<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.lexblog.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" version="2.0">

<channel>
	<title>HealtHITechLaw</title>
	
	<link>http://www.healthitechlaw.com</link>
	<description>HIPAA, HITECH and Beyond</description>
	<lastBuildDate>Fri, 17 May 2013 18:27:26 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.4.2</generator>
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.lexblog.com/Healthitechlaw" /><feedburner:info xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" uri="healthitechlaw" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">Healthitechlaw</feedburner:emailServiceId><feedburner:feedburnerHostname xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">http://feedburner.google.com</feedburner:feedburnerHostname><item>
		<title>Webinar: HIPAA Privacy and Security Rules: The New Breach Standard</title>
		<link>http://www.healthitechlaw.com/2013/05/17/webinar-hipaa-privacy-and-security-rules-the-new-breach-standard/</link>
		<comments>http://www.healthitechlaw.com/2013/05/17/webinar-hipaa-privacy-and-security-rules-the-new-breach-standard/#comments</comments>
		<pubDate>Fri, 17 May 2013 18:23:52 +0000</pubDate>
		<dc:creator>Lisa Pierce Reisz</dc:creator>
				<category><![CDATA[Webinar]]></category>
		<category><![CDATA[Final Omnibus HIPAA Rule]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HIPAA Security Rule]]></category>

		<guid isPermaLink="false">http://www.healthitechlaw.com/?p=623</guid>
		<description><![CDATA[Join us for a complimentary webinar to further discuss the release of the final omnibus HIPAA rule by the U.S. Department of Health and Human Services. The new rule includes sweeping changes to the HIPAA Privacy and Security Rules. Tuesday, May 21, 2013 Noon – 12:30 p.m. (Eastern Time) Analysis of unauthorized access, use, or... <a class="more" href="http://www.healthitechlaw.com/2013/05/17/webinar-hipaa-privacy-and-security-rules-the-new-breach-standard/">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<p>Join us for a complimentary webinar to further discuss the release of the final omnibus HIPAA rule by the U.S. Department of Health and Human Services. The new rule includes sweeping changes to the HIPAA Privacy and Security Rules.</p>
<p>Tuesday, May 21, 2013<br />
Noon – 12:30 p.m. (Eastern Time)</p>
<ul>
<li>Analysis of unauthorized access, use, or disclosure
<ul>
<li>Meaning of &#8220;breach&#8221;</li>
<li>Documentation requirements</li>
</ul>
</li>
<li>Notification requirements – affected individuals, media, and HHS</li>
<li>Breach prevention
<ul>
<li>Encryption</li>
<li>Robust compliance efforts</li>
<li>Insurance products</li>
</ul>
</li>
</ul>
<p>Click <a href="mailto:ksallen@vorys.com?subject=RSVP%3A%20May%20Webinar">here</a> to register or for more information.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.healthitechlaw.com/2013/05/17/webinar-hipaa-privacy-and-security-rules-the-new-breach-standard/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>EMR Privacy Issues Unique to Children</title>
		<link>http://www.healthitechlaw.com/2013/03/28/emr-privacy-issues-unique-to-children/</link>
		<comments>http://www.healthitechlaw.com/2013/03/28/emr-privacy-issues-unique-to-children/#comments</comments>
		<pubDate>Thu, 28 Mar 2013 18:07:44 +0000</pubDate>
		<dc:creator>J. Liam Gruzs</dc:creator>
				<category><![CDATA[Behavioral Health]]></category>
		<category><![CDATA[Children]]></category>
		<category><![CDATA[Electronic Health Record]]></category>
		<category><![CDATA[EHR]]></category>
		<category><![CDATA[EMR]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.healthitechlaw.com/?p=614</guid>
		<description><![CDATA[Many thanks to our colleague, Robin Canowitz, for submitting the following guest post. Implementing an Electronic Medical Record (“EMR”) brings many clinical and economic benefits to an institution.  These benefits, however, are accompanied by a variety of unique HIPAA and other privacy challenges.  Questions often arise regarding who should have access to records, how to limit access... <a class="more" href="http://www.healthitechlaw.com/2013/03/28/emr-privacy-issues-unique-to-children/">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<p>Many thanks to our colleague, <a href="http://www.vorys.com/canowitz" target="_blank">Robin Canowitz</a>, for submitting the following guest post.</p>
<p>Implementing an Electronic Medical Record (“EMR”) brings many clinical and economic benefits to an institution.  These benefits, however, are accompanied by a variety of unique HIPAA and other privacy challenges.  Questions often arise regarding who should have access to records, and how to limit access to portions of the medical record involving alcohol and drug abuse, mental health issues, sexually transmitted diseases, and other sensitive categories of PHI.  When treatment of minors is involved, the issues become even more complicated.  Set forth below is a discussion of a few such issues we frequently encounter.<span id="more-614"></span></p>
<h4>Parent Access</h4>
<p>As a general rule, parents and legal guardians have the right to obtain a copy of their child’s medical record.  However, many states permit unemancipated minors to consent to treatment and diagnosis, and to control their PHI for certain sensitive conditions, such as:</p>
<ul>
<li>Pregnancy</li>
<li>Abortion</li>
<li>Sexually transmitted diseases, including HIV and AIDS</li>
<li>Sexual Assault</li>
<li>Mental Illness</li>
<li>Drug and Alcohol Addiction.</li>
</ul>
<p>The legislative purpose behind providing unemancipated minors with these rights is to encourage them to seek treatment when they may be afraid to speak with their parents about these sensitive issues.  When implementing an EMR, providers need to consider how they will address this sensitive information.  If a parent requests a copy of his or her child’s medical record, how will the provider ensure that information regarding these sensitive issues does not get released to the parent?  With paper charts, it was easy to segregate this information into a separate section that did not get released.  The EMR is more complicated.  Consider the fact that an HIV positive diagnosis will find its way onto the patient’s “Problem List.”  Psychiatric Drugs prescribed will be listed in the prescription area, in the medication list, and may also be in a progress note.  When the data flows to different areas of the chart, it is much more difficult to separate it out, and ensure that it does not get released in an inappropriate manner.</p>
<h4>Patient Portals</h4>
<p>Patient portals are designed to allow patients to access parts of their medical record, communicate with their physicians in a secure manner, and set up appointments.  The use of patient portals can often result in significant cost savings to physicians and hospitals.  When children are involved, a critical consideration is who should have access to the patient portal?  Should it be the patient, their parent/legal guardian, or both?  When the child reaches the age of majority, how will the provider terminate the access of the parents or legal guardians?  If the provider allows parents to access the portal, will the parents have access to those sensitive categories of information that the minor patient has the right to control?</p>
<p>Some institutions have decided to keep any diagnosis related to these sensitive PHI categories out of the patient portal.  Another strategy is not to allow information on certain drugs, or on certain test results, to appear in the portals.  However, if a provider does choose to limit the type of information that flows to the patient portal, it is good practice to have a disclaimer on the portal site indicating that it does not contain all information which may be pertinent to the care and treatment of the patient.</p>
<h4>Sharing Among Institutions</h4>
<p>Many EMRs can “speak” to EMRs at other institutions.  When deciding what can be released from one institution to another, providers must consider both HIPAA and state law governing the release of information.  Some EMRs require that a release be signed before information can flow from one provider’s EMR to another.  When children’s medical records are involved, how does a provider ensure that the other institution has obtained consent from a proper party?  Providers who deal with children on a regular basis should be attuned to the often murky rules regarding who can consent to release.  For example, if parents are divorced, can only the custodial parent sign a release, or can either parent sign?  If parents are unmarried, what are the rights of the father?  Providers who do not frequently deal with these issues must be sure that consent, if required, is obtained from the proper party.</p>
<h4>Role Based Access</h4>
<p>The use of EMR technology can assist providers in their HIPAA Security Rule compliance by deterring staff from looking at patient information which they do not have a right to see.  Many EMRs have special security settings which will trigger additional questions to staff before they log into a chart they should not be viewing.  Some EMR clients use this technology on all cases where there is alleged child abuse, or cases where there has been significant press coverage.  These are cases where uninvolved staff may want to “take a peek” at that patient’s chart.  Applying this technology can remind staff that they should not be accessing the charts of patients that they are not directly involved in treating, and in the event that wandering eyes cannot be restrained, the EMR will be able to log this inappropriate access.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.healthitechlaw.com/2013/03/28/emr-privacy-issues-unique-to-children/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Webinar:  Updates to The Privacy Rule</title>
		<link>http://www.healthitechlaw.com/2013/03/17/hipaa-webinar/</link>
		<comments>http://www.healthitechlaw.com/2013/03/17/hipaa-webinar/#comments</comments>
		<pubDate>Sun, 17 Mar 2013 19:36:50 +0000</pubDate>
		<dc:creator>J. Liam Gruzs</dc:creator>
				<category><![CDATA[Rulemaking]]></category>
		<category><![CDATA[Webinar]]></category>
		<category><![CDATA[Final Omnibus HIPAA Rule]]></category>
		<category><![CDATA[Fundraising]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Marketing]]></category>
		<category><![CDATA[Notice of Privacy Practices]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[Policies and Procedures]]></category>
		<category><![CDATA[Privacy Rule]]></category>
		<category><![CDATA[Sale of PHI]]></category>
		<category><![CDATA[Training]]></category>

		<guid isPermaLink="false">http://www.healthitechlaw.com/?p=602</guid>
		<description><![CDATA[Please join us this Tuesday, March 19, 2013 for a complimentary webinar to further discuss the release of the Final Omnibus HIPAA Rule by the U.S. Department of Health and Human Services.  This is the first in a three-part miniseries following last month&#8217;s webinar, where we focused generally on the sweeping changes to the HIPAA Privacy... <a class="more" href="http://www.healthitechlaw.com/2013/03/17/hipaa-webinar/">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<p>Please join us this Tuesday, March 19, 2013 for a complimentary webinar to further discuss the release of the Final Omnibus HIPAA Rule by the U.S. Department of Health and Human Services.  This is the first in a three-part miniseries following <a href="http://www.healthitechlaw.com/2013/02/06/webinar-hhs-releases-long-awaited-final-omnibus-hipaa-rule/" target="_blank">last month&#8217;s webinar</a>, where we focused generally on the sweeping changes to the HIPAA Privacy and Security Rules.</p>
<p>On Tuesday from noon until 12:30, we will explore the changes to the Privacy Rule, including:</p>
<ul>
<li>Greater restrictions on provider use and disclosure of PHI;</li>
<li>Increased individual rights to PHI; and</li>
<li>What must be done by September.</li>
</ul>
<p>The webinar will probe into marketing and fundraising involving PHI, how providers can best respond to patients&#8217; requests for their health information, and how your organization should address these changes both internally (via employee training and updating policies and procedures) and externally (by revising the notice of privacy practices).</p>
<p>To RSVP, or for more information, contact Kayla Allen at <a href="mailto:ksallen@vorys.com">ksallen@vorys.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.healthitechlaw.com/2013/03/17/hipaa-webinar/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Who Are My Business Associates, and Why the HIPAA Should I Care?</title>
		<link>http://www.healthitechlaw.com/2013/02/21/who-are-my-business-associates-and-why-the-hipaa-should-i-care/</link>
		<comments>http://www.healthitechlaw.com/2013/02/21/who-are-my-business-associates-and-why-the-hipaa-should-i-care/#comments</comments>
		<pubDate>Thu, 21 Feb 2013 19:21:06 +0000</pubDate>
		<dc:creator>J. Liam Gruzs</dc:creator>
				<category><![CDATA[Rulemaking]]></category>
		<category><![CDATA[Business Associate]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Contracting]]></category>
		<category><![CDATA[Education]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[Subcontractor]]></category>
		<category><![CDATA[Vendor]]></category>

		<guid isPermaLink="false">http://www.healthitechlaw.com/?p=587</guid>
		<description><![CDATA[Much has been made about business associates in HITECH and the HIPAA Final Omnibus Rule.  In a previous post and in our webinar we hit on the high points – that much of HIPAA applies directly to business associates, and that business associates themselves have obligations relative to their business associates.  Indeed, not only do... <a class="more" href="http://www.healthitechlaw.com/2013/02/21/who-are-my-business-associates-and-why-the-hipaa-should-i-care/">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<p>Much has been made about business associates in HITECH and the HIPAA Final Omnibus Rule.  In a previous <a href="http://www.healthitechlaw.com/2013/01/28/hipaa-final-rule-clarifies-business-associate-obligations/" target="_blank">post</a> and in our <a href="http://www.healthitechlaw.com/2013/02/15/the-final-omnibus-hipaa-rule-are-you-ready/" target="_blank">webinar</a> we hit on the high points – that much of HIPAA applies directly to business associates, and that business associates themselves have obligations relative to <em>their</em> business associates.  Indeed, not only do “traditional” business associates have increased compliance obligations, but so do their vendors – many of whom might be entirely unaware of this fast-moving train barreling down the tracks.</p>
<p>With compliance deadlines around the corner, providers are likely wondering what this means for them.  Most are quite familiar with the HIPAA requirement that they have a business associate agreement (“BAA”) in place with their business associates.  For many, this has historically been nothing more than a low-priority formality.  Now, they must ensure that these agreements adequately address downstream compliance obligations, in particular those related to an unauthorized access, use, or disclosure of PHI.  More fundamentally, providers will need to be more vigilant in identifying their business associates.  And, due to increased enforcement, providers may wish to shepherd their business associates as they strive to become compliant with HIPAA, and even consider periodically auditing these vendors for HIPAA compliance.  As part of this process, which will be discussed in greater detail below, we suggest that providers consider educating their business associates on identifying subcontractors and making these vendors aware of their own HIPAA compliance obligations.<span id="more-587"></span></p>
<h4>Identify Your Business Associates</h4>
<p>Traditional business associates are easy to identify.  Many providers outsource claims processing.  Providers frequently engage professionals to provide legal, accounting, and various consulting services.  When sensitive patient information is no longer needed, providers will often contract with a document shredding company to properly dispose of these records.  Because these third parties provide services which involve creating, receiving, maintaining, or transmitting PHI for a HIPAA covered entity, they fall squarely within the definition of business associate.</p>
<p>But what about a courier transmitting PHI who does not need frequent access to the PHI?  Or a data transmission service, such as telecommunications or health information exchange, the provision of which may or may not require access to the PHI?  Is a third-party financial services entity a business associate when the only information it accesses is the name of the patient, the provider, and the cost of the service?  These types of third parties may be business associates.  The analysis turns on what type of information is provided to the third party, the type of service provided by the third party, and whether the third party needs routine access to the PHI.</p>
<p>Providers must be attentive to these and other types of situations involving the disclosure of potentially sensitive information outside their organization.  We recommend training all associates who might interface with such situations so that, at the very least, they will be able to identify situations which might involve a business associate.  Although the answer is not always clear, covered entities can best position themselves by having the proper procedures in place to enable them to know when to ask the right questions.</p>
<h4>Educate <em>Your</em> Business Associates on <em>Their</em> Business Associates</h4>
<p>Once providers identify their business associates and enter into a BAA, they should stay engaged with these business associates.  Just like their covered entity counterparts, the business associates must also enter into BAAs with their third-party vendors.  However, <em>unlike</em> most covered entities, many of these business associates will not be familiar with having to identify their business associates. We envision this as one of the greatest challenges posed by the Final Rule.</p>
<p>Take the example of a small physician practice which engages a consultant to provide coding and billing consultation.  The consultant, likely a business associate, may utilize various vendors – for document services and data storage, for example.  These vendors, to the extent they provide services for the consultant which involve the physician practice’s PHI, are likely subcontractor business associates.</p>
<p>It is these types of vendors who, although they handle sensitive information, may be entirely unaware of their HIPAA compliance obligations.  HIPAA is widely considered to be limited to health care entities.  Providers know better than this, but many vendors likely still do not.  Because providers are ultimately responsible for ensuring the privacy and security of their patients’ PHI, it is up to the providers to educate their vendors.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.healthitechlaw.com/2013/02/21/who-are-my-business-associates-and-why-the-hipaa-should-i-care/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Final Omnibus HIPAA Rule:  Are You Ready?</title>
		<link>http://www.healthitechlaw.com/2013/02/15/the-final-omnibus-hipaa-rule-are-you-ready/</link>
		<comments>http://www.healthitechlaw.com/2013/02/15/the-final-omnibus-hipaa-rule-are-you-ready/#comments</comments>
		<pubDate>Fri, 15 Feb 2013 21:28:08 +0000</pubDate>
		<dc:creator>Lisa Pierce Reisz</dc:creator>
				<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[Rulemaking]]></category>
		<category><![CDATA[Breach]]></category>
		<category><![CDATA[Business Associate]]></category>
		<category><![CDATA[Civil Monetary Penalties]]></category>
		<category><![CDATA[Covered Entity]]></category>
		<category><![CDATA[final rule]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[Notice of Privacy Practices]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[OCR; Final Omnibus HIPAA Rule]]></category>
		<category><![CDATA[Penalties]]></category>
		<category><![CDATA[Risk Assessment]]></category>

		<guid isPermaLink="false">http://www.healthitechlaw.com/?p=581</guid>
		<description><![CDATA[As we mentioned in last week’s Webinar on the HIPAA Final Omnibus Rule, there are less than nine short months for covered entities and their business associates (and all downstream business associates) to comply with the HIPAA final rules.  For those entities that have already taken steps following the release of the HITECH interim rules, the... <a class="more" href="http://www.healthitechlaw.com/2013/02/15/the-final-omnibus-hipaa-rule-are-you-ready/">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<p style="text-align: left" align="center">As we mentioned in last week’s Webinar on the HIPAA Final Omnibus Rule, there are less than nine short months for covered entities and their business associates (and all downstream business associates) to comply with the HIPAA final rules.  For those entities that have already taken steps following the release of the HITECH interim rules, the task may be a little less daunting (although policies, procedures, and NPPs must also be updated following release of the final rule), but for covered entities and business associates that have taken a “wait and see” approach to the final rule, the compliance clock is now running.  September 23, 2013 is just 219 days away.</p>
<p>Here is a list of the key issues that every covered entity and business associate must address before September 23, 2013:</p>
<ul>
<li>Perform or update a Security Rule risk assessment to identify the potential risks and vulnerabilities of electronic PHI (a similar gap analysis should be performed to identify the risks and vulnerabilities of all PHI, i.e. paper files, x-rays, etc.).  This is a foundational requirement that is the basis for implementing safeguards and policies that comply with the HIPAA Security and Privacy Rules.</li>
<li>Encrypt, encrypt, encrypt.</li>
<li>Develop or update HIPAA policies and procedures, including policies and procedures that address mobile devices and social media.</li>
<li>Update and distribute Notice of Privacy Practices to reflect the provisions in the final Omnibus HIPAA rule.</li>
<li>Review and update all business associate agreements to include and/or clarify breach notification provisions, indemnification obligations, and cyber-insurance requirements.</li>
<li>Business associates must enter into business associate agreements with their downstream vendors who handle PHI.  Covered entities, when contracting with their business associates, should review their business associates’ downstream vendor business associate agreements as part of their own due diligence.</li>
<li>Develop or update breach response plan to include Final Rule’s new objective test for determining whether you have a reportable breach.</li>
<li>Ensure that all employees are trained regularly to comply with your HIPAA policies and procedures.  Consistently discipline employees who violate HIPAA policies and procedures.</li>
<li>Consider procuring data breach/cyber insurance to cover the costs of a breach (which could include the following costs: investigation &#8212; including a forensic analysis, mitigation, notification, legal, PR, credit monitoring, fines and penalties).</li>
</ul>
<p>We will begin a series of blog posts next week which will further analyze each of the changes in the Final Omnibus HIPAA Rule.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.healthitechlaw.com/2013/02/15/the-final-omnibus-hipaa-rule-are-you-ready/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Webinar: HHS Releases Long-Awaited Final Omnibus HIPAA Rule</title>
		<link>http://www.healthitechlaw.com/2013/02/06/webinar-hhs-releases-long-awaited-final-omnibus-hipaa-rule/</link>
		<comments>http://www.healthitechlaw.com/2013/02/06/webinar-hhs-releases-long-awaited-final-omnibus-hipaa-rule/#comments</comments>
		<pubDate>Wed, 06 Feb 2013 17:29:40 +0000</pubDate>
		<dc:creator>Lisa Pierce Reisz</dc:creator>
				<category><![CDATA[Rulemaking]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[OCR; Final Omnibus HIPAA Rule]]></category>
		<category><![CDATA[Office of Civil Rights]]></category>

		<guid isPermaLink="false">http://www.healthitechlaw.com/?p=571</guid>
		<description><![CDATA[Presented by Vorys, Sater, Seymour and Pease LLP On Thursday, Feb. 7, at noon, HealtHITech Law bloggers Lisa Reisz and Liam Gruzs will host a webinar discussing the release of the long-awaited final omnibus HIPAA rule by the U.S. Department of Health and Human Services. The new rule includes sweeping changes to the HIPAA Privacy... <a class="more" href="http://www.healthitechlaw.com/2013/02/06/webinar-hhs-releases-long-awaited-final-omnibus-hipaa-rule/">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<p>Presented by <a title="vorys.com" href="http://www.vorys.com/">Vorys, Sater, Seymour and Pease LLP</a></p>
<p>On Thursday, Feb. 7, at noon, Healt<em>HIT</em>ech Law bloggers <a title="Lisa Reisz" href="http://www.vorys.com/reisz">Lisa Reisz</a> and <a title="Liam Gruzs" href="http://www.vorys.com/gruzs">Liam Gruzs</a> will host a webinar discussing the release of the long-awaited <a title="Final Omnibus HIPAA Rule" href="http://www.healthitechlaw.com/2013/01/17/hhs-previews-long-awaited-final-omnibus-hipaa-rule/">final omnibus HIPAA</a> rule by the U.S. Department of Health and Human Services. The new rule includes sweeping changes to the HIPAA Privacy and Security Rules.</p>
<p>The omnibus final rule is comprised of the following four final rules:</p>
<ul>
<li>Final modifications to the HIPAA Privacy, Security and Enforcement Rules mandated by HITECH</li>
<li>Final rule adopting changes to HIPAA Enforcement Rule to incorporate the increased and tiered civil penalty structure provided by HITECH</li>
<li>Final rule on breach notification for unsecured PHI under HITECH, which replaces the breach notification rule&#8217;s &#8220;harm&#8221; threshold with a more objective standard</li>
<li>Final rule modifying the HIPAA Privacy Rule as required by GINA</li>
</ul>
<p>February 7, 2013</p>
<p>Noon &#8211; 1 p.m.</p>
<p>RSVP to <a title="Kayla Allen Email" href="mailto:ksallen@vorys.com?subject=Register Webinar: Final Omnibus HIPAA Rule">ksallen@vorys.com</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.healthitechlaw.com/2013/02/06/webinar-hhs-releases-long-awaited-final-omnibus-hipaa-rule/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Final Rule Clarifies Business Associate Obligations</title>
		<link>http://www.healthitechlaw.com/2013/01/28/hipaa-final-rule-clarifies-business-associate-obligations/</link>
		<comments>http://www.healthitechlaw.com/2013/01/28/hipaa-final-rule-clarifies-business-associate-obligations/#comments</comments>
		<pubDate>Mon, 28 Jan 2013 05:26:42 +0000</pubDate>
		<dc:creator>J. Liam Gruzs</dc:creator>
				<category><![CDATA[Rulemaking]]></category>
		<category><![CDATA[Business Associate]]></category>
		<category><![CDATA[CMP]]></category>
		<category><![CDATA[E-Prescribing]]></category>
		<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[final rule]]></category>
		<category><![CDATA[HIE]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[PHR]]></category>
		<category><![CDATA[Privacy Rule]]></category>
		<category><![CDATA[PSO]]></category>
		<category><![CDATA[Security Rule]]></category>
		<category><![CDATA[Subcontractor]]></category>

		<guid isPermaLink="false">http://www.healthitechlaw.com/?p=552</guid>
		<description><![CDATA[Business Associates:  You&#8217;re on notice. When the Health Information Technology for Economic and Clinical Health Act (“HITECH”) was enacted nearly four years ago, business associates were aware that HIPAA compliance was going to be required of them – they were just not sure of the extent.  Historically, business associates have been required to comply with... <a class="more" href="http://www.healthitechlaw.com/2013/01/28/hipaa-final-rule-clarifies-business-associate-obligations/">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<p>Business Associates:  You&#8217;re on notice.</p>
<p>When the Health Information Technology for Economic and Clinical Health Act (“HITECH”) was enacted nearly four years ago, business associates were aware that HIPAA compliance was going to be required of them – they were just not sure of the extent.  Historically, business associates have been required to comply with HIPAA only insofar as dictated by their contractual relationships with covered entities.  HITECH drastically changed this, mandating that certain HIPAA provisions apply directly to business associates.</p>
<p>In addition to specifying these obligations (discussed below), the <a href="http://www.healthitechlaw.com/files/2013/01/HIPAA-Final-Rule.pdf">Final Rule</a> clarified to whom these obligations apply:</p>
<ol>
<li><strong><em>Patient Safety Organizations</em> </strong>– the Final Rule adopted the proposal to add patient safety activities to the list of functions and activities a person may undertake on behalf of a covered entity that give rise to a business associate relationship.</li>
<li><strong><em>Health Information Organizations (HIO), E-Prescribing Gateways, and Other Persons That Facilitate Data Transmission; Vendors of Personal Health Records</em> </strong>– such entities that provide services with respect to PHI and require access on a routine basis to such PHI are considered business associates.  Note that this is consistent with <a href="http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/245.html" target="_blank">HHS’s prior interpretation</a>, which advises that entities that act as “mere conduits” for transporting PHI, but do not access PHI other than on a random or infrequent basis, are not business associates.</li>
<li><em><strong>Subcontractors of Business Associates</strong> </em>– downstream entities, i.e. persons to whom a business associate has delegated a function, activity or service that the business associate has agreed to perform for a covered entity or business associate, are now considered business associates.  HHS made clear that no matter how far downstream the PHI flows, entities which meet the definition are business associates.</li>
<li><strong><em>Exceptions</em> </strong>– the final rule carves out from the definition of business associate health care providers with respect to disclosures by a covered entity to the provider concerning the treatment of the individual.  This change moves the exception from 164.502(e)(1)(ii), the standard for disclosures to a business associate.</li>
</ol>
<p>Having clarified who is a business associate, the Final Rule adopted the following key proposed changes relative to business associates:</p>
<ol start="1">
<li><strong><em>Compliance and Enforcement</em></strong>:  HITECH provided statutory authority requiring HHS to formally investigate a complaint if a preliminary investigation indicates a possible violation due to willful neglect, and to impose a civil monetary penalty (CMP) for the violation.  The Final Rule clarifies that these changes apply to business associates as well as covered entities.</li>
<li><strong><em>Civil Monetary Penalty Liability</em></strong>:  Consistent with HITECH, business associates now are subject to severe CMPs.  The amount of the penalty increases based on the level of culpability, with the most draconian penalties to be levied for violations due to willful neglect.  Each violation carries a minimum penalty of $50,000; the maximum is $1,500,000 for identical violations during a calendar year.</li>
<li><strong><em>Security Rule Obligations</em></strong>:  Just like covered entities, business associates are now required as a matter of law to comply with the entirety of the Security Rule.  This includes the administrative, physical, and technical safeguards; organizational requirements (including business associate agreements with subcontractor business associates); and maintaining policies, procedures, and proper documentation of Security Rule compliance.  For unsuspecting business associates, these requirements may be particularly onerous, and the September 23, 2013 compliance date may come very quickly – even though HITECH was clear in this regard.</li>
<li><strong><em>Privacy Rule Obligations</em></strong>:  The business associate Privacy Rule obligations were likely the most uncertain in the four years since HITECH first came on the scene.  The Final Rule mandates that the Privacy Rule applies to business associates “where provided.”  A few of the most noteworthy provisions:</li>
</ol>
<ul>
<li>Adds a new section specifying required and permitted business associate uses and disclosures of PHI;</li>
<li>Requires business associates to report breaches of unsecured PHI upstream; and</li>
<li>Requires business associates to impose business associate regulatory and contractual obligations on subcontractor business associates.</li>
</ul>
<p>HIPAA business associates who have not been paying attention since HITECH need to take notice.  The timeframe for compliance is less than nine months.  For those business associates who had been hoping for relief in the Final Rule (or simply have had their head in the sand for four years), waiting is no longer an option.</p>
<p>As we continue to digest the Final Rule, be sure to check in frequently as we anticipate much more to come in the next few weeks.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.healthitechlaw.com/2013/01/28/hipaa-final-rule-clarifies-business-associate-obligations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HHS Previews Long-Awaited Final Omnibus HIPAA Rule</title>
		<link>http://www.healthitechlaw.com/2013/01/17/hhs-previews-long-awaited-final-omnibus-hipaa-rule/</link>
		<comments>http://www.healthitechlaw.com/2013/01/17/hhs-previews-long-awaited-final-omnibus-hipaa-rule/#comments</comments>
		<pubDate>Thu, 17 Jan 2013 23:00:39 +0000</pubDate>
		<dc:creator>Lisa Pierce Reisz</dc:creator>
				<category><![CDATA[Rulemaking]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[OCR; Final Omnibus HIPAA Rule]]></category>
		<category><![CDATA[Office of Civil Rights]]></category>

		<guid isPermaLink="false">http://www.healthitechlaw.com/?p=544</guid>
		<description><![CDATA[On January 17, 2013, HHS announced the release of the long-awaited final omnibus HIPAA rule.  According to HHS Office for Civil Rights Director Leon Rodriguez, “This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.  These changes not only greatly enhance a patient’s privacy... <a class="more" href="http://www.healthitechlaw.com/2013/01/17/hhs-previews-long-awaited-final-omnibus-hipaa-rule/">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<p>On January 17, 2013, HHS announced the release of the long-awaited final omnibus HIPAA rule.  According to HHS Office for Civil Rights Director Leon Rodriguez, “This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.  These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”</p>
<p>The final omnibus rule is based on the changes first imposed under the Health Information Technology for Economic and Clinical Health Act (“HITECH”), enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (“GINA”).</p>
<p>The final omnibus rule will be effective on March 26, 2013.  Covered entities and business associates will have until September 23, 2013 to comply.</p>
<p>The omnibus final rule comprises the following four final rules:</p>
<p>1.  Final modifications to the HIPAA Privacy, Security and Enforcement Rules mandated by HITECH, which include:</p>
<ul>
<li>Make business associates directly liable for compliance with HIPAA Privacy Rule and Security Rule requirements.</li>
<li>Strengthen the limitations on the use and disclosure of PHI for marketing and fundraising purposes, and prohibit sale of PHI without individual authorization.</li>
<li>Expand individual rights to receive electronic copies of their health information and restrict disclosures to health plans concerning treatment for which an individual has paid out-of-pocket in full.</li>
<li>Require modifications to and redistribution of a covered entity’s notice of privacy practice.</li>
<li>Modify individual authorizations and other requirements to facilitate research and disclosure of child immunization proof to schools and to enable access to decedent information by family members or others.</li>
<li>Adopt the HITECH enhancements to the Enforcement Rule.</li>
</ul>
<p>2.  Final rule adopting changes to HIPAA Enforcement Rule to incorporate the increased and tiered civil penalty structure provided by HITECH.</p>
<p>3.  Final rule on breach notification for unsecured PHI under HITECH, which replaces the breach notification rule’s “harm” threshold with a more objective standard.</p>
<p>4.  Final rule modifying the HIPAA Privacy Rule as required by GINA.</p>
<p>The Rulemaking announced today, which will be published in the Federal Register on January 25, 2013, may be previewed in the Federal Register at https://www.federalregister.gov/public-inspection.</p>
<p>We will follow up this post with a series of blog posts analyzing this final rule.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.healthitechlaw.com/2013/01/17/hhs-previews-long-awaited-final-omnibus-hipaa-rule/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OCR Settles with Hospice of Northern Idaho for $50,000.00</title>
		<link>http://www.healthitechlaw.com/2013/01/09/ocr-settles-with-hospice-of-northern-idaho-for-50000-00/</link>
		<comments>http://www.healthitechlaw.com/2013/01/09/ocr-settles-with-hospice-of-northern-idaho-for-50000-00/#comments</comments>
		<pubDate>Wed, 09 Jan 2013 20:31:02 +0000</pubDate>
		<dc:creator>Lisa Pierce Reisz</dc:creator>
				<category><![CDATA[Enforcement]]></category>
		<category><![CDATA[Breach]]></category>
		<category><![CDATA[Fine]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HIPAA Security Rule]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[Mobile Devices]]></category>
		<category><![CDATA[OCR]]></category>
		<category><![CDATA[Penalty]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[Risk Analysis]]></category>

		<guid isPermaLink="false">http://www.healthitechlaw.com/?p=536</guid>
		<description><![CDATA[OCR’s recent enforcement action against a small non-profit hospice organization in Idaho is more evidence that OCR is looking carefully at HIPAA Security Rule compliance.  On December 28, 2012, HHS announced that Hospice of Northern Idaho (“HONI”) had agreed to pay HHS $50,000 to settle potential violations of the HIPAA Security Rule.  This is the... <a class="more" href="http://www.healthitechlaw.com/2013/01/09/ocr-settles-with-hospice-of-northern-idaho-for-50000-00/">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<p>OCR’s recent enforcement action against a small non-profit hospice organization in Idaho is more evidence that OCR is looking carefully at HIPAA Security Rule compliance.  On December 28, 2012, <a title="HONI  Agreement" href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.pdf">HHS announced</a> that Hospice of Northern Idaho (“HONI”) had agreed to pay HHS $50,000 to settle potential violations of the HIPAA Security Rule.  This is the first settlement involving a breach of PHI affecting fewer than 500 individuals, and it sends a strong message to all covered entities that OCR will impose a penalty for HIPAA non-compliance regardless of the size of the breach.</p>
<p>This enforcement action arose out of the theft of an unencrypted laptop containing the protected health information of 441 individuals, including patient names, addresses, dates of birth, Social Security numbers, diagnoses, medications, lab results and other treatment information.  The laptop was stolen from a HONI employee’s car while it was parked at her home in June 2010.</p>
<p>Because the breach involved fewer than 500 individuals, OCR began its investigation after the hospice reported the breach to HHS at the end of 2010 as required by HITECH.</p>
<p>OCR sanctioned HONI after it discovered the hospice (1) had not conducted a security risk analysis as required by the HIPAA Security Rule; (2) did not have in place any policies or procedures to address mobile device security; and (3) did not implement security measures to address the risk of losing patient health information or maintain a process for managing that risk.</p>
<p>This enforcement action should serve as a warning to all covered entities, big and small, that Security Rule compliance must be a priority.  At the very least, all covered entities should consider implementing the following Security Rule measures following the HONI settlement:</p>
<ul>
<li>Conduct (or update) an annual security risk analysis, including an evaluation of the potential risks to PHI maintained in and transmitted using portable electronic devices;</li>
<li>Adopt security measures to ensure confidentiality of PHI created, maintained and transmitted using portable electronic devices;</li>
<li>Properly encrypt PHI on laptops and other portable devices;</li>
<li>Continually train employees on encryption and mobile device policies.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.healthitechlaw.com/2013/01/09/ocr-settles-with-hospice-of-northern-idaho-for-50000-00/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Stage 3 Meaningful Use Open for Comment</title>
		<link>http://www.healthitechlaw.com/2012/12/06/stage-3-meaningful-use-objectives-open-for-comment/</link>
		<comments>http://www.healthitechlaw.com/2012/12/06/stage-3-meaningful-use-objectives-open-for-comment/#comments</comments>
		<pubDate>Thu, 06 Dec 2012 22:53:47 +0000</pubDate>
		<dc:creator>Lisa Pierce Reisz</dc:creator>
				<category><![CDATA[Meaningful Use]]></category>
		<category><![CDATA[Meaningul Use]]></category>
		<category><![CDATA[ONC]]></category>
		<category><![CDATA[Requrest for Comments]]></category>
		<category><![CDATA[Stage 3]]></category>

		<guid isPermaLink="false">http://www.healthitechlaw.com/?p=520</guid>
		<description><![CDATA[The Office of the National Coordinator for Health Information Technology (&#8220;ONC&#8221;)  has released a Request for Comments on a preliminary set of recommendations for Stage 3 of the Meaningful Use requirements, which are slated to go into effect in 2016. With its focus on improved outcomes, ONC envisions Stage 3 requirements as encouraging “a collaborative model of care... <a class="more" href="http://www.healthitechlaw.com/2012/12/06/stage-3-meaningful-use-objectives-open-for-comment/">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<p>The <a href="http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__onc/1200" target="_blank">Office of the National Coordinator for Health Information Technology (&#8220;ONC&#8221;)</a>  has released a <a href="http://www.healthitechlaw.com/files/2012/12/hitpc_stage3_rfc_final.pdf">Request for Comments</a> on a preliminary set of recommendations for Stage 3 of the Meaningful Use requirements, which are slated to go into effect in 2016.</p>
<p>With its focus on <a href="http://www.healthit.gov/policy-researchers-implementers/meaningful-use" target="_blank">improved outcomes</a>, ONC envisions Stage 3 requirements as encouraging “a collaborative model of care with shared responsibility and accountability.”  These recommendations reflect a transition from “a setting-specific focus to a collaborate, patient- and family- centric approach.”  This emphasis on improved outcomes builds on the goals of Stage 1 (data capturing and sharing) and Stage 2 (advance clinical processes).</p>
<p>Many of the Stage 3 recommendations reflect those seen in Stage 2, but require increased adoption in order for the provider to demonstrate Meaningful Use.  In addition, the recommendations would retire certain measures that have “topped out” because Stage 2 required eligible professionals and hospitals to adopt them at an 80% threshold.  For example, the Stage 2 requirement that eligible professionals and hospitals record the smoking status of more than 80% of patients age 13 years or older would no longer be necessary.  The recommendations also include certain new objectives, such as enabling patients to add to or amend their medical records electronically, as well as requiring the provider to send electronic notification of a significant healthcare event, such as a patient’s arrival at an emergency department or admission or discharge from the hospital, to key members of that patient’s care team.</p>
<p>ONC is soliciting comments on these recommendations through January 14, 2013.  The committee that developed the recommendations will analyze the feedback it receives and plans to revisit the recommendations in its public meetings in the first quarter of 2013.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.healthitechlaw.com/2012/12/06/stage-3-meaningful-use-objectives-open-for-comment/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
