Privacy & Security : Health IT Law Blog

Nemours reports breach affecting 1.6 million individuals

Posted on October 19, 2011 by Steve Fox and Vadim Schick

Nemours, a children's health system with hospitals in Pennsylvania, Delaware, Florida and New Jersey, reported a massive breach affecting 1.6 million people, including patients, employees, and vendors. Via Health Data Management:

'On September 8, 2011, we learned that a locked tape storage cabinet containing computer backup tapes was missing,' the delivery system said in a notice to patients. 'We immediately began an investigation and now believe the cabinet was removed from our Wilmington facility on or about August 10, 2011, during a remodeling project. To date, we have been unable to locate the storage cabinet. We believe the cabinet contained three unencrypted backup tapes from a computer system we stopped using in 2004. No medical records were on the backup tapes, but they did contain patient billing information, including name, date of birth, insurance information, medical treatment information, and Social Security number.' Some employee payroll data and vendor information, such as direct deposit bank account information, also was on the tapes.

Nemours began encrypting its back up data tapes and moved its rarely-used tapes to a more secure off-site facility. The health system is offering a year's worth of credit-monitoring to affected individuals, which considering the numbers involved in this breach, could be a massive, seven-figure expense.

"Nemours Notifying 1.6 Million Individuals About Breach," Health Data Management (October 18, 2011).

Tags: Articles, HIPAA, News, PHI, Privacy & Security, breach, breach notification, credit, data, monitoring

Major data breach at Stanford Hospital

Posted on September 12, 2011 by Steve Fox and Vadim Schick

A spreadsheet containing personal data of 20,000 emergency room patients of Stanford Hospital appeared on Student of Fortune, a Web site which "crowdsources" homework to other students online. The lost data included names, admission dates, diagnoses and other sensitive information. According to the New York Times, the spreadsheet was uploaded to this site by a billings contractor of Stanford Hospital, when an employee tried to solicit help on how to create a graph from the data in the spreadsheet. As Gawker reasonably speculated, a contractor's employee probably did not know how to create a graph and "so uploaded it to the homework helper website and offered, probably, a buck or two if someone could do it for them."

This breach stands out among the hundreds of others not because of its size (significantly larger breaches have been reported to HHS in the last year alone), but because this breach went undetected for almost a year and because, once again, a contractor of the healthcare provider caused a major data breach. According to a privacy expert quoted in the Times, "nearly 20 percent of breaches involved outside contractors, accounting for more than half of all the records exposed," which is a staggering number.

To protect our healthcare provider clients, we always include specific privacy protection warranties, indemnification clauses and limitation of liability carve-outs for vendor's own negligent acts or omissions which result in a data breach or loss. Stanford Hospital's example illustrates that providers must insist on such protections despite strenuous objections from vendors because, otherwise, providers may be exposed to a wide range of expenses and damages from third-party claims, fines, investigations and breach notification associated with a data breach or loss resulting from vendor's actions.

Tags: Articles, California, HIPAA, HITECH Act, News, PHI, Privacy & Security, breach, data, privacy, protection

Study: Most data breaches are caused by insiders

Posted on September 7, 2011 by Steve Fox and Vadim Schick

A survey by Veriphyr, a provider of identity and access intelligence solutions, found that insiders were responsible for over 60% of data breaches of protected health information (PHI). Specifically, 35% of the PHI breaches were due to insiders' snooping into medical records of fellow employees, and 27% due to improper access to records of their friends and relatives.

Over 70% of surveyed entities, which included hospitals and other heathcare providers, reported suffering one or more breaches within the last 12 months. Veriphyr CEO estimated that data breaches cost healthcare organizations almost $6 billion annually, but found that an overwhelming majority of privacy and compliance officers within the surveyed group (79%) felt that they lacked "adequate controls to detect PHI breaches in a timely fashion."

It is worth noting that 45% of breaches in the survey were caused by loss or theft of medical records and/or equipment holding such records. We have recently seen HHS impose a $1 million fine on Massachusetts General Hospital in a case where, it seems, records were lost by an employee due to a simple mistake and with no malice. UCLA Health System also paid a high price for its employees' snooping into medical records of celebrities.

While it is difficult to anticipate or avoid all possible human error, certain best practices - including Board and executive-level support for privacy initiatives, staff training and updated privacy and security policies and procedures, will go a long way to help your organization protect itself from a disastrous and costly data breach.

"Insiders responsible for majority of privacy breaches, survey finds," Healthcare IT News (August 30, 2011).

Tags: Articles, HHS, HIPAA, HITECH, News, OCR, PHI, Privacy & Security, breach, data, insider, notification, report

iPad EHR app certified for meaningful use

Posted on August 1, 2011 by Steve Fox and Vadim Schick

In a sure sign of the times, Drchrono, which offers a free electronic health record platform on the iPad, became the first iPad app to receive official ONC-ACTB certification. According to Healthcare IT News, "the drchrono EHR platform has been awarded ambulatory certification (ONC-ATCB) as a Complete EHR by San Luis Obispo, Calif.-based InfoGard, an Office of the National Coordinator (ONC) Authorized Testing and Certification Body (ATCB)". The app tracks a provider's use of the EHR and offers them key metrics to report to CMS, and includes many other features, such as billing and e-prescribing.

This is a huge step for a mobile EHR app, but its maker's regulatory hurdles may not be over. Last week, we reported on the FDA potentially regulating the market of mobile healthcare devices and applications. Electronic and personal health records could be exempt from such regulation, unless the FDA adopts a broad definition of "clinical decision support," which includes decisions based on the information given to a provider via the EHR app or device.

Moreover, use of such mobile apps or devices in healthcare presents providers with a very long list of legal concerns. Privacy and security of patient data, compliance with state and federal laws (including Stark and anti-kickback statutes), assumption of risk and liability, along with many other critical issues, should be addressed in the contract between the healthcare provider and vendor of such software.

Tags: ARRA, Articles, EHR, FDA, HITECH Act, News, ONC-ATCB, Privacy & Security, app, certification, certified, device, drchrono, iPad, mobile

FDA to regulate some mobile health applications

Posted on July 20, 2011 by Steve Fox and Vadim Schick

On July 19, 2011, the U.S. Food and Drug Administration (FDA) issued a guidance regarding the agency's plans to regulate select software applications intended for use on mobile platforms (mobile applications or "mobile apps"). According to the Washington Post, the FDA proposed to regulate only those mobile apps which: (1) act as an accessory to a regulated medical device; (2) turn a mobile device or gadget into a regulated device; and/or (3) make suggestions regarding a patient's diagnosis or treatment. Via the Post:

For example, an app that allows radiologists to view X-rays on an iPad or that turns an Android phone into a heart monitor would be regulated. But an app that stores medical records or provides training videos to physicians would not.

'We wanted to make sure that we are consistent in regulating medical devices so nothing has changed,' [FDA policy adviser Baku] Patel said. If 'somebody makes a stethoscope on an iPhone, it doesn’t change the level of oversight we have of a stethoscope.'

FDA's guidance does not establish any legally enforceable responsibilities, but describes FDA's current thinking on this topic and should be viewed only as recommendations. The agency will collect input from manufacturers and healthcare providers over the next 90 days.

You can view the full guidance by clicking here.

Tags: Articles, FDA, News, Privacy & Security, apps, device, mobile, mobile apps

UCLA Health System reaches $865,500 settlement with OCR

Posted on July 7, 2011 by Steve Fox and Vadim Schick

On July 6, 2011, the University of California at Los Angeles Health System (UCLAHS) reached a settlement with HHS's Office of Civil Rights (OCR) regarding UCLAHS's potential violations of HIPAA Privacy and Security Rules. The settlement includes a payment of $865,500 and a corrective action plan (CAP).

According to the HHS press release, this settlement "resolves two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLAHS. The complaints alleged that UCLAHS employees repeatedly and without permissible reason looked at the electronic protected health information of these patients. OCR’s investigation into the complaints revealed that from 2005-2008, unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients."

We reported on possible privacy violations at UCLA Health System before. Specifically, in May 2010, we wrote about Huping Zhou, a UCLAHS employee who was the first person to receive a criminal conviction for a HIPAA violation. It is not surprising that OCR stressed the importance of training staff in prevention of such privacy violations in the CAP required by the settlement. The CAP "requires UCLAHS to implement Privacy and Security policies and procedures approved by OCR, to conduct regular and robust trainings for all UCLAHS employees who use protected health information, to sanction offending employees, and to designate an independent monitor who will assess UCLAHS compliance with the plan over 3 years."

Tags: Articles, CAP, HIPAA, HITECH Act, News, OCR, Privacy & Security, Privacy and Security Rules, Rule, Security Rule, UCLA, UCLAHS, corrective action plan, privacy rule, violation

HHS issues proposed rule on accounting of PHI disclosures

Posted on June 1, 2011 by Steve Fox and Vadim Schick

On May 31, 2011, HHS released the proposed rule on accounting for dislosures of protected health information (PHI), which modified the HIPAA Privacy Rule pursuant to the HITECH Act. This proposed rule would give individuals the right to get a report on who has electronically accessed their PHI. Via HHS press release:

'This proposed rule represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard private health information,' said OCR Director Georgina Verdugo. 'We need to protect peoples’ rights so that they know how their health information has been used or disclosed.'

People would obtain this information by requesting an access report, which would document the particular persons who electronically accessed and viewed their protected health information. Although covered entities are currently required by the HIPAA Security Rule to track access to electronic protected health information, they are not required to share this information with people.

The proposed rule requires an accounting of more detailed information for certain disclosures that are most likely to affect a person’s rights or interests. The proposed changes to the accounting requirements provide information of value to individuals while placing a reasonable burden on covered entities and business associates.

You can view and download the proposed rule by clicking here.

Tags: ARRA, Accounting, Articles, HIPAA, HIPAA Privacy Rule, HITECH Act, NPRM, News, Privacy & Security, disclosures, proposed rule

Audit criticizes OCR and ONC over data privacy efforts

Posted on May 19, 2011 by Steve Fox and Vadim Schick

HHS's own Office of Inspector General (OIG) issued a scathing report regarding pervasive breaches in privacy and security of patient data. OIG specifically called out the Office of Civil Rights (OCR), charged with enforcement of HIPAA Privacy and Security Rules, for failing to investigate and punish the vast majority of violators.

The audit tested seven hospitals' compliance with HIPAA in seven different states, and found 151 vulnerabilities in the systems and controls intended to cover e-PHI, 124 of which were categorized as "high-impact" (i.e., ones which may result in costly losses, injury or death.) Violations included unencrypted wireless connections, easy passwords, and even a taped-over door lock on a room used for data storage. Via Modern Healthcare:

The audits of the seven hospitals revealed weaknesses in hospital IT defenses of electronic protected health information, or ePHI, ranging from the fact that several hospitals still were using obsolete and vulnerable encryption protocols to the fact that all seven had vulnerable access controls in which “Outsiders or employees at some hospitals could have accessed, and in one hospital did access, systems and beneficiaries' personal data and performed unauthorized acts without the hospitals' knowledge.”

“These vulnerabilities placed the confidentiality, integrity and availability of ePHI at risk,” the auditors said. The individual hospital audit reports were not disclosed “because the reports contained restricted, sensitive information that may be exempt from release under the Freedom of Information Act,” according to the report.

Tags: ARRA, Articles, HHS, HIPAA, News, OCR, OIG, ONC, Privacy & Security, Rule, audit, privacy, security

Updates to privacy and security regulations expected soon

Posted on May 16, 2011 by Steve Fox and Vadim Schick

According to Healthcareinfosecurity.com, the Office of Civil Rights (OCR) is still working on the final rule regarding the updates to HIPAA and the related HIPAA Privacy and Security Rules mandated by the HITECH Act. Susan McAndrew, deputy director for health information privacy at OCR, stated at a conference in Washington, DC, that such changes will be contained in one omnibus regulation and is expected to be published in a matter of months, if not weeks.

Such omnibus regulation will cover:

HITECH Act-mandated modifications to the HIPAA privacy, security and enforcement rules. These changes, for example, formalize higher penalties for HIPAA violations and make it clear that business associates must comply with HIPAA. Last December, HHS had indicated in its semi-annual regulatory agenda that the final HIPAA modifications, many of which were issued in preliminary form last year, would be completed by March.

The breach notification rule. An interim final version is already in effect. OCR yanked a proposed final version of the rule last year for further consideration. Some observers speculated that the office may be reconsidering the controversial "harm standard" in the interim final version of the rule, which enables organizations to conduct a risk assessment to determine whether a security incident represents a significant risk of harm and thus merits reporting.

Privacy provisions under the Genetic Information Nondiscrimination Act. These provisions will formalize that using genetic information for insurance underwriting purposes is a privacy violation as well as a non-discrimination violation, McAndrew said.

Tags: ARRA, Articles, HHS, HIPAA, HIPAA Privacy Rule, HITECH, HITECH Act, News, OCR, Privacy & Security, Privacy and Security, Security Rule

California agency to investigate HealthNet

Posted on March 16, 2011 by Steve Fox and Vadim Schick

As we predicted yesterday, HealthNet's breach of personal information of almost 2 million people, is already the subject of a state government agency's investigation. Via Health Leaders Media:

After Health Net, Inc. in California announced Monday that several data servers containing sensitive health and personal information on its enrollees are unaccounted for, state officials said the security breach involves 'personal information for 1.9 million current and past enrollees nationwide.'

The California Department of Managed Health Care, the only stand-alone HMO watchdog agency in the nation, also provided further details beyond the plan's statement, saying that the missing records on nine servers are 'for more than 622,000 enrollees in Health Net products regulated by the DMHC, more than 223,000 enrolled in the California Department of Insurance products (another state agency that has oversight responsibility) and a number enrolled in Medicare.'

'The DMHC has opened an investigation into Health Net's security practices," said DMHC spokesperson Lynne Randolph. "Health Net has agreed to provide two years of free credit monitoring services to its California enrollees, in addition to identity theft insurance, fraud resolution and restoration of credit files, if needed.'

This may not be the last government investigation for the embattled insurer. For more information on the breach, please click here.

Tags: 1.9, Articles, California, HIPAA, HealthNet, News, Privacy & Security, breach

HealthNet breach affects 1.9 million individuals

Posted on March 15, 2011 by Steve Fox and Vadim Schick

HealthNet, a California-based insurer, suffered another major data breach last month. Modern Healthcare reports that HealthNet lost data of almost two million employees, members and healthcare providers, including their medical information, Social Security numbers and other sensitive information. The loss was reportedly caused by a missing server drive from HealthNet's Rancho Cordova, CA data center. According to the insurance company's press release, HealthNet's IT vendor, IBM, notified HealthNet that it could not locate the drives.

As we noted previously, HealthNet suffered another major data breach in 2009, when the company lost a portable hard drive containing sensitive and protected information on 1.5 million people. As a result of that breach, HealthNet was sued by then-Connecticut Attorney General Richard Blumenthal, in a first such action under HIPAA, as modified by the HITECH Act. HealthNet and Connecticut settled this suit in 2010 for $250,000 fine, a $500,000 contingency fund and a corrective action plan aimed at enhancing the security of the data in HealthNet's possession.

In light of HHS stepping up enforcement of HIPAA and HIPAA Privacy and Security Rules, HealthNet will become a likely target of both federal and state investigations; and if such investigations reveal negligence or failure to implement or comply with their own corrective action plan referenced above, the fines could be much more severe than the $250,000 number from the Connecticut settlement in 2010.

This should also serve as a reminder about the importance of requiring IT vendors to indemnify healthcare providers against such losses. If HealthNet's investigation concludes that IBM and/or its personnel were responsible for this loss, the parties will likely look to their existing contracts and BAA to determine whether IBM will reimburse HealthNet for its costs in relation to this breach.

Tags: Articles, HIPAA, HITECH, HealthNet, News, Privacy & Security, Privacy and Security, action, breach, corrective, data loss, drive, enforcement, fine, missing, plan

Cignet Health fined $4.3 million for HIPAA Privacy Rule violation

Posted on February 22, 2011 by Steve Fox and Vadim Schick

Cignet Health, a Maryland health plan and a HIPAA covered entity, has been fined $4.3 million for failing to produce health records upon request to 41 patients, and for failing to cooperate with OCR with the agency's investigation. This is the very first civil money penalty (CMP) issued by HHS under the HIPAA Privacy Rule.

Via HHS Press Release:

In a Notice of Proposed Determination issued Oct. 20, 2010, OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with OCR, initiating investigations of each complaint. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The CMP for these violations is $1.3 million.

During the investigations, Cignet refused to respond to OCR’s demands to produce the records. Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.

Tags: 4.3, Articles, CMP, Cignet, HHS, HIPAA, HIPAA Privacy Rule, News, OCR, Office of Civil Rights, Privacy & Security, civil money penalty, privacy rule

New York City hospitals suffer enormous data breach

Posted on February 21, 2011 by Steve Fox and Vadim Schick

New York City's Health and Hospital Corporation notified its patients last week of a loss of electronic files containing personal data, including PHI of some 1.7 million people. Electronic files were stolen while the information management company's van was left unlocked and unattended.

This case should serve as a great reminder to:

check your existing contracts - including Business Associate Agreements - with HIT and health information management vendors, to see if such agreements contain appropriate clauses indemnifying the provider against costs, losses, fines and other expenses incurred as a result of the vendor's loss or improper disclosure of protected personal data, including PHI;

make sure that same contracts do not impose a cap on vendor's liability in the event of such breach;

confirm that you have a proper breach response plan in place (which should include, e.g., where applicable, procedures for notifying patients in foreign languages); if not, bring together management, legal, IT and privacy and security offers to develop such a plan as soon as possible; and

review your policies and procedures with respect to compliance with the HIPAA Privacy and Security Rules, especially as modified by the HITECH Act.

Tags: 1.7, Articles, GRM, HIPAA, HITECH, Health and Hospitals Corporation, NYC, New York City Health and Hospitals Corporation, News, Privacy & Security, Privacy and Security, breach, vendor

New law exempts doctors from Red Flags Rule

Posted on December 23, 2010 by Steve Fox and Vadim Schick

On December 18, 2010, President Obama signed into law the Red Flag Program Clarification Act of 2010, which narrows the definition of a creditor for purposes of implementing the so-called “red flags rule,” i.e., Federal guidelines for use by financial institutions and creditors in establishing policies and procedures to mitigate identity theft risks."

The new law ended years-long dispute between the Federal Trade Commission (charged with enforcement of the Red Flags Rule program) and healthcare providers reluctant to take on an additional administrative and regulatory burden.

Via Healthcare IT News:

Red Flag Program Clarification Act of 2010 (Bill, S. 3987) sponsored by Senators John Thune (R-SD) and Mark Begich (D-AK), was scheduled to go into effect on Dec. 31. It was first introduced in the Senate on Nov. 30 and unanimously passed on the same day. The Senate passed the bill by voice vote on Dec. 7.

The Red Flags rule was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring "creditors" and "financial institutions" to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have "covered accounts" to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities – known as "red flags" – that could indicate identity theft.

The Red Flag Program Clarification Act modified the regulation in a way that exempted those creditors from the Red Flags Rule program which "advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person."

Tags: Articles, News, Privacy & Security, Red Flags Rule, clarification, clarification act of 2010

U.S. Department of Commerce issues report on online data privacy

Posted on December 17, 2010 by Steve Fox and Vadim Schick

On the heels of FTC's report on web privacy, the U.S. Department of Commerce released its own findings on the state of online privacy and issued recommendations for how to address the growing privacy concerns of consumers while maintaining the Internet platform which supports creativity, innovation, economic growth and job creation. The Commerce Department offered U.S. lawmakers several guidelines aimed at achieving the objective above:

Consider Establishing Fair Information Practice Principles comparable to a “Privacy Bill of Rights” for Online Consumers
Consider Developing Enforceable Privacy Codes of Conduct in Specific Sectors with Stakeholders; Create a Privacy Policy Office in the Department of Commerce
Encourage Global Interoperability to Spur Innovation and Trade
Consider How to Harmonize Disparate Security Breach Notification Rules
Review the Electronic Communications Privacy Act for the Cloud Computing Environment.

The Wall Street Journal called these proposals a "turning point," marking the administration's shift away from self-regulation in the online industry. The Journal also noted that future legislative action on this issue is likely to happen as soon as 2011, and that such legislation would enjoy rare bipartisan support in Washington.

Tags: Articles, Commerce, Do-not-track, News, Privacy & Security, internet, online privacy, privacy, report

New York State plans country's largest health information network

Posted on December 15, 2010 by Steve Fox and Vadim Schick

Via Democrat and Chronicle (Rochester):

The New York state Department of Health and a public-private partnership called New York eHealth Collaborative, or NYeC (pronounced "nice"), recently announced plans to spend $129 million in state and federal money to create a statewide network for electronic medical records, to be complete in 2014. Like the highways, they envision the network as a public utility that will allow medical providers anywhere in the state to view — with your permission — a list of your medications, any allergies and any recent X-rays or other tests that could help guide your care. The e-records network would be the largest in the country, dwarfing networks of other states and the Veterans Administration.

The planned statewide network, called Statewide Health Information Network for New York or SHIN-NY, is intended to serve more than 200 hospitals, thousands of medical practitioners and up to 20 million patients a year.

You can read more about NYeC here.

Tags: ARRA, Articles, EHR, HIE, HITECH Act, NYeC, New, News, PHR, Privacy & Security, RHIO, York, health information network

FTC proposes new privacy framework

Posted on December 1, 2010 by Steve Fox and Vadim Schick

In a highly anticipated move, on December 1, 2010, the Federal Trade Commission (FTC) released its report and recommendations regarding protecting personal information gathered online. The FTC recommended moving away from self-regulation by the industry towards a more European, “privacy-by-design” approach, which offers a much greater degree of protection to individuals, including by requiring businesses collecting data online to build privacy protections into their everyday business practices and retain data on consumer preferences and online browsing activity only as long as needed and deleting data on a regular basis.

While this privacy framework may not be enforceable on its own, FTC’s recommendations therein are expected to be the basis of a broader legislative action. A comprehensive data privacy bill has been circulating in Congress for some time now. For example, Rep. Bobby Rush (D-IL), Rep. Rich Boucher (D-VA), Rep. Joe Barton (R-TX) and Senators Mark Pryor (D-AR) and John Kerry (D-MA) have been working on legislation regulating and protecting an individual’s personal information. In fact, according to Rep. Joe Barton, a key figure on the Energy and Commerce Committee of the U.S. House of Representatives, privacy legislation is expected to advance despite the takeover of the House by the Republicans.

You can view the full report here.

You can view FTC's press release here.

"Agency Proposes ‘Do Not Track’ Option for Web Users," New York Times (December 1, 2010).

Tags: Articles, Do-not-track, FTC, News, Privacy & Security, do not track, framework, information, online, privacy, privacy by design, privacy-by-design

Study: Data Breaches Cost U.S. Hospitals Billions

Posted on November 10, 2010 by Steve Fox and Vadim Schick

A new study by the Ponemon Institute concluded that data breaches cause enormous losses for U.S. hospitals: on average, over a two-year period, each hospital will incur about $2 million in losses due to data breaches, which results in $12 billion cumulative loss for all U.S. hospitals.

The study also found that:

Most healthcare organizations experience undetected breaches of patient data due to lack of preparation and staffing. 71% of healthcare organizations reported having inadequate resources, 52% reported having appropriately trained personnel, and 69% reported having insufficient policies and procedures in place to prevent and quickly detect patient data loss; thus leaving such organizations with little or no confidence in their ability to appropriately secure patient records.

Protecting patient data is not a priority for 70% of hospitals, with 67% reporting having less than 2 staffers dedicated to privacy and security issues.

71% do not believe the new federal regulations pursuant to the HITECH Act have significantly changed the management practices of patient records.

Tags: ARRA, Articles, HITECH, HITECH Act, News, Privacy & Security, data breach, data loss, privacy, security, training, training staff

U.S. healthcare providers hesitant about "offshoring" EHRs to India

Posted on November 3, 2010 by Steve Fox and Vadim Schick

Will American healthcare providers, like major companies in other sectors of the economy, outsource their electronic medical records systems and maintenance offshore, especially to an established tech industry in India? According to the Wall Street Journal, Indian technology vendors face a significant amount of skepticism regarding outsourcing health IT to India.

While major tech companies routinely utilize data centers, service desk and other products and services in India, healthcare providers are not used to such outsourcing arrangements. Indian IT companies like HCL, InfoSys, and Wipro are trying to tap into the booming health IT market in the United States. However, they face a number of important challenges, including concerns over privacy, security and integrity of protected data, breadth of experience in the industry,and ease of implementation of such systems. One prominent CIO described this challenge succinctly in the Journal:

Designing and installing new medical systems 'is hard to do off site, let alone offshore,' says Darren Dworkin, chief information officer of Cedars-Sinai Medical Center in Los Angeles. Cedars-Sinai is close to finishing a four-year, $100-million project to install an electronic medical-records system. Mr. Dworkin says that 80% to 90% of the work isn't the sort of commodity coding that is easily outsourced, instead requiring an intimate knowledge of the hospital's terminology and how its doctors and nurses work.

You can read the full article by clicking here.

"Qualms Arise Over Outsourcing Of Electronic Medical Records," Wall Street Journal (November 2, 2010).

Tags: ARRA, Articles, EHR, EMR, News, Privacy & Security, electronic health records, offshore, offshoring, outsource, outsourcing

Our column in Government Health IT on RECs and HIT contracts

Posted on October 29, 2010 by Steve Fox and Vadim Schick

Government Health IT published a column by Steve Fox and yours truly on the critical role Regional Extension Centers (RECs) can and should play in distributing best practices regarding contracting for health IT systems, including EHRs. Via Government Health IT:

RECs have the potential to serve as a valuable resource, especially for remote and underserved paper-based primary practices. However, RECs could be doing a disservice to physicians by failing to advise or provide them with essential EMR contract negotiation skills.

With HITECH Act incentives expiring in just a few years, healthcare providers will likely get only one chance to qualify for the full amount of the incentive payments. Thus, successful implementation and operation of an EMR system by the selected health IT vendor becomes critical to each healthcare organization trying to achieve “meaningful use” and take advantage of the incentive program.

In this environment, strong and effective contracts between healthcare providers and health IT vendors is especially significant, because such agreements can provide adequate protections, safeguards and other rights for the provider-customer, in the event a vendor defaults or otherwise fails to perform to the provider’s satisfaction.

You can read the full column by clicking here.

Tags: ARRA, Articles, EHR, Government Health IT, HIT, HITECH, HITECH Act, Meaningful use, News, Privacy & Security, REC, Regional Extension center, agreement, best practices, contract, incentive, negotiating

Study: Less than 7% of doctors email patients

Posted on October 28, 2010 by Steve Fox and Vadim Schick

According to a new study by the Center for Studying Health System Change, less than 7% of U.S. physicians communicate with their patients via e-mail. According to the Wall Street Journal, most physicians did not have access to electronic health records or other health information technology allowing secure communication with patients online. Yet even among those physicians with access to such technology, only 19.5% reported communicating with patients via email regularly.

Via the Journal:

This survey didn’t ask non-emailing physicians why they weren’t trading LOLs and emoticons with their patients, but the CSHSC brief has a host of previously cited reasons: “lack of reimbursement, the potential for increased workload, maintaining data privacy and security, avoiding increased medical liability and the uncertain impact on care quality.” (Given that list, it’s hard to figure out why any physician would choose to email patients.)

Doctors working in practices the have already converted to electronic medical records were more likely to communicate with patients via email. So were physicians in HMOs or academic centers, compared to those in solo or two-doctor practices.

Tags: Articles, EHR, EMR, HITECH Act, News, Privacy & Security, email, privacy, secure, security

CRISP health exchange goes live in Maryland

Posted on October 21, 2010 by Steve Fox and Vadim Schick

The Chesapeake Regional Information System for our Patients (CRISP) went live this month connecting three hospitals, three radiology centers and two private companies in Montgomery County, Maryland during the initial stage of this health data exchange. According to The Washington Post, all 48 hospitals in Maryland plan to join CRISP by 2012. The exchange will allow hospitals, physician practices, hospitals, clinics, labs, radiology centers, and other health care institutions to share information electronically.

Via the Post:

The Maryland Health Care Commission designated CRISP to oversee the state's effort to create a secure exchange for electronic health information within the state. More than 300 such exchanges are in development throughout the United States as part of a larger effort to develop national exchange standards and best practices. More than 20 organizations were involved in CRISP's development, including doctors, insurance companies, hospitals and consumer advocates, who helped structure the network in a way that will protect patient privacy in accordance with applicable law.

The funding for the network came from a patchwork of state and federal grants. In 2009, Maryland allocated $10 million from a fund that insurance companies pay into to reimburse hospitals for the network's start-up costs. The state health-care commission received an additional $9.3 million in federal stimulus money that covered the cost of the exchange's rollout. In April, a division of the U.S. Department of Health and Human Services that promotes the adoption of information technology gave CRISP $5.5 million to help 1,000 primary care physicians use electronic health records more effectively.

Tags: Articles, CRIPS, HIE, Maryland, News, Privacy & Security, health exchange, health information exchange

Updated: Slides from Webinar on HIPAA Privacy and Security Rules

Posted on October 7, 2010 by Steve Fox and Vadim Schick

Post & Schell, in collaboration with Kroll Fraud Solutions, presented a free webinar examining the crucial changes and updates to the HIPAA Privacy and Security Rules included in the Notice of Proposed Rulemaking (NPRM) issued by the Office of Civil Rights of the U.S. Department of Health and Human Services on July 8, 2010. Post & Schell's Steve Fox and Vadim Schick highlighted the key provisions in the NPRM, including:

New restrictions on use and disclosure of protected health information (PHI) for marketing, fundraising, and other commercial purposes
Providing patients with e-copies of their PHI
Extension of HIPAA Privacy and Security Rules to business associates
Effect of new rules on business associate agreements

In addition, our guest presenter for this webinar, Alex Ricardo, CIPP of Kroll Fraud Solutions, discussed the practical implications of this new set of regulations on covered entities and business associates, including:

Assessing an organization's policies, procedures and practices for compliance with the HIPAA Rules and these updates
Reviewing current contractual agreements and relationships with business associates and their subcontractors
Training staff of the organization
Breach preparedness and breach response

You can view or download the slides from this presentation by clicking here.

For more information, contact Vadim Schick at vschick@postschell.com or 202-661-6945.

Tags: Articles, Business, HHS, HIPAA, HITECH Act, NPRM, News, OCR, Privacy & Security, associate, breach, breach assessment, privacy, security, subcontractor

Free Webinar: HIPAA Privacy & Security Rules Update

Posted on September 20, 2010 by Steve Fox and Vadim Schick

On Thursday, October 7, 2010, from 1:00PM to 2:00PM, Post & Schell, in collaboration with Kroll Fraud Solutions, will present a free webinar examining the crucial changes and updates to the HIPAA Privacy and Security Rules included in the Notice of Proposed Rulemaking (NPRM) issued by the Office of Civil Rights of the U.S. Department of Health and Human Services on July 8, 2010. Post & Schell's Steve Fox and Vadim Schick will highlight the key provisions in the NPRM, including:

New restrictions on use and disclosure of protected health information (PHI) for marketing, fundraising, and other commercial purposes
Providing patients with e-copies of their PHI
Extension of HIPAA Privacy and Security Rules to business associates
Effect of new rules on business associate agreements

In addition, our guest presenter for this webinar, Alex Ricardo, CIPP of Kroll Fraud Solutions, who will discuss the practical implications of this new set of regulations on covered entities and business associates, including:

Assessing an organization's policies, procedures and practices for compliance with the HIPAA Rules and these updates
Reviewing current contractual agreements and relationships with business associates and their subcontractors
Training staff of the organization
Breach preparedness and breach response

You can view this presentation at your desk. There is no charge or limit to the number of people who can listen to the presentation on the same line. Click the following link to register for the webinar: register now. After registering, you will receive log-in information for this webinar by
e-mail.

For more information, contact Vadim Schick at vschick@postschell.com or 202-661-6945.

Tags: ARRA, Articles, HITECH Act, News, Privacy & Security

California fines hospital $250,000 for failing to comply with state breach statute

Posted on September 10, 2010 by Steve Fox and Vadim Schick

As we mentioned previously, California has the strictest data breach notification statute in the country, allowing entities only five days to report a breach, but not permitting even the customary delays for law enforcement efforts. California Department of Public Health (CDPH) is charged with enforcement of this statute, contained in Section 1280.15 of the California Code, and may impose the maximum of $250,000 fine for each breach incident.

CDPH imposed the maximum $250,000 fine on Lucile Salter Packard Children's Hospital (LSPCH) at Stanford University for failing to report within five days a breach involving 532 patients. The breach resulted from an employee of LSPCH stealing a laptop containing PHI for these 532 patients.

The somewhat shocking part is that CDPH levied the maximum fine on this hospital, even though the hospital reported this breach after an investigation less than two weeks later. LSPCH discovered the breach on February 1, 2010, but did not report the breach until February 19, 2010. In fact, CDPH learned of the breach from the hospital's notice. While a clear violation of the five-day rule (however just or draconian the rule may be), it does not seem to be an egregious violation which would merit the maximum fine. LSPCH believes that its notification to the state and to the affected individuals was reasonable and timely and is appealing the fine.

Tags: $250, 000, Articles, CPDH, California, California department of public health, News, Privacy & Security, fine, security

CCHIT to launch certification process on September 20, 2010

Posted on August 31, 2010 by Steve Fox and Vadim Schick

According to Karen Bell, MD, chair of the Certification Commission on Health Information Technology (CCHIT), her organization will begin accepting applications for HHS certification as early as September 20, 2010. Via Healthcare IT News:

CCHIT is authorized to offer HHS certification for complete EHRs that meet all of the Stage 1, 2011/2012 HHS/ONC criteria, as well as certification for modular EHR products that meet one or more - but not all - of the criteria, Bell said.

According to Bell, CCHIT plans to launch its authorized HHS certification program on Sept. 20 at 1 p.m. Eastern time with a Town Call Webcast describing its application and testing process. CCHIT will take new health IT developer applications immediately after the Webcast and the first group of HHS certified complete EHRs and EHR modules will be announced within weeks of that launch.

In addition to HHS certification, CCHIT will continue to offer its CCHIT Certified program for ambulatory and inpatient EHR products that exceed the HHS/ONC criteria and are designed for hospitals and physician practices that are looking for assurance of more robust, integrated EHR products to support the unique needs of its clinicians and patients. Many of these products will also be HHS certified, Bell said.

You can read more about CCHIT's plans here.

Tags: ARRA, Articles, CCHIT, EHR, EMR, HITECH Act, News, ONC, ONC-ATCBs, Privacy & Security, acute, ambulatory, certification, meaningful, testing, use

CCHIT and Drummond picked as ONC-ATCBs

Posted on August 31, 2010 by Steve Fox and Vadim Schick

Via HHS Press Release:

The Certification Commission for Health Information Technology (CCHIT), Chicago, Ill. and the Drummond Group Inc. (DGI), Austin, Texas, were named today by the Office of the National Coordinator for Health Information Technology (ONC) as the first technology review bodies that have been authorized to test and certify electronic health record (EHR) systems for compliance with the standards and certification criteria that were issued by the U.S. Department of Health and Human Services earlier this year.

Announcement of these ONC-Authorized Testing and Certification Bodies (ONC-ATCBs) means that EHR vendors can now begin to have their products certified as meeting criteria to support meaningful use, a key step in the national initiative to encourage adoption and effective use of EHRs by America’s health care providers.

“Less than two months following the issuance of final meaningful use rules, we have approved our initial ONC-ATCB certifiers. EHR vendors can begin immediately to get their products certified.” said David Blumenthal, M.D., national coordinator for Health Information Technology. This is a crucial step because it ensures that certified EHR products will be available to support the achievement of the required meaningful use objectives, that these products will be aligned with one another on key standards, and that doctors and hospitals can invest with confidence in these certified systems.”

Tags: ARRA, ATCB, Articles, EHR, EMR, HITECH Act, News, ONC, ONC-ATCBs, Privacy & Security, certification, meaningful, testing, use

Steve Fox interviewed by InformationWeek about EHR contracts

Posted on August 24, 2010 by Vadim Schick

Our own Steve Fox was interviewed by InformationWeek regarding the essential protections healthcare providers should include in their EHR contracts with health IT vendors. In particular, Steve warned providers against simply accepting vendor agreements without carefully reviewing and negotiating the key provision therein. Via InformationWeek:

"Many health IT vendors offer online contacts that prompt the physician to click the 'agree' button. Unfortunately some of these agreements have no warranties and in fact disclaim many standard warranties, so the vendors are selling their products 'as is,' which means if something goes wrong they are not responsible," Fox told InformationWeek after his presentation. "Some contracts even go further and say if a third party, for example the patient, would sue as a result of a problem with the EHR, the physician has to indemnify and defend the vendor even if it was the vendor that caused the problem."

You can read more after the jump, or by clicking here.

Tags: ARRA, Articles, EHR, HITECH, HITECH Act, Meaningful use, News, PHI, Privacy & Security, agreement, contract, data, negotiating, privacy, protection, provision, warranties

On data visualization

Posted on August 23, 2010 by Vadim Schick

Data journalist David McCandless gave a brilliant talk about data analysis and visualization at this year's TED conference in Oxford, England. What kind of stories will the newly collected electronic health data tell us about the human body and mind? If the nationwide EMR adoption proceeds according to plan, we will, for the first time, have enormous amount of health information available for analysis. Data design and visualization will be key to our discovering and understanding of the often-hidden truths contained in raw data.

Tags: Articles, David McCandless, News, Privacy & Security, TED, data visualization

Advisory panel submits recommendations to HIT Policy Committee regarding health data exchanges

Posted on August 20, 2010 by Steve Fox and Vadim Schick

On August 19, 2010, the "tiger team" advisory panel submitted a letter to the HIT Policy Committee, established pursuant to the HITECH Act, proposing new safeguards for personally identifiable information on health information exchanges. Via Bloomberg Business Week:

The recommendations were developed in response to a specific set of privacy-related questions raised by the Office of the National Coordinator for Health Information Technology. They touch upon and clarify topics such as patient consent and the use of third-party service providers in the exchange of personally identifiable health information.

<...> One of the bigger recommendations relates to patient consent. The direct exchange of electronic patient data between health providers for treatment purposes does not require any additional patient consent, the panel noted. The same rules that apply to paper or faxed exchanges of health information should apply in the electronic realm as well.

HIT Policy Committee will have to review and approve the proposed safeguards. You can read more about the proposed standards after the jump, and can read the letter in full by clicking here.

Tags: ARRA, Articles, HIT, HIT Policy Committee, HITECH Act, News, ONC, Privacy & Security, Privacy and Security, consent, health data exchange, health information exchange, meaningful consent

eWeek: Top 10 Reasons to avoid EHRs stored in a "cloud"

Posted on August 19, 2010 by Steve Fox and Vadim Schick

eWeek provides a great reminder of the dangers of signing up for an electronic health records system stored in a "cloud." Such ASP/SaaS EHR models are attractive to many practices because they offer consistent (though not always lower) monthly fees and require no equipment purchases or installations. However, as eWeek appropriately summarized, choosing an ASP provider should raise quite a few concerns, including:

Access: who has access to your information (including your patients' protected health information)? How safe is it? Perhaps even more importantly, do you have access to your own information? Each ASP contract must deal with access issues, and clearly state that the provider will always have the right to access its own information stored on remotely hosted servers. Similarly, vendors should warrant that only the necessary personnel will access provider's records, and only in accordance with the scope of the agreement between the parties.
Storage and disposal: Where is the data actually stored, and what regional or international laws may apply to such information? Also, what happens if the provider ceases to exist? eWeek reminds us that in 2001, "GE Healthcare bought health records provider Encounter EHR and eventually ended up shutting it down - giving records holders 30 days' notice to reclaim their data or lose it. This caused a great number of problems." While such instances are rare, what if the vendor storing your records is acquired by another company? Once again, your contracts should clearly deal with these issues, especially by providing that in the event the vendor is sold or goes out of business, provider has the right to terminate the agreement and the vendor must immediately return all of provider's data in its possession in the format specified by the provider.
Cost: Does choosing ASP/SaaS model save money? According to eWeek, not necessarily: "Allscripts' MyWay service costs $700 per month per health care provider. GE Healthcare's new Centricity Advance service will cost doctors from $300 to $800 a month. Most client-server software packages are much less expensive."

Tags: ARRA, ASP, Articles, HITECH Act, News, Privacy & Security, SaaS, agreement, cloud, cloud computing, contracting, contracts, electronic health records, electronic medical records, negotiate

NIST Publishes Approved Testing Procedures for EHRs

Posted on August 19, 2010 by Steve Fox and Vadim Schick

Via NIST:

In efforts to help the nation's health care industry make the transition to the digital age in an effective and meaningful fashion, the National Institute of Standards and Technology (NIST) has published a set of approved procedures for testing information technology systems that work with electronic health records (EHRs). Released in draft form earlier this year (see "NIST, Partners Develop Testing Infrastructure for Health IT Systems," NIST Tech Beat for March 16, 2010, at http://www.nist.gov/itl/hit_031610.cfm), the approved and finalized testing procedures are now available for use.

Under a certification program established by the U.S. Department of Health and Human Services Office of the National Coordinator (HHS/ONC), testing organizations authorized by HHS/ONC can use the tools to evaluate EHR software and systems that vendors would like to sell to doctor's offices, hospitals and other health care providers. Starting next year, the federal government will provide extra Medicare and Medicaid payments to health care providers that implement EHR systems certified to meet ONC requirements that conform to technical standards and are put to "meaningful use," performing specifically defined functions.

These ONC-approved test procedures help ensure that electronic health records function properly and work interchangeably across systems developed by different vendors. The set of 45 approved test procedures evaluate components of electronic health records such as their encryption, how they plot and display growth charts, and how they control access so that only authorized users can access their information.

The development of these tools was mandated by the American Recovery and Reinvestment Act (ARRA) in order to support a health IT infrastructure.

Notice of the approved test procedures appears in the August 9, 2010, Federal Register. For more information, see http://healthcare.nist.gov/use_testing/finalized_requirements.html and http://healthit.hhs.gov/certification

Tags: ARRA, Articles, Certified EHR, EHR, HITECH Act, NIST, News, Privacy & Security, certification, certification process, certifying body, electronic health records

Final breach notification rules delayed

Posted on July 29, 2010 by Steve Fox and Vadim Schick

On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published the interim final regulations regarding breach notification requirements for health care providers and other entities covered by HIPAA. The rule became effective on September 23, 2009.

During the 60 day public comment period, HHS received 120 comments, after which HHS developed a final rule and submitted it to the Office of Management and Budget for regulatory review on May 14, 2010. However, on July 27, 2010, HHS issued a statement that they are withdrawing the final rule from OMB:

HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months.

HHS's withdrawal remains a bit of mystery. However, Post & Schell's Ed Shay has a couple of thoughts, which you can read after the jump.

Tags: ARRA, Articles, HIPAA, HITECH, HITECH Act, Higher Ed, News, Privacy & Security, breach notification, enforcement, harm threshold, privacy, risk of harm

Rite Aid settles FTC and OCR privacy charges

Posted on July 29, 2010 by Steve Fox and Vadim Schick

The Rite Aid Corporation, the third largest pharmacy chain in the United States, reached a major settlement with both the Federal Trade Commission (FTC) and HHS's Office of Civil Rights (OCR) regarding charges that Rite Aid violated federal privacy and security laws and regulations by failing to keep its customers' and employees' data safe.

Rite Aid employees were reported to discard prescriptions and pill bottles containing sensitive patient data into the dumpsters behind various Rite Aid pharmacies, which were easily accessible to the public. Such practices violate the HIPAA Privacy Rule, which requires covered entities to safeguard the privacy of patient information, even when such information is being destroyed. Rite Aid's actions may also violate the company's own promises to their customers regarding keeping their health information private and secure (this broken promise being the basis for FTC's charges).

Tags: ARRA, Articles, CVS, FTC, HHS, HIPAA, HIPAA Privacy Rule, HITECH Act, Higher Ed, News, OCR, Privacy & Security, Rite Aid, corrective action plan, disposal, dumpster, privacy, security, settlement

CMS issues final rules on Meaningful Use

Posted on July 13, 2010 by Steve Fox and Vadim Schick

On July 13, 2010, CMS issued the final rule defining "meaningful use" and establishing the parameters and requirements for eligible professionals, hospitals and other providers to receive incentive payments provided under the HITECH Act for widespread adoption of electronic health records. According to CMS, the key changes included in the final rule (from the meaningful use NPRM published in the Federal Register on January 13, 2010) include:

Greater flexibility with respect to eligible professionals and hospitals in meeting and reporting certain objectives for demonstrating meaningful use. The final rule divides the objectives into a “core” group of required objectives and a “menu set” of procedures from which providers may choose any five to defer in 2011-2012. This gives providers latitude to pick their own path toward full EHR implementation and meaningful use.

An objective of providing condition-specific patient education resources for both EPs and eligible hospitals and the objective of recording advance directives for eligible hospitals, in line with recommendations from the Health Information Technology Policy Committee.

A definition of a hospital-based EP as one who performs substantially all of his or her services in an inpatient hospital setting or emergency room only, which conforms to the Continuing Extension Act of 2010

CAHs within the definition of acute care hospital for the purpose of incentive program eligibility under Medicaid.

You can view the PDF of the final rule on Meaningful Use by clicking here.

You can learn more about it from the HHS press release by clicking here. Also, the New England Journal of Medicine published an excellent summary by Dr. Blumenthal of the changes included in the final rule; you can find this article by clicking here.

HHS issues NPRM on HIPAA Privacy, Security and Enforcement Rules

Posted on July 8, 2010 by Steve Fox and Vadim Schick

On July 7, 2010, HHS issued a notice of proposed rule making (NPRM) regarding the changes to the HIPAA Privacy, Security and Enforcement Rules, as provided in the HITECH Act, in order "to strengthen the privacy and security protections for health information and to improve the workability and effectiveness of the HIPAA Rules." Via HHS Press Release:

The proposed modifications to the HIPAA Rules include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans. In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.

You can view the NPRM by clicking here.

"Notice of Proposed Rulemaking to Implement HITECH Act Modifications," HHS Press Release (July 7, 2010).

Tags: ARRA, Articles, HHS, HIPAA, HIPAA Privacy, HIPAA Security, HITECH, HITECH Act, NPRM, News, ONC, PHI, Privacy & Security, breach, data, enforcement, privacy, security

HealthNet and Connecticut settle breach suit

Posted on July 8, 2010 by Steve Fox and Vadim Schick

In November of 2009, health insurance provider HealthNet reported a loss of a portable disk drive (which occurred six months prior to HealthNet's report). The disk drive contained compressed, though not encrypted, data, including social security and bank account information, on nearly half a million persons. This loss outraged the Connecticut Attorney General Richard Blumenthal, eventually leading Connecticut to file suit against the insurer for HIPAA violations and noncompliance with HealthNet's own security policies by failing to encrypt the sensitive data.

However, on July 6, 2010, Blumenthal (who is currently running to replace Chris Dodd (D-CT) in the U.S. Senate) announced that Connecticut has reached a settlement with HealthNet and its parent companies over this breach. According to Blumenthal, this is the very first time a state Attorney General reached such a settlement for a HIPAA violation. The settlement included:

$250,000 fine to be paid to Connecticut;

$500,000 contingency fund, to be paid to the state in the event it is determined that someone accessed the protected data on the lost disks; and

a "corrective action plan" which is aimed to enhance security of protected data in possession of HealthNet and its parent companies.

It is important to keep in mind that the penalties could have been even higher. Yet regardless of the amount of the fine, this breach cost much more to HealthNet than $250,000. The costs associated with investigations, breach notification, and possible legal fees almost certainly cost the organization more than the amount of the fine imposed by Connecticut. Thus, HealthNet's example should serve as a great reminder about the importance of doing everything possible to avoid a breach, and knowing how to handle a breach effectively if one does occur.

"Blumenthal wins $250,000 in Health Net settlement," TheDay.com (July 6, 2010).

Tags: Articles, Blumenthal, HIPAA, HealthNet, News, Privacy & Security, Richard Blumenthal, breach, breach notification, connecticut, privacy, security

Major breach at a New York hospital affects over 130,000 patients

Posted on July 1, 2010 by Steve Fox and Vadim Schick

Lincoln Medical and Mental Health Center (LMMHC) in New York suffered a major breach affecting 130,495 of its patients, according to a notice provided to HHS. The breach occurred when the hospital's contractor, Siemens Medical Solutions USA, shipped seven password-protected, but not encrypted, CDs containing patient information via FedEx; and these CDs were subsequently lost in transit. Via Bloomberg Business Week:

The CDs were sent by the hospital's billing processor, Siemens Medical Solutions USA, around March 16, but never arrived at their intended destination. They included sensitive health and personal information including Social Security numbers, addresses, dates of birth, health plan numbers, driver's license numbers and even descriptions of medical procedures, the hospital said on a note posted to its Web site.

<...> Siemens is no longer FedExing CDs to Lincoln, the hospital said. It is not aware of any of the data being improperly accessed.

LMMHC's breach should serve as a reminder for all healthcare providers currently negotiating health IT contracts to include proper protections in the event its vendor causes a breach or loss of protected data. This is particularly crucial in the post-HITECH Act era.

We always include specific compliance with privacy laws warranties, indemnification clauses and limitation of liability carve-outs for vendor's own negligent acts or omissions which result in a data breach or loss. LMMHC's example clearly illustrates that providers must insist on such protections -- often, over strenuous objections from vendors -- because, otherwise, providers may be exposed to a wide range of expenses and damages from third-party claims, fines, investigations and breach notification associated with a data breach or loss resulting from vendor's actions.

For more information, please listen to or view the slides from our Webinar on negotiating "must-have" provisions in HIT contracts.

"New York hospital loses data on 130,000 via FedEx," Bloomberg Business Week (June 29, 2010).

Tags: Articles, HIT, HITECH, HITECH Act, News, Privacy & Security, breach, carve out, contract, indemnification, limitation of liability, negotiating, privacy, warranties

California hospital breached patient privacy by faxing records to a wrong number

Posted on June 28, 2010 by Steve Fox and Vadim Schick

Breaches are not always caused by lost laptops or hackers. They often result from simple errors by the hospital's or another provder's own staff. In a very recent example, the California Department of Public Health found two instances of serious mishandling of protected patient information at Children's Hospital of Orange County. Via Orange County Register:

In the first instance, the state found that after a doctor called to give the hospital a new fax number, patient records were instead sent to an auto business. Six faxes with health care information were picked up from the business, the report says.

A month later, the auto shop again notified the hospital that it had received a fax with a patient's name, date of birth and details of visits. The hospital discovered that the wrong fax number had not been changed in a data base.

Hospital staff said the breach would have been prevented if a test fax had been sent as required by hospital policy, the report said.

The other privacy breach occurred when the name of an emergency room patient's doctor was incorrectly entered into the system. Records were then faxed to the wrong doctor who notified the hospital.

CHOC is auditing its database to make sure information is accurate.

It is not clear whether CDPH is going to impose a fine on CHOC like the agency did earlier this month to five different hospitals. Regardless, this episode should serve as a great reminder for healthcare providers about how simple mistakes can lead to costly and highly embarrassing data breaches, especially in instances where the provider fails to adhere to its own privacy policy.

"State blames CHOC in wrong-site surgery," Orange County Register (June 25, 2010).

Tags: Articles, HIPAA, News, PHI, Privacy & Security, breach, fax, patient privacy, policy, privacy, security

Breaking: ONC releases final rule on temporary EHR certification

Posted on June 18, 2010 by Steve Fox and Vadim Schick

On June 18, 2010, the Office of National Coordinator for Health IT issued a final rule, 45 CFR Part 170, establishing a temporary EHR certification program for the purposes of testing and certifying health information technology.

The National Coordinator will utilize the temporary certification program to authorize organizations to test and certify Complete Electronic Health Records (EHRs) and/or EHR Modules, thereby making Certified EHR
Technology available prior to the date on which health care providers seeking incentive payments available under the Medicare and Medicaid EHR Incentive Programs may begin demonstrating meaningful use of Certified EHR Technology.

You can find the new final rule here.

You can find ONC's "Fact Sheet" and Q&A regarding certification here.

Tags: ARRA, Articles, EHR, EHR certification process, HITECH Act, News, ONC, ONC-ATCBs, Privacy & Security, certification, temporary, temporary EHR certification, temporary certification program

Updated: breaches and fines on the rise

Posted on June 16, 2010 by Steve Fox and Vadim Schick

The number of reported health information breaches is growing rapidly: 32 breaches were reported on the OCR web site from September 2009 to February 2010, but the number almost tripled, to 93 breaches, by June 11, 2010. Such significant increases in reported breaches may be attributed to the notification and reporting requirements in the HITECH Act, which went into effect this year. We cannot possibly report or list all of the relevant breaches, but we would like to highlight a few important ones:

On May 28, 2010, Cincinnati.com reported that “Cincinnati Children's Hospital Medical Center is beefing up its computer security after a laptop computer containing more than 61,000 patient records was stolen.” Information lost included not only PHI, but also Social Security numbers and even credit card data. The records on the laptop were password protected, but they were not encrypted. The hospital reported the breach, hired a consulting company to deal with same, and offered affected individuals ID theft protection at no charge. The cost of this breach has already been extremely high, but it could be even higher if credit card companies go after Children's Hospital for losses associated with loss of improperly stored credit card information.

Five hospitals in California were fined a combined total of $675,000 by the California Department of Public Health for patient privacy violations, failing to prevent unauthorized access to confidential patient medical information of 245 patients, which were improperly accessed by a total of 32 employees. On June 10, 2010, Press-Enterprise reported that the Community Hospital of San Bernardino was fined by the state of California a total of $325,000 for breaches of more than 200 patient records by two employees in 2009. Violations were significant, but, considering the fine, far from gruesome.

Please click here to read more.

Tags: ARRA, Articles, California, California department of public health, HIPAA, HITECH, HITECH Act, News, PHI, Privacy & Security, breach, breach notification, privacy, security

HLM: OCR to release privacy and security rules in two weeks

Posted on June 16, 2010 by Steve Fox and Vadim Schick

Via Health Leaders Media:

OCR will release proposed rules later this month [or 'about two weeks or around June 26th'] on most of the HIPAA privacy and security-related provisions in HITECH, according to the North Carolina Healthcare Information and Communications Alliance (NCHICA).

<...> NCHICA reports the proposed rules will not include accounting for disclosures, which will be the subject of a separate proposed rule. The NPRM will also include clarification regarding "willful neglect" (penalty tiers).

Currently, that represents the most egregious breach of unsecured PHI and can include a penalty of at least $1.5 million under new HITECH tiers in the enforcement final rule.

The state alliance also reports state attorneys general (SAG) are "developing training programs, including information for SAG staff, covered entities and business associates regarding HIPAA requirements and processes for filings with HHS, based on lessons learned from the first AG filing in Connecticut." Under HITECH, state AGs can pursue lawsuits for HIPAA violations, and Connecticut's AG was the first to do so.

OCR is expected to begin its HITECH-required compliance audits next year, the alliance reports. OCR's audits will be outsourced because its resources are limited, according to the e-mail.

"Much remains to be decided," Susan McAndrew, JD, deputy director for Health Information Privacy, for OCR, said in the "Quiz the Regulator" session on June 7.

"State Alliance: Proposed HITECH Regulations Coming in Two Weeks," Health Leaders Media (June 15, 2010).

Tags: ARRA, Articles, HIPAA, HITECH Act, News, OCR, Privacy & Security

Allscripts and Eclipsys announce $1.3B merger

Posted on June 14, 2010 by Steve Fox and Vadim Schick

Allscripts and Eclipsys announced a $1.3 billion merger, which some analysts tout as a match "made in heaven" due to Allscripts's strength in the ambulatory space and Eclipsys's strength on the acute side. The merger is expected to be completed in four to six months; the combined company will have around 5,500 employees. The merger will also pose some challenges for the combined entity, with some customers worrying that the merger will distract management from dealing with existing issues. However, analysts believe that Allscripts's smooth merger with Misys in 2008 is a good sign that this merger with Eclipsys will succeed.

Both companies are looking to capitalize on the projected exponential growth in adoption of health IT, in part due to the incentives created by ARRA. According to the Congressional Budget Office, adoption of electronic health records by physician practices is expected to increase from 12% in 2011 to 90% by 2019.

This merger is yet another sign of future consolidation in the healthcare industry, both on the vendor side, and on the provider side, as enterprises try to minimize costs and maximize revenue in the ever-changing and often uncertain business environment.

"Allscripts-Eclipsys: 'A match made in heaven' - mostly," Healthcare IT News (June 10, 2010).

Tags: ARRA, Allscripts, Articles, EHR, Eclipsys, HITECH, HITECH Act, News, Privacy & Security, consolidation, merger

FTC Delays Enforcement of the Red Flags Rule

Posted on June 7, 2010 by Vadim Schick

Upon request from members of Congress, the Federal Trade Commission (FTC) has once again pushed back the enforcement of the Red Flags Rule, this time until December 31, 2010. This is the fifth such delay by the FTC. Via FTC press release:

The Rule became effective on January 1, 2008, with full compliance for all covered entities originally required by November 1, 2008. The Commission has issued several Enforcement Policies delaying enforcement of the Rule. Most recently, the Commission announced in October 2009 that at the request of certain Members of Congress, it was delaying enforcement of the Rule until June 1, 2010, to allow Congress time to finalize legislation that would limit the scope of business covered by the Rule. Since then, the Commission has received another request from Members of Congress for another delay in enforcement of the Rule beyond June 1, 2010.

The Commission urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays. If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the Commission will begin enforcement as of that effective date.

We have recently reported on the AMA and other medical associations suing the FTC over applicability of the Rule to healthcare providers. There was no mention of the AMA's claims or law suit in the press release.

You can read the full press release here.

"FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule," FTC Press Release (May 28, 2010).

Tags: AMA, Articles, December 31, 2010, FTC, News, Privacy & Security, Red Flags Rule, enforcement

Study: 94% of healthcare businesses not in substantial compliance with HITECH and HIPAA

Posted on May 25, 2010 by Steve Fox and Vadim Schick

A new survey by the Ponemon Institute, an organization dedicated to advancing responsible information and privacy management practices, found that almost all surveyed organizations did not substantially comply with HIPAA, including as modified by the HITECH Act. The survey was conducted in November 2009, but, according to Ponemon, the results are not supposed to have changed much.

Ponemon Institute's survey of 77 healthcare organizations, including 42 covered entities and 35 business associates, found (via BNA):

27 percent of the health care organizations had not started and were “barely aware” of what was required;
32 percent of the organizations were waiting for more details;
14 percent of organizations surveyed had a plan but were waiting for more details on the requirements;
21 percent of the organizations surveyed were just beginning to act on becoming compliant;
79 percent of organizations do not regularly have the required independent assessment or audit of their program to determine adequacy; and
57 percent reported having known deficiencies for privacy or security.

You can find the full survey here.

"Study Finds Majority of Health Care Entities Not Compliant with HIPAA, HITECH Provisions," BNA Health IT Law & Industry Report (May 24, 2010).

Tags: ARRA, Articles, Covered Entities, HIIPAA, HITECH, HITECH Act, News, Privacy & Security, Privacy and Security, business associate

Medical associations sue FTC over Red Flags Rule

Posted on May 24, 2010 by Steve Fox and Vadim Schick

Just days prior to the latest enforcement deadline of the Red Flags Rule ("RFR"), medical and osteopathic associations sued the Federal Trade Commission (FTC) over the applicability of RFR's identity theft prevention requirements to their member organizations. FTC is to begin enforcement of the Rule on June 1, 2010. Among other claims, medical associations are seeking the U.S. District Court for the District of Columbia to prevent the FTC from defining healthcare providers as "creditors" under FACTA. According to Health Data Management:

'The worst part is, I think, from a strictly ethical point of view, that you have to approach every new patient with suspicion about their identity,' said AMA spokesman Robert Mills. 'That violates every precept of the physician-patient relationship; the FTC is asking doctors to violate their role as trusted healer and counselor.'

The physician groups say that the rule requires them to set up identity theft prevention and detection programs, which aren't necessary, and said the FTC was 'arbitrary and capricious' in extending the application of the law to them. Also, the extension of the Red Flag Rule to doctors would do nothing to improve care, the physician groups say.

<...> According to the lawsuit, complying with the Red Flags Rule 'imposes significant burdens on physicians, particularly sole practitioners, and those practicing in small groups.'

Tags: AMA, ARRA, Articles, FTC, HIPAA, HITECH Act, News, Privacy & Security, Red Flags Rule, identity theft, privacy

Facebook's privacy struggles

Posted on May 19, 2010 by Vadim Schick

The Wall Street Journal devoted the front page of its "Marketplace" section to a report on Facebook's struggles with privacy advocates, regulators like FTC, and, at times, even its own employees.

The company can't afford not to act. The Federal Trade Commission is taking a close look at how online social networks are using people's data, and people close to the matter say it is increasingly focused on Facebook. <...>

A group of senators led by Sen. Charles Schumer (D., N.Y.) called on Facebook to roll back the changes and more than a dozen privacy groups lodged a complaint with the FTC on grounds that Facebook was displaying user information without their consent.

Facebook faces a herculean task of keeping personal information of its 500 million subscribers private and secure. Privacy is a major stumbling block for this young company, which hopes to earn billions in ad revenues by using the private data it collects from its subscribers.

Facebook must clearly articulate to its subscribers the privacy risks and security settings available to them; but, ultimately -- as the clever someecard, above, suggests -- the best way to ensure the privacy of one's personal information is not to share it with the world, via Facebook or any other online social networking site.

"Facebook Grapples With Privacy Issues," Wall Street Journal (May 19, 2010).

Tags: Articles, FTC, Facebook, News, Privacy & Security, data, privacy, security

OCR adds investigators to boost security rule enforcement

Posted on May 13, 2010 by Steve Fox and Vadim Schick

According to Health Data Management, Susan McAndrew, deputy director for privacy at the Department of Health and Human Services’ Office for Civil Rights (OCR) announced at a recent conference that OCR added investigators to 10 regional offices in order to boost enforcement of HIPAA privacy and security rules.

On August 3, 2009, HHS Secretary Kathleen Sebelius transferred the responsibility for HIPAA Security Rule enforcement from CMS to OCR, which is now tasked with enforcement of both the HIPAA Security Rule and the HIPAA Privacy Rule.

While the transition from CMS to OCR "took longer than expected," Ms. McAndrew believes that OCR is finally in a position to increase enforcement efforts in order to realize the privacy and security initiatives enacted last year pursuant to the HITECH Act.

We’re hoping to move security to the forefront and make it a real partner with privacy in our enforcement... [and] that with additional feet on the ground, we’ll be able to do many more security cases as the year moves forward.

"OCR Boosting Security Enforcement," Health Data Management (May 12, 2010).

Tags: ARRA, Act, Articles, HIPAA, HIPAA Privacy Rule, HIPAA Security Rule, HITECH, HITECH Act, News, OCR, Privacy & Security

Prison sentence for hospital employee who breached patient privacy

Posted on May 4, 2010 by Vadim Schick

Back in January, we wrote about Huping Zhou, a former employee at the UCLA Healthcare System, who pleaded guilty to federal charges of breaches of patient privacy. Zhou, 48, accessed the UCLA patient records system 323 times during the three-week period, mostly looking for the files of celebrities, after being let go by the hospital. Names of targeted celebrities have not been revealed.

On April 27, 2010, Zhou was sentenced to four months in prison after pleading guilty to four misdemeanor counts of HIPAA violations. Zhou is the first person ever sentenced to prison for violating HIPAA. According to NBC Los Angeles:

Federal officials say Zhou is a licensed cardiothoracic surgeon in China. In 2003, he went to work for UCLA as a researcher with the UCLA School of Medicine. But his tenure was short and stormy. School officials notified him that he would be dismissed in October that year, and that's when federal officials say the snooping began.

In his plea agreement, Zhou admitted his actions, and that he had no legitimate reason for accessing the records. Federal authorities say there's no evidence that he did it for profit. Apparently, he just did it because he could.

"Former UCLA Healthcare Worker Sentenced to Prison for Snooping, " NBC Los Angeles (April 28, 2010).

Tags: ARRA, Articles, HIPAA, HIPAA breach, HIPAA violation, HITECH Act, News, Privacy & Security, privacy, security

In the news: patient privacy edition

Posted on April 28, 2010 by Steve Fox and Vadim Schick

HHS's Office of Civil Rights (OCR) filed a notice in the Federal Register lifting a requirement preventing OCR from posting names of sole practitioners who suffer breaches of patient data without first obtaining consent from such practitioners. Pursuant to the HITECH Act, any covered entity reporting a breach affecting over 500 individuals must report such breach to HHS, and HHS will post a notice of such breach on its web site. At the same time, HHS did not post names of individual physician practices (e.g., sole practitioners) without such physicians' consent because they deemed the name of the physician to be protected under the Privacy Act of 1974. Instead, HHS listed such breaches under "private practice." However, OCR announced on April 16, 2010, that "it will begin posting on its breach notification web site the names of entities they consider "individuals" regardless of whether or not those entities give consent." According to HealthLeaders Media, the rule will become effective after the comment period closes (about May 23, 2010).

Government Health IT reports that OCR will issue more privacy and security rules mandated by the HITECH Act in May 2010, including rules regarding business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information. According to HHS, "OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions. Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements."

Tags: ARRA, Articles, HHS, HITECH Act, News, OCR, PHI, Privacy & Security, breach, breach notification, consent

Wall Street Journal on EMRs and HIEs

Posted on April 22, 2010 by Steve Fox and Vadim Schick

On April 13, 2010, the Wall Street Journal published two fascinating articles on health information technology issues. In "Can Technology Cure Health Health Care?" author Jacob Goldstein examined the complexities and major risks of adopting electronic medical records. Goldstein also suggested a few high-level policies necessary to combat such risks, including designing the software with patient care in mind (rather than focusing on billing and other administrative tasks); customizing the software to fit the unique needs of one's organization; and taking the time to implement the EMR in a carefully crafted, staged manner.

The last recommendation seems to be indeed crucial to a successful EMR implementation, but it will likely put many healthcare providers trying to capitalize on HITECH incentive payments in a peculiar situation. Such providers must carefully balance their need to achieve "meaningful use" in a short time frame, while preventing as many disruptions to patient care as possible.

In "Breaking Down the Barriers," Laura Landro examined the state of regional health organizations (RHIOs) and health information exchanges (HIEs). While RHIO/HIE's are still rare, the number of such electronic patient data exchanges grows every day. In fact, according to the Journal, the number of RHIO/HIE's increased by 57% since last year. Such exchanges are also likely to benefit from HITECH Act funding distributed by HHS.

There is an interesting nexus between these two articles: interoperability and exchange. A successful widespread adoption of EMR technology seems to depend upon different EMRs talking to each other, and different - including competing - healthcare providers exchanging patient information. While EMRs may only marginally improve patient care in each individual hospital, they are likely to have a far greater impact as part of a nationwide health information exchange.

"Can Technology Cure Health Care?" Wall Street Journal (April 13, 2010).

"Breaking Down the Barriers," Wall Street Journal (April 13, 2010).

Tags: ARRA, Articles, EMR, HIE, HITECH Act, News, Privacy & Security, RHIO, exchange, health information exchange, interoperability, meaingful use, regional health information organization, risk

In the news: Senators request easing of meaningful use requirements; HHS releases over $267M for RECs; and more

Posted on April 12, 2010 by Steve Fox and Vadim Schick

A group of 37 U.S. Senators sent a letter to HHS Secretary Kathleen Sebelius expressing concern regarding the current definition of meaningful use. The senators urged the Secretary to "allow providers to 'temporarily defer a limited set of IT goals' without otherwise changing the ultimate timeline or requirements of the program." The senators also sought to change the eligibility determination based on Medicare provider numbers, considering many healthcare providers have multiple medical campuses under one such Medicare number. According to Sen. Max Baucus (D-MT), such changes would "improve the guidelines HHS has set in way that will encourage widespread use of basic, functional IT tools and improve patient care.”

HHS released over $267 million from the stimulus funds to help 28 non-profit Regional Extension Centers (RECs). This latest award brought the total of stimulus-funded RECs to 60, and is expected to support 100,000 primary care and hospitals within 2 years. According to Secretary Sebelius, these 28 awards "represent [HHS's] ongoing commitment to make sure that health providers have the necessary support within their communities to maximize the use of health IT to improve the care they provide to their patients."

Tags: ARRA, Articles, HHS, HITECH Act, Meaningful use, News, ONC, Privacy & Security, REC, Regional Extension center, Sebelius, meaningful use regulations

Connecticut radiologist breaches privacy of hundreds

Posted on April 1, 2010 by Steve Fox and Vadim Schick

HealthImaging.com reported yesterday that a Connecticut radiologist, previously affiliated with the Griffin Hospital in Derby, Conn. "accessed patient radiology reports on the hospital's PACS using the passwords of other radiologists and an employee within the radiology department. The passwords were obtained and/or used without their knowledge." From HealthImaging.com:

From the investigation conducted by Griffin, it appears the radiologist who gained unauthorized access scanned the PACS directory listings of 957 patients who had radiology studies performed at Griffin during the period and selected and downloaded the image files of 339 of these patients.

On and after Feb. 26, Griffin received inquiries on behalf of patients regarding unsolicited contact by the physician who offered to perform professional services at another area hospital despite the patients' interest in having those services provided at Griffin. The inquiries prompted the investigation that revealed unauthorized intrusions into Griffin's PACS and, thereby, the breach of protected patient health information.

This should serve as a reminder for healthcare providers regarding maintaining the safeguards necessary to prevent wrongful access to patient data. For example, and there is no indication that this is what occurred in this case, clinicians and other hospital staff should not keep their system passwords on sticky notes next to or on their monitors. Even if you believe that everyone in your office is fully trustworthy, you never know who can get a hold of such restricted information as usernames and passwords. The reputational and financial damage to your organization could be very substantial; and your contract with the PACS system vendor is unlikely to indemnify or protect you from such losses.

"Radiologist breaches data, images of nearly 1,000 patients via PACS," HealthImaging.com (March 31, 2010).

Tags: Act, Articles, HIPAA, HITECH, News, Privacy & Security, breach, connecticut, contract, data, notification, privacy, radiologist, safeguard, security, vendor

ONC publishes white paper on consent options

Posted on April 1, 2010 by Vadim Schick

The Office of National Coordinator for Health IT (ONC) published on its web site a white paper analyzing the policies behind obtaining consent for the purposes of electronic health information exchange. The paper examined the concept of patient control of their health information, focusing on "the issues, nuanced considerations, and possible tradeoffs associated with the various consent options to help facilitate informed decision making." While the paper was written by researchers at the George Washington University, under contract with ONC, ONC clearly stated in the preamble that this white paper does not actually represent the views of the ONC or HHS.

You can find the full paper (and the attachments) by clicking here. You can view the executive summary by clicking here.

Tags: ARRA, Articles, HITECH Act, News, ONC, ONCHIT, Privacy & Security, Privacy and Security, consent, consent options, privacy, security

DEA to allow e-prescribing of controlled substances

Posted on March 25, 2010 by Steve Fox and Vadim Schick

On March 24, 2010, the U.S. Drug Enforcement Administration (DEA) released its interim final rule allowing electronic prescriptions of controlled substances. According to the DEA, e-prescribing of controlled substances will help reduce paperwork, prescription fraud and errors. Patients are also quite likely to be pleased by this more convenient and accurate way of filling their prescriptions.

According to Healthcare IT News, "ONC, CMS, AHRQ and other HHS staff have worked closely with the [DEA] to develop the policies in the Interim Final Rule."

The Interim Final Rule is classified as a "major rule" and is therefore subject to Congressional review. The Rule will be published in the Federal Register on March 31, 2010, but you can preview the unofficial version here.

You can also download the unofficial version of the Rule by clicking here.

"E-Rx of controlled substances Interim Final Rule available," Healthcare IT News (March 25, 2010).

Tags: Articles, DEA, Drug Enforcement Administration, HITECH Act, News, Privacy & Security, controlled substance, e-prescribing, eRx, electronic prescribing

In the news: medical ID theft on the rise; CHIME comments on meaningful; and more

Posted on March 24, 2010 by Steve Fox and Vadim Schick

Javelin Strategy & Research survey found over 275,000 cases of medical identity theft in 2009, with an average price tag greater than $12,000 per incident. This is twice as many cases as in 2008. Keeping health information safe is going to be of paramount importance in the next decade, especially considering the steep rise in use of electronic health records. According to Computerworld.com (citing a study by IDC, a research firm), "about a quarter of all Americans -- 77 million people -- already have an EHR, up from 14% from in 2009." By 2015, experts believe the number will reach up to 60%, partially due to the transformation of the health IT industry by the HITECH Act.

In its comments to CMS regarding the meaningful use NPRM, College of Healthcare Information Management Executives (CHIME) insisted that the present "all or nothing" approach to achieving meaningful use is going to prevent significant numbers of eligible providers from receiving any incentive payments under the HITECH Act. According to American Medical News:

Among CHIME's suggestions: a gradual implementation process that would allow physicians to qualify for incentives by achieving 25% of meaningful use objectives by 2011, 50% by 2013, 75% by 2015, and 100% by 2017.

'Without an approach that rewards progress or provides sufficient time, organizations with limited resources will likely have little chance of qualifying for payments, thus widening the 'digital divide' in the country,' CHIME wrote.

Tags: ARRA, Articles, CCHIT, CHIME, Certified EHR, HIPAA, HITECH, HITECH Act, News, Privacy & Security, certified, electronic health records, meaingful use, meaningful use regulations, privacy, security

Slides from webinar on negotiating "must-have" provisions in HIT contracts

Posted on March 19, 2010 by Vadim Schick

Last Thursday, March 18, 2010, from 1:00PM to 2:00PM (EDT), Post & Schell hosted the second webinar in a series examining the effects of meaningful use and other HITECH Act regulations on the healthcare industry.

The webinar focused on identifying and negotiating the essential elements of HIT agreements, particularly in light of the HITECH Act and related HHS regulations regarding "meaningful use" of "certified EHR technology." Post & Schell's Steve Fox and Vadim Schick, along with Jim Oakes, Principal at Health Care Information Consultants, discussed:

Warranty, limitation of liability and privacy and security provisions in HIT contracts
Structuring payments to correspond with certain achievement milestones
Acceptance testing procedures
Provisions specific to vendor-financing transactions
ASP / SaaS models of software licensing

If you missed the presentation, you can listen to the podcast here. You can also view the slides from our presentation here.

This webinar was the second in a series devoted to structuring vendor-provider agreements in the post-HITECH Act world. If you missed our first webinar, A Lawyer's Take on "Meaningful Use," you can still view the slides from that presentation here.

Tags: ARRA, Articles, HIPAA, HIT, HITECH, HITECH Act, Meaningful use, News, Privacy & Security, contracts, license, licensing, meaningful use definition, meaningful use regulations, negotiation, webinar

OCR delays enforcement of certain HITECH provisions

Posted on March 18, 2010 by Steve Fox and Vadim Schick

In a much-anticipated move, the Office of Civil Rights (OCR) within the Department of Health and Human Services has issued an update regarding delays of certain HITECH provisions, while confirming enforcement of others. Via OCR press release:

OCR will implement important privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act through notice and comment rulemaking, as required by the Administrative Procedure Act. These provisions include: business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information. OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions. Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements.

However, interim final rules implementing HITECH Act provisions in two areas have already been issued and are currently in effect: enforcement and breach notification. New civil money penalty amounts apply to HIPAA Privacy and Security Rule violations occurring after February 17, 2009. Covered entities and business associates must comply now with breach notification obligations for breaches that are discovered on or after September 23, 2009. OCR announced previously that it would use its enforcement discretion not to impose fiscal sanctions with regard to breaches discovered before February 22, 2010. Since that date has passed, OCR will enforce the Breach Notification Interim Final Rule, including with the possible imposition of sanctions, as it does with the HIPAA Privacy and Security Rule requirements.

You can find about more here.

"HITECH Act Rulemaking and Implementation Update," OCR Press Release (March 18, 2010).

Tags: ARRA, Act, Articles, HHS, HITECH, HITECH Act, News, OCR, Office of Civil Rights, Privacy & Security, business associate

Free Webinar: Negotiating "Must-Have" Provisions in HIT Contracts

Posted on March 9, 2010 by Steve Fox and Vadim Schick

On Thursday, March 18, 2010, from 1:00PM to 2:00PM (EDT), Post & Schell will host the next webinar in a series examining the effects of meaningful use and other HITECH Act regulations on the healthcare industry.

This webinar will focus on identifying and negotiating the essential elements of HIT agreements, particularly in light of the HITECH Act and related HHS regulations regarding "meaningful use" of "certified EHR technology." Post & Schell's Steve Fox and Vadim Schick, along with Jim Oakes, Principal at Health Care Information Consultants, will discuss:

Warranty, limitation of liability and privacy and security provisions in HIT contracts
Structuring payments to correspond with certain achievement milestones
Acceptance testing procedures
Provisions specific to vendor-financing transactions
ASP / SaaS models of software licensing

You may view this presentation at your desk. There is no charge or limit to the number of people who may listen to the presentation on the same line. Click here to register. After registering, you will receive log-in information by e-mail.

This webinar is second in a series devoted to structuring vendor-provider agreements in the post-HITECH Act world. If you missed our first webinar, A Lawyer's Take on "Meaningful Use," you can still view the slides from that presentation here.

Tags: ARRA, Articles, HITECH, HITECH Act, Meaningful use, Privacy & Security, contract, law, license, meaningful use definition, meaningful use regulations, negotiation

Breaking: ONC releases NPRM on certification programs

Posted on March 2, 2010 by Steve Fox and Vadim Schick

ONC announced release of the much-anticipated Notice of Proposed Rulemaking (NPRM) on certification programs. Via ONC Press Release:

Certification of Health IT will provide assurance to purchasers and other users that an EHR system, or other relevant technology, offers the necessary technological capability, functionality, and security to help them meet the meaningful use criteria established for a given phase. Providers and patients must also be confident that the electronic health IT products and systems they use are secure, can maintain data confidentially, and can work with other systems to share information. Confidence in health IT systems is an important part of advancing health IT system adoption and allowing for the realization of the benefits of improved patient care.

Eligible professionals and eligible hospitals who seek to qualify for incentive payments under the Medicare and Medicaid EHR Incentive Programs are required by statute to use Certified EHR Technology. Once certified, Complete EHRs and EHR Modules would be able to be used by eligible professionals and eligible hospitals, or be combined, to meet the statutory requirement for Certified EHR Technology.

Tags: ARRA, Articles, Certified EHR, EHR, HITECH Act, Meaningful use, News, Privacy & Security, meaningful use definition, meaningful use regulations

HHS begins enforcement of breach notification requirements

Posted on February 25, 2010 by Steve Fox and Vadim Schick

As of February 22, 2010, HHS is expected to begin enforcing the new breach notification requirements created by the privacy and security provisions within the HITECH Act. Although such requirements went into effect last fall, HHS gave covered entities and business associates a few months to adapt to the new rules. That enforcement delay is now over, and, perhaps in a related move, on February 23, 2010, HHS's Office of Civil Rights, pursuant to the HITECH Act, posted a list of organizations which reported breaches of unsecured protected health information affecting 500 or more individuals on OCR's web site. This should serve as a good reminder to providers and HIT vendors alike to be keenly aware of the new regulations on breach notification.

The HITECH Act required a covered entity that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information” to notify each individual “whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed” due to the breach. Business associates who discover a breach must notify the covered entity.

By regulation published in the Federal Register on August 24, 2009, HHS added a rather controversial "harm threshold" to this requirement: covered entities and business associates are required to notify the affected individual, the HHS, and, in some cases, the media, if such breach poses a significant risk of harm to the individual. This "harm threshold" essentially requires the organization which discovers a breach to undergo a risk assessment test to determine whether a breach would cause "significant harm" to the affected person.

Free Webinar on Meaningful Use: Slides included below

Posted on February 24, 2010 by Vadim Schick

Here are the slides from our February 25, 2010 Webinar on Meaningful Use. This webinar was first in a series, and focused on the critical definition of "meaningful use" of "certified EHR technology," as described in proposed regulations released and published by CMS pursuant to the HITECH Act on January 13, 2009. Steve and I discussed:

Key policy goals and objectives behind meaningful use

Measures required to achieve meaningful use

Structure of incentive payments under Medicare and Medicaid

Eligibility requirements for professionals and hospitals

Our next webinar, to be held on Thursday March 18, 2010, from 1:00 to 2:00 PM, will focus on how to negotiate software and EHR licensing agreements and other transactional issues with respect to dealing with health IT vendors.

For more information, please contact me at vschick@postschell.com or 202-661-6945.

Tags: ARRA, Articles, EHR, EMR, Federal Register meaningful use, HITECH, HITECH Act, Incentives, Medicaid, Medicare, News, Privacy & Security, federal register, incentive payments, meaingful use

OCR may delay enforcement of business associate provisions in the HITECH Act

Posted on February 23, 2010 by Steve Fox and Vadim Schick

Pursuant to the HITECH Act, on February 17, 2010, business associates of covered entities became subject to the HIPAA Privacy and Security Rules, including provisions regarding implementation of various safeguards to secure protected health information. As Steve Fox pointed out in a recent report on the subject by the Pittsburgh Business Journal, it is highly unlikely that most companies are ready to comply with these dramatic changes.

However, according to Hunton & Williams's privacy blog, Adam Greene of the HHS Office of Civil Rights (OCR) stated at an ABA conference on February 18, 2010, that OCR will delay enforcement of this provision of the HITECH Act until the relevant regulations are finalized. OCR itself did not publish a press release on the subject, and we were unable to reach Mr. Greene for comment.

Regardless of OCR's intent to enforce compliance, the business associate provisions in the HITECH Act went into effect last week. We would strongly encourage all covered entities and business associates to take all necessary actions to comply with the new law.

"Privacy policies over electronic health records expand reach," Pittsburgh Business Journal (February 19, 2010).

"HHS Delays Enforcement of HITECH Act Business Associate Provisions," Privacy & Information Security Law Blog (February 19, 2010).

Tags: ARRA, Adam Greene, Articles, Business Associates, HHS, HIPAA, HIPAA Privacy Rule, HIPAA Security Rule, HITECH Act, News, OCR, Privacy & Security, business associates as covered entities, delay, delayed enforcement, enforcement

Thursday: Free Webinar on "Meaningful Use"

Posted on February 22, 2010 by Vadim Schick

On Thursday, February 25, 2010 from 1:00PM to 2:00PM (EST), Steve Fox and yours truly will host a free webinar, the first in a series, which will focus on the critical definition of "meaningful use" of "certified EHR technology," as described in proposed regulations released and published by CMS pursuant to the HITECH Act on January 13, 2009. We will discuss:

Key policy goals and objectives behind meaningful use

Measures required to achieve meaningful use

Structure of incentive payments under Medicare and Medicaid

Eligibility requirements for professionals and hospitals

You may view each of these presentations at your desk. There is no charge or limit to the number of people who may listen to each presentation on the same line. Click here to register. After registering, you will receive log-in information by e-mail.

Our next webinar, to be held on Thursday March 18, 2010, from 1:00 to 2:00 PM, will focus on how to negotiate software and EHR licensing agreements and other transactional issues with respect to dealing with health IT vendors.

For more information, please contact me at vschick@postschell.com or 202-661-6945.

Tags: ARRA, Articles, EHR, EMR, HITECH, HITECH Act, Meaningful use, Medicaid, Medicare, News, Privacy & Security, electronic health records, electronic medical records, free webinar, incentive payments, meaningful use definition, meaningful use regulations, webinar

Pritts named first ONC Chief Privacy Officer

Posted on February 18, 2010 by Steve Fox and Vadim Schick

Joy Pritts, a researcher and faculty member at Georgetown University's Health Policy Institute, was named as the first Chief Privacy Officer for the Office of National Coordinator for Health IT. This position was created pursuant to a provision in ARRA, last year's economic stimulus legislation.

In her new position, Ms. Pritts will advise Dr. Blumenthal on forming policies on privacy, security and data stewardship of electronic health information, as well as coordinate similar efforts on state, federal and international levels.

Ms. Pritts is a graduate of Oberlin College and Case Western Reserve University School of Law. She has testified before Congress on data privacy issues, and served as a member of Technical Advisory Panel for the multi-state Health Information Security and Privacy Collaborative (HISPC) and on the board of the National Governors Association’s State Alliance for e-Health.

Tags: ARRA, Articles, Blumenthal, HIPAA, HITECH, HITECH Act, News, ONC, Pritts, Privacy & Security, chief privacy officer, office of national coordinator, privacy

Massive cyber attack affects 75,000 computer systems across the world

Posted on February 18, 2010 by Vadim Schick

According to the Washington Post, more than 75,000 computer systems at over 2,500 companies across the world have been hacked in possibly the largest and extremely sophisticated cross-border cyber attack. The perpetrators appear to be non-state entities operating out of Eastern Europe.

They lured employees of targeted companies to open attachments containing malware or malicious software ("bots") which track down login and password information stored on those systems. Experts believe that such login credentials -- which include online banking user information -- are valuable to such hackers.

The attack mostly affected businesses in the United States, Egypt, Mexico, Turkey and Saudi Arabia. Wall Street Journal named Merck and Cardinal Health among the companies affected.

Tags: Articles, News, Privacy & Security, attack, bots, cyber, malware

Study finds big increases in physicans' online communications with patients

Posted on February 16, 2010 by Steve Fox and Vadim Schick

According to American Medical News (AMN), a new report by Manhattan Research states that online communications by physicians have increased by 14% since 2006. The survey of 1900 physicians found that 39% of physicians use online communication tools such as email, secure messaging, or instant messaging.

Dermatologists lead all other surveyed practices in the volume of online communications, which, according to Girish Munavalli, MD, assistant professor of dermatology at Johns Hopkins University School of Medicine, can be attributed to "a lot of triage calls and calls for clarification of instructions" which come from dermatologists' large patient volumes. "This is perfect for short e-mail communication and reminders," added Dr. Munavalli.

Dermatologists are followed by oncologists, neurologists, endocrinologists, infectious disease specialists, and primary care physicians.

Of course, certain obstacles remain. Some doctors abstain from using such technology because of liability worries, while many patients prefer in-person meetings because of concerns regarding privacy of their health information. Still, the report suggests that this increase may be due to the growing comfort level and acceptance of online communication between physicians and patients. And it may even indicate a larger trend of greater familiarity and use of other health-related technologies, such as EMRs and personal health records.

Tags: ARRA, Articles, EMR, HITECH Act, News, Physicians, Privacy & Security, health information, messaging, online communication tools, online communications, patient communications, privacy, secure

Obama administration announces $975M in HIT grants

Posted on February 16, 2010 by Steve Fox and Vadim Schick

HHS Secretary Kathleen Sebelius, appearing with Labor Secretary Hilda Solis, announced the Obama administration will release almost $1 billion set aside in the stimulus bill in order to aid implementation of health information technology.

Secretary Sebelius announced $386 million in grants to advance widespread adoption of EHRs at the state level, including for health information exchanges (HIEs). HHS also awarded $375 million to 32 nonprofits for Regional Extension Centers which assist providers in updating their medical record systems and train workers on such new technologies.

Secretary Solis announced around $225 million to support 55 job-training programs in 30 states which is expected to train around 15,000 people in the health records technology.

The Obama administration expects to help more than 100,000 health-care providers set up electronic medical records for their patients by 2014.

Tags: ARRA, Articles, EHR, EMR, HIE, HITECH, HITECH Act, News, Privacy & Security, Regional Extension center, Sebelius, grant, health information exchange, training

Rising numbers and costs of data breaches

Posted on January 28, 2010 by Vadim Schick

There is little doubt that the healthcare industry must prepare for a growing number of - and expanding costs associated with - data breaches, particularly for breaches of protected health information. Here are just a few notable reports on this subject:

Infosecurity.com reported on a striking increase in attempts to hack into healthcare organizations, while the rate of hacking in other economic sectors remained flat: "the last quarter of [2009] saw an average of 13 400 attempts to hack healthcare organizations, compared to an average of 6,500 in the first nine months." According to researchers at SecureWorks, which produced the graph above, healthcare organizations are particularly vulnerable to such attacks because they "have to provide access to many external networks and web applications so as to stay connected with their patients, employees, insurers and business partners. This increases their risk to cyber attacks."

Cnet News reported on similar findings by the Ponemon Institute, whose survey concluded that "Data breaches at U.S. companies attributed to malicious attacks and botnets doubled from 2008 to 2009 and cost substantially more than breaches caused by human negligence or system glitches." The cost per compromised record involving a criminal act averaged $215, about 40% higher than breaches from negligence and 30% higher than those from glitches, the Ponemon survey found.

Tags: ARRA, Articles, BCBS, HITECH, HealthNet, News, Privacy & Security, Privacy and Security, breach, credit, data breach, hacking, health information, malware, monitoring, notification, privacy, security

In the news: Privacy breaches and de-identification

Posted on January 11, 2010 by Steve Fox and Vadim Schick

According to LA Weekly, Huping Zhou, a former employee at the UCLA Healthcare System, pleaded guilty to federal charges of breaches of patient privacy. Zhou, 48, accessed the UCLA patient records system 323 times during the three-week period, mostly looking for the files of celebrities, after being let go by the hospital. Names of targeted celebrities have not been revealed. This case follows a similar breach at UCLA Medical Center, when Lawanda Jackson, a former nurse at the Center, plead guilty to wrongfully accessing information of Britney Spears and Farrah Fawcett.

Delaware Online reports about a new unfortunate trend in medical identity theft -- searching for copies of discarded prescriptions: "In the latest crime trend to hit Delaware, police are reporting that people looking for drugs such as Oxycontin and Vicodin are stalking customers who throw away prescription bags containing paperwork with details about their pills and themselves. They use the personal information to call in prescriptions and charge them to the victims' insurance. Then they turn around and sell the drugs." According to Bruce DiVincenzo, chief agent of Delaware's Office of Narcotics and Dangerous Drugs:

They're making their own scripts by ordering paper from the Internet," he said. "It's the patient's name that they want, because that person is actively listed as a customer of the pharmacy and will not raise suspicion."

Pharmacies like CVS and Happy Harry's (a subsidiary of Walgreens) take certain precautions to prevent such identity theft, including checking ID's before filling prescriptions and reminding customers to be careful with their receipts and copies of prescriptions.

Tags: ARRA, Articles, HIPAA, HIPAA Privacy Rule, HIPAA Security Rule, HITECH Act, News, Privacy & Security, breach, de-identification, deidentification, identity theft

Updated: Meaningful Use Definition Released in the Federal Register

Posted on December 30, 2009 by Steve Fox and Vadim Schick

CMS released a proposed rule pursuant to the HITECH Act which includes the much-anticipated definition of Meaningful Use of Certified EHR technology. You can find the full text here.*

HHS has also released an interim final rule with a request for comments to adopt an initial set of standards, implementation specifications, and certification criteria, as required by section 3004(b)(1) of the Public Health Service Act. This interim final rule represents the first step in an incremental approach to adopting standards, implementation specifications, and certification criteria to enhance the interoperability, functionality, utility, and security of health information technology and to support its meaningful use. The certification criteria adopted in this initial set establish the capabilities and related standards that certified electronic health record (EHR) technology will need to include in order to, at a minimum, support the achievement of the proposed meaningful use Stage 1 (beginning in 2011) by eligible professionals and eligible hospitals under the Medicare and Medicaid EHR Incentive Programs. You can find this interim rule here.*

Tags: ARRA, Articles, CMS meaningful use, Certified EHR, EHR, EMR, Federal Register meaningful use, HITECH Act, Meaningful use, News, Privacy & Security, federal register, incentive payments, meaningful use definition, meaningful use regulations

ALERT: CMS and ONC to Discuss Next Steps in EHR Programs Today

Posted on December 30, 2009 by Steve Fox and Vadim Schick

Today the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) will announce two regulations that lay a foundation for improving quality, efficiency, and safety through meaningful use of electronic health record (EHR) technology.

The regulations will help implement the EHR incentive programs enacted under the Health Information Technology for Clinical and Economic Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act of 2009. Public comments on both regulations are encouraged.

Join today’s call; details are listed below:

WHO:
--David Blumenthal, MD, MPP, national coordinator for health information technology
--Jonathan Blum, director, Center for Medicare Management
--Cindy Mann, director, Center for Medicaid and State Operations

WHAT:
Briefing for HITECH Partners and Stakeholders – Providers, HIT Industry Organizations

WHEN:
Today, Wednesday, Dec. 30, 2009, 5:15 p.m. – 6:00 p.m. Eastern Time

WHERE:
Toll-Free Dial: (800) 837-1935
Conference ID: 49047605
Pass Code: HITECH

Stay tuned for more updates and information on the HIMSS Meaningful Use Web site at http://bit.ly/5IdkDe . HIMSS will be posting a statement tomorrow.

Tags: ARRA, Articles, Blumenthal, CMS, HITECH Act, Meaningful use, News, Privacy & Security

ONC names 17 members of the privacy and security workgroup

Posted on December 11, 2009 by Steve Fox and Vadim Schick

The Office of National Coordinator for Health IT named 17 members of the newly formed privacy and security workgroup of the HIT Policy Committee. According to Government Health IT:

The work group will be co-chaired by Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, and Rachel Block, executive director of the New York eHealth Collaborative and deputy commissioner for health IT transformation at the New York State Department of Health.

Their team will advise the Policy Committee on such matters as how safeguards for the exchange of health information should fit into the “meaningful use” test for health IT incentives that ONC has been working on.

The ONC has previously announced the establishment of a separate workgroup devoted to creation of a national health information network, which, of course, will have to deal with its own set of privacy and security concerns. There is also a privacy and security workgroup under the HIT Standards Committee.

Tags: ARRA, Articles, HIT Policy Committee, HIT Standards Committee, HITECH Act, Meaningful use, News, ONC, ONCHIT, Privacy & Security, Privacy and Security, meaningful use definition, office of national coordinator

In the news: EHR incentives; the rising threat of medical identity theft

Posted on November 30, 2009 by Steve Fox and Vadim Schick

In a letter to Dr. Blumenthal, the Medical Group Management Association (MGMA) urged the ONC to define "meaningful use" in a practical and achievable way. Otherwise, many providers could fail to qualify for the HITECH Act's incentives. The MGMA is recommending, inter alia, instituting a pilot test prior to the start of the program and before each new phase of the program; including only criteria for meaningful use that have widespread industry use or have been tested; permitting physicians to test their reporting systems prior to their “go-live” date; permitting flexibility in achieving meaningful use and avoiding a “pass/fail” approach; developing a simple process for physicians to attest that they have achieved meaningful use; simplifying the data-reporting process and ensuring that the government is ready to accept the data; closely monitoring the industry to ensure that the program logistics operate appropriately; and ensuring government oversight of the vendor community for its ability to produce high-quality and reasonably priced software.

A former Johns Hopkins hospital employee, Michelle Johnson, was sentenced to 18 months in prison and ordered to pay $200,000 in restitution for stealing patient information. According to the Associated Press, Ms. Johnson, formerly a patient services coordinator, "provided a conspirator with names, Social Security numbers and other identifying information of more than 100 current and former patients of Johns Hopkins. That information was used to apply for credit. Johnson kept some of the fraudulently ordered merchandise for herself, including a computer monitor, a cordless phone, and clothes for herself and her children."

Tags: ARRA, Articles, Blumenthal, HITECH Act, MGMA, News, Privacy & Security, electronic health records, electronic medical records, meaningful, meaningful use definition, use

Identity thieves target victims of accidents at a medical center in Nevada

Posted on November 20, 2009 by Steve Fox and Vadim Schick

This article serves as a great reminder about the importance of safeguarding your patients' data, both from thieves outside and, unfortunately, from within the organization. Via Las Vegas Sun:

Private information about accident victims treated at University Medical Center has apparently been leaking for months, the Sun has learned, allegedly so ambulance-chasing attorneys could mine for clients.

Sources say someone at UMC is selling a compilation of the hospital’s daily registration forms for accident patients. This is confidential information — including names, birth dates, Social Security numbers and injuries — that could also be used for identity theft.

Hospital officials knew of rumors of the leaks since the summer, but doubted them until provided evidence Thursday by the Sun. Now they’re scrambling to catch up to a crisis that may affect hundreds, if not thousands, of patients.

The full article is available here.

"UMC has patient privacy leak," Las Vegas Sun (November 20, 2009).

Tags: Articles, HIPAA, News, PHI, Privacy & Security, UMC, data breach

Health Net data breach affects 450,000 people

Posted on November 19, 2009 by Steve Fox and Vadim Schick

Health insurance provider Health Net reported a loss of a portable disk drive (which occurred six months ago). The disk drive contained compressed, though not encrypted, data, including social security and bank account information, on nearly half a million persons.

Connecticut Attorney General Richard Blumenthal was "outraged" the company waited this long to go public about this major data breach:

Health Net’s incomprehensible foot-dragging demonstrates shocking disregard for patients’ financial security, as well as loss of their highly sensitive and confidential personal health information <...> Personal information is like cash and should be guarded with equal care. Casual and cavalier attitudes toward data protection and breaches are intolerable and must stop.

This case provides yet another reminder about the importance of encrypting the sensitive and protected data, including PHI, in your possession.

Tags: Articles, Health Net, News, Privacy & Security, breach, data, data breach

HHS releases interim final regulations on HIPAA enforcement changes

Posted on November 2, 2009 by Steve Fox and Vadim Schick

Pursuant to the HITECH Act, the Department of Health and Human Services (HHS) released interim final regulations updating enforcement rules for violations of HIPAA. As reported in Healthcare IT News:

Prior to the HITECH Act, the penalty could be no more than $100 for each violation or $25,000 for all identical violations of the same provision.

A healthcare provider, health plan or clearinghouse could also bar the secretary's imposition of a civil money penalty by demonstrating that it did not know that it violated the HIPAA rules.

Section 13410(d) of the HITECH Act strengthened the enforcement by establishing tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision. A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery.

The interim final rule with request for comments, published last week, conforms the HIPAA enforcement regulations to the revisions made by the HITECH Act. This rule will become effective on Nov. 30. HHS will consider all comments received by Dec. 29.

You can find the full text of the rule is here.

"HIPAA violators could face fines up to $1.5M," Healthcare IT News (November 2, 2009).

Tags: ARRA, Articles, HHS, HIPAA, HITECH Act, News, Privacy & Security, civil money penalty, enforcement

FTC delays enforcement of the Red Flags Rule till June 2010

Posted on November 2, 2009 by Steve Fox and Vadim Schick

In a fairly predictable move, the Federal Trade Commission delayed enforcement of the Red Flags Rule until June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC. According to the FTC press release, the Commission decided to extend the enforcement deadline at the request of the members of U.S. Congress.

However, in the press release, the FTC reminded us about the progress its staff has made in the last year in providing businesses subject to the Red Flags Rule with sufficient guidance and materials:

The Commission staff has continued to provide guidance to entities within its jurisdiction, both through materials posted on the dedicated Red Flags Rule Web site (www.ftc.gov/redflagsrule), and in speeches and participation in seminars, conferences and other training events to numerous groups. The Commission also published a compliance guide for business, and created a template that enables low risk entities to create an identity theft program with an easy-to-use online form. FTC staff has published numerous general and industry-specific articles, released a video explaining the Rule, and continues to respond to inquiries from the public. To assist further with compliance, FTC staff has worked with a number of trade associations that have chosen to develop model policies or specialized guidance for their members.

You can find the full text of the press release here.

"FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule," FTC Press Release (October 30, 2009).

Tags: Articles, FTC, Flags, News, Privacy & Security, Red, Red Flags Rule, Rule

Doctor and two employees sentenced for HIPAA violations

Posted on October 27, 2009 by Steve Fox and Vadim Schick

On July 20, 2009, Dr. Jay Holland and two hospital employees plead guilty to misdemeanor violations of the health information privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) based on their accessing records of a high-profile patient at the St. Vincent Infirmary Medical Center without any legitimate purpose.

According to the FBI press release, the doctor has been sentenced to a $5,000 fine to be paid in 60 days, and 50 hours of community service educating professionals on HIPAA. The two employees were sentenced to to one-year probation each, and a $2,500 fine for one and a $1,500 fine for another, both payable in installments.

The United States Attorney for the Eastern District of Arkansas stated that:

We hope that today’s sentencings send the message that the HIPAA protections apply to every person in the community, regardless of their position or stature. Likewise, the penalties for violating HIPAA apply equally to every person with access to protected health information.

"Doctor and Two Former Hospital Employees Sentenced for HIPAA Violations," FBI Press Release (October 26, 2009).

Tags: Articles, HIPAA, News, Privacy & Security, criminal, violation

U.S. House: Red Flags Rule does not apply to dentists

Posted on October 23, 2009 by Vadim Schick

In a remarkable 400-0 vote, the U.S. House of Representatives exempted dentists from the requirements of FTC's Red Flags Rule. The measure garnered rare, unambiguously bi-partisan support in Congress:

It is obvious that physicians and dentists are not creditors, and they should not be forced to spend hundreds of dollars to comply with this needless regulation," said dentist/Rep. Mike Simpson (R-Idaho), one of the key sponsors of the bill. "They don't require full payment at the time of service because they first bill the insurance company, then they bill the patient the remainder of the bill. This system should not be treated the same as a loan with a financial institution," said Congressman Simpson.

Rep. John Adler (D-N.J.), the bill's chief sponsor, said the FTC "went too far. During these tough economic times, the federal government should not be placing burdensome regulations on small businesses."

"By passing this fix today, Congress can provide the FTC a clear definition of how Congress intended the policy to be enacted and protect small businesses and their customers from unnecessary government intervention," said Rep. Christopher Lee (R-N.Y.), a cosponsor.

"In my opinion, the manner in which this legislation was crafted, with input from both sides of the aisle, with the FTC and with the various sectors that would be adversely affected if we had not acted, is the model for how this House can work to actually solve the problems facing our country," said Rep. Paul Broun (R-Ga.), a physician who cosponsored the measure.

Tags: ADA, Articles, News, Privacy & Security, Red Flags Rule

New York Times interviews David Blumenthal

Posted on October 21, 2009 by Steve Fox and Vadim Schick

David Pogue, a reporter for the New York Times, posted the transcript of his interview with Dr. David Blumenthal, National Coordinator for Health IT. Mr. Pogue interviewed Dr. Blumenthal for a CBS news report on digitization of healthcare in America (the video is available after the jump).

Here are some highlights from the interview:

On current state of health IT in the US:

We found that about 17 percent of physicians in 2008 had adopted an electronic health record, and about ten percent of hospitals. <...> The rest is paper. It's basically the same system that physicians have used since Hippocrates, which is writing on some piece of paper.

On reimbursement penalties for those failing to achieve meaningful use by 2015:

From 2011 to 2015, there is a bonus. The Congress has put $45 billion on the table to ease physicians and hospitals into this new world of computerized medicine.After 2015, if you have not adopted, and you see Medicare or Medicaid patients, you may experience a penalty. 2015 is six years off. Six years is plenty of time for physicians to get themselves organized to put a record in place and avoid those penalties.

Tags: 2012, 2015, ARRA, Articles, Blumenthal, EHR, EHRs, EMR, EMRs, HITECH, HITECH Act, News, Privacy & Security, electronic health records, incentive payments, privacy, reimbursements, security

Massive Data Loss Affects Nearly Every Doctor in America

Posted on October 20, 2009 by Steve Fox and Vadim Schick

Major losses or breaches of personal information are not just for patients anymore: The Chicago Tribune reports that the Blue Cross Blue Shield Association lost sensitive personal information, including, in some cases, social security numbers, of about 800,000 physicians -- nearly all the doctors in the United States. As expected, this data loss came from a stolen laptop. According to the Tribune:

The Chicago-based Blue Cross and Blue Shield Association, a trade group for the nation's Blue Cross health insurance plans, confirmed an employee "broke protocol and transferred to a personal laptop" information that was later stolen in late August.

No patient information was on the database, so concern by consumers having personal health records breached is unwarranted, the association said. And doctors have not reported security breaches.

About 16 to 20 percent of the doctors listed in the database have their Social Security numbers as their medical-care provider identification, putting these health professionals at risk for identity theft.

Despite receiving no reports of identity theft, Blue Cross Blue Shield Association is offering credit monitoring services to those providers whose Social Security numbers were exposed.

"Blue Cross warns doctors about stolen identification data," The Chicago Tribute (October 14, 2009).

Tags: Articles, BCBSA, Blue Cross Blue Shield, Blue Cross Blue Shield Association, News, Privacy & Security, data breach, data loss

In the news: Blumenthal on "meaningful use," new health information management jobs, etc.

Posted on October 12, 2009 by Steve Fox and Vadim Schick

Dr. David Blumenthal, the National Coordinator for Health IT, gave an update on the Obama Administration's efforts to define "meaningful use" and to further adoption of EHRs nationwide. Blumenthal did not reveal any new details regarding the upcoming regulations on meaningful use, reminding his audience of the upcoming "notice of proposed rulemaking in late 2009 with a public comment period in early 2010."

Meanwhile, according to Government HealthIT, the next meeting of the HIT Policy Committee, which will meet on October 27 and 28, will focus on how to map meaningful use objectives to medical specialties as well as small practices and hospitals.

Speaking at the 81st annual American Health Information Management Association convention in Grapevine, Texas, Dr. Blumenthal stated that he expects 50,000 health information management (HIM) jobs to be created as the U.S. moves from the paper-based to the digital system of healthcare. AHIMA's CEO, Linda Kloss, noted that the interest in HIM careers has "exploded" during the last year.

Much more news after the jump.

Tags: ARRA, Articles, Blumenthal, EHR, HIE, HITECH Act, Meaningful use, News, Privacy & Security, e-payment, e-prescribing, health information exchange, meaningful use definition

A note of caution about vendor guarantees on "meaningful use"

Posted on October 5, 2009 by Steve Fox and Vadim Schick

According to Modern Healthcare, several HIT vendors, including GE Healthcare, NextGen Healthcare Information Systems, and Athenahealth, will guarantee that their EHR products will meet or "evolve to meet" the federal requirements for "meaningful use," even though such requirements have not been promulgated yet by CMS. In fact,

Athenahealth recently upped the ante by guaranteeing that, not only will the company's AthenaClinicals Internet-based electronic health-record service meet federal standards, but the doctors who use it will receive a bonus payment for the 2011 program year under the terms of the [HITECH Act].

The HITECH Act provides for a first-year incentive payment of $18,000 for those eligible professionals who achieve meaningful use of certified EHR technology in 2011 or 2012, instead of a first-year payment of $15,000 thereafter.

Some vendors hope that such guarantees will spur activity in the market, persuading some reluctant healthcare providers not to wait until CMS issues its final "meaningful use" regulations next year. There is also some doubt whether such guarantees apply to each vendor's existing customers or solely to new customers.

However, whenever a healthcare organization enters into an EMR purchase or license agreement, it must obtain strong warranties from the vendor that its product(s) and system will meet the applicable federal requirement standards at time of issuance of such standards, as well as for duration of the applicable license. "Meaningful use" requirements will likely change over the life of a license, and a vendor's obligation to meet such evolving standards is absolutely essential. Healthcare providers must also include proper remedies and appropriate carve-outs from vendor's limitation of liability for a vendor's breach of such warranties.

Tags: ARRA, Articles, EHR, EMR, HITECH, HITECH Act, News, Privacy & Security, guarantee, incentive payments, meaingful use, warranties, warranty

HIT Standards Committee endorses privacy and security standards

Posted on September 21, 2009 by Steve Fox and Vadim Schick

On September 15, 2009, the HIT Standards Committee endorsed a set of privacy and security standards for electronic health record systems.
These standards will be recommended to Dr. David Blumenthal, the National Coordinator for Health Information Technology, as a basis for establishing the privacy and security criteria for, inter alia, "certified EHR technology" as defined under the HITECH Act. Eligible healthcare providers must meet the criteria for "meaningful use" of "certified EHR technology" in order to qualify for significant incentives available under the HITECH Act.

The committee’s Privacy and Security Workgroup included access control, authentication, authorization and transmission of health data among the requirements that electronic health record systems must include by 2011 in order to meet the definition of "certified EHR technology." Specifically for 2011, the Standards Committee approved the Workgroup's recommendation to require certified products to provide the capabilities necessary to support the HIPAA and ARRA security and privacy requirements and best practices for “meaningful use.” The endorsed privacy and security standards will become more rigorous in 2013 and 2015.

You can find the spreadsheet of endorsed privacy and security standards here.

You can also view the presentation from the Workgroup here.

"Federal panel okays EHR security, privacy standards," Government Health IT (September 15, 2009).

Tags: ARRA, Articles, HIPAA, HIT, HIT Standards Committee, HITECH, HITECH Act, News, Privacy & Security, Privacy and Security, incentive, incentive payments, privacy, security

Regional Extension Program: Important Updates and Links from HHS

Posted on September 3, 2009 by Steve Fox and Vadim Schick

Via HHS e-mail update:

The Office of the National Coordinator for Health Information Technology (ONC) is pleased to announce the availability of materials that are of immediate interest and use to stakeholders and potential applicants for the Health Information Technology Extension Program: Regional Centers Cooperative Agreement Program, and that are new or updated since the August 27, 2009 technical assistance telephone and web conference.

REVISED – Preliminary Application Template (Attachment I to the Funding Opportunity Announcement): As discussed on the August 27th technical assistance public conference, the suggested template for applicants’ use in compiling and presenting the information required for the Preliminary Application has been updated to include the complete requirements established in the funding opportunity announcement and is now available from www.grants.gov and the Extension Program section of ONC’s website at http://healthit.hhs.gov/extensionprogram.

NEW – A complete transcript of the August 27th technical assistance conference is available for download from the Extension Program section of ONC’s website. Please visit http://healthit.hhs.gov/extensionprogram to access detailed information about the conference, including the transcript and the presentation slides used during the call.

NEW/REVISED – Program-specific Frequently Asked Questions (FAQs) are now available on the Extension Program section of ONC’s website. New FAQs are posted frequently, so potential applicants and other interested parties are encouraged to visit often. Please visit http://healthit.hhs.gov/extensionprogram then scroll down and click on “Frequently Asked Questions”.

On the HIT Extension Program site, you can find the Funding Opportunity Announcement / Application Instructions document, as well as a large FAQ section and the "Facts-At-A-Glance" summary.

You can find the August 27th, 2009 presentation (PPT) here, and the transcript of that same presentation here.

"Health Information Technology Extension Program: Regional Centers Cooperative Agreement Program Update," HHS e-mail update (September 3, 2009).

Tags: ARRA, ARRA funding, ARRA grant application, ARRA grants, HHS, HITECH Act, Meaningful use, News, ONC, Privacy & Security, Regional Extension Program, Regional Extension center, Regional Extension center grant, Regional Extension centers, extension program application, funding opportunity, grant, office of national coordinator, regional extension center grant application

HHS News: Interim Final Regulations on Breach Notification; Regional Office Privacy Advisors

Posted on August 20, 2009 by Steve Fox and Vadim Schick

On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published the interim final regulations regarding breach notification requirements for health care providers and other entities covered by HIPAA.

According to the HHS press release:

The regulations, developed by the HHS Office for Civil Rights (OCR), require health care providers and other HIPAA covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.

You can find the text of the regulation here.

Stay tuned for more analysis of this important set of regulations on this blog. The interim final regulations are effective 30 days after publication in the Federal Register and include a 60-day public comment period.

Tags: ARRA, Articles, HHS, HIPAA, HIPAA Privacy Rule, HIPAA Security Rule, HITECH, HITECH Act, News, Privacy & Security, Recovery Act, breach, breach notification, breach notification requirements, privacy

Government Health IT: CCHIT to serve temporarily as sole EHR certifier

Posted on August 18, 2009 by Steve Fox and Vadim Schick

Via Government Health IT:

The federal Health IT Policy Committee today endorsed recommendations that would leave the Certification Commission for Health IT in the short term as the sole organization authorized to certify health IT systems that qualified for funding under the economic stimulus plan. More certifying organizations would be added later.

Certification of electronic health record systems that met federal criteria for “meaningful use” of health IT could start as early as October, members of the Department of Health and Human Services’ Health IT Policy Committee said at the August 14th meeting.

Under the plan, CCHIT would provide a preliminary stamp of approval that health IT systems were HHS-qualified or certified until a final meaningful use regulation is published at the end of the year, said Marc Probst, chief information office of Intermountain Healthcare and co-chairman of the Committee’s certification work group.

Preliminary certification is meant to give providers and vendors enough certainty to proceed with planning, designing and purchasing systems in 2010. The HHS certification-qualification would mean that a provider purchasing the systems would be eligible for Medicare and Medicaid incentive payments under the stimulus law beginning in 2011.

"CCHIT will be sole health IT certifier, for now," Government Health IT (August 14, 2009).

Tags: ARRA, Articles, CCHIT, Certified EHR, EHR, HHS, HIT, HITECH, HITECH Act, Meaningful use, News, Privacy & Security

FTC Issues Final Breach Notification Rule for Electronic Health Information

Posted on August 17, 2009 by Steve Fox and Vadim Schick

Pursuant to the American Recovery and Reinvestment Act of 2009 (ARRA), the Federal Trade Commission (FTC) issued the final rule regarding notification requirements for breaches of electronic health information by vendors of personal health records and certain affiliated entities:

The rule applies to both vendors of personal health records – which provide online repositories that people can use to keep track of their health information – and entities that offer third-party applications for personal health records. These applications could include, for example, devices such as blood pressure cuffs or pedometers whose readings consumers can upload into their personal health records. Consumers may benefit by using these innovations, but only if they are confident that their health information is secure and confidential.

<...>

The Final Rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers. The Final Rule also specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media. Entities covered by the rule must notify the FTC, and they may use a standard form, which can be found along with additional information about the rule at www.ftc.gov/healthbreach.

You can find the full text of the rule here.

"FTC Issues Final Breach Notification Rule for Electronic Health Information," FTC Press Release (August 17, 2009).

Tags: ARRA, Articles, FTC, HITECH Act, News, PHR, Privacy & Security, breach, breach notification, breach notification requirements, electronic, health, information, notification, personal, privacy, record, security

New York Times reports on privacy concerns about use of de-identified health information

Posted on August 10, 2009 by Steve Fox and Vadim Schick

The New York Times reported on Americans' growing concern regarding commercial use of their personal health information, especially the use of re-identified prescription drugs information for marketing purposes.

The article points out correctly that the Recovery Act of 2009 (ARRA) included a few key changes to the present privacy regime, which would make it more difficult for pharmacies and data mining companies to use patient information for marketing or fundraising purposes. While the new law (and the upcoming applicable HHS regulations sanctioned by ARRA) will close a few loopholes in the current medical privacy regime, data mining companies like IMS Health and Verispan do not seem to be overly worried about these new developments:

The law won’t shut down the medical data mining industry, but there will be more restrictions on using private information without patients’ consent and penalties for civil violations will be increased. Government agencies are still writing new regulations called for in the law. <...>

IMS Health reported operating revenue of $1.05 billion in the first half of 2009, down 10.6 percent from the period a year earlier. [An IMS representative] said he did not expect growing awareness of privacy issues to affect the business.

Tags: ARRA, EHR, EHRs, Google, GoogleHealth, HIPAA, HITECH, HITECH Act, News, PHR, PHRs, Privacy & Security, privacy

Sebelius shifts responsibility for HIPAA Security Rule enforcement to OCR

Posted on August 4, 2009 by Steve Fox and Vadim Schick

HHS Secretary Kathleen Sebelius has delegated the responsibility for administration and enforcement of the HIPAA Security Rule to the Office of Civil Rights, a division of HHS. Previously, Centers for Medicare and Medicaid Services (CMS), another HHS division, was responsible for Security Rule administration, while OCR was tasked with administering and enforcing the HIPAA Privacy Rule. Effective immediately, OCR is responsible for administering both Security Rule and Privacy Rule, as well as all HIT privacy and security related provisions in the HITECH Act.

According to HHS, this move "will eliminate duplication and increase efficiencies in how the department ensures that Americans’ health information privacy is protected." This transfer of authority is not meant to create any disruption of current procedures. Consumers may continue to submit HIPAA security complaints using the on-line resource – the Administrative Simplification Enforcement Tool (ASET) -- which can be accessed here. New security complaints may also be sent to the Office for Civil Rights.

You can find the Federal Register notice here.

"HHS Delegates Authority for the HIPAA Security Rule to Office for Civil Rights," HHS Press Release (August 3, 2009).

Tags: ARRA, CMS, HIPAA, HIPAA Privacy Rule, HIPAA Security Rule, HITECH Act, News, OCR, Privacy & Security, Sebelius, delegate

Breaking News: FTC Delays Enforcement of the Red Flags Rule Again, Until November 1, 2009

Posted on July 29, 2009 by Steve Fox and Vadim Schick

From the FTC:

To assist small businesses and other entities, the Federal Trade Commission staff will redouble its efforts to educate them about compliance with the "Red Flags" Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply. To give creditors and financial institutions more time to review this guidance and develop and implement written Identity Theft Prevention Programs, the FTC will further delay enforcement of the Rule until November 1, 2009.

<...>

Although many covered entities have already developed and implemented appropriate, risk-based programs, some – particularly small businesses and entities with a low risk of identity theft – remain uncertain about their obligations. The additional compliance guidance that the Commission will make available shortly is designed to help them. Among other things, Commission staff will create a special link for small and low-risk entities on the Red Flags Rule Web site with materials that provide guidance and direction regarding the Rule. The Commission has already posted FAQs that address how the FTC intends to enforce the Rule and other topics – www.ftc.gov/bcp/edu/microsites/redflagsrule/faqs.shtm. The enforcement FAQ states that Commission staff would be unlikely to recommend bringing a law enforcement action if entities know their customers or clients individually, or if they perform services in or around their customers’ homes, or if they operate in sectors where identity theft is rare and they have not themselves been the target of identity theft.

You can read the full press release here.

Tags: Articles, FTC, News, Privacy & Security, Red Flags Rule, delay, enforcement, red flag, red flag rules

LA Times reminds providers that patients are entitled to copies of their medical records

Posted on July 27, 2009 by Steve Fox and Vadim Schick

The Los Angeles Times reported on a story of a patient trying to obtain a copy of her blood tests from her doctor's office. The office wanted to charge the patient $25 to retrieve the test results and send them to her via first-class mail (refusing to fax such results to her for free).

Under both HIPAA and California privacy laws, however, the patient was entitled to such records with only minimum administrative charges:

Most providers are required to follow both HIPAA and the California law, deferring to whichever offers greater consumer protection in cases where the laws differ. As a result, [this patient's] doctor had no legal basis for charging the $25 administrative fee for her lab results.

Under California law, healthcare providers are allowed to charge a fee for the cost of copying a patient's medical record and for the postage to mail it. But the cost cannot exceed 25 cents per page for photocopies and 50 cents per page for microfilm.

The law in California also permits doctors to charge a "retrieval fee" for locating patient records and for making them available. But HIPAA does not allow it. Because HIPAA offers consumers greater protection than California law in this area, doctors in the state cannot charge patients fees beyond those allowed for photocopying.

Tags: Articles, HIPAA, News, Privacy & Security, copies, costs, test results

Some doctors seek to prevent patients from reviewing their services online

Posted on July 27, 2009 by Steve Fox and Vadim Schick

With the number and popularity of consumer review sites, such as Yelp.com and Angie's List, growing steadily, doctors are beginning to find themselves subjects of online reviews more and more frequently. In fact, certain web sites, like RateMD.com, are dedicated specifically to rating physicians.

The Washington Post reported recently on doctors seeking patients to sign contractual forms, commonly known as "gag orders", which may obligate patients not to comment or review their experiences at the doctor's office "without prior written consent" of the physician. The Post explored the positions of both the advocates and opponents of gag orders.

Unsurprisingly, many doctors are vehemently opposed to the idea of being reviewed online (some cite difficulty in capturing quality of care and outcomes, rather than concentrating on the "ambience" of care, as the primary reason). Some physicians go a step further and ask patients to sign contractual forms promising not to comment or review their services. The Post notes that it is not clear whether gag orders are legally enforceable or even ethical.

Tags: Articles, News, Privacy & Security, doctors, gag orders, online, online review, patients, reviews

Study finds dramatic increase in operational HIEs

Posted on July 22, 2009 by Steve Fox and Vadim Schick

eHealth Initiative, an affiliation of organizations devoted to improving the quality, safety and efficiency of healthcare through information technology, released its 2009 survey on Health Information Exchange (HIE), titled "Migrating Toward Meaningful Use: The State of Health Information Exchange."

The survey found many positive trends in the expansion of HIE's in the United States, including:

the number of operational HIE initiatives (e.g., exchanges transmitting live data among stakeholders) has increased by nearly 40% since 2008;
positive impact on physician practices by improving efficiency without disrupting care (e.g., quicker access to test results, reduced staff time spent searching for results and performing other administrative functions);
reduction in costs associated with, inter alia, reduced staff time spent on searching for test results and performing other clerical functions, as well as reduction in duplicate tests and medical errors; and
steadily growing number of initiatives are exchanging data, with almost universal increases in the type of data exchanged.

The survey also found that "initiatives identified 'addressing privacy and confidentiality issues' as the most pressing challenge they face, surpassing 'developing a sustainable business model'."

eHealth Initiative's press release, which includes a more detailed summary of the survey, can be found here.

"Migrating Toward Meaningful Use: The State of Health Information Exchange," eHealth Initiative Study (July 22, 2009).

Tags: ARRA, Articles, HIE, HIE initiative, News, Privacy & Security, ROI, costs, eHealth Initiative, health information exchange, initiative, reducing cost

Healthcare providers must become aware of and comply with PCI DSS

Posted on June 22, 2009 by Steve Fox and Vadim Schick

Healthcare providers are generally familiar with and are used to the complex network of state and federal data privacy protection laws (e.g., HIPAA and HIPAA Privacy and Security regulations). However, most providers may not be aware of another set of data security standards, the Payment Card Industry Data Security Standards (PCI DSS), imposed by a non-governmental, private organization representing the credit card industry.

Contrary to popular belief, PCI standards apply to any processor of credit cards, regardless of volume of credit card transactions. (However, PCI DSS differ based on each organization's transactions volume.) In other words, if your healthcare enterprise or practice accepts credit cards as payment for services (which virtually all practices do), your organization is subject to PCI DSS.

SC Magazine's recent contribution from Jim Lacy, CFO of healthcare IT company ZirMed, provides an excellent reminder for all healthcare providers accepting credit cards to take note of PCI DSS and begin the process of compliance with such standards.

A few lessons from Jim Lacy's piece and more after the jump.

Tags: Articles, PCI, PCI DSS, PCSA, Privacy & Security, breach, data, security

New York Times reports on the growing threat of medical identity theft

Posted on June 12, 2009 by Steve Fox and Vadim Schick

The New York Times reported today on the growing threat posed to patients and consumers by medical identity theft. The article rightfully notes that this threat may only become more prominent with the widespread adoption of electronic health records technology championed by the Obama Administration.

According to the Times, over 250,000 Americans are victims of medical identity theft each year, and this number does not include those who are not yet aware that they are victims of such identity theft. The article profiled one case of medical identity theft, that of Brandon Sharp, a 37-year-old manager at an oil and gas company in Houston:

In Mr. Sharp’s case, someone got hold of his name and Social Security number and used them to receive emergency medical services, which many hospitals are obliged to provide whether or not a person has insurance. Mr. Sharp still does not know whether he fell victim to one calamitous perp who ended up in several emergency rooms or a ring of accident-prone conspirators.

Tags: Articles, HITECH, News, Privacy & Security, identity, medical, privacy, security, theft

Sears settles FTC claims regarding its online tracking software

Posted on June 10, 2009 by Steve Fox and Vadim Schick

On June 4, 2009, Sears Holdings Corporation (Sears) settled its dispute with the Federal Trade Commission (FTC) regarding Sears's controversial online tracking software. Sears paid its customers $10 to join "My SHC community" and download software which would track participants' online behavior. However, FTC alleged that Sears did not adequately disclose the enormous scope of information Sears collected on the participants:

<...> Sears represented to consumers that the software would track their “online browsing.” The FTC charges that the software would also monitor consumers’ online secure sessions – including sessions on third parties’ Web sites – and collect information transmitted in those sessions, such as the contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for web-based e-mails. The software would also track some computer activities that were not related to the Internet.

Sears did disclose the full extent of what information it would monitor, but only "in a lengthy user license agreement, available to consumers at the end of a multi-step registration process", which the FTC deemed to be inadequate.

Under the settlement, Sears is required to destroy the data collected under this program, and to "clearly and prominently disclose the types of data the software will monitor, record, or transmit" if Sears advertises or disseminates any tracking software in the future. The FTC also required Sears to make such disclosure prior to installation of the software and separate from any user license agreement; and disclose whether any of the data will be used by a third party.

"Sears Settles FTC Charges Regarding Tracking Software", FTC press release (June 4, 2009).
"Sears settles with FTC in privacy flap", Reuters (June 4, 2009).

Tags: Articles, FTC, News, Privacy & Security, data, privacy, security

California fines Kaiser hospital $250,000 for violations of patient privacy

Posted on May 15, 2009 by Steve Fox and Vadim Schick

As we mentioned earlier, Kaiser Permanente fired fifteen employees (and disciplined eight additional employees) for looking at the medical records of Nadya Suleman, the mother of octuplets commonly referred to as "Octomom."

On May 14, 2009, California authorities fined Bellflower Hospital, the Kaiser facility where Ms. Suleman was treated, $250,000, the maximum allowed under California's new patient privacy law. The law allows the California Department of Public Health to impose fines against healthcare facilities of up to $25,000 per patient for the first violation and $17,500 for each additional violation, up to $250,000.

While the spokesperson for Kaiser argued that the healthcare provider "took numerous steps to prevent" violations of Ms. Suleman's privacy, state officials maintain that such steps were insufficient:

The steps Kaiser took to protect Suleman's privacy were not aggressive enough, Billingsley and other state health officials said.

"It's the hospital's job to prevent these breaches from occurring, not just crack down after the fact," said Kim Belshé, secretary of California's Health and Human Services.

Governor Schwarznegger supported this development: "The fine issued today should be a reminder that there are consequences for violations of medical privacy."

"Kaiser hospital fined $250,000 for privacy breach in octuplet case", Los Angeles Times (May 15, 2009).

Tags: Articles, California, News, Privacy & Security, privacy

Breaking News: FTC Delays Enforcement of the Red Flags Rule Until August 1, 2009

Posted on May 1, 2009 by Steve Fox and Vadim Schick

From the FTC:

The Federal Trade Commission will delay enforcement of the new “Red Flags Rule” until August 1, 2009, to give creditors and financial institutions more time to develop and implement written identity theft prevention programs. For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law. Today’s announcement does not affect other federal agencies’ enforcement of the original November 1, 2008 compliance deadline for institutions subject to their oversight.

“Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further,” FTC Chairman Jon Leibowitz said.

You can read the full press release here.

Tags: Articles, FTC, Flags, News, Privacy & Security, Red, Rule

In the news: Personal Health Records edition

Posted on April 28, 2009 by Steve Fox and Vadim Schick

The Federal Trade Commission (FTC) issued interim regulations regarding breach notification requirements for PHR vendors, as mandated by the American Recovery and Reinvestment Act of 2009. According to the FTC press release, aside from breach notification, the proposed rule also:

stipulates that if a service provider to one of these [PHR vendor] entities experiences a breach, it must notify the entity, which in turn must notify consumers of the breach. The proposed rule contains additional requirements governing the standard for what triggers the notice, as well as the timing, method, and content of notice. It also requires entities covered by the proposed rule to notify the FTC of any breaches. The FTC can then post information about the breaches on its Web site, and notify the Secretary of Health and Human Services.

The full notice can be found here.

Mayo Clinic, in collaboration with Microsoft, launched its new personal health record (PHR) site on Tuesday April 21, 2009. The Mayo Clinic Health Manager uses Microsoft's HealthVault system to store medical histories, test results, immunization files and other records from doctors' offices and hospital visits, along with data from home devices like heart rate monitors. Anyone, not just Mayo Clinic patients, can open an account online; users can grant limited access to doctors, family members, and others to view the information contained in their PHR. It would be very interesting to learn if the Mayo Clinic required Microsoft to sign a Business Associate Agreement, or if Microsoft would publicly acknowledge that their PHR product is subject to certain privacy and security rules under HIPAA. ("Mayo Clinic backs new personal health record site", USA Today, April 21, 2009.)

Tags: ARRA, Articles, Clinic, Google, HealthVault, Mayo, Microsoft, News, PHR, Personal health records, Privacy & Security, health

Steve Fox on the new PHR privacy rules

Posted on April 27, 2009 by Vadim Schick

Bob Brewin of NextGov interviewed Steve Fox regarding the new privacy rules for vendors of personal health records (PHRs), and the applicability of such rules not only to PHR vendors such as Google and Microsoft, but also to the less obvious "related entities", a group so broad it may include an iPhone app:

Steven Fox, a lawyer with Post & Schell in Washington who co-chairs the firm's data protection group, agreed that the rules cover Google and Microsoft but said he wished FTC had specifically identified the two companies in the proposed rules.

The rules cover about 200 vendors of personal health record systems and 500 "related entities, which include online medication or weight tracking programs, and 200 third-party providers that offer billing and data services.

The related entities category could include low-cost iPhone applications that would have to comply with the potentially costly breach notification process, Dixon said. An online guide lists "100 Fabulous iPhone Apps for Your Health and Fitness," and Fox said these applications would be covered by the breach notification rules if they exchange information with personal health records.

("Proposed breach notification rule would affect more health vendors", NextGov, April 16, 2009.)

Tags: ARRA, Articles, FTC, Google, HealthVault, Microsoft, News, PHR, Privacy & Security, health

$50,000 Laptops: Average cost to employers in case of breach

Posted on April 23, 2009 by Steve Fox and Vadim Schick

A new study of 138 laptop-loss cases suffered over a recent 12-month period by 29 organizations, found that, on average, each lost or stolen laptop cost the employer $49,246. About 80% of the amount, or about $39,000 per laptop, are costs associated with data breaches, i.e., loss of personal data stored on the lost or stolen laptop. Significantly, the study found that:

The faster the company learns that a laptop is lost, the lower the average cost ... If a company discovers the loss in the same day, the average cost is $8,950. If it takes more than one week, the average cost rises significantly to approximately $115,849.

The study didn't endorse any particular brand of notebook protection gear, but noted that encryption on average can reduce the cost of a lost laptop by more than $20,000. (It is important to point out here that most data protection laws (both state and federal) exclude loss of encrypted or secured information from their definition of "breach.")

The study was conducted by the Michigan-based Ponemon Institute and commission by Intel.

("Typical lost or stolen laptop costs companies nearly $50,000, study finds", MercuryNews.com, April 22, 2009.)

Tags: Articles, News, Privacy & Security, breach, data, laptop

This just in: New HHS guidance about securing protected information

Posted on April 17, 2009 by Steve Fox and Vadim Schick

From HHS:

On April 17, 2009, HHS issued guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of American Recovery and Reinvestment Act of 2009 (ARRA). This guidance was developed through a joint effort by OCR, the Office of the National Coordinator for Health Information Technology (ONC), and the Centers for Medicare and Medicaid Services (CMS).

This guidance relates to two forthcoming breach notification regulations – one to be issued by HHS for covered entities and their business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Sec. 13402 of HITECH) and one to be issued by the Federal Trade Commission (FTC) for vendors of personal health records and other non-HIPAA covered entities (Sec. 13407 of HITECH). HITECH requires these regulations to be published within 180 days of enactment. If the entities subject to the regulations apply the technologies and methodologies specified in the guidance to secure information, they will not be required to provide the notifications required by the regulations in the event the information is breached.

The Guidance can be viewed (in PDF) here.

Tags: ARRA, Act, Articles, HIPAA, HITECH, News, Privacy & Security, breach, notification

In the news: CVS and Google; Connect Open Source Software; and more

Posted on April 8, 2009 by Steve Fox and Vadim Schick

CVS pharmacy customers now have the ability to download their prescription and medication histories to Google Health accounts after CVS and Google expanded their partnership. Patients at CVS' walk-in MinuteClinics are also able to add summaries of their visits to their Google Health accounts. It would be interesting to find out if CVS and Google ever executed a Business Associate Agreement. After the enactment of the HITECH Act, Google famously maintained that its personal health records product is not a subject to the new legislation and certain privacy and security provisions under HIPAA. ("CVS-Google Health pact now includes drugstores", AP, April 6, 2009.)
The federal government released Connect, and open source software which allows public and private entities to share health information via the National Health Information Network. The source code is free to download (the code and its documentation are available here), but organizations choosing to acquire and use this product will be responsible for costs associated with the installation and maintenance of Connect. The Social Security Administration, Department of Defense, Veterans Affairs, and the CDC are among the many government agencies using this software for health information exchange already. ("NHIN software released to open-source community", Government Health IT, April 7, 2009.)

Tags: Articles, Google, HIPAA, HITECH Act, Microsoft, News, PHR, Privacy & Security, Vault, health, personal, privacy, record, security

Free Webinar on Data Privacy: April 7, 2009 at 10AM ET

Posted on April 3, 2009 by Steven J. Fox

Post & Schell is presenting a webinar featuring Vadim Schick and Peter Hardy, who will discuss the practical and legal issues created by the new and upcoming changes in the data privacy protection regime. Topics will include:

The Identity Theft Prevention Programs required by the Red Flags Rule
New data breach requirements imposed by HIPAA
Pending federal data privacy legislation that mirrors existing state laws
What steps to take now to be prepared
Why preparing now will save you money and grief later

You can view this presentation at your desk. There is no charge or limit to the number of people who can listen to the presentation on the same line. Click the following link to register for the GoToWebinar presentation: register now. After registering, you will receive log-in information for the April 7th webinar by e-mail.

Also, some of the issues discussed above, including compliance with the Red Flag Rules and HIPAA Privacy and Security Rules, are discussed in a new article by Peter and Vadim, "Preventing Data Breaches: HIPAA Compliance and the Red Flag Rules," published in the April 2009 edition of Compliance Today, and accessible via this link.

Tags: ARRA, Articles, HITECH Act, News, Privacy & Security

Risk Prevention/Management Advice to Hospitals Regarding Document-Sharing Technology

Posted on April 1, 2009 by Steve Fox and Vadim Schick

Hospitals, multi-hospital systems, and integrated healthcare delivery systems are increasingly utilizing data-sharing technology to communicate with, and share documents among, their officers and directors.

For example, some healthcare business enterprises use online services to upload documents to a “secure” Internet web site for Board members’ review prior to Board meetings, in lieu of sending out such documents via e-mail or in paper form. Healthcare business enterprises using such services need to be aware of many potential security and privacy risks inherent in transmitting, uploading and storing sensitive, confidential or even proprietary information via the Internet.

Tags: ARRA, Articles, Privacy & Security, data-sharing, information, privacy, secure, security, unsecured

Update: Healthcare Informatics Interviews Steve Fox and Ed Shay about the HITECH Act, Parts III and IV

Posted on March 31, 2009 by Vadim Schick

Healthcare Informatics Editor-in-Chief Anthony Guerra recently talked with our own Steve Fox and fellow Post & Schell partner Edward Shay about the substance of the HITECH Act and what this new legislation means for healthcare providers. The interview appears under the "Online Exclusives" section of the Healthcare Informatics Web site.

Healthcare Informatics recently published Part III and Part IV of the interview on its Web site.

Tags: ARRA, Act, Articles, EHR, HIPAA, HITECH, HITECH Act, News, PHR, Privacy & Security, meaningful, use

In the news

Posted on March 16, 2009 by Steve Fox and Vadim Schick

Kaiser Permanente and IBM inked a $500 million, seven-year IT services deal. IBM will manage Kaiser's data center operations, storage and software, but IBM will not have access to patients' medical records. AP, San Francisco Chronicle (March 17, 2009).
A new study expects that as much as three-quarters of prescribers will use e-prescribing by 2014 because of the incentives for adoption of e-prescribing technology included in the HITECH Act (though only about 15% of current prescribers use e-prescribing). This could result in a massive $22 billion reduction in drug and medical costs. Government Health IT (March 17, 2009).
Wal-Mart is bringing its "high-volume, low-cost" approach to the medical records industry. Wal-Mart's Sam's Club division will produce a package that will include hardware from Dell, software from eClinicalWorks, as well as installation, maintenance and training services. According to the New York Times (March 11, 2009), the "Sam’s Club offering, to be made available this spring, will be under $25,000 for the first physician in a practice, and about $10,000 for each additional doctor. After the installation and training, continuing annual costs for maintenance and support will be $4,000 to $6,500 a year, the company estimates." This development has huge implications for the EHR market, and may actually aid the widespread adoption of EHR technology. Healthcare IT News (March 11, 2009) also covered this story.

More news after the jump.

Tags: ARRA, EHR, Higher Ed, IBM, Kaiser, News, Privacy & Security, Wal-Mart, academia, breach, data, e-prescribing, universities

UPDATED: ARRA Includes Major Changes to Healthcare Privacy Law

Posted on March 13, 2009 by Steve Fox and Vadim Schick

The HITECH Act includes a number of provisions regarding confidentiality, privacy and security of protected health information, which significantly affect both the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HIPAA Privacy and Security Rules. The Act provides for different enforcement dates for nearly each of the provisions, but some of them already gone into effect upon ARRA’s enactment on February 17, 2009. Furthermore, the Act mandates the HHS Secretary to promulgate regulations regarding various privacy and security provisions, thereby delaying enforcement until the completion of the rule-making process. Consequently, there is still much uncertainty regarding the new privacy and security regime, as established by this Act.
Some of the most significant changes include:

New breach notification requirements for covered entities. The Act requires covered entities to notify individuals in writing if their protected health information (PHI) is disclosed, lost or otherwise compromised. The notices must be given within sixty (60) days of discovering the breach; if the breach involves 500 or more individuals, the covered entity must also inform HHS and “prominent media outlets serving a state or a jurisdiction.” There are also “temporary” breach notification requirements for commercial personal health record vendors, such as Google Health, Microsoft Vault and Revolution Health; however, Google Health has claimed that the Act’s provisions do not apply to Google. We will have to await the final regulations to see if they remove any ambiguity in this area.
Business Associates are now subject to HIPAA. Third-party administrators, health information technology vendors, benefit providers and consultants are now directly subject to certain specified HIPAA privacy and security rules and regulations. (Please note that this change in particular may require a review of existing Business Associate Agreements as well as revision of any new BAA's entered into.)

MORE after the jump.

Tags: Accounting, Business Associates, Covered Entities, HIPAA, HITECH, HITECH Act, Marketing, Privacy & Security, business associates as covered entities