Kirsten Gillibrand, the Senator from New York, criticizes the Pentagon regarding cybersecurity. What does this have to do with HIPAA Security? Nothing directly. However, it does illustrate (again) the visibility of cybersecurity in Washington. There is simply no way that we (the collective we) can argue in favor of bolstering our national cybersecurity (i.e. our national defense) while allowing the healthcare industry to continue its lax compliance with the HIPAA Security Rule as the industry moves to electronic health records. The two positions are obviously incongruent and won't stand the light of day. These are different times that we live in. HIPAA was not signed into law until 1996 and the Security Rule did not go into effect until 2005 (2006 for small health plans). That is a couple of lifetimes ago in Internet time.
We simply live in a different world now, a world wherein a computer virus can be programmed to infiltrate Iran's nuclear power control system. It is understandable, with the amount of disruption that is occurring in the healthcare industry, that compliance gets the short end of the stick. Although we all get that, HHS also understands that things must change going forward. That is exactly what the HITECH Act was intended to do, and we are not going back to the "good ol' days" when HIPAA could safely be ignored. Those days are gone.
If you need tools that will help with your compliance initiatives then check out the HSG Store. Do you need an Internet Lawyer with HITECH /HIPAA experience?
The President has designated October as National Cyber Security Awareness Month, and the theme for this year is "Our Shared Responsibility." The Federal government has had a culture of privacy for decades, going back to at least the Privacy Act of 1974. One of the key foundations of this culture is that any use of technology should be assessed to determine its impact, whether direct or indirect, on privacy. While many claim that these types of restrictions stifle innovation, these practices also ensure that information about the public, and individual privacy, is protected when people interact with their government.
We have written previously regarding a Culture of Compliance as a Governance Model and the fact that HHS has been emphasizing the phrase every chance it gets (see this post). Now you might think this is simply the agency wanting everyone to gather around the fire and sing "Kumbaya." However, I don't think that HHS is simply using the phrase as "feel good" language, but rather signaling what it is going to expect from covered entities and business associates going forward. With "cybersecurity" such a national hot button issue in Washington, there is NO WAY that Congress and the White House will continue to look the other way as breaches that implicate millions of patients occur on a regular basis. As the nation moves to EHRs en masse this problem will only get worse.
Notice what the link above says about Social Media sites:
"Every week Facebook, Apple, or other Web 2.0 affiliated companies find themselves the subject of news articles about provocative use of personal information."
That doesn't sound to me like an agency that is ready to look the other way. That sounds more like an agency that is ready to crank up its enforcement regime and is signaling the marketplace that this is NOT your daddy's HIPAA any longer.
• Sec. 13403. Education on health information privacy.
• Sec. 13404. Application of privacy provisions and penalties to business associates of covered entities.
• Sec. 13405. Restrictions on certain disclosures and sales of health information; accounting of certain protected health information disclosures; access to certain information in electronic format.
• Sec. 13406. Conditions on certain contacts as part of health care operations.
• Sec. 13407. Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities.
• Sec. 13408. Business associate contracts required for certain entities.
• Sec. 13409. Clarification of application of wrongful disclosures criminal penalties.
However, if you really want to understand where HITECH's real teeth lie, you will focus on Section 13402 (Breach Notification). Why? Well, for lots of reasons, but let me provide a quote from a paper recently produced by the National Research Council (to subscribe go here and review subscriptions in the right hand column).
"Another example relevant to cybersecurity is the flurry of privacy breach notification laws adopted in 44 states, led by the state of California in 2002. Both public and private entities must notify affected individuals when personal data under their control has been acquired by an unauthorized party. The law was intended to ensure that individuals are given the opportunity to protect their interests following data theft, such as when 45 million credit card numbers were stolen from T.J. Maxx's information technology systems. Breach-disclosure laws are also designed to motivate companies to keep personal data secure. Unquestionably, firms are now more aware of the risks of losing personal information, and have directed more investment in preventative measures such as hard drive encryption (Mulligan and Bamberger 2007)."
The title of this paper is "Deterring CyberAttacks: Informing Strategies and Developing Options for U.S. Policy" and it deals with cybersecurity from a macro/national perspective. However, the authors clearly understand that every industry must play a part, especially the financial and healthcare industries. Breach Notification is the 800 pound gorilla of the HITECH Act and represents the one provision that is most likely to change behavior... just ask TRICARE.
You get a training video, presentation, and a HITECH Quiz that can be used to verify HITECH training class attendance within your organization. The training video is well suited for group and/or individual training. In addition, the training material contains live links to the full text of the statute and regulations in order to enhance the educational experience.
By now most readers are familiar with TRICARE's Massive Data Breach. Yesterday the news broke that TRICARE was hit with a $4.3 Billion class action lawsuit. The intent here is not to pile on TRICARE. We are going to see lots of high profile PHI data breaches as the industry moves forward en masse toward electronic health records. Rather, the intent is to start a discussion as to why the healthcare industry's compliance status quo is DOA (see Five Compliance Strategies Guaranteed to Fail).
HIPAA was an unenforced paper tiger. That means whatever compliance strategy you had in the past is a non-starter. It was never vetted and certainly, by definition, does NOT conform to the HITECH Act. The Ponemon Institute has calculated that it costs $204 per record to notify individuals after a breach. That means that the TRICARE breach could cost nearly a BILLION dollars in notification costs alone. Obviously, even if the notification could be done at 12.5% of what the Ponemon Institute indicates, it still adds up to a significant amount of money.
Consider that the Ponemon Institute does not appear to factor any reputational loss into this calculation. Repeated losses of this magnitude could leave a covered entity in bankruptcy, or being sold at fire sale prices. Consider how magnified the loss of reputation value is in a Facebook universe. Netflix customers lost confidence after one bad pricing move and the darling of Wall Street got whacked hard. The company has simply lost its luster, and may never get it back.
Although reputation value may often be difficult to calculate, in the case of Netflix the loss in its stock price is a good enough proxy. Consumers (read patients) will vote with their wallets. Bad news travels fast in a social media world whereas good news often languishes in obscurity. Covered entities and business associates are missing the elephant in the room if they continue to believe that compliance is not an issue that belongs front and center in the executive suite.
This article explores how, in a world that is increasingly becoming more complex, where the volume of knowledge often exceeds an individual's ability to assimilate and communicate it, simple tools such as checklists are having a profound and compelling positive impact on dealing with complexity. In particular, this article explores how checklists can be used as HITECH / HIPAA compliance tools.
Results of a new study from Manhattan Research reveal that an estimated 56 million U.S. consumers have accessed their medical information on an EHR system maintained by their physician. An additional 41 million consumers are interested in accessing such information, according to the pharmaceutical and healthcare market research company’s Cybercitizen Health U.S. 2011 study of consumer digital health trends.
Patients have always had the right to access their PHI (post HIPAA); we wrote about the Privacy Rule sections that provide for this access in our Patient's Bill of Rights post. The HITECH Act expands this access under Section 13405, now allowing treatment, payment and operations (TPO) usages for the past three years to be disclosed as well (i.e. provided that an EHR is in use).
Covered entities and business associates are well advised to have a well defined process in place for providing this access or they could quickly find themselves in "willful neglect" land. The engaged patient is not going away any time soon. With the boomers retiring en masse you can be sure that this trend is likely to grow significantly.
There is a significant amount of disruption occurring in the healthcare marketplace, and many of these disruptors are likely to qualify as business associates, since these businesses are likely to offer services that interact with a covered entity's PHI in some way, shape, or form. In addition to entering into business associate contracts with covered entities, these new players will need to comply with the HITECH Act and in particular with substantive sections of the HIPAA Security Rule (see further discussion below). These business associates can either view compliance as a necessary evil or as a marketplace differentiator; the most savvy ones will choose the latter. Given the major PHI data breaches that have occurred recently, covered entities are likely to be far more cautious regarding their business associate due diligence.
Until the HITECH Act was enacted into law on February 17, 2009, as part of ARRA, a business associate's ("BA") compliance with HIPAA's Regulations was mandated only as part of the contract (see 164.504(e)(1)) with its respective Covered Entity ("CE"). Under HITECH a BA is "directly on the hook" (i.e. via statutory authority) for complying with the following sections of the HIPAA Security Rule ("SR"):
BA compliance with the required sections of the SR was to go into effect one year after the enactment of HITECH; however, HHS (circa February 2010) delayed the compliance effective date for BAs, apparently to provide a little more breathing room to the impacted entities (see HITECH Effective Dates One Year Out).
In addition to the sections enumerated above, HITECH Section 13401 states as follows:
The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.
In short, a BA must comply with the enumerated sections above in the same way a CE is required to comply, and must also comply with any additional HITECH security requirements imposed upon a CE (e.g. Breach Notification).
Finally, any additional HITECH security requirements must be incorporated into the contract between the respective parties. There is still some debate regarding this latter requirement, but the conservative approach is to review existing BA agreements and to add a HITECH Act addendum to eliminate the guessing game.
It seems like twice a week (see below) the Office of Inspector General (OIG) puts out these updates of Medicare "fraudsters" being prosecuted or "whacked" with stiff penalties. It appears to us that the Feds are becoming significantly smarter in their ability to detect fraud using algorithms (e.g. predictive analytics) against large data sets.
We have no inside information; however, anecdotally this makes sense. The combination of better algorithms and cheap computing power argues in favor of these results. This strategy may have repercussions for all kinds of regulatory compliance, including HITECH / HIPAA compliance.
The HITECH Act provides for mandatory audits, although HHS has yet to issue rule making regarding how it intends to carry out this provision. That said, if OCR is better able to profile those providers and business associates more likely to be in willful neglect, then the economic windfall to its own coffers could be significant, and with the U.S. government starving for revenue, it would not surprise us to see all options for revenue generation explored.
October 5, 2011; U.S. Attorney; Southern District of New York
Manhattan U.S. Attorney Recovers $995,000 in Damages in Health Care Fraud Lawsuit against Columbia University and New York Presbyterian Hospital http://go.usa.gov/8Wf
October 5, 2011; U.S. Attorney; Southern District of Indiana
Terre Haute Pharmacist Sentenced For Healthcare Fraud and Money Laundering http://go.usa.gov/8Wf
Our view is that the HIPAA Privacy Rule can be broken down into the categories illustrated below:
This post discusses what we refer to as the Privacy Rule's Patient's Bill of Rights (PBR), which is contained in Sections 164.520 through 164.528. Although the PBR has been part of the HIPAA Privacy Rule since the very beginning (circa 2004), the number of patients that have taken advantage of what it provides is quite small. Cignet Health went rogue and violated the PBR in an egregious manner and got whacked with a $4.3M fine.
Let's walk through the major components of the PBR in order to provide a sense of what a patient is entitled to. To see why the PBR will become increasingly more important read David Harlow's excellent piece on the proposed expansion of the PBR related to lab data.
§164.520 (a): right to notice of uses and disclosures (U&D) of PHI, with some exceptions for group health plans and inmates
Nothing new here regarding covered entities (CEs) providing notice; CEs have been complying with this provision since 2004.
§164.520 (b): content of notice
Likewise, CEs clearly understand that certain language must be included in the notice. However, most CEs do not realize that if they run a website then their privacy notice must be prominently displayed electronically.
§164.520 (c): provision of notice
Notice differs depending on the type of CE (e.g. health plans versus CEs that provide direct treatment).
§164.520 (d): joint notice by separate CEs allowed under certain conditions
§164.520 (e): notice documentation (see §164.530(j)) (e.g. notices and good faith efforts to obtain must be retained)
A patient has an undisputed right to access their PHI, with certain minor exceptions. If a CE denies access then the denial must be well documented. The patient can normally request a "third party review" and said review must be granted. This PBR provision has not been widely used heretofore, but you can expect that to change. This provision is what got Cignet Health whacked.
§164.524(b): Request for access and timely action
Generally the CE has 30 days to respond, but can ask for a 30 day extension in writing. The fees charged for providing access are regulated.
§164.524(d): Denial of access
As mentioned above, if access is denied then the CE must document the denial carefully, and a patient generally has a right to request review of the denial.
Generally a patient has an undisputed right to amend PHI, with certain exceptions, and the CE must follow a procedural process similar to the access process (e.g. documentation).
Accounting for Disclosures requirements found in §164.528
This is where the PAIN FACTOR for CEs may increase dramatically if patients en masse start asking for disclosures.
§164.528(a): Right to an accounting of disclosures of PHI within six years prior to date of request
Yes indeed, and under HITECH disclosures for treatment, payment and operations are no longer
§164.528(b): Content of the accounting;
The required elements mandated by the regulations.
§164.528(c): Provisioning of disclosure
The accounting must be provided within sixty (60) days.