Home Care Law Blog: Gilliland & Markette LLP


3905 Vincennes Road
Suite 204
Indianapolis, IN 46268
Phone: (317) 704-2400
Fax: (317) 704-2410

HIPAA - Privacy

Posts relating to the Federal Privacy Regulations

OCR updates its website to show enforcement statistics
Posted by: Robert Markette
May 13, 2008

The Department of Health and Human Services Office of Civil Rights (“OCR”) has added a new page to its website.  (Or at least updated an existing page.)  Interested people can now look up enforcement statistics at OCR’s website here.  Statistics they are tracking include number of complaints by year, number of complaints by state, a breakdown of resolutions each year, and the top 5 issues investigated each year.

One interesting fact from the website: not surprisingly, the number of complaints has gone up each year since HIPAA went into effect.  Last year, the number of complaints hit an all-time high of 8,132 complaints.  That is up 800 from the year before.  The only bigger jump is between 2003 and 2004; of course, you would expect to see a big jump there, because 2003 was a partial year.

It is interesting to look at these statistics, especially as Congress is considering major changes to HIPAA.  (The Health Information Privacy and Security Act is currently winding its way through Congress.)  Part of the motivation to amend HIPAA is a mistaken belief that HIPAA does not provide enough protection to individuals.  This is a result of the major security breaches that are reported on the news about once a quarter or so.

However, OCR’s statistics show a much larger number of complaints investigated and resolved without the need for corrective action.  On average, the charts (which do not contain a great deal of explanation) appear to say that corrective action was pursued in about 20% of the cases.  That would indicate that in 80% of the complaints, the providers were not doing anything wrong.  Within the 20% of cases where corrective action was obtained, it does not indicate how severe the violations were or how expansive the corrective action was.

This would be interesting to know, because if the majority of the violations were not severe, this would combine with the large number of complaints in which no violation was found to indicate that Congress does not need to overhaul HIPAA to provide more stringent protections and steeper penalties.  If the providers are complying under the current regime, why create a bigger stick to threaten them with?

It is also interesting to note that the statistics show no fines or other penalties have been assessed against providers for violations.  At least for now, getting providers into compliance instead of punishing them appears to be OCR’s enforcement policy.  (A policy which I think makes a lot more sense.)

Admittedly, the data reported is relatively spartan, but if you are interested in what OCR has been doing with HIPAA the last few years, this is an interesting site.

More HIPAA Silliness
Posted by: Robert Markette
July 03, 2007

There is an article in today’s New York Times that proves providers are not the only ones who are exceedingly frustrated with HIPAA.  To read the article, click here.  Turns out, the patients and their families are just as frustrated.  Patients and their families are discovering that providers are very hesitant to release information on patients, even to family members, for fear of violating HIPAA.

It is not clear whether this fear is due to lack of proper training or if HIPAA is being used as an excuse by employees to avoid doing things they simply don’t want to do.  Either way, family members who cannot get information on loved ones are becoming increasingly frustrated.  The article lists a number of examples; I will only list my personal favorites.

A nursing home stopped having birthday parties for its residents.  The nursing home was afraid that having a birthday party violated HIPAA, because it would disclose the residents’ birthdays.  (Of course, if disclosing the patient’s birthday is a problem, how do you justify calling them by name?)

In another example, a hospital ER refused to call the families of students they were treating for fear of violating HIPAA.  The ER made the students’ friends call.  This is an even more extreme example: if the patients were students, they were very likely minors, and disclosing to a parent is, in most cases, disclosing to a personal representative.

Calling the parent identified by the student at the number provided by the student is verification that you have called the correct party.  Furthermore, it is an ER; if the patients were truly receiving emergency care and I was the parent, I would be furious that the hospital did not call me directly.  This hospital dropped the ball, or an employee was shirking his responsibilities.

One more example in the article is about a family member who reviewed his relative’s record in order to demonstrate to the provider that they were about to administer a second round of sedatives that would endanger the patient.  In this case, the provider threatened to have the gentleman arrested for looking at his father’s chart.  The individual knew better, because he happened to be a HIPAA consultant.  But what about the many beneficiaries who are not HIPAA experts?  They are having a tough time.

Not only are the beneficiaries having problems getting information, turns out the government is having difficulties as well. This same article includes some examples of government agencies that cannot get information they need. This includes law enforcement. In one state, public health officials are having trouble getting information from providers to establish child immunization registries.

I find this amusing, because there are specific exceptions to the HIPAA rule on non-disclosure relating to public health officials as well as law enforcement.  But even with these specific disclosures, providers won’t turn over information to the state.

Of course, some in Congress have heard these stories and are now considering solutions.  One solution is to create a new department within CMS to provide additional guidance regarding HIPAA and its requirements.  I just don’t think adding more bureaucracy is the solution to the HIPAA problem.  HIPAA needs to be simplified.

Providers and their employees need to be able to treat patients and communicate with family members without the fear of violating HIPAA.  (Yes, I know they have not imposed a single fine, but providers are still not interested in even the perception of violating HIPAA.)  Providers did an excellent job of protecting patient privacy and communicating appropriately with family for years before HIPAA went into effect.  They continue to do so and would continue to do so without HIPAA.  Perhaps it is time to recognize that HIPAA has created far more problems than it allegedly solved.

OCR unveils new HIPAA Enforcement website
Posted by: Robert Markette
April 24, 2007

Yesterday the Office of Civil Rights (OCR) announced a new HIPAA Enforcement website.  Click here to view the site.  This website contains information detailing OCR’s enforcement efforts from April 2003 up to March 31, 2007.  The website provides information on how OCR investigates Privacy complaints and what responses they obtain.  The website mentions that OCR primarily resolves complaints through the voluntary compliance of the covered entity, corrective action, or a resolution agreement.  The website does state that if the covered entity is unwilling to cooperate, OCR will impose Civil Monetary Penalties (CMP) on the agency.

Another part of the site provides statistics on OCR’s enforcement actions over the last four years.  Interestingly, there is no mention of assessing CMPs against any covered entities.  This is not surprising, because there have not been any reports of entities being fined for non-compliance.  However, the fact that OCR mentions it on the website could mean that they are preparing to ratchet up enforcement.

The actual numbers they provide are familiar as well.  Since April 2003, OCR reports receiving 26,408 complaints.  Of those, 20,477 have been resolved.  The 20,477 resolved complaints included 6,602 complaints worth investigating.  (That means only 32% of the complaints were even worthy of investigating.)  Of the 6,602 complaints investigated, corrective action was obtained in 4,447 cases.  (That means 22% of complaints filed resulted in the covered entity taking corrective action.)

OCR touts their efforts to impose change on providers, which appears to be the case.  (Although if your choice is to make some simple changes or pay a hefty CMP, you would be foolish not to simply go along with them.)  But as I have said before, the bigger picture here is that the vast majority of the complaints they receive are not worthy of even investigating further.  I think this provides some indication of the efforts by providers to follow the Privacy Rule.  It also should reassure providers that even if you make a mistake and a complaint is filed, you will have an opportunity to fix the mistake before you are penalized.

The website does mention that OCR has referred 348 cases to DOJ for criminal prosecution.  This should result in some additional insight into DOJ’s position on criminal prosecutions under HIPAA.  There have not been many, and a few years ago DOJ indicated it would not be prosecuting cases under HIPAA.

The website also contains case examples of violations for which corrective action was required.  In one case a provider would only provide a patient with a summary of the patient’s record.  In another, the provider was disclosing information to other entities for arguably business associate purposes, but the entities were not proper business associates.  (I assume that means they did not have the appropriate contracts in place, as there is no other “requirement” regarding business associates.)

I had hoped the case examples portion of the website would provide more details on OCR’s position on the alleged violations, as this would serve a function similar to OIG’s advisory opinion website.  However, the “enforcement highlights” are one or two sentence summaries and do not provide any information on what the provider did wrong or why OCR thought it was a violation.  If the website contained more facts, other providers could use the information to guide their own compliance efforts.  Perhaps in the future OCR will provide more information so that this website will provide additional guidance to providers.  There is nothing like real world examples to illustrate what a rule or regulation means.

This week's blizzard and contingency planning
Posted by: Robert Markette
February 17, 2007

After two days working at my kitchen table, I returned to the office.  Our firm is located in Indianapolis and the city spent Tuesday and Wednesday digging out from under the snow.  The snow storm and its effects on the area are what led me to today’s post.  The response to the snow storm had me wondering how home health agencies’ contingency plans were working.

For agencies within Indianapolis, even on Tuesday, as the snow was piling up, it was possible, although not advisable, to get to the office as necessary.  For example, to access files.  However, in some of the northern counties, I understand it may not have been possible at all.  There weren’t any stories related directly to health care, but I did see in the paper how a few other businesses responded.  For example, a local realtor rescheduled a client meeting to a local coffee shop, because it was accessible whereas the client’s house was not very accessible at all.

For home health agencies in the Midwest, blizzards should be considered in your contingency planning.  If roads are impassable, how do you access patient files?  How do you serve your patients?  For the latter, unless a patient cannot survive without services, a blizzard most likely means a missed visit and then a follow up as soon as possible.  But what if a patient has to be seen?  What if the blizzard is accompanied by heavy ice?  That can lead to power outages and other problems.  

If a blizzard leads to your power being down, it may be down for weeks.  My wife, who grew up in Tennessee, spent ten days without electricity one winter because an ice storm/blizzard knocked so many of the power lines in her area down.  In a case like this, an agency will need to consider how to operate until the power is restored.  This may include an alternate office location.

I know of a business here in Indianapolis that was forced to relocate its offices for six weeks, because of a flood.  The flooding wiped out all of its IT and rendered its offices unusable.  The time to plan for that type of emergency is before it happens, not after it happens.  Even if it is not a likely occurrence, it is still something to think about sooner rather than later.  

Having to relocate information systems and other administrative equipment while also digging out from under the snow can be very difficult.  Failing to have a plan in place in advance will only delay getting things “back to normal” even farther.

For our firm, the contingency plan is very simple: take your laptop and files home with you.  But that plan won’t work for most agencies.  If you found yourself trying to come up with a contingency plan on Monday night, maybe now is a good time to plan for future contingencies.

Human error - the privacy rules weakest link.
Posted by: Robert Markette
February 13, 2007

A reporter at Home Health Line forwarded a story to me last week about another computer related incident.  According to the story, Johns Hopkins University has a contractor who routinely makes microfiche backups of certain data.  The contractor receives computer tapes with the data and then makes its backups from the tape.  The contractor who creates the microfiche uses a courier to pick up and deliver the tapes from the hospital to its offices and then to return the tapes when the backups have been created.

In the reported case, the tapes with patient information never made it to the business associate.  The parties think that the courier service’s employee left the tapes at one of his stops on his way to the contractor.  The good news is the tapes were apparently incinerated by the party that received them.

Once again, a potential security incident occurred because an individual made a mistake.  In this case, it was the contracted courier of a covered entity’s business associate.  When you are contracting for services, your contractor may use a subcontractor.  This is in compliance with the Privacy Regulation, which specifically allows for business associates to use subcontractors.  If you look at your business associate agreement, it allows for subcontractors.  The agreement simply requires the business associate to pass the assurances on to the subcontractor.

Having business associate agreements in place establishes what your business associate and its subcontractors are supposed to do to protect your PHI, but that will not stop every potential breach.  Individuals will make mistakes, either because they are unaware of the appropriate procedures to follow, or because they fail to follow procedures or simply fail to do their job properly at all, as in this case.  As a covered entity, you should not let that stop you from using contractors.  

One issue that this incident brings to light is the need for your business associate agreements to require prompt notification in the event of these kinds of mistakes, because you will need to move quickly.  Unlike dealing with your own employees, you have no way to train your business associate’s employees on HIPAA.  You do not have an obligation to police their compliance, but you will have to respond when a mistake occurs.  Thus, the faster you learn about the problem, the better.

Another way to address this problem would be for the covered entity to deal with the courier directly and require confirmation of delivery.  This would reduce the amount of time that passed before the covered entity learned that the items were lost in transit, because it would remove a layer of communication.  The covered entity could also notify the contractor when its courier picked up the tapes and have the contractor call when they arrived.  

Unfortunately, neither method will prevent a mistake; each will simply speed up the notification process.  These kinds of mistakes will happen.  Your business associates should be prepared to notify you quickly and you should simply be ready to respond.

Biometric Security on my recent vacation
Posted by: Robert Markette
February 07, 2007

One of the topics that frequently comes up when discussing HIPAA security rule matters is biometric security devices.  As technology improves, there are more and more biometric security options; in fact, one popular model of laptop has a built-in fingerprint scanning device.  Of course, the downside of biometric devices is that they do not always work as efficiently as advertised.

My favorite example of the use of biometric security devices is Disney World.  I have previously mentioned the biometric devices used at the entrances to Disney World, but I discovered last week (when my wife and I took our three children to Disney for a vacation) that they have changed to a fingerprint scanning device.  For those of you who have not been to Disney World, when you first use a multiple day park ticket, you use the biometric scanner to identify yourself as the ticket’s owner.  Every time you use the ticket to get into a park, you have to submit to the same scan before you can enter the park.

Currently, they have a fingerprint scanning device.  You put your ticket into the turnstile, put a finger on the scanner and off you go.  At least that is how it is supposed to work.  As I discovered during my vacation last week, it is not quite that simple.  On our second day at Disney World, the fingerprint scanner repeatedly rejected my fingerprint as incorrect.  After trying my right index finger three or four times, I switched to my left finger.  That solved the problem.  (Even though I will swear that I used my right finger for the initial scan.)

Well, I decided I must have forgotten which finger I used.  So on day three, when trying to enter the Magic Kingdom, I placed my left index finger on the scanner.  Of course, it did not work.  The attendant suggested that because the scanner is on the right hand side, I probably used my right hand.  I replied that no, I had gained entry to the parks using my left hand the day before.  She then proceeded to explain how I should try varying the position of my finger on the scanner.  After three or four tries, all of them unsuccessful, she finally just overrode the scanner and let me into the park.  (Overriding the repeated failed scans raises another question about the usefulness of the scanner.  It appears that if your fingerprint doesn’t match, you get in anyway?)

I mention this story both to explain the lack of posts last week (I was out of town) and to demonstrate the potential downside of biometric security devices: difficulty in using them.  Admittedly, in this case, the operator error was enhanced by a lack of instructions, but nevertheless, when considering potential biometric security devices, one of the considerations you should make is the potential effect use of the device will have on your employees’ efficiency.  In other words, you want to make sure that the devices are user friendly.  An employee who spends ten minutes a day trying to get the device to allow him or her access to his or her computer or other device is going to become very frustrated very quickly, and will try to avoid using it to the extent that is possible.

If you do implement such a system, be sure your employees are trained and familiar with it.  Knowing how to properly use the system should go a long way toward avoiding the frustration that comes with a system that does not function “as advertised.”

More Guidance from CMS
Posted by: Robert Markette
January 23, 2007

Over the holidays, HHS issued a new guidance document relating to HIPAA security.  This document, entitled “HIPAA Security Guidance for Remote Use”, was issued on December 28, 2006.  According to the introduction, this Guidance was published because of the number of recent security incidents involving laptops and other portable devices.

The document specifically mentions home health agencies using laptops and other portable devices as an acceptable practice.  The guidance covers a number of topics, including a list of possible risk management strategies.  Some of the risk management strategies listed I would imagine have already been implemented by most providers, for example, password protecting laptops.  Every laptop operating system I have seen allows you to require a username and password to log into the computer.  If you are not doing this already, I have to wonder why.

The document also mentions prohibiting downloading EPHI onto remote systems or devices, prohibiting transmission of EPHI over open networks, using more secure connections and even using encryption.  The mention of secure connections and encryption may lead some readers to become concerned that HHS is indicating encryption is now required for transmission of EPHI.  That is not the case.  The regulation still lists encryption as an addressable standard.  However, in the conclusion to the document, HHS states that this document provides a review of some strategies “that may be reasonable and appropriate” for certain covered entities to follow.

This means that reasonable and appropriate is still the standard.  You should review this document and see if there are any strategies in it you did not consider.  You should not review this as HHS telling you “how to do things.”  HHS is offering some strategies to consider, but ultimately it is up to you to determine what is appropriate for your entity.  If you considered but rejected some of these strategies, such as encryption, and there have not been any changes in your operating budget, number of employees, etc., your decisions are probably still reasonable.

In my opinion, the best advice in the handout is the advice regarding training.  If you recall, the majority of the security incidents that have been reported in the last year (and that have been mentioned on this blog) were the result of employees failing to follow policies.

Making sure your employees are trained on your policies and understand the penalties for violating the policies is one of the keys to ensuring compliance.  As I have said time and time again, if your employees don’t follow your policies, then you don’t have policies.  As you review this document, remember that and remember that your employees are the weak link in your security.  Whether through intentional misconduct or inadvertence, your employees are far more likely to be the reason for a security incident than it is likely that your policies were unreasonable in the first place.

Recent Survey Results
Posted by: Robert Markette
January 10, 2007

I read an article right before the holidays that I thought was interesting, but due to the holidays, I have only just now gotten around to posting it.  According to the article, which appeared on the Hipaadvisory website, the Department of Health and Human Services Office of Civil Rights (“OCR”) has determined that less than a quarter of HIPAA complaints warrant investigation.

According to a survey reported in the article, between April 2003 and September 30, 2006, OCR received 22,664 complaints.  Of these complaints, OCR determined only 5,400 required any further investigation or action.  Of the 5,400 cases investigated by OCR, OCR determined that 1700 of the providers had not violated the rule.

This means that only 3700 cases required any action by OCR.  In other words, only 16% of the complaints resulted in any action by OCR.  The article mentioned that the company performing the survey did not know what to make of these numbers.  In my opinion, it confirms what most health care providers felt when HIPAA was implemented: health care providers were already protecting patient privacy.

HIPAA was a major change in patient privacy, especially from the standpoint of notifying patients of their privacy rights and giving them access to their information.  But as for patient privacy, providers had been concerned about that long before HIPAA. Health care providers, much like attorneys, are ethically required to maintain patient confidentiality.  Patient confidentiality was maintained without federal regulation as a matter of professionalism.  HIPAA simply created an additional, and unnecessary, regulatory burden for health care providers.

Some might argue that these statistics might demonstrate a need for even more regulations, because 84% of the complaints were not investigated.  The concern would be that if HIPAA were broader, more complaints would be investigated because patients would have more privacy.  But that assumes more investigations or stricter privacy requirements would be good simply for the sake of tighter restrictions.

Others who disagree with my conclusion that the statistics support a position that HIPAA was unnecessary will say that the numbers were higher before HIPAA or that we have no way of knowing what went on before HIPAA.  I would agree that we may not have similar “pre-HIPAA” survey results, but having 84% of patient complaints dismissed demonstrates a fairly high level of compliance, a level that you might not expect if you thought providers were not concerned about patient privacy.

Given the large number of complaints that were facially invalid, I think you can draw another conclusion: patients have an unreasonable expectation of what HIPAA means.  I routinely get calls from individuals who want to sue for a violation of their “HIPAA rights”.  Many of these alleged violations are not violations.  Patients seem to understand HIPAA as an absolute moratorium on sharing PHI, but it is not.  This misunderstanding of their rights leads to a large number of frivolous complaints.  Perhaps patients need as much education as the providers.

Finally, the low number of investigated complaints weighs against the need for more enforcement of HIPAA.  In three years, there have only been 3700 violations of HIPAA requiring action.  If the community is compliant at an 84% or better rate, OCR would be better off investing its enforcement dollars elsewhere.  The provider community appears to be doing much better than many estimated in its efforts to comply with HIPAA.

Another theft of computers
Posted by: Robert Markette
November 29, 2006

I saw another story from over the weekend regarding the theft of computers containing PHI.  This story differs from many of the others you read about, because the computers were stolen out of a locked office.  That’s right, the information was on computers in a provider’s office and someone broke out a window to get into the office.  (As I have said many times before, locks only keep the honest people out.)

Having successfully entered the office, the thieves stole two computers containing information relating to Indiana’s Breast and Cervical Cancer Program (“BCCP”).  The BCCP is a program that many states have.  State law requires health care providers to report certain cancers (and other injuries or illnesses).  This information is maintained by the state and used for various public health planning purposes.

Of course, the state does not have the staff to handle all of the related information management and so it contracts with outside companies to handle the data for it.  In this case, the computers belonged to a contractor and contained information on 7,700 Indiana women who had been diagnosed with one of those forms of cancer.

What is interesting about this case is that even though the contractor kept the computers in its offices, those offices were locked and the information was protected by two separate passwords, there is still a cry of outrage over the theft.  Although it is early, there is no indication yet that the thief (or thieves) was able to access the information on the computers.

The point here is that even if your computers are stolen out of your locked office instead of your employees’ cars, there will be negative publicity.  This reinforces the importance of physical security.  You may have all of the electronic security in the world: firewalls, passwords, biometrics, and encryption.  But if somebody is able to physically remove your computers from your office, that additional electronic security will not matter to your patients, etc.  (It may prevent any information from being accessed, but you may still face a PR backlash from patients who only see that the computers were stolen.)

The question you should ask is whether your physical security measures are sufficient.  Is there anything else you might do, within the Security Rule’s concept of reasonableness, to ensure the physical security of your hardware, for example, a security alarm, or locking computers that store PHI in a central windowless room?

As you ask this, you should remember that while there is almost certainly more you could do, that does not mean it is reasonable to do so.  At some point, the additional safeguards provided by the next step of security are not appreciable enough to justify the additional costs, even in light of the potential for negative publicity.  Even with thorough physical security, you may still have a burglary.

Because you cannot completely eliminate the possibility, the question, from a compliance standpoint, is whether you have reduced the possible threat to a reasonable level.  If you are comfortable with the thought that you have, you should not let stories like this one scare you into costly additional measures.

As an aside, another complaint the patients had in this incident was that someone other than their physician had this information.  The patients were apparently unaware of the fact that health care providers routinely have to report certain illnesses and injuries.  They must not have read the Notice of Privacy Practices.

HIPAA Law Suit
Posted by: Robert Markette
November 02, 2006

Well, earlier this week I mentioned a recent incident here in Indianapolis in which an employee of a contractor for a local hospital system left CDs containing protected health information on approximately 260,000 employees in a computer bag that was returned to the store.  The hospital has now been sued by one of the individuals whose information was disclosed.  The article did not explain the plaintiff’s legal theory, but simply said the plaintiff was seeking damages for the disclosure.  The plaintiff is seeking certification of a class of 260,000 and asking for $5,000 per patient.  (Yes, if you do the math, the potential total for damages is $1.3 billion.)

This is interesting for a few reasons.  First, every court that has addressed whether there is a private cause of action (meaning whether an individual can sue a provider) for a HIPAA violation has come to the same conclusion.  That conclusion is that HIPAA did not create a right to sue a covered entity for a breach of HIPAA.  In fact, courts have specifically mentioned that HIPAA allows for complaints by a patient who feels their rights have been violated.

Even beyond this large legal hurdle, from the provider standpoint, there are a few other problems for the plaintiff.  There is no indication that the information on the disks was accessed.  The disks were left in a bag that sat at a store until it was purchased.  It was only after the bag was purchased that the new owner found the disks.  It seems more than highly unlikely that the disks were accessed.  Since the disks were still in the bag when they were purchased, for someone to access them they would have had to either do it in the store or take the disks out, access them elsewhere and then return them.

Each of those scenarios raises an interesting problem.  If the data were accessed in the store, you would think somebody at the store would have noticed an individual standing in the store actively copying CDs.  If the disks were removed from the store, why would the thief bring them back?  In other words, if no one accessed the data, what is the harm?  The plaintiff's attorney says it is the cost and burden of checking credit reports to ensure nothing happened.

Finally, not only does HIPAA fail to create a private cause of action, it does not require health care providers to monitor their business associates.  A covered entity is not considered in violation of HIPAA as the result of a violation by its business associate until it is aware of a breach by the business associate.  Nowhere in HIPAA is a covered entity required to police its business associates' compliance.  If a provider is considered to be in compliance until it is aware of a breach by its business associate, it is hard to imagine how the covered entity can be considered liable for the breach of its contractor.

I mention this to reinforce another point.  HIPAA violations come with costs.  If a provider can get sued even in a case with as many questions as this one, anyone can.  Once the suit is filed, you start paying legal fees and associated costs.  Even if you do not end up paying a large judgment to a class of plaintiffs, litigation is still expensive.  The moral of this story is that even though HIPAA does not give your patients a right to sue you, they still may do so and you should be prepared for that.

Permalink

Yet another disclosure where policies were not followed
Posted by: Robert Markette
October 30, 2006

I meant to mention this article last week, but last week was rather hectic around the office.  Nevertheless, I wanted to mention the story in last week's Indianapolis Star regarding yet another incident of patient information being misplaced.  For those of you outside Indianapolis, one of the major hospital systems in town recently reported an incident involving the protected health information of about 260,000 patients.  This case was not the result of employee inadvertence, but business associate inadvertence.

The hospital had contracted with a consulting company to assist them with patient billing matters.  One of the consultant's employees downloaded the names and billing information of 260,000 patients onto a number of CDs.  Apparently, this was done so that the contractor could work on the project without being at St. Francis.  The contractor purchased a new computer bag and placed her laptop and the CDs in the bag.  The contractor later returned the computer bag to the store, but left the CDs in the bag.

Luckily, the person who later purchased the bag and found the CDs contacted St. Francis and returned the disks.  It turns out that the information on the disks was not encrypted, as was required by both the hospital's and the business associate's policies and procedures.

Again, having policies and procedures in place does you no good if your employees do not follow them.  In this case, the business associate's policies do you no good if its employees do not follow them.  Of course, as a covered entity, you are required to obtain certain assurances in writing from your business associates, but you are not required to police their compliance with either the business associate contract they signed, their policies and procedures, or your policies and procedures.

Unfortunately, this is not a point your patients are likely to care about.  Whether the disclosure is your fault or your business associate's, your patients are going to be concerned that their information was disclosed.

The article mentions that business associates should never be able to download that much information, but if you use a third party to submit your claims to Medicare, Medicaid, or insurance, the business associate may very well receive information regarding all of your patients each billing cycle.  The key question is how you get that information to them each month.  For other contractors, you should ask some very thorough questions if the contractor is going to be downloading large volumes of information.  Remember, you are supposed to use and/or disclose the minimum amount of protected health information necessary for the purpose of the use or disclosure.

I would suggest that your privacy officer be involved in the process to determine what is the minimum necessary amount of PHI.  You should have your employees download the information for the business associate.  This will ensure that your policies and procedures are followed.  While you still cannot guarantee the business associate will not make a mistake, you can at least demonstrate that you did everything in your power to keep the information secured, after having made a specific assessment of the need for the disclosure.

You might also consider language in a business associate agreement that would require the business associate to indemnify you for costs incurred from responding to an unauthorized disclosure of PHI or EPHI.  (Because responding can be costly.)

I should mention that HIPAA does not require any kind of "finding" before you disclose to a business associate, nor does it require special procedures to disclose to a business associate.  Frankly, it does not specify how you implement the standards.  These suggestions are aimed not just at HIPAA compliance, but also at providing you with a means to respond to the bad PR resulting from an unauthorized disclosure of PHI.

Permalink

HIPAA Privacy survey
Posted by: Robert Markette
October 23, 2006

Phoenix Health Systems, the company that operates the HIPAAdvisory website, reported the results of its most recent HIPAA compliance survey.  Yet again, the survey showed non-compliance to be widespread.

For example, in the security rule context, only 56% of providers claimed to be fully compliant with the security standards.   This number is probably high, given that later in the report, it states that of the providers claiming full compliance, many could not confirm that they had implemented all of the key security standards.  In other words, only 56% of providers claimed to be compliant, but not all of the providers who claimed to be compliant were compliant.

As for the privacy rule, 22% of providers have still not implemented privacy rule standards.  According to the authors of the study, this represents a "core group" that will never comply.  However, of the 78% that claim compliance, the survey identified significant compliance gaps.  Among those are the implementation of business associate agreements, minimum necessary disclosure requirements and monitoring internal compliance.

I am not surprised to learn that even compliant providers have issues with business associate agreements.  Many providers are still not clear on what a business associate is, and providers need to identify their business associates before they can implement agreements.  I still hear of the occasional case of a treating provider asking another treating provider for a business associate agreement because they treat the same patient.  Of course, providers treating a common patient (or patients) are not business associates.

Identifying the business associates is only the first hurdle.  The providers then need to implement compliant business associate agreements.  The privacy and security rules set forth specific requirements for these agreements and often the agreements providers use are insufficient.

This just shows that, even after a number of years of HIPAA, there are still a large number of providers and other covered entities that are uninformed about HIPAA.  Just recently, I heard of a state agency telling providers they needed the patient's consent before they could disclose information for treatment or payment.  The consent requirement has been out of the rule for some time and providers never needed an authorization to share information for treatment purposes.

The good news from this survey is that, except for a percentage of providers who simply refuse, providers are continuing to work on compliance.  It seems, however, that providers may need more education on the rule's requirements so that they know what to work on.

Permalink

Security Policies and Procedures - are they being followed?
Posted by: Robert Markette
September 16, 2006

I was reading this week's issue of Home Health Line, as I try to do every week, and noted the lead story involved another HHA that had a laptop stolen when an agency employee left the laptop in her car overnight.  The agency incurred a great deal of expense as a result of the laptop theft, over $170,000 all told.  Another agency incurred even more costs and is defending a class action lawsuit.

The costs these agencies incurred may be larger than most agencies would incur, but they reinforce a key point: the cost of responding to a privacy or security breach can be significant.  Even small agencies will have significant costs resulting from notifying patients of a breach.

Now, most agencies will not need to set up call centers to handle privacy violation hotline calls, but even small agencies will have to have someone respond to calls regarding the incident.  This will take time, time the employee might spend on other work.  It is worth considering these costs, because it may lead you to conclude a few more security steps are worthwhile, especially when you consider that the incidents in these cases were the result of agency employees failing to follow policies or making obvious security errors.

The first thing to consider is more employee education.  For example, making sure your employees do not write their passwords on their computers, something the employee in the HHL story had done.  It never ceases to amaze me that even now, people still write their passwords down on their computers.  The best security software in the world is absolutely worthless if your employees write their passwords down on or near their computers.

The article pointed out that, after the incident, the agency checked all of its laptops to see if any other agency employees were doing this.  Perhaps the real lesson here is that if you use laptops, you should consider, as part of any ongoing audit process, checking that employees are not writing down passwords and usernames.  (You should probably do this for all computers.)  This should be accompanied by disciplinary action against any violators and education efforts to explain to your staff why they should not write down their passwords on their laptops.  (Would they leave their keys in their front door at night or in their car's ignition?  Then why would they leave the "keys" to their laptop in the "door"?)

Another point to "audit" and educate employees about is leaving laptops or other electronic devices in their cars overnight.  Not only does this pose a security risk to your information, but the computer is not cheap.  You can bet the employees would not leave their own laptop or PDA in their car overnight.  They would be conscious about bringing it inside.  They should treat your equipment similarly.

Another aspect of the story was another agency whose employees were taking electronic records home with them as backups, against company policy.  Again, the agency has run into huge liability, including a class action, because the agency's employees failed to follow the agency's policies.

The moral of these stories is that you should not assume your employees are following your policies.  In fact, you should be more proactive in checking to make sure that your policies are being followed and educating your employees, even on points you may think are obvious.

Permalink

Software security issues and HIPAA
Posted by: Robert Markette
July 28, 2006

I read an interesting story about a security issue in e-prescribing.  It seems that a company that writes medical office suite software that includes an "e-prescribing" component recently discovered a security flaw that allowed a computer consultant to access a file that contained demographic information on a large number of patients from Georgetown University Hospital.

In this case, the individual who discovered the problem was attempting to install the company's software on a client's computer.  When he could not get software updates to install, he "poked around" in the software and discovered a web address, login name, and password in the software.  The consultant used this information to manually log onto the company's file server to try to find the updates he needed.  When he could not quickly determine what he needed, he downloaded the entire contents of the directory (about 2 gigabytes of information).  As the consultant reviewed what he had found, he discovered the patient data.  Oops.

The consultant was able to access the server because the software had security information "hard coded" into the software.  (To allow the program to connect to the server, one would suppose.)  The software company's position is that the consultant should not have been poking around in the software that way, but according to a number of writers, this was not an inappropriate practice.  In fact, one security expert offered the opinion that the software company was at fault, because it should never have included that information directly in the software.

The troubling part of the story is that the consultant was concerned about coming forward with what he learned, because the software industry tends to accuse the individual who discovers and reports the problem.  According to the article, the consultant was concerned he might be charged with wrongdoing.  For covered entities who contract with software companies, this is not a good thing to see.  If you are entrusting your PHI to third parties, you should want them to be grateful if somebody comes forward and helps them to keep your data more secure.  This encourages individuals like the consultant in this case to come forward.  This is an attitude that should be encouraged.  I would analogize it this way: if your neighbor or someone else noticed your house was on fire, you would want them to come tell you, and you sure wouldn't turn around and accuse them of setting the fire.

One might also ask why a file full of patient data was placed on a server that any copy of the company's software could access.  Or at least on a server that apparently was accessed by copies of the software to download software updates.  Shouldn't your information be stored in a separate location from the software updates?
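The flaw in this story, a web address with a login name and password shipped inside the software, is something a vendor can check for before a build goes out the door. The following is an added example written for this post, not the software company's code; the sample build, file names, hosts and credentials are constructed placeholders. It pulls printable strings out of every shipped file (text or binary) and flags URLs carrying credentials and key/value lines whose key names a secret.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample build: path -> raw bytes. Names and contents are made up
# for this example; a real check would read the installer or install tree.
SAMPLE_BUILD: Dict[str, bytes] = {
    "install/config/update.ini": (
        b"[updates]\n"
        b"server = ftp://updates.example.invalid/releases\n"
        b"user = updater\n"
        b"password = s3cret-placeholder\n"
    ),
    # A fake binary: mostly non-printable bytes with one embedded URL that
    # carries a login name and password, the pattern described in the post.
    "install/bin/eprescribe.dll": (
        b"MZ\x90\x00\x03\x00\x00\x00"
        + b"\x00" * 16
        + b"ftp://svc_acct:Hunter2@updates.example.invalid/patches\x00"
        + b"\x00" * 8
        + b"GetProcAddress\x00"
    ),
    "install/README.txt": b"Updates are fetched automatically on startup.\n",
}

Finding = Tuple[str, str, str]  # (path, kind, redacted detail)

# Runs of printable ASCII, the same idea as the `strings` tool, so that a
# compiled binary and a text config file are searched the same way.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")
# scheme://user:password@host ...
URL_CREDS = re.compile(
    rb"\b[a-z][a-z0-9+.-]*://([^\s/:@]+):([^\s/@]+)@([^\s/]+)", re.IGNORECASE
)
# "key = value" where the key names a secret; matched at the start of a run
# so that a text file's lines are checked one by one.
SECRET_KV = re.compile(
    rb"\s*(?P<key>pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\s*[=:]\s*(?P<val>\S+)",
    re.IGNORECASE,
)


def redact(secret: bytes) -> str:
    """Report only the shape of a secret; the report itself must not leak it."""
    return f"<{len(secret)} chars>"


def scan_run(path: str, run: bytes) -> List[Finding]:
    """Check one printable run for embedded credentials."""
    findings: List[Finding] = []
    for m in URL_CREDS.finditer(run):
        user = m.group(1).decode("ascii", "replace")
        host = m.group(3).decode("ascii", "replace")
        findings.append((path, "url-credentials", f"{user}:{redact(m.group(2))}@{host}"))
    m = SECRET_KV.match(run)
    if m:
        key = m.group("key").decode("ascii", "replace").lower()
        findings.append((path, "secret-key", f"{key}={redact(m.group('val'))}"))
    return findings


def scan_build(build: Dict[str, bytes]) -> List[Finding]:
    """Scan every file in the build; returns findings in file order."""
    findings: List[Finding] = []
    for path, data in build.items():
        for run in PRINTABLE_RUN.finditer(data):
            findings.extend(scan_run(path, run.group(0)))
    return findings


def release_gate(build: Dict[str, bytes]) -> bool:
    """True when the build is clean; False when something should block shipping."""
    return not scan_build(build)


if __name__ == "__main__":
    for path, kind, detail in scan_build(SAMPLE_BUILD):
        print(f"{path}: {kind}: {detail}")
    print("clean" if release_gate(SAMPLE_BUILD) else "release blocked")
```

The report deliberately prints the account and host but only the length of the password, so the check's own output does not become another copy of the secret.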

Another point that came up in the story was another cry for "more HIPAA enforcement."  However, HIPAA enforcement wouldn't really matter in this kind of case.  The software company is most likely not a covered entity.  If it is not a covered entity, the Office of Civil Rights (aka the HIPAA Police) has no authority to enforce HIPAA against the company.  The company's compliance is solely a matter of the terms of its business associate agreement.  As for the covered entity whose information was at risk, they were not even aware of the problem until after the fact.

Furthermore, the covered entity was under no obligation to police its business associate.  This is a good thing, because there is no practical way for the covered entity to police this kind of thing.  As it is, the circumstances that led to the discovery of the potential security problem were, at best, unique.  Placing a heavier burden on providers to police business associates would place the covered entities at risk for enforcement actions for things over which they have little or no control.  How would covered entities police these things?  Hire consultants to review the code of every piece of software?  Review the business associate's internal security policies and procedures?  As it is, health care providers have enough to do to meet their regulatory burdens; the answer to this problem is not more enforcement.


Permalink

HIPAA Emergency Preparedness Tool on OCR's Website
Posted by: Robert Markette
July 05, 2006

Last week, the Department of Health and Human Services Office of Civil Rights ("OCR") published a "Privacy Rule Emergency Preparedness Tool." This is not a tool to help you with overall disaster planning. It is, instead, a tool to help covered entities determine what information they may disclose in responding to requests for PHI as part of disaster preparedness. You can download the flowchart from OCR's website.

This tool does not address disclosures that may be necessary in responding to a disaster. This tool addresses the question "What PHI can I disclose as part of efforts to prepare for a disaster?" This issue has come up as federal, state and local governments have been engaging in disaster planning over the last year. After Hurricane Katrina and with the growing concern about bird flu, more federal, state, and local agencies have begun to engage in disaster planning efforts, for example, efforts related to evacuation planning. As a result, many state and local governments are seeking information on individuals to identify those, for example, who would need to be evacuated in advance of a disaster.

This tool was developed in response to specific issues that arose in disaster planning for persons with disabilities. Covered entities needed to know what information they could disclose and to whom they could make the disclosures. However, the tool works for any PHI. The tool is not designed to help you with your own disaster planning, but simply to help you make the correct choices when disclosing PHI as part of disaster planning efforts.

The tool covers not only disclosures to public health authorities, but also to other providers. The tool states that disclosing PHI to another provider in advance can be a treatment disclosure, if it is for purposes of ensuring continuity of care. The tool uses the example of a group home disclosing PHI to another facility to which the group home residents would be evacuated in the event of an emergency. This may not be as important to home health agencies or home health hospices, as you will not be evacuating your clients. An inpatient hospice, on the other hand, may very well need to consider this kind of effort. (For those of us in the Midwest, evacuations may not be necessary, but you may need a place to move patients if your building is damaged by floods, etc.)

You should also know that this tool is not designed to assist you with disclosures related to responding to an actual disaster. OCR offered some guidance in that area in the wake of Katrina. There are a number of additional avenues to disclose PHI in responding to an actual disaster. For example, you may disclose PHI for treatment purposes and for certain notification purposes.

Permalink

HIPAA and the Workplace
Posted by: Robert Markette
June 13, 2006

I went to King's Island this weekend with a group of friends. (For those of you reading this from outside of the Midwest, King's Island is an amusement park north of Cincinnati, Ohio.) We were discussing work when one of them shared a "HIPAA" story with me. I share it with you as an illustration of the continued confusion surrounding HIPAA.

According to the woman relaying the story, one of her colleagues at work is pregnant. When her colleague told their boss the good news, the boss told her that was great, but that she could not tell her coworkers. When she asked why not, the boss explained that because of HIPAA and medical privacy she needed to keep the information to herself. Of course, this raised a number of questions, the most obvious question being, what was the lady supposed to do when she started to show? Was she supposed to make up a story about gaining weight? (Of course, weight gain can also be a health condition, which would appear to implicate the company's understanding of HIPAA and medical privacy as well.) Perhaps she was just supposed to ignore anyone asking such a question.

The lady telling the story asked me if this was really what HIPAA required. I explained that HIPAA restrains covered entities from using or disclosing an individual's protected health information. HIPAA gives individuals certain rights to access their health information. What an individual chooses to do with their own health information is their decision. HIPAA does not prevent an individual from sharing their information with whomever they choose (or putting it on a website or billboard, for that matter). An individual may even authorize others to disclose their information to others. Obviously, this employer has a fundamental misunderstanding of HIPAA.

The story is funny, but it is a reminder that most people, especially those outside of health care, really do not understand HIPAA. The notion that HIPAA prevents you from sharing your own health information is similar to the experience many providers had shortly after HIPAA went into effect of an insurance company refusing to confirm coverage because "HIPAA will not allow us to disclose this information."

It would appear that many people still need some education on what HIPAA actually requires. In the meantime, if your employees want to share their own health information with others, HIPAA does not prohibit that.

Permalink

Portable storage and HIPAA
Posted by: Robert Markette
May 24, 2006

I was reading one of the many publications I receive each month from the ABA, and came across an article on electronic discovery, in other words obtaining and using evidence that is stored on computers and other electronic media.  The article itself did not have any relation to healthcare, but it did make me think about a few other issues that relate to computer security.  As you all know, that relates to the HIPAA Security Rule.

The article mentioned a number of places lawyers should look when engaging in electronic discovery.  The author mentioned a number of sources, including PDAs, USB (or flash) drives and digital cameras.  In discussing flash drives, the author noted that with a USB drive, an individual can remove a large amount of information "quickly, quietly, and discreetly."  The same idea applies to PDAs, because they can be used as USB drives in many cases.

The first question this might raise for you as a provider is, did you consider flash drives, PDAs, or other similar forms of storage when you performed the risk analysis required by the HIPAA Security Rule?  

If you did not consider flash drives and other similar forms of storage overtly, were they discussed when you considered employee activity that could lead to disclosures of electronic protected health information ("EPHI")?  You may not have considered them at the time for any number of reasons, including the fact that USB drives were far more expensive two years ago.  (I know when I wrote the HIPAA Security Rule Compliance Resource Manual, they were not as widely used and, therefore, may not have been considered in your risk analysis.)  That is no longer the case.

It may be that your network is set up in such a way that an employee couldn't steal EPHI in this fashion.  (For example, your clinical record software does not allow files to be stored locally.)  However, even if EPHI is not a concern, what about other proprietary or trade secret information?  For example, it is much easier to walk out with a large volume of documents such as marketing information, personnel policies, training manuals etc., if they are in an electronic format and stored on a USB drive.  It is also harder to prove such items have been stolen.  (I am told that forensic computer professionals can find evidence of such file transfers, but that can get expensive.)

I have even heard of cases involving employees installing hard drives and other peripherals onto office computers.  Obviously, installing an entire hard drive makes the theft of even larger amounts of information possible.  It also makes it harder to demonstrate what was stolen, if you can prove that at all.  Most organizations have policies and procedures on installing software, but may not have considered that an employee would install hardware of that magnitude.  There are ways to secure the computer chassis to prevent the installation of an internal hard drive, but many companies sell very large capacity external hard drives that are relatively small and simply plug into a USB port.

These are examples of how as technology changes (and as certain technologies become cheaper), you will need to be aware of how these changes affect your computer security policies and procedures and be ready to adapt them accordingly.  

Permalink

Taking computers home at night.
Posted by: Robert Markette
May 23, 2006

I was watching the news last night and saw the story about the information about 26.5 million veterans that was stolen from a Veterans Administration employee's home. According to the report, the employee had taken a laptop home from the office and the information was stolen when someone broke into the employee's home. This made me think about HIPAA, because of the increasing use of laptop computers in homecare and hospice and the related potential for theft of computers which maintain protected health information ("PHI").

In the VA's case, the VA had a clear policy prohibiting taking computers home from the office. Nevertheless, this employee was able to leave the office with the laptop. In contrast, many home care and hospice providers allow employees to take files and/or laptop computers home with them. In most cases, the entire purpose of having a laptop is to allow the employees to take the laptops with them to patients' homes and often home with them at night. (A similar concern would arise if you allow employees to remotely access your system, if they were to save any PHI on their home computer.)

However, this incident serves as a reminder that your protected health information may be at risk in the employee's home. Although it is unlikely a burglar would break into an employee's home looking for PHI, the burglar might see a laptop computer as an item of value to steal, both as a potential repository of identity information as well as an electronic item to pawn.

Although this kind of incident is a legitimate risk, in my opinion, unless your employees live in neighborhoods that have a history of burglaries, etc., the odds of such an intrusion are relatively low. Because the odds of the occurrence are relatively low, there are ways to address the security issues without forbidding employees from taking computers out of the office.

First, you should make sure that all of your computers, laptop or otherwise, are password protected. This makes it more difficult for a thief to obtain information from the stolen computer. Second, if your employees are taking computers home, they should be trained not to leave them in the car or out in the open in the home. (Remember, your employee's family members can be a source of disclosures as well.) The employees should be aware of the potential risks of working on the laptop in public places as well.

On the other hand, if you decide to enact a policy forbidding employees from taking files or computers home with them, you should have a way to enforce it. As the VA learned, having a policy is not enough; the employee still took the laptop home. You need to be able to prevent the employees from leaving the office with the laptop. In addition, the policy should provide steep penalties for taking a computer home.

Permalink

Recent survey shows compliance hit and miss, but mostly miss.
Posted by: Robert Markette
April 19, 2006

I was reviewing the results of a HIPAA Compliance survey performed by the folks over at hipaadvisory.com (Phoenix Health Systems) and noticed a number of interesting things. First, almost three years after the HIPAA Privacy Compliance deadline, only about 80% of providers are HIPAA compliant. That means 20% of providers are three years overdue on Privacy compliance. The surveyors concluded that this 20% has been stable for a while and represents a core group that will simply refuse to comply. They seemed to see that as a negative, but 80% compliance, while not perfect, is pretty good.

Also, a year after the Security rule deadline, only 55% of providers generally have managed to come into compliance with the security rule. Of particular interest is the fact that, as a group, the most non-compliant providers are hospitals with more than 100 beds. More than 50% of these large hospitals are still not in compliance with the Security rule. If you are not Security rule compliant, you are not alone. However, do not let that become an excuse for non-compliance. CMS is no more likely to accept “well, everyone else was doing it” as an excuse than your parents were.

Providers who were not in compliance were asked what standards they had implemented. The standards that were implemented least often were contingency planning and emergency access. I found this answer rather surprising, given recent history. After all of the coverage of what hurricane Katrina did to New Orleans and other more recent examples of tornadoes and other severe weather in the Midwest, it is hard to fathom that providers are not addressing contingency planning.

For home care providers who think disasters can’t happen to them, I offer the recent tornadoes in the Midwest. Downtown Indianapolis has had a major office building closed for two weeks now because of storm damage. This has displaced a number of law firms and other companies. Not to mention the damage in Iowa City and in Tennessee and Kentucky. It doesn’t take a hurricane to trigger contingency plans; a severe spring storm or a winter blizzard can leave you unable to reach your office, or worse, your clients.

When a disaster happens is not the time for contingency planning. When you hear the weatherman saying a severe thunderstorm, blizzard (insert other weather phenomenon here) is coming, you should already know what you will do if the storm leaves you without an office, power (insert other contingency here), and so on.

Permalink

Final Enforcement Rule Posted
Posted by: Robert Markette
February 20, 2006

Aloha!  This is my first post in two weeks, because I have been on vacation.  I had intended to post at least once while on vacation, just so I could say Aloha from Oahu or Kauai, but I did not have time (or convenient high speed internet access.)  I will briefly say that my wife and I did have a wonderful time in Hawaii.  (Nothing like 75 degrees and sunny in February.)  As most of you will agree, the first day back from a vacation is always busy, and, therefore, this post will be somewhat shorter.

While I was gone, HHS published the final HIPAA enforcement rule.  Most of this rule will only concern you if you receive a notice of proposed penalty.  There are a few things you should be aware of before then.  First, if you receive a notice of proposed penalty, you have ninety days to appeal the notice -- ninety days, not sixty.  I point this out, simply because it is another, different timeframe and although it gives an entity more time to evaluate whether it wants to file the appeal or not, it can lead to confusion.   I am always in favor of longer timeframes, because it provides a longer time frame in which to try to resolve a matter before having to initiate an appeal.  The rule also states the specific requirements for how an entity may request an appeal of a proposed penalty.  As with any administrative appeal, failure to meet all of the stated requirements will result in the appeal being dismissed.

The rule gives HHS authority to settle and this authority includes the authority to reduce the proposed penalty.  The rule also provides affirmative defenses, rights of the parties, and procedures for the appeal of a penalty and an appeal of the ALJ decision.  The final rule is effective on March 16, 2006.

Permalink


The information you obtain at this site is not, nor is it intended to be, legal advice. You should consult an attorney for individual advice regarding your own situation.

Copyright © 2008 by Home Care Law Blog Gilliland & Markette LLP. All rights reserved. You may reproduce materials available at this site for your own personal use and for non-commercial distribution. All copies must include this copyright statement.