Experiencing Healthcare: Words You Don’t Want to Hear

HIPAA 2013

Julie Meadows-Keefe

“We can’t do this procedure today.”

These are words you don’t want to hear after you sit in a waiting room for over one hour drinking cupfuls of glow-in-the-dark, foul-tasting Kool-Aid and watching front yard makeovers on HGTV.

These are words you don’t want to hear when you’re wearing one of those fashionable exam gowns with an IV needle in your arm and with that arm bent outside of a CT scanner after being told “don’t breathe” so a scout image can be taken to get the general geography of your abdomen and colon.

Yet these are the words I heard last week when I went for an abdominal CT with contrast to determine the etiology of some rather intense abdominal pain and nausea.

What the Heck Happened?

Why was this procedure terminated almost before it started?

What we had was a failure to communicate.

You see, the day before the attempt at CT, I had another diagnostic procedure done at another facility, a hospital here in my town. The hospital procedure the day before was a barium swallow. This, like the radioactive Kool-Aid, was also delightful. You first take a shot of bitter Pop Rocks-type crystals on your tongue and chase it with water. Then you drink a thick barium shake, followed by a thinner barium shake, and x-rays are taken as the material eases down your digestive tract. Being an engaged patient, at one point I was watching the action on the screen (since there was no HGTV).

As I was leaving the hospital after the barium swallow I was exhorted several times to “drink copious amounts of water” to expedite the barium’s departure from my system. I was NOT told to “refrain from abdominal CT scans for the next few days.”

One reason the hospital didn’t tell me that was because they didn’t know I had it scheduled for the next day. They didn’t ask and I didn’t tell. It didn’t occur to me.

So the next day I present myself at the imaging facility and they ask on the history form if I’ve had other tests and I write “barium swallow.” They didn’t ask me the date of the swallow and I didn’t tell. It didn’t occur to me. And it didn’t occur to the facility to ask either, before treating me to the Kool-Aid.

And, most disturbingly, it did not occur to the doctor’s office that they should not have scheduled me for a CT the day after a barium swallow. The doctor’s office does not use electronic ordering and the nurse was literally calling the different facilities to get dates for the procedures and to hand me my written orders. She was very stressed with papers and charts stacked on her desk.

This problem probably would not have arisen had I been scheduled for both procedures at the hospital. However, cost most likely figured into the equation of where I was sent for the procedures. The imaging center did not have the equipment or staff for the barium swallow.

The imaging center was also not equipped to be able to communicate electronically with the hospital or my physician’s office.

And there was no system in place at the doctor’s office that would alert a scheduler that she shouldn’t schedule an abdominal CT the day after a barium swallow.

So after the IV was removed from my arm and I was dressed and ready to go, the technologist at the imaging center was able to show me the picture of my belly with all the barium. I swore that I had followed the edict to drink lots of water after the barium swallow. He advised me that even if I had consumed enough water to fill a small pool, the barium would still have interfered with the acuity of the CT.

Much Anger and Frustration Ensued

I left the imaging center furious at the time I had wasted. I began asking myself what purpose such a fruitless morning could serve in my life, and then it occurred to me that it perfectly illustrated the need for Health Information Exchange, which is something near and dear to my heart. When systems can’t communicate and when data is not integrated, time is wasted and resources are unnecessarily consumed. This leads to higher costs and inferior care. And while the miscommunication with my studies didn’t lead to any life-threatening issues, it could have in more complicated procedures and situations.

My experience with the CT also exemplified the virtues of an intuitive EHR with a built-in way to alert a provider that tests shouldn’t be scheduled at certain intervals. Much as a pharmacist is alerted by an automated system when you have a potentially harmful drug interaction, an EHR with electronic ordering would have reminded the scheduler that the CT should have been done first.

Should I Have Just Gone to the ER?

As I was driving home from the CT that wasn’t, I also thought back to a night earlier in the week when I was up because of the pain. It was around 11:30 pm and I thought that I should just go to the ER and have it solved. I wasn’t sleeping anyway and when I checked the ER’s website it told me that the wait time was less than 10 minutes. Granted, the co-pay is hefty but the benefit was that I arguably could have gotten all the testing I needed at one time, in one location and with pain meds to boot. However, having worked in healthcare so long I know that ER overuse is a huge problem and that my pain was not a true emergency. So I self-rationed.

Why Write About It?

I had to write a blog post about this so I could say I got something beneficial from the experience. The benefit is that I saw the value in systems I spend a lot of time working with and thinking about and that I am passing the experience along so that it can benefit others and show an example of how precious and costly healthcare resources are wasted when providers can’t readily communicate with one another. Plus now I have a story to tell!

And, one piece of advice: if you just had a barium swallow yesterday, don’t drink the Kool-Aid today.


Learning and Teaching about Crisis Management

I enjoy my time at MIT in the summer lecturing and learning about disaster recovery and crisis communication. This morning I am on deck, but first we are getting an introduction to the course and to all the great students attending. Sold-out crowd with people from twenty countries.

Right now, we are about to learn the Basics of Crisis Management and Business Continuity from Dr. Steve Goldman.
There are no hard and fast rules. Common sense should prevail. It is an art and not a science. Thus, you must adapt this and all such information to your specific needs and organization.

Before you have an emergency/crisis/incident you can determine who, what, where, how and why, but you don’t know when.

With proper planning you can survive. Think about your management unit, implement your emergency response, assemble your crisis management team and assist your business units to resume, recover and restore business operations.

Management in companies is expected to be prepared to respond to a crisis. Management needs to provide leadership throughout the crisis. They should also take appropriate actions to resolve the crisis through teamwork.

You should communicate with all affected stakeholders and deal with the human side of a crisis.

Remember back to the Tylenol crisis in 1982. 19% of J&J profit was from Tylenol. Seven people died. A VP was appointed to manage the crisis. The first things they did were to go public, alert the FBI, and recall the drug. They set up call centers and rewards, and got 30,000 calls. They even destroyed products they knew were safe: $100 million in tablets gone. They then implemented a tamper-proof lid, and a competitive advantage was thereby obtained by Tylenol over time as other companies had to implement the same lids. To this day, they have not found out who poisoned the Tylenol. The FBI approached J&J and said please don’t recall what is on the shelves, because they wanted more people to get the laced capsules so they could obtain more evidence. J&J understandably demurred.

Plans kept in software are advantageous because they are easy to access (assuming your plant or IT system doesn’t go down or isn’t impacted by the crisis). Plans are easier to use for most employees if they just get 2 or 3 pages of instructions.

In addition to combating the crisis, you must continue and restart your key business operations. In your planning, don’t forget to account for your busiest time of the year (e.g., April for the IRS). During all your response, always be communicating.

After the disaster, mitigate your risks, conduct your Business Impact Assessment and Risk Assessment. IT and business must be linked and work together. IT must be able to not only restore the applications but also the DATA.

Bring PR people in early as well. Respond quickly. Your company’s image will be determined by your communications staff. Your response is the story much of the time.

A crisis is a company’s defining moment. Define yours right, because you may never get another chance.

Florida Turf War Over Nurse Practitioner Independence

Today I attended a hearing at the Florida House on a proposed committee bill that seeks to broaden the things that Advanced Registered Nurse Practitioners (ARNPs) can do independently.

The House Select Committee on Health Care Workforce Innovation conducted a three hour hearing on Proposed Committee Bill 14-01 and both committee members and interested parties provided varying viewpoints.

The proposed bill would allow ARNPs to prescribe controlled substances if their protocols with their supervising physician permit it. The bill would also allow ARNPs to seek the designation of “Independent Advanced Practice Registered Nurse” (IAPRN) from the Florida Board of Nursing if they meet certain criteria such as ARNP certification, full-time practice for three years and the completion of a graduate-level pharmacology course. Once the nurse received this designation, that nurse could practice independently without supervision or protocol with a physician, could prescribe controlled substances and could sign, certify or verify any endorsement that a physician may currently provide.

Rather predictably, there were representatives of Nurse Practitioner groups advocating for increased autonomy and physician groups voicing opposition.

Proponents of the bill argued that giving ARNPs more independence increases patient access to healthcare, especially in rural and traditionally underserved areas, and that patient safety would not be compromised. Conversely, the bill’s opponents pointed out that there was no guarantee the independent ARNPs would practice in geographically underserved regions and that patient safety is maximized with continued physician supervision.

The bill does not expand the services that an ARNP provides; it simply removes the supervisory requirement for those ARNPs designated as IAPRNs. The bill also provides for administrative discipline of IAPRNs.

As in the past, the strength of special interests may well determine the outcome of this proposed legislation.


Dialogue With Leon Rodriguez, Director of the Office for Civil Rights for HHS (HIPAA Enforcer in Chief)

It’s a pretty rare opportunity as a HIPAA geek to sit in a room with the Director of the Office for Civil Rights for HHS and hear his perspective and ask him questions.

I got to do that today through my attendance at the HCCA Compliance Institute in National Harbor, MD.

Almost too much for me to take in all at once.

But in the spirit of blogging and sharing knowledge, I was typing and tweeting frantically, not wanting to miss a nuance.

Leon Rodriguez was appointed to his role as “HIPAA Enforcer in Chief ” (my term) about twenty months ago.

Here are some things I learned during his talk and some accompanying shifts in my thinking and issues raised in my own mind for further consideration.  (I welcome comments as well)

  • OCR was founded in 1967 after passage of the Civil Rights Act in 1964. Leon Panetta was the first OCR director when HHS was known as the Department of Health, Education and Welfare. Panetta chose to enforce desegregation laws, much to the chagrin of many in roles of authority. Mr. Rodriguez shared that at one point, Attorney General John Mitchell, the architect of Nixon’s “southern strategy,” called Nixon and told him to “fire that prick in the basement of HEW.” So I gleaned from this bit of history that the OCR director is historically a bit of a scrapper.
  • Patient privacy is deemed to be a kind of civil right.  The role of OCR is to protect the patient’s privacy, because if a patient does not feel secure, the substance abuser won’t get help, the abuse victim won’t get treatment, the mentally ill will be fearful to disclose their suffering and get assistance. From this, I see that OCR views a breach of patient privacy as a civil rights violation although it’s perhaps not equivalent to having to attend a segregated school or drink from a different water fountain.
  • Rodriguez views OCR as being similar to the SEC.  Just as the SEC is supposed to enhance investor confidence in the fairness of the markets, so the OCR is supposed to enhance patient confidence in the confidentiality of their health records.  Query: I wonder if people view these governmental agencies as fulfilling these roles or even know that there are agencies playing these roles?  Another query: does increased enforcement activity enhance patient or investor trust in the healthcare or financial system?
  • There is one OCR investigator for every 3 million Americans. They are stretched pretty thin.
  • OCR is becoming even more proactive in their enforcement.
  • Well over half of breaches that occur take place at the Business Associate level.
  • The vast majority of breaches are due to human mistakes and not technological errors.  Major breach causes are theft (51%), unauthorized access and disclosure and loss.
  • Hacking is not a major cause of HIPAA breaches.
  • Electronic records are more secure than paper records.  Paper records account for 25% of breaches.
  • In the first decade of HIPAA we were in “learning” mode. We are now in “enforcement” mode, which is part of the reason the fines have gone from a maximum of $25,000 per violation to $1.5 million per violation per year.
  •  The most important things a covered entity can do after a breach are to notify affected individuals promptly, identify why the breach occurred and the root cause for it and take decisive action to fix the problem.
  • One reason OCR wants a database of all breaches is to be able to examine and understand where vulnerabilities are industry-wide.
  • Even with all the publicity around fines, it’s still the case that a relatively small portion of cases reported result in any monetary fine.  Majority of cases are resolved through corrective action and technical assistance.
  • Most big fine cases are usually one of two things: 1. a longstanding pattern of repeated, multiple violations; 2. cases where you have a particularly unforgivable set of disclosures and a failure to prevent the disclosure. A common thread present in both 1 and 2 is that the entity discovers the problem and fails to take decisive action.
  • Mr. Rodriguez truly believes enforcement promotes compliance.  He has a strong prosecutorial background.
  • However, he was also a defense lawyer and DOES believe “Government can overreach” and that enforcement should be conducted in a balanced and constructive way that focuses monetary fines on the most egregious cases.
  • Another commonality among big fine cases is lack of appropriate risk analysis.  The entity fails to fully inventory the information it has, where the information is kept, and how the information is secured.
  • If an investigation is conducted and OCR sees that a risk analysis is done properly and there are appropriate mitigation and contingency plans, the more likely the office is to settle the violation through corrective rather than monetary fine.
  • Encryption is an addressable requirement under HIPAA.   If an implementation specification is described as “required,” the specification must be implemented. The concept of “addressable implementation specifications” was developed to provide covered entities additional flexibility with respect to compliance with the security standards. In meeting standards that contain addressable implementation specifications, a covered entity will do one of the following for each addressable specification: (a) implement the addressable implementation specifications; (b) implement one or more alternative security measures to accomplish the same purpose; (c) not implement either an addressable implementation specification or an alternative. The covered entity’s choice must be documented. The covered entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. For example, a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative. This decision will depend on a variety of factors, such as, among others, the entity’s risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation. The decisions that a covered entity makes regarding addressable specifications must be documented in writing.  The written documentation should include the factors considered as well as the results of the risk assessment on which the decision was based.  Succinctly, show your work!  (Like you were supposed to in 5th grade math!)
  • Mr. Rodriguez takes his job quite seriously.  He sees part of his role as someone who routinely engages with compliance professionals to hear their concerns and educate them.  He is not “hiding the ball” and seems extremely open, transparent and reasonable although oriented towards the interests of the patients rather than the provider which is appropriate given the mission of OCR.

It was great being able to have dialogue with him today!  Grateful for the chance!




Health Information Exchange Governance Valentine from Dr. Farzad!

Health Information Exchange Valentine


I listened in on this town hall this afternoon!


Happy Valentine’s day to me!


I did not expect Dr. Farzad Mostashari, the National Coordinator of ONC, to wish me (and all participants) a happy Valentine’s Day as he was flying on an airplane to a far-flung locale. He spoke quickly about how he “hearted” all the “listening” and open discussion going on involving health information exchange, especially around the issue of governance. Since his plane was landing, he had to cut his remarks short, so other ONC staff took the reins for a really robust and interactive webinar session on the issue.

A Rational & Non-Regulatory Approach to Health Information Exchange Governance


It was reassuring to hear the ONC staff confirm that they are committed to a listening approach rather than a pure regulatory approach to health information exchange governance. This is a real relief to those of us who are still wading through the HIPAA Omnibus Rules. They emphasized that they are in a listening and “information collecting” mode at present and plan to continue this way. The ONC has held other town halls on this and other topics.

My opinion: The complexity and level of detail that would need to exist in regulations is overwhelming, and with Health Information Exchange being a fairly new creature, regulation is just not practical at this time. It would also chill implementation, adoption and participation! Who wants to have to deal with even MORE regulations and the associated penalties and costs?

There were several main themes developed throughout this town hall meeting:

  1. Information should securely and privately follow the patient.
  2. Trust is key. Trust policies are HUGE. Providers, organizations and patients need to trust in the exchange.
  3. Meaningful patient relationships and engagement regarding use of HIE (like understanding what it IS!).
  4. How will patients be able to get their data? There was an advocate on the call for patient-mediated exchange.
  5. Increasing interoperability is crucial.
  6. Costs need to decrease.
  7. Adopting best practices for exchange.
  8. Whether HIEs will agree to exchange information with one another or whether they will “hoard” the data, especially if there is a profit-based incentive for doing so. There is currently no requirement that this sharing occur.
  9. Crossing boundaries of current EHR vendors.
  10. Closing “digital divide” barriers to implementation and meaningful exchange.

The ONC plans to monitor the exchange ecosystem and evaluate what activities are occurring and what problems or issues arise which may benefit from “national activity.” The ONC is the entity to monitor and potentially come up with regulations if they were later required.

My opinion: If people can’t play nicely and fairly in the sandbox the ONC will be willing to regulate.  It seems like the equivalent to a mom hearing kids fighting outside over buckets and shovels and saying “Don’t MAKE me come out there!”

An aside: there does not seem to be a lot of love for EPIC. They might be the kid in the sandbox preventing others from digging in. Just an undertone I got (opinion).

HIPAA Components to Health Information Exchange Governance

Joy Pritts, the nation’s Chief Privacy Officer, offered some comments on how the new HIPAA Omnibus rules should be interpreted as they pertain to Health Information Exchange. She suggested that by looking at the preamble to the final rule, one can find guidance about whether HIEs will be considered business associates. From my own reading, the analysis will depend on whether the HIE is “pushing” or “pulling” data.

Overall, the call was quite informative and a great way to spend Valentine’s Afternoon!





HIPAA 2013 – Life’s A Breach and Then You…

HIPAA/HITECH 2009: Into the Breach

Quick History

Breach notification requirements were first introduced into HIPAA upon passage of the HITECH Act in 2009.

Beginning September 23, 2009, covered entities were obligated to notify the HHS Secretary of breaches of unsecured protected health information occurring on or after that date. Breaches affecting 500 or more individuals must be reported to the Secretary without unreasonable delay and in no case later than 60 days from discovery of the breach, while breaches affecting fewer than 500 individuals must be reported to the Secretary within 60 days of the end of the calendar year in which the breach was discovered.

This year, the deadline for reporting 2012 breaches affecting fewer than 500 individuals is February 28!

HIPAA 2013-Breaches Clarified


HIPAA 2013 includes final modifications to the Breach Notification Rule, which replace the interim final rule originally published in 2009 as required by the HITECH Act. HHS estimates that it will receive approximately 19,000 breach notifications annually and that those breaches will affect approximately 6.71 million individuals.


HIPAA 2013: No harm, no foul? Not so much!

The Final Rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act replaces the interim rule’s “harm” threshold with a more objective standard and supplants the interim final rule published on August 24, 2009. It focuses instead on the risk that the protected health information has been compromised.

This final rule modifies and clarifies the definition of breach and the risk assessment approach outlined in the interim final rule.  Language was added to the definition of breach to clarify that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised.

HHS has clarified its position that breach notification is necessary in all situations except those in which the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised. The covered entity or business associate has the burden of proof!

HHS believes that this presumption in the final rule will help ensure that all covered entities and business associates interpret and apply the regulation in a uniform manner.

The new language is consistent with § 164.414, which provides that covered entities and business associates have the burden of proof to demonstrate that all notifications were provided or that an impermissible use or disclosure did not constitute a breach. This burden is met by demonstrating through a risk assessment that there was a low probability that the protected health information had been compromised. The covered entity or business associate must maintain documentation sufficient to meet that burden of proof.

The final rule also identifies the more objective factors covered entities and business associates must consider when performing a risk assessment to determine if the protected health information has been compromised and breach notification is necessary.

HIPAA 2013: Encrypt Early and Often

Every time there is a HIPAA penalty for a lost laptop or hard drive, Office for Civil Rights (OCR) Director Leon Rodriguez likes to emphasize that the penalty would have been avoided if the data had been encrypted. Under the HITECH Act, breach notification applies only to “unsecured” protected health information, and HHS guidance treats data encrypted in accordance with National Institute of Standards and Technology (NIST) guidance as secured. So if a device is lost or stolen, the loss is not a reportable breach, provided the decryption key was not compromised along with it.

To avoid the hit to your organization’s reputation and bottom line from remediating a breach, it is strongly suggested that you encrypt data at rest, especially on portable devices such as laptops and flash drives, and keep the keys separate from the devices they protect.
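As an added example (not code from the original post), here is a small Python inventory check that a security team could run on Linux endpoints to find mounted filesystems that are not sitting on a dm-crypt/LUKS layer, which is the kind of “where is the data and how is it secured” evidence a risk analysis needs. It parses the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` emits; the JSON embedded below is a constructed sample in that shape, not output captured from a real machine, and `find_unencrypted_mounts` and `SAMPLE_LSBLK_JSON` are names chosen for this example.

```python
"""Flag mounted filesystems on a Linux host that have no dm-crypt (LUKS) layer
beneath them, using the JSON printed by
`lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`. The sample is constructed."""
import json
import subprocess

# Constructed sample in lsblk's JSON shape: / is on a LUKS volume, /boot is a
# plain partition, and a USB stick is mounted unencrypted at /media/usb.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
       {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
        "children": [
          {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}
        ]}
     ]},
    {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sdb1", "type": "part", "fstype": "vfat", "mountpoint": "/media/usb"}
     ]}
  ]
}
"""


def _mountpoints(node):
    """Newer util-linux emits a "mountpoints" list; older versions emit a
    single "mountpoint" string. Return the non-empty mountpoints either way."""
    mps = node.get("mountpoints")
    if mps is None:
        mps = [node.get("mountpoint")]
    return [mp for mp in mps if mp]


def find_unencrypted_mounts(lsblk_json):
    """Return one record per mountpoint whose device stack has no `crypt` node.

    A filesystem counts as encrypted when it lives on a dm-crypt device or on
    anything layered above one (for example LVM on top of LUKS)."""
    tree = json.loads(lsblk_json)
    findings = []

    def walk(node, encrypted_above, path):
        path = path + [node["name"]]
        # Once a crypt node is seen, everything below it is inside the container.
        encrypted = encrypted_above or node.get("type") == "crypt"
        for mp in _mountpoints(node):
            if not encrypted:
                findings.append({"mountpoint": mp,
                                 "device": "/".join(path),
                                 "fstype": node.get("fstype")})
        for child in node.get("children", []):
            walk(child, encrypted, path)

    for dev in tree.get("blockdevices", []):
        walk(dev, False, [])
    return sorted(findings, key=lambda f: f["mountpoint"])


def live_lsblk_json():
    """Fetch real lsblk output; return None when lsblk is missing or fails."""
    try:
        return subprocess.run(
            ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
            capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    data = live_lsblk_json() or SAMPLE_LSBLK_JSON  # fall back to the sample
    for f in find_unencrypted_mounts(data):
        print(f"UNENCRYPTED {f['mountpoint']} on {f['device']} ({f['fstype']})")
```

Run as a script on a Linux host it calls lsblk itself and falls back to the constructed sample elsewhere; on the sample it reports /boot and /media/usb. An empty result is necessary but not sufficient for the encryption safe harbor: the check says nothing about whether the cipher and key handling meet the NIST guidance HHS points to, it does not see BitLocker or FileVault on other platforms, and file-level schemes such as fscrypt or eCryptfs do not show up as a `crypt` device at all.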


HIPAA 2013-Timetables


The final rule is effective on March 26, 2013. Covered entities and business associates of all sizes will have 180 days beyond the effective date of the final rule to come into compliance with most of the final rule’s provisions, including the modifications to the Breach Notification Rule.

HIPAA 2013-Notice of Privacy Practices Must Change

The final rule also requires covered entities to include in their Notice of Privacy Practices  a statement of the right of affected individuals to be notified following a breach of unsecured protected health information. HHS believes that individuals should be informed of their right to receive and the obligations of covered entities to provide notification following a breach.

HHS indicated that a simple statement in the Notice of Privacy Practices that an individual has a right to or will receive notifications of breaches of his or her unsecured protected health information will suffice for purposes of this requirement.


HIPAA 2013- Costs

HHS estimates that private entities will bear 93 percent of the costs of compliance with the breach notification requirements, or about $13.5 million. This is because the majority of breach reports are filed by health care providers, all of whose costs were attributed to the private sector.


HIPAA 2013 is loaded with many challenges for covered entities and business associates. Hopefully, your organization has been preparing for these final rules since passage of HITECH. If you have not, the time is NOW!




HIPAA 2013-Business Associates Asking “Am I My Brother’s Keeper?”

HIPAA 2013

Julie Meadows-Keefe

HIPAA 2013-New World for Business Associates-Of Biblical Proportions?


Maybe you are familiar with the Bible story in which Cain slays Abel and God asks Cain, “Where is your brother?” and Cain responds, “Am I my brother’s keeper?” If we’ve read the story, we know things weren’t too great for Cain after that! He is held responsible for his brother, as he should have been, but initially tried to say it wasn’t his problem. Like Cain, business associates under HIPAA 2013 cannot deny responsibility for data within their control.

You may zone out on me before you get to the end of this blog post, so here is the crux: business associates, by definition, are now (and have been for a while) separately and directly liable for violations of the Security Rule and for violations of the Privacy Rule through impermissible uses and disclosures under their business associate contracts.

Many haven’t wanted to think about it!

To learn more, please continue reading!  I promise to try and keep it interesting!


Get to Know Business Associates

In mafia movies a “business associate” might be the muscular wall of a man who collects overdue loan payments.

In other, more realistic worlds, a business associate would be someone with whom one worked, either as a co-worker or perhaps a colleague in another company.

In the HIPAA world, the term has a very distinctive and detailed definition.

What (Or Who) Is A Business Associate Under HIPAA?

The HIPAA Rules define “business associate” generally to mean a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of protected health information. Examples of business associates include:

  1. Claims processors,  administrators or practice managers.
  2. Accountants, legal advisors, consultants, or data aggregators.
  3. Accrediting services.
  4. Patient safety organizations

In short, if the person or organization is providing services to a covered entity and the provision of the service involves the disclosure of individually identifiable health information from such covered entity, that person or entity is considered a business associate. Before the HITECH Act, the Security Rule did not directly apply to business associates.

Business Associate Changes Under HITECH

Life changed for business associates under the HITECH Act. Under HITECH, the Security Rule’s administrative, physical, and technical safeguards requirements, as well as the Rule’s policies, procedures and documentation requirements, apply directly to business associates, and HHS made business associates directly liable for violations of the Security Rule. Therefore, under HITECH, business associates are civilly and criminally liable for violations of these provisions. HHS believes that many business associates have not appreciated, fully understood or implemented the necessary compliance practices.

HIPAA 2013-Businesses Associates & Subcontractors

The final rule applies the business associate provisions of the HIPAA Rules to subcontractors and thus provides in the definition of “business associate” that a business associate includes a “subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.”

HHS also defined a subcontractor as “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.” So a subcontractor is a person to whom a business associate has delegated a function, activity, or service that the business associate has agreed to perform for a covered entity or another business associate. A subcontractor is then itself a business associate where that function, activity, or service involves the creation, receipt, maintenance, or transmission of protected health information.

There will be increased costs to many business associates to bring their subcontracts into compliance with business associate agreement requirements; and costs to a portion of business associates to achieve full compliance with the Security Rule.

Drop Dead Dates for Business Associates

The final rule is effective on March 26, 2013. Covered entities and business associates of all sizes will have 180 days beyond the effective date of the final rule to come into compliance with most of the final rule’s provisions. This translates into September 23, 2013. However, HHS has built in another year of cushion for covered entities to update their business associate agreements. So the new documents must be fully executed no later than September 23, 2014.

In the span of time between September 23, 2013 and September 23, 2014, covered entities must ensure that they obtain satisfactory assurances from their business associates that the requirements are being met. Furthermore, business associates must also receive satisfactory assurances from their subcontractors, no matter how far down the chain the information flows. Again, organizations must be COMPLIANT by September 23, 2013 and have another year to execute new business associate agreements.

That brings us to September 23, 2014 to have the updated agreements executed.

Please do not wait until September 1, 2014 to consider this!

What do Business Associates Need to Know?

Business associates are now directly liable under the HIPAA Rules for the following:

  1. impermissible uses and disclosures;
  2. failure to provide breach notification to the covered entity;
  3. failure to provide access to a copy of electronic protected health information to either the covered entity, the individual, or the individual’s designee (whichever is specified in the agreement);
  4. failure to disclose protected health information where required by the Secretary to investigate or determine the business associate’s compliance with the HIPAA Rules;
  5. failure to provide an accounting of disclosures;
  6. failure to comply with the requirements of the Security Rule.

In addition:

  7. Business associates remain contractually liable for other requirements of the business associate agreement.
  8. Business associates will also have to comply with new requirements for notification of breaches (coming in a future post!).
  9. Business associates need to evaluate their subcontractors!

Hopefully now you understand why I started this post with reference to the biblical story of Cain. Although these changes may not be of biblical proportions, they do represent increased levels of responsibility for any entity handling identifiable health information!

Do you have questions about what you’ve read?

Don’t consider this post legal advice!

Contact me @ julie@esq140.com or here.

I am friendly and do not bite!

Read the rule for yourself here!  I recommend it, especially if you have trouble sleeping!


HIPAA 2013-Immunization Record-Agreement Instead of Authorization.

HIPAA 2013-Immunization Records Flow

Kids hate shots!  Is there anyone out there who enjoys them?

Yet, we recognize that immunizations are vital to public health because they prevent communicable disease.

As anyone with children in school knows, kids must be up-to-date on immunizations to enter school.  In this way, schools protect public health.

It’s also good public policy that barriers to kids being in school are minimized.

In this way HIPAA 2013 furthers those public policies by “loosening up” on authorization requirements for release of immunization records to schools.

Pre-HIPAA 2013, Release of Immunization Records Generally Required Authorization

Typically, schools ensure compliance with immunization requirements by requesting the immunization records from parents rather than directly from a health care provider. However, where a covered health care provider was requested to send the immunization records directly to a school, the Privacy Rule generally required written authorization by the child’s parent before the covered health care provider could do so.

This created an extra layer of difficulty for schools, doctors, clinics, parents and students.

HIPAA 2013 Goes from “Authorization” to “Agreement”

However, in HIPAA 2013, Section 164.512(b)(1) adds language that permits a health care provider to give proof of immunization to the school if the provider obtains and documents agreement from the parent or guardian of the child.

The rule does not micromanage how the agreement is documented. It leaves to the provider whether they will simply make a note in the child’s chart, print out an e-mail request from the parent, or document it some other way. However, the agreement must be an affirmative assent or request by a parent, guardian, or other person acting in loco parentis contacting a child’s health care provider to request that proof of immunization be sent to the child’s school.

It’s important to point out that the agreement described here is not the same as a HIPAA-compliant authorization.  Providers are still free to use a HIPAA-compliant authorization, but in situations where that is not practical or expedient, the addition of the “agreement” eliminates the need for it.

Another thing to keep in mind is that the rule points out that the protected health information that is disclosed by “agreement” is limited to proof of immunization.

HIPAA 2013 Advances Easier Transmission of Immunization Information.

You can take a look at the rule here.

Please subscribe to my HIPAA and Health law updates and come back soon!


HIPAA 2013-Public Health Disclosures Without Authorization-What Happened?

HIPAA 2013 Continues to Allow for and Public Health Reporting

My discussion of HIPAA 2013 regulations threatens to violate a principle of this blog which is to generally discuss things related to HIPAA and privacy in ways that people can understand, regardless of whether they are lawyers, doctors or Indian Chiefs.

By necessity, my post on HIPAA 2013 may get a little weedy. If you hate weeds, take an airboat over them and skip to the end of the post for a quick summary.

Quick Background on HIPAA & Public Health

HIPAA historically contained an exemption to the authorization requirement for public health reporting. This means that covered entities can and must report certain events to public health authorities and can do so without patient authorization. Public health activities include the reporting of a disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions. You can probably see why it’s important that health care providers help public health authorities track things like disease outbreaks and sexually transmitted diseases.

Carrying this theme forward, Section 13405(d)(2) of HITECH contained an exception to the authorization requirement for exchanges of protected health information for public health activities, as described at § 164.512(b) of the HIPAA Privacy Rule.

Another quick historical fact is that HIPAA generally frowns upon the “sale” of protected health information without patient consent. It’s a pretty big no-no. However, some providers may charge a fee to the public health authority for providing public health data. Generally, the providers charge only the cost to them of making the report, as well as a reasonable charge for their time. This practice has not historically been considered a “sale” of data, and there has been a recognized exception carved out for public health reporting. However, if charges get out of hand, the HHS Secretary has the authority to restrict the amount charged. There had been some discussion about whether this restriction would be made in the new rules.

It was not. In HIPAA 2013, HHS did not limit the exception to only those disclosures where all the covered entity receives as remuneration is a cost-based fee to cover the cost to prepare and transmit the data. So, although the sky is not the limit, there appears to be some room for covered entities to charge actual costs plus their time.

My prediction is, however, that if covered entities attempt to make public health reporting a profit center, HHS will quickly revisit the issue. The takeaway is that covered entities should keep their costs fair and reasonable.

Again, HIPAA 2013 regulations continue to allow covered entities to exchange information for public health activities and for covered entities to charge a fee for reporting.

One small addition was made to § 164.502 to reference § 164.514(e) of the Privacy Rule, to ensure that disclosures of protected health information for public health activities in limited data set form would also be excepted from the authorization requirement, in addition to disclosures that may occur under § 164.512(b) with more identifiable information. A limited data set is protected health information that excludes many direct identifiers of the individual or of relatives, employers, or household members of the individual, such as names, postal addresses (other than town, city, state and zip code) and social security numbers. There was a need to reference limited data sets because it can often be time- and resource-consuming for a covered entity to produce them.


AIRBOAT THROUGH HIPAA 2013 Public Health Reporting

1.  Covered entities can and should still report everything mandated by state and federal law to the public health authority and can do it without the patient authorizing it.

2.  Covered entities can charge a fee for doing it. They shouldn’t get too cute with it.

3.  Public health reporting is good public policy and HHS continues to recognize this.



Tomorrow I will discuss the impact of the HIPAA 2013 Changes to Public Health as it relates to immunizations.

Sleep well!

HIPAA 2013-Public Health Updates

HIPAA 2013 is HERE!


The Health Insurance Portability and Accountability Act of 1996, as modified by the American Recovery and Reinvestment Act (ARRA) of 2009 and its Health Information for Clinical and Economic Health (HITECH) provisions, brought to bear the necessity of a whole new slew of regulations, which were handed down last week amid much fanfare. In the next few days, I’ll be posting some updates summarizing the highlights of HIPAA 2013!

A friend requested that I start with taking a look at HIPAA provisions relating to public health reporting and activities.

HIPAA 2013 Emphasizes That Covered Entities Should NOT Use their Business Associates for Public Health Reporting!

HHS emphasized that business associates do not have their own health care operations (see the definition of health care operations which is limited to activities of the covered entity).  Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing.  Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. See the definition of “business associate” at 45 CFR 160.103.

While a business associate does not have health care operations, it is permitted to use and disclose protected health information as necessary for its own management and administration if the business associate agreement permits such activities, or to carry out its legal responsibilities. Other than the exceptions for the business associate’s management and administration and for data aggregation services relating to the health care operations of the covered entity, the business associate may not use or disclose protected health information in a manner that would not be permissible if done by the covered entity (even if such a use or disclosure is permitted by the business associate agreement).


If you are a covered entity, make sure that you are doing your public health reporting, as required by state and federal law, and NOT delegating that function to a business associate.

HIPAA 2013-What’s Coming Tomorrow

Tomorrow I will provide a quick overview of what’s become of the exception to the authorization requirement for public health exchanges in order to conduct public health activities.

I invite you to leave a comment and stay in touch!

