Health IT Law Blog

HHS settlement amounts dwarfed by total costs of data breaches

Steve Fox and Vadim Schick — Mon, 30 Apr 2012 14:15:05 -0500

A surge in data privacy breaches and the accompanying string of recent HHS enforcement actions should serve as an important reminder to healthcare providers regarding the importance of data privacy protection and the skyrocketing costs of failures to comply. 2011 saw a 97% increase in the number of data breaches, as reported by the Salt Lake Tribune in the context of the massive breach of health information privacy in Utah earlier this month.

At the same time, HHS has stepped up its enforcement actions. Last week, we touched on the $100,000 OCR settlement with a cardiology practice in Arizona. Last month, HHS reached a $1.5 million settlement with Blue Cross Blue Shield of Tennessee (BCBST) for a breach of about 1 million unencrypted patient records which resided on over 50 stolen hard-drives. However, the $1.5 million settlement amount was dwarfed by the $17 million BCBST had to spend on notification and credit monitoring expenses, as well as investigating and correcting the breach.

The BCBST settlement is a good reminder that breaches and noncompliance can be extraordinarily expensive, even without the federal and/or state regulatory fines. A December 2011 Ponemon Institute study found that data security breaches cost the healthcare industry $6.5 billion in the year leading up to that study. Just last month, a medical records company filed for bankruptcy after its offices were burglarized and medical records of over 14,000 people were stolen. The costs and expenses associated with that breach were so high that the firm had no choice but to go out of business.

These cases also demonstrated that OCR will investigate a breach regardless of the organization's size or reach. In fact, smaller practices should pay particular attention to these developments because a recent study showed that smaller healthcare providers are more likely to suffer a breach because their Internet and sharing practices are not likely as secure as those implemented at large healthcare provider organizations.

Basic compliance with HIPAA and the related regulations is, of course, required, but it is not a panacea. A study by the American National Standards Institute found that insufficient funding and lack of managerial support were among the key causes of security breaches of protected health information.

A HIMSS/Kroll study showed that while most of the surveyed healthcare providers are compliant with the applicable laws, regulations, and industry standards, significant security challenges remain. Employees' compliance with the organization's policies was the primary concern, reported by nearly half of all respondents to that survey. Constant evolution of tech devices and the way doctors and patients interact using such devices is another huge challenge, since regulations cannot keep up with the exponential rate of change in this market.

Finally, the HIMSS/Kroll study showed that healthcare providers are also concerned about third parties (e.g., contractors, business associates, et al) who have access to such providers' patient information. As we have written previously, it is absolutely crucial to have the right contractual protections in your license and services agreements with such third parties, including indemnification or cost reimbursement provisions in the applicable Business Associate Agreements. A hacker or an intentional theft or disclosure by an employee may be difficult to control or prevent; but each healthcare provider can protect themselves contractually for the costs associated with a data breach, if such such breach was caused by the negligence of a business associate or a third party contractor.

HHS settles HIPAA violation case for $100,000, Corrective Action Plan

Steve Fox and Vadim Schick — Wed, 18 Apr 2012 11:32:33 -0500

On April 17, 2012, HHS announced that its Office for Civil Rights (OCR) settled a HIPAA violation case against a surgery practice in Arizona, for $100,000 and a Corrective Action Plan (CAP), which requires implementation of policies and procedures to prevent such HIPAA violations and breaches in the future.

Via HHS Press Release:

The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).

'This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,' said Leon Rodriguez, director of OCR. 'We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.'

OCR’s investigation also revealed the following issues:

Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;

Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;

Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and

Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.

Under the HHS resolution agreement, Phoenix Cardiac Surgery has agreed to pay a $100,000 settlement amount and a corrective action plan that includes a review of recently developed policies and other actions taken to come into full compliance with the Privacy and Security Rules.

"HHS settles case with Phoenix Cardiac Surgery for lack of HIPAA safeguards," HHS Press Release (April 17, 2012).

HHS issues proposed rules on Stage 2 of Meaningful Use

Steve Fox and Vadim Schick — Mon, 27 Feb 2012 15:22:46 -0500

On February 24, 2012, Center for Medicare and Medicaid Services (CMS) and the Office of National Coordinator for Health IT (ONC) issued proposed rules regarding Stage 2 of Meaningful Use. The proposed rules include the criteria for demonstrating Stage 2 Meaningful Use, and address the penalties for failure to achieve Meaningful Use by 2015. HHS noted the progress made in the last few years, but also recognized the challenges facing the industry, and pushed back the attestation for Stage 2 to 2014. Via HHS Press Release:

In a November 2011 'We Can’t Wait' announcement, the Department outlined plans to provide an additional year for providers who attested to meaningful use in 2011. Under today’s proposed rule, stage 1 has been extended an additional year, allowing providers to attest to stage 2 in 2014, instead of in 2013. The proposed rule announced by ONC identifies standards and criteria for the certification of EHR technology, so eligible professionals and hospitals can be sure that the systems they adopt are capable of performing the required functions to demonstrate either stage of meaningful use that would be in effect starting in 2014.

'The proposed rules for stage 2 for meaningful use and updated certification criteria largely reflect the recommendations from the Health IT Policy and Standards Committees, the federal advisory committees that operate through a transparent process with broad public input from all key stakeholders. Their recommendations emphasized the desire to increase health information exchange, increase patient and family engagement, and better align reporting requirements with other HHS programs,' said Farzad Mostashari, MD, ScM, National Coordinator for Health Information Technology. 'The proposed rules announced today will continue down the path stage 1 established by focusing on value-added ways in which EHR systems can help providers deliver care which is more coordinated, safer, patient-centered, and efficient.

The number of hospitals using EHRs has more than doubled in the last two years from 16 to 35 percent between 2009 and 2011. Eighty-five percent of hospitals now report that by 2015 they intend to take advantage of the incentive payments.

A technical fact sheet on CMS’s proposed rule is available at http://www.cms.gov/apps/media/fact_sheets.asp.

A technical fact sheet on ONC’s standards and certification criteria proposed rule is available at http://www.healthit.gov/policy-research.

The proposed rules announced today may be viewed at www.ofr.gov/inspection.aspx. Comments are due 60 days after publication in the Federal Register.

Secretary Sebelius announces next stage for providers adopting electronic health records, HHS Press Release (February 24, 2012).

OCR to release final breach notification rule in March

Steve Fox and Vadim Schick — Thu, 16 Feb 2012 16:31:56 -0500

Via Healthcare Info Security:

The Department of Health and Human Services' Office for Civil Rights has set a March target date for release of the long-delayed final version of Health Insurance Portability and Accountability Act modifications and the HIPAA breach notification rule.

Although an HHS semi-annual regulatory agenda published Feb. 13 in the Federal Register did not mention these regulations, a January 'unified agenda' document, with far more details, shows a March target date, notes Susan McAndrew, OCR's deputy director for health information privacy.

The HHS regulatory agenda sets target dates, which, historically, aren't necessarily met. And the rules don't yet appear on the list of regulations under review by the Office of Management and Budget. OMB review is the final step before publishing a rule in the Federal Register.

'OCR is making every effort to publish the final rules on all of the remaining HITECH Act provisions so these important protections and expansions of individual rights under the HIPAA privacy and security rules can be made available uniformly to consumers across the country,' McAndrew told HealthcareInfoSecurity. 'OCR is proceeding with all deliberate speed to ensure the major impacts of these regulations are fully understood and addressed.'

In mid-2010, OCR issued a proposed version of the HIPAA modifications, which would, among other things, require business associates to comply. An interim final version of the HIPAA breach notification rule is now in effect until the final version is released. OCR submitted a final version for review by the Office of Management and Budget in 2010 and then withdrew it (see: Final Breach Notification Rule on Hold). It's been on hold ever since.

The interim final version of the breach rule contains a controversial harm standard that enables organizations to conduct a risk assessment to determine whether a breach represents a significant risk of harm to individuals and thus merits reporting.

"March Target for HIPAA Modifications," Healthcare Info Security (February 15, 2012).

Data mining by hospitals may be profitable, but not risk-free

Steve Fox and Vadim Schick — Mon, 06 Feb 2012 13:17:17 -0500

The USA Today published a story yesterday about a few hospitals using aggregated consumer data for marketing of such hospitals' most lucrative services. The article describes several instances where such direct marketing efforts yielded significant profits for the hospitals.

We see healthcare providers using aggregated and de-identified data on a regular basis, both for marketing and research purposes. We also see third party vendors (including EHR vendors) adding data mining provisions in their license agreements, which allow such vendors to use the healthcare provider's de-identified patient data for such vendor's internal and commercial purposes.

While these practices are widespread and are becoming standard, they are certainly not risk-free. Healthcare providers should keep in mind that the updated HIPAA Privacy Rule (as modified by the HITECH Act) includes significant new restrictions on covered entities' marketing efforts. Providers should make sure that their marketing efforts, as well as the marketing activities of their subcontractors and business associates, fully comply with these recent regulations. This may require revisions in existing contracts, including Business Associate Agreements, between providers and IT vendors.

Healthcare providers should also insist on full indemnification by the IT vendors against all claims and damages arising out of such vendor's use of the provider's de-identified patient data. Studies have shown that de-identified data can be aggregated or de-identified inappropriately; and it can also be re-identified. Providers should protect themselves contractually prior to allowing the vendor to access and use the hospital's data (including patient data).

The above is certainly not an exhaustive list of all potential issues associated with data mining by healthcare providers and their business partners. But the USA Today article should serve as a good reminder that healthcare providers engaging in such data mining and marketing activities must protect their organizations from liability for damages relating to such data use.

"Hospitals mine patient records in search of customers," USA Today (February 5, 2012).

HHS extends Stage 2 Meaningful Use deadline to 2014

Steve Fox and Vadim Schick — Wed, 30 Nov 2011 15:25:23 -0500

HHS announced today that the government intends to make it easier for healthcare providers to adopt electronic health records (EHRs). As part of this initiative, HHS decided to extend the deadline for meeting Stage 2 of Meaningful Use until 2014. Via HHS press release:

Under the current requirements, eligible doctors and hospitals that begin participating in the Medicare EHR (electronic health record) Incentive Programs this year would have to meet new standards for the program in 2013. If they did not participate in the program until 2012, they could wait to meet these new standards until 2014 and still be eligible for the same incentive payment. To encourage faster adoption, the Secretary announced that HHS intends to allow doctors and hospitals to adopt health IT this year, without meeting the new standards until 2014.

HHS also trumpeted the results of a CDC survey which found that more than half of U.S. physicians plan to take advantage of the EHR incentive program, and that the rate of EHR adoption doubled between 2008 and 2011, from 17% to 34% among physicians.

Of course, HHS did not comment on how low those numbers are. The fact remains that about two-thirds of U.S. physicians have not adopted electronic health records, and continue to use, in Secretary's words, the same technology as Hippocrates. The Obama administration is relying heavily on Regional Extension Centers and training efforts in order to aid healthcare enterprises in adopting EHRs.

We will update this post with links to any relevant regulations if and/or when HHS publishes them in the Federal Register.

"We Can't Wait: Obama Administration takes new steps to encourage doctors and hospitals to use health information technology to lower costs, improve quality, create jobs," HHS press release (November 30, 2011).

CMS issues final rule on ACOs

Steve Fox and Vadim Schick — Wed, 26 Oct 2011 13:00:24 -0500

On October 20, 2011, CMS published the final rule on Accountable Care Organizations (ACOs) or, as it is formally known, the Medicare Shared Savings Program (the "Program"), enacted as part of the Patient Protection and Affordable Care Act (ACA) of 2010. According to CMS chief Don Berwick, MD, the Program represents an "opportunity to coordinate care among providers," which could "greatly improve the quality of care Medicare beneficiaries receive," and produce substantial savings for the federal government. The Program creates incentives for providers to collaborate in treating an individual patient across care settings, in order to receive a portion of the savings generated from providing such care.

CMS has substantially relaxed the requirements for ACOs originally provided in the proposed rule. Some of the key changes include (among many others):

Adding a "one-side" risk model, allowing providers to participate in the program without risking a loss in the event their ACO did not produce savings
"Preliminary perspective assignment" of Medicare beneficiaries, giving ACOs more control over their Medicare beneficiary population
Reducing the number of performance measures from 65 to 33
Eliminating the two percent threshold for being eligible for shared savings

CMS will begin taking applications for the program on January 1, 2012, with start dates of April 1 and July 1, 2012.

Important links via HHS press release:

The Shared Savings Program final rule can be found at: http://www.HealthCare.gov/law/resources/regulations/index.html. (See Final Rule on Shared Savings Program: Accountable Care Organizations)

The Advanced Payment solicitation is posted at: http://innovations.cms.gov/areas-of-focus/seamless-and-coordinated-care-models/advance-payment/.

For more information, fact sheets are posted at: http://www.HealthCare.gov/news/factsheets/2011/10/accountable-care10202011a.html and http://www.cms.gov/ACO/.

The joint CMS and Department of Health and Human Services Office of Inspector General (OIG) Interim Final Rule with Comment Period addressing waivers of certain fraud and abuse laws in connection with the Shared Savings Program can be found at: http://www.HealthCare.gov/law/resources/regulations/index.html. (See Request for Public Comment on Final Waivers in Connection with the Shared Savings Program).

The Antitrust Policy Statement is posted at: www.ftc.gov/opp/aco/ andhttp://www.justice.gov/atr/public/health_care/aco.html.

The Internal Revenue Service (IRS) Fact Sheet, Tax-Exempt Organizations Participating in the Medicare Shared Savings Program through Accountable Care (FS-2001-11), is posted at: http://www.irs.gov/newsroom/article/0,,id=248490,00.html.

Nemours reports breach affecting 1.6 million individuals

Steve Fox and Vadim Schick — Wed, 19 Oct 2011 14:40:39 -0500

Nemours, a children's health system with hospitals in Pennsylvania, Delaware, Florida and New Jersey, reported a massive breach affecting 1.6 million people, including patients, employees, and vendors. Via Health Data Management:

'On September 8, 2011, we learned that a locked tape storage cabinet containing computer backup tapes was missing,' the delivery system said in a notice to patients. 'We immediately began an investigation and now believe the cabinet was removed from our Wilmington facility on or about August 10, 2011, during a remodeling project. To date, we have been unable to locate the storage cabinet. We believe the cabinet contained three unencrypted backup tapes from a computer system we stopped using in 2004. No medical records were on the backup tapes, but they did contain patient billing information, including name, date of birth, insurance information, medical treatment information, and Social Security number.' Some employee payroll data and vendor information, such as direct deposit bank account information, also was on the tapes.

Nemours began encrypting its back up data tapes and moved its rarely-used tapes to a more secure off-site facility. The health system is offering a year's worth of credit-monitoring to affected individuals, which considering the numbers involved in this breach, could be a massive, seven-figure expense.

"Nemours Notifying 1.6 Million Individuals About Breach," Health Data Management (October 18, 2011).

HHS awards over $650 million in EHR incentive payments

Steve Fox and Vadim Schick — Mon, 26 Sep 2011 16:40:50 -0500

HHS released the first numbers regarding its Meaningful Use incentives program, established by the HITECH Act of 2009. Unsurprisingly, most eligible professionals and hospitals receiving funds this year qualified for incentive payments under Medicaid, rather than Medicare, because Medicare has a higher threshold for receiving such payments. Medicare requires the eligible professional or hospital to achieve and demonstrate meaningful use, while Medicaid mandates only adoption, implementation or upgrade of existing systems.

Nevertheless, the extent of the disparity was somewhat surprising: only about 6% of eligible hospitals and 3% of eligible professionals qualified for meaningful use incentives under Medicare. Via Modern Healthcare:

So far, Medicaid program payments for hospitals, physicians and other eligible professionals that have adopted, implemented or upgraded to a certified EHR system have totaled $389 million. Only $264 million has been paid under the Medicare program, which has a higher eligibility threshold, requiring providers to demonstrate that they are meaningfully using their certified EHR system.

Through Aug. 31, 2,054 hospitals have registered with the CMS to receive Medicare incentive payments. Hospitals that registered as dual-eligibles need to attest to having met meaningful-use targets under the Medicare portion of the program. But only 114 of the registered hospitals—less than 6%—have attested to being meaningful users. They have split about $226 million in Medicare EHR incentive payments.

Similarly, for the same period, 71,378 physicians and other "eligible professionals" have registered with the CMS under the Medicare EHR program, but only 2,129—or about 3%—have shared in $38.3 million in Medicare EHR payments. Unlike hospitals, professionals can't participate in both the Medicare and the Medicaid incentive programs. They must choose one.

According to the CMS, 15 hospitals have been paid solely under state-run Medicaid programs; they have received $32.9 million. In addition, 294 hospitals registered as dual-eligibles have been paid $262.2 million by Medicaid. There have been 4,463 physicians and eligible providers paid $93.9 million under Medicaid, according to the CMS.

You can find the CMS summary and charts relating to EHR incentive payments by clicking here.

"CMS: $653 million in EHR incentives paid," Modern Healthcare (September 22, 2011).

Major data breach at Stanford Hospital

Steve Fox and Vadim Schick — Mon, 12 Sep 2011 11:27:04 -0500

A spreadsheet containing personal data of 20,000 emergency room patients of Stanford Hospital appeared on Student of Fortune, a Web site which "crowdsources" homework to other students online. The lost data included names, admission dates, diagnoses and other sensitive information. According to the New York Times, the spreadsheet was uploaded to this site by a billings contractor of Stanford Hospital, when an employee tried to solicit help on how to create a graph from the data in the spreadsheet. As Gawker reasonably speculated, a contractor's employee probably did not know how to create a graph and "so uploaded it to the homework helper website and offered, probably, a buck or two if someone could do it for them."

This breach stands out among the hundreds of others not because of its size (significantly larger breaches have been reported to HHS in the last year alone), but because this breach went undetected for almost a year and because, once again, a contractor of the healthcare provider caused a major data breach. According to a privacy expert quoted in the Times, "nearly 20 percent of breaches involved outside contractors, accounting for more than half of all the records exposed," which is a staggering number.

To protect our healthcare provider clients, we always include specific privacy protection warranties, indemnification clauses and limitation of liability carve-outs for vendor's own negligent acts or omissions which result in a data breach or loss. Stanford Hospital's example illustrates that providers must insist on such protections despite strenuous objections from vendors because, otherwise, providers may be exposed to a wide range of expenses and damages from third-party claims, fines, investigations and breach notification associated with a data breach or loss resulting from vendor's actions.

The Times correctly pointed out that contract language alone is not enough, and that significant due diligence by each provider is required. Certainly, employee training for both the hospital and the business associate-type contractors is absolutely essential. Relating the seriousness and gravity of health information privacy breaches should be a key element of such training. However, having a clear termination right and a strong contractual obligation to indemnify the provider in the event a vendor causes a major breach like the one at Stanford Hospital, is a good start.

We frequently see vendor agreements either without such an indemnification clause or with severe caps on vendor's liability. The latter is often limited to one year's worth of fees, or, in a better scenario, all fees paid by provider to vendor under the agreement. However, in case of a major breach caused by a vendor, such caps would not allow a provider to recover its costs and damages in dealing with the breach. Therefore, carve-outs to vendor's limitation of liability in connection with vendor's own breaches of PHI or other confidential information are crucial.

Stanford Hospital may be exposed to significant fines under both federal and state privacy laws. In fact, another Stanford hospital (Packard Children's) was slapped with a $250,000 fine under California law for failing to report a breach within 5 days. However, such regulatory expenses are just the tip of the iceberg: Stanford Hospital will have to spend a lot more on investigations, legal expenses, staff time, and, possibly, credit monitoring for the affected individuals.

For more information, please listen to or view the slides from our Webinar on negotiating "must-have" provisions in HIT contracts.

"Patient Data Posted Online in Major Breach of Privacy," The New York Times (September 8, 2011).

"Stanford Hospital Suffers Comically Stupid Patient Data Leak," Gawker.com (September 8, 2011).

Study: Most data breaches are caused by insiders

Steve Fox and Vadim Schick — Wed, 07 Sep 2011 13:23:22 -0500

A survey by Veriphyr, a provider of identity and access intelligence solutions, found that insiders were responsible for over 60% of data breaches of protected health information (PHI). Specifically, 35% of the PHI breaches were due to insiders' snooping into medical records of fellow employees, and 27% due to improper access to records of their friends and relatives.

Over 70% of surveyed entities, which included hospitals and other heathcare providers, reported suffering one or more breaches within the last 12 months. Veriphyr CEO estimated that data breaches cost healthcare organizations almost $6 billion annually, but found that an overwhelming majority of privacy and compliance officers within the surveyed group (79%) felt that they lacked "adequate controls to detect PHI breaches in a timely fashion."

It is worth noting that 45% of breaches in the survey were caused by loss or theft of medical records and/or equipment holding such records. We have recently seen HHS impose a $1 million fine on Massachusetts General Hospital in a case where, it seems, records were lost by an employee due to a simple mistake and with no malice. UCLA Health System also paid a high price for its employees' snooping into medical records of celebrities.

While it is difficult to anticipate or avoid all possible human error, certain best practices - including Board and executive-level support for privacy initiatives, staff training and updated privacy and security policies and procedures, will go a long way to help your organization protect itself from a disastrous and costly data breach.

"Insiders responsible for majority of privacy breaches, survey finds," Healthcare IT News (August 30, 2011).

iPad EHR app certified for meaningful use

Steve Fox and Vadim Schick — Mon, 01 Aug 2011 15:10:03 -0500

In a sure sign of the times, Drchrono, which offers a free electronic health record platform on the iPad, became the first iPad app to receive official ONC-ACTB certification. According to Healthcare IT News, "the drchrono EHR platform has been awarded ambulatory certification (ONC-ATCB) as a Complete EHR by San Luis Obispo, Calif.-based InfoGard, an Office of the National Coordinator (ONC) Authorized Testing and Certification Body (ATCB)". The app tracks a provider's use of the EHR and offers them key metrics to report to CMS, and includes many other features, such as billing and e-prescribing.

This is a huge step for a mobile EHR app, but its maker's regulatory hurdles may not be over. Last week, we reported on the FDA potentially regulating the market of mobile healthcare devices and applications. Electronic and personal health records could be exempt from such regulation, unless the FDA adopts a broad definition of "clinical decision support," which includes decisions based on the information given to a provider via the EHR app or device.

Moreover, use of such mobile apps or devices in healthcare presents providers with a very long list of legal concerns. Privacy and security of patient data, compliance with state and federal laws (including Stark and anti-kickback statutes), assumption of risk and liability, along with many other critical issues, should be addressed in the contract between the healthcare provider and vendor of such software.

"iPad EHR gains meaningful use certification," Healthcare IT News (July 29, 2011).

"FDA's mobile medical app guidelines get everybody talking," Healthcare IT News (July 26, 2011).

FDA to regulate some mobile health applications

Steve Fox and Vadim Schick — Wed, 20 Jul 2011 16:08:02 -0500

On July 19, 2011, the U.S. Food and Drug Administration (FDA) issued a guidance regarding the agency's plans to regulate select software applications intended for use on mobile platforms (mobile applications or "mobile apps"). According to the Washington Post, the FDA proposed to regulate only those mobile apps which: (1) act as an accessory to a regulated medical device; (2) turn a mobile device or gadget into a regulated device; and/or (3) make suggestions regarding a patient's diagnosis or treatment. Via the Post:

For example, an app that allows radiologists to view X-rays on an iPad or that turns an Android phone into a heart monitor would be regulated. But an app that stores medical records or provides training videos to physicians would not.

'We wanted to make sure that we are consistent in regulating medical devices so nothing has changed,' [FDA policy adviser Baku] Patel said. If 'somebody makes a stethoscope on an iPhone, it doesn’t change the level of oversight we have of a stethoscope.'

FDA's guidance does not establish any legally enforceable responsibilities, but describes FDA's current thinking on this topic and should be viewed only as recommendations. The agency will collect input from manufacturers and healthcare providers over the next 90 days.

You can view the full guidance by clicking here.

UCLA Health System reaches $865,500 settlement with OCR

Steve Fox and Vadim Schick — Thu, 07 Jul 2011 14:38:47 -0500

On July 6, 2011, the University of California at Los Angeles Health System (UCLAHS) reached a settlement with HHS's Office of Civil Rights (OCR) regarding UCLAHS's potential violations of HIPAA Privacy and Security Rules. The settlement includes a payment of $865,500 and a corrective action plan (CAP).

According to the HHS press release, this settlement "resolves two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLAHS. The complaints alleged that UCLAHS employees repeatedly and without permissible reason looked at the electronic protected health information of these patients. OCR’s investigation into the complaints revealed that from 2005-2008, unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients."

We reported on possible privacy violations at UCLA Health System before. Specifically, in May 2010, we wrote about Huping Zhou, a UCLAHS employee who was the first person to receive a criminal conviction for a HIPAA violation. It is not surprising that OCR stressed the importance of training staff in prevention of such privacy violations in the CAP required by the settlement. The CAP "requires UCLAHS to implement Privacy and Security policies and procedures approved by OCR, to conduct regular and robust trainings for all UCLAHS employees who use protected health information, to sanction offending employees, and to designate an independent monitor who will assess UCLAHS compliance with the plan over 3 years."

Via HHS press release:

Through policies and procedures, entities covered under HIPAA must reasonably restrict access to patient information to only those employees with a valid reason to view the information and must sanction any employee who is found to have violated these policies.

<...> Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections. Entities will be held accountable for employees who access protected health information to satisfy their own personal curiosity,” said Director Verdugo.

Covered entities are responsible for the actions of their employees. This is why it is vital that trainings and meaningful policies and procedures, including audit trails, become part of the everyday operations of any health care provider,” said OCR Director Georgina Verdugo. “Employees must clearly understand that casual review for personal interest of patients’ protected health information is unacceptable and against the law.”

HHS advisory panel recommends delaying Stage 2 Meaningful Use until 2014

Steve Fox and Vadim Schick — Fri, 10 Jun 2011 13:11:16 -0500

The HIT Policy Committee, which advises the Office of the National Coordinator for Health IT in the Department of Health and Human Services, voted 12-5 to approve a significant delay in requiring providers to meet Stage 2 Meaningful Use until 2014. If finalized by CMS, such delay would be a welcome relief to those providers who qualified for Stage 1 Meaningful Use in 2011 (and therefore would have only a few months to commence Stage 2 Meaningful Use under the current rule).

Via Government Health IT:

The delay is among the stage 2 recommendations that the Health IT Policy Committee approved at its meeting June 8 by an overwhelming vote of 12 to 5.

The original 2013 timeframe does not give vendors enough time to design, develop, and test new functionality and providers to deploy it and report measures for one year, said Dr. Paul Tang, vice chair of the Health IT Policy Committee and chair of its meaningful use work group.

“The only group that would be affected is the early entrants who qualify for stage 1 in 2011 who get put into a bit of predicament in an unintended way,” he said. Tang is also chief medical information officer at the Palo Alto Medical Foundation.

As a result, stage 1 demonstration and attestation would continue through 2013; stage 2 would start in 2014 and stage 3 in 2015. With the revised timing, providers will still receive the same payments as originally planned. Instead of 2013, however, early entrants will have to wait to attest and receive payments for stage 2 in 2014.

You can find and download the Meaningful Use workgroup's recommendations by clicking here.

HHS issues proposed rule on accounting of PHI disclosures

Steve Fox and Vadim Schick — Wed, 01 Jun 2011 14:31:30 -0500

On May 31, 2011, HHS released the proposed rule on accounting for dislosures of protected health information (PHI), which modified the HIPAA Privacy Rule pursuant to the HITECH Act. This proposed rule would give individuals the right to get a report on who has electronically accessed their PHI. Via HHS press release:

'This proposed rule represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard private health information,' said OCR Director Georgina Verdugo. 'We need to protect peoples’ rights so that they know how their health information has been used or disclosed.'

People would obtain this information by requesting an access report, which would document the particular persons who electronically accessed and viewed their protected health information. Although covered entities are currently required by the HIPAA Security Rule to track access to electronic protected health information, they are not required to share this information with people.

The proposed rule requires an accounting of more detailed information for certain disclosures that are most likely to affect a person’s rights or interests. The proposed changes to the accounting requirements provide information of value to individuals while placing a reasonable burden on covered entities and business associates.

You can view and download the proposed rule by clicking here.

Audit criticizes OCR and ONC over data privacy efforts

Steve Fox and Vadim Schick — Thu, 19 May 2011 14:35:24 -0500

HHS's own Office of Inspector General (OIG) issued a scathing report regarding pervasive breaches in privacy and security of patient data. OIG specifically called out the Office of Civil Rights (OCR), charged with enforcement of HIPAA Privacy and Security Rules, for failing to investigate and punish the vast majority of violators.

The audit tested seven hospitals' compliance with HIPAA in seven different states, and found 151 vulnerabilities in the systems and controls intended to cover e-PHI, 124 of which were categorized as "high-impact" (i.e., ones which may result in costly losses, injury or death.) Violations included unencrypted wireless connections, easy passwords, and even a taped-over door lock on a room used for data storage. Via Modern Healthcare:

The audits of the seven hospitals revealed weaknesses in hospital IT defenses of electronic protected health information, or ePHI, ranging from the fact that several hospitals still were using obsolete and vulnerable encryption protocols to the fact that all seven had vulnerable access controls in which “Outsiders or employees at some hospitals could have accessed, and in one hospital did access, systems and beneficiaries' personal data and performed unauthorized acts without the hospitals' knowledge.”

“These vulnerabilities placed the confidentiality, integrity and availability of ePHI at risk,” the auditors said. The individual hospital audit reports were not disclosed “because the reports contained restricted, sensitive information that may be exempt from release under the Freedom of Information Act,” according to the report.

OIG also criticized the Office of National Coordinator for Health IT (ONC) for their failure to develop standards ensuring privacy and security of patient data as part of ARRA's push for digitizing medical records:

As a yardstick for ONC performance as a security champion, the inspector general's auditors reviewed last year's ONC-developed interim final rule and final rule on standards, implementation specifications and certification criteria for the ARRA-funded electronic health record system incentive payment program. The auditors found both wanting.

The report's authors differentiated between two types of security measures. One they described as “application security controls” that “function inside systems or applications to ensure that they work correctly.” Such measures include security controls covered by the ONC final rule and used in testing and certification of electronic health-record systems as able to meet meaningful-use requirements for providers participating in the federal IT incentive payment programs. An example is a requirement that certified EHRs be able to encrypt data shared between providers.

The auditors called the other type of measures “general information technology security controls,” described as “structure, policies and procedures that apply to an entity's overall computer operation.”

An example would be a policy that requires providers to use encryption software on their systems and encrypt all data copied from an EHR and placed on a portable storage device, such as a laptop, CD or a portable thumb drive. The auditors found that the ONC had included application controls in writing its interoperability specifications for meaningful use, but that "there were no (health IT) standards that included general IT security controls.”

Other examples of general controls not addressed by the ONC but suggested for development by the report would be requirements that providers use two-factor authentication to gain access to an organization's health IT system and policies that mandate that organizations install “patches” or bug fixes in a routine and timely manner to computers that process and store EHRs.

"Audit reports hit HHS on digital security," Modern Healthcare (May 17, 2011).

Updates to privacy and security regulations expected soon

Steve Fox and Vadim Schick — Mon, 16 May 2011 12:50:27 -0500

According to Healthcareinfosecurity.com, the Office of Civil Rights (OCR) is still working on the final rule regarding the updates to HIPAA and the related HIPAA Privacy and Security Rules mandated by the HITECH Act. Susan McAndrew, deputy director for health information privacy at OCR, stated at a conference in Washington, DC, that such changes will be contained in one omnibus regulation and is expected to be published in a matter of months, if not weeks.

Such omnibus regulation will cover:

HITECH Act-mandated modifications to the HIPAA privacy, security and enforcement rules. These changes, for example, formalize higher penalties for HIPAA violations and make it clear that business associates must comply with HIPAA. Last December, HHS had indicated in its semi-annual regulatory agenda that the final HIPAA modifications, many of which were issued in preliminary form last year, would be completed by March.

The breach notification rule. An interim final version is already in effect. OCR yanked a proposed final version of the rule last year for further consideration. Some observers speculated that the office may be reconsidering the controversial "harm standard" in the interim final version of the rule, which enables organizations to conduct a risk assessment to determine whether a security incident represents a significant risk of harm and thus merits reporting.

Privacy provisions under the Genetic Information Nondiscrimination Act. These provisions will formalize that using genetic information for insurance underwriting purposes is a privacy violation as well as a non-discrimination violation, McAndrew said.

Ms. McAndrew also indicated that "a notice of proposed rulemaking revealing a proposal for accounting for disclosures of information in electronic health records "probably" would be issued before the omnibus set of final regulations. Once that notice is issued, OCR will accept comments before issuing a proposed rule."

"HITECH Mandated Regs Still in Works," Healthcareinfosecurity.com (May 11, 2011).

Breaking: HHS releases proposed rule on ACO's

Steve Fox and Vadim Schick — Thu, 31 Mar 2011 10:34:51 -0500

Earlier today, HHS has released the highly anticipated proposed rule on Accountable Care Organizations (ACOs). The rules will guide healthcare providers in setting up exchanges of healthcare data to improve care and reduce costs, as mandated under the Patient Protection and Accountable Care Act of 2010.

HHS will host a call today, March 31, 2011 on the new regulations, expected to be released prior to the call. The call will take place a noon EDT today and can be accessed by calling 800-475-8413 Code: HHS.

You can find a copy of the proposed rule by clicking here.

Via Healthcare IT News:

Accountable care organizations are pivotal to the federal government's plan to reduce healthcare costs and improve quality. Some providers, such as Intermountain Health in Utah, have been using an approach that's something similar to ACOs for years. Collaborations between doctors and other providers make care more uniform, based on the best outcomes. Often, this care is also the most cost-effective. Some have called ACOs the HMOs of today.

Wednesday afternoon, CMS Administrator Donald Berwick and other federal officials hosted a pre-regulation release call on the pending ACO rule. According to Barnes, who was on the call, Berwick said that ACOs will not simply be the status quo repackaged – and that this will not be a one-size-fits-all approach.

According to Barnes, Berwick said the rule would put patients and families at the center of care, make ACOs particularly sensitive to care transitions and promote innovative care.

Medicare EHR incentives attestation to begin on April 18, 2011

Steve Fox and Vadim Schick — Tue, 29 Mar 2011 14:19:08 -0500

CMS announced that the online Attestation System for the Medicare EHR Incentive Program will launch on April 18, 2011. Eligible professionals and eligible hospitals will be able to use this online portal to self-attest to meeting the Meaningful Use criteria.

CMS also released a preview of the Attestation System. This preview includes attestation screenshots and is intended to give examples of what the attestation process will look like. CMS promised to release additional information about the attestation process soon, including "User Guides" that will give step-by-step instructions for completing attestation, along with educational webinars that describe the attestation process in depth.

Finally, CMS noted that providers will follow a similar process using their state's Attestation System. Such providers may find their state's scheduled launch dates of their Medicaid EHR Incentive Program by clicking here.

You can download the preview by clicking here.

For more information, please visit CMS's EHR Incentive Program web site.