[ Tuesday, March 31, 2009 ]
Kaiser fires Octomom snoopers: Good.
Jeff [10:40 AM]
[ Thursday, March 26, 2009 ]
How complete is hospital adoption of EMR technology? According to this report by the New England Journal of Medicine, not very. 1.5% for complete EMR adoption, with Computerized Physician Order Entry (the easiest and most cost-effective sliver of the EMR universe) adopted by only 17% of hospitals. I gotta admit, that's much lower than I would've expected.
Also, see this.
Jeff [11:33 AM]
[ Tuesday, March 24, 2009 ]
Mass. General Data Breach: Another day, another data breach. This time, it's limited to 66 Massachusetts General Hospital patients. Their paper records were left on a subway train. Unlike most data breaches, where the concern is social security numbers or other information that could be used for identity theft, the data here was billing records, which do contain name and date of birth, but also contain diagnoses. Worse yet in that regard, the patients were folks being seen at an infectious disease clinic, which could mean that the records contain embarrassing information.
Jeff [10:13 AM]
[ Monday, March 23, 2009 ]
Slightly OT: The (so-called) Stimulus Bill. You can read below my somewhat extensive posts on the HIPAA provisions in the American Recovery and Reinvestment Act (sometimes called the Stimulus Bill, the Porkulus Bill, and various other names, but in the spirit of neutrality we call it ARRA). In putting this together, my associate Virginia Alverson wrote the piece on the financial incentives for adopting (and disincentives for failing to adopt) electronic medical record technology in the ARRA. She was having a very difficult time figuring out how some other commentators had come up with their dollar totals for the financial subsidies; the language of ARRA is insanely confusing, but she still couldn't track how some folks, writing for high-end audiences like Modern Healthcare, came up with their numbers, since they didn't match hers. So, she called the other authors, one of whom explained to her why her thinking was perfectly logical but incorrect: "You're looking at the printed version that came out of the House, not the version with the handwritten changes that was actually passed."
Yes, ladies and gentlemen, our Congress, the finest in the world, actually passed a bill that not only had nobody actually read, but NOBODY HAD EVEN FINISHED THE WORD VERSION AND PRINTED IT OUT!!! Now, I know that at one time all bills were probably hand-written, back, say, in the 18th century. But it's the 21st century. It may be too much to ask that our congresscreatures read the legislation before voting on it; but can't we at least get a good printed "final version" to look at before the voting begins? I guess not.
What does a partially-hand-written law look like? Like this. What's even more frightening -- click on the link within that blog (where it says "by clicking here") and just scroll through the bill and look at the numbers. $258,000,000 for frog spit research, $1,400,000,000 for lint removal technology, etc. The AIG bonuses are just a rounding error in this bill.
Speaking of which, that's exactly how the AIG bonuses got in this bill.
UPDATE: Does it matter that the entire bill violated Senate rules? Nah.
The country is in the best of hands.
Jeff [3:28 PM]
Miami Data Breach: Somebody stole a hard drive from Jackson Memorial Hospital with drivers' license data on hospital visitors. No social security numbers, which is good. And it's hard to tell if the information was PHI, based just on what I read in the story. Stolen from a secure area. Doesn't look like an intentional theft of data, more a theft of hardware.
Jeff [12:26 PM]
Physician office texting: Here's an interesting story of a physician's office using cell phone text-messaging for patient notifications. Certainly do-able, and probably a cost-saver, but you must make sure your cellphone numbers are good, you get buy-in from the patients (with easy opt-out), minimize the information flow over the text process (don't discuss test results, just notify of the appointment and not what it's really for, etc.), and keep a close eye on how the process is working; if anything looks funny, check it out and make sure you aren't blasting info where it doesn't belong. I don't think you can encrypt text messages, so that info is almost certainly "unsecured PHI" under the new data breach rules.
Jeff [11:17 AM]
[ Friday, March 20, 2009 ]
NoPP on CD: Just received a fairly interesting question on the requirement to deliver a notice of privacy practices (NoPP). HIPAA requires covered entities to provide them to the people whose health information the covered entity will be handling (patients of providers, beneficiaries of health plans). For health plans, they must give the NoPP on first subscription, then every 3 years must either provide another copy or at least remind the beneficiary where they can get another copy. Covered entities are allowed to send a copy by email if the recipient agrees, but must provide a "paper copy" if the covered entity knows the email transmission failed.
What if a health plan gives out a CD to all beneficiaries with health plan information on it, including the NoPP? Does that count as delivery, or must they deliver a paper copy? Do they need specific consent from the employee/beneficiary for this delivery (it's not "email")? Must they ask each recipient if getting a copy on CD is acceptable, or can they just deliver the CD and give a paper copy to any recipient who says they can't use the CD?
In my opinion, delivering a NoPP on a CD is delivering a NoPP for HIPAA purposes, unless the circumstances indicate that would be unreasonable. If the recipients are office workers who deal with computer technology on a regular basis, delivering a document on CD is no different than delivering a paper version (ecologically, it might be better). If you're making the delivery to nomadic Hutu tribesmen, not so much.
Jeff [11:52 AM]
NC Named: David Blumenthal, M.D., has been named to be the National Coordinator for Health Information Technology (i.e., the NC in ONCHIT).
John Halamka is happy. He's certainly a solid Massachusetts Democrat.
Jeff [11:43 AM]
[ Wednesday, March 18, 2009 ]
Into the Cloud: Very interesting article on "cloud computing" and the security and privacy issues raised thereby. This is a very live issue, and draws several articles a day on the InfoWeek website.
Jeff [9:52 PM]
Here's a Healthcare Data Breach With a Twist: It seems medical data on a bunch of federal Department of Energy nuclear power employees might have been lost. OK, I can think of several ways this could be worse. . . .
Jeff [3:07 PM]
Do the New Data Breach Rules Pre-Empt State Data Breach Laws? (And if so, partially or completely?) Excellent question and answer from Edward Shay of Post & Schell: In an exchange on the AHLA's HIT listserv this morning, hipaacrat Shay had the following to say (HITECH is the HIPAA portion of ARRA):
"Yesterday on the HITECH Part I conference call, Dan Orenstein asked me if I thought that HITECH preempted state breach notification laws. I answered with great conviction that it did not and that I thought that was a missed opportunity. Later yesterday, Vadim Schick, one of the bright tech lawyers at Post & Schell, politely pointed out to me that section 13421(a) seemed to do just what I told Dan that HITECH did not do; that is, preempt breach notification laws.
"So, for the record, I spoke in haste and all are directed to 13421(a) and the Conference Report for further consideration. Having read, and re-read 13421, I am now revising my view to say that I simply don’t know. Here’s why.
"Section 13421 appears to carry forward to the provisions of subtitle D of HITECH the preemption methodologies of section 1178 “in the same manner” as it applies to:
"A provision or requirement under part C of title IX, or
"A standard or implementation specification adopted under 1172 through 1174.
"For those who remember the fun of 1178, you will recall that it provides two methods of preemption. The first applies to “contrary state laws” subject to certain exceptions. The “contrary state law” methodology applies only to section 1172 through 1174 and standards thereunder, including the Security Rule. The second method is the more convoluted floor preemption methodology of section 264(c)(2) that saves more stringent state privacy laws. Section 13421(a) of HITECH would seem to keep both methods of preemption in place and simply carry them forward respectively to security and privacy under HITECH.
"Here’s the sticking spot. Part C of title XI had nothing on breach notification and neither did subsequent security or privacy regulations. I could not tell you if “breach notification” is a security provision (e.g., encryption strength) that would preempt contrary state laws or a privacy standard (e.g. duty to mitigate unauthorized disclosure through notification) that would preempt only more stringent state laws (e.g., allowing states to require notice within 10 days versus HITECH “without unreasonable delay”).
"Having set the record straight, I invite all to listen to HITECH II when better minds than mine will doubtless resolve this question."
As we wait for regulations, the safe bet is to ensure your healthcare business complies with the data breach notification provisions in ARRA as well as any data breach notification provisions in your state law.
Jeff [11:37 AM]
PHRs Get Patients Involved in Their Own Care: This makes sense, and is one of the good reasons why increased use and access of personal health records (as opposed to electronic medical records or electronic health records*, which are the records in doctors' offices and hospitals) is a good thing. In addition to personal portability (the Hurricane Katrina experience) and ease of remembering (if you can't remember the names of all the prescription drugs you take), having a personally-available medical file can help you remember appointments, remember to take your meds, know what foods to avoid, know what exercises to do, etc.
* Allow me a rant here: Another screw-up in ARRA (the so-called Stimulus Bill), in addition to Chris Dodd's AIG bonus legalization provision, is the use of EHR as the acronym instead of EMR. Everyone dealing with this stuff knows that an EMR is what physicians' offices and hospitals have, and PHRs are what individuals have. Using those 2 acronyms, there's only 1 common letter. But sometimes people use "electronic health record" to mean either of the two types of electronic records: professionals' medical records, or individuals' personal medical records. ARRA does call those personal records PHRs, but instead of using the better acronym EMR, they use the confusing acronym EHR to describe the professional records. Bad form.
Jeff [11:23 AM]
Physician Adoption of Technology: According to this article, it's growing, but is hindered by frustration doctors feel in dealing with the technology. It's hard to change over to an EMR, resulting in wasted time; EMR systems too often aren't interoperable; the software designers don't understand what doctors want and need. Sounds like pretty common complaints.
Jeff [11:19 AM]
Data Breach at SUNY-Binghamton: (Actually, it now appears to call itself Binghamton University, but still looks like a member of the State University of New York system) Here's a story about some data breaches at Binghamton, which may result in the recently-hired CISO getting fired. Not HIPAA, but this could be a lesson on how not to handle a breach. . . .
Jeff [11:02 AM]
[ Tuesday, March 17, 2009 ]
Epilogue on the Stimulus Bill: So what does it all mean? I don't think we can say for sure, but covered entities and business associates should start looking over their policies and procedures, and their forms, and start making some changes.
These provisions have varying start times, and most are subject to further rulemaking by the Secretary of Health and Human Services. Many of these provisions raise as many questions as they answer, so the regulations that are ultimately drafted and adopted will be very important. Until then, entities that deal with medical records or other health information should be prepared to make some changes to their operations and documentation. Specifically, most covered entities will need to make some changes to their BAAs to address the changes noted above. Depending on the specific provisions of the final regulations, some covered providers will want to change their standards and processes for obtaining patient authorizations, particularly to avoid the issues raised by the new definition of marketing, and especially if the covered entity uses an electronic medical record. Providers should also consider whether these changes will require them to revise the “Notice of Privacy Practices” they give their patients on their first visit.
More importantly, given the breach notification requirements and their applicability to “unsecured” PHI, covered entities should review their current IT policies to ensure that they are currently taking (or are ready to adopt once regulations are drafted) the appropriate steps to make the PHI they hold and exchange “unusable, unreadable, or indecipherable to unauthorized users.” Those covered entities that have not adopted strict security provisions such as encryption should start taking those steps now, and be prepared to take further action as soon as regulations are issued.
Jeff [5:49 PM]
Stimulus Bill Potpourri for $500, Alex: There's also a passel of additional HIPAA junk in the trunk of this bill:
Other Specific Disclosure Rules. There are several additional rules included in the HIPAA provisions of ARRA intended to address specific situations. A patient may now require his doctor not to disclose information to his insurance plan if the patient pays in cash. The existing “minimum necessary” rule continues to apply to non-treatment disclosures of PHI, but the “limited data set” requirements (removing most identifying information from the PHI) are now treated as the baseline for determining what is the minimum necessary information. The definition of marketing has been significantly tightened by removing many communications from the definition of “health care operations.” Individuals must be given a clear and easy way to “opt out” from receiving fundraising information. Companies that sell electronic “personal health records” (electronic record sets that are primarily controlled by the individual, such as the Microsoft/Google product “HealthVault” or AHIMA’s “myPHR”) are subject to specific breach notification rules. Health information exchanges are specifically defined as business associates.
Probably the most interesting part is the "hide" rule that lets the public cheat their insurance companies by hiding their real health condition. This could have some big unintended consequences: what if a patient hides information from his insurer, so that the insurer later refuses to cover a particular condition or provide a particular treatment because it rules the treatment unnecessary for any patient who hasn't had the treatment that was hidden? The new marketing rules may also have some unintended consequences -- we will see.
Jeff [5:42 PM]
More from the Stimulus Bill: There are also changes in HIPAA enforcement. Depending on how you look at it, this could be good; or bad.
Improved Enforcement. There was some confusion whether an employee of a covered entity could be subject to HIPAA criminal penalties. Normally, an employee does not personally meet the definition of a covered entity, and the Department of Justice had released an internal memorandum noting that employees would generally not be subject to prosecution for HIPAA violations; however, most if not all of the federal criminal cases that resulted in convictions for HIPAA violations involved employees who arguably did not meet the definition of a “covered entity.” This possible loophole has now been closed, and employees who wrongfully use or disclose PHI may be prosecuted for a HIPAA violation. Additionally, “willful neglect” is now a potential HIPAA violation. Individuals who were harmed by a wrongful disclosure may now be able to receive a part of any civil monetary penalty recovered for a HIPAA violation, with an increase in possible financial penalties for HIPAA violations. More importantly, ARRA now specifically authorizes attorneys general from all of the states to independently pursue HIPAA violations that occur in their states.
The employees who violate HIPAA can be prosecuted, so their employers, if they toe the line, probably are more in the clear. What is scary here is that we might be looking at up to 57 different interpretations of what some provision of HIPAA means. AGs can go on witchhunts, so this provision might make for some bad, as well as inconsistent, law.
Jeff [5:35 PM]
More Stimulus Bill Issues: Are you an EMR user? The stimulus bill will give you some cash if you become one (and will take away cash if you don't). Like the Persians in "300," you're going to get pushed off that cliff at some point. And when you are, you'll have some special HIPAA rules to abide by:
Special Rules for EHR Users. Covered entities that use electronic health records are subjected to specific HIPAA requirements under ARRA. Under HIPAA, covered entities are required to provide an accounting of disclosures to individuals who ask, but need not account for disclosures made for treatment, payment, or healthcare related reasons. Under ARRA, if the covered entity has an EHR, it must also account for those disclosures, but only for a period half as long as required of other covered entities (i.e., three years). An EHR (or PHI in an EHR) cannot be sold or exchanged for remuneration except in specific situations (as part of a research project, the sale of a practice, etc.). Additionally, a covered entity that uses an EHR must also provide an electronic copy of an individual’s information in the EHR to the individual or any other person the individual designates, and may not charge anything for the service other than the covered entity’s actual labor cost in obtaining the information.
Jeff [5:31 PM]
More Stimulus Bill provisions: Data Breach reporting.
Data Breach Notification Requirements. Covered entities and business associates who suffer a “breach” of unsecured PHI must notify all affected individuals. There are several complicating factors here: the definition of “breach” is relatively specific, and excludes some unintentional or inadvertent disclosures; if the PHI was “secured” (again, a specific definition applies, but basically encrypted or otherwise made indecipherable) then no notice is required; the information to be contained in the breach notification is somewhat specific; and it may be difficult to determine exactly when a breach was “discovered,” thereby starting the clock on notification timelines. Furthermore, if a company suffers a data breach involving the unsecured PHI of 500 or more people, the company will have to notify not only the affected individuals, but the Department of Health and Human Services and “prominent media outlets” serving the area.
That there is the "shame" rule: if you don't work hard enough to protect the info and you lose data on 500 people, you've got to call the local media and report yourself to the local news. This one will definitely benefit when regulations are drafted outlining all of the specifics, and when the standards-setting organizations get their acts together. Of course, that all still depends on getting a Secretary of HHS in place. One has been named, but the administration has failed to deliver the confirmation packet to the Senate (probably waiting for her to pay up back taxes).
Jeff [5:24 PM]
New Provisions under the Stimulus Bill: what about business associates? Here's my take:
Business Associates Now Covered, Too. Under the original structure of HIPAA, only healthcare providers, health plans, and healthcare clearinghouses were “covered entities;” the vendors and other parties with which they dealt, and which received “protected health information” or PHI from them, were not directly covered by HIPAA, and therefore could not be directly prosecuted for a HIPAA breach. Rather, HIPAA required covered entities to enter into “business associate agreements” (or “BAAs”) with these “business associates” to restrict the business associate’s use of the information and effectively apply HIPAA to the business associate via contract. ARRA explicitly (although somewhat inartfully) directly applies the same HIPAA requirements that are applicable to covered entities to their “business associates.” If a business associate breaches a BAA, it will not simply be at risk of a breach of contract action; rather it will be directly subject to prosecution under HIPAA.
Jeff [5:21 PM]
The Stimulus Bill's HIPAA provisions. OK, you've heard about this Stimulus Bill. The one nobody read. Well, I finally read it (or at least the parts dealing with HIPAA), and we rolled those comments into other health industry comments for what we at JW like to call an eBrief (longer than an eAlert, shorter than a HealthBrief article), which should be on the JW website tomorrow (included in our "Opportunities in Economic Crisis" task force feature). But to give you a few early bites at the apple, here's the lede:
In an apparent attempt to stimulate HIPAA lawyers, Congress included in the American Recovery and Reinvestment Act of 2009 (“ARRA”), known as the Economic Stimulus Package, provisions to revise and increase the scope of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the primary federal statute governing the privacy of an individual’s health information. The primary impact is to increase the number of parties subject to HIPAA; specify when and how HIPAA-covered entities deal with data breaches; and increase the types of activities that can result in a civil or criminal penalty, the people who can be charged with a violation, and the governmental entities that can prosecute a violation of HIPAA.
More specifics to come.
Jeff [5:00 PM]
[ Thursday, March 12, 2009 ]
"Free" May Be A Problem: according to this article by Medical Software Advice, there's the additional concern that "free" software EMR solutions, if they come about, won't be the cure either, in no small part because of the "moral hazard" argument. Physicians may not be as likely to embrace a new EMR project, support it, or work with it simply because it's free; the perceived value won't be there.
With one caveat, I would tend to disagree; once a physician practice implements an EMR, there's no parallel system for a physician to use instead of the EMR. The physician won't have any real choice in the matter; he'll have to use it to input and extract medical records and serve his patients. The caveat? If the paper method is left to stand along with the EMR method, the possibility of failure reappears. According to the article, a lot of EMR projects fail; I'd suspect that, in every case, the "analog" paper system was left available alongside the "digital" system. I know you need it as a safety net in case of a catastrophic failure of the EMR at implementation, but if it's only available as an emergency fallback, and otherwise isn't available, the lack of choice will drag physicians into adoption.
At least that's how I see it.
Jeff [5:24 PM]
Why WalMart (or more accurately, Sam's Club) Matters: I noted immediately below the story on Sam's Club (partnering with Dell and eClinicalWorks) to provide low-cost EMRs to small physician practices. It's important to note that physicians don't get as much Stimulus money as hospitals do for EMR, it's paid out over time, and the punishment for not going electronic (in the future) will be reductions in Medicare payment rates, which won't matter much to a physician practice with a minimal Medicare/Medicaid patient population (think pediatrics and ob/gyn). As such, the so-called Stimulus Bill might not stimulate much in the way of physician EMR adoption. At least that's what some folks at Avalere Health are saying. If the costs of EMR exceed the Stimulus carrots-and-sticks, unless there's a clear financial benefit otherwise, expect adoption to be less than complete.
Jeff [5:15 PM]
Would you buy an EMR system from Sam's Club? Actually, with the partners involved (Dell and eClinicalWorks), it sounds like a pretty good deal. Part of the chicken-and-egg issue of EMR is not buying the tech stuff until everyone uses it, but nobody uses it until everyone buys it. If you can get it out cheap (like Sam Walton can), you can get there. Maybe.
Jeff [7:38 AM]
[ Monday, March 09, 2009 ]
Milestone: Yesterday was the 7th anniversary of this blog's first post. You'd think there would be more answers than questions by now. . . .
Jeff [10:26 AM]
[ Thursday, March 05, 2009 ]
Will Electronic Medical Records Really Deliver Cost Savings: A doctor expresses his doubts. I guarantee you three things: implementing the technology will cost more than originally thought; the financial benefits will be less than originally thought; and a bunch of problems will pop up that nobody really thought about.
Jeff [3:27 PM]
Useful Information on Social Security Numbers: Hat tip to Alan Goldberg for this one. Here's a nice site that compiles a lot of information about social security numbers. Really good information, well put together, with tons of links.
Jeff [3:20 PM]
[ Monday, March 02, 2009 ]
(OT) Billing Software: Looking for a flexible, low cost billing software? You may want to check out MPMSoft (link at the left, too).
Jeff [3:47 PM]
Legal Privacy Arcana: According to the Supreme Court of Pennsylvania, a breach of confidentiality by a physician is not the same as an invasion of privacy. The claims are similar, but not subsumed within each other. Why does it matter? Because there's a 1-year statute of limitations for invasions of privacy, but a 2-year statute of limitations for torts generally, and a breach of a duty of confidentiality is a "general" tort.
The case is full of law-geekiness, including good discussions of the elements of common-law causes of action for invasion of privacy and breach of a confidential relationship. If you're into that sort of geekiness.
Jeff [12:29 PM]