PSBJ Article on HIPAA Interviews OMW Attorney David Schoolcraft

The Puget Sound Business Journal issued an article today on HIPAA and the impact on business associates.  The article interviewed Ogden Murphy Wallace Attorney David Schoolcraft because of his expertise in healthcare privacy law and health information technology.  The article focuses on the impact HIPAA has on health IT start-ups and their relationships with HIPAA covered entities.  To read the article click here (subscription required).

Increase in Costs for Copies – But Don’t Forget HIPAA (Updated)

Effective July 1, 2013, medical providers in Washington may increase their charges for searching and duplicating medical records.  The Department of Health (“DOH”) recently released the updated fee schedule for providers. The revised charges are as follows:

Current Fee Schedule | Fee Schedule Effective July 1, 2013

Copying for First 30 Pages

Additional Pages

Clerical Fees (for searching and handling records)


Providers who personally edit confidential information from the record are allowed to charge their usual fee for a basic office visit.  Pursuant to HIPAA, this fee may be charged when the medical record is validly requested by someone other than the individual.

HIPAA Limitations Relating to Medical Record Requests by Patients

Though the WAC allows certain charges, HIPAA limits these charges when a patient requests duplication of his/her medical record.  Fees charged by providers may only include:

  1. Labor for copying the protected health information (whether electronic or paper form);
  2. Supplies for creating the paper copy or electronic media;
  3. Postage fees (when the individual has requested the copy by mail); and
  4. If agreed to in advance by the patient, the cost of preparing an explanation or summary of the protected health information.

Applying both the WAC and HIPAA in combination, the clerical fee of $24.00 cannot be charged to a patient requesting a copy of his/her medical record; but a reasonable clerical fee for the labor of copying the medical record may be assessed.  Providers may not charge a fee equal to a basic office visit to the patient, but may charge a reasonable fee if a summary is provided.  Copying fees up to the maximum allowed by the WAC are permissible.  In addition, the HITECH Act amends HIPAA to allow a provider to impose a fee for the labor costs associated with copying an electronic medical record.

Stolen Laptop Leads to Stanford’s Fifth HIPAA Breach

Earlier this month Stanford reported its fifth HIPAA breach since 2009.  This is Stanford’s third largest breach, affecting nearly 13,000 patients.  A broken laptop containing protected health information of pediatric patients was stolen from a restricted area of the Lucile Packard Children’s Hospital at Stanford.  The laptop was unencrypted and contained patient information including: name, medical record number, age, telephone numbers, surgical procedures and treating physicians.  Though the laptop had a broken screen, there is still the possibility of extracting the data from the computer.

Stanford’s other breaches include a disclosure of 20,000 patient records when a subcontractor of a business associate placed patient information on the web seeking assistance with using Excel; the data was left on the website for nearly a year.  This breach has resulted in a $20 million class action lawsuit under California law.

Earlier this year, Stanford announced its largest breach, affecting 57,000 patient records, when an unencrypted laptop with patient information was stolen from a physician’s car.  In addition, Stanford reported a breach in 2012 of 2,500 patient records following the theft of an unencrypted laptop from a physician’s office.  Lastly, in 2010, Stanford was hit with a fine after failing to notify the state of California of the theft by an employee of a laptop containing over 500 patient records.

Considering Stanford’s previous breaches, encryption of its laptops would be a good course of action to prevent future HIPAA data breaches.  Stanford has reported that it now encrypts its laptops, but the one that was most recently stolen was unencrypted because the screen was broken.

Lessons learned from Stanford’s misfortunes: encrypt all PHI and destroy broken devices (remember that, though broken, the data is still valuable to thieves).

For assistance with  HIPAA and/or the breach notification rules please contact Elana Zana.

EHR Incentive Program Meaningful Use Stage 1 Updated

CMS has recently published a tip sheet consolidating for eligible professionals and hospitals the revisions made to the Stage 1 meaningful use measures that are effective in 2013.  These changes modify the following meaningful use objectives:

  • Public Health Reporting Objectives
  • Electronic Exchange of Key Clinical Information
  • Computerized Physician Order Entry (CPOE)
  • Record and Chart Changes in Vital Signs
  • Electronic Prescribing
  • Electronic Copy of and Electronic Access to Health Information (changes only applicable starting in 2014)

Some of the changes in the measures are required, while others are optional for 2013 but become required for 2014.  To view the Stage 1 changes tip sheet click here.

At the same time CMS also revised its Stage 1 Meaningful Use table of contents and tip sheets for each objective/measure for eligible professionals and hospitals/CAH.

If you have questions regarding the Medicare or Medicaid EHR Incentive Programs or meaningful use generally please contact Elana Zana.

Recent HIPAA Settlement Illustrates the Importance of Performing Risk Assessments

Last month, the Department of Health and Human Services (HHS) entered into a resolution agreement with Idaho State University (ISU) to settle HIPAA violations related to ISU’s electronic health records system.  Under the agreement, ISU agreed to pay $400,000 to HHS to settle the claims. ISU’s HIPAA violations resulted from its failure to detect disabled firewalls in its electronic system.  The disabled firewalls left the health information of over 17,000 patients unsecured for ten months.

After investigating ISU’s security policies and procedures, HHS discovered multiple HIPAA violations in addition to the disabled firewalls, including the following:

  • From 2007 to 2012, ISU failed to conduct any risk assessments related to its electronic health information;
  • From 2007 to 2012, ISU failed to implement any measures to address vulnerabilities in its health information security; and
  • From 2007 to 2012, ISU failed to implement policies and procedures to review activity on its electronic health records system to discover any improper access.

The ISU case illustrates the importance of closely following the HIPAA Security Rule’s requirements to safeguard electronic health information.  Perhaps the most important of these requirements is the obligation to conduct a thorough risk assessment.  If ISU had performed a proper self-analysis of its health information security risks, it is possible that it could have detected and addressed the risks from a disabled firewall before the incident occurred.

To learn more about HIPAA or for assistance on conducting HIPAA risk assessments please contact Casey Moriarty.

2013: A Critical Year for Medicare Incentive Programs

Amid all the recent attention given to the long-awaited modifications to HIPAA under the HITECH Act published earlier this year, it may be easy for Medicare providers to overlook the fact that 2013 is an important year for three Medicare payment incentive programs:  (1) the Physician Quality Reporting System Program; (2) the Electronic Prescribing Program; and (3) the Medicare Electronic Health Record Incentive Program.  As discussed below, there are important milestones and deadlines in 2013 for each of these programs associated with either receiving incentive payments or avoiding payment adjustments.

Physician Quality Reporting System (PQRS) Program

The PQRS Program is intended to promote the reporting of quality information by eligible professionals (EPs).  The incentives and payment adjustments for the PQRS program are based on whether an EP satisfactorily reports data on program-specified quality measures for covered physician fee schedule (PFS) services furnished to Medicare Part B fee-for-service (FFS) beneficiaries.  EPs can qualify to receive an incentive based on the 2013 reporting year (i.e. January 1, 2013 – December 31, 2013) equal to 0.5% of an EP’s total estimated Medicare PFS allowed charges for the 2013 reporting period.

The 2013 reporting year is also a critical year for the PQRS program because it is the first reporting year that will be used to apply the program’s payment adjustments.  Although the payment adjustments do not begin until 2015, the adjustments are based on information reported in the two-year “look back” reporting period, i.e., the 2013 reporting year for the 2015 payment adjustments, the 2014 reporting period for the 2016 payment adjustments, etc.  To avoid the payment adjustment for a particular year, an EP must satisfactorily report data in the applicable reporting period.  CMS will penalize EPs for failing to participate in the PQRS program in 2013 by reducing the 2015 Medicare PFS allowed charges by 1.5%.

Furthermore, one way an EP practicing in a group practice can report data for the PQRS program is through the group practice reporting option (GPRO).  Under the GPRO, a group practice may make PQRS reports for all individual EPs in the same group practice.  The deadline for a group practice to elect to report using the GPRO is October 15, 2013.

Electronic Prescribing (eRx) Incentive Program

The eRx Incentive Program is intended to encourage electronic prescribing by EPs.  2013 is the last year that EPs who are successful e-prescribers can qualify to earn an incentive payment.  The incentive payment for 2013 is equal to 0.5% of an EP’s total estimated Medicare PFS allowed charges for the 2013 reporting period (i.e., January 1, 2013 – December 31, 2013).  At the same time, the 2013 six-month reporting period from January 1, 2013 – June 30, 2013 is the final reporting period to avoid the 2014 eRx payment adjustment.  The 2014 payment adjustment for EPs who are not successful e-prescribers is equal to 2.0% of the EP’s Medicare PFS allowed charges.  An EP may be exempt from the 2014 eRx payment adjustment if the EP meets one of the payment adjustment exclusion criteria or the EP requests and CMS approves a hardship exemption.  An EP must qualify for one of the 2014 payment adjustment exclusion criteria or submit a hardship exemption request to CMS by June 30, 2013 to avoid the 2014 payment adjustment.

Medicare EHR Incentive Program

This program is intended to encourage Medicare EPs, hospitals and critical access hospitals to achieve “meaningful use” of certified EHR technology.  Payment adjustments for the Medicare EHR Incentive Program begin in 2015.  However, because of the two-year “look back” period adopted by CMS for the adjustments, EPs must demonstrate “meaningful use” in 2013 to avoid payment adjustment in 2015.  EPs who first demonstrate meaningful use in 2013 must demonstrate meaningful use for a 90-day reporting period in 2013 to avoid payment adjustments in 2015.  This means that October 3, 2013 is the last day for EPs who are demonstrating meaningful use for the first time to begin their 90-day reporting period.  EPs who first demonstrated meaningful use in 2011 or 2012 must demonstrate meaningful use for the full year in 2013 to avoid the 2015 payment adjustments.  The payment adjustment amount for 2015 is 1% of the EP’s PFS allowed charges for services furnished by the EP in 2015.

Summary of Key 2013 Dates:

June 30, 2013:

  • eRx: End of the 2013 six-month reporting period to avoid the 2014 payment adjustment
  • eRx: Last day for an EP to submit hardship exemption request to CMS to avoid the 2014 payment adjustment

October 3, 2013:

  • Medicare EHR: Last day for EPs to begin 90-day reporting period for Medicare EHR incentive (if 2013 is the EP’s first year of program participation)

October 15, 2013:

  • PQRS:  Deadline for group practices to submit self-nomination statement for group reporting option for PQRS program
  • PQRS:  Last day for EPs to elect the administrative claims option to avoid the 2015 PQRS payment adjustment

December 31, 2013:

  • PQRS:  End of period to avoid the 2015 PQRS payment adjustment
  • PQRS, eRx, Medicare EHR:  Participation year ends for all programs

In sum, Medicare providers should take note of the above dates related to the PQRS, eRx and Medicare EHR Incentive Programs, especially those dates associated with actions which they will need to take or achieve in order to avoid the applicable program payment adjustments beginning in 2015.

For more information about the Medicare incentive programs discussed above, please contact Lee Kuo.


The HITECH Act Final Rule’s GINA-Related Modifications to HIPAA

The Genetic Information Nondiscrimination Act of 2008 (GINA) prohibits health insurers and health plans from discriminating against beneficiaries on the basis of genetic information.  The HITECH Act Final Rule makes some important GINA-related changes to HIPAA.

In general, the changes related to genetic information are solely of interest to health insurers and health plans.  With that said, the Final Rule’s amendment to the definition of “health information” to include genetic information is relevant to all covered entities.  Under this new definition, all HIPAA covered entities must ensure that the following information is protected and secured under the HIPAA Privacy and Security Rules:

1. Any information related to genetic tests of an individual.

2. The genetic tests of family members of an individual.

3. The manifestation of a disease or disorder in family members of an individual. “Manifestation” means a disease, disorder, or pathological condition that an individual has been or could reasonably be diagnosed with by a health care professional with appropriate training and expertise in the field of medicine involved.

4. Any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by an individual or any family member of the individual.

Additional GINA-related changes to HIPAA under the Final Rule include an explicit prohibition on the use or disclosure of genetic information for a health insurer’s or health plan’s underwriting purposes. There is an exception for underwriting performed by issuers of long-term care policies.

The Final Rule also requires a health plan or health insurer to include a statement in its notice of privacy practices that it will not use or disclose genetic information of an individual for underwriting purposes. Again, there is an exception for issuers of long-term care policies.

If you would like more information about the Final Rule’s GINA-related modifications to HIPAA, please contact Casey Moriarty.

The HITECH Act Final Rule’s Requirements for Using Health Information for Fundraising Purposes

With the HITECH Act Final Rule’s required revisions to business associate agreements, notices of privacy practices, and breach notification policies, it is easy to miss the Final Rule’s changes to the requirements for the use or disclosure of protected health information (PHI) for fundraising purposes.  The new fundraising requirements under HIPAA and the HITECH Act are a mixed bag for covered entities.  Some of the changes increase the ability for covered entities to use PHI for fundraising, while other changes impose more restrictions on covered entities.

One of the benefits of the Final Rule for covered entities is the expansion of the types of PHI that can be disclosed to a business associate or institutionally-related foundation for fundraising purposes.  This list now includes:

1. Demographic information, including name, address, other contact information, age, gender, and date of birth;

2. Dates of healthcare provided to an individual;

3. Department of service information (e.g., cardiology, oncology, pediatrics, etc.);

4. Treating physician;

5. Outcome information (including death or sub-optimal treatment); and

6. Health insurance status.

Additionally, although a covered entity may not send fundraising communications to patients who have opted out of receiving such communications (as explained below), a covered entity may give patients the opportunity to opt back in to receiving such communications.   For example, a covered entity could include, as a part of a routine newsletter sent to all patients, a phone number that patients can call to be put on a fundraising list.

While these changes could be beneficial for covered entities, the Final Rule also has a number of increased requirements relating to fundraising communications, including:

1. Notice of Privacy Practices: The Final Rule requires a covered entity to have an explicit statement in its notice of privacy practices that an individual can opt out of receiving fundraising communications.

2. Opt Out Notice: With each fundraising communication made to a patient, a covered entity must include a “clear and conspicuous” opportunity for the patient to opt out of receiving future fundraising materials.  The opt-out method must not cause the individual to incur an “undue burden or more than nominal cost”.  Examples of valid opt-out methods include a toll-free number or the provision of pre-paid, pre-printed postcards.  If an individual opts out of fundraising communications, it is a HIPAA violation for a covered entity to send such a communication to the individual in the future (unless the individual later opts back in to receiving fundraising communications).

3. Conditioning Payment or Treatment: The Final Rule makes it clear that covered entities may not condition treatment or payment on a patient’s decision to receive fundraising communications.

Please contact Casey Moriarty if you have any questions about the use of PHI for fundraising purposes under the HITECH Act Final Rule.

HIPAA Final Rule Eliminates Covered Entities’ Discretion to Comply with Individuals’ Requests for Restriction of PHI Disclosure in Certain Cases

This article marks our first in a series of articles pertaining to the new HIPAA Final Rules implementing the HITECH Act.

Before the Final Rule, covered entities were required under HIPAA to permit individuals to request that covered entities restrict the use or disclosure of protected health information (PHI) for treatment, payment and health care operations purposes.  Covered entities were not, however, required to agree to any such requests.  The Final Rule, which was released by HHS on January 17, 2013, eliminated covered entities’ discretion as to whether to comply with an individual’s request for restriction on disclosure of PHI to a health plan, provided certain requirements are met.  Under the Final Rule, a covered entity must agree to an individual’s request to restrict disclosure of PHI if: (a) the disclosure is for payment or health care operations and is not otherwise required by law, and (b) the PHI pertains solely to a health care item or service for which the individual or another person on behalf of the patient (other than a health plan) has paid the covered entity in full.

To ward off concern that providers would need to create separate medical records to segregate PHI subject to a restricted item or service, HHS commented that covered entities only need to employ some method to flag the restricted PHI or to make a notation in the record regarding the PHI that is restricted.

In cases where an individual requests a restriction with respect to only one of several health care items or services in a single patient encounter, HHS imposed upon providers the expectation that they counsel the patient on their ability to unbundle the items or services and the impact of doing so.  For example, even if an item or service is unbundled, providers should warn the patient that it is possible that the context may allow the health plan to determine the service performed and that unbundling the service may cost the patient more.

HHS fell short of requiring providers to notify downstream providers of the fact that an individual has requested a restriction to a health plan; however, it encouraged providers to counsel patients that it is the patient’s obligation to request a restriction and to pay out of pocket with other providers in order for the restriction to apply to the disclosures by such providers.

In addition, HHS encourages covered entities to engage in an “open dialogue” with patients to ensure they are aware that any previously restricted PHI may be disclosed to the patient’s health plan for follow-up care unless the patient requests an additional restriction and pays out of pocket for the follow-up care.

Please contact Carrie Soli if you have any questions about HIPAA’s requirements regarding individuals’ requests for restrictions on disclosure of PHI.

OMW Hosting Webinar on HIPAA Changes

Join us for a Webinar on March 21.
New HIPAA rules were recently finalized and will go into effect in 2013.  This webinar program will provide important information to help your organization prepare for the implementation of these new rules, including details on:

• Business Associates
• Revisions to the Notice of Privacy Practices
• Breach Notification Requirements
• Individual Rights related to the Release of PHI

Join Ogden Murphy Wallace attorneys David Schoolcraft and Elana Zana as they explore these HIPAA modifications and help you form a compliance action plan to avoid HIPAA violations.


Title: 2013 – HIPAA Readiness Program
Date: Thursday, March 21, 2013
Time: 12:00 PM – 1:00 PM PDT


After registering you will receive a confirmation email containing information about joining the Webinar.

If you have questions about this Webinar or HIPAA in general please contact Elana Zana.