HHS settlement amounts dwarfed by total costs of data breaches

A surge in data privacy breaches, and the string of recent HHS enforcement actions that has accompanied it, should remind healthcare providers of the importance of protecting patient data and of the skyrocketing costs of failing to comply. The number of data breaches rose 97% in 2011, as the Salt Lake Tribune reported in the context of the massive breach of health information privacy in Utah earlier this month.

At the same time, HHS has stepped up its enforcement actions. Last week, we touched on the $100,000 OCR settlement with a cardiology practice in Arizona. Last month, HHS reached a $1.5 million settlement with Blue Cross Blue Shield of Tennessee (BCBST) for a breach of about 1 million unencrypted patient records that resided on over 50 stolen hard drives. However, the $1.5 million settlement amount was dwarfed by the $17 million BCBST had to spend on notification and credit monitoring, as well as on investigating and correcting the breach.

The BCBST settlement is a good reminder that breaches and noncompliance can be extraordinarily expensive, even without the federal and/or state regulatory fines. A December 2011 Ponemon Institute study found that data security breaches cost the healthcare industry $6.5 billion in the year leading up to that study. Just last month, a medical records company filed for bankruptcy after its offices were burglarized and medical records of over 14,000 people were stolen. The costs and expenses associated with that breach were so high that the firm had no choice but to go out of business.

HHS settles HIPAA violation case for $100,000, Corrective Action Plan

On April 17, 2012, HHS announced that its Office for Civil Rights (OCR) had settled a HIPAA violation case against a surgery practice in Arizona for $100,000 and a Corrective Action Plan (CAP), which requires the practice to implement policies and procedures to prevent such HIPAA violations and breaches in the future.

Via HHS Press Release:

The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).

'This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,' said Leon Rodriguez, director of OCR. 'We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.'

HHS issues proposed rules on Stage 2 of Meaningful Use

On February 24, 2012, the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC) issued proposed rules on Stage 2 of Meaningful Use. The proposed rules set out the criteria for demonstrating Stage 2 Meaningful Use and address the penalties for failing to achieve Meaningful Use by 2015. HHS noted the progress made in the last few years but also recognized the challenges facing the industry, and pushed back attestation for Stage 2 to 2014. Via HHS Press Release:

In a November 2011 'We Can’t Wait' announcement, the Department outlined plans to provide an additional year for providers who attested to meaningful use in 2011. Under today’s proposed rule, stage 1 has been extended an additional year, allowing providers to attest to stage 2 in 2014, instead of in 2013. The proposed rule announced by ONC identifies standards and criteria for the certification of EHR technology, so eligible professionals and hospitals can be sure that the systems they adopt are capable of performing the required functions to demonstrate either stage of meaningful use that would be in effect starting in 2014.

OCR to release final breach notification rule in March

Via Healthcare Info Security:

The Department of Health and Human Services' Office for Civil Rights has set a March target date for release of the long-delayed final version of Health Insurance Portability and Accountability Act modifications and the HIPAA breach notification rule.

Although an HHS semi-annual regulatory agenda published Feb. 13 in the Federal Register did not mention these regulations, a January 'unified agenda' document, with far more details, shows a March target date, notes Susan McAndrew, OCR's deputy director for health information privacy.

The HHS regulatory agenda sets target dates, which, historically, aren't necessarily met. And the rules don't yet appear on the list of regulations under review by the Office of Management and Budget. OMB review is the final step before publishing a rule in the Federal Register.

'OCR is making every effort to publish the final rules on all of the remaining HITECH Act provisions so these important protections and expansions of individual rights under the HIPAA privacy and security rules can be made available uniformly to consumers across the country,' McAndrew told HealthcareInfoSecurity. 'OCR is proceeding with all deliberate speed to ensure the major impacts of these regulations are fully understood and addressed.'

Data mining by hospitals may be profitable, but not risk-free

USA Today published a story yesterday about a few hospitals that use aggregated consumer data to market their most lucrative services. The article describes several instances in which such direct marketing efforts yielded significant profits for the hospitals.

We regularly see healthcare providers using aggregated and de-identified data, both for marketing and for research. We also see third-party vendors (including EHR vendors) adding data mining provisions to their license agreements, which allow the vendor to use the healthcare provider's de-identified patient data for the vendor's own internal and commercial purposes.

While these practices are widespread and becoming standard, they are certainly not risk-free. Healthcare providers should keep in mind that the updated HIPAA Privacy Rule (as modified by the HITECH Act) includes significant new restrictions on covered entities' marketing efforts. Providers should make sure that their own marketing efforts, as well as the marketing activities of their subcontractors and business associates, fully comply with these recent regulations. This may require revising existing contracts, including Business Associate Agreements, between providers and IT vendors.

Healthcare providers should also insist on full indemnification by the IT vendor against all claims and damages arising out of the vendor's use of the provider's de-identified patient data. Studies have shown that data can be aggregated or de-identified inappropriately, and that de-identified data can be re-identified. Providers should protect themselves contractually before allowing the vendor to access and use the hospital's data (including patient data).

HHS extends Stage 2 Meaningful Use deadline to 2014

HHS announced today that the government intends to make it easier for healthcare providers to adopt electronic health records (EHRs). As part of this initiative, HHS decided to extend the deadline for meeting Stage 2 of Meaningful Use until 2014. Via HHS press release:

Under the current requirements, eligible doctors and hospitals that begin participating in the Medicare EHR (electronic health record) Incentive Programs this year would have to meet new standards for the program in 2013. If they did not participate in the program until 2012, they could wait to meet these new standards until 2014 and still be eligible for the same incentive payment. To encourage faster adoption, the Secretary announced that HHS intends to allow doctors and hospitals to adopt health IT this year, without meeting the new standards until 2014.

HHS also trumpeted the results of a CDC survey which found that more than half of U.S. physicians plan to take advantage of the EHR incentive program, and that the rate of EHR adoption doubled between 2008 and 2011, from 17% to 34% among physicians.

Of course, HHS did not comment on how low those numbers remain. The fact is that about two-thirds of U.S. physicians have not adopted electronic health records and continue to use, in the Secretary's words, the same technology as Hippocrates. The Obama administration is relying heavily on Regional Extension Centers and training efforts to help healthcare enterprises adopt EHRs.

We will update this post with links to any relevant regulations if and/or when HHS publishes them in the Federal Register.

"We Can't Wait: Obama Administration takes new steps to encourage doctors and hospitals to use health information technology to lower costs, improve quality, create jobs," HHS press release (November 30, 2011).

CMS issues final rule on ACOs

On October 20, 2011, CMS published the final rule on Accountable Care Organizations (ACOs) or, as it is formally known, the Medicare Shared Savings Program (the "Program"), enacted as part of the Patient Protection and Affordable Care Act (ACA) of 2010. According to CMS chief Don Berwick, MD, the Program represents an "opportunity to coordinate care among providers," which could "greatly improve the quality of care Medicare beneficiaries receive," and produce substantial savings for the federal government. The Program creates incentives for providers to collaborate in treating an individual patient across care settings, in exchange for a portion of the savings generated by providing such coordinated care.

CMS has substantially relaxed the requirements for ACOs originally set out in the proposed rule. Some of the key changes include (among many others):

  • Adding a "one-sided" risk model, allowing providers to participate in the program without risking a loss in the event their ACO does not produce savings
  • "Preliminary prospective assignment" of Medicare beneficiaries, giving ACOs more control over their Medicare beneficiary population
  • Reducing the number of performance measures from 65 to 33
  • Eliminating the two percent threshold for eligibility for shared savings

CMS will begin taking applications for the program on January 1, 2012, with start dates of April 1 and July 1, 2012.

Nemours reports breach affecting 1.6 million individuals

Nemours, a children's health system with hospitals in Pennsylvania, Delaware, Florida and New Jersey, reported a massive breach affecting 1.6 million people, including patients, employees, and vendors. Via Health Data Management:

'On September 8, 2011, we learned that a locked tape storage cabinet containing computer backup tapes was missing,' the delivery system said in a notice to patients. 'We immediately began an investigation and now believe the cabinet was removed from our Wilmington facility on or about August 10, 2011, during a remodeling project. To date, we have been unable to locate the storage cabinet. We believe the cabinet contained three unencrypted backup tapes from a computer system we stopped using in 2004. No medical records were on the backup tapes, but they did contain patient billing information, including name, date of birth, insurance information, medical treatment information, and Social Security number.' Some employee payroll data and vendor information, such as direct deposit bank account information, also was on the tapes.

Nemours began encrypting its backup data tapes and moved its rarely used tapes to a more secure off-site facility. The health system is offering a year of credit monitoring to affected individuals, which, given the number of people involved in this breach, could be a massive, seven-figure expense.

"Nemours Notifying 1.6 Million Individuals About Breach," Health Data Management (October 18, 2011).

HHS awards over $650 million in EHR incentive payments

HHS released the first numbers on its Meaningful Use incentive program, established by the HITECH Act of 2009. Unsurprisingly, most eligible professionals and hospitals receiving funds this year qualified for incentive payments under Medicaid rather than Medicare, because Medicare sets a higher threshold for such payments: Medicare requires the eligible professional or hospital to achieve and demonstrate meaningful use, while Medicaid mandates only adoption, implementation or upgrade of existing systems.

Nevertheless, the extent of the disparity was somewhat surprising: only about 6% of eligible hospitals and 3% of eligible professionals qualified for meaningful use incentives under Medicare. Via Modern Healthcare:

So far, Medicaid program payments for hospitals, physicians and other eligible professionals that have adopted, implemented or upgraded to a certified EHR system have totaled $389 million. Only $264 million has been paid under the Medicare program, which has a higher eligibility threshold, requiring providers to demonstrate that they are meaningfully using their certified EHR system.

Major data breach at Stanford Hospital

A spreadsheet containing personal data of 20,000 emergency room patients of Stanford Hospital appeared on Student of Fortune, a Web site which "crowdsources" homework to other students online. The exposed data included names, admission dates, diagnoses and other sensitive information. According to the New York Times, the spreadsheet was uploaded to the site by a billing contractor of Stanford Hospital when an employee tried to solicit help on how to create a graph from the data in the spreadsheet. As Gawker reasonably speculated, the contractor's employee probably did not know how to create a graph and "so uploaded it to the homework helper website and offered, probably, a buck or two if someone could do it for them."

This breach stands out among the hundreds of others not because of its size (significantly larger breaches have been reported to HHS in the last year alone), but because it went undetected for almost a year and because, once again, a contractor of the healthcare provider caused a major data breach. According to a privacy expert quoted in the Times, "nearly 20 percent of breaches involved outside contractors, accounting for more than half of all the records exposed," which is a staggering number.

To protect our healthcare provider clients, we always include specific privacy protection warranties, indemnification clauses and limitation of liability carve-outs for the vendor's own negligent acts or omissions that result in a data breach or loss. Stanford Hospital's example illustrates that providers must insist on such protections despite strenuous objections from vendors because, otherwise, providers may be exposed to a wide range of expenses and damages from third-party claims, fines, investigations and breach notification associated with a data breach or loss resulting from the vendor's actions.
