Reducing the Risks of Third-Party Access to EHR Systems

UnityPoint Health, a health system located in Iowa, recently informed 1,800 patients of a breach of their health information. UnityPoint learned of the breach after an audit discovered that a third-party contractor’s employee had improperly gained access to the UnityPoint electronic health record (EHR) system and viewed the records of the 1,800 patients.

The UnityPoint breach shows the risks of allowing third-party contractors, known as “business associates,” to access health information in an EHR system. While such access may be required for certain activities, including billing, claims management, or utilization review, providers must be certain that the business associate agreements with such contractors include strong protections for the provider.

For example, business associate agreements should include requirements for the business associate to indemnify the provider for expenses resulting from HIPAA breaches, pay all notification costs associated with such breaches, and maintain insurance policies that provide coverage for a large breach.

Although strong language in a business associate agreement provides legal protection for a provider, it will do nothing to counteract the public relations fallout that results from notifying patients of a breach. Therefore, providers should make every effort to contract with legitimate entities that understand HIPAA compliance.

If you would like more information about HIPAA compliance, please contact Casey Moriarty.

Stolen Laptop Leads to Stanford’s Fifth HIPAA Breach

Earlier this month Stanford reported its fifth HIPAA breach since 2009. This is Stanford’s third largest breach, affecting nearly 13,000 patients. A broken laptop containing protected health information of pediatric patients was stolen from a restricted area of the Lucile Packard Children’s Hospital at Stanford. The laptop was unencrypted and contained patient information including: name, medical record number, age, telephone numbers, surgical procedures and treating physicians. Though the laptop had a broken screen, there is still the possibility of extracting the data from the computer.

Stanford’s other breaches include a disclosure of 20,000 patient records when a subcontractor of a business associate posted patient information on the web while seeking assistance with using Excel; the data was left on the website for nearly a year. This breach has resulted in a $20 million class-action lawsuit under California law.

Earlier this year, Stanford announced its largest breach, affecting 57,000 patient records, when an unencrypted laptop with patient information was stolen from a physician’s car. In addition, Stanford reported a breach in 2012 of 2,500 patient records following the theft of an unencrypted laptop from a physician’s office. Lastly, in 2010, Stanford was hit with a fine after failing to notify the state of California of the theft by an employee of a laptop containing over 500 patient records.

Considering Stanford’s previous breaches, encryption of its laptops would be a good course of action to prevent future HIPAA data breaches. Stanford has reported that it now encrypts its laptops, but the one that was most recently stolen was unencrypted because the screen was broken.

Lessons learned from Stanford’s misfortunes: encrypt all PHI and destroy broken devices (remember that, even though a device is broken, the data on it is still valuable to thieves).

For assistance with HIPAA and/or the breach notification rules please contact Elana Zana.

The HITECH Act Final Rule’s GINA-Related Modifications to HIPAA

The Genetic Information Nondiscrimination Act of 2008 (GINA) prohibits health insurers and health plans from discriminating against beneficiaries on the basis of genetic information. The HITECH Act Final Rule makes some important GINA-related changes to HIPAA.

In general, the changes related to genetic information are solely of interest to health insurers and health plans. With that said, the Final Rule’s amendment to the definition of “health information” to include genetic information is relevant to all covered entities. Under this new definition, all HIPAA covered entities must ensure that the following information is protected and secured under the HIPAA Privacy and Security Rules:

1. Any information related to genetic tests of an individual.

2. The genetic tests of family members of an individual.

3. The manifestation of a disease or disorder in family members of an individual. “Manifestation” means a disease, disorder, or pathological condition that an individual has been or could reasonably be diagnosed with by a health care professional with appropriate training and expertise in the field of medicine involved.

4. Any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by an individual or any family member of the individual.

Additional GINA-related changes to HIPAA under the Final Rule include an explicit prohibition on the use or disclosure of genetic information for a health insurer’s or health plan’s underwriting purposes. There is an exception for underwriting performed by issuers of long-term care policies.

The Final Rule also requires a health plan or health insurer to include a statement in its notice of privacy practices that it will not use or disclose genetic information of an individual for underwriting purposes. Again, there is an exception for issuers of long-term care policies.

If you would like more information about the Final Rule’s GINA-related modifications to HIPAA, please contact Casey Moriarty.

The HITECH Act Final Rule’s Requirements for Using Health Information for Fundraising Purposes

With the HITECH Act Final Rule’s required revisions to business associate agreements, notices of privacy practices, and breach notification policies, it is easy to miss the Final Rule’s changes to the requirements for the use or disclosure of protected health information (PHI) for fundraising purposes. The new fundraising requirements under HIPAA and the HITECH Act are a mixed bag for covered entities. Some of the changes increase the ability of covered entities to use PHI for fundraising, while other changes impose more restrictions on covered entities.

One of the benefits of the Final Rule for covered entities is the expansion of the types of PHI that can be disclosed to a business associate or institutionally-related foundation for fundraising purposes.  This list now includes:

1. Demographic information, including name, address, other contact information, age, gender, and date of birth;

2. Dates of healthcare provided to an individual;

3. Department of service information (e.g., cardiology, oncology, pediatrics, etc.);

4. Treating physician;

5. Outcome information (including death or sub-optimal treatment); and

6. Health insurance status.

Additionally, although a covered entity may not send fundraising communications to patients who have opted out of receiving such communications (as explained below), a covered entity may give patients the opportunity to opt back in to receiving such communications. For example, a covered entity could include, as a part of a routine newsletter sent to all patients, a phone number that patients can call to be put on a fundraising list.

While these changes could be beneficial for covered entities, the Final Rule also has a number of increased requirements relating to fundraising communications, including:

1. Notice of Privacy Practices: The Final Rule requires a covered entity to have an explicit statement in its notice of privacy practices that an individual can opt out of receiving fundraising communications.

2. Opt Out Notice: With each fundraising communication made to a patient, a covered entity must include a “clear and conspicuous” opportunity for the patient to opt out of receiving future fundraising materials. The opt-out method must not cause the individual to incur an “undue burden or more than nominal cost”. Examples of valid opt-out methods include a toll-free number or the provision of pre-paid, pre-printed postcards. If an individual opts out of fundraising communications, it is a HIPAA violation for a covered entity to send such a communication to the individual in the future (unless the individual later opts back in to receiving fundraising communications).

3. Conditioning Payment or Treatment: The Final Rule makes it clear that covered entities may not condition treatment or payment on a patient’s decision to receive fundraising communications.

Please contact Casey Moriarty if you have any questions about the use of PHI for fundraising purposes under the HITECH Act Final Rule.

Health Data Privacy Protections to Increase

As we wait for the HITECH Act updates to HIPAA to be finalized, yet another article signals the administration’s intent to strengthen privacy protections for health data: http://www.nytimes.com/2011/05/31/business/31privacy.html

Impact of “Big Data” in Health Care

A recent report from McKinsey & Company on the evolution of information technology focuses on health care as a sector to watch: “For instance, if US health care could use big data creatively and effectively to drive efficiency and quality, we estimate that the potential value from data in the sector could be more than $300 billion in value every year, two-thirds of which would be in the form of reducing national health care expenditures by about 8 percent.” Full report at http://www.mckinsey.com/mgi/publications/big_data/index.asp

HHS Says Push for EHRs Overlooks Security Gaps

It seems HHS is laying the groundwork for the issuance of the updates to HIPAA privacy and security rules under the HITECH Act. As reported May 16th in the Washington Post:

“The nation’s push to computerize medical records has failed to fully address longstanding security gaps that expose patients’ most sensitive information to hackers and snoops, government investigators warn.”

http://www.washingtonpost.com/politics/hhs-inspector-general-says-push-for-electronic-medical-records-overlooks-some-security-gaps/2011/05/16/AFpaH54G_story.html

HIPAA Breach Notification Rules Issued

On August 19th, HHS issued new rules requiring HIPAA covered entities to notify individuals when their health information is breached. The breach notification rules implement provisions of the HITECH Act, passed as part of the federal stimulus legislation in February. A full copy of the new rules is available here.

The breach notification requirements will become effective on September 23rd, 2009.

Significant changes to HIPAA include:

  • Notice must be provided to individuals within 60 days from discovery of a breach.
  • The notice must contain detailed elements specified in the rules.
  • For breaches involving more than 500 individuals, the notice must be given to “prominent media outlets”, as well as HHS, within 60 days.
  • All breaches must be reported to HHS on an annual basis.
  • Covered entities must change policies and procedures as necessary to comply with these new rules.
  • Workforce members must be trained about the impact of the new data breach requirements.

Note that the policy development and training requirements apply to all covered entities.

In addition, the regulations contain updated guidance on what it will take to adequately secure (whether through encryption or otherwise) health information in order to minimize the impact of the notification rules.

Health care organizations need to move quickly to ensure compliance with these complex new rules in an extremely compressed time frame.