HHS Announces New HIPAA Breach Settlement

HHS has announced its first HIPAA breach settlement involving fewer than 500 patients.  The announcement came on January 2, 2013, following a breach report by the provider, Hospice of North Idaho.  The facts involved the theft of an unencrypted laptop that contained ePHI for 441 individuals.  HHS found that the provider had not conducted an accurate and thorough analysis of the risk to the confidentiality of ePHI in the years since the Security Rule took effect, and did not have appropriate policies or security measures in place to ensure the confidentiality of ePHI.  To settle the matter, the provider agreed to pay HHS $50,000 and enter into a corrective action plan.  More information about the settlement, including the settlement agreement, can be found at this link on the HHS website.

This settlement shows that HHS takes breach notifications seriously, including breaches below the 500-individual threshold that are reported to HHS only in the annual log.  At the same time, it appears that HHS is open to reasonable settlement agreements to resolve this type of breach.  Mostly this demonstrates what we all know: do not put ePHI on unencrypted laptops or other mobile devices.  Encryption consistent with HHS guidance renders lost or stolen ePHI "unusable, unreadable, or indecipherable," so the loss of a properly encrypted device is not a reportable breach, provided the decryption key was not stored on or lost with the device.  For more information, contact Dave Schoolcraft, Lee Kuo or Casey Moriarty.

ONC Launches Toolkit on Using Mobile Devices

Theft of mobile devices is one of the most common causes of HIPAA breaches.  Though use of mobile devices is permitted under HIPAA, users must maintain appropriate security to avoid unauthorized use or disclosure of patient information.  The ONC recently launched a new website entitled Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information, to help providers use mobile devices that contain PHI more safely.  The website contains videos, tip sheets, and FAQs.  Providers using mobile devices are strongly encouraged to visit the site and put the recommended safeguards in place (device encryption, passcodes, remote wipe, and the ability to inventory what PHI a device holds) to avoid potential breaches.

For more information about HIPAA and securing mobile devices please contact Elana Zana.

OCR Releases Guidance Regarding De-Identification Methods for PHI

After a two-year wait, OCR recently released its Guidance Regarding Methods for De-Identification of PHI in Accordance with HIPAA.  The guidance is designed to help covered entities understand de-identification, how protected health information is de-identified, and the options available for correctly performing de-identification.  De-identification removes identifiers from PHI and reduces privacy risks to individuals, allowing secondary uses of the data for other purposes.  Importantly, once PHI has been appropriately de-identified it is no longer considered PHI.  Currently, under 45 C.F.R. § 164.514(b), there are two methods by which PHI can be de-identified: 1) a formal determination by a qualified expert that the risk of re-identification is very small; or 2) the removal of 18 specified individual identifiers, combined with the covered entity having no actual knowledge that the remaining information could be used, alone or in combination with other information, to re-identify individuals.

The Guidance delves into the two options for de-identification.  It includes specific details on how to satisfy the expert determination method and what is called the "safe harbor method," which is the removal of the 18 specific identifiers (names, geographic subdivisions smaller than a state, dates other than year, ages over 89, telephone and fax numbers, email addresses, Social Security numbers, medical record numbers, health plan and account numbers, license and vehicle identifiers, device identifiers, URLs, IP addresses, biometric identifiers, photographs, and any other unique identifying number or code).  The Guidance includes Q&A as well as specific examples to help guide covered entities and business associates, including how to treat ZIP codes, dates, and identifiers buried in free-text notes.
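The safe harbor method is mechanical enough to show as code.  The following is an added example written for this newsletter, not code from OCR or from any de-identification product: it applies the safe harbor rules to one constructed patient record, generalising ZIP codes to three digits (or "000" for low-population areas), reducing dates to the year, collapsing ages over 89 into "90+" and dropping year of birth for such patients, removing the direct identifiers outright, and scrubbing the obvious SSN, phone, email and date patterns from a free-text note.  The record, field names and the restricted ZIP-prefix subset are constructed assumptions; the authoritative list of restricted three-digit ZIP areas is in the OCR guidance, and the free-text patterns catch only formatted identifiers, not names, so a real pipeline still needs review of unstructured fields.

```python
"""Safe-harbor de-identification of a single patient record.

Added example for illustration only; not from the OCR guidance or any
real implementation.  The record, field names and RESTRICTED_ZIP3 below
are constructed for the demo.
"""
import re
from datetime import date

# Safe harbor keeps the first three ZIP digits only when the 3-digit area
# holds more than 20,000 people.  This is a placeholder subset of the
# restricted prefixes; the authoritative list is in the OCR guidance.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203"}

# Direct identifiers that must be removed outright; no generalisation keeps them.
DROP_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "photo", "biometric",
}

# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"admit_date", "discharge_date", "death_date"}

# Demo patterns for identifiers that commonly leak through free text.
# They catch formatted SSNs, US phone numbers, emails and m/d/y dates,
# not names, so they are a floor, not a complete free-text scrub.
FREE_TEXT_PATTERNS = [
    (re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"), "[SSN]"),
    (re.compile(r"(?<!\d)(?:\+1[ -]?)?(?:\(\d{3}\)|\d{3})[ -]?\d{3}-\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
]


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits, or '000' if the area is restricted."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 3 or digits[:3] in RESTRICTED_ZIP3:
        return "000"
    return digits[:3]


def age_on(dob: date, as_of: date) -> int:
    """Whole years of age on the reference date."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def scrub_free_text(text: str) -> str:
    """Replace formatted identifiers in a note with bracketed tokens."""
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def safe_harbor_deidentify(record: dict, as_of: date) -> dict:
    """Return a copy of record with the 18 safe-harbor identifiers handled."""
    out = {}
    dob = record.get("dob")
    over_89 = isinstance(dob, date) and age_on(dob, as_of) > 89
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key == "dob":
            if over_89:
                continue  # even the birth year would reveal an age over 89
            out[key] = str(value.year)
        elif key in DATE_FIELDS:
            out[key] = str(value.year)  # admission year alone does not give age
        elif key == "zip":
            out[key] = generalize_zip(value)
        elif key == "age":
            out[key] = "90+" if value > 89 else str(value)
        elif key == "notes":
            out[key] = scrub_free_text(value)
        else:
            out[key] = value  # state, diagnosis codes, etc. may remain
    if over_89:
        out["age"] = "90+"  # aggregate category permitted by the rule
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0012345",
    "ssn": "123-45-6789",
    "dob": date(1921, 3, 14),
    "admit_date": date(2012, 11, 2),
    "zip": "98101-1234",
    "state": "WA",
    "diagnosis": "I10",
    "notes": "Patient reachable at (206) 555-0143 or jane@example.com; seen 11/02/2012.",
}
SAMPLE_AS_OF = date(2012, 12, 31)


def deidentify_sample() -> dict:
    """Run the sample record through the safe-harbor transform."""
    return safe_harbor_deidentify(SAMPLE_RECORD, SAMPLE_AS_OF)


if __name__ == "__main__":
    for k, v in deidentify_sample().items():
        print(f"{k}: {v}")
```

Note that the output keeps state and diagnosis but has no name, MRN, SSN or birth date, the admission date survives only as "2012", and the note reads "Patient reachable at [PHONE] or [EMAIL]; seen [DATE]."  Whatever survives still has to pass the "no actual knowledge" test in the rule: if the remaining fields could single out a person in combination with other data the recipient holds, the data set is not de-identified.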

De-identification can be an important tool for both covered entities and business associates, but if performed incorrectly the resulting data set is still PHI, and releasing it may be a reportable breach.  For more information on HIPAA and how to correctly de-identify PHI please contact Elana Zana or Dave Schoolcraft.

Verizon Cloud Services Agrees to Sign BAA

Earlier this month Verizon announced cloud services aimed at healthcare providers.  These services are designed to be HIPAA compliant, including providing the physical, technical and administrative safeguards required by the HIPAA Security Rule.  Most notably, with this announcement Verizon has agreed to execute a Business Associate Agreement.  Verizon's press release expresses its commitment to strong security practices and offers a cloud hosting option to traditional healthcare companies that self-host.  Verizon touts the cloud services as a safe, secure and fast mechanism for healthcare providers to share information with one another efficiently.

Verizon is not the only vendor attracting healthcare clients with HIPAA compliance and Business Associate Agreements.  Microsoft announced earlier in the summer its willingness to execute Business Associate Agreements as well with its Windows Azure Core Services.  Amazon has even published a white paper on HIPAA compliance when using its Amazon Web Services platform.

Willingness to sign a Business Associate Agreement is significant, as is the acknowledgement that these companies are subject to HIPAA requirements under the HITECH Act.  Even so, healthcare providers contracting with Verizon, Amazon, Microsoft, or any other company should make sure that they are adequately protected.  That means not only the vendor's implementation of security safeguards but also sufficient indemnification provisions in case of a breach.  It also means understanding where the vendor's responsibility ends: a BAA covers the infrastructure the vendor operates, while the configuration of access controls, encryption of stored PHI, and audit logging within the hosted environment generally remain the customer's job.  For more information about HIPAA and Business Associate Agreements please contact Elana Zana or Dave Schoolcraft.

HIPAA Violations – Visually Speaking

So how much can a HIPAA violation cost?  Below is a roll-up of some of the larger HIPAA penalties and further information about current enforcement.

HIPAA Violation Infographic

Infographic authored by Inspired eLearning, providers of online security awareness and training programs. To view the original post, check out the original HIPAA violation infographic.

CMS Issues 3 FAQs on Stage 2 Rules and the Medicaid EHR Incentive Program

CMS has responded to several questions following the issuance of its Stage 2 Meaningful Use Final Rule.  Along with publishing new meaningful use guidelines, the Final Rule adds new provisions regarding the calculation of patient volume for Medicaid providers.  CMS has recently published these new FAQs, some of which take effect immediately, while others will start in 2013, giving the states time to update their guidance.  These new rules will affect all eligible professionals, regardless of their stage of participation in meaningful use.  To see additional FAQs click here.

Medicaid changes to patient volume calculations 

Q: The EHR Incentive Programs Stage 1 Rule stated that, in order for a Medicaid encounter to count towards the patient volume of an eligible provider, Medicaid had to either pay for all or part of the service, or pay all or part of the premium, deductible or coinsurance for that encounter.  The Stage 2 Rule now states that the Medicaid encounter can be counted towards patient volume if the patient is enrolled in the state’s Medicaid program (either through the state’s fee-for-service programs or the state’s Medicaid managed care programs) at the time of service without the requirement of Medicaid payment liability. How will this change affect patient volume calculations for Medicaid eligible providers?  

A: Importantly, this change affecting the Medicaid patient volume calculation is applicable to all eligible providers, regardless of the stage of the Medicaid EHR Incentive Program they are participating in. Billable services provided by an eligible provider to a patient enrolled in Medicaid would count toward meeting the minimum Medicaid patient volume thresholds.  Examples of Medicaid encounters under this expanded definition that could be newly eligible might include: behavioral health services, HIV/AIDS treatment, or other services that might not be billed to Medicaid/managed care for privacy reasons, but where the provider has a mechanism to verify eligibility.  Also, services to a Medicaid-enrolled patient that might not have been reimbursed by Medicaid (or a Medicaid managed care organization) may now be included in the Medicaid patient volume calculation (e.g., oral health services, immunization, vaccination and women’s health services, telemedicine/telehealth, etc.).

Providers who are not currently enrolled with their state Medicaid agency who might be newly eligible for the incentive payments due to these changes should note that they are not necessarily required to fully enroll with Medicaid in order to receive the payment.

In some instances, it may now be appropriate to include services denied by Medicaid in calculating patient volume.  It will be appropriate to review denial reasons.  If Medicaid denied the service for timely filing or because another payer’s payment exceeded the potential Medicaid payment, it would be appropriate to include that encounter in the calculation.  If Medicaid denied payment for the service because the beneficiary has exceeded service limits established by the Medicaid program, it would be appropriate to include that encounter in the calculation.  If Medicaid denied the service because the patient was ineligible for Medicaid at the time of service, it would not be appropriate to include that encounter in the calculation.

Further guidance regarding this change will be distributed to the states as appropriate.

CHIP patients eligible to be included in Medicaid patient volume totals
Q: The Stage 2 Rule describes changes to how a state considers CHIP patients in the Medicaid patient volume total when determining provider eligibility. Patients in which kinds of CHIP programs are now appropriate to be considered in the Medicaid patient volume total?  

A: States that have offered CHIP as part of a Medicaid expansion under Title 19 or Title 21 can include those patients in their provider’s Medicaid patient volume calculation as there is cost liability to the Medicaid program in either case (under the Stage 1 Rule, only CHIP programs created under a Medicaid expansion via Title 19 were eligible). Patients in standalone CHIP programs established under Title 21 are not to be considered part of the patient volume total (in Stage 1 or Stage 2). This change to the patient volume calculation is applicable to all eligible providers, regardless of the stage of the Medicaid EHR Incentive Program they are participating in.

Changes to the base year of the Medicaid EHR Incentive Program for hospital incentive payment calculation 
Q: Are there any changes to the base year for the Medicaid EHR Incentive Program hospital incentive payment calculation?

A: Yes. Previously Medicaid eligible hospitals calculated the base year using a 12-month period ending in the Federal fiscal year before the hospital's fiscal year that serves as the first payment year.  In an effort to encourage timely participation in the program, §495.310(g)(1)(i)(B) of the Stage 2 Rule was amended to allow hospitals to use the most recent continuous 12-month period for which data are available prior to the payment year. This change went into effect upon publication of the Stage 2 Rule.  Only hospitals that begin participation in the program after the publication date of the Stage 2 Rule (i.e., program years 2013 and later) will be affected by this change.  Hospitals that began participation in the program prior to the Stage 2 Rule will not have to adjust previous calculations.

ICD-10 Compliance Delayed

In response to public comment, HHS announced earlier this week that it will delay the ICD-10 compliance date from October 1, 2013 to October 1, 2014.  The reconsideration of the compliance date was, according to the final rule, a result of "(1) the industry transition to Version 5010 did not proceed as effectively as expected; (2) providers expressed concern that other statutory initiatives are stretching their resources; and (3) surveys and polls indicated a lack of readiness for the ICD-10 transition."  To view the final rule announcing the compliance delay click here.

New Type of Breach – Hackers Encrypting PHI & Holding for Ransom

Typical breach scenarios often involve a stolen laptop or other device and the extraction of medical records by the thieves.  Now a new type of breach has occurred: hackers breaking into systems and holding PHI for ransom.  Bloomberg recently reported a breach in which hackers burrowed into the computer network of a surgical practice in Illinois.  Rather than stealing the data and using it for identity theft, the hackers encrypted the PHI and held it for ransom.  To read the full article click here.

This type of incident would most likely be considered a "breach" under the HITECH Act, requiring breach notification to the affected individuals, unless the PHI had already been encrypted by the provider consistent with the NIST standards referenced in HHS guidance, so that the encryption safe harbor applies.  Two caveats: the safe harbor turns on the provider's own encryption and on the key remaining secure, not on the attacker's encryption; and an intruder who had enough access to encrypt the data may have been able to read or copy it first, so the incident should be investigated as unauthorized access, not only as a loss of availability.  Other HIPAA requirements are also implicated, including the Security Rule obligations to maintain administrative, physical and technical safeguards, such as access controls, audit logging, and network perimeter controls that make such intrusions harder.  Along with maintaining a secure system, it is also advisable to keep backups of all PHI that are stored separately from the production systems and periodically tested for restoration, so that an encrypting attack cannot also destroy the only copy.

HIPAA Final Rule…Still Waiting

Though the HIPAA Final Rules were expected to be out before the end of the month, it seems that the end is not yet in sight.  Last week, the Office of Management and Budget (OMB) extended its review of the HIPAA Final Rules.  The rules under review consist of the HITECH updates, including changes to the HIPAA Privacy and Security Rules, the Enforcement Rule and the Breach Notification requirements.  It is unclear how long the review was extended; OMB has the option of extending its review of a final rule for thirty days or indefinitely.  Comments from HHS indicate that the HIPAA Final Rules should be out sometime this summer.  But for now, we must wait.

Access To Patient Data Even Without Knowledge of Illegality Can Still Lead to HIPAA Criminal Liability

On May 10, 2012, the Ninth Circuit decided United States v. Zhou, No. 10-50231 (9th Cir. May 10, 2012), holding that the criminal misdemeanor provision of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. § 1320d-6(a)(2), is not limited to defendants who knew their actions were illegal.

The case arose out of the following facts:  Huping Zhou was a licensed cardiothoracic surgeon in China who was employed in 2003 at the University of California at Los Angeles Health System (UHS) as a researcher.  UHS later terminated his employment.  After his termination, Zhou accessed patient records of celebrities and co-workers on at least four separate occasions.  The U.S. Attorney's Office for the Central District of California brought criminal charges for a misdemeanor violation of HIPAA's prohibition on "knowingly" obtaining individually identifiable health information in violation of HIPAA.  Zhou filed a motion to dismiss on the grounds that he did not know it was illegal to obtain the health information and, therefore, did not act "knowingly."  The magistrate judge denied Zhou's motion, and Zhou then entered a conditional guilty plea, reserving the right to appeal the denial.  The trial court sentenced Zhou to four months in prison, a $2,000 fine, and a $100 special assessment.

The Ninth Circuit rejected Zhou's interpretation of the statute as applying only to defendants who knew that obtaining the personal health information was illegal.  Rather, the court held that, "as used in the statute, the term 'knowingly' applies only to the act of obtaining the health information."  Thus, the statute does not require a defendant to have known that his or her actions were illegal under HIPAA; it is enough that the defendant knew he or she was obtaining the information.

The court's decision is significant because it sets a relatively low bar for criminal misdemeanor liability under HIPAA: a former employee who retains working credentials and uses them to look at records can be prosecuted without proof that he knew the statute.  It is also a reminder that terminating access promptly when employment ends, and auditing record access after the fact, are the controls that surface this kind of misuse.  To access the case click here.