Privacy & Security : Health IT Law Blog

Free Webinar: Negotiating "Must-Have" Provisions in HIT Contracts

Posted on March 9, 2010 by Steve Fox and Vadim Schick

On Thursday, March 18, 2010 from 1:00PM to 2:00PM (EST), Post & Schell will host the next webinar in a series examining the effects of meaningful use and other HITECH Act regulations on the healthcare industry.

This webinar will focus on identifying and negotiating the essential elements of HIT agreements, particularly in light of the HITECH Act and related HHS regulations regarding "meaningful use" of "certified EHR technology." Post & Schell's Steve Fox and Vadim Schick, along with Jim Oakes, Principal at Health Care Information Consultants, will discuss:

Warranty, limitation of liability and privacy and security provisions in HIT contracts
Structuring payments to correspond with certain achievement milestones
Acceptance testing procedures
Provisions specific to vendor-financing transactions
ASP / SaaS models of software licensing

You may view this presentation at your desk. There is no charge or limit to the number of people who may listen to the presentation on the same line. Click here to register. After registering, you will receive log-in information by e-mail.

This webinar is second in a series devoted to structuring vendor-provider agreements in the post-HITECH Act world. If you missed our first webinar, A Lawyer's Take on "Meaningful Use," you can still view the slides from that presentation here.

Tags: ARRA, Articles, HITECH, HITECH Act, Meaningful use, Privacy & Security, contract, law, license, meaningful use definition, meaningful use regulations, negotiation

Breaking: ONC releases NPRM on certification programs

Posted on March 2, 2010 by Steve Fox and Vadim Schick

ONC announced release of the much-anticipated Notice of Proposed Rulemaking (NPRM) on certification programs. Via ONC Press Release:

Certification of Health IT will provide assurance to purchasers and other users that an EHR system, or other relevant technology, offers the necessary technological capability, functionality, and security to help them meet the meaningful use criteria established for a given phase. Providers and patients must also be confident that the electronic health IT products and systems they use are secure, can maintain data confidentially, and can work with other systems to share information. Confidence in health IT systems is an important part of advancing health IT system adoption and allowing for the realization of the benefits of improved patient care.

Eligible professionals and eligible hospitals who seek to qualify for incentive payments under the Medicare and Medicaid EHR Incentive Programs are required by statute to use Certified EHR Technology. Once certified, Complete EHRs and EHR Modules would be able to be used by eligible professionals and eligible hospitals, or be combined, to meet the statutory requirement for Certified EHR Technology.

Tags: ARRA, Articles, Certified EHR, EHR, HITECH Act, Meaningful use, News, Privacy & Security, meaningful use definition, meaningful use regulations

HHS begins enforcement of breach notification requirements

Posted on February 25, 2010 by Steve Fox and Vadim Schick

As of February 22, 2010, HHS is expected to begin enforcing the new breach notification requirements created by the privacy and security provisions within the HITECH Act. Although such requirements went into effect last fall, HHS gave covered entities and business associates a few months to adapt to the new rules. That enforcement delay is now over, and, perhaps in a related move, on February 23, 2010, HHS's Office of Civil Rights, pursuant to the HITECH Act, posted a list of organizations which reported breaches of unsecured protected health information affecting 500 or more individuals on OCR's web site. This should serve as a good reminder to providers and HIT vendors alike to be keenly aware of the new regulations on breach notification.

The HITECH Act required a covered entity that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information” to notify each individual “whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed” due to the breach. Business associates who discover a breach must notify the covered entity.

By regulation published in the Federal Register on August 24, 2009, HHS added a rather controversial "harm threshold" to this requirement: covered entities and business associates are required to notify the affected individual, the HHS, and, in some cases, the media, if such breach poses a significant risk of harm to the individual. This "harm threshold" essentially requires the organization which discovers a breach to undergo a risk assessment test to determine whether a breach would cause "significant harm" to the affected person.

Free Webinar on Meaningful Use: Slides included below

Posted on February 24, 2010 by Vadim Schick

Here are the slides from our February 25, 2010 Webinar on Meaningful Use. This webinar was first in a series, and focused on the critical definition of "meaningful use" of "certified EHR technology," as described in proposed regulations released and published by CMS pursuant to the HITECH Act on January 13, 2009. Steve and I discussed:

Key policy goals and objectives behind meaningful use

Measures required to achieve meaningful use

Structure of incentive payments under Medicare and Medicaid

Eligibility requirements for professionals and hospitals

Our next webinar, to be held on Thursday March 18, 2010, from 1:00 to 2:00 PM, will focus on how to negotiate software and EHR licensing agreements and other transactional issues with respect to dealing with health IT vendors.

For more information, please contact me at vschick@postschell.com or 202-661-6945.

Tags: ARRA, Articles, EHR, EMR, Federal Register meaningful use, HITECH, HITECH Act, Incentives, Medicaid, Medicare, News, Privacy & Security, federal register, incentive payments, meaingful use

OCR may delay enforcement of business associate provisions in the HITECH Act

Posted on February 23, 2010 by Steve Fox and Vadim Schick

Pursuant to the HITECH Act, on February 17, 2010, business associates of covered entities became subject to the HIPAA Privacy and Security Rules, including provisions regarding implementation of various safeguards to secure protected health information. As Steve Fox pointed out in a recent report on the subject by the Pittsburgh Business Journal, it is highly unlikely that most companies are ready to comply with these dramatic changes.

However, according to Hunton & Williams's privacy blog, Adam Greene of the HHS Office of Civil Rights (OCR) stated at an ABA conference on February 18, 2010, that OCR will delay enforcement of this provision of the HITECH Act until the relevant regulations are finalized. OCR itself did not publish a press release on the subject, and we were unable to reach Mr. Greene for comment.

Regardless of OCR's intent to enforce compliance, the business associate provisions in the HITECH Act went into effect last week. We would strongly encourage all covered entities and business associates to take all necessary actions to comply with the new law.

"Privacy policies over electronic health records expand reach," Pittsburgh Business Journal (February 19, 2010).

"HHS Delays Enforcement of HITECH Act Business Associate Provisions," Privacy & Information Security Law Blog (February 19, 2010).

Tags: ARRA, Adam Greene, Articles, Business Associates, HHS, HIPAA, HIPAA Privacy Rule, HIPAA Security Rule, HITECH Act, News, OCR, Privacy & Security, business associates as covered entities, delay, delayed enforcement, enforcement

Thursday: Free Webinar on "Meaningful Use"

Posted on February 22, 2010 by Vadim Schick

On Thursday, February 25, 2010 from 1:00PM to 2:00PM (EST), Steve Fox and yours truly will host a free webinar, the first in a series, which will focus on the critical definition of "meaningful use" of "certified EHR technology," as described in proposed regulations released and published by CMS pursuant to the HITECH Act on January 13, 2009. We will discuss:

Key policy goals and objectives behind meaningful use

Measures required to achieve meaningful use

Structure of incentive payments under Medicare and Medicaid

Eligibility requirements for professionals and hospitals

You may view each of these presentations at your desk. There is no charge or limit to the number of people who may listen to each presentation on the same line. Click here to register. After registering, you will receive log-in information by e-mail.

Our next webinar, to be held on Thursday March 18, 2010, from 1:00 to 2:00 PM, will focus on how to negotiate software and EHR licensing agreements and other transactional issues with respect to dealing with health IT vendors.

For more information, please contact me at vschick@postschell.com or 202-661-6945.

Tags: ARRA, Articles, EHR, EMR, HITECH, HITECH Act, Meaningful use, Medicaid, Medicare, News, Privacy & Security, electronic health records, electronic medical records, free webinar, incentive payments, meaningful use definition, meaningful use regulations, webinar

Pritts named first ONC Chief Privacy Officer

Posted on February 18, 2010 by Steve Fox and Vadim Schick

Joy Pritts, a researcher and faculty member at Georgetown University's Health Policy Institute, was named as the first Chief Privacy Officer for the Office of National Coordinator for Health IT. This position was created pursuant to a provision in ARRA, last year's economic stimulus legislation.

In her new position, Ms. Pritts will advise Dr. Blumenthal on forming policies on privacy, security and data stewardship of electronic health information, as well as coordinate similar efforts on state, federal and international levels.

Ms. Pritts is a graduate of Oberlin College and Case Western Reserve University School of Law. She has testified before Congress on data privacy issues, and served as a member of Technical Advisory Panel for the multi-state Health Information Security and Privacy Collaborative (HISPC) and on the board of the National Governors Association’s State Alliance for e-Health.

Tags: ARRA, Articles, Blumenthal, HIPAA, HITECH, HITECH Act, News, ONC, Pritts, Privacy & Security, chief privacy officer, office of national coordinator, privacy

Massive cyber attack affects 75,000 computer systems across the world

Posted on February 18, 2010 by Vadim Schick

According to the Washington Post, more than 75,000 computer systems at over 2,500 companies across the world have been hacked in possibly the largest and extremely sophisticated cross-border cyber attack. The perpetrators appear to be non-state entities operating out of Eastern Europe.

They lured employees of targeted companies to open attachments containing malware or malicious software ("bots") which track down login and password information stored on those systems. Experts believe that such login credentials -- which include online banking user information -- are valuable to such hackers.

The attack mostly affected businesses in the United States, Egypt, Mexico, Turkey and Saudi Arabia. Wall Street Journal named Merck and Cardinal Health among the companies affected.

Tags: Articles, News, Privacy & Security, attack, bots, cyber, malware

Study finds big increases in physicans' online communications with patients

Posted on February 16, 2010 by Steve Fox and Vadim Schick

According to American Medical News (AMN), a new report by Manhattan Research states that online communications by physicians have increased by 14% since 2006. The survey of 1900 physicians found that 39% of physicians use online communication tools such as email, secure messaging, or instant messaging.

Dermatologists lead all other surveyed practices in the volume of online communications, which, according to Girish Munavalli, MD, assistant professor of dermatology at Johns Hopkins University School of Medicine, can be attributed to "a lot of triage calls and calls for clarification of instructions" which come from dermatologists' large patient volumes. "This is perfect for short e-mail communication and reminders," added Dr. Munavalli.

Dermatologists are followed by oncologists, neurologists, endocrinologists, infectious disease specialists, and primary care physicians.

Of course, certain obstacles remain. Some doctors abstain from using such technology because of liability worries, while many patients prefer in-person meetings because of concerns regarding privacy of their health information. Still, the report suggests that this increase may be due to the growing comfort level and acceptance of online communication between physicians and patients. And it may even indicate a larger trend of greater familiarity and use of other health-related technologies, such as EMRs and personal health records.

Tags: ARRA, Articles, EMR, HITECH Act, News, Physicians, Privacy & Security, health information, messaging, online communication tools, online communications, patient communications, privacy, secure

Obama administration announces $975M in HIT grants

Posted on February 16, 2010 by Steve Fox and Vadim Schick

HHS Secretary Kathleen Sebelius, appearing with Labor Secretary Hilda Solis, announced the Obama administration will release almost $1 billion set aside in the stimulus bill in order to aid implementation of health information technology.

Secretary Sebelius announced $386 million in grants to advance widespread adoption of EHRs at the state level, including for health information exchanges (HIEs). HHS also awarded $375 million to 32 nonprofits for Regional Extension Centers which assist providers in updating their medical record systems and train workers on such new technologies.

Secretary Solis announced around $225 million to support 55 job-training programs in 30 states which is expected to train around 15,000 people in the health records technology.

The Obama administration expects to help more than 100,000 health-care providers set up electronic medical records for their patients by 2014.

Tags: ARRA, Articles, EHR, EMR, HIE, HITECH, HITECH Act, News, Privacy & Security, Regional Extension center, Sebelius, grant, health information exchange, training

Rising numbers and costs of data breaches

Posted on January 28, 2010 by Vadim Schick

There is little doubt that the healthcare industry must prepare for a growing number of - and expanding costs associated with - data breaches, particularly for breaches of protected health information. Here are just a few notable reports on this subject:

Infosecurity.com reported on a striking increase in attempts to hack into healthcare organizations, while the rate of hacking in other economic sectors remained flat: "the last quarter of [2009] saw an average of 13 400 attempts to hack healthcare organizations, compared to an average of 6,500 in the first nine months." According to researchers at SecureWorks, which produced the graph above, healthcare organizations are particularly vulnerable to such attacks because they "have to provide access to many external networks and web applications so as to stay connected with their patients, employees, insurers and business partners. This increases their risk to cyber attacks."

Cnet News reported on similar findings by the Ponemon Institute, whose survey concluded that "Data breaches at U.S. companies attributed to malicious attacks and botnets doubled from 2008 to 2009 and cost substantially more than breaches caused by human negligence or system glitches." The cost per compromised record involving a criminal act averaged $215, about 40% higher than breaches from negligence and 30% higher than those from glitches, the Ponemon survey found.

Tags: ARRA, Articles, BCBS, HITECH, HealthNet, News, Privacy & Security, Privacy and Security, breach, credit, data breach, hacking, health information, malware, monitoring, notification, privacy, security

In the news: Privacy breaches and de-identification

Posted on January 11, 2010 by Steve Fox and Vadim Schick

According to LA Weekly, Huping Zhou, a former employee at the UCLA Healthcare System, pleaded guilty to federal charges of breaches of patient privacy. Zhou, 48, accessed the UCLA patient records system 323 times during the three-week period, mostly looking for the files of celebrities, after being let go by the hospital. Names of targeted celebrities have not been revealed. This case follows a similar breach at UCLA Medical Center, when Lawanda Jackson, a former nurse at the Center, plead guilty to wrongfully accessing information of Britney Spears and Farrah Fawcett.

Delaware Online reports about a new unfortunate trend in medical identity theft -- searching for copies of discarded prescriptions: "In the latest crime trend to hit Delaware, police are reporting that people looking for drugs such as Oxycontin and Vicodin are stalking customers who throw away prescription bags containing paperwork with details about their pills and themselves. They use the personal information to call in prescriptions and charge them to the victims' insurance. Then they turn around and sell the drugs." According to Bruce DiVincenzo, chief agent of Delaware's Office of Narcotics and Dangerous Drugs:

They're making their own scripts by ordering paper from the Internet," he said. "It's the patient's name that they want, because that person is actively listed as a customer of the pharmacy and will not raise suspicion."

Pharmacies like CVS and Happy Harry's (a subsidiary of Walgreens) take certain precautions to prevent such identity theft, including checking ID's before filling prescriptions and reminding customers to be careful with their receipts and copies of prescriptions.

Tags: ARRA, Articles, HIPAA, HIPAA Privacy Rule, HIPAA Security Rule, HITECH Act, News, Privacy & Security, breach, de-identification, deidentification, identity theft

Updated: Meaningful Use Definition Released in the Federal Register

Posted on December 30, 2009 by Steve Fox and Vadim Schick

CMS released a proposed rule pursuant to the HITECH Act which includes the much-anticipated definition of Meaningful Use of Certified EHR technology. You can find the full text here.*

HHS has also released an interim final rule with a request for comments to adopt an initial set of standards, implementation specifications, and certification criteria, as required by section 3004(b)(1) of the Public Health Service Act. This interim final rule represents the first step in an incremental approach to adopting standards, implementation specifications, and certification criteria to enhance the interoperability, functionality, utility, and security of health information technology and to support its meaningful use. The certification criteria adopted in this initial set establish the capabilities and related standards that certified electronic health record (EHR) technology will need to include in order to, at a minimum, support the achievement of the proposed meaningful use Stage 1 (beginning in 2011) by eligible professionals and eligible hospitals under the Medicare and Medicaid EHR Incentive Programs. You can find this interim rule here.*

Tags: ARRA, Articles, CMS meaningful use, Certified EHR, EHR, EMR, Federal Register meaningful use, HITECH Act, Meaningful use, News, Privacy & Security, federal register, incentive payments, meaningful use definition, meaningful use regulations

ALERT: CMS and ONC to Discuss Next Steps in EHR Programs Today

Posted on December 30, 2009 by Steve Fox and Vadim Schick

Today the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) will announce two regulations that lay a foundation for improving quality, efficiency, and safety through meaningful use of electronic health record (EHR) technology.

The regulations will help implement the EHR incentive programs enacted under the Health Information Technology for Clinical and Economic Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act of 2009. Public comments on both regulations are encouraged.

Join today’s call; details are listed below:

WHO:
--David Blumenthal, MD, MPP, national coordinator for health information technology
--Jonathan Blum, director, Center for Medicare Management
--Cindy Mann, director, Center for Medicaid and State Operations

WHAT:
Briefing for HITECH Partners and Stakeholders – Providers, HIT Industry Organizations

WHEN:
Today, Wednesday, Dec. 30, 2009, 5:15 p.m. – 6:00 p.m. Eastern Time

WHERE:
Toll-Free Dial: (800) 837-1935
Conference ID: 49047605
Pass Code: HITECH

Stay tuned for more updates and information on the HIMSS Meaningful Use Web site at http://bit.ly/5IdkDe . HIMSS will be posting a statement tomorrow.

Tags: ARRA, Articles, Blumenthal, CMS, HITECH Act, Meaningful use, News, Privacy & Security

ONC names 17 members of the privacy and security workgroup

Posted on December 11, 2009 by Steve Fox and Vadim Schick

The Office of National Coordinator for Health IT named 17 members of the newly formed privacy and security workgroup of the HIT Policy Committee. According to Government Health IT:

The work group will be co-chaired by Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, and Rachel Block, executive director of the New York eHealth Collaborative and deputy commissioner for health IT transformation at the New York State Department of Health.

Their team will advise the Policy Committee on such matters as how safeguards for the exchange of health information should fit into the “meaningful use” test for health IT incentives that ONC has been working on.

The ONC has previously announced the establishment of a separate workgroup devoted to creation of a national health information network, which, of course, will have to deal with its own set of privacy and security concerns. There is also a privacy and security workgroup under the HIT Standards Committee.

Tags: ARRA, Articles, HIT Policy Committee, HIT Standards Committee, HITECH Act, Meaningful use, News, ONC, ONCHIT, Privacy & Security, Privacy and Security, meaningful use definition, office of national coordinator

In the news: EHR incentives; the rising threat of medical identity theft

Posted on November 30, 2009 by Steve Fox and Vadim Schick

In a letter to Dr. Blumenthal, the Medical Group Management Association (MGMA) urged the ONC to define "meaningful use" in a practical and achievable way. Otherwise, many providers could fail to qualify for the HITECH Act's incentives. The MGMA is recommending, inter alia, instituting a pilot test prior to the start of the program and before each new phase of the program; including only criteria for meaningful use that have widespread industry use or have been tested; permitting physicians to test their reporting systems prior to their “go-live” date; permitting flexibility in achieving meaningful use and avoiding a “pass/fail” approach; developing a simple process for physicians to attest that they have achieved meaningful use; simplifying the data-reporting process and ensuring that the government is ready to accept the data; closely monitoring the industry to ensure that the program logistics operate appropriately; and ensuring government oversight of the vendor community for its ability to produce high-quality and reasonably priced software.

A former Johns Hopkins hospital employee, Michelle Johnson, was sentenced to 18 months in prison and ordered to pay $200,000 in restitution for stealing patient information. According to the Associated Press, Ms. Johnson, formerly a patient services coordinator, "provided a conspirator with names, Social Security numbers and other identifying information of more than 100 current and former patients of Johns Hopkins. That information was used to apply for credit. Johnson kept some of the fraudulently ordered merchandise for herself, including a computer monitor, a cordless phone, and clothes for herself and her children."

Tags: ARRA, Articles, Blumenthal, HITECH Act, MGMA, News, Privacy & Security, electronic health records, electronic medical records, meaningful, meaningful use definition, use

Identity thieves target victims of accidents at a medical center in Nevada

Posted on November 20, 2009 by Steve Fox and Vadim Schick

This article serves as a great reminder about the importance of safeguarding your patients' data, both from thieves outside and, unfortunately, from within the organization. Via Las Vegas Sun:

Private information about accident victims treated at University Medical Center has apparently been leaking for months, the Sun has learned, allegedly so ambulance-chasing attorneys could mine for clients.

Sources say someone at UMC is selling a compilation of the hospital’s daily registration forms for accident patients. This is confidential information — including names, birth dates, Social Security numbers and injuries — that could also be used for identity theft.

Hospital officials knew of rumors of the leaks since the summer, but doubted them until provided evidence Thursday by the Sun. Now they’re scrambling to catch up to a crisis that may affect hundreds, if not thousands, of patients.

The full article is available here.

"UMC has patient privacy leak," Las Vegas Sun (November 20, 2009).

Tags: Articles, HIPAA, News, PHI, Privacy & Security, UMC, data breach

Health Net data breach affects 450,000 people

Posted on November 19, 2009 by Steve Fox and Vadim Schick

Health insurance provider Health Net reported a loss of a portable disk drive (which occurred six months ago). The disk drive contained compressed, though not encrypted, data, including social security and bank account information, on nearly half a million persons.

Connecticut Attorney General Richard Blumenthal was "outraged" the company waited this long to go public about this major data breach:

Health Net’s incomprehensible foot-dragging demonstrates shocking disregard for patients’ financial security, as well as loss of their highly sensitive and confidential personal health information <...> Personal information is like cash and should be guarded with equal care. Casual and cavalier attitudes toward data protection and breaches are intolerable and must stop.

This case provides yet another reminder about the importance of encrypting the sensitive and protected data, including PHI, in your possession.

Tags: Articles, Health Net, News, Privacy & Security, breach, data, data breach

HHS releases interim final regulations on HIPAA enforcement changes

Posted on November 2, 2009 by Steve Fox and Vadim Schick

Pursuant to the HITECH Act, the Department of Health and Human Services (HHS) released interim final regulations updating enforcement rules for violations of HIPAA. As reported in Healthcare IT News:

Prior to the HITECH Act, the penalty could be no more than $100 for each violation or $25,000 for all identical violations of the same provision.

A healthcare provider, health plan or clearinghouse could also bar the secretary's imposition of a civil money penalty by demonstrating that it did not know that it violated the HIPAA rules.

Section 13410(d) of the HITECH Act strengthened the enforcement by establishing tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision. A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery.

The interim final rule with request for comments, published last week, conforms the HIPAA enforcement regulations to the revisions made by the HITECH Act. This rule will become effective on Nov. 30. HHS will consider all comments received by Dec. 29.

You can find the full text of the rule is here.

"HIPAA violators could face fines up to $1.5M," Healthcare IT News (November 2, 2009).

Tags: ARRA, Articles, HHS, HIPAA, HITECH Act, News, Privacy & Security, civil money penalty, enforcement

FTC delays enforcement of the Red Flags Rule till June 2010

Posted on November 2, 2009 by Steve Fox and Vadim Schick

In a fairly predictable move, the Federal Trade Commission delayed enforcement of the Red Flags Rule until June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC. According to the FTC press release, the Commission decided to extend the enforcement deadline at the request of the members of U.S. Congress.

However, in the press release, the FTC reminded us about the progress its staff has made in the last year in providing businesses subject to the Red Flags Rule with sufficient guidance and materials:

The Commission staff has continued to provide guidance to entities within its jurisdiction, both through materials posted on the dedicated Red Flags Rule Web site (www.ftc.gov/redflagsrule), and in speeches and participation in seminars, conferences and other training events to numerous groups. The Commission also published a compliance guide for business, and created a template that enables low risk entities to create an identity theft program with an easy-to-use online form. FTC staff has published numerous general and industry-specific articles, released a video explaining the Rule, and continues to respond to inquiries from the public. To assist further with compliance, FTC staff has worked with a number of trade associations that have chosen to develop model policies or specialized guidance for their members.

You can find the full text of the press release here.

"FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule," FTC Press Release (October 30, 2009).

Tags: Articles, FTC, Flags, News, Privacy & Security, Red, Red Flags Rule, Rule

Doctor and two employees sentenced for HIPAA violations

Posted on October 27, 2009 by Steve Fox and Vadim Schick

On July 20, 2009, Dr. Jay Holland and two hospital employees plead guilty to misdemeanor violations of the health information privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) based on their accessing records of a high-profile patient at the St. Vincent Infirmary Medical Center without any legitimate purpose.

According to the FBI press release, the doctor has been sentenced to a $5,000 fine to be paid in 60 days, and 50 hours of community service educating professionals on HIPAA. The two employees were sentenced to to one-year probation each, and a $2,500 fine for one and a $1,500 fine for another, both payable in installments.

The United States Attorney for the Eastern District of Arkansas stated that:

We hope that today’s sentencings send the message that the HIPAA protections apply to every person in the community, regardless of their position or stature. Likewise, the penalties for violating HIPAA apply equally to every person with access to protected health information.

"Doctor and Two Former Hospital Employees Sentenced for HIPAA Violations," FBI Press Release (October 26, 2009).

Tags: Articles, HIPAA, News, Privacy & Security, criminal, violation

U.S. House: Red Flags Rule does not apply to dentists

Posted on October 23, 2009 by Vadim Schick

In a remarkable 400-0 vote, the U.S. House of Representatives exempted dentists from the requirements of FTC's Red Flags Rule. The measure garnered rare, unambiguously bi-partisan support in Congress:

It is obvious that physicians and dentists are not creditors, and they should not be forced to spend hundreds of dollars to comply with this needless regulation," said dentist/Rep. Mike Simpson (R-Idaho), one of the key sponsors of the bill. "They don't require full payment at the time of service because they first bill the insurance company, then they bill the patient the remainder of the bill. This system should not be treated the same as a loan with a financial institution," said Congressman Simpson.

Rep. John Adler (D-N.J.), the bill's chief sponsor, said the FTC "went too far. During these tough economic times, the federal government should not be placing burdensome regulations on small businesses."

"By passing this fix today, Congress can provide the FTC a clear definition of how Congress intended the policy to be enacted and protect small businesses and their customers from unnecessary government intervention," said Rep. Christopher Lee (R-N.Y.), a cosponsor.

"In my opinion, the manner in which this legislation was crafted, with input from both sides of the aisle, with the FTC and with the various sectors that would be adversely affected if we had not acted, is the model for how this House can work to actually solve the problems facing our country," said Rep. Paul Broun (R-Ga.), a physician who cosponsored the measure.

Tags: ADA, Articles, News, Privacy & Security, Red Flags Rule

New York Times interviews David Blumenthal

Posted on October 21, 2009 by Steve Fox and Vadim Schick

David Pogue, a reporter for the New York Times, posted the transcript of his interview with Dr. David Blumenthal, National Coordinator for Health IT. Mr. Pogue interviewed Dr. Blumenthal for a CBS news report on digitization of healthcare in America (the video is available after the jump).

Here are some highlights from the interview:

On current state of health IT in the US:

We found that about 17 percent of physicians in 2008 had adopted an electronic health record, and about ten percent of hospitals. <...> The rest is paper. It's basically the same system that physicians have used since Hippocrates, which is writing on some piece of paper.

On reimbursement penalties for those failing to achieve meaningful use by 2015:

From 2011 to 2015, there is a bonus. The Congress has put $45 billion on the table to ease physicians and hospitals into this new world of computerized medicine.After 2015, if you have not adopted, and you see Medicare or Medicaid patients, you may experience a penalty. 2015 is six years off. Six years is plenty of time for physicians to get themselves organized to put a record in place and avoid those penalties.

Tags: 2012, 2015, ARRA, Articles, Blumenthal, EHR, EHRs, EMR, EMRs, HITECH, HITECH Act, News, Privacy & Security, electronic health records, incentive payments, privacy, reimbursements, security

Massive Data Loss Affects Nearly Every Doctor in America

Posted on October 20, 2009 by Steve Fox and Vadim Schick

Major losses or breaches of personal information are not just for patients anymore: The Chicago Tribune reports that the Blue Cross Blue Shield Association lost sensitive personal information, including, in some cases, social security numbers, of about 800,000 physicians -- nearly all the doctors in the United States. As expected, this data loss came from a stolen laptop. According to the Tribune:

The Chicago-based Blue Cross and Blue Shield Association, a trade group for the nation's Blue Cross health insurance plans, confirmed an employee "broke protocol and transferred to a personal laptop" information that was later stolen in late August.

No patient information was on the database, so concern by consumers having personal health records breached is unwarranted, the association said. And doctors have not reported security breaches.

About 16 to 20 percent of the doctors listed in the database have their Social Security numbers as their medical-care provider identification, putting these health professionals at risk for identity theft.

Despite receiving no reports of identity theft, Blue Cross Blue Shield Association is offering credit monitoring services to those providers whose Social Security numbers were exposed.

"Blue Cross warns doctors about stolen identification data," The Chicago Tribute (October 14, 2009).

Tags: Articles, BCBSA, Blue Cross Blue Shield, Blue Cross Blue Shield Association, News, Privacy & Security, data breach, data loss

In the news: Blumenthal on "meaningful use," new health information management jobs, etc.

Posted on October 12, 2009 by Steve Fox and Vadim Schick

Dr. David Blumenthal, the National Coordinator for Health IT, gave an update on the Obama Administration's efforts to define "meaningful use" and to further adoption of EHRs nationwide. Blumenthal did not reveal any new details regarding the upcoming regulations on meaningful use, reminding his audience of the upcoming "notice of proposed rulemaking in late 2009 with a public comment period in early 2010."

Meanwhile, according to Government HealthIT, the next meeting of the HIT Policy Committee, which will meet on October 27 and 28, will focus on how to map meaningful use objectives to medical specialties as well as small practices and hospitals.

Speaking at the 81st annual American Health Information Management Association convention in Grapevine, Texas, Dr. Blumenthal stated that he expects 50,000 health information management (HIM) jobs to be created as the U.S. moves from the paper-based to the digital system of healthcare. AHIMA's CEO, Linda Kloss, noted that the interest in HIM careers has "exploded" during the last year.

Much more news after the jump.

Tags: ARRA, Articles, Blumenthal, EHR, HIE, HITECH Act, Meaningful use, News, Privacy & Security, e-payment, e-prescribing, health information exchange, meaningful use definition

A note of caution about vendor guarantees on "meaningful use"

Posted on October 5, 2009 by Steve Fox and Vadim Schick

According to Modern Healthcare, several HIT vendors, including GE Healthcare, NextGen Healthcare Information Systems, and Athenahealth, will guarantee that their EHR products will meet or "evolve to meet" the federal requirements for "meaningful use," even though such requirements have not been promulgated yet by CMS. In fact,

Athenahealth recently upped the ante by guaranteeing that, not only will the company's AthenaClinicals Internet-based electronic health-record service meet federal standards, but the doctors who use it will receive a bonus payment for the 2011 program year under the terms of the [HITECH Act].

The HITECH Act provides for a first-year incentive payment of $18,000 for those eligible professionals who achieve meaningful use of certified EHR technology in 2011 or 2012, instead of a first-year payment of $15,000 thereafter.

Some vendors hope that such guarantees will spur activity in the market, persuading some reluctant healthcare providers not to wait until CMS issues its final "meaningful use" regulations next year. There is also some doubt whether such guarantees apply to each vendor's existing customers or solely to new customers.

However, whenever a healthcare organization enters into an EMR purchase or license agreement, it must obtain strong warranties from the vendor that its product(s) and system will meet the applicable federal requirement standards at time of issuance of such standards, as well as for duration of the applicable license. "Meaningful use" requirements will likely change over the life of a license, and a vendor's obligation to meet such evolving standards is absolutely essential. Healthcare providers must also include proper remedies and appropriate carve-outs from vendor's limitation of liability for a vendor's breach of such warranties.

Tags: ARRA, Articles, EHR, EMR, HITECH, HITECH Act, News, Privacy & Security, guarantee, incentive payments, meaingful use, warranties, warranty

HIT Standards Committee endorses privacy and security standards

Posted on September 21, 2009 by Steve Fox and Vadim Schick

On September 15, 2009, the HIT Standards Committee endorsed a set of privacy and security standards for electronic health record systems.
These standards will be recommended to Dr. David Blumenthal, the National Coordinator for Health Information Technology, as a basis for establishing the privacy and security criteria for, inter alia, "certified EHR technology" as defined under the HITECH Act. Eligible healthcare providers must meet the criteria for "meaningful use" of "certified EHR technology" in order to qualify for significant incentives available under the HITECH Act.

The committee’s Privacy and Security Workgroup included access control, authentication, authorization and transmission of health data among the requirements that electronic health record systems must include by 2011 in order to meet the definition of "certified EHR technology." Specifically for 2011, the Standards Committee approved the Workgroup's recommendation to require certified products to provide the capabilities necessary to support the HIPAA and ARRA security and privacy requirements and best practices for “meaningful use.” The endorsed privacy and security standards will become more rigorous in 2013 and 2015.

You can find the spreadsheet of endorsed privacy and security standards here.

You can also view the presentation from the Workgroup here.

"Federal panel okays EHR security, privacy standards," Government Health IT (September 15, 2009).

Tags: ARRA, Articles, HIPAA, HIT, HIT Standards Committee, HITECH, HITECH Act, News, Privacy & Security, Privacy and Security, incentive, incentive payments, privacy, security

Regional Extension Program: Important Updates and Links from HHS

Posted on September 3, 2009 by Steve Fox and Vadim Schick

Via HHS e-mail update:

The Office of the National Coordinator for Health Information Technology (ONC) is pleased to announce the availability of materials that are of immediate interest and use to stakeholders and potential applicants for the Health Information Technology Extension Program: Regional Centers Cooperative Agreement Program, and that are new or updated since the August 27, 2009 technical assistance telephone and web conference.

REVISED – Preliminary Application Template (Attachment I to the Funding Opportunity Announcement): As discussed on the August 27th technical assistance public conference, the suggested template for applicants’ use in compiling and presenting the information required for the Preliminary Application has been updated to include the complete requirements established in the funding opportunity announcement and is now available from www.grants.gov and the Extension Program section of ONC’s website at http://healthit.hhs.gov/extensionprogram.

NEW – A complete transcript of the August 27th technical assistance conference is available for download from the Extension Program section of ONC’s website. Please visit http://healthit.hhs.gov/extensionprogram to access detailed information about the conference, including the transcript and the presentation slides used during the call.

NEW/REVISED – Program-specific Frequently Asked Questions (FAQs) are now available on the Extension Program section of ONC’s website. New FAQs are posted frequently, so potential applicants and other interested parties are encouraged to visit often. Please visit http://healthit.hhs.gov/extensionprogram then scroll down and click on “Frequently Asked Questions”.

On the HIT Extension Program site, you can find the Funding Opportunity Announcement / Application Instructions document, as well as a large FAQ section and the "Facts-At-A-Glance" summary.

You can find the August 27th, 2009 presentation (PPT) here, and the transcript of that same presentation here.

"Health Information Technology Extension Program: Regional Centers Cooperative Agreement Program Update," HHS e-mail update (September 3, 2009).

Tags: ARRA, ARRA funding, ARRA grant application, ARRA grants, HHS, HITECH Act, Meaningful use, News, ONC, Privacy & Security, Regional Extension Program, Regional Extension center, Regional Extension center grant, Regional Extension centers, extension program application, funding opportunity, grant, office of national coordinator, regional extension center grant application

HHS News: Interim Final Regulations on Breach Notification; Regional Office Privacy Advisors

Posted on August 20, 2009 by Steve Fox and Vadim Schick

On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published the interim final regulations regarding breach notification requirements for health care providers and other entities covered by HIPAA.

According to the HHS press release:

The regulations, developed by the HHS Office for Civil Rights (OCR), require health care providers and other HIPAA covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.

You can find the text of the regulation here.

Stay tuned for more analysis of this important set of regulations on this blog. The interim final regulations are effective 30 days after publication in the Federal Register and include a 60-day public comment period.

Tags: ARRA, Articles, HHS, HIPAA, HIPAA Privacy Rule, HIPAA Security Rule, HITECH, HITECH Act, News, Privacy & Security, Recovery Act, breach, breach notification, breach notification requirements, privacy

Government Health IT: CCHIT to serve temporarily as sole EHR certifier

Posted on August 18, 2009 by Steve Fox and Vadim Schick

Via Government Health IT:

The federal Health IT Policy Committee today endorsed recommendations that would leave the Certification Commission for Health IT in the short term as the sole organization authorized to certify health IT systems that qualified for funding under the economic stimulus plan. More certifying organizations would be added later.

Certification of electronic health record systems that met federal criteria for “meaningful use” of health IT could start as early as October, members of the Department of Health and Human Services’ Health IT Policy Committee said at the August 14th meeting.

Under the plan, CCHIT would provide a preliminary stamp of approval that health IT systems were HHS-qualified or certified until a final meaningful use regulation is published at the end of the year, said Marc Probst, chief information office of Intermountain Healthcare and co-chairman of the Committee’s certification work group.

Preliminary certification is meant to give providers and vendors enough certainty to proceed with planning, designing and purchasing systems in 2010. The HHS certification-qualification would mean that a provider purchasing the systems would be eligible for Medicare and Medicaid incentive payments under the stimulus law beginning in 2011.

"CCHIT will be sole health IT certifier, for now," Government Health IT (August 14, 2009).

Tags: ARRA, Articles, CCHIT, Certified EHR, EHR, HHS, HIT, HITECH, HITECH Act, Meaningful use, News, Privacy & Security

FTC Issues Final Breach Notification Rule for Electronic Health Information

Posted on August 17, 2009 by Steve Fox and Vadim Schick

Pursuant to the American Recovery and Reinvestment Act of 2009 (ARRA), the Federal Trade Commission (FTC) issued the final rule regarding notification requirements for breaches of electronic health information by vendors of personal health records and certain affiliated entities:

The rule applies to both vendors of personal health records – which provide online repositories that people can use to keep track of their health information – and entities that offer third-party applications for personal health records. These applications could include, for example, devices such as blood pressure cuffs or pedometers whose readings consumers can upload into their personal health records. Consumers may benefit by using these innovations, but only if they are confident that their health information is secure and confidential.

<...>

The Final Rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers. The Final Rule also specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media. Entities covered by the rule must notify the FTC, and they may use a standard form, which can be found along with additional information about the rule at www.ftc.gov/healthbreach.

You can find the full text of the rule here.

"FTC Issues Final Breach Notification Rule for Electronic Health Information," FTC Press Release (August 17, 2009).

Tags: ARRA, Articles, FTC, HITECH Act, News, PHR, Privacy & Security, breach, breach notification, breach notification requirements, electronic, health, information, notification, personal, privacy, record, security

New York Times reports on privacy concerns about use of de-identified health information

Posted on August 10, 2009 by Steve Fox and Vadim Schick

The New York Times reported on Americans' growing concern regarding commercial use of their personal health information, especially the use of re-identified prescription drugs information for marketing purposes.

The article points out correctly that the Recovery Act of 2009 (ARRA) included a few key changes to the present privacy regime, which would make it more difficult for pharmacies and data mining companies to use patient information for marketing or fundraising purposes. While the new law (and the upcoming applicable HHS regulations sanctioned by ARRA) will close a few loopholes in the current medical privacy regime, data mining companies like IMS Health and Verispan do not seem to be overly worried about these new developments:

The law won’t shut down the medical data mining industry, but there will be more restrictions on using private information without patients’ consent and penalties for civil violations will be increased. Government agencies are still writing new regulations called for in the law. <...>

IMS Health reported operating revenue of $1.05 billion in the first half of 2009, down 10.6 percent from the period a year earlier. [An IMS representative] said he did not expect growing awareness of privacy issues to affect the business.

Tags: ARRA, EHR, EHRs, Google, GoogleHealth, HIPAA, HITECH, HITECH Act, News, PHR, PHRs, Privacy & Security, privacy

Sebelius shifts responsibility for HIPAA Security Rule enforcement to OCR

Posted on August 4, 2009 by Steve Fox and Vadim Schick

HHS Secretary Kathleen Sebelius has delegated the responsibility for administration and enforcement of the HIPAA Security Rule to the Office of Civil Rights, a division of HHS. Previously, Centers for Medicare and Medicaid Services (CMS), another HHS division, was responsible for Security Rule administration, while OCR was tasked with administering and enforcing the HIPAA Privacy Rule. Effective immediately, OCR is responsible for administering both Security Rule and Privacy Rule, as well as all HIT privacy and security related provisions in the HITECH Act.

According to HHS, this move "will eliminate duplication and increase efficiencies in how the department ensures that Americans’ health information privacy is protected." This transfer of authority is not meant to create any disruption of current procedures. Consumers may continue to submit HIPAA security complaints using the on-line resource – the Administrative Simplification Enforcement Tool (ASET) -- which can be accessed here. New security complaints may also be sent to the Office for Civil Rights.

You can find the Federal Register notice here.

"HHS Delegates Authority for the HIPAA Security Rule to Office for Civil Rights," HHS Press Release (August 3, 2009).

Tags: ARRA, CMS, HIPAA, HIPAA Privacy Rule, HIPAA Security Rule, HITECH Act, News, OCR, Privacy & Security, Sebelius, delegate

Breaking News: FTC Delays Enforcement of the Red Flags Rule Again, Until November 1, 2009

Posted on July 29, 2009 by Steve Fox and Vadim Schick

From the FTC:

To assist small businesses and other entities, the Federal Trade Commission staff will redouble its efforts to educate them about compliance with the "Red Flags" Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply. To give creditors and financial institutions more time to review this guidance and develop and implement written Identity Theft Prevention Programs, the FTC will further delay enforcement of the Rule until November 1, 2009.

<...>

Although many covered entities have already developed and implemented appropriate, risk-based programs, some – particularly small businesses and entities with a low risk of identity theft – remain uncertain about their obligations. The additional compliance guidance that the Commission will make available shortly is designed to help them. Among other things, Commission staff will create a special link for small and low-risk entities on the Red Flags Rule Web site with materials that provide guidance and direction regarding the Rule. The Commission has already posted FAQs that address how the FTC intends to enforce the Rule and other topics – www.ftc.gov/bcp/edu/microsites/redflagsrule/faqs.shtm. The enforcement FAQ states that Commission staff would be unlikely to recommend bringing a law enforcement action if entities know their customers or clients individually, or if they perform services in or around their customers’ homes, or if they operate in sectors where identity theft is rare and they have not themselves been the target of identity theft.

You can read the full press release here.

Tags: Articles, FTC, News, Privacy & Security, Red Flags Rule, delay, enforcement, red flag, red flag rules

LA Times reminds providers that patients are entitled to copies of their medical records

Posted on July 27, 2009 by Steve Fox and Vadim Schick

The Los Angeles Times reported on a story of a patient trying to obtain a copy of her blood tests from her doctor's office. The office wanted to charge the patient $25 to retrieve the test results and send them to her via first-class mail (refusing to fax such results to her for free).

Under both HIPAA and California privacy laws, however, the patient was entitled to such records with only minimum administrative charges:

Most providers are required to follow both HIPAA and the California law, deferring to whichever offers greater consumer protection in cases where the laws differ. As a result, [this patient's] doctor had no legal basis for charging the $25 administrative fee for her lab results.

Under California law, healthcare providers are allowed to charge a fee for the cost of copying a patient's medical record and for the postage to mail it. But the cost cannot exceed 25 cents per page for photocopies and 50 cents per page for microfilm.

The law in California also permits doctors to charge a "retrieval fee" for locating patient records and for making them available. But HIPAA does not allow it. Because HIPAA offers consumers greater protection than California law in this area, doctors in the state cannot charge patients fees beyond those allowed for photocopying.

Tags: Articles, HIPAA, News, Privacy & Security, copies, costs, test results

Some doctors seek to prevent patients from reviewing their services online

Posted on July 27, 2009 by Steve Fox and Vadim Schick

With the number and popularity of consumer review sites, such as Yelp.com and Angie's List, growing steadily, doctors are beginning to find themselves subjects of online reviews more and more frequently. In fact, certain web sites, like RateMD.com, are dedicated specifically to rating physicians.

The Washington Post reported recently on doctors seeking patients to sign contractual forms, commonly known as "gag orders", which may obligate patients not to comment or review their experiences at the doctor's office "without prior written consent" of the physician. The Post explored the positions of both the advocates and opponents of gag orders.

Unsurprisingly, many doctors are vehemently opposed to the idea of being reviewed online (some cite difficulty in capturing quality of care and outcomes, rather than concentrating on the "ambience" of care, as the primary reason). Some physicians go a step further and ask patients to sign contractual forms promising not to comment or review their services. The Post notes that it is not clear whether gag orders are legally enforceable or even ethical.

Tags: Articles, News, Privacy & Security, doctors, gag orders, online, online review, patients, reviews

Study finds dramatic increase in operational HIEs

Posted on July 22, 2009 by Steve Fox and Vadim Schick

eHealth Initiative, an affiliation of organizations devoted to improving the quality, safety and efficiency of healthcare through information technology, released its 2009 survey on Health Information Exchange (HIE), titled "Migrating Toward Meaningful Use: The State of Health Information Exchange."

The survey found many positive trends in the expansion of HIE's in the United States, including:

the number of operational HIE initiatives (e.g., exchanges transmitting live data among stakeholders) has increased by nearly 40% since 2008;
positive impact on physician practices by improving efficiency without disrupting care (e.g., quicker access to test results, reduced staff time spent searching for results and performing other administrative functions);
reduction in costs associated with, inter alia, reduced staff time spent on searching for test results and performing other clerical functions, as well as reduction in duplicate tests and medical errors; and
steadily growing number of initiatives are exchanging data, with almost universal increases in the type of data exchanged.

The survey also found that "initiatives identified 'addressing privacy and confidentiality issues' as the most pressing challenge they face, surpassing 'developing a sustainable business model'."

eHealth Initiative's press release, which includes a more detailed summary of the survey, can be found here.

"Migrating Toward Meaningful Use: The State of Health Information Exchange," eHealth Initiative Study (July 22, 2009).

Tags: ARRA, Articles, HIE, HIE initiative, News, Privacy & Security, ROI, costs, eHealth Initiative, health information exchange, initiative, reducing cost

Healthcare providers must become aware of and comply with PCI DSS

Posted on June 22, 2009 by Steve Fox and Vadim Schick

Healthcare providers are generally familiar with and are used to the complex network of state and federal data privacy protection laws (e.g., HIPAA and HIPAA Privacy and Security regulations). However, most providers may not be aware of another set of data security standards, the Payment Card Industry Data Security Standards (PCI DSS), imposed by a non-governmental, private organization representing the credit card industry.

Contrary to popular belief, PCI standards apply to any processor of credit cards, regardless of volume of credit card transactions. (However, PCI DSS differ based on each organization's transactions volume.) In other words, if your healthcare enterprise or practice accepts credit cards as payment for services (which virtually all practices do), your organization is subject to PCI DSS.

SC Magazine's recent contribution from Jim Lacy, CFO of healthcare IT company ZirMed, provides an excellent reminder for all healthcare providers accepting credit cards to take note of PCI DSS and begin the process of compliance with such standards.

A few lessons from Jim Lacy's piece and more after the jump.

Tags: Articles, PCI, PCI DSS, PCSA, Privacy & Security, breach, data, security

New York Times reports on the growing threat of medical identity theft

Posted on June 12, 2009 by Steve Fox and Vadim Schick

The New York Times reported today on the growing threat posed to patients and consumers by medical identity theft. The article rightfully notes that this threat may only become more prominent with the widespread adoption of electronic health records technology championed by the Obama Administration.

According to the Times, over 250,000 Americans are victims of medical identity theft each year, and this number does not include those who are not yet aware that they are victims of such identity theft. The article profiled one case of medical identity theft, that of Brandon Sharp, a 37-year-old manager at an oil and gas company in Houston:

In Mr. Sharp’s case, someone got hold of his name and Social Security number and used them to receive emergency medical services, which many hospitals are obliged to provide whether or not a person has insurance. Mr. Sharp still does not know whether he fell victim to one calamitous perp who ended up in several emergency rooms or a ring of accident-prone conspirators.

Tags: Articles, HITECH, News, Privacy & Security, identity, medical, privacy, security, theft

Sears settles FTC claims regarding its online tracking software

Posted on June 10, 2009 by Steve Fox and Vadim Schick

On June 4, 2009, Sears Holdings Corporation (Sears) settled its dispute with the Federal Trade Commission (FTC) regarding Sears's controversial online tracking software. Sears paid its customers $10 to join "My SHC community" and download software which would track participants' online behavior. However, FTC alleged that Sears did not adequately disclose the enormous scope of information Sears collected on the participants:

<...> Sears represented to consumers that the software would track their “online browsing.” The FTC charges that the software would also monitor consumers’ online secure sessions – including sessions on third parties’ Web sites – and collect information transmitted in those sessions, such as the contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for web-based e-mails. The software would also track some computer activities that were not related to the Internet.

Sears did disclose the full extent of what information it would monitor, but only "in a lengthy user license agreement, available to consumers at the end of a multi-step registration process", which the FTC deemed to be inadequate.

Under the settlement, Sears is required to destroy the data collected under this program, and to "clearly and prominently disclose the types of data the software will monitor, record, or transmit" if Sears advertises or disseminates any tracking software in the future. The FTC also required Sears to make such disclosure prior to installation of the software and separate from any user license agreement; and disclose whether any of the data will be used by a third party.

"Sears Settles FTC Charges Regarding Tracking Software", FTC press release (June 4, 2009).
"Sears settles with FTC in privacy flap", Reuters (June 4, 2009).

Tags: Articles, FTC, News, Privacy & Security, data, privacy, security

California fines Kaiser hospital $250,000 for violations of patient privacy

Posted on May 15, 2009 by Steve Fox and Vadim Schick

As we mentioned earlier, Kaiser Permanente fired fifteen employees (and disciplined eight additional employees) for looking at the medical records of Nadya Suleman, the mother of octuplets commonly referred to as "Octomom."

On May 14, 2009, California authorities fined Bellflower Hospital, the Kaiser facility where Ms. Suleman was treated, $250,000, the maximum allowed under California's new patient privacy law. The law allows the California Department of Public Health to impose fines against healthcare facilities of up to $25,000 per patient for the first violation and $17,500 for each additional violation, up to $250,000.

While the spokesperson for Kaiser argued that the healthcare provider "took numerous steps to prevent" violations of Ms. Suleman's privacy, state officials maintain that such steps were insufficient:

The steps Kaiser took to protect Suleman's privacy were not aggressive enough, Billingsley and other state health officials said.

"It's the hospital's job to prevent these breaches from occurring, not just crack down after the fact," said Kim Belshé, secretary of California's Health and Human Services.

Governor Schwarznegger supported this development: "The fine issued today should be a reminder that there are consequences for violations of medical privacy."

"Kaiser hospital fined $250,000 for privacy breach in octuplet case", Los Angeles Times (May 15, 2009).

Tags: Articles, California, News, Privacy & Security, privacy

Breaking News: FTC Delays Enforcement of the Red Flags Rule Until August 1, 2009

Posted on May 1, 2009 by Steve Fox and Vadim Schick

From the FTC:

The Federal Trade Commission will delay enforcement of the new “Red Flags Rule” until August 1, 2009, to give creditors and financial institutions more time to develop and implement written identity theft prevention programs. For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law. Today’s announcement does not affect other federal agencies’ enforcement of the original November 1, 2008 compliance deadline for institutions subject to their oversight.

“Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further,” FTC Chairman Jon Leibowitz said.

You can read the full press release here.

Tags: Articles, FTC, Flags, News, Privacy & Security, Red, Rule

In the news: Personal Health Records edition

Posted on April 28, 2009 by Steve Fox and Vadim Schick

The Federal Trade Commission (FTC) issued interim regulations regarding breach notification requirements for PHR vendors, as mandated by the American Recovery and Reinvestment Act of 2009. According to the FTC press release, aside from breach notification, the proposed rule also:

stipulates that if a service provider to one of these [PHR vendor] entities experiences a breach, it must notify the entity, which in turn must notify consumers of the breach. The proposed rule contains additional requirements governing the standard for what triggers the notice, as well as the timing, method, and content of notice. It also requires entities covered by the proposed rule to notify the FTC of any breaches. The FTC can then post information about the breaches on its Web site, and notify the Secretary of Health and Human Services.

The full notice can be found here.

Mayo Clinic, in collaboration with Microsoft, launched its new personal health record (PHR) site on Tuesday April 21, 2009. The Mayo Clinic Health Manager uses Microsoft's HealthVault system to store medical histories, test results, immunization files and other records from doctors' offices and hospital visits, along with data from home devices like heart rate monitors. Anyone, not just Mayo Clinic patients, can open an account online; users can grant limited access to doctors, family members, and others to view the information contained in their PHR. It would be very interesting to learn if the Mayo Clinic required Microsoft to sign a Business Associate Agreement, or if Microsoft would publicly acknowledge that their PHR product is subject to certain privacy and security rules under HIPAA. ("Mayo Clinic backs new personal health record site", USA Today, April 21, 2009.)

Tags: ARRA, Articles, Clinic, Google, HealthVault, Mayo, Microsoft, News, PHR, Personal health records, Privacy & Security, health

Steve Fox on the new PHR privacy rules

Posted on April 27, 2009 by Vadim Schick

Bob Brewin of NextGov interviewed Steve Fox regarding the new privacy rules for vendors of personal health records (PHRs), and the applicability of such rules not only to PHR vendors such as Google and Microsoft, but also to the less obvious "related entities", a group so broad it may include an iPhone app:

Steven Fox, a lawyer with Post & Schell in Washington who co-chairs the firm's data protection group, agreed that the rules cover Google and Microsoft but said he wished FTC had specifically identified the two companies in the proposed rules.

The rules cover about 200 vendors of personal health record systems and 500 "related entities, which include online medication or weight tracking programs, and 200 third-party providers that offer billing and data services.

The related entities category could include low-cost iPhone applications that would have to comply with the potentially costly breach notification process, Dixon said. An online guide lists "100 Fabulous iPhone Apps for Your Health and Fitness," and Fox said these applications would be covered by the breach notification rules if they exchange information with personal health records.

("Proposed breach notification rule would affect more health vendors", NextGov, April 16, 2009.)

Tags: ARRA, Articles, FTC, Google, HealthVault, Microsoft, News, PHR, Privacy & Security, health

$50,000 Laptops: Average cost to employers in case of breach

Posted on April 23, 2009 by Steve Fox and Vadim Schick

A new study of 138 laptop-loss cases suffered over a recent 12-month period by 29 organizations, found that, on average, each lost or stolen laptop cost the employer $49,246. About 80% of the amount, or about $39,000 per laptop, are costs associated with data breaches, i.e., loss of personal data stored on the lost or stolen laptop. Significantly, the study found that:

The faster the company learns that a laptop is lost, the lower the average cost ... If a company discovers the loss in the same day, the average cost is $8,950. If it takes more than one week, the average cost rises significantly to approximately $115,849.

The study didn't endorse any particular brand of notebook protection gear, but noted that encryption on average can reduce the cost of a lost laptop by more than $20,000. (It is important to point out here that most data protection laws (both state and federal) exclude loss of encrypted or secured information from their definition of "breach.")

The study was conducted by the Michigan-based Ponemon Institute and commission by Intel.

("Typical lost or stolen laptop costs companies nearly $50,000, study finds", MercuryNews.com, April 22, 2009.)

Tags: Articles, News, Privacy & Security, breach, data, laptop

This just in: New HHS guidance about securing protected information

Posted on April 17, 2009 by Steve Fox and Vadim Schick

From HHS:

On April 17, 2009, HHS issued guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of American Recovery and Reinvestment Act of 2009 (ARRA). This guidance was developed through a joint effort by OCR, the Office of the National Coordinator for Health Information Technology (ONC), and the Centers for Medicare and Medicaid Services (CMS).

This guidance relates to two forthcoming breach notification regulations – one to be issued by HHS for covered entities and their business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Sec. 13402 of HITECH) and one to be issued by the Federal Trade Commission (FTC) for vendors of personal health records and other non-HIPAA covered entities (Sec. 13407 of HITECH). HITECH requires these regulations to be published within 180 days of enactment. If the entities subject to the regulations apply the technologies and methodologies specified in the guidance to secure information, they will not be required to provide the notifications required by the regulations in the event the information is breached.

The Guidance can be viewed (in PDF) here.

Tags: ARRA, Act, Articles, HIPAA, HITECH, News, Privacy & Security, breach, notification

In the news: CVS and Google; Connect Open Source Software; and more

Posted on April 8, 2009 by Steve Fox and Vadim Schick

CVS pharmacy customers now have the ability to download their prescription and medication histories to Google Health accounts after CVS and Google expanded their partnership. Patients at CVS' walk-in MinuteClinics are also able to add summaries of their visits to their Google Health accounts. It would be interesting to find out if CVS and Google ever executed a Business Associate Agreement. After the enactment of the HITECH Act, Google famously maintained that its personal health records product is not a subject to the new legislation and certain privacy and security provisions under HIPAA. ("CVS-Google Health pact now includes drugstores", AP, April 6, 2009.)
The federal government released Connect, and open source software which allows public and private entities to share health information via the National Health Information Network. The source code is free to download (the code and its documentation are available here), but organizations choosing to acquire and use this product will be responsible for costs associated with the installation and maintenance of Connect. The Social Security Administration, Department of Defense, Veterans Affairs, and the CDC are among the many government agencies using this software for health information exchange already. ("NHIN software released to open-source community", Government Health IT, April 7, 2009.)

Tags: Articles, Google, HIPAA, HITECH Act, Microsoft, News, PHR, Privacy & Security, Vault, health, personal, privacy, record, security

Free Webinar on Data Privacy: April 7, 2009 at 10AM ET

Posted on April 3, 2009 by Steven J. Fox

Post & Schell is presenting a webinar featuring Vadim Schick and Peter Hardy, who will discuss the practical and legal issues created by the new and upcoming changes in the data privacy protection regime. Topics will include:

The Identity Theft Prevention Programs required by the Red Flags Rule
New data breach requirements imposed by HIPAA
Pending federal data privacy legislation that mirrors existing state laws
What steps to take now to be prepared
Why preparing now will save you money and grief later

You can view this presentation at your desk. There is no charge or limit to the number of people who can listen to the presentation on the same line. Click the following link to register for the GoToWebinar presentation: register now. After registering, you will receive log-in information for the April 7th webinar by e-mail.

Also, some of the issues discussed above, including compliance with the Red Flag Rules and HIPAA Privacy and Security Rules, are discussed in a new article by Peter and Vadim, "Preventing Data Breaches: HIPAA Compliance and the Red Flag Rules," published in the April 2009 edition of Compliance Today, and accessible via this link.

Tags: ARRA, Articles, HITECH Act, News, Privacy & Security

Risk Prevention/Management Advice to Hospitals Regarding Document-Sharing Technology

Posted on April 1, 2009 by Steve Fox and Vadim Schick

Hospitals, multi-hospital systems, and integrated healthcare delivery systems are increasingly utilizing data-sharing technology to communicate with, and share documents among, their officers and directors.

For example, some healthcare business enterprises use online services to upload documents to a “secure” Internet web site for Board members’ review prior to Board meetings, in lieu of sending out such documents via e-mail or in paper form. Healthcare business enterprises using such services need to be aware of many potential security and privacy risks inherent in transmitting, uploading and storing sensitive, confidential or even proprietary information via the Internet.

Tags: ARRA, Articles, Privacy & Security, data-sharing, information, privacy, secure, security, unsecured

Update: Healthcare Informatics Interviews Steve Fox and Ed Shay about the HITECH Act, Parts III and IV

Posted on March 31, 2009 by Vadim Schick

Healthcare Informatics Editor-in-Chief Anthony Guerra recently talked with our own Steve Fox and fellow Post & Schell partner Edward Shay about the substance of the HITECH Act and what this new legislation means for healthcare providers. The interview appears under the "Online Exclusives" section of the Healthcare Informatics Web site.

Healthcare Informatics recently published Part III and Part IV of the interview on its Web site.

Tags: ARRA, Act, Articles, EHR, HIPAA, HITECH, HITECH Act, News, PHR, Privacy & Security, meaningful, use

In the news

Posted on March 16, 2009 by Steve Fox and Vadim Schick

Kaiser Permanente and IBM inked a $500 million, seven-year IT services deal. IBM will manage Kaiser's data center operations, storage and software, but IBM will not have access to patients' medical records. AP, San Francisco Chronicle (March 17, 2009).
A new study expects that as much as three-quarters of prescribers will use e-prescribing by 2014 because of the incentives for adoption of e-prescribing technology included in the HITECH Act (though only about 15% of current prescribers use e-prescribing). This could result in a massive $22 billion reduction in drug and medical costs. Government Health IT (March 17, 2009).
Wal-Mart is bringing its "high-volume, low-cost" approach to the medical records industry. Wal-Mart's Sam's Club division will produce a package that will include hardware from Dell, software from eClinicalWorks, as well as installation, maintenance and training services. According to the New York Times (March 11, 2009), the "Sam’s Club offering, to be made available this spring, will be under $25,000 for the first physician in a practice, and about $10,000 for each additional doctor. After the installation and training, continuing annual costs for maintenance and support will be $4,000 to $6,500 a year, the company estimates." This development has huge implications for the EHR market, and may actually aid the widespread adoption of EHR technology. Healthcare IT News (March 11, 2009) also covered this story.

More news after the jump.

Tags: ARRA, EHR, Higher Ed, IBM, Kaiser, News, Privacy & Security, Wal-Mart, academia, breach, data, e-prescribing, universities

UPDATED: ARRA Includes Major Changes to Healthcare Privacy Law

Posted on March 13, 2009 by Steve Fox and Vadim Schick

The HITECH Act includes a number of provisions regarding confidentiality, privacy and security of protected health information, which significantly affect both the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HIPAA Privacy and Security Rules. The Act provides for different enforcement dates for nearly each of the provisions, but some of them already gone into effect upon ARRA’s enactment on February 17, 2009. Furthermore, the Act mandates the HHS Secretary to promulgate regulations regarding various privacy and security provisions, thereby delaying enforcement until the completion of the rule-making process. Consequently, there is still much uncertainty regarding the new privacy and security regime, as established by this Act.
Some of the most significant changes include:

New breach notification requirements for covered entities. The Act requires covered entities to notify individuals in writing if their protected health information (PHI) is disclosed, lost or otherwise compromised. The notices must be given within sixty (60) days of discovering the breach; if the breach involves 500 or more individuals, the covered entity must also inform HHS and “prominent media outlets serving a state or a jurisdiction.” There are also “temporary” breach notification requirements for commercial personal health record vendors, such as Google Health, Microsoft Vault and Revolution Health; however, Google Health has claimed that the Act’s provisions do not apply to Google. We will have to await the final regulations to see if they remove any ambiguity in this area.
Business Associates are now subject to HIPAA. Third-party administrators, health information technology vendors, benefit providers and consultants are now directly subject to certain specified HIPAA privacy and security rules and regulations. (Please note that this change in particular may require a review of existing Business Associate Agreements as well as revision of any new BAA's entered into.)

MORE after the jump.

Tags: Accounting, Business Associates, Covered Entities, HIPAA, HITECH, HITECH Act, Marketing, Privacy & Security, business associates as covered entities