Feb 29th is Last Day to Report Breaches of <500 to HHS!

For those who have been logging their "small" Breaches (i.e., breaches affecting fewer than 500 individuals) and waiting to report them to HHS at the end of the year, next Wednesday, February 29th, is the LAST day to get your information entered into HHS' Breach reporting website.  Covered entities may report each small Breach to HHS as it occurs during the year (including the onesies and twosies); the other option is to log each small Breach during the calendar year and report all such small breaches to HHS within 60 days after the end of that calendar year, which for breaches logged in 2011 means February 29, 2012. 

A couple of important points to note about reporting small breaches to HHS:  

First, the HHS-reporting "buck" stops with the covered entity, not the Business Associate. Even if a breach was caused by a Business Associate (BA), under the current HITECH Breach Rule the BA's only reporting obligation is to the covered entity; the covered entity is solely responsible for reporting all reportable Breaches to HHS. 

Second, follow a 'GOLDILOCKS rule' of 'Not too much, not too little -- just right'. Covered entities must report all relevant information requested on HHS' online reporting form. However, several fields ask for a typed response.  For example, HHS asks for a "brief description of the breach," including how it happened, any additional information about the breach, and the type of media and PHI involved. HHS similarly asks the covered entity to describe "other actions taken" in response to the Breach. But while a covered entity must report what the law requires it to report, offering too much information (including impermissibly disclosing patients' PHI in those free-text fields, among other things) could land the covered entity in hot water.

Finally, you had better have remembered to collect ALL the required information on your Breach Log!  A covered entity that plans to report small Breaches at the end of the calendar year must plan ahead and know what information to collect and document. Hint: it's a lot of information that you will not be able to recall at the end of the year unless you documented it as you went along.  The information covered entities should be collecting about each "small" breach includes:

  • Date of the Breach? 
  • Date the Breach was Discovered?
  • Approximate number of individuals affected?
  • What "type" of breach was it? (select: theft, loss, improper disposal, unauthorized access, hacking/IT incident, other, or unknown)
  • Location of the Breach? (select: laptop, desktop computer, network server, e-mail, portable electronic devices, electronic medical record, paper, other)
  • What type of information was involved? (select : demographic info, financial info, clinical info, other) 
  • What safeguards were in place prior to the Breach? (select: firewalls, packet filtering, secure browser sessions, strong authentication, encrypted wireless, physical security, logical access control, antivirus software, intrusion detection, biometrics) 
  • Date individuals were notified? (note: this date should never be more than 60 days after the Date of Discovery entered, and in any case any "unreasonable delay" in notifying individuals (even if less than 60 days) could trigger a closer look by HHS).
  • Actions taken in response (select : privacy & security safeguards, mitigation, sanctions, policies and procedures, or other) 

Even though HHS withdrew the final Breach Notification Rule from OMB review during the summer of 2010 (and even though we continue to wait for a revised final version of that rule to be published), covered entities are still required to report all Breaches (if there is a positive "Harm" determination) to HHS. HHS specifically points out on its website that "[u]ntil such time as a new final rule is issued, the Interim Final Rule that became effective on September 23, 2009, remains in effect."
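As an added example (not code from the original post, and not an HHS tool), the following script models a breach log built around the fields listed above and checks each entry against the two timing rules the post describes: individuals notified within 60 days of discovery, and the year's small breaches reported within 60 days after December 31. The BreachEntry record, the 60-day constants, and the SSN pattern used to flag over-sharing in the free-text description are this example's own assumptions; the allowed values are the "select" options quoted from the HHS form. The sample log entries are constructed and fictional.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Allowed values, taken from the "select" lists on the HHS form as quoted above.
BREACH_TYPES = {"theft", "loss", "improper disposal", "unauthorized access",
                "hacking/IT incident", "other", "unknown"}
LOCATIONS = {"laptop", "desktop computer", "network server", "e-mail",
             "portable electronic devices", "electronic medical record",
             "paper", "other"}
INFO_TYPES = {"demographic info", "financial info", "clinical info", "other"}
SAFEGUARDS = {"firewalls", "packet filtering", "secure browser sessions",
              "strong authentication", "encrypted wireless", "physical security",
              "logical access control", "antivirus software",
              "intrusion detection", "biometrics"}
ACTIONS = {"privacy & security safeguards", "mitigation", "sanctions",
           "policies and procedures", "other"}

NOTIFY_WINDOW = timedelta(days=60)         # individuals: within 60 days of discovery
ANNUAL_REPORT_WINDOW = timedelta(days=60)  # small breaches: 60 days after Dec 31
SMALL_BREACH_LIMIT = 500                   # fewer than 500 individuals = "small"

# Crude heuristic for the "Goldilocks" point (assumption, not an HHS rule): a
# free-text description carrying an SSN-shaped string is disclosing PHI it should not.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class BreachEntry:
    """One row of the breach log (hypothetical record layout)."""
    breach_date: date
    discovery_date: date
    individuals_affected: int
    breach_type: str
    location: str
    info_types: set
    safeguards: set
    actions: set
    description: str
    notified_date: Optional[date] = None   # None = individuals not yet notified


def annual_report_deadline(year: int) -> date:
    """Last day to report a calendar year's small breaches to HHS:
    60 days after December 31 of that year (Feb 29, 2012 for 2011)."""
    return date(year, 12, 31) + ANNUAL_REPORT_WINDOW


def validate(entry: BreachEntry) -> list:
    """Return the problems found; an empty list means the entry is complete
    and consistent with the rules described in the post."""
    problems = []
    if entry.discovery_date < entry.breach_date:
        problems.append("discovery date precedes breach date")
    if entry.individuals_affected >= SMALL_BREACH_LIMIT:
        problems.append("500 or more individuals: not a 'small' breach, "
                        "do not hold it for the annual report")
    if entry.breach_type not in BREACH_TYPES:
        problems.append(f"unknown breach type {entry.breach_type!r}")
    if entry.location not in LOCATIONS:
        problems.append(f"unknown location {entry.location!r}")
    for name, values, allowed in (("info type", entry.info_types, INFO_TYPES),
                                  ("safeguard", entry.safeguards, SAFEGUARDS),
                                  ("action", entry.actions, ACTIONS)):
        for bad in sorted(set(values) - allowed):
            problems.append(f"unknown {name} {bad!r}")
    if not entry.description.strip():
        problems.append("missing brief description of the breach")
    elif SSN_PATTERN.search(entry.description):
        problems.append("description appears to contain an SSN (too much information)")
    if entry.notified_date is None:
        problems.append("individuals not yet notified")
    elif entry.notified_date < entry.discovery_date:
        problems.append("notification date precedes discovery date")
    elif entry.notified_date - entry.discovery_date > NOTIFY_WINDOW:
        problems.append("individuals notified more than 60 days after discovery")
    return problems


def annual_batch(entries, year):
    """Split one calendar year's log (keyed on discovery date, an assumption)
    into entries ready to report and entries still held for problems."""
    ready, held = [], []
    for e in entries:
        if e.discovery_date.year != year:
            continue
        (held if validate(e) else ready).append(e)
    return ready, held, annual_report_deadline(year)


# Constructed sample log: fictional entries, not real incidents.
SAMPLE_LOG = [
    BreachEntry(date(2011, 3, 2), date(2011, 3, 4), 12, "loss", "paper",
                {"demographic info"}, {"physical security"},
                {"policies and procedures"},
                "Misfiled intake forms recovered from a shared bin.",
                notified_date=date(2011, 3, 20)),
    BreachEntry(date(2011, 7, 10), date(2011, 7, 11), 3, "e-mail misdirect", "e-mail",
                {"clinical info"}, {"logical access control"}, {"mitigation"},
                "Visit summary for patient 123-45-6789 sent to the wrong address.",
                notified_date=date(2011, 9, 30)),
]

if __name__ == "__main__":
    ready, held, deadline = annual_batch(SAMPLE_LOG, 2011)
    print(f"report {len(ready)} entries by {deadline}; {len(held)} held back")
    for e in held:
        for p in validate(e):
            print(" -", p)
```

Run as written, the first sample entry passes and the second is held back with three findings: a breach type that is not one of the form's options, an SSN in the free-text description, and a notification made 81 days after discovery. The deadline computed for 2011 is February 29, 2012, matching the date in the post; for a non-leap year the same 60-day window lands on March 1.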


    HITECH Omnibus and AOD Rules Set for OMB Review

    Health Data Management reports that the long-awaited HITECH Omnibus Rule as well as the Accounting of Disclosures (AOD) Rule are set for OMB review.  Expected also are proposed regulations for Meaningful Use Stage 2.  HHS released its semi-annual regulatory agenda in January to the Office of Management and Budget (OMB).  As with other agencies, the agenda identifies key regulatory priorities over the next months.

    The HITECH Omnibus Rule is expected for publication in March of this year, with the AOD Rule not until June.  The proposed regulations for Meaningful Use Stage 2 are still expected this month, February.  While OMB review could hypothetically take a matter of weeks, OMB may take up to ninety (90) days to review regulations before publication, and may extend that period. 

    State AG Brings First HIPAA Lawsuit Against Business Associate

    Last month, I posted about how the treatment of business associates during HIPAA investigations remains unclear, as does the assignment of liability for breaches of PHI.  A final "omnibus rule" is expected to clarify the HITECH business associate (and other) provisions this year, but in the meantime much confusion remains. 

    Despite the lack of final business associate rules, and confusion or not, Minnesota has dived headfirst into action against a business associate for HIPAA violations.  In the first HIPAA enforcement action brought directly against a business associate, Minnesota Attorney General Lori Swanson has sued Accretive Health, Inc., pursuant to her authority under HITECH.  The complaint also alleges multiple violations of Minnesota law, including the Minnesota Health Records Act, debt collection statutes, and consumer protection laws.

    Accretive functions in multiple capacities for covered entities in Minnesota, including as treatment coordinator, debt collector, and quality cost control and management partner.  A breach last summer, in which an unencrypted laptop holding data compiled by Accretive was stolen from a rental car where an employee had left it, affected at least 23,531 patients.  The laptop held personal identifying information (name, address, phone number, Social Security Number), "medical scores" predicting each patient's frailty and complexity and the likelihood that the patient would be admitted to the hospital, dollar amounts allocated to the patient's health care provider, and whether patients had certain conditions such as bipolar disorder, depression, high blood pressure, asthma and back pain.

    The HIPAA violations are quite extensive, with the complaint alleging:

    • failure to implement policies and procedures to prevent, detect, contain and correct security violations;
    • failure to implement policies and procedures to ensure appropriate access to electronic PHI by members of its workforce and prevent those without authorized access from accessing such PHI in violation of HIPAA;
    • failure to effectively train all members of its workforce, agents and independent contractors, on the policies and procedures regarding PHI as necessary and appropriate to carry out their functions and maintain security of the PHI;
    • failure to identify and respond to suspected or known security incidents and mitigate, to the extent practicable, harmful effects known to them;
    • failure to implement policies and procedures to limit physical access;
    • failure to implement policies and procedures governing receipt and removal of hardware and electronic media containing electronic PHI within and without the facility;
    • failure to implement technical policies and procedures for electronic information systems to allow access only to those granted access rights; and
    • failure to implement policies and procedures as otherwise required by HIPAA.

    Almost more interesting than the alleged HIPAA violations (and potentially one of the driving forces behind the Attorney General's decision to act), the complaint also alleges deceptive and fraudulent practices: that Accretive failed to disclose how much health information it was collecting on patients and how involved it was in their health care.  The complaint dwells at great length on the importance of transparency for patients and for the doctor-patient relationship.  In the press release, Attorney General Swanson stated,

    “Accretive showcases its activities to Wall Street investors but hides them from Minnesota patients.  Hospital patients should have at least the same amount of information about Accretive’s extensive role in their health care that Wall Street investors do.”

    This action has the potential to set precedent in Minnesota as to just how much transparency and information should be viewed as "necessary" for patients to make informed choices regarding their health care and medical records and the extent to which health care entities must take affirmative action to notify patients of their role in their health care.   

    Although the extensive HIPAA violations are merely one drop in the bucket of allegations against Accretive (e.g., fraud and deceptive practices, failure to notify of status as debt collector, release of health records in violation of the Minnesota Health Records Act), the enforcement action against Accretive makes it quite clear that covered entities aren't the only ones who need to be scrambling to get their ducks in a row.  While other state Attorneys General have previously brought actions against covered entities (e.g., Vermont, Indiana, Connecticut), now that a state has gone after a business associate directly, it would not come as a surprise to see other states join in, despite the lack of business associate rules.

    For more information regarding what covered entities and business associates can do to prepare for a HIPAA audit or ward off the potential for enforcement action against them, see our November 17 blog post with links to additional HIPAA resources.  A copy of the complaint against Accretive may also be found here.

    HHS Releases Proposed Rule for Accounting of Disclosures

    A Notice of Proposed Rulemaking (NPRM) concerning the accounting of disclosures (AOD) requirement under the HIPAA Privacy Rule was posted last Friday, May 31, 2011.  The U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) states in its Press Release regarding the NPRM:

    This proposed rule represents an important step in our continued efforts to promote accountability across the health care system, ensuring that providers properly safeguard private health information . . . We need to protect peoples’ rights so that they know how their health information has been used or disclosed.

    HHS points out that people would obtain this information by requesting an access report, which would document the particular persons who electronically accessed and viewed their protected health information (PHI). Although the HIPAA Security Rule already requires covered entities to track access to electronic PHI, it does not require them to share this information with patients.  HHS also points out that the NPRM would require an accounting of more detailed information for certain disclosures that are most likely to affect a person's rights or interests.

    Interestingly, with regard to health information exchange (HIE) specifically, HHS notes in the Preamble to the NPRM that it considered but rejected requiring that a full accounting of disclosures be made through a HIE at this time.  However, HHS states its intentions to work with ONC to assess whether standards for exchanges of information should include information about the purpose of each transaction.  It also notes that to the extent such information would fall under a disclosure required to be accounted for (e.g., public health), the individual would still have a right to learn of such a disclosure.

    For a summary of the AOD NPRM prepared by Attorneys at Oscislawski LLC, click here.

    Public comments are due by August 1, 2011 and can be submitted by clicking here.

    OCR Will Address Almost Everything in HITECH Omnibus Rule

    Health Data Management has quoted Susan McAndrew, deputy director of health information privacy in the Department of Health and Human Services, OCR, as saying that the final rules implementing the HITECH Act are to be released within months, if not weeks.  Deputy Director McAndrew recently spoke at the Safeguarding Health Information conference OCR hosted with the National Institute of Standards and Technology (NIST) in Washington.

    The long-awaited rule will be an "omnibus regulation" that is said to include final versions of:

    • the proposed rule to expand HIPAA privacy and security protections;
    • the Breach Notification Interim Final Rule; 
    • the Enforcement and Compliance Interim Final Rule; and
    • the GINA proposed rule.

    Notably, McAndrew is quoted as saying:

    We want to ensure that when we do the final HITECH action it contains as much activity as we can

    Significantly, Health Data Management reports that the omnibus final rule will cover new information protection requirements for:

    • business associates and subcontractors,
    • electronic access,
    • research authorizations,
    • student immunization records,
    • restrictions on marketing,
    • restrictions on fundraising, and
    • prohibition on sale of protected health information.

    McAndrew is also noted to have indicated that a separate proposed rule will be issued after the omnibus regulation, and will govern accounting for disclosures (AOD) even for payment, treatment and health plan operations.  McAndrew is quoted as saying that the AOD proposed rule is “very close” to being ready.

    Oh where, Oh where has the Security Breach Rule gone?

    Today, I was going to draft a follow up article to my previous post to address whether notification was required under the Security Breach Notification Rule. However, when I sat down to begin typing, I discovered that the Breach Rule was gone! Well, maybe not exactly gone, but at least “withdrawn”.

    HHS recently posted on its website the following:

    At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months. Until such time as a new final rule is issued, the Interim Final Rule that became effective on September 23, 2009, remains in effect.

    So now what?

    For starters, HHS made clear in its last statement that the Interim Final Rule that went into effect in September remains in effect. Therefore, whatever "difficulties" HHS/OMB/OCR may be having with regard to administering or enforcing compliance, this does not automatically give covered entities or business associates a "free pass" to not report Breaches if an incident warrants such notification (to patients, OCR or otherwise) under the Interim Final Rule. As of today, OCR's website set up to receive breach notifications is still up and running, and so covered entities should continue to make any required reports of breaches through that website. Also, entities should be mindful that if their state has implemented a breach notification statute (as many have), then such state law must still be complied with. To see if your state has such a law, visit NCSL's website.  

    As for what HHS will be doing to the Breach Rule? … it’s not clear. It has been suggested that the withdrawal may have been prompted to address certain privacy groups’ concerns regarding the “Harm” threshold. Particularly, the Harm threshold has been heavily criticized by some as creating a loophole to avoid reporting by Business Associates who are required ONLY to notify the Covered Entity regarding a Breach (which then triggers the Covered Entity’s obligation to notify HHS and patients of the Breach caused by the BA). Specifically, as the Breach Rule currently reads, a Business Associate is entitled to go through the same Harm analysis in order to decide whether or not to report the Breach to the Covered Entity. Some have compared this to the “fox guarding the chicken coop”. Nevertheless, I don’t believe that this warrants complete removal of the Harm balancing from the Breach Rule, and here is why:
