The Myth of a HIPAA Compliant Product

Purchasing a “HIPAA compliant” technology product does not guarantee HIPAA compliance.

There. I said it.

In today’s healthcare marketplace, a vendor’s representation that its product is “100% HIPAA Compliant” is an important assurance for covered entities and business associates. Due to the complex and confusing HIPAA regulations, the idea of “purchasing” compliance can be very attractive.

Unfortunately, you cannot buy HIPAA compliance. To explain, allow me to use the example of encryption technology.

HIPAA Compliant Encryption

Nearly every vendor of an encryption product that targets the healthcare market will claim that the product is HIPAA compliant. This representation is critical because health information that is properly encrypted is exempt from the HIPAA breach notification rules.

But when a vendor states that its encryption product is “HIPAA compliant,” the vendor is merely stating that the product meets the HIPAA encryption guidelines for data at rest (stored data) and data in motion (data that is transmitted over networks).

In reality, the HIPAA Security Rule requires more than merely using technology that meets the encryption guidelines.

The HIPAA Security Rule – What Product is “Reasonable and Appropriate”?

The HIPAA Security Rule standard related to encryption states that covered entities and business associate must: “Implement a mechanism to encrypt and decrypt electronic protected health information.”

Because this standard is “addressable,” an entity must carefully analyze its operations to determine what type of encryption product is reasonable and appropriate for its business.

The analysis must focus on a number of different factors related to the entity, including:

  • The entity’s size, complexity and capabilities;
  • The entity’s technical infrastructure, hardware and software security capabilities;
  • Costs of encryption measures; and
  • Probability and criticality of potential risks to electronic PHI.

For example, if a small entity simply wants to send a limited number secured e-mails containing patient information, a top-of-the-line encryption product for all IT systems may not be necessary. Rather, a basic e-mail encryption product may suffice.

However, if a large health system regularly transmits a large amount of health information over public networks, a basic e-mail encryption product is probably not appropriate.

The vendor of the e-mail product might claim that its product is “HIPAA compliant,” but under the Security Rule, a deluxe encryption solution for the health system’s various IT systems probably makes more sense.

In all cases, it is important for the entity to document why it believes that a selected encryption product is appropriate for its operations.

Conclusion

The takeaway is that HIPAA compliance takes real work. While the idea of buying compliance might be attractive, HIPAA requires covered entities and business associate to look inward and conduct a thorough analysis of their operations.

Do not be misled by thinking that HIPAA compliance can be achieved by entering credit card information and pushing a button.

If you would like more information about HIPAA compliance, please contact Casey Moriarty.

You’ve Been Sued: 4 Non-HIPAA Claims in Data Breach Cases

“There is no private right of action under HIPAA.”  This oft-repeated rule is a source of comfort for many health care entities.

Of course, patients can file complaints with the Office of Civil Rights or State Attorneys General, but a “HIPAA cause of action” does not exist.

So what is the basis for the many different class action lawsuits against health care entities that have been hit with data breaches? The recent class action lawsuit filed against Premera sheds some light on strategies of class action attorneys.

The Complaint alleges seven different causes of action.  This article will focus on four of the claims.

The Four Causes of Action in the Premera Complaint

  • Negligence: The first cause of action is negligence. To establish a claim for negligence, the plaintiff must show that an entity: (1) had a duty to the plaintiff, (2) the entity breached the duty, (3) the plaintiff suffered damages, and (4) the entity’s acts caused the damage.

    The Complaint states that Premera had a “duty” to keep the plaintiffs personal information secure as the provider of health coverage to the plaintiffs.  Premera breached this duty by failing to secure its IT systems and this failure directly caused the plaintiff’s damages related to improper disclosure of health information.

  • Bailment: The second cause of action is Bailment. A “bailment” arises when personal property is delivered to another for some particular purpose with an express or implied contract to redeliver when the purpose has been fulfilled.

    In other words, “I’m giving you my stuff with the expectation that I’ll get it back in the same condition.”

    The Complaint alleges that the plaintiffs provided Premera with their personal information with the understanding that Premera would adequately safeguard it.  Premera breached its bailment by failing to protect the information which resulted in the data breach.

  • Breach of Contract: The third cause of action is breach of contract. My first question concerning this claim is: “Did Premera actually state in its beneficiary agreements that it would keep all data secure?”

    Based on the allegations in the Complaint, the answer appears to be no.

    However, the Complaint alleges that Premera’s Notice of Privacy Practices (NPP) states that Premera must take measures to protect each beneficiary’s health information. Whether or not an NPP is actually a contract between a covered entity and individuals, this allegation should motivate health care entities to be careful in drafting their NPPs.

  • Washington State Data Breach Claim: In emphasizing the “no private right of action under HIPAA” mantra. Many entities fail to take understand state laws concerning data breaches.

    In the Complaint, the plaintiffs allege that Premera violated the Washington State data breach notification requirements of RCW 19.255.010. Unlike HIPAA, affected individuals may bring claims for violations of this statute.

    Among the requirements of RCW 19.255.010 is to disclose data breaches in the most “expedient” time possible and without “unreasonable delay.” The Complaint alleges that Premera took far too long to notify beneficiaries of the data breach.

Conclusion

In light of these claims (and others) in the Premera breach complaint, the warning for health care entities is clear: You can be sued by your customers for data breaches.

Although HIPAA may not provide for a private right of action, there are many other ways for plaintiffs to recover compensation for the failure to keep health information secure.

For more information about data breaches, please contact Casey Moriarty.

Premera Breach: Is HIPAA Compliance Enough?

Many health care businesses assume that HIPAA compliance guarantees protection from data breaches. Unfortunately, this is not a correct assumption.

The health insurance company Premera Blue Cross recently announced that it was the target of a sophisticated cyber attack.  It is estimated that the personal information of eleven million individuals may have been accessed by hackers.

In the days following the breach, the Seattle Times ran an article about an audit conducted by the federal Office of Personnel Management (OPM)  and Office of Inspector General (OIG) on Premera’s operations prior to the breach.

Due to the health insurance coverage that Premera provides to federal employees, OPM and OIG had the right to audit Premera’s systems to ensure the security of the employees’ personal information.  According to the Seattle Times article, the federal agencies warned Premera of potential vulnerabilities with its information technology security prior to the breach.

What Did OPM and OIG Actually Find?

After reading the article, I assumed that the federal agencies found massive problems with Premera’s HIPAA security compliance.  Clearly, Premera would not have suffered the breach if it had complied with the HIPAA Security Rule, right?

Nope.

Page ii of the audit states the following:

Health Insurance Portability and Accountability Act (HIPAA)

Nothing came to our attention that caused us to believe that Premera is not in compliance with the HIPAA security, privacy, and national provider identifier regulations.

Instead, the security issues that the OPM and OIG found with Premera’s system appear to have involved more advanced features, including:

  • Lack of Piggybacking Prevention; and
  • Although Premera had a “thorough incident response and network security program,” it needed a better methodology for applying software patches, updates, and server configurations.  Note, that failing to appropriately patch software can lead to serious HIPAA violations, including OCR investigations and Settlements.  For more information about patching and HIPAA please read: “Failure To Patch Software Leads to $150,000 Settlement“.

Upon review of the audit report, it appears  that Premera did have fairly robust security safeguards.  For example, although it did not have the physical access control of piggybacking prevention, it had installed a multi-factor authentication key pad for each staff member.

The OPM and OIG certainly found issues with Premera’s security procedures, but the report repeatedly makes it clear that Premera:

  • Had adequate HIPAA privacy and security policy and procedures;
  • Updated its HIPAA policies annually and when necessary; and
  • Required employees to complete HIPAA compliance training each year.

HIPAA Compliance May Not Be Enough

The unfortunate takeaway from Premera’s data breach is that HIPAA compliance may not be enough to ensure security from attacks carried out by sophisticated hackers.

Although a covered entity’s security policies and procedures may technically comply with the HIPAA Security Rule, it is still critical to go further and address any known vulnerabilities that HIPAA may not even require to be addressed.

Contact Casey Moriarty for more information about HIPAA compliance.

CMS Announces Intent to Modify Meaningful Use

CMS announced today its intent to make significant changes to the EHR Incentive Program beginning in 2015.  The proposed changes, though not yet codified in a proposed rule, include a much desired ease of the program requirements in 2015.  They include:

  1. Aligning hospital EHR reporting periods to the calendar year (rather than the fiscal year) to allow hospitals to have more time to incorporate 2014 CEHRT into their workflows;
  2. Shortening the EHR reporting period in 2015 to 90 days to accommodate these changes; and
  3. Adjusting other portions of the program to “match long-term goals, reduce complexity, and lessen providers’ reporting burdens.”

These new rules are expected this spring.  CMS clarified in its announcement that these proposed modifications will not be forthcoming in the Stage 3 proposed rule which is expected to be released in early March.  CMS also indicated that it proposes to limit the scope of the Stage 3 proposed rule to criteria for meaningful use in 2017 and beyond.

To learn more about meaningful use and the EHR Incentive Program contact Elana Zana.

Failure to Patch Software Leads to $150K HIPAA Settlement

Anchorage Community Mental Health Services, Inc. (“ACMHS”) a nonprofit mental health provider in Alaska, has agreed to a $150,000 HIPAA settlement and 2 year Corrective Action Plan with HHS following a breach of 2,743 patient records due to malware.  According to the HHS press release:

OCR’s investigation revealed that ACMHS had adopted sample Security Rule policies and procedures in 2005, but these were not followed. Moreover, the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.

According to the Resolution Agreement, OCR uncovered the following HIPAA violations:

  • ACMHS failed to conduct an accurate and thorough risk assessment.
  • ACMHS did not implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI.
  • ACHMS’ security infrastructure did not appropriately guard against unauthorized access to ePHI that is transmitted over an electronic communications network.  Specifically, HHS noted that ACHMS failed to “ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches.”

In addition to the $150,000 HIPAA Settlement, ACMHS will be under HHS’ microscope for the next two years.  The Corrective Action Plan requires ACMHS to implement the following changes:

  • Draft updated and adopt Security Policies and Procedures and submit to HHS within 60 days.
  • Distribute new Security Policies and Procedures to all workforce members and require the workforce members to sign a compliance certification.
  • Provide training on security awareness to all workforce members and annual training thereafter.
  • Perform an accurate and thorough risk assessment.
  • Inform HHS if a workforce member fails to adhere to the Security Policies and Procedures.
  • Provide annual reports to HHS.

ACMHS’ settlement provides three key takeaways for covered entities and business associates:

1) Patch & Update.  Like Community Health Systems, which reported a breach of 4.5 million patient records due to Chinese hackers targeting a heartbleed vulnerability, ACMHS is finding out the hard way the importance of software patching and updating.  Staying up to date on security patches and software updates is not an easy task, but an important one considering that hackers are exploiting these vulnerabilities.

2) Tailor the Security Policies and Procedures.  Simply having in place template Security Rule policies and procedures is insufficient to satisfy the requirements of the HIPAA Security Rule and to ultimately secure ePHI.  HIPAA Security policies need to be tailored for the actual information security infrastructure in place at the covered entity/business associate.  The Security Rule permits flexibility when choosing which tools to deploy to protect ePHI, but requires that the covered entity/business associate actually evaluate its infrastructure to make these decisions.

3) Security Risk Analysis.  Further, once the Security Policies and Procedures are in place they need to be evaluated, and the actual system needs to undergo a security risk assessment (suggestion to do this at least annually).  The process of drafting the Security Policies and Procedures as well as the security risk assessment will aid covered entities/business associates in identifying vulnerabilities, evaluating security options, and ultimately safeguarding their ePHI.  HHS has created a security risk assessment tool to help covered entities (not really business associate focused) in evaluating its security compliance.

For more information about the HIPAA Security Rule or if you need assistance in creating your HIPAA Security Policies and Procedures please contact Elana Zana.

Patient Engagement and Meaningful Use

I am very excited this week to present with my colleague Dave Schoolcraft at MGMA in Las Vegas.  We have two presentations on Tuesday, the first at 10:15 entitled the Legal Aspects of Meeting Patient Engagement, the second at 2:45 entitled Double Dipping for EHR Funding.

Vegas is all about the money, and Double Dipping for EHR Funding will focus on how physician practices can still obtain money for Electronic Health Record systems.  The presentation will focus on Stark/Anti-Kickback Donation Arrangements and Meaningful Use dollars.  If you are looking to upgrade to 2014 CEHRT this is a presentation you don’t want to miss. Prior to joining our presentation, I suggest reading two articles we published earlier in the year: Understanding Stark/Anti-Kickback Compliant EHR Donation Arrangements and Key Lessons Related to Stark Compliant EHR Donation Arrangements.

As for Legal Aspects of Meeting Patient Engagement – this presentation focuses both on HIPAA Compliance and Meaningful Use. Stage 2 Meaningful Use includes five patient engagement related objectives, and this time CMS means business.  Two of these five objectives include measures requiring that at least 5% of patients take an action.  These five measures makes the implementation and use of patient portals essential, as portals are a key means of communication with patients and is an appropriate mechanism for each of these Meaningful Use objectives.

The relevant patient engagement Meaningful Use objectives I am referring to here include:

I have added links to the CMS Eligible Professional Specification Sheets for Stage 2 above because I find them very helpful in deciphering what each of these measures require.  Meeting these requirements is not a walk in the park, and my clients have expressed difficulty getting patients to send secure messages or login to  a portal.  Often the CEHRT itself makes these tasks quite difficult.  Patient engagement is core to growing a practice, especially as patients begin to pay for their healthcare and start to demand physician interaction via e-mail and other technologies.

If you are interested in learning more about these patient engagement requirements in Meaningful Use stop on by our presentation, or contact me directly.

 

Meaningful Use Hardship Exception Deadline Extended to November 30, 2014

Still not able to meet meaningful use this year? CMS recently announced that it has reopened submission and extended the deadline for eligible professionals and eligible hospitals to submit a hardship exception application for not demonstrating “Meaningful Use” of Certified Electronic Health Record Technology (CEHRT). The CMS hardship application can be found here.

Under the HITECH Act, eligible hospitals, critical access hospitals, and eligible professionals had to demonstrate “meaningful use” of a CEHRT, or face reductions in their Medicare payment. Under certain circumstances, the Secretary of Health and Human Services has discretion to consider hardship exceptions on a case-by-case basis to avoid payment penalties, including issues related to difficulties with vendors obtaining certification.

The original hardship exception application deadlines of April 1, 2014 (for eligible hospitals) and July 1, 2014 (for eligible professionals) were extended to November 30, 2014.

According to CMS, the reopened hardship exception application submission period applies to eligible professionals and eligible hospitals that:

  • Have been unable to fully implement 2014 Edition CEHRT due to delays in 2014 Edition CEHRT availability; AND
  • Eligible professionals who were unable to attest by October 1, 2014, and eligible hospitals that were unable to attest by July 1, 2014, using the flexibility options provided in the CMS 2014 CEHRT Flexibility Rule.

For more information about the EHR Incentive Programs and meaningful use please contact Elana Zana.

Meaningful Use Audit Outcomes – Guest Blog Post

October brings a flurry of Meaningful Use attestations, and this October is no different.  Eligible Hospitals finished up their attestation and are wrapping up the 2014 year; Eligible Professionals are checking their numbers and gearing up for their last run at achieving Meaningful Use before the end of the year.  Lingering in the background is ensuring that you have maintained documentation sufficient to meet the auditor’s standards.

Our guest blog post author, Steve Spearman from Health Security Solutions, researched the CMS audit results, and for hospitals the results are not too bad – but the same can’t be said for Eligible Professionals.  Here are the highlights:

Prepayment Audits for Eligible Professionals: 21.5% failed the audit.

Post-Payment Audits for Eligible Professionals:  24% failed the audit.

Post-Payment Audits for Hospitals:  4,7% failed the audit.

Steve’s blog article provides a deep dive into the audit results and the reasons for failure for both Eligible Professionals and hospitals.  To read his terrific blog article click here.  If you are interested in learning more about the audit statistics click here for Jim Tate’s blog article as well.

More audits are coming and making sure that you have double checked your numbers before attesting and performed your security risk analysis, including an implementation plan and completion dates, is necessary.  For assistance in preparing for audits or if you recently received an audit please contact Elana Zana.

 

Meaningful Use Attestation in 2014 – Picture Update

CMS and the Office of the National Coordinator (ONC) recently announced modifications to the meaningful use attestation requirements for 2014. Following significant lobbying from EHR vendors, eligible professionals (EPs), and hospitals, CMS issued a brief reprieve to meeting Stage 2 meaningful use in 2014 – for some lucky participants. Recognizing that EPs and hospitals may still be using 2011 certified EHR technology (CEHRT) or a mixture of 2011 and 2014 CEHRT, CMS created a chart of decision points meant to enable flexibility for EPs and hospitals alike. These options also accommodate EPs and hospitals that have upgraded to the 2014 CEHRT but are still unable to meet the Stage 2 requirements within the mandatory timetables.

However, this flexibility comes with a caveat: EPs and hospitals must explain that their failure to meet Stage 2 in 2014 as scheduled is because they could not “fully implement 2014 Edition CEHRT for the EHR reporting period in 2014 due to delays in 2014 Edition CEHRT availability.” So who is allowed to claim this exception? Though CMS does not provide an exhaustive list of examples, its published comments in the final rule provide some insights and helpful explanations.

Below are maps of decision points and examples of acceptable and unacceptable justifications for not meeting an EP’s scheduled meaningful use stage in 2014, whether it be the 2014 Stage 1 or Stage 2 objectives and measures. Any EPs or hospitals that attest for a different stage than what they were scheduled for must be prepared to defend this decision in an audit, understanding that each case will be evaluated individually; this defense should therefore be very well documented.

MU_GRAPHIC_FIRST OR SECOND YEAR-FINALMU_GRAPHIC_THIRD OR FOURTH YEAR_FINAL

Michelle Holmes, consultant with ECG Management Consultants co-authored this post.

Washington Earns “F”s on its Telemedicine Report Card

On September 9, 2014, the American Telemedicine Association issued two reports in which it graded all fifty states on telemedicine gaps in coverage and reimbursement and  physician practice standards and licensure.  Not surprisingly, in the area of telemedicine parity Washington received predominantly failing grades.  Washington fared better in the area of Medicaid coverage and conditions of payment but still racked up three failing grades in the ten categories that were graded.  In the report on physician practice standard and licensure, Washington averaged less than a C.

On September 23, 2014 Ogden Murphy Wallace presented the first of two webinar sessions on telemedicine covering CMS, Joint Commission, and Washington rules pertaining to the ability of a site receiving telemedicine services to rely on the credentialing and privileging of the site from which the services are provided.  On October 7, 2014, Ogden Murphy Wallace will present the second session of its telemedicine webinars addressing additional regulatory requirements relevant to telemedicine services in Washington including licensure, informed consent, Washington’s Stark, Anti-Kickback and Anti-Rebating laws, HIPAA compliance and reimbursement.  To register for the October 7 telemedicine webinar click here.

For more information regarding telemedicine laws in Washington please contact Greg Montgomery.