HHS OCR Director Leon Rodriguez's Dialogue on HIPAA/HITECH Compliance

“HIPAA is a valve, not a blockage,” stated HHS OCR Director Leon Rodriguez, at the OCR/NIST 6th Annual Conference on Safeguarding Health Information:  Building Assurance through HIPAA Security.  Discussing the tension inherent in HIPAA, between patient access to patient information and an organization’s safeguarding of protected health information (PHI), Director Rodriguez characterized OCR’s HIPAA guidance as providing the “super highways” to ensuring patient access to PHI and to safeguarding PHI.   An organization, on its own, must figure out the “surface streets,” emphasizing once again the flexibility and scalability of HIPAA.  Regardless of the type or size of an organization governed by HIPAA, the basic rules remain the same.  To adequately safeguard PHI, HIPAA defines a process.  HIPAA provides an organization with a series of decisions, policies and procedures, analyses, and plans.  Above all, patient expectations govern. 

Where does an organization draw the line between patient access and protecting PHI, especially in light of increased OCR enforcement of HIPAA/HITECH?  To ease a covered entity’s and business associate’s anxiety, Director Rodriguez reassured organizations that OCR is not playing a game of “gotcha.”   OCR is neither trolling for enforcement actions and civil monetary penalties (CMPs), nor seeking to punish a proactive organization for a single incident.   In support of his statement, Director Rodriguez highlighted the fact that of the 74,554 complaints filed since 2003, and the 26,513 total cases investigated by OCR, 17,767 cases resulted in corrective action, and only 13 cases since 2008 resulted in a Resolution Agreement and CMPs.   

Director Rodriguez acknowledged that breaches of PHI are going to happen, as risks exist even where organizations are doing everything right.   OCR is interested in what an organization is not doing, and whether the proper analysis is being conducted.  An organization must identify, remedy and change (if needed).  

So what type of action/inaction ends up in an OCR monetary enforcement scenario?  Director Rodriguez categorized two culprits:  (1) an ongoing failure to comply with the HIPAA Privacy and Security Rules, and (2) an unforgivable disclosure.  Regarding the first category, an ongoing failure usually exists over several months and/or years.  Oftentimes, a risk analysis is missing, including a lack of routine information system reviews.  Director Rodriguez stressed the importance of conducting risk analyses to identify vulnerabilities.  Once risk is identified, it must be properly evaluated and addressed.  Another recurring ongoing failure is the lack of updating of policies and procedures after a change in business operations or a change in technology.  Director Rodriguez summarized the routine OCR case falling under the monetary enforcement scenario as an incident affecting a large number of records, a vulnerability that exists for a number of months, and a failure to assess risk (e.g. OCR’s May 21, 2013 Resolution Agreement with Idaho State University).  The second category is an unforgivable disclosure of PHI that is borderline criminal (e.g. UCLA breach of celebrities’ privacy resulting in OCR’s July 6, 2011 Resolution Agreement). 

Regarding CMPs, Director Rodriguez highlighted the guidance provided in the Final Rule regarding factors to consider in determining the amount of CMPs to assess.  The Resolution Agreement with the Alaska DHSS, where there was an alleged lack of remediation over a long period of time, is an example Director Rodriguez used to demonstrate how the failure to remediate over a prolonged period of time can increase a CMP.  In the Alaska DHSS matter, the Resolution Agreement required payment of $1.7M.  Accordingly, in addition to identifying, assessing and responding to a breach incident, an organization must also timely remedy any vulnerability in order to keep the amount of any potential CMP low.

Director Rodriguez also commented on the vulnerabilities associated with mobile devices, which remain a topic of interest for OCR.  Of the breach reports received by OCR, 25% are related to paper records and the vulnerability of mobile devices.  Director Rodriguez encourages all organizations to focus on securing mobile devices (a “great vulnerability”) and to use HHS resources regarding mobile device security.

OCR’s HIPAA audits were also discussed – specifically OCR’s findings regarding encryption.  Not surprisingly, OCR found that encryption, an addressable implementation specification under the Security Rule, was not always implemented by organizations.  Director Rodriguez stressed the importance of conducting an analysis – shopping for technology, evaluating the risks and costs with implementation, and how encryption might affect patient care in the clinical setting.  An organization must weigh the pros and cons of encryption in making the final decision to encrypt or not to encrypt.  This lack of analysis regarding the adoption of encryption is a red flag.   

Director Rodriguez, concluding his dialogue on HIPAA/HITECH compliance, recommended that every organization “be smart and implement best practices” and remember that the patient is most important.  Organizations must determine how to best ensure patient access to PHI while also adequately safeguarding PHI.  “[A] risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program.”

HHS Reaches $400,000 Settlement Of Alleged HIPAA Security Rule Violations For Disabling Firewall Protections

The U.S. Department of Health and Human Services (HHS) has reported a $400,000 settlement with Idaho State University (ISU) for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The incident giving rise to the investigation by the HHS Office for Civil Rights (OCR) involved a potential exposure of information about 17,500 patients over a ten-month period.

OCR has enforcement authority over the HIPAA Privacy and Security Rules. When a breach is reported to HHS, as required by the breach notification rules, OCR typically initiates an investigation regarding the reporting organization's compliance with the breach notification requirements as well as the state of compliance with the HIPAA Privacy and Security Rules. In this case, OCR concluded that:

(1)  ISU failed to conduct an appropriate risk assessment between April 1, 2007 and November 26, 2012;

(2)  ISU failed to implement adequate security protections during the same time period to protect electronic protected health information (ePHI); and

(3)  ISU did not regularly review information system (IS) activity to determine if ePHI was inappropriately used or disclosed.

These points are all significant and emphasize the importance of a healthcare organization's actions taken to evaluate its risks and appropriately respond to vulnerabilities. Moreover, point three supports OCR's expectation that organizations regularly review IS activity (e.g., audit trails and logging) to determine if there has been an impermissible use or disclosure of ePHI, or if the security protections in place need to be changed.

The Resolution Agreement includes a two-year corrective action plan (CAP) in addition to the monetary settlement. The CAP imposes numerous obligations on ISU, including annual reporting requirements as follows:

(1) summary of the risk management plan, security measures, and training;

(2) summary of IS activity review measures and evidence of training related to those measures;

(3) update on compliance gap analysis activity;

(4) summary of reportable events and corrective/preventative action;

(5) attestation from an ISU officer that the annual report is accurate and truthful.

OCR's 13th resolution agreement demonstrates the priority an organization must place on taking proactive steps to continuously assess and timely respond to risk. In addition, the resolution agreement continues to support the notion that compliance is a C-Suite issue and documentation is critical to support your compliance efforts.

HHS Considers Amending HIPAA Privacy Rule to Permit Disclosure of Mental Health Information for Firearm Background Checks

Adding yet another wrinkle to the nation’s contentious gun control debate, the U.S. Department of Health and Human Services (HHS) has released an Advance Notice of Proposed Rulemaking (ANPRM) soliciting information and public comment on possible amendments to the HIPAA Privacy Rule to permit disclosure of limited mental health information to the National Instant Criminal Background Check System (NICS).  The ANPRM stems from one of the 23 Executive Actions included in the Obama Administration’s January 2013 plan to reduce gun violence that sought to address “unnecessary legal barriers, particularly relating to [HIPAA], that may prevent states from making information available to the NICS.” 

What is the NICS? 

The NICS is the federal government’s background check system for the sale or transfer of firearms.  Established under the Brady Handgun Violence Prevention Act, the NICS is used by licensed gun dealers to identify persons who are subject to one or more “prohibitors” under the Gun Control Act that make them ineligible to purchase firearms.  One such prohibitor is the “mental health prohibitor,” which applies to persons who have been involuntarily committed to a mental institution, found incompetent to stand trial or not guilty by reason of insanity, or otherwise adjudicated as having a serious mental condition that results in their presenting a danger to themselves or to others or being unable to manage their own affairs.  Prohibitors often originate at the state level, but federal law does not require state agencies to disclose the identities of individuals subject to prohibitors to the NICS, and not all states report prohibitors.  This lack of reporting to the NICS can result in the sale or transfer of firearms to individuals who are prohibited from purchasing them.

How does the Privacy Rule Affect the NICS?

According to the ANPRM, some states are not reporting mental health prohibitor information to the NICS because they are concerned that such disclosures may be prohibited under the HIPAA Privacy Rule.  However, as the ANPRM points out, much of the mental health prohibitor information in question, such as records of individuals adjudicated as incompetent to stand trial, originates with entities in the criminal justice system that are not covered entities subject to the Privacy Rule.  In addition, to the extent covered entities are involved, the ANPRM provides that there are ways in which the Privacy Rule permits reporting to the NICS, such as through the enactment of state legislation requiring such reporting or the use of hybrid entity status.  The ANPRM does note, however, that NICS reporting would not fall under the Privacy Rule’s provisions permitting disclosures for law enforcement purposes (which apply to specific law enforcement inquiries) or to avert a serious threat to public safety (which require an imminent threat of harm). 

How would the amendment work?

The amendments under consideration would expressly permit covered entities with information on the identities of persons subject to a mental health prohibitor to disclose this information to the NICS.  Such disclosures would be subject to the minimum necessary rule and would likely be limited to names, demographic information, and codes identifying the reporting entity and the relevant prohibitor.  No treatment records or other clinical or diagnostic information would be disclosed.  In addition, only those entities responsible for the determination that a mental health prohibitor exists would be permitted to disclose the information. 

What’s next?

HHS is seeking information regarding the nature and scope of the underreporting problem, the entities creating and/or maintaining data, the extent to which existing permissible disclosures are insufficient and additional methods of disseminating information concerning whether the Privacy Rule affects reporting to the NICS.  In particular, HHS has requested specific examples of situations where NICS reporting has been hindered by HIPAA requirements or where covered entities are uncertain over how HIPAA applies to such reporting.  HHS will then review and evaluate comments to the ANPRM and determine whether amendments to the HIPAA Privacy Rule are necessary.  Comments regarding the Privacy Rule amendments and the information requested by HHS are due by June 7, 2013. 

Can Covered Entities Utilize Text Messaging and Text Paging Without Violating HIPAA?

Co-authored by: Cory Fox

Text messaging allows healthcare providers to deliver simple, relevant, and customizable health information instantaneously to their patients, like reminders to obtain a vaccine, take a medication or come to an important follow-up appointment. Text paging, a form of text messaging frequently used by healthcare professionals, can help ensure patient safety by allowing practitioners to quickly exchange important patient treatment information in a hospital or clinical setting. But is this kind of health-related text messaging permissible under HIPAA?

According to a recently published report in the American Journal of Public Health, text messages containing protected health information (PHI) would be impermissible under the HIPAA Security Rule (Security Rule) unless the covered entity either removed PHI from the message or complied with the Security Rule's administrative, physical and technical safeguard requirements. As both options could limit the usefulness and expansion of health-related text messaging, the study recommends the federal government take steps to clarify how covered entities "can reasonably use text messaging to send [PHI]" and cautions that "[u]ntil guidance is available and regulations are better defined, many [covered entities] will lose the opportunity to use this technology in the most effective way."

Application of the Security Rule

The HIPAA Security Rule applies to PHI that is transmitted by "electronic media," which includes "transmission media" used to exchange data that already exists in electronic form. Unlike the transmission of PHI via telephone or facsimile, text messaging and text paging involve data that exists in electronic form prior to transmission and therefore could qualify as "electronic media" protected under the Security Rule.

Excluding PHI From Text Messaging and Text Paging

One way covered entities could address the Security Rule would be to avoid it altogether by excluding PHI from a text message. However, given the broad definition of PHI (which includes information in any form or media, whether electronic, paper, or oral that could be used to identify an individual and that "relates to" the provision of healthcare to that individual), excluding it from a text message altogether could diminish the message's usefulness. Moreover, excluding PHI from a text page could cause confusion and lead to medical errors.

Complying With the Security Rule

If a covered entity wishes to include PHI in text messages or text pages, it must comply with the Security Rule, which requires covered entities to conduct a risk analysis to assess potential vulnerabilities to the confidentiality of electronic PHI and to implement measures to protect the security of electronically transmitted PHI. Before implementing some Security Rule protections, covered entities first must evaluate whether the measure is reasonable and appropriate and, if necessary, implement alternative measures equivalent to the Security Rule's protection prior to transmitting PHI electronically.

The primary risk most covered entities face when seeking to employ text messaging and text paging is the risk that the PHI in the message could fall into the wrong hands. Much of this risk is outside the covered entity's control, as the entity has few options once the text message has been transmitted over wireless networks and cannot always ensure that the message reaches and is safeguarded by its intended end user. One Security Rule protection that could mitigate such risks is the use of encryption technology. However, due to the current state of technology, encrypting text messages or text pages may not be reasonable and appropriate for all covered entities. Thus, covered entities may need to implement alternative measures equivalent to encryption in order to comply with the Security Rule, including policies and procedures specifically related to text messaging and text paging, best practices, and workforce education.

Recommendations

Covered entities seeking to employ text messaging or text paging that includes PHI should consider the following recommendations:

  • Focus on educating practitioners and patients as to the risks of text messaging and text paging as well as how to mitigate these risks;
  • Limit the number of workforce members authorized to use text messaging or text paging, and provide enhanced training for these individuals;
  • Ensure policies and procedures pertaining to use and disclosure of PHI generally (Minimum Necessary Rule, Access Control, Audit Control, etc.) are widely disseminated and well understood;
  • Implement password protection and encryption where possible and urge outside end users to employ similar protections;
  • Develop and implement administrative policies regarding retired device sanitization, message retention schedules, and message format and style conventions; and
  • Document all phases of decision making regarding text messaging and text paging, including the decision to adopt alternative equivalent protections under the Security Rule.

While text messaging and text paging may allow for quick and reliable communication, especially in the clinical setting, covered entities must reconcile these benefits with HIPAA's privacy protections.

HIPAA, Gun Control, and President Obama's Executive Actions: What You Need to Know

All of the excitement surrounding the publication of the HIPAA Omnibus Final Rule may have overshadowed another very important development in health information privacy.  On January 16, 2013, the Obama Administration released its comprehensive plan to reduce gun violence in America by banning military-style assault weapons and high capacity magazines, increasing access to mental health services, improving school security, and strengthening the background check system.  In addition to calling on Congress to pass appropriate gun control legislation, the plan includes 23 Gun Violence Reduction Executive Actions that outline how the Administration intends to implement the plan unilaterally.  One of these Executive Actions states the following:

“[T]he Administration will . . . 2.  Address unnecessary legal barriers, particularly relating to [HIPAA], that may prevent states from making information available to the background check system.” 

According to the plan, “some states have cited concerns about restrictions under [HIPAA] as a reason not to share relevant information on people prohibited from gun ownership for mental health reasons.  The Administration will begin the regulatory process to remove any needless barriers, starting by gathering information about the scope and extent of the problem.”

Prior to the Obama Administration’s announcement, Leon Rodriguez, Director of the Office for Civil Rights (OCR), published a letter entitled “Message to Our Nation’s Health Care Providers” advising providers that the HIPAA Privacy Rule would not prevent providers from disclosing necessary information about a patient to law enforcement, family members of the patient, or other persons when the patient presents a serious danger to himself or other people.   

What does all of this mean? 

The protections of the HIPAA Privacy Rule intersect with the Administration’s gun control plan in two important contexts:  (1) use and disclosure of patient information without the patient’s authorization in order to prevent imminent gun violence; and (2) use and disclosure of mental health information without the patient’s authorization for background check purposes.

1. Use and disclosure to prevent imminent gun violence.

As Director Rodriguez’s letter makes clear, under 45 C.F.R. § 164.512(j), PHI may be used or disclosed without patient authorization by a health care provider who believes in good faith that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others.  Furthermore, the provider is presumed to have a good faith belief when that belief is based on the provider’s interaction with the patient or in reliance on credible representations from a person with apparent knowledge or authority.  Accordingly, HIPAA does not present a legal barrier to using or disclosing PHI without patient authorization to prevent imminent gun violence. 

However, some state laws could make this analysis slightly more complex.  For example, under Section 611.004(4) of the Texas Health and Safety Code, providers are prohibited from disclosing certain "confidential information", including the diagnosis or identity of a patient in relation to treatment or evaluation for any mental or emotional condition or disorder, unless, among other things, the disclosure is made to medical or law enforcement personnel when the provider determines that there is a probability of imminent physical injury to the patient or others, or the disclosure is made to a person who has the written consent of the patient.  Unlike HIPAA's good faith belief exception, which essentially permits any use or disclosure to any individual or entity reasonably necessary to prevent threats to public safety, Texas law restricts permissible disclosures to a limited class of individuals and entities, such as medical personnel, law enforcement, and individuals who have received the patient's consent.  As this provision is not contrary to HIPAA and appears to be more stringent than its federal counterpart, it is unlikely that it would be preempted under HIPAA's preemption rules and could therefore affect a provider's ability to directly notify specific individuals who may be in danger if the threat is not imminent. 

2. Use and disclosure for background check purposes.

According to the Administration’s plan, the current firearm background check system is incomplete and should be supplemented with additional information, specifically mental health information, in order to accurately identify dangerous people who should not be permitted to obtain firearms.  However, providers have not been consistently disclosing patient mental health information to the state authorities responsible for reporting the information to the federal background check system, as doing so without the patient’s authorization and absent a threat of imminent harm could be considered an impermissible use or disclosure of PHI under both the HIPAA Privacy Rule and applicable state laws.  These concerns may be justified, as the use or disclosure of mental health information for background check purposes does not appear to precisely fit any of the narrow exceptions to the HIPAA Privacy Rule that would permit use or disclosure of this information without the patient’s authorization.  Further, state prohibitions on the disclosure of mental health information, such as the provisions of Texas law discussed above, may present additional legal barriers to disclosure of patient mental health information unless the disclosure were to be expressly required or authorized by law.

Precisely how the Administration plans to address these legal barriers is still unclear—the Administration has only promised to “begin the regulatory process” by “gathering information about the scope and extent of the problem.”  Political hedging aside, it seems as though further revisions to HIPAA could be just around the corner. 


What Covered Entities and Business Associates Need to Do to Prepare for the New HIPAA/HITECH Requirements (Part II)

There has been a lot of discussion about the impact of the Final Omnibus Rule modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules as well as the breach notification rules of the Health Information Technology for Economic and Clinical Health Act (HITECH).  In Part I, we discussed what HIPAA covered entities (CEs) need to do to prepare.  This discussion will focus on our suggestions for HIPAA business associates (BAs) and their subcontractors (subBAs).  Although the core recommendations are for the most part the same as we identified in Part I for CEs, the justification for adopting these suggestions is slightly different and the priorities are reorganized for BAs and subBAs.

Legal:  BAs are now directly liable for compliance with certain HIPAA Privacy and Security Rule requirements. Experienced outside privacy counsel can help BAs become compliant with the final rule requirements.  Privacy counsel will be valuable to assist and document whether a breach has occurred, as well as to help BAs and subBAs develop appropriate compliance programs. Now that CEs have an obligation related to appropriately selecting and retaining vendors, CEs will be doing their due diligence to determine whether their vendors are compliant.

Cyber Insurance:  CEs have been struggling with HIPAA compliance, particularly compliance with the Security Rule, for nearly a decade.  Now, BAs must enter into the fold.  While BAs for the most part have safeguards in place for protected health information (PHI), strict compliance with the HIPAA Security Rule by BAs is questionable.  Insurance is not a substitute for compliance.  More than one-third of breaches are caused by vendors, and the breach reports we have seen since 2009 suggest that BAs and subBAs have a lot to do to become fully compliant with HIPAA.  Therefore, as BAs and subBAs wrestle with these compliance issues, it is critical to have a robust cyber insurance policy in place that covers not only notification costs, but also regulatory penalties.  BAs and CEs need to keep in mind that penalties for violations of the HIPAA Rules will be specific to the organization against which the penalty is being assessed.

There appears to be some confusion over whether or not joint and several liability principles will apply to assessment of penalties.  There may be a few very limited circumstances where this might be an issue, but for the most part, the penalty will relate to a specific violation by that entity.  For example, a BA will not be subject to penalties because a CE did not perform a periodic risk assessment as required by HIPAA. Or, a BA may be subject to a penalty for not having sufficient technical safeguards in place while the CE may be subject to a penalty for being aware of the BA’s failures and not doing something to stop the practice.

Policies and Procedures:  Compliance with HIPAA requires that administrative, technical, and physical safeguards be in place to protect PHI.  Additionally, the organization must have policies and procedures in place to implement these safeguards.  The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has enforcement authority over the HIPAA Privacy and Security Rules.  After a breach is reported to HHS, OCR requests a copy of the organization’s policies and procedures in place to safeguard PHI.  The request is often broader than the cause of the reported breach and extends to all policies and procedures in place in order for OCR to determine if the responding organization is compliant with HIPAA.  Examples of policies that BAs should have in place include:  (1) permitted uses and disclosures of PHI; (2) business associates; (3) minimum necessary; (4) de-identification of PHI; (5) back-up plans; (6) disaster recovery; (7) risk analysis; (8) risk management plans; (9) workforce training; and (10) termination of access.

Risk Assessments and Risk Management Plans:  BAs are now subject to the OCR HIPAA Audit protocol.  HIPAA requires organizations to conduct periodic risk assessments and then to address the risks identified in a risk management plan.  The OCR HIPAA Audit program sets a framework to analyze process, controls, and policies of the selected BA by using a comprehensive audit protocol.  The protocol addresses uses and disclosures, safeguards in place (administrative, physical, and technical), and breach notification rule compliance.

Incident Response Plans (IRPs):  IRPs are a roadmap to guide an organization’s incident response team’s (IRT) breach response activities.  As with CEs, the IRPs of BAs and subBAs must include the factors HHS has outlined for consideration in determining whether there is a low probability of compromise:  (1) the nature and extent of PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether PHI was actually acquired or viewed; and (4) the extent to which the risk to PHI has been mitigated (e.g. assurances from trusted third parties that the information was destroyed).  An IRT’s members depend on the size and complexity of the organization, but typically include members from the following groups:  (1) general counsel; (2) IS/IT; (3) communications; (4) HR; (5) compliance; and (6) privacy.  External members of the team can include:  (1) outside privacy counsel; (2) forensics; (3) notification vendors; and (4) crisis management.

Breach Analysis Forms:  Keep in mind two basic requirements when considering the impact of the final rule.  The first is compliance and the second is documentation.  As BAs develop their compliance programs to fit the new requirements, they need to remember to update their forms as well.  The standard for determining whether or not a breach has occurred has changed and so has the required analysis.  A breach is presumed unless the CE can show that there is a low probability of compromise.  Moreover, HHS has outlined at least four (4) factors that must be considered. (The four factors are listed under Incident Response Plans, supra.) To the extent that third-party tools which analyze breach notification are utilized, BAs need to confirm that the approach reflects the new requirements.

Education:  A culture of compliance is expected.  Education and awareness are the best ways to develop that culture.  In addition to new employee training and annual training, consider periodic training in the form of newsletters and other events to keep privacy at the top of employees’ minds.

Business Associate Agreements:  Expect an administrative nightmare.  Changes to business associate agreements (BAAs) are coming.  CEs will be struggling with compliance with the final rule and you are going to see demands from CEs that may test the BAs' ability to comply with the requests--both on an administrative level because of the volume of contracts that will need to be amended and from a compliance standpoint because BAs are not prepared to meet the safeguard demands.  Additionally, BAs will need to modify the agreements they have in place with subBAs to ensure compliance with HIPAA. 

Forensics:  As with CEs, BAs need to develop relationships with forensic firms because outside forensics is going to be critical in helping to reach a conclusion that a breach has not occurred--low probability of compromise. For those BAs that already have cyber insurance, talk to your broker or carrier about the forensics options and seek recommendations from them as to how the coverage will support you with the changes in the regulations.

OCR Director Rodriguez has made it clear the final rule provides for the most sweeping changes to HIPAA since the Privacy and Security Rules were released.  And, further, the final rule provides OCR with an opportunity to vigorously enforce compliance.  These statements are a reality for the several dozen OCR investigations that we are currently defending.  As time passes, and OCR gains experience through the thousands of breaches that are reported and the audits that are conducted, the questions which organizations face will become more difficult to answer.  Compliance with HIPAA must be a top priority for all CEs, BAs, and subBAs.  

Be Careful What You Wish For: The Final Rule Is Out

The long awaited HIPAA/HITECH final rule is out. Data Privacy Monitor contributors Theodore J. Kobus III and Lynn Sessions held a webinar that covered what stands out as big changes and how healthcare organizations need to prepare. Have the standards just been juggled or will healthcare organizations need to change their approach?

View Webinar Recording. 

Ted and Lynn have helped healthcare organizations handle hundreds of privacy events, including some of the largest and most complicated the industry has faced.

If you have questions about HIPAA/HITECH and how it affects your business, please do not hesitate to contact Ted Kobus or Lynn Sessions.

Be Prepared: Redline Version of the HIPAA/HITECH Final Rule

The final rule is significant for any organization that is considered to be a HIPAA covered entity (“CE”) (health systems, health care providers, health plans, etc.) or the more broadly defined business associate (“BA”).  During our initial analysis of the final rule, we note significant changes to the way a breach is defined and we will be discussing some of those changes during a webinar on January 23, 2013. 

There are several ways CEs and BAs can prepare.  We have prepared a redlined version of the final rule as a way to help CEs and BAs sift through the changes and prepare for the March 26, 2013 effective date.  The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has referred to these as “sweeping changes” that better enable them to “vigorously” enforce the HIPAA Privacy and Security Rules.

Authorship Credit:  Alan Pate & Michael von Ansbach-Young

What Covered Entities and Business Associates Need to Do to Prepare for the New HIPAA/HITECH Requirements (Part I)

The Department of Health and Human Services (HHS) issued, on January 17, 2013, its Final Omnibus Rule modifying the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules as well as the breach notification rules of the Health Information Technology for Economic and Clinical Health Act (“HITECH”).  Our initial discussion can be found here.  The healthcare industry has been waiting for the final rule for more than two and a half years--now that it is here, what do Covered Entities (CEs) and Business Associates (BAs) need to do to prepare for compliance?  We will cover recommendations for CEs in this post, Part I, and BAs will be addressed in Part II.


Incident Response Plans:  To the extent you are a CE who has been waiting for the final rule to implement an incident response plan (IRP), now is the time.  An IRP helps the breach response team respond to privacy events by providing them with a roadmap so that a determination can be made as to whether or not a breach has occurred.  At a minimum, new and existing plans should incorporate the factors outlined by HHS to be considered:  (1) the nature and extent of PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether PHI was actually acquired or viewed; (4) the extent to which the risk to PHI has been mitigated (e.g. assurances from trusted third-parties that the information was destroyed). 


Policies and Procedures:  CEs' policies and procedures, including the Notice of Privacy Practices, must be updated and amended to reflect the new requirements.  For example, there are new requirements regarding the timeliness of responding to requests for a copy of PHI.


Breach Analysis Forms:  CEs have been utilizing forms that reflect the language of the interim final rule, where the focus is on the potential harm to the patient.  Many CEs have also utilized breach analysis forms that depend on a risk rating developed by third parties to assess whether there is a significant risk of harm due to the impermissible use or disclosure.  The standard has changed and so will the required analysis.  A breach is presumed unless the CE can show that there is a low probability of a compromise.  Moreover, HHS has outlined at least four (4) factors that must be considered.  (The four factors are listed under Incident Response Plans, supra.)


Education:  HHS and OCR expect that healthcare organizations will create a culture of compliance.  Raising awareness about the importance of privacy issues through education is just one way to achieve this goal.  CEs should consider other opportunities to keep privacy at the top of their employees' minds (e.g., posters, newsletters, committee calls).  Just as the Federal Trade Commission (FTC) is promoting Privacy by Design, CEs need to consider ways that privacy awareness can be incorporated into every aspect of patient care and healthcare operations. 


Vendor Lists and Vendor Contracts:  Vendors remain the cause of a large percentage of the breaches that occur; more than a third of all breaches are caused by vendors.  Even though BAs are now directly liable, the final rule makes it clear that CEs have an obligation to appropriately select and retain vendors.  Review your vendor lists to see if any vendors should be removed because of issues relating to data security and privacy.  Review your contracts to see if language needs to be updated to reflect the final rule.


Risk Assessments and Risk Management Plans:  HIPAA requires healthcare organizations to conduct periodic risk assessments and then to address the risks identified in a risk management plan.  Now is a good time to review and assess your risks to determine if changes can be made to help avoid breaches. Privacy counsel can be a critical member of this exercise.  For example, in some instances, outside counsel can retain the vendor and oversee the project to help maintain the attorney-client privilege. The experience of the privacy counsel, however, is also crucial.  Organizations should retain counsel who has been involved in dozens of OCR investigations and who can provide guidance around what OCR is asking for during those investigations.  That experience translates into the organization's ability to better identify risk mitigation strategies in response to the vulnerabilities found during the risk assessment.


Cyber Insurance:  There are many types of cyber policies being sold to healthcare organizations.  Whether or not you have purchased cyber insurance for breach notification, consider seriously the scope of your coverage for regulatory violations and defense of class actions. We predict that OCR and State Attorneys General (SAGs) are going to be far more aggressive than in the past.  Additionally, due to the changed threshold for breach notification, we may see more class action lawsuits which are expensive to defend.


Legal:  Experienced outside privacy counsel is critical for full compliance with the breach notification requirements of the final rule.  A breach is now presumed which means that outside counsel is going to need to help document the reasons why an organization concludes a breach did not occur.


Forensics:  I am not a big proponent of retaining forensics companies prior to a breach occurring.  This is because, like lawyers, the strengths of forensics firms vary.  Therefore, if I am dealing with an issue involving a new malware variant, I may find a forensics vendor who has experience with the variant and is better positioned to assist my client.  The final rule, however, is a bit of a game changer, and I am now encouraging my clients who do not have insurance to interview a few forensics firms, as the new breach notification rules make it clear that a technically sound and understandable forensics report is critical for supporting determinations that a breach did not occur.  For those that have insurance, talk to your broker or carrier about the forensics options and seek recommendations from them as to how the coverage will support you with the changes in the regulations.


The final rule becomes effective on March 26, 2013, but enforcement will not commence until September 23, 2013.  This does not mean that organizations do not need to be compliant.  The Office for Civil Rights (OCR) has made it clear that civil monetary penalties (CMPs) will be on the rise for HIPAA violations.  A culture of compliance is expected, not merely encouraged.  


On Wednesday, January 23, 2013 at Noon EST, we will be hosting a webinar to discuss some of the big changes in the final rule.  You may register here.

WEBINAR: The HIPAA/HITECH Final Rule is Out

The long awaited HIPAA/HITECH final rule is out. Please join Data Privacy Monitor contributors, Theodore J. Kobus III and Lynn Sessions for a webinar that will cover what stands out as big changes and how healthcare organizations need to prepare. Have the standards just been juggled or will healthcare organizations need to change their approach?

A preliminary review of the new regulation is available here.

Wednesday, January 23, 2013
12:00 PM - 1:00 PM (EST).
There will be additional time following the webinar for anonymous Q&A.
Please come prepared with your questions.

Reserve your Webinar seat now.

Ted and Lynn have helped healthcare organizations handle hundreds of privacy events, including some of the largest and most complicated the industry has faced.

If you have questions about HIPAA/HITECH and how it affects your business before Wednesday's webinar, please do not hesitate to contact Ted Kobus or Lynn Sessions.

The HIPAA/HITECH Final Rule Has Been Released

The long awaited HIPAA/HITECH Final Rule is out.  The final rule is effective March 26, 2013, but covered entities (CEs) and business associates (BAs) will have 180 days beyond the effective date to come into compliance. While we are still conducting a comprehensive review of this 563-page document, below are a few of the changes we have found so far:

  • BAs are now directly liable for compliance with certain HIPAA Privacy and Security Rule requirements:  impermissible uses and disclosures; failure to provide breach notification to the covered entity; failure to provide access to a copy of electronic protected health information to either the covered entity, the individual, or the individual's designee; failure to disclose PHI where required by the Secretary to investigate or determine the business associate's compliance with the HIPAA Rules; failure to provide an accounting of disclosures; and failure to comply with the requirements of the Security Rule.
  • Insurers may need a business associate agreement (BAA) with a covered entity if it is performing risk management or assessment activities or legal services for the covered entity which involve access to PHI.
  • Additional guidance has been provided regarding the assessment of civil monetary penalties (CMPs):  number of individuals affected and time period during which violations occurred will be considered.  As noted below, OCR's presentation to the State Attorneys General shows how quickly CMPs can reach very high numbers.
  • Reputational harm is a fact-specific inquiry and does not arise solely from the sensitivity of the diagnosis.  Instead, OCR will look at whether there were adverse effects on employment, standing in the community, or personal relationships.  
  • When assessing CMPs, an organization's history of compliance and non-compliance will be considered.  A mere complaint does not constitute an indication of non-compliance.
  • There are significant changes to treatment and care communications when the covered entity receives financial remuneration for promoting a third party's goods and services.
  • Individuals must have a right to access and to obtain a copy of PHI within 30 days (with a one-time 30 day extension after written notice for the delay and when the records will be provided).
  • The definition of breach has been modified to clarify that an impermissible use or disclosure of PHI is PRESUMED to be a breach unless the CE or BA demonstrates that there is a low probability that the PHI has been compromised.  Documentation sufficient to meet this burden of proof must be maintained.
  • Breach notification is not required if a CE or BA demonstrates through a risk assessment that there is a low probability that the PHI has been compromised--the focus is no longer on the harm to the individual.
  • The probability of harm must be assessed by considering at least: (1) the nature and extent of PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether PHI was actually acquired or viewed; (4) the extent to which the risk to PHI has been mitigated (e.g. assurances from trusted third-parties that the information was destroyed). Most of these factors were likely considered previously by CEs.
  • Notification does not require an analysis of risk because the occurrence of a breach is presumed.
  • Notification, in situations where the use or disclosure is so inconsequential, is not warranted because it may cause the individual unnecessary anxiety or even eventual apathy if notifications of these types of incidents are sent routinely.  An example is provided of a misdirected fax to the incorrect physician who immediately calls to report the error. This is nothing new, just a clear expression of what many have already believed.
  • Substitute notice or media notice may at times occur after the 60-day period depending on circumstances.
  • Breaches under 500 must be reported no later than 60 days after the calendar year in which they were discovered, not when they occurred.
  • Notification to the Secretary must occur contemporaneously with notice to individuals for breaches over 500.

We also note that some things remain:

  • HITECH only preempts state law to the extent HITECH is more stringent.  HITECH is only a Federal floor of privacy protection.
  • The revised penalty structure remains.  A presentation by the OCR to state Attorneys General shows how aggressive OCR may be in assessing civil monetary penalties (CMPs).
  • "The goal of enforcement is to ensure that violations do not recur without impeding access to care." P. 79.  An entity's financial condition will still be considered.
  • The addressable standard remains.  HHS does "not mandate the use of specific technologies, or require uniform policies and procedures for compliance, because [they] recognize the diversity of regulated entities and appreciate the unique characteristics of their environments." P. 102.
  • The "minimum necessary" standard applies directly to BAs.
  • Certain provisions of the Privacy Rule do not apply to BAs unless the CE delegates that responsibility: designating a privacy officer, providing a notice of privacy practices (NPP).
  • BAAs are still required to help clarify and limit permissible uses and disclosures.
  • A decedent's PHI will require protection for 50 years.
  • The requirement for return or destruction of PHI by the BA at the termination of the contract (if feasible) does extend to sub-BAs.
  • HHS will not establish or endorse a certification process for HIPAA compliance by BAs and sub-BAs.
  • Timeliness and content of notification have not changed.
  • A CE retains the ultimate obligation for proper notification.  Notification by the BA can be delegated.
  • Media notification and notification to HHS have not changed.
  • Law enforcement delays remain available.
  • There are no changes to the circumstances permitting preemption of state law of HITECH.

We will continue to assess these changes and post updates as our analysis develops and the impact of these changes is further considered.  

Healthcare Organizations are Suffering from Serious Data Security Ills

The diagnosis is in, and it's not good. Unless an aggressive treatment plan is put in place, the prognosis will be just as bleak.

On December 6, 2012, the Ponemon Institute issued its Third Annual Benchmark Study on Patient Privacy & Data Security. The key findings were that a shocking 94 percent of healthcare organizations in the study had at least one data breach in the past two years, and 45 percent report that they had more than five breaches. Ponemon estimated the average economic impact of the data breaches over the past two years to be $2.4 million for the healthcare organizations that participated in the study, and that the average annual cost to the healthcare industry could potentially reach almost $7 billion.

According to the study, contributing factors are the lack of sufficient technologies, funding and expertise to address the issue. Further, although employee training is the most common activity to secure confidential data, its effectiveness was called into question. The primary cause of breaches in the study was lost or stolen computing devices, many times attributable to employee negligence. The BYOD (bring your own device) trend doesn’t appear to be helping, and criminal attacks increased from 20 percent in 2010 to 33 percent in 2012.

A total cure is unlikely. After all, even FBI director Robert Mueller has stated: “There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.” But, on a positive note, the Ponemon Study found that 68 percent of organizations conduct and document post-breach risk assessments required by the HITECH Act, representing a 7 percent increase from 2011. And more organizations appear to be relying less on ad hoc processes and more on security policies and procedures, including manual procedures and security technologies.

When asked how the threat of an Office for Civil Rights HIPAA audit affected changes in their organizations, only 9 percent selected the purchase of cyber insurance as one of their top two changes. A similar lag in the purchase of cyber insurance was noted in the Chubb 2012 Public Company Risk Survey, which found that although 63 percent of decision makers in public companies identified cyber risk as their number one concern, 64 percent still do not purchase cyber insurance.

The advised treatment plan for healthcare organizations and public companies alike should include continued employee training, establishment of comprehensive formal organizational policies and procedures, incorporation of security technologies, and the purchase of cyber insurance to assist with the response to and the mitigation of damages from a data breach.

Massachusetts Provider Settles with HHS for $1.5M for ePHI breach incident

To date, the Department of Health and Human Services (“HHS”) has entered into ten resolution agreements and one civil monetary penalty related to its enforcement of the Health Insurance Portability and Accountability Act (“HIPAA”).  Four resolution agreements have been triggered by a covered entity’s report of a security breach to HHS in compliance with the HITECH Act. 

HHS’ fourth resolution agreement pertains to an April 2010 incident at Massachusetts Eye and Ear Infirmary (“MEEI”) and the Massachusetts Eye and Ear Associates, Inc. (“MEEA”) (hereinafter collectively referred to as “MEEI”) and MEEI’s paying of $1.5 million to settle potential violations of the HIPAA Privacy and Security Rules.  MEEI has also agreed to take corrective action to improve policies and procedures for safeguarding the privacy and security of their patients’ protected health information.  The Corrective Action Plan (“CAP”), contained in the resolution agreement, can be found here.  The CAP includes minimum content for policies and procedures, workforce compliance with policies and procedures, training, and monitoring over a three year period. 

The settlement stems from MEEI’s April 21, 2010 reporting to HHS of the theft of an unencrypted laptop computer containing the electronic protected health information (“ePHI”) of 3,500 individuals – patients and research subjects, including patient names, email addresses, dates of birth and medical histories.  Social Security numbers or financial account information were not affected by the incident.  The laptop was stolen from a hospital doctor lecturing in South Korea.  Immediately upon learning of the incident, MEEI remotely disabled the computer’s hard drive.  HHS, upon receiving the report, initiated an investigation by the Office for Civil Rights (“OCR”) into MEEI’s compliance with the Privacy, Security, and Breach Notification Rules.  HHS' investigation indicated the following:

  • MEEI, as part of its security management process, did not demonstrate that it conducted a thorough ongoing risk analysis regarding the confidentiality of ePHI;
  • MEEI lacked security measures to ensure the confidentiality of ePHI;
  • MEEI lacked policies and procedures to address security incident identification, reporting, and response;
  • MEEI lacked policies and procedures for restricting access to authorized users for portable devices with access to ePHI;
  • MEEI lacked policies and procedures governing the receipt and removal of portable devices; and
  • MEEI lacked technical policies and procedures for restricting access to ePHI on portable devices. 

As stated by OCR Director Leon Rodriguez in a press release regarding the settlement, “In an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices. This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom.”  MEEI, in a statement regarding the settlement, commented that  “Given the lack of patient harm discovered in this investigation, [Massachusetts] Eye and Ear was disappointed with the size of the fine, especially since the independent specialty hospital’s annual revenue is very small compared to other much larger institutions that have received smaller fines.”

Since 2008, HHS has ramped up its enforcement of the HIPAA Privacy and Security Rules.  HHS’ enforcement actions have included both private and public covered entities.  The evolution of HHS’ enforcement activity is as follows:

  • July 16, 2008 Resolution Agreement with Providence Health & Services - $100,000 (stolen tapes and disks containing unencrypted ePHI of over 386,000 patients);
  • January 16, 2009 Resolution Agreement with CVS Pharmacy, Inc. - $2.25 million (inappropriate disposal of PHI);
  • July 27, 2010 Resolution Agreement with Rite Aid Corporation - $1 million (inappropriate disposal of PHI);
  • December 13, 2010 Resolution Agreement with Management Services Organization Washington, Inc. - $35,000 (disclosure of ePHI for marketing purposes);
  • February 4, 2011 Civil Money Penalty issued to Cignet Health of Prince George’s County, MD - $4.3 million (denial of patient access to medical records);
  • February 14, 2011 Resolution Agreement with General Hospital Corp. & Massachusetts General Physicians Organization, Inc. - $1 million (loss of PHI of 192 patients);
  • July 6, 2011 Resolution Agreement with the University of California at Los Angeles Health System - $865,500 (unauthorized employee access to ePHI);
  • March 13, 2012 Resolution Agreement with BCBST - $1.5 million (stolen unencrypted hard drives containing ePHI of over 1 million patients);
  • April 13, 2012 Resolution Agreement with Phoenix Cardiac Surgery - $100,000 (public accessibility to Internet-based calendar of clinical and surgical appointments);
  • June 26, 2012 Resolution Agreement with Alaska DHSS - $1.7 million (stolen USB hard drive possibly containing ePHI of 501 patients); and
  • September 17, 2012 Resolution Agreement with MEEI - $1.5 million (stolen laptop containing ePHI of 3,500 individuals). 

HHS’ last four resolution agreements have resulted from OCR investigations initiated after a covered entity’s reporting of a breach incident.  From this most recent resolution agreement, it is clear that HHS will continue with OCR investigations post breach reporting – to ensure that a covered entity has in place policies and procedures for safeguarding of PHI.  Moreover, MEEI's resolution agreement demonstrates that HHS is concerned with a covered entity's lack of an ongoing risk assessment as to the confidentiality of ePHI.  In line with the BCBST, Phoenix Cardiac Surgery, and Alaska DHSS resolution agreements, a covered entity must conduct an ongoing, accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI held by the covered entity. 

HHS Adopts Operating Rules for EFT and ERA Transactions

The U.S. Department of Health and Human Services (HHS) recently released an interim final rule with comment period that adopts "Operating Rules" for electronic funds transfer (EFT) and electronic remittance advice (ERA) transactions by physician practices, hospitals and health plans. By replacing the burdensome, paper-driven billing practices currently employed by more than 70 percent of providers with a standardized electronic system for EFT and ERA transactions, HHS estimates the interim final rule will save between $300 million and $3.3 billion over ten years in the following administrative areas: (1) provider enrollment in EFT and ERA; (2) implementing connectivity between trading partners; (3) reassociation of the payment information with the remittance information; and (4) posting payment adjustments and claim denials.

The third in a series of rules implementing Section 1104 of the Patient Protection and Affordable Care Act (PPACA), the interim final rule adopts all but one of the Phase III EFT and ERA operating rules by the Council for Affordable Quality Healthcare Committee on Operating Rules for Information Exchange (CAQH-CORE). HHS declined to adopt Requirement 4.2, titled "Health Care Claim Payment/Advice Batch Acknowledgement Requirements," of the Phase III CORE 350 Health Care Claim Payment/Advice (835) Infrastructure Rule because the Secretary has not adopted standards for acknowledgements.

HIPAA-covered entities (e.g., health plans, healthcare clearinghouses and healthcare providers that transmit health information in electronic form in connection with a transaction for which the Secretary has adopted a standard) must comply with the Operating Rules by January 1, 2014. The close of the comment period for the IFR, which became effective August 10, 2012, is October 9, 2012.

Cory Fox contributed to this article.

OCR HIPAA Training for State Attorneys General

Earlier this month, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published the materials used in training the state attorneys general (AGs) last year on the enforcement of the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act. OCR has published video of the two-day training sessions along with the slides presented to AGs. A review of the training materials shows that the state AGs were trained on the following:

  • state enforcement of HIPAA/HITECH;
  • the HIPAA Privacy Rule;
  • the HIPAA Security Rule;
  • the impact of HITECH;
  • federal enforcement of HIPAA/HITECH;
  • investigation and prosecution of potential violations of HIPAA/HITECH;
  • preemption of state law; and
  • resources for HIPAA enforcement.

The training sessions discuss the issues that were identified by OCR in the first full year of HITECH’s implementation, including impermissible uses and disclosures; administrative, physical and technical safeguards; access to protected health information; compliance with minimum necessary requirements; and patient complaints. These issues are consistent with those raised by the OCR in working with our clients. The training confirms that the AGs are expected to place increased scrutiny on healthcare providers for privacy violations. Healthcare providers and other covered entities are encouraged to ensure compliance with HIPAA/HITECH, including review and enhancement of privacy policies and procedures.

Online Calendar Paves Way for $100,000 HIPAA Settlement

Phoenix Cardiac Surgery recently entered into a $100,000 settlement with the U.S. Department of Health & Human Services (HHS) for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlement is the result of an investigation by the HHS Office for Civil Rights (OCR) after it received a complaint that Phoenix Cardiac Surgery had a publicly available online calendar that included clinical and surgical appointments for its patients. The OCR investigation further revealed that the practice's HIPAA compliance was deficient in several other aspects, including implementation of policies and procedures to safeguard patient information, documentation of training employees on policies and procedures related to the Privacy and Security Rules, identification of a security official, completion of a risk analysis, and obtaining business associate agreements for vendors of e-mail and calendar services that included storage of and access to electronic protected health information. In addition to the monetary settlement, Phoenix Cardiac Surgery will be required to take corrective action by implementing policies and procedures to safeguard its patients' protected health information with oversight by HHS.

Read the full announcement.

HHS Settles HIPAA Violations Related to a Breach for $1.5M

BlueCross BlueShield of Tennessee (BCBST) was the victim of a theft in 2009 when an intruder stole 57 hard drives which contained protected health information (PHI) of more than 1 million customers.  The information on the hard drives included names, Social Security Numbers, diagnosis codes, dates of birth, and health plan identification numbers.  Reports suggest that the information would be very difficult to extract from the hard drives and BlueCross BlueShield of Tennessee undertook great efforts and significant expense to identify their customers.  Indeed, over 800 people may have worked on the efforts to identify the customers.  After the incident, BCBST undertook efforts to encrypt all data at rest.

Still, BCBST entered into a resolution agreement (.pdf) on March 13, 2011, by which it agreed to pay $1.5M.  BCBST also entered into a corrective action plan (CAP) which sets out a period of compliance obligations and has a term of 450 days.  The CAP requires:

  • BCBST implement policies and procedures (to be reviewed by HHS) which require:
    - a risk assessment be performed to identify potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI when it is created, received, maintained, used, or transmitted on or off-site;
    - a risk management plan be implemented to respond to the risks identified in the risk assessment;
    - use of facility access controls and a facility security plan to limit access to areas where ePHI is located; and
    - physical safeguards governing the storage of electronic storage media containing ePHI.
  • Training on policies and procedures;
  • Random monitoring by BCBST’s Chief Privacy Officer for compliance with the policies;
  • Biannual reports to HHS over the CAP period describing compliance with policies and procedures, training efforts, and reportable events that occurred.

When dealing with regulators, such as OCR, keep these principles in mind:

  • Regulators expect transparency.
  • Your investigation should be prompt, thorough, and well documented.  If certain investigations are privileged, make certain that you assert that privilege.
  • A good attitude and cooperation send a message that the organization is committed to compliance and safeguarding PII, PHI, and ePHI.
  • Notification concerning a breach should be appropriate and prompt.
  • Know the root cause of the breach and address it through staff training, awareness programs, technical safeguards, and new policies/procedures/physical safeguards.
  • Provide customers with the appropriate level of mitigation or remediation measures.  Credit monitoring does not always address the risk to the customer.  Sometimes, it can be as simple as advising a patient to monitor his or her Explanation of Benefits (EOB) statements or telling a customer to file a report with a credit card company that his or her credit card number has potentially been exposed.

Leon Rodriguez, director of the HHS Office for Civil Rights (OCR) said, “This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program.”  The safeguard and training requirements of the CAP are very similar to requests for information we see from OCR following a reportable breach.  If a healthcare organization does not currently have the above risk management plans and safeguards in place, the warning sent as a result of this settlement is clear—make these compliance issues a priority before you have a reportable breach.

Ohio Appeals Court Rejects Claim of Wrongful Disclosure of Medical Information Under Biddle v. Warren General Hospital - Upholds Lack of Private Cause of Action Under HIPAA

In an opinion announced on January 10, 2012, the Ohio Tenth District Court of Appeals, in Columbus, Ohio, held that a hospital’s use of a patient’s individually identifiable health information (PHI) for obtaining payment of a patient’s account was a valid use of PHI for payment purposes under the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 (“HIPAA”), and rejected the patient’s claim that disclosure of the patient’s PHI was a wrongful disclosure of medical information under Biddle v. Warren General Hospital, Ohio’s seminal case that established a personal injury tort for wrongful disclosure of confidential medical information.

In OhioHealth Corp. v. Ryan, No. 10AP-937, 2012-OH-60 (10th Dist. App., January 10, 2012), OhioHealth filed a legal action against Ryan, a former patient, to recover on an account for unpaid medical services. The defendant Ryan denied the allegations of the complaint and filed a counterclaim against OhioHealth alleging that OhioHealth created false PHI by claiming that Ryan was uninsured, and that OhioHealth engaged in unauthorized disclosure of said information to a third party. Ryan asserted that under Biddle v. Warren Gen. Hosp., 86 Ohio St. 3d 395 (1999), OhioHealth disclosed, without authorization or privilege, nonpublic medical information of Ryan obtained in a confidential relationship. OhioHealth countered that, as a “covered entity” under HIPAA, its actions were governed by HIPAA’s privacy regulations that specifically authorize disclosure of PHI for purposes of obtaining payment for services, and which preempt contrary state laws (and that no exceptions to state law preemption applied). The trial court granted OhioHealth’s motion to dismiss the patient’s counterclaim on the basis that the disclosure of PHI at issue was indeed permitted under HIPAA and therefore constituted an authorized, privileged use of medical information under the Biddle case. After additional motions for summary judgment and dismissal, the trial court issued a judgment entry finding there were no genuine issues of material fact remaining for trial and held defendant Ryan liable on the unpaid account. Defendant Ryan appealed both the dismissal of the counterclaim, and the judgment entry on the unpaid account.

Appellate Court Finds Biddle Case Inapplicable to Privileged Use of PHI for Payment

The Ohio Tenth District Court of Appeals, in addressing defendant Ryan’s first assignment of error, found that (a) Biddle v. Warren Gen. Hosp. was distinguishable from the instant case because OhioHealth’s disclosure of Ryan’s account information was a protected or “privileged” disclosure, meaning it was legally permitted under HIPAA without obtaining the patient’s consent, and that (b) no private right of action exists under HIPAA, which is the dispositive authority in the case. First, assuming that the Biddle case did apply, the Court found the disclosure in the present case was authorized by HIPAA for payment purposes, thus rendering the disclosure by OhioHealth permissive and not wrongful or unauthorized under Biddle. Further, the disclosure involved account information, and not the entire medical records of the patient, as was the case in Biddle. Second, the Court reasoned that the federal HIPAA law generally preempts or supersedes state laws that are contrary to its requirements, unless such state laws impose requirements that are more stringent than HIPAA (citing 45 C.F.R. § 160.202(6) and § 160.203(b)). The Court found that defendant Ryan failed to cite any Ohio authority more stringent than HIPAA. Third, and significantly, the Court of Appeals recognized that, even if there was a wrongful disclosure under HIPAA, there is no private right of action under HIPAA, as recognized by several federal district courts in Ohio on prior occasions. Ryan was without ability to bring an action under HIPAA in court. Thus, given the privileged, authorized disclosure of information by OhioHealth under HIPAA, and absent any more stringent state law requirement, the defendant was unable to establish a claim that OhioHealth engaged in the tort of wrongful disclosure of nonpublic medical information obtained in a confidential relationship under Biddle v. Warren General Hospital. 
The Court of Appeals upheld the dismissal of the defendant’s counterclaim against OhioHealth, and upheld the trial court’s summary judgment in favor of OhioHealth on the patient’s past due account.

Update: Final HITECH Act Regulations Amending HIPAA Privacy And Security Will Be Published In 2012

During 2011, informal indications were given by the HHS Office of Civil Rights (OCR) and various industry experts that the final HITECH Act regulations amending the HIPAA privacy and security regulations would be published by the end of 2011. However, as of January 6, 2012, the regulations continue to be delayed, due to the numerous comments and policy questions being reviewed and addressed by OCR and other Health Information Privacy officials within HHS. Reasons for the lengthy time period for the HITECH Act regulations include the numerous policy reviews conducted by HHS, and the need to formulate responses to many of the over 300 comments received in connection with the Proposed Rule published in the Federal Register on July 14, 2010 (75 Fed. Reg. 40868). Although no specific month or day has been announced for publication of the final HITECH Act regulations in 2012, healthcare providers, health plans and clearinghouses should be prepared for publication of the final regulations sometime this year, and expect a few weeks or months of delayed enforcement to enable subject entities to transition to any new requirements.

Additionally, policy reviews are still being conducted by HHS OCR with respect to the Interim Final Rule for breach notification under the HITECH Act, which is found at 45 C.F.R. part 164, subpart D. It is not clear whether the breach notification regulations will remain unchanged, or whether revisions will be announced along with the HITECH Act final regulations.

Despite the continued delay in the final HITECH Act regulations, covered entities and business associates that are reviewing, implementing and updating their HIPAA privacy and security policies and procedures should continue to do so with diligence. The HIPAA regulations require periodic evaluation and updating of policies and safeguards, to address a changing healthcare environment and evolving privacy and security threats. Further, OCR is currently in the process of conducting HIPAA privacy and security audits of covered entities, as required under HITECH Act, notification of which began in November 2011. Covered entities should keep in mind that the HIPAA Security Standards took effect for most covered entities in April of 2005. For business associates, under the HITECH Act, the HIPAA Security Standards became directly applicable to them in February 2010. Similarly, the HITECH breach notification interim final rule, referred to above, became actively enforced in February 2010. Covered entities and business associates should consider finalizing any updates to their privacy and security policies, procedures, safeguards and documentation, and revisit these later in the year for any adjustments needed when the final HITECH Act regulations are published.

Privacy and Data Breach Regulatory Activity--A Year in Review

While plaintiffs continue to face an uphill battle proving damages in privacy litigation, regulatory actions and investigations seem to be increasing.  During 2011, we saw activity from many government agencies—both state and federal—including the Federal Trade Commission (FTC), Department of Education (DOE), Department of Health and Human Services (HHS) Office for Civil Rights (OCR), Office of Inspector General (OIG), Securities and Exchange Commission (SEC), state Attorneys General, and the California Department of Public Health (CaDPH).

FTC 

The FTC has a long history of being proactive in promoting consumer protection and in preventing anti-competitive business practices.  The FTC has the power to regulate against unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce.  In 2011, there were several noteworthy FTC actions in the privacy sector.

  • Google Buzz:  The settlement with Google arose out of alleged violations of Google’s privacy promise related to the sharing of Gmail user account information to populate Google’s new social network, Google Buzz.  The settlement bars the company from future privacy misrepresentations.  Google is also required to implement a comprehensive privacy program and submit to independent audits for the next 20 years.  Additionally, for the first time, the FTC alleged violations of the U.S.-EU Safe Harbor Framework (which has privacy requirements for the transferring of personal information from the EU to the U.S.).
  • Playdom:  Playdom, an online game developer, was accused of collecting and disclosing information about hundreds of thousands of children under 13 without parental consent.  The FTC announced on May 12, 2011 that it had reached the largest civil penalty settlement under the Children’s Online Privacy Protection Act (COPPA) with Playdom for $3,000,000.  COPPA prohibits owners of websites and online services directed to children (including general audience websites) from collecting or maintaining personal information about children under 13 (including name, address, email address, telephone number, social security number, etc.) without verifiable parental consent.  The FTC has online resources for those interested in learning more about COPPA.
  • Facebook:  Ending the FTC’s 18-month investigation into Facebook’s user privacy practices, the FTC and Facebook reached a settlement [pdf] in November of 2011.  As we reported here, by adding Facebook to the list of major social media entities subject to an FTC consent order—a list that includes Google and Twitter—the FTC has loudly signaled its leading role in regulating the online privacy practices of businesses.  The focus of the FTC seemed to be on sharing user information and making certain user information available without clear consent.  Similar to the Google Buzz settlement, Facebook agreed to not misrepresent its privacy controls.  Independent audits for the next 20 years are also part of the settlement.

With the FTC’s recent workshop on facial recognition technology as it relates to privacy and security concerns, it is clear that we will continue to see FTC activity in 2012.  The question remains—will we see any enforcement activity relating to the Red Flag Rules, which we talked so much about between 2008 and 2010?

DOE 

We have seen investigations by the DOE following data breaches involving educational institutions pursuant to Family Educational Rights and Privacy Act (FERPA).  While there is currently no duty to report a breach to the DOE, the agency is reading news reports and utilizing online resources to track breaches that have been made public.  We expect that this activity will continue in the new year, particularly since the DOE has been more focused on privacy issues in the past few years with the addition of a new Chief Privacy Officer, establishment of the Privacy Technical Assistance Center (PTAC), and the enhancement of FERPA regulations.

HHS OCR

Since the enactment of HITECH, and with its enforcement authority of the HIPAA Privacy and Security Rules in place, OCR has been quite active following data breaches involving healthcare organizations.  Typically, the organization receives a laundry list of document requests (and often supplemental requests as well) during the course of the investigation.  While penalties are available, we have not seen significant activity in this regard.  Still, there were two civil penalties assessed in 2011 that may be a warning call that the HHS is looking carefully at the safeguards in place to protect protected health information (PHI) at healthcare organizations.   The first penalty was for $1M and involved Massachusetts General Hospital.  There, records of 192 patients of the Infectious Disease Associates outpatient practice were lost on public transportation—some containing diagnoses of HIV/AIDS.  The second incident involved a $4.3M penalty against Cignet for refusing to provide 41 patients access to medical records.  Additionally, it was alleged that Cignet did not cooperate with HHS’s investigation.  With the audits of covered entities commencing just recently, the occurrence of major healthcare breaches in 2011, and the fact that over 30,000 healthcare breaches have been reported since HITECH, we expect that OCR activity will increase in 2012.

State AGs

2011 brought additional activity by state AGs.  AGs have enforcement authority of their own state data breach laws in most cases, as well as enforcement authority under HITECH.  Two actions came out of Massachusetts that should be closely followed. The first involved the Briar Group, LLC (“Briar Group”), a restaurant chain.  On March 28, 2011, the Briar Group was the first company to be fined under the Massachusetts Data Privacy Law.  In addition to the $110,000 in penalties, the Briar Group will have to prove compliance with the Commonwealth’s data security regulations as well as the Payment Card Industry Security Standards.  The second action involved Belmont Savings Bank and a $7,500 fine.  The fine may seem small, but the incident involved only 13,000 customers, and the back-up tapes at issue were known to be discarded in a trash can by a cleaning company.  The focus of this action seems to be an allegation of poor information security practices, including security procedures for handling computer tapes and customer information.  Also, in Indiana, the Attorney General settled with WellPoint, Inc. for $100,000 after the company allegedly delayed in notifying approximately 32,000 residents about a data breach.  WellPoint was also required to provide up to 2 years of credit monitoring and identity theft protection services to Indiana consumers affected by the breach, and reimbursement to any WellPoint consumer of up to $50,000 for any losses that result from identity theft due to the incident.  The Indiana Attorney General’s Office interprets the timeliness requirement of the Indiana Disclosure of Security Breach Act to require notice to affected individuals within 30 days.

In addition, the HHS conducted training sessions for HITECH enforcement this year to state AGs.  Now that the training has been completed, we expect to see increased activity in 2012.

These are some of the 2011 regulatory highlights.  Other agencies have been active as well.  No matter which agency may have enforcement power over your organization, do not wait until a breach occurs to think about how you will respond to an investigation.  As we discussed here, regulators expect a prompt and thorough response, transparency and involvement by the C-Suite. 

OCR HIPAA Audit and Site Visit Pilot Program Implemented

In an effort to comply with Section 13411 of the HITECH Act, the Office for Civil Rights (“OCR”) recently announced the implementation of a pilot program to audit covered entities and business associates to ensure they are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. OCR anticipates performing up to 150 audits during the pilot phase, which began in November 2011 and should conclude by December 2012. OCR will use the audits and associated site visits to assess HIPAA compliance efforts, examine mechanisms for compliance, identify best practices, and discover risks and vulnerabilities that may not have come to light through OCR’s complaint investigations and compliance reviews.

Every covered entity is eligible for an audit, and OCR anticipates including business associates in future audits. When a covered entity is selected for an audit, OCR will notify the covered entity in writing. The notification letter will provide an introduction to the auditor contractor—KPMG won OCR’s $9.2 million contract for the HITECH-required HIPAA audits—explain the audit process, and describe the initial document and information requests. OCR expects entities selected for audit to provide the requested information within ten business days of the request for information.

During the pilot phase, every audit will be accompanied by a site visit in which auditors will interview key personnel and observe processes and operations to help determine compliance. Covered entities should be notified of a site visit between 30 and 90 days prior to the anticipated visit, which itself may take between three to ten business days. Auditors will then develop a draft report describing the findings and what actions the covered entity is taking in response to those findings. Before finalizing the report, the covered entity will have the opportunity to discuss concerns and describe corrective actions implemented to address concerns identified.

OCR maintains that the audits are primarily a compliance improvement activity. However, should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem. Unlike breaches, OCR will not post a listing of audited entities or otherwise identify the audited entity when sharing findings. Covered entities should begin preparing for these new audits by reviewing and updating their policies, procedures, and training. Entities should ensure compliance protocols are being followed and that they are positioned to identify audit notification letters and respond in the short time frames for producing requested information.

For more information, please contact Lynn Sessions, lsessions@bakerlaw.com or 713.646.1352, or Ameena N. Ashfaq, aashfaq@bakerlaw.com or 713.646.1329.

The A to Z of Healthcare Data Breaches

I recently presented on the topic of Healthcare Data Breaches--A to Z at the annual American Society for Healthcare Risk Management (ASHRM) conference in Phoenix.  Attendees at any conference are always looking for practical takeaways to share with their colleagues and to help guide them even before a crisis event occurs.  During my presentation, with the hope that at least one of the tenets would be helpful to tackle the constantly evolving data breach legal landscape, I gave the audience my A to Zs for healthcare organizations.  Many of these will seem like common sense, but in my experience, there are a number of organizations who still do not recognize the importance of each of these.  Since the ASHRM conference, I have received many requests for my list and decided to publish them here:

A - Accept that it will happen to you

B - Breach response policies are not only mandatory, they are helpful

C - Compliance with policies and procedures is critical

D - Data breach Fridays--the breach call always comes in at 6pm on a Friday

E - Empathize with your customers/patients/employees--how are they going to react to your response?

F - Familiarize yourself with the members of your breach response team before the breach occurs

G - Government has its hands in everything when it comes to privacy

H - HIPAA/HITECH

I - IT is not the only one responsible for breaches--it is a C-suite issue

J - Joint Commission may ask you about your healthcare breach

K - Kids' information is sensitive to parents no matter how low level you may think it is

L - Legal landscape is constantly changing

M - Mitigation of harm (credit monitoring, identity monitoring, reissued credit cards)

N - Notice to the media needs to be carefully considered even when required by law and your PR firm may not be in the best position to advise you

O - Overreacting is not going to get you through the event

P - Preparedness is key 

Q - Quit keeping old data

R - Risk of harm analyses should be documented

S - Social media policies should be in place

T - Transparency is expected by regulators and customers

U - Understand the laws that impact your organization

V - Vendors cause about 1/3 of the breaches

W - Wait to see what you are dealing with before you announce a breach to the world

X - X-rays are being stolen to be melted down for their silver content, but you may still need to notify the patients affected because the sleeves often contain PHI

Y - Yesterday's events can't be changed--get over it, look forward, and change your practices

Z - Zealously investigate your breach--it will help you in the end

Building these principles into your organization's philosophy as it bolsters its data security and privacy policies and procedures will help you when an event occurs.  Consider updating your breach response/incident response plans, written information security plans, social media policies, portal agreements, vendor contracts, and risk assessments.   An increasing number of clients are also requesting tabletop exercises or workshops to help them prepare to respond to a breach.  The more prepared an organization is, and the more an organization's C-Suite recognizes that this is not an IT-only issue, the better equipped organizations will be to respond to customers, lawsuits, and regulators.

Despite Growing Corporate Awareness of Data Breach Risk, Risk Planning Lags

Advisen has released a report titled, “A New Era in Information Security and Cyber Liability Risk Management: A Survey on Enterprise-wide Cyber Risk Management Practices,” which summarizes the results of a survey of over 500 risk management professionals. More than 60 percent of the survey participants work for companies with annual revenues exceeding $1 Billion a year while the remainder work for smaller companies.

The survey results suggest that businesses are recognizing the seriousness of the risks posed by potential compromise of data security. The vast majority of respondents stated that their organization views information security as at least a moderate threat and more than two-thirds of respondents stated that information security risks are a specific risk management focus within their organizations. Most organizations have some form of multi-departmental information security and cyber risk team or committee, and more than two thirds of respondents said their organizations have a disaster response plan in place in the event of a major breach.

Despite widespread recognition of data breach risk, risk contingency planning may still be inadequate. For 41 percent of respondents, the IT department is responsible for complying with state data breach notification laws following a breach. The IT department often may be ill-equipped to satisfy the inconsistent notification requirements of the 46 different states that have enacted breach notification laws and the independent obligations that may arise under federal laws, such as HIPAA/HITECH and Gramm-Leach-Bliley, or under industry self-regulation, such as the PCI rules. The recent adoption of breach notification rules in various jurisdictions around the globe further complicates data breach response. Furthermore, the majority of the organizations represented by this survey have not acquired cyber insurance as a tool for managing the risks associated with data breach. This statistic may change as companies consider the SEC’s recent recommendation that companies disclose in their SEC filings both: 1) the particular data security risks that their organization faces; and 2) the insurance they have in place to address that risk.

Annual HITECH Report to Congress

Health and Human Services (HHS) made its first annual report to Congress last week regarding the number and nature of breaches reported to the Office of Civil Rights (OCR) since the effective date of HITECH as is required by the HITECH Act. HHS also submitted information as to the actions taken by the reporting entities in response to those breaches.

From September 23, 2009 to December 31, 2010, over 30,000 healthcare data breaches have been reported to OCR affecting more than 7.8 million individuals. The report separates breaches into each calendar year and numbers affected. For the reporting months of 2009, 45 healthcare data breaches affecting more than 500 people (large breaches) were reported with covered entities notifying approximately 2.4 million individuals affected by these large breaches. For breaches involving fewer than 500 people, OCR received 5,521 reports during the 2009 reporting months affecting approximately 12,000 people. For the calendar year 2010, 207 large breaches affecting 5.4 million individuals were reported to OCR and over 25,000 reports of smaller breaches involving more than 50,000 people were reported.

Cause of breaches

According to the report, the most common cause of the large breaches was theft for both 2009 and 2010. Incidents of theft of paper records or electronic media affected over 4.4 million people. Many of these thefts occurred on the premises of the covered entities with theft of desktop computers, laptops, and portable electronic devices such as smart phones and flash drives being the most common. In 2009, the next most common cause was intentional unauthorized access to, use or disclosure of protected health information (PHI), such as phishing, employee misuse of credit card information, and network hacking. In 2010, intentional unauthorized access was the third most common cause but included hacking, and employees accessing information for personal gain. Human error and loss of electronic media or paper records containing PHI rounded out the most common causes for each year. In 2010, the second most common cause was loss of electronic media or paper records containing PHI mostly through portable electronic devices, including back-up tapes, compact discs, memory cards, flash drives and smart phones. Several of these involved breaches on the part of a business associate.

HHS also describes the most commonly reported remedial action taken by the covered entities in response to the larger breaches:

  • Revising policies and procedures
  • Improving physical security with new security systems or relocation of equipment and records to a secure area
  • Training/retraining of workforce members
  • Free credit monitoring
  • Encryption
  • Imposing sanctions on workforce members
  • Changing passwords
  • Performing new risk assessments
  • Revising business associate agreements to protect confidential information more explicitly

To date, of the 252 larger breaches reported, OCR has closed approximately 76 of these cases, where through investigation, OCR has determined that the covered entity properly complied with the breach notification requirements and that the corrective actions taken appropriately addressed the underlying cause of the breach so as to avoid future incidents and mitigated the harm to the affected parties. In the remaining 176 cases, OCR continues to investigate and work with the covered entities to ensure appropriate remedial action is taken.

In review of this report, it is clear that OCR will investigate, in detail, the large reported breaches. Since theft and loss of protected health information continue to be the most common causes of healthcare data breaches, covered entities should assess their physical security around protected health information and ensure that electronic devices, including computers, laptops, smart phones, and flash drives, are encrypted. Finally, business associates agreements should be scrutinized to ensure that covered entities are ensuring that their business associates are compliant and accountable for security of PHI.

Baker Hostetler Hosts Data Breach Webinar

On August 10, 2011, several members of Baker Hostetler's Healthcare Industry and Privacy, Security and Social Media Teams hosted a webinar entitled "Are You Ready for a Data Breach?" The program focused on the complex and rapidly changing HIPAA/HITECH regulations and compliance issues facing healthcare institutions.

The program also discussed the multimillion-dollar penalties that recently have been assessed against healthcare institutions, and the exponential increase in the use of mobile technology within the healthcare industry.

The webinar centered on assisting in-house counsel, compliance, risk management and IT officers with forming a stronger response to a data breach incident. The discussion also offered timely practical tips and processes that can help covered entities and business associates prevent a data breach from initially occurring.

Baker Hostetler data breach attorneys Jerry Ferguson, Lynn Sessions, John Mulhollan and Craig Hoffman led the session.


HHS Proposes Standards on Metadata for Electronic Health Information Exchanges

On August 4, the Department of Health and Human Services (HHS) released an Advanced Notice of Proposed Rule Making (ANPRM) on metadata standards to support a nationwide electronic health information exchange. Section 3001 of the Health Information Technology for Economic and Clinical Health (HITECH) Act provides for the Office of the National Coordinator for Health Information Technology to develop a nationwide health information technology infrastructure including standards for metadata. The HIT Policy Committee suggested steps earlier this year to achieve the vision of the infrastructure contemplated under HITECH. A first step is the establishment of a minimal set of standards for metadata that could be attached to a patient summary care record. The purpose of the ANPRM is to solicit broad public comment on the proposed metadata standards.

What is “metadata”? Metadata is commonly referred to as “data about data” or “data that provides more information or detail about a piece of data.” For example, metadata can tell you when a piece of data was created, accessed, modified and by whom. The ANPRM divides the metadata standards into three categories: 1) patient identity, or data elements about the patient; 2) provenance, or data elements about the source of the clinical data; and 3) privacy, or data elements about the types and sensitivity of the clinical data. The ANPRM sets forth proposed standards for each of these categories.  Overall, HHS recommends that the HL7 CDA R2 requirements be adopted for all three categories in order to provide the widest coverage across the metadata elements. However, it does recognize that there are limitations to these standards in each category.

Proposed Metadata Standards

The ANPRM proposes the following data elements for the patient identity set: 1) name, including patient’s name prefix, first and middle names, surname and suffix; 2) date of birth; 3) current primary address; 4) current primary zip code; and 5) a unique patient identifier used by a healthcare provider, such as last four digits of a social security number, patient’s driver’s license number or medical record number. For the provenance metadata set, the following is proposed: 1) a tagged data element identifier; 2) time stamp when the metadata was electronically signed; and 3) a digital certificate of the signer and the signer’s organizational affiliation.  The proposed privacy metadata standards include: 1) a policy pointer, which is a URL that points to the privacy policy that is in effect at the time the data element is released, including external policies; and 2) content metadata, which represents elements needed to implement organizational policies and state and federal privacy laws. The content metadata comprises a data type describing the underlying data from a clinical perspective and a sensitivity indicator identifying, at a granular level, the type of underlying data so that it can be protected with automated privacy filters. HHS expects that the privacy metadata will enable healthcare providers to filter sensitive information before releasing it for disclosure, providing another layer of patient privacy protection.
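To make the filtering idea concrete, here is an added example (not from the ANPRM or from any HL7 CDA R2 implementation) that models the provenance and privacy metadata sets described above as plain Python records and implements the kind of automated privacy filter the privacy metadata is meant to enable. The sensitivity vocabulary, policy URL, organization names and clinical values are all constructed for the example; the filter fails closed, withholding any element whose source is untrusted, whose signing time is implausible, or whose policy pointer or purpose it cannot resolve.

```python
"""Constructed illustration of metadata-driven privacy filtering.
Field names, sensitivity levels and sample values are invented for
this example and are not ANPRM or HL7 CDA R2 definitions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

# Constructed sensitivity vocabulary, least to most sensitive.
SENSITIVITY_RANK = {"normal": 0, "restricted": 1, "very_restricted": 2}


@dataclass(frozen=True)
class Provenance:             # "source of the clinical data" metadata set
    element_id: str           # tagged data element identifier
    signed_at: datetime       # time stamp when the metadata was signed
    signer_cert_subject: str  # stand-in for the signer's digital certificate
    organization: str         # signer's organizational affiliation


@dataclass(frozen=True)
class PrivacyMeta:            # "type and sensitivity" metadata set
    policy_pointer: str       # URL of the policy in effect at release time
    data_type: str            # clinical data type of the underlying element
    sensitivity: str          # key of SENSITIVITY_RANK


@dataclass(frozen=True)
class ClinicalElement:
    content: str
    provenance: Provenance
    privacy: PrivacyMeta


# Policy table keyed by policy-pointer URL: purpose -> highest releasable level.
PolicyTable = Dict[str, Dict[str, str]]


def release_for(elements: List[ClinicalElement], purpose: str,
                policies: PolicyTable, trusted_orgs: Set[str], now: datetime
                ) -> Tuple[List[ClinicalElement], List[Tuple[str, str]]]:
    """Split elements into (released, withheld-with-reason) for one disclosure."""
    released, withheld = [], []
    for el in elements:
        eid = el.provenance.element_id
        if el.provenance.organization not in trusted_orgs:
            withheld.append((eid, "untrusted source organization"))
            continue
        if el.provenance.signed_at > now:
            withheld.append((eid, "provenance timestamp is in the future"))
            continue
        rules = policies.get(el.privacy.policy_pointer)
        if rules is None:                       # unknown policy: fail closed
            withheld.append((eid, "unknown policy pointer"))
            continue
        ceiling = rules.get(purpose)
        if ceiling is None:                     # purpose not listed: fail closed
            withheld.append((eid, "purpose not permitted by policy"))
            continue
        if SENSITIVITY_RANK[el.privacy.sensitivity] > SENSITIVITY_RANK[ceiling]:
            withheld.append((eid, "sensitivity exceeds policy ceiling"))
            continue
        released.append(el)
    return released, withheld


# --- constructed sample data -------------------------------------------
NOW = datetime(2011, 8, 15, 12, 0, tzinfo=timezone.utc)
POLICY_URL = "https://hospital.example/privacy-policy/2011-08"   # constructed
POLICIES: PolicyTable = {
    POLICY_URL: {"treatment": "very_restricted",
                 "research": "restricted",
                 "payment": "normal"},
}
TRUSTED_ORGS = {"Example General Hospital"}


def _element(eid, content, data_type, sensitivity,
             org="Example General Hospital", policy=POLICY_URL,
             signed_at=NOW - timedelta(days=1)) -> ClinicalElement:
    return ClinicalElement(content,
                           Provenance(eid, signed_at, f"CN={org} EHR", org),
                           PrivacyMeta(policy, data_type, sensitivity))


SAMPLE_ELEMENTS = [
    _element("e1", "BP 128/82 mmHg", "vital-sign", "normal"),
    _element("e2", "HIV-1 antibody: reactive", "lab-result", "very_restricted"),
    _element("e3", "Counseling session note", "mental-health-note", "restricted"),
    _element("e4", "Outside summary", "clinical-note", "normal", org="Unknown Clinic"),
    _element("e5", "Allergy: penicillin", "allergy", "normal",
             policy="https://other.example/policy"),
]


def released_ids(purpose: str) -> List[str]:
    """Element identifiers the sample record would disclose for `purpose`."""
    released, _ = release_for(SAMPLE_ELEMENTS, purpose, POLICIES, TRUSTED_ORGS, NOW)
    return [el.provenance.element_id for el in released]
```

Running `released_ids("payment")` shows only the vital sign leaving the organization, while the same record discloses the HIV result for treatment; the withheld list is what a reviewer would log.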

Impact to Healthcare Providers

The initial impact of the standards will be on electronic health record vendors to develop the technology allowing providers to comply with the proposed metadata standards. After development, providers will then need to upgrade their EHR to comply with the HITECH standards for metadata. Those providers who have a more customized EHR may find themselves having to standardize certain forms to meet the metadata standards. Providers will need to have internal privacy policies in place and aggressive policy revisions as new regulations are proposed, to accommodate the policy pointer element. Staff training and education on the existence and anticipated use of the metadata elements will also be needed. Collaboration between healthcare IT and privacy professionals is imperative for implementation of the privacy metadata elements.  HHS expects that once the EHR technology is able to apply the metadata standards, healthcare providers will develop innovative ways to use the capability, such as appropriately filtering data prior to making any disclosure for additional privacy/security protection and processing information for quality improvement and quality measurement.

HHS to Propose New Privacy Standards for Human Research Subjects

The Department of Health and Human Services (HHS) issued an Advance Notice of Proposed Rulemaking (ANPRM) on July 22, 2011, to enhance protections for medical research subjects, including standards around privacy and data security. The ANPRM seeks comments on how better to protect human research subjects while facilitating valuable research. The current Common Rule was developed over 20 years ago and does not reflect changes in how medical research is conducted today or the advanced technology used to facilitate the research.

HHS acknowledges concerns with the current Common Rule and the increasing use of genetic information, biospecimens, medical and research records and administrative data. The risks related to these types of research are considered informational risks, such as the unauthorized release of information about the research subject. The HIPAA Privacy Rule addresses some of these risks by imposing restrictions on how protected health information may be used and disclosed, including for research. The HIPAA Security Rule protects subjects by requiring covered entities and their business associates to have physical, administrative and technical safeguards to protect information in electronic form. However, not all research investigators are subject to HIPAA. Also, the Privacy Act of 1974 does not apply to non-Federal researchers. Further, HHS acknowledges that the Common Rule and the HIPAA Privacy Rule can be inconsistent, which makes it difficult for researchers to comply with both. Current privacy regulations do not take into account the genetic and information technologies that make complete de-identification of biospecimens impossible and re-identification of sensitive health data easier.

HHS proposes establishing mandatory data security and information protection standards for all research studies that involve identifiable and potentially identifiable data and where data is collected, stored, analyzed or otherwise reused. HHS also anticipates creating rules to protect against the inappropriate re-identification of de-identified information that is collected as part of a research study. The ANPRM advocates adopting the HIPAA standards around de-identification and pulling in those investigators who are not covered entities or business associates. With these new rules, HHS expects to streamline the Institutional Review Board (IRB) process and no longer require the IRB to assess the adequacy of the protections against informational risks. In addition to adopting the HIPAA Privacy Rule, HHS further proposes the following: 1) research involving identifiable data would be required to adhere to the HIPAA Security Rule, including the breach notification standards; 2) data could be considered de-identified or a limited data set if the investigator sees the identifiers but does not record them in a permanent research file; and 3) retrospective audits and additional enforcement tools.

New HIPAA Access Report: Proceed with Caution

We previously reported on the HIPAA Proposed Rule on Accounting of Disclosures and the new Access Report requirements. Further analysis of the proposed rule raises additional concerns for healthcare entities and providers. As a reminder, the Access Report requirements will mandate that, upon a patient’s request, a covered entity or business associate must provide an accounting of all individuals who accessed the electronic health record in a designated record set, for any reason. This includes both uses and disclosures, regardless of the purpose.

Caution: Many electronic records are not equipped to automatically generate the list of all individuals that access a patient’s electronic health record. The Proposed Rule implicates not only those individuals caring for the patient, but those in the billing department processing the payments, and others who access the designated record set during the course of “operations.” The electronic record will not differentiate between the types of activities an individual performs while accessing the patient’s designated record set. As a result, the Access Report, while creating a great deal of transparency as to who has accessed a patient’s record, may generate a lot of confusion and unnecessary concern due to the sheer volume of people who access a patient’s medical record as part of treatment, payment and operations during a single hospitalization or complex outpatient visit.

The Proposed Rule does not specifically exclude activities that healthcare providers may consider privileged under various legal privileges, such as peer review, hospital committee, attorney-client, attorney work product or performance improvement privileges. Activities, such as root cause analyses, adverse patient event investigations, physician peer review, or even in-house attorney review of a designated record set, may be included as part of the access report when individuals conducting those activities access a designated record set to accomplish those duties. Importantly, those individuals who access the designated record set may become unwitting witnesses in a subsequent malpractice action. The information contained within an Access Report could provide the basis for determining when a provider anticipated litigation and/or a spoliation claim. An enterprising plaintiff’s attorney may have his/her client request an Access Report from the healthcare provider prior to filing suit to obtain such information. Health Information Management, Risk Management, Privacy/Compliance, Information Technology and the Legal departments should develop a coordinated process to ensure appropriate handling and notification when such requests are made and to evaluate potential litigation implications.

HIPAA Audits ARRA Coming! Is your PHI Secure?

In the growing world of RAC audits, Voluntary Disclosure Protocols, IRS Form 990 disclosures, “Never Events” and HIPAA breach notifications, there is a new kid on the block in the area of federal audit and oversight for health care providers, health plans and their business associates under the health information privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  During the next 18 months, HIPAA privacy and security audits mandated under the American Recovery and Reinvestment Act of 2009 (“ARRA”) will be conducted by the Office of Civil Rights (“OCR”) through an audit contractor, it was announced on  June 10, 2011.  The Department of Health and Human Services (“HHS”) awarded a $9.5 million contract to the KPMG accounting firm to “assist OCR in operating an audit program that effectively implements the statutory requirement to audit covered entity and business associate compliance with the HIPAA privacy and security standards as amended by ARRA.”  KPMG was awarded the contract one day after another contract had been awarded to Booz Allen Hamilton to conduct the “audit candidate identification” intended to identify the universe of covered entities and business associates subject to potential audit under this program.

Under Section 13411 of the Health Information Technology for Economic and Clinical Health Act, a part of ARRA (“HITECH”), HHS, through its Office of Civil Rights, is directed to conduct such audits for purposes of determining compliance with the privacy and security regulations under HIPAA.  Until now, the OCR has focused primarily on the investigation of alleged privacy and security violations in response to complaints, and has conducted a limited number of compliance reviews of covered entities, typically in response to publicized incidents.  The new audits will expand OCR’s activities in compliance enforcement and will raise the stakes for entities that have failed to appropriately implement HIPAA privacy and security safeguards.


New Texas Health Care Privacy Law

Texas Governor Rick Perry just signed a law protecting patients’ data in electronic health records and increasing penalties for violation of the health care privacy laws. In what was a heated legislative session, this bill passed both houses without opposition, signaling widespread support for a stronger stance on protecting patients’ health information. The new law becomes effective September 1, 2012.

The Texas law requires covered entities, such as hospitals, physicians, health plans, health care clearinghouses and their business associates, to comply with the federal Health Insurance Portability and Accountability Act (HIPAA) privacy standards. Adopting HIPAA, the new law states that an individual’s protected health information may not be disclosed without the patient’s authorization, except for purposes of treatment, payment, health care operations, insurance purposes, and as otherwise authorized by state or federal law. Covered entities must provide notice to patients of their policies on their website or other prominent place where patients will see the notice.

Most notably, the law substantially increases penalties for privacy violations from $2,500 per violation to up to $5,000 per negligent violation, up to $25,000 per knowing or intentional violation, and up to $250,000 in penalties if the disclosure is for financial gain. For repeat offenders, the maximum penalty is increased to $1.5 million. A health care provider’s professional or institutional license may also be revoked for repeated violations under the new law. With a single disclosure, a covered entity with Texas patients is potentially subject to substantial state and federal penalties depending on the violation.

The Texas law also puts into place a regulatory framework with the Texas Health and Human Services Commission, Texas Health Care Authority, Texas Department of Insurance, and the Texas Attorney General’s office having audit authority to ensure privacy compliance. The AG’s office is also required to set up a complaint system and information website, already seen in several other states. The Texas Health Care Authority is charged with developing standards for electronic sharing of protected health information in compliance with HIPAA, to ensure security maintenance and disclosure of records.

Proposed Rule Would Change HIPAA Accounting of Disclosures - Covered Entities Will Continue to Face Significant Technical Challenges

On May 31, 2011, the U.S. Department of Health and Human Services (HHS) published a proposed rule adopting sweeping changes to the "accounting of disclosures" requirement under 45 C.F.R. § 164.528 that are likely to have a significant impact on the health information technology (HIT) systems being implemented by many healthcare providers, health plans (including employer-sponsored plans) and business associates. The proposed requirements will not become final until after comments are received and evaluated and a final rule is published by HHS later this year or next. Therefore, healthcare providers, health plans (including employers sponsoring health plans) and business associates should take this opportunity to carefully review the proposed rule's provisions, send comments to HHS and consider the systematic changes that may be necessary when the rule becomes final.

The proposed rule changes the existing Health Insurance Portability and Accountability Act (HIPAA) accounting requirement in two very significant ways. First, it revises the accounting requirement to shorten the time period covered by the regulation to the three-year period prior to the request (previously six years) for all disclosures of protected health information (PHI) (paper and electronic), while removing certain exceptions, including those for disclosures related to treatment, payment and healthcare operations. Second, in the interest of balancing the right of individuals to learn about disclosures of their PHI against the burden on covered entities of providing detailed accounting reports, the proposed rule creates a new “access report” requirement which enables covered entities to provide only the date, time and identity of the person who accessed an individual’s electronic PHI, but does not require tracking or reporting the purpose of the disclosure as required under the existing accounting requirement.

Existing HIPAA Accounting Requirement Expanded by HITECH Act

Under the existing HIPAA privacy regulations, individuals are entitled to receive an “accounting” of all disclosures of PHI made by the covered entity, including those through its business associates, for the six years preceding the individual's request, excluding certain permissible disclosures, the most significant of which are (1) for treatment, payment and healthcare operations; (2) disclosures to the individual about him or her; and (3) disclosures to law enforcement. 45 C.F.R. § 164.528(a)(1). The accounting is required to be furnished to the individual no later than 60 days after receiving a written request.

When Congress passed the Health Information Technology for Economic and Clinical Health Act (HITECH Act), part of the stimulus legislation known as the American Recovery and Reinvestment Act of 2009, it instructed HHS to adopt an accounting requirement specifically related to “electronic health records” (EHRs) by requiring the accounting of disclosures from an EHR to include all disclosures, without excluding those made for treatment, payment and healthcare operations and shortening the time period covered by an accounting of disclosures from an EHR to three years instead of six (paper records still would be subject to a six-year accounting period). The HITECH Act directed HHS to issue regulations by not later than June 18, 2010.

The changes put forth by HHS in the May 31 proposed rule go significantly beyond the requirements of the HITECH Act, but HHS asserts they are consistent with the major purpose of the Act which was to apply the accounting requirement to electronic PHI in an EHR.

Revisions to the Accounting of Disclosures of PHI Under § 164.528

Healthcare providers, health plans and employer-sponsored health plans may welcome some of the changes being proposed to the existing accounting of disclosures requirement, while finding other changes more burdensome. HHS proposes to shorten the time period covered by a request for an accounting to just three years, regardless of whether the records are paper or electronic. This should enable covered entities to apply accounting procedures consistently across all types of PHI. Additionally, HHS has chosen to focus more attention on accounting of disclosures that are presumed to be most important to individuals by removing some disclosures from the requirement, while adding specific requirements for other categories of disclosures. For example, on the one hand, disclosures for clinical research will be excluded from the accounting requirement (assuming that the IRB or research practitioner has followed HIPAA’s requirements for an authorization or research waiver), as will disclosures that are required by law. On the other hand, a full accounting will be required for all disclosures that are not permitted under HIPAA, including unauthorized disclosures that did not rise to the level of a “breach” under the Breach Notification Interim Final Rule published at 45 C.F.R. part 164, subpart D, disclosures for public health activities (such as infectious disease reporting) and for all disclosures made for law enforcement purposes and judicial or administrative proceedings (even though such disclosures in certain cases do not require an authorization).

Further, on the positive side, the proposed rule limits the accounting for disclosures requirement to only the PHI maintained in a “designated record set” instead of all PHI that may be scattered throughout an organization. Nevertheless, on the negative side, covered entities may find significant challenges in determining what exactly constitutes a “designated record set,” and will continue to be required to track the purpose of each disclosure subject to an accounting -- a task many covered entities have found will add a significant level of complexity to the already expanding list of required features of HIT systems. Generally speaking, a “designated record set” is a group of records maintained by or for a covered healthcare provider that comprises the medical and billing records about individuals or maintained by a health plan (including an employer-sponsored health plan) comprising the enrollment, payment, claims adjudication and case or medical management record systems used, in whole or in part, by or for either type of covered entity to make decisions about individuals. The applicability and scope of the definition (i.e., what provider or health plan records fall within or outside of the definition) have perplexed some covered entities who may be particularly challenged by the existing requirement to maintain written or electronic documentation showing all designated record sets maintained within their organization, under 45 C.F.R. § 164.524. Additionally, the HHS preamble to the proposed rule specifically applies the accounting requirement to copies of designated record sets held by business associates, a factor likely to necessitate amendments to business associate contracts.

As indicated by the brief highlights of the proposed rule described above, the new requirements contain a mixed bag of changes designed to enhance an individual’s right to learn where, by whom and for what purpose disclosures of their PHI have been made, while lessening the burden on covered entities by reducing the types of disclosures and the time period covered by the accounting requirement.

Further helping to improve the individuals’ understanding of the types of disclosures made about them may be the new requirement for an access report, described below, which will allow covered entities to respond in a more narrow fashion to individuals’ requests for information on disclosures of their PHI maintained in an electronic designated record set.

New “Access Report” Will Be Required Upon Request by an Individual

Perhaps the most significant change proposed by HHS is the new right of individuals to receive an access report including, at a minimum, the date and time of access and the name of the user or entity that accessed or disclosed PHI maintained in an electronic designated record set. The report must include all access, including uses as well as disclosures, which is a significant expansion of the existing accounting requirement. There will be no distinction between access by internal employees and access by persons outside an organization. Additionally, the report must indicate the type of information accessed (e.g., diagnosis or medications) and the action taken (modify, transfer, etc.), but only if either of such information is available in the HIT system. Perhaps most significantly, the access report applies to all electronic PHI maintained in a designated record set, not just EHRs, and the exception for disclosures relating to treatment, payment or healthcare operations would not apply. Thus, while HHS points out that the new access report requirement satisfies the HITECH Act's mandate to apply the accounting requirement to EHRs, in actual operation, the proposed rule expands the right to an accounting to cover a much wider variety of disclosures, including internal uses of PHI by employees. These changes would create significant new challenges for covered entities already grappling with the design and implementation of appropriate system activity logs and audit reporting technology to comply with existing privacy and security laws.

Impact on Covered Entities and Business Associates

The proposed accounting requirement changes published on May 31 will create significant new challenges to a wider spectrum of covered entities than previously expected by most experts. For example, the expansion of the access report to cover all electronic PHI, rather than merely EHRs, will sweep within the rule's application many additional entities that customarily do not maintain EHRs, such as health plans and health insurers (including employers that sponsor such plans) and business associates working with electronic PHI. Additionally, the application of the new requirements specifically to designated record sets will highlight the need for covered entities and business associates to develop and document the types of PHI they routinely use or disclose, to ensure that designated record sets are appropriately tracked and oversight maintained (both human and electronic) for purposes of preparing an adequate accounting or access report within the time limits and other requirements under the regulation.

Keep in mind that the new requirements published on May 31 are only proposed. Nevertheless, assuming that many of the provisions are enacted in a final rule, the following activities, among others described previously, will be needed. It may not be too early for covered entities and business associates to consider and plan for the following new requirements:

Business Associate Agreements

Healthcare providers, health plans and employers sponsoring health plans will need to amend their business associate agreements with business associates (such as billing companies and consultants, third-party administrators and other vendors handling PHI) to reflect and facilitate compliance with the new accounting and access reporting requirements. These amendments should include descriptions of the shortened timing and detailed content required for such reports. Business associate agreements should be amended to require that business associates take steps to gather the appropriate information and actively assist with compiling reports when and as requested by their covered entity customers.

Notice of Privacy Practices

Changes to covered entity Notices of Privacy Practices will be necessary to appropriately describe the new accounting and access report requirements and to inform individuals of the types of disclosures subject to the requirements. For health plans and employers, because these updates are considered material revisions to the notice, the revised Notices will need to be distributed within 60 days of the material revision.

Record Retention Policies

Covered entity and business associate record retention policies would need to be updated to reflect changes in the document retention rules as they apply to accountings of disclosures and the new access report requirement. Specifically, information that is required to be included in an accounting or access report must be retained for three years from the date of the disclosure, but the actual accounting or report must be retained for six years.

Enhanced Tracking of Disclosures and Access

The new rule will put greater urgency and emphasis on adopting reasonable and appropriate technical and administrative measures to log access, changes, uses and disclosures of electronic PHI, including those for public health, law enforcement, judicial or administrative proceedings, research and other permissible activities, which may become subject to the expanded reporting requirements.
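As an added illustration of the logging described above and of the report contents and retention periods described under “New ‘Access Report’ Will Be Required Upon Request by an Individual” and “Record Retention Policies” (this is example code, not from HHS, the proposed rule or any EHR vendor), the block below keeps one access log for a designated record set and derives both reports from it: the access report lists every use and disclosure in the three years before the request, carrying the information type and action only where the system recorded them, while the accounting of disclosures keeps the purpose that the existing requirement still demands. The log entries, user names, recipients and request date are constructed; the three- and six-year retention figures are the ones stated on this page.

```python
"""Added example (not from the proposed rule or any EHR vendor): an ePHI
access log for a designated record set and the reports derived from it.
Log entries, users, recipients and dates below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AccessEvent:
    timestamp: datetime              # when the record set was touched (UTC)
    patient_id: str
    user: str                        # person or entity that accessed the ePHI
    disclosed_to: Optional[str]      # None for an internal use, else the recipient
    purpose: Optional[str] = None    # tracked for disclosures only
    info_type: Optional[str] = None  # e.g. "diagnosis", only if the system records it
    action: Optional[str] = None     # e.g. "view", "modify", only if recorded


def utc(y: int, m: int, d: int, hh: int = 0, mm: int = 0) -> datetime:
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


def shift_years(when: datetime, years: int) -> datetime:
    """Move a timestamp by whole years; 29 February lands on 28 February."""
    try:
        return when.replace(year=when.year + years)
    except ValueError:
        return when.replace(year=when.year + years, day=28)


def in_window(e: AccessEvent, patient_id: str, requested_on: datetime) -> bool:
    # Three years preceding the request, for paper and electronic records alike.
    return (e.patient_id == patient_id
            and shift_years(requested_on, -3) <= e.timestamp <= requested_on)


def access_report(log: List[AccessEvent], patient_id: str,
                  requested_on: datetime) -> List[Dict[str, Optional[str]]]:
    """Every access, internal use or disclosure, in time order. Type and
    action stay None when the system did not record them."""
    return [{"date_time": e.timestamp.isoformat(), "user": e.user,
             "info_type": e.info_type, "action": e.action}
            for e in sorted(log, key=lambda ev: ev.timestamp)
            if in_window(e, patient_id, requested_on)]


def accounting_of_disclosures(log: List[AccessEvent], patient_id: str,
                              requested_on: datetime) -> List[Dict[str, Optional[str]]]:
    """Disclosures only; the purpose must still be tracked for these."""
    return [{"date_time": e.timestamp.isoformat(), "recipient": e.disclosed_to,
             "purpose": e.purpose}
            for e in sorted(log, key=lambda ev: ev.timestamp)
            if in_window(e, patient_id, requested_on) and e.disclosed_to is not None]


def retention_deadlines(event_ts: datetime,
                        report_generated_on: datetime) -> Dict[str, datetime]:
    """Underlying log data: three years from the disclosure; the report itself: six."""
    return {"log_entry_until": shift_years(event_ts, 3),
            "report_until": shift_years(report_generated_on, 6)}


# Constructed log: three in-window events and one too old for patient P-001,
# plus an event for a different patient that must not leak into the report.
SAMPLE_LOG = [
    AccessEvent(utc(2010, 3, 1, 8, 15), "P-001", "nurse.rn", None,
                info_type="medications", action="view"),
    AccessEvent(utc(2009, 1, 10, 14, 2), "P-001", "billing.clerk", None, action="view"),
    AccessEvent(utc(2010, 5, 20, 9, 0), "P-001", "him.release", "Acme Health Plan",
                purpose="payment"),
    AccessEvent(utc(2007, 12, 1, 11, 30), "P-001", "him.release", "State Health Dept",
                purpose="public health"),
    AccessEvent(utc(2010, 6, 2, 16, 45), "P-002", "nurse.rn", None, action="view"),
]
REQUEST_DATE = utc(2011, 6, 15)

if __name__ == "__main__":
    for row in access_report(SAMPLE_LOG, "P-001", REQUEST_DATE):
        print(row)
    print(accounting_of_disclosures(SAMPLE_LOG, "P-001", REQUEST_DATE))
    print(retention_deadlines(utc(2010, 5, 20, 9, 0), REQUEST_DATE))
```

For the constructed request the access report carries three rows (the billing clerk’s view, the nurse’s view and the release to the health plan), the accounting of disclosures carries only the health plan release, and the 2007 public health disclosure falls outside the three-year window of both. Note that the billing clerk’s entry reports no information type because the constructed system did not record one, which is the behaviour the proposed rule permits.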

HHS has asked that comments on the proposed rule be submitted by August 1, 2011. HIPAA-covered entities, including providers and employer health plan sponsors, should seriously consider submitting comments and questions to HHS in an effort to shape how these rules will ultimately affect them.

Authorship credit:

John S. Mulhollan, jmulhollan@bakerlaw.com

Susan Whittaker Hughes, shughes@bakerlaw.com

Lynn Sessions, lsessions@bakerlaw.com


HHS Inspector General Reports Highlight IT Security Gaps in Health Care

On May 16, the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) issued two reports critical of the government’s efforts to build and enforce a federal information security framework for protecting individuals’ electronic protected health information (ePHI).  Of particular interest to health care providers and health plans, these reports signal that heightened enforcement efforts appear likely in the future, making information security a top priority when developing and operating interoperable health care information technology (HIT).

The first OIG report, which assessed the Centers for Medicare and Medicaid Services’ (CMS’) and Office of Civil Rights’ (OCR’s) oversight of the Security Standards under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), found shortcomings in hospital information security implementation, and criticized a perceived lack of effective oversight of such Security Standards by CMS and OCR.  The OIG audit examined information security systems at seven large hospitals located in several states.  The report found 151 security vulnerabilities, ranging from insufficient password strength and unencrypted laptops containing ePHI, to lack of physical protections (e.g., locks) for computer storage rooms, inadequate encryption methods, and incomplete policies and procedures to address audit controls, backup plans and disaster contingencies.  The majority of findings were rated as “high impact”, meaning they posed a significant risk of harm to the individuals whose ePHI was transmitted or stored in such facilities.  The report concluded that the OCR needs to significantly improve oversight and enforcement of data security under HIPAA, including continuation of the compliance oversight reviews of covered entities begun in 2009 at the direction of CMS.  The OIG report also referred to exercise of the specific HIPAA enforcement measures and larger penalties enacted under the 2009 American Recovery and Reinvestment Act’s Health Information Technology for Economic and Clinical Health Act (HITECH) provisions.

The second OIG report criticized the Office of the National Coordinator for Health Information Technology (ONC), the agency created under ARRA/HITECH to administer and oversee federal incentives for the adoption and meaningful use of interoperable electronic health records (EHRs), and other related national HIT initiatives.  That report found that the ONC failed to incorporate general information security requirements in the measures required for certified EHRs under HITECH.  While certain application security controls were included in the HIT standards, the OIG found that general security requirements for the overall security structure, policies and procedures to be specifically applied to EHR systems, were lacking.

In light of these OIG reports, and of ongoing news of misappropriation of patients’ health information and wide-scale security breaches, health care providers and health plans should consider reassessing their security risk exposure and preparedness to address information security lapses and HIPAA enforcement likely to be at the forefront of the national HIT trend.

Medicare and Medicaid EHR Incentive Programs--Early Results Show Strong Interest in HITECH and Meaningful Use

On February 23,  The Centers for Medicare & Medicaid Services (“CMS”) announced that more than 21,000 providers initiated registration for the Medicare and Medicaid EHR Incentive Programs in January and four states reported initial Medicaid incentive payments totaling $20,425,550.   The Medicare and Medicaid EHR Incentive Programs were enacted by Congress under the Health Information Technology for Economic and Clinical Health Act (“HITECH”).  In addition, the Office of the National Coordinator for Health Information Technology (“ONC”) announced that as of Feb. 11, 2011, more than 45,000 providers requested information or registration help from 62 Regional Extension Centers (RECs).  RECs provide hands-on support for providers who want to adopt and become meaningful users of electronic health information technology. According to CMS, this early interest in the Medicare and Medicaid EHR programs reveals strong support for these programs that will advance health care through improvements in patient safety, quality of care, and patient involvement in treatment options.

Eligible professionals and hospitals must register in order to participate in the Medicare and Medicaid EHR incentive programs.  Registration opened on Jan. 3, 2011.

Providers and business associates may go to the following websites to learn more about the Medicare and Medicaid EHR financial incentives and Meaningful Use requirements, including Frequently Asked Questions (“FAQ”): 

HIPAA Bombshells -- Major Civil Monetary Penalties Imposed Against Covered Entities for Privacy Violations

The last week of February 2011 will likely be remembered as a noteworthy milestone in the history of HIPAA privacy enforcement by the Department of Health and Human Services (“HHS”).  Showing that HHS intends to vigorously exercise the expanded civil monetary penalty enforcement provisions enacted in 2009 under the Health Information Technology for Economic and Clinical Health Act (“HITECH”), HHS announced that it reached significant resolutions of two cases of alleged HIPAA privacy violations by covered entities.  In the first announcement on February 22, HHS disclosed it has required Cignet Health to pay $4.3 million in civil monetary penalties (“CMPs”) for failing to comply with patient requests to access their health records (protected health information, or “PHI”), and for failing to cooperate in the resulting HIPAA enforcement investigation by the HHS Office of Civil Rights.  In addition to drawing attention to HHS’ intent to exercise its expanded powers under HITECH, the case sends a message that failure to take seriously the specific requirements of HIPAA privacy regulations and honor patient requests in a diligent and timely manner can result in significant financial exposure to covered entities and their business associates.  Of the total $4.3 million CMP imposed against Cignet Health, $3 million was related solely to the company’s alleged failure to cooperate in the HIPAA investigation.  While such an amount could potentially be avoided or mitigated by organizations that diligently and thoroughly cooperate in any investigation of alleged HIPAA violations, the remaining $1.3 million imposed against the organization indicates the vigorous approach that could be taken by HHS in the future with respect to enforcing patients’ privacy rights.

Two days after the announcement of the $4.3 million CMP against Cignet Health, HHS announced on February 24 that it had reached a resolution agreement with The General Hospital Corporation and its affiliate Massachusetts General Physicians Organization, Inc. (“Mass General”) regarding the loss of 192 paper files containing PHI of Mass General outpatients.  The files, which were mistakenly left on a subway train by an employee while commuting, contained billing records with the name, date of birth, medical record number, health insurer and policy number, diagnosis, and name of provider for 66 patients.  Also left on the train were daily office schedules for three days that contained the names and medical record numbers for 192 patients.  HHS found that Mass General failed to implement reasonable and appropriate standards to protect the privacy of PHI when removed from its facilities.  Mass General agreed to pay $1 million to resolve the matter, but perhaps just as significant as the large civil penalty is the agreement by Mass General to adhere to a three-year corrective action plan, requiring it to develop and present for HHS approval new privacy and data security policies and procedures intended to address the administrative, technical and physical safeguards required under the HIPAA regulations, and to train all employees within 90 days of HHS approval of such policies.  The agreement also requires Mass General to appoint an internal monitor for the corrective action plan, who must report to HHS semi-annually the results of its monitoring and any “Reportable Events” under the agreement.
In a requirement of which all covered entities and business associates should take notice, the resolution agreement requires Mass General to issue a communication to all employees prohibiting them from physically removing PHI from facility premises, except for the performance of their job duties and only if reasonable and appropriate steps are taken to safeguard the confidentiality of the PHI removed.

Noteworthy Data Privacy and Information Security Events in 2010

The two events that drew the most attention in 2010, both of which occurred at year-end, were reports from the FTC and the Department of Commerce.  Below is a brief summary of those two reports and other issues drawing attention in the past year:

(1) FTC Issues Long-Awaited Consumer Privacy Policy Report

On December 1, the FTC published the preliminary report Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policy Makers.

The FTC’s press release provides a summary of the preliminary report.  The best practices framework recommended in the preliminary report for businesses that collect or use consumer data includes:

  • simplifying choices for consumers, providing consumers with greater transparency, and following the Fair Information Practice Principles;
  • creating a “Do Not Track” mechanism to give consumers a choice to avoid online tracking;
  • extending protection to information collected offline;
  • dispensing with the distinction between PII and non-PII because technology allows data fragments to be pieced together; and
  • a “Privacy by Design” concept for businesses.

The preliminary report did not change the FTC’s continued focus on self-regulation.  Finally, the preliminary report contained an appendix with 64 questions on which it invited comment by January 31, 2011.  A final report will be issued later in 2011 based on the comments. 

(2) Department of Commerce Calls for a “Privacy Bill of Rights”

On the heels of the FTC’s preliminary report, the Department of Commerce Internet Policy Task Force released a green paper titled: Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.  The press release contains a summary.

The Baker Hostetler Data Privacy Monitor covered this green paper here.  The four broad policy recommendations of the task force are:

  • Enhance consumer trust online through recognition of revitalized Fair Information Practice Principles.
  • Encourage the development of voluntary, enforceable privacy codes of conduct in specific industries through collaborative efforts of multi-stakeholder groups, the FTC, and a Privacy Policy Office within the Department of Commerce.
  • Encourage global interoperability.
  • Ensure nationally consistent security breach notification rules.

(3) Behavioral Advertising Opt-Out Icon

As reported by the Baker Hostetler Data Privacy Monitor, a behavioral advertising industry group proposed a Self-Regulatory Program for Online Behavioral Advertising, which features an “Advertising Option Icon” that can be placed near online ads that collect data used to conduct behavioral advertising.  Users who click on the icon will receive a disclosure statement about the data collection and use practices associated with the ad along with the ability to opt-out of being tracked.

(4) Social Media

  • Facebook faced several privacy issues, including an FTC complaint regarding its privacy policy, the online publication of details of 100 million Facebook users, and questions from U.S. Senators.
  • Google apologized for collecting about 600 gigabytes of data snippets captured from e-mails and browsing history from Wi-Fi networks in more than 30 countries.
  • In the first FTC action against a social network service, Twitter settled charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information.

(5) HHS/HIPAA/HITECH

  • White House Forms New Subcommittee to Review Online Privacy Issues
  • HHS Withdraws Draft Of Final HIPAA Breach Notification Rule

(6) Massachusetts Data Security Regulations

Massachusetts’ aggressive new data security regulations (201 CMR 17.00 et seq.), which became effective on March 1, 2010, contain broad and imposing mandates that go further than any other state law or regulation.  Even companies that have no facilities or personnel in Massachusetts must comply with the strict mandates if they maintain personal information of any Massachusetts resident in connection with providing goods or services. 

All businesses covered by the statute must institute a written information security program.  That program must, among other things:

  • Designate an employee to maintain the security program;
  • Identify and evaluate internal and external security risks;
  • Impose disciplinary measures for violations of the program rules;
  • Oversee third-party service providers;
  • Require regular monitoring and updating of the program; and
  • Document responsive actions taken in connection with any breach of security.

For many businesses, the most difficult compliance issues arise from the encryption mandates of 201 CMR 17.04, which require the encryption of: (1) laptops containing personal information that leave the business’s premises; (2) personal information transmitted across the Internet or wirelessly; and (3) backup tapes on a prospective basis.

Is Your EHR System Private Enough?

News accounts and criminal convictions involving unauthorized access or theft of electronic health records by health care facility or medical practice employees are raising renewed concerns about the privacy and security implications associated with the surging development and use of electronic health records systems (EHR). While providers who implement EHR systems often feel confident in the security offered by firewalls, passwords and encryption protection embedded in their EHR systems, a potential threat to patient privacy remains simply in the fact that a large number of a provider’s employees may have broadly-defined access rights to virtually all of a provider’s patient records.   Whether such broad access is what the Health Insurance Portability and Accountability Act of 1996 (HIPAA) intended is a question on which the views of industry experts and lawmakers vary.  Stakeholder views may differ based on clinical, operational, financial and personal privacy considerations.

Under the HIPAA privacy regulations, with a few limited exceptions, when making disclosures or using PHI outside of treatment, a covered entity must make reasonable efforts to limit PHI disclosures to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, or otherwise obtain an authorization from the patient.  See 45 C.F.R. § 164.502(b).  The minimum necessary requirement is to be implemented by identifying “those persons or classes of persons, as appropriate, in [the covered entity’s] workforce who need access to protected health information to carry out their duties” and “for each such person or class of persons, the category or categories of protected health information to which access is needed and any conditions appropriate to such access.”  45 C.F.R. § 164.514(d)(2)(A) and (B).  Thus, a design issue in developing or purchasing a HIPAA-compliant EHR system is whether or not the system includes technology that reasonably and appropriately limits access to patient information to only those members of the workforce who need it, or so-called role-based access capability.  While the classification of access rights and limitations on the categories of PHI that can be viewed may add complexity and expense to an EHR system, this HIPAA requirement should not be overlooked.   Additionally, among other safeguards, the ability to log information system activity (e.g., record the user’s identity, time, type and extent of data accessed), and to perform security audits and forensic investigations on an EHR system, are important components needed to facilitate a covered entity’s compliance with the HIPAA privacy and security regulations, and to reassure patients that their privacy is indeed being protected during this period of rapid EHR expansion.
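The role-based, minimum-necessary access and activity logging described above, as an added illustration that is not code from the original post: workforce classes are mapped to the PHI categories they need, every access attempt is logged with user, role, patient, category and time, and two audit queries surface denied attempts and the extent of a user's access. The roles, categories and patient identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed role-to-PHI-category matrix (hypothetical roles and categories),
# modelled on 45 C.F.R. 164.514(d)(2): each workforce class is mapped to only
# the categories of PHI its duties require.
ROLE_ACCESS = {
    "attending_physician": {"demographics", "diagnosis", "medications", "notes"},
    "billing_clerk": {"demographics", "insurance", "diagnosis"},
    "scheduler": {"demographics"},
}


@dataclass(frozen=True)
class AuditEvent:
    """One log entry: who, in what role, touched which patient's data, and when."""
    user: str
    role: str
    patient_id: str
    category: str
    allowed: bool
    timestamp: str


class EHRAccessControl:
    def __init__(self, role_access=None):
        self.role_access = role_access if role_access is not None else ROLE_ACCESS
        self.audit_log = []

    def access(self, user, role, patient_id, category):
        """Return the record only if the role's category list permits it.
        Every attempt, allowed or denied, is logged before the decision is enforced."""
        allowed = category in self.role_access.get(role, set())
        self.audit_log.append(AuditEvent(user, role, patient_id, category, allowed,
                                         datetime.now(timezone.utc).isoformat()))
        if not allowed:
            raise PermissionError(f"{role} may not view {category} for {patient_id}")
        return f"<{category} record for patient {patient_id}>"


def denied_attempts(log):
    """Audit query: attempts that fell outside the user's role, for security review."""
    return [e for e in log if not e.allowed]


def patients_viewed_by(log, user):
    """Audit query: the extent of a user's access, as distinct patients viewed."""
    return sorted({e.patient_id for e in log if e.user == user and e.allowed})
```

Reviewing the output of both queries on a schedule is the security audit the paragraph refers to; a user whose viewed-patient set far exceeds their caseload is the classic sign of the broad-access problem.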

HHS Withdraws Draft Of Final HIPAA Breach Notification Rule

On July 28, 2010, the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) announced that it withdrew the draft of the final rule for HIPAA breach notification that it had submitted in May to the Office of Management and Budget (OMB) for review.  The possible reasons for such withdrawal will be discussed below, but covered entities should note that the obligation to report breaches of unsecured protected health information (PHI), which took effect on September 23, 2009, following the publication of an Interim Final Rule promulgated under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), remains in effect.  All covered entities, and their business associates, should have in place and/or adhere to an effective Breach Notification Policy containing appropriate procedures to investigate, report and mitigate breaches of privacy or security of PHI.
