Health IT Law Blog : Health IT Law Blog : Post & Schell: Law Firm : HIT & Electronic Health Records

HHS has announced a long-awaited omnibus final rule that implements a number of provisions of the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, commonly known as the "Stimulus Bill," to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

We will update the blog with more analysis of the final rule, but, in the meantime, you can find the press release here. You can see a copy of the rule via Federal Register here.

Via HHS Press Release:

The final rule also reduces burden by streamlining individuals’ ability to authorize the use of their health information for research purposes. The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school and gives covered entities and business associates up to one year after the 180-day compliance date to modify contracts to comply with the rule.

The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.

• Print
• Comments
• Trackbacks
• Share Link

Medical device security experts report increasing issues with computer viruses on hospital medical devices.  Problem sources include inconsistent and/or incompatible security measures, as well as outdated operating systems.  The Government Accounting Office has sounded the alarm, requesting the FDA to address the matter.

See Forbes article at "Hospital Medical Devices 'Rampant' With Computer Viruses".
 

• Print
• Comments
• Trackbacks
• Share Link

Hackers recently struck a small medical practice in suburban Chicago, encrypted the facility’s digital medical records, and then demanded a ransom payment in exchange for allowing the facility to regain access to its records.  Medical industry observers note that this is not the first instance of this new type of criminal hacking activity.

This case should serve as a reminder to healthcare providers that, in addition to significant concerns regarding securing patient data from unlawful access, use or disclosure, such organizations should make sure that their patient data is backed up and accessible through more than one channel, in order to avoid a "hostage" situation like the one described below.

Via Bloomberg News:

As more patient records go digital, a recent hacker attack on a small medical practice shows the big risks involved with electronic files.

The Surgeons of Lake County, a medical facility in the northern Illinois suburb of Libertyville, revealed last month that hackers had burrowed deeply into its computer network, infiltrating a server where e-mails and electronic medical records were stored, Bloomberg.com reported on its Tech Blog.  

Unlike many other data breaches, the hackers made no attempt to keep their presence a secret. In fact, they all but fired a flare to announce the break-in, taking the extreme step of encrypting their illicit haul and posting a digital ransom note demanding payment for the password.

The doctors turned the server off and notified the authorities, refusing to pay.

• Print
• Comments
• Trackbacks
• Share Link

Health records of over seven percent of the U.S. population – almost 21 million individuals – have been breached in the past three years, according to OCR.  Although it may be somewhat of an apples-to-oranges comparison, it is worth noting that outside the health care arena it is not uncommon for this number of records, and several times this number of records, to be breached in a single incident, in this new era of vanishing personal privacy.  The 2012 theft from Amazon/Zappos online shoe retailer of 24 million customer records may be the most recent of the large-scale data breaches, but it is dwarfed by other breaches in recent years including, notably, the 2009 Heartland Payment Systems incident in which 134 million records were compromised.  According to the OCR, the 21 million number represents just those records compromised in breaches over a certain threshold and does not include smaller scale breaches. 

Via Modern Healthcare:

Since September 2009, there have been 477 breaches reported to the Office for Civil Rights affecting 500 or more people, according to a publicly viewable list on the office's website.

• Print
• Comments
• Trackbacks
• Share Link

On April 17, 2012, HHS announced that its Office for Civil Rights (OCR) settled a HIPAA violation case against a surgery practice in Arizona, for $100,000 and a Corrective Action Plan (CAP), which requires implementation of policies and procedures to prevent such HIPAA violations and breaches in the future.

Via HHS Press Release:

The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).

'This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,' said Leon Rodriguez, director of OCR. 'We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.'

• Print
• Comments
• Trackbacks
• Share Link

Via Healthcare Info Security:

The Department of Health and Human Services' Office for Civil Rights has set a March target date for release of the long-delayed final version of Health Insurance Portability and Accountability Act modifications and the HIPAA breach notification rule.

Although an HHS semi-annual regulatory agenda published Feb. 13 in the Federal Register did not mention these regulations, a January 'unified agenda' document, with far more details, shows a March target date, notes Susan McAndrew, OCR's deputy director for health information privacy.

The HHS regulatory agenda sets target dates, which, historically, aren't necessarily met. And the rules don't yet appear on the list of regulations under review by the Office of Management and Budget. OMB review is the final step before publishing a rule in the Federal Register.

'OCR is making every effort to publish the final rules on all of the remaining HITECH Act provisions so these important protections and expansions of individual rights under the HIPAA privacy and security rules can be made available uniformly to consumers across the country,' McAndrew told HealthcareInfoSecurity. 'OCR is proceeding with all deliberate speed to ensure the major impacts of these regulations are fully understood and addressed.'

• Print
• Comments
• Trackbacks
• Share Link

The USA Today published a story yesterday about a few hospitals using aggregated consumer data for marketing of such hospitals' most lucrative services. The article describes several instances where such direct marketing efforts yielded significant profits for the hospitals.

We see healthcare providers using aggregated and de-identified data on a regular basis, both for marketing and research purposes. We also see third party vendors (including EHR vendors) adding data mining provisions in their license agreements, which allow such vendors to use the healthcare provider's de-identified patient data for such vendor's internal and commercial purposes.

While these practices are widespread and are becoming standard, they are certainly not risk-free.  Healthcare providers should keep in mind that the updated HIPAA Privacy Rule (as modified by the HITECH Act) includes significant new restrictions on covered entities' marketing efforts. Providers should make sure that their marketing efforts, as well as the marketing activities of their subcontractors and business associates, fully comply with these recent regulations. This may require revisions in existing contracts, including Business Associate Agreements, between providers and IT vendors.

Healthcare providers should also insist on full indemnification by the IT vendors against all claims and damages arising out of such vendor's use of the provider's de-identified patient data. Studies have shown that de-identified data can be aggregated or de-identified inappropriately; and it can also be re-identified. Providers should protect themselves contractually prior to allowing the vendor to access and use the hospital's data (including patient data).

• Print
• Comments
• Trackbacks
• Share Link

Nemours, a children's health system with hospitals in Pennsylvania, Delaware, Florida and New Jersey, reported a massive breach affecting 1.6 million people, including patients, employees, and vendors. Via Health Data Management:

'On September 8, 2011, we learned that a locked tape storage cabinet containing computer backup tapes was missing,' the delivery system said in a notice to patients. 'We immediately began an investigation and now believe the cabinet was removed from our Wilmington facility on or about August 10, 2011, during a remodeling project. To date, we have been unable to locate the storage cabinet. We believe the cabinet contained three unencrypted backup tapes from a computer system we stopped using in 2004. No medical records were on the backup tapes, but they did contain patient billing information, including name, date of birth, insurance information, medical treatment information, and Social Security number.' Some employee payroll data and vendor information, such as direct deposit bank account information, also was on the tapes.

Nemours began encrypting its back up data tapes and moved its rarely-used tapes to a more secure off-site facility. The health system is offering a year's worth of credit-monitoring to affected individuals, which considering the numbers involved in this breach, could be a massive, seven-figure expense.

"Nemours Notifying 1.6 Million Individuals About Breach," Health Data Management (October 18, 2011).

• Print
• Comments
• Trackbacks
• Share Link

A spreadsheet containing personal data of 20,000 emergency room patients of Stanford Hospital appeared on Student of Fortune, a Web site which "crowdsources" homework to other students online. The lost data included names, admission dates, diagnoses and other sensitive information. According to the New York Times, the spreadsheet was uploaded to this site by a billings contractor of Stanford Hospital, when an employee tried to solicit help on how to create a graph from the data in the spreadsheet. As Gawker reasonably speculated, a contractor's employee probably did not know how to create a graph and "so uploaded it to the homework helper website and offered, probably, a buck or two if someone could do it for them."

This breach stands out among the hundreds of others not because of its size (significantly larger breaches have been reported to HHS in the last year alone), but because this breach went undetected for almost a year and because, once again, a contractor of the healthcare provider caused a major data breach. According to a privacy expert quoted in the Times, "nearly 20 percent of breaches involved outside contractors, accounting for more than half of all the records exposed," which is a staggering number.

To protect our healthcare provider clients, we always include specific privacy protection warranties, indemnification clauses and limitation of liability carve-outs for vendor's own negligent acts or omissions which result in a data breach or loss. Stanford Hospital's example illustrates that providers must insist on such protections despite strenuous objections from vendors because, otherwise, providers may be exposed to a wide range of expenses and damages from third-party claims, fines, investigations and breach notification associated with a data breach or loss resulting from vendor's actions.

• Print
• Comments
• Trackbacks
• Share Link

A survey by Veriphyr, a provider of identity and access intelligence solutions, found that insiders were responsible for over 60% of data breaches of protected health information (PHI). Specifically, 35% of the PHI breaches were due to insiders' snooping into medical records of fellow employees, and 27% due to improper access to records of their friends and relatives.

Over 70% of surveyed entities, which included hospitals and other heathcare providers, reported suffering one or more breaches within the last 12 months. Veriphyr CEO estimated that data breaches cost healthcare organizations almost $6 billion annually, but found that an overwhelming majority of privacy and compliance officers within the surveyed group (79%) felt that they lacked "adequate controls to detect PHI breaches in a timely fashion."

It is worth noting that 45% of breaches in the survey were caused by loss or theft of medical records and/or equipment holding such records. We have recently seen HHS impose a $1 million fine on Massachusetts General Hospital in a case where, it seems, records were lost by an employee due to a simple mistake and with no malice. UCLA Health System also paid a high price for its employees' snooping into medical records of celebrities.

While it is difficult to anticipate or avoid all possible human error, certain best practices - including Board and executive-level support for privacy initiatives, staff training and updated privacy and security policies and procedures, will go a long way to help your organization protect itself from a disastrous and costly data breach.

"Insiders responsible for majority of privacy breaches, survey finds," Healthcare IT News (August 30, 2011).

• Print
• Comments
• Trackbacks
• Share Link

On July 6, 2011, the University of California at Los Angeles Health System (UCLAHS) reached a settlement with HHS's Office of Civil Rights (OCR) regarding UCLAHS's potential violations of HIPAA Privacy and Security Rules. The settlement includes a payment of $865,500 and a corrective action plan (CAP). 

According to the HHS press release, this settlement "resolves two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLAHS. The complaints alleged that UCLAHS employees repeatedly and without permissible reason looked at the electronic protected health information of these patients. OCR’s investigation into the complaints revealed that from 2005-2008, unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients."

We reported on possible privacy violations at UCLA Health System before. Specifically, in May 2010, we wrote about Huping Zhou, a UCLAHS employee who was the first person to receive a criminal conviction for a HIPAA violation. It is not surprising that OCR stressed the importance of training staff in prevention of such privacy violations in the CAP required by the settlement. The CAP "requires UCLAHS to implement Privacy and Security policies and procedures approved by OCR, to conduct regular and robust trainings for all UCLAHS employees who use protected health information, to sanction offending employees, and to designate an independent monitor who will assess UCLAHS compliance with the plan over 3 years."

• Print
• Comments
• Trackbacks
• Share Link

On May 31, 2011, HHS released the proposed rule on accounting for dislosures of protected health information (PHI), which modified the HIPAA Privacy Rule pursuant to the HITECH Act. This proposed rule would give individuals the right to get a report on who has electronically accessed their PHI. Via HHS press release:

'This proposed rule represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard private health information,' said OCR Director Georgina Verdugo. 'We need to protect peoples’ rights so that they know how their health information has been used or disclosed.'

People would obtain this information by requesting an access report, which would document the particular persons who electronically accessed and viewed their protected health information. Although covered entities are currently required by the HIPAA Security Rule to track access to electronic protected health information, they are not required to share this information with people.

The proposed rule requires an accounting of more detailed information for certain disclosures that are most likely to affect a person’s rights or interests. The proposed changes to the accounting requirements provide information of value to individuals while placing a reasonable burden on covered entities and business associates.

You can view and download the proposed rule by clicking here.

• Print
• Comments
• Trackbacks
• Share Link

HHS's own Office of Inspector General (OIG) issued a scathing report regarding pervasive breaches in privacy and security of patient data. OIG specifically called out the Office of Civil Rights (OCR), charged with enforcement of HIPAA Privacy and Security Rules, for failing to investigate and punish the vast majority of violators.

The audit tested seven hospitals' compliance with HIPAA in seven different states, and found 151 vulnerabilities in the systems and controls intended to cover e-PHI, 124 of which were categorized as "high-impact" (i.e., ones which may result in costly losses, injury or death.)  Violations included unencrypted wireless connections, easy passwords, and even a taped-over door lock on a room used for data storage. Via Modern Healthcare:

The audits of the seven hospitals revealed weaknesses in hospital IT defenses of electronic protected health information, or ePHI, ranging from the fact that several hospitals still were using obsolete and vulnerable encryption protocols to the fact that all seven had vulnerable access controls in which “Outsiders or employees at some hospitals could have accessed, and in one hospital did access, systems and beneficiaries' personal data and performed unauthorized acts without the hospitals' knowledge.”

“These vulnerabilities placed the confidentiality, integrity and availability of ePHI at risk,” the auditors said. The individual hospital audit reports were not disclosed “because the reports contained restricted, sensitive information that may be exempt from release under the Freedom of Information Act,” according to the report.

• Print
• Comments
• Trackbacks
• Share Link

According to Healthcareinfosecurity.com, the Office of Civil Rights (OCR) is still working on the final rule regarding the updates to HIPAA and the related HIPAA Privacy and Security Rules mandated by the HITECH Act. Susan McAndrew, deputy director for health information privacy at OCR, stated at a conference in Washington, DC, that such changes will be contained in one omnibus regulation and is expected to be published in a matter of months, if not weeks.

Such omnibus regulation will cover:

• HITECH Act-mandated modifications to the HIPAA privacy, security and enforcement rules. These changes, for example, formalize higher penalties for HIPAA violations and make it clear that business associates must comply with HIPAA. Last December, HHS had indicated in its semi-annual regulatory agenda that the final HIPAA modifications, many of which were issued in preliminary form last year, would be completed by March.
   
• The breach notification rule. An interim final version is already in effect. OCR yanked a proposed final version of the rule last year for further consideration. Some observers speculated that the office may be reconsidering the controversial "harm standard" in the interim final version of the rule, which enables organizations to conduct a risk assessment to determine whether a security incident represents a significant risk of harm and thus merits reporting.
   
• Privacy provisions under the Genetic Information Nondiscrimination Act. These provisions will formalize that using genetic information for insurance underwriting purposes is a privacy violation as well as a non-discrimination violation, McAndrew said.

• Print
• Comments
• Trackbacks
• Share Link

As we predicted yesterday, HealthNet's breach of personal information of almost 2 million people, is already the subject of a state government agency's investigation.  Via Health Leaders Media:

After Health Net, Inc. in California announced Monday that several data servers containing sensitive health and personal information on its enrollees are unaccounted for, state officials said the security breach involves 'personal information for 1.9 million current and past enrollees nationwide.'

The California Department of Managed Health Care, the only stand-alone HMO watchdog agency in the nation, also provided further details beyond the plan's statement, saying that the missing records on nine servers are 'for more than 622,000 enrollees in Health Net products regulated by the DMHC, more than 223,000 enrolled in the California Department of Insurance products (another state agency that has oversight responsibility) and a number enrolled in Medicare.'

'The DMHC has opened an investigation into Health Net's security practices," said DMHC spokesperson Lynne Randolph. "Health Net has agreed to provide two years of free credit monitoring services to its California enrollees, in addition to identity theft insurance, fraud resolution and restoration of credit files, if needed.'

This may not be the last government investigation for the embattled insurer. For more information on the breach, please click here.

• Print
• Comments
• Trackbacks
• Share Link

HealthNet, a California-based insurer, suffered another major data breach last month. Modern Healthcare reports that HealthNet lost data of almost two million employees, members and healthcare providers, including their medical information, Social Security numbers and other sensitive information. The loss was reportedly caused by a missing server drive from HealthNet's Rancho Cordova, CA data center.  According to the insurance company's press release, HealthNet's IT vendor, IBM, notified HealthNet that it could not locate the drives.

As we noted previously, HealthNet suffered another major data breach in 2009, when the company lost a portable hard drive containing sensitive and protected information on 1.5 million people.  As a result of that breach, HealthNet was sued by then-Connecticut Attorney General Richard Blumenthal, in a first such action under HIPAA, as modified by the HITECH Act.  HealthNet and Connecticut settled this suit in 2010 for $250,000 fine, a $500,000 contingency fund and a corrective action plan aimed at enhancing the security of the data in HealthNet's possession.

In light of HHS stepping up enforcement of HIPAA and HIPAA Privacy and Security Rules, HealthNet will become a likely target of both federal and state investigations; and if such investigations reveal negligence or failure to implement or comply with their own corrective action plan referenced above, the fines could be much more severe than the $250,000 number from the Connecticut settlement in 2010.

This should also serve as a reminder about the importance of requiring IT vendors to indemnify healthcare providers against such losses. If HealthNet's investigation concludes that IBM and/or its personnel were responsible for this loss, the parties will likely look to their existing contracts and BAA to determine whether IBM will reimburse HealthNet for its costs in relation to this breach.

• Print
• Comments
• Trackbacks
• Share Link

Cignet Health, a Maryland health plan and a HIPAA covered entity, has been fined $4.3 million for failing to produce health records upon request to 41 patients, and for failing to cooperate with OCR with the agency's investigation.  This is the very first civil money penalty (CMP) issued by HHS under the HIPAA Privacy Rule.

Via HHS Press Release:

In a Notice of Proposed Determination issued Oct. 20, 2010, OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with OCR, initiating investigations of each complaint. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The CMP for these violations is $1.3 million.

During the investigations, Cignet refused to respond to OCR’s demands to produce the records. Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.

• Print
• Comments
• Trackbacks
• Share Link

New York City's Health and Hospital Corporation notified its patients last week of a loss of electronic files containing personal data, including PHI of some 1.7 million people. Electronic files were stolen while the information management company's van was left unlocked and unattended.

This case should serve as a great reminder to:

• check your existing contracts - including Business Associate Agreements - with HIT and health information management vendors, to see if such agreements contain appropriate clauses indemnifying the provider against costs, losses, fines and other expenses incurred as a result of the vendor's loss or improper disclosure of protected personal data, including PHI;

• make sure that same contracts do not impose a cap on vendor's liability in the event of such breach;

• confirm that you have a proper breach response plan in place (which should include, e.g., where applicable, procedures for notifying patients in foreign languages); if not, bring together management, legal, IT and privacy and security offers to develop such a plan as soon as possible; and

• review your policies and procedures with respect to compliance with the HIPAA Privacy and Security Rules, especially as modified by the HITECH Act.

• Print
• Comments
• Trackbacks
• Share Link

The Rite Aid Corporation, the third largest pharmacy chain in the United States, reached a major settlement with both the Federal Trade Commission (FTC) and HHS's Office of Civil Rights (OCR) regarding charges that Rite Aid violated federal privacy and security laws and regulations by failing to keep its customers' and employees' data safe. 

Rite Aid employees were reported to discard prescriptions and pill bottles containing sensitive patient data into the dumpsters behind various Rite Aid pharmacies, which were easily accessible to the public.  Such practices violate the HIPAA Privacy Rule, which requires covered entities to safeguard the privacy of patient information, even when such information is being destroyed.  Rite Aid's actions may also violate the company's own promises to their customers regarding keeping their health information private and secure (this broken promise being the basis for FTC's charges).

• Print
• Comments
• Trackbacks
• Share Link

On July 13, 2010, CMS issued the final rule defining "meaningful use" and establishing the parameters and requirements for eligible professionals, hospitals and other providers to receive incentive payments provided under the HITECH Act for widespread adoption of electronic health records.  According to CMS, the key changes included in the final rule (from the meaningful use NPRM published in the Federal Register on January 13, 2010) include:

• Greater flexibility with respect to eligible professionals and hospitals in meeting and reporting certain objectives for demonstrating meaningful use. The final rule divides the objectives into a “core” group of required objectives and a “menu set” of procedures from which providers may choose any five to defer in 2011-2012. This gives providers latitude to pick their own path toward full EHR implementation and meaningful use.
• An objective of providing condition-specific patient education resources for both EPs and eligible hospitals and the objective of recording advance directives for eligible hospitals, in line with recommendations from the Health Information Technology Policy Committee.
• A definition of a hospital-based EP as one who performs substantially all of his or her services in an inpatient hospital setting or emergency room only, which conforms to the Continuing Extension Act of 2010
• CAHs within the definition of acute care hospital for the purpose of incentive program eligibility under Medicaid.

You can view the PDF of the final rule on Meaningful Use by clicking here.

You can learn more about it from the HHS press release by clicking here.  Also, the New England Journal of Medicine published an excellent summary by Dr. Blumenthal of the changes included in the final rule; you can find this article by clicking here.

• Print
• Comments
• Trackbacks
• Share Link

On July 7, 2010, HHS issued a notice of proposed rule making (NPRM) regarding the changes to the HIPAA Privacy, Security and Enforcement Rules, as provided in the HITECH Act, in order "to strengthen the privacy and security protections for health information and to improve the workability and effectiveness of the HIPAA Rules."  Via HHS Press Release:

The proposed modifications to the HIPAA Rules include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans. In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.

You can view the NPRM by clicking here.

"Notice of Proposed Rulemaking to Implement HITECH Act Modifications," HHS Press Release (July 7, 2010).

• Print
• Comments
• Trackbacks
• Share Link

In November of 2009, health insurance provider HealthNet reported a loss of a portable disk drive (which occurred six months prior to HealthNet's report). The disk drive contained compressed, though not encrypted, data, including social security and bank account information, on nearly half a million persons.  This loss outraged the Connecticut Attorney General Richard Blumenthal, eventually leading Connecticut to file suit against the insurer for HIPAA violations and noncompliance with HealthNet's own security policies by failing to encrypt the sensitive data.

However, on July 6, 2010, Blumenthal (who is currently running to replace Chris Dodd (D-CT) in the U.S. Senate) announced that Connecticut has reached a settlement with HealthNet and its parent companies over this breach.  According to Blumenthal, this is the very first time a state Attorney General reached such a settlement for a HIPAA violation. The settlement included:

• $250,000 fine to be paid to Connecticut;

• $500,000 contingency fund, to be paid to the state in the event it is determined that someone accessed the protected data on the lost disks; and

• a "corrective action plan" which is aimed to enhance security of protected data in possession of HealthNet and its parent companies.

It is important to keep in mind that the penalties could have been even higher. Yet regardless of the amount of the fine, this breach cost much more to HealthNet than $250,000.  The costs associated with investigations, breach notification, and possible legal fees almost certainly cost the organization more than the amount of the fine imposed by Connecticut.  Thus, HealthNet's example should serve as a great reminder about the importance of doing everything possible to avoid a breach, and knowing how to handle a breach effectively if one does occur.

"Blumenthal wins $250,000 in Health Net settlement," TheDay.com (July 6, 2010).

• Print
• Comments
• Trackbacks
• Share Link

Breaches are not always caused by lost laptops or hackers.  They often result from simple errors by the hospital's or another provder's own staff.  In a very recent example, the California Department of Public Health found two instances of serious mishandling of protected patient information at Children's Hospital of Orange County.  Via Orange County Register:

In the first instance, the state found that after a doctor called to give the hospital a new fax number, patient records were instead sent to an auto business. Six faxes with health care information were picked up from the business, the report says.

A month later, the auto shop again notified the hospital that it had received a fax with a patient's name, date of birth and details of visits. The hospital discovered that the wrong fax number had not been changed in a data base.

Hospital staff said the breach would have been prevented if a test fax had been sent as required by hospital policy, the report said.

The other privacy breach occurred when the name of an emergency room patient's doctor was incorrectly entered into the system. Records were then faxed to the wrong doctor who notified the hospital.

CHOC is auditing its database to make sure information is accurate.

It is not clear whether CDPH is going to impose a fine on CHOC like the agency did earlier this month to five different hospitals. Regardless, this episode should serve as a great reminder for healthcare providers about how simple mistakes can lead to costly and highly embarrassing data breaches, especially in instances where the provider fails to adhere to its own privacy policy. 

"State blames CHOC in wrong-site surgery," Orange County Register (June 25, 2010).

• Print
• Comments (1)
• Trackbacks
• Share Link

Via Health Leaders Media:

OCR will release proposed rules later this month [or 'about two weeks or around June 26th'] on most of the HIPAA privacy and security-related provisions in HITECH, according to the North Carolina Healthcare Information and Communications Alliance (NCHICA).

<...> NCHICA reports the proposed rules will not include accounting for disclosures, which will be the subject of a separate proposed rule. The NPRM will also include clarification regarding "willful neglect" (penalty tiers).

Currently, that represents the most egregious breach of unsecured PHI and can include a penalty of at least $1.5 million under new HITECH tiers in the enforcement final rule.

The state alliance also reports state attorneys general (SAG) are "developing training programs, including information for SAG staff, covered entities and business associates regarding HIPAA requirements and processes for filings with HHS, based on lessons learned from the first AG filing in Connecticut." Under HITECH, state AGs can pursue lawsuits for HIPAA violations, and Connecticut's AG was the first to do so.

OCR is expected to begin its HITECH-required compliance audits next year, the alliance reports. OCR's audits will be outsourced because its resources are limited, according to the e-mail.

"Much remains to be decided," Susan McAndrew, JD, deputy director for Health Information Privacy, for OCR, said in the "Quiz the Regulator" session on June 7.

"State Alliance: Proposed HITECH Regulations Coming in Two Weeks," Health Leaders Media (June 15, 2010).

• Print
• Comments
• Trackbacks
• Share Link

According to Health Data Management, Susan McAndrew, deputy director for privacy at the Department of Health and Human Services’ Office for Civil Rights (OCR) announced at a recent conference that OCR added investigators to 10 regional offices in order to boost enforcement of HIPAA privacy and security rules. 

On August 3, 2009, HHS Secretary Kathleen Sebelius transferred the responsibility for HIPAA Security Rule enforcement from CMS to OCR, which is now tasked with enforcement of both the HIPAA Security Rule and the HIPAA Privacy Rule.

While the transition from CMS to OCR "took longer than expected," Ms. McAndrew believes that OCR is finally in a position to increase enforcement efforts in order to realize the privacy and security initiatives enacted last year pursuant to the HITECH Act.

We’re hoping to move security to the forefront and make it a real partner with privacy in our enforcement... [and] that with additional feet on the ground, we’ll be able to do many more security cases as the year moves forward.

"OCR Boosting Security Enforcement," Health Data Management (May 12, 2010).

• Print
• Comments
• Trackbacks
• Share Link

Back in January, we wrote about Huping Zhou, a former employee at the UCLA Healthcare System, who pleaded guilty to federal charges of breaches of patient privacy.  Zhou, 48, accessed the UCLA patient records system 323 times during the three-week period, mostly looking for the files of celebrities, after being let go by the hospital. Names of targeted celebrities have not been revealed.

On April 27, 2010, Zhou was sentenced to four months in prison after pleading guilty to four misdemeanor counts of HIPAA violations. Zhou is the first person ever sentenced to prison for violating HIPAA.  According to NBC Los Angeles:

Federal officials say Zhou is a licensed cardiothoracic surgeon in China. In 2003, he went to work for UCLA as a researcher with the UCLA School of Medicine. But his tenure was short and stormy. School officials notified him that he would be dismissed in October that year, and that's when federal officials say the snooping began.

In his plea agreement, Zhou admitted his actions, and that he had no legitimate reason for accessing the records. Federal authorities say there's no evidence that he did it for profit. Apparently, he just did it because he could.

"Former UCLA Healthcare Worker Sentenced to Prison for Snooping, " NBC Los Angeles (April 28, 2010).

• Print
• Comments
• Trackbacks
• Share Link

Last Thursday, March 18, 2010, from 1:00PM to 2:00PM (EDT), Post & Schell hosted the second webinar in a series examining the effects of meaningful use and other HITECH Act regulations on the healthcare industry. 

The webinar focused on identifying and negotiating the essential elements of HIT agreements, particularly in light of the HITECH Act and related HHS regulations regarding "meaningful use" of "certified EHR technology." Post & Schell's Steve Fox and Vadim Schick, along with Jim Oakes, Principal at Health Care Information Consultants, discussed:

• Warranty, limitation of liability and privacy and security provisions in HIT contracts
• Structuring payments to correspond with certain achievement milestones
• Acceptance testing procedures
• Provisions specific to vendor-financing transactions
• ASP / SaaS models of software licensing

If you missed the presentation, you can listen to the podcast here. You can also view the slides from our presentation here.

This webinar was the second in a series devoted to structuring vendor-provider agreements in the post-HITECH Act world. If you missed our first webinar, A Lawyer's Take on "Meaningful Use," you can still view the slides from that presentation here.

• Print
• Comments
• Trackbacks
• Share Link

As of February 22, 2010, HHS is expected to begin enforcing the new breach notification requirements created by the privacy and security provisions within the HITECH Act.  Although such requirements went into effect last fall, HHS gave covered entities and business associates a few months to adapt to the new rules.  That enforcement delay is now over, and, perhaps in a related move, on February 23, 2010, HHS's Office of Civil Rights, pursuant to the HITECH Act, posted a list of organizations which reported breaches of unsecured protected health information affecting 500 or more individuals on OCR's web site.  This should serve as a good reminder to providers and HIT vendors alike to be keenly aware of the new regulations on breach notification.

The HITECH Act required a covered entity that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information” to notify each individual “whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed” due to the breach.  Business associates who discover a breach must notify the covered entity. 

By regulation published in the Federal Register on August 24, 2009, HHS added a rather controversial  "harm threshold" to this requirement:  covered entities and business associates are required to notify the affected individual, the HHS, and, in some cases, the media, if such breach poses a significant risk of harm to the individual.  This "harm threshold" essentially requires the organization which discovers a breach to undergo a risk assessment test to determine whether a breach would cause "significant harm" to the affected person.

• Print
• Comments
• Trackbacks
• Share Link

Pursuant to the HITECH Act, on February 17, 2010, business associates of covered entities became subject to the HIPAA Privacy and Security Rules, including provisions regarding implementation of various safeguards to secure protected health information.  As Steve Fox pointed out in a recent report on the subject by the Pittsburgh Business Journal, it is highly unlikely that most companies are ready to comply with these dramatic changes.

However, according to Hunton & Williams's privacy blog, Adam Greene of the HHS Office of Civil Rights (OCR) stated at an ABA conference on February 18, 2010, that OCR will delay enforcement of this provision of the HITECH Act until the relevant regulations are finalized.  OCR itself did not publish a press release on the subject, and we were unable to reach Mr. Greene for comment.

Regardless of OCR's intent to enforce compliance, the business associate provisions in the HITECH Act went into effect last week.  We would strongly encourage all covered entities and business associates to take all necessary actions to comply with the new law.

"Privacy policies over electronic health records expand reach," Pittsburgh Business Journal (February 19, 2010).

"HHS Delays Enforcement of HITECH Act Business Associate Provisions," Privacy & Information Security Law Blog (February 19, 2010).

• Print
• Comments
• Trackbacks
• Share Link

Joy Pritts, a researcher and faculty member at Georgetown University's Health Policy Institute, was named as the first Chief Privacy Officer for the Office of National Coordinator for Health IT.  This position was created pursuant to a provision in ARRA, last year's economic stimulus legislation.

In her new position, Ms. Pritts will advise Dr. Blumenthal on forming policies on privacy, security and data stewardship of electronic health information, as well as coordinate similar efforts on state, federal and international levels.

Ms. Pritts is a graduate of Oberlin College and Case Western Reserve University School of Law.  She has testified before Congress on data privacy issues, and served as a member of Technical Advisory Panel for the multi-state Health Information Security and Privacy Collaborative (HISPC) and on the board of the National Governors Association’s State Alliance for e-Health.

• Print
• Comments
• Trackbacks
• Share Link

On July 20, 2009, Dr. Jay Holland and two hospital employees plead guilty to misdemeanor violations of the health information privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) based on their accessing records of a high-profile patient at the St. Vincent Infirmary Medical Center without any legitimate purpose. 

According to the FBI press release, the doctor has been sentenced to a $5,000 fine to be paid in 60 days, and 50 hours of community service educating professionals on HIPAA.  The two employees were sentenced to to one-year probation each, and a $2,500 fine for one and a $1,500 fine for another, both payable in installments.

The United States Attorney for the Eastern District of Arkansas stated that:

We hope that today’s sentencings send the message that the HIPAA protections apply to every person in the community, regardless of their position or stature. Likewise, the penalties for violating HIPAA apply equally to every person with access to protected health information.

"Doctor and Two Former Hospital Employees Sentenced for HIPAA Violations," FBI Press Release (October 26, 2009).

• Print
• Comments
• Trackbacks
• Share Link

On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published the interim final regulations regarding breach notification requirements for health care providers and other entities covered by HIPAA. 

According to the HHS press release:

The regulations, developed by the HHS Office for Civil Rights (OCR), require health care providers and other HIPAA covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.

You can find the text of the regulation here.

Stay tuned for more analysis of this important set of regulations on this blog. The interim final regulations are effective 30 days after publication in the Federal Register and include a 60-day public comment period. 

• Print
• Comments
• Trackbacks
• Share Link

HHS Secretary Kathleen Sebelius has delegated the responsibility for administration and enforcement of the HIPAA Security Rule to the Office of Civil Rights, a division of HHS.  Previously, Centers for Medicare and Medicaid Services (CMS), another HHS division, was responsible for Security Rule administration, while OCR was tasked with administering and enforcing the HIPAA Privacy Rule.  Effective immediately, OCR is responsible for administering both Security  Rule and Privacy Rule, as well as all HIT privacy and security related provisions in the HITECH Act.

According to HHS, this move "will eliminate duplication and increase efficiencies in how the department ensures that Americans’ health information privacy is protected."  This transfer of authority is not meant to create any disruption of current procedures.  Consumers may continue to submit HIPAA security complaints using the on-line resource – the Administrative Simplification Enforcement Tool (ASET) -- which can be accessed here. New security complaints may also be sent to the Office for Civil Rights. 

You can find the Federal Register notice here.

"HHS Delegates Authority for the HIPAA Security Rule to Office for Civil Rights," HHS Press Release (August 3, 2009).

• Print
• Comments
• Trackbacks
• Share Link

Healthcare Informatics Editor-in-Chief Anthony Guerra recently talked with our own Steve Fox and fellow Post & Schell partner Edward Shay about the substance of the HITECH Act and what this new legislation means for healthcare providers. The interview appears under the "Online Exclusives" section of the Healthcare Informatics Web site.

Healthcare Informatics recently published Part III and Part IV of the interview on its Web site.

• Print
• Comments
• Trackbacks
• Share Link

The HITECH Act includes a number of provisions regarding confidentiality, privacy and security of protected health information, which significantly affect both the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HIPAA Privacy and Security Rules. The Act provides for different enforcement dates for nearly each of the provisions, but some of them already gone into effect upon ARRA’s enactment on February 17, 2009. Furthermore, the Act mandates the HHS Secretary to promulgate regulations regarding various privacy and security provisions, thereby delaying enforcement until the completion of the rule-making process. Consequently, there is still much uncertainty regarding the new privacy and security regime, as established by this Act.
Some of the most significant changes include:

• New breach notification requirements for covered entities. The Act requires covered entities to notify individuals in writing if their protected health information (PHI) is disclosed, lost or otherwise compromised. The notices must be given within sixty (60) days of discovering the breach; if the breach involves 500 or more individuals, the covered entity must also inform HHS and “prominent media outlets serving a state or a jurisdiction.” There are also “temporary” breach notification requirements for commercial personal health record vendors, such as Google Health, Microsoft Vault and Revolution Health; however, Google Health has claimed that the Act’s provisions do not apply to Google. We will have to await the final regulations to see if they remove any ambiguity in this area.
• Business Associates are now subject to HIPAA. Third-party administrators, health information technology vendors, benefit providers and consultants are now directly subject to certain specified HIPAA privacy and security rules and regulations. (Please note that this change in particular may require a review of existing Business Associate Agreements as well as revision of any new BAA's entered into.)

MORE after the jump.

• Print
• Comments
• Trackbacks
• Share Link