UW Medicine Notifies 90,000 Patients of HIPAA Breach

Just before the Thanksgiving holiday, UW Medicine reported a HIPAA security breach, affecting roughly 90,000 patients at Harborview and UW Medical Centers.  In early October, a UW Medicine employee opened an e-mail attachment containing malicious software.  The malware took control of the computer, which had patients’ data stored on it.  The information that was exposed was a subset or extraction of data that was used for billing purposes.  Patient information may have included names, medical record numbers, addresses, phone numbers, dates of service, charge amounts for services received, Social Security numbers or Medicare numbers.

This is the fourth biggest HIPAA security breach this year, according to data from the Department of Health and Human Services.  The other major breaches involved stolen unencrypted computers and laptops (Advocate Health System and AHMC Healthcare) and improper disposal of medical records (Texas Health Harris Methodist Hospital).

The recent UW Medicine incident highlights the need for hospitals, providers, and business associates to monitor and update their virus protection software and firewalls.  Additionally, organizations should implement security awareness and training programs for all workforce members; this may include periodic reminders addressing malicious software or guidance on opening suspicious e-mail attachments, e-mail from unfamiliar senders, or hoax e-mail.

For assistance with HIPAA and/or the breach notification rules please contact Elana Zana or Jefferson Lin.


Joint Commission Standards for Boarding and Leadership Collaboration with Behavioral Health Community

Effective January 1, 2014, hospitals accredited by the Joint Commission will be required to meet the elements of performance (EPs) related to boarding and leadership collaboration for behavioral health patients, as part of The Joint Commission’s revised standard for managing the flow of patients through the emergency department. Overcrowding and patient boarding in the emergency department have drawn considerable attention recently (see, e.g., the Seattle Times article on psychiatric boarding), and The Joint Commission recognizes that problems with patient flow may have multiple causes and stem from other areas within and outside the hospital, not just the emergency department.

Under Leadership Standard LD.04.03.11, the “Patient Flow” Standard, the following EPs will go into effect for hospitals starting next year:

  • EP 6. The hospital measures and sets goals for mitigating and managing the boarding of patients who come through the emergency department. Note: Boarding is the practice of holding patients in the emergency department or another temporary location after the decision to admit or transfer has been made. The hospital should set its goals with attention to patient acuity and best practice; it is recommended that boarding time frames not exceed 4 hours in the interest of patient safety and quality of care.
  • EP 9. When the hospital determines that it has a population at risk for boarding due to behavioral health emergencies, hospital leaders communicate with behavioral health care providers and/or authorities serving the community to foster coordination of care for this population.

The Joint Commission notes that the four-hour time frame referenced in EP 6 serves as a guideline (not a requirement) to help the hospital set a reasonable goal for its institution. Also, the goal of EP 9 is to “facilitate the more efficient use of limited resources, and build leverage to implement more effective systems of care for individuals at risk of psychiatric emergencies.” Though the communication required in EP 9 will vary depending on the nature of the relationship, The Joint Commission advises that “such communication should occur at least annually and may range from conference calls and correspondence to meetings, education forums, and strategic working groups.”

EP 6 and EP 9 are in addition to the revised EPs that went into effect at the beginning of this year on January 1, 2013.  The other revisions address: the use of data and measures to identify, mitigate and manage issues affecting patient flow; the management of emergency department throughput as a system-wide issue; and the environment of care, staffing, assessment, reassessment and care for patients with behavioral health emergencies.

To help organizations implement these requirements, The Joint Commission released an “R3 Report on Patient Flow through the Emergency Department” that provides the requirement, rationale and references for the updated standards.  If you have questions about these accreditation standards, please contact Don Black or Jefferson Lin.

FDA Releases Guidance For Medical Mobile Apps

The Food and Drug Administration (FDA) recently released guidance on how the agency intends to regulate mobile applications (“mobile apps”).  This more complete guidance follows the FDA’s May 21 “It has come to our attention” letter to Biosense Technologies regarding a mobile app that can conduct urine analysis.  Given the growing expansion and applicability of mobile apps, this recent guidance contains non-binding recommendations aimed at providing clarity and predictability for manufacturers of mobile medical apps.

The FDA intends to focus its regulatory oversight on only those mobile apps that are medical devices (as defined in the FD&C Act) and whose functionality could pose a risk to a patient’s safety if the mobile app were not to function as intended.  Referred to as “mobile medical apps,” these include mobile apps that:

  • Connect to an existing medical device for purposes of controlling the device or displaying, storing, analyzing, or transmitting patient-specific medical device data;
  • Transform the mobile platform into a regulated device by using attachments, display screens, or sensors or by including functionalities similar to those of currently regulated medical devices; or
  • Become a regulated medical device (software) by performing patient-specific analysis and providing patient-specific diagnosis or treatment recommendations.

For other health-related mobile apps that pose a low risk to patients, the FDA intends to exercise “enforcement discretion,” meaning the agency does not intend to enforce requirements under the FD&C Act.  These include mobile apps that:

  • Provide or facilitate supplemental clinical care, by coaching or prompting, to help patients manage their health in their daily environment;
  • Provide patients with simple tools to organize and track their health information;
  • Provide easy access to information related to patients’ health conditions or treatments (beyond providing an electronic “copy” of a medical reference);
  • Help patients document, show or communicate to providers potential medical conditions;
  • Perform simple calculations routinely used in clinical practice; or
  • Enable individuals to interact with PHR or EHR systems.

Depending on the classification and the associated regulation for the mobile medical app, a manufacturer would be required to follow a set of regulatory controls.  The guidance contains more specific examples of mobile medical app classification and some helpful FAQs.  Specifically, the guidance contains appendices describing what the FDA does and does not consider to be medical devices, and a list of medical devices posing a risk of harming patients if they malfunction.  For more information regarding FDA guidance on mobile apps specifically, please contact Jefferson Lin.