Study: 94% of healthcare businesses not in substantial compliance with HITECH and HIPAA

A new survey by the Ponemon Institute, an organization dedicated to advancing responsible information and privacy management practices, found that almost all surveyed organizations did not substantially comply with HIPAA, including as modified by the HITECH Act. The survey was conducted in November 2009, but, according to Ponemon, the results are unlikely to have changed much since then.

Ponemon Institute's survey of 77 healthcare organizations, including 42 covered entities and 35 business associates, found (via BNA):

  • 27 percent of the health care organizations had not started and were “barely aware” of what was required;
  • 32 percent of the organizations were waiting for more details;
  • 14 percent of organizations surveyed had a plan but were waiting for more details on the requirements;
  • 21 percent of the organizations surveyed were just beginning to act on becoming compliant;
  • 79 percent of organizations do not regularly have the required independent assessment or audit of their program to determine adequacy; and
  • 57 percent reported having known deficiencies for privacy or security.

You can find the full survey here.

"Study Finds Majority of Health Care Entities Not Compliant with HIPAA, HITECH Provisions," BNA Health IT Law & Industry Report (May 24, 2010).

HHS begins enforcement of breach notification requirements

As of February 22, 2010, HHS is expected to begin enforcing the new breach notification requirements created by the privacy and security provisions within the HITECH Act.  Although such requirements went into effect last fall, HHS gave covered entities and business associates a few months to adapt to the new rules.  That enforcement delay is now over, and, perhaps in a related move, on February 23, 2010, HHS's Office of Civil Rights, pursuant to the HITECH Act, posted a list of organizations which reported breaches of unsecured protected health information affecting 500 or more individuals on OCR's web site.  This should serve as a good reminder to providers and HIT vendors alike to be keenly aware of the new regulations on breach notification.

The HITECH Act required a covered entity that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information” to notify each individual “whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed” due to the breach.  Business associates who discover a breach must notify the covered entity. 

By regulation published in the Federal Register on August 24, 2009, HHS added a rather controversial "harm threshold" to this requirement: covered entities and business associates are required to notify the affected individual, HHS, and, in some cases, the media, if the breach poses a significant risk of harm to the individual. This "harm threshold" essentially requires the organization that discovers a breach to perform a risk assessment to determine whether the breach would cause "significant harm" to the affected person.

The HITECH Act defines “breach” as “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.” The Act includes two important (albeit vague) exceptions to this definition for cases in which: (1) “the unauthorized acquisition, access, or use of PHI is unintentional and made by an employee or individual acting under authority of a covered entity or business associate if such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship with the covered entity or business associate, and such information is not further acquired, accessed, used, or disclosed”; or (2) “where an inadvertent disclosure occurs by an individual who is authorized to access PHI at a facility operated by a covered entity or business associate to another similarly situated individual at the same facility, as long as the PHI is not further acquired, accessed, used, or disclosed without authorization.”

The HITECH Act imposes a similar notification requirement on a business associate “that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured” PHI. In the event of a breach, the business associate shall provide notice to the covered entity, including “the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during such breach.”

The term “unsecured protected health information” refers to PHI that is not secured through the use of a “technology or methodology” specified by the Secretary in a “Guidance” issued as part of the breach notification regulation in the Federal Register on August 24, 2009 (see link above). The Guidance, which is to be updated annually, specifies two basic ways of rendering PHI “secure:” encryption and destruction. Electronic PHI must be properly encrypted “by ‘the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key’ and such confidential process or key that might enable decryption has not been breached.” The Guidance provided an exhaustive list of technologies which would encrypt PHI, referencing “approved” processes and methods from the National Institute of Standards and Technology (NIST). PHI is properly destroyed if the hard copy media (e.g., paper, tapes) on which the PHI is stored is shredded or destroyed in such a way “that the PHI cannot be read or otherwise cannot be reconstructed;” electronic media containing PHI “must be cleared, purged, or destroyed consistent with NIST [Guidelines] such that the PHI cannot be retrieved.”

Securing PHI in accordance with this Guidance will be the safest way to protect a healthcare organization from a serious breach of patient data privacy. Organizations that suffer a breach involving disclosed, stolen or lost data that was not “secured” may be subject to a wide range of newly established breach notification requirements.  It is important to note, however, that for both covered entities and business associates, the breach shall be deemed to have been discovered on the first day on which it is “known to such entity or associate.” The term “known” means that the circumstances of the breach are known by any “employee, officer, or other agent of such entity or associate,” other than the person who committed the breach. Furthermore, all notifications (by both covered entities and business associates) must be made “without unreasonable delay,” which, in Congressional time, means no later than 60 calendar days after discovery of the breach. The entity making the notification has the burden of demonstrating that all required notifications were made, as well as explaining the necessity of any delay.
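As an added illustration of the decision points just described (this is not code from the original post), the following Python sketch models the triage of a suspected breach: whether the PHI was "unsecured" under the Guidance, whether the good-faith internal exception applies, the discovery date (first day known to anyone other than the person who committed the breach), who must be notified, and the 60-calendar-day outside deadline. The field names and the sample record are constructed for this example, and the harm-threshold outcome is taken as an input from the risk assessment rather than computed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class BreachRecord:
    known_by: dict[str, date]   # date each workforce member learned of the incident
    perpetrator: str | None     # excluded when fixing the discovery date
    affected_individuals: int
    # "Secured" per the HHS Guidance: NIST-conformant encryption with an intact key,
    # or media cleared/purged/destroyed so the PHI cannot be reconstructed.
    encrypted_per_nist: bool = False
    key_compromised: bool = False
    media_destroyed: bool = False
    # Statutory exception: good-faith, in-scope internal access, not further disclosed.
    good_faith_internal: bool = False
    further_disclosed: bool = False
    # Outcome of the regulatory "harm threshold" risk assessment (supplied, not computed).
    significant_risk_of_harm: bool = True

def is_unsecured(r: BreachRecord) -> bool:
    """PHI is 'unsecured' unless encrypted (key intact) or destroyed per the Guidance."""
    if r.media_destroyed:
        return False
    return not (r.encrypted_per_nist and not r.key_compromised)

def discovery_date(r: BreachRecord) -> date | None:
    """First day the breach was known to anyone other than the person who committed it."""
    dates = [d for who, d in r.known_by.items() if who != r.perpetrator]
    return min(dates) if dates else None

def triage(r: BreachRecord) -> dict:
    """Who must be notified and the 60-calendar-day outside deadline (empty if no duty)."""
    disc = discovery_date(r)
    out = {"discovered": disc, "deadline": None, "notify": []}
    if disc is None or not is_unsecured(r):
        return out
    if r.good_faith_internal and not r.further_disclosed:
        return out
    if not r.significant_risk_of_harm:
        return out
    out["notify"] = ["affected individuals", "HHS"]
    if r.affected_individuals >= 500:
        out["notify"].append("prominent media outlets")
    out["deadline"] = disc + timedelta(days=60)  # "without unreasonable delay"
    return out

# Constructed sample: an insider viewed unencrypted records on March 1; the
# security team learned of it on March 3, so discovery is March 3.
SAMPLE = BreachRecord(known_by={"insider": date(2010, 3, 1), "security_team": date(2010, 3, 3)},
                      perpetrator="insider", affected_individuals=1200)
```

Running `triage(SAMPLE)` yields a deadline of May 2, 2010 and adds the media to the recipients because more than 500 individuals are affected; the same record with `encrypted_per_nist=True` and an intact key produces no notification duty.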

There is a lot more information that covered entities and business associates must know about the new rules, including, for example, requirements regarding the content of breach notices.  For more information on these matters, please do not hesitate to contact us.

UPDATED: ARRA Includes Major Changes to Healthcare Privacy Law

The HITECH Act includes a number of provisions regarding confidentiality, privacy and security of protected health information, which significantly affect both the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HIPAA Privacy and Security Rules. The Act provides for different enforcement dates for nearly every one of the provisions, but some of them have already gone into effect upon ARRA’s enactment on February 17, 2009. Furthermore, the Act directs the HHS Secretary to promulgate regulations regarding various privacy and security provisions, thereby delaying enforcement until the completion of the rule-making process. Consequently, there is still much uncertainty regarding the new privacy and security regime established by this Act.
Some of the most significant changes include:

  • New breach notification requirements for covered entities. The Act requires covered entities to notify individuals in writing if their protected health information (PHI) is disclosed, lost or otherwise compromised. The notices must be given within sixty (60) days of discovering the breach; if the breach involves 500 or more individuals, the covered entity must also inform HHS and “prominent media outlets serving a state or a jurisdiction.” There are also “temporary” breach notification requirements for commercial personal health record vendors, such as Google Health, Microsoft Vault and Revolution Health; however, Google Health has claimed that the Act’s provisions do not apply to Google. We will have to await the final regulations to see if they remove any ambiguity in this area.
  • Business Associates are now subject to HIPAA. Third-party administrators, health information technology vendors, benefit providers and consultants are now directly subject to certain specified HIPAA privacy and security rules and regulations. (Please note that this change in particular may require a review of existing Business Associate Agreements as well as revision of any new BAAs entered into.)
  • State Attorneys General may now bring state actions to enforce HIPAA, seeking statutory damages and attorneys’ fees for violations. Previously, such enforcement was exclusively limited to the Office of Civil Rights within HHS.
  • The Act restricts a covered entity’s right to refuse an individual’s request not to use or disclose PHI if: (i) disclosure is to a health plan for carrying out payment or health care operations (not for treatment); and (ii) the PHI “pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.” Previously, the covered entity was not required to agree to such requested restrictions.
  • The Act requires a covered entity using or disclosing PHI, or requesting PHI from another covered entity, to limit “to the extent practicable” disclosure of PHI to the “limited data set” as defined under HIPAA, or, if more information is “needed,” to the minimum necessary “to accomplish the intended purpose of such use, disclosure, or request, respectively.” Depending upon the forthcoming guidance from HHS (due within 18 months), this may require considerable education, training and additional resources necessary to implement this new requirement.
  • The Act removes an exception that excused covered entities from accounting for disclosures of PHI to carry out treatment, payment and health care operations. When this becomes effective (which depends on when an EHR is acquired), all such disclosures must be accounted for if the disclosure was made “through” an EHR. However, the right to an accounting of such disclosures only applies to the 3 years prior to the date on which the accounting is requested, rather than the 6 years currently permitted under HIPAA.
  • Covered entities and business associates will be prohibited from receiving remuneration in exchange for any PHI of an individual without first obtaining an authorization from such individual (subject to certain exceptions). The authorization must specify whether the original receiver of PHI may further exchange it for remuneration. This will go into effect in approximately 24 months after ARRA’s enactment.
  • A covered entity that “maintains” an EHR is required to produce a copy of a patient’s PHI in electronic format upon an individual’s request, and if the individual so chooses, to transmit the copy directly to an entity or person designated by the individual. A fee for such service may not be greater than the covered entity’s labor costs in responding to the request for the copy.
  • The Act imposes new restrictions on covered entities’ and business associates’ marketing communications to potential buyers or users of their products. This is also subject to certain exceptions and qualifications depending on the purpose of the communications and whether any payments are involved.