The recent criminal conviction of a Massachusetts physician provides a stark reminder that violating HIPAA can result in more than civil monetary penalties and the financial and reputational fall-out that results from a breach. In this case, perhaps the cover-up was worse than the crime, or maybe prosecutors decided that a conviction on other charges would have been harder to get. Either way, the case should alert covered entities and business associates to the fact that HIPAA violations can result in jail time and criminal fines.

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) investigates complaints and may impose civil monetary penalties (CMPs) for violations of HIPAA. The U.S. Department of Justice (DOJ) handles criminal investigations and penalties. This may not provide much comfort, but a CMP will not be imposed if the HIPAA violation is determined to constitute a criminal offense.

OCR will refer matters to DOJ for criminal enforcement in some cases or will work cooperatively with DOJ where a DOJ investigation on other grounds reveals a potential HIPAA violation.  HHS reported that OCR had referred 688 cases to the DOJ for criminal investigation as of June 30, 2018.

The criminal enforcement of HIPAA was described in a Memorandum Opinion issued in 2005 jointly to HHS and the Senior Counsel to the Deputy Attorney General by Steven Bradbury, then-acting Assistant Attorney General of the Office of Legal Counsel within DOJ (the DOJ Memo). The DOJ Memo explains that HIPAA allows for criminal penalties only for violations that involve the disclosure of “unique health identifiers” or “individually identifiable health information” (IIHI) that are made “knowingly” and in violation of HIPAA.   Specifically, a person may be subject to criminal penalties if he or she knowingly (and in violation of HIPAA):  (i) uses or causes to be used a unique health identifier; (ii) obtains IIHI; or (iii) discloses IIHI to another person.  Criminal penalties range from misdemeanors to felonies.  The maximum criminal penalty (a fine of up to $250,000 and imprisonment of up to 10 years) can be imposed if one of these offenses is committed “with intent to sell, transfer, or use [IIHI] for commercial advantage, personal gain, or malicious harm.”  The DOJ Memo explains that “knowingly” refers to knowledge of the facts that constitute the offense, not knowledge of the law being violated (HIPAA).

The DOJ Memo emphasizes the fact that criminal penalties are reserved for limited and specific violations of HIPAA: “Such punishment is reserved for violations involving ‘unique health identifiers’ and [IIHI]… Thus, the statute reflects a heightened concern for violations that intrude upon the medical privacy of individuals.” The DOJ Memo focuses on violations by covered entities. It notes that when a covered entity is not an individual, but is a corporate entity, the conduct of agents may be imputed to the entity when the agents act within the scope of employment, and the criminal liability of a corporate entity may be attributed to individuals in managerial roles.

DOJ might decide to seek a conviction for a violation of HIPAA when it believes such a conviction would be easier to get than a conviction for a violation of other federal laws governing health care providers (such as the anti-kickback statute). After all, the DOJ Memo makes it clear that “knowing” refers to the conduct, not the state of the law. However, it should be noted, as per the DOJ Memo, that the DOJ’s interpretation of “‘knowingly’ does not dispense with the mens rea requirement of section 1320d-6 [HIPAA] and create a strict liability offense; satisfaction of the ‘knowing’ element will still require proof that the defendant knew the facts that constitute the offense.”

When a health care entity (like a large hospital system or health plan) has deep pockets, the OCR may decide to pursue very high civil monetary penalties and rely on the financial and reputational implications of the civil monetary penalties to act as a deterrence.  On the other hand, the DOJ may seek to deter behavior associated with a wider range of criminal activities by pursuing jail time for a HIPAA violation.

In the case of the Massachusetts physician, it is also likely that the DOJ pursued the criminal charge because she lied about her relationship with the third party to which she disclosed patient information. My law partner Charles DeMonaco, a white collar defense attorney and former DOJ prosecutor, agrees:

It is understandable why this doctor was indicted and convicted for these offenses.  She was accused of lying to the agents, which is always a major hurdle in a criminal case.  Even if an underlying crime cannot be established, a lie of a material fact to a government agent is a stand-alone false-statement felony.  It also establishes consciousness of guilt. The doctor could have asserted her Fifth Amendment privilege against self-incrimination to avoid talking to the government agents.  It is never a good thing for a doctor to speak with agents who are investigating the doctor’s conduct without counsel and without proper protection of limited use immunity being sought prior to the interview.  The government also proved that she accepted fees from the pharma company after providing the [IIHI] in violation of HIPAA.  Under these facts, it is not surprising that this case was brought as a criminal prosecution and that a guilty verdict was returned.

Everyone subject to HIPAA should be aware that a HIPAA violation involving disclosure or breach of IIHI may be the low-hanging fruit for criminal prosecutors originally focused on other violations of law.   In particular, covered entities should carefully evaluate arrangements with third parties that involve the sharing of IIHI with those parties for commercial/personal gain or commercial harm. If the sharing of IIHI is not permitted under HIPAA and commercial gain or harm is involved, these violations could result in the most severe level of criminal penalties, including significant jail time.

In our most recent post, the Top 5 Common HIPAA Mistakes to Avoid in 2018, we noted that the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) has recently published guidance on disclosing protected health information (PHI) related to overdose victims. OCR published this and other guidance within the last two months in response to the Opioid Crisis gripping the nation and confusion regarding when and to whom the PHI of patients suffering from addiction or mental illness may be disclosed.

To make the guidance easily accessible to patients and health care professionals, OCR published two webpages, one dedicated to patients and their family members and the other dedicated to professionals.

  • Patients and their family members can find easy-to-read commentary addressing the disclosure of PHI in situations of overdose, incapacity or other mental health issues here.
  • Physicians and other health care professionals can find similar fact sheets tailored to their roles as covered entities here.
  • OCR also recently issued a two-page document summarizing its guidance on when health care professionals may disclose PHI related to opioid abuse and incapacity [accessible here].

The main points from this guidance include:

  1. If a patient has the capacity to make decisions regarding his or her health care, a health care professional may not generally share any PHI with family, friends or others involved in the patient’s care (or payment for care), unless the patient consents to such disclosure. However, a health care professional may disclose PHI if there is a serious and imminent threat of harm to the patient’s health and the provider in good faith believes that the individual to whom the information is disclosed would be reasonably able (or in a position) to prevent or lessen such threat. According to OCR, in the context of opioid abuse, this rule allows a physician to disclose information about the patient’s opioid abuse to any individual whom the physician in good faith believes could reasonably prevent or lessen the harm that could be caused by the patient’s continued opioid abuse following discharge.
  2. If the patient is incapacitated or unconscious, HIPAA allows health care professionals to disclose certain PHI to family and close friends without a patient’s permission where (i) the individuals are involved in the care of the patient, (ii) the health care professional determines that disclosing the information is in the best interests of the patient, and (iii) the PHI shared is directly related to the family or friend’s involvement in the patient’s health care (or payment for such health care). As an example, OCR clarified that a physician may, in his or her professional judgment, share PHI regarding an opioid overdose and related medical information with the parents of someone who is incapacitated due to an overdose.
  3. OCR also addressed the difficult situation where a patient is severely intoxicated or unconscious, but may regain sufficient capacity to make health care decisions several hours after arriving in the emergency room.   In such situations, HIPAA would allow a physician or nurse to share PHI related to the patient’s overdose and medical condition with the patient’s family or close personal friends while the patient is incapacitated, so long as the nurse or doctor believes that it is in the patient’s best interest to do so and the information shared with the family member or friend is related to the individual’s involvement in the patient’s health care.

OCR published similar guidance, available at the above websites, regarding the disclosure of PHI related to the mental health of a patient.  Included in that guidance is clarification that HIPAA does not prohibit treating physicians from sharing PHI of a patient with a mental illness or substance use disorder for treatment purposes, except in the case of psychotherapy notes.

However, it is important to understand that OCR’s guidance on these issues does not supersede state laws or other federal laws or rules of medical ethics that would apply to disclosure of a patient’s PHI, including the federal confidentiality regulations [located at 42 CFR Part 2] pertaining to patient records maintained in connection with certain federally-assisted substance use disorder treatment programs.  The “Part 2” regulations (as well as state patient confidentiality laws that are more restrictive than HIPAA) could prohibit some or all of the disclosures which OCR has now clarified are permitted under HIPAA.

If you have a question regarding how this new guidance may affect your practice, please contact a knowledgeable attorney.

A patient requests a copy of her medical record, and the hospital charges the per-page amount permitted under state law. Does this violate HIPAA? It may.

In the spring of 2016, the Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services, the agency that enforces HIPAA, issued a new guidance document on individuals’ right to access their health information under HIPAA (“Access Guidance”).   The Access Guidance reminds covered entities that state laws that provide individuals with a greater right of access (for example, where the state law requires that access be given within a shorter time frame than that required by HIPAA, or allows individuals a free copy of medical records) preempt HIPAA, but state laws that are contrary to HIPAA’s access rights (such as where the state law prohibits disclosure to an individual of certain health information, like test reports) are preempted by HIPAA.

For New Jersey physicians, for example, this means they may not automatically charge $1.00 per page or $100.00 for a copy of the entire medical record, whichever is less, despite the fact that the New Jersey Board of Medical Examiners (“BME”) expressly permits these charges. In fact, according to the Access Guidance, physicians should not charge “per page” fees at all unless they maintain medical records in paper form only. New Jersey physicians also may not charge the “administrative fee” of the lesser of $10.00 or 10% of the cost of reproducing x-rays and other documents that cannot be reproduced by ordinary copying machines. Instead, a New Jersey physician may charge only the lesser of the charges permitted by the BME or those permitted under HIPAA, as described below.

HIPAA limits the amount that covered entities may charge a patient (or third party) requesting access to medical records to only a “reasonable, cost-based fee to provide the individual (or the individual’s personal representative) with a copy” of the record.  Only the following may be charged:   

(1) the reasonable cost of labor for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, but not costs associated with reviewing the request, searching for or retrieving the records, and segregating or “otherwise preparing” the record for copying;  

(2) the cost of supplies for creating the paper copy (e.g., paper, toner) or electronic media (e.g., CD or USB drive) if the individual requests the records in portable electronic media; and  

(3) actual postage costs, when the individual requests mailing. 

The fee may also include the reasonable cost of labor to prepare an explanation or summary of the record, but only if the individual, in advance, chooses to receive an explanation or summary AND agrees to the fee to be charged for the explanation or the summary.

A provider may calculate its actual labor costs each time an individual requests access, or may develop a schedule of costs for labor based on the average (and HIPAA-permitted types of) labor costs incurred in fulfilling standard types of access requests.  However, a provider is NOT permitted to charge an average labor cost as a per-page fee unless the medical record is: (1) maintained in paper form; and (2) the individual requests a paper copy or asks that the paper record be scanned into an electronic format.  Thus, under HIPAA, a per-page fee is not permitted for medical records that are maintained electronically.  As stated in the Access Guidance, “OCR does not consider per page fees for copies of … [protected health information] maintained electronically to be reasonable” for purposes of complying with the HIPAA rules.   

A provider may also decide to charge a flat fee of up to $6.50 (inclusive of labor, supplies, and any applicable postage) for requests for electronic copies of medical records maintained electronically.    OCR explains that the $6.50 is not a maximum, simply an alternative that may be used if the provider does not want to go through the process of calculating actual or average allowable costs for requests for electronic copies. 

OCR has identified compliance with “individual access rights” as one of seven areas of focus in the HIPAA audits of covered entities and business associates currently underway, signaling its concern that physicians and other covered entities may be violating HIPAA in this respect.  All covered entities should, therefore, calculate what HIPAA permits them to charge when copies of medical records are requested by an individual (or someone acting at the direction of or as a personal representative of an individual), compare that amount to the applicable state law charge limits, and make sure that only the lesser of the two amounts is charged.


Part 2

Money talks.

In other words, offering financial incentives is one way to effect behavior change.  It seems to have worked in getting providers to adopt and use health IT in everyday practice, both in New Jersey and nationally.

HITECH and Meaningful Use Incentive Payments

As explained by ONC in its October 2014 “Report to Congress”:

“Prior to the HITECH Act, adoption of EHRs among physicians and hospitals was quite low. In 2009, roughly one-half (48 percent) of office-based physicians had any type of EHR system. When examining the adoption of EHRs containing functionalities, such as the ability to generate a comprehensive list of patients’ medications and allergies and the ability to view laboratory or imaging results electronically, only 22 percent of office-based physicians had a basic EHR system. U.S. hospitals had similar adoption rates. In 2009, only 12 percent of hospitals had adopted a basic EHR system.”


According to ONC, as of June of 2014, more than 75% of the nation’s eligible physicians had received incentive payments, while 92% of eligible hospitals (including critical access hospitals) had received incentive payments. The areas evaluated by CSHP covered key meaningful use criteria eligible physicians must meet in order to receive these payments.

For the NJ evaluation, CSHP conducted and analyzed a physician mail survey, clinical laboratory and pharmacy mail surveys with telephone follow-up, and physician follow-up telephone interviews with fax and mail follow-up.  In addition, Health Information Organization (HIO) use metrics from each of New Jersey’s six regional HIOs were collected from the New Jersey Department of Health and analyzed by CSHP researchers.

New Jersey Health IT Adoption

The CSHP Report findings identified several key themes.  Among physicians responding, older physicians, those in smaller practices, and specialists were less likely to adopt health IT and more likely to report barriers to adoption (particularly start-up and maintenance costs) and were also more likely to report implementation of health IT as having had a negative impact on their practices.

Most physicians who reported use of health IT felt that use of health IT had a positive impact. However, they frequently cited start-up and maintenance costs as barriers to health IT use. For labs and pharmacies, those not using health IT reported more perceived barriers to health IT use and anticipated a more negative impact on their workflow and productivity. Among physicians, labs, and pharmacies, the lack of uniform standards within the industry was cited as resulting in poor system compatibility and was a major issue across all types of health IT.

CSHP weighted the physician mail survey data by specialty to be representative of New Jersey’s office-based physicians. Key findings regarding specific health IT use among the state’s physicians responding to the physician mail survey included the following:

  • Nearly three-fourths (72.5%) of physicians reported use of health IT to transmit prescriptions to pharmacies electronically.
  • Nearly two-thirds (62.6%) of physicians reported use of health IT to view test results from clinical labs electronically. However, only 37.1% reported use of health IT to send lab test requests electronically.
  • Nearly half (48.9%) of physicians reported that they maintained 100% of patient records in their EHR systems.
  • More than half of physicians (57.3%) provided a clinical visit summary to at least 50% of their patients. Less than half of physicians (42.9%) provided electronic patient care summaries to other providers. About one-quarter of physicians (23.0%) accessed electronic patient care summaries created by other providers.

In (very general) comparison, the ONC Report found that in 2013, 57% of prescriptions sent by physicians were sent electronically.  ONC also reported that more than two-thirds (69%) of physicians reported having the capability to order lab tests electronically, while more than three-quarters (77%) reported having the ability to view the lab results electronically.

Perhaps statewide health IT interoperability through expansion of and connection among regional NJ HIOs can be achieved in the next decade, but it will require creation of the necessary health IT infrastructure, awareness of its existence by the providers who will use it, and, perhaps, financial or other incentives to effect its adoption and use.


When I need to travel from the southern part of NJ to northern NJ, I often rely on my car or phone GPS and the relative ease and simplicity of the NJ Turnpike.  If I needed my southern NJ physician to share information with my northern NJ physician, I might be surprised to learn that it’s not as easy to get my health data from point A to point B.  My physicians might be using electronic health records (EHR) and health IT, but the communications infrastructure in NJ needs to be further developed.  We need greater awareness and adoption of regional health information organizations (HIOs), a way to fund their maintenance (an EZ Pass system for the transmission of health data?), and development of a connected, statewide system.

In January of 2011, the Office of the National Coordinator for Health Information Technology (ONC) awarded New Jersey $11.4 million to be used for developing a strategic and operational plan for health information exchange, and required the state to conduct an independent evaluation of the state’s health IT program.  The Rutgers University Center for State Health Policy (CSHP) conducted the evaluation and published a Report (Brownlee, et al) last year showing where New Jersey physicians stand (or stood, during a survey period that ran from late 2013 to early 2014) in terms of adoption and use of health IT.

[Figure: NJ Physician Engagement with Regional HIOs (pie chart)]

When I read the Report, I was surprised to see that while physician use of health IT is increasing, the road to regional health data sharing (let alone statewide sharing) seems to be a long way off. The Report found that awareness of the existence of a regional HIO by physicians was low (12.5%), and physician participation in a regional HIO was even lower (6.8%). The New Jersey Turnpike is gloriously accessible and functional as compared with this glimpse of the New Jersey health IT highway.

Where Are We Now? to be continued…

Do you think a two-physician cardiology group is too small for the feds to fine for alleged HIPAA violations? Phoenix Cardiac Surgery, P.C. (PCS) has learned otherwise the hard way, to the tune of $100,000. As this blog has noted, almost all enforcement to date has been against large insurers or major hospitals and not community hospitals or physician practice groups, and enforcement has largely been low-hanging fruit of failure to comply on a timely basis with notice requirements. The Resolution Agreement, announced by HHS in an April 17 press release, describes a very different participant in the Parade of HIPAA Breaches we have been following in this blog series. Among the unusual features of this settlement are:

  • The type of covered entity – a two-physician cardiology practice;
  • The alleged nature of the violation – not just a one-time negligent breach, but a systematic, multi-year failure to adopt and implement appropriate HIPAA safeguards; and
  • The size of the violation – as the breach has yet to appear on the OCR Wall of Shame, it may have involved fewer than 500 individuals.

Phoenix Cardiac Surgery first came to the attention of HHS’s Office of Civil Rights following a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. That alone is not unique – other covered entities including SAIC and Stanford University Hospital have been embarrassed to discover their PHI had been inadvertently made available online to prying eyes. What OCR found upon further investigation was a startling indifference to health privacy concerns dating back to the earliest effective dates of HIPAA and continuing through 2009. 

OCR determined that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI). The Resolution Agreement indicates that PCS was unusually lax about HIPAA training, policies and procedures, safeguards, and accountability.  It is almost a textbook case of everything a covered entity can do wrong. OCR alleged that PCS:

  • did not provide and document training of each workforce member on required policies and procedures with respect to PHI as necessary and appropriate for each workforce member to carry out his/her function within the Covered Entity;
  • posted over 1,000 separate entries of ePHI on a publicly accessible, Internet-based calendar over a two-year period;
  • transmitted ePHI daily from an Internet-based email account to workforce members’ personal Internet-based email accounts;
  • failed to appoint a security official until 2009;
  • failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI held by PCS;
  • failed to obtain satisfactory assurances in business associate agreements from the Internet-based calendar vendor and from the Internet-based public email provider that these entities would appropriately safeguard the ePHI received from PCS; and
  • permitted the entity providing the Internet-based calendar application to receive, store, and maintain ePHI on behalf of PCS without obtaining satisfactory assurances in a business associate agreement with the entity.

OCR imposed a $100,000 penalty and required PCS to adopt a Corrective Action Plan which appears as Appendix A to the Resolution Agreement. The plan requires PCS to

  • Develop, maintain and revise, as necessary, written policies and procedures that meet the requirements of the HIPAA Privacy and Security Rules, and submit them to OCR for review and approval within 60 days;
  • Make any changes required by OCR and implement the finalized policies and procedures within 30 days of approval;
  • Distribute the policies and procedures to all members of the workforce within 15 days of their joining PCS’s workforce, and obtain certification from each member that they have read, understood and will abide by such policies and procedures;
  • Update its 2009 risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI when it is created, received, maintained, used or transmitted by the Covered Entity, including, but not limited to, when ePHI is a) posted to an Internet-based electronic calendaring system, b) transmitted over an Internet-based electronic communications system, c) accessed remotely, or d) transmitted to or from or stored on a portable device;
  • Develop and submit a risk management plan to OCR for approval;
  • Appoint a security official;
  • Produce satisfactory assurances that all business associates will comply with HIPAA;
  • Adopt technical safeguards for electronic information systems;
  • Implement technical security measures to guard against unauthorized access to ePHI transmitted over an electronic communications network, including a measure to encrypt or otherwise adequately safeguard ePHI;
  • Provide and document comprehensive privacy and security training to its workforce; and
  • Report all violations of the policies and procedures by any member of the workforce to OCR within 30 days.

OCR also reserves the right to impose additional civil monetary penalties in the event of a breach of the Corrective Action Plan that is not cured within 30 days.

In essence, the Corrective Action Plan requires PCS to do what it should have done all along to comply with HIPAA, but with the added intrusion and inconvenience of government oversight analogous to the Corporate Integrity Agreements frequently required in settlements of Medicare fraud and other federal false claims allegations. For Phoenix Cardiac Surgery, this is one march that provides no aerobic benefits.

If OCR is trying to send a message that no covered entity is too small to be penalized, they picked a particularly clear and egregious first case. However, that is no assurance that less pervasive compliance failures will continue to fly under the OCR radar.