Will HIPAA Conviction Appeal Loss Open the "Zhou" Gates?


This post is prepared by Christopher Dodson. 

Readers of this blog are probably familiar with the case of Dr. Huping Zhou, who was successfully prosecuted for violating HIPAA's privacy protections.  Zhou accessed the patient records of celebrities and coworkers more than three hundred (300) times over the course of several months, including four times after he was fired. The case is notable, in part, because Zhou's actions were not part of a broader criminal conspiracy. He was not defrauding the government or engaging in identity theft but was merely reading patient records as a matter of curiosity. When he appealed his conviction, the Ninth Circuit ruled that HIPAA's wrongful disclosure provision does not require intent to break the law.

One of the interesting details of the case was that while Zhou accessed several hundred records, he was only charged for the four records he accessed after he was fired. Why did the Department of Justice not charge him for accessing the other records while he was employed?

§ 1320d-6 of HIPAA prohibits anyone from knowingly accessing individually identifiable health information from a covered entity without authorization.

The answer to why Zhou was only charged with four counts may lie in the phrase "without authorization." It is possible that since DOJ was already breaking new ground by prosecuting him for accessing records without criminal intent, they did not want to add a second novel issue of whether he had sufficient authorization while he was employed. 

But now that DOJ has established that criminal intent is not required to violate HIPAA's wrongful disclosure provision, is it possible that the next person in Zhou's position could be charged for inappropriately accessing records while employed?

There is an interesting parallel with the Computer Fraud and Abuse Act. As with HIPAA, the CFAA prohibits certain actions when they occur "without authorization," a phrase which is undefined. There is ongoing debate over what qualifies as authorization for purposes of the CFAA and a split has developed among the circuit courts over a theory relating to authorization for employees. The theory holds that when an employee violates the duty of loyalty, her authorization is canceled as a matter of law even while she is still employed. Under this theory, if an employee has authorization to access a computer system then violates the duty of loyalty and engages in actions prohibited under the CFAA, a court may rule that her authorization to use the computer system was terminated as a matter of law at the time of the offense. In other words, as far as the employee and her employer are concerned she is an authorized user. But sometime later the legal system determines otherwise, leaving her liable under the CFAA.

Because there is a split among the circuit courts, many observers think the issue will wind up before the Supreme Court. If the Supreme Court affirms canceling authorization retroactively based on an employee's actions, it is not a stretch to imagine DOJ developing an argument that the authorization of someone like Zhou was terminated as a matter of law prior to being fired. This would enable DOJ to charge the defendant with all of the record views that occur after the authorization-terminating event.

Christopher is a former software developer and current J.D. candidate at the Earle Mack School of Law of Drexel University.  He is working with the Attorneys at Oscislawski LLC as a summer intern.

Are We Ready for the Nationwide Health Information Network? ONC Releases RFI for Governance of NwHIN

Currently, more than 500 hospitals and over 4,000 practices and clinics participate in the Nationwide Health Information Network (NwHIN).  According to the Federal Health Architecture (FHA) program in the Office of the National Coordinator for Health Information Technology (ONC), as reported by InformationWeek (March 2012), most of the hospitals are those involved in programs operated by the Departments of Defense (DoD) and Veterans Affairs (VA).  Although participants also include entities such as Kaiser Permanente, health information exchanges or organizations (HIEs/HIOs) such as HealthBridge, and federal agencies including CMS, the DoD and VA, the overall percentage of participation in the NwHIN remains relatively low. 

The NwHIN is the set of standards, services, and policies developed to enable and ensure the secure electronic exchange of health information.  Geared originally towards larger HIEs/HIOs and other networks and systems, as envisioned, the NwHIN would be a network of networks among the States and their respective health care providers and hospitals facilitating the efficient exchange of electronic health information and promoting interoperability.  

Most stakeholders would agree that safeguards should be in place to protect the confidentiality, integrity and availability of health information as it is exchanged among health care providers and at a national level as well as to promote public trust in such electronic exchanges.  However, there remains a lack of consensus on where (and what) standards and processes should be set for such exchanges, deterring broader participation in the NwHIN, creating confusion, and inhibiting exchange among providers in general.  Currently, the various States as well as the private sector have implemented a variety of, and sometimes conflicting, approaches to how and under what conditions information can be exchanged electronically. 

In recognition of this and under order by the HITECH Act, ONC has released a Request for Information, "Nationwide Health Information Network: Conditions for Trusted Exchange" (RFI), seeking public comment on establishing a governance mechanism for the NwHIN and a form of "rules of the road" for electronic exchange.  The RFI seeks to identify potential rules and processes for trusted exchange of health information among the various health care providers and health information organizations or regional health information organizations and promoting trust and confidence among health care providers and their patients.   

"We believe that this is an opportune time to solicit input on how the governance mechanism for the nationwide health information network should be shaped and how we could effectively use our statutory authority to complement existing Federal regulations to support and enable nationwide electronic exchange. We also believe that a properly crafted governance mechanism could yield substantial public benefits, including: reduced burden and costs to engage in electronic exchange; added protections for consumers and health care providers; and, in the long-run, a more innovative, and efficient electronic exchange marketplace that would ultimately create an environment where electronic exchange is commonplace and 'worry-free.'"  77 FR 28545. 

In general, the RFI seeks public comment on five proposed areas and sets of questions which combined would create a framework for the electronic exchange of health information:

  1. Conditions for trusted exchange (CTEs), which would include safeguard, interoperability and business practice CTEs (those standards and implementation specifications as described in the HITECH Act),
  2. Validation process for conformance to CTEs as NwHIN network validated entities (NVE),
  3. Process for retiring and updating CTEs to address current exchange needs,
  4. Process for classifying the readiness of standards and implementation specifications to support interoperability related to CTEs, including identifying gaps needing to be filled to support nationwide electronic exchange, and
  5. Monitoring and transparent oversight, primarily by federal agencies, including ONC, OCR and the FTC, with some responsibilities delegated to the private sector.

Much like for certification of EHR technology in the Medicare and Medicaid EHR Incentive Programs, ONC would select an accrediting body responsible for the validation process of NVEs.  However, rather than focusing on and regulating only the product itself (e.g., the “certified” EHR technology), the services and activities performed by the entity itself would be the primary focus.  The NVE framework itself would be voluntary, with entities seeking validation as NVEs to the extent value is identified in seeking such validation, with of course, the ability as NVE status gains ground to be required as a condition of contracts, grants, and other relationships and procurements.

ONC clearly recognizes the critical need for flexibility and avoidance of a “one-size-fits-all” approach to governance and therefore would propose a variety of standards for electronic exchange, ranging from basic to more complex and ever-evolving exchange activities and use cases.  Entities contemplated which could seek status as an NVE would include EHR developers; regional, state, local or specialty-based health information exchanges; health information service providers; State agencies; Federal agencies, and integrated delivery networks.

Notably, ONC would propose that NVEs which were not otherwise Covered Entities or Business Associates comply with certain provisions of HIPAA, specifically 164.308, 164.310, 164.312, and 164.316.  NVEs in addition to complying with all of the HIPAA Security Rule's “required” implementation specifications would also be required to comply with those “addressable” as well, a proposition ONC is almost guaranteed to receive lively comment on.  NVEs would also be held to a more uniform set of policies and practices than those that would be required to comply with the HIPAA Privacy and Security Rules.

Consistent with previous recommendations of the HIT Policy Committee, ONC has not proposed that either an opt-out or opt-in mechanism would be required, but rather, that “meaningful choice” must be provided within three proposed exceptions, noting HIPAA baseline authorizations remain required for certain purposes: 

  1. For purposes of medical treatment;
  2. When information exchange is mandatorily required under law; or
  3. Where the NVE is acting solely as a conduit and not accessing or using the information beyond what is required to encrypt and route it to its intended destination.

Two other important proposals set forth by the RFI on which ONC has requested public comment are that NVEs would be required to either encrypt or make available encrypted channels for information to flow through, and that NVEs would not be permitted to use or disclose de-identified information for economic gain.  In addition, an NVE would be required to implement and use one of two types of transport specifications:  unsurprisingly, the Direct Project transport specifications, which may cause consternation for several HIEs, and the Exchange transport specifications. 

The overarching question which needs to be answered for this RFI is, are we there yet? Are we ready to adopt a nationwide governance mechanism? If so, can we come to a consensus on those critical standards, services and activities which are necessary for efficient, effective and trusted exchange of health information, while keeping the flexibility and responsiveness needed to support the broad array of electronic exchange activities as they evolve?

A Notice of Proposed Rulemaking (NPRM) would be the next step after ONC's consideration of public comments.  Public comments on the RFI are due June 14, 2012 and may be submitted online at https://www.federalregister.gov/articles/2012/05/15/2012-11775/nationwide-health-information-network-conditions-for-trusted-exchange.

NOTE: As of June 5, ONC has extended the deadline for public comments on the RFI until Friday, June 29, 2012.  Comments must be submitted by 11:59 PM Eastern Daylight Time. 

Legal and Practical Implications of Meaningful Use Attestation

With over $4 billion paid out to eligible professionals (EPs) and hospitals under the Medicare and Medicaid EHR Incentive Programs as of March 2012 according to CMS, many hospitals are gearing up for or have recently completed successful Meaningful Use attestation for their first Stage 1 90-day reporting period.  The online attestation process itself, as experience shows, is fairly straightforward and can be completed in a short amount of time.  But making sure you have everything to support that you were a “meaningful user” during the applicable reporting period requires careful planning and documentation.  

Know what you are attesting to.  The federal False Claims Act imposes liability on any person submitting a claim to the federal government that he or she knows, or should know, is false.  No proof of specific intent to defraud is required, and "knowledge" includes (1) actual knowledge of the information; (2) deliberate ignorance of the truth or falsity of the information; or (3) acting in reckless disregard for the truth or falsity of the information.  State laws may also result in civil or criminal penalties for false claims.

By attesting, the hospital or EP is submitting a claim for payment from the government.  As such, any misrepresentations, material omissions, false claims, statements or documents are subject to prosecution under Federal or State criminal laws and potentially civil penalties.  With all hospitals and EPs on the hook for visits from both CMS and the respective State Medicaid auditors, they must be prepared to show proof that they accurately attested to the best of their knowledge to all measures and objectives and other meaningful use requirements having been met.

It is therefore critical that, before attestation, the hospital or EP reasonably have the knowledge to attest that it was a meaningful user during the applicable EHR reporting period and that all data (1) is accurate and complete to the best of his or her knowledge; (2) includes information on all patients to whom the measure applies; and (3) for CQMs, has numerators and denominators that were generated as output from certified EHR technology. 

At an absolute minimum, the hospital or EP must ensure that all measure thresholds were appropriately met, all patients to whom a measure applied were included in the denominator (or properly excluded), and interpretations of any “grey areas” are clearly documented.  The hospital or EP should be familiar with any clarifying language in the Preamble to the EHR Incentive Programs Final Rule as well as any relevant and available CMS Frequently Asked Questions.    

Other practical considerations to support attestation and defend against potential audit by CMS or the State include:

  • Have all data readily available that must be entered during the attestation process (e.g., CMS EHR Certification Number, method for calculating ED visits, all applicable numerators and denominators).  CMS has made available an Attestation Worksheet for assistance with the online attestation process.
  • Document all certified EHR technology reports and supplemental data reports, as well as measure checklists, screenshots, test results and any assumptions or processes concerning workflows or interpretations for any given individual measure that support meaningful use during the applicable EHR reporting period.  Be prepared to show documentation to support all "yes/no" attestations.  For example, documentation for "exchange key clinical information" could potentially include screenshots of the test information that was sent to the third party health care provider and the testing "script" showing the date and success or failure of the exchange.   
  • When using multiple certified EHR systems, CMS as of April 20, 2012 will permit those numerators and denominators generated by the respective certified EHR systems reports to be added together, rather than requiring the hospital or EP to reconcile the reports to account for unique patients as CMS required in the past.  If a hospital or EP has already attested and reconciled for unique patients, keep all reports used to aggregate the data and that support the numerators and denominators attested to.
  • Keep all documentation to support your meaningful use, including to support patient volume thresholds, and incentive payment calculations for the Medicare and/or Medicaid EHR Incentive Programs, for a period of six years from the date of your attestation (three years to support Medicaid Adoption/Implementation/Upgrade payments).

Remember that for hospitals, July 3, 2012 is the last day to begin your 90-day reporting period for Stage 1.  Be sure also to keep an eye on both the CMS and your State’s EHR Incentive Program websites for additional information regarding audits or updates to the respective Meaningful Use programs.  Subscribing to the CMS EHR Incentive Program Listserv will ensure that you receive any new or updated FAQs from CMS as well as other important information about the EHR Incentive Programs. 

Oscislawski LLC and Blass Affiliates have teamed up to help a number of hospitals successfully attest for Meaningful Use Stage 1.  The experienced consultants at Blass provide hands-on guidance and software compliance management support to help clients succeed with Meaningful Use through ComplyAssistant, its web-based compliance management tool, and the knowledgeable attorneys at Oscislawski LLC keep on top of Meaningful Use regulatory developments and offer legal interpretation and guidance to clients.  

We "Like" Organ Donor Status on Facebook

This post has been prepared by Christina Strong, Esq.

The addition of "organ donor status" to Facebook is a tremendous boon for the communication of what is fast becoming a social norm, altruistic donation of one's body, to take place after death.  Unlike other decisions surrounding one's body, the decision to donate organs is not a health care decision.  It is instead a charitable gift, to be given post-mortem, the legal equivalent to a gift made through a will.  While privacy advocates and others in the industry are rightfully concerned about inadequate protection for healthcare decisions provided on the web in general and Facebook in particular, there is no privacy law or issue impacted by listing of donor status on Facebook.  First of all, it is extremely unlikely that designation of donor status on Facebook will be considered a document of gift under the Uniform Anatomical Gift Acts of most states. Thus, to state that one is an organ donor on one's Facebook Timeline is tantamount to saying:

When I die, and if I die in a time frame and manner which allows for the recovery of something from my body, I would like to give something. 

It is an expression of general support for a concept, followed by a call to action “Register with your State Donate Life Registry”, and a link to do so.  The registration itself takes place on a secure website, which performs legally adequate verification of identity, and information, and in many cases, specific choices as to the scope of the gift.  Facebook does not display actual registration or donor information.  Facebook displays the expression of generous intent.

A recent article in Bloomberg Businessweek warns consumers to be hyper-aware about managing their own privacy for this information, and suggests that it can be used against them. While it is not entirely clear whether the authors of the article are actually concerned about the privacy of a person's "donor status" or have simply confused this expression with the privacy concerns that arise when true medical information is shared, in any case it is important to understand that the Organ Donor "Status" referred to on Facebook merely reflects the willingness to give a post-mortem gift.  This general willingness, or indeed, even the fact of donor registration, does not impact any other aspect of life or health care, any more than a decision to be cremated rather than buried might.  One is not treated differently in an insurance policy, an auto accident or at the hospital based on one's decision, registered or not.  One is not declared dead on any different criteria simply because one has indicated a preference about donation.  It is a decision about body disposition, and therefore not considered health information of any kind, under any law, state or federal.  Donor status is a decision people like to share, like "I root for the Giants" or "I support Planned Parenthood".  It loses any conceivable protection at the point where one voluntarily shares it with the public one chooses to share with. 

If the article intends to point out that once you put your donor status on Facebook others can see it and judge it according to their own lights, then the authors are absolutely correct.  That is the point.

Christina Strong is an attorney in private practice who concentrates in health law, including anatomical gift law, informed consent, healthcare decision-making and healthcare privacy.  She is a trustee of Donate Life America, and a registered organ and tissue donor in the State of New Jersey.  This means that when she dies, if she dies in a manner and a time frame compatible with donation, her organs can save as many as seven lives, and her tissues may be recovered and used to enhance the lives of hundreds.  This is true of her, and 10 million others who have registered their wish to be an organ donor.  With the help of Facebook we hope that 10 million more donors will sign up in 2012.

According to FoxNews.com, the FB Donor Status button and link has spurred thousands of new registrations in just the last few days. To learn more how you can register to become an organ donor through Facebook's links to state registries, visit DonateLife's FB page.

Public Comments for Meaningful Use Stage 2 NPRM Due May 7

The clock is ticking for interested parties to submit comments in response to the CMS and ONC Meaningful Use Stage 2 Notices of Proposed Rulemaking (NPRM).  The deadline for submission of comments is 5pm on Monday, May 7.  CMS has requested public comment on a variety of specific Stage 2 proposed requirements, such as for CQM reporting, transport standards, and the active role of patients proposed for certain objectives and measures. ONC likewise has requested public comment on proposed new and revised standards, implementation specifications and certification criteria. Public comments may also be submitted in general on any of the proposed new or revised Stage 1 and Stage 2 requirements.   

For a summary of the changes proposed by the CMS NPRM, check out my previous posts, Proposed Rule for Meaningful Use Stage 2 Released and Meaningful Use Stage 2 Ramps up HIE.  Formal comments can be submitted directly online through the respective CMS and ONC NPRM websites. Entities currently participating in or considering participating in the Medicare or Medicaid EHR Incentive Programs are strongly encouraged to submit comments on the NPRMs as feedback is critical for improvement of the EHR Incentive Programs and accomplishing the goals of Meaningful Use.