Workplace Privacy, Data Management & Security Report : Privacy Lawyers & Attorneys : Jackson Lewis Law Firm : Data Security, HIPAA & Confidentiality Issues

Like many universities, Idaho State University (ISU) operates a number of health facilities, some of which are subject to the HIPAA privacy and security regulations. According to a U.S. Department of Health Human Services (HHS) press release, the Office for Civil Rights (OCR) opened an investigation after ISU notified HHS of a breach in which the electronic "protected health information" (ePHI) of approximately 17,500 patients was unsecured for at least 10 months, due to the disabling of firewall protections at servers maintained by ISU. To settle the alleged violations of the HIPAA security rules, ISU has agreed to pay $400,000, and to comply with a two-year corrective action plan.

OCR’s action here is consistent with prior reported breaches and with its discussions of enforcement in recent final regulations, which we reported on. It is important to note that OCR's investigation indicated that:

ISU’s risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities. ISU also failed to assess the likelihood of potential risks occurring.

Additionally, OCR concluded that ISU did not apply proper security measures and policies to address risks to ePHI and did not have procedures for routine review of their information system in place, which could have detected the firewall breach much sooner.

This makes clear that it is NOT sufficient to simply create policies and procedures that safeguard protected health information. A HIPAA covered entity must conduct and document a risk assessment, a process OCR Director Leon Rodriguez noted is a cornerstone of an effective HIPAA security compliance program. This basic requirement also applies to business associates, and is a common sense practice any entity should follow when setting out to safeguard data.

• Email This
• Print
• Comments
• Trackbacks

Unwilling to wait for Congress to act, President Obama signed an executive order on Feb. 12, 2013, the same date that he delivered the State of the Union address. The executive order directs certain federal agencies to develop voluntary standards for achieving cybersecurity, an effort to be led, in part, by the National Institute of Standards and Technology, a component of the Commerce Department.

Citing national security concerns, the President's order seeks cooperation and collaboration with the private sector. It is unclear at this point how far the "voluntary" standards will reach, or how much the President can force compliance absent Congressional action. However, once in place, companies may feel compelled to comply in order to remain competitive and to ensure a stronger defensible position in litigation involving lapses in security of critical data. 

• Email This
• Print
• Comments
• Trackbacks

The National Health Service, which represents a significant part of the United Kingdom's government-run health system, is looking to go paperless. In the process, as part of its "Everyone Counts" initiative, it has plans to require doctors to turn over to NHS significant amounts of patient data. (Read more about NHS' plan).  For example, NHS providers would be required to turn over a patient's NHS number, date of birth, gender, post code, ethnicity code and date of death, among other data elements including diagnosis code, smoking status, alcohol use and so on.

Just as concerns in the U.S. led to the HIPAA privacy and security regulations, the Guardian is reporting privacy advocates in the UK are concerned about this collection of personal health information by the government. And there are reasons for concern - it has been reported that for the 12-month period ending July 2012, NHS had 16 breaches that exposed 1.8 million health records. It remains to be seen how secure this information will be.

• Email This
• Print
• Comments
• Trackbacks

Linking his announcement to National Privacy Day, January 28, 2013, Maryland Attorney General Douglas F. Gansler informed the public that his office has formed an Internet Privacy Unit. (See similar step taken by Connecticut AG)

The stated purpose of the Unit is to protect the privacy of online users. The Unit will be charged with "monitor[ing] companies to ensure they are in compliance with state and federal consumer protection laws." In addition, the Unit will "examine weaknesses in online privacy policies" and help to create awareness about privacy rights. Of course, the Unit also will pursue enforcement actions to ensure consumer protection.

As in other states, such as Massachusetts and California, Maryland has a Personal Information Protection Act.  The Act provides, in part:

To protect personal information from unauthorized access, use, modification, or disclosure, a business that owns or licenses personal information of an individual residing in the State shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information owned or licensed and the nature and size of the business and its operations.

Md. Code Ann. Comm. Section 14-3503. The Attorney General's Office has published some guidance about the data breach provisions of the law.

Maryland businesses and businesses which maintain personal information about Maryland residents should review their online privacy statements, as well as the policies and procedures for safeguarding personal information. In his press release, Attorney General Gansler acknowledged "the emergence and evolution of the Digital Age has created new and significant privacy risks for both consumers and businesses." Businesses need to be prepared to address these risks and defend against enforcement activities.

• Email This
• Print
• Comments
• Trackbacks

As we continue to examine the final HIPAA privacy and security regulations, as amended by the HITECH Act and the Genetic Information Nondiscrimination Act, we pulled together a summary of some of the key points. We fully expect additional sub-regulatory guidance to be provided by OCR, such as frequently asked questions and sample business associate agreement provisions.

• Email This
• Print
• Comments
• Trackbacks

Prepared by Jason Gavejian and Joseph Lazzarotti

In honor of National Data Privacy Day, we have laid out 13 key issues affecting businesses in 2013. While the list is by no means exhaustive, it does provide critical areas businesses will need to consider in 2013.

1. BYOD. As advancements in technology continue at a breakneck pace, many businesses are confronted with the idea of implementing a Bring Your Own Device (“BYOD”) program. Under these programs, employees are permitted to connect their own personal devices to the company’s networks and systems to complete job tasks either in the office or working remotely. While BYOD programs have advantages, they also have associated risks. Developing a thorough implementation strategy with appropriate policies is critical.
2. Bans On Requesting Social Media Passwords. As we have previously discussed  fourteen states introduced legislation in 2012 which would prohibit employers from requiring current, or prospective, employees to disclose a user name or password for a personal social media account. Six states have passed and/or enacted such legislation and it is anticipated that other states will pass similar measures in 2013.
3. Final HIPAA Regulations. On January 17, 2012, the Office for Civil Rights released final privacy and security regulations under the Health Insurance Portability and Accountability Act. In addition to incorporating the HITECH Act which, among other things, expands the application of the rules to business associates, the final rules also apply the rules to subcontractors and remove the risk of harm trigger for data breaches affecting unsecured protected health information.
4. Disaster Recovery Plans. Hurricane Sandy caused extensive damage on the east coast in 2012, greatly affecting not only personal residences, but many businesses up and down the coast. Unfortunately, protecting information and technology assets from natural disasters and other emergencies is often an afterthought. However, developing a comprehensive disaster recovery plan now can avoid the significant expense, and often irretrievable loss of data, associated with natural disasters.
5. Develop a Plan for Responding to a Breach Notification. All state and federal data breach notification requirements currently in effect require notice be provided as soon as possible. Delays in notification viewed as unreasonable could trigger an inquiry by the state’s Attorney General, or in the case of HIPAA protected health information, the Office of Civil Rights. This is true even when the number of individuals affected is relatively small.
6. Investigating Social Media. As the use of social media continues to grow throughout the world, it is only natural that social media content is being sought to aid in litigation. While public content may generally be utilized without issue, if private content is accessed improperly, serious repercussions can follow. This is especially true for attorneys and their staff who attempt to aid their clients by accessing social media content.
7. International Data Protection. More and more company information is being stored in electronic format and shared with various corporate divisions through company intranets or email. While U.S. law requires some safeguarding of this information, international protections on personal information can be much more stringent. When the transfer of data across international borders is possible, or actively occurring, companies should be advised on the potential risks and requirements associated with same.
8. Develop a Written Information Security Program. Even if adopting a written information security program (WISP) to protect personal information is not an express statutory or regulatory mandate in your state, having one is critical to addressing information risk. Not only will a WISP better position a company when defending claims related to a data breach, but it will help the company manage and safeguard critical information, and may even help the company avoid whistleblower claims from employees. For some companies, a WISP can be a competitive advantage. Of course, in states like Massachusetts, Maryland, Oregon, Texas, Connecticut and others, a WISP in one form or another is required.
9. Risk Assessment. Many businesses remain unaware of how much personal and confidential information they maintain, who has access to it, how it is used and disclosed, how it is safeguarded, and so on. Getting a handle on a business' critical information assets must be the first step, and is perhaps the most important step to tackling information risk. You simply can’t adequately safeguard something you are not aware exists. And failing to conduct a risk assessment may subject the business to penalties under federal and/or state law.
10. Insurance. Like many other risks, information risk can be addressed in part through insurance. More carriers are developing products dealing with personal information risk, and specifically data breach response. This kind of coverage should be a part of any CIO, privacy officer or risk manager’s toolkit for safeguarding information.
11. Training. A necessary component of any WISP and a required element under most federal and state laws mandating data security is training. In addition to meeting compliance requirements, training employees and supervisors also will aid in defending any potential breach of privacy claim that may be asserted against the company.
12. Carefully Integrate New Technologies. As businesses look for new technologies to increase productivity, cut costs, and gain a competitive advantage, how those technologies address information risk must be a factor in the decision to adopt.
13. Watch for New Legislation. Today, managing data and ensuring its privacy, security and integrity is critical for businesses and individuals, and is increasingly becoming the subject of broad, complex regulation. As no national law requiring the protection of personal information has yet to be passed in the U.S., companies are left to navigate the constantly evolving web of growing state legislation. Companies therefore need to stay tuned in order to continue to remain compliant and competitive in this regard.

• Email This
• Print
• Comments (1)
• Trackbacks

Under the HITECH Act, business associates are subject to the HIPAA privacy and security rules (the "HIPAA Rules") virtually to the same extent as covered entities. In addition to implementing this change for business associates ("BAs"), and providing additional guidance concerning what entities are business associates, the final HIPAA regulations issued last week also treat certain subcontractors of BAs as BAs directly subject to the HIPAA Rules. As a result of some of these changes, covered entities and BAs need to re-examine the relationships with their subcontractors to ensure they obtain the appropriate satisfactory assurances concerning the "protected health information" (PHI) they make available to those subcontractors.

Below are some of the key points from the final regulations concerning BAs and subcontractors:

• Subcontractors. The final HIPAA regulations provide that subcontractors that create, receive, maintain, or transmit PHI on behalf of a BA are business associates. This is a significant expansion of the application of the HIPAA Rules; it makes subcontractors directly liable under the HIPAA Rules.

As a result of this change, just as covered entities need to ensure that they obtain satisfactory assurances concerning compliance with the HIPAA Rules (usually in the form of a business associate agreement, BAA) from their BAs, BAs must do the same with regard to certain subcontractors. This must continue no matter how far “down the chain” the PHI flows.

• Business Associate Agreement Not Necessary to Establish Status as Business Associate. The final HIPAA regulations confirm that persons and entities that meet the definition of a BA have that status regardless of whether a "business associate agreement" is in place.

• Data Storage Companies. Entities that maintain PHI (digital or hard copy) on behalf of a covered entity are BAs, "even if [they] do not actually view the [PHI]."  This provision may create significant compliance issues for cloud service providers, as well as hard copy document storage companies, that have access to the records of their clients but may never look at them. The conduit exception is a narrow one and only applies transmissions of data, not storage. 

• Certain Groups Not Considered Business Associates.
  • Researchers generally are not considered BAs when performing research functions.
  • Banking institutions generally are not considered BAs with respect to certain payment processing activities (e.g., cashing a check or conducting a funds transfer)
  • Malpractice insurers generally are not considered BAs when providing services related to the insurance, but may be BAs when providing risk management and similar services to covered entities.

Transition rule for compliance. A transition rule under the final HIPAA regulations permits covered entities and BAs to continue to operate under certain existing contracts for up to one year beyond the compliance date (September 23, 2013) of the final regulations. A qualifying business associate agreement will be deemed compliant until the earlier of (i) the date such agreement is renewed or modified on or after September 23, 2013, or (ii) September 22, 2014. This rule only applies to the language in the agreements, the parties must operate as required under the HIPAA Rules in accordance with the applicable compliance dates. 

Covered entities and business associates may want to act more quickly to identify and contract with those individuals and entities from whom they must obtain satisfactory assurances under HIPAA.

• Email This
• Print
• Comments
• Trackbacks

The Office for Civil Rights released on January 17, 2013, final privacy and security regulations (563 pages) under the Health Insurance Portability and Accountability Act. The rules address four key issues:

• Reflecting the changes made by the Health Information for Economic and Clinical Health Act (HITECH);
• Revisions to the HIPAA enforcement rule;
• Updates to the previously issued data breach regulations; and
• Incorporating the changes made by the Genetic Information Nondiscrimination Act.

In general, covered entities and business associates will need to comply by September 23, 2013. We expect to be reporting on some of the key changes shortly.  

ACCESS SUMMARY HERE
 

• Email This
• Print
• Comments
• Trackbacks

As more companies move to the cloud, regulatory compliance remains a critical issue. For cloud service providers to the healthcare industry, it looks like the requirement to comply with the HIPAA privacy and security rules as business associates will be confirmed when long-awaited final regulations are issued, based on a report by Marianne Kolbasuk McGee with Healthcare Information Security. According to Ms. McGee's report, Joy Pritts, chief privacy officer in the Office of the National Coordinator for Health IT, a unit of the Department of Health and Human Services, addressed this issue during a Jan. 7 panel discussion on cloud computing hosted by Patient Privacy Rights.

Cloud service providers would prefer to take the position that they are conduits to protected health information, and therefore not business associates, similar to the US Postal Service, and certain private couriers and their electronic equivalents. See HIPAA FAQ.  A conduit transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law. However, HHS has already noted that "a software company that hosts the software containing patient information on its own server or accesses patient information when troubleshooting the software function, is a business associate of a covered entity." See HIPAA FAQ. 

According to Ms. Pritts' remarks in the report cited above, it appears that the modifications made to HIPAA under the Health Information Technology for Economic and Clinical Health (the HITECH Act), along with anticipated regulatory guidance, will remove any doubt that cloud service providers servicing HIPAA covered entities are "business associates." This would require, among other things, that covered entities enter into business associate agreements with their cloud providers, and that standard confidentiality clauses likely will be insufficient. Of course, covered entities, practitioners and others are looking forward to these long awaited regulations to help clarify this and other issues.

• Email This
• Print
• Comments
• Trackbacks

The U.S. Department of Health and Human Services’ (HHS) reported today its first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals. According to a statement from the Office for Civil Rights Director Leon Rodriguez, “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”

The breach occurred in June 2010, when an unencrypted laptop belonging to the Hospice of North Idaho (HONI) that contained ePHI of 441 patients was stolen. The Office for Civil Rights (OCR) learned of the incident when HONI reported it to OCR pursuant to the annual reporting requirement for breaches affecting fewer than 500 individuals under the Health Information Technology for Economic and Clinical Health (HITECH). When OCR investigated, it discovered "that HONI had not conducted a risk analysis to safeguard ePHI." OCR also reported that HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. 

HONI agreed to pay HHS $50,000 to settle potential violations of the Security Rule.

• Email This
• Print
• Comments
• Trackbacks

On Monday, the Office for Civil Rights released guidance regarding methods for de-identification of protected health information (PHI) in accordance with the HIPAA Privacy Rule and as required by the American Recovery and Reinvestment Act of 2009.

HIPAA covered entities and business associates recognize the increasing risks related to handling "protected health information." One way to reduce these risks is through the "de-dentification" process. When performed correctly, de-identification causes the remaining information to no longer constitute "protected health information," and therefore no longer subject to the HIPAA privacy and security rules.  

The OCR page provides greater detail, in question and answer format, concerning the two methods that can be used to satisfy the Privacy Rule’s de-identification standard:

• "Expert Determination" -  a formal determination by a qualified expert.
• "Safe Harbor" - the removal of specified individual identifiers as well as absence of actual knowledge by the covered entity (or business associate) that the remaining information could be used alone or in combination with other information to identify the individual.

Under either method, PHI is no longer protected by the Privacy Rule, but the remaining data has limited usefulness. However, the guidance also describes de-identification strategies that can minimize the loss of usefulness to the data. Of course, where de-identification is not practical, which is often the case, covered entities and business associates need to ensure compliance with HIPAA privacy and security rules.

• Email This
• Print
• Comments
• Trackbacks

In another case of a breach reported to HHS Office for Civil Rights (“OCR”), a HIPAA covered health care provider, the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively, “MEEI”), has settled charges of potential HIPAA security rule violations. MEEI agreed (i) to pay $1.5 million and (ii) to take corrective action to improve policies and procedures to safeguard the privacy and security of its patients’ protected health information.

As in the Alaska Department of Health and Social Services (DHSS) case, an unencrypted electronic storage device was stolen, the covered entity reported the breach, OCR investigated the breach and broader compliance with HIPAA's privacy and security rules, and found potential violations.  

For more information about the MEEI incident, click here.

This kind of enforcement activity could be lucrative for cash-strapped federal and state agencies. It is no wonder that some states are amending their statutes to require Attorney General notification. Accordingly, because data breaches can and will occur, HIPAA covered entities and businesses subject to HIPAA and state data breach notification statutes should be doing more to prepare for the audit that may follow the reporting of a data breach. That is, they should be doing more to safeguard personal information and PHI pursuant to the applicable standards.  

• Email This
• Print
• Comments
• Trackbacks

Bringing work home is nothing new, but for one Oregon Health & Science University Hospital (OHSU) employee, it resulted in a significant data breach when a flash drive was stolen from the employee's house containing protected health and other personal information on over 14,000 patients and OHSU employees, as reported by a health information privacy watchdog.

Based on a statement OHSU put out concerning the breach, it appears the organization had taken steps to safeguard the information:

OHSU has several measures in place to protect patient information, including encryption software for computers, password protections and secure programs for managing patient information and tracking usage. The university also provides extensive training to all employees who have access to patient data. In addition, the university has enacted several layers of policy to help protect this information.

However, it remains to be seen whether those safeguards will stand up to scrutiny should the Office of Civil Rights investigate the situation and review with 20/20 hindsight OHSU's policies and procedures. When developing policies and procedures, covered entities under HIPAA, business associates and any other entity charged with protecting personal information should be thinking about not only whether their safeguards are reasonable and "compliant," but whether they will stand up to the applicable regulatory agency's scrutiny following a data breach.    

• Email This
• Print
• Comments
• Trackbacks (1)

Employers increasingly have health professionals on-site providing medical services to employees. For some employers, the reason is to address the rising costs of health care, including uncertainties about the full impact of health care reform, the Affordable Care Act, looming in 2014. For others, more comprehensive approaches to disability and leave management can mitigate compliance and litigation concerns. 

Whether it is a single nurse at a facility providing basic first aid and assisting in fitness-for-duty exams, or a full-scale health clinic staffed with physicians, nurses and others, there are a range of issues the company should be thinking about – e.g., workplace safety, disability/leave management, labor, employee benefits, and privacy. Some of our practice group leaders put together a white paper to aid employers in spotting these issues. We hope you find this helpful and easy to read. 

Click here to access the White Paper: An Overview of Legal Considerations When Bringing Health Care "In-House"
 

• Email This
• Print
• Comments
• Trackbacks

While we do not know the exact nature and scope of the imminent HIPAA audits, we do know that HIPAA compliance and the verification of compliance (the audit) can be a very daunting process that mandates a great deal of preparation and organization. Beyond getting legally compliant, HIPAA covered entities and business associates need to consider how to practically and efficiently track and illustrate this compliance should they find an OCR investigator knocking at the door.

We have asked Alan Heyman, Managing Director of Cyber Security Auditors & Administrators LLC (CSA2) to discuss how certain applications can facilitate the response to a HIPAA audit, including minimizing the time staff needs to be involved. The following is an excerpt from Alan's discussion of this issue:

For many health care providers and other covered entities, compliance with HIPAA and other data privacy and security requirements is a multifaceted and ongoing process of assessing changing risks, policy development and implementation across various departments, conducting and tracking training of workforce members, monitoring compliance, managing vendors and vendor agreements, responding the customer complaints and so on. When an OCR auditor is on the doorstep, pulling evidence of all of these efforts together would likely sap an already thin workforce of most covered entities. When various segments of the covered entity are not coordinated, the files are incomplete, and the persons leading the effort are in disarray, the auditor is likely to suspect there are substantial deficiencies and adjust the audit accordingly.

It is not difficult to imagine the Privacy Officer having to go from department to department asking, among other things:

• Where are the current policies and procedures for your department concerning privacy and security?

• Would you please send me the training sign-in sheets for your group? Why was that group not trained?

• Where are the signed copies of the business associate agreements? Is this all of them?

• Where can I find a copy of the risk assessment for your department? Is it updated?

• How was that complaint resolved? Were there any others?

• Do you have all of the documents for the data breach that affected the radiology department?

• Can you send me your evaluation logs and what changes you have made based upon those efforts?

It is also not difficult to imagine how much easier this process would be if the covered entity's compliance efforts were tracked, maintained and documented in a single environment. An environment that would, for example

• Allow different departments/groups to log on an update their compliance efforts,

• Secure email notification/reminders for maintenance to update all required analysis, training, network architecture diagrams, etc.,

• Digital repository for all required employee affidavits, training sign-in sheets and managed with email notification for maintenance and updating,

• Maintain and track policy changes via secure email notification/reminders to all departments and employees from Privacy Officer or legal counsel,

• Track and document responses to patient complaints,

• Digitize interactive system for updating and obtaining required commentary from all required departments and Business Associates to establish and audit trail for creating “defensible position” to regulators.

• Centralize administration for permissions to all employees, advisors or Business Associates access to read only, print, edit, etc., with watermark capabilities on all printed and viewed documents.

• Centralize reporting dashboard status of all projects as well as the ability to digitally feed approved 3rd party software analytic results for centralized viewing to permission based participants with email notification of updates.

• Prepare for post-breach requirements in a pre-breach environment allowing reduction in costs of time sensitive response.

Such a tool also could be designed to permit the auditor limited access to conduct the audit with less effort on the part of the privacy officer or his or her staff. While certainly not required under HIPAA, organizing compliance in this way would simplify the compliance process and put the covered entity in a much better position to survive an OCR audit with minimal effort.

• Email This
• Print
• Comments
• Trackbacks

Today, the Office for Civil Rights formally announced it is implementing the audit requirement under the American Recovery and Reinvestment Act of 2009, in Section 13411 of the HITECH Act. The agency confirmed that it is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance, and that the pilot phase will begin November 2011 and conclude by December 2012.

A new page on OCR's website answers some helpful questions for covered entities and business associates... 

• Email This
• Print
• Comments
• Trackbacks

If you have an interest in the role the growing use of mobile communications devices (smart phones, iPads, iPhones, etc.) will play in how personal health information is exchanged in the health care industry, the Office of the National Coordinator for Health Information Technology (ONC) is seeking your input. According to a notice published Nov. 1, 2011 (76 Fed. Reg. 67455), comments are due Dec. 31.

As part of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009, ONC is proposing to conduct a nationwide communication campaign to meet the Congressional mandate to educate the public about privacy and security of electronically exchanged personal health information. To conduct the campaign effectively, ONC requires "formative and process information" about different segments of the public. Among other things, ONC is seeking comments on consumer attitudes and preferences about the use of these devices to exchange health information, including how privacy and security information is presented electronically to consumers.

• Email This
• Print
• Comments (1)
• Trackbacks

CLICK HERE FOR UPDATED INFORMATION CONCERNING THE AUDIT PROGRAM

The Health Information Technology for Economic and Clinical Health law (“HITECH”) made a number of changes for HIPAA covered entities and business associates. One key change stems from Section 13411 of HITECH, which gives the Secretary of the Department of Health and Human Services authority to conduct “periodic audits to ensure that covered entities and business associates” comply with the privacy and security mandates under HIPAA. Susan McAndrew, the Deputy Director for Health Information Privacy at the Office of Civil Rights ("OCR"), has been speaking out about the nature, scope and timing of these audits, which are expected to begin in February 2012. A summary of reports about the audit program follows below.  

Covered entities and business associates need to be prepared and take stock of their HIPAA compliance. One hundred percent compliance can be an elusive goal, particularly in a short time frame. So, perhaps a more efficient way to prepare for the coming wave of audits it to look, at a minimum, for the low hanging fruit, such as: (i) having clear policies and procedures on topics such as access management, breach notification, discipline, passwords, managing portable data storage devices, distributing notices of privacy practices, and similar items, (ii) conducting and documenting training of workforce members, and (iii) ensuring appropriate agreements are in place with business associates and subcontractors.   

• Email This
• Print
• Comments
• Trackbacks

In November 2010, the Department of Health and Human Services established the Department-wide Text4Health Task Force to among other things identify ongoing initiatives and proposals for feasible new projects which would deliver health information and resources to users' fingertips via their mobile phones. The Task Force announced recommendations on September 19 to support health text messaging and mobile health programs, which include addressing the privacy and security concerns inherent in texting.

The Task Force acknowledged in its recommendations some critical facts driving the need for guidance in this area:

• Approximately 2.2 trillion text messages were sent in the U.S. in 2010.
• Text messaging is particularly prevalent among teenagers, with nearly 90% of teenagers who have cell phones reporting that they use text messaging.
• A growing body of empirical studies suggests that the use of mobile phone text messaging can be effective in improving health behaviors and health outcomes.

The recommendations note that text messaging programs may be subject to numerous privacy and security laws, including the privacy and security regulations under Health Insurance Portability and Accountability Act of 1996 (HIPAA). Additional guidance in this area would be welcomed as many health care providers look to use developing technologies, including texting, to deliver their services.

• Email This
• Print
• Comments
• Trackbacks

The Office of Civil Rights of the U.S. Department of Health and Human Services (“HHS”) has published its first round of annual reports to Congress under the HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009 to Congress. The first report concerns HHS’s HIPAA (Health Insurance Portability and Accountability Act of 1996) enforcement activity for 2009 and 2010 and the second report focuses on reported or recorded data breaches occurring in 2009 and 2010.  

The HITECH Act contains multiple breach notification requirements for HIPAA-covered entities and their business associates. Covered entities and business associates that create unreadable or indecipherable protected health information, however, are exempt from such requirements. Covered entities must notify individuals and the Secretary of HHS of any breach of unsecured protected health information within 60 days following the discovery of the breach. For breaches involving more than 500 residents of a state, a covered entity must also notify the media in addition to the individuals and the Secretary of HHS. Business associates of covered entities under HIPAA must notify the covered entity of any breach of unsecured protected health information so the covered entity can notify affected individuals. 

As reported by HHS, between September 23, 2009 and December 31, 2010, the HHS Office of Civil Rights received 45 reports of breaches affecting 500 individuals or more in 2009 and 207 reports in 2010, resulting in notification of 7.8 million affected individuals. 

The general causes of breaches of unsecured protected health information included, first and foremost, theft.  27 of the 45 large 2009 incidents involved theft and 17 of those incidents occurred on the premises of a covered entity or its business associates. Likewise, 99 of the 207 incidents in 2010 involved theft, primarily of electronic or paper records, affecting some 2,979,121 people. Types of theft noted by HHS included theft of back-up tapes transported by a vendor of a medical facility, of laptops or desk-top computers at covered entity sites, and of smart phones or flash drives. Other causes of breaches generally involved loss of electronic media or paper records containing protected health information, unauthorized access to, use of or disclosure of protected health information, human error, and improper disposal. Notably, loss of portable electronic devices is a major factor in the loss of electronic media.

With respect to complaints and compliance with HIPAA’s Privacy Rule, HHS reports that from April 14, 2003, the date HIPAA-covered entities were to comply with the Privacy Rule, through December 31, 2010, it received 57,375 complaints and resolved 91% of them.   Through the same time period, HHS investigated 19,161 complaints, achieved corrective action in 66% of them and found no violation in 34%. 

HHS further reports that between April 20, 2005, and December 31, 2010, it investigated 289 complaints of the 803 it received related to HIPAA’s Security Rule, resolving 77% of them and finding no violation in 48%. 

The compliance issues related to the Privacy Rule most investigated included impermissible uses and disclosures of protected health information, lack of safeguards, and denial of individual access. HHS Security Rule investigations focused on a covered entity’s failures to demonstrate adequate policies and procedures to address response or reporting of security incidents, security training, access controls and workstation security.  

The two HHS reports to Congress show a marked improvement in compliance with HIPAA’s Privacy Rule. However, the reports also highlight a continuing vulnerability for covered entities that rely on electronic devices and employee accountability for elements of their privacy and security compliance programs under HIPAA (as we have touched on in previous posts). As noted by HHS, remedial actions for violations include revising policies and procedures; improving physical security; training or retraining workforce members; adopting encryption technologies; changing passwords; performing new risk assessments; and revising business associate agreements to specify required confidentiality protections. The HHS reports remind covered entities and their business associates to review and place appropriate limits on employee access to protected health information and incorporate HHS’s remedial measures into their best practices.

• Email This
• Print
• Comments
• Trackbacks

Prior to the Health Information Technology for Economic and Clinical Health (HITECH) Act becoming law, the HIPAA Privacy Rule required covered entities to provide individuals with an accounting of certain disclosures of their protected health information (PHI). HITECH enhances these accounting rules and requires that individuals be able to know who has accessed their electronic PHI. The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) is proposing changes to the Privacy Rule to implement these new requirements and is seeking comments from the public to help shape the law so as to provide the greatest transparency for individuals with respect to access to and disclosures of their PHI, while minimizing the burden on covered entities and business associates. Remember, under HITECH, business associate are subject to nearly all of the requirements under the HIPAA Privacy and Security Rules as covered entities. The discussion below touches on some of the key proposals.

HHS' Notice of Proposed Rulemaking would enhance the rules concerning the obligation to provide an accounting of certain disclosures of PHI and fleshes out the right of individuals to get a report on who has electronically accessed their PHI. These two rights, to an accounting of disclosures and to an access report, would be distinct but complementary. The right to an access report would provide information on who has accessed electronic PHI in a designated record set (including access for purposes of treatment, payment, and health care operations), while the right to an accounting would provide additional information about the disclosure of designated record set information (whether hard-copy or electronic) to persons outside the covered entity and its business associates for certain purposes (e.g., law enforcement, judicial hearings, public health investigations). The intent of the access report is to allow individuals to learn if specific persons have accessed their electronic designated record set information.  In contrast, the intent of the accounting of disclosures is to provide more detailed information (a “full accounting”) for certain disclosures that are most likely to impact the individual.

In general, designated record sets include the medical and health care payment records maintained by or for a covered entity, and other records used by or for the covered entity to make decisions about individuals. See the definition of “designated record set” at 45 CFR § 164.501. An example of PHI that is outside the designated record set are transcripts of customer calls that are used only for purposes of customer service review, rather than to make decisions about the individual.

HHS believes the access report requirement will not present an unreasonable burden on covered entities and business associates because by limiting the access report to information maintained in an electronic designated record set, the report will include information that a covered entity is already required to collect under the HIPAA Security Rule. That is, under §§ 164.308(a)(1)(ii)(D) and 164.312(b) of the HIPAA Security Rule, a covered entity is required to record and examine activity in information systems and to regularly review records of such activity. Access reports would cover a three-year period, and would provide the individual with information about who has accessed the individual's electronic PHI held by a covered entity or business associate. They would not distinguish between “uses” and “disclosures,” and thus, would apply when any person accesses an electronic designated record set, whether that person is a member of the workforce or a person outside the covered entity. The report would be required to identify the date, time, and name of the person (or name of the entity if the person's name is unavailable) who accessed the information, and potentially a description of the protected health information that was accessed and the user's action, if that information is available.

The right to an accounting of disclosures would encompass disclosures of both hard copy and electronic PHI that is maintained in a designated record set. It would cover a three-year period (down from the current six year period), and would require a covered entity and its business associates to account for the disclosures of PHI believed to be of most interest to individuals. That is, the proposed rule explicitly lists the types of disclosures that are subject to the accounting requirement, rather than the previous approach of listing the types of disclosures for which an accounting was not required. In general, the proposed rule would continue to include in the accounting requirement, without limitation, disclosures for public health activities (except those involving reports of child abuse or neglect), for judicial and administrative proceedings, for law enforcement activities, to avert a serious threat to health or safety, for military and veterans activities, for the Department of State's medical suitability determinations, to government programs providing public benefits, and for workers' compensation.  Also, covered entities will continue to be required to account for disclosures that are impermissible under the Privacy Rule, even if those disclosures did not amount to a "breach" under the Breach Notification Rule at § 164.404.

While the proposed rules referenced above may vary when made final, they will require covered entities to re-examine their current practices to comply with the new rules. In addition, covered entities and business associates may need to make modifications to business associate agreements (as well as agreements with subcontractors and other vendors).  The Notice of Privacy Practices also will require modification to explain to individuals these new and modified rights concerning their PHI.

In regard to when action is needed, the rules propose that covered entities (including small health plans) and business associates comply with the modifications to the accounting of disclosures requirement beginning 180 days after the effective date of the final regulation (240 days after publication). As for the right to an access report, the rules propose that covered entities and business associates be prepared to make this available beginning January 1, 2013, for electronic designated record set systems acquired after January 1, 2009, and beginning January 1, 2014, for electronic designated record set systems acquired as of January 1, 2009.

• Email This
• Print
• Comments
• Trackbacks

In a report issued earlier this week, the Office of Inspector General found that the Center for Medicare and Medicaid Services' (CMS) oversight and enforcement actions were not sufficient to ensure that covered entities, such as hospitals, effectively implemented the HIPAA Security Rule.

OIG's recommendation: Continue the compliance review process (audits) that began in 2009 and implement procedures for conducting compliance reviews to ensure that HIPAA Security Rule controls are in place and operating as intended to protect ePHI at covered entities.

To reach this conclusion, OIG audited 7 hospitals throughout the country (locations in California, Georgia, Illinois, Massachusetts, Missouri, New York, and Texas).  These audits focused primarily on:

1. wireless electronic communications network or security measures the security management staff implemented in its computerized information systems (technical safeguards);
2. the physical access to electronic information systems and the facilities in which they are housed (physical safeguards); and
3. the policies and procedures developed and implemented for the security measures to protect the confidentiality, integrity, and availability of ePHI (administrative safeguards).

Significant vulnerabilities identified. The audits identified 151 vulnerabilities in the systems and controls intended to protect ePHI, of which 124 were categorized as high impact. A high vulnerability refers to one that

may result in the highly costly loss of major tangible assets or resources; may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or may result in human death or serious injury.

The report noted that outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries’ personal data and performed unauthorized acts without the hospitals’ knowledge. Although each of the seven hospitals had implemented some controls, policies, and procedures to protect ePHI from improper alteration or destruction, none had sufficiently implemented the administrative, technical, and physical safeguard provisions of the Security Rule. Clearly, mediocre compliance is not sufficient.  

Some of the more significant vulnerabilities found related to (i) wireless access; (ii) access controls, and (iii) integrity controls. In the case of wireless access problems, the report identified vulnerabilities including ineffective encryption, rogue wireless access points, no firewall separating wireless from internal wired networks, the inability to detect rogue devices intruding on the wireless network, and no procedures for continuously monitoring the wireless networks. Access control problems included inadequate password settings, computers that did not log users off after periods of inactivity, unencrypted laptops containing ePHI, and excessive access to root folders. According to the OIG, these conditions could have led to unauthorized individuals viewing or altering ePHI data on nonclinical workstations that were not automatically logged off after a period of inactivity; ePHI being compromised on lost or stolen unencrypted laptops; and unauthorized users circumventing system controls and harming system files.

The list goes on and on.

The Office of Civil Rights (OCR), the arm of HHS now charged with enforcing the HIPAA security regulations, may be listening. As reported here earlier, OCR appears to be taking steps to improve its enforcement efforts, which likely will include increasing the number of compliance reviews/audits at hospitals and health care providers around the country. These efforts include a request by the agency to increase its budget for 2012 by $5.6 million, or 13.6%, to be aimed at enforcement. 

Because HIPAA now applies to business associates, it would not be surprising to see business associates on an audit list. Accordingly, covered entities and business associates should be taking steps now to ensure compliance.

• Email This
• Print
• Comments
• Trackbacks

Last month, the Federal Trade Commission's Bureau of Consumer Protection posted FAQs on its website to guide health care providers and health plans when their patients and subscribers are affected by medical identity theft. 

When most people hear about an identity theft or a data breach, they typically think about credit card data or Social Security numbers being stolen and used by unauthorized parties, and the damage to one's credit rating that sometimes follows. However, as reported by Businessweek, medical identity theft is one of the fastest growing types of identity theft. According to the article, the number of incidents of medical identity theft was approximately 275,000 in 2009; double the number in 2008. As the country implements the new health care reform law, assuming it gets past some significant obstacles, there likely will be periods of confusion and transition that may create the perfect conditions for even higher levels of medical identity theft.

The FTC's FAQs point out that health care providers and health plans may have some obligations when they learn about medical identity theft affecting their patients or subscribers. For example, depending on the circumstances, the provider or plan may have to revisit its privacy and security policies and procedures under HIPAA and other federal and state laws. The theft also may have resulted from a data breach that requires the provider or plan to notify other affected persons. Providers and plans also need to be prepared to help victims get the information they need and exercise their rights under HIPAA and other laws to help mitigate the adverse effects of this unfortunate crime.

Providers and plans should be taking steps to be prepared to address medical identify theft situations.

• Email This
• Print
• Comments
• Trackbacks

Written by: Lillian Moon

As employees become more savvy with electronic communications and employers face increasing challenges with controlling vast amounts of data, the circumstances in this recent San Francisco Examiner story are likely being repeated all over the country – employee takes company information to support her wrongful termination case.

As reported by the Examiner, a Human Services Agency of San Francisco employee, after being terminated for performance issues, e-mailed caseload files, containing Medi-Cal beneficiaries’ names, Social Security numbers, and other personal identifying information belonging to 2400 individuals, to her personal computer, two attorneys and two union representatives.

While the facts are not entirely clear from the report, including why the former employee still had access to her former employer’s systems following termination, such a disclosure could have triggered the breach notification requirements under the HIPAA Privacy and Security Rules, and likely did trigger California’s own breach notification laws. With breach notification mandates in almost every state, few employers are immune from the risks of a data breach or the costs that are associated with responding to a breach when it occurs.

As this situation makes clear, employers need to implement written information security programs containing privacy and security policies. These policies should include data breach detection and response procedures and mandate training for all employees. While being mindful of applicable whistle blower protections, employers should remind employees that confidential company and personal information is not to be used or disseminated, except when consistent with the employee’s assigned job responsibilities. In this case, based on the information reported, the entire incident might have been avoided had the former employee's access to the Agency’s systems been terminated.

Employers must continually assess their risks (e.g., examining what information the company has, the nature of that information, how it moves through the organization and to/from its vendors, and the company's current set of safeguards), determine the best methods of protecting the sensitive information they possess, and create a culture of data security and privacy throughout their organizations. This can only be accomplished when data security and privacy are made a priority through clear policies with frequent training and attention. And, of course, when terminating or disciplining employees, employers should expect employees might begin using and disclosing information in a manner that is not permitted, and should take steps to prevent these kinds of disclosures.
 

• Email This
• Print
• Comments
• Trackbacks

The demand for "data breach" insurance appears to be growing based on our experiences, as well as commentary such as a recent article by Pamela Lewis Dolan of American Medical News.

As we've reported, data breach coverage is something quite different than traditional "cyber-risk" coverage which tends to address "hazards such as unauthorized Web site access, online libel, data privacy loss and repairs to company databases after system failures.” According to Ms. Dolan's article, data breach policies tend to cover the cost of notification and credit monitoring for affected persons, public relations expenses to address reputational harm, breach investigation, legal fees and compensatory damages, judgments and settlements. Of course, as with any type of insurance, businesses should seek appropriate advice concerning the scope of coverage they are purchasing.

Ms. Dolan's focus on health care providers is well placed given the recent HIPAA breach notification mandate and the sensitive protected health information such businesses handle. This is particularly true for small health care practices which often do not have the resources to adequately respond to a data breach - for those, a data breach policy could be a wise investment.  It is also true for those businesses that service the health care industry - many of which are business associates that are also subject to HIPAA and its breach notification requirements. 

Beyond HIPAA, breach notification mandates exist in nearly all states in the U.S. and other jurisdictions. So, many businesses can benefit from addressing this risk through insurance as well as adopting policies and procedures to reduce the likelihood of a breach in the first place. In this connection, Ms. Dolan is also wise to report that data breach insurance doesn't absolve health care practices or any other business for that matter from implementing safeguards to protect personal information or protected health information. Various federal and state laws require to one degree or another businesses to adopt "written information security programs" to safeguard personal information.

This is much like protecting your building/office space from fire damage - you have fire insurance, but you also have a plan to safeguard critical assets and exit the building!

• Email This
• Print
• Comments
• Trackbacks

Coauthored with Jason Gavejian

California hospitals and nursing homes take note - the California Department of Public Health (CDPH) takes data breaches seriously. Since June of this year, CDPH has imposed nearly $1.5 million in fines affecting 12 California health facilities. California Health and Safety Code 1280.15(a) requires covered health facilities to prevent unlawful or unauthorized access, use or disclosure of patient medical information.

Violations of this requirement can result in penalties of up to $25,000 per patient and up to $17,500 per subsequent occurrences of unlawful or unauthorized access, use or disclosure of that patients medical information. 

In its most recent wave of penalties, announced November 19, 2010, CDPH assessed fines totaling $792,500 against six hospitals and one nursing home that it determined failed to prevent unauthorized access to confidential patient medical information. In one case, a health facility was fined $310,000:

• $60,000 because the facility failed to prevent unauthorized access and disclosure of one patient’s medical information by two employees on three occasions.
• $250,000 because the facility failed to prevent the theft of 596 patients’ medical information

The larger penalty resulted in part when laboratory reports of 596 patients were lost. In its investigation, CDPH learned that the staff employee at the facility responsible for running and storing laboratory reports, and who had signed the facility's confidentiality statement, placed lab reports in an outside locker, but did not lock the locker because the lock was not working and the locker door was broken. This staff member told CDPH the locker had been broken for several months, although he did not report it. The lab reports that were lost included patient names, Social Security numbers and laboratory results, among other personal information. 

Beyond that, California health facilities should be reminded of Cal. Health and Safety Code § 1280.15, which requires covered facilities to notify CDPH and affected individuals of “unlawful or unauthorized access to” personal health data within five business days after discovery of a breach. Late notices can result in fines of $100 per day for each patient affected, up to maximum of $250,000. Of course, health care providers also need to take into account the interim final rules, promulgated under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and enforced by the Department of Health and Human Services (“HHS”), which require entities covered by the Health Insurance Portability and Accountability Act (“HIPAA”) to report similar incidents.  Under the HIPAA rules, notice must be provided without "unreasonable delay."

As the number of data security incidents in the health care industry continue to mount, CDPH's enforcement activity should urge covered health facilities in California to pay greater attention to data security. As the incident above makes clear, simply requiring an employee to sign an acknowledgment of complying with facility data security policy will not be enough. Health facilities, including hospitals and nursing homes, need to continually assess their risks in this area and create a culture of data privacy and security across their organizations. This can only be accomplished through clear policy and frequent training and attention to the issue. 

• Email This
• Print
• Comments
• Trackbacks

What had been the first use of the enforcement authority under the HIPAA privacy regulations granted to a State Attorney General, has ended in a settlement agreement between Connecticut's Insurance Department and Health Net of Connecticut. Under the agreement, Health Net will pay $375,000 in penalties, and it agreed to provide credit monitoring protection for 2 years to all affected persons in Connecticut and to take significant steps to improve data and equipment security in both its Shelton, CT locations.

One important item to note from the Insurance Department's press release is that the "most prominent failure stemmed from the untimely notification of the 2009 loss of a disk drive from the Shelton location resulting in the loss of personal health information of approximately 500,000 Connecticut members." This should be a reminder to any entity involved in a data breach of the importance of acting quickly to notify affected individuals.

• Email This
• Print
• Comments (1)
• Trackbacks

Welcome to the next advancement in the delivery of health services -

monitoring patients and promoting healthy behavior through mobile phones and other portable devices

The Washington Post reported today about a service offered through Voxiva whereby expectant mothers receive free text messages concerning prenatal health advice. The pilot program has been in place since February and since then more than 100,000 expectant mothers are reported to have participated in the program. These technologies clearly are in line with initiatives in this country to move to electronic health records. However, whether these methods for delivering health care take hold remains to be seen. As the WP notes, while these technologies are attractive, there are challenges:

• As noted by WP reporter Steven Overly, communicating to a wide variety of patients through a "wide variety of mobile devices, operating systems and network speeds" raises significant challenges. 
• Another issue, of course, is HIPAA and how these communications and devices will meet the privacy and security requirements under those regulations.
• Human error easily could cause the wrong messages to be sent to the wrong patients creating data breach, malpractice and other risks.
• One of our more recent posts highlights the concern about information maintained on cellphones and other mobile devices and what happens to that information when the phones are discarded. 
• Employers who provide phones to their employees and have the right to review text messages, see recent U.S. Supreme Court decision in Quon v. City of Ontario, can easily find themselves with access to all kinds of medical information of employees and possibly their dependents who give their doctors their cell phone number. This risks here could be significant.   

As with the adoption of any new technology or new application of technology, companies and employers should be careful to think through all of the issues and take appropriate preventive steps toward minimizing risks.

• Email This
• Print
• Comments
• Trackbacks

In March 2010, we reported on a decision by the U.S. District Court for the District of New Jersey that allowed an employee's retaliation claim to proceed to trial under the New Jersey Conscientious Employee Protection Act (“CEPA”) on the ground that he was engaged in protected whistle blowing activity - voicing concerns regarding his employer’s handling of data security. A California Appellate Court recently adopted a similar line of reasoning. 

Rather than addressing an employee’s concerns, a company fired the employee for questioning whether the company’s networks and information systems adequately protected HIPAA patient information contained on those systems. Cutler v. Dike, 2010 WL 3341663 (Cal. Ct. App. Aug 26, 2010) (unpublished). Based on his employment contract, the employee reasonably believed that his job included acting as the company’s privacy officer. As the court found, the employee also reasonably believed:

the database used to test the company’s . . . software contained confidential patient information which would be exposed in violation of HIPAA, because [the company president] had told him it was patient information . . . [and that] confidential patient data would be used in the future as the program was implemented.

The employee had refused to participate in configuring the computer system as directed and voiced his objections that doing so would violate HIPAA rules and regulations. In response, the company president recommended that the employee resign or risk being fired “since you have chosen to be very negative about issues in the organization.” The employee sued the employer for wrongful termination and the jury found against the employer. The employer appealed the jury verdict.

The court began by citing the relevant section of the California Labor Code (Section 1102.5), which states:

[a]n employer may not retaliate against an employee for refusing to participate in an activity that would result in a violation of state or federal statute, or a violation or noncompliance with a state or federal rule or regulation.

The court went on to hold, “[T]he protection of confidential patient information is clearly the type of general public interest that supports a cause of action for wrongful termination in violation of public policy.” Accordingly, the court upheld the jury’s finding of liability against the employer for wrongful termination in violation of public policy.

Employers across the country generally are prohibited from retaliating against employees for refusing to participate in activities that are impermissible under state or federal law or regulations. This includes retaliating against employees that raise concerns under the HIPAA privacy and security regulations, or other data security mandates under federal or state laws, such as those in Massachusetts, Connecticut, or New Jersey. Employers may find themselves responding to more of these kinds of concerns from employees as employees are more aware of breaches reported in the media over the past few years and become anxious over their own sensitive personal information in their employer’s possession.

An employer should avoid reacting to an employee’s complaint of weaknesses in its data system by firing or disciplining the employee. Shooting the messenger is not acceptable. The company should investigate the issues which have been raised and, if necessary, address them appropriately. Employers are better served by employees who feel secure enough to come forward with unpleasant news, than by suppressing such reports and enduring embarrassing and costly disclosures later. Of course, vulnerabilities can be minimized by taking the preventive steps required under many state and federal laws to safeguard personal and confidential information.  

• Email This
• Print
• Comments
• Trackbacks

Rite Aid Corporation and its affiliates have agreed to pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, the U.S. Department of Health and Human Services (HHS) announced today. At the same time, Rite Aid signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act.

The lesson to be learned from this case:

Disposing of individuals’ health information in an industrial trash container accessible to unauthorized persons is not compliant with several requirements of the HIPAA Privacy Rule and exposes the individuals’ information to the risk of identity theft and other crimes.

The Office of Civil Rights, which enforces the HIPAA Privacy and Security Rules, opened its investigation of Rite Aid after television media videotaped incidents in which pharmacies were shown to have disposed of prescriptions and labeled pill bottles containing individuals’ identifiable information in industrial trash containers that were accessible to the public. These incidents were reported as occurring in a variety of cities across the United States. Rite Aid pharmacy stores in several of the cities were highlighted in media reports.

The investigation also indicated other potential concerns about Rite Aid's policies related to safeguarding patient information during the disposal process, training employees, and a related sanction policy.

The Director of OCR noted:

It is critical that companies, large and small, build a culture of compliance to protect consumers’ right to privacy and safeguard health information. OCR is committed to strong enforcement of HIPAA.

The corrective action Rite Aid has agreed to includes improving policies and procedures to safeguard the privacy of its customers' health information, and applies to all of its nearly 4,800 retail pharmacies. More specifically, the settlement requires Rite Aid to take a number of steps including

• Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
• Training workforce members on these new requirements;
• Conducting internal monitoring; and
• Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS and FTC.

The HHS corrective action plan will be in place for three years; the FTC order will be in place for 20 years. The length and scope of these plans show the seriousness these agencies are taking concerning compliance with requirements to safeguard personal information.  

• Email This
• Print
• Comments
• Trackbacks

U.S. Department of Health and Human Services Secretary Kathleen Sebelius has announced final rules for eligible health care professionals and hospitals to qualify for a portion of the $27 billion or so in Medicare and Medicaid incentive payments for implementation and meaningful use of certified electronic health records (EHR). Many are concerned these incentives will increase the risks for data privacy and security that will come with more health data being maintained, used and disclosed in electronic format. Under the rules, eligible professionals may receive as much as $44,000 under Medicare and $63,750 under Medicaid, and hospitals may receive millions of dollars under both Medicare and Medicaid.
 

"We will make the immediate investments necessary to ensure that within five years, all of America's medical records are computerized."

President Barack H. Obama, January 8, 2009 

HHS’s July 13 action is consistent with the agenda of President Obama and some of his predecessors to help improve Americans’ health, increase safety and reduce health care costs through expanding use of EHRs and simplifying the administrative costs of healthcare. The enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 significantly advanced this agenda by establishing the statutory structure for eligible health care professionals and hospitals to receive government subsidies to adopt certified EHR technology. The HITECH Act, however, also expanded and tightened the HIPAA privacy and security regulations to address, in part, concerns about improper access and use of EHRs.

HHS’s regulations (consisting of more than 1,000 pages) define the minimum requirements and “meaningful use” objectives to qualify for the bonus payments (pdf) and identify the technical capabilities required for certified EHR technology (pdf). At the same time, providers and hospitals will need to focus on the evolving privacy and security mandates under HITECH, as well as under state law, to minimize the risks to protected health information and other personal information. So, as providers and hospitals look to Medicare and Medicaid funds to jumpstart their move to EHR systems, it will be important for them to be sure to have in place the appropriate policies, procedures and agreements to safeguard those records, which should include the careful handling and/or disposition of the mountains of paper records they currently maintain.

• Email This
• Print
• Comments
• Trackbacks

Co-Author:  V. John Ella, Esq.

In a key step toward developing a proposed U.S. health information technology (HIT) infrastructure, the Centers for Medicare & Medicaid Services has announced that Iowa’s Medicaid program is the first to receive federal matching funds for planning activities necessary to implement the electronic health record (EHR) incentive program established by the American Recovery and Reinvestment Act of 2009 (ARRA). 

ARRA was signed into law by President Obama on February 17, 2009. Among its various parts, ARRA includes provisions for the improvement of our nation’s health care through health information technology (also known as Health IT or HIT), Medicare and Medicaid Health IT provisions which provide incentives and support for the adoption of certified electronic health records (EHRs); and provisions to expand, enforce, and enhance the privacy and security safeguards required by HIPAA. The proposed goal of a switch to EHRs is to improve the quality of health care for individuals, make care more efficient by making it easier for providers treating a patient to coordinate care, and make it easier for individual patients to access the information they need to make decisions about their own health care. Responsibility for implementing this program falls to the National Coordinator for Health Information Technology, a position currently filled by Dr. David Blumenthal at the Department of Health and Human Services (“HHS”). In furtherance of this goal, Mr. Blumenthal recently announced $80 million in grants to develop a HIT workforce. Additionally, the HHS has created a helpful website on the topic of health information technology with links to resources on privacy issues.

In discussing the approximately $1.16 million in federal matching funds Iowa will receive, Cindy Mann, director of the Center for Medicaid and State Operations at CMS said, “While Iowa is the first state to receive approval of its plan for implementing the Recovery Act’s EHR incentive program, a number of other states have submitted plans as well, meaningful and interoperable use of EHRs in Medicaid will increase health care efficiency, reduce medical errors and improve quality-outcomes and patient satisfaction within and across the states.”   As the first state to receive federal funding, Iowa will use the funds to focus on planning, information gathering, analysis, and assessment with respect HIT and the use of EHR within the state.  

A HIT Infrastructure is likely to raise a range of new issues involving the handling of sensitive personal information. For instance, anytime extensive personal and medical information is placed in electronic form, the chance of a data breach or information misuse rises significantly. This is especially true given the recent growth in the area of medical identity theft. Additionally, as some commentators have reported, physicians, hospitals, and clinics have all expressed concerns regarding the technical feasibility of the system, potential for patient mix-ups, as well as the extensive cost to make the switch to EHR. How such a system would affect employers and group health plan administration remains unclear.  

With such an emphasis on a switch to EHR, and billions of federal dollars fueling the conversion, all businesses, particularly health care providers, need to be consider how they will be affected by the new HIT infrastructure. 

• Email This
• Print
• Comments
• Trackbacks