HIPAA Blog

[ Friday, August 27, 2004 ]

 

New FAQ on HIPAA applicability to State agencies: OCR has issued a new "frequently asked question" (actually, it's the answer that's important, natch) discussing the intersection of HIPAA and state "open records" requirements. This is a pretty interesting intersection, because it is overlaid by the preemption issue.

HIPAA says covered entities must keep PHI private. A governmental agency can be a covered entity, so it's obligated by HIPAA to keep PHI private. But most governmental agencies must be open and accountable to the public under "open records" or "sunshine" laws. What happens when HIPAA says keep quiet, but Open Records says make it public?

The general rule is that HIPAA says keep it quiet, but that general rule has exceptions. One exception is disclosures that are permitted or required by law. OCR focuses in on that exception, and settles the HIPAA/Open Records dispute on whether the Open Records law is a "permitted" or "required" disclosure. If the Open Records law is a required disclosure, a governmental covered entity must disclose the information. If it's a permitted disclosure, the governmental covered entity can disclose, but has the option not to disclose. Most Open Records issues involved required disclosures, so that's the answer in most cases.

However, there is one interesting aspect of this intersection that OCR doesn't address, and that's preemption. HIPAA preempts state laws that are less protective of privacy. But HIPAA also allows a covered entity to disclose if the disclosure is "required by [state] law." Well, if the state law requires the disclosure but, if the state law weren't there, HIPAA would prevent the disclosure, isn't HIPAA more protective of privacy, and doesn't that mean HIPAA preempts the state law? Wouldn't that analysis make the "required by law" component of HIPAA allowable disclosures nonsensical? Hmmm.

Jeff [11:19 AM]

 

Don't know much about OSHA . . . : But I know HIPAA when I see it. The AFL-CIO sent a letter to the Occupational Safety and Health Administration seeking guidance on an intersection of HIPAA and OSHA. OSHA requires employers to file injury and illness reports, apparently known as the OSHA 300 log, listing names of employees and the injuries and illnesses they suffer, I suspect from on-the-job accidents and conditions. This list has to be available to employers, former employers, and employee representatives (which I suppose is how the AFL-CIO came in). Some employers apparently were taking off the names of the employees, due to HIPAA concerns. OSHA said they have to keep names on the logs, since it's "required by law." I'm no expert on OSHA, but there is apparently an exception to putting or keeping the names on the logs if there are "privacy concern cases." I'm not sure what that means, but I'd guess it doesn't include a blanket HIPAA prohibition to disclosing any and all names.

Jeff [9:18 AM]

[ Friday, August 20, 2004 ]

 

BIG, BREAKING NEWS: The first criminal conviction and, as far as I can tell, first criminal charge of a violation of HIPAA has been entered in Washington state. Richard Gibson was an employee of the Seattle Cancer Care Alliance, and was able to get hold of the social security number and date of birth of a cancer patient. He used the information to get 4 credit cards, on which he charged about $9,000 worth of video games, jewelry, clothes, and, of course, porcelain figurines. He pleaded guilty as part of plea bargain yesterday, and agreed to a sentence of 10 to 16 months (which could be served in home confinement -- surrounded by the porcelain figurines), as well as restitution to the credit card companies as well as the identity theft victim. This all assumes that the judge accepts the plea, which I suspect he will.

Two lessons here: first, don't ever forget the criminal aspect of HIPAA. Keep it in mind for yourself when you're deciding whether to comply with the picky intricacies and banalaties of HIPAA, but also keep it in mind when you're trying to hammer on your staff the importance of keeping PHI private. Secondly, note that this is an identity theft case with a healthcare component. Gibson didn't steal medical information, but he did violate HIPAA, because PHI includes identifying information like birth dates and social security numbers. And he stole the social security number because therein lay the profit; while there may be some value in oncological medical information for a third party, the bigger risk is in the simpler identity theft opportunity. Keep that in mind when doing your risk analysis and implementing your HIPAA plans.

BNA report here (paid registration needed), US Attorney John McKay's press release here, copy of the plea bargain agreement here, Puget Sound Business Journal article here (free registration may be required).

One final point/issue (thanks, John Cody): was Gibson a covered entity? He was an employee of a covered entity, and not an actual covered entity. The issue of whether HIPAA can be enforced against a person who is not a covered entity has generated more heat than light, but here you have a likely non-covered entity admitting to guilt under HIPAA. Interesting.

Jeff [10:31 AM]

[ Wednesday, August 18, 2004 ]

 

Compliance and confusion: As this article in the Kansas City Business Journal indicates (free subscription may be required), many providers are still having some HIPAA teething troubles. The article also illustrates the difficulty in keeping all the moving parts straight. For example, it starts with a discussion of how EDI interfaces are causing more claims errors to occur; that's a "transactions and code sets" problem, and those regs were enforceable against providers in October of 2002 (at the latest), not April of 2003.

Reading between the lines, though, the article confirms that the biggest impacts of HIPAA are on patient interface and dealing with family members and others involved in care. Claims rejections have a bottom-line impact and will obviously get the attention of providers, but the rubber hits the road when the professional comes into contact with the personal: determining how to deal with patients' family members, and dealing with public contact (such as in the line at the pharmacy). Well thought-out policies and procedures, including physical layout of the public/professional workspace, are the key to compliance.

Jeff [9:32 AM]

 

HIPAA and Law Enforcement: Interesting article in the Minneapolis Star Tribune: Police take a suspect to the hospital ER early Sunday morning and request the doctor to take a blood sample. Suspect may have been drinking, and is accused of stabbing another man (who eventually died). Doctor refuses to take the blood, citing HIPAA and hospital policy against "invasive" or "intrusive" procedures without patient consent. Police wake up a judge, who calls the doctor and tells him he better take the blood sample, but he still refuses (hospital policy requires a "signed" court order to do the procedure without patient consent). Judge signs a court order, which is delivered at 9 Sunday morning, and blood is taken, 5 hours after the original request. Doctor is arrested, questioned, and released.

As the article points out, the police can demand and hospitals can take blood without consent if the life or death of a person may be involved, as was the case here. But the doctor does have a point; the law is unclear, the Supreme Court precedents were set before HIPAA became the law, and when in doubt, it's not unreasonable to err on the side of privacy. However, there was another step the doctor could've taken: take the blood sample, store it in a way that will preserve its evidentiary value (or test it as would be indicated), but don't deliver the sample and/or test results to the police until the court order arrives. That's not a completely square solution: you still have a potential claim for battery for taking the blood without an informed consent, and ordering the test may be considered a "use" of PHI that's not for treatment, payment, or healthcare operations (although that raises an interesting question itself: is the blood itself PHI, or is obtaining PHI by testing the blood a use?), but since there's virtually no risk in taking blood from a patient, it is SOP in emergency rooms to do so, and any treatment actually given to the patient in the ER might reasonably need the extraction and testing of the blood (although the testing for BAC might not be standard, that would still allow extraction and protective storage).

At the least, this case highlights the need to have clear policies if your operations ever involve police action or requests where time is of the essence. Even if time is not of the essence, you should have policies for disclosures to law enforcement officials, attorneys in litigation, and other reasonably anticipated legally-required or -requested disclosures.


UPDATE: According to the latest Strib story (which unfortunately calls the law HIPA), charges have been dropped against the doctor. Still no outing of the doctor's name, which is probably appropriate. There is a real confusion in the law between HIPAA's requirements and law enforcement standards. While it's not an unreasonable search or seizure for the police to obtain a blood sample from an unwilling suspect if there's probable cause and evidence spoilation issues, it just might be a HIPAA violation. Add to that the fact that the police probably can't force an unwilling doctor to take a blood sample if the doctor doesn't want to. This is definitely an area where HIPAA could have been better drafted.

Jeff [8:31 AM]

[ Tuesday, August 17, 2004 ]

 

Texas Attorney General Update: Back in February I noted that the Texas AG had issues an opinion on HIPAA and the state Public Information Act ("PIA"). I also noted that the AG didn't really answer too many questions. HIPAA only applies to covered entities, but also applies to PHI that a non-covered state entity (like a cop) gets from a covered entity. Also, the PIA itself has exceptions for personal, private information. So, generally, there's some way to keep the information secret if it's more than something like the general observations of the first responder reaching the scene of the accident.

Now, the lack of clarity in AG Abbott's opinion has come back to haunt him. His proclamation that HIPAA is preempted by the PIA has led two separate state agencies to sue him over whether they are required to release information or required to keep it secret. The Texas Department of Mental Health and Mental Retardation and the Texas Department of Human Services have sued the AG, seeking some judicial clarification of the issue. It is unfortunate, since HIPAA and the PIA are actually much more alike than they are different, and generally can be interpreted in a compatible fashion.

That said, what the MHMR is trying to avoid disclosing is fairly ridiculous. A TV station wanted a breakdown of sexual assault charges by MHMR location. MHMR would give state-wide statistics, but not facility-by-facility information. Even though no information was sought on any individuals at any particular facility, MHMR feels that because the location of the facility is also the address of the residents at that facility, disclosing that information would be disclosing a part of the PHI of those residents. If that's the case, disclosing the location of the facilities in a state directory or any other fashion would be a HIPAA violation. That's preposterous. If the information requested doesn't relate to specific individuals, or is not tied to those individuals by anything more than the coincidence of the individual living at that facility, the disclosure isn't even PHI. HIPAA is hard enough; they shouldn't work so hard to make it harder.

Jeff [10:56 PM]

 

A little late summer spring cleaning: I've got a bunch of stuff in my e-mail inbox that I've been holding until I got the chance to blog on it.

Electronic Medical Records: Here's an article from the NY Times on hospitals going paper-less. Obviously there are some benefits, such as reduction in errors and streamlining of information processing, making the same information available to all care providers across the enterprise, etc. Obviously there are some downfalls, such as the risk of a system crash taking all medical records off-line, greater privacy and security risks, etc. Not quite so obviously, there are some hurdles to making this type of thing work, not the least of which is physicians who are used to doing things on paper or their way, or those who have migrated to electronic records but using a different platform than the hospital. Hat tip: Alan Goldberg.


Risk Analysis: Here's a WEDI (Workinggroup for Electronic Data Interchange) white paper on HIPAA Security Rule risk analysis, including examples of how some covered entities have approached the process. Hat tip: Gordon Apple.


HIPAA Security: As part of your risk analysis, you do need to figure out which of your systems need to be audited, and keep audit logs. In making those determinations, look at systems, look at applications, and look at data to determine what needs auditing. Make it realistic, based on what you think you can catch, what you can analyze and deal with, and what you really need to worry about. Don't try to look at everything, and definitely don't capture more information than you'll be able to review and deal with effectively. Don't make your logs so big you can't easily store them. And most importantly, don't make the auditing process negatively impact the delivery of care. It needs to be effective, but if it hinders care, or slows down the nurses or physicians, they you'll get push-back (and rightfully so).

Thinking about going wireless? First, identify your risks: is PHI stored on mobile devices, is it encrypted, and is access protected? Wireless systems don't come in HIPAA-compliant and non-compliant; compliance depends on your usage and protections. Secondly, train your staff. Make sure your tech people know that they must play be the rules, and make the rules simple and clean. And make sure you teach your doctors, and if they're likely to leave their PDAs sitting around, make sure there's some access protection built into the system. Encrypt if you need to. And document what you've done and why. If you make a bad choice but you can prove it was for a good reason, you're much less likely to find yourself in hot HIPAA water. Hat tip: Hospital Compliance Wire's e-mail service.

Jeff [10:56 PM]

 

Encryption issues: When you're e-mailing PHI, when do you need to encrypt it? That's the question that the AHLA health information technology listserv has been wrestling with over the last few days. The ultimate answer is that it depends. Encryption is not a required element under the Security Rule, but it is an addressable one, so if you e-mail PHI, you need to have considered whether you need to encrypt, and document your decision.

Obviously, the specifics of your situation will dictate whether you need to encrypt. Sending PHI over an insecure network, especially generally e-mailing over the internet, is a lot different than sending e-mail over a closed network within a healthcare provider like a hospital. In addition to the level of security of the network, the level of confidence that no one but the intended recipient will receive the e-mail will impact the decision to encrypt.

Many HIPAAcrats believe that encryption is required if PHI is sent over the internet. Not so, says one of the Security Rule's original drafters, John Parmigiani. Encryption is an addressable issue, so deciding not to encrypt isn't necessarily a wrong decision, if you've done your risk analysis and (reasonably) determined that, given the circumstances, encryption isn't a necessary part of your risk management scheme. John gave as an example provider-patient e-mail communication where the patient has agreed to receive unencrypted e-mail because of lack of technical expertise or lack of concern over the risk of improper access. Obviously, where the patient-physician relationship is close and the patient is informed of but not particularly concerned about the security risks of over-the-internet e-mail, let 'er rip!

Two things worth emphasizing: even though most HIPAAcrats will say you must use encryption for internet transmissions, encryption is still an addressable item and just because everyone says it's so doesn't mean it's so; and the key to Security Rule compliance is still going through your processes and systems and checking off how you will comply with the required elements and how you will address the addressable ones (i.e., risk analysis and risk management).

Jeff [10:56 PM]

 

Great Logos in history: Check out this one from the District of Columbia Department of Health. They could've been DCDH, but decided on Homer Simpson's favorite, DOH!

Jeff [5:21 PM]

 

It's Pete Stark's Fault! I just knew it: according to this GAO report (abstract here), the adoption of new healthcare IT advancements like electronic medical records has been hindered by a hodge-podge of laws and other legal issues, including Stark and Anti-Kickback laws. Doctors are afraid to take IT services offered by hospitals (and hospitals may be wary about offering them) because of the fear that the provision of services would trigger a payment-for-referrals claim. Antitrust laws, tax laws, state licensing laws, intellectual property and malpractice concerns, and other laws also hinder the IT revolution. The GAO faults HHS for not removing thses barriers and uncertainties.

Apparently, HHS disagrees with the GAO, stating that the GAO didn't take into account all HHS has done with regard to privacy and security. Several articles on the issue are here and here, as well as in BNA and Modern Healthcare (subscriptions required).

Jeff [4:15 PM]

[ Wednesday, August 11, 2004 ]

 

Top 5 Drivers of EMR/EHRs: This week's Modern Healthcare (Aug 2, page 32) includes a Medical Records Institute survey of the top factors driving the need for electronic medical/health records:

1. Need to improve quality of care (87.4%)
2. Need to improve clinical processes/workflow efficiency (84.9%)
3. Need to improve clinical documentation in support of billing (74.8%)
4. Need to reduce medical errors (73.1)
5. Need to share patient information among providers (70.6%)

Jeff [3:48 PM]

 

E-Prescribing Gets a Shot in the Arm: A consortium of vendors, producers and service providers in the electronic prescription industry has initiated a new project to push e-prescribing. Called CafeRx, their mission is to remove the technical and legal barriers to the growth of electronic prescribing and prescription filling. Obviously, the use of electronic prescribing could speed up prescription filling, streamline the supply process, get drugs where they are needed faster, and reduce errors that can come from pharmacists trying to decipher physician handwriting. Some very big players are involved (Microsoft, for example), but the consortium is pretty much open to any IT companies who want to push the e-prescribing bandwagon forward.

Jeff [3:41 PM]

[ Tuesday, August 10, 2004 ]

 

Security Tip for the Day: Scramble your static information. As this interesting article from InfoWorld magazine points out, access control systems and other efforts to address the protection of PHI at input, output, and transmission are the primary focus of folks looking at HIPAA compliance from the security side. However, stop for a second and look at your static information: data bases that simply sit there with tons of PHI, waiting for someone to access them. Sure, you have access controls to make sure you keep out improper eyes. But what if someone defeats that system? Wouldn't it make sense if the information sitting there was actually encrypted*?

The analog is a locked filing cabinet or medical records room. The lock on the door is a good first-line of security. But if the records themselves were all mixed up? For example, what if there were no names on the files, only numbers, and the key for correlating numbers to names was elsewhere? Or what if the information on a particular patient was actually in several different files, and each file had information on several different patients? Or what if the information in the files was scrambled so that an intruder would not be able to make sense of it without a correlating key?

That's the idea: work hard on making sure you control access to your employees with need-to-access the particular file. That will help keep an unauthorized employee from accessing information on your systems. But you should also encrypt your static information. That won't keep out the hackers and other outsiders who might get around your access control system (and who your access control systems don't focus on), but it will keep them from being able to use any information they get.

*(nota bene: the article actually discusses various ways to manipulate information in ways that make it unviewable or unusable without decoding. I use the word "encryption" to describe all of that, but more technophilic folks like the the article author use encryption to describe just one of these procedures.)

One last tip: The author makes a pretty good point on the last page of the article: you've got to audit your systems for security problems, but while you want to keep secret the tricks you use to encrypt the data, you want your audit procedures to be very, very visible. Have you ever noticed how people pick their noses when they're alone in their cars, but not when they're in equally visible places like eating in a restaurant? The closed doors and windows, the radio playing, they all give the driver an illusion of privacy, and people will act differently when they think they're not being watched than they will when they think they're in public. It doesn't matter how often you audit your system, or even which system you audit, if your employees think you audit everything all the time. If they never think they're in the privacy of their own car, they'll never pick their nose.

Hat tip (on the article, not the nose-picking analogy): Megan Charlesworth at Cook Group.

Jeff [10:03 AM]

http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template

A discussion of medical privacy issues buried in political arcana

E-mail me at jdrummond-at-jw.com

- Archives - March 2002 April 2002 May 2002 June 2002 July 2002 August 2002 September 2002 October 2002 November 2002 December 2002 January 2003 February 2003 March 2003 April 2003 May 2003 June 2003 July 2003 August 2003 September 2003 October 2003 November 2003 December 2003 January 2004 February 2004 March 2004 April 2004 May 2004 June 2004 July 2004 August 2004 September 2004 October 2004 November 2004 December 2004 January 2005 February 2005 March 2005 April 2005 May 2005 June 2005 July 2005 August 2005 September 2005 October 2005 November 2005 December 2005 January 2006 February 2006 March 2006 April 2006 May 2006 June 2006 July 2006 August 2006 September 2006 October 2006 November 2006 December 2006 January 2007 February 2007 March 2007 April 2007 May 2007 June 2007 July 2007 August 2007 September 2007 October 2007 November 2007 December 2007 January 2008 February 2008 March 2008 April 2008 May 2008 June 2008 July 2008 August 2008 September 2008 October 2008 November 2008 December 2008 January 2009 February 2009 March 2009 April 2009 May 2009 June 2009 July 2009 August 2009 September 2009 October 2009 November 2009 December 2009 January 2010 February 2010 March 2010 April 2010 May 2010 June 2010 July 2010 August 2010 September 2010 October 2010 November 2010 December 2010 January 2011 February 2011 March 2011 April 2011 May 2011 June 2011 July 2011 August 2011 September 2011 October 2011 November 2011 December 2011 January 2012 February 2012 March 2012 April 2012 May 2012 June 2012 July 2012 August 2012 September 2012 October 2012 November 2012 December 2012 January 2013 February 2013 March 2013 April 2013 May 2013 June 2013 July 2013 August 2013 September 2013 October 2013 November 2013 December 2013 January 2014 February 2014 March 2014 April 2014 May 2014 June 2014 July 2014 August 2014 September 2014 October 2014 November 2014 December 2014 January 2015 February 2015 March 2015 April 2015 May 2015 June 2015 July 2015 August 2015 September 2015 October 2015 November 2015 December 2015 January 2016 February 2016 March 2016 April 2016 May 2016 June 2016 July 2016 August 2016 September 2016 October 2016 November 2016 December 2016 January 2017 February 2017 March 2017 April 2017 May 2017 June 2017 July 2017 August 2017 September 2017 October 2017 November 2017 December 2017 January 2018 February 2018 March 2018 April 2018 May 2018 July 2018 August 2018 September 2018 October 2018 November 2018 December 2018 January 2019 February 2019 March 2019 April 2019 May 2019 June 2019 July 2019 August 2019 September 2019 October 2019 November 2019 December 2019 January 2020 February 2020 March 2020 April 2020 May 2020 June 2020 July 2020 August 2020 September 2020 October 2020 November 2020 December 2020 January 2021 February 2021 March 2021 April 2021 May 2021 June 2021 August 2021 September 2021 October 2021 November 2021 December 2021 January 2022 February 2022 March 2022 April 2022 May 2022 June 2022 July 2022 August 2022 September 2022 October 2022 November 2022 December 2022 February 2023 March 2023 April 2023 June 2023 July 2023 August 2023 September 2023 October 2023 November 2023 December 2023 January 2024 February 2024 March 2024 April 2024

[ Advertisers ]

[ Links ]
Jackson Walker home page
My (official Jackson Walker) Bio
HHS' Administrative Simplification page
OCR's HIPAA Privacy page
ICD-10 Codes
NIST's HIPAA Security Implementation page
HIPAA.org page
TCS standard-setting
HIPAA Summit's page
Harvard's HIPAA colloquium
Workgroup for EDI
Siemen's HIPAA page
Beacon Partner's HIPAAcomply
FindLaw's HIPAA law page
HIPAAComplete
HIPAADocs
AMA's HIPAA page
AHA's semi-HIPAA page
American Health Lawyers Assn
SHARP (the Southern SNIP)
Boundary Information Group's HIPAAinfo.net
HIPAA academy
MedAbiliti's Health Innovation Daily News
Thompson-West's Privacy Litigation Reporter
HIPAAnswers (HIPAA compliance solutions)
Healthcare Intelligence Network Blog
Prescription Drug Encyclopedia
Compliance Home Portal
HIPAA Training (Supremus Group)
PracticeSuite Practice Management Blog
DMEPOS Surety Bonds
Hospital.com
Human Resources Daily Advisor

[ WebRings ]
< ? law blogs # >

[ Syndicated RSS Feed ]
Click Here