Failure to Patch Software Leads to $150K HIPAA Settlement

Anchorage Community Mental Health Services, Inc. (“ACMHS”), a nonprofit mental health provider in Alaska, has agreed to a $150,000 HIPAA settlement and a two-year Corrective Action Plan with HHS following a breach of 2,743 patient records caused by malware.  According to the HHS press release:

OCR’s investigation revealed that ACMHS had adopted sample Security Rule policies and procedures in 2005, but these were not followed. Moreover, the security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.

According to the Resolution Agreement, OCR uncovered the following HIPAA violations:

  • ACMHS failed to conduct an accurate and thorough risk assessment.
  • ACMHS did not implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI.
  • ACMHS’ security infrastructure did not appropriately guard against unauthorized access to ePHI that is transmitted over an electronic communications network.  Specifically, HHS noted that ACMHS failed to “ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches.”

In addition to the $150,000 HIPAA Settlement, ACMHS will be under HHS’ microscope for the next two years.  The Corrective Action Plan requires ACMHS to implement the following changes:

  • Draft and adopt updated Security Policies and Procedures and submit them to HHS within 60 days.
  • Distribute new Security Policies and Procedures to all workforce members and require the workforce members to sign a compliance certification.
  • Provide training on security awareness to all workforce members and annual training thereafter.
  • Perform an accurate and thorough risk assessment.
  • Inform HHS if a workforce member fails to adhere to the Security Policies and Procedures.
  • Provide annual reports to HHS.

ACMHS’ settlement provides three key takeaways for covered entities and business associates:

1) Patch & Update.  Like Community Health Systems, which reported a breach of 4.5 million patient records after Chinese hackers exploited the Heartbleed vulnerability (CVE-2014-0160 in OpenSSL), ACMHS is finding out the hard way the importance of software patching and updating.  Staying up to date on security patches and software updates is not an easy task, but it is an important one, because attackers routinely exploit known vulnerabilities for which a patch is already available.  Unsupported software is the harder case: no patch will ever be issued, so the only remedies are to upgrade, replace, or isolate it.

2) Tailor the Security Policies and Procedures.  Simply having in place template Security Rule policies and procedures is insufficient to satisfy the requirements of the HIPAA Security Rule and to ultimately secure ePHI.  HIPAA Security policies need to be tailored for the actual information security infrastructure in place at the covered entity/business associate.  The Security Rule permits flexibility when choosing which tools to deploy to protect ePHI, but requires that the covered entity/business associate actually evaluate its infrastructure to make these decisions.

3) Security Risk Analysis.  Further, once the Security Policies and Procedures are in place they need to be evaluated, and the actual system needs to undergo a security risk assessment (at least annually is a reasonable cadence, and sooner after any significant change to the environment).  The process of drafting the Security Policies and Procedures, as well as the security risk assessment, will aid covered entities/business associates in identifying vulnerabilities, evaluating security options, and ultimately safeguarding their ePHI.  HHS has created a security risk assessment tool to help covered entities evaluate their security compliance (the tool is aimed at covered entities rather than business associates).

For more information about the HIPAA Security Rule or if you need assistance in creating your HIPAA Security Policies and Procedures please contact Elana Zana.

Washington Supreme Court Bans “Psychiatric Boarding”

On August 7, 2014, the Washington State Supreme Court ruled that “psychiatric boarding” under Washington’s Involuntary Treatment Act (“ITA”) is unlawful.

“Psychiatric boarding” is a term used to describe the practice of leaving mentally ill patients in hospital emergency rooms because there is no space at certified evaluation and treatment facilities.  Certified evaluation and treatment facilities are the facilities authorized under the ITA to detain involuntary mental health patients.

County mental health officials began using authority granted under the ITA to issue “single-bed certifications,” which permit mental health officials to leave patients at hospitals that are not certified evaluation and treatment facilities, to address the increasing – and now common – problem of insufficient space at the certified facilities.

In a clear opinion, the court held that the ITA does not authorize single-bed certifications to avoid overcrowding at certified facilities.  In doing so, the court recognized that the ITA repeatedly provides that persons who are involuntarily detained under the ITA must be held in certified evaluation and treatment facilities in order to receive the proper evaluation, stabilization and treatment afforded to these patients under the ITA:  “Patients may not be warehoused without treatment because of lack of funds.”

Although the court’s opinion may be a catalyst towards forcing the state to address failures and flaws in its mental health system, the immediate impact of the ruling has left hospitals and county mental health professionals scrambling to figure out what to do.  If mental health professionals are unable to detain psychiatric patients who present at hospital emergency departments and who otherwise meet the criteria for detention, but no evaluation and treatment bed is available, hospitals will find themselves in the difficult position of choosing between either allowing a mentally ill patient to leave the hospital or detaining the patient without clear legal authority under the ITA to do so.  The issue is further complicated for hospitals because they must also consider their EMTALA obligations in these situations.

A copy of the court’s ruling can be found here.   For more information about Washington’s Involuntary Treatment Act or mental health services, please contact Lee Kuo.

WA Certificate of Need Waiver for Psych Beds

The Washington Certificate of Need (“CN”) Program recently announced a temporary change in the CN requirements for acute care hospitals that change the use of existing licensed beds to psychiatric care beds.  Acute care hospitals choosing to convert some of their acute care beds to psychiatric beds will not have to undergo the CN review process.  This exemption, however, does not extend to new beds added to the hospital’s licensed bed count; it covers only the conversion of existing beds.  Hospitals will also be allowed to return the exempt psychiatric beds to general acute care services (i.e. med/surg) without full CN review.

In order to take advantage of this exemption, acute care hospitals will still have to submit a “Hospital Change of Use Exemption Hospitals Licensed Under RCW 70.41 Proposing Psychiatric Beds” application to the CN Program with an application fee of $1,925.  If the project is approved it must commence within two years of the exemption issue date (unless a 6 month extension is otherwise granted).  Hospitals applying for this exemption will still need to meet the physical plant standards and staffing ratios required for providing psychiatric care.

For more information about this exemption or Certificate of Need generally please contact Elana Zana.

HHS Issues HIPAA Guidance For Mental Health

HHS recently issued HIPAA guidance for mental health practitioners, in an effort to help providers wade through complicated decisions of when disclosures of patient information are permissible.  This guidance, set up in a FAQ format, is designed to incorporate common questions related to the intersection of mental health and privacy laws.  The guidance addresses when healthcare providers are permitted to:

  • Communicate with a patient’s family members, friends, or others involved in the patient’s care;
  • Communicate with family members when the patient is an adult;
  • Communicate with the parent of a patient who is a minor;
  • Consider the patient’s capacity to agree or object to the sharing of their information;
  • Involve a patient’s family members, friends, or others in dealing with patient failures to adhere to medication or other therapy;
  • Listen to family members about their loved ones receiving mental health treatment;
  • Communicate with family members, law enforcement, or others when the patient presents a serious and imminent threat of harm to self or others; and
  • Communicate to law enforcement about the release of a patient brought in for an emergency psychiatric hold.

The guidance also addresses FERPA (privacy laws in a school setting), Federal alcohol and drug abuse confidentiality (42 CFR Part 2 Programs) and the rights of parents to have access to a minor child’s information.  Though not addressed in the guidance, those mental health practitioners practicing in Washington State should also be aware of the new statutes regulating mental health record disclosures which take effect on July 1, 2014.

For assistance in navigating these privacy rules please contact Elana Zana or Dave Schoolcraft.

Proposed HIPAA Rule to Enhance Criminal Background Check System

On January 7, the U.S. Department of Health & Human Services (HHS) published a notice of proposed rulemaking (NPRM) to revise the HIPAA Privacy Rule expressly permitting certain covered entities to disclose specific information about individuals who are subject to the federal mental health prohibitor to the National Instant Criminal Background Check System (NICS). HHS stated the purpose of this amendment is to help “strengthen the federal background check system to keep guns out of potentially dangerous hands” by removing legal barriers under HIPAA that may prevent reporting relevant information to the NICS.

The NICS is a national system used to conduct background checks on individuals who may be disqualified from purchasing or receiving firearms based on federally prohibited categories or state law. One such category is the federal “mental health prohibitor,” which includes individuals who have been (1) involuntarily committed to a mental institution; (2) found incompetent to stand trial or not guilty by reason of insanity; or (3) determined by a court, board, commission, or other lawful authority to be a danger to themselves or others or to lack the mental capacity to contract or manage their own affairs.

The proposed amendment would permit HIPAA covered entities that perform the commitments or adjudications that make individuals subject to the federal mental health prohibitor, or that act as repositories of NICS records on behalf of a state, to use and disclose certain information for NICS reporting purposes. These select covered entities would be permitted to disclose only the “individual’s name; date of birth; sex; a code or notation indicating that the individual is subject to the Federal mental health prohibitor; a code or notation representing the reporting entity; and a code identifying the agency record supporting the prohibition.” Covered entities would not be permitted to disclose clinical or diagnostic information, medical records, or other identifiable health information. Covered entities could disclose the information directly to the NICS or to an entity designated by a state as a data repository for NICS reporting purposes.

Because the proposed rule focuses on covered entities that actually are responsible for ordering involuntary commitments or conducting adjudications, or that act as a designated repository of NICS records, it does not affect most treating providers or covered entities that only engage in treatment functions. Further, this modification would permit, not require, the specified covered entities to disclose information.  The proposed amendment would not include any additional notification requirements to individuals whose information was disclosed and would not require covered entities to change their notice of privacy practices.

HHS is seeking comments, which are due on March 10, on various issues addressed in the NPRM, including whether the permission should be broadened to include reporting on individuals subject to state firearms prohibitions and additional (non-clinical) identifying information.

For more information about the proposed rule or HIPAA in general, please contact Jefferson Lin.

Joint Commission Standards for Boarding and Leadership Collaboration with Behavioral Health Community

Effective January 1, 2014, hospitals accredited by The Joint Commission will be required to meet the elements of performance (EPs) related to boarding and leadership collaboration for behavioral health patients, as part of The Joint Commission’s revised standard for managing the flow of patients through the emergency department. Overcrowding and patient boarding in the emergency department have drawn considerable attention recently (see e.g., Seattle Times article on psychiatric boarding), and The Joint Commission recognizes that the problems with patient flow may have multiple factors and stem from other areas within and outside the hospital, not just the emergency department.

Under Leadership Standard LD.04.03.11 or the “Patient Flow” Standard, the following EPs will go into effect for hospitals starting next year:

  • EP 6. The hospital measures and sets goals for mitigating and managing the boarding of patients who come through the emergency department. Note: Boarding is the practice of holding patients in the emergency department or another temporary location after the decision to admit or transfer has been made. The hospital should set its goals with attention to patient acuity and best practice; it is recommended that boarding time frames not exceed 4 hours in the interest of patient safety and quality of care.
  • EP 9. When the hospital determines that it has a population at risk for boarding due to behavioral health emergencies, hospital leaders communicate with behavioral health care providers and/or authorities serving the community to foster coordination of care for this population.

The Joint Commission notes that the four-hour time frame referenced in EP 6 serves as a guideline (not a requirement) to help the hospital set a reasonable goal for its institution. Also, the goal of EP 9 is to “facilitate the more efficient use of limited resources, and build leverage to implement more effective systems of care for individuals at risk of psychiatric emergencies.” Though the communication required in EP 9 will vary depending on the nature of the relationship, The Joint Commission advises that “such communication should occur at least annually and may range from conference calls and correspondence to meetings, education forums, and strategic working groups.”

EP 6 and EP 9 are in addition to the revised EPs that went into effect at the beginning of this year on January 1, 2013.  The other revisions address: the use of data and measures to identify, mitigate and manage issues affecting patient flow; the management of emergency department throughput as a system-wide issue; and the environment of care, staffing, assessment, reassessment and care for patients with behavioral health emergencies.

To help organizations implement these requirements, The Joint Commission released an “R3 Report on Patient Flow through the Emergency Department” that provides the requirement, rationale and references for the updated standards.  If you have questions about these accreditation standards, please contact Don Black or Jefferson Lin.