Rite Aid Agrees to $1 Million Payment to HHS Concerning Potential HIPAA Privacy Violations

Posted on July 27, 2010 by Joseph Lazzarotti

Rite Aid Corporation and its affiliates have agreed to pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, the U.S. Department of Health and Human Services (HHS) announced today. At the same time, Rite Aid signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act.

The lesson to be learned from this case:

Disposing of individuals’ health information in an industrial trash container accessible to unauthorized persons is not compliant with several requirements of the HIPAA Privacy Rule and exposes the individuals’ information to the risk of identity theft and other crimes.

The Office of Civil Rights, which enforces the HIPAA Privacy and Security Rules, opened its investigation of Rite Aid after television media videotaped incidents in which pharmacies were shown to have disposed of prescriptions and labeled pill bottles containing individuals’ identifiable information in industrial trash containers that were accessible to the public. These incidents were reported as occurring in a variety of cities across the United States. Rite Aid pharmacy stores in several of the cities were highlighted in media reports.

The investigation also indicated other potential concerns about Rite Aid's policies related to safeguarding patient information during the disposal process, training employees, and a related sanction policy.

The Director of OCR noted:

It is critical that companies, large and small, build a culture of compliance to protect consumers’ right to privacy and safeguard health information. OCR is committed to strong enforcement of HIPAA.

The corrective action Rite Aid has agreed to includes improving policies and procedures to safeguard the privacy of its customers' health information, and applies to all of its nearly 4,800 retail pharmacies. More specifically, the settlement requires Rite Aid to take a number of steps including

  • Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
  • Training workforce members on these new requirements;
  • Conducting internal monitoring; and
  • Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS and FTC.

The HHS corrective action plan will be in place for three years; the FTC order will be in place for 20 years. The length and scope of these plans show the seriousness these agencies are taking concerning compliance with requirements to safeguard personal information.  

Tags: , , , , , ,

HHS Announces Final EHR Regulations Charting Path to Billions in Incentives for Providers and Hospitals to Adopt EHR Systems

Posted on July 13, 2010 by Joseph Lazzarotti

U.S. Department of Health and Human Services Secretary Kathleen Sebelius has announced final rules for eligible health care professionals and hospitals to qualify for a portion of the $27 billion or so in Medicare and Medicaid incentive payments for implementation and meaningful use of certified electronic health records (EHR). Many are concerned these incentives will increase the risks for data privacy and security that will come with more health data being maintained, used and disclosed in electronic format. Under the rules, eligible professionals may receive as much as $44,000 under Medicare and $63,750 under Medicaid, and hospitals may receive millions of dollars under both Medicare and Medicaid.
 

"We will make the immediate investments necessary to ensure that within five years, all of America's medical records are computerized."

President Barack H. Obama, January 8, 2009 

HHS’s July 13 action is consistent with the agenda of President Obama and some of his predecessors to help improve Americans’ health, increase safety and reduce health care costs through expanding use of EHRs and simplifying the administrative costs of healthcare. The enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 significantly advanced this agenda by establishing the statutory structure for eligible health care professionals and hospitals to receive government subsidies to adopt certified EHR technology. The HITECH Act, however, also expanded and tightened the HIPAA privacy and security regulations to address, in part, concerns about improper access and use of EHRs.

HHS’s regulations (consisting of more than 1,000 pages) define the minimum requirements and “meaningful use” objectives to qualify for the bonus payments (pdf) and identify the technical capabilities required for certified EHR technology (pdf). At the same time, providers and hospitals will need to focus on the evolving privacy and security mandates under HITECH, as well as under state law, to minimize the risks to protected health information and other personal information. So, as providers and hospitals look to Medicare and Medicaid funds to jumpstart their move to EHR systems, it will be important for them to be sure to have in place the appropriate policies, procedures and agreements to safeguard those records, which should include the careful handling and/or disposition of the mountains of paper records they currently maintain.

Tags: , , ,

Electronic Health Records: The Work to Build a Health Information Technology Infrastructure Begins

Posted on December 1, 2009 by Jason C. Gavejian

Co-Author:  V. John Ella, Esq.

In a key step toward developing a proposed U.S. health information technology (HIT) infrastructure, the Centers for Medicare & Medicaid Services has announced that Iowa’s Medicaid program is the first to receive federal matching funds for planning activities necessary to implement the electronic health record (EHR) incentive program established by the American Recovery and Reinvestment Act of 2009 (ARRA). 

ARRA was signed into law by President Obama on February 17, 2009. Among its various parts, ARRA includes provisions for the improvement of our nation’s health care through health information technology (also known as Health IT or HIT), Medicare and Medicaid Health IT provisions which provide incentives and support for the adoption of certified electronic health records (EHRs); and provisions to expand, enforce, and enhance the privacy and security safeguards required by HIPAA. The proposed goal of a switch to EHRs is to improve the quality of health care for individuals, make care more efficient by making it easier for providers treating a patient to coordinate care, and make it easier for individual patients to access the information they need to make decisions about their own health care. Responsibility for implementing this program falls to the National Coordinator for Health Information Technology, a position currently filled by Dr. David Blumenthal at the Department of Health and Human Services (“HHS”). In furtherance of this goal, Mr. Blumenthal recently announced $80 million in grants to develop a HIT workforce. Additionally, the HHS has created a helpful website on the topic of health information technology with links to resources on privacy issues.

In discussing the approximately $1.16 million in federal matching funds Iowa will receive, Cindy Mann, director of the Center for Medicaid and State Operations at CMS said, “While Iowa is the first state to receive approval of its plan for implementing the Recovery Act’s EHR incentive program, a number of other states have submitted plans as well, meaningful and interoperable use of EHRs in Medicaid will increase health care efficiency, reduce medical errors and improve quality-outcomes and patient satisfaction within and across the states.”   As the first state to receive federal funding, Iowa will use the funds to focus on planning, information gathering, analysis, and assessment with respect HIT and the use of EHR within the state.  

A HIT Infrastructure is likely to raise a range of new issues involving the handling of sensitive personal information. For instance, anytime extensive personal and medical information is placed in electronic form, the chance of a data breach or information misuse rises significantly. This is especially true given the recent growth in the area of medical identity theft. Additionally, as some commentators have reported, physicians, hospitals, and clinics have all expressed concerns regarding the technical feasibility of the system, potential for patient mix-ups, as well as the extensive cost to make the switch to EHR. How such a system would affect employers and group health plan administration remains unclear.  

With such an emphasis on a switch to EHR, and billions of federal dollars fueling the conversion, all businesses, particularly health care providers, need to be consider how they will be affected by the new HIT infrastructure. 

Tags: , , , , , , , ,