ONC Sells Successes of Health IT Adoption to Congress in Annual Report

The ONC released its second annual report on the adoption of health IT this past June.  The report provides a snapshot of the nation's efforts and continuing barriers to health IT adoption.  Although EHRs have been lambasted lately by Congress, the report primarily covers the ongoing big "wins" for health IT adoption: increased participation in the Medicare and Medicaid EHR Incentive Programs ("Meaningful Use") in 2012, increased adoption of EHR technology among physicians and hospitals and increased eRx, and various federal and state HIE and HIT efforts.

For example, CMS is more than happy to report that over half of the nation's eligible professionals have received payments through Meaningful Use as of April 2013, with about 80% of eligible hospitals receiving incentive payments as well. Among the 50 States, only 8 do not have mechanisms broadly available statewide for directed exchange, whether fully implemented or in pilot phases; New Jersey is one of those 8. And 36 states have query-based exchange available either statewide or through at least certain regions.

The report also highlights the variety of programs, pilots and regulatory efforts undertaken by CMS and ONC, among others, and the success these have had since the passage of the HITECH Act. However, ONC acknowledges the barriers that remain for health IT, particularly interoperability, and remains committed to developing flexible, modular standards and policies for the interaction and exchange of information among various types of systems. 

To help support interoperability, the State HIE Program recently released a set of online training modules for providers, supporting the roll-out of Meaningful Use Stage 2 set to kick off this October for eligible hospitals, and January 2014 for eligible providers. The Standards and Interoperability ("S&I") Framework continues to work with stakeholders in the vendor and provider communities to identify barriers and their solutions to achieving national interoperability.  And the public/private partnership through the national eHealth Exchange (formerly the Nationwide Health Information Network or NwHIN) continues as ONC's "incubator of innovation" in HIE.

Additional efforts highlighted by ONC include:

  • improving consumer and provider confidence and trust in health IT and HIE;
  • engaging consumers in their ehealth and identifying solutions for consumers to better control and direct the flow of their information through HIE;
  • gathering data through various public forums and surveys on privacy and security concerns for safeguarding health information in health IT;
  • development of interactive tools for providers to assess mobile device security as well as general security tools for safeguarding electronic PHI and EHRs, and minimizing breaches;
  • identifying strategies for improving coordination and integration of behavioral health providers into broader health IT efforts, including launching an interstate Direct behavioral health pilot; and
  • identifying strategies for improving coordination and integration of long-term and post-acute care providers into broader health IT efforts.

For the entire snapshot of the nation's health IT status, read the full report with its easy-to-read charts and graphs.  You may be surprised at how much ONC has been involved with and that has happened in the evolution of health IT and HIE.  

Deciphering the HITECH Omnibus Rule: Business Associates

Since the HITECH Notice of Proposed Rulemaking (NPRM) was released in July of 2010, covered entities and business associates have been waiting (im)patiently for the Final HITECH Omnibus Rule to be released.  As of this past Thursday, we all finally have some guidance on how to implement provisions of the HITECH Act, including but not limited to provisions governing business associate and subcontractor liability, individual access rights, fundraising, marketing, breach standards, and much more. 

True to its name, the HITECH “Omnibus” Rule or Final Rule packs in a lot of changes to the HIPAA Privacy and Security Rules, enforcement provisions and breach notification requirements of the HITECH Act, as well as amendments to GINA and handling of genetic information.  To make dissecting this 500+ page rule manageable, the next few posts will focus on key aspects of the HITECH Final Rule, starting today with the provisions of the Final Rule which impact business associates and their subcontractors.

A covered entity is and has been required by HIPAA to enter into a HIPAA Business Associate Agreement (HIPAA BAA) with any entity that would create, receive or transmit PHI for or on their behalf in connection with certain health care operations purposes.  However, before the implementation of the HITECH Act, business associates of covered entities were not directly liable for improper uses or disclosures of protected health information (PHI) in the performance of services or functions. 

Ultimately, only covered entities were responsible in the event a business associate failed to appropriately safeguard the PHI they were provided with or used/disclosed it improperly. However, as you know, HITECH made provisions of the Privacy and Security Rules directly applicable to business associates, with the NPRM proposing several modifications to the definition of a “business associate”, including adding Patient Safety Organizations and patient safety activities as well as certain health information exchange organizations (HIOs) and personal health record (PHR) activities.

The HITECH Final Rule modifies the definition of “business associate” to mean that a business associate is any person who “creates, receives, maintains, or transmits” PHI on behalf of a covered entity, in order to clarify that any entity that maintains PHI, such as a data storage organization, is a business associate even if it does not access or view the PHI.  PHR vendors will also be considered business associates where they provide PHRs for or on behalf of a covered entity, rather than simply establishing a connection for the covered entity to send PHI to the individual’s PHR.  Rather than acting simply as a “conduit”, the PHR vendor is maintaining PHI on behalf of the covered entity for the benefit of the individual.

For HIOs and other entities, they will be considered business associates where they (1) provide data transmission services with respect to PHI and (2) require routine access to the PHI.  The Preamble to the HITECH Final Rule clarifies “access on a routine basis” to mean circumstances where an entity requires access to PHI in order to perform services and functions on behalf of a covered entity, such as management of an exchange network through use of record locator and other services on behalf of its participants.  However, HHS recognizes that it will depend upon the circumstances and states its intention of issuing future guidance in this area. 

Most importantly, and perhaps a sore point for business associates and their subcontractors, the HITECH Final Rule makes subcontractors of a business associate that create, receive, maintain or transmit PHI on behalf of such business associate likewise HIPAA business associates.  Therefore, these downstream subcontractors will be subject to the same requirements that the first business associate is subject to.  Each business associate now also is required to have a HIPAA compliant BAA in place with its subcontractors, its subcontractor with its own subcontractors, and so forth down the chain of subcontractors no matter how long. 

HHS recognized that,

“The intent of the proposed extension of the Rules to subcontractors was to avoid having privacy and security protections for [PHI] lapse merely because a function is performed by an entity that is a subcontractor rather than an entity with a direct relationship with a covered entity.  Allowing such a lapse in privacy and security protections could allow business associates to avoid liability….”

Furthermore, the Preamble stated, “applying HIPAA privacy and security requirements directly to subcontractors also ensures that the privacy and security protections of the HIPAA Rules extend beyond covered entities to those entities that create or receive [PHI] in order for the covered entity to perform in health care functions.”

The HITECH Final Rule also provides some clarification as to when a business associate will be an “agent” of a covered entity.  Although generally determinations of whether a business associate will be acting as an agent of a covered entity are fact specific, the Preamble to the Final Rule makes it clear that federal common law agency principles will be applied, regardless of whether the parties consider or state themselves to be independent contractors.  If the covered entity has the right to control or direct any given service or function provided or performed by the business associate, then an agency relationship will likely be created (i.e., how a business associate will make available access to PHI by an individual).  

Liability for a business associate’s actions, however, will only extend to the scope of the agency. For example, if a business associate fails to limit PHI disclosed to the minimum necessary while performing services it was engaged by a covered entity to perform (as an agent), then the business associate is likely acting within the scope of agency.  However, a business associate’s conduct is outside the scope of agency where it acts for its own benefit or for that of a third party. 

Business associates are also subject to the HITECH marketing requirements, to be discussed in a future blog post.  And finally, the HITECH Final Rule applies certain other provisions of the Privacy Rule directly to business associates.  Business associates will have direct liability for impermissible uses or disclosures in violation of the HIPAA BAA or the Privacy Rule, as well as:

  • failure to disclose PHI where required by the Secretary;
  • failure to disclose PHI for access rights;
  • failure to limit PHI used/disclosed to the minimum necessary;
  • failure to obtain a HIPAA compliant BAA with subcontractors;
  • failure to provide breach notification;
  • failure to provide an accounting of disclosures (subject of a separate future rulemaking).

Covered entities and business associates are permitted under the Final Rule transition provisions to continue operating under existing HIPAA BAAs for up to one year beyond the compliance date of the Final Rule, or until the initial renewal/modification, whichever is earlier.  The minimum requirements of a HIPAA BAA were slightly modified by the Final Rule, and now:

  1. Must include the requirement that a business associate report any Breach of which it becomes aware to the covered entity, in addition to security incidents;
  2. Must include the requirement that a business associate, to the extent the business associate is to carry out a covered entity's obligation under the Privacy Rule, comply with the requirements that apply to the covered entity in the performance of such obligation; and
  3. Need not include the requirement that the covered entity report a business associate to the Secretary for patterns or practices which constitute a material breach or violation of the HIPAA BAA.

Stay tuned for a discussion of the new Breach Presumption and Risk Assessment requirements implemented by the Final Rule...

Kaiser Permanente Faces Investigation Over Inappropriate Storage of Patient Records by Contractor

Kaiser Permanente is facing investigation over the handling of approximately 300,000 patient records by a contract storage firm.  According to an article in the LA Times, Kaiser contracted with small business Sure File Filing System ("Sure File") to organize and clear out older patient records on its behalf.  As it turns out, the storage firm kept those patient records in a warehouse shared with an individual's party rental business and Ford Mustang, then in the storage firm's owner's personal garage and home.

Although Kaiser retrieved the paper records Sure File possessed upon termination of the contract in 2010, Kaiser recently filed suit, alleging that all of the patient records had not been returned or destroyed when its contract with Sure File was terminated. Patient records, according to Kaiser, were still maintained on hard drives that Stephan and Liza Dean, the couple who own and run Sure File, allegedly kept in their garage with the door open. When Kaiser sued for breach of contract and to recover the files, the hard drives were apparently relocated from the garage to the couple's home, and the patient records only deleted as of this past New Year's Eve.

The LA Times article states that HHS officials were notified last year when the Deans filed a complaint.  You read that right. The individuals responsible for storing the data in an unsecured warehouse, their garage and their house apparently were the ones who filed the complaint that patient records had not been handled appropriately by Kaiser. 

In addition, Stephan Dean reportedly threatened to contact patients directly to inform them of how Kaiser had mishandled their health information.  According to the article, Dean claims Kaiser employees repeatedly failed to maintain the privacy of patient information, citing multiple emails sent by hospital employees to him requesting and including patient-specific information such as social security numbers in an insecure manner.

Kaiser was confident that patient information was not disclosed or accessed inappropriately, although employees were disciplined for failing to follow policies.  Kaiser spokesman John Nelson stated,

 "Kaiser Permanente is committed to protecting the medical and personal privacy of its patients. In retrospect, we certainly wish we'd never done business with Mr. Dean."

It is not likely that Kaiser is squeaky clean in this mess, given it appears Kaiser failed at a minimum to have a proper HIPAA business associate agreement (HIPAA BAA) in place prior to releasing patient records to the contractor.  However, a bigger question is, if OCR is indeed investigating the mishandling of Kaiser's patient records, what liability may exist for the contractor?

Business associates are independently liable as a result of the HITECH Act for certain of the HIPAA Security Rule requirements, in particular, administrative, physical and technical safeguards for electronic PHI.  However, given the uncertainty surrounding business associate liability in the absence of a HITECH final rule, and because the majority of the activities associated with the contract took place prior to 2010, the contractor might only be on the hook contractually for failing to safeguard, return and/or destroy the patient records. Although enacted in 2009, many provisions of HITECH did not take effect until February of 2010.

Assuming Kaiser had obtained an appropriate HIPAA BAA from Sure File, at a minimum, the contractor would have agreed to implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic protected health information and/or appropriate safeguards to prevent use or disclosure of PHI other than as provided for by its contract.  I think we would all agree that storing hard drives with hundreds of thousands of patient records in your garage or home, or records in an unsecured shared warehouse space, is a far cry from implementing reasonable and appropriate safeguards, however reckless the other party may also have acted with regard to the information.

"Final Countdown" to the HITECH Omnibus Rule

The date for publication of the HITECH "Omnibus Rule" has become a contest for some. Data breach consultant IdExperts has launched a "Final Countdown" contest for individuals to guess the date on which the Omnibus Rule will actually be published as well as the total page count of the rule.

Originally submitted to the Office of Management and Budget back in March, the Omnibus Rule was due at the end of summer according to Farzad Mostashari but has been delayed indefinitely pending further review.  The Omnibus Rule would implement HITECH modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, as well as address the Genetic Information Non-Discrimination Act (GINA).  Ordinarily, the OMB has 90 days to review regulations, subject to certain extensions.

Contestants who enter have a chance to win an Amazon gift card, as well as have $2,500 donated in his or her name to the Wounded Warrior Project, a non-profit organization that provides benefits and services to veterans wounded during service.  To guess the date of publication and final page count, visit IdExperts.

HITECH Omnibus Rule Out by End of Summer

HealthDataManagement reports that the HITECH "Omnibus Rule" is due to be released by the end of the summer, according to Farzad Mostashari, the National Coordinator for Health Information Technology within the Office of the National Coordinator for Health Information Technology (ONC).  The announcement was made during his keynote given at the 2nd International Summit on the Future of Health Privacy last week.  The two-day Summit brought together leading experts in health privacy, focusing on the privacy implications of the digitization and electronic exchange of health information.

The long-awaited Omnibus Rule, which would implement HITECH modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, as well as address the Genetic Information Non-Discrimination Act (GINA), was sent for review before publication to the Office of Management and Budget (OMB) at the end of March.  Ordinarily, the OMB has 90 days to review regulations, subject to certain extensions. 

Of particular interest are regulations expected to clarify business associate liability, new restrictions on marketing and fundraising, and data breach enforcement and penalties, among others.  A final regulation on the HITECH changes to the HIPAA Accounting of Disclosure requirements is also expected, although it is unclear whether it will be released part and parcel with the HITECH Omnibus Rule. The Proposed Accounting of Disclosures Rule was published for public comment in May of 2011. 

During the keynote, Mostashari emphasized the importance of technical and cultural considerations to keep privacy protections at the center of ONC's efforts and activities, expanding the adoption of EHRs, and increasing public trust in electronic exchange of health information, saying,

"You can't get information exchange unless there's trust. We can't get a learning health system unless there's trust."

Mostashari noted that ONC is currently working with vendors to develop information system privacy functionalities "by design", with the goal of having privacy protections built into each information system, for example, encrypting personal identifiers when exchanging data. Stating that patients should never hear,

"Sorry, I can't give you your health records because of HIPAA",

Mostashari also noted the need for patients to be better educated on their privacy rights, in particular, how their information is used and how to submit complaints about violations or concerns, as well as for providers themselves to have a better understanding of their obligations under HIPAA. 

Are We Ready for the Nationwide Health Information Network? ONC Releases RFI for Governance of NwHIN

Currently, more than 500 hospitals and over 4,000 practices and clinics participate in the Nationwide Health Information Network (NwHIN).  According to the Federal Health Architecture (FHA) program in the Office of the National Coordinator for Health Information Technology (ONC), (InformationWeek, March 2012), most of the hospitals are those involved in programs operated by the Departments of Defense (DoD) and Veterans Affairs (VA).  Although participants also include entities such as Kaiser Permanente, health information exchanges or organizations (HIEs/HIOs) such as HealthBridge, and federal agencies including CMS, the DoD and VA, the overall percentage of participation in the NwHIN remains relatively low. 

The NwHIN is the set of standards, services, and policies developed to enable and ensure the secure electronic exchange of health information.  Geared originally towards larger HIEs/HIOs and other networks and systems, as envisioned, the NwHIN would be a network of networks among the States and their respective health care providers and hospitals facilitating the efficient exchange of electronic health information and promoting interoperability.  

Most stakeholders would agree that safeguards should be in place to protect the confidentiality, integrity and availability of health information as it is exchanged among health care providers and at a national level as well as to promote public trust in such electronic exchanges.  However, there remains a lack of consensus on where (and what) standards and processes should be set for such exchanges, deterring broader participation in the NwHIN, creating confusion, and inhibiting exchange among providers in general.  Currently, the various States as well as the private sector have implemented a variety of, and sometimes conflicting, approaches to how and under what conditions information can be exchanged electronically. 

In recognition of this and under order by the HITECH Act, ONC has released a Request for Information, "Nationwide Health Information Network: Conditions for Trusted Exchange” (RFI), seeking public comment on establishing a governance mechanism for the NwHIN and a form of “rules of the road” for electronic exchange.  The RFI seeks to identify potential rules and processes for trusted exchange of health information among the various health care providers and health information organizations or regional health information organizations and promoting trust and confidence among health care providers and their patients.   

“We believe that this is an opportune time to solicit input on how the governance mechanism for the nationwide health information network should be shaped and how we could effectively use our statutory authority to complement existing Federal regulations to support and enable nationwide electronic exchange. We also believe that a properly crafted governance mechanism could yield substantial public benefits, including: reduced burden and costs to engage in electronic exchange; added protections for consumers and health care providers; and, in the long-run, a more innovative, and efficient electronic exchange marketplace that would ultimately create an environment where electronic exchange is commonplace and ‘worry-free.’”  77 FR 28545.

In general, the RFI seeks public comment on five proposed areas and sets of questions which combined would create a framework for the electronic exchange of health information:

  1. Conditions for trusted exchange (CTEs), which would include safeguard, interoperability and business practice CTEs (those standards and implementation specifications as described in the HITECH Act),
  2. Validation process for conformance to CTEs as NwHIN network validated entities (NVE),
  3. Process for retiring and updating CTEs to address current exchange needs,
  4. Process for classifying the readiness of standards and implementation specifications to support interoperability related to CTEs, including identifying gaps needing to be filled to support nationwide electronic exchange, and
  5. Monitoring and transparent oversight, primarily by federal agencies, including ONC, OCR and the FTC, with some responsibilities delegated to the private sector.

Much like for certification of EHR technology in the Medicare and Medicaid EHR Incentive Programs, ONC would select an accrediting body responsible for the validation process of NVEs.  However, rather than focusing on and regulating only the product itself (e.g., the “certified” EHR technology), the services and activities performed by the entity itself would be the primary focus.  The NVE framework itself would be voluntary, with entities seeking validation as NVEs to the extent value is identified in seeking such validation, with of course, the ability as NVE status gains ground to be required as a condition of contracts, grants, and other relationships and procurements.

ONC clearly recognizes the critical need for flexibility and avoidance of a “one-size-fits-all” approach to governance and therefore would propose a variety of standards for electronic exchange, ranging from basic to more complex and ever-evolving exchange activities and use cases.  Entities contemplated which could seek status as an NVE would include EHR developers; regional, state, local or specialty-based health information exchanges; health information service providers; State agencies; Federal agencies, and integrated delivery networks.

Notably, ONC would propose that NVEs which were not otherwise Covered Entities or Business Associates comply with certain provisions of HIPAA, specifically 164.308, 164.310, 164.312, and 164.316.  NVEs in addition to complying with all of the HIPAA Security Rule's “required” implementation specifications would also be required to comply with those “addressable” as well, a proposition ONC is almost guaranteed to receive lively comment on.  NVEs would also be held to a more uniform set of policies and practices than those that would be required to comply with the HIPAA Privacy and Security Rules.

Consistent with previous recommendations of the HIT Policy Committee, ONC has not proposed that either an opt-out or opt-in mechanism would be required, but rather, that “meaningful choice” must be provided within three proposed exceptions, noting HIPAA baseline authorizations remain required for certain purposes: 

  1. For purposes of medical treatment;
  2. When information exchange is mandatorily required under law; or
  3. Where the NVE is acting solely as a conduit and not accessing or using the information beyond what is required to encrypt and route it to its intended destination.

Two other important proposals set forth by the RFI on which ONC has requested public comment are that NVEs would be required to either encrypt or make available encrypted channels for information to flow through, and that NVEs would not be permitted to use or disclose de-identified information for economic gain.  In addition, an NVE would be required to implement and use one of two types of transport specifications:  unsurprisingly, the Direct Project transport specifications, which may cause consternation for several HIEs, and the Exchange transport specifications.

The overarching question which needs to be answered for this RFI is, are we there yet? Are we ready to adopt a nationwide governance mechanism? If so, can we come to a consensus on those critical standards, services and activities which are necessary for efficient, effective and trusted exchange of health information, while keeping the flexibility and responsiveness needed to support the broad array of electronic exchange activities as they evolve?

A Notice of Proposed Rulemaking (NPRM) would be the next step after ONC’s consideration of public comments.  Public comments on the RFI are due June 14, 2012 and may be submitted online at https://www.federalregister.gov/articles/2012/05/15/2012-11775/nationwide-health-information-network-conditions-for-trusted-exchange

NOTE: As of June 5, ONC has extended the deadline for public comments on the RFI until Friday, June 29, 2012.  Comments must be submitted by 11:59PM Eastern Daylight Time.

Feb 29th is Last Day to Report Breaches of <500 to HHS!

For those that have been logging their "small" Breaches (i.e., less than 500 individuals affected) and waiting to report them to HHS at the end of the year, next Wednesday, February 29th is the LAST day to get your information entered into HHS' Breach reporting website.  While covered entities may opt to report each small Breach to HHS throughout the year (i.e., including the onsies and twosies), the other option is to log each small Breach during the calendar year and report all such small breaches to HHS within 60 days of the end of such applicable calendar year. 

A couple of important points to note about reporting small breaches to HHS:  

First, the HHS-reporting "buck" stops with the covered entity, not the Business Associate. Even if a breach was caused by a Business Associate (BA), under the current HITECH Breach Rule the BA's only reporting obligation is to the covered entity; the covered entity is solely responsible for reporting all reportable Breaches to HHS. 

Second, follow a 'GOLDILOCKS rule' of 'Not too much, not too little -- just right'. Covered entities must report all relevant information requested on HHS' online reporting form. However, there are several fields that ask for a typed response.  For example, HHS asks for a "brief description of the breach" including how it happened, any additional information about the breach, type of media and PHI. HHS similarly asks the covered entity to describe "other actions taken" in response to the Breach. But, while a covered entity must report what it is required to report by law, offering too much information (including impermissibly disclosing patients' PHI, among other things) could land the covered entity in hot water.

Finally, you better have remembered to collect ALL the required information on your Breach Log!  A covered entity that is planning to report small Breaches at the end of the calendar year must plan ahead and know what information to collect and document, and hint: it's a lot of information that you might not be able to recall at the end of the year unless you documented it as you went along.  Among the information that covered entities should be collecting about each "small" breach includes:

  • Date of the Breach? 
  • Date the Breach was Discovered?
  • Approximate number of individuals affected?
  • What "type" of breach was it? (select: theft, loss, improper disposal, unauthorized access, hacking/IT incident, other, or unknown)
  • Location of the Breach? (select: laptop, desktop computer, network server, e-mail, portable electronic devices, electronic medical record, paper, other)
  • What type of information was involved? (select : demographic info, financial info, clinical info, other) 
  • What safeguards were in place prior to the Breach? (select: firewalls, packet filtering, secure browser sessions, strong authentication, encrypted wireless, physical security, logical access control, antivirus software, intrusion detection, biometrics) 
  • Date individuals were notified? (note: this date should never be more than 60 days after the Date of Discovery entered, and in any case any "unreasonable delay" in notifying individuals (even if less than 60 days) could trigger a closer look by HHS).
  • Actions taken in response (select : privacy & security safeguards, mitigation, sanctions, policies and procedures, or other) 

Even though HHS withdrew the Interim Final Breach Notification Rule during the summer of 2010 (and even though we continue to wait for a final revised version of that rule to be published), covered entities are still required to report all Breaches (if there is a positive "Harm" determination) to HHS. HHS specifically points out on its website that "[u]ntil such time as a new final rule is issued, the Interim Final Rule that became effective on September 23, 2009, remains in effect."


HITECH Omnibus and AOD Rules Set for OMB Review

Health Data Management reports that the long-awaited HITECH Omnibus Rule as well as the Accounting of Disclosures (AOD) Rule are set for OMB review.  Expected also are proposed regulations for Meaningful Use Stage 2.  HHS released its semi-annual regulatory agenda in January to the Office of Management and Budget (OMB).  As with other agencies, the agenda identifies key regulatory priorities over the next months.

The HITECH Omnibus Rule is expected for publication in March of this year with the AOD Rule not until June.  The proposed regulations for Meaningful Use Stage 2 are still expected this month, February.  While OMB review could hypothetically take a matter of weeks, the OMB may take up to ninety (90) days to review regulations before publication, as well as potentially extend the deadline.

State AG Brings First HIPAA Lawsuit Against Business Associate

Last month, I posted how treatment of business associates during HIPAA investigations remains unclear as well as assignment of liability for breaches of PHI.  A final "omnibus rule" is expected to clarify the HITECH business associate (and other) provisions this year, but in the meantime, much confusion remains.

Despite the lack of final business associate rules, and confusion or not, Minnesota has dived head first into action against a business associate for HIPAA violations.  In the first HIPAA enforcement action directly against a business associate, Minnesota Attorney General Lori Swanson has brought an action against Accretive Health, Inc., pursuant to her authority under HITECH.  In addition, multiple violations of Minnesota law are alleged, including the Minnesota Health Records Act, debt collection statutes, and consumer protection laws.

Accretive functions in multiple capacities for covered entities in Minnesota, including as treatment coordinator, debt collector and quality cost control and management partner.  A breach last summer of data compiled by Accretive resulting from a stolen unencrypted laptop left in a rental car by an employee affected at least 23,531 patients.  Information that was on the laptop included personal identifying information (name, address, phone number, Social Security Number), "medical scores" predicting the frailty, complexity and likelihood a patient would be admitted to the hospital, and dollar amounts allocated to the patient's health care provider, as well as whether patients had certain conditions such as bipolar disorder, depression, high blood pressure, asthma and back pain.

    The HIPAA violations are quite extensive, with the complaint alleging:

    • failure to implement policies and procedures to prevent, detect, contain and correct security violations;
    • failure to implement policies and procedures to ensure appropriate access to electronic PHI by members of its workforce and prevent those without authorized access from accessing such PHI in violation of HIPAA;
    • failure to effectively train all members of its workforce, agents and independent contractors, on the policies and procedures regarding PHI as necessary and appropriate to carry out their functions and maintain security of the PHI;
    • failure to identify and respond to suspected or known security incidents and mitigate to the extent practicable harmful effects known to them;
    • failure to implement policies and procedures to limit physical access;
    • failure to implement policies and procedures governing receipt and removal of hardware and electronic media containing electronic PHI within and without the facility;
    • failure to implement technical policies and procedures for electronic information systems to allow access only to those granted access rights; and
    • failure to implement policies and procedures as otherwise required by HIPAA.

    Almost more interesting than the alleged HIPAA violations (and what could potentially have been one of the driving forces behind the Attorney General taking action rather than the HIPAA violations), the complaint also alleges deceptive and fraudulent practices in that Accretive failed to disclose how much health information it was collecting on patients and its involvement in their health care, detailing in great length the importance of transparency for patients and the doctor-patient relationship.  In the press release, Attorney General Swanson stated,

    “Accretive showcases its activities to Wall Street investors but hides them from Minnesota patients.  Hospital patients should have at least the same amount of information about Accretive’s extensive role in their health care that Wall Street investors do.”

    This action has the potential to set precedent in Minnesota as to just how much transparency and information should be viewed as "necessary" for patients to make informed choices regarding their health care and medical records and the extent to which health care entities must take affirmative action to notify patients of their role in their health care.   

    Although the extensive HIPAA violations are merely one drop in the bucket of allegations against Accretive (e.g., fraud and deceptive practices, failure to notify of status as debt collector, release of health records in violation of the Minnesota Health Records Act), the enforcement action against Accretive makes it quite clear that covered entities aren't the only ones who need to be scrambling to get their ducks in a row.  While other state Attorneys General have previously brought actions against covered entities (e.g., Vermont, Indiana, Connecticut), now that a state has gone after a business associate directly, it would not come as a surprise to see other states joining in, even despite the lack of business associate rules.

    For more information regarding what covered entities and business associates can do to prepare for a HIPAA audit or ward off the potential for enforcement action against them, see our November 17 blog post with links to additional HIPAA resources.  A copy of the complaint against Accretive may also be found here.

    HHS Releases Proposed Rule for Accounting of Disclosures

    A Notice of Proposed Rulemaking (NPRM) concerning the accounting of disclosures (AOD) requirement under the HIPAA Privacy Rule was posted last Friday, May 31, 2011.  The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) states in its Press Release regarding the NPRM:

    This proposed rule represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard private health information . . . We need to protect peoples’ rights so that they know how their health information has been used or disclosed.

    HHS points out that people would obtain this information by requesting an access report, which would document the particular persons who electronically accessed and viewed their protected health information (PHI). Although covered entities are currently required by the HIPAA Security Rule to track access to electronic PHI, they are not required to share this information with patients.  HHS also points out that the NPRM requires an accounting of more detailed information for certain disclosures that are most likely to affect a person’s rights or interests.

    Interestingly, with regard to health information exchange (HIE) specifically, HHS notes in the Preamble to the NPRM that it considered but rejected requiring that a full accounting of disclosures be made through a HIE at this time.  However, HHS states its intentions to work with ONC to assess whether standards for exchanges of information should include information about the purpose of each transaction.  It also notes that to the extent such information would fall under a disclosure required to be accounted for (e.g., public health), the individual would still have a right to learn of such a disclosure.

    For a summary of the AOD NPRM prepared by Attorneys at Oscislawski LLC, click here.

    Public comments are due by August 1, 2011 and can be submitted by clicking here.

    OCR Will Address Almost Everything in HITECH Omnibus Rule

    HealthDataManagement has quoted Susan McAndrew, deputy director of health information privacy in the Department of Health and Human Services, OCR, as saying that the final rules implementing the HITECH Act are to be released within months, if not weeks.  Deputy Director McAndrew recently spoke at the Safeguarding Health Information conference OCR hosted with the National Institute of Standards and Technology (NIST) in Washington.

    The long-awaited rule will be an "omnibus regulation" that is said to include final versions of:

    • the proposed rule to expand HIPAA privacy and security protections;
    • the Breach Notification Interim Final Rule; 
    • the Enforcement and Compliance Interim Final Rule; and
    • the GINA proposed rule.

    Notably, McAndrew is quoted as saying:

    We want to ensure that when we do the final HITECH action it contains as much activity as we can

    Significantly, HealthDataManagement reports that the omnibus final rule will cover new information protection requirements for:

    • business associates and subcontractors,
    • electronic access,
    • research authorizations,
    • student immunization records,
    • restrictions on marketing,
    • restrictions on fundraising, and
    • prohibition on sale of protected health information.

    McAndrew is also reported to have indicated that a separate proposed rule will be issued after the omnibus regulation, and will govern accounting for disclosures (AOD) even for payment, treatment and health plan operations.  McAndrew is quoted as saying that the AOD proposed rule is “very close” to being ready.

    Oh where, Oh where has the Security Breach Rule gone?

    Today, I was going to draft a follow up article to my previous post to address whether notification was required under the Security Breach Notification Rule. However, when I sat down to begin typing, I discovered that the Breach Rule was gone! Well, maybe not exactly gone, but at least “withdrawn”.

    HHS recently posted on its website the following:

    At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months. Until such time as a new final rule is issued, the Interim Final Rule that became effective on September 23, 2009, remains in effect.

    So now what?

    For starters, HHS made clear in its last statement that the Interim Final Rule that went into effect in September remains in effect. Therefore, whatever “difficulties” HHS/OMB/OCR may be having with regard to administering or enforcing compliance, this does not automatically give covered entities or business associates a “free pass” to not report Breaches if an incident warrants such notification (to patients, OCR or otherwise) under the Interim Final Rule. As of today, OCR’s website set up to receive breach notifications is still up and running, and so covered entities should continue to make any required reports of breaches through that website. Also, entities should be mindful that if their state has implemented a breach notification statute (as many have), then such state law must still be complied with. To see if your state has such a law, visit NCSL's website.

    As for what HHS will be doing to the Breach Rule, it’s not clear. It has been suggested that the withdrawal may have been prompted to address certain privacy groups’ concerns regarding the “Harm” threshold. In particular, the Harm threshold has been heavily criticized by some as creating a loophole to avoid reporting by Business Associates, who are required ONLY to notify the Covered Entity regarding a Breach (which then triggers the Covered Entity’s obligation to notify HHS and patients of the Breach caused by the BA). Specifically, as the Breach Rule currently reads, a Business Associate is entitled to go through the same Harm analysis in order to decide whether or not to report the Breach to the Covered Entity. Some have compared this to the “fox guarding the chicken coop”. Nevertheless, I don’t believe that this warrants complete removal of the Harm balancing from the Breach Rule, and here is why:
