End of the Public Health Emergency means end of HIPAA Enforcement Discretion. Been on Zoom or Teams lately? Worked from home? Telecommuted? The Covid Pandemic changed a lot of things about the way we work, including a dramatic increase in telehealth services. In healthcare (primary care particularly), there was firehose-level adoption of Zoom, FaceTime, and similar technology at the very early stages of the pandemic, as providers tried to find ways to keep their patients healthy without having them come to the office.
However, these new technologies raised potential HIPAA issues: were they safe enough? Had the adopting practices done sufficient due diligence to understand the risks they posed to the confidentiality, integrity, and availability of the PHI that would be transmitted? OCR wasn't about to simply say "Zoom is HIPAA-compliant" (as any reader of this blog knows, that's not how that works); at the same time, OCR wasn't about to stand in the way of Covid-safe healthcare delivery.
As is usually the case*, OCR took a balanced, reasonable approach: if providers agreed to take reasonable steps to layer on the best privacy and security safeguards they could, OCR agreed not to prosecute them for a HIPAA violation for using one of these video technologies. They called it "enforcement discretion": OCR exercised the discretion granted to it to not pursue HIPAA violations against Zoom and FaceTime users. Note that OCR didn't say Zoom or FaceTime were otherwise improper under HIPAA; keeping a neutral stance, it simply said that, for the time being, it wouldn't hold it against a covered entity that chose to use such a technology.
OCR made clear that this was a pandemic-related decision, and subject to the circumstances. That meant that, when the pandemic ends, so does the enforcement discretion. And lo, it came to pass, that the pandemic will officially end (as far as the federal government is concerned) on May 11, when the Public Health Emergency declaration ends. OCR will give covered entities and business associates 90 additional days (from May 12 through August 9) to become compliant. OCR's declaration is here.
Bottom line: if you are a covered entity and adopted Zoom or some other telehealth technology, now is a good time to take a look at how you're using it, and make sure it fits within your HIPAA policies and procedures. It would be a good idea to have a specific policy/procedure to address use of telehealth technologies (ask me if you need a form). Make sure you cover ALL instances where you use Zoom, especially if you use it for non-patient-care purposes -- for example, staff meetings where PHI is discussed.
It might also be a good idea to use that review as an occasion to freshen up your overall HIPAA risk analysis. Are there other practices you adopted during the pandemic that might carry HIPAA risk? That doesn't mean you have to change anything; you might already be doing everything as safely as possible. But it's a good idea to look, because technology changes, and so do threats.
* I've been accused of being a cheerleader or fanboy for OCR, but that's not true. I think the civil rights arm of OCR has been pretty lousy, with a heavy thumb on the scale for leftist woke claptrap and a clear bias against traditional religious rights. But the HIPAA enforcement part of OCR has really been a partner to the healthcare industry it regulates from the beginning of HIPAA in 1999-2000. I give credit where due, and when the government does something right, it deserves mention.
Did you know that I have a blog? Good, because it seems I keep forgetting.
There's been a lot going on in HIPAA (comparatively) in the last few weeks, but I've not been very good at posting about it. I'll try to be better.
New HIPAA Standards for attachments and electronic signatures: I saw this in December and tagged it for blogging, but lost it in my overcrowded email folders. This is one of those super-insider-HIPAA deals, but CMS is proposing a new HIPAA standard transaction for attachments and e-signatures. As you may know (or not), one of the original purposes of HIPAA was to standardize (and thus simplify) many of the mundane daily transactions that providers and payors engage in when providing and paying for medical care. Originally, 9 separate transaction standards were adopted:
The new proposal relates to several of these, particularly 276-278 and 837. Attachments have always been a non-standard add-on to standard transactions, which in many ways defeats the purpose of the standardization. The new rule won't completely fix the non-standardized attachments problem, but it will streamline a portion of the process. It'll take a while for providers and payors to get the new processes rolled out, but once they're done, it should result in some cost savings.
CMS' fact sheet is here, and the Federal Register posting is here.
Anniversary: I meant to post something yesterday, but got a little distracted. As of yesterday, this blog is now old enough to drink in all 50 states. Yes, I started this blog on March 8, 2002. Hard to imagine.
HHS issues advisory on "Clop" strain of ransomware. Spring is in the air, and as regularly as the seasons changing, there's a new varietal of ransomware. This one is from a Russian group calling itself "Clop," which exploits a flaw in GoAnywhere. HHS and HSCCC have issued an alert. One thing that sets Clop apart is that it specifically targets the healthcare sector.
The usual defensive tactics apply: train your staff to recognize phishing, patch your software (GoAnywhere included, if you run it), manage your network perimeter, back up your data somewhere the ransomware can't reach it (offline or otherwise isolated from the systems it would encrypt), keep a current map of your systems, use DLP, and alert on unusual traffic flows.
HHS is committed to reducing the backlog of HIPAA investigations. Complaints to OCR now exceed 50,000 a year (about two-thirds of them HIPAA-related), and OCR just isn't designed to meet that level of demand. So HHS is going to reorganize OCR, with specific divisions addressing policy, strategic planning, and enforcement. I don't think that's particularly useful.
Seems to me like OCR should be split into civil rights (discrimination and the like) and HIPAA/health data privacy and security. The HIPAA side should also be split, with policy, planning, and guidance on one side, and breach/complaint on another branch, and enforcement as a third division. The breach/complaint side should also be split into breach issues and non-breach issues (such as access).
At least that's how I'd do it.
The Lesson of Good Rx: Don't forget the FTC. Obviously, I tend to focus on HIPAA here, as do many HIPAA-covered entities (and HIPAA-adjacent but non-CE industry players). But the FTC's recent settlement with Good Rx over patient data handling practices should be a lesson. Good Rx used tracking pixels to glean data from patients, and allowed Meta and Google to access the data; that resulted in Good Rx users getting targeted ads based on the information they had given Good Rx (which Good Rx had stated in its privacy policies would be kept confidential).
According to recent guidance from HHS, the use of tracking pixels can result in a HIPAA violation if (i) the pixel use results in disclosure of PHI (the URL of an appointment page, a search for a condition, or a logged-in patient's identifiers can all ride along in the pixel request) and (ii) the recipient isn't a permitted recipient or there's no BAA in place. Tracking pixels are ubiquitous on webpages, since they tell the site owner what's working on the site and what isn't. There's normally no problem with the site owner having that data; the problem is when the pixel sends it to a third party (an ad or analytics vendor) without a BAA or the patient's authorization, and, as Good Rx learned, contrary to what the privacy policy promised.
Bad pixel use could easily result in a HIPAA enforcement action. But even if HIPAA isn't applicable, there's always the FTC.
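To make the mechanism concrete, here is an added example (not code from this post, and not any vendor's real pixel SDK) that models what a tracking pixel typically carries off a page and shows the kind of gate that keeps it off authenticated pages and strips search terms on public ones. It runs in Node without a browser; the page list is constructed sample data, and the payload field names (dl, dt, cid) and the PHI_QUERY_KEYS list are assumptions for illustration.

```javascript
// Added example: a simplified model of a third-party tracking pixel, and a
// hardened integration that keeps PHI out of the beacon. Field names and the
// sample pages below are hypothetical, not taken from any real site or SDK.

// Constructed sample pages: one public service page, one authenticated portal
// page, and one public page whose query string carries a sensitive search.
const SAMPLE_PAGES = [
  { url: "https://clinic.example/services/cardiology",
    title: "Cardiology services", loggedIn: false },
  { url: "https://clinic.example/portal/appointments?provider=oncology&visit=2023-04-12",
    title: "Upcoming appointment - J. Doe", loggedIn: true },
  { url: "https://clinic.example/find-a-doctor?q=hiv+treatment",
    title: "Find a doctor", loggedIn: false },
];

// What a pixel commonly sends: the full page URL (query string included), the
// page title, and a persistent cookie id that ties the hits together. A
// patient's provider, condition, and name can all end up in these fields.
function buildPixelPayload(page, cookieId) {
  return { dl: page.url, dt: page.title, cid: cookieId };
}

// Naive integration: the pixel fires on every page, portal pages included.
function naivePixelCalls(pages, cookieId) {
  return pages.map((p) => buildPixelPayload(p, cookieId));
}

// Query-string keys that tend to carry PHI on a healthcare site (assumed list).
const PHI_QUERY_KEYS = new Set(["q", "provider", "visit", "condition", "patient", "mrn"]);

// Gate: never fire on an authenticated session or anywhere under /portal/.
function shouldFirePixel(page) {
  if (page.loggedIn) return false;
  const u = new URL(page.url);
  return !u.pathname.startsWith("/portal/");
}

// Hardened integration: apply the gate, drop the title, and strip sensitive
// query parameters before the URL leaves the page.
function guardedPixelCalls(pages, cookieId) {
  const out = [];
  for (const p of pages) {
    if (!shouldFirePixel(p)) continue;
    const u = new URL(p.url);
    // Copy the keys first: deleting while iterating searchParams skips entries.
    for (const k of [...u.searchParams.keys()]) {
      if (PHI_QUERY_KEYS.has(k)) u.searchParams.delete(k);
    }
    out.push({ dl: u.toString(), cid: cookieId });
  }
  return out;
}

// Side-by-side view of what each integration would transmit.
console.log("naive:  ", JSON.stringify(naivePixelCalls(SAMPLE_PAGES, "cid-123")));
console.log("guarded:", JSON.stringify(guardedPixelCalls(SAMPLE_PAGES, "cid-123")));
```

The naive version transmits the oncology appointment URL and the patient's name in the title; the guarded version sends nothing for the portal page and only a scrubbed URL for the public pages. In a real deployment the same gate belongs in the tag manager or consent layer, and the vendor relationship still needs a BAA if any PHI can reach it at all.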
Banner Health Settlement: It appears that Banner Health has reached a settlement with OCR over its 2016 hacking incident that potentially exposed PHI of almost 3 million people.
New Vision Dental HIPAA violation: Thanks to Jamie Sorley for tipping me off to this at the Dallas Bar Association Health Law Section's holiday party last night (sponsored by Bradley -- thanks for the excellent tequila!). HHS has announced a settlement with a dental practice over something other than right of access: the practice disclosed PHI on social media when responding to patient complaints and bad reviews. The good news for the practice is that the fine was only $23,000.
It's tough when a patient posts a false negative review. But a provider has to be very careful that any response does not involve any disclosure of PHI. The safest route is to ignore it, but if you must respond, do so with global statements, not anything that could specify any particular patient. For example, if the patient says he/she had to wait 3 hours in the waiting room on the day before Thanksgiving, the practice could respond and say it reviewed all of its sign-in sheets and the time-stamp of every patient encounter during the month of November and the longest any patient waited between sign-in and being taken to an exam room was 45 minutes. That response does not disclose any patient's PHI. On the other hand, saying "Mrs. Jones says she waited 3 hours, but she signed the sign-in sheet at 1:30 and was in the chair at 2:15" would be an improper disclosure of PHI.
Healthcare Industry Cybersecurity Advice: Last month, Sen. Mark Warner issued a white paper, "Cybersecurity is Patient Safety," on the current state of healthcare cybersecurity and ways to improve it. This month, the American Hospital Association has responded with a letter to Sen. Warner, providing a section-by-section response.
Ransomware, data breaches, and other cybersecurity issues are a huge problem in the healthcare industry. While care-denying ransomware attacks are relatively rare, healthcare is a critical data-driven industry that suffers much more than others when hit with an attack. A strong governmental and industry focus on cybersecurity is welcome.
But much of the advice relates to ways the government can spend more money, which is a premise that it's wise to question. The money wasted on the Covid response (not just the huge amounts of fraud, but the crippling effects of long-term unemployment insurance and deficit-ballooning cash grants to just about every business and government entity in sight -- many of which are now being spent on wasteful and unnecessary "infrastructure" and other pet projects that have only the most tangential connection to healthcare, much less the coronavirus) has put a huge weight on the US economy that it will take at least a generation to overcome. Virtually all our current economic woes (inflation, supply chain disruptions, business failures, historically low labor participation rates) are directly attributable not to Covid, but to the Covid response.
What we need is more clear and specific guidance from OCR, ONC, and HHS generally on what to do. The 405(d) program is great, but should be more specifically tied to what constitutes "reasonable safeguards" under the Security Rule. OCR need not abandon the flexibility granted in 45 CFR 164.306(b), but could provide a "safe harbor" reference to a concise and current list of specific security practices. Subpart C of 45 CFR Part 164 (the core Security Rule provisions, 164.302 et seq.), is clear and concise, and a fraction of the size of Subpart E (the Privacy Rule provisions), but finding your way to the specific technical guidance in the 405(d) program (or wading through the dozens of overly-wordy HHS data security resources) can take a lifetime.
Most of us who practice regularly in healthcare cybersecurity are aware of the 405(d) program and its technical guidance for small, medium, and large healthcare organizations, but very few providers are. Turning the technical volume attachments into a safe harbor would go a long way toward alleviating some of the health industry's ransomware exposure and risk.
Business Associates Get Hacked, are Threat Vectors: Half of the most recent 10 big HIPAA breaches involved business associates. As a covered entity, your first task is to make sure you have BAAs in place with your vendors. But the second task is to make sure your business associates aren't risky. They may be your weakest link, and your patients won't be happy with your excuse that "it wasn't my fault, it was the guys I hired and gave your data to."
Tracking Technologies: HHS has issued guidance to HIPAA covered entities and business associates regarding the risks of using tracking technologies to understand patient activities and behaviors, including the use of pixels (such as the Facebook Pixel/Meta Pixel advertising tools). I haven't fully digested the guidance but will update this post when I do.
Part 2: OCR announced earlier this week that they want to revise "Part 2" to more closely align with HIPAA. For those who don't know, 42 CFR Part 2 is a federal regulation that prohibits the disclosure of information regarding patients at federally-supported substance abuse treatment facilities. It's a remnant of an era when the government was concerned that drug addicts would not seek treatment due to fear that their presence at a drug treatment facility would be used as proof of drug crimes. Part 2 serves as sort of a super-HIPAA: with few exceptions, no data can be released about a patient without the patient's consent.
I haven't yet read what OCR's proposing, but I'll let you know what I think when I do.
8 Common-Sense Ideas for Defending Against Cyberattacks: This is focused on hospitals, which are seeing a rash of attacks, but these steps will work for every organization.
Data minimization and the Drizly case. News hit earlier this week when a proposed settlement between the Federal Trade Commission (FTC) and the Uber alcohol-delivery subsidiary Drizly was disclosed. The consent order is remarkable on its face because it applies to the CEO of the company both while at Drizly and at any other company where he takes a management role. While that is very unusual, of greater importance is probably the focus of the FTC on data minimization.
Drizly suffered a data breach when a hacker got the credentials of an employee and was able to log on and access a lot of information about Drizly's customers. And Drizly collected a lot of customer and employee information -- much more information than Drizly needed to deliver drinks to thirsty customers. The proposed consent order will require Drizly to limit the data it collects and keeps and requires James Cory Rellas to implement similar restrictions at any future employer.
The FTC's goal is data minimization. Companies often collect more information than they need for the job at hand, because it might be valuable at some point in the future for existing or new purposes. This is particularly true at initial customer sign-up, and at start-ups, since they don't know what data they might find useful later and might not be able to collect it after the fact.
However, while that data may or may not be valuable to the company, there's a truism in data privacy that pushes in the opposite direction: you cannot lose what you don't have. A data breach can only get the data that is in the database, so the less data you retain, the less you have to protect.
Expect to see not only the FTC, but other privacy enforcement agencies focus more often on data minimization as a breach mitigation strategy.
FBI Warns About Unpatched and Legacy Devices: Virtually all data storage and usage systems have vulnerabilities to hackers; it's just a matter of time and effort before some hacker finds a way to hack in. Software designers address this by issuing patches whenever vulnerabilities are discovered; however, once a device or system is obsolete (usually when there are a few iterations of replacement versions), the designers stop pushing out patches, and instead encourage users to replace the old systems. Software-laden medical devices and legacy data systems used by healthcare providers are no different.
Failure to patch or replace means those known vulnerabilities stay there, ready for a hacker to exploit. The FBI recently issued a notice to healthcare facilities and systems to keep up with patching and/or replace old systems to avoid risks to the data held by such devices and systems. In some cases, providers can't afford to replace old, unsupported devices, or replacement devices aren't even available; in those cases, facilities should take other steps to protect the devices or data: isolating them on a segmented network with no internet access (and limiting which internal systems can reach them), clearing stored data regularly, resetting the device to original settings (or a current specific update), and monitoring them more closely than supported systems.
Cyberattacks are costly in many ways: This shouldn't be news to anyone who's been paying attention, but two recent articles point out recent studies into the effects cyberattacks have on healthcare organizations. A recent Modern Healthcare article points out that almost 9 in 10 healthcare organizations suffered at least one cyberattack within the past year, with the average organization suffering almost one attempted attack per week. Successful attacks average $4.4 million in costs.
Dollar costs aren't the only damage cyberattacks cause. A HealthIT Security article illustrates that cyberattacks also impact patient safety, causing longer hospital stays and increased mortality.
Cyberattacks cost money and health, if not lives. Treat them seriously; defend your organization and your patients.
I received the following yesterday in an email from the OCR HIPAA listserv:
Is your organization using the SRA Tool to help conduct a security risk assessment (SRA)? The Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services are hosting a webinar in September about the Security Risk Assessment Tool. In this webinar, we will focus on how to review and update an assessment from a previous session. We will also cover a basic overview of the tool and highlight some new enhancements in version 3.3. There will be an opportunity for participants to ask questions and give feedback during the session.
There are two dates available for this webinar. Registration is limited to 3,000 participants for each presentation. The presentation will be the same for both sessions. A recording will be made available after the final webinar session.
Register for a session:
As you probably know, the existence of a good security risk assessment is a major item for review when OCR investigates a covered entity for a potential HIPAA violation. And OCR definitely gives covered entities a lot of credit for using OCR and ONC's own tool for the security risk analysis. It's pretty clunky and takes a lot of time to get through, but risk analysis is in fact pretty hard to do with a one-size-fits-all tool, so the difficulty of the tool is a little bit understandable.
I'd highly recommend attending the webinar if you can. It's always good to know what the regulators are thinking.
Chapter 11: Documenting HIPAA: the Notice of Privacy Practices
This is a continuation of my series of 20 posts celebrating the 20th anniversary of the HIPAA Privacy Rule and the 20th anniversary of the beginning of this blog.
As discussed above, the first and greatest (the "palladium," if you will) right granted (or recognized as belonging) to individuals under HIPAA is the right to know the "rules of the road." Prior to HIPAA, most healthcare providers required patients to sign a consent document, upon becoming a patient, that clearly gave the patient's consent to the provider using and disclosing the patient's information to the patient's insurer, for example. Providers knew (i) they were subject to patient confidentiality requirements (either statutory or common law), (ii) they'd be using the information that way, and (iii) it was easy enough to do at patient onboarding. As originally drafted in the Clinton Administration, HIPAA also required covered entities to obtain a specific consent from patients even for uses such as treatment, payment, and healthcare operations (TPO).
The Bush Administration removed the consent requirement, since it was unwieldy: a specialist physician would not even be able to look at the medical records of a patient referred to him for a consult until the patient arrived and signed a consent; a pharmacy would not be able to pre-fill your prescription until you showed up and signed a form. This would result in unnecessary delays to patient care. The fix was to allow the expected and otherwise permitted types of disclosures without specific consent, as long as the covered entity properly disclosed the general types of uses that were to be expected. Thus, HIPAA allows covered entities to use and disclose PHI without the authorization or consent of the patient for TPO, as required by law, or for certain other purposes; however, the covered entity must provide the patient, upon first contact, with a document outlining what those permitted uses and disclosures are, and which ones the covered entity is going to be engaging in. It's only fair: we remove the burden of pre-consent for those standard "ordinary course of business" uses and disclosures, but add the burden of fair disclosure when it becomes feasible.
The Notice of Privacy Practices (sometimes referred to as the NPP, although I prefer NoPP – adds one letter when you’re writing it, but eliminates 2 syllables when you’re saying it) has 3 main required elements, the first being a discussion of the types of uses and disclosures to be expected. This fulfills the “fair warning” of the “rules of the road” concept inherent in the Bush Administration’s removal of the consent requirement. In order to meet the requirements, the NoPP should provide a list of each general type of expected use and disclosure, with a more detailed description or example of the major types. For example, legally-required disclosures for law enforcement or public health purposes could be described in just so many words, but treatment or payment disclosures should include an example.
The second required element is a description of the individual’s rights with respect to their information. There is a “fair notice” element at play here, but it as much serves as a governor on covered entities that might otherwise want to run roughshod over their patients, by forcing them to acknowledge what they must do for their patients, and arming the patients with that information.
As noted above, the right to receive the NoPP is the first right of individuals, but there are 5 others: the right to access your PHI, the right to request amendments, the right to an accounting of disclosures, the right to request communications in a different format or at a chosen location, and the right to request specific privacy protections. These rights must be discussed in the NoPP.
Finally, the NoPP must provide a description of how a patient can file a complaint and seek his/her PHI. The complaint instructions should include a description of how to complain to the provider itself, as well as how to skip straight to the enforcement agency and file a complaint with the Office for Civil Rights.
The NoPP must also be written in plain language, and must be available in other languages if the covered entity has a large enough population of non-English speakers. Given the amount of information that must be conveyed (for example, if a covered entity does not specifically include a particular permitted use or disclosure in the NoPP, it cannot so use or disclose the patient's PHI without an authorization), there is pressure to make the NoPP as long and legalistic as possible. The plain language requirement is intended to prevent this. These competing goals of generality and granularity mean that covered entities must seek the "Goldilocks" level of sophistication and earthiness for their NoPPs; good luck with that.
Currently, the covered entity must attempt to obtain a “receipt” signature of the individual upon delivery of the NoPP; if the individual cannot or refuses to sign, the covered entity should simply note the failure or refusal, but cannot condition care or services upon receipt of the signature. So why go to the trouble? Conceptually, this requirement is a sort of “good faith” enhancer to (i) ensure the covered entity delivers the NoPP and (ii) ensure the patient/beneficiary understands the importance of the NoPP and the need to review (or at least understand) the information in it (most people pay more attention to the contents of a document they must sign than they do to one simply handed to them). Recent proposed revisions to the HIPAA regulations have indicated that the signature requirement may go away, but hold your tickets, that might not make it through to the final rules.
OCR fines New England Dermatology for Bad Data Disposal: The dermatology practice must pay $300,640 for putting specimen containers with patient PHI printed on the labels in the regular trash bin. Not the first fine for bad trash disposal methods; there have even been actions against pharmacies that threw out pill containers with patient names on them. It's a reminder: if there are patient identifiers on anything, whether it's paper or not, you need to make sure you dispose of it in a secure manner.
Also, why the extra $640?
Zeppelin: Healthcare IT News reports that the FBI and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) have issued an advisory warning the healthcare industry in particular of the dangers of the newest ransomware variant, known as Zeppelin.
This is totally off-topic: a family beach story.
It seems now that we went as a family to the beach every Sunday after church during the summer, but I know it mustn’t have been that often. After mass at St. Hyacinth, we would change into our “beach clothes” and load up the station wagon with beach chairs, a tarp with all of its attendant paraphernalia (poles, stakes, cords), a shovel, charcoal and lighter fluid, a hammer, suntan lotion, towels and more towels, a conch shell with the small end sawed off to be blown like a trumpet when it was time to come in, and a radio (one that looked like it had enough bands to pick up Russian radio broadcasts, short wave, and marine channels but that never seemed to be able to pick up anything on any band other than AM and FM).
There were ice chests full of food, beer for the adults in cans without pull tabs that required a church key to punch little triangular holes, and sodas for us kids. The beer was always Falstaff or Texas Pride or some other off brand, and the soft drinks were never Cokes or Pepsis (although we called all soft drinks “Cokes,” like some people call all tissue “Kleenex”), but Cragmont or Shasta or some other store brand. We never knew we were missing anything.
Sometimes we’d take the Interstate down to the island, and sometimes we would take old Highway 146 through the industrial wasteland of Texas City, past the smelly Union Carbide plant that was so rusted it appeared to be rotting. The risk of taking 146 was the drawbridge, but the bridge normally wasn’t up except for the trip back home. Watching the sailboats go past -- when we got caught by the bridge but were close enough to be on the bridge’s incline -- was an added treat that made the wait more bearable, but we were beach people, not boat people.
Once we got to the beach, we operated with the efficiency of a military advance team parachuting in behind enemy lines. The first thing to do was select the site for the tarp. This took some careful strategy, based on wind, the location of other bathers, and the position of the car. Once the tarp was up (raised like a circus tent, the older kids and adults playing roustabouts), the lawn chairs and coolers were placed in the shade of the tarp, and the serious beach business could get under way. As fair skinned children (all except Greg, who took after Dad’s coloring), we were lathered with suntan lotion as soon as the tarp was up.
While we kids were playing in the surf, the adults would sit under the tarp and enjoy the day at the beach, drinking beer and listening to the radio. Dad would dig the pit for the charcoal fire on which lunch would be cooked, the exercise a combination of archaeology and engineering. After lunch, we weren’t allowed to go back into the water for an hour (so we wouldn’t get cramps and drown), and we all had to put our shirts back on so that we didn’t get too much sun.
When it was time to go, the remnants of lunch that didn’t burn off the grill were washed away in the salt water and scrubbed away in the sand at the waterline. Dad would get a bucket of water from the Gulf and put it by the car door, and each of us would dip our feet in the bucket as we got in the car, in a marginally successful effort to avoid tracking sand all over the car. We would drive back home, tired and happy and glowing with the sunlight that we had captured in our skin that afternoon, sunlight that we would release in little doses over the next few days until our suntans and sunburns faded or peeled. We were happy and contented then, before college entrance exams, midterms and finals, before the Law School Admissions Test, criminal law, torts and civil procedure, before the State Bar exam, billable hours, and the partnership track. Before the general public had concerns about skin cancer, and before the family had to deal with metastasized breast cancer, heart bypasses, high blood sugar, and kidney failure.
The last time I saw my mother alive was in the summer of 1982 at the University of Texas Medical Branch hospital in Galveston, very near to that beach we had played on so often. Several days before, her doctor told my father, his sister, and me (I was there to drive Dad and Aunt Mary back home from the hospital) that she had a very short time left. She came home for a few days, one of which was great because she was up and about, full of her usual spirit. People dropped by the house, the great extended family that included us six kids and all our friends, and she was entertained and entertaining. But the next day, she couldn’t get out of bed, and by late in the day, she asked Dad to put her back into the hospital.
She had had breast cancer, underwent a mastectomy, followed by chemotherapy and radiation that cost her her hair and her strength. The treatments normally left her sick, and once I drove her down to Galveston for her treatment because she didn’t want to have to drive back afterward. It was the summer of 1981, between my freshman and sophomore years in college, and I didn’t have to work that day, so I agreed. After the treatment, she thanked me for taking her. I shrugged it off, saying that I didn’t mind at all, and that just being near the beach and smelling the salt air was my reward. “Let’s drive down to the beach,” she suggested. “It’s a shame to come this close and not go down there.”
I agreed, and off we went to East Beach, the beach I had favored in high school after the family’s beach trips trailed off, after West Beach was closed to traffic, and after I began to frequent the beach with my friends rather than my family, more interested in surfing and watching girls than in sand castles, the buddy system and Shasta grape soda. I parked the car on the beach, outside the area of the beach where you have to pay to get on. Mom just wanted to sit in the car and enjoy the breeze and the fresh salty smells in the air that only exist at the beach. I got out and took a short stroll down the beach. After we left the beach, we didn’t talk for a long time. We were probably off the island before I thanked her for suggesting we go to the beach. We weren’t there long, and while we were there I didn’t even think about all of those family trips to the beach as a kid, but I remember it now as clearly as if it was last week.
That last night in the hospital, I was among the earlier group to go down to Galveston to see her. I wanted to be sure that not everyone in the family was down there at once. I had read or heard that, when a sick person realizes that everyone has come to see them, when people who normally wouldn’t be there arrive to visit, they know that the end is near and they let go. I wasn’t ready for her to let go, so I was really angry when I got there and found out that all my siblings were on their way down as well. But they had been called, since the doctor said she had very little time left. We were all assembled in her room when she said she just wanted to go home. “We’re all here now, Mom,” Shawn said. “This is home.” I was in the hallway when she slipped away, telling Colleen how I wanted to go to the beach right then, to walk in the sand and try to figure out what was happening and why. I wanted to hear the sounds of the waves that threw the first forms of life onto the earth, to smell the unmistakable smell of the beach, fresh and rancid at once, the odor of the beginning and the ending of life.
The worst part about losing a loved one is that your memory of that person slips away from you from that moment on. You try to remember all you can, and some things will stay in your memory like a movie you’ve seen too many times, but the other things, the little things, disappear. Each time you gather together your memories of her, there are a few more missing. You don’t really notice them gone; it just seems as though there used to be so much more. Those memories are like a sand castle on the beach. You can construct it as well as you’re capable, embed it with seashells to protect it from the wind, build a berm to prevent the tide from reaching it, but try though you may, each passing minute will see the loss of a parapet, the softening and rounding of a once-square corner, the erosion of a tower. There’s nothing, ultimately, that you can do to protect it, and despite your best diligence, the finely constructed castle just becomes a lump of sand on the beach.
Sometimes, however, something will spark an old memory that you thought you’d lost, the way the smell of dust on old books always reminds me of the books from the top shelf of our old living room, the books that got neglected and forlorn waiting to be rediscovered. It is in knowing that these triggers exist that I can live with the fact that ever since I was 29 my direct ancestors live only in my faulty, leaky memory, and that even though my memories may only amount to a lump in the sand, every time I see a shell-encrusted sand castle or a well-carved tower, old memories will float to the surface like the turning of the tide. I’ll take my children to the beach and tell them stories about the ancestors they never knew, and hand my memories over to them so that the collective consciousness of who I am and, ultimately, who they are can instill in them a sense of belonging and an understanding of life, infinity, and the sea.
337: That's how many large breaches (those affecting 500 or more individuals) were reported to OCR for "wall of shame" purposes. This is a slight drop from the prior year; however, more of them were "malicious" (usually a hacker, and often ransomware-related) this year, which isn't really surprising.
OCR Announces 11 More Access Enforcement Actions: OCR has adopted a special enforcement focus on covered entities that fail to provide patients with access to their PHI. These cases often involve lower fines than we usually see for breaches and larger/more systemic failures to comply with HIPAA obligations. Last week, OCR announced 11 new access enforcement actions.
The fines range from $3,500 to $240,000, and 9 of the 11 matters have fines of $65,000 or less.
Oklahoma State University: OSU got hacked, and the hacker was able to access a server where staff stored some PHI. End result: a fine of $875,000.
News We Already Knew: Consistent and regular security training helps prevent ransomware and other cybersecurity incidents.
Professional Finance Company Breach: I don't think I've ever heard of this entity, but apparently Professional Finance Company provides accounts receivable management services to about 600 healthcare provider organizations, including large hospital systems. Apparently, they were subjected to a hack and ransomware attack that may have put a lot of PHI at risk. Nobody's said how many individuals might be affected, but given the size of some of the PFC clients who have been named, I'd expect it to be in the millions at least.
How about No? A group of Democratic Senators have asked HHS to immediately begin the process of amending HIPAA to protect abortion information in the wake of the Dobbs decision. Specifically, they want to prevent providers from sharing information relating to abortion with law enforcement.
How about no? HIPAA as drafted works perfectly well to balance the need for patient privacy and confidentiality with the need for proper access for appropriate law enforcement purposes. And there is no reason at all to single out certain types of medical care for "special" treatment, at least not within HIPAA. HIPAA is a broad set of policies and rules that works effectively across multiple platforms, service types, business entities, industries, situations, and circumstances. It specifically incorporates reasonability and scalability into its standards, and puts appropriate decision-making where it belongs: with the patient in some cases, or within the professional judgment of a provider in others. It's pretty amazing that the exact same set of regulations can effectively govern a huge multi-hospital health system or a trillion-dollar insurance company as well as a single-doctor, single-location medical practice. There is just no reason to think that HIPAA needs to be changed because the governance of a single type of medical procedure has been returned to the states.
Different states treat medical marijuana differently, but there's no specific HIPAA provision specifically protecting medical marijuana information. Some states outlaw or restrict certain therapy services (such as transgender services or conversion therapy), but there's no specific HIPAA provision protecting health information relating to those services.
That's because there needn't be.
MCG Health Breach: MCG Health, a business associate of a number of large healthcare institutions that provides data analytics and research involving PHI, was hacked and suffered a data breach that may affect up to 1.1 million individuals. At least 5 suits have already been filed, most seeking class action status.
Hat tip: HIPAA Journal.
Chapter 10: The Privacy Rule: Rule, Rights, and Responsibilities (3)
This is a continuation of my series of 20 posts celebrating the 20th anniversary of the HIPAA Privacy Rule and the 20th anniversary of the beginning of this blog.
The Transactions and Code Sets rule really came first, but that’s a pretty much self-actuating rule: once everyone uses the same forms, it’s easier for everyone else to follow along. As for the parts of HIPAA that require work, the Privacy Rule came first in HIPAA. The first set of regulations addressed privacy, and it was 2 years later that the Security Rule came out. Of course, we’ll get to security soon enough.
In keeping with our theme of “threes” (3 types of covered entities, 3 digits in the transaction codes), the Privacy Rule has three major components: the overall “rule” for using and disclosing PHI; the “rights” individuals have with respect to their PHI; and the “responsibilities” of covered entities to provide protection.
The Rule: The basic purpose of the Privacy Rule can be described as a “thou shalt not” rule: a covered entity may not use or disclose PHI unless specifically permitted by HIPAA. It’s not “unless the patient gives permission or consent;” there are plenty of ways a covered entity can use or disclose PHI without getting consent, but “patient’s authorization” is one of the permitted ways. The primary permitted way is if the use or disclosure is for treatment, payment, or healthcare operations. If the use or disclosure is for one of the “TPO” purposes, the consent of the individual is not required. The vast majority of uses and disclosures of PHI in the healthcare industry are for TPO. Of course, if the patient gives a specific type of consent (HIPAA uses the terminology “authorization”), the use or disclosure is permitted as well.
The Privacy Rule includes several specific types of disclosures that are permitted without authorization, in addition to TPO. In certain circumstances and subject to some specific requirements, uses and disclosures of PHI are permitted: for research purposes; in connection with judicial proceedings; for law enforcement; where required by other laws; with respect to inmates and prisoners or military affairs; for coroners, medical examiners, and organ donation organizations; and in a few other instances.
But if the use or disclosure of PHI is not for TPO, not pursuant to an authorization, and not for a specifically permitted purpose, a HIPAA covered entity can't do it.
The Rights: There are 6 rights of individuals enshrined in HIPAA: the right to receive a Notice of Privacy Practices (see more below), the right to access your PHI, the right to request amendments, the right to an accounting of disclosures, the right to request communications in a different format or at a chosen location, and the right to request specific privacy protections. Not all of these are absolute: for example, a covered entity can refuse a request for an amendment of PHI if the existing PHI is correct, and a covered entity doesn’t have to agree to alternative means of communication or additional privacy protections if the requests aren’t reasonable. Additionally, the rights to access and amendment only apply to PHI the covered entity maintains in a “designated record set;” if the covered entity has patient names and addresses in a client management database or holiday card mailing list, that doesn’t have to be provided to the patient when they ask for access or amended when they ask.
One other thing to note about the access right: the patient obviously has the right to ask for access themselves, but they can also ask for access and direct that the copies be sent to a third party. Some providers see the third-party recipient and think the disclosure should be treated as a disclosure pursuant to the authorization of the patient. This can be confusing, but the best way to look at it is to ask who is asking for the information to be sent to the third party: the patient (that’s access) or the recipient or the covered entity (that requires a signed authorization). Additionally, since getting an authorization usually takes an extra step (but is safer for the covered entity, since it makes clear that the patient authorized it), it could at times be seen as imposing an unnecessary burden on the patient. This becomes important if refusing to disclose the PHI until the patient signs an authorization reaches the level of “data blocking” (we’ll discuss data blocking later). Just remember, the patient generally has the right to access their PHI, with very few and limited exceptions.
The Responsibilities: The third major component of the Privacy Rule imposes certain responsibilities on covered entities. These generally relate to the way the covered entities provide privacy and data security (and prove that they do so). Most covered entities are required to give individuals a “Notice of Privacy Practices” explaining how their PHI will be used. They are required to enter into “business associate agreements” (or “BAAs”) with any vendor or subcontractor that might deal with PHI. They must adopt certain policies and procedures to protect PHI. They must respond to complaints and ensure that individuals may exercise their rights. And they have to document all the ways they do these things.
The basic result of the Responsibilities should be to impose on covered entities the obligation to operate in a manner that fosters a culture of privacy and confidentiality with respect to PHI. Many of these obligations do not have checklist-style methods of proving compliance; that’s more visible in the Security Rule. Here, it’s more cultural. But the underlying emphasis of the Responsibilities is ultimately to enforce the Rule and ensure the Rights are protected.
HHS Issues Guidance on Audio-Only Telemedicine Services: The guidance is pretty straightforward and common-sensical: audio-only telehealth is fine from a HIPAA standpoint as long as reasonable steps are taken to protect privacy: no speakerphones except in private spaces, and verify the identity of the patient. One caveat worth noting: a call over a traditional landline doesn't create electronic PHI, but if the audio runs over an internet-based or app-based service, the Security Rule applies to that transmission, and the vendor carrying it may need to sign a business associate agreement.
Of course, doctors have been talking to patients over the phone for some time . . .
AND, just because it's OK under HIPAA, that doesn't mean it qualifies for payment under Medicare, Medicaid, or private insurance; check your provider agreement before billing.
Yuma (AZ) Regional Medical Center Hit by Ransomware Attack: This one sounds bad. The attack happened in April, and according to this June news report, Yuma is still working with security experts to bring its systems back online. Yuma was able to stay open, but had to go to paper records. AND, data files were exfiltrated.
Is Your Doctor's Sign-in Program Stealing Your PHI? There's a somewhat alarmist story in the Washington Post this week on physician office registration software provider Phreesia. The implication is that your doctor's office has sold your data to pharmaceutical companies. That seems like a pretty gross mischaracterization.
Remember in the old days, whenever you went into the doctor's office, you had to fill out 5-10 pages of paperwork listing your ailments, medical history, etc.? In the old days, the doctor's staff would take those pages and stick them into a paper file; when electronic medical records came along, the staff would retype those pages into the electronic record; somewhat more recently, they'd scan them in as PDF copies.
Phreesia provides software for doctors' offices to use during patient sign-in. Patients are given an iPad or other tablet device and asked to fill in their information, which is instantaneously and effortlessly filed into the patient's electronic record. This saves doctors' offices the cost of staff time, and ensures that the information is in a more usable electronic format.
I suspect that what Phreesia charges doctors' offices for the use of the software does not cover Phreesia's costs of operations and developing the software. Why would Phreesia sell the software below its costs? Because Phreesia also gets funding from advertisers. Those advertisers are going to be companies who specifically want to get their ads to people in doctors' offices, and really want their ads going to people who might need their products (and not to people who don't need, and won't ever buy, their products).
So, does Phreesia (and by implication your doctor) sell your data to pharmaceutical companies? The Post story says, "Phreesia says it does not 'sell' your data" (Note the snarky "Phreesia says," which the Post reporter doesn't dispute). In fact, Phreesia does not, nor does your doctor. No pharmaceutical company ever sees your information. Rather, the Phreesia software has a certain number of different ads loaded. It does use your data to determine which ad gets displayed. No data is sent out to anyone.
The Post story notes that you can click "no" and you won't get targeted ads. You may still get ads, though; they'll just be randomly selected from whatever ads are loaded on the system. Even if you click yes, if you don't want to see the ad, you can just turn the tablet over, or turn it back in at the receptionist's desk. Either way, once you've turned in the tablet, you'll get to sit down and watch ads on the TV or in the magazines in the waiting room (ads which are likely tailored to the specific type of patients that frequent that doctor's services).
Look, you're going to see an ad; would you rather it be something that you might, maybe, be interested in, or just some random sales pitch, or perhaps something you'll never want or need? Let's say you're (i) a woman (ii) who is not in a relationship with a man with erectile dysfunction. If that describes you, there's probably a 99% or greater chance that you have no interest in seeing Viagra or Cialis ads. If I could guarantee that, even though you'll see the same number of ads as before, none of them would be for ED drugs, would you take that offer?
Kaiser Permanente. The Kaiser Foundation of Washington health plan apparently was the victim of an email hijacking attack, probably from an employee clicking on a bad link. 80,000 individuals were affected. In all likelihood, no data was disclosed, but when you can't determine that with a high level of certainty, you've got to treat it as a breach and report it.
Shields Health Breach: Massachusetts imaging and ambulatory services provider Shields Health has reported a hack that may have exposed personal information (including Social Security Numbers) of as many as 2 million individuals.
News from the Cyberinsurance Market: Healthcare entities are finding that cybersecurity insurance is getting harder to find. Insurers are leaving the market, and prices are going up. Having cyberinsurance has always been a good call, from the time the insurance first hit the market, because (i) the risk is so hard to quantify, (ii) a really bad incident could easily bankrupt the company, and (iii) the prices have been so reasonable. And if you are a business associate, (i) many covered entities require cyberinsurance, and (ii) many business associates use their cyberinsurance to support the indemnification obligations and liability caps in their business associate agreements.
Early in the cyberinsurance market, many insurers jumped in. The risk, while hard to quantify in the size of claims and hard to predict in terms of which insureds were most likely to get hit, was still not great: most cyber incidents result in costs of remediation, notification, and vague reputational damage, but don't end up with large settlements to customers or regulatory fines. Some of this reshuffling of the market is just insurers figuring out that either they're not great at running the business, don't have enough business in the portfolio to make it worthwhile, or are blanching at the ever-increasing number of breaches and at insureds' growing tendency to file claims for events they once would have absorbed themselves.
FTC Blog Post on Breach Notification: Getting any sort of guidance from regulatory agencies on the agency's concerns and thoughts about prosecuting violators is always good, even though I'd prefer clearer regulations so that guidance isn't necessary. Notwithstanding that nit, the FTC has issued a blog post laying out why it expects companies to notify individuals in the event of a breach (whether it's a HIPAA breach or entirely unrelated to healthcare), and warning that a failure to notify can itself be treated as an unfair or deceptive practice. While HIPAA covered entities must meet HIPAA's breach notification requirements, and all 50 states have their own state-specific breach notification requirements, if your analysis ever leads you to believe that you don't have an obligation to report under HIPAA or state law (e.g., you're not technically a HIPAA-covered entity), don't forget FTC's requirements as well, including its Health Breach Notification Rule for vendors of personal health records and related apps that fall outside HIPAA.
How to stop snoopers: Humans are naturally curious, and most people are curious about their friends, family, and peers. That natural impulse may be a major contributor to one of the biggest data security risks HIPAA covered entities face: insiders accessing information improperly, a lot of which is nothing but pure snooping.
However, a new study published in JAMA Network Open has found an effective way to stop snoopers after the first bite: an email telling them to stop. The study looked at all non-care-team access to records at a large academic medical center over a 6-month period. Half of the offending snoopers got an email telling them their access was improper and warning them not to do it again; the other half got no warning. Only 2% of the warned group went on to snoop again, but 40% of the control group resumed snooping.
That sounds like an extremely effective strategy. I've always been in favor of rehabilitative-but-highly-visible responses to HIPAA violations: people make mistakes and shouldn't be whacked too hard for one-off judgment errors, but showing a serious response to even minor HIPAA issues can set a good tone for the organization. This study seems to back that up.
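The study's intervention boils down to two pieces of plumbing: detect chart access by someone with no care-team relationship to the patient, then respond in a graduated way (warning e-mail on the first flag, escalation after that). The following is an added example of that logic, not code from the study or from any EHR vendor; the audit-log format, field names and care-team roster are constructed assumptions, and the sample log lines are made up.

```python
"""Flag non-care-team record access in an EHR audit log and pick a graduated
response. Added example; the CSV format, the CARE_TEAM roster and every log
line below are constructed assumptions, not real data or a real system."""
from collections import defaultdict

# Constructed audit-log excerpt: timestamp,user,patient,action.
AUDIT_LOG = """\
2023-05-01T09:02:11Z,nurse.kim,PT-1001,view_chart
2023-05-01T09:05:40Z,dr.ortiz,PT-1001,view_chart
2023-05-01T12:14:03Z,clerk.lee,PT-1001,view_chart
2023-05-02T08:30:55Z,clerk.lee,PT-1002,view_chart
2023-05-03T17:45:12Z,clerk.lee,PT-1001,view_chart
2023-05-03T18:01:00Z,dr.ortiz,PT-1002,view_chart
"""

# Constructed roster: users with a treatment relationship to each patient.
CARE_TEAM = {
    "PT-1001": {"nurse.kim", "dr.ortiz"},
    "PT-1002": {"dr.ortiz"},
}


def parse_log(text):
    """Turn CSV audit lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.strip().split(",")
        events.append({"ts": ts, "user": user, "patient": patient, "action": action})
    return events


def find_snooping(events, care_team):
    """Return events whose user is not on the patient's care team.

    A patient missing from the roster has an empty team, so access to that
    record is flagged for review rather than silently allowed."""
    return [e for e in events if e["user"] not in care_team.get(e["patient"], set())]


def plan_responses(flagged):
    """Map each offending user to one response per flagged event, in time order:
    the first improper access draws a warning, repeats are escalated."""
    plan = defaultdict(list)
    for e in sorted(flagged, key=lambda e: e["ts"]):
        plan[e["user"]].append("warn" if not plan[e["user"]] else "escalate")
    return dict(plan)


if __name__ == "__main__":
    flagged = find_snooping(parse_log(AUDIT_LOG), CARE_TEAM)
    for e in flagged:
        print(f'{e["ts"]} {e["user"]} opened {e["patient"]} with no care-team relationship')
    print(plan_responses(flagged))
```

Flagged events are leads, not findings. Break-the-glass emergency access, float staff, and billing or coding roles (payment is a TPO purpose) all open charts outside the care team for legitimate reasons, so the roster has to encode those relationships or the reviewer sending the warning e-mails will drown in false positives.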
Class Action Status sought in SuperCare Health Data Breach: The breach resulted in exposure of data of over 300,000 individuals, but it's not clear that specific harm has come to any of them from the breach. It will be interesting to see if class status is granted, and whether the failure to specify the harm will result in an early dismissal.
Chapter 9: Privacy, Security, and TCS (3 rules; 3 digit transaction numbers)
As initially noted above, the HIPAA statute itself is a bit of a hodgepodge, with 5 separate Titles covering everything from actual insurance portability to health savings accounts to, of course, health information privacy and security. But when we talk about HIPAA, we’re really talking about a subtitle of Title II known as “administrative simplification.”
Adminsimp, as we like to call it, is mainly composed of 3 separate components (there we go with the number 3 again): the “Transactions and Code Sets Rule,” which standardizes the form, format, and content of specified electronic transactions in the healthcare industry; the “Privacy Rule,” which establishes a set of rules and standards for the protection of the privacy of an individual’s health information; and the “Security Rule,” which establishes minimum requirements for protecting the security of that information.
As discussed above, one of the motivating factors of HIPAA (after addressing “job lock” caused by actual insurance portability, as the name implies) was the twin goal of improving the efficiency of the healthcare system by increasing the amount and ease of electronic transactions. This meant determining some specific transactions that happen over and over in the industry, finding a way to convert those transactions into electronic data interchange transactions, and standardizing those electronic transactions so that they would become more popular, easier, and ubiquitous.
There are a total of 9 transactions that were targeted and standardized, several of which are reciprocal. To perform the standardization, HHS turned to the American National Standards Institute, which does everything from standardizing the size of light bulbs and electric plugs to shipping containers. The standardized transactions represent exchanges of information between providers and payors, and between insurers and employers, and are each signified by an ASC X12 number, as shown here:
Prior to HIPAA, each health plan had a slightly different form that providers had to fill out to submit a bill electronically. They were all roughly based on the standard billing form used by Medicare for its electronic billing, but each had some differences, which meant that providers either needed more staff to do the billing and complete the different forms for each payor, or had to hire a healthcare clearinghouse to do the translation for them. Since HIPAA now requires that covered entities use these forms when conducting these transactions, the cost and inefficiency of different standards should be reduced. Of course, it’s not really as easy as that: there are still supporting documentation, pre-authorization and post-claim reviews, and the like (surely you understand that payors make money if they can delay claims even a little bit). But the goal was certainly admirable, and almost certainly has been beneficial overall.
The Transactions and Code Sets Rule, as you can see, is really a technical rule. If you engage in these specific transactions in electronic format, you have to do so in the prescribed forms. As we’ll see below, the Privacy rule is more of a cultural/administrative rule: it changes the way healthcare businesses operate by requiring the adoption of a culture of privacy with respect to patient information. The Security rule is really a little of both – it’s mostly about implementing specific safeguards (or more accurately, safeguards addressing specific matters) and meeting technical requirements, but it’s also about the way things are done.
As for the specifics of the Privacy Rule and the Security Rule: well, they deserve their own sections, below.
Chapter 8: The What: Protected Health Information.
[A continuation of my 20th anniversary of blogging/20th anniversary of HIPAA enforceability global recap]
Now that we’ve discussed the who, let’s turn to the “what:” only certain people are subject to HIPAA, and are only restricted with regard to certain types of information. HIPAA defines that as “protected health information,” which we usually shorthand to PHI.
Obviously, health industry participants have access to all kinds of data, but not all data is sensitive. As with most privacy rules (whether the US sectoral laws, the GDPR, the HHS “Common Rule” for human subjects research, etc.), it’s only the data involving specific individuals that warrants protection, so it’s only PHI that the HIPAA rules cover.
The definition of PHI is still broad, though, and generally consists of 2 major components: information relating to a single person’s health, where the identity of the individual is discernable. The “health information” component is exceedingly broad: it can relate to health history, conditions, treatment, or payment; it can relate to the past, the present, or the future; and it can relate to physical or mental health. If you can imagine any way that it involves health, it meets the first prong of the definition.
The second prong is identifiability. Certainly, name, social security number, driver’s license number, credit card number, or some other specific identifier counts. However, if it’s reasonable that someone with a sufficient amount of knowledge could determine the identity of the person who is the subject of the information, then it meets the identifiability prong. This is not a clearly circumscribed definition – the edges are pretty fuzzy, since it’s hard to tell what information would be sufficient to allow someone else to identify the individual. Thus, as with the question about whether it relates to health, it’s wise to err on the side of considering the information identifiable.
There are some sets of identifiable health information that are specifically excluded from the definition of PHI, largely for practical reasons. Information in education records (school immunization records, for example), employment records (pre-employment physicals, on-the-job accident reports, Family and Medical Leave Act documents, drug test results, return-to-work doctor letters, etc.), and records of an individual who has been dead for more than 50 years (an exception designed to help researchers) are all specifically excluded from the definition. Of course, as you can surmise, even if you are dead, your records are still PHI for 50 more years.
The definition of PHI is not limited to current medical records, or “official” medical records. While in certain instances (e.g., where an individual has a right to access or amend the information) HIPAA only addresses information in a “designated record set,” the general rules relating to HIPAA’s restrictions on uses and disclosures apply to any PHI that a covered entity has. This can lead to some unexpected circumstances. Here’s an entirely apocryphal story I tell my students when we discuss HIPAA:
A Dallas doctor with a thriving medical practice invites his friend, a Kansas City lawyer, to a Cowboys game. The visiting team is the Chiefs, and the lawyer is a huge Patrick Mahomes fan. The night before the game, the doctor is watching the local news, and hears that Mahomes cut his throwing hand badly while preparing guacamole, and will not be able to play. Sunday afternoon, while they are in their seats at JerryWorld, the Chiefs’ offense takes the field with, much to the chagrin of the lawyer, the backup quarterback. The lawyer turns to the doctor and says, “What! Where’s Mahomes?” The doctor turns to him and says, “I saw on the news last night that he got sideways with an avocado, severely cut his hand, and is unable to play.” In that instance, the HIPAA Police descend from the rafters of AT&T Stadium, arrest the doctor, and haul him off to HIPAA jail.
Apocryphal, as I said. However, that is technically a HIPAA violation: the doctor is a covered entity (assuming that a thriving medical practice conducts standard transactions, such as insurance billing, electronically), and the information is PHI (it’s about health and identifies Mahomes). Mahomes is not the doctor’s patient, but that doesn’t matter. The information was already in the public knowledge, having been disclosed by the NFL and the local sports anchor, but that doesn’t matter. The information was not part of a medical record maintained by the doctor, but that doesn’t matter. It’s still PHI, and that’s all that matters.
There are also certain categories of PHI that, while still PHI, are subject to particular rules. Psychotherapy notes are PHI but are not subject to the patient’s right of access (discussed below), and have stricter limits on disclosure. Keep in mind that “psychotherapy notes” have a peculiar definition: the mere fact that the information relates to a patient’s psychiatric or psychological state does not make it a psychotherapy note. Rather, psychotherapy notes are PHI kept separate from the main medical record, are recordings of a conversation involving the patient, are kept by the analyst, and do not contain information such as therapy start/stop times, prescription information, etc. Generally, psychotherapy notes are supposed to be notes that the analyst keeps for him/herself regarding the patient; in other words, notes that are only intended for the analyst’s own review, and never intended to be disclosed to the patient. So, before you decide that you can block a patient from accessing his/her PHI because it’s psychotherapeutic, check the definition of “psychotherapy notes.”
Likewise, PHI that relates to research, specifically research under the HHS “Common Rule” or which is subject to an Institutional Review Board’s oversight, is subject to specific rules that allow for broader disclosure and use. The rationale for this is that the IRB will provide the protection, while greater use is necessary for legitimate purposes.
This will be discussed more below, but encrypted PHI is still PHI. It is still subject to the same rules, even though it’s encrypted (the benefits of encryption really relate to breaches and other Security Rule requirements). And also discussed below, “electronic PHI” is a component of PHI, which matters for Security Rule compliance.
If it’s a fragment of information that came from PHI, it continues to be PHI, if it still meets the 2 prongs. In other words, something as simple as name and address, in correlation with the name of a healthcare provider, is PHI. A HIPAA covered entity can’t use the mailing addresses of its patients for a non-permitted purpose (for example, to send out advertisements for entirely unrelated businesses), even if it uses no other information than what is generally publicly available in the phone book or voter rolls; the fact that it came from PHI means it remains PHI, unless it is specifically “de-identified” (thus losing the 2nd prong of the definition of PHI).
HIPAA allows covered entities to “de-identify” PHI by stripping away identifiability. Keep in mind that health information must be “identifiable” to be PHI, and the definition of “identifiable” is somewhat malleable; likewise, it might be hard to tell if the PHI has truly been de-identified. For that reason, HIPAA provides 2 approved methods of de-identification: the “expert determination” method allows a covered entity to employ a de-identification expert to certify that “the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information.” Hiring experts can be costly, so the second method, “safe harbor,” allows the covered entity to simply remove 18 specific identifiers, such as names; geographic subdivisions smaller than a state other than the first 3 digits of a zip code (and even those 3 digits become “000” if the area they cover holds 20,000 people or fewer); dates other than years (and ages over 89, which get lumped into a single “90 or older” category); identifying numbers; etc., with the resulting data being, by definition, not PHI, provided the covered entity has no actual knowledge that what remains could still identify the individual.
As you can see, the definition of “identifiability” is amorphous, but the definition of de-identification is specific. This raises a conundrum: many people use the definition of “de-identified” to form an analog definition of “identified:” if it contains any of the 18 identifiers, it’s PHI, but if it doesn’t, it isn’t. That’s not exactly right – while you could take the information and remove the 18 elements and thus meet the safe harbor, the original information that didn’t contain any of the 18 elements might still be PHI. Like the HIPAA police at Cowboys’ Stadium, this is a theoretical issue that will likely never be solved (or even argued over), so I’ll leave it there.
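The safe harbor method is mechanical enough to write down, which is exactly why people reach for it. The following is an added example of the transformation (not code from the original post or from HHS): it drops direct identifiers, truncates ZIP codes to three digits with the “000” rule, reduces dates to the year, and buckets ages over 89. The field names, the sample record and the two-entry restricted-ZIP set are constructed assumptions; HHS publishes the real list of low-population three-digit ZIP areas from Census data, and a production job must load the current one.

```python
"""Safe Harbor de-identification applied to a constructed record. Added
example; field names, SAMPLE and RESTRICTED_ZIP3 are assumptions, not
anything taken from a real system or from HHS."""
import re
from datetime import date

# Constructed field names holding direct identifiers that Safe Harbor removes outright.
REMOVE_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Three-digit ZIP prefixes covering 20,000 people or fewer must be reported as
# "000". HHS publishes the full list; only two entries appear here for
# illustration (assumption: replace with the current published list).
RESTRICTED_ZIP3 = {"036", "059"}

DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}


def generalize_zip(zip_code):
    """Keep the first three digits, or '000' for a low-population prefix."""
    digits = re.sub(r"\D", "", str(zip_code))
    if len(digits) < 3:
        return "000"
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def generalize_date(value):
    """Drop everything but the year from an ISO-8601 date string."""
    return str(date.fromisoformat(value).year)


def generalize_age(age):
    """Ages over 89 collapse into a single '90+' bucket."""
    return "90+" if int(age) > 89 else str(int(age))


def safe_harbor(record):
    """Return a new dict with the Safe Harbor transformations applied."""
    over_89 = int(record.get("age", 0)) > 89
    out = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS:
            continue
        if key == "dob" and over_89:
            continue  # even a bare birth year would reveal an age over 89
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key] = generalize_date(value)
        elif key == "age":
            out[key] = generalize_age(value)
        else:
            out[key] = value
    return out


# Constructed sample record; not a real patient.
SAMPLE = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "zip": "05901-1234",
    "dob": "1929-03-15",
    "age": 94,
    "admit_date": "2023-06-02",
    "diagnosis_code": "E11.9",
    "provider": "Example Clinic",
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE))
    # {'zip': '000', 'age': '90+', 'admit_date': '2023', 'diagnosis_code': 'E11.9', 'provider': 'Example Clinic'}
```

Two things the code can't do for you: it only handles structured fields, so free-text notes (which routinely contain names, dates and phone numbers) need separate scrubbing before the output can be called de-identified; and stripping the 18 identifiers still leaves quasi-identifiers (a rare diagnosis plus a small provider plus a year) that the safe harbor method tolerates but an expert determination would weigh, which is the conundrum the chapter ends on.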
4 New Enforcement Actions. The OCR issued a press release last night outlining 4 recent HIPAA enforcement action settlements. Three takeaways:
50,000,000. That's an estimate of how many medical records were exposed in breaches in 2021.
Not all providers are covered by HIPAA.
So, the always-prescient Noah Speck asked:
In case you needed a reminder: OCR Director Urges Healthcare to Prioritize Cybersecurity This Year.
Annual "small breach" reporting deadline is approaching: As you should know if you're reading this blog, when you have a breach of unsecured PHI that affects 500 or more people, you have to report to HHS, as well as local media, when you report to affected individuals. When you have a breach of less than 500, you still must provide notice to the individual, but there is no immediate reporting requirement to HHS and local media. But, for those small breaches, you do have to make an annual reporting to HHS.
The "small breach" reporting requirement is that you report all small breaches by the end of February of the next calendar year. Thus, you need to report all small 2021 breaches by Monday, 2/28.
Reporting to HHS is easy; you can find the reporting forms for both large and small breaches here.
Hat tip: thanks to Rebecca L. Williams and Amy Kabaria of Davis Wright Tremaine for the reminder.
Chapter 7: The Who: Plans, Providers, and Clearinghouses, and the First of the Rule of 3s.
In most of my lectures and seminar presentations about HIPAA, I point out that one of the most confused elements of the general public’s understanding of HIPAA stems from how it is limited and focused. I’ve previously discussed (Chapter 3) how privacy law in the US is sectoral: HIPAA for healthcare, FERPA for education, GLB for banking and finance, etc. HIPAA is specifically limited in who and what is subject to the law (I’ll discuss the “what” in Chapter 8).
HIPAA only applies to specifically listed types of persons and entities, called “covered entities” in the law. The HIPAA statute listed three types of entities that would be subject to the law: healthcare providers, health plans, and healthcare clearinghouses. Because the law limited its own scope to those 3 types of entities, the regulations also had to be so limited: despite the deference granted to regulators under the Chevron doctrine, the regulations can’t add things that aren’t within the scope of the statute. Many people think that HIPAA has some type of general applicability: for example, there’s a common complaint that a business (such as an airline, or your employer) has no right to ask your vaccination status because to do so would violate your HIPAA rights (or, more likely, your “HIPPA” rights). Obviously, that’s not so.
(Note: there are a lot of groupings of "threes" in HIPAA, as you'll see later. This is the first.)
That limitation also meant that a great many entities that commonly hold medical records would not be subjected to the law and regulations. For example, billing companies, lawyers, accountants, pharmacy benefit managers, and the like will often come into contact with medical records if their clients or customers are in the healthcare business, but since they are not health plans, providers or clearinghouses, they are not (directly) subject to HIPAA under the law, which means they can’t be subject (directly) to the regulations, at least not until the law itself was amended by HITECH. That ultimately resulted in the concept of the “business associate;” more on that in Chapter 12.
Each type of covered entity has its own peculiar issues.
Healthcare Providers: The definition of a healthcare provider in HIPAA is pretty expansive. The Stark Law, for example, only applies to physicians, but in HIPAA, pretty much any person or entity involved in the provision of pretty much anything having to do with health constitutes a “healthcare provider.” However, not all healthcare providers are subject to the law: only those healthcare providers “who [transmit] any health information in electronic form in connection with a transaction covered by” HIPAA. HIPAA specifically regulates 9 electronic transactions between healthcare providers, payors, and employers, such as a provider submitting bills for healthcare services to a payor, or a payor checking with an employer to determine which employees are to be covered. Generally speaking, if a healthcare provider does not submit bills electronically to insurers, he/she/it will not be a covered entity under HIPAA. That leads to the anomaly that some healthcare providers are more like airlines, at least as far as HIPAA goes.
However, it’s useful to note that even those providers who are not subject to HIPAA generally follow the same rules with regard to privacy and security as providers who engage in HIPAA-covered transactions. First, there are other privacy laws (including the FTC’s general privacy and data security rules) that these providers are subject to. Secondly, even without privacy laws, most providers are subject to ethical and legal requirements to protect patient privacy and data security. Finally, providers have a general duty to provide services subject to a reasonable standard of care, and HIPAA is the de facto standard of care for data privacy and security in today’s world. Thus, even if not all providers are HIPAA-covered entities, they are strongly encouraged to live up to the same standards as HIPAA-covered providers.
Health Plans: Pretty much any entity that pays for or arranges for the payment for healthcare services is a covered entity under HIPAA. That means that Medicare and Medicaid are subject to HIPAA. But most Americans get their health insurance from their employers, and contrary to common knowledge, most employers don’t simply buy insurance from United HealthCare or Blue Cross: rather, most employers with more than just a few employees actually establish their own in-house insurance plan under the law known as ERISA. Those self-insured plans then contract with United HealthCare or Blue Cross to manage and administer their health plan (“hey, we’re a trucking company, what do we know about running an insurance company?”), which helps lead to the confusion. But the plan itself isn’t United HealthCare, it’s Joe’s Trucking Company Employee Health Benefit Plan.
Most ERISA plans (or employer self-insured plans) are just that: a plan established by the employer, with bank accounts that pay for some of the healthcare, some insurance for care that goes beyond what the employer pays directly, and the third-party administrator to run the program, arrange for the panel of physicians, etc. These ERISA plans aren’t separate companies, but more like a trust: not really an entity, and certainly not a legal entity. However, under HIPAA, they are “covered entities,” even though they are not “entities” at all. Funny, huh?
One additional thing to note with regard to plans: the US is alone in having employer-provided health insurance as the norm. That’s neither good nor bad in itself, but that relationship, and the structure ERISA encourages of employers having their own plan rather than just buying insurance from an insurer, means that your employer might know a lot more about you than they would if you got your health insurance the way you got your car or homeowner’s insurance. That crossover also is addressed by provisions in HIPAA that require certain degrees of separation between your employer as employer and your employer as the health plan it provides. A health plan can only share limited information with the plan sponsor (the employer), and the employer is prohibited from using health plan information to make employment-related decisions.
Healthcare Clearinghouses: The best way to describe a healthcare clearinghouse is as a data translation company. They take data in one format (for example, the way a particular healthcare service is described in electronic format by a physician practice’s business software) and translate it into a different format (for example, the format required to submit a bill to a particular insurance company). These entities are specifically covered by HIPAA. However, remember that one of the initial goals of HIPAA was to standardize all of these electronic transactions that occur in the healthcare arena. If those transactions are all standardized, who needs healthcare clearinghouses?
Don’t know if you’re a clearinghouse? Then you almost certainly aren’t one. There aren’t that many, but they know who they are.
So, as originally written by Congress, HIPAA only applies to certain “covered entities:” healthcare clearinghouses, health plans, and healthcare providers who engage in HIPAA-covered transactions. If that’s not you, you’re not covered by HIPAA. Unless you’re a “business associate;” yeah, we’ll get to that in Chapter 12.