Finally! Washington Has A Telemedicine Bill. But What’s In It?

After many years of effort, the Washington State Legislature has sent a telemedicine bill to the Governor for signature.

It is an exciting achievement, but now that the bill has passed, we need to answer an important question: “What is actually in the bill?”

Payment for Professional Telemedicine Services

The primary purpose of the bill is to require health insurance companies, Medicaid managed care plans, and health plans offered to Washington State employees to reimburse health care providers who provide professional services via telemedicine technology.

This is critical because, prior to the bill, insurance companies had no obligation to reimburse providers for telemedicine services.

One unfortunate aspect of the new law is that it does not set the specific reimbursement rate for telemedicine services. In other words, nothing requires health plans to pay for telemedicine services at the same rate as an in-person encounter.

Instead, the rate for telemedicine services will be whatever the health plan and provider agree upon in the negotiated provider agreement between the parties.

Additionally, in order to receive the negotiated rate, providers must pay special attention to the detailed reimbursement requirements of the bill:

Health Care Providers

The bill states that only “health care providers” are entitled to reimbursement for telemedicine services. Fortunately, “health care provider” is defined broadly and includes any of the licenses listed in Title 18 of the Revised Code of Washington.

A health plan need only reimburse health care providers that are contracted with the health plan.

“Out of network” reimbursement is not required.

Types of Technology

The bill applies to both real time “telemedicine” technology and “store and forward” services.

“Telemedicine” technology is a real-time, interactive, video and audio conference between a patient and a provider.  Think “Skype.”

“Store and forward” technology is a system by which information is sent to an intermediate location where it is kept and, at a later time, sent to the intended destination.

This type of technology is very common in the teleradiology and teledermatology fields in which specialists provide reads for digital images of patients.

Unlike telemedicine technology, the bill has some critical restrictions on the use of store and forward technology:

  • The bill requires an associated office visit between the patient and referring health care provider if store and forward technology is used. The use of “telemedicine” technology, as defined above, can meet the office visit requirement; and
  • A health plan only has the obligation to provide reimbursement for a service provided via store and forward technology if the service is specified in the negotiated agreement between the health plan and the provider.

The second restriction is a big deal.

Under this restriction, the bill does not require a health plan to pay a provider for services rendered via store and forward technology if such services are not explicitly covered in the provider agreement between the provider and health plan.

Therefore, it is critical that providers using store and forward technology pay close attention to their provider agreements with health plans.

Types of Telemedicine Services

The bill is clear that health plans only have the obligation to provide reimbursement for services that meet all of the following criteria:

  • Reimbursement is only required if the health plan provides coverage of the same service when it is provided in person;
  • The service must be an “essential health benefit” under the Affordable Care Act; and
  • The service is medically necessary.

Health plans have no requirement to provide reimbursement if these three requirements are not met.

Payment For Facility Fees

In discussing the facility fee issue, it is important to understand that there are always two different sites in a telemedicine encounter:

  • The Originating Site: This is the location where the patient is physically located. For reimbursement purposes, originating sites can be hospitals, rural health clinics, federally qualified health centers, health care provider offices, community mental health centers, skilled nursing facilities, or renal dialysis centers (except independent renal dialysis centers).
  • The Distant Site: This is the location where the health care provider is physically located at the time telemedicine services are rendered.

As described above, the bill requires health plans to reimburse providers for the professional services they perform at the distant site during a telemedicine encounter.

But what about the originating site facility where the patient is located? Are health plans required to reimburse these facilities?

The answer is no.

According to the bill, originating site providers are only entitled to facility fees if such fees have been negotiated in the provider’s contract with the health plan.

The bill does not require any health plan reimbursement to the originating site if a health plan refuses to include reimbursement for facility fees in its provider agreement.

This is unfortunate for rural providers who would have benefited from the requirement for health plans to pay facility fees for telemedicine.

Hospital Credentialing and Privileging of Telemedicine Physicians

Aside from reimbursement, another important part of the bill is the changes to the requirements for hospital credentialing and privileging of telemedicine physicians.

In the hospital world, a physician can only provide services at a hospital if the physician is properly credentialed and privileged.  Therefore, a physician that provides telemedicine services an originating site hospital technically must be credentialed and privileged by the hospital.

Prior to the bill, Washington law required hospitals to engage in a detailed credentialing process of requesting information from a physician who was applying for privileges.  The hospital also had to request information from hospitals and facilities that had granted privileges or employed the physician.

This cumbersome process could unnecessarily delay the provision of telemedicine services.

Under the bill, the credentialing requirements no longer exist for telemedicine physicians.

The bill states that an originating site hospital may rely on a distant site hospital’s decision to grant or renew privileges for a telemedicine physician if the originating site enters into a written contact with the distant site.

The contract must have the following provisions:

  • The distant site hospital providing the telemedicine services must be a Medicare participating hospital;
  • Any physician providing telemedicine services at the distant site hospital must be fully privileged to provide such services by the distant site hospital;
  • Any physician providing telemedicine services must hold and maintain a valid license to perform such services issued or recognized by the state of Washington; and
  • The originating site hospital must have evidence of an internal review of the distant site physician’s performance of the privileges and sends the distant site hospital performance information for use in the periodic appraisal of the distant site physician.

Conclusion

There is much to like in Washington’s new telemedicine bill.

For the first time, private health plans are required to pay for telemedicine services. Additionally, the process of hospital credentialing and privileging of telemedicine physicians has been streamlined.

But the bill is not perfect.

Without specific requirements on rates, health plans have the ability to reimburse telemedicine services at a much lower rate than in-person services.  Large health systems may have leverage to negotiate for higher reimbursement in provider agreements, but smaller and rural providers may not have this luxury.

Additionally, teleradiology and teledermatology providers must pay close attention to their negotiated provider agreements with health plans.  Under the bill, health plans have no requirement to pay professional services for services rendered via “store and forward” technology if the services are not explicitly covered in the provider agreement.

With that said, no bill is perfect, and the new Washington bill is a good first step into improving the prospects for telemedicine in Washington State.

For more information about telemedicine, please contact Casey Moriarty.

The Myth of a HIPAA Compliant Product

Purchasing a “HIPAA compliant” technology product does not guarantee HIPAA compliance.

There. I said it.

In today’s healthcare marketplace, a vendor’s representation that its product is “100% HIPAA Compliant” is an important assurance for covered entities and business associates. Due to the complex and confusing HIPAA regulations, the idea of “purchasing” compliance can be very attractive.

Unfortunately, you cannot buy HIPAA compliance. To explain, allow me to use the example of encryption technology.

HIPAA Compliant Encryption

Nearly every vendor of an encryption product that targets the healthcare market will claim that the product is HIPAA compliant. This representation is critical because health information that is properly encrypted is exempt from the HIPAA breach notification rules.

But when a vendor states that its encryption product is “HIPAA compliant,” the vendor is merely stating that the product meets the HIPAA encryption guidelines for data at rest (stored data) and data in motion (data that is transmitted over networks).

In reality, the HIPAA Security Rule requires more than merely using technology that meets the encryption guidelines.

The HIPAA Security Rule – What Product is “Reasonable and Appropriate”?

The HIPAA Security Rule standard related to encryption states that covered entities and business associate must: “Implement a mechanism to encrypt and decrypt electronic protected health information.”

Because this standard is “addressable,” an entity must carefully analyze its operations to determine what type of encryption product is reasonable and appropriate for its business.

The analysis must focus on a number of different factors related to the entity, including:

  • The entity’s size, complexity and capabilities;
  • The entity’s technical infrastructure, hardware and software security capabilities;
  • Costs of encryption measures; and
  • Probability and criticality of potential risks to electronic PHI.

For example, if a small entity simply wants to send a limited number secured e-mails containing patient information, a top-of-the-line encryption product for all IT systems may not be necessary. Rather, a basic e-mail encryption product may suffice.

However, if a large health system regularly transmits a large amount of health information over public networks, a basic e-mail encryption product is probably not appropriate.

The vendor of the e-mail product might claim that its product is “HIPAA compliant,” but under the Security Rule, a deluxe encryption solution for the health system’s various IT systems probably makes more sense.

In all cases, it is important for the entity to document why it believes that a selected encryption product is appropriate for its operations.

Conclusion

The takeaway is that HIPAA compliance takes real work. While the idea of buying compliance might be attractive, HIPAA requires covered entities and business associate to look inward and conduct a thorough analysis of their operations.

Do not be misled by thinking that HIPAA compliance can be achieved by entering credit card information and pushing a button.

If you would like more information about HIPAA compliance, please contact Casey Moriarty.

Premera Breach: Is HIPAA Compliance Enough?

Many health care businesses assume that HIPAA compliance guarantees protection from data breaches. Unfortunately, this is not a correct assumption.

The health insurance company Premera Blue Cross recently announced that it was the target of a sophisticated cyber attack.  It is estimated that the personal information of eleven million individuals may have been accessed by hackers.

In the days following the breach, the Seattle Times ran an article about an audit conducted by the federal Office of Personnel Management (OPM)  and Office of Inspector General (OIG) on Premera’s operations prior to the breach.

Due to the health insurance coverage that Premera provides to federal employees, OPM and OIG had the right to audit Premera’s systems to ensure the security of the employees’ personal information.  According to the Seattle Times article, the federal agencies warned Premera of potential vulnerabilities with its information technology security prior to the breach.

What Did OPM and OIG Actually Find?

After reading the article, I assumed that the federal agencies found massive problems with Premera’s HIPAA security compliance.  Clearly, Premera would not have suffered the breach if it had complied with the HIPAA Security Rule, right?

Nope.

Page ii of the audit states the following:

Health Insurance Portability and Accountability Act (HIPAA)

Nothing came to our attention that caused us to believe that Premera is not in compliance with the HIPAA security, privacy, and national provider identifier regulations.

Instead, the security issues that the OPM and OIG found with Premera’s system appear to have involved more advanced features, including:

  • Lack of Piggybacking Prevention; and
  • Although Premera had a “thorough incident response and network security program,” it needed a better methodology for applying software patches, updates, and server configurations.  Note, that failing to appropriately patch software can lead to serious HIPAA violations, including OCR investigations and Settlements.  For more information about patching and HIPAA please read: “Failure To Patch Software Leads to $150,000 Settlement“.

Upon review of the audit report, it appears  that Premera did have fairly robust security safeguards.  For example, although it did not have the physical access control of piggybacking prevention, it had installed a multi-factor authentication key pad for each staff member.

The OPM and OIG certainly found issues with Premera’s security procedures, but the report repeatedly makes it clear that Premera:

  • Had adequate HIPAA privacy and security policy and procedures;
  • Updated its HIPAA policies annually and when necessary; and
  • Required employees to complete HIPAA compliance training each year.

HIPAA Compliance May Not Be Enough

The unfortunate takeaway from Premera’s data breach is that HIPAA compliance may not be enough to ensure security from attacks carried out by sophisticated hackers.

Although a covered entity’s security policies and procedures may technically comply with the HIPAA Security Rule, it is still critical to go further and address any known vulnerabilities that HIPAA may not even require to be addressed.

Contact Casey Moriarty for more information about HIPAA compliance.

Employees & Social Media Use

In the Three D, LLC d/b/a Triple Play Sports Bar and Grille decision issued on August 22, the National Labor Relations Board (NLRB) ruled against a non-union restaurant based on management terminating employees as the result of the employees’ Facebook postings.  The decision illustrates why both unionized and non-union employers need to be aware of the Board’s positions on employee use of social media.

Employee use of social media has become a hot button enforcement issue for the NLRB.  The basis for the NLRB aggressively pursuing the issue is the Board’s position that social media postings may constitute “concerted activity” protected by the National Labor Relations Act (NLRA).  The NLRA may apply regardless of whether the employer is union or non-union, and the Board enforces the Act based on its interpretations of the Act’s provisions.

In Three D, LLC, the non-union restaurant made a payroll mistake resulting in employees owing more in taxes than expected.  Unhappy employees posted comments to Facebook regarding the situation, and the employer responded by terminating employees who had posted.  The employer also interrogated one of the employees prior to termination, and threatened legal action based on the employee’s online comments.  The Board found these actions violated the NLRA’s protections for employees discussing their terms and conditions of employment including wages paid or owed.  Based on the violations, the Board ordered that the employees be reinstated and receive back pay, lost benefits, and removal of the discharge records from the employee personnel files.  As the employer based its decisions in part on the employer’s internal policies, the Board also ordered that the organization revise its policies and distribute the revised versions to workers.

There are several considerations for management following this decision:

1.            Be aware that regardless of union presence, the Board may have jurisdiction over an employer. The Board has been more aggressive in recent years in pursuing potential violations of the NLRA against non-union employers.  Employers need to know that simply lacking a union presence will not protect them against Board enforcement action if they are not acting in compliance with the NLRA.

2.            Be cautious when considering disciplining employees based on social media use.  Social media use and related policies have become hot topics for the NLRB.  Under the NLRA, employees are entitled to discuss terms and conditions of employment with other workers.  Employers need to be careful before taking action.  For example, a negative posting on hours or wages by one employee which is responded to by other employees may be protected as multiple workers are discussing protected issues making the discussions potentially protected “concerted activity.”  A negative posting by one worker that does not generate any responses or discussion may instead be considered “griping” and not protected under the NLRA.  Each situation will have to be assessed on its particular facts.

3.            Check and possibly re-write organization social media and communication policies.  The Board has been increasingly aggressive over the last several years in scrutinizing both union and non-union employer social media and communication policies and practices.  Three D, LLC is the latest decision in this recent string.  Many organizations have policies written before the Board began pursuing the social media issue.  These policies may not be in compliance with current Board interpretations of the NLRA and what employees are allowed to post or discuss online.  Employers should double-check to make sure that practices and policies are consistent with what is permissible under the Act as the Board interprets it.

Patrick Pearce is a member (equivalent to partner) at Ogden Murphy Wallace, PLLC, and practices with the firm’s Employment and Labor and Hospitality groups.  He is available at 206-447-7000 or ppearce@omwlaw.com to address questions on this or other employment and labor law issues.

 

 

BAAs and Beyond: Meeting the 9-22 HIPAA Deadline

Reprinted blog post from DocuSign. Interview between Jennifer Royer of DocuSign and Dave Schoolcraft.

In under two weeks, Covered Entities and Business Associates are required to complete renewed Business Associate Agreements (BAA) to comply with more stringent HIPAA regulations for BAAs that were in place prior to January 2013. We sat down with Dave Schoolcraft, who leads the healthcare law practice at Ogden Murphy Wallace, to help our healthcare and technology partners navigate HIPAA legislation and complete these BAA renewals on time. As Dave explains, digital workflow solutions transform the task at hand from a daunting ordeal to a manageable process, all while reducing time, money and fear associated with 11th hour deadline blues.

What is the significance of the September 22nd BAA deadline?

Simply put, the BAA invokes business operations where Protected Health Information (PHI) is handed over to an outside vendor. For example, say I am the managing physician in a small medical clinic and I decide to hire a consultant and help us figure out how we can efficiently manage billing and reimbursement. I provide this consultant with a spreadsheet of PHI (protected health information). This act requires a BAA, which protects the PHI and the medical clinic against any liabilities. Without the updated BAA, the medical clinic and the consultant directly violate HIPAA. Even if I have longstanding relationship, I still need to sign an updated agreement.

The process – an additional 6 or 7 different paragraphs — is admittedly an administrative burden as most BAAs span multiple pages. If the agreement only covers what HIPAA requires, the process is fairly straightforward. However, BAAs are heavily negotiated and include indemnification provisions. Therefore, manually executing all updated agreements slows down the process as each existing vendor contract must be signed and completed.

What is the most common inquiry you receive from clients regarding the updated BAA requirements?

With the deadline a blink away, I consistently hear, “Do we really have to update all our BAA contracts?”

The answer is a resounding “yes,” because our digital habits and business environment led to an updated and strengthened HIPAA (let’s call this HIPAA 2.0) back in 2009. With the release of the new HIPAA rules in January 2013, healthcare providers have had ample time to coordinate new BAAs with outside vendors whose services involve PHI.

As we inch closer towards September 22nd, it is important to remember that even if a healthcare provider has a longstanding relationship with a vendor, the new BAA, as part of HIPAA 2.0, offers enhanced language that strengthens risk management against ‘cyber-spillage.’ Specifically, the new HIPAA language requires that the Business Associate comply with the HIPAA Security Rule and provide notice of a breach of unsecured PHI. In short, this is smart business.

Risk management sounds like a great idea. Would you explain what you mean by “smart business?”

Sure, let’s use a common situation as our example. When a healthcare provider engages with an outside vendor – perhaps a SaaS company – that analyzes or works with PHI, there is risk of mishandling or ‘spillage.’ If you handed over 10,000 records of patient data to a digital marketing vendor, you need to both protect the data and yourself from the probability that the marketing vendor will send the PHI to sub-contractors for portions of the scope of work.

The new BAA is a bulwark against unforeseen security breaches: you add armor to the trust you place in vendors and their teams. While you may deem renewing all BAAs a hassle, consider this an opportunity to audit all your vendors and evaluate the risks and value from that relationship.

If you do not follow this approach, then you honestly proceed at your own peril.

What happens if healthcare providers don’t comply with the new BAA requirements and fail to update their BAA contracts on time?

That is actually the second most frequently asked question that we field. Technically a healthcare practice faces statutory penalties for any improperly used or leaked PHI. For example, if a healthcare provider contracts with a medical billing vendor without an updated BAA, they face stiff penalties should there be any improper use of PHI. And with the data breaches in the news recently, you really don’t want to take that risk.

Let’s look closer at a data breach scenario. Say a vendor lost a thumb drive containing a high volume of PHI. Per HIPAA 2.0, it is now the vendor’s responsibility to notify the healthcare provider. A vendor needs to self-confess the data breach, regardless of who is at fault, per the new BAA standards. When the government officials arrive to investigate, they will ask if an updated BAA was in place. Healthcare providers shouldn’t rely on trust with vendors. Mistakes happen. And if a bad one occurs, like the theft of an unencrypted laptop containing thousands of patient records, the healthcare provider and the vendor will be held responsible by the government for both the data breach and the failure to comply with the BAA requirements.

Updating your BAAs is a risk management strategy, and it allows you to add additional protection clauses, such as stipulations about the use of data and operations in the Cloud – an increasing trend for providers and payers. The previous HIPAA requirements for a BAA didn’t place direct liability and responsibility on the vendor for failure to sufficiently secure and protect the patient data. With the proliferation of Cloud vendors and third parties working with healthcare providers, the new BAAs provide a mechanism to not only require the safeguarding of PHI and the reporting of a breach, but the sharing of responsibility when a breach does occur. Renewal of these BAAs also give healthcare providers the opportunity to ensure that there are sufficient indemnification and insurance provisions in place so that if a breach does occur the healthcare provider can expect reimbursement and defense from the responsible party.

How Can DocuSign assist in the process of updating all BAAs?

There is an administrative burden to getting these documents signed. When we talk about redoing all existing BAAs, that’s the classic e-mail/print/sign/scan/fax headache. Multiply one process by the number of vendors. That’s an unreasonable burden, and an expensive one if you think about the time and money that one might spend overnighting documents.

For all businesses handling such an exceptional volume of paperwork, a Digital Transaction Management platform, like DocuSign’s, simplifies the process by automating the retrieval of signatures and storing all documents in a single, secure Cloud-based portal. Furthermore, it is crucial to be able to access compliance documents, like BAAs and provider agreements, within a click of a mouse, should there be an audit. The alternative is hiring lawyers to spend a month in your document basement – we have been there with clients, and that is an expensive, tedious, and stressful process for all parties involved.

Any final words or digital best practices for providers and payers?

It’s important to remember that HIPAA dates all the way back to the mid ‘90s – think about the evolution and revolution that has occurred in terms of digital platforms! There has been a great acceleration – on the clinical data side – in moving from paper to digital. The rules that led to the updated BAAs were passed in conjunction with approximately $20billion in stimulus funds directed towards health information technology. Those funds are being used to incentivize healthcare providers’ digital adoption, as part of the “Meaningful Use” regulations. A large portion of these funds have also been earmarked to enforce the new and more stringent HIPAA regulations that were put in place when the government recognized additional risks posed by digital adoption.

In essence, the government decided to add more teeth to HIPAA enforcement. They have hired additional enforcement agents, and as such, more healthcare providers have inquiries and audits – a striking evolution from the old days of HIPAA 1.0. Offenders now face more serious penalties: now, more than ever, it is crucial to comply with the renewed HIPAA regulations. What was once a slap on the wrist is now quite serious – around the $1 million mark depending on the egregiousness of the incident.

Essentially, you don’t want to be out of HIPAA compliance should there be an incident or a proactive audit – and one of the first questions HIPAA enforcement agents ask is whether you have an updated BAA with your vendors.

If you face an administrative burden or are losing sleep over getting your BAAs completed on time, consider Digital Transaction Management to simplify the process now and moving forward.

Thank you, Dave for explaining the implications of the updated HIPAA legislation and offering tips for beating the BAA deadline.

For more information about the September 22 deadline and Digital Transaction Management contact Elana Zana or Dave Schoolcraft or:

Rady HIPAA Breach – Access Controls & Training

Rady Children’s Hospital in San Diego announced this week that it has discovered two instances of impermissible disclosure of patient information – both disclosures arising from employees sending spreadsheets containing PHI to job applicants.  Surprisingly, Rady employees did not learn the lesson from their northern California neighbor, Stanford, which recently settled a lawsuit for $4 Million based on similar circumstances of a vendor releasing patient information to a job applicant.  In both the Rady situations (and at Stanford) identifiable patient information was sent to job applicants in order to evaluate those applicants’ skill sets.  The spreadsheets contained names, dates of birth, diagnoses, insurance carrier, claim information, and additional information.  Combined, the breach affected over 20,000 patients.

Rady has announced that it will take the following actions to prevent future events:

• Only commercially available and validated testing programs will be used to evaluate job applicants who will be tested onsite.
• We are increasing data security by further automating flagging of emails that may contain potential protected health or other sensitive information, and requiring an added level of approval before it can be sent.
• Rady Children’s is working with our email encryption provider to further strengthen our protection of sensitive data.
• Rady Children’s continually provides employees with education regarding privacy policies. We will be using these incidents as examples to better inform our leadership team and employees about the risks and the importance of the policies we have in place and train them in these new measures we are taking.

Though these steps are important, it is quite alarming that breaches such as these are still happening.  Why are job applicants receiving spreadsheets with patient information?  As Rady notes above, training exercises are commercially available.  Breaches, such as the one at Rady and at Stanford, reveal several flaws in HIPAA compliance – but two in particular rise to the surface.

1.  Access Controls.  The HIPAA Security Rule stresses the importance of access controls both internally and externally within a covered entity (and now business associates). Who gets access to the PHI, who gives that person access, and what access do they have?  The administrative, physical, and technical safeguard requirements all touch on whether access to PHI for workforce members is appropriate.  For example, a technical safeguard requirement specifically addressing access controls requires that covered entities, and business associates “implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4).”  45 CFR 164.312.  Covered entities and business associates alike should evaluate who within their organizations actually need access to PHI to perform job functions.  Does the HR Department or an internal/external recruiter, arguably in charge of hiring new staff, need PHI in order to perform their job duties?  (Note, I do not opine here as to whether access to PHI was properly granted to the workforce members at Rady, as I lack sufficient information to make that judgment).  Determining if access to PHI is appropriate is both a requirement of the HIPAA Security Rule (though it is “addressable” you still need to address it!) and is a good mitigation tactic to avoid impermissible breaches, such as the one here.

2.  Training.  All covered entities and business associates are responsible for HIPAA Security training for all members of the workforce.  45 CFR 164.308.  Though training may vary depending on the workforce member’s use of PHI, all staff must be trained.  Training does not end following an initial session.  Periodic security updates are specifically identified in the Security Rule as an implementation specification.  These updates do not have to be limited to information about new virus protection software installed on the system. They can include valuable tidbits like case studies, HIPAA rule reminders, and HIPAA related headlines.  For some workforce members HIPAA may not be top of mind (specifically for those in business roles that may not deal with patients or patient information on a routine basis).  Providing periodic training updates and reminders, including examples of other HIPAA breaches (i.e. Stanford here) may be very useful in driving home how easy HIPAA breaches can be…and how expensive they are.

Avoidance of HIPAA breaches altogether is nearly impossible, but proper access controls and training can help mitigate against breaches such as the one that occurred here.

For more information about HIPAA Security contact Elana Zana.

 

$4.8 Million HIPAA Settlement – Patient Data on the Web

On May 7, 2014, HHS announced that New York-Presbyterian Hospital (“NYP”) and Columbia University (“CU”) agreed to collectively pay $4.8 million in the largest HIPAA settlement to date. The organizations settled charges that they potentially violated the HIPAA Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information (“ePHI”).

NYP and CU operate a shared data network that links patient information systems containing ePHI. On September 27, 2010, the two entities submitted a joint breach report following the discovery that the ePHI of 6,800 individuals had been impermissibly disclosed due to a deactivated server, resulting in ePHI being accessible on internet search engines. The ePHI included patient statuses, vital signs, medications, and laboratory results.

HHS Office for Civil Rights’ (“OCR”) subsequent investigation determined that neither entity had conducted an accurate and thorough risk analysis or developed an adequate risk management plan to address potential threats and hazards to ePHI security. Further, OCR found that NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with internal policies on information access management.

NYP agreed to pay $3.3 million and CU agreed to pay $1.5 million. In addition, both entities agreed to Corrective Action Plans that require each entity to:

  • Conduct a comprehensive and thorough risk analysis;
  • Develop and implement a risk management plan;
  • Review and revise policies and procedures on information access management and device and media controls;
  • Develop an enhanced privacy and security awareness training program; and
  • Provide progress reports.

Additionally, CU must also “develop a process to evaluate any environmental or operational changes” that impact the security of ePHI it maintains.

This settlement again highlights the necessity for healthcare organizations and business associates to create and implement Security policies and procedures, and to engage in a security management process that ensures the security of patient data.

For assistance on the HIPAA Security Rule requirements, drafting and implementing Security policies and procedures, or general HIPAA assistance please contact Elana Zana or Jefferson Lin.

 

Stolen Laptops Lead to $2 Million in HIPAA Settlements

Last week HHS announced close to $2 Million dollars in HIPAA settlements with Concentra and QCA Health Plan due to the theft of unencrypted laptops.  However, the message from HHS is not just the importance of data encryption, rather its performance and follow through with security risk analysis and implementation of security policies and procedures.  Further, the close to $2 million in fines do not include the additional costs and time it will take both of these health care organizations to comply with the OCR corrective action plans.

Concentra

The larger settlement and corrective action plan involved Concentra Health Services, a subsidiary of Humana, Inc., which operates more than 300 medical clinics nationally, including urgent care, occupational and physical therapy, and wellness services.  Concentra agreed to a $1,725,220 settlement with HHS for potential violations resulting from the breach notification associated with a stolen unencrypted laptop.  Specifically, the Resolution Agreement identified the following two deficiencies:

(1) Concentra failed to adequately remediate and manage its identified lack of encryption or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption, if reasonable and appropriate, from October 27, 2008, until June 22, 2012 (date on which a complete inventory assessment was completed and Concentra immediately took action to begin encrypting all unencrypted devices) (see 45 C.F.R. § 164.312(a)(2)(iv)).

(2) Concentra did not sufficiently implement policies and procedures to prevent, detect, contain, and correct security violations under the security management process standard when it failed to adequately execute risk management measures to reduce its identified lack of encryption to a reasonable and appropriate level from October 27, 2008, (date of Concentra’s last project report indicating that 434 out of 597 laptops were encrypted) until June 22, 2012 (date on which a complete inventory assessment was completed and Concentra immediately took action to begin encrypting all unencrypted devices) (see 45 C.F.R. § 164.308(a)(1)(i)).

Interestingly, while the Security Rule allows for flexibility in implementation for certain measures, including data encryption under 45 CFR 164.312, this high settlement amount indicates that healthcare organizations (including now business associates) who choose not to implement encryption standards must be able to explain themselves.  HHS, in the Resolution Agreement, faults Concentra not only for failing to encrypt the data, but in light of a decision not to encrypt, Concentra was faulted for failing to implement an alternative to encryption (though unclear what a reasonable alternative to encryption would be).  Now, not only does Concentra have this large settlement payment due to HHS, but it has to comply with the corrective action plan, which includes the implementation of a security management plan (with a security risk analysis baked in), encryption obligations, security awareness training, and annual reports to HHS.  And if Concentra fails to comply, HHS has reserved its right to impose civil monetary penalties (which were significantly increased under the HITECH Act).

QCA Health Plan of Arkansas

The smaller settlement of $250,000 was with QCA Health Plan of Arkansas, a healthcare insurance provider.  The impetus for this settlement and corrective action plan was the theft of an unencrypted laptop from an employee’s car which contained PHI belonging to 148 individuals (note that this breach affected less than 500 individuals).  The Resolution Agreement determined that:

A.  QCA did not implement policies and procedures to prevent, detect, contain, and correct security violations, including conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI it held, and implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 C.F.R. § 164.306 from the compliance date of the Security Rule to June 18, 2012.

B. QCA did not implement physical safeguards for all workstations that access ePHI to restrict access to authorized users on October 8, 2011.

C. QCA impermissibly disclosed the ePHI of 148 individuals on October 8, 2011.

Unlike Concentra, QCA was not directly faulted for failing to encrypt its laptops, or failing to implement a reasonable alternative. Rather, this settlement focused instead on the lack of sufficient HIPAA Security policies and procedures, inadequacy in conducting a security risk assessment, and the failure to implement security measures, most specifically physical safeguards. The corrective action plan is also noticeably different, with a focus instead on workforce training and reporting of workforce non-compliance, rather than on encryption requirements (the press release notes that QCA encrypted its laptops following the breach).

Though like most breach cases the simple solution is to encrypt the data to avoid an actual breach, these settlements expose the depth of compliance obligations and monetary consequences associated with the failure to securely protect the PHI.  Concentra and QCA, like other health care organizations who have settled with HHS, will have years of compliance reporting obligations and security management requirements that will likely create significant cost burdens in addition to the monetary settlement obligations.  HHS has made it quite clear in its press releases and corrective action plans, healthcare organizations and business associates must create and implement Security policies and procedures, and must engage in a security management process that ensures the security of patient data post the initial implementation.

For assistance on the HIPAA Security Rule requirements, drafting and implementing Security policies and procedures, or general HIPAA assistance please contact Elana Zana.

HHS Releases Security Risk Assessment Tool

Need help performing your HIPAA/Meaningful Use Security Risk Assessment?  Good news, HHS has released a tool to help!  In partnership with the Office of the National Coordinator, HHS created a tool, user guide, software, tutorial, videos and even an iOS App to help HIPAA covered entities and business associates perform the required HIPAA Risk Analysis.

The HIPAA Security Rule specifically requires (this is not an addressable specification) a Security Risk Analysis:

“Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”  45 CFR 164.308(a)(1)

In addition, those hospitals and eligible professionals seeking to meet meaningful use in order to receive the EHR Incentive dollars or avoid the Medicare payment adjustments must fulfill a HIPAA Security Risk Assessment.

Stage 1

Stage 2

Objective. Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process. Objective. Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities.Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in Certified EHR Technology in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the EP’s risk management process.

For those hospitals and eligible professionals looking to meet meaningful use, the Security Risk Assessment tool will generate a report that can be provided to auditors.  However, the report alone is likely insufficient because both the auditors and the  meaningful use requirements (above) require the correction of security deficiencies – so merely running a Security Risk Assessment without taking actions to remedy the problem will not suffice.  To read more about meaningful use audits and security risk assessments click here

In addition to releasing the Security Risk Assessment tool, HHS has created a helpful true/false statement with the Top 10 Myths of Security Risk Analysis.  This document highlights the misconceptions regarding the risk assessment requirements, including that all covered entities and business associates (regardless of the size) must conduct a risk assessment pursuant to HIPAA.  Importantly, though only eligible professionals & hospitals are eligible for meaningful use incentives and Medicare payment adjustments, business associates must also comply with the HIPAA Security Rule pursuant to the HITECH Act.  Therefore, business associates must also conduct security risk assessments, and per recent guidance from HHS, business associates are likely part of the next round of HIPAA audits.

For more information about HIPAA, security risk assessments, and meaningful use please contact Elana Zana.

$4 Million Stanford Settlement – Business Associate Pays Majority

Remember the $20 Million class action law suit against Stanford due to the posting of an Excel file online by a Business Associate?  The law suit, driven by California state privacy laws recently settled for $4 Million, with the Business Associate paying the bulk of the settlement.  The class action suit, one of five large Stanford related large HIPAA breaches, stems from a 2010 disclosure of emergency room patient data affecting 20,000 patients. The majority of the settlement fund, $3.3 million will come from Stanford’s business associate. Stanford is contributing $500,000 for a vendor education fund and is paying $250,000 in settlement administrative costs.  Though a significant reduction from the $20 Million original claim, the $4 Million settlement price tag is not a drop in the bucket.

The major lesson to glean from this case is that covered entities should better investigate their vendors before transmitting PHI.  Meaning not just simply executing a Business Associate Agreement with an indemnification and insurance provision (though advisable), but also reviewing/evaluating their current security policies, staff training, use of subcontractors, and encryption standards.  For more information about HIPAA please contact Elana Zana.