The Office for Civil Rights (OCR) has announced two more significant HIPAA settlements involving covered entities. Both settlements were the result of investigations triggered by breach reports involving laptop thefts. And as is often the case, the investigations uncovered numerous HIPAA compliance issues above and beyond those which led to the breach.
North Memorial Health Care of Minnesota (North Memorial) reached a $1.55 million settlement and corrective action plan with OCR related to allegations that it, in the words of OCR Director Jocelyn Samuels, overlooked “two major cornerstones of the HIPAA Rules.” OCR began its investigation following receipt of a breach report in September, 2011, which indicated that an unencrypted, password protected laptop containing electronic protected health information (e-PHI) of approximately 9,000 patients was stolen from a locked vehicle belonging to an employee of a hospital business associate. OCR’s investigation uncovered that North Memorial’s business associate had access to its hospital database containing electronic protected health information (e-PHI) of more than 289,000 patients in order to perform payment and operations activities on its behalf. However, North Memorial failed to require the business associate to enter into a business associate agreement. Additionally, OCR noted that North Memorial did not complete a comprehensive and accurate risk analysis, continuing the trend from OCR’s enforcement action in 2015.
The other recent enforcement involved OCR agreeing to a $3.9 million settlement and “substantial” corrective action plan with the Feinstein Institute for Medical Research (Feinstein). The investigation into Feinstein followed a breach report in September, 2012, indicating that a laptop containing e-PHI of approximately 13,000 research participants was stolen from an employee’s car. OCR’s investigation exposed significant problems with Feinstein’s security management process, and further found that Feinstein did not have appropriate policies and procedures and other safeguards in place to protect e-PHI. Following this settlement, OCR Director Jocelyn Samuels offered a reminder to providers:
Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities. For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.
These investigations and settlements offer a number of key takeaways:
- Covered entities should regularly inventory their roster of business associates, and consider auditing those with access to large quantities of PHI.
- Security risk assessments are at the top of regulators’ checklists, and as a result are critical to demonstrating HIPAA compliance.
- Following a breach report, covered entities and business associates should take the opportunity to reexamine its HIPAA compliance – including conducting a security risk assessment; reviewing and updating policies and procedures; and re-training workforce members.
On Monday, the Office for Civil Rights (OCR) announced the long-awaited launch of Phase 2 of its HIPAA Audit Program. OCR is required by the Health Information Technology for Economic and Clinical Health (HITECH) Act to establish a permanent compliance audit program for HIPAA covered entities and their business associates. OCR completed the first phase of testing for the audit program in 2012 when it audited 115 covered entities, but it had yet to establish a permanent program until now.
OCR will begin Phase 2 by sending pre-audit questionnaires to both covered entities and business associates to determine potential audit pools. Covered entities and business associates will be included in the pre-audit questionnaires even if they do not provide updated contact information upon request from OCR. In its press release, OCR indicated that the Phase 2 Audits will focus on desk reviews of HIPAA Privacy, Security, and Breach Notification Rules policies and procedures, although some on-site reviews will be conducted. OCR anticipates publishing an updated audit protocol to assist organizations with conducting their own internal self-audits as part of their HIPAA compliance activities. These desk audits are scheduled to be completed by December, 2016.
The announcement of Phase 2 implementation follows an increase of $4 million in OCR’s budget from its 2016 budget, part of which was earmarked for Phase 2 audits. OCR will direct approximately $1.5 million of the requested $4 million budget increase towards the audit program, giving it an estimated $9.2 million budget. In the Fiscal Year 2017 budget justification presented to the House of Representatives Appropriations Committee, OCR Director Jocelyn Samuels noted that the audit program would support OCR’s “compliance and enforcement mission by proactively and systematically measuring industry compliance with HIPAA requirements.” Previously, OCR’s approach to compliance was primarily reactionary, targeting covered entities only in response to complaints. Ms. Samuels indicated that the additional funding for the permanent phase of the audit program will enable OCR to take a “proactive and systemic look at industry compliance successes and struggles” outside the context of a privacy breach incident, and will help “generate analytical tools and methods for entity self-evaluation.”
Look for upcoming posts providing more details on the Phase 2 Audit Program.
The U.S. Substance Abuse and Mental Health Services Administration (SAMHSA) recently published a proposed rule which would amend the Confidentiality of Alcohol and Drug Abuse Patient Records regulations, found in 42 C.F.R. Part 2. The confidentiality provisions were promulgated in 1975, and last amended substantively in 1987, prior to new models of integrated care built upon a foundation of information sharing, the development of an electronic infrastructure for managing and exchanging patient information, and a new focus on performance measurement within the health care system. SAMHSA’s long awaited proposed rule seeks to modernize the confidentiality provisions to better reflect the current treatment system, particularly with respect to ease of transferring records and patient information, while still maintaining privacy protections for those receiving substance use treatment.
The current regulations protect patient records and information relating to substance use treatment received at a federally assisted substance use program. Generally, any disclosure of identifiable data reflecting substance use treatment without express written consent from the individual is prohibited. In its proposed rule, SAMHSA states that while privacy concerns have not lessened, it believes that changes to the regulations are necessary to “better align them with advances in the U.S. health care delivery system,” and ensure that patients receiving treatment for substance use disorders are able to participate and benefit from new integrated care models which promote health care quality and reduce costs. SAMHSA also notes that improvements in health care technology would allow providers to separate portions of a patient’s record to reflect consent preferences for substance use treatment information within the electronic health records or health information exchanges allowing for easier information sharing while still maintaining compliance with 42 C.F.R. Part 2.
In addition to revisions to certain definitions so as to make the regulations “more understandable and less burdensome,” SAMHSA’s most significant proposed change addresses the consent section of the regulations. Currently, the regulations require that a consent form include the name or title of the individual or the name of the organization to which disclosure is to be made as part of the patient’s written consent to the disclosure. In response to stakeholder concern that the current requirements for sharing patient records covered by Part 2 deter patients from participating in HIEs, ACOs, and other similar organizations, SAMHSA proposes that the “to whom” section of the consent disclosure form could include a more generalized description of entities that would be permitted to receive patient information. The proposed rule would also require that patients receive and sign a statement indicating that they understand the terms of their consent and to whom their information may be released.
Comments on the rule will be accepted through April 11. These changes will take effect beginning 180 days after the publication of the final rule, unless otherwise noted. HHS’s press release may be accessed here and the full text of the proposed rule may be accessed here.
Earlier this month, a bipartisan group of Senators introduced legislation designed to expand the use of telehealth and remote monitoring services in Medicare by removing numerous barriers to reimbursement.
Senate bill S.2484, known as The Creating Opportunities Now for Necessary and Effective Care Technologies (CONNECT) for Health Act, would create a program that would waive Medicare requirements that certain telehealth services occur at designated sites. The bill would also expand the categories of providers eligible to perform and be reimbursed for telehealth services. Currently, Medicare reimbursement for telehealth services is available only for limited provider types, located in certain “distant sites,” and treating patients located at certain “originating sites” in designated geographic regions.
The CONNECT for Health Act would allow qualifying providers participating in alternative Medicare payment models through Medicare to use remote patient monitoring (RPM) to monitor patients with chronic conditions without the current Medicare restrictions. The bill would permit more “originating sites,” including dialysis centers and Native American health service facilities, and would permit more telehealth and RPM in community health centers and rural health clinics.
The bill includes measures designed to ensure the quality of services delivered through telehealth. An independent cost analysis conducted by Avalere and Third Way estimates savings to the federal government of $1.8 billion over ten years.
The bill is sponsored by Sens. Brian Schatz (D-Hawaii), John Thune (R-S.D.), Mark Warner, (D-Va.), Roger Wicker (R-Miss.), Thad Cochran (R-Miss.) and Ben Cardin (D-Md.).
Covered entities which experienced a HIPAA breach in calendar year 2015 are required to report all such breaches affecting fewer than 500 individuals to OCR by Monday, February 29, 2016. The reports must be submitted via OCR’s online portal, available here. This yearly reporting obligation is in addition to the requirement to report large breaches — those affecting 500 or more individuals — within 60 days of discovering the breach.
This is also an appropriate time to review and update breach notification policies and procedures to make sure that covered entities have in place the appropriate mechanisms to notify OCR timely and appropriately.
Last week, we authored a client alert highlighting affiliations between CVS and a number of health care systems throughout the country which, according to CVS, will enable it to provide prescription and MinuteClinic visit information to participating health care providers by enabling communication between secured electronic health record (EHR) systems. CVS/pharmacy will share electronic messages and alerts with affiliates’ physicians regarding patient medication non-adherence, and MinuteClinic will electronically share patient visit summaries with the patient’s primary care physician (with patient consent).
For a more detailed discussion of how various industry segment providers are moving towards clinical integration with the help of EHRs, please see our alert.
For only the second time in its history, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has imposed civil monetary penalties (CMPs) on a health care provider for HIPAA violations.
Lincare, Inc. d/b/a United Medical (Lincare) was found to have violated HIPAA when the estranged husband of one of its managers complained to OCR that his wife improperly permitted him access to the records of 278 Lincare patients. After an OCR investigation and proposed determination, an HHS administrative law judge (ALJ) upheld the CMP of $239,800, finding that Lincare did not implement policies and procedures to safeguard records containing its patients’ PHI, and failed to protect against a disclosure of the PHI to unauthorized persons.
This post discusses where Lincare went wrong, and what providers can do to avoid a similar fate.
The Federal Trade Commission (“FTC”) recently announced a settlement with Henry Schein Practice Solutions, Inc., a dental practice software provider, concluding an investigation into claims that Henry Schein misled customers about the encryption capabilities of its software.
According to the FTC, Henry Schein advertised its Dentrix G5 software as meeting industry encryption standards despite the fact the company was aware that the software used a proprietary data masking technique that fell short of the NIST encryption standard. The patient data within the Dentrix G5 system was not encrypted, but rather camouflaged. Henry Schein marketed Dentrix G5 to providers as meeting HIPAA requirements when it did not, and also failed to notify providers of the misleading claims after it became aware of the software’s deficiencies.
In the complaint, the FTC determined that Henry Schein’s claims of encryption would be material to providers assessing whether to notify affected individuals in the event of a suspected HIPAA breach since a breach of encrypted PHI does not require notification under HIPAA’s Breach Notification Rule. This enforcement should serve as a reminder to providers to verify whether their (or their vendors’) encryption technology is sufficient to take advantage of the HIPAA breach notification encryption safe harbor. Rigorous due diligence prior to engaging a vendor and robust contractual representations concerning encryption technology are two ways providers can protect themselves in this regard.
The complaint, proposed consent order, and FTC press release may be accessed here.
Many thanks to our colleagues Jonathan Ishee and Shannon Majoras for authoring this post.
Recently the Department of Health and Human Services Office for Civil Rights (OCR) announced three settlements to resolve investigations into potential violations of the Health Insurance Portability and Accountability Act (HIPAA).
OCR reached settlements with two academic medical centers, the Lahey Hospital and Medical Center and University of Washington Medicine (UWM), and one insurance holding company, Triple-S Management Company. Each entity will be subject to a corrective action plan and civil monetary penalties that range from $750,000 to $3.5 million. Continue Reading
Many thanks once again to our colleague, Robin Canowitz, for authoring this post.
In the largest HIPAA settlement yet to be announced, two New York organizations have agreed to pay $4.8 million to settle allegations that they failed to secure the electronic health information (ePHI) of thousands of their patients. New York Presbyterian Hospital (NYP) and Columbia University (CU) submitted a joint breach report in September of 2010, indicating that the disclosure of ePHI of 6,800 individuals included patient status, vital signs, medications and laboratory results. The organizations are separate entities for HIPAA purposes, but operated a shared data network which was administered by employees of both entities.
According to the U.S. Department of Health & Human Services (HHS) Office of Civil Rights (OCR), the breach was caused when a physician employed by both entities attempted to deactivate a personally owned computer server on a network containing ePHI from NYP. Due to a lack of technical safeguards, the deactivation of the server resulted in ePHI being accessible on internet search engines. OCR noted that its investigation also revealed that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and contained appropriate protections. Further, OCR determined that neither entity had conducted an accurate and thorough risk analysis of their systems which accessed ePHI.
NYP agreed to pay a monetary settlement of $3.3 million, while CU agreed to pay $1.5 million. Both entities have also agreed to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff and providing progress reports.
You can read the corrective action plans here.