The costs of HIPAA breaches are well-documented. Thefts of laptops containing patients' sensitive health information impose significant costs on providers and their business associates, from the preliminary investigation to mailed notification of every affected patient, to say nothing of the reputational harm inflicted by mandatory self-reporting to HHS, which posts large breaches on its public "wall of shame." As if these costs were not enough, savvy plaintiffs' attorneys are finding ways to frame class actions based on these breaches which, if successful, will add significant costs on top of already severe regulatory penalties.
In a previous post, we addressed a consumer class action in which the Oregon Supreme Court held that the alleged harm – a risk of future identity theft – was not sufficient to support a cause of action. In a recent decision, Resnick v. AvMed, the Eleventh Circuit Court of Appeals reversed the district court's dismissal, finding that the putative class had alleged a cognizable injury sufficient both for standing and to support their state law claims for losses suffered from identity theft following a data breach.
The facts of Resnick should sound familiar. A HIPAA covered entity had two laptops stolen from its Florida office. The laptops contained the PHI, Social Security numbers, and other personal information of 1.2 million of its members. Nearly a year after the theft, the named plaintiffs alleged that they had become victims of identity theft: bank accounts were opened, addresses were changed, credit cards were opened, and purchases were made. Naturally, they attributed the identity thefts to the laptop thefts.
The district court dismissed the complaint, finding that it failed to allege a cognizable injury. The Eleventh Circuit reversed, finding plaintiffs’ allegations of actual identity theft resulting from a data breach to be sufficient to constitute injury in fact. The court found a plausible, logical nexus between the data breach and the identity thefts. Plaintiffs alleged that they had not had their identities stolen or their sensitive information compromised prior to the laptop theft. They stated that they took considerable precautions with their own information, such as not transmitting unencrypted sensitive information over the internet. According to the Court, based on these facts, the allegations moved “from the realm of the possible into the plausible.”
To be sure, the defendant could have done more to protect its PHI and prevent the breach in the first place: the data on the laptops could have been better secured, and the facility's physical security probably could have been more robust. The Resnick decision did not address whether the defendant notified the plaintiffs or took any remedial measures, such as attempting to locate the stolen information or purchasing identity theft protection for affected members. Nevertheless, Resnick is particularly troubling for HIPAA covered entities and business associates because of the unanticipated costs that may surface months or even years after the initial breach if the response is not handled properly. Although the upfront costs of responding to a breach may be significant, those investments may prevent, or at least limit, future exposure if the breached information finds its way into the wrong hands.
The Centers for Medicare and Medicaid Services (“CMS”) Medicare and Medicaid EHR Incentive Programs Stage 2 final rule (“Final Rule”) made two key changes which should benefit providers seeking Medicaid incentive payments: (1) allowing more patient encounters to be included in satisfying the required patient volume threshold for eligible professionals; and (2) simplifying hospital reporting of discharges. This post is the third in our multi-part series exploring various issues related to the Final Rule. In case you missed them, here is our first, and here is our second.
As we reported last month, the Centers for Medicare and Medicaid Services (“CMS”) released its final rule for Stage 2 of its EHR Incentive Programs. This post is our second in a multi-part series addressing various aspects of the final rule.
On Thursday, from 2:00 – 3:00 PM ET, the Centers for Medicare and Medicaid Services (CMS) will host a call for providers to explain the new criteria for Stage 2 of the EHR Incentive Programs.
According to CMS, the agenda will include the following topics:
- The extension to Stage 1 of meaningful use
- Changes to Stage 1 criteria for meaningful use
- Proposed Medicaid policies
- Stage 2 meaningful use overview
- Stage 2 clinical quality measures (CQMs)
- Medicare payment adjustments and exceptions
- Questions and answers about the EHR Incentive Programs
Register here, but please note that space is limited. Registration closes at 12:00 ET on the day of the call, or when available space has been filled.
CMS plans to make the slide presentation available here. More information about the EHR incentive programs can be found here.
We plan to participate in the call, so please check back early next week for our reaction. In the meantime, continue to monitor the blog for updates.
The Centers for Medicare and Medicaid Services (“CMS”) has released its final rule for Stage 2 of the Medicare and Medicaid Electronic Health Record (“EHR”) Incentive Programs. The rule specifies criteria that eligible professionals and hospitals must meet in order to continue to receive incentive payments. CMS has indicated that the final rule will be published in the September 4 issue of the Federal Register, and will be effective on the 60th day following publication.
Whereas Stage 1 focused principally on data collection, Stage 2 emphasizes care improvement through a concerted effort to increase coordination of care. According to HHS Secretary Kathleen Sebelius:
The changes we’re announcing today will lead to more coordination of patient care, reduced medical errors, elimination of duplicate screenings and tests and greater patient engagement in their own care.
For example, Stage 2 core objectives include using secure electronic messaging to communicate with patients on relevant health information.
A major change in the final rule concerns the timing of meeting Stage 2 requirements. The original Stage 1 timeline required providers who received incentive payments for 2011 to be ready for Stage 2 in 2013. Now, providers who first demonstrate meaningful use in 2011 will not have to meet the Stage 2 requirements until 2014. We found the CMS image below particularly helpful:
To Learn More
Continue to monitor our blog as we plan to provide more in-depth analysis of the provisions of the final rule. In a multi-part series, we will explore the Stage 2 objectives, clinical quality measures, as well as issues related to payment, such as hardship exceptions to the Medicare payment adjustments and the Medicaid eligibility expansion. In the meantime, CMS has a number of helpful resources on its Stage 2 website which we recommend.
The Health Information Technology for Economic and Clinical Health Act (“HITECH”) made available an estimated $27 billion in federal incentive payments to medical professionals and hospitals when they adopt certified Electronic Health Records (“EHRs”) and demonstrate meaningful use of the EHRs. Eligible Professionals (“EPs”) can receive as much as $44,000 through Medicare, or as much as $63,750 from Medicaid, while eligible hospitals stand to receive millions for implementation and meaningful use of certified EHRs.
As of June, more than 100,000 health care providers have received more than $6 billion in meaningful use incentive payments paid in the first year of the program. In Ohio alone, providers have received more than $250 million in incentive payments. EHR utilization certainly is increasing — to the benefit of providers, patients, and even payers. There is no shortage of commentary on this development. What has not received enough attention to date, however, is the fact that many types of medical professionals may not become eligible for incentive payments — even if they do become “meaningful users” of EHRs.
In 2009, HITECH gave State Attorneys General the authority to bring civil actions on behalf of their state residents for violations of HIPAA. The HITECH Act permits State Attorneys General to sue in federal district court to obtain monetary damages on behalf of state residents and/or to enjoin further violations of HIPAA.
Although trained by OCR in June 2011, State AGs have been slow to jump into the HIPAA pool. Indeed, by the end of calendar year 2011, only two state attorneys general — Connecticut and Vermont – had acted on their HITECH-expanded HIPAA enforcement powers.
However, more are wading in this year:
- On May 26, 2012, the Massachusetts Attorney General announced that it had settled a lawsuit filed against South Shore Hospital for $750,000.00. The lawsuit, which alleged violations of HIPAA and the Massachusetts Consumer Protection Act, arose out of South Shore’s decision to send unencrypted back-up tapes offsite to a data archiving vendor to be erased and re-sold as blank media. However, South Shore failed to notify the vendor that the tapes contained PHI and did not ensure that the vendor had the appropriate safeguards to protect the PHI.
- On July 30, 2012, the Minnesota Attorney General announced a $2.5 million settlement with business associate Accretive Health, Inc., a debt collection agency serving two Minnesota hospitals. The settlement arose out of a lawsuit filed in January 2012 alleging violations of HIPAA and other Minnesota state laws after Accretive lost a laptop containing the unencrypted PHI of over 23,000 Minnesota patients.
With scarcely a week going by without a reported data breach, privacy, especially as it relates to the protection of health information, is now squarely on the radar of most state regulators. Therefore, whether under HIPAA alone or in conjunction with state privacy and consumer protection laws, state attorneys general can be expected to sit on the front lines of HIPAA enforcement in the years to come.
Thus, covered entities and business associates alike should understand the heightened regulatory environment in which they conduct business, should appreciate the significant impact that fifty new regulators will have upon HIPAA enforcement efforts, and should take meaningful steps towards HIPAA compliance.
The White House Office of Management and Budget (“OMB”) has extended its review of the final omnibus HIPAA rule, validating recent comments indicating that further delay was likely. As we reported back in March, the Department of Health and Human Services Office for Civil Rights submitted the final omnibus rule for review by OMB, a review which typically takes 90 days. Now that this review period has passed, late summer appears to be the time frame du jour. We will continue to monitor any developments and report on them as they occur.
Last week, the Alaska Department of Health and Social Services (“Alaska DHSS”), the state’s Medicaid agency, agreed to pay the U.S. Department of Health and Human Services $1.7 million to settle alleged violations of the HIPAA Security Rule. The Security Rule protects health information in electronic form by requiring covered entities to implement administrative, physical, and technical safeguards to ensure that electronic protected health information (“ePHI”) remains confidential and secure.
OCR began its investigation when Alaska DHSS self-reported a breach under HITECH’s breach notification rules. The breach occurred when a portable USB hard drive that potentially contained ePHI was stolen from the vehicle of an Alaska DHSS employee.
Beyond the breach itself, OCR’s investigation revealed that Alaska DHSS did not have adequate policies and procedures in place to safeguard ePHI. OCR also found that Alaska DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security awareness training for its workforce, implemented device and media controls, or addressed device and media encryption, as the Security Rule requires. (Encryption is an “addressable” specification under the Security Rule: a covered entity must either implement it or document why it is not reasonable and appropriate and adopt an equivalent alternative measure. It is not optional to simply ignore.)
In addition to the monetary payment, Alaska DHSS entered into a corrective action plan that requires it to review, revise, and maintain policies and procedures to ensure compliance with the Security Rule.
Finally, OCR appointed a monitor who will report regularly to OCR on Alaska DHSS’s ongoing compliance efforts. The HHS/Alaska DHSS Resolution Agreement can be found on the OCR website.
Importantly, this is OCR’s first enforcement action against a state entity, and it demonstrates that OCR will not hesitate to act against public entities that fail to take their HIPAA obligations seriously. OCR Director Leon Rodriguez stated that “we expect organizations to comply with their obligations under these rules regardless of whether they are private or public entities.”
OCR’s Audit Program, which began in December 2011, is part of HHS’ efforts under HITECH to assess HIPAA compliance by covered entities, identify best practices, and discover risks and vulnerabilities in protecting the privacy and security of PHI which may not have come to light through OCR’s complaint investigation and compliance reviews.
OCR has repeatedly stated that its Audit Program is intended to serve as a compliance improvement tool, not an enforcement tool. To that end, a HIPAA complaint to OCR does not trigger an audit (at least not yet). Nevertheless, OCR has warned that while an Audit may uncover issues that can appropriately be addressed through voluntary corrective action, if an audit indicates serious noncompliance, it could trigger a separate enforcement action.
OCR’s Audit Program is being conducted in two phases. The initial audit phase – to test OCR’s newly developed audit protocol – involved the identification of 20 covered entities (10 providers, 8 health plans and 2 health clearinghouses) to audit. The first 20 entities were divided into four different groupings:
- Level 1 entities – large provider or plan with over $1 billion in revenues and extensive HIT use.
- Level 2 entities – regional providers or plans with revenues between $300 million to $1 billion with paper and HIT enabled workflows.
- Level 3 entities – community hospitals, regional pharmacies, and self-insured health plans that do not adjudicate their own claims, with $50-$300 million in revenues and some HIT use.
- Level 4 entities – small providers, community hospitals or rural pharmacy with revenues less than $50 million and little to no use of HIT.
These initial audits are now complete, and on June 7, 2012, Linda Sanches, OCR Senior Advisor, Health Information Privacy Lead, HIPAA Compliance Audits, presented initial audit findings at the OCR/NIST conference, Safeguarding Health Information: Building Assurance through HIPAA Security.