Terms and Conditions May Apply: Consequences of Email-Provider Email Scanning

This guest blog post was written by Van Zimmerman, Esq. Van is currently the Privacy and Security Officer at Jersey Health Connect, a New Jersey health information exchange network. Van has over 18 years' experience in health IT, privacy and security, and compliance.

Yahoo’s recent trip to the courthouse regarding its email content scanning gives us a healthy reminder to think about what we send, how it is used, and how that impacts entities subject to HIPAA and their (or their recipients’) ability to use free hosted email services.  Spoiler - don’t, at least not for any patient-related communication.  Those terms and conditions do matter.

“Yahoo requires its subscribers to consent to the interception, scanning, analysis, and storage of email in exchange for Yahoo Mail Services” and requires users to notify non-Yahoo users with whom they communicate of such a “feature”.  In re Yahoo Mail Litig., 2015 U.S. Dist LEXIS 68585 at 9 (N.D. Ca., May 26, 2015).

Yahoo’s privacy policy states:

“Yahoo! provides personally relevant product features, content, and advertising, and spam and malware detection by scanning and analyzing Mail, Messenger, and other communications content. Some of these features and advertising will be based on our understanding of the content and meaning of your communications.”  In re Yahoo Mail Litig., at 11.

While it is unclear if this sentence was removed in the court’s opinion or wasn’t present in Yahoo’s policy at the time, the current policy continues, “For instance, we scan and analyze email messages to identify key elements of meaning and then categorize this information for immediate and future use.” 

Other major email providers have “privacy” policies which permit substantial use of the contents of email sent through their systems.  For example, Google provides as of December 19, 2014:

“Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection.”  

Google made that addition in their December 19, 2014 revisions to their Privacy Policy, although such practices appear to date back much farther.  See In re Google Inc. Gmail Litig., 2014 U.S. Dist LEXIS 36957 (N.D. Ca., March 18, 2014).  Compare those statements to the privacy policy of a paid-only service, which is much more privacy-friendly.  Even Google makes an explicit distinction between free and paid email services:

“What kind of data scanning or indexing of end-user data is done?

Google for Work does not scan your data or email in Google Apps Services for advertising purposes. Our automated systems scan and index your data to provide you with your services and to protect your data, such as to perform spam and malware detection, to sort email for features like Priority Inbox and to return fast, powerful search results when users search for information in their accounts. The situation is different for our free offerings and the consumer space. For information on our free consumer products, be sure to check Google's Privacy and Terms page for more consumer tools and information relating to consumer privacy.”

In practice, this seems to go beyond merely displaying advertisements; it goes farther than some would expect (see Google Tracks Hotel Reservations).

So why does this matter?  Putting aside the consequences of breaches an email provider may suffer (e.g. Midwest Orthopaedics), the email provider is receiving, maintaining, and possibly transmitting on behalf of the sender. If that sender is a covered entity or business associate, and the email contains PHI, the sender and the provider would need to have a business associate agreement in place.  45 C.F.R. §§ 164.308(b), 164.314, and 164.504(e). 

Even if there were a BAA in place (good luck getting one for free services; Yahoo appears not to under any circumstances, although Google will for paid services), knowing that the email provider is going to use the contents of messages for marketing purposes, possibly in violation of HIPAA at 45 C.F.R. 164.508(a)(3) (remuneration for marketing) or § 164.504(e)(2)(i) (a BAA can’t permit a BA to use PHI to violate the Privacy Rule), may be problematic in light of the termination language in § 164.504(e)(1)(ii) or (iii).  That is, if a pattern or practice is known in advance, it is probably not reasonable to enter into such an arrangement in the first place, and in any event, continued use of such a service would be problematic.

A more interesting question arises when the sender maintains their own email system, but may from time to time send email to external addresses hosted by a provider which performs content analysis of emails for advertising.  Assuming some of those emails will have PHI, is it acceptable to send to those addresses?  An address might belong to another health care provider, or perhaps a patient. 

This is problematic for so many reasons. 

  • Is the destination email provider a BA of the sender, as it is receiving, maintaining, and transmitting PHI on the sender’s behalf?  
  • If the recipient is another BA or covered entity, is the destination email provider a BA of the intended recipient, since it is doing the same for them?  
  • Are all the necessary BAAs in place?  
  • Even if emailing a patient, are you disclosing PHI to them, or are you disclosing it to a third party for subsequent transmission to the patient? 

In any event, an email provider scanning email for advertising (or other) purposes isn’t treatment, payment, or operations, and isn’t otherwise listed as a HIPAA permitted use or disclosure. 45 CFR 164.512 (authorization or opportunity to agree or object not required).  Does an authorization (and NPP) cover such use?  Even if it did, is an email provider going to honor revocation of that authorization?

Is the data encrypted and hashed on the way to the destination email server (possibly, but not guaranteed)?  Is the data encrypted and hashed in storage once it gets there?  It almost certainly isn’t encrypted in a way that would prevent the email provider from scanning it.

Does the email provider’s scanning of that email constitute a Breach?  What about email provider’s use of that information for subsequent aggregation and identity tracking or otherwise sharing with a third party? 

What about the Security Rule’s general requirement to “[p]rotect against any reasonably anticipated uses or disclosures…that are not permitted or required under [the Privacy Rule]”?

This isn’t just a healthcare issue.  What are the consequences for privilege, whether attorney-client, doctor-patient, etc., when those communications have no reasonable expectation of privacy?  Does the analysis in Stengart v. Loving Care Agency, Inc., 201 NJ 300 (2010) change if there is no reasonable expectation of privacy?  A number of email providers have adopted language similar to that suggested in United States v. Warshak, 631 F.3d 266, at 287 (6th Cir., 2010) [note: an interesting read for a discussion of the Stored Communications Act, marginalization of the 4th Amendment, and what actually happened to all those Enzyte commercials].  Does it change if those email providers actively engage in activities beyond using email content for directed advertising, such as actively parsing email for illegal content?  Would the privilege consequences be different in civil vs. criminal proceedings?

Perhaps we would be best served to heed Eliot Spitzer’s advice, "Never write when you can talk. Never talk when you can nod. And never put anything in an e-mail." At least not where free services are involved.

Deciphering the HITECH Omnibus Rule: Business Associates

Since the HITECH Notice of Proposed Rulemaking (NPRM) was released in July of 2010, covered entities and business associates have been waiting (im)patiently for the Final HITECH Omnibus Rule to be released.  As of this past Thursday, we all finally have some guidance on how to implement provisions of the HITECH Act, including but not limited to provisions governing business associate and subcontractor liability, individual access rights, fundraising, marketing, breach standards, and much more. 

True to its name, the HITECH “Omnibus” Rule or Final Rule packs in a lot of changes to the HIPAA Privacy and Security Rules, the enforcement provisions and breach notification requirements of the HITECH Act, as well as amendments to GINA and the handling of genetic information.  To make dissecting this 500+ page rule manageable, the next few posts will focus on key aspects of the HITECH Final Rule, starting today with the provisions of the Final Rule which impact business associates and their subcontractors.

A covered entity is and has been required by HIPAA to enter into a HIPAA Business Associate Agreement (HIPAA BAA) with any entity that would create, receive or transmit PHI for or on their behalf in connection with certain health care operations purposes.  However, before the implementation of the HITECH Act, business associates of covered entities were not directly liable for improper uses or disclosures of protected health information (PHI) in the performance of services or functions. 

Ultimately, only covered entities were responsible in the event a business associate failed to appropriately safeguard the PHI they were provided with or used/disclosed it improperly. However, as you know, HITECH made provisions of the Privacy and Security Rules directly applicable to business associates, with the NPRM proposing several modifications to the definition of a “business associate”, including adding Patient Safety Organizations and patient safety activities as well as certain health information exchange organizations (HIOs) and personal health record (PHR) activities.

The HITECH Final Rule modifies the definition of “business associate” to mean any person who “creates, receives, maintains, or transmits” PHI on behalf of a covered entity, in order to clarify that any entity that maintains PHI, such as a data storage organization, is a business associate even if it does not access or view the PHI.  PHR vendors will also be considered business associates where they provide PHRs for or on behalf of a covered entity, rather than simply establishing a connection for the covered entity to send PHI to the individual’s PHR.  Rather than acting simply as a “conduit”, the PHR vendor is maintaining PHI on behalf of the covered entity for the benefit of the individual.

For HIOs and other entities, they will be considered business associates where they (1) provide data transmission services with respect to PHI and (2) require routine access to the PHI.  The Preamble to the HITECH Final Rule clarifies “access on a routine basis” to mean circumstances where an entity requires access to PHI in order to perform services and functions on behalf of a covered entity, such as management of an exchange network through use of record locator and other services on behalf of its participants.  However, HHS recognizes that it will depend upon the circumstances and states its intention of issuing future guidance in this area. 

Most importantly, and perhaps a sore point for business associates and their subcontractors, the HITECH Final Rule makes subcontractors of a business associate that create, receive, maintain or transmit PHI on behalf of such business associate likewise HIPAA business associates.  Therefore, these downstream subcontractors will be subject to the same requirements that the first business associate is subject to.  Each business associate now also is required to have a HIPAA compliant BAA in place with its subcontractors, its subcontractor with its own subcontractors, and so forth down the chain of subcontractors no matter how long. 

HHS recognized that,

“The intent of the proposed extension of the Rules to subcontractors was to avoid having privacy and security protections for [PHI] lapse merely because a function is performed by an entity that is a subcontractor rather than an entity with a direct relationship with a covered entity.  Allowing such a lapse in privacy and security protections could allow business associates to avoid liability….”

Furthermore, the Preamble stated, “applying HIPAA privacy and security requirements directly to subcontractors also ensures that the privacy and security protections of the HIPAA Rules extend beyond covered entities to those entities that create or receive [PHI] in order for the covered entity to perform in health care functions.”

The HITECH Final Rule also provides some clarification as to when a business associate will be an “agent” of a covered entity.  Although determinations of whether a business associate is acting as an agent of a covered entity are generally fact specific, the Preamble to the Final Rule makes it clear that federal common law agency principles will be applied, regardless of whether the parties consider or state themselves to be independent contractors.  If the covered entity has the right to control or direct any given service or function provided or performed by the business associate, then an agency relationship will likely be created (i.e., how a business associate will make PHI available for access by an individual).

Liability for a business associate’s actions, however, will only extend to the scope of the agency. For example, if a business associate fails to limit PHI disclosed to the minimum necessary while performing services it was engaged by a covered entity to perform (as an agent), then the business associate is likely acting within the scope of agency.  However, a business associate’s conduct is outside the scope of agency where it acts for its own benefit or for that of a third party. 

Business associates are also subject to the HITECH marketing requirements, to be discussed in a future blog post.  And finally, the HITECH Final Rule applies certain other provisions of the Privacy Rule directly to business associates.  Business associates will have direct liability for impermissible uses or disclosures in violation of the HIPAA BAA or the Privacy Rule, as well as:

  • failure to disclose PHI where required by the Secretary;
  • failure to disclose PHI for access rights;
  • failure to limit PHI used/disclosed to the minimum necessary;
  • failure to obtain a HIPAA compliant BAA with subcontractors;
  • failure to provide breach notification;
  • failure to provide an accounting of disclosures (subject of a separate future rulemaking).

Covered entities and business associates are permitted under the Final Rule transition provisions to continue operating under existing HIPAA BAAs for up to one year beyond the compliance date of the Final Rule, or until the initial renewal/modification, whichever is earlier.  The minimum requirements of a HIPAA BAA were slightly modified by the Final Rule, and now:

  1. Must include the requirement that a business associate report any Breach of which it becomes aware to the covered entity, in addition to security incidents;
  2. Must include the requirement that a business associate, to the extent the business associate is to carry out a covered entity's obligation under the Privacy Rule, comply with the requirements that apply to the covered entity in the performance of such obligation; and
  3. Need not include the requirement that the covered entity report a business associate to the Secretary for patterns or practices which constitute a material breach or violation of the HIPAA BAA.

Stay tuned for a discussion of the new Breach Presumption and Risk Assessment requirements implemented by the Final Rule...

Kaiser Permanente Faces Investigation Over Inappropriate Storage of Patient Records by Contractor

Kaiser Permanente is facing investigation over the handling of approximately 300,000 patient records by a contract storage firm.  According to an article in the LA Times, Kaiser contracted with a small business, Sure File Filing System ("Sure File"), to organize and clear out older patient records on its behalf.  As it turns out, the storage firm kept those patient records in a warehouse shared with an individual's party rental business and Ford Mustang, then in the storage firm's owner's personal garage and home.

Although Kaiser retrieved the paper records Sure File possessed upon termination of the contract in 2010, Kaiser recently filed suit, alleging that not all of the patient records had been returned or destroyed when its contract with Sure File was terminated. Patient records, according to Kaiser, were still maintained on hard drives that Stephan and Liza Dean, the couple who own and run Sure File, allegedly kept in their garage with the door open. When Kaiser sued for breach of contract and to recover the files, the hard drives were apparently relocated from the garage to the couple's home, and the patient records were only deleted as of this past New Year's Eve.

The LA Times article states that HHS officials were notified last year when the Deans filed a complaint.  You read that right. The individuals responsible for storing the data in an unsecured warehouse, their garage and their house apparently were the ones who filed the complaint that patient records had not been handled appropriately by Kaiser. 

In addition, Stephan Dean reportedly threatened to contact patients directly to inform them of how Kaiser had mishandled their health information.  According to the article, Dean claims Kaiser employees repeatedly failed to maintain the privacy of patient information, citing multiple emails sent by hospital employees to him requesting and including patient-specific information such as social security numbers in an insecure manner.

Kaiser was confident that patient information was not disclosed or accessed inappropriately, although employees were disciplined for failing to follow policies.  Kaiser spokesman John Nelson stated,

"Kaiser Permanente is committed to protecting the medical and personal privacy of its patients. In retrospect, we certainly wish we'd never done business with Mr. Dean."

It is not likely that Kaiser is squeaky clean in this mess, given it appears Kaiser failed at a minimum to have a proper HIPAA business associate agreement (HIPAA BAA) in place prior to releasing patient records to the contractor.  However, a bigger question is, if OCR is indeed investigating the mishandling of Kaiser's patient records, what liability may exist for the contractor?

Business associates are independently liable as a result of the HITECH Act for certain of the HIPAA Security Rule requirements, in particular, administrative, physical and technical safeguards for electronic PHI.  However, given the uncertainty surrounding business associate liability in the absence of a HITECH final rule, and because the majority of the activities associated with the contract took place prior to 2010, the contractor might only be on the hook contractually for failing to safeguard, return and/or destroy the patient records. Although enacted in 2009, many provisions of HITECH did not take effect until February of 2010.

Assuming Kaiser had obtained an appropriate HIPAA BAA from Sure File, at a minimum the contractor would have agreed to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic protected health information and/or appropriate safeguards to prevent use or disclosure of PHI other than as provided for by its contract. I think we would all agree that storing hard drives with hundreds of thousands of patient records in your garage or home, or records in an unsecured shared warehouse space, is a far cry from implementing reasonable and appropriate safeguards, however recklessly the other party may also have acted with regard to the information.

"Final Countdown" to the HITECH Omnibus Rule

The date for publication of the HITECH "Omnibus Rule" has become a contest for some. Data breach consultant IdExperts has launched a "Final Countdown" contest for individuals to guess the date on which the Omnibus Rule will actually be published as well as the total page count of the rule.

Originally submitted to the Office of Management and Budget back in March, the Omnibus Rule was due at the end of summer according to Farzad Mostashari but has been delayed indefinitely pending further review.  The Omnibus Rule would implement HITECH modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, as well as address the Genetic Information Non-Discrimination Act (GINA).  Ordinarily, the OMB has 90 days to review regulations, subject to certain extensions.

Contestants who enter have a chance to win an Amazon gift card, as well as have $2,500 donated in his or her name to the Wounded Warrior Project, a non-profit organization that provides benefits and services to veterans wounded during service.  To guess the date of publication and final page count, visit IdExperts.

HITECH Omnibus Rule Out by End of Summer

HealthDataManagement reports that the HITECH "Omnibus Rule" is due to be released by the end of the summer, according to Farzad Mostashari, the National Coordinator for Health Information Technology within the Office of the National Coordinator for Health Information Technology (ONC).  The announcement was made during his keynote given at the 2nd International Summit on the Future of Health Privacy last week.  The two-day Summit brought together leading experts in health privacy, focusing on the privacy implications of the digitization and electronic exchange of health information.

The long-awaited Omnibus Rule, which would implement HITECH modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, as well as address the Genetic Information Non-Discrimination Act (GINA), was sent for review before publication to the Office of Management and Budget (OMB) at the end of March.  Ordinarily, the OMB has 90 days to review regulations, subject to certain extensions. 

Of particular interest are regulations expected to clarify business associate liability, new restrictions on marketing and fundraising, and data breach enforcement and penalties, among others.  A final regulation on the HITECH changes to the HIPAA Accounting of Disclosure requirements is also expected, although it is unclear whether it will be released part and parcel with the HITECH Omnibus Rule. The Proposed Accounting of Disclosures Rule was published for public comment in May of 2011. 

During the keynote, Mostashari emphasized the importance of technical and cultural considerations to keep privacy protections at the center of ONC's efforts and activities, expanding the adoption of EHRs, and increasing public trust in electronic exchange of health information, saying,

"You can't get information exchange unless there's trust. We can't get a learning health system unless there's trust."

Mostashari noted that ONC is currently working with vendors to develop information system privacy functionalities "by design", with the goal of having privacy protections built into each information system, for example, encrypting personal identifiers when exchanging data. Stating that patients should never hear,

"Sorry, I can't give you your health records because of HIPAA",

Mostashari also noted the need for patients to be better educated on their privacy rights, in particular, how their information is used and how to submit complaints about violations or concerns, as well as for providers themselves to have a better understanding of their obligations under HIPAA. 

HITECH Omnibus and AOD Rules Set for OMB Review

Health Data Management reports that the long-awaited HITECH Omnibus Rule as well as the Accounting of Disclosures (AOD) Rule are set for OMB review.  Expected also are proposed regulations for Meaningful Use Stage 2.  HHS released its semi-annual regulatory agenda in January to the Office of Management and Budget (OMB).  As with other agencies, the agenda identifies key regulatory priorities over the next months.

The HITECH Omnibus Rule is expected for publication in March of this year with the AOD Rule not until June.  The proposed regulations for Meaningful Use Stage 2 are still expected this month, February.  While OMB review could hypothetically take a matter of weeks, the OMB may take up to ninety (90) days to review regulations before publication, as well as potentially extend the deadline. 

Helen Oscislawski Invited to Speak at National HIPAA Summit

I attend the annual National HIPAA Summit in Washington, D.C. every year to keep on top of developments with HIPAA and related topics, and so I was thrilled to find out that one of the Co-Chairs of the ONC Privacy and Security Tiger Team recommended that I be asked to speak on HIPAA and its implications on Health Information Exchange (HIE) at this year's event. The 20th National HIPAA Summit will run from March 26-28th and take place at the Renaissance Hotel in Washington, D.C.  You can review the full itinerary here.

I am scheduled to speak on HIPAA and HIE during the afternoon session of March 27 (Day 2), and will be joining Dr. William R. Braithwaite, MD, PhD (aka "Dr. HIPAA"), Joy Pritts, Esq., the Chief Privacy Officer for the ONC, and Deven McGraw, Esq., Co-Chair of the ONC Privacy and Security Tiger Team, who will be speaking on related topics during this afternoon segment.

The annual HIPAA Summit will provide the most up-to-date information on the status and schedule for publication of the new regulations. Comprehensive presentations by leading regulators from the Centers for Medicare & Medicaid Services, the Office for Civil Rights, and the Office of the National Coordinator for Health Information Technology, provide unique insights. Private sector leaders will add practical advice from their many experiences in implementation. The HIPAA Summit will address privacy and security and data breach changes and challenges and the legal and policy issues implicated, as well as electronic health record adoption issues. It will also cover developments and requirements for transactions and code sets and operating rules about how they are being implemented. It will also include training sessions for HIPAA privacy and security professionals who intend to apply for certification. 

see www.hipaasummit.com/overview.html

This is an event not to be missed by anyone who needs to keep on top of the most recent trends and developments in health care information privacy and security.

To register for the HIPAA Summit, visit www.hipaasummit.com/registration.php

For other events which Attorneys at Oscislawski are participating in, visit our new Upcoming Events page.

Security Breach Response: Lessons Learned from the Epsilon Breach

Does the notice below look familiar?

Chase is letting our customers know that we have been informed by Epsilon, a vendor we use to send e-mails, that an unauthorized person outside Epsilon accessed files that included e-mail addresses of some Chase customers.  We have a team at Epsilon investigating and we are confident that the information that was retrieved included some Chase customer e-mail addresses, but did not include any customer account or financial information.

If it does, congratulations on being one of the unlucky millions affected by the data breach which occurred at Epsilon last week.  The largest distributor of "permission-based" email marketing, Epsilon serves some 2,500+ clients, from JPMorgan Chase to Target and Walgreens, sending over 40 billion emails on their behalf each year.

At some point on Wednesday, March 30, Epsilon's systems were hacked, resulting in millions of email addresses and names being stolen, presumably in order for hackers to send mass spam and convincing "phishing" emails to consumers.  The first I became aware of the breach was Monday, April 4, when I received the above notice from Chase, followed quickly by Target, 1-800-Flowers and a variety of other smaller companies over the next two days. 

As I received the latest emails this morning (World Financial Network National Bank, or WFNNB, and Citibank), I couldn't help but be impressed with how quickly Epsilon was able to detect the data breach, notify law enforcement, and notify its clients affected by the breach, reportedly about 50 companies.  The turnaround time within which many of the affected clients notified their consumers was equally impressive, especially given that these companies likely only received notice from Epsilon right before or over the weekend.

I automatically wondered: would such a response have been equally efficient and effective if the data breach had occurred within the HIT systems of a business associate of a hospital or within the hospital itself?  Maybe yes and maybe no. 

HITECH places stringent security breach notification requirements and timeframes on covered entities and business associates who experience breaches of PHI.  In addition, state laws such as New Jersey's Identity Theft Prevention Act also place breach notification requirements on these and other entities with regard to certain personal information.

Covered entities, as we are all too aware, are certainly not immune from the risk of security breaches.  Many covered entities may not have detailed policies and procedures for detecting and responding to breaches of PHI.  For those that do, are these procedures effectively communicated to key management and employees so that they know how to appropriately react from the first sign of a breach through the sending of required notices?  In addition, how soon and by what mechanisms are business associates required to report breaches, or even suspected breaches, of PHI to the covered entity?

Although only emails and names were hacked, the Epsilon breach stresses how important it is for covered entities to assess their security breach notification policies and procedures and ensure key personnel know the steps for detecting, assessing and mitigating breaches of PHI and their respective roles and responsibilities BEFORE these individuals are placed in such a situation.

A mere five calendar days (including the weekend) is quite impressive for a breach response involving so many different companies.  Although perhaps five days might be improbable or even impossible for a covered entity under the circumstances of a given breach, immediate and efficient action and communication are still crucial to an effective breach response.

One, Two HIPAA Penalty Punch from HHS and OCR

Just as gasps from the $4.3 million penalty OCR assessed against Cignet Health of Maryland started to subside, OCR delivers a whopping $1 million penalty to another hospital -- this time to The General Hospital Corporation and Massachusetts General Physicians Organization Inc. (aka, "Mass General").

The HHS Press Release indicates that Mass General has agreed to pay the U.S. government $1,000,000 to settle potential violations of the HIPAA Privacy Rule.  Mass General signed a Resolution Agreement with HHS on February 14, 2011, which you can review here.  After announcing the Settlement Agreement, OCR Director Georgina Verdugo made this official statement:

We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information.

The issue came to the attention of OCR when a patient filed a complaint after PHI involving 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS, was lost on March 9, 2009. The impermissible disclosures of PHI involved the loss of documents consisting of a patient schedule containing names and medical record numbers for a group of 192 patients, and billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of providers for 66 of those patients. The documents containing the PHI were lost when a Mass General employee left them on a subway train; they were never recovered.

The Corrective Action Plan (CAP) requires that the hospital:

  • Develop and implement a comprehensive set of policies and procedures that ensure PHI is protected when removed from Mass General’s premises;
  • Train workforce members on these policies and procedures; and
  • Designate the Director of Internal Audit Services to serve as an internal monitor who will conduct assessments of Mass General’s compliance with the CAP and render semi-annual reports to HHS for a 3-year period.

The OCR Director also added:

To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules . . . A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.

Kansas Aligns State Privacy Laws with HIPAA as HIE Standard

Today, the State of Kansas’ Senate committee approved (by a vote of 39-0) Senate Bill 133 to align the state’s privacy laws with HIPAA. The Kansas Health Information Exchange, Inc. (the state’s RHIO) testified before the Senate committee to stress that legislation is necessary to harmonize the “patchwork of about 200 statutes and regulations that are primarily focused on particular types of information…”  Representatives of the Kansas HIE explained that creating uniform privacy and security standards in Kansas for electronic HIE is critical because it affects the ability of providers to exchange and share information and coordinate care, which is key to higher quality and more efficient care, and better population health.

Among other things, Senate Bill 133 sets out criteria that providers must meet in order to be protected from prosecution for violating a patient's privacy. Specifically, providers would have to:

  • adhere to the use and disclosure rules in HIPAA;
  • adhere to the requirements in HIPAA for safeguarding patient information; and
  • comply with a patient's right to access their own medical information.

The bill also creates a standardized authorization form for providers to give patients before accessing and exchanging their medical information, as well as provides for a "personal representative" for incapacitated adults and minors without legal guardians.

As of January 27, 2011, ONC has approved over $547 million to states in order to further HIE efforts.  Yet, as states gear up to tackle implementing the Operational Plans that they have submitted to ONC, they continue to be faced with many of the same privacy and security questions and issues that have slowed and even stalled HIE progress in the past.

Before the ONC was established, the Health Information Security and Privacy Collaborative (HISPC) tackled privacy and security law issues for several years.  HISPC’s Final Report regarding Harmonizing State Privacy Laws, which is posted on ONC’s website, specifically recognizes that inconsistency in state and federal laws in terms of definitions, organizational structure, and content is often cited as a barrier to participation in and implementation of HIE.  In addition, the report notes that stakeholder groups have long indicated that a greater harmonization of state laws would be beneficial and that reform of state laws, combined with revisions in federal laws, must be considered.

During Phase 1 of HISPC's work, extensive discussions and activities with stakeholders determined that lack of clarity and divergent interpretation of legal standards have created barriers to participation in and implementation of HIE. The Report goes on to say that while some impediments to the exchange of health information are essential to protect privacy interests,

[u]nnecessary and unintended barriers resulting from confusion or inconsistency can prevent the timely and appropriate exchange of information essential for medical treatment and population health activities. Whether the movement to transform health care through HIE involves private grassroots efforts, state-specific initiatives, a single federal approach, or any combination thereof, the availability and use of common tools and resources is essential for establishing workable information exchange standards and practices within and among states.

Yet, while these obstacles are now widely recognized and exhaustively written about, the inconsistencies in various state laws as they relate to desired federal HIE objectives continue to create confusion and drain resources.  Thus, to date, HIPAA continues to be the main federal legal source that states can look to in order to define what privacy and security standards should apply to electronic HIE – which is what Kansas has done.

4.3 Million Penalty Assessed Under HITECH for HIPAA violations

One might say that it looks like HHS and OCR are making up for all those years people have said there has been a lack of enforcement of HIPAA -- 4.3 million dollars worth of "making up for lost time" in just one shot....

HHS and OCR held nothing back as the first civil money penalty was assessed under the new categories and increased penalty amounts created by HITECH.  The 4.3 million penalty was imposed against Cignet Health in Prince George's County, Maryland, for violating HIPAA patient access rights.  Cignet had denied access to the medical records of 41 patients upon their request between September 2008 and October 2009, and each patient had filed a complaint individually with OCR. HIPAA requires Covered Entities to provide patients with copies of their medical records on request within 30 days and in no case later than 60 days from the date of the request. HITECH created new categories of violations, ranging from "did not know" to "willful neglect" to comply with HIPAA, and established a corresponding tiered monetary penalty system.

Had this been the end of the story, Cignet would have walked away with only a 1.3 million penalty for violating HIPAA.  However, not only did Cignet fail to comply with HIPAA patient access rights, but it refused to produce the records when OCR demanded it do so.  Even after OCR presented Cignet with a subpoena, it continued to not produce the records.  Only after OCR filed a petition to enforce the subpoena and subsequently obtained a default judgment in United States District Court against Cignet did Cignet finally turn over the records.  Cignet also made no efforts throughout the entire investigation to cooperate or resolve the complaints informally.  OCR found Cignet's failure to cooperate a willful neglect of the HIPAA Privacy Rule, which requires all Covered Entities to cooperate with investigations by OCR, and an extra 3 million was imposed against Cignet.

The penalties imposed against Cignet dispel any doubt that may have remained concerning HHS' ramped up enforcement of HIPAA.  OCR Director Georgina Verdugo stated, "The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules." With a hefty 4.3 million penalty as HHS' "first shot", Covered Entities will certainly take notice and action to avoid coming under fire themselves.

Accounting of Disclosures Proposed Rule up for Review: The Beginning of a Collective Sigh of Relief or Covered Entities' Newest Nightmare?

Prepared by Krystyna H. Nowik, Esq.

The Office of Management and Budget (OMB) has finally received the long-awaited proposed rule addressing HITECH’s accounting of disclosure amendments.  As originally required by the HIPAA Privacy Rule, individuals had the right to request an accounting of disclosures made by a Covered Entity of their protected health information (PHI).  However, Covered Entities did not have to comply with requests for an accounting of certain disclosures, such as for those made for treatment, payment and health care operations (TPO) purposes.  With HITECH, however, came the removal of this exemption for TPO disclosures if the disclosure was made through an electronic health record (EHR) – what many Covered Entities felt was the beginning of one giant administrative and technological nightmare.

Public comment requested by the Office for Civil Rights (OCR), Department of Health and Human Services (HHS), back in May of 2010 sought to identify the burden this requirement would have on Covered Entities and their business associates, as well as the interests individuals had in obtaining an accounting of such disclosures.  In particular, the Request for Information asked for comment on current system capabilities and changes that would be needed, the feasibility of an exclusive EHR model, what elements would be required for inclusion in the accounting, and the ability of Covered Entities subject to the January 1, 2011 deadline (now come and gone) to comply by then.

In response, the Medical Group Management Association (MGMA) called the new requirement for TPO disclosures through EHRs “onerous” and “extremely difficult to achieve without an enormous outlay of resources.” Reflecting concerns across the nation, the 21-page letter to the Director of OCR argued that:

  • Accounting for TPO disclosures imposed severe administrative burden on physician practices;
  • Low patient volume of accounting requests made expenditure of resources unreasonable;
  • Accounting for TPO disclosures was burdensome and unnecessary, resulting in needless burden and cost;
  • Accounting for TPO disclosures discouraged adoption of EHRs by physician practices.

Covered Entities still have a long wait ahead before seeing HHS’s much anticipated (and perhaps dreaded) proposed rule.  The OMB generally has up to 90 days to review proposed rules, which, if approved, are then published as Notices of Proposed Rulemaking in the Federal Register. 

"Psychotherapy Notes" may Come Out From the Drawer

Currently, "psychotherapy notes" remains a very, very narrowly defined term under the Privacy Rule, and does not include general mental health information, including progress notes.  The exact definition is:

Psychotherapy notes means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. Psychotherapy notes [specifically] excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.  

See 45 CFR 164.501.  In the Preamble to the Privacy Rule, the government discusses that these are essentially the notes in the psychiatrist's drawer.

However, back in February 2009, the HITECH Act (H.R. 1) required that a study be completed to determine whether the definition of psychotherapy notes should include:

Test data that is related to direct responses, scores, items, forms, protocols, manuals, or other materials that are part of a mental health evaluation, as determined by the mental health professional providing treatment or evaluation in such definitions and may, based on such study, issue regulations to revise such definition.

See H.R. 1, Section 13424(f), at p. 165.  On October 7th, HHS and SAMHSA (Substance Abuse and Mental Health Services Administration) will debate the topic of whether and to what extent the definition of "psychotherapy notes" should be expanded.  In addition to this potential expanded definition, the Proposed HITECH Rule would require that a statement be included in the NPP that disclosure of psychotherapy notes requires prior patient written authorization.  It may go without saying that if prior written authorization will be required before any mental health tests or other data are released, this will be a major shift in how such information currently flows between health care providers.


Aetna "forgets" file cabinet full of patient information

A reminder to all covered entities out there that may be considering selling their business – don’t forget your file cabinet!! (or computers .. or disks ... or seemingly “empty” boxes where PHI may be lurking…..well, you get the picture).

NJ Times reports today that Aetna is notifying 7,250 people after paper files containing their PHI were accidentally left in a file cabinet that was being sold after an office move. The press release indicates that over 2,346 New Jersey residents were affected and over 4,013 in Pennsylvania, as well as a few in Connecticut and Delaware. Apparently, the files were voluntarily returned to Aetna after the individual who purchased the file cabinet discovered them. Aetna issued a press release indicating that it “has no reason to believe the information will be misused in any manner." Nevertheless, Aetna is notifying affected individuals and offering them a credit-monitoring service. Aetna also indicates that it has many privacy policies and processes in place, but that corrective action will be taken to ensure that such a “mistake” does not happen again.

The Aetna “breach” raises a number of interesting questions, many which I often am asked about in similar contexts. Specifically: 1) Can PHI be disclosed in connection with a sale of a business? 2) Must a seller purge or maintain PHI that is not transferred in connection with the sale of such business? and, 3) Who do I have to notify in the event of a breach?

I’ll tackle Questions #1 & #2 in today’s post, and save #3 for follow-up.

HIPAA actually does not require a patient’s written authorization to use or disclose PHI in connection with the sale of a business, in certain limited circumstances. A sale of a business is considered a “health care operation,” which is defined in the HIPAA Privacy Rule to include:

“the business management and general administrative activities of the covered entity including, but not limited to … (iv) the sale, transfer, merger, or consolidation of all or part of such entity with another covered entity, or an entity that following such activity [or completed purchase] will become a covered entity, and the due diligence related to such activity.” See §164.501.

Therefore, if Aetna had sold its filing cabinet to an entity that was acquiring its health plan business, then there would have been no breach under the federal standards. However, in this situation, it appears that the patients’ files were simply inadvertently left in Aetna’s file cabinet after furniture was sold to a random buyer in connection with an office move.  As such, there appears to have been a lapse in either following or implementing adequate safeguards.

The HIPAA Privacy Rule requires covered entities to implement appropriate administrative, technical, and physical safeguards to protect PHI from intentional and unintentional use or disclosure that is in violation of the Privacy Rule (see § 164.530(c)(1)-(2)). However, it is the Security Rule that provides more detailed guidance on the types of safeguards that may be useful. Specifically, the Security Rule requires covered entities to:

“implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within a facility.” (see §164.310(d)(1)).

The Rule then goes on to require covered entities to implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored (see §164.310(d)(2)(i)-Disposal). The Security Rule also requires covered entities to maintain a record of the movements of hardware and electronic media and any person responsible therefor (see §164.310(d)(2)(iii)–Accountability).

Although the Security Rule technically applies only to electronic PHI, the Aetna situation illustrates why it makes sense to implement similar sorts of controls for paper PHI. After all, if it makes sense to keep track of computers that store electronic PHI so that such information does not inadvertently end up in the hands of someone who should not have it, would it not make sense to implement similar safeguard controls for a file cabinet that “houses” paper PHI?

It would seem so.

The 800-Pound HIE Gorilla Tiger in "Meaningful Use"

There has been a lot of discussion around the Meaningful Use (MU) criteria. CMS has an entire website dedicated to the subject, as does ONC. Although the clinical criteria of MU may garner much of the attention, the privacy and security components are also significant.  In particular, the MU criteria pertaining to Health Information Exchange (HIE) raise certain fundamental privacy questions.

In short, the HIE requirements for MU include the ability to: (1) exchange “key” clinical information among providers of care and patient authorized entities electronically, and (2) perform at least 1 test of exchanging information. The crucial question, then, is what exactly does "and patient authorized entities" suggest?  In listening to the privacy discussion taking place in various ONC Workgroups, including the newly-established Privacy & Security Tiger Team, one could reasonably conclude that this requirement might evolve to mean that an HIE will need to be able to capture and implement patients' specific and granular preferences (e.g., patient is "ok” with releasing info to Provider B, but not to Provider C) -- at least if you want to meet MU criteria.

This interpretation, however, could throw a wrench into HIE networks across the nation that have implemented an Opt-Out consent model in part in reliance on a legitimate belief that when HHS adopted the final version of the HIPAA Privacy Rule it also vetted and already decided the question of whether a patient's prior written authorization should be required before general health information can be shared between treating providers for treatment purposes -- and it affirmatively decided to create the "Treatment Exception".  In fact, many states have laws that contain a similar exception. New Jersey, for example, specifically permits two treating doctors to share pertinent information about a common patient and expressly states that the prior consent is not required in such instances if it is in the best interest of the patient (see N.J.A.C. 13:35-6.5(d)3).

Links to the full legislative history related to the promulgation of the HIPAA Privacy Rule can be found on HHS’s website, but a closer look at the August 14, 2002 “Modification to the HIPAA Privacy Rule – Final Rule" is worth a second read in particular.  For those who wish to review it in full, I have posted a full excerpt of the relevant sections under the “Continue Reading” window below, but in sum HHS removed the requirement of obtaining prior patient authorization after reviewing numerous public comments on the issue and concluding that:

As a result of the large number of treatment-related obstacles raised by various types of health care providers that would have been required to obtain consent, the Department became concerned that individual fixes would be too complex and could possibly overlook important problems. Instead, the Department proposed an approach designed to protect privacy interests by affording patients the opportunity to engage in important discussions regarding the use and disclosure of their health information through the strengthened notice requirement, while allowing activities that are essential to quality health care to occur unimpeded ...

The Final HIPAA Privacy Rule was adopted after HHS released multiple proposed versions, considered significant public comment, and followed administrative rule-making procedures -- all over the course of almost 3 years. Thus, as policies are recommended and developed for the HIE context, prior debate and dialogue is relevant and should not be forgotten or dismissed.
