Zeppelin: Healthcare IT News reports that that the FBI and Cybersecurity and Infrastructure Security Agency (CISA) branch of the Department of Homeland Security have issued an advisory warning the healthcare industry in particular of the dangers of the newest ransomware variant, known as Zeppelin.
This is totally off-topic: a family beach story.
It seems now that we went as a family to the beach every Sunday after church during the summer, but I know it mustn’t have been that often. After mass at St. Hyacinth, we would change into our “beach clothes” and load up the station wagon with beach chairs, a tarp with all of its attendant paraphernalia (poles, stakes, cords), a shovel, charcoal and lighter fluid, a hammer, suntan lotion, towels and more towels, a conch shell with the small end sawed off to be blown like a trumpet when it was time to come in, and a radio (one that looked like it had enough bands to pick up Russian radio broadcasts, short wave, and marine channels but that never seemed to be able to pick up anything on any band other than AM and FM).
There were ice chests full of food, beer for the adults in cans without pull tabs that required a church key to punch little triangular holes, and sodas for us kids. The beer was always Falstaff or Texas Pride or some other off brand, and the soft drinks were never Cokes or Pepsis (although we called all soft drinks “Cokes,” like some people call all tissue “Kleenex”), but Cragmont or Shasta or some other store brand. We never knew we were missing anything.
Sometimes we’d take the Interstate down to the island, and sometimes we would take old Highway 146 through the industrial wasteland of Texas City, past the smelly Union Carbide plant that was so rusted it appeared to be rotting. The risk of taking 146 was the drawbridge, but the bridge normally wasn’t up except for the trip back home. Watching the sailboats go past -- when we got caught by the bridge but were close enough to be on the bridge’s incline -- was an added treat that made the wait more bearable, but we were beach people, not boat people.
Once we got to the beach, we operated with the efficiency of a military advance team parachuting in behind enemy lines. The first thing to do was select the site for the tarp. This took some careful strategy, based on wind, the location of other bathers, and the position of the car. Once the tarp was up (raised like a circus tent, the older kids and adults playing roustabouts), the lawn chairs and coolers were placed in the shade of the tarp, and the serious beach business could get under way. As fair skinned children (all except Greg, who took after Dad’s coloring), we were lathered with suntan lotion as soon as the tarp was up.
While we kids were playing in the surf, the adults would sit under the tarp and enjoy the day at the beach, drinking beer and listening to the radio. Dad would dig the pit for the charcoal fire on which lunch would be cooked, the exercise a combination of archaeology and engineering. After lunch, we weren’t allowed to go back into the water for an hour (so we wouldn’t get cramps and drown), and we all had to put our shirts back on so that we didn’t get too much sun.
When it was time to go, the remnants of lunch that didn’t burn off the grill were washed away in the salt water and scrubbed away in the sand at the waterline. Dad would get a bucket of water from the Gulf and put it by the car door, and each of us would dip our feet in the bucket as we got in the car, in a marginally successful effort to avoid tracking sand all over the car. We would drive back home, tired and happy and glowing with the sunlight that we had captured in our skin that afternoon, sunlight that we would release in little doses over the next few days until our suntans and sunburns faded or peeled. We were happy and contented then, before college entrance exams, midterms and finals, before the Law School Admissions Test, criminal law, torts and civil procedure, before the State Bar exam, billable hours, and the partnership track. Before the general public had concerns about skin cancer, and before the family had to deal with metastasized breast cancer, heart bypasses, high blood sugar, and kidney failure.
The last time I saw my mother alive was in the summer of 1982 at the University of Texas Medical Branch hospital in Galveston, very near to that beach we had played on so often. Several days before, her doctor told my father, his sister, and me (I was there to drive Dad and Aunt Mary back home from the hospital) that she had a very short time left. She came home for a few days, one of which was great because she was up and about, full of her usual spirit. People dropped by the house, the great extended family that included us six kids and all our friends, and she was entertained and entertaining. But the next day, she couldn’t get out of bed, and by late in the day, she asked Dad to put her back into the hospital.
She had had breast cancer, underwent a mastectomy, followed by chemotherapy and radiation that cost her her hair and her strength. The treatments normally left her sick, and once I drove her down to Galveston for her treatment because she didn’t want to have to drive back afterward. It was the summer of 1981, between my freshman and sophomore years in college, and I didn’t have to work that day, so I agreed. After the treatment, she thanked me for taking her. I shrugged it off, saying that I didn’t mind at all, and that just being near the beach and smelling the salt air was my reward. “Let’s drive down to the beach,” she suggested. “It’s a shame to come this close and not go down there.”
I agreed, and off we went to East Beach, the beach I had favored in high school after the family’s beach trips trailed off, after West Beach was closed to traffic, and after I began to frequent the beach with my friends rather than my family, more interested in surfing and watching girls than in sand castles, the buddy system and Shasta grape soda. I parked the car on the beach, outside the area of the beach where you have to pay to get on. Mom just wanted to sit in the car and enjoy the breeze and the fresh salty smells in the air that only exist at the beach. I got out and took a short stroll down the beach. After we left the beach, we didn’t talk for a long time. We were probably off the island before I thanked her for suggesting we go to the beach. We weren’t there long, and while we were there I didn’t even think about all of those family trips to the beach as a kid, but I remember it now as clearly as if it was last week.
That last night in the hospital, I was among the earlier group to go down to Galveston to see her. I wanted to be sure that not everyone in the family was down there at once. I had read or heard that, when a sick person realizes that everyone has come to see them, when people who normally wouldn’t be there arrive to visit, they know that the end is near and they let go. I wasn’t ready for her to let go, so I was really angry when I got there and found out that all my siblings were on their way down as well. But they had been called, since the doctor said she had very little time left. We were all assembled in her room when she said she just wanted to go home. “We’re all here now, Mom,” Shawn said. “This is home.” I was in the hallway when she slipped away, telling Colleen how I wanted to go to the beach right then, to walk in the sand and try to figure out what was happening and why. I wanted to hear the sounds of the waves that threw the first forms of life onto the earth, to smell the unmistakable smell of the beach, fresh and rancid at once, the odor of the beginning and the ending of life.
The worst part about losing a loved one is that your memory of that person slips away from you from that moment on. You try to remember all you can, and some things will stay in your memory like a movie you’ve seen too many times, but the other things, the little things, disappear. Each time you gather together your memories of her, there are a few more missing. You don’t really notice them gone; it just seems as though there used to be so much more. Those memories are like a sand castle on the beach. You can construct it as well as you’re capable, embed it with seashells to protect it from the wind, build a berm to prevent the tide from reaching it, but try though you may, each passing minute will see the loss of a parapet, the softening and rounding of a once-square corner, the erosion of a tower. There’s nothing, ultimately, that you can do to protect it, and despite your best diligence, the finely constructed castle just becomes a lump of sand on the beach.
Sometimes, however, something will spark an old memory that you thought you’d lost, the way the smell of dust on old books always reminds me of the books from the top shelf of our old living room, the books that got neglected and forlorn waiting to be rediscovered. It is in knowing that these triggers exist that I can live with the fact that ever since I was 29 my direct ancestors live only in my faulty, leaky memory, and that even though my memories may only amount to a lump in the sand, every time I see a shell-encrusted sand castle or a well-carved tower, old memories will float to the surface like the turning of the tide. I’ll take my children to the beach and tell them stories about the ancestors they never knew, and hand my memories over to them so that the collective consciousness of who I am and, ultimately, who they are can instill in them a sense of belonging and an understanding of life, infinity, and the sea.
337: That's how many large (over 500) breaches were reported to OCR for "wall of shame" purposes. This is a slight drop from last year; however, more were "malicious" (usually a hacker, and often ransomware-related) this year, which isn't really surprising.
OCR Announces 11 More Access Enforcement Actions: OCR has adopted a special enforcement focus on covered entities that fail to provide patients with access to their PHI. These cases often involve lower fines than we usually see for breaches and larger/more systemic failures to comply with HIPAA obligations. Last week, OCR announced 11 new access enforcement actions.
The fines range from $3,500 to $240,000, and 9 of the 11 matters have fines of $65,000 or less.
Oklahoma State University: OSU got hacked, and the hacker was able to access a server where staff stored some PHI. End result: a fine of $875,000.
News We Already Knew: Consistent and regular security training helps prevent ransomware and other cybersecurity incidents.
Professional Finance Company Breach: I don't think I've ever heard of this entity, but apparently Professional Finance Company provides accounts receivable management services to about 600 healthcare provider organizations, including large hospital systems. Apparently, they were subjected to a hack and ransomware attack that may have put a lot of PHI at risk. Nobody's said how many individuals might be affected, but given the size of some of the PFC clients who have been named, I'd expect it to be in the millions at least.
How about No? A group of Democrat Senators have asked HHS to immediately begin the process of amending HIPAA to protect abortion information in the wake of the Dobbs decision. Specifically, they want to prevent providers from sharing information relating to abortion with law enforcement.
How about no? HIPAA as drafted works perfectly well to balance the need for patient privacy and confidentiality with the need for proper access for appropriate law enforcement purposes. And there is no reason at all to select out certain types of medical care as getting "special" treatment, at least not within HIPAA. HIPAA is a broad set of policies and rules that works effectively across multiple platforms, service types, business entities, industries, situations, and circumstances. It specifically incorporates reasonability and scalability into its standards, and puts appropriate decision-making where it belongs: with the patient in some cases, or within the professional judgment of a provider in others. It's pretty amazing that the exact same set of regulations can effectively govern a huge multi-hospital health system or a trillion-dollar insurance company as well as a single-doctor, single-location medical practice. There is just no reason to think that HIPAA needs to be changed because the governance of a single type of medical procedure has been returned to the states.
Different states treat medical marijuana differently, but there's no specific HIPAA provision specifically protecting medical marijuana information. Some states outlaw or restrict certain therapy services (such as transgender services or conversion therapy), but there's no specific HIPAA provision protecting health information relating to those services.
That's because there needn't be.
MCG Health Breach: MCG Health, a business associate of a number of large healthcare institutions that provides data analytics and research involving PHI, was hacked and suffered a data breach that may affect up to 1.1 million individuals. At least 5 suits have already been filed, most seeking class action status.
Hat tip: HIPAA Journal.
Chapter 10: The Privacy Rule: Rule, Rights, and Responsibilities (3)
This is a continuation of my series of 20 posts celebrating the 20th anniversary of the HIPAA Privacy Rule and the 20th anniversary of the beginning of this blog.
The Transactions and Code Sets rule really came first, but that’s a pretty much self-actuating rule: once everyone uses the same forms, it’s easier for everyone else to follow along. As for the parts of HIPAA that require work, the Privacy Rule came first in HIPAA. The first set of regulations addressed privacy, and it was 2 years later that the Security Rule came out. Of course, we’ll get to security soon enough.
In keeping with our theme of “threes” (3 types of covered entities, 3 digits in the transaction codes), the Privacy Rule has three major components: the overall “rule” for using and disclosing PHI; the “rights” individuals have with respect to their PHI; and the “responsibilities” of covered entities to provide protection.
The Rule: The basic purpose of the Privacy Rule can be described as a “thou shalt not” rule: a covered entity may not use or disclose PHI unless specifically permitted by HIPAA. It’s not “unless the patient gives permission or consent;” there are plenty of ways a covered entity can use or disclose PHI without getting consent, but “patient’s authorization” is one of the permitted ways. The primary permitted way is if the use or disclosure is for treatment, payment, or healthcare operations. If the use or disclosure is for one of the “TPO” purposes, the consent of the individual is not required. The vast majority of uses and disclosures of PHI in the healthcare industry are for TPO. Of course, if the patient gives a specific type of consent (HIPAA uses the terminology “authorization”), the use or disclosure is permitted as well.
The Privacy Rule includes several specific types of disclosures that are permitted without authorization, in addition to PTO. In certain circumstances and subject to some specific requirements, uses and disclosures of PHI are permitted: for research purposes; in connection with judicial proceedings; for law enforcement; where required by other laws; with respect to inmates and prisoners or military affairs; for coroners, medical examiners, and organ donation organizations; and a few other instances.
But if the use and disclosure of PHI is not for TPO, pursuant to an authorization, or for a specifically permitted purposes, it can’t be done by a HIPAA covered entity.
The Rights: There are 6 rights of individuals enshrined in HIPAA: the right to receive a Notice of Privacy Practices (see more below), the right to access your PHI, the right to request amendments, the right to an accounting of disclosures, the right to request communications in a different format or at a chosen location, and the right to request specific privacy protections. Not all of these are absolute: for example, a covered entity can refuse a request for an amendment of PHI if the existing PHI is correct, and a covered entity doesn’t have to agree to alternative means of communication or additional privacy protections if the requests aren’t reasonable. Additionally, the right to access and amendment only apply to PHI the covered entity maintains in a “designated record set;” if the covered entity has patient names and addresses in a client management database or holiday card mailing list, that doesn’t have to be provided to the patient when they ask for access or amended when they ask.
One other thing to note about the access right: the patient obviously has the right to ask for access themselves, but they can also ask for access and ask that the copies be sent to a third party. Some providers see the third party recipient and think the disclosure should be treated as a disclosure pursuant to the authorization of the patient. This can be confusing, but the best way to look at it is: who is asking for the information to be sent to the third party, the patient (that would be access) or the recipient or covered entity (you need a signed authorization authorization). Additionally, since getting an authorization usually takes an extra step (but is safer for the covered entity since it makes it clear that the patient authorized it), it could at times be seen as imposing an unnecessary burden on the patient. This becomes important if the refusal to disclose the PHI until the patient signs an authorization reaches the level of “data blocking” (we’ll discuss data blocking later). Just remember, the patient generally has the right to access their PHI, with very few and limited exceptions.
The Responsibilities: The third major component of the Privacy Rule imposes certain responsibilities on covered entities. These generally relate to the way the covered entities provide privacy and data security (and prove that they do so). Most covered entities are required to give individuals a “Notice of Privacy Practices” explaining how their PHI will be used. They are required to enter into “business associate agreements” (or “BAAs”) with any vendor or subcontractor that might deal with PHI. They must adopt certain policies and procedures to protect PHI. They must respond to complaints and ensure the individuals may exercise their rights. And they have to document all the way they do these things.
The basic result of the Responsibilities should be to impose on covered entities the obligation to operate in a manner that fosters a culture or privacy and confidentiality with respect to PHI. Many of these obligations do not have checklist-style methods of proving compliance; that’s more visible in the Security Rule. Here, it’s more cultural. But the underlying emphasis of the Responsibilities is ultimately to enforce the Rule and ensure the Rights are protected.
HHS Issues Guidance on Audio-Only Telemedicine Services: The guidance is pretty straight-forward and common-sensical: audio-only telehealth is fine from a HIPAA standpoint as long as reasonable steps are taken to protect privacy: no speakerphones except in private spaces, and verify the identity of the patient.
Of course, doctors have been talking to patients over the phone for some time . . .
AND, just because it's OK under HIPAA, that doesn't mean it qualifies for payment under Medicare, Medicaid, or private insurance; check your provider agreement before billing.
Yuma (AZ) Regional Medical Center Hit by Ransomware Attack: This one sounds bad. The attack happened in April, and according to this June news report, and Yuma is still working with security experts to bring its systems back online. Yuma was able to stay open, but had to go to paper records. AND, data files were exfiltrated.
Is Your Doctor's Sign-in Program Stealing Your PHI? There's a somewhat alarmist story in the Washington Post this week on physician office registration software provider Phreesia. The implication is that your doctor's office has sold your data to pharmaceutical companies. That seems like a pretty gross mischaracterization.
Remember in the old days, whenever you went into the doctor's office, you had to fill out 5-10 pages or paperwork listing your ailments, medical history, etc.? In the old days, the doctor's staff would take those pages and stick them into a paper file; when electronic medical records came along, the staff would retype those pages into the electronic record; somewhat more recently, they'd scan them in as PDF copies.
Phreesia provides software for doctors' offices to use during patient sign-in. Patients are given an iPad or other tablet device and asked to fill in their information, which is instantaneously and effortlessly filed into the patient's electronic record. This saves doctors' offices the cost of staff time, and ensures that the information is in a more usable electronic format.
I suspect that what Phreesia charges doctors' offices for the use of the software does not cover Phreesia's costs of operations and developing the software. Why would Phreesia sell the software below its costs? Because Phreesia also gets funding from advertisers. Those advertisers are going to be companies who specifically want to get their ads to people in doctors' offices, and really want their ads going to people who might need their products (and not to people who don't need, and won't ever buy, their products).
So, does Phreesia (and by implication your doctor) sell your data to pharmaceutical companies? The Post story says, "Phreesia says it does not 'sell' your data" (Note the snarky "Phreesia says," which the Post reporter doesn't dispute). In fact, Phreesia does not, nor does your doctor. No pharmaceutical company ever sees your information. Rather, the Phreesia software has a certain number of different ads loaded. It does use your data to determine which ad gets displayed. No data is sent out to anyone.
The Post story notes that you can click "no" and you won't get targeted ads. You may still get ads, though; they'll just be randomly generated from whatever ads are loaded on the system. Even if you click yes, if you don't want to see the ad, you can just turn the tablet over, or turn it back into the receptionist's desk. Either way, once you've turned in tablet, you'll get to sit down and watch ads on the TV or in the magazines in the waiting room -- ads which are likely tailored to the specific type of patients that frequent that doctor's services).
Look, you're going to see an ad; would you rather it be something that you might, maybe, be interested in, or just some random sales pitch, or perhaps something you'll never want or need? Let's say you're (i) a woman (ii) who is not in a relationship with a man with erectile disfunction. If that describes you, there's probably a 99% or greater chance that you have no interest in seeing Viagra or Cialis ads. If I could guarantee that, even though you'll see the same number of ads as before, but none of them would be for ED drugs, would you take that offer?
Kaiser Permanente. The Kaiser Foundation of Washington health plan apparently was the victim of an email hijacking attack, probably from an employee clicking on a bad link. 80,000 individuals were affected. In all odds, no data was disclosed, but when you can't determine with a high level of certainty, you've got to treat it as a breach and report it.
Shields Health Breach: Massachusetts imaging and ambulatory services provider Shields Health has reported a hack that may have exposed personal information (including Social Security Numbers) of as many as 2 million individuals.
News from the Cyberinsurance Market: Healthcare entities are finding that cybersecurity insurance is getting harder to find. Insurers are leaving the market, and prices are going up. Having cyberinsurance has always been a good call, from the time the insurance first hit the market, because (i) the risk is so hard to quantify, (ii) a really bad incident will undoubtedly bankrupt the company, and (iii) the prices have been so reasonable. And if you are a business associate, (i) many covered entities require cyberinsurance, and (ii) many business associates use their cyberinsurance to support indemnification and liability caps in their business associate agreements.
Early in the cyberinsurance market, many insurers jumped in. The risk, while hard to quantify in size of claims and hard to tell which insureds were most likely to get hit, were still not great -- most cyber incidents result in costs of remediation, notification, and vague reputational damage, but don't end up with large settlements to customers or regulatory fines. Some of this reshuffling of the market is just insurers figuring out that either they're not great at running the business, don't have enough business in the portfolio to make it worthwhile, or are blanching at the ever-increasing number of breaches and increasing knowledge of and reliance by insured in taking advantage of the insurer when any event occurs that they would otherwise have taken on themselves.
FTC Blog Post on Breach Notification: Getting any sort of guidance from regulatory agencies on the agency's concerns and thoughts about prosecuting violators is always good, even though I'd prefer clearer regulations so that guidance isn't necessary. Notwithstanding that nit, the FTC has issued a blog post highlighting their concerns regarding the strong rationale for notifying individuals in the event of a breach (whether it's a HIPAA breach or entirely unrelated to healthcare). While HIPAA covered entities must meet HIPAA's breach notification requirements, and all 50 states have their own state-specific breach notification requirements, if your analysis ever leads you to believe that you don't have an obligation to report under HIPAA or state law (e.g., you're not technically a HIPAA-covered entity), don't forget FTC's requirements as well.
How to stop snoopers: Humans are naturally curious, and most people are curious about their friends, family, and peers. That natural impulse may be a major contributor to of one of the biggest risks HIPAA covered entities face to data security: insiders accessing information improperly, a lot of which is nothing but pure snooping.
However, a new study published in JAMA Network Open has found an effective way to stop snoopers after the first bite: an email telling them to stop. The study looked at all non-care-team access to records at a large academic medical center over a 6-month period. Half of the offending snoopers got an email telling them their access was improper and warning them not to do it again; the other half got no warning. Only 2% of the warned group went on to snoop again, but 40% of the control group resumed snooping.
That sounds like an extremely effective strategy. I've always been in favor of rehabilitative-but-highly-visible responses to HIPAA violations: people make mistakes and shouldn't be whacked too hard for one-off judgment errors, but showing a serious response to even minor HIPAA issues can set a good tone for the organization. This study seems to back that up.
Class Action Status sought in SuperCare Health Data Breach: The breach resulted in exposure of data of over 300,000 individuals, but it's not clear that specific harm has come to any of them from the breach. It will be interesting to see if class status is granted, and whether the failure to specify the harm will result in an early dismissal.
Chapter 9: Privacy, Security, and TCS (3 rules; 3 digit transaction numbers)
As initially noted above, the HIPAA statute itself is a bit of a hodgepodge, with 5 separate Titles covering everything from actual insurance portability to health savings accounts to, of course, health information privacy and security. But when we talk about HIPAA, we’re really talking about a subtitle of Title II known as “administrative simplification.”
Adminsimp, as we like to call it, is mainly composed of 3 separate components (there we go with the number 3 again): the “Transactions and Code Sets Rule,” which standardizes the form, format, and content of specified electronic transactions in the healthcare industry; the “Privacy Rule,” which establishes a set of rules and standards for the protection of the privacy of an individual’s health information; and the “Security Rule,” which establishes minimum requirements for protecting the security of that information.
As discussed above, one of the motivating factors of HIPAA (after addressing “job lock” caused by actual insurance portability, as the name implies) was the twin goal of improving the efficiency of the healthcare system by increasing the amount and ease of electronic transactions. This meant determining some specific transactions that happen over and over in the industry, finding a way to convert those transactions into electronic data interchange transactions, and standardizing those electronic transactions so that they would become more popular, easier, and ubiquitous.
There are a total of 9 transactions that were targeted and standardized, several of which are reciprocal. To perform the standardization, HHS turned to the American National Standards Institute, which does everything from standardizing the size or light bulbs and electric plugs to shipping containers. The standardized transactions represent exchanges of information between providers and payors, and between insurers and employers, and are each signified by an ASC X12 number, as shown here:
Prior to HIPAA, each health plan had a slightly different form that providers had to fill out to submit a bill electronically. They were all roughly based on the standard billing form used by Medicare for its electronic billing, but each had some differences, which meant that providers either needed more staff to do the billing and complete the different forms for each payor, or had to hire a healthcare clearinghouse to do the translation for them. Since HIPAA now requires that covered entities use these forms when conducting these transactions, the cost and inefficiency of different standards should be reduced. Of course, it’s not really as easy as that: there are still supporting documentation, pre-authorization and post-claim reviews, and the like (surely you understand that payors make money if they can delay claims even a little bit). But the goal was certainly admirable, and almost certainly has been beneficial overall.
The Transactions and Code Sets Rule, as you can see, is really a technical rule. If you engage in these specific transactions in electronic format, you have to do so in the prescribed forms. As we’ll see below, the Privacy rule is more of a cultural/administrative rule: it changes the way healthcare businesses operate by requiring the adoption of a culture of privacy with respect to patient information. The Security rule is really a little of both – it’s mostly about implementing specific safeguards (or more accurately, safeguards addressing specific matters) and meeting technical requirements, but it’s also about the way things are done.
As for the specifics of the Privacy Rule and the Security Rule: well, they deserve their own sections, below.
Chapter 8: The What: Protected Health Information.
[A continuation of my 20th anniversary of blogging/20th anniversary of HIPAA enforceability global recap]
Now that we’ve discussed the who, let’s turn to the “what:” only certain people are subject to HIPAA, and are only restricted with regard to certain types of information. HIPAA defines that as “protected health information,” which we usually shorthand to PHI.
Obviously, health industry participants have access to all kinds of data, but not all data is sensitive. As with most privacy rules (whether the US sectoral laws, the GDPR, the FDA’s “common rule” for research, etc.), it’s only the data involving specific individuals that warrants protection, so it’s only PHI that the HIPAA rules cover.
The definition of PHI is still broad, though, and generally consists of 2 major components: information relating to a single person’s health, where the identity of the individual is discernable. The “health information” component is exceedingly broad: it can relate to health history, conditions, treatment, or payment; it can relate to the past, the present, or the future; and it can relate to physical or mental health. If you can imagine any way that it involves health, it meets the first prong of the definition.
The second prong is identifiability. Certainly, name, social security number, driver’s license number, credit card number, or some other specific identifier counts. However, if it’s reasonable that someone with a sufficient amount of knowledge could determine the identity of the person who is the subject of the information, then it meets the identifiability prong. This is not a clearly circumscribed definition – the edges are pretty fuzzy, since it’s hard to tell what information would be sufficient to allow someone else to identify the individual. Thus, as with the question about whether it relates to health, it’s wise to err on the side of considering the information identifiable.
There are some sets of identifiable health information that are specifically excluded from the definition of PHI, largely for practical reasons. Information in education records (school immunization records, for example), employment records (pre-employment physicals, on the job accident reports, Family Medical Leave Act documents, drug test results, return-to-work doctor letters, etc.), and records of an individual who has been dead for 50 years (an exception designed to help researchers) are all specifically excluded from the definition. Of course, as you can surmise, even if you are dead, your records are still PHI for 50 more years.
The definition of PHI is not limited to current medical records, or “official” medical records. While in certain instances (e.g., where an individual has a right to access or amend the information) HIPAA only addresses information in a “designated record set,” the general rules relating to HIPAA’s restrictions on uses and disclosures apply to any PHI that a covered entity has. This can lead to some unexpected circumstances. Here’s an entirely apocryphal story I tell my students when we discuss HIPAA:
A Dallas doctor with a thriving medical practice invites his friend, a Kansas City lawyer, to a Cowboys game. The visiting team is the Chiefs, and the lawyer is a huge Patrick Mahomes fan. The night before the game, the doctor is watching the local news, and hears that Mahomes cut his throwing hand badly while preparing guacamole, and will not be able to play. Sunday afternoon, while in their seats at the JerryWorld stadium, the Chiefs’ offense takes the field with, much to the chagrin of the lawyer, the backup quarterback. The lawyer turns to the doctor and says, “What! Where’s Mahomes?” The doctor turns to him and says, “I saw on the news last night that he got sideways with an avocado, severely cut his hand, and is unable to play.” In that instance, the HIPAA Police descend from the rafters of AT&T Stadium, arrest the doctor, and haul him off to HIPAA jail.
Apocryphal, as I said. However, that is technically a HIPAA violation: the doctor is a covered entity (assuming that a thriving surgical practice accepts insurance payments electronically), and the information is PHI (it’s about health and identifies Mahomes). Mahomes is not the doctor’s patient, but that doesn’t matter. The information was already in the public knowledge, having been disclosed by the NFL and the local sports anchor, but that doesn’t matter. The information was not part of a medical record maintained by the doctor, but that doesn’t matter. It’s still PHI, and that’s all that matters.
There are also certain categories of PHI that, while still PHI, are subject to particular rules. Psychotherapy notes are PHI but are not subject to the patient’s rights to access (discussed below), and have stricter limits on disclosure. Keep in mind that “psychotherapy notes” have a peculiar definition: the mere fact that the information relates to a patient’s psychiatric or psychologic state does not make it a psychotherapy note. Rather, psychotherapy notes are PHI kept separate from the main medical record, are recordings of a conversation involving the patient, are kept by the analyst, and do not contain information such as therapy start/stop times, prescription information, etc. Generally, psychotherapy notes are supposed to be notes that the analyst keeps for him/herself regarding the patient; in other words, notes that are only intended for the analyst’s own review, and never intended to be disclosed to the patient. So, before you decide that you can block a patient from accessing his/her PHI because it’s psychotherapeutic, check the definition of “psychotherapy notes.”
Likewise, PHI that relates to research, specifically research under the FDA’s “common rule” or which is subject to an Institutional Review Board’s oversight, is subject to specific rules that allow for broader disclosure and use. The rationale for this is that the IRB will provide the protection, while greater use is necessary for legitimate purposes.
This will be discussed more below, but encrypted PHI is still PHI. It is still subject to the same rules, even though it’s encrypted (the benefits of encryption really relate to breaches and other Security Rule requirements). And also discussed below, “electronic PHI” is a component of PHI, which matters for Security Rule compliance.
If it’s a fragment of information that came from PHI, it continues to be PHI, if it still meets the 2 prongs. In other words, something as simple as name and address, in correlation with the name of a healthcare provider, is PHI. A HIPAA covered entity can’t use the mailing addresses of its patients for a non-permitted purpose (for example, to send out advertisements for entirely unrelated businesses), even if uses no other information that what is generally publicly available in the phone book or voter rolls; the fact that it came from PHI means it remains PHI, unless it is specifically “de-identified” (thus losing the 2nd prong of the definition of PHI).
HIPAA allows covered entities to “de-identify” PHI by stripping away identifiability. Keep in mind that health information must be “identifiable” to be PHI, and the definition of “identifiable” is somewhat malleable; likewise, it might be hard to tell if the PHI has truly been de-identified. For that reason, HIPAA provides 2 “safe harbors” for de-identification: one allows a covered entity to employ a de-identification expert to certify that “the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information.” Hiring experts can be costly, so the second safe harbor allows the covered entity to simply remove 18 specific identifiers, such as names, addresses more specific than the 1st 3 digits of a zip code, dates other than years, identifying numbers, etc., with the resulting data being, by definition, not PHI.
As you can see, the definition of “identifiability” is amorphous, but the definition of de-identification is specific. This raises a conundrum: many people use the definition of “de-identified” to form an analog definition of “identified:” if it contains any of the 18 identifiers, it’s PHI, but if it doesn’t, it isn’t. That’s not exactly right – while you could take the information and remove the 18 elements and thus meet the safe harbor, the original information that didn’t contain any of the 18 elements might still be PHI. Like the HIPAA police at Cowboys’ Stadium, this is a theoretical issue that will likely never be solved (or even argued over), so I’ll leave it there.
4 New Enforcement Actions. The OCR issued a press release last night outlining 4 recent HIPAA enforcement action settlements. Three takeaways:
50,000,000. That's an estimate of how many medical records were exposed in breaches in 2021.
Not all providers aren't covered by HIPAA.
So, the always-prescient Noah Speck asked:
In case you needed a reminder: OCR Director Urges Healthcare to Prioritize Cybersecurity This Year.
Annual "small breach" reporting deadline is approaching: As you should know if you're reading this blog, when you have a breach of unsecured PHI that affects 500 or more people, you have to report to HHS, as well as local media, when you report to affected individuals. When you have a breach of less than 500, you still must provide notice to the individual, but there is no immediate reporting requirement to HHS and local media. But, for those small breaches, you do have to make an annual reporting to HHS.
The "small breach" reporting requirement is that you report all small breaches by the end of February the next calendar year. Thus, you need to report all small 2021 breaches by Monday, 2/28
Reporting to HHS is easy; you can find the reporting forms for both large and small breaches here.
Hat tip: thanks to Rebecca L. Williams and Amy Kabaria of Davis Wright Tremaine for the reminder.
Chapter 7: The Who: Plans, Providers, and Clearinghouses, and the First of the Rule of 3s.
In most of my lectures and seminar presentations about HIPAA, I point out that one of the most confused elements of the general public’s understanding of HIPAA stems from how it is limited and focused. I’ve previously discussed (Chapter 3) how privacy law in the US is sectoral: HIPAA for healthcare, FERPA for education, GLB for banking and finance, etc. HIPAA is specifically limited in who and what is subject to the law (I’ll discuss the “what” in Chapter 8).
HIPAA only applies to specifically listed types of persons and entities, called “covered entities” in the law. The HIPAA statute listed three types of entities that would be subject to the law: healthcare providers, health plans, and healthcare clearinghouses. Because the law limited its own scope to those 3 types of entities, the regulations also had to be so limited: despite the deference granted to regulators under the Chevron doctrine, the regulations can’t add things that aren’t within the scope of the statute. Many people think that HIPAA has some type of general applicability: for example, there’s a common complaint that a business (such as airline, or your employer) has no right to ask your vaccination status because to do so would violate your HIPAA rights (or, more likely, your “HIPPA” rights). Obviously, that’s not so.
(Note: there are a lot of groupings of "threes" in HIPAA, as you'll see later. This is the first)
That limitation also meant that a great many entities that commonly hold medical records would not be subjected to the law and regulations. For example, billing companies, lawyers, accountants, pharmacy benefit managers, and the like will often come into contact with medical records if their clients or customers are in the healthcare business, but since they are not health plans, providers or clearinghouses, they are not (directly) subject to HIPAA under the law, which means they can’t be subject (directly) to the regulations, at least not until the law itself was amended by HITECH. That ultimately resulted in the concept of the “business associate;” more on that in Chapter 12.
Each type of covered entity has its own peculiar issues.
Healthcare Providers: The definition of a healthcare provider in HIPAA is pretty expansive. The Stark Law, for example, only applies to physicians, but in HIPAA, pretty much any person or entity involved in the provision of pretty much anything having to do with health constitutes a “healthcare provider.” However, not all healthcare providers are subject to the law: only those healthcare providers “who [transmit] any health information in electronic form in connection with a transaction covered by” HIPAA. HIPAA specifically regulates 9 electronic transactions between healthcare providers, payors, and employers, such as a provider submitting bills for healthcare services to a payor, or a payor checking with an employer to determine which employees are to be covered. Generally speaking, if a healthcare provider does not submit bills electronically to insurers, he/she/it will not be a covered entity under HIPAA. That leads to the anomaly that some healthcare providers are more like airlines, at least as far as HIPAA goes.
However, it’s useful to note that even those providers who are not subject to HIPAA generally follow the same rules with regard to privacy and security as providers who engage in HIPAA-covered transactions. First, there are other privacy laws (including the FTC’s general privacy and data security rules) that these providers are subject to. Secondly, even without privacy laws, most providers are subject to ethical and legal requirements to protect patient privacy and data security. Finally, providers have general a duty to provide services subject to a reasonable standard of care, and HIPAA is the de facto standard of care for data privacy and security in today’s world. Thus, even if not all providers are HIPAA-covered entities, they are strongly encouraged to live up to the same standards as HIPAA-covered providers.
Health Plans: Pretty much any entity that pays for or arranges for the payment for healthcare services is a covered entity under HIPAA. That means that Medicare and Medicaid are subject to HIPAA. But most Americans get their health insurance from their employers, and contrary to common knowledge, most employers don’t simply buy insurance from United HealthCare or Blue Cross: rather, most employers with more than just a few employees actually establish their own in-house insurance plan under the law known as ERISA. Those self-insured plans then contract with United HealthCare or Blue Cross to manage and administer their health plan (“hey, we’re a trucking company, what do we know about running an insurance company?”), which helps lead to the confusion. But the plan itself isn’t United HealthCare, it’s Joe’s Trucking Company Employee Health Benefit Plan.
Most ERISA plans (or employer self-insured plans) are just that: a plan established by the employer, with bank accounts that pay for some of the healthcare, some insurance for care that goes beyond what the employer pays directly, and the third-party administrator to run the program, arrange for the panel of physicians, etc. These ERISA plans aren’t separate companies, but more like a trust: not really an entity, and certainly not a legal entity. However, under HIPAA, they are “covered entities,” even though they are not “entities” at all. Funny, huh?
One additional thing to note with regard to plans: the US is alone in having employer-provided health insurance as the norm. That’s neither good nor bad in itself, but that relationship, and the structure ERISA encourages of employers having their own plan rather than just buying insurance from an insurer, means that your employer might know a lot more about you than they would if you got your health insurance the way you got your car or homeowner’s insurance. That crossover also is addressed by provisions in HIPAA that require certain degrees of separation between your employer as employer and your employer as the health plan it provides. A health plan can only share limited information with the plan sponsor (the employer), and the employer is prohibited from using health plan information to make employment-related decisions.
Healthcare Clearinghouses: The best way to describe a healhcare clearinghouse is as a data translation company. They take data on one format (for example, the way a particular healthcare service is described in electronic format by a physician practice’s business software) and translate it into a different format (for example, the format required to submit a bill to a particular insurance company). These entities are specifically covered by HIPAA. However, remember that one of the initial goals of HIPAA was to standardize all of these electronic transactions that occur in the healthcare arena. If those transactions are all standardized, who needs healthcare clearinghouses?
Don’t know if you’re a clearinghouse? Then you almost certainly aren’t one. There aren’t that many, but they know who they are.
So, as originally written by Congress, HIPAA only applies to certain “covered entities:” healthcare clearinghouses, health plans, and healthcare providers who engage in HIPAA-covered transactions. If that’s not you, you’re not covered by HIPAA. Unless you’re a “business associate;” yeah, we’ll get to that in Chapter 12.
Sorry for the light blogging recently. No real excuse, to be honest, just some laziness and a certain lack of real activity in the HIPAA universe.
Last April I did start a series of posts explaining HIPAA down to its roots. The timing was set to coincide with the 20th anniversary of the publication of the Privacy Rule, so I decided to post 20 different long-form blog posts about HIPAA: what it is, how it started and why, how it works, how it's changed, and what's likely to happen next. I've published 6, and will have Chapter 7 out soon. I've outlined the remaining 13 chapters, but just need to get to writing them.
So if I get the whole year to celebrate the 20th anniversary of HIPAA, I'll have to finish by April. Wish me luck. . . .
FTC's healthcare data breach reporting requirements: don't forget that HIPAA isn't the only show in town if you have a potential data breach. In addition to state laws, the FTC has its own data breach notification rule specifically for the healthcare industry. More information here.
Memorial Health System in Marietta, WV was hit by a ransomware cyberattack which resulted in an intrusion into their computing systems around July and August, 2021. PHI of 200,000 patients was potentially exposed, but no known exfiltration or improper use has been detected.
Time to catch up on some recent data breach enforcement actions.
First, Massachusetts General and Brigham & Women's, along with Dana Farber Cancer Center, have agreed to settle a lawsuit for $18.4 million. The lawsuit accuses the hospitals of allowing their researchers to use apps that allowed access to as many as 10,000 patients.
Next, a class action suit has been filed against BioPlus Specialty Pharmacy, accusing it of insufficient HIPAA protections, which allowed unknown hackers access to company files containing patient PHI.
Next, EHR provider QRS is facing a class action suit in connection with a breach affecting 320,000 individuals.
More to come, I'm sure. And of course I still owe the rest of the 20-at-20 chapters, celebrating the Privacy Rule's first 20 years. I promise to finish before the Privacy Rule turns 21 and starts drinking. . . .
This is probably not surprising, but health industry data breaches in 2021 have exceeded the previous record in 2020. I'm thinking 2022 will be the next record year, but maybe we'll improve more than the hackers. A guy can hope, right?
Access Enforcement Continues: The Office for Civil Rights announced today that it has settled 5 more cases where covered entities were fined for failing to provide patients with access to their medical records. The fines range from $10,000 to $100,000.
New Jersey Infertility Clinic Settles State Law and HIPAA Violations: Diamond Institute, a NJ infertility clinic, recently settled a matter involving allegations of state law and HIPAA violations relating to failure to maintain data security safeguards, including encryption. The clinic paid a $500,000 fine and agreed to implement new data security measures.
OCR guidance on applicability of HIPAA to worker vaccination information: The OCR has issued guidance in the form of FAQs to help the public understand how HIPAA applies to questions about vaccination status posed to employees or customers. Generally, HIPAA does not apply: if the business asking the questions is not a HIPAA covered entity (generally, a healthcare provider or a health insurance plan), then the business isn't a covered entity at all, so HIPAA doesn't apply. If the business is a HIPAA covered entity but the information relates to its employees (for example, a hospital asking its employees whether they have been vaccinated), the information is likely "information . . . in employment records," which is a category of information that is specifically excluded from the definition of Protected Health Information (or PHI). Of course, if the business is a HIPAA covered entity and it is asking non-employees (its patients or visitors, for example), then the entity cannot use or disclose that information except for purposes permitted under HIPAA. However, if an airline, restaurant, or concert venue asks a customer for proof of vaccination, HIPAA is not implicated.
HIPAA only applies to covered entities (and their business associates), and only applies to PHI. Is the entity a covered entity, and is the information PHI? Unless both answers are "yes," then HIPAA does not apply. Simple as that.
FTC's New Push for Health Data Breach Notification: Ok, sorry for being so light with the blogging recently, but I've been somewhat busy with other things. I'm still working on the "20 Chapters" project to celebrate the 20th anniversary of the publication of the Privacy Rule, and I really will try to finish before year end (and not extend it into next April, which would give myself a full year).
But anyway: " The U.S. Federal Trade Commission issued a policy statement this week confirming that connected devices and health apps that use or collect consumers' health information must notify users and others when that data is breached. Failure to comply, the agency said, could result in a penalty of up to $43,792 per violation per day."
What's getting the FTC's attention is the fact that so many health apps and IOT devices collect so much health information, yet those apps and device makers are not HIPAA-covered entities. And those apps and devices are exploding in popularity, usage, and ubiquity. So the FTC is going to start enforcing its 10-year-old (but previously never enforced) data breach notification rule. They issued a statement to that effect here.
Wait, the FTC has a health data breach reporting rule? I never knew that! Anyway, it's here; I'll be reading it over the weekend, and will likely report back on the overlap (and lack of overlap) between it and the HIPAA data breach reporting requirements.
Hurricane Ida. As has become a common pattern, yesterday OCR announced a limited waiver of HIPAA sanctions and penalties for covered entities affected by Hurricane Ida. As usual, the waiver is narrowly drawn to reflect the types of things that can result in HIPAA being a hinderance to emergence care and operations, such as more flexibility to families looking for lost family members. The waiver can be found here.
The US Cybersecurity and Infrastructure Security Agency produced a fact sheet to help government and private sector organizations prevent and respond to ransomware attacks. I highly recommend you take a look:
Good take on HIPAA by Kirk Nahra.
Small HIPAA Settlement: When I first saw this $25,000 settlement, I figured it was another access issue. But it's not; it's a lack of risk analysis/policies and procedures fine. Still, interesting to see smaller fines coming out.
Not Everyone Wants the Proposed HIPAA Revisions: The AMA, AAMC, and others have taken advantage of the expanded comment period to question the timing and scope of the HIPAA revisions proposed at the end of the Trump Administration. No need to rush into changes that might have unintended consequences.
I'm ambivalent. The proposed changes surely aren't sweeping, and are more clarifying than expansive. In my opinion, there's a bigger issue baked into the Anti-Data-Blocking Rule, which won't be impacted by changes to HIPAA. We will see -- if I were to predict, I'd say that these won't happen any time soon; the Biden Administration seems to be pretty consistent to being reflexively opposed to anything done by the Trump Administration, whether reasonable or not.
Chapter 6: Laws Versus Regulations: the American Administrative Leviathan’s Outsized Impact.
I teach a graduate level class at The University of Texas at Dallas to students seeking their Masters of Healthcare Leadership and Administration, entitled Healthcare Law, Policy and Regulation. I’ve always thought it should be “Regulation” first, since there’s a hell of a lot more regulation in health law than law. One of my exam questions is, what’s the most legitimate complaint about the administrative state: that it lacks technical legitimacy, democratic legitimacy, or constitutional legitimacy? Presumably, the agencies are full of people with technical expertise. And they are headed by a democratically-elected president. But the Constitution never envisioned the vast federal bureaucracy. But here we are.
For decades, Congress has virtually failed to legislate. While Twain’s aphorism (“Nobody’s life, liberty or property is safe while Congress is in session”) still rings true, when things do need fixing (at least on a national level), it may require Congress to fix them. Legislating is hard: it’s usually an attempt to fix a problem, often an intractable one. And even if the true causes are known and there’s political will to actually address them, all actions have collateral, often unexpected or at least unintentional, effects. So in recent years, Congress has been content to highlight the problem, perhaps even point in a general direction for a fix, and task the administrative agencies to actually do the true legislating with regulations that are given the effective force of law. The result is that the Executive Branch does the job the Legislative Branch is tasked with in the Constitution. HIPAA is a prime example of that.
As I noted above, the original 1996 HIPAA statute gave Congress 2 years to come up with the Privacy Rule; obviously, that didn’t happen, so the heavy lifting of HIPAA was done by HHS: the Privacy Rule, as well as the Security Rule. Despite gripes by Senators Clinton and Kennedy, Congress never did anything to revise HIPAA from 1996, until the HITECH Act in 2009. As a result, HIPAA isn’t nearly so much a matter of law, but a matter or regulation.
HITECH itself was a part of the American Recovery and Reinvestment Act (known colloquially as the Stimulus Bill, and derisively as the Porkulus Bill), intended to help the US economy “recover” from the 2008 recession. It was, in fact, a horrific example of how not to pass legislation. Drunk on the success of the Obama election and majorities in the House and Senate (including a filibuster-proof 60 Senate seats), Democrats were determined to push through highly partisan bills stuffed to the gills with any and all wish-list items, the worst of which were HITECH and the even-worse Obamacare. HITECH was largely drafted by lobbyists, ran thousands of pages long, and was passed despite the fact that no lawmaker had read it. In fact, while it was being debated in the Senate, the copy under debate was amended by pen to fix a calculation error that hadn’t been discovered before the debate copy was printed. I guess that’s the government we deserve . . . (although the gods of the copybook headings would ask, “who won the next election?”).
HIPAA wasn’t the main focus of HITECH, but HITECH was the first statutory amendment to HIPAA. Did it wrap up needed changes? Of course not; additional regulations were needed in the form of the Omnibus Rule, finalized in January 2013. But HITECH did address a few specific fixes:
Business Associates: as noted above, business associates weren’t covered by HIPAA initially, and HHS had to invent the concept in the Privacy Rule and make them “contractually” obligated to follow HIPAA. HITECH made Business Associates directly liable for certain obligations under HIPAA, but it didn’t actually define what a Business Associate is; rather, it adopted the regulatory definition of HHS. It’s just not right that a Congressional statute depends for its defined terms on the regulatory agency. What if the agency changes the definition to something Congress didn’t intend? By definition (heh), this is a delegation of legislative authority.
Breach Notification: This probably deserves its own entry (number 21? 22?). HITECH added the breach notification requirement as well. As more fully discussed in Chapter 3 above, after California began the series of state data breach notification laws, HITECH added in a similar requirement with respect to HIPAA breaches. It must be a breach of unsecured PHI to be reportable, and while the definition of what constitutes a breach is pretty broad, there are several exceptions for common, low-harm occurrences. You’ll note that this approach is similar to the Privacy Rule’s basic “Rule” (see Chapter 9): state a general principle, but allow exceptions for common or anticipated events that aren’t problematic under the general principle. The first of the breach notification regulations did provide a very generous reportability exception for breaches that had a “low risk of financial, reputational, or other harm, ” which those of us who follow HIPAA for a living considered an Easter Egg, but it didn’t last; when the Omnibus Rule was passed, the “low risk of harm” standard was replaced with a “low risk of compromise” threshold, with 4 factors considered in determining the risk level: the identifiability or the PHI (but not the sensitivity; PHI is PHI whether it’s your perfectly normal blood pressure readings or your bizarre sexually-transmitted diseases), the entity receiving the PHI, whether the PHI was actually viewed, and whether the incident could be mitigated. Low risk of compromise is still a wild card, but it’s not nearly as broadly encompassing as low risk of harm.
The ”Hide” Rule: This is clearly the stupidest part of the HITECH Act, and was most clearly written by activists without a clue as to how healthcare information is normally used. The rule doesn’t really have a name, but I’ve deemed it the “hide” rule because its sole purpose is to allow a patient to hide information from his insurer. You know, I don’t like insurers either, but this is ridiculous. The language of the statute is sloppy and imprecise: it says if the individual “pays in full, out of pocket” for a medical service, and asks the provider to not provide information about the service to the patient’s insurer, the provider must comply. What if the patient is wearing an outfit without pockets? What if she takes her wallet out of her purse; is that a payment “out of pocket”? That’s not the type of language that should end up in a statute; it’s stupid, and shows what a clown show the entire HITECH process was. Laws should be specific and accurate; there’s no purpose for a “c’mon, you know what I meant” component of a law: it the law does not clearly and unambiguously state the requirements for compliance, it should not even be enforceable. But they felt good about it: “let’s stick it to the man!” But when it’s activists writing the legislation, what you’ll get is emotion, not logic.
Not only is the hide rule poorly composed, it doesn’t make any sense. If the patient pays for the first procedure “out of pocket” but wants the second one charged to insurance, or if the procedure results in the need for further care or prescription drugs, the insurer will rightfully decline to pay: there’s no medical necessity for the second procedure if there wasn’t a first procedure. Even HHS, when drafting the hide rule regulations, threw up their hands and told providers to just do their best. Like I said, ridiculous.
Potpourri: There were a handful of other components in HITECH and the Omnibus Rule, such as stricter limitations on sales of PHI, revisions to marketing requirements, genetic information issues. These were more incremental, as might be expected of an administrative agency fine-tuning existing rules.
There will be more regulations, certainly. In fact, some components of HITECH are still in limbo, awaiting new regulations. HITECH required covered entities using an EMR to provide an accounting of all treatment, payment, and healthcare operations disclosures, which were originally exempted from the disclosure requirement. The geniuses who wrote HITECH thought that if you used an EMR, you’d be able to track all disclosures, so that accounting for TPO disclosures would be easy. But that’s not true for most EMRs, and for those where it’s possible, it’s often logistically difficult. HHS proposed rules to address this, and to require accountings not just of disclosures, but of all access to a medical record; those proposed regulations were met with such objection from the industry that HHS quickly surrendered and pulled the regulations, promising to revise and republish them. It’s been almost 10 years, but there’s been no more action on an expansion of the accounting rule (trust me, that’s actually a good thing).
HITECH also set up a structure for victims of harm cause by a HIPAA violation to receive a portion of the fine levied by OCR. As you may know, there’s no private cause of action for a HIPAA breach, so while OCR can levy a multi-million dollar fine, the individual injured by the HIPAA violation gets nothing. However, OCR does get to keep the fines and they go towards OCR’s general budget. Congress tried to fix that, not by giving the patient (and the plaintiff’s bar) a private cause of action, but by allocating some of the fine to a type of restitution to the victim. However, HHS hasn’t drafted regulations yet to explain how that might work. Hmm, I wonder why not?
There are also some non-HITECH changes that should be expected (revisions to the Notice of Privacy Practice standards were actually published by the Trump administration, but have been pulled back off the table by the Biden administration). Certainly, there will be more to come from HIPAA. But statutory changes are not likely. Any revisions will almost certainly be from the administrative branch.