Posted in January 2013

HIPAA 2013-Business Associates Asking “Am I My Brother’s Keeper?”

HIPAA 2013

Julie Meadows-Keefe

HIPAA 2013-New World for Business Associates-Of Biblical Proportions?

Maybe you are familiar with the Bible story in which Cain slays Abel and God asks Cain, “Where is your brother?” and Cain responds, “Am I my brother’s keeper?” If we’ve read the story, we know things weren’t too great for Cain after that! He is held responsible for his brother, as he should have been, but initially tried to say it wasn’t his problem. Like Cain, business associates under HIPAA 2013 cannot deny responsibility for data within their control.

You may zone out on me before you get to the end of this blog post, so the crux is that business associates, by definition, are now (and have been for a while) separately and directly liable for violations of the Security Rule and for violations of the Privacy Rule for impermissible uses and disclosures pursuant to their business associate contracts.

Many haven’t wanted to think about it!

To learn more, please continue reading! I promise to try and keep it interesting!

Get to Know Business Associates

In mafia movies a “business associate” might be the muscular wall of a man who collects overdue loan payments.

In other, more realistic worlds, a business associate would be someone with whom one worked, either as a co-worker or perhaps a colleague in another company.

In the HIPAA world, the term has a very distinctive and detailed definition.

What (Or Who) Is A Business Associate Under HIPAA?

The HIPAA Rules define “business associate” generally to mean a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of protected health information. Examples of business associates include:

  1. Claims processors, administrators or practice managers.
  2. Accountants, legal advisors, consultants, or data aggregators.
  3. Accrediting services.
  4. Patient safety organizations.

In short, if the person or organization is providing services to a covered entity and the provision of the service involves the disclosure of individually identifiable health information from such covered entity, that person or entity is considered a business associate. Before the HITECH Act, the Security Rule did not directly apply to business associates.

Business Associate Changes Under HITECH

Life changed for business associates under the HITECH Act. Under HITECH, the Security Rule’s administrative, physical, and technical safeguards requirements, as well as the Rule’s policies, procedures, and documentation requirements, apply directly to business associates, and HHS made business associates primarily liable for violations of the Security Rule. Therefore, under HITECH, business associates are civilly and criminally liable for violations of these provisions. HHS believes that many business associates have not appreciated, fully understood or implemented necessary compliance practices.

HIPAA 2013-Business Associates & Subcontractors

The final rule applies the business associate provisions of the HIPAA Rules to subcontractors and thus provides in the definition of “business associate” that a business associate includes a “subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.”

HHS also updated the definition of “subcontractor” to read: “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.” So, a subcontractor is a person to whom a business associate has delegated a function, activity, or service the business associate has agreed to perform for a covered entity or business associate. A subcontractor is then a business associate where that function, activity, or service involves the creation, receipt, maintenance, or transmission of protected health information.

There will be increased costs to many business associates to bring their subcontracts into compliance with business associate agreement requirements, and costs to a portion of business associates to achieve full compliance with the Security Rule.

Drop Dead Dates for Business Associates

The final rule is effective on March 26, 2013. Covered entities and business associates of all sizes will have 180 days beyond the effective date of the final rule to come into compliance with most of the final rule’s provisions. This translates into September 23, 2013. However, HHS has built another year of cushion for covered entities to update their business associate agreements. So the new documents must be fully executed no later than September 23, 2014.

In the span of time between September 23, 2013 and September 23, 2014, covered entities must ensure that they obtain satisfactory assurances from their business associates that the requirements are being met. Furthermore, business associates must also receive satisfactory assurances from their subcontractors no matter how far down the chain the information flows. Again, organizations must be COMPLIANT by September 23, 2013 and have another year to execute new business associate agreements.

That brings us to September 23, 2014 to have the updated agreements executed.

Please do not wait until September 1, 2014 to consider this!

What do Business Associates Need to Know?

Business associates are now directly liable under the HIPAA Rules for the following:

  1. Impermissible uses and disclosures.
  2. Failure to provide breach notification to the covered entity.
  3. Failure to provide access to a copy of electronic protected health information to either the covered entity, the individual, or the individual’s designee (whichever is specified in the agreement).
  4. Failure to disclose protected health information where required by the Secretary to investigate or determine the business associate’s compliance with the HIPAA Rules.
  5. Failure to provide an accounting of disclosures.
  6. Failure to comply with the requirements of the Security Rule.
  7. Business associates remain contractually liable for other requirements of the business associate agreement.
  8. Business associates will also have to comply with new requirements for notification of breaches (coming in a future post!).
  9. Business associates need to evaluate their subcontractors!

Hopefully now you understand why I started this post with a reference to the biblical story of Cain. Although these changes may not be of biblical proportions, they do represent increased levels of responsibility for any entity handling identifiable health information!

Do you have questions about what you’ve read?

Don’t consider this post legal advice!

Contact me @ julie@esq140.com or here.

I am friendly and do not bite!

Read the rule for yourself here! I recommend it, especially if you have trouble sleeping!

HIPAA 2013-Immunization Record-Agreement Instead of Authorization.

HIPAA 2013-Immunization Records Flow

Kids hate shots!  Is there anyone out there who enjoys them?

Yet, we recognize that immunizations are vital to public health because they prevent communicable disease.

As anyone with children in school knows, kids must be up-to-date on immunizations to enter school.  In this way, schools protect public health.

It’s also good public policy that barriers to kids being in school are minimized.

In this way HIPAA 2013 furthers those public policies by “loosening up” on authorization requirements for release of immunization records to schools.

Pre-HIPAA 2013, Release of Immunization Records Generally Required Authorization

Typically, schools ensure compliance with immunization requirements by requesting the immunization records from parents rather than directly from a health care provider. However, where a covered health care provider is requested to send the immunization records directly to a school, the Privacy Rule generally required written authorization by the child’s parent before a covered health care provider may do so.

This created an extra layer of difficulty for schools, doctors, clinics, parents and students.

HIPAA 2013 Goes from “Authorization” to “Agreement”

However, in HIPAA 2013, Section 164.512(b)(1) adds some language that permits a health care provider to give proof of immunization to the school if the provider gets and documents agreement from the parent or guardian of the child.

The rule does not micromanage how the agreement is documented. It leaves to the provider whether they will simply make a note in the child’s chart, print out an e-mail request from the parent, or document some other way. However, the agreement must be an affirmative assent or request by a parent, guardian, or other person acting in loco parentis contacting a child’s health care provider to request that proof of immunization be sent to the child’s school.

It’s important to point out that the agreement described here is not the same as a HIPAA-compliant authorization. Providers are still free to use a HIPAA-compliant authorization, but in situations where that is not practical or expedient, the addition of the “agreement” eliminates the need for it.

Another thing to keep in mind is that the rule points out that the protected health information that is disclosed by “agreement” is limited to proof of immunization.

HIPAA 2013 Advances Easier Transmission of Immunization Information.

You can take a look at the rule here.

Please subscribe to my HIPAA and Health law updates and come back soon!

HIPAA 2013-Public Health Disclosures Without Authorization-What Happened?

HIPAA 2013 Continues to Allow for and Encourage Public Health Reporting

Preface

My discussion of HIPAA 2013 regulations threatens to violate a principle of this blog, which is to generally discuss things related to HIPAA and privacy in ways that people can understand, regardless of whether they are lawyers, doctors or Indian Chiefs.

By necessity, my post on HIPAA 2013 may get a little weedy. If you hate weeds, take an airboat over them and skip to the end of the post for a quick summary.

Quick Background on HIPAA & Public Health

HIPAA historically contained an exemption to the authorization requirement for public health reporting. This means that covered entities can and must report certain events to public health authorities and can do so without patient authorization. Public health activities include the reporting of a disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions. You can probably see why it’s important that health care providers help public health authorities track things like disease outbreaks and sexually transmitted diseases.

Carrying this theme forward, Section 13405(d)(2) of HITECH contained an exception to the authorization requirement for exchanges of protected health information for public health activities, as described at § 164.512(b) of the HIPAA Privacy Rule.

Another quick historical fact is that HIPAA generally frowns upon the “sale” of protected health information without patient consent. It’s a pretty big no-no. However, some providers may charge a fee to the public health authority for providing public health data. Generally, the providers charge only the cost to them of making the report, as well as a reasonable charge for their time. This practice has not historically been considered a “sale” of data, and there has been a recognized exception carved out for public health reporting. However, if charges get out of hand, the HHS Secretary has the authority to restrict the amount charged. There had been some discussion about whether this restriction would be made in the new rules.

It was not. In HIPAA 2013, HHS did not limit the exception to only those disclosures where all the covered entity receives as remuneration is a cost-based fee to cover the cost to prepare and transmit the data. So, although the sky is not the limit, there appears to be some room for covered entities to charge actual costs plus their time.

My prediction is, however, that if covered entities attempt to make public health reporting a profit center, HHS will quickly revisit the issue. The takeaway is that covered entities should keep their costs fair and reasonable.

Again, HIPAA 2013 regulations continue to allow covered entities to exchange information for public health activities and for covered entities to charge a fee for reporting.

One small addition was made to § 164.502 to reference § 164.514(e) of the Privacy Rule to ensure that disclosures of protected health information for public health activities in limited data set form would also be excepted from the authorization requirement, in addition to disclosures that may occur under § 164.512(b) with more identifiable information. A limited data set is protected health information that excludes many direct identifiers of the individual or of relatives, employers, or household members of the individual, such as names, postal addresses other than town, city, state and zip code, and social security numbers. There was a need to reference limited data sets because it can often be time- and resource-consuming for a covered entity to produce them.
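The limited data set definition above, worked through as an added example (this is not the author’s code and not anything from HHS): a function that takes a record of protected health information and strips the direct identifiers so that what remains is a limited data set, plus a release gate that refuses a record in which any direct identifier survives. The field names are an assumption about how the source record is keyed; the identifier categories beyond the three the post names (names, street-level address, social security numbers) are the ones listed in 45 CFR 164.514(e)(2). Note that the result is still protected health information, as the post says, just with fewer identifiers.

```python
"""Producing a limited data set from a protected health information record
(added example; field names are assumed, sample values are constructed)."""

# Field names are an assumption about how the source record is keyed. The
# categories follow the direct identifiers that 45 CFR 164.514(e)(2) says a
# limited data set must exclude, for the individual and for relatives,
# employers and household members alike.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url",
    "ip_address", "biometric", "photo",
}
# The only postal address parts a limited data set may keep.
ALLOWED_GEOGRAPHY = {"city", "state", "zip"}


def to_limited_data_set(value):
    """Recursively drop direct identifier fields; dates and clinical data stay.

    Nested dicts (employer, household members) get the same treatment, so a
    spouse's name is removed just like the patient's.
    """
    if isinstance(value, dict):
        out = {}
        for key, item in value.items():
            if key in DIRECT_IDENTIFIERS:
                continue
            if key == "address" and isinstance(item, dict):
                # Keep town/city, state and zip; drop street and anything else.
                out[key] = {k: v for k, v in item.items() if k in ALLOWED_GEOGRAPHY}
            else:
                out[key] = to_limited_data_set(item)
        return out
    if isinstance(value, list):
        return [to_limited_data_set(v) for v in value]
    return value


def contains_direct_identifier(value):
    """Release gate: True if any direct identifier field is still present."""
    if isinstance(value, dict):
        return any(k in DIRECT_IDENTIFIERS or contains_direct_identifier(v)
                   for k, v in value.items())
    if isinstance(value, list):
        return any(contains_direct_identifier(v) for v in value)
    return False


# Constructed sample record; every value is made up.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "000-00-0000",
    "medical_record_number": "MRN-00001",
    "address": {"street_address": "1 Example St", "city": "Anytown",
                "state": "FL", "zip": "00000"},
    "birth_date": "1970-04-02",
    "admission_date": "2013-01-03",
    "diagnosis_code": "B18.2",
    "employer": {"name": "Example Corp", "city": "Anytown"},
    "household": [{"name": "John Example", "relationship": "spouse"}],
}

if __name__ == "__main__":
    lds = to_limited_data_set(SAMPLE_RECORD)
    if contains_direct_identifier(lds):
        raise SystemExit("direct identifier still present; do not release")
    print(lds)
```

The gate is the part worth copying: run it on the output, not the input, right before the data leaves the organization, so that a new field added to the source record later cannot slip through unnoticed.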

 

AIRBOAT THROUGH HIPAA 2013 Public Health Reporting

1. Covered entities can and should still report everything mandated by state and federal law to the public health authority and can do it without the patient authorizing it.

2. Covered entities can charge a fee for doing it. They shouldn’t get too cute with it.

3. Public health reporting is good public policy and HHS continues to recognize this.

Tomorrow!

Tomorrow I will discuss the impact of the HIPAA 2013 Changes to Public Health as it relates to immunizations.

Sleep well!

HIPAA 2013-Public Health Updates

HIPAA 2013

Julie Meadows-Keefe

HIPAA 2013 is HERE!

The Health Insurance Portability and Accountability Act of 1996, as modified by the American Recovery and Reinvestment Act (ARRA) of 2009 and its Health Information Technology for Economic and Clinical Health (HITECH) provisions, brought to bear the necessity of a whole new slew of regulations, which were handed down last week amid much fanfare. In the next few days, I’ll be posting some updates summarizing the highlights of HIPAA 2013!

A friend requested that I start with taking a look at HIPAA provisions relating to public health reporting and activities.

HIPAA 2013 Emphasizes That Covered Entities Should NOT Use their Business Associates for Public Health Reporting!

HHS emphasized that business associates do not have their own health care operations (see the definition of health care operations which is limited to activities of the covered entity).  Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing.  Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. See the definition of “business associate” at 45 CFR 160.103.

While a business associate does not have health care operations, it is permitted to use and disclose protected health information as necessary for its own management and administration if the business associate agreement permits such activities, or to carry out its legal responsibilities. Other than the exceptions for the business associate’s management and administration and for data aggregation services relating to the health care operations of the covered entity, the business associate may not use or disclose protected health information in a manner that would not be permissible if done by the covered entity (even if such a use or disclosure is permitted by the business associate agreement).

HIPAA 2013 HINT

If you are a covered entity, make sure that you are doing your public health reporting, as required by state and federal law, and NOT delegating that function to a business associate.

HIPAA 2013-What’s Coming Tomorrow

Tomorrow I will provide a quick overview of what’s become of the exception to the authorization requirement for public health exchanges in order to conduct public health activities.

I invite you to leave a comment and stay in touch!

Identity Theft Often Begins at the Workplace

The law is just a part of my identity

Julie Meadows-Keefe

Identity Theft and the Mythical Evil Hacker Across the World.

When we think about identity theft, maybe we tend to think about evil hackers in foreign countries trying to gain access to our data.

Or maybe we think about cerebral kids with nothing better to do than to try and gain access to confidential databases for the sheer love of doing it.

We may also picture paper medical records being thrown into the trash and being retrieved by someone who uses them to take out credit cards, loans or apply for benefits.

Sometimes the last thing we think of is malicious data theft by employees we hire to serve our patients.

Identity Theft Under Our Noses!

This recently occurred at a clinic serving low income patients in Palm Beach County, Florida. Here, an employee had been collecting the data to sell as part of a fraud scheme. Fortunately, a delivery truck driver grew suspicious of the woman, who ostensibly wanted to spend $36.00 to ship a card overnight. The driver opened the package and discovered lists with clients’ information, including clients’ social security numbers. The employee was fired and has been arrested on several counts of fraud.

Additionally, in Texas there have been several reports of similar identity thefts.

A former Texas Department of Health and Human Services worker in Mount Pleasant assumed the identity of clients receiving immunizations and other services at the Texas Department of Health and Human Services. She then used this client information and applied for credit cards online and, once approved, made as many purchases as the credit card would allow. The former employee was arrested and several hundred patient names and social security numbers were retrieved from her residence.

The former employee has been charged with Fraudulent Use or Possession of Identifying information, a 2nd Degree Felony, and Credit Card Abuse, a State Jail Felony.

What Can Be Done to Prevent Identity Theft By Trusted Employees?

Unfortunately, it is impossible to filter all bad apples out of the barrel of potential job applicants. Perhaps employees fall on hard times and feel that stealing confidential information is a quick way out of financial difficulty. They may not seek employment involving confidential data with the intent to steal it. They may also think there is a low likelihood they will be caught. This is where their logic falls apart.

Most employers storing and utilizing confidential data electronically are deploying tracking software. This allows them to see which employees are accessing which data and when it is being accessed. Assuming that the employer has someone assigned to check those logs, it can be easy to detect unauthorized access, thereby decreasing the likelihood that improperly accessed patient data can be used for identity theft purposes. If you have not deployed tracking software, this should be a top priority to accomplish in 2013.
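Tracking software only helps if someone actually reads the logs, so here is what that review can look like in practice. This is an added example, not code from the author or from any particular product: a small script that reads access-audit lines in an assumed “key=value” format (constructed sample lines, made-up user and patient ids) and flags the patterns a reviewer would want to see first: records viewed outside the employee’s assigned caseload, access after hours, export actions, and one user touching an unusually large number of distinct records. The caseload assignment and the thresholds are assumptions to be replaced with the organization’s own.

```python
"""Reviewing access-tracking logs for unusual record access (added example;
log format, caseload and thresholds are assumptions, sample lines constructed)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines in an assumed "key=value" format:
# timestamp, user, role, patient record id, action.
SAMPLE_LOG = """\
2013-01-07T09:12:03 user=jsmith role=billing patient=P1001 action=view
2013-01-07T09:15:44 user=jsmith role=billing patient=P1002 action=view
2013-01-07T13:02:10 user=mlee role=clerk patient=P2001 action=view
2013-01-07T13:04:51 user=mlee role=clerk patient=P2002 action=view
2013-01-07T22:31:07 user=mlee role=clerk patient=P2003 action=view
2013-01-07T22:31:39 user=mlee role=clerk patient=P2004 action=export
2013-01-07T22:32:02 user=mlee role=clerk patient=P2005 action=export
2013-01-07T22:32:30 user=mlee role=clerk patient=P2006 action=export
"""

# Assumed assignment of patient records to staff (for example, the accounts a
# billing clerk is working this week). Access outside it deserves a second look.
CASELOAD = {
    "jsmith": {"P1001", "P1002", "P1003"},
    "mlee": {"P2001", "P2002"},
}


def parse_line(line):
    """Turn one audit line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def review_log(log_text, caseload, max_distinct=5, night_start=20, night_end=6):
    """Return a list of (user, patient, reason) findings.

    Checks: access outside the user's assigned caseload, access after hours,
    export actions, and a high count of distinct records touched by one user.
    """
    findings = []
    touched = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, patient = rec["user"], rec["patient"]
        touched[user].add(patient)
        if patient not in caseload.get(user, set()):
            findings.append((user, patient, "outside assigned caseload"))
        hour = rec["ts"].hour
        if hour >= night_start or hour < night_end:
            findings.append((user, patient, "after-hours access"))
        if rec.get("action") == "export":
            findings.append((user, patient, "bulk export action"))
    for user, patients in touched.items():
        if len(patients) > max_distinct:
            findings.append((user, "*", f"{len(patients)} distinct records"))
    return findings


def users_to_review(findings):
    """Distinct users whose activity needs a human look."""
    return sorted({user for user, _, _ in findings})


if __name__ == "__main__":
    results = review_log(SAMPLE_LOG, CASELOAD)
    for user, patient, reason in results:
        print(user, patient, reason)
    print("review:", users_to_review(results))
```

On the sample, jsmith stays within the assigned accounts during the day and produces nothing, while mlee’s evening run through six records, four of them outside the caseload and three exported, is exactly the pattern the two stories above describe. The point of writing the rules down is that the review becomes a routine task someone is assigned, rather than a search through raw logs after a package has already been opened.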

Next, employers should be consistently training on HIPAA Privacy and Security Policies. This training should contain ample “scare tactics” of what happens to people who violate the policies. I’ve included two examples in this post. Jobs are lost, arrests are made, lives are ruined.

It is gratifying to see that both employers in the above examples appear to have acted appropriately in terminating the employees, communicating with authorities and potentially affected patients, and reflecting transparently on what other measures they are taking to ensure these incidents do not occur again.

If you are cultivating a culture of compliance in your organization, it goes a long way towards making sure that identity thieves do not feel welcomed as employees.

HHS Is Serious About Privacy and Security!

HHS is Serious About Privacy & Security

HHS is serious about privacy and security! Last week, on January 2, 2013, HHS again demonstrated this when it announced the first HIPAA breach settlement involving fewer than 500 patients. The provider, Hospice of North Idaho (HONI), settled with HHS for $50,000.

This is the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals.

The HHS Office for Civil Rights (OCR) began its investigation after HONI reported to HHS that an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients had been stolen in June 2010. Laptops containing ePHI are regularly used by the organization as part of their field work. Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI. Further, HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, HONI has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

HONI entered into a 2 year CAP (corrective action plan) with HHS, which included the following findings and requirements that demonstrate that HHS is serious about privacy and security:

  1. HONI did not conduct an accurate and thorough analysis of the risk to the confidentiality of ePHI on an on-going basis as part of its security management process from the compliance date of the Security Rule to January 17, 2012. In particular, HONI did not evaluate the likelihood and impact of potential risks to the confidentiality of electronic PHI maintained in and transmitted using portable devices, implement appropriate security measures to address such potential risks, document the chosen security measures and the rationale for adopting those measures, and maintain on an on-going basis reasonable and appropriate security measures.
  2. HONI did not adequately adopt or implement security measures sufficient to ensure the confidentiality of ePHI that it created, maintained, and transmitted using portable devices to a reasonable and appropriate level from the compliance date of the Security Rule to May 1, 2011.
  3. HONI was required to designate an authorized representative to be the point of contact with HHS throughout the 2 year corrective action plan.
  4. HONI has to report to HHS any violations of its Privacy and Security policies and detail remedial actions they have taken to respond to the violation.
  5. Any further HIPAA violations can result in additional civil money penalties.

The Resolution Agreement can be found here.

You should know that the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” affecting 500 individuals or more to the Secretary of HHS and the media within 60 days after the discovery of the breach. Smaller breaches affecting fewer than 500 individuals must be reported to the Secretary on an annual basis.

So many problems can be averted through diligent and consistent usage of encryption and common-sense measures that staff may use when traveling with computers and other mobile devices.

HHS is serious about Privacy and Security. You and your practice should be too.

What Are Physical Safeguards?

Julie Meadows-Keefe

Physical Safeguards are important.

You never know who your patient (or patient’s mom) is…

A few nights ago my daughter was sick enough to warrant a trip to the ER. (She’s fine now, thank you).

In my haste to get her there, I left my cell phone at home so on two occasions I used the phone at a station in the ER. On one occasion, I was led to the phone where the staff member dialed 9, let me dial the number and left me standing in front of the computer screen on the desk. It had identifiers for the current patients in the pediatric ER. I deliberately averted my eyes.

On the next occasion, the staff member dialed 9 and the number I wanted and instructed me to stand behind the computer screen.

Props to staff member number 2. She used what’s known as physical safeguards, which simply means that she used measures to prevent me from seeing other people’s information.

HIPAA’s Definition of Physical Safeguards

HIPAA defines physical safeguards as policies and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. Therefore, health care providers like the ER must implement policies and procedures to limit physical access to their electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. HIPAA also requires that health care providers implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.

In this example, a provider serving mainly HIV patients entered into a resolution agreement with Health and Human Services that required it to reposition its computer monitors to prevent patients from viewing information on the screens. The practice installed computer monitor privacy screens to prevent impermissible disclosures.

Physical Safeguards Are Important

This isn’t meant to call out a “wrongdoing”, just to illustrate how easy it is to forget to protect someone’s data and how easy it is to protect it.

Training staff on practices using actual scenarios like mine and repeating the training often are keys to success. Ingrain it so it can’t be forgotten easily. Kind of like those ubiquitous “employees must wash hands before returning to work” signs.

Have you ever seen anyone’s data by mistake? What did you see?
