The HITECH Act Final Rule’s Requirements for Using Health Information for Fundraising Purposes

With the HITECH Act Final Rule’s required revisions to business associate agreements, notices of privacy practices, and breach notification policies, it is easy to miss the Final Rule’s changes to the requirements for the use or disclosure of protected health information (PHI) for fundraising purposes.  The new fundraising requirements under HIPAA and the HITECH Act are a mixed bag for covered entities.  Some of the changes increase the ability for covered entities to use PHI for fundraising, while other changes impose more restrictions on covered entities.

One of the benefits of the Final Rule for covered entities is the expansion of the types of PHI that can be disclosed to a business associate or institutionally-related foundation for fundraising purposes.  This list now includes:

1. Demographic information, including name, address, other contact information, age, gender, and date of birth;

2. Dates of healthcare provided to an individual;

3. Department of service information (e.g., cardiology, oncology, pediatrics, etc.);

4. Treating physician;

5. Outcome information (including death or sub-optimal treatment); and

6. Health insurance status.

Additionally, although a covered entity may not send fundraising communications to patients who have opted out of receiving such communications (as explained below), a covered entity may give patients the opportunity to opt back in to receiving such communications.   For example, a covered entity could include, as a part of a routine newsletter sent to all patients, a phone number that patients can call to be put on a fundraising list.

While these changes could be beneficial for covered entities, the Final Rule also has a number of increased requirements relating to fundraising communications, including:

1. Notice of Privacy Practices: The Final Rule requires a covered entity to have an explicit statement in its notice of privacy practices that an individual can opt out of receiving fundraising communications.

2. Opt Out Notice: With each fundraising communication made to a patient, a covered entity must include a “clear and conspicuous” opportunity for the patient to opt out of receiving future fundraising materials.  The opt out method must not cause the individual to incur an “undue burden or more than nominal cost”.  Examples of valid opt out methods include a toll-free number or the provision of pre-paid, pre-printed postcards.  If an individual opts out of fundraising communications, it is a HIPAA violation for a covered entity to send such a communication to the individual in the future (unless the individual later opts back in to receiving fundraising communications).

3. Conditioning Payment or Treatment: The Final Rule makes it clear that covered entities may not condition treatment or payment on a patient’s decision to receive fundraising communications.

Please contact Casey Moriarty if you have any questions about the use of PHI for fundraising purposes under the HITECH Act Final Rule.

HHS Announces New HIPAA Breach Settlement

HHS has announced its first HIPAA breach settlement involving fewer than 500 patients.  The announcement came on January 2, 2013 following a disclosure by the provider, Hospice of North Idaho.  The facts involved the theft of an unencrypted laptop that contained ePHI for 441 individuals.  HHS found that the provider did not do a sufficient analysis of the risk to the confidentiality of ePHI after the new rule went into effect and did not have in place appropriate policies or security measures to ensure the confidentiality of ePHI.  To settle the matter, the provider agreed to pay HHS $50,000 and enter into a corrective action plan.  More information about the settlement, including the settlement agreement, can be found on the HHS website.

This settlement shows that HHS takes breach notifications seriously.  At the same time, it appears that HHS will be open to entering reasonable settlement agreements to resolve this type of breach.  Mostly this demonstrates what we all know:  don’t put ePHI on unencrypted laptops or other mobile devices.  For more information, contact Dave Schoolcraft, Lee Kuo or Casey Moriarty.

ONC Launches Toolkit on Using Mobile Devices

Theft of mobile devices is one of the most common causes of HIPAA breaches.  Though usage of mobile devices is permitted under HIPAA, users must maintain appropriate security to avoid unauthorized use or disclosure of patient information.  The ONC recently launched a new website entitled: Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information to help providers better use their mobile devices that contain PHI.  The website contains videos, tip sheets, and FAQs.  Providers using mobile devices are strongly encouraged to visit the site and install security safeguards to avoid potential breaches.

For more information about HIPAA and securing mobile devices please contact Elana Zana.

OCR Releases Guidance Regarding De-Identification Methods for PHI

After two years, OCR recently released its Guidance Regarding Methods for De-Identification of PHI in Accordance with HIPAA.  The guidance is designed to help covered entities understand de-identification, how protected health information is de-identified, and the options available for correctly performing de-identification.  De-identification removes identifiers from PHI and reduces privacy risks to individuals, allowing secondary uses of the data for other purposes.  Importantly, once PHI has been appropriately de-identified it is no longer considered PHI.  Currently, under HIPAA, Sec. 164.514, there are two methods by which PHI can be de-identified: 1) a formal determination by a qualified expert; or 2) the removal of 18 specified individual identifiers, combined with the covered entity having no actual knowledge that the remaining information could be used alone or in combination with other information to re-identify individuals.

The Guidance delves into the two options for de-identification.  It includes specific details on how to satisfy the expert determination method and what is called the “safe harbor method,” which is the removal of 18 specific identifiers.  The Guidance includes Q&A as well as specific examples to help guide covered entities and business associates.
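As an added illustration (not part of the article or of the OCR Guidance), the following Python sketch applies the safe harbor method to a single flat patient record. The identifier categories follow 45 CFR 164.514(b)(2), which the article cites but does not enumerate; the column names, the free-text patterns, the small-population ZIP prefix set and the sample record are all constructed assumptions for this example.

```python
"""Safe harbor de-identification of one flat patient record (added example).

Field names, regex patterns, the ZIP prefix set and the sample record are
constructed assumptions; the identifier categories follow 45 CFR 164.514(b)(2).
Date fields are expected to hold datetime.date objects.
"""
import re
from datetime import date

# Columns holding direct identifiers: dropped outright. Assumed names that map
# onto safe harbor categories (names, sub-state geography, contact details,
# SSN, MRN, plan/account/license numbers, vehicle and device identifiers, URLs,
# IP addresses, biometrics, photographs, any other unique identifying number).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo", "other_unique_id",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}  # reduced to year
FREE_TEXT_FIELDS = {"note"}  # narrative fields scanned for embedded identifiers

# Constructed sample of 3-digit ZIP prefixes covering 20,000 people or fewer;
# a real pipeline loads the Census-derived list instead of hard-coding it.
SMALL_POPULATION_ZIP3 = {"036", "059", "102"}
AGE_CAP = 89  # ages above 89 collapse into a single "90+" category

# Best-effort patterns for identifiers that leak into free text. Order matters:
# the SSN pattern runs before the looser phone pattern.
_FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
]


def generalize_date(d):
    """Keep the year only; month and day elements are safe harbor identifiers."""
    return d.year


def generalize_age(age):
    return "90+" if age > AGE_CAP else age


def generalize_zip(zip_code):
    """Keep the first three digits unless that area is too sparsely populated."""
    prefix = str(zip_code)[:3]
    return "000" if prefix in SMALL_POPULATION_ZIP3 else prefix


def scrub_free_text(text):
    for pattern, replacement in _FREE_TEXT_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def deidentify(record):
    """Return a new record with safe harbor identifiers removed or generalized."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if field in DATE_FIELDS:
            out[field + "_year"] = generalize_date(value)
        elif field == "age":
            out["age"] = generalize_age(value)
        elif field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field in FREE_TEXT_FIELDS:
            out[field] = scrub_free_text(value)
        else:
            out[field] = value
    # Edge case: for patients over 89 even the birth year reveals the age bracket.
    if out.get("age") == "90+":
        out.pop("dob_year", None)
    return out


# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-0001",
    "email": "jane@example.com",
    "zip": "03601",
    "age": 92,
    "dob": date(1920, 5, 17),
    "admit_date": date(2012, 11, 3),
    "department": "cardiology",
    "diagnosis_code": "I21.9",
    "note": "Pt called from 555-123-4567; spouse email bob@example.org; follow up 11/10/2012.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```

The structured fields are the easy part; the narrative note is where safe harbor usually fails, because regexes catch only identifiers that look like the patterns they were written for. A production pipeline would pair a dedicated clinical de-identifier with review, or fall back on the expert determination method, and in either case the covered entity must still have no actual knowledge that the residual data can be re-identified.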

De-identification can be an important tool for both covered entities and business associates, but if performed incorrectly it could lead to serious breach potential.  For more information on HIPAA and how to correctly de-identify PHI please contact Elana Zana or Dave Schoolcraft.

New Type of Breach – Hackers Encrypting PHI & Holding for Ransom

Typical breach scenarios often include a stolen laptop or other device and the extraction of medical records by those thieves.  Now a new type of breach has occurred, hackers breaking into systems and holding PHI for ransom.  Bloomberg recently reported a breach in which hackers burrowed into the computer network of a surgical practice in Illinois.  Rather than stealing the data and using it for identity theft purposes, the hackers encrypted the PHI and held it for ransom.  To read the full article click here.

This type of incident would most likely be considered a “breach” under the HITECH Act, requiring breach notification to the affected individuals, unless the NIST encryption standards were already employed, providing a safe harbor.  However, other HIPAA requirements are also implicated, including obligations under the Security Rule to have technical and physical safeguards, which may include building secure firewalls to keep such hackers out.  Along with maintaining a secure system, it is also advisable to back up all PHI.
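An added example of the backup-side control the paragraph recommends (not code from the article or from the reported incident): a SHA-256 manifest of a PHI export directory lets an operator detect files that have been altered or removed since the last known-good backup, and a byte-entropy heuristic flags altered files that now look like opaque ciphertext. The directory layout, file contents and threshold are constructed assumptions.

```python
"""Backup integrity manifest with an entropy check for encrypted-looking files.

Added example; directory contents and the 7.5 bits/byte threshold are
constructed assumptions, not values from the article.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter


def sha256_file(path):
    """Stream a file through SHA-256 so large exports do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def shannon_entropy(data):
    """Bits of entropy per byte: ~4-5 for plain text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def verify_manifest(root, manifest, entropy_threshold=7.5):
    """Compare the directory against a stored manifest and classify the differences."""
    current = build_manifest(root)
    report = {"missing": [], "added": [], "modified": [], "suspected_encrypted": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
            with open(os.path.join(root, rel), "rb") as f:
                head = f.read(65536)
            # Already compressed formats (zip, jpeg) also score high, so this
            # flags candidates for review rather than proving encryption.
            if shannon_entropy(head) >= entropy_threshold:
                report["suspected_encrypted"].append(rel)
    report["added"] = sorted(set(current) - set(manifest))
    return report


def demo():
    """Build a baseline, then reproduce the failure mode the article describes."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins for a PHI export directory (not real data).
        files = {
            "patients.csv": b"mrn,department,admit_year\nX0001,cardiology,2012\n",
            "notes.txt": b"Constructed clinical note text used only for this demo.\n",
            "schedule.json": b'{"clinic": "cardiology", "slots": 12}\n',
        }
        for name, content in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        baseline = build_manifest(root)
        clean = verify_manifest(root, baseline)
        # Simulate the incident: one file replaced by an opaque blob, one removed.
        with open(os.path.join(root, "patients.csv"), "wb") as f:
            f.write(os.urandom(4096))
        os.remove(os.path.join(root, "notes.txt"))
        tampered = verify_manifest(root, baseline)
    return clean, tampered


if __name__ == "__main__":
    for label, rep in zip(("baseline", "after tampering"), demo()):
        print(label, rep)
```

The manifest only helps if it is stored somewhere the compromised system cannot rewrite it, for example alongside an offline or write-once backup copy; a manifest kept next to the data can be encrypted along with everything else.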

ONC Issues Guide on HIPAA Privacy and Security and Meaningful Use

ONC has recently released a new “Guide to Privacy and Security of Health Information” which incorporates tips on complying with HIPAA Privacy and Security as well as meeting related meaningful use measures.  The guide is designed for clinical providers and focuses on the following:

  • Privacy & Security and Meaningful Use
  • Security Risk Analysis and Management Tips
  • Working with EHR and Health IT Vendors
  • A Privacy & Security 10-Step Plan
  • Health IT Privacy and Security Resources

Specifically, with regard to Meaningful Use, the guide describes Meaningful Use measures 12 and 15:

#12. Provide patients with an electronic copy of their health information (including diagnostic test results, problem list, medication lists, medication allergies) upon request.  To learn more about this measure click here.

#15. Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.  To learn more about this measure click here.

If you have questions regarding HIPAA Privacy and Security or Meaningful Use please contact Elana Zana.


$100,000 HIPAA Settlement Due to Misuse of Online Calendar & More

The U.S. Department of Health and Human Services (HHS) has entered into another settlement for the violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), this time with a small physician practice that violated HIPAA while using Internet-based calendar and email services.

Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, has agreed to pay HHS a $100,000 settlement after it was reported that the physician practice violated HIPAA by posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.  The HHS Office for Civil Rights’ (OCR) investigation also revealed that Phoenix Cardiac Surgery violated HIPAA by emailing patient information from an Internet-based email account to workforce members’ Internet-based email accounts.

The OCR investigation also revealed the following issues:

  • Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
  • Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
  • Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to patients’ electronic protected health information (ePHI).

Leon Rodriguez, director of OCR, said “This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules.  We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”

This settlement highlights the need for all providers, regardless of their size, to understand the implications of the technology they use in their practices, to implement policies and procedures for HIPAA compliance, and to obtain business associate agreements where needed.

A press release and more information can be found on HHS’s website.

Health Data Privacy Protections to Increase

As we wait for the HITECH Act updates to HIPAA to be finalized, yet another article signals the administration’s intent to strengthen privacy protections for health data: http://www.nytimes.com/2011/05/31/business/31privacy.html

HHS Says Push for EHRs Overlooks Security Gaps

It seems HHS is laying the groundwork for the issuance of the updates to HIPAA privacy and security rules under the HITECH Act.  As reported May 16th in the Washington Post:

“The nation’s push to computerize medical records has failed to fully address longstanding security gaps that expose patients’ most sensitive information to hackers and snoops, government investigators warn.”

http://www.washingtonpost.com/politics/hhs-inspector-general-says-push-for-electronic-medical-records-overlooks-some-security-gaps/2011/05/16/AFpaH54G_story.html

HIPAA Breach Notification Rules Issued

On August 19th, HHS issued new rules requiring HIPAA covered entities to notify individuals when their health information is breached.  The breach notification rules implement provisions of the HITECH Act, passed as part of the federal stimulus legislation in February.  A full copy of the new rules is available here.

The breach notification requirements will become effective on September 23rd, 2009.

Significant changes to HIPAA include:

  • Notice must be provided to individuals within 60 days from discovery of a breach.
  • The notice must contain detailed elements specified in the rules.
  • For breaches involving more than 500 individuals, the notice must notify “prominent media outlets”, as well as HHS, within 60 days.
  • All breaches must be reported to HHS on an annual basis. 
  • Covered entities must change policies and procedures as necessary to comply with these new rules.
  • Workforce members must be trained about the impact of the new data breach requirements.

Note that the policy development and training requirements apply to all covered entities. 

In addition, the regulations contain updated guidance on what it will take to adequately secure (whether through encryption or otherwise) health information in order to minimize the impact of the notification rules. 

Health care organizations need to move quickly to ensure compliance with these complex new rules in an extremely compressed time frame.