HIPAA Audit Program Phase II – Have You Been Selected?

Phase II of the HIPAA Audit Program has begun, with many covered entities and business associates receiving an “Audit Entity Contact Verification” message from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The communication requires the individual recipient to verify that he or she is the primary contact for the HIPAA Audit Program.

Does the receipt of this form mean that your entity has been selected for an audit? Not necessarily.

Although receipt of the communication is not a guarantee of an audit,  it is the first step in a process that may lead to a comprehensive HIPAA compliance audit of your entity.  According to OCR, the process for the HIPAA Audit Program is as follows:

  1. Contact Verification: OCR will send the Audit Entity Contact Verification to a covered entity or business associate to determine the entity’s primary contact for HIPAA purposes. Covered entities and business associates who receive the form should respond and not ignore OCR’s request for verification.  OCR has made it clear that entities who do not respond could still be subject to an audit.
  2. Questionnaire: After the entity’s contact information is verified, OCR will send a questionnaire to each covered entity and business associate to determine the size, type, and operations of the entity.  Covered entities will also be required to identify each of their business associates. OCR will use this data to develop the pool of potential auditees for the HIPAA Audit Program.
  3. Selection: OCR will then randomly select entities from the pool for audit.  If selected, the entity will have to visit an OCR web site and upload its HIPAA privacy policies, security policies, and most recent risk assessment. Based on the information uploaded, it is possible that OCR will arrange for an on-site visit of the entity.

The bottom line is that your receipt of the Audit Entity Contact Verification message does not necessarily mean that your entity will be selected for a HIPAA audit.  However, your entity will likely be placed into the pool from which OCR will select entities to audit.

If nothing else, the receipt of the Audit Entity Contact Verification communication should motivate your entity to review current HIPAA privacy and security policies and ensure that they conform to the requirements of HIPAA and the HITECH Act.  In addition, your entity should perform an updated risk analysis to uncover and address gaps in your HIPAA security policies and procedures.

A basic risk analysis should include the following components:

  1. Inventory: An inventory listing all of your information assets that contain health information (e.g. computers, laptops, smartphones, etc.);
  2. Threats: Potential threats to the security of your information assets;
  3. Controls: Current controls to safeguard the assets against the threats;
  4. Vulnerabilities: Any vulnerabilities in the controls;
  5. Likelihood: The likelihood that the threats will exploit the vulnerabilities;
  6. Impact: The impact if the vulnerabilities are exploited (e.g. how much health information is at risk); and
  7. Risk: The overall risk of a threat, based on the likelihood and potential impact of the threat’s exploitation of a vulnerability.

It is important to develop policies and procedures to address any risks that your entity uncovers as a result of the risk analysis.
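The seven components above map naturally onto a risk register. The following Python is an added example written for this post, not the author’s own method or any HHS tool: it records an asset inventory, pairs each asset with a threat and a control gap, discounts likelihood for controls already in place, derives impact from the number of records the asset exposes, and ranks the resulting scores so the highest-risk gaps are the first to get a policy or procedure. The 1-5 scales, the control reductions, the impact tiers and the sample assets are all constructed assumptions; only the 500-record cut-off in the impact tiers is borrowed from a real figure, the HIPAA Breach Notification Rule’s media-notice threshold.

```python
"""Minimal HIPAA-style risk register: inventory -> threats -> controls -> vulnerabilities
-> likelihood -> impact -> risk.  Scales and sample data are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List

# Constructed 1-5 ordinal scales (assumption; not from the article or any HHS guidance).
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
ACTION_THRESHOLD = 12  # constructed: a score at or above this needs a documented treatment plan


def impact_from_records(n: int) -> int:
    """Map the number of individuals' records an asset can expose to the 1-5 impact scale.
    Tiers are constructed; the 500 boundary mirrors the Breach Notification Rule's
    threshold for media notice and immediate HHS notice."""
    if n < 10:
        return 1
    if n < 100:
        return 2
    if n < 500:
        return 3
    if n < 5_000:
        return 4
    return 5


@dataclass
class Asset:
    """Inventory entry: an information asset that stores or transmits health information."""
    name: str
    kind: str            # e.g. laptop, server, smartphone
    phi_records: int     # approximate number of individuals whose PHI the asset holds


@dataclass
class Control:
    """A safeguard currently in place and how many likelihood steps it removes (constructed)."""
    name: str
    likelihood_reduction: int


@dataclass
class Scenario:
    """One threat / vulnerability pair against one asset."""
    asset: Asset
    threat: str
    vulnerability: str           # the gap in the current controls
    inherent_likelihood: int     # 1-5, before any control is credited
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.inherent_likelihood not in LIKELIHOOD_SCALE:
            raise ValueError(f"likelihood must be 1-5, got {self.inherent_likelihood}")

    def residual_likelihood(self) -> int:
        """Likelihood after crediting existing controls, clamped to the 1-5 scale."""
        reduction = sum(c.likelihood_reduction for c in self.controls)
        return max(1, min(5, self.inherent_likelihood - reduction))

    def impact(self) -> int:
        return impact_from_records(self.asset.phi_records)

    def risk(self) -> int:
        """Risk = residual likelihood x impact (component 7 of the analysis)."""
        return self.residual_likelihood() * self.impact()


def rank(register: List[Scenario]) -> List[Scenario]:
    """Highest risk first; ties broken by asset name so output is deterministic."""
    return sorted(register, key=lambda s: (-s.risk(), s.asset.name))


def needing_treatment(register: List[Scenario], threshold: int = ACTION_THRESHOLD) -> List[Scenario]:
    """Scenarios that must get a policy/procedure or technical fix."""
    return [s for s in rank(register) if s.risk() >= threshold]


def report(register: List[Scenario]) -> List[str]:
    """One line per scenario, ranked, in a form that can go straight into the risk analysis record."""
    lines = []
    for s in rank(register):
        lines.append(
            f"{s.risk():>2}  {s.asset.name} | {s.threat} | gap: {s.vulnerability} | "
            f"likelihood {LIKELIHOOD_SCALE[s.residual_likelihood()]}, impact {IMPACT_SCALE[s.impact()]}"
        )
    return lines


def build_sample_register() -> List[Scenario]:
    """Constructed sample inventory and scenarios (assumption, not a real entity)."""
    laptop = Asset("clinician laptop", "laptop", 2_000)
    ehr = Asset("EHR database server", "server", 80_000)
    phone = Asset("on-call smartphone", "smartphone", 40)
    return [
        Scenario(laptop, "theft from vehicle", "no full-disk encryption enforced", 4,
                 [Control("screen lock", 1)]),
        Scenario(ehr, "credential stuffing against remote access", "no MFA on VPN", 4,
                 [Control("account lockout", 1)]),
        Scenario(ehr, "ransomware via phishing", "backups on same network segment", 3,
                 [Control("email filtering", 1), Control("endpoint detection", 1)]),
        Scenario(phone, "loss of device", "PHI cached in text messages", 3,
                 [Control("remote wipe", 1), Control("PIN and encryption", 2)]),
    ]


if __name__ == "__main__":
    for line in report(build_sample_register()):
        print(line)
```

With the constructed data, the unprotected VPN on the EHR server (score 15) and the unencrypted laptop (12) cross the action threshold, while the well-controlled smartphone drops to 2; the point is that the same methodology, applied consistently, tells you where to write the policy first.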

Although the HIPAA Audit Program can be a source of anxiety for covered entities and business associates, it can also be a great opportunity to update HIPAA policies and procedures and ensure that your entity is doing everything possible to safeguard health information.

For more information about the HIPAA Audit Program and HIPAA compliance issues, please contact Casey Moriarty.

A Question of Privilege: Protecting Data in a Clinically Integrated Network

In this emerging era of healthcare reimbursement based on value, many providers are considering different ways to provide services to patients.  The old fee-for-service model, which often awarded providers based on volume, is being replaced with a model that incentivizes providers to provide quality care at reduced costs.

In order to position themselves for value-based reimbursement, many providers have banded together to form clinically integrated networks (CINs) to coordinate and standardize patient care across various service lines.

Whatever term is given to these networks (e.g. CINs, accountable care organizations, accountable care networks, etc.), the goal of these entities is to enable a diverse array of independent providers to provide high quality, value-based care.

Many CINs have entered into “shared savings” contracts with payors, under which a CIN’s provider-members have the monetary incentive to meet certain quality-based metrics.

In order for these networks to be truly “clinically integrated,” it is critical that provider-members transmit data to the CIN related to their treatment of patients.

For example, in order to ensure the proper care of patients, primary care providers may be required to provide the CIN with the blood pressure levels of patients who are managing high blood pressure.

To incentivize high quality care, the providers whose patients have blood pressure levels consistently within an acceptable range will receive a larger payout of any “shared savings” money than providers whose patients consistently have higher levels.

Without the receipt of detailed treatment data from providers, CINs would not be able to effectively set quality-based metrics, recommend best practices, and incentivize value-based care.

But there is an important question that CINs should consider: Is the data submitted by a CIN’s provider-members privileged and protected from discovery in a lawsuit?

The Peer Review Privilege

The importance of protecting sensitive information related to a healthcare provider’s services is not a new concept.

Many states throughout the country have recognized the “quality improvement” or “peer review” privilege, which protects certain documents and information that are created during the course of a quality assurance review of a provider’s treatment of patients.

The privilege is a critical mechanism to ensure that peer reviewers engage in frank and open discussion of a provider’s practice without the threat of having all of their discussions obtained by a patient or the patient’s attorney.

For example, let’s assume that a peer review committee of a hospital is reviewing the competence of an OB/GYN physician whose patient had complications during childbirth.  The patient has provided her notice of intent to sue the hospital and the physician for malpractice.

In order to ensure that physician-error did not contribute to the bad result, the hospital’s peer-reviewers closely scrutinize the physician’s performance, and also the performance of the hospital’s support staff.  Their objective is to find any deficiencies that can be corrected for future cases.

Without the peer review privilege, the hospital could be forced to release the peer reviewers’ frank discussions related to the providers’ and hospital’s potential culpability to the patient’s malpractice attorney.  These self-critical discussions and documents could be a goldmine for the patient’s case against the hospital.

Clearly, the peer review privilege is essential for a healthcare provider’s risk management.

Peer Review Privilege and Clinically Integrated Networks

Providers and CINs commonly assume that the peer review privilege applies to any data transmitted between the CIN and the CIN’s provider-members.

But this might not be an accurate assumption.

In reality, the peer review privilege in many states is very narrow and only applies if the provider has met strict requirements.

For example, the Washington State peer review privilege solely applies to information created specifically for, and collected and maintained by a regularly constituted “coordinated quality improvement committee.”

The privilege is waived if any of the information or documents are disclosed to anyone outside of the committee.  One key exception is that a coordinated quality improvement committee of one entity may share information with a coordinated quality improvement committee of another entity.

The primary issue for CINs is that Washington State law only allows certain entities, such as hospitals, medical facilities, provider groups of five or more providers, and health carriers, to form a coordinated quality improvement committee.  WAC 246-50-005.

The rules do not explicitly permit a clinically integrated network or accountable care organization that is a separate legal entity from a medical facility or hospital to form a coordinated quality improvement committee.

Therefore, under Washington State law, there is a risk that provider data shared with a CIN will be unprotected from discovery in a lawsuit.

A Possible Alternative: The Patient Safety and Quality Improvement Act

It may come as a surprise to many CINs and providers that data shared between a CIN and a provider could be subject to discovery in a legal proceeding.  However, unless a state law allows a CIN to take advantage of the peer review privilege, quality data received by a CIN is potentially at risk.

One alternative that CINs should consider is the privilege set forth in the federal Patient Safety and Quality Improvement Act (PSQIA).

The PSQIA is federal law enacted in 2005 that created a broad privilege for “patient safety work product,” which a provider may disclose to a “patient safety organization.” These terms are defined as follows:

  • Patient Safety Organization (PSO): A private or public entity (or component of such entity) that is listed as a PSO by the Secretary of Health and Human Services.
  • Patient Safety Work Product (PSWP): Includes any data, reports, records, memoranda, analyses, or written or oral statements which could improve patient safety, health care quality, or health care outcomes; and
    • Which are assembled or developed by a provider for reporting to a PSO and are reported to a PSO; or
    • Are developed by a PSO for the conduct of patient safety activities; or
    • Which identify or constitute a provider’s deliberations, analyses, or reporting related to information disclosed to a PSO.  A provider’s procedures for collecting and reporting information to a PSO are known as the provider’s “patient safety evaluation system” (PSES).

Importantly, PSWP does not include the original medical record of the patient or other information that is collected or maintained separately from the provider’s collection and reporting to the PSO.

Therefore, if a CIN were to create a PSO, quality information shared between a CIN and its provider-members could be protected from discovery in a lawsuit.  Even better, the PSQIA privilege is never waived – even if the information or documents are subsequently improperly disclosed by the PSO.

In comparison to the Washington State peer review privilege, the privilege under the PSQIA appears to be broader and more appropriate for the activities of a CIN.

Creating a PSO for a Clinically Integrated Network

Although the privilege protections of the PSQIA should interest CINs and their participating members, it is important to review the major steps needed for the proper creation of a PSO.

  1. Eligibility: The first step is to confirm that the CIN is eligible to create a PSO.  Under the rules, any private or public entity can create a PSO, so long as the entity is not listed as “excluded” by the PSQIA. The list of excluded entities includes:
    • Health insurers;
    • Regulatory agencies;
    • Accreditation and licensure entities; and
    • Entities that administer a federal, state, local, or tribal patient safety reporting system to which health care providers are required to report.

If one of these types of agencies has an ownership interest in the CIN, it is critical that the CIN’s governing documents make clear that such entities do not exercise any control over the operation of the PSO.

  2. Separate Legal Entity: In order to ensure compliance with the PSQIA, and to insulate liabilities, the CIN should consider forming the PSO as a separate legal entity (e.g. a limited liability company). The primary mission of the separate PSO entity must be the improvement of patient safety and the quality of health care delivery. Under the PSQIA rules, the PSO would be a “component” of the CIN.
  3. Workforce: The PSO must be staffed by a qualified “workforce,” which must include employed or contracted licensed healthcare providers. The CIN can share staff with the PSO, but such staff members should sign confidentiality agreements stating that they will not improperly disclose PSWP to the CIN.
  4. Policies: The PSO must create policies and procedures to meet the eight patient safety criteria that the PSQIA rules require of a PSO:
    • Efforts to improve patient safety and the quality of health care delivery;
    • The collection and analysis of PSWP;
    • The development and dissemination of information with respect to improving patient safety, such as recommendations, protocols, or information regarding best practices;
    • The utilization of PSWP for the purposes of encouraging a culture of safety and of providing feedback and assistance to effectively minimize patient risk;
    • The maintenance of procedures to preserve confidentiality with respect to PSWP;
    • The provision of appropriate security measures with respect to PSWP;
    • The utilization of qualified staff; and
    • Activities related to the operation of a PSES and to the provision of feedback to participants in a PSES.
  5. Participation Agreement: The PSO should enter into a template Participation Agreement with the CIN’s provider-members. Among other requirements, the Agreement should specify a standardized manner for the providers’ transmission of data to the PSO. The PSO and the CIN’s provider-members should also enter into a HIPAA Business Associate Agreement.
  6. Patient Safety Evaluation System: Each provider entity should set up its own policies and procedures for reporting PSWP to the PSO. This reporting structure will be each provider’s “patient safety evaluation system.”
  7. Consent for Disclosure to the CIN: The PSQIA permits a PSO to disclose PSWP back to a participating provider for “patient safety activities.”  However, because a CIN is not a “provider” of healthcare services, it is not able to contract with the PSO and receive PSWP. This could be a problem if the CIN needs access to identifiable PSWP in order to develop quality metrics, create best practices for the members, or distribute any shared savings money.  In order to ensure that the CIN is able to receive PSWP from the PSO, each CIN provider-member should sign a consent that permits the PSO to disclose PSWP to the CIN for the purposes of clinical and financial integration.
  8. Apply for Certification: In order to officially become a PSO, the PSO entity should apply for listing with the Agency for Healthcare Research and Quality (AHRQ) (https://pso.ahrq.gov/forms/initial/). After approval, the PSO will be listed for a period of three years. The PSO must renew its listing after the three year period.

Please note that this is not an exhaustive list of requirements for PSOs, but it does contain many of the major steps that should be considered in forming a PSO.

By going through the process of forming a PSO, a CIN may have a better chance of protecting sensitive quality data than relying on state peer review privilege laws.

For more information on the peer review privilege, clinically integrated networks, and patient safety organizations please contact Casey Moriarty.

Home Is Where The Patient Is – The New Washington State Telemedicine Bill

It is official. The Washington State Legislature appears to have bought into the promise of telemedicine. For the second year in a row, the Legislature has passed a bill (Senate Bill 6519) that helps reduce the barriers to patient access to remote healthcare.

Senate Bill 6519 builds on the 2015 telemedicine bill in the following ways:

  1. It establishes a collaborative that is tasked with determining the best course for telemedicine in Washington; and
  2. It requires health insurers to pay providers for telemedicine services provided to a patient who is located at his or her home.

Telemedicine Collaborative

The bill creates a telemedicine collaborative, to be convened by July 1, 2016, whose purpose is to “enhance the understanding and use of health services provided to telemedicine and other similar models in Washington State.”

The members of the collaborative will include representatives from the Washington State House and Senate, academic community, hospitals, clinics, health care providers, insurers, and other interested parties.

The collaborative will focus on developing recommendations on improving telemedicine reimbursement and access to services. It will also determine best practices for telemedicine, including billing and fraud and abuse compliance, and explore other priorities identified by the members.

One specific item that the collaborative must consider is the creation of a “technical assistance center” to support providers in implementing or expanding telemedicine services. The bill does not specify how such a center would be funded.

The collaborative must submit an initial progress report on its activities by December 1, 2016, and follow-up reports by December 1, 2017, and December 1, 2018.

Reimbursement for Home-Based Telemedicine Services

One key requirement in the 2015 telemedicine bill was that insurers must reimburse providers for telemedicine services if:

  1. The insurer provides coverage of the health care service when provided in person by the provider;
  2. The health care service is medically necessary; and
  3. The health care service is a service recognized as an essential health benefit under the Patient Protection and Affordable Care Act.

Also, the bill only required an insurer to pay a provider if the patient receiving telemedicine services was located in a healthcare facility that met the definition of “originating site.”

Under the 2015 bill, if a patient receiving telemedicine services was located in his or her home, the insurer had no obligation to reimburse the provider for the services. This was a major limitation for many healthcare professionals, including mental health providers, who desired to provide telemedicine services to patients in the security and privacy of their home.

The new bill does away with this limitation. A patient’s “home” is now listed as an “originating site.” Therefore, an insurer is required to reimburse a provider for telemedicine services that are provided to a patient located in his or her home.

However, presumably to make the “home” change palatable to insurers, the bill also includes new requirements on telemedicine services, including the following:

  1. The health care service must be determined to be safely and effectively provided;
  2. The health care service must be provided according to generally accepted health care practices and standards; and
  3. The technology used to provide the health care service must meet the standards required by state and federal privacy and security laws (e.g. HIPAA).

These standards are relatively vague and could allow an insurer to deny reimbursement for a service if it determines that the service did not meet professional standards or HIPAA requirements.

For example, if a patient who is located at his or her home utilizes a video conferencing system to speak with a provider, the provider needs to ensure that the system meets HIPAA standards for the transmission of electronic health information.

Conclusion

The 2016 Washington telemedicine bill is a step in the right direction for remote healthcare in Washington. With that said, the true success of the bill is dependent on the ability of the collaborative to understand and address the current barriers to telemedicine in Washington.

The bill’s option for patients to receive telemedicine services at home could help to remove some of these barriers; however, the usefulness of this change is dependent on how insurers interpret the increased standards that require services to be provided according to “accepted practices” and in accordance with “privacy and security laws.”

For more information about telemedicine, please contact Casey Moriarty.

4 Ways That HIPAA Encourages the Disclosure of Health Information

What’s the first word that comes to mind when you see the term “HIPAA”?

For many individuals in the healthcare market, the word is “NO.”

“Just say no” is a common answer for covered entities and business associates when they are faced with a decision about whether to disclose health information.

But what if I told you that HIPAA actually permits (and even requires) you to say “yes” to many disclosures of health information?

One of the most overlooked aspects of HIPAA is that there are sections that encourage the free-flow of information.  Examples include: (1) disclosures for treatment purposes, (2) disclosures for patient access, (3) disclosures to minimize an imminent danger, and (4) disclosures that are required by state laws.

Disclosures for Treatment Purposes

Let’s get one thing clear: HIPAA allows the disclosure of health information for treatment purposes.

A common misconception among providers is that HIPAA prevents or limits health care providers from sharing health information between each other to provide care for a patient.

This is not true.

I also commonly hear the idea that HIPAA requires a Business Associate Agreement in order for a provider to share health information for the purpose of treating a patient.

This is not true.

In fact, the HIPAA treatment disclosure exception is so broad that it applies to disclosures between health care providers AND the “coordination or management of health care” by a provider and a third party.

The third party does not even have to be a health care provider!

For example, an eye doctor can disclose health information to a contact lens distributor in order to confirm a prescription.  The distributor is not a health care provider, but the disclosure is for the purpose of treatment of the patient.

Patient Access

One common idea is that patients do not have an unfettered right to access their entire medical record.

Many providers feel that they, not the patient, have ownership of the patient’s health information and have no obligation to give the patient unrestricted access.

This opinion has led to more than one Office for Civil Rights investigation.

In reality, HIPAA gives patients broad rights to access their health information and health care providers are required to honor patient requests. Patients are also not required to fill out an Authorization for Release of Records when requesting their own health care information.

With that said, there are some important exceptions to the patient’s access rights under HIPAA, including the limitation on accessing psychotherapy notes, information compiled in anticipation of a lawsuit, or if the access is prohibited under some other law.

But in general, patients have the right to access all of their health information that a provider uses to make treatment decisions about a patient. This includes any health information that a provider received from other providers.

Denial of such access could constitute a HIPAA violation.

Disclosures to minimize an imminent danger or assist law enforcement

Another way that HIPAA encourages the disclosure of health information is seen in the allowable disclosure to minimize an imminent threat to health or safety of an individual or of the public.

HIPAA permits covered entities to disclose health information to persons reasonably able to prevent or lessen the threat.

In addition, HIPAA permits covered entities to disclose health information to law enforcement authorities to identify or apprehend an individual in the following circumstances:

  • An individual makes a statement admitting participation in a violent crime that the covered entity reasonably believes may have resulted in serious physical harm to the victim.
  • Where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody.

There are some key exceptions to this permissive disclosure for mental health counselors. State laws may further restrict the extent of the disclosure exceptions.

However, these are important exceptions that can prevent danger to members of the community.

Disclosures Required By State Law

Another permissive type of disclosure under HIPAA is any disclosure required by state law. A few common disclosure obligations under state law are:

  • Reporting cases of child abuse
  • Reporting cases of vulnerable adult abuse
  • Reporting to law enforcement if an individual has certain types of wounds (e.g. bullet wound).

The HIPAA “required by law” disclosure exception makes it essential for covered entities and business associates to review their state mandatory reporting laws.

Focusing only on the federal HIPAA regulations to inform your disclosure obligations is a mistake.

Conclusion

HIPAA does not always mean “no.”

Of course, it is easy for healthcare market participants to believe this stereotype.  The horror stories of large fines levied on covered entities and business associates who improperly disclose health information are so common.

However, there are many permissive (and some required) disclosures under HIPAA that covered entities and business associates must understand and implement in their business operations.

Learning the types of health information disclosures that HIPAA prohibits and encourages will facilitate the proper flow of information, improve patient experience, and help avoid costly government investigations and fines.

For more information about HIPAA, please contact Casey Moriarty.

Finally! Washington Has A Telemedicine Bill. But What’s In It?

After many years of effort, the Washington State Legislature has sent a telemedicine bill to the Governor for signature.

It is an exciting achievement, but now that the bill has passed, we need to answer an important question: “What is actually in the bill?”

Payment for Professional Telemedicine Services

The primary purpose of the bill is to require health insurance companies, Medicaid managed care plans, and health plans offered to Washington State employees to reimburse health care providers who provide professional services via telemedicine technology.

This is critical because, prior to the bill, insurance companies had no obligation to reimburse providers for telemedicine services.

One unfortunate aspect of the new law is that it does not set the specific reimbursement rate for telemedicine services. In other words, nothing requires health plans to pay for telemedicine services at the same rate as an in-person encounter.

Instead, the rate for telemedicine services will be whatever the health plan and provider agree upon in the negotiated provider agreement between the parties.

Additionally, in order to receive the negotiated rate, providers must pay special attention to the detailed reimbursement requirements of the bill:

Health Care Providers

The bill states that only “health care providers” are entitled to reimbursement for telemedicine services. Fortunately, “health care provider” is defined broadly and includes any of the licenses listed in Title 18 of the Revised Code of Washington.

A health plan need only reimburse health care providers that are contracted with the health plan.

“Out of network” reimbursement is not required.

Types of Technology

The bill applies to both real time “telemedicine” technology and “store and forward” services.

“Telemedicine” technology is a real-time, interactive, video and audio conference between a patient and a provider.  Think “Skype.”

“Store and forward” technology is a system by which information is sent to an intermediate location where it is kept and, at a later time, sent to the intended destination.

This type of technology is very common in the teleradiology and teledermatology fields in which specialists provide reads for digital images of patients.

Unlike telemedicine technology, the bill has some critical restrictions on the use of store and forward technology:

  • The bill requires an associated office visit between the patient and referring health care provider if store and forward technology is used. The use of “telemedicine” technology, as defined above, can meet the office visit requirement; and
  • A health plan only has the obligation to provide reimbursement for a service provided via store and forward technology if the service is specified in the negotiated agreement between the health plan and the provider.

The second restriction is a big deal.

Under this restriction, the bill does not require a health plan to pay a provider for services rendered via store and forward technology if such services are not explicitly covered in the provider agreement between the provider and health plan.

Therefore, it is critical that providers using store and forward technology pay close attention to their provider agreements with health plans.

Types of Telemedicine Services

The bill is clear that health plans only have the obligation to provide reimbursement for services that meet all of the following criteria:

  • Reimbursement is only required if the health plan provides coverage of the same service when it is provided in person;
  • The service must be an “essential health benefit” under the Affordable Care Act; and
  • The service is medically necessary.

Health plans have no requirement to provide reimbursement if these three requirements are not met.

Payment For Facility Fees

In discussing the facility fee issue, it is important to understand that there are always two different sites in a telemedicine encounter:

  • The Originating Site: This is the location where the patient is physically located. For reimbursement purposes, originating sites can be hospitals, rural health clinics, federally qualified health centers, health care provider offices, community mental health centers, skilled nursing facilities, or renal dialysis centers (except independent renal dialysis centers).
  • The Distant Site: This is the location where the health care provider is physically located at the time telemedicine services are rendered.

As described above, the bill requires health plans to reimburse providers for the professional services they perform at the distant site during a telemedicine encounter.

But what about the originating site facility where the patient is located? Are health plans required to reimburse these facilities?

The answer is no.

According to the bill, originating site providers are only entitled to facility fees if such fees have been negotiated in the provider’s contract with the health plan.

The bill does not require any health plan reimbursement to the originating site if a health plan refuses to include reimbursement for facility fees in its provider agreement.

This is unfortunate for rural providers who would have benefited from the requirement for health plans to pay facility fees for telemedicine.

Hospital Credentialing and Privileging of Telemedicine Physicians

Aside from reimbursement, another important part of the bill is the changes to the requirements for hospital credentialing and privileging of telemedicine physicians.

In the hospital world, a physician can only provide services at a hospital if the physician is properly credentialed and privileged.  Therefore, a physician who provides telemedicine services to a patient at an originating site hospital technically must be credentialed and privileged by that hospital.

Prior to the bill, Washington law required hospitals to engage in a detailed credentialing process of requesting information from a physician who was applying for privileges.  The hospital also had to request information from hospitals and facilities that had granted privileges or employed the physician.

This cumbersome process could unnecessarily delay the provision of telemedicine services.

Under the bill, the credentialing requirements no longer exist for telemedicine physicians.

The bill states that an originating site hospital may rely on a distant site hospital’s decision to grant or renew privileges for a telemedicine physician if the originating site enters into a written contract with the distant site.

The contract must have the following provisions:

  • The distant site hospital providing the telemedicine services must be a Medicare participating hospital;
  • Any physician providing telemedicine services at the distant site hospital must be fully privileged to provide such services by the distant site hospital;
  • Any physician providing telemedicine services must hold and maintain a valid license to perform such services issued or recognized by the state of Washington; and
  • The originating site hospital must have evidence of an internal review of the distant site physician’s performance of the privileges and must send the distant site hospital performance information for use in the periodic appraisal of the distant site physician.

Conclusion

There is much to like in Washington’s new telemedicine bill.

For the first time, private health plans are required to pay for telemedicine services. Additionally, the process of hospital credentialing and privileging of telemedicine physicians has been streamlined.

But the bill is not perfect.

Without specific requirements on rates, health plans have the ability to reimburse telemedicine services at a much lower rate than in-person services.  Large health systems may have leverage to negotiate for higher reimbursement in provider agreements, but smaller and rural providers may not have this luxury.

Additionally, teleradiology and teledermatology providers must pay close attention to their negotiated provider agreements with health plans.  Under the bill, health plans have no requirement to pay for professional services rendered via “store and forward” technology if those services are not explicitly covered in the provider agreement.

With that said, no bill is perfect, and the new Washington bill is a good first step toward improving the prospects for telemedicine in Washington State.

For more information about telemedicine, please contact Casey Moriarty.

The Myth of a HIPAA Compliant Product

Purchasing a “HIPAA compliant” technology product does not guarantee HIPAA compliance.

There. I said it.

In today’s healthcare marketplace, a vendor’s representation that its product is “100% HIPAA Compliant” is an important assurance for covered entities and business associates. Due to the complex and confusing HIPAA regulations, the idea of “purchasing” compliance can be very attractive.

Unfortunately, you cannot buy HIPAA compliance. To explain, allow me to use the example of encryption technology.

HIPAA Compliant Encryption

Nearly every vendor of an encryption product that targets the healthcare market will claim that the product is HIPAA compliant. This representation is critical because health information that is properly encrypted is exempt from the HIPAA breach notification rules.

But when a vendor states that its encryption product is “HIPAA compliant,” the vendor is merely stating that the product meets the HIPAA encryption guidelines for data at rest (stored data) and data in motion (data that is transmitted over networks).

In reality, the HIPAA Security Rule requires more than merely using technology that meets the encryption guidelines.

The HIPAA Security Rule – What Product is “Reasonable and Appropriate”?

The HIPAA Security Rule standard related to encryption states that covered entities and business associates must: “Implement a mechanism to encrypt and decrypt electronic protected health information.”

Because this standard is “addressable,” an entity must carefully analyze its operations to determine what type of encryption product is reasonable and appropriate for its business.

The analysis must focus on a number of different factors related to the entity, including:

  • The entity’s size, complexity and capabilities;
  • The entity’s technical infrastructure, hardware and software security capabilities;
  • Costs of encryption measures; and
  • Probability and criticality of potential risks to electronic PHI.

For example, if a small entity simply wants to send a limited number of secured e-mails containing patient information, a top-of-the-line encryption product for all IT systems may not be necessary. Rather, a basic e-mail encryption product may suffice.

However, if a large health system regularly transmits a large amount of health information over public networks, a basic e-mail encryption product is probably not appropriate.

The vendor of the e-mail product might claim that its product is “HIPAA compliant,” but under the Security Rule, a deluxe encryption solution for the health system’s various IT systems probably makes more sense.

In all cases, it is important for the entity to document why it believes that a selected encryption product is appropriate for its operations.

Conclusion

The takeaway is that HIPAA compliance takes real work. While the idea of buying compliance might be attractive, HIPAA requires covered entities and business associates to look inward and conduct a thorough analysis of their operations.

Do not be misled by thinking that HIPAA compliance can be achieved by entering credit card information and pushing a button.

If you would like more information about HIPAA compliance, please contact Casey Moriarty.

You’ve Been Sued: 4 Non-HIPAA Claims in Data Breach Cases

“There is no private right of action under HIPAA.”  This oft-repeated rule is a source of comfort for many health care entities.

Of course, patients can file complaints with the Office of Civil Rights or State Attorneys General, but a “HIPAA cause of action” does not exist.

So what is the basis for the many different class action lawsuits against health care entities that have been hit with data breaches? The recent class action lawsuit filed against Premera sheds some light on strategies of class action attorneys.

The Complaint alleges seven different causes of action.  This article will focus on four of the claims.

The Four Causes of Action in the Premera Complaint

  • Negligence: The first cause of action is negligence. To establish a claim for negligence, the plaintiff must show that: (1) the entity had a duty to the plaintiff, (2) the entity breached that duty, (3) the plaintiff suffered damages, and (4) the entity’s breach caused the damages.

    The Complaint states that Premera had a “duty” to keep the plaintiffs’ personal information secure as the provider of health coverage to the plaintiffs.  Premera breached this duty by failing to secure its IT systems, and this failure directly caused the plaintiffs’ damages related to the improper disclosure of health information.

  • Bailment: The second cause of action is Bailment. A “bailment” arises when personal property is delivered to another for some particular purpose with an express or implied contract to redeliver when the purpose has been fulfilled.

    In other words, “I’m giving you my stuff with the expectation that I’ll get it back in the same condition.”

    The Complaint alleges that the plaintiffs provided Premera with their personal information with the understanding that Premera would adequately safeguard it.  Premera breached its bailment by failing to protect the information, which resulted in the data breach.

  • Breach of Contract: The third cause of action is breach of contract. My first question concerning this claim is: “Did Premera actually state in its beneficiary agreements that it would keep all data secure?”

    Based on the allegations in the Complaint, the answer appears to be no.

    However, the Complaint alleges that Premera’s Notice of Privacy Practices (NPP) states that Premera must take measures to protect each beneficiary’s health information. Whether or not an NPP is actually a contract between a covered entity and individuals, this allegation should motivate health care entities to be careful in drafting their NPPs.

  • Washington State Data Breach Claim: In emphasizing the “no private right of action under HIPAA” mantra, many entities fail to understand state laws concerning data breaches.

    In the Complaint, the plaintiffs allege that Premera violated the Washington State data breach notification requirements of RCW 19.255.010. Unlike HIPAA, this statute allows affected individuals to bring claims for its violation.

    Among the requirements of RCW 19.255.010 is that data breaches be disclosed in the most “expedient” time possible and without “unreasonable delay.” The Complaint alleges that Premera took far too long to notify beneficiaries of the data breach.

Conclusion

In light of these claims (and others) in the Premera breach complaint, the warning for health care entities is clear: You can be sued by your customers for data breaches.

Although HIPAA may not provide for a private right of action, there are many other ways for plaintiffs to recover compensation for the failure to keep health information secure.

For more information about data breaches, please contact Casey Moriarty.

Premera Breach: Is HIPAA Compliance Enough?

Many health care businesses assume that HIPAA compliance guarantees protection from data breaches. Unfortunately, this is not a correct assumption.

The health insurance company Premera Blue Cross recently announced that it was the target of a sophisticated cyber attack.  It is estimated that the personal information of eleven million individuals may have been accessed by hackers.

In the days following the breach, the Seattle Times ran an article about an audit conducted by the federal Office of Personnel Management (OPM) and the Office of Inspector General (OIG) on Premera’s operations prior to the breach.

Due to the health insurance coverage that Premera provides to federal employees, OPM and OIG had the right to audit Premera’s systems to ensure the security of the employees’ personal information.  According to the Seattle Times article, the federal agencies warned Premera of potential vulnerabilities with its information technology security prior to the breach.

What Did OPM and OIG Actually Find?

After reading the article, I assumed that the federal agencies found massive problems with Premera’s HIPAA security compliance.  Clearly, Premera would not have suffered the breach if it had complied with the HIPAA Security Rule, right?

Nope.

Page ii of the audit states the following:

    Health Insurance Portability and Accountability Act (HIPAA)

    Nothing came to our attention that caused us to believe that Premera is not in compliance with the HIPAA security, privacy, and national provider identifier regulations.

Instead, the security issues that the OPM and OIG found with Premera’s system appear to have involved more advanced features, including:

  • Lack of Piggybacking Prevention; and
  • Although Premera had a “thorough incident response and network security program,” it needed a better methodology for applying software patches, updates, and server configurations.  Note that failing to appropriately patch software can lead to serious HIPAA violations, including OCR investigations and settlements.  For more information about patching and HIPAA, please read: “Failure To Patch Software Leads to $150,000 Settlement”.

Upon review of the audit report, it appears that Premera did have fairly robust security safeguards.  For example, although it did not have the physical access control of piggybacking prevention, it had installed a multi-factor authentication key pad for each staff member.

The OPM and OIG certainly found issues with Premera’s security procedures, but the report repeatedly makes it clear that Premera:

  • Had adequate HIPAA privacy and security policy and procedures;
  • Updated its HIPAA policies annually and when necessary; and
  • Required employees to complete HIPAA compliance training each year.

HIPAA Compliance May Not Be Enough

The unfortunate takeaway from Premera’s data breach is that HIPAA compliance may not be enough to ensure security from attacks carried out by sophisticated hackers.

Although a covered entity’s security policies and procedures may technically comply with the HIPAA Security Rule, it is still critical to go further and address any known vulnerabilities that HIPAA may not even require to be addressed.

Contact Casey Moriarty for more information about HIPAA compliance.

Large Data Breach Highlights Risks from Foreign Hackers

Community Health Systems (CHS) has announced that the personal information of approximately 4.5 million patients has been breached.  According to CHS, the information includes patient names, addresses, social security numbers, telephone numbers, and birthdates.

Although the breached records do not contain the details of the patients’ treatment at CHS’ hospitals, the identifying information in the records still meets the HIPAA definition of “protected health information.”  Therefore, CHS will have to follow the HIPAA breach notification requirements.

According to CHS’ filing with the Securities and Exchange Commission, CHS has hired the data security firm, Mandiant, to investigate the breach.  Mandiant has pointed blame at a group originating from China who apparently orchestrated the breach through the use of sophisticated malware.

This large breach should be another reminder for health care providers to safeguard their electronic systems and educate staff members on security policies and procedures.  The type of malware that contributed to the CHS breach can often be installed by a staff member who clicks on a link in an e-mail, or responds to an e-mail from hackers who pose as security personnel.  In addition, health care providers should consider the use of encryption technology that meets the HIPAA breach safe harbor standards.

When in doubt about a suspicious e-mail, phone call, or other communication, staff members should always check with the provider’s information technology personnel and the HIPAA Privacy Officer before taking any action.

If you have any questions about the HIPAA breach notification requirements, please contact Casey Moriarty.

Providing Telemedicine Services? Pay Attention To State Licensing Requirements

Advancements in telemedicine offer exciting treatment possibilities for rural communities. Through audio-visual technology, patients in small communities now have the opportunity to access the expertise of specialists at large medical facilities in metropolitan areas.

However, along with all of the promise of telemedicine technologies, there are also some important legal issues that health care providers need to understand.  One of the most important issues is whether physicians who provide treatment advice to a patient through telemedicine must be licensed in the state where the patient is located.  For example, if a patient is located in Washington State, can a physician who is only licensed in Oregon provide telemedicine services to the patient?

The Federation of State Medical Boards (FSMB) has recently addressed the licensure issue in the Model Policy for the Appropriate Use of Telemedicine Technologies.  The Policy  makes it clear that a physician must be licensed by, or under the jurisdiction of, the medical boards of the state where the patient is located.

It is unclear whether state medical boards will follow the Model Policy from FSMB.  For example, Washington State law currently allows physicians licensed in another state to “practice medicine” in Washington so long as they do not open an office or appoint a place of meeting patients or receiving calls within Washington. (RCW 18.71.030). Of course, this provision could change in the future.

In order to avoid the unlawful practice of medicine when providing telemedicine services, physicians and healthcare facilities should take time to understand the licensing regulations in the state where the patient is located.

For more information on the legal issues related to telemedicine, please contact Casey Moriarty.