HHS Publishes Ransomware Guidance

HHS has published guidance for hospitals and other covered entities in light of recent prominent ransom attacks on hospital data.  The Q&As address Security Rule safeguards which can prevent ransomware and other malware, and also assist in identifying, investigating, responding to and mitigating ransomware attacks. Specifically, HHS notes that the presence of ransomware or any malware on a covered entity's or its business associate's systems is a "security incident" as defined under HIPAA.  HHS also notes that, although a breach determination is a fact-specific inquiry,

When [ePHI] is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a "disclosure" not permitted under the HIPAA Privacy Rule.

Unless the covered entity or business associate can demonstrate that there is a "...low probability that the PHI has been compromised," based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred.

HHS provides the following examples for consideration as part of the risk assessment which must be conducted to determine whether there is a low probability that the ePHI was compromised:

  • the exact type and variant of malware discovered;
  • algorithmic steps undertaken by the malware;
  • communications, including exfiltration attempts, between the malware and attackers' command and control services;
  • whether the malware propagated to other systems, potentially affecting additional sources of ePHI.

HHS further states,

Correctly identifying the malware involved can assist an entity to determine what algorithmic steps the malware is programmed to perform.  Understanding what a particular strain of malware is programmed to do can help determine how or if a particular malware variant may laterally propagate throughout an entity's enterprise, what types of data the malware is searching for, whether or not the malware may attempt to exfiltrate data, or whether or not the malware deposits hidden malicious software or exploits vulnerabilities to provide future unauthorized access, among other factors. 

The full ransomware guidance can be found here.  

Moving Forward with Meaningful Use Stage 3 and MACRA

A little over a month ago, CMS Acting Administrator Andy Slavitt delivered some unexpected news.   

Now that we effectively have technology into virtually every place care is provided, we are now in the process of ending Meaningful Use and moving to a new regime culminating with the MACRA implementation. 

The Meaningful Use program as it has existed, will now be effectively over and replaced with something better. Since late last year we have been working side by side with physician organizations across many communities — including with great advocacy from the AMA — and have listened to the needs and concerns of many. We will be putting out the details on this next stage over the next few months, but I will give you a few themes guiding our implementation.

Andy Slavitt, JP Morgan Annual Health Care Conference, January 11, 2016 (emphasis my own).

The comments left many wondering if they heard him correctly.  After all, the final Stage 2 modification and Stage 3 rule (the “MU Stage 3 Rule”) was just published in October this past year despite criticism and calls from health care providers and other stakeholders to delay Stage 3. Furthermore, the statutory basis of the program would prevent a complete end to Meaningful Use. Others took to their Twitter feeds and blog posts proclaiming MU effectively “dead” as a result of Mr. Slavitt’s comments.

There was more to come from CMS.  Mr. Slavitt, along with Karen DeSalvo, Acting Assistant Secretary for HHS, released a follow-up “sorry, not sorry” blog post clarifying next steps for Meaningful Use and stating the following:

  1. The current law requires that we continue to measure the meaningful use of ONC Certified Health Information Technology under the existing set of standards. While MACRA provides an opportunity to adjust payment incentives associated with EHR incentives in concert with the principles we outlined here, it does not eliminate it, nor will it instantly eliminate all the tensions of the current system. But we will continue to listen and learn and make improvements based on what happens on the front line.
  2. The MACRA legislation only addresses Medicare physician and clinician payment adjustments. The EHR incentive programs for Medicaid and Medicare hospitals have a different set of statutory requirements. We will continue to explore ways to align with principles we outlined above as much as possible for hospitals and the Medicaid program.
  3. The approach to meaningful use under MACRA won’t happen overnight. Our goal in communicating our principles now is to give everyone time to plan for what’s next and to continue to give us input. We encourage you to look for the MACRA regulations this year; in the meantime, our existing regulations – including meaningful use Stage 3 – are still in effect.

To give some background, the Medicare Access and CHIP Reauthorization Act (“MACRA”) was signed into law in early 2015.  Several provisions relate to improvement of health care delivery, including a Merit-based Incentive Payment System (“MIPS”) and Alternative Payment Models (“APMs”).  CMS released a request for information regarding implementation of many of these provisions shortly before news of the MU Stage 3 Rule broke, and detailed MACRA regulations are expected later this year.  A key component of MACRA is meaningful use of CEHRT (i.e., demonstration of the requirements of Meaningful Use). Up to 25% of an EP’s score under the MIPS is tied to successful demonstration of Meaningful Use. 

MACRA did not (and CMS and HHS cannot through rulemaking) repeal the current statutory framework of Meaningful Use.  Furthermore, MACRA only applies to clinicians, leaving hospitals and CAHs out in the cold for now.  Any real change to Meaningful Use would require substantial changes at the statutory and/or regulatory level. 

The Meaningful Use Program has seen its share of changes over the years, as CMS responded to pressure and concerns from various stakeholders (albeit dragging its feet the entire way). This would appear to be just another evolution for Meaningful Use through MACRA, and not a complete end to or replacement of Meaningful Use. Whatever Meaningful Use will look like in the coming months, it is apparent that the focus will turn more to quality outcomes for patients, as opposed to mere use of health technology. Given that the current Stage 3 regulations seek to align reporting between eligible providers and hospitals/CAHs, we can expect to see changes to Meaningful Use not only for clinicians as a result of the MACRA regulations, but also for hospitals. 

We could potentially see the MACRA regulations at the end of March, as has been hinted, or over the summer.  Providers will have to wait until then with bated breath to see what direction CMS and HHS will take moving forward with Meaningful Use. 

Terms and Conditions May Apply: Consequences of Email-Provider Email Scanning

This guest blog post was written by Van Zimmerman, Esq. Van is currently the Privacy and Security Officer at Jersey Health Connect, a New Jersey health information exchange network. Van has over 18 years' experience in health IT, privacy and security, and compliance.

Yahoo’s recent trip to the courthouse regarding its email content scanning gives us a healthy reminder to think about what we send, how it is used, and how that impacts entities subject to HIPAA and their (or their recipients’) ability to use free hosted email services.  Spoiler - don’t, at least not for any patient-related communication.  Those terms and conditions do matter.

“Yahoo requires its subscribers to consent to the interception, scanning, analysis, and storage of email in exchange for Yahoo Mail Services” and requires users to notify non-Yahoo users with whom they communicate of such “feature”.  In re Yahoo Mail Litig., 2015 U.S. Dist LEXIS 68585 at 9 (N.D. Ca., May 26, 2015).  

Yahoo’s privacy policy states:

“Yahoo! provides personally relevant product features, content, and advertising, and spam and malware detection by scanning and analyzing Mail, Messenger, and other communications content. Some of these features and advertising will be based on our understanding of the content and meaning of your communications.”  In re Yahoo Mail Litig., at 11.

While it is unclear if this sentence was removed in the court’s opinion or wasn’t present in Yahoo’s policy at the time, the current policy continues, “For instance, we scan and analyze email messages to identify key elements of meaning and then categorize this information for immediate and future use.” 

Other major email providers have “privacy” policies which permit substantial use of the contents of email sent through their systems.  For example, Google provides as of December 19, 2014:

“Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection.”  

Google made that addition in their December 19, 2014 revisions to their Privacy Policy, although such practices appear to go back much farther.  See In re Google Inc. Gmail Litig., 2014 U.S. Dist LEXIS 36957 (N.D. Ca., March 18, 2014).  Compare those statements to the privacy policy of a paid-only service, which provides a much more privacy-friendly policy.  Even Google makes an explicit distinction between free and paid email services:

“What kind of data scanning or indexing of end-user data is done?

Google for Work does not scan your data or email in Google Apps Services for advertising purposes. Our automated systems scan and index your data to provide you with your services and to protect your data, such as to perform spam and malware detection, to sort email for features like Priority Inbox and to return fast, powerful search results when users search for information in their accounts. The situation is different for our free offerings and the consumer space. For information on our free consumer products, be sure to check Google's Privacy and Terms page for more consumer tools and information relating to consumer privacy.”

In practice, this goes beyond merely displaying advertisements, and farther than some would expect (Google Tracks Hotel Reservations).

So why does this matter?  Putting aside the consequences of breaches an email provider may suffer (e.g. Midwest Orthopaedics), the email provider is receiving, maintaining, and possibly transmitting on behalf of the sender. If that sender is a covered entity or business associate, and the email contains PHI, the sender and the provider would need to have a business associate agreement in place.  45 C.F.R. §§ 164.308(b), 164.314, and 164.504(e). 

Even if there were a BAA in place (good luck getting one for free services; Yahoo appears not to under any circumstances, although Google will for paid services), knowing that the email provider is going to use the contents of messages for marketing purposes, possibly in violation of HIPAA at 45 C.F.R. 164.508(a)(3) (remuneration for marketing) or § 164.504(e)(2)(i) (BAA can’t permit BA to use PHI to violate Privacy Rule), may be problematic in light of the termination language in § 164.504(e)(1)(ii) or (iii).  That is, if a pattern or practice is known in advance, it is probably not reasonable to enter into such an arrangement in the first place, and in any event, continued use of such a service would be problematic.

A more interesting question arises when the sender maintains their own email system, but may from time to time send email to external addresses hosted by a provider which performs content analysis of emails for advertising.  Assuming some of those emails will have PHI, is it acceptable to send to those addresses?  An address might belong to another health care provider, or perhaps a patient. 

This is problematic for so many reasons. 

  • Is the destination email provider a BA of the sender, as it is receiving, maintaining, and transmitting PHI on the sender’s behalf?  
  • If the recipient is another BA or covered entity, is the destination email provider a BA of the intended recipient, since it is doing the same for them?  
  • Are all the necessary BAAs in place?  
  • Even if emailing a patient, are you disclosing PHI to them, or are you disclosing it to a third party for subsequent transmission to the patient? 

In any event, an email provider scanning email for advertising (or other) purposes isn’t treatment, payment, or operations, and isn’t otherwise listed as a HIPAA permitted use or disclosure. 45 CFR 164.512 (authorization or opportunity to agree or object not required).  Does an authorization (and NPP) cover such use?  Even if it did, is an email provider going to honor revocation of that authorization?

Is the data encrypted and hashed on the way to the destination email server (possibly, but not necessarily guaranteed)?  Is the data encrypted and hashed in storage once it gets there?  It almost certainly isn’t encrypted such that the email provider can’t scan it.

Does the email provider’s scanning of that email constitute a Breach?  What about email provider’s use of that information for subsequent aggregation and identity tracking or otherwise sharing with a third party? 

What about the Security Rule’s general requirement to “[p]rotect against any reasonably anticipated uses or disclosures…that are not permitted or required under [the Privacy Rule]”?

This isn’t just a healthcare issue.  What are the consequences for privilege, whether attorney-client, doctor-patient, etc., when those communications have no reasonable expectation of privacy?  Does the analysis in Stengart v. Loving Care Agency, Inc., 201 NJ 300 (2010) change if there is no reasonable expectation of privacy?  A number of email providers have adopted language similar to that suggested in United States v. Warshak, 631 F.3d 266, at 287 (6th Cir., 2010) [note-an interesting read for a discussion of the Stored Communication Act, marginalization of the 4th Amendment, and what actually happened to all those Enzyte commercials].  Does it change if those email providers actively engage in activities beyond using email content for directed advertising, such as actively parsing email for illegal content?  Would the privilege consequences be different in civil vs. criminal proceedings?

Perhaps we would be best served to heed Eliot Spitzer’s advice, "Never write when you can talk. Never talk when you can nod. And never put anything in an e-mail." At least not where free services are involved.

CMS Releases Guidance on Stage 2 Summary of Care Measure

CMS released guidance yesterday that it has discontinued the NIST EHR-Randomizer effective today, July 1. Hospitals and providers were previously required to conduct a test with the NIST EHR-Randomizer as part of their demonstration of the Stage 2 Summary of Care Record measure if they were unable to exchange a summary of care record with another provider with different CEHRT. CMS now permits hospitals and providers to retain documentation if they were not able to interact with a provider with different CEHRT in common practice, and to attest "Yes" to this measure nonetheless.

The text of the FAQ is available below.  For additional guidance on the Stage 2 Summary of Care Record measure, visit the CMS FAQ page.   

Question: When reporting on the Summary of Care objective in the Medicare and Medicaid Electronic Health Records (EHR) Incentive Program, how can eligible professionals and eligible hospitals meet measure 3 if they are unable to complete a test with the CMS designated test EHR (Randomizer)?

Answer: CMS is aware of difficulties related to systems issues that eligible professionals, eligible hospitals, and critical access hospitals (CAHs) are having in use of the CMS Designated Test EHRs (NIST EHR-Randomizer Application) to meet measure 3 of the Stage 2 Summary of Care objective, therefore, we will be discontinuing this option effective July 1, 2015.

Providers may still meet the Stage 2 Summary of Care objective measure #3 by using one of the following actions:

  1. Exchange a summary of care with a provider or third party who has a different CEHRT as the sending provider as part of the 10% threshold for measure #2 (allowing the provider to meet the criteria for measure #3 without the CMS Designated Test EHR). This exchange may be conducted outside of the EHR reporting period timeframe, but must take place no earlier than the start of the year and no later than the end of the EHR reporting year or the attestation date, whichever occurs first.
  2. If providers do not exchange summary of care documents with recipients using a different CEHRT in common practice, they may retain documentation on their circumstances and attest “Yes” to meeting measure #3 if they have and are using a certified EHR which meets the standards required to send a CCDA (§ 170.202).

8 Things to Know about the Next Evolution of Meaningful Use

CMS recently released proposed changes to Stage 2 Meaningful Use as well as a proposed rule for Stage 3 which has been scheduled to begin for all participants in 2018. The comment period for the Stage 3 Notice of Proposed Rulemaking (“Stage 3 NPRM”) closed this past Friday, however, the comment period for the Stage 2 Notice of Proposed Rulemaking (“Stage 2 NPRM”) remains open until June 15.

Unless you've been living without social interaction or the Internet for the past few months (not an option for most of us), you are well aware of the changes CMS has proposed for moving forward with Meaningful Use. Some are drastic and have invited a host of public comment. Others are welcome changes moving forward in this year and with Meaningful Use in general.  Here is our list of the top 8 changes to be aware of.

  1. Stage 3 is the END.  But not Really.  All providers will be responsible for Stage 3 in 2018, regardless of their year of participation. CMS has stated that Stage 3 will be the final “Stage” of Meaningful Use.  However, it acknowledges that changes may be required as the program advances.  From past experience, we all know future rulemaking is a given. 
  2. Reporting Periods have Changed.  For 2015, the Stage 2 NPRM proposed to shorten the reporting period from a full calendar or fiscal year to a 90 day calendar reporting period - this is despite CMS specifically refusing to do so last summer in its 2014 CEHRT delay rule. In 2016, all participants will supposedly be on a full calendar year reporting period, including hospitals and critical access hospitals, except for new Medicaid participants. 
  3. Maxed-out Incentive Payments.  For many hospitals and EPs, 2014 was the last year the hospital or EP received an incentive payment.  That means moving forward, any CEHRT upgrades are solely on the hospital or EP’s dime.  However, failing to continue participation will result, at least for purposes of Medicare, in payment adjustments for each year that a hospital or EP does not successfully participate. Providers will need to each determine whether it is worth the cost to continue to participate in subsequent years.
  4. Vendor Certification Requirements.  The requirements for vendors to get their products certified to 2015 Edition CEHRT pose a significant time and resource burden.  Since we likely won’t see a final version of the Stage 3 NPRM or its accompanying certification rule until the fall, vendors have only a little over two years to develop or retool the necessary software, get it certified, and roll it out in time for the providers to start their own reporting clocks on January 1, 2018. It remains to be seen what impact this timetable will have on smaller CEHRT vendors, and more importantly, whether this is truly enough time to prepare everyone for Stage 3.      
  5. Elimination of Core/Menu Distinctions.  For Stage 3, CMS has proposed a single set of core objectives, with some flexibility options built in.  This means physicians and hospitals are expected to demonstrate measures that previously may not have been applicable to them.  To help move hospital and EPs towards this, similar changes are proposed for Stage 2. Both the Stage 2 and Stage 3 NPRMs also eliminate measures which CMS considers to be redundant, duplicative or “topped out” although data will still need to be collected on certain former objectives, such as Vital Signs or Smoking Status.  CMS states that its goal is to streamline, simplify, and reduce the burden on providers, while at the same time advancing the goals of Meaningful Use.  
  6. API.  The Stage 3 NPRM proposed changes to the former Stage 2 Patient Access and other measures would permit (or potentially require) use of an Application Program Interface.   It’s a set of programming protocols that would allow a third party application access to pull a patient’s health information from the provider.  CMS has requested comment whether providers should be given the option to use either an API or a Portal, both, or just an API to demonstrate this measure. 
  7. Patient-Generated Data.  The Stage 3 NPRM would require incorporation of patient-generated data in some format into a provider’s CEHRT.  This is information not originating with another EP or hospital, but from other sources such as home health and even medical device data.  A lot of questions remain open about how this data would be incorporated, how a provider would obtain such data, and the scope of data that would be covered (i.e., Fitbits?)
  8. Patient Access Modifications.  The Stage 2 NPRM proposes to eliminate the 5% percentage requirement that patients actually view, download or transmit their health information in favor of an “at least 1” requirement.  CMS acknowledges in the Stage 2 NPRM the difficulties providers have due to lack of control over this measure, yet for Stage 3, would nonetheless ramp this percentage up to 25%.  Although additional flexibility is proposed by permitting hospitals and EPs to choose 2 of the 3 measures to meet the threshold for, those measures still hinge upon factors which may be difficult for providers to control.

Several prominent industry groups are already calling on CMS to delay Stage 3 finalization, for example, because it is too soon to overhaul Meaningful Use without fully measuring how the industry has responded to the first two stages. Comments posted to the Stage 3 NPRM up until the close of their acceptance reflected a mixed bag of support for flexibility but concern for implementation and timing.  However, we will almost certainly see material changes in the finalized versions of the rules if CMS's past regulatory history is any measure.

As a reminder, the deadline for EPs to apply for a Hardship Exception for their inability to successfully participate in 2014 is July 1.  Although any EP who did not successfully participate last year will lose his or her incentive payment, filing for a Hardship Exception can potentially avoid the 2% reduction in Medicare payments which will begin January 2016.  The applications can be found on the CMS Payment Adjustments and Hardship Exceptions page.  There is no payment reduction for Medicaid participants.  

"Top 10" List for Security Law Compliance

As we bid farewell to late night comedy host David Letterman, I thought it appropriate and timely to give a nod to one of Letterman's most iconic segments, his "Top 10", with my own Top 10 list for complying with applicable Security Law:

#10.  THE HIPAA SECURITY AUDIT.  If you are feeling overwhelmed and anxious with every new Big Data breach announced (hello Anthem!) and don't know where to start with getting your own Security Compliance program up to snuff, start with the HIPAA Security Audit.  Not only is it legally required under HIPAA (see 45 C.F.R. 164.306), but the comprehensive checklist of Technical, Administrative and Physical Implementation Specifications that must each be evaluated, if done right, will get your organization well on its way to identifying risks and allowing it to hopefully prevent a breach before it happens.  Unfortunately, many organizations either do not complete the Security Audit properly (not thorough enough) or do not do enough to mitigate the gaps that are identified.  Concentra recently ended up paying the feds (HHS) $1.7 million because although they identified that 254 of their 597 laptops were NOT encrypted, they did NOTHING until a breach caused ePHI to be compromised when an unencrypted laptop was stolen.  So the moral of the story here is complete the HIPAA Security Audit, do it right, and if you identify gaps in security, fix them!

#9.  LEARN FROM RESOLUTION AGREEMENTS.  The Federal Department of Health and Human Services (HHS) posts every resolution agreement it enters into with a covered entity for HIPAA non-compliance (and in the near future, we expect to see resolution agreements with Business Associates too!). To date, there are 24 Settlement Agreements posted and one lucky winner (Cignet) that was assessed Civil Monetary Penalties.  You can read them all here: www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.  Why are these important for Security Law compliance?  Because they highlight areas where others have fallen short, and what issues HHS has focused on and looks for in an effective security compliance program.  Resolution Agreements are a GREAT opportunity to learn from others' mistakes.  Failure to complete updates to the Security Analysis, failure to encrypt devices, improper disposal, lack of policies and processes, and failure to implement security measures are among the mistakes HHS has no tolerance for, and that your organization cannot afford to make.  We know this because others have made the same mistakes, and the Resolution Agreements tell us that these failures resulted in hefty settlement amounts, to the tune of millions in some cases, that Covered Entities had to pay to HHS.

#8.  LEARN FROM BIG BREACHES.  We all shake our heads when the next big data breach hits the headlines -- "Anthem hacked, 80 Million records compromised";  "Premera breached, 11 Million records compromised"; "TRICARE unencrypted back up tapes stolen, 4.9 Million records compromised" -- and the list goes on, and on.  Indeed, these headlines induce uncontrollable head-shaking in shock, in disgust, in exasperation.  But, these cases also offer another opportunity to LEARN from others' mistakes.  With each new BIG BREACH case announced, we should be asking "what went wrong?" and "how do I prevent that from happening to my organization?"   In Anthem, while the facts are still coming to light, it is known that the access credentials of a System Administrator were somehow obtained and this led to an external hack.  The employee realized this when he saw queries being run across the database, which he did not initiate (good catch, employee!).  This was immediately reported, and notifications were issued to individuals without delay. One takeaway here is to ask why or how the access credentials were compromised.  Employees should be WELL educated and trained regarding not sharing access credentials, not writing them down (and throwing them out), not storing their user names and passwords in unsecured electronic devices, and not responding to "phishing" emails where someone poses as "IT personnel" and asks for the employee's access credentials.  Do your employees all have a heightened sensitivity to phishing for access credentials?  Does your organization have policies that prohibit IT personnel or others from requesting access credentials by email or other unsecured or unauthenticated means?  If you don't, you should -- or you might end up like Anthem.

#7.  GET CONTROL OVER YOUR BUSINESS ASSOCIATES. I know. Trying to get Business Associate Agreements in place with vendors is as easy as herding cats. But, it must be done.  All vendors that require access to PHI to perform a function or service on behalf of a covered entity are business associates (note: if they don't require access to PHI, then the vendor is not a BA and a BAA is not needed).  Once you have identified all your BA vendors, getting contractual language in place is critical;  and, I don't mean just "HIPAA-compliant" BAA language. There is a lot at stake when an organization hands over their PHI to a third party, and although BAs are now directly liable for non-compliance with the HIPAA Security Rule, a basic bare bones HIPAA BAA does not address a LOT OF OTHER STUFF.  There are many other important issues to be addressed, such as allocating responsibility as to who secures ePHI and when, allocating risk, allocating costs and liability, and migration of the data post termination of the relationship (and who pays and how much?!).  The time to address these issues and manage these risks is during the contracting process with your BA vendors, because later it will be too late.

#6.  SOCIAL MEDIA & THE INTERNET.  Does your organization have policies specifically regarding social media use and the Internet?  If it doesn't, it should.  Use of professional chat groups and other social media may be appropriate, but disclosing PHI on such sites, either inadvertently or negligently, is not.  Things I've seen: a video is posted on YouTube for what seems like a good cause, but when you zoom in on the video, you can see a whiteboard with patient names and other identifiable information in the background (this is a breach); a doctor posts a case on a professional chat circle to see what other colleagues think about the case, but while she does not disclose her patient's name, she discloses sufficient other general information that someone on the chat group coincidentally was able to identify the patient (this is a breach); a nurse posts a picture of a patient's echocardiogram on her Facebook page that shows a very, very rare disease. Since it's just a picture, she thinks there is no way that the patient can be identified.  However, one of her distant "friends" knows what hospital she works at, and knows that her neighbor has spoken about having a rare cardiac condition that lines up with the picture, and so in all likelihood can identify the patient (this is a breach). Social media and the Internet pose a new wild wild west and challenge for security. Corralling this relatively new security risk starts with developing good policies on these topics, and then educating employees on what is and what is not allowed when it comes to the Internet and social media use.

#5.  NO SNOOPING!  The temptations can be great, but employees must be made aware of the repercussions of snooping.  Snooping violates patient privacy and security.  In Walgreens v. Hinchy, a jury awarded a patient/customer $1.44 million because a Walgreens pharmacist snooped in a patient record for her own personal purposes (she wanted to know if her husband's ex-girlfriend had a prescription for a condition that she believed her husband contracted).  In the Walgreens case, the corporation was forced to pay up under the legal theory of respondeat superior, making an employer essentially liable for the illegal act of its employee. But this case might have been avoided with better training and internal sanctions.  Employees should also be made aware that State AGs have CRIMINALLY PROSECUTED individuals, including doctors, nurses and other staff, who have snooped in patient records with NO legitimate purpose.  Therefore, the stakes are high (for both the employer and the employee), but the solution is easy.  If the reason one wants to access a record is not an "authorized" purpose (i.e. treatment, payment, health care operations etc.), then the access is prohibited.  Period.

# 4. E-MAIL & TEXTING.

Gmail, MSN, iCloud, Yahoo, Hotmail, etc.: NONE OF THEM IS SECURE for PHI. A consumer e-mail account or plain SMS typically gives the covered entity no business associate agreement, no control over where the messages are stored, and no assurance that the message is encrypted from sender to recipient. Patient information should NOT be sent through unsecured e-mail or texting. Unfortunately, employee non-compliance is high, as they do not want to give up the efficiency of using these easy means to "quickly" send a file or other patient information. The speed at which the information travels does NOT correlate with the level of security those methods offer. With all the focus HHS is placing on encryption and on how breaches could have been avoided with encryption, I would not recommend allowing e-mailing and texting of PHI (HHS allows an exception if a patient requests that their PHI be sent directly to them by e-mail and is informed of the security risk of the provider/covered entity doing so). Luckily, secure alternatives and solutions continue to pop up, such as Direct messaging, encrypted patient portals, TigerText and PingMD. Look into them, and get your employees to stop texting patient information!

# 3. ENCRYPT.

This includes data in motion and data at rest. If you do not encrypt devices that house or transmit ePHI, you had better have a very, very exceptional reason why not, AND you have to document it (encryption is an "addressable" specification under the HIPAA Security Rule, which means the decision not to implement it, and the rationale, must be written down); otherwise you will get no sympathy from HHS when data is breached. Encryption is also a safe harbor under the Breach Notification Rule: if a device is lost, stolen or hacked but the ePHI on it is encrypted, you do not have to notify HHS or individuals (at least under HITECH; check your state's breach laws). Two caveats a practitioner should keep in mind: the safe harbor applies only to encryption consistent with HHS guidance (which points to the NIST standards for storage and transmission encryption), and only if the key or process that enables decryption was not compromised along with the data. A laptop with the password taped to it, or a device that was powered on and unlocked when it was taken, does not qualify.

# 2. REPORT BREACHES & SECURITY INCIDENTS.

Here, I am talking about the internal kind of reporting. Employees are the "eyes and ears" of an organization. A breach is treated as discovered on the first day it is known to the covered entity, or "by exercising reasonable diligence would have been known" (see 45 C.F.R. 164.404(a)), and a covered entity is deemed to know what its workforce members and agents know. That means the notification clock (without unreasonable delay, and in no case later than 60 days after discovery) starts ticking as soon as an employee becomes aware of a breach, whether or not the privacy or security officer has heard about it yet. For this reason, it is critical for employees to know whom they must report such knowledge to. If they don't, the covered entity can face additional penalties for late notices, and the penalty calculation takes into account the number of affected individuals and the length of the delay. Delay in discovering or notifying about a breach may also allow a larger volume of data to be compromised over a longer period, which is why time is of the essence in getting information from the employee to a person who can properly act on it.

# 1. EDUCATE & TRAIN.

The human factor is probably the weakest link in security compliance. The only way to begin managing this risk is to establish a culture at your organization in which security is vitally important. Then, employees must be continually educated and trained on the organization's policies and expectations. I've found that the most effective method of training employees is through use cases. What should an employee do when he or she discovers a breach? What kinds of phishing e-mails might you see, and how should you respond? A well-educated and trained workforce that is given regular security reminders on the latest hacking schemes and security vulnerabilities will better ensure that your security program is effective and that your organization is less vulnerable to breaches.

CMS Extends Hospital Deadline for Meaningful Use Attestation

Hospitals can breathe a little easier this Thanksgiving.  CMS announced on Monday that it was extending the attestation deadline for hospitals attesting to Meaningful Use in 2014.  Hospitals now have until December 31, 2014 to attest for their 2014 Medicare incentive payments. Hospitals participating in electronic reporting of Clinical Quality Measures (eCQM) likewise have until December 31 to submit their eCQMs through QualityNet.

EPs and hospitals will need to separately comply with any attestation deadlines for their 2014 Medicaid incentive payments.  Payment adjustments will be applied at the beginning of FY 2016 (Oct 1, 2015) for Medicare hospitals that do not demonstrate Meaningful Use in 2014. There are no Medicaid payment adjustments.

As a reminder, CMS also reopened the hardship exception application deadline at the beginning of November for hospitals and EPs to avoid 2015 Medicare payment adjustments. That deadline, November 30, 2014, remains the same despite the extension of the attestation deadline. The application deadline was reopened only for providers who:

  • Have been unable to fully implement 2014 Edition CEHRT due to delays in 2014 Edition CEHRT availability, AND
  • Were unable to attest by October 1, 2014 (EPs) or by July 1, 2014 (hospitals) using the flexibility options provided in the CMS 2014 CEHRT Flexibility Rule.

CMS Releases Final Meaningful Use CEHRT Extension Rule

Happy Labor Day and Back-to-School Week! September is here, which means hospitals and EPs participating in Meaningful Use are rapidly approaching deadlines for their respective 2014 reporting periods. Hospitals are in the closing stretch and have until September 30th when their reporting period closes for the 2014 FY. For EPs, October 1 is the last date to begin their reporting period for the 2014 calendar year.  

As a holiday weekend present to us all, CMS finalized regulations this past Friday granting flexibility to certain EPs and hospitals participating in Meaningful Use. Too little, too late: the final rule comes as hospitals have already finished or are in the last month of their 2014 reporting period, and only a month before the last possible date for EPs to begin their reporting period for the year.

The final rule permits EPs and hospitals having difficulty implementing 2014 Edition CEHRT to demonstrate Stage 1 or Stage 2 of Meaningful Use using 2011 Edition CEHRT, 2014 Edition CEHRT, or a combination thereof, for their 2014 reporting periods.  You can review your participation options in the CMS "Quick Guide". Although the flexibility is welcomed by many, the final rule is still not a get-out-of-jail-free card, as providers need to be able to demonstrate that they were unable to fully implement 2014 Edition CEHRT in order to take advantage of the extension.  

Although this flexibility may buy EPs a few more months to work through the technical and workflow difficulties of implementing the new versions of their 2014 Edition CEHRT, a hospital must be up and running on 2014 Edition CEHRT and begin its 2015 reporting period on October 1, less than thirty days from now. Citing delays to the progress of health IT infrastructure and misalignment with other quality programs, CMS declined to change the requirement that all EPs and hospitals demonstrate Meaningful Use using 2014 Edition CEHRT in 2015, or the full-year reporting period requirement for Stage 2 in 2015.

The final rule is scheduled for publication tomorrow, September 4, 2014.  A copy of the full rule is available online at the Federal Register website.  

SAMHSA Public Session to Discuss Part 2 Regulations & HIE

The Part 2 regulations, which govern and protect information created by drug and alcohol rehabilitation providers, have caused challenges for electronic health information exchange ever since HIE became a household term (...ok, well, at least in the homes of the people working tirelessly in this space!). Tomorrow, SAMHSA (the Substance Abuse and Mental Health Services Administration) is finally taking a hard look at Part 2 to see if the time has come to introduce amendments that align how such information flows in a new world of coordinated care and networked HIE.

I am registered and will participate in the public listening session tomorrow, Wednesday, June 11, 2014, from 9:30 to 4:30. The agenda is posted here. Notice of the public session was previously announced in the Federal Register on May 12, 2014.

Here is a list of identified "issues" with Part 2 that SAMHSA is reviewing:

1. Applicability

Part 2 currently applies to federally funded individuals or entities that "hold themselves out as providing, and provide, alcohol or drug abuse diagnosis, treatment or treatment referral," including units within a general medical facility that hold themselves out as providing diagnosis, treatment or treatment referral (§ 2.11 Definitions, Program). The U.S. health care system is changing and more substance abuse treatment is occurring in general health care and integrated care settings which are typically not covered under the current regulations. It has also posed difficulties for identifying which providers are covered by Part 2; whether a provider or organization is covered by Part 2 can change depending on whether they advertise their substance abuse treatment services (i.e., "hold themselves out"), which can change over time.

SAMHSA is considering options for defining what information is covered under 42 CFR Part 2. Covered information could be defined based on what substance abuse treatment services are provided instead of being defined by the type of facility providing the services. For example, the regulations could be applied to any federally assisted health care provider that provides a patient with specialty substance abuse treatment services. In this scenario, providers would not be covered if they provided only substance abuse screening, brief intervention, or other similar pre-treatment substance abuse services.

  • How would redefining the applicability of 42 CFR Part 2 impact patients, health care provider organizations, HIEs, CCOs, HIT vendors, etc.?
  • Would this change address stakeholder concerns?
  • Would this change raise any new concerns?

2. Consent

SAMHSA has heard a number of concerns from individuals and stakeholders regarding the current consent requirements of 42 CFR Part 2. 42 CFR 2.31 requires the written consent to include the name or title of the individual or the name of the organization to which the disclosure is to be made. This is commonly referred to as the “To Whom” consent requirement. Some stakeholders have reported that this requirement makes it difficult to include programs covered by 42 CFR Part 2 in HIEs, health homes, ACOs and CCOs. These organizations have a large and growing number of member providers and they generally do not have sophisticated consent management capabilities. Currently, a Part 2 compliant consent cannot include future un-named providers which requires the collection of updated consent forms whenever new providers join these organizations. As a result, many of these organizations are currently not including substance abuse treatment information in their systems.

While technical solutions for managing consent collection are possible, SAMHSA is examining the consent requirements in § 2.31 to explore options for facilitating the flow of information within the health care context while ensuring the patient is fully informed and the necessary protections are in place. Specifically, we are analyzing the current requirements and considering the impact of adapting them to:

1. Allow the consent to include a more general description of the individual, organization, or health care entity to which disclosure is to be made.

2. Require the patient be provided with a list of providers or organizations that may access their information, and be notified regularly of changes to the list.

3. Require the consent to name the individual or health care entity permitted to make the disclosure.

4. Require that if the health care entity permitted to make the disclosure is made up of multiple independent units or organizations that the unit, organization, or provider releasing substance abuse related information be specifically named.

5. Require that the consent form explicitly describe the substance abuse treatment information that may be disclosed.

SAMHSA welcomes comments on patient privacy concerns as well as the anticipated impact of the consent requirements on integration of substance abuse treatment data into HIEs, health homes, ACOs, and CCOs.

  • Would these changes maintain the privacy protections for patients?
  • Would these changes address the concerns of HIEs, health homes, ACOs, and CCOs?
  • Would these changes raise any new concerns?

3. Redisclosure

SAMHSA has also heard numerous concerns regarding the prohibition on redisclosure (§ 2.32). Currently most EHRs don't support data segmentation. Without this functionality, EHR systems must either keep alcohol and drug abuse patient records separate from the rest of the patient's medical record or apply the 42 CFR Part 2 protections to the patient's entire medical record if such record contains information that is subject to 42 CFR Part 2.

SAMHSA is considering revising the redisclosure provision to clarify that the prohibition on redisclosure only applies to information that would identify an individual as a substance abuser, and allows other health-related information shared by the Part 2 program to be redisclosed, if legally permissible. This would allow HIT systems to more easily identify information that is subject to the prohibition on redisclosure enabling them to utilize other technological approaches to manage redisclosure. If data are associated with information about where the data were collected (data provenance) which reveals that the data were collected by a practice that exclusively treats addiction, the data would still be protected under the proposed change.

  • Would this type of change facilitate technical solutions for complying with 42 CFR Part 2 in an EHR or HIE environment?
  • Would these changes maintain the privacy protections for patients?

4. Medical Emergency

SAMHSA has heard concerns regarding the medical emergency exception of 42 CFR Part 2 (§ 2.51). The current regulations state that information may be disclosed without consent “for the purpose of treating a condition which poses an immediate threat to the health of any individual and which requires immediate medical intervention.” The statute, however, states that records may be disclosed to medical personnel to the extent necessary to meet a bona fide medical emergency. SAMHSA is considering adapting the medical emergency exception to make it more in-line with the statutory language and to give providers more discretion as to when a bona fide emergency exists. For example, amending this standard to allow providers to use the medical emergency provision to prevent emergencies or to share information with a detoxification center when a patient is unable to provide informed consent due to their level of intoxication.

  • What factors should providers take into consideration in determining whether a medical emergency exists?
  • Are there specific use cases SAMHSA should take into consideration?
  • Are there patient concerns about the impact of this change on their privacy?

5. Qualified Service Organization (QSO)

SAMHSA has also heard concerns from payers and health management organizations related to disclosing information that is subject to 42 CFR Part 2 to health care entities (ACOs/CCOs) for the purpose of care coordination and population health management; helping them to identify patients with chronic conditions in need of more intensive outreach. Under the current regulations, substance abuse information may not be shared for these purposes without consent.

SAMHSA is analyzing the regulations to identify options for allowing Part 2 data to flow to health care entities for the purpose of care coordination and population management while maintaining patient protections. One potential solution includes expanding the definition of a qualified service organization (QSO; § 2.11) to explicitly include care coordination services and to allow a QSO Agreement (QSOA) to be executed between an entity that stores Part 2 information, such as a payer or an ACO that is not itself a Part 2 program, and a service provider.

  • Are there other use cases we should be taking into consideration?
  • Are there specific patient concerns about the impact of this change on their privacy?

6. Research

Under the current regulations, the Part 2 "program director" has to authorize the release of information for scientific research purposes. This issue has been brought to SAMHSA's attention by organizations that store patient health data, including data that are subject to Part 2, which may be used for research (e.g., health management organizations). Under the current regulatory framework, absent consent, these organizations do not have the authority to disclose Part 2 data for scientific research purposes to qualified researchers or research organizations. This issue can be addressed by expanding the authority for releasing data to qualified researchers/research organizations to other health care entities that receive and store Part 2 data, including third-party payers, HIEs, and care coordination organizations, for the purposes of research, audit, or evaluation.

SAMHSA is considering expanding the authority for releasing data to qualified researchers/research organizations to health care entities that receive and store Part 2 data, including third-party payers, health management organizations, HIEs, and care coordination organizations.

  • Are there factors that should be considered related to how current health care entities are organized, how they function or how legal duties and responsibilities attach to entities that make up an umbrella organization?
  • Would this change address concerns related to research?
  • Are there specific privacy concerns associated with expanding the authority or releasing data to qualified researchers/research organizations in this way?
  • Are there additional use cases that should be considered in the research context?

7. ePrescribing and Prescription Drug Monitoring Programs

Part 2 protections include a prohibition on the redisclosure of information received directly from a Part 2 program. A pharmacy that receives electronic prescription information directly from a Part 2 program must obtain patient consent to send that information to a PDMP, and patient consent is also required for the PDMP to redisclose that information to those with access to the PDMP. Pharmacy data systems do not currently have mechanisms for managing patient consent or segregating data that are subject to Part 2 and preventing the data from reaching the PDMP. Pharmacy systems also lack the ability to identify which providers are subject to Part 2, making it difficult to prevent the Part 2 data from reaching the PDMP.

If a patient does not consent to sharing their data via e-prescribing, their only option for filling their prescription is to bring a paper prescription to the pharmacy. In this instance, since the information is given by the patient, it is not protected by 42 CFR Part 2. They, therefore, cannot prevent the information from reaching the PDMP which in some states is accessible by law enforcement and has the potential to lead to investigation/arrest and other forms of discrimination.

  • How do pharmacy information system vendors anticipate addressing this issue? Are there specific technology barriers SAMHSA should take into consideration?
  • Are there other concerns regarding 42 CFR Part 2 and PDMPs? Please describe relevant use cases and provide recommendations on how to address the concerns.
  • Are there patient concerns about the impact of e-prescribing and PDMPs on their privacy?
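Issues 3 and 7 above both turn on whether a receiving system can segment Part 2 data by content and by provenance rather than treating the whole record as protected. As an added illustration (not SAMHSA's text and not the blog's own code), here is a small Python model of a redisclosure filter that compares the current rule (everything received from a Part 2 program is withheld) with the proposed one (only elements that identify the patient as a substance-use patient are withheld, plus anything whose provenance alone reveals an addiction-only practice). The `Program` and `Element` fields, the policy names and the sample record are all constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Program:
    """Source of a data element (fields constructed for this example)."""
    name: str
    is_part2: bool         # federally assisted program covered by 42 CFR Part 2
    addiction_only: bool   # practice that exclusively treats addiction

@dataclass(frozen=True)
class Element:
    """One clinical data element with its provenance attached."""
    code: str
    value: str
    source: Program
    reveals_sud: bool      # content itself identifies substance use treatment

def may_redisclose(elem: Element, policy: str) -> bool:
    """Decide whether a receiving entity may pass this element on.

    policy="current":  anything received from a Part 2 program is withheld.
    policy="proposed": withhold only content that identifies the patient as a
                       substance-use patient, or whose provenance reveals it.
    """
    if not elem.source.is_part2:
        return True                  # not Part 2 data; ordinary HIPAA rules apply
    if policy == "current":
        return False                 # whole Part 2 contribution is protected
    if policy == "proposed":
        if elem.reveals_sud:
            return False             # the content itself reveals SUD treatment
        if elem.source.addiction_only:
            return False             # provenance alone reveals SUD treatment
        return True                  # e.g. an A1c from an integrated-care unit
    raise ValueError(f"unknown policy {policy!r}")

def filter_record(record: List[Element], policy: str) -> List[Element]:
    """Segment a record: keep only the elements the policy allows onward."""
    return [e for e in record if may_redisclose(e, policy)]

def segment(record: List[Element], policy: str) -> Tuple[List[str], List[str]]:
    """Return (kept, withheld) as 'CODE@source' labels for reporting."""
    kept = [f"{e.code}@{e.source.name}" for e in record if may_redisclose(e, policy)]
    withheld = [f"{e.code}@{e.source.name}" for e in record if not may_redisclose(e, policy)]
    return kept, withheld

# Constructed sample: three sources contributing to one patient's record.
CLINIC = Program("General Clinic", is_part2=False, addiction_only=False)
INTEGRATED = Program("Integrated Care Unit", is_part2=True, addiction_only=False)
ADDICTION = Program("Addiction Treatment Center", is_part2=True, addiction_only=True)

SAMPLE_RECORD = [
    Element("BP", "128/82", CLINIC, reveals_sud=False),
    Element("A1C", "6.1%", INTEGRATED, reveals_sud=False),
    Element("RX", "buprenorphine 8 mg", INTEGRATED, reveals_sud=True),
    Element("HR", "72", ADDICTION, reveals_sud=False),
]

if __name__ == "__main__":
    for policy in ("current", "proposed"):
        kept, withheld = segment(SAMPLE_RECORD, policy)
        print(f"{policy:9s} kept={kept} withheld={withheld}")
```

The interesting case is the heart rate recorded by the addiction-only program: its content says nothing about substance use, but under the proposed change it is still withheld because the data provenance reveals where it was collected. Whether a system can even populate `reveals_sud` and the provenance fields is the data-segmentation capability SAMHSA notes most EHRs lack; it has to be tagged at the source, which is what ONC's Data Segmentation for Privacy (DS4P) work addresses.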

Reminder: Public Comment Period Open for Meaningful Use NPRM

Last month, CMS and ONC released a Notice of Proposed Rulemaking ("NPRM") which would grant flexibility to providers participating in Meaningful Use who are having trouble implementing 2014 Editions of their CEHRT. The public comment period is open until July 21, at 11:59pm and I encourage you to take a few minutes to submit your comments, concerns and questions online.  All of them. 

The general gist of the NPRM is that CMS and ONC have finally acknowledged the frustration and concern of vendors and providers over having 2014 Edition CEHRT up and running in time to demonstrate Meaningful Use for the 2014 reporting period. Despite concerns that there was insufficient time after the Stage 2 rule's publication for vendors to certify to the 2014 requirements and roll out upgraded products to their customers (not to mention all the steps needed on the provider side for implementation), CMS plowed ahead with its original timeframes and requirements.

CMS now seems to be regretting this decision and is offering potential solutions for all providers, regardless of Stage.  Can't implement 2014 Editions in time? Don't worry about it, says CMS, just take your pick from one of the following options:   

  • Stage 1 (2013 Definition) using 2011 Edition CEHRT, or using a combination of 2011 and 2014 Edition CEHRT;
  • Stage 1 (2014+ Definition) using 2014 Edition CEHRT; or
  • Stage 2 (2014+ Definition) using 2014 Edition CEHRT.

This is not entirely a "get-out-of-jail-free card" from CMS. A provider would need to be able to demonstrate that it had trouble fully implementing the 2014 Edition CEHRT required to demonstrate Meaningful Use in its applicable stage of participation.

There are plenty of problems with CMS's proposed solution.  First of all, the public comment period is open until July 21 at 11:59pm. That means there won't be any formal action taken by CMS until the end of July at the earliest.  This is an entire month into the last available reporting period for hospitals in FY 2014.  

Secondly, providers that have been working tirelessly to implement the necessary changes for 2014 Edition CEHRT may not be able to reverse gears at this point and go back to the 2011 Editions where needed. And third (but certainly not the last of the concerns), even if they can switch gears, all providers still need to be ready to go with 2014 Edition CEHRT for the 2015 reporting period. For hospitals, this means midnight on October 1, 2014.

CMS may have had good intentions, but the proposed solution is creating more confusion than alleviating concerns. Let's hope we see some more clarity in the final rule, whatever it may look like.  Until then, keep calm and carry on.    
