional behavior toward patients. The Practice then refused to reveal to the terminated employees the names of the specific patients who had purportedly complained of such unprofessional behavior.

The District Judge sided with the former employees to some extent and ordered the Practice to provide contact information for a limited number of such patients, so that the terminated employees could contact and interview them as part of the discovery process in their employment lawsuit against the Practice. Elizabeth observed, “The physicians had enough information [to justify the termination] without putting patients in the middle. The [P]ractice put itself in a position to now have to turn over patient information and alienate patients.”

The Peace Case also demonstrates the confusion surrounding privacy rights, as the Practice may have violated HIPAA patient privacy requirements by being required to disclose patient protected health information (“PHI”) without authorization. Unfortunately, Elizabeth suspects, the judge and attorneys in the Peace Case appeared not to have known much about HIPAA, so its applicability was not adequately addressed. I was quoted as adding the following to Elizabeth’s point:

It looks like the judge factored a remedy designed to pressure them [the Practice and the terminated employees] to settle. Even if the [former] employees were entitled to PHI in their employment suit, HIPAA likely was not followed. There was neither a protective order [limiting the disclosure] nor [adherence to HIPAA’s] minimum necessary requirements. Either party would have helped their cases here by invoking HIPAA.

Practices should also take caution when using PHI and identities of patients to justify employment decisions. “The [P]ractice should have downplayed the role of patients,” Elizabeth advised.

In summary, in order for physicians to protect their practices, they must be certain that the practice and its legal counsel understand HIPAA privacy and security obligations in the context of employment disputes. The judge may need guidance in this area, or even to be alerted that HIPAA may be an issue.

We have seen substantial delay in publication of the long-awaited HIPAA/HITECH Omnibus Final Rule, sometimes affectionately referred to as the “Mega Rule.” Health Data Management reported on June 6 of this year that Farzad Mostashari, national coordinator for health information technology, had said that the HIPAA Mega Rule, which will include modifications to the privacy and security rules, breach notification and enforcement, “should” be published by “the end of summer.” After previous disappointments and delays in regulations in other contexts from the U.S. Department of Health and Human Services, however, it may be noteworthy that Mr. Mostashari was said to have used the word “should,” and did not specify the summer of what year, e.g., 2012, 2013, 2014, etc.

Now there has been some scuttlebutt that the Mega Rule may not surface until after Election Day, November 6, 2012, perhaps because of concerns about potential political implications. Even as we wait, there is some justifiable trepidation as to the number of pages of regulations that will be published. The recently-issued CMS final requirements that hospitals and other providers must meet to receive funding under the second phase of the federal electronic health-record incentive program, a relatively narrow topic, ran to 672 pages.

What can we expect from HHS on the Mega Rule? Well, we can register our own speculations. Marla Durben Hirsch, Editor of Medical Practice Compliance Alert published by DecisionHealth, Inc., informed me of a clever contest that is being conducted online by idexperts regarding the Mega Rule. Any household can submit a single entry as to the month, day and year on which the Mega Rule will be published in the Federal Register. In the event of a tie, the number of pages in the Mega Rule will serve as the first tie-breaker. The prize for first place is a contribution of $2,500 in the name of the winner to the Wounded Warrior Project, a $200 Amazon gift card, a year’s subscription to RADAR published by idexperts and, of course, internet bragging rights.

So, with the approach of Labor Day and the waning days of summer, join the contest and make the Mega Rule wait more enjoyable!