Filed under 2013 HIPAA Regs

Dialogue With Leon Rodriguez, Director of the Office for Civil Rights at HHS (HIPAA Enforcer in Chief)

It’s a pretty rare opportunity as a HIPAA geek to sit in a room with the Director of the Office for Civil Rights (OCR) at HHS, hear his perspective and ask him questions.

I got to do that today through my attendance at the HCCA Compliance Institute in National Harbor, MD.

Almost too much for me to take in all at once.

But in the spirit of blogging and sharing knowledge, I was typing and tweeting frantically, not wanting to miss a nuance.

Leon Rodriguez was appointed to his role as “HIPAA Enforcer in Chief ” (my term) about twenty months ago.

Here are some things I learned during his talk and some accompanying shifts in my thinking and issues raised in my own mind for further consideration.  (I welcome comments as well)

  • OCR was founded in 1967 after passage of the Civil Rights Act of 1964. Leon Panetta was OCR director under Nixon, when HHS was still known as the Department of Health, Education and Welfare (HEW). Panetta chose to enforce desegregation laws, much to the chagrin of many in roles of authority. Mr. Rodriguez shared that at one point Attorney General John Mitchell, the architect of Nixon’s “southern strategy,” called Nixon and told him to “fire that prick in the basement of HEW.” So I gleaned from this bit of history that the OCR director is historically a bit of a scrapper.
  • Patient privacy is deemed to be a kind of civil right.  The role of OCR is to protect the patient’s privacy, because if a patient does not feel secure, the substance abuser won’t get help, the abuse victim won’t get treatment, the mentally ill will be fearful to disclose their suffering and get assistance. From this, I see that OCR views a breach of patient privacy as a civil rights violation although it’s perhaps not equivalent to having to attend a segregated school or drink from a different water fountain.
  • Rodriguez views OCR as being similar to the SEC.  Just as the SEC is supposed to enhance investor confidence in the fairness of the markets, so the OCR is supposed to enhance patient confidence in the confidentiality of their health records.  Query: I wonder if people view these governmental agencies as fulfilling these roles or even know that there are agencies playing these roles?  Another query: does increased enforcement activity enhance patient or investor trust in the healthcare or financial system?
  • There is one OCR investigator for every 3 million Americans. They are stretched pretty thin.
  • OCR is becoming even more proactive in their enforcement.
  • Well over half of breaches that occur take place at the Business Associate level.
  • The vast majority of breaches are due to human mistakes and not technological errors. Major breach causes are theft (51%), unauthorized access or disclosure, and loss.
  • Hacking is not a major cause of HIPAA breaches.
  • Electronic records are more secure than paper records.  Paper records account for 25% of breaches.
  • In the first decade of HIPAA we were in “learning” mode. We are now in “enforcement” mode, which is part of the reason the fines have gone from a maximum of $25,000 per year for violations of the same provision to $1.5 million per year for violations of the same provision.
  • The most important things a covered entity can do after a breach are to notify affected individuals promptly, identify why the breach occurred (the root cause), and take decisive action to fix the problem.
  • One reason OCR wants a database of all breaches is to be able to examine and understand where vulnerabilities are industry-wide.
  • Even with all the publicity around fines, it’s still the case that a relatively small portion of cases reported result in any monetary fine.  Majority of cases are resolved through corrective action and technical assistance.
  • Most big-fine cases are one of two things: 1. a longstanding pattern of repeated, multiple violations; 2. a particularly unforgivable set of disclosures combined with a failure to prevent them. A common thread in both is that the entity discovers the problem and fails to take decisive action.
  • Mr. Rodriguez truly believes enforcement promotes compliance.  He has a strong prosecutorial background.
  • However, he was also a defense lawyer and DOES believe “Government can overreach” and that enforcement should be conducted in a balanced and constructive way that focuses monetary fines on the most egregious cases.
  • Another commonality among big fine cases is lack of appropriate risk analysis.  The entity fails to fully inventory the information it has, where the information is kept, and how the information is secured.
  • If an investigation is conducted and OCR sees that a risk analysis was done properly and that appropriate mitigation and contingency plans exist, the office is more likely to settle the matter through corrective action rather than a monetary fine.
  • Encryption is an addressable implementation specification under the Security Rule (45 CFR 164.312(a)(2)(iv) for stored data and 164.312(e)(2)(ii) for data in transit). If an implementation specification is described as “required,” it must be implemented. The concept of “addressable implementation specifications” was developed to give covered entities additional flexibility in complying with the security standards. For each addressable specification, a covered entity will do one of the following: (a) implement the addressable implementation specification; (b) implement one or more alternative security measures that accomplish the same purpose; or (c) implement neither the addressable specification nor an alternative. The covered entity’s choice must be documented. The covered entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. For example, a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate and there is a reasonable and appropriate alternative. This decision will depend on a variety of factors, such as the entity’s risk analysis, its risk mitigation strategy, what security measures are already in place, and the cost of implementation. The decisions a covered entity makes regarding addressable specifications must be documented in writing, and the documentation should include the factors considered as well as the results of the risk assessment on which the decision was based. Succinctly, show your work! (Like you were supposed to in 5th grade math!)
  • Mr. Rodriguez takes his job quite seriously.  He sees part of his role as someone who routinely engages with compliance professionals to hear their concerns and educate them.  He is not “hiding the ball” and seems extremely open, transparent and reasonable although oriented towards the interests of the patients rather than the provider which is appropriate given the mission of OCR.

It was great being able to have dialogue with him today!  Grateful for the chance!

HIPAA 2013 – Life’s A Breach and Then You…

HIPAA/HITECH 2009: Into the Breach

 Quick History

Breach notification requirements were first added to HIPAA by the HITECH Act in 2009.

Beginning September 23, 2009, covered entities were obligated to notify the HHS Secretary of breaches of unsecured protected health information discovered on or after that date. Breaches affecting 500 or more individuals must be reported to the Secretary without unreasonable delay and in no case later than 60 days from discovery of the breach, while breaches affecting fewer than 500 individuals must be reported to the Secretary within 60 days of the end of the calendar year in which the breach was discovered.

This year, the deadline for reporting 2012 breaches affecting fewer than 500 individuals is March 1, 2013 (60 days after the end of the calendar year)!

 HIPAA 2013-Breaches Clarified


The HIPAA 2013 omnibus rule includes final modifications to the Breach Notification Rule, replacing the interim final rule published in 2009 as required by the HITECH Act. HHS estimates that it will receive approximately 19,000 breach notifications annually and that those breaches will affect approximately 6.71 million individuals.


HIPAA 2013: No harm, no foul? Not so much!

The final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act replaces the breach notification rule’s “harm” threshold with a more objective standard and supplants the interim final rule published on August 24, 2009. It focuses more objectively on the risk that the protected health information has been compromised.

This final rule modifies and clarifies the definition of breach and the risk assessment approach outlined in the interim final rule.  Language was added to the definition of breach to clarify that an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised.

HHS has clarified its position that breach notification is necessary in all situations except those in which the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised. The covered entity or business associate has the burden of proof!

HHS believes that this presumption in the final rule will help ensure that all covered entities and business associates interpret and apply the regulation in a uniform manner.

The new language is consistent with § 164.414, which provides that covered entities and business associates have the burden of proof to demonstrate that all required notifications were provided or that an impermissible use or disclosure did not constitute a breach. This burden is met by demonstrating through a risk assessment that there was a low probability that the protected health information had been compromised. The covered entity or business associate must maintain documentation sufficient to meet that burden of proof.

The final rule also identifies the more objective factors covered entities and business associates must consider when performing a risk assessment to determine whether the protected health information has been compromised and breach notification is necessary. At a minimum, the assessment must weigh: (1) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the protected health information or to whom the disclosure was made; (3) whether the protected health information was actually acquired or viewed; and (4) the extent to which the risk to the protected health information has been mitigated.

HIPAA 2013: Encrypt Early and Often

Every time there is a HIPAA data breach penalty for a lost laptop or hard drive, Office for Civil Rights (OCR) Director Leon Rodriguez likes to emphasize that the penalty would have been avoided if the data had been encrypted. The HITECH Act of 2009 modified the HIPAA data breach rule so that if a device is lost or stolen, the loss is not reportable as a HIPAA data breach if the data is encrypted in compliance with data encryption guidance from the National Institute of Standards and Technology (NIST).

To avoid the hit to your organization’s reputation and bottom line if you have to remediate a breach, it’s strongly suggested that you encrypt data at rest, and especially portable data on laptops and flash drives. One caveat a practitioner should keep in mind: the safe harbor holds only if the key or passphrase that would enable decryption has not itself been compromised, so a key stored on the same device (or on a sticky note in the laptop bag) buys you nothing.
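A quick way to check whether a lost laptop would actually have qualified for the safe harbor is to verify, before it goes missing, that every mounted filesystem sits on top of an encryption layer. The following Python script is an added example (not code from the original post or from HHS): it walks the JSON tree that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints on Linux and flags any mounted filesystem with no dm-crypt/LUKS layer beneath it. The embedded lsblk output is constructed for the example (one LUKS-protected system disk with LVM on top, one plaintext USB stick); the boot allowlist and the device names are assumptions.

```python
"""Audit check: list mounted filesystems that do not sit on an encrypted block device.

Added example, not part of the original post. Input is the JSON tree printed by
`lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` (util-linux lsblk on Linux).
"""
import json
import subprocess

# Constructed sample of lsblk JSON output (not captured from a real host):
# - sda2 is a LUKS container; the LVM volumes stacked on it inherit its protection
# - sda1 is the plaintext EFI system partition, which must stay unencrypted to boot
# - sdb1 is a USB flash drive holding PHI exports on a plaintext exFAT filesystem
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
      {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
        {"name": "luks-root", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null, "children": [
          {"name": "vg0-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
          {"name": "vg0-home", "type": "lvm", "fstype": "ext4", "mountpoint": "/home"}
        ]}
      ]}
    ]},
    {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "children": [
      {"name": "sdb1", "type": "part", "fstype": "exfat", "mountpoint": "/media/phi-export"}
    ]}
  ]
}
"""

# Mountpoints expected to live on plaintext partitions because the firmware or
# boot loader must read them before any decryption key is available (assumption).
BOOT_ALLOWLIST = frozenset({"/boot", "/boot/efi"})


def _walk(dev, encrypted, findings):
    """Depth-first walk of the lsblk tree; a crypt layer protects every device stacked above it."""
    encrypted = encrypted or dev.get("type") == "crypt" or dev.get("fstype") == "crypto_LUKS"
    mountpoint = dev.get("mountpoint")
    if mountpoint and not encrypted and mountpoint not in BOOT_ALLOWLIST:
        findings.append((dev["name"], mountpoint))
    for child in dev.get("children") or []:
        _walk(child, encrypted, findings)


def unencrypted_mounts(lsblk_json):
    """Return (device, mountpoint) pairs for mounted filesystems with no encryption layer beneath them."""
    findings = []
    for dev in json.loads(lsblk_json)["blockdevices"]:
        _walk(dev, False, findings)
    return findings


def read_lsblk():
    """Run lsblk on the local host; fall back to the constructed sample if lsblk is unavailable."""
    try:
        return subprocess.run(
            ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
            check=True, capture_output=True, text=True,
        ).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return SAMPLE_LSBLK_JSON


if __name__ == "__main__":
    # Against the sample this reports only the USB stick: sdb1 mounted at /media/phi-export
    for name, mountpoint in unencrypted_mounts(read_lsblk()):
        print(f"UNENCRYPTED: {name} mounted at {mountpoint}")
```

The check answers only one question: is there an encryption layer under each mount? Whether that layer meets the NIST guidance the safe harbor references also depends on the cipher and mode configured and, above all, on where the key lives (a passphrase or a TPM-sealed key, never a key file on the same disk). Newer util-linux releases add a MOUNTPOINTS column, but the singular MOUNTPOINT column the script reads is still emitted.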


HIPAA 2013-Timetables


The final rule is effective on March 26, 2013. Covered entities and business associates of all sizes will have 180 days beyond the effective date of the final rule to come into compliance with most of the final rule’s provisions, including the modifications to the Breach Notification Rule.

 HIPAA 2013-Notice of Privacy Practices Must Change

The final rule also requires covered entities to include in their Notice of Privacy Practices a statement of the right of affected individuals to be notified following a breach of unsecured protected health information. HHS believes that individuals should be informed of their right to receive, and the obligation of covered entities to provide, notification following a breach.

HHS indicated that a simple statement in the Notice of Privacy Practices that an individual has a right to or will receive notification of breaches of his or her unsecured protected health information will suffice for purposes of this requirement.


HIPAA 2013- Costs

HHS estimates that private entities will bear 93 percent of the costs of compliance with the breach notification requirements, or about $13.5 million. This is because the majority of breach reports are filed by health care providers, all of whose costs were attributed to the private sector.


HIPAA 2013 is loaded with many challenges for covered entities and business associates. Hopefully, your organization has been preparing for these final rules since passage of HITECH. If you have not, the time is NOW!



Julie Meadows-Keefe


HIPAA 2013-Business Associates Asking “Am I My Brother’s Keeper?”

HIPAA 2013

Julie Meadows-Keefe

HIPAA 2013-New World for Business Associates-Of Biblical Proportions?


Maybe you are familiar with the Bible story in which Cain slays Abel and God asks Cain, “Where is your brother?” and Cain responds, “Am I my brother’s keeper?” If we’ve read the story, we know things weren’t too great for Cain after that! He is held responsible for his brother, as he should have been, but initially tried to say it wasn’t his problem. Like Cain, business associates under HIPAA 2013 cannot deny responsibility for data within their control.

You may zone out on me before you get to the end of this blog post, so the crux is that business associates, by definition, are now (and have been for a while) separately and directly liable for violations of the Security Rule and for violations of the Privacy Rule for impermissible uses and disclosures pursuant to their business associate contracts.

Many haven’t wanted to think about it!

To learn more, please continue reading!  I promise to try and keep it interesting!


Get to Know Business Associates

In mafia movies a “business associate” might be the muscular wall of a man who collects overdue loan payments.

In other, more realistic worlds, a business associate would be someone with whom one worked, either as a co-worker or perhaps a colleague in another company.

In the HIPAA world, the term has a very distinctive and detailed definition.

What (Or Who) Is A Business Associate Under HIPAA?

The HIPAA Rules define “business associate” generally to mean a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of protected health information. Examples of business associates include:

  1. Claims processors,  administrators or practice managers.
  2. Accountants, legal advisors, consultants, or data aggregators.
  3. Accrediting services.
  4. Patient safety organizations

In short, if a person or organization provides services to a covered entity and the provision of the service involves the disclosure of individually identifiable health information from that covered entity, the person or entity is considered a business associate. Before the HITECH Act, the Security Rule did not directly apply to business associates.

Business Associate Changes Under HITECH

Life changed for business associates under the HITECH Act. Under HITECH, the Security Rule’s administrative, physical, and technical safeguard requirements, as well as the Rule’s policies, procedures, and documentation requirements, apply directly to business associates, and HHS made business associates directly liable for violations of them. Therefore, under HITECH, business associates are civilly and criminally liable for violations of these provisions. HHS believes that many business associates have not appreciated, fully understood, or implemented the necessary compliance practices.

HIPAA 2013-Businesses Associates & Subcontractors

The final rule applies the business associate provisions of the HIPAA Rules to subcontractors and thus provides in the definition of “business associate” that a business associate includes a “subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.”

HHS also defines “subcontractor” as “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.” So a subcontractor is a person to whom a business associate has delegated a function, activity, or service that the business associate has agreed to perform for a covered entity or another business associate. A subcontractor is itself a business associate where that function, activity, or service involves the creation, receipt, maintenance, or transmission of protected health information.

There will be increased costs to many business associates to bring their subcontracts into compliance with business associate agreement requirements; and costs to a portion of business associates to achieve full compliance with the Security Rule.

 Drop Dead Dates for Business Associates

The final rule is effective on March 26, 2013. Covered entities and business associates of all sizes will have 180 days beyond the effective date of the final rule to come into compliance with most of the final rule’s provisions. This translates into September 23, 2013. However, HHS has built in another year of cushion for updating existing business associate agreements: an agreement that was already in place on January 25, 2013 and is not renewed or modified between March 26 and September 23, 2013 may stay in effect until it is next renewed or modified, or until September 23, 2014 at the latest. Agreements entered into after January 25, 2013 get no such grace period. So, at the outside, the new documents must be fully executed no later than September 23, 2014.

In the span of time between September 23, 2013 and September 23, 2014, covered entities must ensure that they obtain satisfactory assurances from their business associates that the requirements are being met.  Furthermore, business associates must also receive satisfactory assurances from their subcontractors no matter how far down the chain the information flows. Again, organizations must be COMPLIANT by September 23, 2013 and have another year to execute new business associate agreements.

That brings us to September 23, 2014 to have the updated agreements executed.

Please do not wait until September 1, 2014 to consider this!

 What do Business Associates Need to Know? 

Business associates are now directly liable under the HIPAA Rules for the following:

  1. impermissible uses and disclosures;
  2. failure to provide breach notification to the covered entity;
  3. failure to provide access to a copy of electronic protected health information to the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement);
  4. failure to disclose protected health information where required by the Secretary to investigate or determine the business associate’s compliance with the HIPAA Rules;
  5. failure to provide an accounting of disclosures; and
  6. failure to comply with the requirements of the Security Rule.

Beyond that direct liability, business associates remain contractually liable for the other requirements of their business associate agreements, will also have to comply with the new requirements for notification of breaches (coming in a future post!), and need to evaluate their subcontractors!

Hopefully now you understand why I started this post with  reference to the biblical story of Cain.  Although these changes may not be of biblical proportions, they do represent increased levels of responsibility for any entity handling  identifiable health information!

Do you have questions about what you’ve read?

Don’t consider this post legal advice!

Contact me here.

I am friendly and do not bite!

Read the rule for yourself here!  I recommend it, especially if you have trouble sleeping!


HIPAA 2013-Immunization Record-Agreement Instead of Authorization.

HIPAA 2013-Immunization Records Flow

Kids hate shots!  Is there anyone out there who enjoys them?

Yet, we recognize that immunizations are vital to public health because they prevent communicable disease.

As anyone with children in school knows, kids must be up-to-date on immunizations to enter school.  In this way, schools protect public health.

It’s also good public policy that barriers to kids being in school are minimized.

In this way HIPAA 2013 furthers those public policies by “loosening up” on authorization requirements for release of immunization records to schools.

Pre-HIPAA 2013, Release of Immunization Records Generally Required Authorization

Typically, schools ensure compliance with immunization requirements by requesting the immunization records from parents rather than directly from a health care provider. However, where a covered health care provider was asked to send the immunization records directly to a school, the Privacy Rule generally required written authorization by the child’s parent before the provider could do so.

This created an extra layer of difficulty for schools, doctors, clinics, parents and students.

HIPAA 2013 Goes from “Authorization” to “Agreement”

However, in HIPAA 2013, § 164.512(b)(1)(vi) adds language that permits a health care provider to give proof of immunization to a school, where state or other law requires the school to have such proof before admitting the student, if the provider obtains and documents agreement from the parent or guardian of the child.

The rule does not micromanage how the agreement is documented.  It leaves to the provider whether they will simply make a note in the child’s chart, print out an e-mail request from the parent, or document some other way.  However, the agreement must be an affirmative assent or request by a parent, guardian, or other person acting in loco parentis contacting a child’s health care provider to request proof of immunization be sent to the child’s school.

It’s important to point out that the agreement described here is not the same as a HIPAA-compliant authorization.  Providers are still free to use a HIPAA-compliant authorization, but in situations where that is not practical or expedient, the addition of the “agreement” eliminates the need for it.

Another thing to keep in mind is that the rule points out that the protected health information disclosed by “agreement” is limited to proof of immunization.

HIPAA 2013 Advances Easier Transmission of Immunization Information.

You can take a look at the rule here.

Please subscribe to my HIPAA and Health law updates and come back soon!


HIPAA 2013-Public Health Disclosures Without Authorization-What Happened?

HIPAA 2013 Continues to Allow for Public Health Reporting



My discussion of HIPAA 2013 regulations threatens to violate a principle of this blog which is to generally discuss things related to HIPAA and privacy in ways that people can understand, regardless of whether they are lawyers, doctors or Indian Chiefs.

By necessity, my post on HIPAA 2013 may get a little weedy.  If you hate weeds, take an airboat over them and skip to the end of the post for a quick  summary.

Quick Background on HIPAA & Public Health

HIPAA has historically contained an exemption from the authorization requirement for public health reporting. This means that covered entities can, and in many cases must, report certain events to public health authorities, and can do so without patient authorization. Public health activities include the reporting of a disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions. You can probably see why it’s important that health care providers help public health authorities track things like disease outbreaks and sexually transmitted diseases.

Carrying this theme forward,  Section 13405(d)(2) of HITECH contained an exception to the authorization requirement for exchanges of protected health information for  public health activities, as described at § 164.512(b) of the HIPAA Privacy Rule.

Another quick historical fact is that HIPAA generally frowns upon the “sale” of protected health information without patient authorization. It’s a pretty big no-no. However, some providers may charge a fee to the public health authority for providing public health data. Generally, the providers charge only their cost of making the report, plus a reasonable charge for their time. This practice has not historically been considered a “sale” of data, and there has been a recognized exception carved out for public health reporting. However, if charges get out of hand, the HHS Secretary has the authority to restrict the amount charged. There had been some discussion about whether this restriction would be made in the new rules.

It was not.  In HIPAA 2013, HHS  did not limit the exception to only those disclosures where all the covered entity receives as remuneration is a cost-based fee to cover the cost to prepare and transmit the data. So, although the sky is not the limit, there appears to be some room for covered entities to charge actual costs plus their time.

My prediction is, however, that if covered entities attempt to make public health reporting a profit center, HHS will quickly revisit the issue.  The takeaway is that  covered entities should keep their costs fair and reasonable.

Again,  HIPAA 2013 regulations continue to allow covered entities to exchange information for public health activities and for covered entities to charge a fee for reporting.

One small addition was made to  §164.502  to reference 164.514(e) of the Privacy Rule to ensure that disclosures of protected health information for public health activities in limited data set form would also be excepted from the authorization requirement, in addition to disclosures that may occur under § 164.512(b) with more identifiable information. A limited data set  is protected health information that excludes many direct identifiers of the individual or of relatives, employers, or household members of the individual such as names, postal addresses other than town, city, state and zip code and social security numbers.  There was a need to reference limited data sets because it can often be time and resource-consuming for a covered entity to produce them.


AIRBOAT THROUGH HIPAA 2013 Public Health Reporting

1.  Covered entities can and should still report everything mandated by state and federal law to the public health authority and can do it without the patient authorizing it.

2.  Covered entities can charge a fee for doing it.  They shouldn’t get too cute with it.

3.  Public health reporting is good public policy and HHS continues to recognize this.



Tomorrow I will discuss the impact of the HIPAA 2013 Changes to Public Health as it relates to immunizations.

Sleep well!

HIPAA 2013-Public Health Updates

HIPAA 2013

Julie Meadows-Keefe

HIPAA 2013 is HERE!


The Health Insurance Portability and Accountability Act of 1996, as modified by the American Recovery and Reinvestment Act (ARRA) of 2009 and its Health Information Technology for Economic and Clinical Health (HITECH) Act provisions, brought to bear the necessity of a whole new slew of regulations, which were handed down last week amid much fanfare. In the next few days, I’ll be posting some updates summarizing the highlights of HIPAA 2013!

A friend requested that I start with taking a look at HIPAA provisions relating to public health reporting and activities.

HIPAA 2013 Emphasizes That Covered Entities Should NOT Use their Business Associates for Public Health Reporting!


HHS emphasized that business associates do not have their own health care operations (see the definition of health care operations which is limited to activities of the covered entity).  Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing.  Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. See the definition of “business associate” at 45 CFR 160.103.

While a business associate does not have health care operations, it is permitted to use and disclose protected health information as necessary for its own management and administration if the business associate agreement permits such activities, or to carry out its legal responsibilities. Other than the exceptions for the business associate’s management and administration and for data aggregation services relating to the health care operations of the covered entity, the business associate may not use or disclose protected health information in a manner that would not be permissible if done by the covered entity (even if such a use or disclosure is permitted by the business associate agreement).


If you are a covered entity, make sure that you are doing your own public health reporting, as required by state and federal law, and NOT delegating that function to a business associate.

 HIPAA 2013-What’s Coming Tomorrow

Tomorrow I will provide a quick overview of what’s become of the exception to the authorization requirement for public health exchanges in order to conduct public health activities.

I invite you to leave a comment and stay in touch!

