Federal health information regulators recently clarified that HIPAA permits certain uses and disclosures for public health activities without patient authorization.
A fact sheet released December 20 by the Health and Human Services Office for Civil Rights and the Office of the National Coordinator for Health Information Technology explains a number of hypothetical scenarios in which protected health information (PHI) may be shared in support of public health activities or other important public health policies. Under HIPAA, a number of regulatory provisions permit use and disclosure without patient authorization. Using and disclosing PHI for public health activities is one such provision. While this guidance does not change the existing HIPAA regulatory scheme, it provides a number of scenarios exemplifying some more common uses and disclosures for public health activities. A brief synopsis follows below.
On November 28, 2016, the Office for Civil Rights (OCR) issued an alert to providers and business associates monitoring their email for OCR audit communications. According to OCR, a phishing email disguised as an official communication from the Department of Health and Human Services (HHS) and claiming to be signed by OCR’s director Jocelyn Samuels has been circulated. The email instructs recipients to click a link regarding inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program but redirects to a non-governmental firm marketing its cybersecurity services. The email and the firm are not in any way connected to OCR, HHS, or the HIPAA audits. OCR asks that any questions regarding communications that you may receive purporting to be from HHS or OCR concerning the HIPAA audits be directed to OSOCRAudit@hhs.gov.
The Office for Civil Rights (OCR) has announced two more significant HIPAA settlements involving covered entities. Both settlements were the result of investigations triggered by breach reports involving laptop thefts. And as is often the case, the investigations uncovered numerous HIPAA compliance issues above and beyond those which led to the breach.
North Memorial Health Care of Minnesota (North Memorial) reached a $1.55 million settlement and corrective action plan with OCR related to allegations that it, in the words of OCR Director Jocelyn Samuels, overlooked “two major cornerstones of the HIPAA Rules.” OCR began its investigation following receipt of a breach report in September, 2011, which indicated that an unencrypted, password protected laptop containing electronic protected health information (e-PHI) of approximately 9,000 patients was stolen from a locked vehicle belonging to an employee of a hospital business associate. OCR’s investigation uncovered that North Memorial’s business associate had access to its hospital database containing electronic protected health information (e-PHI) of more than 289,000 patients in order to perform payment and operations activities on its behalf. However, North Memorial failed to require the business associate to enter into a business associate agreement. Additionally, OCR noted that North Memorial did not complete a comprehensive and accurate risk analysis, continuing the trend from OCR’s enforcement action in 2015.
The other recent enforcement involved OCR agreeing to a $3.9 million settlement and “substantial” corrective action plan with the Feinstein Institute for Medical Research (Feinstein). The investigation into Feinstein followed a breach report in September, 2012, indicating that a laptop containing e-PHI of approximately 13,000 research participants was stolen from an employee’s car. OCR’s investigation exposed significant problems with Feinstein’s security management process, and further found that Feinstein did not have appropriate policies and procedures and other safeguards in place to protect e-PHI. Following this settlement, OCR Director Jocelyn Samuels offered a reminder to providers:
Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities. For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.
These investigations and settlements offer a number of key takeaways:
- Covered entities should regularly inventory their roster of business associates, and consider auditing those with access to large quantities of PHI.
- Security risk assessments are at the top of regulators’ checklists, and as a result are critical to demonstrating HIPAA compliance.
- Following a breach report, covered entities and business associates should take the opportunity to reexamine its HIPAA compliance – including conducting a security risk assessment; reviewing and updating policies and procedures; and re-training workforce members.
On Monday, the Office for Civil Rights (OCR) announced the long-awaited launch of Phase 2 of its HIPAA Audit Program. OCR is required by the Health Information Technology for Economic and Clinical Health (HITECH) Act to establish a permanent compliance audit program for HIPAA covered entities and their business associates. OCR completed the first phase of testing for the audit program in 2012 when it audited 115 covered entities, but it had yet to establish a permanent program until now.
OCR will begin Phase 2 by sending pre-audit questionnaires to both covered entities and business associates to determine potential audit pools. Covered entities and business associates will be included in the pre-audit questionnaires even if they do not provide updated contact information upon request from OCR. In its press release, OCR indicated that the Phase 2 Audits will focus on desk reviews of HIPAA Privacy, Security, and Breach Notification Rules policies and procedures, although some on-site reviews will be conducted. OCR anticipates publishing an updated audit protocol to assist organizations with conducting their own internal self-audits as part of their HIPAA compliance activities. These desk audits are scheduled to be completed by December, 2016.
The announcement of Phase 2 implementation follows an increase of $4 million in OCR’s budget from its 2016 budget, part of which was earmarked for Phase 2 audits. OCR will direct approximately $1.5 million of the requested $4 million budget increase towards the audit program, giving it an estimated $9.2 million budget. In the Fiscal Year 2017 budget justification presented to the House of Representatives Appropriations Committee, OCR Director Jocelyn Samuels noted that the audit program would support OCR’s “compliance and enforcement mission by proactively and systematically measuring industry compliance with HIPAA requirements.” Previously, OCR’s approach to compliance was primarily reactionary, targeting covered entities only in response to complaints. Ms. Samuels indicated that the additional funding for the permanent phase of the audit program will enable OCR to take a “proactive and systemic look at industry compliance successes and struggles” outside the context of a privacy breach incident, and will help “generate analytical tools and methods for entity self-evaluation.”
Look for upcoming posts providing more details on the Phase 2 Audit Program.
The U.S. Substance Abuse and Mental Health Services Administration (SAMHSA) recently published a proposed rule which would amend the Confidentiality of Alcohol and Drug Abuse Patient Records regulations, found in 42 C.F.R. Part 2. The confidentiality provisions were promulgated in 1975, and last amended substantively in 1987, prior to new models of integrated care built upon a foundation of information sharing, the development of an electronic infrastructure for managing and exchanging patient information, and a new focus on performance measurement within the health care system. SAMHSA’s long awaited proposed rule seeks to modernize the confidentiality provisions to better reflect the current treatment system, particularly with respect to ease of transferring records and patient information, while still maintaining privacy protections for those receiving substance use treatment.
The current regulations protect patient records and information relating to substance use treatment received at a federally assisted substance use program. Generally, any disclosure of identifiable data reflecting substance use treatment without express written consent from the individual is prohibited. In its proposed rule, SAMHSA states that while privacy concerns have not lessened, it believes that changes to the regulations are necessary to “better align them with advances in the U.S. health care delivery system,” and ensure that patients receiving treatment for substance use disorders are able to participate and benefit from new integrated care models which promote health care quality and reduce costs. SAMHSA also notes that improvements in health care technology would allow providers to separate portions of a patient’s record to reflect consent preferences for substance use treatment information within the electronic health records or health information exchanges allowing for easier information sharing while still maintaining compliance with 42 C.F.R. Part 2.
In addition to revisions to certain definitions so as to make the regulations “more understandable and less burdensome,” SAMHSA’s most significant proposed change addresses the consent section of the regulations. Currently, the regulations require that a consent form include the name or title of the individual or the name of the organization to which disclosure is to be made as part of the patient’s written consent to the disclosure. In response to stakeholder concern that the current requirements for sharing patient records covered by Part 2 deter patients from participating in HIEs, ACOs, and other similar organizations, SAMHSA proposes that the “to whom” section of the consent disclosure form could include a more generalized description of entities that would be permitted to receive patient information. The proposed rule would also require that patients receive and sign a statement indicating that they understand the terms of their consent and to whom their information may be released.
Comments on the rule will be accepted through April 11. These changes will take effect beginning 180 days after the publication of the final rule, unless otherwise noted. HHS’s press release may be accessed here and the full text of the proposed rule may be accessed here.
Earlier this month, a bipartisan group of Senators introduced legislation designed to expand the use of telehealth and remote monitoring services in Medicare by removing numerous barriers to reimbursement.
Senate bill S.2484, known as The Creating Opportunities Now for Necessary and Effective Care Technologies (CONNECT) for Health Act, would create a program that would waive Medicare requirements that certain telehealth services occur at designated sites. The bill would also expand the categories of providers eligible to perform and be reimbursed for telehealth services. Currently, Medicare reimbursement for telehealth services is available only for limited provider types, located in certain “distant sites,” and treating patients located at certain “originating sites” in designated geographic regions.
The CONNECT for Health Act would allow qualifying providers participating in alternative Medicare payment models through Medicare to use remote patient monitoring (RPM) to monitor patients with chronic conditions without the current Medicare restrictions. The bill would permit more “originating sites,” including dialysis centers and Native American health service facilities, and would permit more telehealth and RPM in community health centers and rural health clinics.
The bill includes measures designed to ensure the quality of services delivered through telehealth. An independent cost analysis conducted by Avalere and Third Way estimates savings to the federal government of $1.8 billion over ten years.
The bill is sponsored by Sens. Brian Schatz (D-Hawaii), John Thune (R-S.D.), Mark Warner, (D-Va.), Roger Wicker (R-Miss.), Thad Cochran (R-Miss.) and Ben Cardin (D-Md.).
Covered entities which experienced a HIPAA breach in calendar year 2015 are required to report all such breaches affecting fewer than 500 individuals to OCR by Monday, February 29, 2016. The reports must be submitted via OCR’s online portal, available here. This yearly reporting obligation is in addition to the requirement to report large breaches — those affecting 500 or more individuals — within 60 days of discovering the breach.
This is also an appropriate time to review and update breach notification policies and procedures to make sure that covered entities have in place the appropriate mechanisms to notify OCR timely and appropriately.
Last week, we authored a client alert highlighting affiliations between CVS and a number of health care systems throughout the country which, according to CVS, will enable it to provide prescription and MinuteClinic visit information to participating health care providers by enabling communication between secured electronic health record (EHR) systems. CVS/pharmacy will share electronic messages and alerts with affiliates’ physicians regarding patient medication non-adherence, and MinuteClinic will electronically share patient visit summaries with the patient’s primary care physician (with patient consent).
For a more detailed discussion of how various industry segment providers are moving towards clinical integration with the help of EHRs, please see our alert.
For only the second time in its history, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has imposed civil monetary penalties (CMPs) on a health care provider for HIPAA violations.
Lincare, Inc. d/b/a United Medical (Lincare) was found to have violated HIPAA when the estranged husband of one of its managers complained to OCR that his wife improperly permitted him access to the records of 278 Lincare patients. After an OCR investigation and proposed determination, an HHS administrative law judge (ALJ) upheld the CMP of $239,800, finding that Lincare did not implement policies and procedures to safeguard records containing its patients’ PHI, and failed to protect against a disclosure of the PHI to unauthorized persons.
This post discusses where Lincare went wrong, and what providers can do to avoid a similar fate.
The Federal Trade Commission (“FTC”) recently announced a settlement with Henry Schein Practice Solutions, Inc., a dental practice software provider, concluding an investigation into claims that Henry Schein misled customers about the encryption capabilities of its software.
According to the FTC, Henry Schein advertised its Dentrix G5 software as meeting industry encryption standards despite the fact the company was aware that the software used a proprietary data masking technique that fell short of the NIST encryption standard. The patient data within the Dentrix G5 system was not encrypted, but rather camouflaged. Henry Schein marketed Dentrix G5 to providers as meeting HIPAA requirements when it did not, and also failed to notify providers of the misleading claims after it became aware of the software’s deficiencies.
In the complaint, the FTC determined that Henry Schein’s claims of encryption would be material to providers assessing whether to notify affected individuals in the event of a suspected HIPAA breach since a breach of encrypted PHI does not require notification under HIPAA’s Breach Notification Rule. This enforcement should serve as a reminder to providers to verify whether their (or their vendors’) encryption technology is sufficient to take advantage of the HIPAA breach notification encryption safe harbor. Rigorous due diligence prior to engaging a vendor and robust contractual representations concerning encryption technology are two ways providers can protect themselves in this regard.
The complaint, proposed consent order, and FTC press release may be accessed here.