HHS Thinks Rite Aid Disposal Policies Are "In the Dumps"

Prepared by Krystyna Nowik. 

In a recent settlement agreement, Rite Aid Corporation and its affiliated entities have agreed to shell out $1 million in order to settle potential HIPAA violations. The Office of Civil Rights (OCR) and the Federal Trade Commission (FTC) launched an investigation against Rite Aid and its affiliates after media reports showed Rite Aid pharmacies across the country had disposed of prescription and pill bottles containing protected health information (PHI) in publicly accessible dumpsters. The investigation indicated that Rite Aid entities failed to implement appropriate policies and procedures to safeguard PHI during the disposal process. It also found that Rite Aid entities did not provide and document appropriate training for their employees in disposing of PHI. Finally, the investigation indicated that Rite Aid entities had not implemented a sanction policy to deal with employees who violated the disposal policies and procedures.

The Rite Aid Resolution Agreement is an important tool for other covered entities in assessing and developing policies and procedures for disposing of PHI.  Covered entities should ask themselves:

  1. Is there an up-to-date policy for the disposal of PHI? Are employees aware of it?
  2. Are employees properly trained on how to dispose of PHI? How is training documented?
  3. What sanctions are in place? Are employees reeducated, reprimanded or otherwise appropriately sanctioned after a violation?
  4. How is off-site destruction/disposal dealt with? Are business associate contracts HIPAA compliant?
  5. Is there an internal and/or third-party auditing system in place to ensure employees are complying with the disposal and other HIPAA policies?

Read the full Rite Aid Resolution Agreement posted on HHS's website. For additional guidance and best practices for disposal of PHI, see the helpful joint FAQ posted by HHS and CMS on the topic. The FAQ even describes how to properly dispose of computers and other electronic media that store electronic PHI, which is of particular relevance for Health Information Exchanges.

Krystyna is a graduate of Seton Hall Law School, with a concentration in Health Law.  She works with Oscislawski LLC on various Health Information Exchange matters and is a guest contributor to Legal HIE. 

HIE Liability and Insurance

Liability continues to be a central concern for HIEs and their stakeholders. In general, liability may arise from the acts or omissions of a party that fails to meet a responsibility or legal duty.  Last year, I discovered an excellent resource that summarizes liability coverage issues for Regional Health Information Organizations (RHIOs) that I would like to pass along to readers. Specifically, the Agency for Healthcare Research and Quality (AHRQ) published a Report in June 2009 that looked at key liability issues identified by RHIOs, as well as insurance options.  

Here are some of the key points the Report makes regarding liability concerns, as well as a few thoughts of my own:

  • Liability for Data Storage and Management.  How data is stored and managed (e.g., by the RHIO versus by its participants) will affect the distribution of liability. In general, the more authority and responsibility that the RHIO possesses in connection with the data, the more liability coverage it will need to take on. I agree.
  • Liability for Accuracy and Completeness.  Both data suppliers and data users are concerned about their respective liability in relation to data being accurate and complete.  RHIOs often will contractually limit their liability for accuracy of data supplied, or received and used.  However, if the RHIO manipulates the data in transit in any way, it could be held responsible for such intervening acts. I note that data senders and receivers are also typically required to carry insurance and assume contractual responsibility for supplying accurate and complete data to the RHIO.
  • Duty to Review.  In a previous blog post, I discussed providers’ concerns that joining a RHIO/HIE will create a duty to review all information about a patient contained in the RHIO/HIE, and this will potentially expose them to an increased risk of “missing” relevant information. In my post, I noted why I thought that the role of HIEs in connection with the "standard of care" is still evolving. The Report additionally notes that:

there are no widely recognized standards for reasonable physician behavior in seeking or reviewing electronically available data, or for the extent to which that data should inform his/her clinical decisions.

  • Liability for Audit Logs.  The Report points out that some RHIOs have recently been compelled via subpoena to provide audit information for malpractice lawsuits involving the RHIO's participants. Although a RHIO may be legally obligated to respond to a subpoena, I note that it is still important that HIPAA’s standards for releasing PHI in response to a subpoena are complied with.
  • Extending Liability to IT Vendors.  If the IT vendor provides any software, integration services, or operational services for the RHIO, the vendor should assume responsibility for its actions.  The Report noted that one factor that strongly influenced the amount of liability assigned to IT vendors was the negotiating power of the RHIO. The type of coverage in their liability insurance that the IT vendors were asked to carry varied, but typically total liability coverage ranged between $1 million and $3 million.

With regard to insurance coverage, the Report made the following additional points: 

  • Researching, negotiating and obtaining liability coverage takes time. Get started early.
  • There remains a high degree of uncertainty with regard to what constitutes adequate coverage.
  • Insurance policy options for RHIOs are growing, but remain limited.
  • There is wide variability in liability insurance practices across RHIOs.
  • Sovereign immunity has its advantages and disadvantages. On this last point, the paper notes that while some are strong proponents of State immunity for RHIOs, citing such benefits as increased stakeholder participation, decreased start-up costs, and long-term sustainability, others are skeptical and note that if State immunity is available, RHIOs may not be as rigorous in establishing privacy and security controls, and that stakeholders may then be targeted for lawsuits instead.

In sum, the Report illustrates some of the complex liability questions that are being addressed in the RHIO context, and this is without even getting into other areas such as directors' and officers' liability, as well as security breaches across RHIO participants. Navigating this complex and uncertain landscape continues to be challenging, but those getting started now have some benefit from lessons learned by others over the last year, as well as a slightly more mature insurance market primed for RHIO and HIE risks.

Oh where, Oh where has the Security Breach Rule gone?

Today, I was going to draft a follow-up article to my previous post to address whether notification was required under the Security Breach Notification Rule. However, when I sat down to begin typing, I discovered that the Breach Rule was gone! Well, maybe not exactly gone, but at least “withdrawn”.

HHS recently posted on its website the following:

At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months. Until such time as a new final rule is issued, the Interim Final Rule that became effective on September 23, 2009, remains in effect.

So now what?

For starters, HHS made clear in its last statement that the Interim Final Rule that went into effect in September remains in effect. Therefore, whatever “difficulties” HHS/OMB/OCR may be having with regard to administering or enforcing compliance, this does not automatically give covered entities or business associates a “free pass” to not report Breaches if an incident warrants such notification – to patients, OCR or otherwise – under the Interim Final Rule. As of today, OCR’s website set up to receive breach notifications is still up and running, and so covered entities should continue to make any required reports of breaches through that website. Also, entities should be mindful that if their state has implemented a breach notification statute (as many have), then such state law must still be complied with. To see if your state has such a law, visit NCSL's website.

As for what HHS will be doing with the Breach Rule … it’s not clear. It has been suggested that the withdrawal may have been prompted to address certain privacy groups’ concerns regarding the “Harm” threshold. Particularly, the Harm threshold has been heavily criticized by some as creating a loophole to avoid reporting by Business Associates, who are required ONLY to notify the Covered Entity regarding a Breach (which then triggers the Covered Entity’s obligation to notify HHS and patients of the Breach caused by the BA). Specifically, as the Breach Rule currently reads, a Business Associate is entitled to go through the same Harm analysis in order to decide whether or not to report the Breach to the Covered Entity. Some have compared this to the “fox guarding the chicken coop”. Nevertheless, I don’t believe that this warrants complete removal of the Harm balancing from the Breach Rule, and here is why:

Continue Reading

Aetna "forgets" file cabinet full of patient information

A reminder to all covered entities out there that may be considering selling their business – don’t forget your file cabinet!! (or computers ... or disks ... or seemingly “empty” boxes where PHI may be lurking ... well, you get the picture).

NJ Times reports today that Aetna is notifying 7,250 people after paper files containing their PHI were accidentally left in a file cabinet that was being sold after an office move. The press release indicates that over 2,346 New Jersey residents were affected and over 4,013 in Pennsylvania, as well as a few in Connecticut and Delaware. Apparently, the files were voluntarily returned to Aetna after the individual who purchased the file cabinet discovered them. Aetna issued a press release indicating that it “has no reason to believe the information will be misused in any manner." Nevertheless, Aetna is notifying affected individuals and offering them a credit-monitoring service. Aetna also indicates that it has many privacy policies and processes in place, but corrective action will be taken to ensure that such a “mistake” does not happen again.

The Aetna “breach” raises a number of interesting questions, many of which I am often asked about in similar contexts. Specifically: 1) Can PHI be disclosed in connection with a sale of a business? 2) Must a seller purge or maintain PHI that is not transferred in connection with the sale of such business? and, 3) Who do I have to notify in the event of a breach?

I’ll tackle Questions #1 & #2 in today’s post, and save #3 for follow-up.

HIPAA actually does not require a patient’s written authorization to use or disclose PHI in connection with the sale of a business, in certain limited circumstances. A sale of a business is considered a “health care operation,” which is defined in the HIPAA Privacy Rule to include:

“the business management and general administrative activities of the covered entity including, but not limited to … (iv) the sale, transfer, merger, or consolidation of all or part of such entity with another covered entity, or an entity that following such activity [or completed purchase] will become a covered entity, and the due diligence related to such activity.” See §164.501.

Therefore, if Aetna had sold its filing cabinet to an entity that was acquiring its health plan business, then there would have been no breach under the federal standards. However, in this situation, it appears that the patients’ files were simply inadvertently left in Aetna’s file cabinet after furniture was sold to a random buyer in connection with an office move.  As such, there appears to have been a lapse in either following or implementing adequate safeguards.

The HIPAA Privacy Rule requires covered entities to implement appropriate administrative, technical, and physical safeguards to protect PHI from intentional and unintentional use or disclosure that is in violation of the Privacy Rule (see §164.530(c)(1)-(2)). However, it is the Security Rule that provides more detailed guidance on the types of safeguards that may be useful. Specifically, the Security Rule requires covered entities to:

“implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within a facility.” (see §164.310(d)(1)).

The Rule goes on then to require covered entities to implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored (see §164.310(d)(2)(i)-Disposal). The Security Rule also requires covered entities to maintain a record of the movements of hardware and electronic media and any person responsible therefore. (see §164.310(d)(2)(iii)–Accountability).

Although the Security Rule technically applies only to electronic PHI, the Aetna situation illustrates why it makes sense to implement similar sorts of controls for paper PHI. After all, if it makes sense to keep track of computers that store electronic PHI so that such information does not inadvertently end up in the hands of someone who should not have it, would it not make sense to implement similar safeguard controls for a file cabinet that “houses” paper PHI?

It would seem so.

HIE Standard of Care -- What You Don't Join Can't Hurt You.. or Could it?

It should come as no surprise that many providers are still leery about joining a HIE due to concerns over becoming potentially exposed to new liabilities. Questions such as “Who owns the data?”, “How can I be certain of data accuracy and completeness?” and “Is the HIE secure?” are very common to hear during discussions with providers who are evaluating joining a HIE. Providers are also concerned that participation in a HIE will create a new obligation to access and review seemingly endless electronic reams of information about a patient, and many want to know: in the event that they “miss something” buried deep in the electronic HIE abyss, can they be sued and held liable for malpractice?

Whether or not a provider will be held liable for “misses” will always depend on the facts and circumstances surrounding a particular case. However, the “standard of care” in medicine evolves over time, especially when dealing with new technologies. Therefore, what may not yet be the standard of care today may very well be just that in the very near future. Sooner or later, this will likely hold true with use of electronic medical record (EMR) and HIE technology as well.

To get a different perspective on the question, I decided to ask an old law school friend who now happens to be a successful medical malpractice attorney (I try not to hold that against him!) what he thought about HIEs and malpractice. Initially, we both agreed that if the relevant information is hidden deep inside the HIE and is not reasonably accessible to the busy practicing provider, is not presented in a way that is of value or conducive to making clinical judgments, or it is just plain too expensive to join the HIE, then it will be unlikely that the physician's "failure" to “find” or “access” such information would be found by a jury to be negligent or falling below the “standard of care.” However, my friend then did a 180° on me when he said the following…

But, if joining the HIE is not cost prohibitive, and the information was available to the physician in a meaningful, easily-accessible and useful way that, had it been accessed through the HIE, could have prevented harm to the patient, but the physician did not join the HIE simply because he/she did not want the new obligation and burden of having to review such information, then I would definitely sue the physician for not joining the HIE and not accessing the information because it could have prevented harm to my client…

Now, I have to admit I did not see that one coming and immediately thought to myself, “so, is this a case of ‘damned if you do’ and ‘damned if you don’t’?” I don’t think so. However, the reasons why providers decide not to join a HIE should be very carefully considered and weighed against the potential benefits joining a HIE may have for their patients, namely potentially improving safety and quality of care. That said, before HIE technology can become a standard of care, at a minimum it must be easy to use, offer useful information, be secure, and not be cost prohibitive to the busy practicing provider. Once that happens, however, what will happen if providers don’t join and patients suffer as a result? .... well, I guess my old law school friend may be waiting!

The 800-Pound HIE Gorilla Tiger in "Meaningful Use"

There has been a lot of discussion around the Meaningful Use (MU) criteria. CMS has an entire website dedicated to the subject, as does ONC. Although the clinical criteria of MU may garner much of the attention, the privacy and security components are also significant.  In particular, the MU criteria pertaining to Health Information Exchange (HIE) raise certain fundamental privacy questions.

In short, the HIE requirements for MU include the ability to: (1) exchange “key” clinical information among providers of care and patient authorized entities electronically, and (2) perform at least 1 test of exchanging information. The crucial question, then, is what exactly does "and patient authorized entities" suggest? In listening to the privacy discussion taking place in various ONC Workgroups, including the newly-established Privacy & Security Tiger Team, one could reasonably conclude that this requirement might evolve to mean that a HIE will need to be able to capture and implement patients' specific and granular preferences (e.g., patient is "ok” with releasing info to Provider B, but not to Provider C) -- at least if you want to meet MU criteria.

This interpretation, however, could throw a wrench into HIE networks across the nation that have implemented an Opt-Out consent model in part in reliance on a legitimate belief that when HHS adopted the final version of the HIPAA Privacy Rule it also vetted and already decided the question of whether a patient's prior written authorization should be required before general health information can be shared between treating providers for treatment purposes -- and it affirmatively decided to create the "Treatment Exception".  In fact, many states have laws that contain a similar exception. New Jersey, for example, specifically permits two treating doctors to share pertinent information about a common patient and expressly states that the prior consent is not required in such instances if it is in the best interest of the patient (see N.J.A.C. 13:35-6.5(d)3).

Links to the full legislative history related to the promulgation of the HIPAA Privacy Rule can be found on HHS’s website, but a closer look at the August 14, 2002 “Modification to the HIPAA Privacy Rule – Final Rule" is worth a second read in particular. For those who wish to review it in full, I have posted a full excerpt of the relevant sections under the “Continue Reading” window below, but in sum HHS removed the requirement of obtaining prior patient authorization after reviewing numerous public comments on the issue and concluding that:

As a result of the large number of treatment-related obstacles raised by various types of health care providers that would have been required to obtain consent, the Department became concerned that individual fixes would be too complex and could possibly overlook important problems. Instead, the Department proposed an approach designed to protect privacy interests by affording patients the opportunity to engage in important discussions regarding the use and disclosure of their health information through the strengthened notice requirement, while allowing activities that are essential to quality health care to occur unimpeded ...

The Final HIPAA Privacy Rule was adopted after HHS released multiple proposed versions, considered significant public comment, and followed administrative rule-making procedures -- all over the course of almost 3 years. Thus, as policies are recommended and developed for the HIE context, prior debate and dialogue is relevant and should not be forgotten or dismissed.

Continue Reading

HIE-ho, HIE-ho, it's off to Court ACLU Goes

The Director of the Rhode Island Department of Health (RI-DOH) was sued last week in connection with RI-DOH's proposed rules for implementing and enforcing the State's health information exchange (HIE) under the Rhode Island Health Information Exchange Act of 2008 (HIE Act).

The Rhode Island chapter of the American Civil Liberties Union (ACLU) filed the Complaint alleging that:

the proposed rules failed to comply with the HIE’s statutory mandates by not addressing provisions in the statute that require adoption of regulations on certain specific issues to further promote the confidentiality, security, due process and informed consent due the affected patients

The ACLU argues that the RI-DOH cannot supplement gaps in the proposed rules through the adoption of policies and that the RI-DOH must address these concerns through Rhode Island's public rulemaking process in order to fulfill its obligations under the HIE Act. However, the RI-DOH has countered that the policies provide sufficient safeguards to protect patients' information while offering more flexibility to make adjustments quickly as national standards for privacy and security in the HIE context continue to evolve rapidly.

The lawsuit serves as an example of how important these concerns are to the public and highlights the potential for challenges to others developing HIE regulations. This case is worth watching closely to see how it develops.

This post was prepared by Krystyna Nowik.  Krystyna is a graduate of Seton Hall Law School, with a concentration in Health Law.  She works with Oscislawski LLC on various Health Information Exchange matters and is a guest contributor to Legal HIE. 

Foreword

Hello, and welcome to Legal HIE.  My name is Helen Oscislawski – but, for obvious reasons many simply call me 'Helen O'. Either way, I am the founding member of Oscislawski LLC, a boutique health law practice in Princeton, New Jersey. I have been advising the health care sector on legal issues for over a decade, and am particularly known for my experience with guiding many through the legal minefields of electronic health information exchange (HIE).

In 2009, Governor Corzine appointed me to serve on the New Jersey Health Information Technology Commission as the 'attorney with demonstrated expertise in privacy law issues.' In 2007, I was instrumental in advising one of the first HIE initiatives in New Jersey when I helped a large health care system develop a privacy and patient consent framework based upon federal and state law. Since then, I have provided legal guidance to dozens upon dozens of organizations, health care providers, and other stakeholders on the various aspects of planning and implementing a Regional Health Information Organization (RHIO), and with regard to engaging in HIE. I have also prepared many key documents needed for HIE, including trust agreements, licensing contracts, policies, and various compliance materials, as well as helped clients navigate around fraud and abuse laws, privacy laws, and state regulations, among others, which can be implicated in HIE.

Because HIE continues to evolve at lightning speed, I dedicate time every day to stay on top of legal developments in this specific niche area. I also continue to be integrally involved as HIE takes shape at the state level, and beyond. Recently, I assisted with preparing certain components of New Jersey’s HIT Plan submitted to the federal Office of the National Coordinator. I am also lending my insight to legislators and others considering potential legislation to better align HIE with standards that support beneficial and secure exchange of health information.

As the HIE journey continues across the nation, I often have observations and thoughts that I want to share and exchange with others in the industry. This was the impetus for starting the Legal HIE Blog. My goal is to make Legal HIE thought-provoking, insightful, and informative – and, at times, maybe even mildly entertaining. I hope that you find all of these qualities in the coming posts.

Thanks for taking the time to read my personal introduction. I hope that you will visit this Blog often, and share with others the items of interest you come across on Legal HIE.

Best Regards,

Helen O.