Tagged with Privacy

HHS Is Serious About Privacy and Security!

HHS is Serious About Privacy & Security

HHS is serious about privacy and security! Last week, HHS again demonstrated this on January 2, 2013, when HHS announced the first HIPAA breach settlement involving less than 500 patients. The provider, Hospice of North Idaho, (HONI) settled with HHS for $50,000.

This is the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals.

The HHS Office for Civil Rights (OCR) began its investigation after HONI reported to HHS that an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients had been stolen in June 2010. Laptops containing ePHI are regularly used by the organization as part of their field work. Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI. Further, HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, HONI has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

HONI entered into a 2 year CAP (corrective action plan) with HHS which included the following findings related that demonstrate that HHS is serious about privacy and security

  1. HONI did not conduct an accurate and thorough analysis of the risk to the confidentiality of ePHI on an on-going basis as part of its security management process from the compliance date of the Security Rule to January 17, 2012. In particular, HONI did not evaluate the likelihood and impact of potential risks to the confidentiality of electronic PHI maintained in and transmitted using portable devices, implement appropriate security measures to address such potential risks, document the chosen security measures and the rationale for adopting those measures, and maintain on an on-going basis reasonable and appropriate security measures.
  2. HONI did not adequately adopt or implement security measures sufficient to ensure the confidentiality of ePHI that it created, maintained, and transmitted using portable devices to a reasonable and appropriate level from the compliance date of the Security Rule to May 1, 2011
  3. HONI was required to designate an authorized representative to be the point of contact with HHS throughout the 2 year corrective action plan.
  4. HONI has to report to HHS any violations of its Privacy and Security policies and detail remedial actions they have taken to respond to the violation.
  5. Any further HIPAA violations can result in additional civil money penalties.

The Resolution Agreement can be found here.

You should know that the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to the Secretary of HHS and the media within 60 days after the discovery of the breach. Smaller breaches affecting less than 500 individuals must be reported to the Secretary on an annual basis.

So many problems can be averted through diligent and consistent usage of encryption and common-sense measures that staff may use when traveling with computers and other mobile devices.

HHS is serious about Privacy and Security.  You and your practice should be too.

Tagged , , ,

Privacy and Meaningful Use Stage Two Proposed Rule

Meaningful Use Stage Two

As you might know, this week the Center for Medicare and Medicaid released its proposed rule for Meaningful Use Stage II.

You will note that the proposed rule emphasizes direct contact with patients, patient safety (especially in medication administration to those hospitalized) and a modicum of flexibility in order to reduce burdens upon providers and vendors.  There didn’t appear to be much discussion of HIPAA/privacy.

I spend a great deal of time in my practice thinking about issues of privacy and security and HIPAA compliance and was therefore interested in seeing how the draft rules dealt with these.

Where is Privacy Considered Within Meaningful Use?

A rudimentary word search revealed that the first reference to privacy was found on page 77 of a 445 page document.  That particular reference basically exorts eligible providerss”Oh, and hey, by the way, remember that thing called HIPAA!”  Actually, the reference goes on to redeem itself a bit, because it then explicitly tells provider that HIPAA does not restrict a provider from giving the patient access to his/her clinical summaries.  Indeed, the rule requires the patients be provided with their clinical summaries within 24 hours 50 percent of the time.

The next two references were music to this breach avoidance evangalist’s ears!  The draft points out the vital nature of encryption and states that almost 40 percent of large breaches rep0orted to HHS involve lost or stolen devices.  If these devices are properly encrypted, covered entities basically “get out of jail free.”  Thorough risk analysis and security updates are  also highlighted.  http://www.ofr.gov/OFRUpload/OFRData/2012-04443_PI.pdf

The rule drafters take pains to highlight that discussion of certain  HIPAA requirements within the context of defining Stage Two Meaningful Use does not in any way diminish the requirement that eligible providers adhere to all requirements of the HIPAA Privacy and Security Rules as well as state confidentiality rules.  Additionally, those providing substance abuse and mental health services are reminded to review SAMHSA regulations.  http://www.ofr.gov/OFRUpload/OFRData/2012-04443_PI.pdf

Stage Two also includes a requirement that Eligible Providers give patients the ability to access view, download and transmit their own health information within 4 business days of the information being available to the Eligible Provider.  This is less a nod to HIPAA than it is to Fair Information Practice Principles, implemented in the 1970’s, which set forth minimum standards for allowing citizens access to information collected about them.  http://www.ofr.gov/OFRUpload/OFRData/2012-04443_PI.pdf.  These principles were instrumental in HIPAA’s development.

Meaningful Use Presupposes Some meaningful protection of PHI.

In sum, the Proposed Rule defining Stage Two of Meaningful Use highlight the need to ensure adequate protection for protected health information.

The #: meaningfuluseprivacy

The 140:  Meaningful Use Stage 2 mentions HIPAA compliance & incorporates by reference more than emphasizing it.










Tagged , , ,

Nurse’s Case Against ARRA Thrown Out Again

The 140: Nurses#ARRA-based federal case against HHS dismissed again…#meaningfuluse didn’t prove her case.

The hash: #dismissed

On June 25, 2009, Plaintiffs Beatrice M. Heghmann and Robert A. Heghmann filed a lawsuit against Defendant Kathleen Sebelius, Secretary, Department of Health and Human services alleging constitutional violations in connection with the health care provisions of the American Recovery and Reinvestment Act of 2009 (the “Stimulus Act”),  (2009).     Ms. Heghmann’s husband served as her attorney.   Specifically, Ms. Heghman alleged that provisions of ARRA violation provisions of the Health Insurance Portability and Accountability Act of 1996.

The complaint alleged that the electronic health record system being developed utilizing federal dollars would undermine patient privacy.  The aspirational goal set forth in ARRA that every person in America possess an electronic health record by 2014 also concerned Plaintiff because she believed there was insufficient assurance that patient could maintain control over who could access their health information. She alleged that she and other could potentially suffer harm if their protected health information was inappropriately disclosed.

The Court granted HHS’s Motion to Dismiss on May 13, 2010, on the grounds that Plaintiffs lacked standing to bring this lawsuit. Judgment was entered for the Defendant on May 24, 2010. On June 2, 2010, Plaintiffs filed a notice of appeal to the Court of Appeals for the Second Circuit. On March 11, 2011, and after appellate briefing had begun, Plaintiffs stipulated to dismissal of their appeal. On May 4, 2011 , Plaintiffs filed a motion for relief from judgment under Federal Rules of Civil Procedure,  asking the Court to vacate its order of dismissal. Specifically, Plaintiffs argue that the Final Rule promulgated on July 2 8, 2010 by the Department of Health and Human Services (“Final Rule”) under the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), Title XIII of Division A and Title IV of Division B of the Stimulus Act, refutes the Court’s previous conclusions that (1) the policies and incentives authorized by the HITECH Act are voluntary, and (2) Plaintiffs failed to establish that they would suffer a direct injury-in fact sufficient to confer standing.  The rule pointed to by Plaintiff was the long awaited rule defining “meaningful use” of electronic health records.  This federal rule sets specific objectives that eligible professionals  and hospitals must achieve to qualify for federal incentive payments authorized in ARRA.  Plaintiffs’ motion was denied by the US District Court for the Southern District of New York on January 3, 2012.

This case highlights the concern many patients have about the privacy of their most personal information in the world of HITECH.  They wonder how or if they can opt out of electronic sharing of their health information.  Practitioners may wonder how they would deliver care to a patient who did not want their information exchanged in electronic form

For now, this particular case appers to have reached a conclusion.


S.D.N.Y.,2012. Heghmann v. Sebelius Slip Copy,(S.D.N.Y.)
1:09cv05880 (Docket) (Jun. 25, 2009)


Tagged , ,