HIPAA Mandates, Coverage Set to Expand in Near Future

8 09 2009

Introduction

As many of you are aware, the American Recovery and Reinvestment Act of 2009, better known as the “Stimulus Bill”, did much more than funnel government spending in an effort to boost the economy.  Within that package, Congress enacted a separate act, the Health Information Technology for Economic and Clinical Health Act (the HITECH Act).  HITECH made several important changes to substantive law and directed the Department of Health and Human Services (HHS) to promulgate new regulations under HIPAA.  On August 24, 2009, HHS issued interim final regulations, effective September 23, 2009, implementing several of the changes mandated by HITECH.  Other changes will not take effect until February 2010.  Health care providers and their Business Associates subject to HIPAA requirements should be aware of several fundamental reforms contained in the law.

Breach Notification 

HITECH requires any Covered Entity (such as a health plan, health care clearinghouse, or health care provider) that holds or uses “unsecured” protected health information to notify the affected individuals in the event of a breach of that information (“Breach Notification”).  Breaches must also be reported to HHS and, under some circumstances, to the local media.  In effect, covered entities and business associates are now required to act as their own whistleblowers.  The Breach Notification requirement was promulgated in an interim final rule on August 24, 2009 and takes effect September 23, 2009.

The Breach Notification rule requires Covered Entities to notify affected individuals “without unreasonable delay” and in no case more than 60 days after the breach is “discovered”.  A breach is treated as discovered on the first day it is known to the entity, or to any employee or agent of the entity.  A breach that nobody actually noticed is still treated as discovered on the day it would have been known had the entity exercised “reasonable diligence”, so an ignored alert or an unreviewed audit log can start the 60-day clock.  This highlights the importance of having internal policies in place to ensure that any breach will be promptly discovered, reported, and dealt with.

As mentioned above, Covered Entities are also required to provide notice to the Secretary of HHS and, in some cases, local media outlets.  If the breach affects more than 500 residents of a single state or jurisdiction, the entity must notify “prominent media outlets” serving that state or jurisdiction “without unreasonable delay” and in no case more than 60 days after discovery of the breach.  If the breach involves 500 or more individuals in total, the entity must notify HHS contemporaneously with the sending of the individual notices, according to the procedure on the department’s website.  If the breach affects fewer than 500 individuals, there is no requirement to notify the media and no immediate requirement to notify HHS.  Instead, the entity must maintain a log of all such breaches and report them to HHS no later than 60 days after the end of the calendar year in which they were discovered, according to the procedure outlined on HHS’s website.

The new regulations give specific guidance on the content of the required notice.  The notice must be in writing and sent by first-class mail, unless the individual has agreed to electronic notice.  Five topics must be addressed, all in “plain language”: what happened, what kinds of protected health information were involved, what the individual should do to protect himself or herself, what the entity is doing to investigate and mitigate the breach, and how to contact the entity with questions.

Business Associates of Covered Entities (anyone handling protected health information on behalf of a Covered Entity) must notify the Covered Entity for which they provide services of any breach the Business Associate discovers.  Again, this notice must be given without unreasonable delay and in no case more than 60 days after discovery of the breach.  Rules similar to those imposed on covered entities govern when a breach is treated as “discovered” by a Business Associate.

Only covered entities and business associates holding “unsecured” protected health information are subject to the Breach Notification requirements.  Protected health information is “secured”, and therefore outside the rule, when it has been rendered unusable, unreadable, or indecipherable to unauthorized persons by one of the technologies or methodologies specified in the HHS guidance issued April 27, 2009: encryption consistent with the NIST standards the guidance references, with the decryption key stored separately from the encrypted data, or destruction of the media.  Encrypted data whose key was lost or stolen along with it does not qualify.  To the extent feasible, Covered Entities and Business Associates should follow this guidance, because a lost laptop or backup tape whose contents were properly encrypted is not a reportable breach at all, while the same loss in the clear triggers the embarrassing requirements of the Breach Notification rule.
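The decision tree in the preceding paragraphs (safe harbor first, then the discovery date, then the per-state media test and the separate total-count HHS test, with the Business Associate’s own duty running on the same clock) is easy to get wrong in the middle of an incident.  The following Python is an added illustration written for this page, not text from the article or from HHS, and not legal advice; it encodes the thresholds and deadlines as the article states them, and every breach it evaluates is a constructed example.

```python
"""Breach-notification obligations and deadlines under the HITECH interim final rule.

Added illustration, not from the article or from HHS; it encodes the article's
thresholds as constants and is not legal advice. All breach inputs are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional

OUTER_LIMIT_DAYS = 60          # "without unreasonable delay", and never later than 60 days
MEDIA_THRESHOLD = 500          # media notice: MORE THAN 500 residents of one state or jurisdiction
HHS_IMMEDIATE_THRESHOLD = 500  # HHS notice with the individual notices: 500 OR MORE individuals in total
ANNUAL_LOG_DAYS = 60           # smaller breaches: logged, reported within 60 days after calendar year end


@dataclass
class Breach:
    # Day a workforce member or agent actually knew of the breach (None if nobody did).
    known_on: Optional[date]
    # Earliest day "reasonable diligence" would have surfaced it, e.g. the day an
    # unreviewed alert fired (None if not applicable).
    should_have_known_on: Optional[date]
    # Affected individuals grouped by state of residence.
    affected_by_state: Dict[str, int] = field(default_factory=dict)
    # True only if the PHI was encrypted or destroyed per the HHS guidance and the
    # key was not compromised: such PHI is not "unsecured", so the rule does not apply.
    phi_secured: bool = False
    # True when the party running this is a business associate, whose duty is to
    # notify the covered entity on the same 60-day clock.
    is_business_associate: bool = False


def discovery_date(b: Breach) -> date:
    """The earlier of actual knowledge and constructive (reasonable-diligence) knowledge."""
    known = [d for d in (b.known_on, b.should_have_known_on) if d is not None]
    if not known:
        raise ValueError("a breach needs an actual or constructive discovery date")
    return min(known)


def notification_obligations(b: Breach) -> Dict[str, date]:
    """Each notice the reporting party owes, keyed by recipient, with its outer deadline."""
    if b.phi_secured:
        return {}  # safe harbor: secured PHI is outside the Breach Notification rule

    discovered = discovery_date(b)
    outer = discovered + timedelta(days=OUTER_LIMIT_DAYS)
    if b.is_business_associate:
        return {"covered_entity": outer}  # the covered entity then owes the notices below

    obligations: Dict[str, date] = {"individuals": outer}

    # Media notice is judged state by state, never on the national total.
    for state, count in sorted(b.affected_by_state.items()):
        if count > MEDIA_THRESHOLD:
            obligations[f"media:{state}"] = outer

    # HHS notice is judged on the total across all states.
    total = sum(b.affected_by_state.values())
    if total >= HHS_IMMEDIATE_THRESHOLD:
        obligations["hhs"] = outer  # contemporaneously with the individual notices
    else:
        year_end = date(discovered.year, 12, 31)
        obligations["hhs_annual_log"] = year_end + timedelta(days=ANNUAL_LOG_DAYS)
    return obligations


def sample_large_breach() -> Breach:
    """Constructed: a lost unencrypted backup tape, known 2009-09-30, 620 NE and 40 IA residents."""
    return Breach(date(2009, 9, 30), None, {"NE": 620, "IA": 40})


def sample_small_breach() -> Breach:
    """Constructed: 120 records e-mailed to the wrong address; staff noticed 2009-10-15,
    but the mail gateway's misdelivery alert had fired on 2009-10-01 and was ignored."""
    return Breach(date(2009, 10, 15), date(2009, 10, 1), {"NE": 120})


def sample_business_associate_breach() -> Breach:
    """Constructed: a billing vendor's laptop stolen 2009-11-02 holding a client's PHI."""
    return Breach(date(2009, 11, 2), None, {"NE": 3000}, is_business_associate=True)


def sample_secured_breach() -> Breach:
    """Constructed: the same stolen laptop, but full-disk encrypted with the key held elsewhere."""
    return Breach(date(2009, 11, 2), None, {"NE": 3000}, phi_secured=True)


if __name__ == "__main__":
    for sample in (sample_large_breach, sample_small_breach,
                   sample_business_associate_breach, sample_secured_breach):
        print(sample.__name__)
        for recipient, deadline in notification_obligations(sample()).items():
            print(f"  {recipient:16s} due by {deadline.isoformat()}")
```

Two design points worth noticing: the discovery date is the earlier of actual and constructive knowledge, so the small-breach sample’s clock starts on the day the ignored alert fired, not the day staff noticed; and the media and HHS tests use different comparisons (“more than 500” per state against “500 or more” in total), which is why a breach of exactly 500 residents of one state reaches HHS immediately but not the media.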

Expansion of HIPAA Coverage

In addition to the Breach Notification rule, HITECH imposes both the HIPAA Security Rule and the HIPAA Privacy Rule directly on Business Associates of Covered Entities.  Before this change, Business Associates were not directly subject to the security and privacy requirements of HIPAA.  Instead, Covered Entities were required to obtain “satisfactory assurance” that their Business Associates would safeguard protected health information, typically through a written Business Associate Agreement.  Only Covered Entities were exposed to HIPAA’s civil and criminal penalties for a violation of the security or privacy rules, even when the violation was committed by the Business Associate.  The Covered Entity’s recourse against the Business Associate was limited to a lawsuit for breach of the Business Associate Agreement.  HITECH changes all this.

Under HITECH, the security and privacy rules of HIPAA become directly applicable to Business Associates effective February 17, 2010.  Business Associates will thereafter be subject to direct HIPAA enforcement, including civil and criminal penalties, for a violation of either rule.  HITECH still contemplates the use of Business Associate Agreements and requires that they be updated to reflect the Breach Notification rule outlined above.

Summary

Several significant changes to HIPAA and its implementing regulations were made by the HITECH Act.  Health care providers that are Covered Entities under HIPAA, and their Business Associates, should be prepared to meet the new legal and administrative requirements of these changes.  If you would like to discuss the matters covered in this article, or any other matter regarding your health care practice, feel free to contact Parsonage Vandenack Williams LLC at your convenience.

© 2009 Parsonage Vandenack Williams LLC

  For more information, contact info@pvwlaw.com





What is the Difference Between Consent & Authorization Under the HIPAA Privacy Rule?

2 06 2009

The HIPAA Privacy Rule permits, but does not require, a covered entity to voluntarily obtain patient consent for uses and disclosures of protected health information (“PHI”) for treatment, payment, and health care operations. Covered entities that obtain patient consent have complete discretion to design a process that best suits their needs.

On the other hand, an authorization under the HIPAA Privacy Rule is a detailed document that gives covered entities permission to use PHI for specified purposes, which are usually other than treatment, payment, or health care operations, or to disclose PHI to a third party designated by the individual.  An authorization must specify a number of elements, including a description of the PHI to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some instances, the purpose for which the information may be used or disclosed.

The Privacy Rule requires authorization for uses and disclosures of PHI not otherwise allowed under HIPAA. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of PHI unless it also satisfies the requirements of a valid authorization.

© 2009 Parsonage Vandenack Williams LLC






NIST Releases Final HIPAA Security Rule Guidance

5 02 2009

The National Institute of Standards and Technology (“NIST”) has released the final version of its guidance on the HIPAA Security Rule, NIST Special Publication 800-66 Revision 1.  It had previously released a draft version.  Although the guidance is written for federal agencies, private physician groups and hospitals can use it on a voluntary basis.

The guidelines provide a comprehensive explanation of the Security Rule and a structured but flexible framework for selecting, specifying, implementing, and assessing the security controls in the information systems of covered entities and their business associates.

The NIST guidelines are a helpful tool for both federal health care agencies and the private sector and can be accessed at:

 http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf.

 © 2009 Parsonage Vandenack Williams LLC





HHS Releases Guidance on Sharing Patient Information With Family and Friends

5 01 2009

On September 16, 2008, the HHS Office for Civil Rights (“OCR”) released new guidance on how to interact with a patient’s family or friends without violating the HIPAA privacy regulations.  OCR released two separate guides on this issue: one for patients and one for providers.

The guides are in a question-and-answer format and address common and sometimes confusing situations about when a physician or other medical staff member can share information on a patient’s condition with his or her family members.  For instance, the provider’s guide asks, “If the patient is present and has the capacity to make health care decisions, when does HIPAA allow a health care provider to discuss the patient’s health information with the patient’s family, friends, or others involved in the patient’s care or payment for care?”  The guide states that the provider may have such discussions if the patient agrees.  “A health care provider also may share information with these persons if, using professional judgment, he or she decides that the patient does not object. In either case, the health care provider may share or discuss only the information that the person involved needs to know about the patient’s care or payment for care,” OCR says.

Another question addresses sharing information when the patient is not present or is incapacitated.  “[A] health care provider may share the patient’s information with family, friends, or others as long as the health care provider determines, based on professional judgment, that it is in the best interest of the patient. When someone other than a friend or family member is involved, the health care provider must be reasonably sure that the patient asked the person to be involved in his or her care or payment for care,” it says.  “The health care provider may discuss only the information that the person involved needs to know about the patient’s care or payment.”  In particular, providers should not reveal past medical problems that are unrelated to the patient’s current condition.

The provider and patient guides are available at www.hhs.gov/ocr/hipaa/privacy.html.

 

 © 2009 Parsonage Vandenack Williams LLC


 





Provider Information: Steps to Take to Prevent Incidents of Medical Identity Theft

29 12 2008

Health care providers need to implement approaches to detect, prevent, and respond to medical identity theft.  No single solution applies to every provider, because providers differ in size, overhead, and available resources.  Providers should therefore combine several techniques, including patient authentication, training and awareness, and risk assessment.

Providers should be especially aware of medical identity theft because the risk is likely to grow as the industry moves toward electronic health records and a national health information network.  If those networks lack adequate privacy and security protections, huge volumes of health information could be improperly accessed and used for medical identity theft, as well as for other purposes.

In many cases, providers have not yet considered the unique characteristics of medical identity theft as part of their overall risk assessment.  Providers should evaluate whether there are gaps in their policies and procedures that might lead to medical identity theft, and the natural time to do so is during routine risk assessments.

Although entities covered under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) are required to implement a security awareness and training program for their workforce, medical identity theft is rarely addressed as a separate, individual risk.  Requiring patient authentication, in the form of photo identification as well as a health insurance card, is one way to combat medical identity theft.

In addition to using education and training to prevent incidents of medical identity theft, providers should consider conducting training after an incident to confirm that employees and contractors responded appropriately.  This allows staff to debrief, identify and apply lessons learned, and continuously improve privacy and security processes and procedures.  It also helps providers respond to and mitigate any threats and identify steps that can be implemented to prevent similar incidents in the future.

 Guide to Medical Privacy and HIPAA.  Health Care Series.  December 2008, vol. 7, no. 11.

                

© 2008 Parsonage Vandenack Williams LLC






Portable Devices Pose Challenges to Protecting Patient Privacy

11 12 2008

Covered entities (“CEs”) need to be aware that their wireless networks and portable devices such as iPhones and BlackBerrys are not necessarily secure.

Eleven people have been charged with various counts of computer intrusion, fraud, and identity theft, among other charges, for participating in a crime ring that allegedly broke into the wireless networks of nine major retailers.  Federal prosecutors believe the conspirators stole credit and debit card numbers after locating vulnerable networks by “wardriving”: one person drives a car around while another in the car uses a laptop computer to find and gain access to wireless networks within range.

CEs could be targeted in similar schemes and should make sure their wireless networks use strong encryption.  CEs should already have moved from the Wired Equivalent Privacy (“WEP”) system to the Wi-Fi Protected Access (“WPA”) protocol, preferably WPA2 with AES (CCMP) rather than the older TKIP mode, and with either a long, non-dictionary passphrase or 802.1X per-user authentication.  WEP’s design flaws were published in 2001, and by 2007 freely available tools could recover a WEP key from captured traffic in minutes, so a network that still runs WEP should be treated as an open one.
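To make concrete why a WEP network is effectively open, the following Python is an added example written for this page (it is not part of the original article and has nothing to do with the specific case described above).  It implements WEP’s per-frame RC4 encryption and CRC-32 integrity check, then plays the attacker: it recovers one IV’s keystream from a frame whose plaintext is predictable (here a constructed ARP request behind the standard LLC/SNAP header that precedes every IP or ARP payload) and forges a frame the access point accepts under that IV, without ever learning the key.  The key, IV, and frame contents are all constructed for the example.

```python
"""Why WEP fails: keystream reuse plus a linear, keyless integrity check.

Added illustration, not from the article. WEP encrypts each frame with RC4 keyed
by a 24-bit IV (sent in the clear) concatenated with the shared key, and protects
integrity with CRC-32. The tiny IV space guarantees IV reuse, and anyone who
knows the plaintext of one frame learns that IV's keystream. The key, IV and
frames below are constructed for this example.
"""
import struct
import zlib

KEY_ID = b"\x00"  # WEP key-index byte that follows the IV in the frame header


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream of `length` bytes: key-scheduling algorithm, then the PRGA."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP's integrity check value: plain CRC-32, little-endian, no key involved."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body: IV || key id || RC4(IV || key) XOR (plaintext || ICV)."""
    body = plaintext + icv(plaintext)
    return iv + KEY_ID + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Return (icv_ok, plaintext) exactly as a receiver holding the real key would."""
    iv, ct = frame[:3], frame[4:]
    body = xor(ct, rc4(iv + key, len(ct)))
    plaintext, tag = body[:-4], body[-4:]
    return tag == icv(plaintext), plaintext


# ---- attacker side: nothing below uses `key` ----

def xor_of_plaintexts(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames under the same IV share a keystream, so C_a XOR C_b = P_a XOR P_b."""
    assert frame_a[:3] == frame_b[:3], "only meaningful for an IV collision"
    return xor(frame_a[4:], frame_b[4:])


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext (plus its predictable CRC) XOR ciphertext = keystream for this IV."""
    return xor(frame[4:], known_plaintext + icv(known_plaintext))


def forge_frame(iv: bytes, keystream: bytes, new_plaintext: bytes) -> bytes:
    """Encrypt an attacker-chosen frame under a reused IV; the CRC needs no key to compute."""
    body = new_plaintext + icv(new_plaintext)
    if len(body) > len(keystream):
        raise ValueError("need at least as much keystream as the forged frame")
    return iv + KEY_ID + xor(body, keystream)


LLC_SNAP_ARP = b"\xaa\xaa\x03\x00\x00\x00\x08\x06"  # header every ARP frame starts with
LLC_SNAP_IP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"   # header every IPv4 frame starts with


def demo():
    """Forge a frame the access point accepts, having observed one predictable frame."""
    key = b"\x13\x37\xc0\xff\xee"  # constructed 40-bit WEP key; the attacker never sees it
    iv = b"\x00\x00\x01"           # IVs travel in the clear, so the attacker knows it
    arp = LLC_SNAP_ARP + b"ARP who-has 10.0.0.1 tell 10.0.0.7"  # constructed, predictable
    captured = wep_encrypt(key, iv, arp)

    keystream = recover_keystream(captured, arp)
    forged = forge_frame(iv, keystream, LLC_SNAP_IP + b"forged packet")
    return wep_decrypt(key, forged)  # (True, ...) means the AP would accept it


if __name__ == "__main__":
    ok, plaintext = demo()
    print("access point accepted forged frame:", ok, plaintext)
```

The forgery works for two reasons the example makes visible: the keystream depends only on the IV and the fixed key, so any frame with a known plaintext gives it away, and the ICV is a CRC computed over the plaintext with no secret, so the attacker can produce a valid one for any message.  WPA2’s CCMP removes both weaknesses (a per-session key derived from a fresh handshake, and a keyed AES-CBC-MAC integrity tag), which is why the migration described above is not optional.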

Additionally, CEs should remind staff members to use portable devices with care.  There are two main risks: (1) a physician in a public place who transmits PHI [i.e., protected health information] over an unsecured network exposes it to anyone else on that network if the traffic is not encrypted end to end (for example through a VPN or an HTTPS connection), or is encrypted only with a weak method; and (2) an attacker on the same wireless network can probe and attack the laptop itself.  The second risk is harder to realize, but it can be done, and it lets the perpetrator inspect the traffic coming from the device.

Use of portable devices like laptops and iPhones falls under HIPAA’s workstation use and workstation security standards.  CEs should therefore remind staff members where they can and cannot use these devices.  An airport hotspot is a particularly risky place: anyone can buy access with a credit card, and every paying user shares the same network and can capture traffic that is not encrypted.  Employees should also use the locking features of the devices so that no one can open them without a password.  Finally, CEs should go over what kinds of information are acceptable to transmit.  This will help ensure that patient information is protected and HIPAA compliance is maintained at all times.

Health Business Daily, Sept. 17, 2008.

 

© 2008 Parsonage Vandenack Williams LLC

 






Medical Blogging Creates Potential Privacy Concern

24 09 2008




What Is the Shelf Life of a Patient’s Disclosure Authorization in Nebraska?

24 09 2008

Under HIPAA, a patient’s written authorization for a health care provider to disclose the patient’s protected health information to a third party must, by its terms, expire either upon a) the occurrence of a specified event or b) a date certain.  HIPAA puts no limit on how long these time periods can be.

Therefore, when creating a HIPAA-compliant authorization form, a provider can select as long a time period as desired.  However, under Nebraska law, an authorization to release a patient’s medical records must expire no more than 180 days after the patient signs it.  This particular Nebraska statute is not preempted by HIPAA.

Although some Nebraska providers use authorization forms that limit the period for all disclosures to 180 days from execution, Nebraska law limits only authorizations to disclose medical records to 180 days.  Therefore, a single authorization form can be drafted so that it expires in 180 days only for purposes of authorizing medical records releases, but has a much longer shelf life for disclosures other than releases of medical records.

The main reason many providers (wisely) require all patients to sign a disclosure authorization is to cover the frequent and ongoing verbal discussions they have with others who accompany patients to their appointments and/or assist them with paying their bills (such as the adult children of elderly patients or the parents of college students).  Rather than having patients re-execute authorizations every 180 days to cover these discussions, providers may wish to use an authorization form whose 180-day expiration is limited to the authorization to release medical records.  After 180 days, the provider can have the patient execute a new authorization if medical records need to be released; otherwise, the authorization remains good for the day-to-day disclosures it is mainly intended to cover.

 

© 2008 Parsonage Vandenack Williams LLC

 






HIPAA Beyond the Office: Laptops, PDAs, and Home Computers

22 09 2008

For all the complexity of HIPAA, the greatest provider liability often arises from easily correctable security lapses, such as the failure to password protect a physician’s BlackBerry.  The failure of physicians to password protect PDAs used to store or transmit patient information is a glaring HIPAA violation, but, lamentably, one that still frequently occurs.

HIPAA Security Rule requirements for protected health information in electronic format apply not just with regard to computers in the office, but also personal laptops, home-based personal computers, PDAs and smart phones.     

Remote access to and use of ePHI should be strictly limited to legitimate business or medical purposes, and procedures should be put in place to mitigate identified risks.  For example, to mitigate the risk of unauthorized access via portable devices, which are highly susceptible to theft because of their size, two-factor authentication is an advisable condition of access.  To mitigate the risk of unauthorized viewing of what appears on the screen of a physician’s home desktop computer, which other residents or visitors to the physician’s home may see, an automatic session time-out that locks the screen should be set.

 

© 2008 Parsonage Vandenack Williams LLC

 






Medical Blogging Poses Risk of Being Treated as HIPAA Privacy Violation

22 09 2008

Ever since the HIPAA privacy rules came into effect, there has been a proliferation of complaints based on privacy violations.  The most recent form of complaint is arising from the growing popularity of medical blogging.  Medical bloggers subject to the HIPAA privacy rules should exercise great care in blogging.  Avoid any mention of patient specifics.  Privacy violations can result simply from disclosing facts sufficient to allow someone to put two and two together and identify the patient and the patient’s issue.  When blogging on medical matters, keep to general comments.  Be sure to include a disclaimer indicating that your blogging is not medical advice.  Mary E. Vandenack

 

© 2008 Parsonage Vandenack Williams LLC

 
