What's the Cost of Losing a Laptop? $1.5 Million.

HHS announced today that it resolved a HIPAA security breach matter with two Massachusetts providers for $1.5 million.  In compliance with the Breach Notification Rule, the Massachusetts providers reported the theft of an unencrypted laptop containing ePHI.  Lest there be any lingering doubt as to the importance of compliance with the Security Rule, OCR Director Leon Rodriguez stated "In an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices . . . This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom."  In addition to the settlement payment, the Massachusetts providers agreed to a corrective action plan that will be overseen by an independent monitor for the next three years.


Let the Audits Begin . . .

Following the mandate set forth in HITECH, OCR has just announced that it's piloting a HIPAA compliance audit program beginning this month in order to assess HIPAA compliance efforts.  During this pilot phase, which is expected to last through December 2012, OCR will audit up to 150 covered entities from "as wide a range of types and sizes of covered entities as possible."  At least for now, Business Associates will not be included in the pilot program.  OCR has engaged KPMG LLP to conduct the audits, and has made public a sample initial notification letter.  

Each audit will include a request for documents and information, a site visit, and a draft audit report.  Covered entities will have the ability to comment on the auditor's report before it is finalized.  While OCR states that it primarily will be using the audit reports to help develop technical assistance and evaluate the efficacy of corrective action plans, OCR is retaining the right to initiate a compliance review to evaluate any serious compliance issues uncovered during this process.  At the conclusion of the pilot program, OCR will "broadly share best practices gleaned through the audit process and guidance targeted to observed compliance challenges."  What happens after the pilot program, however, remains to be seen.

Be Smart About Using Your Smart Phone in Practice: Understand and Manage the Risks Involved in Using Smart Phones and Tablets in Medical Practice

Thousands of people lose or have their smart phones and other portable devices stolen every day. While most people worry only about the irritation of replacing their phone in such a situation, when a health care professional loses a portable device containing patient information, the irritation of replacing the phone is the least of their worries. With the government handing out million dollar plus penalties for the mistreatment of patient information, now is the time to ensure your practice is best positioned to deal with the inevitable loss of a smart phone.

Erin McAlpin Eiselein, Partner at Davis Graham & Stubbs LLP, and Dr. Marion Jenkins, CEO of QSE Technologies, presented a seminar last Thursday, July 14th, covering best practices for health care providers who use smart phones and tablets in their medical practice.  To view the presentation slides, please click here.  Learn how to minimize risk and avoid potential liability under the federal and state privacy and security laws so that the loss of a phone does not turn into the loss of your practice.

Improper Release of PHI Draws Criminal Indictment

A physician in Virginia has been criminally indicted and charged with three counts of violating HIPAA in connection with release of protected health information ("PHI") to a patient's employer.  This criminal charge is unique in that it does not allege that the physician released the PHI for personal gain.  Instead, the charges are based on the fact that improper release was made "under the false pretenses that the disclosure of said information was necessary . . . . "  Specifically, the physician knew that the patient was not a serious and imminent threat to the safety of the public, but used that as a basis upon which to release the PHI to the patient's employer.

This indictment demonstrates that the government will pursue criminal charges if it disagrees with a health care provider's rationale for releasing PHI.  Health care providers should continue to carefully adhere to their HIPAA privacy policies when releasing any PHI, and consult with legal counsel in the event that they are unsure whether a release of PHI is permitted under HIPAA.       

OCR Strikes Again: Mass General Pays $1 Million to Settle HIPAA Violations

On the heels of the Cignet Health civil monetary penalty for $4.3 million only two days ago, the OCR has announced today that Mass General, one of the country's oldest and largest hospitals, has agreed to pay HHS $1 million to settle potential HIPAA violations.  The incident leading to this settlement involved an employee who brought documents on the subway with her, as she intended to work on them at home.  Unfortunately for Mass General, those documents contained PHI of 192 individuals and the employee accidentally left the documents on the subway.  In addition to the million dollar payment, Mass General also agreed to enter into a Corrective Action Plan, which requires the hospital to develop additional privacy policies and procedures, ensure that employees complete additional HIPAA training, and provide HHS with semi-annual reports for the next three years.  The settlement agreement and Corrective Action Plan are available here.

It's a First - HIPAA Violation Costs Cignet Health $4.3 million

HHS imposed the first civil monetary penalty for a HIPAA violation against Cignet Health.  The $4.3 million penalty arose from Cignet's failure to allow 41 patients access to their medical records.  It was then exacerbated by Cignet's refusal to cooperate with the OCR's investigation.  Cignet's willful neglect of its obligation to cooperate with the government investigation ultimately cost it $3 million on top of the $1.3 million CMP imposed for the underlying access violation.  Lest there be any lingering doubt, ignoring a government investigation won't make it go away!

New Study Says Hospital Data Breaches Are Frequent and Expensive

How secure is patient data at hospitals?  Not as secure as it should be says a new study released yesterday by the Ponemon Institute, an independent research organization dedicated to privacy, data protection and information security policy.  Despite HITECH's mandates and the move toward EMR, the study found that "data breaches remain a frequent occurrence at healthcare organizations - threatening patient privacy and leaving healthcare organizations with a heavy financial burden." 

Not only is data not as secure as it should be, but data breaches are costing hospitals an estimated $1 million per year each.  With 5,815 registered hospitals in the United States, data breach incidents are costing the health care industry almost $6 billion per year.

Among the study's more interesting findings are the following:

  • Only 29% of hospitals surveyed responded that they have sufficient resources to prevent or quickly detect patient data loss or theft.  
  • Employees are the best line of defense in detecting data breaches, underscoring the importance and value of training data handlers.
  • Of the hospitals that have implemented EMR, 74% believe EMRs have made their data more secure.

Notably, the study was sponsored by ID Experts, a self-described "leading provider of comprehensive data breach solutions."  The results, however, are hardly surprising considering that as of September 20, 2010, almost 5 million patients have had their PHI exposed through the largest 166 data breaches. 

Investment in secure data storage coupled with vigilant training should be on every health care provider's agenda for 2011.

HHS Withdraws HIPAA Breach Notification Final Rule

The HHS final rule on breach notification was submitted to the OMB on May 14, 2010, which is typically the final step before the final rule is published. HHS, however, “withdrew” the final rule from the OMB to “allow for further consideration, given the Department’s experience to date in administering the regulations,” as it stated in a notice posted on the HHS website. HHS failed to explain the reason for withdrawing the final rule for further consideration except to note that the breach notification issue is “complex.” 

The breach notification interim final rule, issued pursuant to the HITECH Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009. According to HHS, during the 60-day public comment period on the interim final rule, HHS received approximately 120 comments.

Many in the industry have speculated that this withdrawal may be related to the controversial “harm” threshold set forth in the rule. Under the harm threshold, a provider only needs to notify patients about a data breach if the provider determines that the breach presents a significant risk of harm to the patients. Critics of the harm threshold contend that all breaches should be disclosed and providers should not have the discretion to make such a risk assessment.

A final rule is expected in the coming months. This withdrawal does not have an impact on the interim final rule.

HIPAA Violation Costs Rite Aid $1 Million

How much does it cost to violate HIPAA?  For drug store chain Rite Aid Corporation, the answer is $1 Million.  Today, HHS announced that Rite Aid will pay a $1 million fine, implement a corrective action program, and sign a consent order with the Federal Trade Commission to resolve a coordinated investigation.  The investigation was triggered by television media outlets capturing images of prescription bottles containing protected health information improperly disposed in trash containers accessible to the public.  Even after Rite Aid pays the fine, it will feel the effects of its non-compliance for a long time to come, as the FTC consent order will remain in place for 20 years.

New OCR Rule Strengthens HIPAA Requirements

Yesterday the Office for Civil Rights (“OCR”) released a Proposed Rule modifying the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) requirements. OCR issued this Proposed Rule pursuant to the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. The Proposed Rule will not be published in the Federal Register until July 14, 2010, and there will be 60 days from that date to comment.

More specifically, this Proposed Rule modifies and strengthens the HIPAA Privacy Rule, Security Rule, and Enforcement Rule as well as the penalties and investigation provisions. The most notable changes include the following:

  • The requirements of the Privacy Rule and Security Rule will apply to business associates in the same manner they currently apply to covered entities.
  • Subcontractors of business associates will be considered business associates, and the business associate must obtain “satisfactory assurances” through a contract or other arrangement that the subcontractor will comply with the applicable privacy and security requirements. 
  • There will be new limitations on the use and disclosure of protected health information (“PHI”) in marketing and fundraising, including a requirement that individuals be given opportunities to opt out of receiving marketing or fundraising materials without any impact on their future treatment.
  • Covered entities and business associates will be prohibited from selling an individual’s PHI without that individual’s authorization, and covered entities will not be allowed to coerce patients into authorization by conditioning treatment, payment, enrollment, or eligibility for benefits on authorization.
  • The Proposed Rule expands patients’ rights by allowing patients to request that a covered entity restrict uses or disclosures of their PHI, and by giving patients greater access to copies of their electronic health records.
  • Covered entities’ Notice of Privacy Practices given to patients must include additional information, such as the authorization requirements described above.
  • Penalties for violations of HIPAA privacy and security requirements will be increased to $1.5 million per calendar year for violations of the same requirement or prohibition.
  • The Proposed Rule defines the terms “reasonable cause,” “reasonable diligence,” and “willful neglect,” which provide the basis for the various categories of liability under the Enforcement Rule.
  • Covered entities will have certain identified responsibilities during complaint investigations and compliance reviews.

Red Flags Rule Enforcement Postponed until Court Ruling

The Federal Trade Commission (“FTC”) and several medical associations have agreed to a joint stipulation that the FTC would not enforce its Red Flags Rule with respect to physician members of various associations until the DC Circuit rules on the American Bar Association’s pending action challenging the Red Flags Rule. Although the FTC has already announced that it will again delay the deadline for compliance with the Red Flags Rule until December 31, 2010, this stipulation may extend further the compliance deadline for physicians in the medical associations and state medical societies referred to in the case.

OCR Still Working On HITECH Rulemaking, Delays Enforcement of Certain Provisions

On March 18, 2010, the Office of Civil Rights (OCR) published an update on its rulemaking and enforcement efforts under the HITECH Act. OCR made clear that the increased civil monetary penalties for HIPAA violations and enforcement of the breach notification rule have been effective since February 17, 2010 and February 22, 2010, respectively.

However, OCR stated that it continues to work on a Notice of Proposed Rulemaking (NPRM) regarding the following HITECH provisions: business associate liability; new limitations on the sale of protected health information, marketing and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information.

OCR noted that although the effective date for many of these provisions has passed (February 17, 2010), the NPRM and subsequent final rule will provide specific information regarding the expected date of compliance and enforcement for the new requirements.

Of particular interest in this rulemaking will be whether the OCR will require parties to affirmatively amend their business associate agreements to reflect the new privacy and security requirements with which business associates must directly comply, or whether the new provisions are already incorporated into the agreements by operation of law.

DGS will continue to monitor OCR’s HITECH rulemaking progress and will post updates as they are available.

Healthcare Professionals Call on FTC for Exemption from its Red Flags Rule

Will health care providers be the second profession to escape the Federal Trade Commission's (FTC) Red Flags Rule?  The heads of the American Dental Association, the American Medical Association, the American Osteopathic Association, and the American Veterinary Medical Association hope so, and they're asking the FTC to declare that its identity theft prevention rule (Red Flags Rule or Rule) does not apply to their licensed professionals.

In light of the November 2009 United States District Court decision in American Bar Association v. FTC, which held that the Red Flags Rule did not apply to legal professionals, the healthcare organizations issued a joint letter to the FTC requesting the same treatment.

The healthcare organizations specifically requested that the FTC:  (1) Announce that the Rule will not be applied to licensed health care professionals until at least ninety days after the final resolution of the ABA litigation and (2) Commit that if the result of the final ABA litigation is that the Red Flags Rule will not be applied to lawyers, the FTC will not apply the Rule to licensed health care professionals either.

The letter noted the substantial cost and burdens on healthcare professionals in complying with the Rule and stated that if lawyers were exempt from the Rule it would be "manifestly unfair" to subject healthcare professionals to it.

First Lawsuit By State AG Under HITECH

Let the age of HIPAA lawsuits begin.  Yesterday, the Connecticut Attorney General sued Health Net of Connecticut, Inc. for a security breach involving patient medical and financial records.  This is the first state enforcement action against a covered entity for a HIPAA violation since HITECH extended enforcement ability to the state attorneys general.  It serves as a good reminder that covered entities and business associates need to have breach notification policies in place and comply with those policies in the event of a security breach. 

Clarification of HITECH's Amendments to HIPAA's Civil Monetary Penalties

Recognizing the confusion surrounding HITECH's significant amendments to HIPAA's Enforcement Rule, the Department of Health and Human Services ("HHS") published the Interim Final Rule on HIPAA Enforcement ("Interim Final Rule") on October 30th.  The Interim Final Rule seeks to clarify the revised civil monetary penalty scheme established in HITECH, noting that many covered entities "may be unaware they are currently subject to significantly greater penalties for violations of the HIPAA rules."  Indeed - the increase in the maximum aggregate penalties from $25,000 to $1,500,000 is big news for all covered entities (and now business associates too).  HHS felt that this information was so important, it waived the notice and comment period and proceeded straight to the interim final rule, which becomes effective on November 30, 2009.     


And Yet Another Delay . . . Red Flags Rule Enforcement Date Pushed Back Until June 2010

The Federal Trade Commission (FTC) announced that it will delay the enforcement of its Red Flags Rule for a fourth time, extending the start date to June 1, 2010.  The FTC previously delayed enforcement until November 1, 2009, but decided on the further extension due to a request from members of Congress.

The Red Flags Rule addresses identity theft and requires certain "creditors" to develop identity theft prevention programs.  You can learn about the specific requirements of the Red Flags Rule in a prior DGS post.

Congress Calls on HHS to Strengthen Breach Notification Rules

In a letter issued on October 1st, Congressional House leaders of the Energy and Commerce and Ways and Means committees opposed “the high bar” that the Department of Health and Human Services (HHS) has set for breach notification.

The breach notification regulations were enacted pursuant to the American Recovery and Reinvestment Act of 2009 (ARRA).  Published as interim final regulations in the Federal Register on August 24, 2009, they require health care entities to notify individuals and HHS if there has been an unauthorized use or disclosure (“breach”) of electronic personal health data.  These regulations, however, include a “substantial harm” standard, which does not require breach notification to individuals or HHS if the breaching entity believes there is no significant risk of financial, reputational or other harm to the individual.

According to the letter, the substantial harm standard is not consistent with Congressional intent. “In drafting [the enacting statute], Committee members specifically considered and rejected such a standard due to concerns over the breadth of discretion that would be given to breaching entities, particularly with regard to determining something as subjective as harm from the release of sensitive and personal health information.”

The letter urges HHS to revise or repeal the harm standard provision and calls for greater transparency through a “black and white standard,” which would allow individuals to assess the level of harm caused by a breach of their health information, and permit them to judge the quality of an entity’s privacy protection based on the true number of breach occurrences.

Greater Protection for Genetic Information

Genetic information soon will be more stringently protected thanks to regulations published today by the United States Departments of Health and Human Services, Labor, and the Treasury.  The Genetic Information Nondiscrimination Act of 2008 ("GINA") prohibits health insurers, health plans, and employers from discriminating against individuals based upon their genetic information.  Under the interim final rules, group health plans and group and individual issuers may not do such things as raise premiums or impose pre-existing condition exclusions based upon genetic information, and they may not use genetic information for underwriting purposes.  These rules will become effective on December 7, 2009.

The Office of Civil Rights ("OCR") also issued proposed rules today modifying HIPAA in accordance with GINA.  If these rules are implemented in their current form, "genetic information" will be a defined term and the definition of "health information" will be modified to expressly include genetic information.  Among other things, the proposed rules will prohibit health plans from using or disclosing genetic information for underwriting purposes and will require their notices of privacy practices to reflect this prohibition.  The public has sixty days, up to and including December 7, 2009, to submit comments to the OCR.


FTC and HHS Issue Breach Notification Rules for Electronic Health Information

As part of the American Recovery and Reinvestment Act of 2009 (the “Recovery Act”), Congress directed the Federal Trade Commission (“FTC”) and the Department of Health and Human Services (“HHS”) to issue rules requiring certain entities to notify consumers if there has been a breach in the security of their personal health information. 

The FTC rule applies to vendors of personal health records, which provide online repositories for storage and tracking of health information, and entities that offer third-party applications for personal health records. These applications could include, for example, a blood pressure cuff whose readings consumers can upload to their personal health record. 

The HHS rule, developed by the Office for Civil Rights (OCR), applies to healthcare providers and other HIPAA covered entities.

Under the rules, those entities subject to either rule must notify consumers if there is a “breach” involving their “unsecured” health information. Additionally, if a service provider or business associate of one of the entities has a breach of its own, it must notify the entity, which in turn must notify consumers.

A “breach” is defined as the unauthorized acquisition, access, use, or disclosure of protected health information, which results in the compromise of the security or privacy of such information.

Entities that secure their electronic health records through encryption or destruction are not required to provide notification in the event of a breach, as long as they follow HHS guidance on the proper methods of securing information. As an accompaniment to its rule, HHS issued an update to its current guidance (PDF) on acceptable encryption and destruction methodologies, which would render sensitive information unusable to unauthorized individuals. The policy on encryption is technical in nature and entities would be well-advised to have their IT consultants carefully review, and as deemed necessary, implement the HHS guidance.


"Red Flags" Rule: New FTC Regulations Require Healthcare Providers to Combat Identity Theft.

ENFORCEMENT BEGINS AUGUST 1ST.

On August 1, 2009, the Federal Trade Commission (“FTC”) will begin enforcement of its "Red Flags" Rule, which is aimed at reducing identity theft.  The Rule requires creditors to look for "red flags" that signal possible identity theft, and applies to any “creditor” that maintains “covered accounts.” 

While most healthcare providers wouldn't usually think of themselves as traditional creditors, the Rule's definitions are broad enough to bring them into that realm.

Under the Rule, a creditor is defined as any person or organization that “regularly extends, renews, or continues credit.”

  • When a healthcare provider allows a patient to pay for medical services after they are rendered or accepts payments over a period of time, that provider is acting as a creditor.

Covered accounts include:

  1. Accounts maintained by a creditor which are primarily for personal, family, or household purposes and are designed to permit multiple payments or transactions, or
  2. Any other account for which there is a “reasonably foreseeable risk to consumers” of identity theft.

  • Patient accounts likely fit within both of these categories.

Given the above, most healthcare providers will indeed need to comply with the "Red Flags" Rule.

View this "Red Flags" Rule PowerPoint presentation for a quick overview of the Rule's requirements and the consequences of noncompliance.

You can also consult the FTC's simplified "How-To Guide", which provides the basics for complying with the Red Flags Rule.

Significant HIPAA Modifications in the American Recovery and Reinvestment Act

The American Recovery and Reinvestment Act of 2009 (commonly called the "Stimulus Bill") contains sweeping changes to HIPAA.  HIPAA has been expanded to reach entities not previously governed by HIPAA, and the penalties for violating HIPAA have increased dramatically.  The devil is in the details, however, and those details remain unknown until the implementing regulations are issued.  For a more detailed summary of the Stimulus Bill's changes to HIPAA, please see our DGS client alert on this issue.