Using a lavish press conference as the backdrop, HHS officials announced yesterday proposed changes to the HIPAA regulations as well as an updated web page listing those breaches impacting more than 500 individuals. The purpose of the new Rules issued yesterday is to align the HIPAA rules with the HITECH Act passed last year. Specifically, the press announcement states:
The proposed modifications to the HIPAA Rules issued today include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans. In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.
Under the proposed Rules (which are 234 pages in length), (1) individuals would have more convenient access to their protected health information (PHI) if available in electronic format; (2) covered entities would only need to protect the health information of decedents for 50 years after their death, as opposed to protecting the information in perpetuity as is required by current HIPAA requirements; and (3) the definition of who constitutes a business associate is expanded.
If these proposed rules are adopted, the expanded view of what constitutes a business associate will include the following:
We propose to add language in paragraph (3)(iii) of the definition of “business associate” to provide that subcontractors of a covered entity – i.e., those persons that perform functions for or provide services to a business associate, other than in the capacity as a member of the business associate’s workforce, are also business associates to the extent that they require access to protected health information. We also propose to include a definition of “subcontractor” in §160.103 to make clear that a subcontractor is a person who acts on behalf of a business associate, other than in the capacity of a member of the workforce of such business associate. Even though we use the term “subcontractor,” which implies there is a contract in place between the parties, we note that the definition would apply to an agent or other person who acts on behalf of the business associate, even if the business associate has failed to enter into a business associate contract with the person.
During the coming weeks there will be much analysis given to these proposed Rules, but when it is all sorted out, it is anticipated that the above-listed three changes will be deemed to be among the more significant. Giving individuals the ability to access their PHI in a particular electronic format will drive up costs, limiting record keeping to 50 years will reduce costs given current encryption technologies, and expanding the definition of business associates to a vague circular definition will throw a monkey wrench into just about any entity looking to comply with HIPAA. These proposed Rules are certainly a nice gift to privacy lawyers looking to boost their summer hourly billing.
Taking advantage of a federal law passed last year, Connecticut’s Attorney General, Richard Blumenthal, announced yesterday a settlement with HMO Health Net that includes a corrective action plan, a $250,000 payment to the State of Connecticut (with an additional potential pot of $500,000), and increased credit monitoring and ID theft insurance to potential victims. According to Blumenthal’s original lawsuit, Health Net lost or had stolen a disk drive last year containing sensitive information from 1.5 million persons – including 446,000 Connecticut residents. The drive contained names, addresses, social security numbers, HIPAA-protected health information and financial information.
The underlying federal statute relied upon by Blumenthal when bringing suit against Health Net is Title XIII of the American Recovery and Reinvestment Act of 2009, also known as the Health Information Technology for Economic and Clinical Health Act (the HITECH Act). The HITECH Act not only offers financial incentives to prod the use of electronic health records (EHR) but also greatly expands the protections afforded such information. For example, it creates the first federal breach notification law. Covered Entities and Business Associates that “access, maintain, retain, modify, record, store, destroy or otherwise hold, use or disclose” unsecured personal health information must give the owner notice of a breach. See Sections 13402(a) and (b) of the HITECH Act.
In obtaining yesterday’s settlement, Blumenthal was the first Attorney General to take advantage of the HITECH Act’s grant of HIPAA compliance jurisdiction to state Attorneys General. It is entirely likely that other states will now jump on this bandwagon – especially those with AGs seeking higher political office. In fact, last month AGs from across the country were scheduled to receive training on HIPAA compliance from Booz Allen Hamilton.
As for the Health Net settlement, the amounts paid to Connecticut are small compared to what has been spent to date dealing with the breach. According to the settlement agreement, Health Net allegedly has already spent more than $7 million to investigate what happened to the disk drive, notify members and provide credit monitoring and identity-theft insurance to those potentially impacted. It is incidents like these that showcase the value of requiring strong indemnification language backed by an equally strong requirement of data breach insurance coverage for those firms managing or holding your patients’ or members’ sensitive medical information.
As detailed by the Salt Lake Tribune, Colorado Casualty Insurance Co. contends it is not obligated to cover costs incurred in 2008 by the University of Utah after tapes containing electronic medical billings records on 1.7 million patients were stolen from a car. The insurer filed a declaratory judgment action on April 9, 2010 seeking a declaration that the commercial package insurance purchased by the vendor who was to safeguard the records, Perpetual Storage, did provide coverage for the claims made against the insurer. A review of the seven-page complaint provides no insight as to the terms of the policy in question.
The claim is ultimately based on first-party costs incurred by the University of Utah. Not including 6,232 personnel hours spent responding to the breach, the University allegedly spent over $3.2 million on: (1) $646,149 in printing and mailing costs; (2) $81,389 for a call center that fielded over 11,000 calls within two weeks; and (3) $2.5 million for credit-monitoring services.
Notwithstanding what the Colorado Casualty policy may actually state, the above claim would have been covered under most network security and privacy policies. Lesson learned: It is critical to confirm a vendor’s insurance clause lists the necessary coverages — including NSAP coverage if they are to handle sensitive data.
According to an article in Government Health IT, the White House is looking to develop a network security strategy “that pays particular heed to the importance of building a trusted arena for electronic health care transactions.” Howard Schmidt, the White House Cyber Security Czar, said at a May 11 HIPAA conference on privacy and security that the administration will roll out a “trust framework” based on technologies, standards, services and policies that will eventually be adopted by the government, industry and consumers.
According to Schmidt, “[o]ne-person physician offices have to be part of this system. They have to have the capacity to trust identity and to trust medical records and information because they don’t have infrastructure and they don’t have a CIO.” The White House’s ultimate goal is to instill enough “trust” in the system so that small practice groups and individual providers would be willing to adopt electronic health records (EHRs). This initiative comes on the heels of the HITECH Act’s goal of prodding the use of EHRs throughout the health care food chain.
Since the passage of the HITECH Act, there has been much criticism regarding the utility of EHRs (the time needed to transcribe notes, mistakes made in such transcriptions, content limitations, etc.) so it remains to be seen whether widespread use will ever take hold notwithstanding the HITECH Act’s stick/carrot approach to prodding implementation. Indeed, some have argued that one of the goals of the Act, i.e., the improvement of health care by changing patient behavior, will likely take a turn for the worse after EHR implementation.
To the extent practice groups and providers actually take the plunge and devote resources to a new EHR implementation, they should likely apply a holistic approach to security and privacy that applies general risk management principles. This article recently published by AHRMNY in its Risk Management Quarterly provides an EHR risk management overview that can help start that process. As well, here is a link to the presentations from the recent HIPAA conference (minus Mr. Schmidt’s keynote address). There are several linked presentations that talk to risk assessments and other security considerations of interest to providers and those folks who advise them.
On February 22, 2010, as required by section 13402(e)(4) of the HITECH Act, the Office for Civil Rights (OCR) website posted a list of the covered entities that have reported breaches of unsecured protected health information affecting more than 500 individuals. By posting this information on the OCR website, OCR has met its HITECH Act obligation, which required Health and Human Services (HHS) to make this information public by posting it on an HHS website. The 36 impacted organizations are located around the country and run the gamut from the very small to one of the largest health plans in the country.
Although the majority of the breaches posted involved lost media and laptops, there were instances involving paper records, including several instances of mailings that included protected information. As well, there were a number of instances of hacking with a few involving compromises of business associates.
It remains to be seen whether this public display will shame companies into not losing laptops or being the victim of a theft. What is clear, however, is that having your name listed on a public site will open you up to more potential litigation expense.
Electronic health records (EHR) should be on the risk management fast track. First, the FTC promulgated regulations that will require most hospitals to implement a written ID theft prevention program by June 2010. California and a few other states have already started requiring that healthcare providers implement technical and physical safeguards to protect patient medical information. And now, Title XIII of the American Recovery and Reinvestment Act of 2009, also known as the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), has its implementing regulations just now starting to change the EHR landscape. Thankfully, the HITECH Act provides significant funding for the development of this nationwide health information technology infrastructure. Specifically, the law provides financial incentives through the Medicare program to encourage physicians and hospitals to adopt and use certified EHR.
The keys to the EHR kingdom turn on whether you are actually a “meaningful EHR user”. Although some guidance was provided by an HHS working committee in June 2009, and further guidance in the form of a proposed rule was provided on December 30, 2009, a final rule on the definition has yet to be delivered.
According to the HHS December 30, 2009 Press Release, “The proposed rule would define the term “meaningful EHR user” as an eligible professional or eligible hospital that, during the specified reporting period, demonstrates meaningful use of certified EHR technology in a form and manner consistent with certain objectives and measures presented in the regulation. These objectives and measures would include use of certified EHR technology in a manner that improves quality, safety, and efficiency of health care delivery, reduces health care disparities, engages patients and families, improves care coordination, improves population and public health, and ensures adequate privacy and security protections for personal health information.”
What exactly does this nested and partially circular definition mean to someone looking for guidance? Not very much. Until such time as the term “meaningful EHR user” is finalized, the door remains open as to just how far-reaching the HITECH Act will become.