Health IT Law Blog : Health IT Law Blog : Post & Schell: Law Firm : HIT & Electronic Health Records

EHRMagic, of Santa Fe Springs, Calif., had two of its records systems shot down by the government: EHRMagic-Ambulatory and EHRMagic-Inpatient. Two people familiar with the company interviewed for this story said they were not surprised by the development, since the firm didn't seem able to live up to its promises on the sales side of the operation several years ago.

Calls and e-mails to EHRMagic on Thursday were not returned. Records with the California secretary of state list the 4-year-old company's corporate status as “suspended.”

ONC spokesman Peter Ashkenaz said no healthcare provider has “attested” to using the system, which means that no one had tried to receive federal funding to pay for installation of an EHRMagic system. Since 2011, more than 234,000 organizations and individuals have received a total of $12.7 billion in EHR incentives to install one of the 1,700 systems eligible for payments.

But a blog post Thursday from Carol Bean, director of the certification office at the ONC, makes clear that the office will continue aggressive monitoring for other EHR systems that don't meet the federal requirements. That includes proactive investigations and surveillance by the office, as well as inquiries that stem from tips from the public about shoddy systems.

“We want to be clear,” the blog post says, “the office of certification's role doesn't stop after EHR certification. We are also going to monitor certified EHRs to determine whether they continue to meet our requirements. The doctors, hospitals and other providers that are adopting—and have already adopted—EHRs deserve this and should feel confident that the tools they are using are up to the job of helping their patients get the best care possible.”

Ashkenaz declined to say what a healthcare provider should do if the system it is using ends up retroactively decertified for payments, as EHRMagic's systems were.

Richard Gant, CEO of physician-supply seller Innovative Healthcare Systems in Royal Palm Beach, Fla., said the EHRMagic situation pointed to another major concern about decertification. EHRMagic sells what is known as a “cloud-based” system, meaning that patient information is stored off-site and not physically in a provider's office.

“The biggest issue is, all of your information is on their servers,” he said. “And if they disappear, that information could go away.”

Several years ago, Gant's firm attempted to sell EHRMagic's systems through a sales model that would have allowed it to be installed for free in exchange for eventual federal subsidies. But he said Innovative Healthcare Systems severed its relationship with the EHRMagic after several initial attempts to install it failed, and sales payments were not forthcoming.

“When they weren't paying for anything and they weren't supporting clients of ours, we said goodbye,” Gant said. “I'm surprised they were even around to even be decertified.”

By Joe Carlson

“ONC revokes firm's EHR certifications,” Modern Healthcare (April 25, 2013)

The problems may stem from misconceptions about what attracts employees to a healthcare workplace. 

What’s clear is that employees are focused on the practical, while employers are focused on the developmental,” said Laurie Bienstock, North American rewards leader at Towers Watson, in a news release.  “The good news is that the vast majority of employers are taking steps to close the talent gap, and seek more balance in their employee value proposition and rewards program.”

Employers said that offering ”challenging work” was a top factor that attracted workers, while workers attached more value to the employer’s reputation.  Workers also see base salary as a bigger factor than how employers view pay.  The survey included answers from more than 100 healthcare providers given earlier this year.

“But focusing on money is only part of the solution,” said Heidi Toppel, a senior rewards consultant in Towers Watson’s hospital industry group, in the release.  “Presenting career and growth opportunities remains important as well, and savvy employers will create as comprehensive a program as possible.  Our data confirm that IT recruiting in the healthcare industry is a matter of striking the right balance between the practical needs of workers today and the longer-term goal of helping an industry transform itself for a different future.”

Employers are having success with increasing base pay rates, offering retention bonuses while giving workers more educational and training opportunities.

By Ashok Selvam

“Healthcare firms struggle with IT staffing:  survey,” Modern Healthcare (April 12, 2013) 

Industry feedback suggests that HIPAA covered entities have not reached a threshold whereby a majority of covered entities would be able to be in compliance with the operating rules by January 1, 2013. This enforcement discretion period does not prevent applicable HIPAA covered entities that are prepared to conduct transactions using the adopted operating rules from doing so, and all applicable covered entities are encouraged to determine their readiness to use the operating rules as of January 1, 2013 and expeditiously become compliant. Although enforcement action will not be taken, OESS will accept complaints associated with compliance with the operating rules beginning January 1, 2013. If requested by OESS, covered entities that are the subject of complaints (known as "filed-against entities") must produce evidence of either compliance or a good faith effort to become compliant with the operating rules during the 90-day period. HHS will continue to work to align the requirements under Section 1104 of the Affordable Care Act to optimize industry’s ability to achieve timely compliance.

OESS is the U.S. Department of Health and Human Services’ (HHS) component that enforces compliance with HIPAA transaction and code set standards, including operating rules, identifiers and other standards required under HIPAA by the Affordable Care Act.

For copies of the operating rules for the eligibility for a health plan and health care claim status transactions, visit the Council for Affordable Quality Healthcare (CAQH) CORE website at http://www.caqh.org. Links to information on the operating rules for eligibility for a health plan and health care claim status are available at http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/Affordable-Care-Act/OperatingRulesforEligibilityandClaimsStatus.html

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

The Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to the Secretary of HHS and the media within 60 days after the discovery of the breach.  Smaller breaches affecting less than 500 individuals must be reported to the Secretary on an annual basis.

A new educational initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information, has been launched by OCR and the HHS Office of the National Coordinator for Health Information Technology (ONC) that offers health care providers and organizations practical tips on ways to protect their patients’ health information when using mobile devices such as laptops, tablets, and smartphones.  For more information, visit www.HealthIT.gov/mobiledevices.

The Resolution Agreement can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.pdf

“HHS announces first HIPAA breach settlement involving less than 500 patients:
Hospice of North Idaho settles HIPAA security case for $50,000,” HHS Press Release (January 2, 2013)

The inspector general's review covered the early stages of the Medicare EHR incentive program, from when payments started flowing in May 2011 through December 2011. During that period, the program paid out about $1.7 billion to nearly 27,000 physicians and other eligible professionals and 668 hospitals, the report said. 
 
The inspector general said that the CMS validates the presence of some required information and confirms some calculations provided by hospitals and providers. For example, "The validation checks that self-reported numerators and denominators calculate to required percentage thresholds and that all relevant yes/no measures were checked 'yes,' " according to the report. However, the report continued, the CMS "does not verify that numerators and denominators entered for percentage-based measures reflect the actual number of patients for a given measure or that professionals and hospitals possess certified EHR technology."
 
One "obstacle" the CMS faces in trying to get independent validation that what the providers are attesting to actually happened is that data from other sources—such as Medicare claims or private insurance data—is either incomplete for the task or unavailable.
 
The inspector general's office notes that although the CMS is not required to perform prepayment verification, "doing so would strengthen its oversight of the anticipated $6.6 billion in incentive payments" the program is expected to shell out over its lifetime, which runs through 2016.
 
Regarding post-payment oversight, the inspector general noted that, so far, the CMS "has not yet completed any post-payment audits." But the CMS has said it plans to use EHR-generated reports "to verify the accuracy of self-reported information where possible" and obtain supporting documents in instances where the reports don't cover the audit subject matter—and this is where the ONC comes in for criticism.
 
The ONC oversees the rule writing, and the testing and certification programs to determine whether EHR technology qualifies for use in the Medicare EHR incentive payment program.
 
The CMS "cannot use EHR reports to verify all self-reported meaningful-use information because ONC does not require certified EHR technology to be capable of producing reports for all meaningful-use measures," the inspector general's report said. The ONC requires an EHR to write reports on the 30 percentage-based measures but not the 19 yes/no measures users also are required to attest to in order to get paid.
 
"EHR reports also do not contain information necessary for CMS to verify all percentage-based measures," the inspector general's report said, specifically noting that denominators for many of those measures include data from both paper-based and EHR systems.
 
The inspector general's office recommended that the CMS beef up its prepayment assessment program, including by focusing on "high-risk" professionals and hospitals, asking them to "submit supporting documentation for prepayment review."
 
It also recommended that ONC "improve the certification process" to ensure that certification bodies "comprehensively test EHR reports for accuracy as part of the certification process" as well as not rely on "vendor-supplied data" during the testing phase.
 
The CMS, in an Oct. 9 letter from acting Administrator Marilyn Tavenner, said prepayment audits were not necessary at this time, but concurred with another inspector general's office recommendation to issue a guidance on proper provider documentation required for the program.
 
In a similar letter to the inspector general's office dated Sept. 25, ONC chief Dr. Farzad Mostashari concurred with the inspector general's office's recommendation of testing a "yes/no" reporting functionality. He said he would ask his two advisory committees, the Health IT Policy and Standards committees, to make recommendations "on the appropriate scope and feasibility of a certification criterion focused on 'yes/no' reports."
 
Mostashari also said the ONC has “already taken steps” to address a separate inspector general's recommendation that it improve its EHR testing and certification program. Specifically, the OIG recommended that the national coordinator supplant vendor-supplied data used in the initial rounds of its certification tests with a standard data set to be used by all vendors.
 
Last fall, GE warned customers of two of its EHR systems for ambulatory-care providers that errors had been found in reports to support meaningful-use attestations. That incident was specifically mentioned in the OIG report, which added that the ONC's certification process "did not identify these potential inaccuracies because the vendor-supplied test data did not account for the manner in which some professionals use the products." Similar problems may exist with reports from other EHR products, the OIG report said, but it cited no other examples of report-writing failures.
 
In his letter, Mostashari said the updated 2014 edition testing and certification rules—which were released in February in conjunction with the CMS' Stage 2 meaningful-use rules—contain "more rigorous testing requirements" that became effective Oct. 4, 2012. He said the ONC "will continue to migrate away from the exclusive use of vendor-supplied data."
 
In a telephone interview, Mostashari said the GE report-writing problem was "old news." Asked whether he was aware of any other incidents of EHR systems failing to produce accurate test reports, Mostashari said, "It's really a CMS question."

By Joseph Conn

“HHS inspector general: Medicare EHR program needs better oversight,” Modern Healthcare  (November 29, 2012)

Meanwhile, plans to evacuate about 200 patients from Coney Island Hospital were underway early Tuesday afternoon, said Evelyn Hernandez, a spokeswoman for New York City Health and Hospitals Corp., which owns the hospital. Backup power was restored on Tuesday to Coney Island Hospital after it lost power during the storm. Most patients who depend on ventilators or other devices were evacuated ahead of the storm, but seven critically ill patients remained at Coney Island Hospital and relied on battery-supported ventilators during the power outage. Those patients were transferred elsewhere Tuesday morning. 
 
In New Jersey, Palisades Medical Center, North Bergen, began evacuating 83 patients Tuesday morning, said Donna Leusner, a spokeswoman for the New Jersey Department of Health. Flood damage knocked out power to Palisades Medical Center, said a spokeswoman with Hackensack (N.J.) University Medical Center, where Palisades patients were transferred by National Guard troops after 9 a.m. on Tuesday. Hackensack University Medical Center was expected to accept 51 patients from Palisades Medical Center, Nancy Radwin, an HUMC spokeswoman said.
 
Approximately 30 New Jersey acute-care hospitals were operating on backup generators after the storm, said Kerry McKean Kelly, a spokeswoman for the New Jersey Hospital Association.
 
Eight Pennsylvania hospitals experienced power outages and were operating on backup generators on Tuesday, the state Health Department said.
 
North Shore-Long Island Jewish Health System reported that Glen Cove (N.Y.) Hospital, Huntington (N.Y.) Hospital, Plainview (N.Y.) Hospital, Syosset (N.Y.) Hospital and its Stern Family Center for Rehabilitation, Manhasset, were operating on backup power, as was one campus of the two-campus Staten Island University Hospital in New York City.
 
Also, Staten Island University Hospital could no longer access electronic health records after flooding on Monday disrupted power to the building where data is stored. Doctors continued to use paper records on Tuesday.
 
Other hospitals lost access to EHRs during the storm. Doctors at West Penn Allegheny Health System in Pittsburgh reverted to paper and written orders as the storm came ashore and damaged a data center in Mountain Lakes, N.J. Dan Laurent, a spokesman for the system, said Allegheny General and Western Pennsylvania hospitals, both in Pittsburgh, and the emergency room at Forbes Regional Hospital, Monroeville, could not access electronic medical records between 8:30 p.m. on Monday and 4 a.m. on Tuesday.

By Melanie Evans

“Superstorm Sandy knocks out power at East Coast hospitals, prompting evacuations,” Modern Healthcare (October 30, 2012)

According to an e-mailed news release, eHealth Exchange "represents ONC's commitment to support health information exchange innovation in the private sector." The partnership's operations will be supported by Healtheway (PDF), a Richmond, Va.-based not-for-profit organization also founded as a public-private partnership.
 
These operations include conformance and interoperability testing, on-boarding of new participants in eHealth Exchange, and maintenance of operating policies and procedures, the service registry and digital certificates, according to the release. 
 
In addition, the Chicago-based Certification Commission for Health Information Technology will participate in the effort's compliance testing and will certify that interfaces between exchanges are "consistent across multiple states and systems," according to a CCHIT news release.
 
More details will be announced at the New York eHealth Collaborative's Digital Health Conference, scheduled for Oct. 15-16 in New York, the release stated.

By Andis Robeznieks

“ONC moves control of health info network to public-private group,” Modern Healthcare (October 11, 2012)

A study published in the most recent issue of the Annals of Internal Medicine found that 60 to 78 percent of patients who read their visit notes reported that they were more likely to take their medications as prescribed.  And their doctors reported that sharing their notes actually strengthened relationships with patients.

The study included 105 primary care physicians and 13,564 of their patients at Beth Israel Deaconess Medical Center in Massachusetts, Geisinger Health System in Pennsylvania and Harborview Medical Center in Washington, who participated  in a project called OpenNotes, in which patients were given electronic access to their files.

Study authors Tom Delbanco and Jan Walker of Beth Israel said they were surprised and delighted to find that patients who viewed their medical notes were more likely to take their medicines correctly. “Medication adherence is one of the greatest problems in health care,” said Delbanco, “yet flipping this switch seems to activate patients.”

As one patient explained, “having it written down, it’s almost like there’s another person telling you to take your meds.”

Patients also reported “an increased sense of control, greater understanding of their medical issues, improved recall of their plans for care, and better preparation for future visits,” the study authors write.

Despite concerns among participating physicians that sharing their notes would increase their workload, few of them reported longer visits or spent more time answering patients’ questions outside of visits.

One concern is that doctors may change the way they write their notes if their patients can read them. Since the same notes are shared with other doctors, this could have a clinical impact. As an example of a minor change, some doctors reported using “body mass index” in place of “obesity” to avoid offending their patients.

Blunt language, however, seems to have motivated some patients. “In his notes, the doctor called me ‘mildly obese,” one patient commented. “This prompted my immediate enrollment in Weight Watchers and daily exercise. I didn’t think I had gained that much weight. I’m determined to reverse that comment by my next check-up.”

At the end of the experiment, nearly 99 percent of the participating patients wanted continued access to their visit notes. And all three participating hospital sites have decided to broaden patient access to their doctors’ notes.

“Our greatest hope is that this will become a standard of care,” said Walker. “We’re at a good time in history because more and more doctors and hospitals are getting electronic health records and putting up secure patient portals,” allowing many patients easy access to their records.

They add, however, that privacy implications could be enormous: 20 to 45 percent of patients reported that they shared their notes with others, including family and friends. A patient could also choose to post their notes on Facebook or Twitter. “The patient-doctor relationship is confidential,” explained Delbanco, “but whether it’s private is now up to the patient.”

By Jenny Gold

“For Patients, What A Difference A Note Makes,” Kaiser Health News (October 2, 2012)

The Office for Civil Rights alleges that the infirmary and the group not only failed to secure data on the laptop but also failed to comply with several other HIPAA security-rule requirements, including performing “a thorough analysis of the risk to the confidentiality” of individually identifiable patient information stored on the portable device and not “adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices.” The term ePHI refers to electronic protected health information. 

“In an age when health information is stored and transported on portable devices such as laptops, tablets and mobile phones, special attention must be paid to safeguarding the information held on these devices,” Office for Civil Rights Director Leon Rodriguez said in a news release. “This enforcement action emphasizes that compliance with the HIPAA privacy and security rules must be prioritized by management and implemented throughout an organization, from top to bottom.”

The settlement amount is to be paid in three equal installments of $500,000—the first on Oct. 15 of this year and the next two on the same date in 2013 and 2014.

The 17-page resolution agreement also requires the organization “to adhere to a corrective action plan” and permits an independent monitor to make semi-annual assessments of MEEI's compliance with the plan for three years.

The American Recovery and Reinvestment Act of 2009 required the reporting to HHS of breaches affecting 500 or more individuals and the creation of a public accessible website listing the breaches. There are now 490 such self-reported breach incidents on the list, which is maintained by the Office for Civil Rights. Combined, those breaches exposed the records of more than 21 million individuals, according to the office.

The infirmary is on the list twice. A November 2009 incident involving 1,076 records stemmed from a police investigation into improper use of credit card information that led to the firing of two infirmary employees.

By Joseph Conn

“Mass. provider to pay $1.5 million in HIPAA settlement,” Modern Healthcare (September 17, 2012)

The demo was part of a Data Segmentation for Privacy Initiative by the Office of the National Coordinator for Health Information Technology at HHS. It also answers a 2010 call by the President's Council of Advisors on Science and Technology to use metadata tagging to enhance privacy while making medical data more readily available for research. A metadata tag provides information about the underlying data.

Tagging a patient's record at the “granular” or data-element level enables patients to give consent to the exchange of some parts of their medical record—such as a diagnosis code for diabetes and a drug prescription for its treatment—but not other parts, such as the diagnosis of a sexually transmitted disease or a mental health counseling session.

“The bottom line is we're trying to provide patients some ability to control what information is shared and make it easy on them,” said Mike Davis, VA project lead and Veterans Health Administration security architect.

Federal law applying specifically to the VA requires that, under typical circumstances, the VA must obtain a veteran's consent before his or her medical records can be shared outside the organization. The VA also abides by another federal law that bars federally funded alcohol and drug treatment providers from sharing information about such treatment without patient consent. The latter law creates a consent requirement that sticks to and flows with the data, so that each subsequent provider to receive it also must obtain patient consent to disclose it elsewhere.

Privacy laws in several states also contain these sticky provisions, said Joy Pritts, chief privacy officer at ONC, who attended the demo in Baltimore this month during a conference sponsored by Health Level 7. The healthcare standards development organization has produced a classification and coding system to identify and constrain particularly sensitive information; the system was used by the VA and SAMHSA in the demo, as were the ONC's Direct messaging protocols.

In the demonstration, a care summary was exchanged between providers for a patient enrolled in an alcohol and drug abuse treatment program. The VA/SAMHSA system tagged discrete elements of the record “do not re-disclose.”

One missing piece in the automated privacy protection scheme, however, is how to deal with dictated notes containing sensitive patient data. A text document could be constrained by tagging the entire document, Davis said, but that would need to be done by hand, whereas tagging of discrete data can be done by the system, which can sit as a layer between one provider's EHR and another's.

Patients can specify their wishes with computerized consent directives created online at home or on a provider's computer system, he said.

Davis said there is no timeline for rolling out these functions across the VA, but the VA has several pilot sites running where the system is in daily use recording a veteran's simple “yes/no” electronic consent directives for exchange of their records with outside providers.

Pritts said ONC has two additional pilots planned, one with the VA and one with private-sector providers.

“I think this can work for what's called structure data—medications in the medication list, allergies in the allergies list, diagnostic codes in the problem list, lab test results, vital signs—that type of information,” said Daniel Gottlieb, a partner in the Chicago office of McDermott Will & Emery who heads the firm's health information technology and data protection practice.

With the EHR systems used by providers today, “typically the technology doesn't have the capability” to segregate those drugs on a medication list for a common ailment from those drugs to treat another, more sensitive one, such as a psychiatric condition, Gottlieb said.

“That leaves you with two options in the real world,” he said. “One is not to make that medication list available” outside the organization. “Or, you can take the position that providing high-quality care” is the greater good, “and just decide that you're going to accept that legal risk.”

Gottlieb said many providers lean toward the latter, for instance if a patient is taking medication for a psychiatric disorder but also for a chronic condition such as diabetes. “There could be the potential for the adverse reaction between the psychiatric drug and some other drug,” prescribed either in the same hospital or by another provider. “I think most people think avoiding that reaction takes precedent over the privacy concern.”

By Joseph Conn

“Working with the rules: Data tagging allows selective sharing with EHRs,” Modern Healthcare  (September 22, 2012)

Mostashari said the federal government estimates it will pay out around $20 billion in incentives before the program shifts to a penalty in 2015, but there is no fixed budget set in the HITECH Act that mandated the program. The government recently announced it has paid out nearly $7 billion since the program began in 2011.

[See also: "Government EHR incentives near $7B."]
 

The federal health IT czar said he couldn't imagine health IT advancement – which enjoys widespread bipartisan support – losing the backing of Congress after the election, no matter the party in control.

It would be hard to picture Congress cutting or capping the program after doctors and hospitals have made major investments in health IT "on the good word of Congress," he said.

An attendee of the HIMSS Policy Summit – a sort of pep rally for HIMSS members to promote HIT on the Hill – recommended that Congress all be encouraged to use Blue Button to access their personal health data. This would "crystallize quite clearly" where things stand with regard to health IT today. We need more time and support, the attendee said, and Mostashari and other attendees agreed.

Mostashari praised the meaningful use incentive program, noting that "we've made great steps." He predicted that Stage 2, set to begin in 2014, will bring about even more "incredible progress."

The use of electronic health records is "ultimately about population health," Mostashari said. "You have to care more about the people who didn't walk into your door, than those who did." The meaningful use program is intended to go from measuring quality at the start, to accounting for population health. "That's why doctors are doing what they're doing, [and] that's why we're doing what we're doing," he said of federal regulators.

At a visit to the Cleveland Clinic recently, Mostashari said he observed health data exchanged between the clinic and other local facilities, using compatible coding that transferred the data easily. "They do it all day, every day," he said. "So don't tell us that exchange isn't happening."

[See also: "Stage 2 MU released at last."]

Two years ago, the industry wasn't there, he said of health information exchange. The patient information wasn't packaged and ready to code medications and lab reports in the same record. But things have changed, Mostashari added. He praised the industry and the  marketplace for pushing it forward.

The industry came together with a consensus and pilots and working groups, which resulted in the meaningful use Stage 2 rule, Mostashari said. "We're light years ahead of where we could possibly have been in Stage 1," he added, noting that he believes meaningful use Stage 2 will necessitate a push from the industry for health information exchange standards.

It will be important in the near future to tap into "the biggest underused resource – the patient," Mostashari said. Providers will have to "be sticky," and attract patients to their services because patients will no longer be limited to the provider that holds their health information.

Said Mostashari, speaking to doctors as a doctor: "We have to make them want to come to us."

By Diana Manos, Senior Editor

“Mostashari: No cap on EHR incentive payouts,” Healthcare IT News (September 13, 2012)

1. Establish a board Risk Committee separate from the Audit Committee and assign it responsibility for enterprise risks, including IT risks. Recruit directors with security and IT governance and cyber risk expertise.
2. Ensure that privacy and security roles within the organization are separated and that responsibilities are appropriately assigned. The CIO, CISO/CSO, and CPO should report independently to senior management.
3. Evaluate the existing organizational structure and establish a cross-organizational team that is required to meet at least monthly to coordinate and communicate on privacy and security issues.  This team should include senior management from human resources, public relations, legal, and procurement, as well as the CFO, the CIO, CISO/CSO, CRO, the CPO, and business line executives.
4. Review existing top-level policies to create a culture of security and respect for privacy.  Organizations can enhance their reputation by valuing cyber security and the protection of privacy and viewing it as a corporate social responsibility.
5. Review assessments of the organization’s security program and ensure that it comports with best practices and standards and includes incident response, breach notification, disaster recovery, and crisis communications plans.
6. Ensure that privacy and security requirements for vendors (including cloud and software-as-a-service providers) are based upon key aspects of the organization’s security program, including annual audits and control requirements. Carefully review notification procedures in the event of a breach or security incident.
7. Conduct an annual audit of the organization’s enterprise security program, to be reviewed by the Audit Committee.
8. Conduct an annual review of the enterprise security program and effectiveness of controls, to be reviewed by the board Risk Committee, and ensure that identified gaps or weaknesses are addressed.
9. Require regular reports from senior management on privacy and security risks.
10. Require annual board review of budgets for privacy and security risk management.
11. Conduct annual privacy compliance audits and review incident response, breach notification, disaster recovery, and crisis communication plans.
12. Assess cyber risks and potential loss valuations and review adequacy of cyber insurance coverage.

“Boards Are Still Clueless About Cybersecurity,” Forbes (May 16, 2012).

"Governance of Enterprise Security: CyLab 2012 Report -- How Boards and Senior Executives Are Managing Cyber Risks" by Jody Westby, Carnegie Mellon CyLab (May 16, 2012) 

C. Sue Reber, spokeswoman for one of the five, the Chicago-based CCHIT, said the news came in a conference call with the ONC on Tuesday.

In July, all five organizations were accredited by the American National Standards Institute as certification bodies and by the National Voluntary Laboratory Accreditation Program as accredited testing laboratories for EHR systems.

Back in January 2011, the ONC published a final rule creating permanent and separate EHR testing and certification programs for the incentive payment programs run by Medicare and state Medicaid agencies. The permanent programs replace a temporary testing and certification regime set up to get the EHR incentive program off the ground. Under the temporary program, EHR testing and certification functions were combined and performed by the same organizations.

Under the new regime, it is still possible for the same organization to perform both testing and certification, but the procedures to receive authorization to do both are now separate, and the organizations must maintain a "firewall" between those functions, according to the ONC, which has an explanation of the program on its website.

CCHIT will continue to offer testing and certification services under the temporary program until the Oct. 4 effective date of the permanent program, and after that will continue to test and certify systems under the initial, Stage 1 certification criteria.

New testing and certification criteria for what's being called the 2014 edition were released in a new final rule by ONC last week. CCHIT said it would incorporate those new criteria into its programs "as soon as ONC releases approved testing procedures," which are expected to be available at the end of the year.

"Five groups named permanent EHR certifiers", Modern Healthcare (August 29, 2012)

So the new ONC guide, which seeks to offer a comprehensive, easy-to-understand resource to help providers incorporate robust privacy and security routines into their clinical workflow, comes at a crucial time.

Developed by OCPO in partnership with the American Health Information Management Association (AHIMA) Foundation, the 47-page guide offers detailed guidance on topics such as security risk analyses and management tips, and working with EHR and health IT vendors.

The guide also offers a 10-step plan for reinforcing privacy and security protections before attesting for meaningful use:

1. Confirm your organization is a covered entity. Most healthcare providers are covered entities, and thus, have HIPAA responsibilities for individually identifiable health information. The Department of Health and Human Services offers tools that can help you confirm your organization's status.

2. Provide leadership. Emphasizing the importance of protecting patient information to all your employees is central to ensuring a culture where security is treated with the importance it deserves.

3. Document your process, findings and actions. The Centers for Medicare & Medicaid Services (CMS) advises all providers attesting for meaningful use to retain all relevant records that support attestation. Record all your practice decisions, findings and actions related to safeguarding patient information.

4. Conduct security risk analysis. A security risk analysis – or a reassessment, if you've already done one – compares your current security measures to what is legally and pragmatically required to safeguard personal health information, and identifies high priority threats and vulnerabilities.

5. Develop an action plan. Using your risk analysis results, discuss and develop an action plan to mitigate the identified risks. The plan must have five components, the guide notes: administrative, physical, and technical safeguards; policies and procedures; and organizational standards.

6. Manage and mitigate risks. Begin implementing your action plan. Develop written and up-to-date policies and procedures about how your practice protects personal health information. Do not lose sight of basic security measures, some of which can be low-cost and highly effective.

7. Prevent with education and training. To safeguard patient information, your workforce must know how to implement your policies, procedures, and security audits, according to ONC. HIPAA covered providers must train their workforces (employees, volunteers, trainees, and contractors) on your policies and procedures. Staffs must receive formal training on breach notification.

8. Communicate with patients. Your patients may be concerned about confidentiality and security of their health information in an EHR, the guide points out. Emphasize the benefits of EHRs to them as patients, perhaps using consumer education handouts that others have developed, and reassure them that you have a system to proactively protect their health information.

9. Update business associate agreements. Ensure your business associate agreements require compliance with HIPAA and HITECH breach notification requirements. This will require your business associates to safeguard protected health information they get from your practice, train their workforce, and adhere to breach notification requirements.

10. Attest for the security risk analysis meaningful use objective. Only apply for an EHR incentive program once you'd fulfilled the security risk analysis requirement and have documented your efforts, the ONC guide emphasizes, pointing out that when you attest to meaningful use, it is a legal statement that you have met specific standards, including that you protect electronic health information. Participants in the EHR Incentive Program can be audited.

Beyond HIPAA and HITECH, ‘ensuring privacy and security of health information, including information in electronic health records, is a key component to building the trust required to realize the potential benefits of electronic health information exchange,’ the ONC guide notes. ‘If individuals and other participants in a network lack trust in electronic exchange of information due to perceived or actual risks to electronic health information or the accuracy and completeness of such information, it may affect their willingness to disclose necessary health information and could have life-threatening consequences.

Access the ONC Guide to Privacy and Security of Health Information here.

“ONC privacy and security guide offers 10 steps for MU,” Healthcare IT News (May 9, 2012)

These cases also demonstrated that OCR will investigate a breach regardless of the organization's size or reach. In fact, smaller practices should pay particular attention to these developments because a recent study showed that smaller healthcare providers are more likely to suffer a breach because their Internet and sharing practices are not likely as secure as those implemented at large healthcare provider organizations.

Basic compliance with HIPAA and the related regulations is, of course, required, but it is not a panacea. A study by the American National Standards Institute found that insufficient funding and lack of managerial support were among the key causes of security breaches of protected health information.

A HIMSS/Kroll study showed that while most of the surveyed healthcare providers are compliant with the applicable laws, regulations, and industry standards, significant security challenges remain. Employees' compliance with the organization's policies was the primary concern, reported by nearly half of all respondents to that survey. Constant evolution of tech devices and the way doctors and patients interact using such devices is another huge challenge, since regulations cannot keep up with the exponential rate of change in this market.

Finally, the HIMSS/Kroll study showed that healthcare providers are also concerned about third parties (e.g., contractors, business associates, et al) who have access to such providers' patient information. As we have written previously, it is absolutely crucial to have the right contractual protections in your license and services agreements with such third parties, including indemnification or cost reimbursement provisions in the applicable Business Associate Agreements. A hacker or an intentional theft or disclosure by an employee may be difficult to control or prevent; but each healthcare provider can protect themselves contractually for the costs associated with a data breach, if such such breach was caused by the negligence of a business associate or a third party contractor.

Ed Shay believes one of the reasons could be the controversy regarding the "harm threshold" element of the rule, which we discussed earlier this year.  This "harm threshold" essentially requires the organization which discovers a breach to undergo a risk assessment test to determine whether a breach would cause "significant harm" to the affected person.  According to Ed:

Apart from the politics of the IFR, there is the underlying reality of asking the industry to reach reasonably consistent determinations on risk of harm. I am sure many on this list have now been through the exercise of evaluating risk of harm, an exercise which leave room for a wide range of judgment in my opinion. Some covered entities will over-report, others will under-report [especially when reporting a 500+ breach may invite a large penalty for the underlying unauthorized use or disclosure. I think that he guidance on what goes into the risk of harm analysis is quite limited, even when one pursues the reference to the OMB circular, or state law which varies greatly on what constitutes reputational harm. Based upon almost one year of reported HIPAA breaches that have very likely been compared by OCR to breaches reported under state laws in states with no risk of harm proviso, OCR may be finding that a lot that OCR expected to be reported is not being reported--with the inference being that risk of harm has proven too judgment dependent in its implementation.

If risk of harm is not the issue, then I would offer that finalizing subcontractor BAs would have to precede finalizing breach notification. If subcontractor BAs survives the proposed rule, then reporting upstream has to be addressed in final breach notification rules.

You can find HHS's brief press release on the subject by clicking here.

In the first instance,

an unidentified radiology technician accessed 204 records for 177 patients between Jan. 10, 2009, and Feb. 22, 2009, without having a clinical reason to do so. The investigation report doesn't indicate whether the employee used the information she got or contacted the patients.

In a second investigation, inspectors found that a medical imaging department employee allowed a friend who was visiting her into a restricted access room where the employee worked. The visitor could overhear patients discuss their personal information with the employee, a report states.

This should serve as an important reminder about the far-reaching nature of medical information privacy laws -- both federal and local.  California has a particularly strict medical privacy law, enacted in 2008.  Breach does not mean just a lost laptop, hacking or intentional access of a celebrity's records, as we saw last year in California.  It could be a wide range of activities, and hospitals and other providers should pay close attention to the fast-changing regulatory environment, create or modify their policies and procedures accordingly and, perhaps even more crucially, train their staff to comply with such necessary policies and procedures.

"Missing records on stolen laptop from Cincinnati Children's Hospital," Cincinnati.com (May 28, 2010).

"SB hospital fined $325,000 for breach of patient records," Press-Enterprise (June 10, 2010).

"Large Patient Information Breaches List Nears Century Mark," Health Leaders Media (June 16, 2010).

Since most personal health information is already protected by HIPAA, including as modified by the HITECH Act, medical associations argue that the additional privacy safeguards imposed by RFR are simply not necessary.  In addition, the American Bar Association succeeded in excluding lawyers from RFR requirements.  Physicians argue that the exemption of lawyers should apply to healthcare professionals.

We will keep you posted regarding any developments in this case.  However, until the court rules on the AMA's motion, healthcare organizations should remember the June 1, 2010 enforcement date for the Red Flags Rule.  Click here for more information regarding the RFR requirements, but keep in mind the new enforcement date of June 1, 2010.

"Lawsuit: Red Flags Rule Violates Doctor/Patient Relationship," Health Data Management (May 21, 2010).

• U.S. Senate passed a bill which, if approved by the House and signed by the President, would limit the definition of "hospital-based" eligible professionals to just those practicing in an inpatient or emergency room hospital setting.  If passed, this change would make the Medicare and Medicaid EHR incentive payments available to a far wider range of eligible professionals.

• CCHIT may be getting some competition from the Drummond Group, which announced plans to become an ONC-authorized certifying body of EHR technology (ONC-ATCB).

"U.S. Senate backs expanded physician eligibility for MU," HealthImaging.com (March 11, 2010).

"Drummond Group in EHR testing for the 'long term'," Healthcare IT News (March 12, 2010).

"Patient Billed for Liposuction as Medical Theft Rises," Bloomberg.com (March 23, 2010).

"As health data goes digital, security risks grow," Computerworld.com (March 22, 2010).

"EMR meaningful use rules warrant gradual approach," American Medical News (March 17, 2010).

• According to Washington Technology, HHS is looking for a contractor to research the effectiveness of "de-identifying" PHI:

Under this new contract, HHS will research re-identifying the data and matching it to a specific individual.

'The contractor shall take one or more HIPAA Privacy Rule de-identified data sets and, using methods and technologies that exclude 'brute force' matching, demonstrate the ability or inability to re-identify the data,' the notice states.

The re-identification must be an accurate and unambiguous match to an individual.

"Former UCLA Health Worker Pleads Guilty To Accessing Celebrities' Medical Records," LA Weekly (January 8, 2010).

"Delaware crime: Trash-picking identity theft targets pharmacy customers," Delaware Online (January 6, 2009).

"HHS wants contractor to test privacy of 'anonymous' data," Washington Technology (January 5, 2010).

The Times article also touches on a few other important areas of concern for privacy advocates:  the effect of widespread adoption and use of electronic health records (EHR's) and personal health records (PHR's) on privacy and security of patients' protected health information.  

Interestingly, the article notes that while "Microsoft and WebMD acknowledge that the privacy rules in the stimulus law apply to them," "Google says the law’s prohibitions do not apply to it, except for its duty to report any breaches of medical privacy."  According to a Google spokeswoman, "Google is bound by the privacy policy that people agree to when they sign up."  Right after the enactment of the Recovery Act, Google claimed that the additional privacy rules included in the ARRA did not apply to its PHR products.  However, Google acknowledged the applicability of ARRA's data breach notification requirements a few months thereafter.  This quote in the Times may reintroduce, if not underscore, Google's ambiguous attitude toward applicability of the new privacy and security rules.

"And You Thought a Prescription Was Private," The New York Times (August 9, 2009).

The doctor's office was also wrong about refusing to fax the test results to the patient, claiming it would violate patient confidentiality and potentially compromise the privacy and security of her information.

But under HIPAA, sending health information by fax is not prohibited. In addition, the law states that the provider must give patients the information they ask for in the format they request.

The full article is available here.

"Those Medical Tests Are Yours," Los Angeles Times (July 27, 2009).

• This Business Week article analyzes the various data privacy and security concerns facing health care providers and patients alike.  ("Putting Patient Privacy in Peril?", Business Week, April 6, 2009.)
• The New York Times reports that New York-Presbyterian Hospital became "the first large institution to move beyond the pilot stage this week as it begins to offer consumer-controlled health records for patients... New York-Presbyterian has been working with Microsoft for more than a year, not only on technical matters but also ease-of-use concerns with patients. The introduction will be gradual, beginning with heart patients, who will be told of the potential benefits of personal health records when they visit a New York-Presbyterian hospital or outpatient clinics."  Once again, it would be very interesting to find out if NYB and Microsoft signed a Business Associate Agreement, or if Microsoft acknowledged whether it is now subject to certain privacy and security provisions under HIPAA.  ("A Hospital Is Offering Digital Records", New York Times, April 5, 2009.)