Yet Another Class-Action Filed After Breaches of Patient Data

In what appears to be the trend in California for 2011, another class-action lawsuit has been filed, this time by patients of the University of California-Los Angeles (UCLA) Health System affected by a data breach in early September of this year.  An external hard drive was stolen from the home of a former UCLA physician that contained the EHR data of over 16,000 patients from July 2007 to July 2011.  No social security numbers, insurance information or credit/account information was included. Although the hard drive was encrypted, a piece of paper with the password was also missing.

Filed in mid-December, the UCLA class-action seeks as much as $16 million, asking $1,000 for each member as well as attorneys' fees and other costs. The underlying data breach is hardly the first headache UCLA has had to deal with: UCLA paid a handsome $865,500 fine to OCR and developed a plan of corrective action this summer to settle privacy allegations that three UCLA hospitals improperly disclosed the medical records of celebrity patients as a result of employee snooping.

Several other health care entities in California have also recently had class-action lawsuits filed against them.  Stanford Hospital and Clinics (SHC) experienced a data breach in August of 2011 when patient information was mistakenly made available online by one of its third-party vendors and its subcontractor.  Patient names, admittance and discharge dates, and other information remained available on a commercial website for over one year, affecting approximately 20,000 patients.  The class-action lawsuit was filed in October of 2011 and alleges negligence in safeguarding patient information and delays in notifying affected patients.

Sutter Health experienced a data breach in October of 2011 when a rock was thrown into the window of the Sutter Medical Foundation business office. An unencrypted computer was stolen containing names, addresses, birthdates, phone numbers, medical diagnoses and procedures of over 4 million patients.  The class-action lawsuit against Sutter Health was filed in late November on behalf of over 900,000 patients, according to KCRA, and seeks certification of class-action status for the 4+ million patients affected. 

Notably, HIPAA does not authorize private causes of action for violations of the HIPAA Privacy and Security Rules.  The class-action lawsuits were brought under California's confidentiality laws, which, like HIPAA, set forth permissible and prohibited disclosures of patient medical information. 

The California Confidentiality of Medical Information Act gives individuals the right to bring a cause of action for negligent releases of their confidential information or records.  It also grants compensatory and punitive damages, as well as certain attorney fees, to individuals who have suffered economic loss or personal injury from a violation of their confidentiality. In addition, persons and entities face stiff administrative penalties for violations involving patient information: up to $2,500 per violation for negligent disclosures and $10,000-$25,000 for subsequent violations.

OIG Releases New Fraud and Abuse Advisory Opinion Involving EHR Data Exchange

On December 7, 2011, the Office of the Inspector General (OIG) released an Advisory Opinion regarding a proposed coordination service to facilitate the electronic exchange of data for patient referral purposes.  A health IT company requested the opinion to determine whether its proposed services would be subject to OIG sanctions or civil monetary penalties (CMP) under the Anti-kickback Statute (AKS). The AKS makes it a criminal offense to knowingly and willfully offer, pay, solicit or receive any remuneration to induce or reward referrals of items or services which are reimbursable by a Federal health care program.

Three types of services were offered by the health IT company: billing services, electronic health record (EHR) management services, and automated messaging services for communicating with patients.  These services could be purchased as a package deal or on a monthly basis for a subscription fee.  The Proposed Arrangement, however, would add a new service for coordinating referrals and managing patients who receive services from other health care professionals (the "Coordination Service").

Through the Coordination Service, a trading partner could send referrals together with all necessary medical records as well as insurance and billing information.  The patient information would be accessed and exchanged through an electronic database network.  Purchase of the health IT company's EHR services was required in order to purchase the Coordination Service, because all of the patient medical, demographic and other information contained in the EHR needed to be available for referral purposes; the Proposed Arrangement would, however, offer a discount of approximately 25-35% on the monthly EHR subscription fee. Other transmission, functionality and service fees would be assessed per referral, depending upon the complexity of the services performed.

Although the Proposed Arrangement did not fit into an AKS Safe Harbor, the OIG determined it would not impose administrative sanctions upon the health IT company if it proceeded with offering the Coordination Service.  Health care professionals paid fees in connection with the receipt and transmission of referrals, but these fees did not result in enhanced access to a referral stream.  Health care professionals also were not required to enter into an agreement with the health IT company or purchase the Coordination Service in order to receive a referral through the network.

In addition, the fees reflected the fair market value of the services provided and were based upon the level of services that were provided; they were also assessed regardless of whether a patient followed through on a referral and actually received the referred services, which distinguished them from traditional per-click success fees. The Opinion stated that the independent value provided by the services actually paid for was unrelated to inducing referrals, and that the fees charged,

would not vary based on the value of the items or services that a receiving health professional might ultimately provide to Federal health care program beneficiaries.

OIG Advisory Opinions may only be legally relied upon by the party requesting the opinion but can prove useful guidance to other entities in structuring arrangements to comply with the Anti-kickback Statute. You can read the full Advisory Opinion here.  CMS also issues Advisory Opinions pursuant to its authority under the Stark physician self-referral laws.   


OCR Director Reaffirms Commitment to Strengthening Privacy and Security of EHRs

It's no secret that since the days of its enactment, HIPAA enforcement has been lacking on both civil and criminal fronts from the Office for Civil Rights (OCR) and the Department of Justice (DOJ).  However, with increased penalties under HITECH and a renewed commitment by OCR and DOJ towards cracking down on HIPAA violations, Covered Entities and Business Associates have even more reason now to dot their i's and cross their t's, especially with HIPAA audits kicking off this past November.

As providers and hospitals increasingly adopt and utilize EHR systems as part of the Medicare and Medicaid EHR Incentive Programs, the security of these systems (and authority over the system vendors) becomes a critical focus.  In a recent interview with the Boston Globe, the new Director of OCR, Leon Rodriguez, said that his office would take a tougher stance on HIPAA with the goal of improving public acceptance of EHRs, and that his office was ready to work with EHR providers on security.

Critical to the security of EHRs are the privacy and security responsibilities of Business Associates (and their contractors and subcontractors).  Although HITECH imposed certain HIPAA requirements directly on Business Associates, the Business Associate regulations and a model Business Associate Agreement incorporating the new requirements have yet to be released.  The Notice of Proposed Rulemaking, however, is expected to be forthcoming "soon", according to Director Rodriguez in a presentation given on November 17 at the ONC Grantee and Stakeholder Summit.  In addition, for the time being, the HIPAA Privacy and Security audits will not be conducted directly on Business Associates, but rather, only on those Business Associates connected with a covered entity being audited.

This leaves significant room for confusion in how Business Associates, and in particular their contractors and subcontractors, will be dealt with by OCR during the course of a HIPAA investigation, and who ultimately will be held responsible for a breach of EHR and other patient data.  A great example of this can be found in a recent blog post by the President and CEO of the Massachusetts eHealth Collaborative, which, as a result of the theft of an employee laptop last year, experienced a security breach affecting over 14,000 patients.

As Deven McGraw, director of the Health Policy Project at the Center for Democracy and Technology, stated, stronger enforcement of HIPAA is critical to the success of EHRs, noting,

"We're just on the back side of the curve of adoption of more robust security.  I'm hoping that in another year, we'll have a little bit of a different picture, but it's not pretty right now."

For a more in-depth look at the issues concerning Business Associates and HIPAA, see the Center for Democracy and Technology's December 15, 2011 post examining the need for clarification in the Business Associate rules.  And, in the words of Director Rodriguez, "stay tuned" for these proposed rules to come "soon". 

California HIE Demonstration Projects to Move Ahead with Opt-In Framework

This past Wednesday, the California Office of Health Information Integrity (CalOHII) released a comprehensive whitepaper examining patient consent and other HIE framework efforts for entities participating in the HIE Demonstration Projects and HIE throughout the state of California. CalOHII is the state entity designated for overseeing HIE in California as well as establishing and administering HIE demonstration projects within the state.  

The whitepaper builds upon initial recommendations of the California Privacy and Security Advisory Board (CalPSAB).  Although CalPSAB had originally proposed a bifurcated consent policy (i.e., opt-out for treatment, opt-in for other purposes or where sensitive information was contained in the medical record), the Board withdrew this recommendation after public concern regarding the cost-effective workability of the policy.

Ultimately, CalPSAB recommended an "opt-in" patient consent framework, which this whitepaper incorporates by generally implementing an affirmative consent framework for the demonstration projects.  The demonstration project participants would be required to use CalOHII-approved consent forms and adopt CalOHII-recommended privacy and security policies and procedures.

Although adopting a stricter approach, the whitepaper echoes the ONC Tiger Team's emphasis on meaningful patient consent, stating,

  ...CalOHII believes that the reading of an informing document and the signing of a consent form is the step at the end of a process - the process of education.  The education of the patient on the various aspects of the electronic exchange of health information is to guide the patient in making a meaningful decision in giving or not giving his/her consent.

The whitepaper would permit certain exceptions allowing information to be accessed through an HIE without patient consent, namely for public health reporting and emergency "break the glass" situations.  In addition, the HIE demonstration projects are permitted under certain circumstances to request to "Demonstrate Alternative Requirements" (DAR process) in order to present other policies and requirements for implementing patient consent and privacy and security requirements. 

The two demonstration projects chosen for 2011 are the Western Health Information Network (WHIN) and the San Diego Beacon eHealth Community.  Both demonstration projects are currently set to test the opt-in framework as well as the CalOHII privacy and security policies that are to be developed.  The purpose of the demonstration projects is to help evaluate solutions for HIE and to test and develop innovative privacy and security practices.  Regulations for the demonstration projects are expected to be finalized shortly. 

Federal Government Releases Updated DURSA for NHIN Participants

An Amended and Restated DURSA dated May 3, 2011 was released November 30, 2011.  DURSA is an acronym for the "Data Use and Reciprocal Support Agreement."  It is a comprehensive agreement to govern the exchange of health data through the Nationwide Health Information Network Exchange (NHIN).  It is a single multi-party agreement that establishes the rules of engagement and obligations to which all Participants agree and that all Participants sign as a condition of joining the NHIN community. A clean copy of the updated DURSA can be downloaded from the NHIN's Participant "Onboarding" Website, or by clicking here. The Office of the National Coordinator (ONC) has also posted a Redline version comparing the most recent May 2011 version of the DURSA against its predecessor (scroll all the way down to the "DURSA" subcategory).

According to a PowerPoint posted by the ONC that summarizes all the changes to the November 2009 version of the DURSA, here are some of the more significant ones that NHIN Participants can expect:

  • The term “Nationwide Health Information Network” is defined more broadly, and ONC is phasing out its use altogether.
  • The composition of the Coordinating Committee is being reduced significantly. ONC indicated that the current composition is not scalable given the rapid growth in the number and type of Participants.
  • The definition of "Permitted Purposes" has been revised to support varied types of transactions and not preclude legitimate reasons to transact Message Content including treatment, payment, limited healthcare operations with respect to the patient that is the subject of the data being exchanged, public health activities, meaningful use and disclosures based on an authorization from the individual.
  • Each Participant is required to (i) validate information about its Users prior to issuing the User credentials; (ii) use the credentials to verify the identity of its Users before enabling the User to transact Message Content; and (iii) provide truthful assertions.  The November 2009 version did not specifically require Participants to “identity proof” their Users or explicitly require a Participant to submit truthful information in the assertions and statements that accompany a Message.  At the time, the DURSA developers assumed that these issues would be addressed in the Specifications, but they were not.
  • The duties of a responder and a requestor are combined into the duties of a Submitter, and Messages must now comply with Applicable Law, the DURSA, the Operating P&P, and the applicable Performance and Service Specifications. The Submitter must represent that all assertions or statements related to the submitted Message are true and accurate. It is also the responsibility of the Submitter – the one disclosing the data – to make sure that it has met all legal requirements before disclosing the data, including, but not limited to, obtaining any consent or authorization that is required by law applicable to the responding Participant.
  • The 24 notice requirement to the Coordinating Committee before suspending a Participant has been removed, as that process was recognized as onerous.  A Participant can now be voluntarily suspended for 5-10 days.
  • The November 2009 version required 2/3 of non-governmental and 2/3 of governmental Participants to approve all changes to the Operating Policies and Procedures.  The government acknowledged that this process has proven itself inefficient and has impeded the Coordinating Committee's ability to revise the Operating Policies and Procedures.  In the May 2011 version, the process for revising and adopting new Operating Policies & Procedures has been revised.  Prior to approving new Operating P&Ps, the Coordinating Committee will solicit comments from the Participants.  There will be a 30-day objection period once the Coordinating Committee approves new or amended Operating P&P.  New or amended Operating P&Ps go into effect unless 1/3 of the Participants object.  If 1/3 object, then 2/3 of non-governmental and 2/3 of governmental Participants must approve before the new or amended OP&Ps become effective.
  • In the November 2009 version, approval of new or amended Performance and Service Specifications required the Coordinating Committee to make a determination of "materiality," which then dictated the Technical Committee's process for approving the Specification change.  The government noted that the process has proven itself inefficient and has impeded the ability to amend the Performance and Service Specifications and adopt new Performance and Service Specifications.  With the new May 2011 version of the DURSA, new and amended Performance and Service Specifications will be approved in the same way that new and amended Operating P&Ps are approved.