Data mining by hospitals may be profitable, but not risk-free

Posted on February 6, 2012 by Steve Fox and Vadim Schick

The USA Today published a story yesterday about a few hospitals using aggregated consumer data for marketing of such hospitals' most lucrative services. The article describes several instances where such direct marketing efforts yielded significant profits for the hospitals.

We see healthcare providers using aggregated and de-identified data on a regular basis, both for marketing and research purposes. We also see third party vendors (including EHR vendors) adding data mining provisions in their license agreements, which allow such vendors to use the healthcare provider's de-identified patient data for such vendor's internal and commercial purposes.

While these practices are widespread and are becoming standard, they are certainly not risk-free.  Healthcare providers should keep in mind that the updated HIPAA Privacy Rule (as modified by the HITECH Act) includes significant new restrictions on covered entities' marketing efforts. Providers should make sure that their marketing efforts, as well as the marketing activities of their subcontractors and business associates, fully comply with these recent regulations. This may require revisions in existing contracts, including Business Associate Agreements, between providers and IT vendors.

Healthcare providers should also insist on full indemnification by the IT vendors against all claims and damages arising out of such vendor's use of the provider's de-identified patient data. Studies have shown that de-identified data can be aggregated or de-identified inappropriately; and it can also be re-identified. Providers should protect themselves contractually prior to allowing the vendor to access and use the hospital's data (including patient data).

The above is certainly not an exhaustive list of all potential issues associated with data mining by healthcare providers and their business partners. But the USA Today article should serve as a good reminder that healthcare providers engaging in such data mining and marketing activities must protect their organizations from liability for damages relating to such data use.

"Hospitals mine patient records in search of customers," USA Today (February 5, 2012).
  • Print
  • Comments
  • Trackbacks
  • Share Link
Tags: , , , , , , , , , , , , ,

UCLA Health System reaches $865,500 settlement with OCR

Posted on July 7, 2011 by Steve Fox and Vadim Schick

On July 6, 2011, the University of California at Los Angeles Health System (UCLAHS) reached a settlement with HHS's Office of Civil Rights (OCR) regarding UCLAHS's potential violations of HIPAA Privacy and Security Rules. The settlement includes a payment of $865,500 and a corrective action plan (CAP). 

According to the HHS press release, this settlement "resolves two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLAHS. The complaints alleged that UCLAHS employees repeatedly and without permissible reason looked at the electronic protected health information of these patients. OCR’s investigation into the complaints revealed that from 2005-2008, unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients."

We reported on possible privacy violations at UCLA Health System before. Specifically, in May 2010, we wrote about Huping Zhou, a UCLAHS employee who was the first person to receive a criminal conviction for a HIPAA violation. It is not surprising that OCR stressed the importance of training staff in prevention of such privacy violations in the CAP required by the settlement. The CAP "requires UCLAHS to implement Privacy and Security policies and procedures approved by OCR, to conduct regular and robust trainings for all UCLAHS employees who use protected health information, to sanction offending employees, and to designate an independent monitor who will assess UCLAHS compliance with the plan over 3 years."

Via HHS press release:

Through policies and procedures, entities covered under HIPAA must reasonably restrict access to patient information to only those employees with a valid reason to view the information and must sanction any employee who is found to have violated these policies.

<...> Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections. Entities will be held accountable for employees who access protected health information to satisfy their own personal curiosity,” said Director Verdugo.

Covered entities are responsible for the actions of their employees. This is why it is vital that trainings and meaningful policies and procedures, including audit trails, become part of the everyday operations of any health care provider,” said OCR Director Georgina Verdugo. “Employees must clearly understand that casual review for personal interest of patients’ protected health information is unacceptable and against the law.”
  • Print
  • Comments
  • Trackbacks
  • Share Link
Tags: , , , , , , , , , , , , , ,

Cignet Health fined $4.3 million for HIPAA Privacy Rule violation

Posted on February 22, 2011 by Steve Fox and Vadim Schick

Cignet Health, a Maryland health plan and a HIPAA covered entity, has been fined $4.3 million for failing to produce health records upon request to 41 patients, and for failing to cooperate with OCR with the agency's investigation.  This is the very first civil money penalty (CMP) issued by HHS under the HIPAA Privacy Rule.

Via HHS Press Release:

In a Notice of Proposed Determination issued Oct. 20, 2010, OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with OCR, initiating investigations of each complaint. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The CMP for these violations is $1.3 million.

During the investigations, Cignet refused to respond to OCR’s demands to produce the records. Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.

 

 OCR also found that Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule. Covered entities are required under law to cooperate with the Department’s investigations. The CMP for these violations is $3 million.

“Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements,” said OCR Director Georgina Verdugo. “The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.”

Individuals who believe that a covered entity has violated their (or someone else’s) health information privacy rights or committed another violation of the HIPAA Privacy or Security Rule may file a complaint with OCR at http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.

A copy of the Notice of Proposed Determination and Notice of Final Determination can be found at http://www.hhs.gov/ocr/privacy. Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr.

 
  • Print
  • Comments
  • Trackbacks
  • Share Link
Tags: , , , , , , , , , , , ,