Access To Patient Data Even Without Knowledge of Illegality Can Still Lead to HIPAA Criminal Liability

On May 10, 2012, the Ninth Circuit heard United States v. Zhou, No. 10-50231 (9th Cir. May 10, 2012), and held that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) criminal misdemeanor provision, 42 U.S.C. § 1320d-6(a)(2), is not limited to defendants who knew their actions were illegal.

The case arose out of the following facts:  Huping Zhou was a licensed cardiothoracic surgeon in China who was employed in 2003 at University of California at Los Angeles Health System (UHS) as a researcher.  UHS later terminated his employment.  After his termination, Zhou accessed patient records of celebrities and co-workers on at least four separate occasions.  The U.S. Attorney’s Office for the Central District of California brought criminal charges for a misdemeanor violation of HIPAA’s prohibition of “knowingly” obtaining individually identifiable health information in violation of HIPAA.  Zhou filed a motion to dismiss on the grounds that he did not know it was illegal to obtain the health information and, therefore, did not act “knowingly.”  The magistrate judge dismissed Zhou’s motion, and Zhou then submitted a conditional guilty plea, reserving the right to appeal the dismissal.  The trial court sentenced Zhou to four months in prison, a $2,000 fine, and a $100 special assessment.

The Ninth Circuit rejected Zhou’s interpretation of the statute as applying only to defendants who knew obtaining the personal healthcare information was illegal.  Rather, the court held that, “as used in the statute, the term ‘knowingly’ applies only to the act of obtaining the health information.”  Thus, the statute did not require a defendant to have knowledge that his or her actions were illegal under HIPAA.

The court’s decision is significant because it sets a relatively low bar for criminal misdemeanor liability under HIPAA.  To access the case click here.

ONC Issues Guide on HIPAA Privacy and Security and Meaningful Use

ONC has recently released a new “Guide to Privacy and Security of Health Information” which incorporates tips on complying with HIPAA Privacy and Security as well as meeting related meaningful use measures.  The guide is designed for clinical providers and focuses on the following:

  • Privacy & Security and Meaningful Use
  • Security Risk Analysis and Management Tips
  • Working with EHR and Health IT Vendors
  • A Privacy & Security 10-Step Plan
  • Health IT Privacy and Security Resources

Specifically, with regard to Meaningful Use, the guide describes Meaningful Use measures 12 and 15:

#12. Provide patients with an electronic copy of their health information (including diagnostics test results, problem list, medication lists, medication allergies) upon request.  To learn more about this measure click here.

#15. Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.  To learn more about this measure click here.

If you have questions regarding HIPAA Privacy and Security or Meaningful Use please contact Elana Zana.

 

$100,000 HIPAA Settlement Due to Misuse of Online Calendar & More

The U.S. Department of Health and Human Services (HHS) has entered into another settlement for the violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), this time with a small physician practice that violated HIPAA while using Internet-based calendar and email services.

Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, has agreed to pay HHS a $100,000 settlement after it was reported that the physician practice violated HIPAA by posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.  The HHS Office for Civil Rights’ (OCR) investigation also revealed that Phoenix Cardiac Surgery violated HIPAA by emailing patient information from an Internet-based email account to workforce members’ Internet-based email accounts.

The OCR investigation also revealed the following issues:

  • Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
  • Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
  • Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to patients’ electronic protected health information (ePHI).

Leon Rodriguez, director of OCR, said, “This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules.  We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”

This settlement highlights the need for all providers, regardless of their size, to understand the implications of the technology they use in their practices, to implement policies and procedures for HIPAA compliance, and to obtain business associate agreements where needed.

A press release and more information can be found on HHS’s website.

Washington State EHR Incentive Program Seminars

The Washington State Health Care Authority has announced a traveling seminar on calculating and registering for the Medicaid EHR Incentive Program.  The seminar is aimed at group registration and defining the group proxy methodology to calculate patient volume.

The seminars are as follows:

May 1: Wenatchee
May 3: Spokane
May 8: Yakima
May 16: Seattle
May 17: Mt. Vernon
May 22: Silverdale
May 24: Olympia

To register click here (the link will take you to the Seattle registration, scroll down on that page for other registration links).

 

CMS Releases Proposed Rule On Meaningful Use Stage 2

CMS announced today its proposed rule (NPRM) on Stage 2 of the EHR Incentive Program Meaningful Use requirements.  These requirements apply to both eligible professionals and hospitals participating in the Medicare and Medicaid EHR Incentive Program.  As previously announced, and proposed within this NPRM, the onset of the Stage 2 meaningful use requirements will not begin until 2014.

The Stage 2 requirements include greater applicability to specialists, changes to the clinical quality measures, and modifications to the core and menu measures.  CMS has issued a fact sheet that briefly summarizes the Stage 2 requirements.

The NPRM will be published in the Federal Register on March 7, 2012.

For questions regarding the Stage 2 proposed requirements or for assistance related to the Medicare or Medicaid EHR Incentive Program please contact Elana Zana.

EHR Contracting Tip: Attestation for AIU

Now that most states have their Medicaid EHR Incentive Program in full swing we have gotten a glimpse of what they are requiring for attesting to “adopt, implement and upgrade” aka “AIU”.  As described in the CMS rules themselves, practices need to show that they have some skin in the game and have actually invested in an EHR product.  Many states are asking that an EP (or group practice) upload the actual EHR software contract (or a redacted version).  Some states (such as California) are requesting a signed vendor statement in lieu of the full contract.  

If you are a practice in the process of negotiating an EHR contract, you may want to consider including a provision in the contract specific to the AIU attestation requirements of the state your practice is in.  For example, the contract itself could require that the software vendor execute any documents required by the state to attest to AIU, or that the vendor provide a letter acknowledging the practice’s EHR license (if such a letter is acceptable in your state).  Similar provisions are recommended in situations where the practice is involved with a Stark donation arrangement or other type of third party contract.

Setting expectations up front and creating a contractual obligation will help ensure that the software vendor or other third party contractor does not stand in the way of your practice receiving EHR incentive dollars.

For assistance in drafting and negotiating EHR software contracts or the Medicaid EHR Incentive Program in general please contact Elana Zana or Dave Schoolcraft.            

Stage 2 Meaningful Use – Delayed to 2014

HHS announced today that eligible professionals (“EPs”) and hospitals who begin participating in the EHR Incentive Program in 2011 will not have to meet the Stage 2 Meaningful Use standards until 2014.  Therefore, those EPs and hospitals participating in the Medicare EHR Incentive Program in 2011 will be able to show Stage 1 meaningful use in 2011, 2012, and 2013.  Those participating in the Medicaid EHR Incentive Program in 2011 will show Adopt, Implement or Upgrade in 2011, and Stage 1 meaningful use in 2012 and 2013.

If you have questions on achieving meaningful use or the Medicare and Medicaid EHR Incentive Programs please contact Elana Zana.

CMS Issues Info Sheets on Meaningful Use

CMS has issued information sheets on the meaningful use requirements.  CMS released one sheet for eligible professionals and another for eligible hospitals; the sheets are designed to explain each meaningful use objective and its respective measure.  The sheets provide links to each meaningful use objective and then explain the numerator and denominator requirements, attestation requirements and relevant additional information.  To access the information sheets click on the links below:

Stage 1 EHR Meaningful Use Specification Sheets for Eligible Professionals

Stage 1 EHR Meaningful Use Specification Sheets for Eligible Hospitals

CMS is also offering a National Provider call regarding meaningful use on August 18th.  To register for the call click here.

Understanding the meaningful use measures and objectives is sometimes complicated.  For assistance with meaningful use or the EHR Incentive Programs in general contact Elana Zana.

Washington Makes Changes To Patient Volume Calculation for Medicaid EHR Incentive Payments

Washington State recently announced a change to the Medicaid patient volume calculation related to the Medicaid EHR Incentive Program.  Previously, Washington announced that it would provide all eligible professionals and hospitals with ProviderOne data on their respective Medicaid encounters for the time period chosen by the provider.  Pursuant to the Medicaid EHR Incentive Program, eligible professionals must show that they have at least a 30% Medicaid patient volume to qualify for the incentive payments (pediatricians can show 20% Medicaid patient volume); hospitals must show that they have a 10% Medicaid patient volume.  The primary equation for calculating patient volume for eligible professionals is as follows (there is a second equation regarding managed care patients that is not discussed by this blog post, nor is the calculation for hospitals):

(Total Medicaid Patient Encounters / Total Patient Encounters) x 100 ≥ 30%

Washington, rather than providing the exact number of Medicaid encounters, is allowing the eligible professional to perform the calculation itself.  Due to the eligible professional’s inability to differentiate between Medicaid, State Only payments, and CHIP, the state is providing a multiplier to calculate these ineligible encounters (note that rural health clinics and FQHCs may include CHIP patients in their patient volume calculations).  Based on the state’s analysis of ProviderOne historical paid fee-for-service claims and managed care encounter data for 2010, the average proportion of CHIP encounters equals 1% and State Only encounters equals 4%, a combined 5% that yields the .95 multiplier.  Accordingly, the revised formula for eligible professionals will look as follows:

((Total Medicaid Patient Encounters x .95) / Total Patient Encounters) x 100 ≥ 30%

This new formula will reduce the percentage of Medicaid encounters and may make those eligible professionals who are on the cusp of meeting the 30% requirement ineligible.  In response, the state has offered an alternative, which allows any provider to request assistance from the state staff to analyze and report their actual data from ProviderOne.  In addition, those eligible professionals who are audited and who use the multiplier will only be assessed as to whether the total Washington Medicaid encounters were accurately represented; the audit will not evaluate whether the CHIP and State Only encounters were correctly excluded.

Washington has since modified its State Medicaid Health Information Technology Plan to reflect this change.  In addition, the state has offered an updated webinar on registration and calculation of patient volume, which can be accessed here.

Calculating patient volume can be complicated, especially when attempting to qualify for the incentive payments using the group practice calculation.  For more information regarding the patient volume calculations or the Medicaid/Medicare EHR Incentive Program in general please contact Elana Zana.

Delay of Stage 2 of Meaningful Use

The Office of the National Coordinator announced yesterday at the HIT Policy Committee meeting its agreement that the Stage 2 meaningful use requirements should be delayed until 2014.  This would mean that eligible professionals and hospitals participating in the Medicare EHR Incentive Program can attest to the Stage 1 meaningful use requirements in 2011, 2012, and 2013 and will only have to begin attesting to the Stage 2 requirements in 2014.  This shift does not necessarily have an effect on participants in the Medicaid EHR Incentive Program, considering the advantage of attesting to “adopt, implement or upgrade” during the first year of the program.

To see the proposed Stage 2 requirements by the HIT Policy Committee click here.