John Mulhollan has actively served a variety of business and healthcare clients in Ohio and California, with a particular emphasis on the healthcare industry, for nearly ten years.

Mr. Mulhollan has experience counseling clients in a variety of substantive areas, including healthcare transactions and contractual negotiations involving Medicare and Medicaid fraud and abuse compliance, physician referral compliance under the Stark law and professional and facility licensing. He has assisted both nonprofit and for-profit clients with legal analysis and documentation of healthcare private offerings, joint venture agreements, leases and corporate governance matters in connection with complex transactions. Focused on providing sound, yet practical, advice, Mr. Mulhollan strives to understand and promote each client's healthcare mission by providing legally compliant solutions to the challenges of today's complex healthcare environment.

Mr. Mulhollan has represented large and small healthcare providers such as healthcare systems, individual hospitals and clinics, as well as physicians and ancillary healthcare businesses. The complex transactions he has handled range from single contractual services arrangements to large healthcare mergers and acquisitions. Examples include the acquisition of a county-owned community hospital by a nonprofit health system, shareholder relations and combinations with respect to private physician practices, and compliance and documentation support for a variety of healthcare ventures involving ambulatory surgery, diagnostic imaging and laboratory services. In addition to providing thorough legal analysis of business issues, Mr. Mulhollan is able to guide clients through complex issues ranging from Medicare/Medicaid certification, change of ownership and reimbursement implications of such transactions to detailed analysis and preparation of professional and vendor services agreements. He also provides guidance and support in the areas of operational restructuring of provider, supplier and medical group operations, including the expansion or contraction of services, outsourcing, marketing and development compliance and complex facility and vendor relationships.

Mr. Mulhollan has advised clients on a variety of organizational compliance efforts, including fraud and abuse and Stark law compliance and corporate policy development. He advises clients on physician professional services and on-call arrangements, medical director agreements, physician recruitment, graduate medical education and medical office leasing. Mr. Mulhollan has advised both healthcare and business clients on implementing the many requirements and compliance issues arising under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as compliance with state medical privacy and professional licensing laws.

In addition, Mr. Mulhollan's business practice includes general business advice to healthcare and non-healthcare clients, including mergers and acquisitions, governance, shareholder transactions, professional entity formation and compliance with government regulations.

Mr. Mulhollan is a member of the American, Ohio and Cleveland Metropolitan (Health Law Section) Bar Associations, as well as the American Health Lawyers Association.

Practice Strengths:

  • Privacy and Information Security
  • Healthcare Industry

Education:

  • J.D., The Ohio State University Michael E. Moritz College of Law
  • B.S., The Ohio State University

Bar/Court Admissions:

  • U.S. Court of Appeals, Ninth Circuit
  • U.S. District Court, Northern District of California
  • U.S. District Court, Northern District of Ohio
  • California
  • Ohio

Entries authored by John Mulhollan

OIG Advisory Opinion Approves Referral Payments Under Electronic Health Record (EHR) System

In a significant development impacting the wider electronic health record (EHR) community, the HHS Office of Inspector General (OIG) on December 7 issued an Advisory Opinion (AO 11-18) approving an EHR vendor's proposed transaction fee structure for charging customers that use the vendor's new patient referral ordering system. Although the Advisory Opinion applies only to the specific requestors, the result is viewed favorably by both government and the EHR industry as an initial step in establishing market-based transaction charges for electronic transmission of health information under the nation's developing Health Information Technology (HIT) infrastructure.

Under the proposed arrangement, described as a cloud-based "Coordination Service," the EHR vendor's product would facilitate the electronic transmission of referral requests between so-called ordering (or referring) health professionals and receiving health professionals. Each request would include a variety of supporting information in a standardized format, such as insurance authorization, the ordering health professional's contact information and NPI (National Provider Identifier), the receiving health professional's contact information (a receiving professional who has signed an agreement to participate in the Coordination Service is referred to as a trading partner) and, to the extent needed or available, certain necessary clinical information taken from the patient's EHR, as requested by the receiving health professional.

Three levels of fees are triggered by the service, namely a base transmission fee (capped at $1 per transaction), a functionality fee for recording information and attaching clinical information, and a service fee for benefit eligibility and referral authorization. Ordering health professionals who subscribe to the Coordination Service would receive a discount of up to 35 percent off their current monthly EHR service fees. Receiving health professionals who sign a trading partner agreement (which entitles them to enhanced functionality and information) would be charged the transmission fee; otherwise the ordering health professional would be charged the transmission fee. Receiving health professionals that are trading partners also would be assessed the functionality fee and, if applicable, the service fee; these services are not available if the receiving health professional is not a trading partner.

In the Advisory Opinion, the OIG stated that "the efficient exchange of health information between Health Professionals is a laudable goal" but that when "the [information] exchange takes place in the context of referrals, we must evaluate whether the means used to achieve that goal implicate the anti-kickback statute." First, the OIG found that the transmission fee, other related service fees and the discount from the EHR service fees offered to ordering health professionals, would not violate the anti-kickback statute because the fees were not offered or received in return for the referrals, nor for the right to be included in the EHR vendor's "network" of health professionals participating in the Coordination Service (which is open to any professional signing a trading partner agreement). Second, the OIG found that the three types of transaction fees were consistent with fair market value because they were unrelated to inducing the actual referrals and were determined in a manner that did not vary based on the value of the items or services that a receiving health professional might ultimately provide to federal healthcare program beneficiaries. Third, the transmission fee, charged on a "per-click" basis, was reasonable since it was charged on each transaction regardless of whether a patient actually received services from the receiving health professional.

The other fees were reasonable because they were related to the value-added services provided and were distinguishable from so-called "success fees" that are directly or indirectly tied to federal healthcare program payments. Further, the OIG concluded that the transaction fees would be unlikely to materially influence providers' referral decisions, were expressly intended to facilitate the permissible purpose of exchanging information and would not necessarily result in preferences in referrals by health professionals, which are based on a variety of other factors (although the added convenience and ease of information exchange was recognized as an advantage that trading partners would receive over nontrading partners).

Therefore, the OIG concluded that, in the absence of any requisite intent to pay for, or induce, the referral of federally reimbursed items and services, no penalties under the anti-kickback statute or civil monetary penalties law would be applied to the proposed arrangement.

As a result of the favorable outcome in this proposed arrangement, industry experts predict that the development of fair market value transaction fees for electronic information exchange under the growing variety of EHR systems will be significantly advanced.

Minnesota A.G. Files Lawsuit Against "Infused" Business Associate for Loss of Patient Data Stored on Laptop; Use of Patient Data Without Full Disclosure

In perhaps the first widely publicized action taken against a "business associate" (as defined under the Health Insurance Portability and Accountability Act (HIPAA) and privacy and security regulations thereunder), the Minnesota Attorney General (AG) on January 19 filed a civil lawsuit in federal court against Accretive Health, Inc., for alleged violations of HIPAA, as well as alleged violations of that state's medical privacy law and consumer debt collection practices laws. Minnesota v. Accretive Health Inc., D. Minn., No. 12-145, filed January 19, 2012. The lawsuit arises from the loss by an Accretive employee of a laptop containing several thousand records that included the individually identifiable health information of patients from Accretive's hospital customers. The action is filed under the powers granted to state attorneys general under HITECH provisions that expanded the enforcement powers and civil penalties available for violations of HIPAA.

Accretive Health Inc., the business associate and defendant in the lawsuit, was engaged by two hospitals to perform revenue cycle management services, including a so-called "Quality and Total Cost of Care" service agreement that is alleged to have included intensive management of a hospital's entire revenue cycle process (from patient admissions and registrations, to care coordination, to back office collections of patient receivables), for a fee that included a share of "incentive payments" received by the hospital from payors in return for achieving certain cost savings and quality measures. According to the complaint, management of the hospitals' revenue cycles was performed through so-called "infused employees" of Accretive working on-site in various departments of the hospitals. The patient data was lost when a laptop containing data of approximately 17,000 to 23,000 patients allegedly was stolen from the back seat of a vehicle of an Accretive employee while parked at a local restaurant.

In the lawsuit, the AG alleges that the business associate failed to take adequate security precautions, such as encryption of the data on the lost laptop, to protect the patient information on the device. The information included patients' names, addresses, phone numbers, Social Security numbers and certain clinical information, including information related to chronic conditions such as mental health and HIV/AIDS conditions. Further, the AG alleges that the business associate violated the Minnesota Health Records Act and various state consumer fraud and deceptive practices acts by, among other things, failing to disclose to the hospital patients its extensive role in the hospitals' revenue cycle process, its role as a debt collector and its role in the proactive management of patient care, including the incentive payments based on the hospital's cost savings.

While the remedies available to the AG in this case under HIPAA and the HITECH Act are limited to $25,000 per year, compared to the $1.5 million that the federal government could impose for violations, the defendant in this case, if found to have violated the consumer protection and debt collection agency laws, could face significant financial liability and negative effects on its business reputation. This new enforcement action highlights not only the risks inherent in failing to protect patient data that leads to a privacy breach, but also reveals the underlying scrutiny that will be applied to a business associate's business practices as a result of a data breach. Following actions filed against covered entities in Connecticut and Vermont, this case may portend a new trend of enforcement against HIPAA business associates. Stay tuned...

See the AG's complaint.

Ohio Appeals Court Rejects Claim of Wrongful Disclosure of Medical Information Under Biddle v. Warren General Hospital - Upholds Lack of Private Cause of Action Under HIPAA

In an opinion announced on January 10, 2012, the Ohio Tenth District Court of Appeals, in Columbus, Ohio, held that a hospital’s use of a patient’s individually identifiable health information (PHI) for obtaining payment of a patient’s account was a valid use of PHI for payment purposes under the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (“HIPAA”), and rejected the patient’s claim that disclosure of the patient’s PHI was a wrongful disclosure of medical information under Biddle v. Warren General Hospital, Ohio’s seminal case that established a personal injury tort for wrongful disclosure of confidential medical information.

In OhioHealth Corp. v. Ryan, No. 10AP-937, 2012-OH-60 (10th Dist. App., January 10, 2012), OhioHealth filed a legal action against Ryan, a former patient, to recover on an account for unpaid medical services. The defendant Ryan denied the allegations of the complaint and filed a counterclaim against OhioHealth alleging that OhioHealth created false PHI by claiming that Ryan was uninsured, and that OhioHealth engaged in unauthorized disclosure of said information to a third party. Ryan asserted that under Biddle v. Warren Gen. Hosp., 86 Ohio St. 3d 395 (1999), OhioHealth disclosed, without authorization or privilege, nonpublic medical information of Ryan obtained in a confidential relationship. OhioHealth countered that, as a “covered entity” under HIPAA, its actions were governed by HIPAA’s privacy regulations that specifically authorize disclosure of PHI for purposes of obtaining payment for services, and which preempt contrary state laws (and that no exceptions to state law preemption applied). The trial court granted OhioHealth’s motion to dismiss the patient’s counterclaim on the basis that the disclosure of PHI at issue was indeed permitted under HIPAA and therefore constituted an authorized, privileged use of medical information under the Biddle case. After additional motions for summary judgment and dismissal, the trial court issued a judgment entry finding there were no genuine issues of material fact remaining for trial and held defendant Ryan liable on the unpaid account. Defendant Ryan appealed both the dismissal of the counterclaim, and the judgment entry on the unpaid account.

Appellate Court Finds Biddle Case Inapplicable to Privileged Use of PHI for Payment

The Ohio Tenth District Court of Appeals, in addressing defendant Ryan’s first assignment of error, found that (a) Biddle v. Warren Gen. Hosp. was distinguishable from the instant case because OhioHealth’s disclosure of Ryan’s account information was a protected or “privileged” disclosure, meaning it was legally permitted under HIPAA without obtaining the patient’s consent, and that (b) no private right of action exists under HIPAA, which is the dispositive authority in the case. First, assuming that the Biddle case did apply, the Court found the disclosure in the present case was authorized by HIPAA for payment purposes, thus rendering the disclosure by OhioHealth permissive and not wrongful or unauthorized under Biddle. Further, the disclosure involved account information, and not the entire medical records of the patient, as was the case in Biddle. Second, the Court reasoned that the federal HIPAA law generally preempts or supersedes state laws that are contrary to its requirements, unless such state laws impose requirements that are more stringent than HIPAA (citing 45 C.F.R. § 160.202(6) and § 160.203(b)). The Court found that defendant Ryan failed to cite any Ohio authority more stringent than HIPAA. Third, and significantly, the Court of Appeals recognized that, even if there was a wrongful disclosure under HIPAA, there is no private right of action under HIPAA, as recognized by several federal district courts in Ohio on prior occasions. Ryan therefore had no ability to bring an action under HIPAA in court. Thus, given the privileged, authorized disclosure of information by OhioHealth under HIPAA, and absent any more stringent state law requirement, the defendant was unable to establish a claim that OhioHealth engaged in the tort of wrongful disclosure of nonpublic medical information obtained in a confidential relationship under Biddle v. Warren General Hospital.
The Court of Appeals upheld the dismissal of the defendant’s counterclaim against OhioHealth, and upheld the trial court’s summary judgment in favor of OhioHealth on the patient’s past due account.

Update: Final HITECH Act Regulations Amending HIPAA Privacy And Security Will Be Published In 2012

During 2011, informal indications were given by the HHS Office of Civil Rights (OCR) and various industry experts that the final HITECH Act regulations amending the HIPAA privacy and security regulations would be published by the end of 2011. However, as of January 6, 2012, the regulations continue to be delayed, due to the numerous comments and policy questions being reviewed and addressed by OCR and other Health Information Privacy officials within HHS. Reasons for the lengthy time period for the HITECH Act regulations include the numerous policy reviews conducted by HHS, and the need to formulate responses to many of the over 300 comments received in connection with the Proposed Rule published in the Federal Register on July 14, 2010 (75 Fed. Reg. 40868). Although no specific month or day has been announced for publication of the final HITECH Act regulations in 2012, healthcare providers, health plans and clearinghouses should be prepared for publication of the final regulations sometime this year, and expect a few weeks or months of delayed enforcement to enable subject entities to transition to any new requirements.

Additionally, policy reviews are still being conducted by HHS OCR with respect to the Interim Final Rule for breach notification under the HITECH Act, which is found at 45 C.F.R. part 164, subpart D. It is not clear whether the breach notification regulations will remain unchanged, or whether revisions will be announced along with the HITECH Act final regulations.

Despite the continued delay in the final HITECH Act regulations, covered entities and business associates that are reviewing, implementing and updating their HIPAA privacy and security policies and procedures should continue to do so with diligence. The HIPAA regulations require periodic evaluation and updating of policies and safeguards, to address a changing healthcare environment and evolving privacy and security threats. Further, OCR is currently in the process of conducting HIPAA privacy and security audits of covered entities, as required under HITECH Act, notification of which began in November 2011. Covered entities should keep in mind that the HIPAA Security Standards took effect for most covered entities in April of 2005. For business associates, under the HITECH Act, the HIPAA Security Standards became directly applicable to them in February 2010. Similarly, the HITECH breach notification interim final rule, referred to above, became actively enforced in February 2010. Covered entities and business associates should consider finalizing any updates to their privacy and security policies, procedures, safeguards and documentation, and revisit these later in the year for any adjustments needed when the final HITECH Act regulations are published.

HIPAA Audits ARRA Coming! Is your PHI Secure?

In the growing world of RAC audits, Voluntary Disclosure Protocols, IRS Form 990 disclosures, “Never Events” and HIPAA breach notifications, there is a new kid on the block in the area of federal audit and oversight for health care providers, health plans and their business associates under the health information privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). During the next 18 months, HIPAA privacy and security audits mandated under the American Recovery and Reinvestment Act of 2009 (“ARRA”) will be conducted by the Office of Civil Rights (“OCR”) through an audit contractor, it was announced on June 10, 2011. The Department of Health and Human Services (“HHS”) awarded a $9.5 million contract to the KPMG accounting firm to “assist OCR in operating an audit program that effectively implements the statutory requirement to audit covered entity and business associate compliance with the HIPAA privacy and security standards as amended by ARRA.” KPMG was awarded the contract one day after another contract had been awarded to Booz Allen Hamilton to conduct the “audit candidate identification” intended to identify the universe of covered entities and business associates subject to potential audit under this program.

Under Section 13411 of the Health Information Technology for Economic and Clinical Health Act, a part of ARRA (“HITECH”), HHS, through its Office of Civil Rights, is directed to conduct such audits for purposes of determining compliance with the privacy and security regulations under HIPAA. Until now, the OCR has focused primarily on the investigation of alleged privacy and security violations in response to complaints, and has conducted a limited number of compliance reviews of covered entities, typically in response to publicized incidents. The new audits will expand OCR’s activities in compliance enforcement and will raise the stakes for entities that have failed to appropriately implement HIPAA privacy and security safeguards.


Proposed Rule Would Change HIPAA Accounting of Disclosures - Covered Entities Will Continue to Face Significant Technical Challenges

On May 31, 2011, the U.S. Department of Health and Human Services (HHS) published a proposed rule adopting sweeping changes to the "accounting of disclosures" requirement under 45 C.F.R. § 164.528 that are likely to have a significant impact on the health information technology (HIT) systems being implemented by many healthcare providers, health plans (including employer-sponsored plans) and business associates. The proposed requirements will not become final until after comments are received and evaluated and a final rule is published by HHS later this year or next. Therefore, healthcare providers, health plans (including employers sponsoring health plans) and business associates should take this opportunity to carefully review the proposed rule's provisions, send comments to HHS and consider the systematic changes that may be necessary when the rule becomes finalized.

The proposed rule changes the existing Health Insurance Portability and Accountability Act (HIPAA) accounting requirement in two very significant ways. First, it revises the accounting requirement to shorten the time period covered by the regulation to the three-year period prior to the request (previously six years) for all disclosures of protected health information (PHI) (paper and electronic), while removing certain exceptions, including those for disclosures related to treatment, payment and healthcare operations. Second, in the interest of balancing the rights of individuals to learn about disclosures of their PHI with the burden to covered entities of providing detailed accounting reports, the proposed rule creates a new “access report” requirement which enables covered entities to provide only the date, time and identity of the person who accessed an individual’s electronic PHI, but does not require tracking or reporting the purpose of the disclosure as required under the existing accounting requirement.

Existing HIPAA Accounting Requirement Expanded by HITECH Act

Under the existing HIPAA privacy regulations, individuals are entitled to receive an “accounting” of all disclosures of PHI made by the covered entity, including those through its business associates, for the six years preceding the individual's request, excluding certain permissible disclosures, the most significant of which are (1) for treatment, payment and healthcare operations; (2) disclosures to the individual about him or her; and (3) disclosures to law enforcement. 45 C.F.R. § 164.528(a)(1). The accounting is required to be furnished to the individual no later than 60 days after receiving a written request.

When Congress passed the Health Information Technology for Economic and Clinical Health Act (HITECH Act), part of the stimulus legislation known as the American Recovery and Reinvestment Act of 2009, it instructed HHS to adopt an accounting requirement specifically related to “electronic health records” (EHRs) by requiring the accounting of disclosures from an EHR to include all disclosures, without excluding those made for treatment, payment and healthcare operations and shortening the time period covered by an accounting of disclosures from an EHR to three years instead of six (paper records still would be subject to a six-year accounting period). The HITECH Act directed HHS to issue regulations by not later than June 18, 2010.

The changes put forth by HHS in the May 31 proposed rule go significantly beyond the requirements of the HITECH Act, but HHS asserts they are consistent with the major purpose of the Act which was to apply the accounting requirement to electronic PHI in an EHR.

Revisions to the Accounting of Disclosures of PHI Under § 164.528

Healthcare providers, health plans and employer-sponsored health plans may welcome some of the changes being proposed to the existing accounting of disclosures requirement, while finding other changes more burdensome. HHS proposes to shorten the time period covered by a request for an accounting to just three years, regardless of whether the records are paper or electronic. This should enable covered entities to apply accounting procedures consistently across all types of PHI. Additionally, HHS has chosen to focus more attention on accounting of disclosures that are presumed to be most important to individuals by removing some disclosures from the requirement, while adding specific requirements for other categories of disclosures. For example, on the one hand, disclosures for clinical research will be excluded from the accounting requirement (assuming that the IRB or research practitioner has followed HIPAA’s requirements for an authorization or research waiver), as will disclosures that are required by law. On the other hand, a full accounting will be required for all disclosures that are not permitted under HIPAA, including unauthorized disclosures that did not rise to the level of a “breach” under the Breach Notification Interim Final Rule published at 45 C.F.R. part 164, subpart D, disclosures for public health activities (such as infectious disease reporting) and for all disclosures made for law enforcement purposes and judicial or administrative proceedings (even though such disclosures in certain cases do not require an authorization).

Further, on the positive side, the proposed rule limits the accounting for disclosures requirement to only the PHI maintained in a “designated record set” instead of all PHI that may be scattered throughout an organization. Nevertheless, on the negative side, covered entities may find significant challenges in determining what exactly constitutes a “designated record set,” and will continue to be required to track the purpose of each disclosure subject to an accounting -- a task many covered entities have found will add a significant level of complexity to the already expanding list of required features of HIT systems. Generally speaking, a “designated record set” is a group of records maintained by or for a covered healthcare provider that comprises the medical and billing records about individuals or maintained by a health plan (including an employer-sponsored health plan) comprising the enrollment, payment, claims adjudication and case or medical management record systems used, in whole or in part, by or for either type of covered entity to make decisions about individuals. The applicability and scope of the definition (i.e., what provider or health plan records fall within or outside of the definition) have perplexed some covered entities who may be particularly challenged by the existing requirement to maintain written or electronic documentation showing all designated record sets maintained within their organization, under 45 C.F.R. § 164.524. Additionally, the HHS preamble to the proposed rule specifically applies the accounting requirement to copies of designated record sets held by business associates, a factor likely to necessitate amendments to business associate contracts.

As indicated by the brief highlights of the proposed rule described above, the new requirements contain a mixed bag of changes designed to enhance an individual’s right to learn where, by whom and for what purpose disclosures of their PHI have been made, while lessening the burden on covered entities by reducing the types of disclosures and the time period covered by the accounting requirement.

Further helping to improve the individuals’ understanding of the types of disclosures made about them may be the new requirement for an access report, described below, which will allow covered entities to respond in a more narrow fashion to individuals’ requests for information on disclosures of their PHI maintained in an electronic designated record set.

New “Access Report” Will Be Required Upon Request by an Individual

Perhaps the most significant change proposed by HHS is the new right of individuals to receive an access report including, at a minimum, the date and time of access and the name of the user or entity that accessed or disclosed PHI maintained in an electronic designated record set. The report must include all access, including uses as well as disclosures, which is a significant expansion of the existing accounting requirement. There will be no distinction between access by internal employees and access by persons outside an organization. Additionally, the report must indicate the type of information accessed (e.g., diagnosis or medications) and the action taken (modify, transfer, etc.), but only if either of such information is available in the HIT system. Perhaps most significantly, the access report applies to all electronic PHI maintained in a designated record set, not just EHRs, and the exception for disclosures relating to treatment, payment or healthcare operations would not apply. Thus, while HHS points out that the new access report requirement satisfies the HITECH Act's mandate to apply the accounting requirement to EHRs, in actual operation, the proposed rule expands the right to an accounting to cover a much wider variety of disclosures, including internal uses of PHI by employees. These changes would create significant new challenges for covered entities already grappling with the design and implementation of appropriate system activity logs and audit reporting technology to comply with existing privacy and security laws.
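To make the access report requirement concrete, the following added example (not part of the original post, and not any vendor's product) builds an access report from a constructed HIT system-activity log: it keeps every access to the individual's electronic PHI in a documented designated record set during the three years before the request, whether internal use or external disclosure and regardless of purpose, always reports date/time and user, and reports type of information and action only when the log actually recorded them. Log field names, the record-set labels and the sample events are assumptions constructed for this example.

```python
"""Access report (proposed 45 C.F.R. 164.528) built from a system-activity log.

Added illustration; the JSON Lines log below, its field names and the
designated-record-set labels are constructed for this example.
"""
import json
from datetime import datetime, timezone

# Constructed audit-log sample. "purpose" is present in the log but is neither
# filtered on nor reported: the access report has no treatment/payment/
# operations exception and does not require the purpose of the access.
SAMPLE_LOG = """\
{"patient_id": "P-1001", "ts": "2011-03-02T09:15:00Z", "user": "nurse.lee", "purpose": "treatment", "record_set": "ehr", "info_type": "medications", "action": "view"}
{"patient_id": "P-1001", "ts": "2011-04-18T14:02:00Z", "user": "billing.co", "purpose": "payment", "record_set": "billing", "info_type": null, "action": "transfer"}
{"patient_id": "P-1001", "ts": "2008-01-05T08:00:00Z", "user": "dr.adams", "purpose": "treatment", "record_set": "ehr", "info_type": "diagnosis", "action": "modify"}
{"patient_id": "P-1001", "ts": "2011-05-01T11:30:00Z", "user": "analyst.kim", "purpose": "operations", "record_set": "scratch_export", "info_type": "diagnosis", "action": "view"}
{"patient_id": "P-2002", "ts": "2011-05-02T10:00:00Z", "user": "nurse.lee", "purpose": "treatment", "record_set": "ehr", "info_type": "medications", "action": "view"}
"""

# Record sets the covered entity has documented as designated record sets
# (assumed labels; the documentation duty itself comes from 45 C.F.R. 164.524).
DESIGNATED_RECORD_SETS = {"ehr", "billing"}

# Assumed date on which the individual made the request.
REQUEST_TIME = datetime(2011, 6, 1, tzinfo=timezone.utc)


def _three_years_before(when):
    """Start of the three-year lookback window the proposed rule uses."""
    try:
        return when.replace(year=when.year - 3)
    except ValueError:  # Feb 29 with no counterpart three years earlier
        return when.replace(year=when.year - 3, day=28)


def parse_log(text):
    """Parse JSON Lines audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_access_report(events, patient_id, request_time,
                        record_sets=DESIGNATED_RECORD_SETS):
    """Return the access report rows for one individual.

    A row is kept when the event concerns this patient, touched PHI in a
    designated record set, and falls inside the three-year window. Date/time
    and user are always reported; info_type and action only when the system
    recorded a value for them.
    """
    cutoff = _three_years_before(request_time)
    rows = []
    for ev in events:
        if ev["patient_id"] != patient_id or ev["record_set"] not in record_sets:
            continue
        # Accept the trailing "Z" on older Python versions too.
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        if not (cutoff <= ts <= request_time):
            continue
        row = {"date_time": ts.isoformat(), "user": ev["user"]}
        for optional in ("info_type", "action"):
            if ev.get(optional):
                row[optional] = ev[optional]
        rows.append(row)
    rows.sort(key=lambda r: r["date_time"])
    return rows


def demo_report():
    """Access report for patient P-1001 against the constructed log."""
    return build_access_report(parse_log(SAMPLE_LOG), "P-1001", REQUEST_TIME)


if __name__ == "__main__":
    for row in demo_report():
        print(row)
```

The 2008 event falls outside the window and the "scratch_export" access is outside any documented designated record set, so neither appears; the treatment-purpose view does appear, because the access report carries no treatment/payment/operations exception.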

Impact on Covered Entities and Business Associates

The proposed accounting requirement changes published on May 31 will create significant new challenges to a wider spectrum of covered entities than previously expected by most experts. For example, the expansion of the access report to cover all electronic PHI, rather than merely EHRs, will sweep within the rule's application many additional entities that customarily do not maintain EHRs, such as health plans and health insurers (including employers that sponsor such plans) and business associates working with electronic PHI. Additionally, the application of the new requirements specifically to designated record sets will highlight the need for covered entities and business associates to develop and document the types of PHI they routinely use or disclose, to ensure that designated record sets are appropriately tracked and oversight maintained (both human and electronic) for purposes of preparing an adequate accounting or access report within the time limits and other requirements under the regulation.

Keep in mind that the new requirements published on May 31 are only proposed. Nevertheless, assuming that many of the provisions are enacted in the final rule, the following activities, among others described previously, will be needed. It may not be too early for covered entities and business associates to consider and plan for these new requirements:

Business Associate Agreements

Healthcare providers, health plans and employers sponsoring health plans will need to amend their business associate agreements with business associates (such as billing companies and consultants, third-party administrators and other vendors handling PHI) to reflect and facilitate compliance with the new accounting and access reporting requirements. These amendments should include descriptions of the shortened timing and detailed content required for such reports. Business associate agreements should be amended to require that business associates take steps to gather the appropriate information and actively assist with compiling reports when and as requested by their covered entity customers.

Notice of Privacy Practices

Changes to covered entity Notices of Privacy Practices will be necessary to appropriately describe the new accounting and access report requirements and to inform individuals of the types of disclosures subject to the requirements. For health plans and employers, because these updates are considered material revisions to the notice, the revised Notices will need to be distributed within 60 days of the material revision.

Record Retention Policies

Covered entity and business associate record retention policies would need to be updated to reflect changes in the document retention rules as they apply to accountings of disclosures and the new access report requirement. Specifically, information that is required to be included in an accounting or access report must be retained for three years from the date of the disclosure, but the actual accounting or report must be retained for six years.

Enhanced Tracking of Disclosures and Access

The new rule will put greater urgency and emphasis on adopting reasonable and appropriate technical and administrative measures to log access, changes, uses and disclosures of electronic PHI, including those for public health, law enforcement, judicial or administrative proceedings, research and other permissible activities, which may become subject to the expanded reporting requirements.
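As an added illustration, not from the newsletter or from HHS, the following constructed Python sketch shows what a system activity log would have to capture to produce the proposed access report described above: every use and disclosure of an individual's ePHI, internal or external, with no TPO exception; information type and action only where the system logs them; and the separate three-year (report content) and six-year (report) retention periods. The field names, sample log entries and retention arithmetic are assumptions for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed audit-log row for one access to ePHI in a designated record set.
# The field names are assumptions for this example, not terms from the rule.
@dataclass(frozen=True)
class AuditEvent:
    timestamp: datetime
    patient_id: str
    actor: str                # workforce user name or outside entity
    info_type: Optional[str]  # e.g. "diagnosis"; None if the system lacks it
    action: Optional[str]     # e.g. "modify", "transfer"; None if unavailable
    purpose: str              # treatment, payment, operations, research, ...

EVENT_RETENTION = timedelta(days=365 * 3)   # report content: three years
REPORT_RETENTION = timedelta(days=365 * 6)  # the report itself: six years

def access_report(events, patient_id, as_of):
    """Rows of the individual's access report as the proposed rule describes it:
    every use and disclosure (internal or external, no TPO exception) within
    the content retention window, with type and action only when logged."""
    cutoff = as_of - EVENT_RETENTION
    rows = []
    for e in sorted(events, key=lambda ev: ev.timestamp):
        if e.patient_id != patient_id or e.timestamp < cutoff:
            continue  # another individual's record, or past content retention
        row = {"date_time": e.timestamp.isoformat(timespec="minutes"),
               "user_or_entity": e.actor}
        if e.info_type is not None:  # included only if the HIT system has it
            row["information"] = e.info_type
        if e.action is not None:
            row["action"] = e.action
        rows.append(row)
    return rows

def event_retention_expired(event, as_of):
    """True once a logged access is older than the three-year content period."""
    return as_of - event.timestamp > EVENT_RETENTION

def report_retention_expired(generated_at, as_of):
    return as_of - generated_at > REPORT_RETENTION  # six years for the report itself

# Constructed sample log: two current P-001 entries, one stale, one for P-002.
SAMPLE_LOG = [
    AuditEvent(datetime(2011, 3, 1, 9, 30), "P-001", "nurse.jones", "medications", "view", "treatment"),
    AuditEvent(datetime(2011, 4, 15, 14, 5), "P-001", "Acme Billing LLC", None, "transfer", "payment"),
    AuditEvent(datetime(2009, 1, 10, 8, 0), "P-001", "dr.smith", "diagnosis", "modify", "treatment"),
    AuditEvent(datetime(2011, 5, 1, 11, 0), "P-002", "nurse.jones", "diagnosis", "view", "treatment"),
]
```

Note that the internal treatment use by the nurse appears in the report alongside the billing company's disclosure; an accounting built under the existing TPO exception would have omitted it.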

HHS has asked that comments on the proposed rule be submitted by August 1, 2011. HIPAA-covered entities, including providers and employer health plan sponsors, should seriously consider submitting comments and questions to HHS in an effort to shape how these rules will ultimately affect them.

Authorship credit:

John S. Mulhollan, jmulhollan@bakerlaw.com

Susan Whittaker Hughes, shughes@bakerlaw.com

Lynn Sessions, lsessions@bakerlaw.com


HHS Inspector General Reports Highlight IT Security Gaps in Health Care

On May 16, the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) issued two reports critical of the government’s efforts to build and enforce a federal information security framework for protecting individuals’ electronic protected health information (ePHI).  Of particular interest to health care providers and health plans, these reports signal that heightened enforcement efforts appear likely in the future, making information security a top priority when developing and operating interoperable health care information technology (HIT).

The first OIG report, which assessed the Centers for Medicare and Medicaid Services’ (CMS’) and Office of Civil Rights’ (OCR’s) oversight of the Security Standards under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), found shortcomings in hospital information security implementation and criticized a perceived lack of effective oversight of such Security Standards by CMS and OCR.  The OIG audit examined information security systems at seven large hospitals located in several states.  The report found 151 security vulnerabilities, ranging from insufficient password strength and unencrypted laptops containing ePHI, to lack of physical protections (e.g., locks) for computer storage rooms, inadequate encryption methods, and incomplete policies and procedures to address audit controls, backup plans and disaster contingencies.  The majority of findings were rated as “high impact”, meaning that they posed a significant risk of harm to the individuals whose ePHI was transmitted or stored in such facilities.  The report concluded that the OCR needs to significantly improve oversight and enforcement of data security under HIPAA, including continuation of the compliance oversight reviews of covered entities begun in 2009 at the direction of CMS.  The OIG report also referred to exercise of the specific HIPAA enforcement measures and larger penalties enacted under the 2009 American Recovery and Reinvestment Act’s Health Information Technology for Economic and Clinical Health Act (HITECH) provisions.

The second OIG report criticized the Office of the National Coordinator for Health Information Technology (ONC), the agency created under ARRA/HITECH to administer and oversee federal incentives for the adoption and meaningful use of interoperable electronic health records (EHRs) and other related national HIT initiatives.  That report found that the ONC failed to incorporate general information security requirements in the measures required for certified EHRs under HITECH.  While certain application security controls were included in the HIT standards, the OIG found that general security requirements for the overall security structure, policies and procedures to be specifically applied to EHR systems were lacking.

In light of these OIG reports, and of ongoing news of misappropriation of patients’ health information and wide-scale security breaches, health care providers and health plans should consider reassessing their security risk exposure and preparedness to address information security lapses and HIPAA enforcement likely to be at the forefront of the national HIT trend.

Medicare and Medicaid EHR Incentive Programs--Early Results Show Strong Interest in HITECH and Meaningful Use

On February 23, the Centers for Medicare & Medicaid Services (“CMS”) announced that more than 21,000 providers initiated registration for the Medicare and Medicaid EHR Incentive Programs in January and that four states reported initial Medicaid incentive payments totaling $20,425,550.  The Medicare and Medicaid EHR Incentive Programs were enacted by Congress under the Health Information Technology for Economic and Clinical Health Act (“HITECH”).  In addition, the Office of the National Coordinator for Health Information Technology (“ONC”) announced that as of Feb. 11, 2011, more than 45,000 providers had requested information or registration help from 62 Regional Extension Centers (RECs).  RECs provide hands-on support for providers who want to adopt and become meaningful users of electronic health information technology.  According to CMS, this early interest in the Medicare and Medicaid EHR programs reveals strong support for programs that will advance health care through improvements in patient safety, quality of care, and patient involvement in treatment options.

Eligible professionals and hospitals must register in order to participate in the Medicare and Medicaid EHR incentive programs.  Registration opened on Jan. 3, 2011.

Providers and business associates may go to the following websites to learn more about the Medicare and Medicaid EHR financial incentives and Meaningful Use requirements, including Frequently Asked Questions (“FAQ”): 

HIPAA Bombshells -- Major Civil Monetary Penalties Imposed Against Covered Entities for Privacy Violations

The last week of February 2011 will likely be remembered as a noteworthy milestone in the history of HIPAA privacy enforcement by the Department of Health and Human Services (“HHS”).  Showing that HHS intends to vigorously exercise the expanded civil monetary penalty enforcement provisions enacted in 2009 under the Health Information Technology for Economic and Clinical Health Act (“HITECH”), HHS announced that it had reached significant resolutions of two cases of alleged HIPAA privacy violations by covered entities.  In the first announcement, on February 22, HHS disclosed that it had required Cignet Health to pay $4.3 million in civil monetary penalties (“CMPs”) for failing to comply with patient requests to access their health records (protected health information, or “PHI”), and for failing to cooperate in the resulting HIPAA enforcement investigation by the HHS Office of Civil Rights.  In addition to drawing attention to HHS’ intent to exercise its expanded powers under HITECH, the case sends a message that failure to take seriously the specific requirements of HIPAA privacy regulations and to honor patient requests in a diligent and timely manner can result in significant financial exposure for covered entities and their business associates.  Of the total $4.3 million CMP imposed against Cignet Health, $3 million was related solely to the company’s alleged failure to cooperate in the HIPAA investigation.  While such an amount could potentially be avoided or mitigated by organizations that diligently and thoroughly cooperate in any investigation of alleged HIPAA violations, the remaining $1.3 million imposed against the organization indicates the vigorous approach that could be taken by HHS in the future with respect to enforcing patients’ privacy rights.

Two days after the announcement of the $4.3 million CMP against Cignet Health, HHS announced on February 24 that it had reached a resolution agreement with The General Hospital Corporation and its affiliate Massachusetts General Physicians Organization, Inc. (“Mass General”) regarding the loss of 192 paper files containing PHI of Mass General outpatients.  The files, which were mistakenly left on a subway train by an employee while commuting, contained billing records with the name, date of birth, medical record number, health insurer and policy number, diagnosis, and name of provider for 66 patients.  Also left on the train were daily office schedules for three days that contained the names and medical record numbers for 192 patients.  HHS found that Mass General failed to implement reasonable and appropriate standards to protect the privacy of PHI when removed from its facilities.  Mass General agreed to pay $1 million to resolve the matter, but perhaps just as significant as the large civil penalty is the agreement by Mass General to adhere to a three-year corrective action plan, requiring it to develop and present for HHS approval new privacy and data security policies and procedures intended to address the administrative, technical and physical safeguards required under the HIPAA regulations, and to train all employees within 90 days of HHS approval of such policies.  The agreement also requires Mass General to appoint an internal monitor for the corrective action plan, who must report to HHS semi-annually the results of its monitoring and any “Reportable Events” under the agreement.

In a requirement of which all covered entities and business associates should take notice, the resolution agreement requires Mass General to issue a communication to all employees prohibiting them from physically removing PHI from facility premises, except for the performance of their job duties and only if reasonable and appropriate steps are taken to safeguard the confidentiality of the PHI removed.

White House Forms New Subcommittee to Review Online Privacy Issues

In a statement released October 24, the Obama Administration launched a new interagency “subcommittee” of the National Science and Technology Council to review privacy and Internet policy, which may include review of health care privacy issues.  The working group will focus primarily on individual privacy issues associated with the Internet and related online systems, to “develop principles and strategic directions with the goal of fostering consensus in legislative, regulatory, and international Internet policy realms.”  Consisting of representatives of eleven Federal agencies, including the Department of Health and Human Services, and eight Executive Organizations, the Subcommittee promises to work closely with private stakeholders to develop a set of core principles to, among other things, facilitate transparency, promote cooperation, empower individual decision-making, and build trust in online environments, while at the same time protecting the rule of law, promoting innovation and economic expansion, and balancing the interests of stakeholders.  The identities of the private stakeholders to be invited, the schedule of the group’s meetings, and the transparency of the subcommittee’s deliberations have yet to be determined or announced by the Obama Administration.