One, Two HIPAA Penalty Punch from HHS and OCR

Just as gasps from the 4.3 million dollar penalty OCR assessed against Cignet Health of Maryland started to subside, OCR delivers a whopping 1 million dollar penalty to another hospital -- this time to The General Hospital Corporation and Massachusetts General Physicians Organization Inc. (aka, "Mass General").

The HHS Press Release indicates that Mass General has agreed to pay the U.S. government $1,000,000 to settle potential violations of the HIPAA Privacy Rule.  Mass General signed a Resolution Agreement with HHS on February 14, 2011, which you can review here.  After announcing the Settlement Agreement, OCR Director Georgina Verdugo made this official statement:

We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information.

The issue came to the attention of OCR when a patient filed a complaint after PHI involving 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS, was lost on March 9, 2009. The impermissible disclosures of PHI involved the loss of documents consisting of a patient schedule containing names and medical record numbers for a group of 192 patients, and billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of providers for 66 of those patients. The documents containing the PHI were lost when a Mass General employee left them on a subway train; they were never recovered.

The Corrective Action Plan (CAP) requires that the hospital:

  • Develop and implement a comprehensive set of policies and procedures that ensure PHI is protected when removed from Mass General’s premises;
  • Train workforce members on these policies and procedures; and
  • Designate the Director of Internal Audit Services to serve as an internal monitor who will conduct assessments of Mass General’s compliance with the CAP and render semi-annual reports to HHS for a 3-year period.

The OCR Director also added:

To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules . . . A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.

Kansas Aligns State Privacy Laws with HIPAA as HIE Standard

Today, the State of Kansas’ Senate committee approved (by a vote of 39-0) Senate Bill 133 to align the state’s privacy laws with HIPAA. The Kansas Health Information Exchange, Inc. (the state’s RHIO) testified before the Senate committee to stress that legislation is necessary to harmonize the “patchwork of about 200 statutes and regulations that are primarily focused on particular types of information…”  Representatives of the Kansas HIE explained that creating uniform privacy and security standards in Kansas for electronic HIE is critical because it affects the ability of providers to exchange and share information and coordinate care, which is key to higher quality and more efficient care, and better population health.

Among other things, Senate Bill 133 sets out criteria that providers must meet in order to be protected from prosecution for violating a patient's privacy. Specifically, providers would have to:

  • adhere to the use and disclosure rules in HIPAA;
  • adhere to the requirements in HIPAA for safeguarding patient information; and
  • comply with a patient's right to access their own medical information.

The bill also creates a standardized authorization form for providers to give patients before accessing and exchanging their medical information, as well as provides for a "personal representative" for incapacitated adults and minors without legal guardians.

As of January 27, 2011, ONC has approved over $547 million dollars to states in order to further HIE efforts.  Yet, as states gear up to tackle implementing the Operational Plans that they have submitted to ONC, they continue to be faced with many of the same privacy and security questions and issues that have slowed and even stalled HIE progress in the past. 

Before the ONC was established, the Health Information Security and Privacy Collaborative (HISPC) tackled privacy and security law issues for several years.  HISPC’s Final Report regarding Harmonizing State Privacy Laws, which is posted on ONC’s website, specifically recognizes that inconsistency in state and federal laws in terms of definitions, organizational structure, and content is often cited as a barrier to participation in and implementation of HIE.  In addition, the report notes that stakeholder groups have long indicated that a greater harmonization of state laws would be beneficial and that reform of state laws, combined with revisions in federal laws, must be considered.

During Phase 1 of HISPC's work, extensive discussions and activities with stakeholders determined that lack of clarity and divergent interpretation of legal standards have created barriers to participation in and implementation of HIE. The Report goes on to say that, while some impediments to the exchange of health information are essential to protect privacy interests,

[u]nnecessary and unintended barriers resulting from confusion or inconsistency can prevent the timely and appropriate exchange of information essential for medical treatment and population health activities. Whether the movement to transform health care through HIE involves private grassroots efforts, state-specific initiatives, a single federal approach, or any combination thereof, the availability and use of common tools and resources is essential for establishing workable information exchange standards and practices within and among states.

Yet, while these obstacles are now widely recognized and exhaustively written about, the inconsistencies in various state laws as they relate to desired federal HIE objectives continue to create confusion and drain resources.  Thus, to date, HIPAA continues to be the main federal legal source that states can look to in order to define what privacy and security standards should apply to electronic HIE – which is what Kansas has done.

4.3 Million Penalty Assessed Under HITECH for HIPAA violations

One might say that it looks like HHS and OCR are making up for all those years people have said there has been a lack of enforcement of HIPAA -- 4.3 million dollars worth of "making up for lost time" in just one shot....

HHS and OCR held nothing back as the first civil money penalty was assessed under the new categories and increased penalty amounts created by HITECH.  The 4.3 million penalty was imposed against Cignet Health in Prince George's County, Maryland, for violating HIPAA patient access rights.  Cignet had denied access to the medical records of 41 patients upon their request between September 2008 and October 2009, and each patient had filed a complaint individually with OCR. HIPAA requires Covered Entities to provide patients with copies of their medical records on request within 30 days, and in no case later than 60 days from the date of the request. HITECH created new categories of violations, ranging from "did not know" to "willful neglect" to comply with HIPAA, and established a corresponding tiered monetary penalty system.

Had this been the end of the story, Cignet would have walked away with only a 1.3 million penalty for violating HIPAA.  However, not only did Cignet fail to comply with HIPAA patient access rights, but it refused to produce the records when OCR demanded it do so.  Even after OCR presented Cignet with a subpoena, it continued to not produce the records.  Only after OCR filed a petition to enforce the subpoena and subsequently obtained a default judgment in United States District Court against Cignet did Cignet finally turn over the records.  Cignet also made no efforts throughout the entire investigation to cooperate or resolve the complaints informally.  OCR found Cignet's failure to cooperate a willful neglect of the HIPAA Privacy Rule, which requires all Covered Entities to cooperate with investigations by OCR, and an extra 3 million was imposed against Cignet.

The penalties imposed against Cignet dispel any doubt that may have remained concerning HHS' ramped-up enforcement of HIPAA.  OCR Director Georgina Verdugo stated, "The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules." With a hefty 4.3 million penalty as HHS' "first shot", Covered Entities will certainly take notice and action to avoid coming under fire themselves.

ONC Open Casting Calls

Prepared by Krystyna Nowik, Esq.

Last week, ONC opened a thirty-day window for organizations to apply to become the sole accrediting entity to oversee certifying organizations under the Permanent Certification Program for Health Information Technology (“Certification Program”). The Certification Program ensures certain electronic health record ("EHR") technology includes required capabilities for participation in the Medicare and Medicaid EHR Incentive Programs, which provide incentive payments to certain eligible health care professionals, hospitals and critical access hospitals that demonstrate meaningful use of certified EHR technology to adopt and utilize EHRs (“Meaningful Use”).

Currently, EHR vendors must be tested and certified by one of six ONC-approved entities (ONC-Authorized Testing and Certification Body or ONC-ATCB) under a temporary certification program implemented to ensure certified EHR technology was available for incentive payments beginning this year. Vendors who seek ONC-ATCB certification of their EHR technology as either a “Complete EHR" or an “EHR Module” must demonstrate compliance with certain capabilities, standards, implementation specifications and certification criteria. Once EHR technology has been ONC-ATCB certified, it can be used by health providers and hospitals to meet applicable meaningful use requirements. Complete EHRs provide all applicable certification criteria and the minimum capabilities a participant needs to comply with Meaningful Use. They may also include additional functions. EHR Modules, on the other hand, meet at least one, but not all, of the required certification criteria, and a combination of EHR Modules may be used to comply with Meaningful Use.

With the Final Rule for the Certification Program issued this January, accreditation and oversight are placed in the hands of the ONC Approved Accreditor or ONC-AA, which will be selected competitively every three years. The ONC-AA will be responsible for overseeing the ONC-ATCB entities and accrediting the ONC-Authorized Certification Bodies (ONC-ACB) under the Certification Program. Organizations competing for the ONC-AA role will have to show what their proposed requirements would be for accrediting the ONC-ACBs, how surveillance of certified EHR technology would be conducted, their requirements for key personnel conducting the accreditation, and how they would investigate and respond to complaints about ONC-ACBs. They also must show how they would adhere to ISO/IEC 17011:2004 and their experience with ISO/IEC Guide 65:1996, standards developed by the International Organization for Standardization that specify general requirements for bodies that accredit conformity assessment organizations and for product certifying organizations.

The ONC-ACBs replace the ONC-ATCBs created by the temporary certification program. Although ONC-ATCB status ends upon the sunset of the temporary certification program, certifications issued by ONC-ATCBs through the 2011/2012 payment years do not need to be re-certified for those years until ONC-ACB certification processes are in place.

The Notice for submission of requests for ONC-AA status may be found here.

Accounting of Disclosures Proposed Rule up for Review: The Beginning of a Collective Sigh of Relief or Covered Entities' Newest Nightmare?

Prepared by Krystyna H. Nowik, Esq.

The Office of Management and Budget (OMB) has finally received the long-awaited proposed rule addressing HITECH’s accounting of disclosure amendments.  As originally required by the HIPAA Privacy Rule, individuals had the right to request an accounting of disclosures made by a Covered Entity of their protected health information (PHI).  However, Covered Entities did not have to comply with requests for an accounting of certain disclosures, such as for those made for treatment, payment and health care operations (TPO) purposes.  With HITECH, however, came the removal of this exemption for TPO disclosures if the disclosure was made through an electronic health record (EHR) – what many Covered Entities felt was the beginning of one giant administrative and technological nightmare.

Public comment requested by the Office for Civil Rights (OCR), Department of Health and Human Services (HHS), back in May of 2010 sought to identify the burden this requirement would have on Covered Entities and their business associates, as well as the interest individuals had in obtaining an accounting of such disclosures.  In particular, the Request for Information asked for comment on current system capabilities and the changes that would be needed, the feasibility of an exclusive EHR model, what elements would be required for inclusion in the accounting, and the ability of Covered Entities subject to the January 1, 2011 deadline (now come and gone) to comply by then.

In response, the Medical Group Management Association (MGMA) called the new requirement for TPO disclosures through EHRs “onerous” and “extremely difficult to achieve without an enormous outlay of resources.” Reflecting concerns across the nation, the 21-page letter to the Director of OCR argued that:

  • Accounting for TPO disclosures imposed severe administrative burden on physician practices;
  • Low patient volume of accounting requests made expenditure of resources unreasonable;
  • Accounting for TPO disclosures was burdensome and unnecessary, resulting in needless burden and cost;
  • Accounting for TPO disclosures discouraged adoption of EHRs by physician practices.

Covered Entities still have a long wait ahead before seeing HHS’s much anticipated (and perhaps dreaded) proposed rule.  The OMB generally has up to 90 days to review proposed rules, which, if approved, are then published as Notices of Proposed Rulemaking in the Federal Register. 

U.S. Supreme Court to Consider Whether Prescription Data Mining is Protected under First Amendment

In November 2010, we mentioned that the Court of Appeals for the Second Circuit had issued its ruling that Vermont’s drug-marketing restrictions were unconstitutional. Vermont’s law had banned the use, sale or transmission of prescriber-identifiable data without first obtaining the prescriber’s consent. Several data mining companies had brought the suit, alleging that the statute impermissibly infringed upon their freedom of speech under the First Amendment. The Second Circuit overturned the statute, holding that it was unconstitutional for Vermont to restrict speech by data miners and pharmaceutical companies without demonstrating a compelling state interest to do so. Last month, the Supreme Court agreed to consider Vermont’s appeal. The appeal will present the Court with the question of whether nonpublic data can be protected by the government, or instead whether such data should be freely available to buyers and sellers.

Vermont is not the only state that has adopted laws restricting the release of physicians’ prescription information. Maine and New Hampshire both have similar laws, and both have been challenged in federal court by market researchers and drug manufacturers. Unlike in Vermont, the Court of Appeals for the First Circuit upheld the statutes in New Hampshire and Maine, ruling that the laws restricted market research companies’ conduct (specifically, the aggregation of data for drug marketing purposes) rather than their speech.  These conflicting rulings reveal a split between the courts over whether regulating the sale of prescription data restrains freedom of speech.  Thus, the Supreme Court’s upcoming decision could broaden the reach of the First Amendment and will largely dictate how our prescription information is bought and sold.

If the Supreme Court follows the opinion of the Second Circuit, this may have profound implications for prescription privacy. Without restrictions on data mining, database firms and pharmaceutical intelligence companies such as IMS Health, Inc. may increasingly collect, transmit, and sell prescription data for sales purposes. Currently, IMS Health, Inc., a leading pharmaceutical consulting firm, is able to collect pharmaceutical sales and prescription data from 90% of pharmaceutical sales in the U.S. This data is then sold to pharma companies that use the data to target patients and persuade physicians to sell more of their products. This data mining is a multibillion-dollar business, and drug makers say that it is an essential research tool to help educate doctors about prescription drugs in a targeted and expedited manner. However, doctors and consumer advocates have argued that private prescription information should not be used for pharma sales purposes. Specifically, many are worried that aggressive pharma marketing could lead physicians to prescribe drugs too frequently, or to prescribe newer and more expensive drugs that are not necessarily in the patient’s best interests. A recent article by the LA Times voices additional public health and privacy concerns, noting that while prescriptions seem to be de-identified, it is relatively easy to reveal patient identities by comparing prescription data with other records.

When the Supreme Court makes its decision, it should consider all the implications of the practice of data mining, including possible exposure of sensitive physician-patient information. Although drug companies have the right to market their products, the Court must ask if they should also be guaranteed the right to access arguably privileged prescription information for their own marketing purposes, and how this will affect the protection of patient records in the future.

ONC Announces Launch of "Direct Project" Pilots

In a Press Release posted today, February 2nd, ONC announced that providers and public health agencies in Minnesota and Rhode Island began this month exchanging health information using specifications developed by the Direct Project, which is described as an "open government" initiative that calls on cooperative efforts by organizations in the health care and information technology sectors. The ONC Press Release notes that other Direct Project pilot programs will also be launched soon in New York, Connecticut, Tennessee, Texas, Oklahoma and California. The story is also covered today by the New York Times in Steve Lohr's article "U.S. Tries Open-Source Model for Health Data Systems".

The ONC Press Release notes that Direct Project is intended to give health care providers early access to an easy-to-use, internet-based tool that can replace mail and fax transmissions of patient data with secure and efficient electronic health information exchange.  It was designed as part of President Obama’s ‘open government’ initiative to drive rapid innovation, and last year is said to have brought together some 200 participants from more than 60 companies and other organizations. Volunteers worked together to assemble consensus standards that support secure exchange of basic clinical information and public health data. Now, pilot testing of information exchange based on Direct Project specifications is being carried out this year with the aim toward formal adoption of the standards by 2012.

ONC states that information exchange supported by Direct Project specifications addresses core needs, including standardized exchange of laboratory results; physician-to-physician transfers of summary patient records; transmission of data from physicians to hospitals for patient admission; transmission of hospital discharge data back to physicians; and transmission of information to public health agencies. The Press Release also notes

[t]hat in addition to representing most-needed information transfers for clinicians and hospitals, these information exchange capabilities will also support providers in meeting 'meaningful use' objectives established last year by HHS, and will thus support providers in qualifying for Medicare and Medicaid incentive payments in their use of electronic health records.

If you would like more information about Direct Project, or have questions such as:

  • How does direct exchange fit into the big picture?
  • How is direct exchange different than HIE initiatives?
  • Does direct exchange support or supplant State HIE initiatives?
  • What is the security model for Direct Project?
  • Who issues Digital Certificates for users?
  • What are the limitations of the Direct Project model?

then check out the following links for excellent information:

HITECH Takes a Political HIT

A bill introduced in the House, H.R. 408, the Spending Reduction Act of 2011, aims to reduce spending by trillions of dollars, including by eliminating funding for Meaningful Use.  Although it is too early to tell if the bill would get very far, it could make providers who are already tentative about adopting EMRs based on the possibility of receiving Meaningful Use incentives even more hesitant.

Doctors and Patients Mostly Agree on IT

Government Health IT reported yesterday that, according to a national survey released January 31st by the Markle Foundation, patients and physicians share many similar views regarding increasing beneficial use of health information technology to improve delivery of care, as well as the necessary privacy protections that should go along with the shift to utilize electronic medical records.  The Markle Foundation states on its website that the Markle Survey of Health in a Networked Life is

[t]he first of its kind to compare the core values of physicians and the general public, referred to here also as patients based on their opinions as consumers of health care, on deployment of information technology in health care.

Key findings in the Markle Survey include:

  • 74% of the doctors surveyed would prefer computer-based means of sharing patient information with each other.
  • 47% of the doctors would prefer computer-based means of sharing records with their patients. (Only 5% do so today.)
  • 74% of doctors said patients should be able to share their information electronically with their doctors and other practitioners.
  • 10% of the public reported currently having an electronic PHR (up from 3% who reported having one in Markle’s 2008 survey).
  • 70% of the public and 65% of the doctors agreed that patients should be able to download their personal health information online.
  • 70% of the public said patients should get a written or online summary after each doctor visit, but only 36% of the doctors agreed. (Only 4% of doctors say that they currently provide all their patients a summary after every visit).

Other findings from the survey include:

  • 70% to 80% of both patients and doctors support privacy-protective practices, such as letting people see who has accessed their records, notifying people affected by information breaches, and giving people mechanisms to exercise choice and correct information.
  • 65% of the public and 75% of doctors agreed that it’s important to have a policy against the government collecting personally identifiable health information for health IT or health care quality-improvement programs.
  • If there are safeguards to protect identity, however, at least 68% of the public and 75% of the doctors expressed willingness to allow composite information to be used to detect outbreaks, bioterror attacks, and fraud, and to conduct research and quality and service improvement programs.
  • 75% of the public and 73% of the doctors said it will be important to measure progress on improving health care quality and safety to ensure the public health IT investments will be well spent. Both groups (each at 69%) agreed on the importance of specific requirements to improve the nation's health in areas like heart disease, obesity, diabetes, and asthma.
  • Many are unaware of the health IT incentives: 85% of the public and 36% of doctors describe themselves as not very or not at all familiar with the health IT incentives program, which makes subsidies available for doctors and hospitals to increase use of information technology.

For a detailed copy of the report, visit Markle Foundation's Latest Surveys.