By Adam H. Greene
The new audits will look little like the old ones, with OCR conducting the audits itself and focusing on more high-risk areas, abandoning on-site visits, and potentially integrating audits into OCR's formal enforcement program. To prepare, we suggest that covered entities and business associates consider the following steps:
By Adam H. Greene
Be sure to check out our recent advisory discussing the latest HIPAA guidance on mental health information. It discusses how the Department of Health and Human Services addresses frequently asked questions about when it is appropriate for providers to share protected health information of a patient who is being treated for a mental health condition with family, friends, or others involved in the patient’s care. The guidance was issued in order to clarify how the HIPAA Privacy Rule operates to strike a balance between protecting individuals’ privacy of mental health information and the need to communicate information to others in order to enhance treatment and assure safety. You can read the advisory here.
HIPAA compliance ended with a bang in 2013, with the feds issuing the first settlement involving a health provider’s failure to have breach notification policies and procedures in place. On Dec. 24, 2013, the Department of Health and Human Services Office for Civil Rights (OCR) entered into a Resolution Agreement with Adult & Pediatric Dermatology, P.C. (AP Derm) that included a settlement of $150,000 and a corrective action plan.
By Adam Greene
Just in time for the September 23, 2013, deadline for compliance with the HIPAA Omnibus Rule, the U.S. Department of Health and Human Services (“HHS”) issued a set of model notices of privacy practices for health care providers and group health plans, available at http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html. HIPAA requires covered health care providers and health plans to post, distribute to enrollees and new patients, and make available to everyone such a notice. Business associates of covered entities, who are subject to certain HIPAA privacy and security requirements, are not required to maintain a notice of privacy practices. The new model notices reflect changes required by the Omnibus Rule, but their use is not required and covered entities are free to use notices that they have drafted, so long as they have been updated with changes that the Omnibus Rule requires.
New Advisory Highlights How HIPAA Restricts Covered Entities' Freedom in Responding to Media Requests and Public Complaints
Adam Greene has posted a new advisory discussing Shasta Regional Medical Center’s HIPAA settlement with the Department of Health and Human Services’ Office for Civil Rights, arising out of the Center’s use and disclosure of protected health information in attempting to rebut media reports of alleged Medicare fraud. The advisory spotlights the limits that covered entities face in responding to media requests and public patient complaints. You can access the advisory here.
By: Adam H. Greene
In January 2013, the U.S. Department of Health and Human Services released the HIPAA Omnibus Rule in the Federal Register, the most significant changes to the HIPAA regulations since they were first promulgated. These changes, however, are not yet reflected in the Code of Federal Regulations. For those of you who have been jumping back and forth between the prior codifications of the HIPAA regulations and the more recent HIPAA Omnibus Rule, there is good news. HHS has released an updated version of the HIPAA regulations, which incorporates the recent changes from the Omnibus Rule. The updated regulations are available here, in what HHS calls the “unofficial version.” The official version will not be available until title 45 of the Code of Federal Regulations is updated, likely in October.
Be sure to spend some time with our advisory summarizing and providing guidance on the long-awaited “Omnibus Rule” amendments to the administrative simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA), which the Department of Health and Human Services (HHS) published today in the Federal Register. The advisory explains how the Omnibus Rule implements many privacy and security provisions in the Health Information Technology for Economic and Clinical Health (HITECH) Act and significantly extends HIPAA’s reach and limits. It expands certain HIPAA obligations to business associates and their subcontractors, modifies the breach notification standard, expands patient rights to access and to restrict disclosure of their protected health information (PHI), imposes new rules governing uses and disclosures of PHI, clarifies enforcement approaches, and addresses obligations under the Genetic Information Nondiscrimination Act of 2008 (GINA). The advisory also offers recommendations for steps covered entities should consider in the wake of the Omnibus Rule, and discusses the steps business associates and their affiliates must now take under HIPAA. You can access the advisory here.
At long last, after much delay and speculation, the HIPAA Omnibus Rule has been placed on display at the Federal Register in preparation for formal publication. The rule clocks in at 563 pages, and we have to admit that we have not yet fully analyzed it, but it is expected to address:
• The breach notification harm threshold
• Direct liability for business associates
• Covered entity liability for business associates who are agents
• Sale of “protected health information” or “PHI”
• Use and disclosure of PHI for marketing purposes
• Use and disclosure of PHI for fundraising
• Enforcement where noncompliance is due to “willful neglect”
• Use of compound authorizations for research and authorization of future research
• Restrictions on disclosure of PHI to health plans when patient pays out of pocket
• Use and disclosure of genetic information for underwriting purposes by health plans
• Disclosure of student immunization records to schools
We will provide more information in a DWT alert and can address your particular issues after we have had an opportunity to review and analyze the rule.
In what HHS declares as “the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals,” the Office for Civil Rights (OCR) reached a $50,000 settlement and two-year corrective action plan with the Hospice of Northern Idaho regarding the theft of a hospice laptop containing health information of 441 patients. (Only in the world of HIPAA can you have “unprotected … protected” information.) OCR’s press release, continuing a recent trend, emphasized the importance of encrypting mobile devices, conducting a risk analysis, and implementing policies and procedures to address mobile device security.
The press release also emphasizes that OCR is willing to take aggressive actions against entities of any size that fail to safeguard patient information. The $50,000 resolution amount, though, is far below the average of approximately $900,000, suggesting that the size of the organization will play a much larger role than the nature of the incident when determining settlement amounts. For example, OCR recently reached a settlement of $100,000 with a small physician practice for an allegedly widespread lack of information security safeguards, while it reached a $1.5 million settlement with a larger hospital over a relatively small breach and more narrow information security issues.
OCR reportedly has received tens of thousands of small breach reports since the interim final breach notification rule’s compliance date of September 2009. This appears to be the first of such breach reports that has led to a settlement. It raises the question of whether other types of small breaches will lead to settlements, such as cases of employee “snooping.”
One final note is that of OCR’s 11 settlements related to HIPAA, this is the fifth from Region X (Seattle). Although there are 10 OCR regional offices, 45 percent of the settlements have come from the Seattle regional office.
HHS Creates Mobile Device Privacy and Security Website: High Expectations for Mobile Device Security
The U.S. Department of Health and Human Services recently posted a website focusing on mobile devices and health information privacy and security at http://www.healthit.gov/mobiledevices. The website includes five videos on mobile device security, tip sheets and frequently asked questions and answers on mobile device security, a five-step process for addressing mobile devices within a healthcare organization, and downloadable posters promoting mobile security.
Check out our recent advisory describing the New HIPAA Guidance on De-Identifying Health Information. In it, Adam Greene explains that the HHS Office for Civil Rights released guidance on how health information may be de-identified, which allows covered entities and business associates to reduce their exposure to HIPAA and expand their use of health data. The guidance teaches two key lessons – specifically, that health information generally is considered individually identifiable unless certain stringent requirements are met, and that using an appropriate expert can provide ways to de-identify information while retaining important properties that otherwise might be lost through other methods of de-identification. The advisory can be accessed here.
By Adam Greene
The past week has brought a number of developments with respect to HIPAA. The long-awaited finalization of a number of modifications to HIPAA remains on hold, as the Office of Management and Budget posted that it has extended its review of the draft regulations. The HHS Office for Civil Rights (“OCR”), which administers and enforces HIPAA, published the audit protocol that is being used in OCR’s current privacy and security audits. The protocol includes the key areas of the audits, the types of questions that will be asked, and the types of documentation that will be reviewed. The protocol leaves a lot of ambiguity, however, by failing to provide much detail about the standards against which audited entities are judged. Finally, OCR announced a $1.7 million settlement against Alaska’s Medicaid agency. The investigation was triggered by the theft of a portable hard drive that may have contained protected health information, but led to OCR finding allegedly widespread noncompliance with the Security Rule. It shows that no covered entities are immune from a sizable settlement under HIPAA, and that relatively small breaches may unearth large HIPAA problems during the subsequent investigation. More information about these developments is available in a DWT advisory available here.
Over at our Learning Center, be sure to check out the new advisory on the first formal enforcement action against a business associate, Accretive Health, Inc., for alleged violations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), which was brought by Minnesota’s Attorney General under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. The enforcement action comes after the theft of an unencrypted laptop computer containing approximately 23,500 patients' records, and offers stark reminders both that the HITECH Act’s provisions for business associates currently are in effect, and that state attorneys general and the federal Department of Justice are not bound by the U.S. Department of Health and Human Services’ still-effective forbearance from enforcing the HITECH Act in cases like that of Accretive Health. You can read more here.
Nov. 10, 2011, 1:00pm: Enforcement Trends in Health Care with Adam Greene
Over the past couple of years, we have seen a significant increase in enforcement of health care privacy laws at both the federal and state level. On November 10th at 1:00 pm EST, Davis Wright Tremaine’s Adam Greene will be presenting on this topic on a webinar of the International Association of Privacy Professionals. More information, including registration, is available at https://www.privacyassociation.org/events_and_programs/web_conferences/.
On Sept. 19, 2011, the U.S. Department of Health and Human Services (HHS) announced recommendations from an internal Text4Health Task Force on ways in which HHS can best utilize text messaging to improve population health. One of the issues raised by the Task Force is the need for further research and guidance on the privacy and security of health text messaging.
On Sept. 12, 2011, HHS announced the appointment of Leon Rodriguez as the Director of the Office for Civil Rights, the agency responsible for administering and enforcing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security, and breach notification rules. Mr. Rodriguez is coming from the Department of Justice Civil Rights Division, where he served as the Deputy Assistant Attorney General and chief of staff. He has extensive experience as a prosecutor at the Department of Justice, a defense attorney in private practice, and as the county attorney for Montgomery County, Maryland.
This posting has been modified as of Sept. 8, 2011. Audit contracts are now available here.
By Adam H. Greene
In July 2011, DWT issued an advisory on HHS’ recent awarding of a contract to KPMG to conduct HIPAA privacy and security audits, available here. Since that time, we have obtained copies of the audit contracts, available here, and heard from the HHS Office for Civil Rights, shedding some additional light on what covered entities can expect:
• Audits that uncover major violations may lead to formal enforcement;
• The audits will focus on general privacy and security compliance;
• The contractor is expected to precede site visits with advance requests for documentation, thereby providing some level of advance notice;
• Audit teams are expected to consist of three to five persons and site visits are expected to last two to five days; and
• Pilot testing of the audit protocol is likely to begin later this year and proceed through January 2012, with the full round of audits occurring through the remainder of the year.
HHS has announced its fourth HIPAA formal settlement agreement in less than a year (which does not even include the $4.3 million civil money penalty that was also imposed). Adam Greene discusses this new level of HIPAA enforcement, highlights some of the lessons learned from the first settlements, and points to the government's upcoming enforcement opportunities that could bring a new wave of HIPAA headlines. To read more, click here.
Earlier this month, HHS awarded a contract to KPMG to conduct as many as 150 HIPAA privacy and security audits through December 31, 2012. Adam Greene explores the limited information that has been publicly released about these upcoming audits, including a number of questions they raise. The advisory can be found here.
Next up in our series of advisories relating to emerging issues under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), previous installments of which can be found here and here, Adam Greene looks at a recent proposed HIPAA Privacy Rule expansion that would significantly impact financial institutions that serve as "business associates" to HIPAA-covered entities, by potentially requiring them to furnish lists of their employees to those entities’ patients/enrollees. The advisory can be found here.
New Advisory: Incidental Exposure to Health Information May Lead to Substantial HIPAA Exposure for ISPs
Check out our most recently posted HIPAA-related advisory, by Adam Greene and Michael Sloan. It explains how telecommunications carriers and Internet service providers (ISPs) may, without even knowing it, be subject to the privacy, security, and breach notification requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules. It also offers suggestions on how such service providers can start thinking critically about whether they are potentially covered, and other steps they should consider taking. You can find the advisory here.
Dr. Richard Kaye, a former medical director of the Psychiatric Care Center at Sentara Obici Hospital (Suffolk, Virginia), was indicted on June 21, 2011, in the U.S. District Court for the Eastern District of Virginia, on three counts of violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The indictment is significant in that it is the first criminal prosecution under HIPAA premised on communications with a patient’s employer.
The DWT PrivSecBlog is pleased to welcome a new contributor from whom visitors will start seeing posts from time to time, Adam H. Greene. Adam is a veteran health law attorney and former key regulator at the U.S. Department of Health and Human Services, where he played a fundamental role in administering and enforcing HIPAA privacy, security, and breach notification rules, and where his responsibilities included determining how HIPAA rules apply to new and emerging health information technologies.
Posted by Tom Jeffry
Last week, under pressure from privacy rights activists, Vermont Senator Patrick Leahy introduced an amendment to the Wired for Health Care Quality Act [S.1693]. Until then, this bill was nurtured along by proponents of health information networks and was poised to be “hotlined” for unanimous consent without debate in Congress.
The proposed amendment uses language familiar to those of you who have read HIPAA. Terms such as “protected health information” and “notice of privacy practices” appear in both the HIPAA regulations and the proposed amendment. However, the definitions are dramatically different. For example, the proposed amendment to S. 1693 includes genetic and biometric information in the definition of protected health information and expands it to information collected or used by health researchers, schools and universities, and employers. The scope of HIPAA was limited to those traditionally engaged in the delivery of health care such as providers and payers.
Posted by Thomas Jeffry
Intel CEO Paul Otellini was quoted recently in the Financial Times attacking the healthcare industry as "the slowest moving industry in the world" because it was the least penetrated by IT.
Mr. Otellini’s comments follow several post-mortem reports posted last week by Health Affairs discussing the reasons for the demise of the Santa Barbara County Care Data Exchange (SBCCDE) last December. SBCCDE was considered a pioneer for community-based electronic health information exchange (HIE), also known as a regional health information organization (RHIO). In principle, HIEs are intended to create a simple and secure way to electronically share patient data between health care providers, caregivers, and consumers.
Posted by Thomas Jeffry
An interesting development from the American Medical Association is worth noting.
The AMA House of Delegates met in Chicago at the end of June, where it received a report previously requested by that group’s governing body on the medical and ethical implications of the use of implantable radio frequency identification (RFID) microchips in humans. Use of RFID chips in humans was approved by the Food & Drug Administration in 2004. Similar versions of such chips are commonly used to tag pet dogs and cats for identification purposes.
Posted by Peerapong Tantamjarik
While not involving computer hackers, here's a story about an old-fashioned invasion of privacy. The Kansas City Star reported on September 28th that a University of Missouri hospital faces a class-action lawsuit after allegedly releasing confidential medical records for hundreds of patients to a company it hired to solicit business. The suit was filed earlier this year on behalf of approximately 800 patients with liver diseases, including hepatitis C. The complaint alleges that records were turned over by University Hospital's internal medicine chairman to a home health care provider doing business as Option Care, which then allegedly called the patients in an effort to sell them antiviral drugs and keep them in the hospital network. The Option Care nurse who contacted the patients using the list from the hospital stated that the calls were not for solicitation, but for patient safety.