Good take on HIPAA by Kirk Nahra.
Small HIPAA Settlement: When I first saw this $25,000 settlement, I figured it was another access issue. But it's not; it's a lack of risk analysis/policies and procedures fine. Still, interesting to see smaller fines coming out.
Not Everyone Wants the Proposed HIPAA Revisions: The AMA, AAMC, and others have taken advantage of the expanded comment period to question the timing and scope of the HIPAA revisions proposed at the end of the Trump Administration. No need to rush into changes that might have unintended consequences.
I'm ambivalent. The proposed changes surely aren't sweeping, and are more clarifying than expansive. In my opinion, there's a bigger issue baked into the Anti-Data-Blocking Rule, which won't be impacted by changes to HIPAA. We will see -- if I were to predict, I'd say that these won't happen any time soon; the Biden Administration seems to be pretty consistent to being reflexively opposed to anything done by the Trump Administration, whether reasonable or not.
Chapter 6: Laws Versus Regulations: the American Administrative Leviathan’s Outsized Impact.
I teach a graduate level class at The University of Texas at Dallas to students seeking their Masters of Healthcare Leadership and Administration, entitled Healthcare Law, Policy and Regulation. I’ve always thought it should be “Regulation” first, since there’s a hell of a lot more regulation in health law than law. One of my exam questions is, what’s the most legitimate complaint about the administrative state: that it lacks technical legitimacy, democratic legitimacy, or constitutional legitimacy? Presumably, the agencies are full of people with technical expertise. And they are headed by a democratically-elected president. But the Constitution never envisioned the vast federal bureaucracy. But here we are.
For decades, Congress has virtually failed to legislate. While Twain’s aphorism (“Nobody’s life, liberty or property is safe while Congress is in session”) still rings true, when things do need fixing (at least on a national level), it may require Congress to fix them. Legislating is hard: it’s usually an attempt to fix a problem, often an intractable one. And even if the true causes are known and there’s political will to actually address them, all actions have collateral, often unexpected or at least unintentional, effects. So in recent years, Congress has been content to highlight the problem, perhaps even point in a general direction for a fix, and task the administrative agencies to actually do the true legislating with regulations that are given the effective force of law. The result is that the Executive Branch does the job the Legislative Branch is tasked with in the Constitution. HIPAA is a prime example of that.
As I noted above, the original 1996 HIPAA statute gave Congress 3 years to enact privacy legislation, failing which HHS was to write the rule itself; obviously, that didn’t happen, so the heavy lifting of HIPAA was done by HHS: the Privacy Rule, as well as the Security Rule. Despite gripes by Senators Clinton and Kennedy, Congress never did anything to revise HIPAA from 1996, until the HITECH Act in 2009. As a result, HIPAA isn’t nearly so much a matter of law, but a matter of regulation.
HITECH itself was a part of the American Recovery and Reinvestment Act (known colloquially as the Stimulus Bill, and derisively as the Porkulus Bill), intended to help the US economy “recover” from the 2008 recession. It was, in fact, a horrific example of how not to pass legislation. Drunk on the success of the Obama election and majorities in the House and Senate (including a filibuster-proof 60 Senate seats), Democrats were determined to push through highly partisan bills stuffed to the gills with any and all wish-list items, the worst of which were HITECH and the even-worse Obamacare. HITECH was largely drafted by lobbyists, ran thousands of pages long, and was passed despite the fact that no lawmaker had read it. In fact, while it was being debated in the Senate, the copy under debate was amended by pen to fix a calculation error that hadn’t been discovered before the debate copy was printed. I guess that’s the government we deserve . . . (although the gods of the copybook headings would ask, “who won the next election?”).
HIPAA wasn’t the main focus of HITECH, but HITECH was the first statutory amendment to HIPAA. Did it wrap up needed changes? Of course not; additional regulations were needed in the form of the Omnibus Rule, finalized in January 2013. But HITECH did address a few specific fixes:
Business Associates: as noted above, business associates weren’t covered by HIPAA initially, and HHS had to invent the concept in the Privacy Rule and make them “contractually” obligated to follow HIPAA. HITECH made Business Associates directly liable for certain obligations under HIPAA, but it didn’t actually define what a Business Associate is; rather, it adopted the regulatory definition of HHS. It’s just not right that a Congressional statute depends for its defined terms on the regulatory agency. What if the agency changes the definition to something Congress didn’t intend? By definition (heh), this is a delegation of legislative authority.
Breach Notification: This probably deserves its own entry (number 21? 22?). HITECH added the breach notification requirement as well. As more fully discussed in Chapter 3 above, after California began the series of state data breach notification laws, HITECH added in a similar requirement with respect to HIPAA breaches. It must be a breach of unsecured PHI to be reportable, and while the definition of what constitutes a breach is pretty broad, there are several exceptions for common, low-harm occurrences. You’ll note that this approach is similar to the Privacy Rule’s basic “Rule” (see Chapter 9): state a general principle, but allow exceptions for common or anticipated events that aren’t problematic under the general principle. The first of the breach notification regulations did provide a very generous reportability exception for breaches that had a “low risk of financial, reputational, or other harm,” which those of us who follow HIPAA for a living considered an Easter Egg, but it didn’t last; when the Omnibus Rule was finalized, the “low risk of harm” standard was replaced with a “low risk of compromise” threshold, with 4 factors considered in determining the risk level: the identifiability of the PHI (but not the sensitivity; PHI is PHI whether it’s your perfectly normal blood pressure readings or your bizarre sexually-transmitted diseases), the entity receiving the PHI, whether the PHI was actually viewed, and whether the incident could be mitigated. Low risk of compromise is still a wild card, but it’s not nearly as broadly encompassing as low risk of harm.
The “Hide” Rule: This is clearly the stupidest part of the HITECH Act, and was most clearly written by activists without a clue as to how healthcare information is normally used. The rule doesn’t really have a name, but I’ve deemed it the “hide” rule because its sole purpose is to allow a patient to hide information from his insurer. You know, I don’t like insurers either, but this is ridiculous. The language of the statute is sloppy and imprecise: it says if the individual “pays in full, out of pocket” for a medical service, and asks the provider to not provide information about the service to the patient’s insurer, the provider must comply. What if the patient is wearing an outfit without pockets? What if she takes her wallet out of her purse; is that a payment “out of pocket”? That’s not the type of language that should end up in a statute; it’s stupid, and shows what a clown show the entire HITECH process was. Laws should be specific and accurate; there’s no purpose for a “c’mon, you know what I meant” component of a law: if the law does not clearly and unambiguously state the requirements for compliance, it should not even be enforceable. But they felt good about it: “let’s stick it to the man!” But when it’s activists writing the legislation, what you’ll get is emotion, not logic.
Not only is the hide rule poorly composed, it doesn’t make any sense. If the patient pays for the first procedure “out of pocket” but wants the second one charged to insurance, or if the procedure results in the need for further care or prescription drugs, the insurer will rightfully decline to pay: there’s no medical necessity for the second procedure if there wasn’t a first procedure. Even HHS, when drafting the hide rule regulations, threw up their hands and told providers to just do their best. Like I said, ridiculous.
Potpourri: There were a handful of other components in HITECH and the Omnibus Rule, such as stricter limitations on sales of PHI, revisions to marketing requirements, genetic information issues. These were more incremental, as might be expected of an administrative agency fine-tuning existing rules.
There will be more regulations, certainly. In fact, some components of HITECH are still in limbo, awaiting new regulations. HITECH required covered entities using an EMR to provide an accounting of all treatment, payment, and healthcare operations disclosures, which were originally exempted from the accounting requirement. The geniuses who wrote HITECH thought that if you used an EMR, you’d be able to track all disclosures, so that accounting for TPO disclosures would be easy. But that’s not true for most EMRs, and for those where it’s possible, it’s often logistically difficult. HHS proposed rules to address this, and to require accountings not just of disclosures, but of all access to a medical record; those proposed regulations were met with such objection from the industry that HHS quickly surrendered and pulled the regulations, promising to revise and republish them. It’s been almost 10 years, but there’s been no more action on an expansion of the accounting rule (trust me, that’s actually a good thing).
HITECH also set up a structure for victims of harm caused by a HIPAA violation to receive a portion of the fine levied by OCR. As you may know, there’s no private cause of action for a HIPAA breach, so while OCR can levy a multi-million dollar fine, the individual injured by the HIPAA violation gets nothing. However, OCR does get to keep the fines, and they go towards OCR’s general budget. Congress tried to fix that, not by giving the patient (and the plaintiff’s bar) a private cause of action, but by allocating some of the fine to a type of restitution to the victim. However, HHS hasn’t drafted regulations yet to explain how that might work. Hmm, I wonder why not?
There are also some non-HITECH changes that should be expected (revisions to the Notice of Privacy Practices standards were actually published by the Trump administration, but have been pulled back off the table by the Biden administration). Certainly, there will be more to come from HIPAA. But statutory changes are not likely. Any revisions will almost certainly be from the administrative branch.
Einstein subjected to class action suit over breach: These generally don't stand up because it's hard to show damages that are consistent across the class, but plaintiff's lawyers continue to pursue them because eventually someone will win one. So, these are always good to keep an eye on.
Chapter 5: Bush v. Gore, and the Dynamics of Regulatory Timing.
You’re not going to believe this, but at the end of 2000, most Americans thought we had just seen the craziest, most ridiculous election we were ever going to see. What could get crazier than this?
It started election night. I was very much a political junkie then, and was only mildly surprised when the networks called Florida for Gore pretty much as soon as the polls closed in the eastern time zone; the Republican-leaning panhandle counties in the central time zone were still voting, and Bush was leading in early returns, but the networks still called it for Gore. Exit polling was pretty trusted at that point in time, and early returns tended to count places where conservatives would do better. But as the Bush lead persisted, the networks began to report that the Bush team was livid that the networks were calling it (especially before the Panhandle counties had closed their polls).
Eventually the networks put Florida back in the undecided column, as state by state fell aside and it became clear that the election was a dead heat, and Florida’s electoral votes would be the tiebreaker. Tim Russert’s whiteboard ended up with just one word: “Florida.” Al Gore conceded, then un-conceded. I went to bed around 4 am; my wife woke up, asked who won, and I said, “we don’t know.”
You know how it turned out: Bush won the vote, Gore challenged, a recount occurred, Bush still won, Gore sued to force a re-recount, and Bush won at the Supreme Court, thus confirming that a Republican would be replacing a Democrat in the White House. Thus, the Clinton Administration spent its last month knowing that there would be a change in the administrative agencies, not a continuation of the same policies.
That’s important, because the Clinton Administration went all in to push through any regulations that were in the works, no matter how half-baked, in order to try to tie up the conservative administration with enforcing liberal rules, at least until they could change them back. Other administrations had done similar things, but nothing nearly at this scale. One of those regulations was the Privacy Rule.
The Privacy Rule had been proposed already on November 3, 1999 (the Security Rule was originally proposed in 1998), and tens of thousands of comments had been received. On December 28, 2000, with just over 3 weeks left in the Clinton Administration, probably about the time some staffers started thinking about prying the “w” key off of the keyboards in the White House, the Privacy Rule was published in final form.
What do you expect a new administration to do, entering office in such hostility and faced with this avalanche of regulations? They did what subsequent administrations have done: put all recently-passed regulations on hold for a further 60 days to allow for further regulatory review. In February of 2001 the regulations were re-opened for comments, and in March and August of 2002 they were re-issued, with the April 2003 compliance date remaining in place.
The result was a slightly-revised Privacy Rule; the only major change was removal of the requirement to obtain signed consent prior to using PHI for permitted purposes (treatment, payment, and health care operations).
This was greeted with predictable, and predictably dumb, howls from the likes of Ted Kennedy and Hillary Clinton, decrying how this would weaken patient privacy. Actually, it does nothing of the sort, and in fact eliminates a pretty dumb requirement that would do absolutely no good but would hinder effective healthcare. But it’s a useful reference: when you hear complaints from extreme partisans, take them with a grain of salt.
As drafted in the Clinton regulations, no healthcare provider could use PHI until it had the consent of the patient. Seems reasonable, until you think about how healthcare providers actually use PHI. You go to your primary care doctor and sign a consent before he sees you; okay, that is reasonable. But let’s say your PCP determines that you have a very serious condition, and urgently need a particular prescription drug, and need to see a specialist that afternoon. He sends a prescription to a pharmacy, and sends your medical record to the specialist he’s referring you to. So far, so good. You drive to the pharmacy to pick up the drug, but it’s not ready. Why not? The pharmacist could not even look at the prescription and begin filling it until you arrive and sign a consent. Why? Reading and working on your prescription is a “use” of your PHI, and he can’t get started until you sign a consent. You get to the specialist, but he hasn’t even LOOKED at your medical records yet. Why? Reading your chart and thinking about what you need would be a “use” of your PHI, and can’t be done until you sign a consent. Under the revised rules, your prescription is ready and your specialist is prepared to treat you immediately.
And the provider (i) is STILL prohibited from using or disclosing PHI other than for permitted purposes, and (ii) must give the patient a Notice of Privacy Practices (“NoPP”) that outlines what the provider may and may not do; if it’s a use or disclosure that is permitted under HIPAA but not described in the NoPP, the provider needs consent; if it’s a use or disclosure not permitted under HIPAA, the provider needs an authorization.
One other unintended consequence unseen by Ted and Hillary: under the original rule, the provider could refuse to treat the patient unless the patient signed the consent; under the revised rule, the provider must give the NoPP to the patient as soon as possible and try to get a signed acknowledgment of receipt, but if the patient refuses to sign the acknowledgment, the provider cannot refuse to provide the patient with care. Thus, under the old rules, the provider could add provisions into the consent to provide additional protections to the provider (and to the detriment of the patient), making the consent a contract of adhesion: if you want my services, you have to give me what I want. Bush’s rules are a real improvement for patients, as well as for providers.
The pushing of the regulations, the retraction of them, and the reaction to the revisions all highlight the tortuous path the Privacy Rule took to get where it is. Yes, it’s somewhat of a Frankenstein’s monster, cobbled together from parts. But 20 years on, it’s actually a very workable bit of regulatory machinery.
For a long time after I started giving lectures and presenting at seminars about HIPAA, I always tried to explain the machinations surrounding the issuance of the Privacy Rule by asking attendees to “harken back to December 2000; remember what was going on then?” Seems kinda quaint now, doesn’t it?
Chapter 4: Nancy and Ted and the Nature of Legislation.
If you’ve paid much attention to Congress in recent years, you’ll have gotten the impression that they don’t tend to get a lot of legislative action done, and whenever they do, it’s a whole bunch of related – and often entirely unrelated – stuff jammed into one big piece of legislation. The number of “omnibus” or even “comprehensive omnibus” bills, particularly when slapped together as a “continuing resolution” or a “reconciliation act” of some sort, sure seems to outnumber anything else Congress does.
Occasionally, you’ll get a rifle-shot bill that addresses a single issue that is either (i) incredibly pressing and must have some resolution, (ii) something pushed through on a purely partisan basis while one party holds both houses of Congress and the Presidency, or (iii) universally accepted. Usually, though, it’s a hodge-podge of items, mainly poorly drafted, that are the final result of an endless series of horse-trades. A law relating to home mortgages is included in a bill requiring certain classroom requirements in all elementary schools; neither had a chance of passing on its own, but the people wanting the education deal dropped their objections to the mortgage deal and vice versa. Some of the worst examples in recent years have been the USA Patriot Act on the right (at least it had the excuse of coming on the heels of a terrorist attack), and the American Recovery and Reinvestment Act on the left (the source of the HITECH Act).
The other type of grand multi-faceted law is what I like to call a Christmas Tree: it’s a generally-well-regarded legislative idea, usually one that’s bipartisan and not objectionable to anybody, but a hobby horse for some, that gets amended and adorned with additional provisions addressing related but different legislative initiatives, so that it turns out to be adorned with so many new ideas that it’s like a Christmas tree laden with ornaments. HIPAA started out like that.
If you’re young and not from the midwest, you may not remember that Nancy Kassebaum was a mainline conservative Republican Senator from Kansas in the 1990s; unless you’re really new here, you probably know that Ted Kennedy was a liberal Democrat Senator from Massachusetts at the same time (he’ll appear in this series again, don’t worry). In 1996, Kennedy and Kassebaum co-sponsored a bill intended to address the issue of “job-lock.” This would turn out to be of great consequence.
The American health care industry is unique; it’s not just that the US is the world leader in research and level of care (seriously, despite all the jeremiads about how American health care is the “worst,” if money were no object, to what country with “better outcomes” would you flee for health care services?), we are also the only country in the world with a principal reliance on employer-provided healthcare. That’s mainly an accident of history.
At the end of World War II, most of the world’s industrial capacity lay in ruins: besides the US, the great industrial powers before the war (Europe and Japan) had seen their manufacturing sectors bombed into near oblivion. By happy accident of geography, the US was spared. Not that the US was not impacted: millions of soldiers returning from war were trading their rifles for wrenches, which could have been a huge burden on US industry to re-incorporate them. But US industry was now the world’s industry, and American industrial capacity, already dramatically expanded to conduct the war effort, was switching from building tanks and warplanes for the American war effort to building cars and commercial planes (not to mention refrigerators, washing machines, and all manner of industrial equipment) for the rest of the world. The supply of workers was expanding dramatically, but the demand for American industrial output, to supply the entire world, was expanding even more.
However, from a policy standpoint, US industry was still operating under government “war rules,” such as wage restrictions (here’s a long-time truth: once the government starts regulating something, it doesn’t easily give up its regulatory powers, even if the reason for their initial implementation is gone). Employers in many cases were limited by law in how much they could pay employees, so it was difficult for Ford, say, to attract workers away from GM. While they couldn’t offer a higher per-hour wage, an employer could throw some fringe benefits out to attract more new workers. The concept of employer-sponsored healthcare coverage was not invented then (actually, HMOs themselves had been invented [Kaiser-Permanente, if I remember correctly] as a way for employers to keep their employees healthy and on the job), but it did become the most common way for Americans to receive healthcare payment coverage. And now, the US pretty much stands alone in terms of the breadth and size of its employer-provided private insurance markets.
However, there’s a downside to tying a major personal-life benefit to your employer. We don’t get our auto or home insurance from our employers (although we may get some life insurance), so why should we get our health insurance there, instead of from Allstate or State Farm? Given a particular truth about the insurance industry, this connection between your employer and your insurance raises a couple of interesting issues, one of which I’ll address here (for the other, see chapter 7).
First, a word or two about insurance (you’d know all this if you ever really thought about it, but you probably haven’t). No insurance company ever made money by paying claims. That is a fact – they make money by collecting premiums, and if they avoid paying claims, they keep more money for their owners, investors, employees, and executives. Insurers are, therefore, incentivized to limit paying claims wherever reasonably possible; they can’t refuse to pay ANY claims, or nobody will buy the product, but the less they pay, the better (for the insurance company). Part of this is necessary: the pool of money should only be paid out for legitimate covered expenses, and the insurance payment system needs to be structured to prevent “free riders” who obtain outsized benefits from the insurer without taking part in the risk (of paying and not needing/getting). In fact, you need your insurer to be stingy (at least toward bad claims) to assure that there will be money there if you really need it. If the insurer doesn’t collect enough in premiums to cover whatever claims it does pay, it must raise premiums or it goes bankrupt, leaving the latecomers with no coverage at all.
And the basic premise behind buying insurance is to cover risk. For example, you buy homeowners insurance because you can’t afford to replace your entire house if it were to burn down or be destroyed by a tornado, but you can afford to pay a monthly premium for insurance. Most years, you won’t make a claim: like buying a losing lottery ticket, you spent a dollar and got nothing (actually, even though you didn’t collect the Powerball winnings, you did get something: the thrill of playing the game). Insurance is similar: in most years you pay your premium and get no cash payout in return; however, you did get the risk of loss during that year covered, and maybe the peace of mind that goes with that as well. Most years insurance is a losing bet, but in a year when you need it, it can be a lifesaver (literally, with health insurance).
But like I said, there must be enough money in the insurance plan to pay the expected claims, so the insurance company must make sure that the risk is evenly spread among the participants paying in, based on what they are paying in. Let’s take a home fire insurance example. Say you have a neighborhood of 1000 houses, each costing $100,000. Statistically speaking, in our example, one house burns to the ground every year. In order to cover for that annual community risk, the community needs to raise $100,000 each year to cover that loss. Rationally, if every homeowner paid $100 in insurance premiums, the homeowner whose house burned to the ground each year would be covered. In any given year, 999 families don’t need insurance, but one does; for 999 families, their $100 is “wasted,” but for one, their $100 is a lifesaver, because it generated $100,000 to rebuild their house. However, they all pay in $100 to an insurance pot each year (1000 x $100 = $100,000), and the money goes to the one guy who lost the lottery that year. Of course, the homeowners have to pay for someone to run the program, so actually you have to pay a little more than $100, but let’s keep this simple.
Now, what if not everyone participates? Let’s say that 10 people don’t play – they have $100,000 in a trust fund they can use if their house burns down, or just don’t have the $100 (“hey, I got gambling money”). Now, instead of a pool of $100,000 each year, we have a pool of $99,000. Two things the remaining 990 participants can do: everyone pays an extra dollar (and a penny) to get back to $100,000, or have the one fire victim each year only receive $99,000 to rebuild their $100,000 house. Either way, the insurance plan is in balance.
So, imagine you’re one of the 10 non-participants, and you smell smoke. Quickly, you call the insurance administrator, run over with $100 (or $101.01), and now you’re insured. Of course, the smoke is your house burning down. But it’s OK, you’re insured! And best of all worlds, you’ve managed to save that extra $100 you paid each preceding year, unlike the rest of those suckers. This homeowner is the free-rider: taking advantage of the benefits but not sharing in the risks.
You can see the problem there, can’t you? Word gets around, and next year, instead of 990 participants, there’s only 900; an additional 90 people join the original 10 and say, I’ll just get the insurance once my house is on fire. The 900 now have to pay $111.11 each to fill up the $100,000 bank account needed for the year. Suckers. The next year, instead of 900, only 500 participate; the cost is now $200 per household. Eventually, nobody participates.
So, back to employer-sponsored plans. A life insurer or auto insurer can turn down a customer who looks like a bad risk (or at least charge them a much higher premium), but an employer-sponsored plan can’t practically do that. You don’t normally have to give a blood sample when you apply for a job. So how does an employer-sponsored insurer prevent the free-rider? Pre-existing conditions.
This much-maligned concept is actually a good common-sense way to run an insurance plan. A pre-existing condition is the house already afire: it’s not a conceptual or theoretical risk, it’s a known expense. Employer-sponsored plans can’t turn down employees the way a home insurer can exclude a customer whose house is already burning. But it is reasonable and sensible that they would want to deny coverage for the part of your body’s house that is on fire. Especially if that person is a free-rider, who didn’t buy coverage previously but only wanted to put money into the insurance system once he knew he’d be taking a lot more money out.
But what if the person isn’t a free-rider? He started working at Ford, had health insurance through Ford, and was diagnosed with his condition while working at Ford and covered by Ford’s insurance. Now, he wants to take a better-paying job at GM; but if he goes to GM, GM’s insurer will say, “no, we aren’t covering your chronic condition: it’s a pre-existing condition.” So our man is stuck at Ford with no way out. If we all bought health insurance like we bought other insurance, this would not be a pre-existing condition, and he’d just stay with his existing insurer; to his existing insurer, he’s not a free-rider, but to the new insurer, he is.
And thus our man is stuck. He can’t leave Ford because he won’t have health insurance. He is, in a word, locked into his job. He is job-locked.
Now, while it’s fair for GM’s insurer to not want to cover this new guy, it’s not fair to him because he’s not a free-rider. And you know who really wants him to go to GM? Ford. And there’s just as likely someone at GM who wants to go to Ford and is also job-locked: Ford’s insurer doesn’t want her, and GM’s insurer wants to get rid of her.
Like I said, pre-existing condition exclusions make sense, and prevent free-riders from ruining the market at the expense of those who play by the rules. But because of the peculiarities of the American way of employer-sponsored health insurance, we have a problem here. That’s where Nancy and Ted come in.
The goal of the Kennedy-Kassebaum Bill was to address this unique American problem of pre-existing condition exclusions hurting those who played by the rules and didn’t wait until their house was on fire to buy insurance. The basic proposal was this: if you were covered for some medical condition at your old job, and you want to change jobs, the new employer’s insurance can’t exclude a pre-existing condition. In other words, if you weren’t a free-rider at your old job, your new job’s insurer can’t treat you like one. You get credit with your new insurer for your previous coverage; let’s call it “creditable coverage.”
What’s not to like? It’s good for Ford and GM; it’s good for the guy at Ford wanting to go to GM, and the gal at GM who wants to go to Ford. It’s good (or at least not bad) for GM’s and Ford’s insurers – they’re as likely to lose expensive beneficiaries as they are to gain them.
Back to my original point and the title of this chapter: the Kennedy-Kassebaum Bill was one of those political rarities: a piece of legislation that solved an actual, everyday, otherwise-intractable problem in a way that made everyone better off. That type of legislative idea is like a Southern Pacific locomotive: if you’re another Congressman with a related issue or a wish-list item and you can attach your issue to this locomotive, you can get it passed.
And that happened: first, while we’re dealing with health insurance and the healthcare industry, let’s fix the industry’s adherence to paper records, by pushing standardization of electronic data interchange in the healthcare industry. Then, let’s fix the issue of different payors using different forms, and get everyone on the same page. Of course, more electronic data means greater risk to privacy and security, so let’s fix that too. And while we’re at it, let’s add in some rules for health savings accounts. How about some fraud and abuse provisions, while we’re at it? Sure, and maybe a little malpractice reform as well. A nice simple idea, and we end up with an Act with 5 Titles, dozens of subtitles (all of what we are talking about when we talk about HIPAA is actually the Administrative Simplification subtitle of Title II of HIPAA), and hundreds of pages of law, not to mention thousands of pages of regulations generated just by the Administrative Simplification subtitle.
So what started as a bill to end job-lock ended up as the Health Insurance Portability and Accountability Act. That’s one P, two A’s (huge pet peeve: “HIPPA.” Do that in my health law class and you’ll lose a point or two). And the P stands for Portability, which was the locomotive that pulled all these other parts over the finish line and into the US Code.
All this privacy and security stuff? That’s just gravy, baby.
Chapter 3: Federalist Silos: a Sectoral Approach to Privacy Legislation
How do we think about privacy, as a body politic, and how should we? Liberal democratic political systems like ours are built on a theory of liberty – the government should not hinder the liberty of the people except where reasonably necessary.
As you may know, I teach a Health Law, Policy and Regulation class in the Masters of Healthcare Leadership and Administration program at the University of Texas at Dallas, and I like to draw a continuum on the whiteboard to make this point. At one end is Order, and at the other is Liberty:
Liberty <-----------------------> Order
With absolute liberty, every man (and woman, I’m using traditional English) is free to do whatever he wants; however, what happens when one man’s wants conflict with another’s? Your freedom to swing your fist ends at the tip of my nose: if your exercise of liberty conflicts with mine, whose wins? Thus the state must put some limits on liberty. But as no man is an island, in some way almost anything you do impacts me, at least in some remote fashion (the old “beating of a butterfly’s wing” scenario). That can lead to further erosion of liberty. In fact, the more you erode liberty, the more order you get (think of totalitarian countries: there is much order – the trains run on time – but much misery).
Western civilizations run much toward the liberty side, and so we often speak of things in terms of “rights” of citizens. You could say we fetishize “rights” in the US: we even have the Bill of Rights in the Constitution.
And so you’ll often hear talk of a “right to privacy.” Of course, the word “privacy” does not appear in the Constitution. But Samuel Warren and future Supreme Court Justice Louis Brandeis wrote a famous Harvard Law Review article in 1890 entitled “The Right to Privacy,” based on a concept of “the right to be let alone.” And of course, the Supreme Court basically invented it as a constitutional right (a penumbra of an emanation) in Roe v. Wade (with a concurrence from Potter Stewart, who in the predecessor case of Griswold v. Connecticut noted that “With all deference, I can find no such general right of privacy in the Bill of Rights, in any other part of the Constitution, or in any case ever before decided by this Court.”).
Likely due in large part to this lack of a central “right of privacy” in American jurisprudence, US law does not view privacy as an inherent right in individuals. Rather, privacy rules tend to emanate from specific types of information or specific relationships between individuals where privacy and confidentiality are expected or required. For example, ethical and legal obligations bind attorneys, physicians, psychologists, and clergy to maintain the confidences of their clients, patients, or penitents. Likewise, certain information in certain hands is also often the subject of statutory or regulatory grants of privacy, due to the particularly sensitive nature of the information: banking information, educational information, tax information.
This results in the US having a legal privacy framework built into certain areas of business and life: in other words, the US has a “sectoral” approach to privacy. Compare instead the European approach: the General Data Protection Regulation (“GDPR”) is based on a nearly-Constitutional concept of a right of privacy in citizens of EU countries. There, the right to privacy exists as a force of nature, and law must bend to it. In the US, the underlying right isn’t nearly so insistent, so the law has more flexibility (and if there is no specific law on point, there is no right to privacy).
I could get pretty esoteric about why the US system is better. The “privacy” we are talking about here is the privacy of information about a person (not the right of someone to put a camera in your bathroom), and information wants to be free. I can gain information about you just by looking at you: the color of your hair, your mannerisms. That is your information; if you have an absolute right to privacy of information about you, then theoretically I can’t tell someone else what color hair you have, without your permission. But while the information is about you, should it be yours? If so, you should be able to make me give it back to you; but I can’t unsee your hair color or your mannerisms. That’s no way to run a legal system.
Anyway, weren’t we talking about HIPAA? Sorry for the digression.
So, the US has a sectoral system: federally, we have HIPAA for health information, Gramm-Leach-Bliley for banking information, and FERPA for educational records. We have COPPA to protect kids, CAN-SPAM and other laws regulating e-commerce and the internet, and an FTC rule that requires businesses to have “reasonable” data privacy and security protections.
As a federal system of government, we also have other laws at the state and local levels. Many states have their own version of HIPAA, and all have specific laws binding physicians and hospitals to maintain the privacy of medical records. Some states have other, general data privacy laws (the California Consumer Privacy Act brings GDPR-style regulation to businesses operating in California, for example), laws regarding biometric information (the Illinois BIPA is the source of much litigation against Facebook), and laws requiring specific data security measures (Nevada and Massachusetts both require personal information in electronic form to be encrypted in transit and at rest).
In 2003, California passed the nation’s first data breach notification law, requiring businesses in California to notify affected individuals if they are aware of a breach of computerized data that contains “personal information.” Other states followed suit, and in 2018, Alabama became the last state to enact a similar law. These laws are all similar: usually it’s only electronic or computerized data, but statutes vary in what information triggers the duty, the timing of reporting, and whether governmental entities should be notified. In 2009, as part of HITECH, HIPAA added its own data breach notification law*, but it applies to all data, not just computerized data.
The purpose of these laws is to let the individual know that their data is “in the wild;” none of these breach notification laws assume that the reporting entity is in violation of the law or liable for damages: it’s entirely possible that a reporting entity complied with every law and took all reasonable precautions, but was still attacked by a bad actor or suffered some other calamity that was of no fault of their own. But even if the reporting entity is innocent, the need to report is still there: the individual needs to know so they can protect themselves.
That’s the American solution to privacy: all these privacy laws, each in its silo, each tailored to the peculiarities of the industry in question. This sectoral approach helps explain some of the limitations on HIPAA: it only applies to certain entities and certain data (see Chapters 7 and 8). But it also allows the rest of the business of healthcare to continue to operate as it should. As I noted above, perfect privacy is the enemy of good health care, and HIPAA’s structure (such as allowing uses and disclosures for treatment, payment, and healthcare operations without the need for consent or authorization) is a brilliant fix.
Should we have a more general law? Maybe: many states have followed California’s lead in one way or another, with general privacy laws for their citizens, and some privacy oriented congressmen (such as Senator Ron Wyden of Oregon) regularly sponsor general national data privacy bills, but so far none has come forward. Personally, I think the sectoral approach has served us well, and balances the equities well. I would not want a US version of the GDPR: some provisions, such as the “right to be forgotten,” would do violence to our American concept of personal rights and private property. If I have obtained information about you fair and square (you told me freely, I observed it, it is public knowledge, etc.), and I can use that data (combined with other data, for example) for a profitable purpose, why shouldn’t I be able to do so? The data’s about you, but if I have it fair and square (I did the research, I gathered the information, etc.), the data I’ve got should be my property. That’s the American way.
*Ed. note: I considered giving breach notification its own Chapter; but the Privacy Rule is turning 20, not 21. Then again, given the lack of speed with which I’m getting through this, it might be time for a 21st by the time I’m done.
Chapter 2: The Dynamic Tension Between Privacy and Good Healthcare.
But that’s not exactly the point I’d like to make here. What I want to point out here is that all things taken to an extreme can be bad, and that includes privacy. Can you have too much privacy? Yes, in fact, you can.
Perfect Healthcare <------------------------> Perfect Privacy
Note: On April 14, 2001, the first bit of HIPAA regulation, the HIPAA Privacy Rule, became effective. It was not enforceable for 2 more years, and was followed by the Security Rule, HITECH, the Breach Notification Rule, etc., but the “s*#t got real” 20 years ago today (I started this blog on March 8, 2002). And so, today begins a series of 20 big blog posts celebrating and explaining 20 big ideas, facts, stories, or peculiarities about HIPAA. It’s an opportunity for me to pull back and highlight some major themes and lessons I’ve learned playing in this space for the last 21 years.
Chapter 1: “Who is that behind those Foster Grants (with the huge stack of copies of the Federal Register)?”
Facebook got sued under the Telephone Consumer Protection Act, which puts restrictions on spam callers (according to my cell phone, not nearly enough restrictions!!), for sending texts to members. But the court noted that Facebook used numbers it already knew from members it already had, not randomly generated or sequentially stored numbers. In other words, the TCPA rules don't apply if there's some sort of intelligence or customer-related information that determines who gets the call or text.
This helps providers who want to use patients' cell phone numbers they have to send text reminders, but can't charge for them, must allow opt-out/unsubscribe, and can't do billing, advertising, or marketing that way. That's nice, but the key is you must still comply with HIPAA, and there's a lot of good reasons to say that texting might not be HIPAA-compliant at all.
I don't think texting automatically violates HIPAA, but some patients do. Texting definitely isn't as secure as using encrypted email or a portal -- most people set their phones so they can see the name of the sender and the first line of the most recently received text before unlocking the phone. That means random people picking up the phone can see who sent the text and some of the content. Obviously, that's problematic.
If you're considering this, think about ways to limit your HIPAA exposure. Have the patients sign a consent anyway, making sure they understand the risks before agreeing to accept texts. Allow them to opt out at any time. Make the "sender" name as generic as possible, especially if the provider name is obviously connected to a particular disease. Make sure the first line or two is a generic greeting; the less PHI visible, the better.
There's more, obviously. Definitely something you want competent HIPAA counsel to help you with. So, text me, OK?
Legislation and regulations generally require certain behaviors; the threat of fines, jail time, and lawsuits is often enough to spur compliance. But sometimes, in order to obtain specific behavior over and above the minimum requirements, legislatures will give benefits in addition to penalties, adding a carrot along with the stick.
Utah has just done so with regard to companies that suffer a data breach. If the data holder creates, maintains, and complies with a reasonable cybersecurity program, including safeguards in a framework at an appropriate scale for the data holder, that can serve as a defense for a suit relating to a data breach.
Utah and Ohio now have such laws; I'd expect a few states (particularly red ones) to adopt similar legislation in the coming years.
Didn't I just say 17? How about number 18?
Access Case #17: CMS continues its string of settlement actions with covered entities that fail to give patients proper access to their medical records. Again, it's a covered entity that got in trouble for failing to give access, got "technical assistance" from OCR (meaning a complaint was filed, they were contacted by OCR and OCR told them how to fix the problem), but failed a second time to give access to the same patient. This time, the winning covered entity is Arbour Hospitals, a behavioral health provider in Massachusetts; Arbour's "prize" is a fine of $65,000.
As you probably know, on December 10 HHS proposed some HIPAA revisions (which I briefly noted) to clear up permissions for use and sharing PHI for population health issues, as well as some changes to the NoPP requirements (it wasn't published in the Federal Register until January 21, 2021). However, since December 10 was the Trump Administration and January 21 was the Biden Administration, the new administration put a hold on the regulations. Now, they have extended the comment period from its stated termination, March 22, to May 6. So, if you got comments, but are lazy, you now have some extra time.
On this date in 2002, I posted this item as the first post ever on HIPAAblog. True to my word, my blogging laziness has been unsurpassed. Just how lazy a blogger am I? I am too lazy to stop.
That said, the next two months will mark the 20th anniversary of the publication of the first final version of the Privacy Rule. The true original was published December 28, 2000, in the dying days of the Clinton administration, but was included in the set of regulations suspended for 90 days by the Bush administration. The slightly revised regulations were published March 27, 2001, with an effective date of April 14, 2001 (but a 2-year enforcement moratorium until April 14, 2003). So, March/April 2021 really mark the 20th anniversary of the Era of HIPAA.
So, in honor of my 19 years of blogging, and HIPAA's 20th birthday, over the next 2 months I plan a series of 20 long(ish) posts highlighting HIPAA's history, progress, and mutation, its successes and failures, and its on-going relevance. I haven't got all 20 posts in my head yet, so there might be some predictions, too (no promises, though).
So, keep checking in. As I've said often on this blog, more to come.
Better Late than Never: Sometime in 2017, a hacker got into Gore Medical Management's information systems and stole files containing PHI of 79,000 patients. They didn't find out until November 2020, when the FBI notified them it found the files on an unrelated computer. Two bits of good news, one bit of bad news: First, Gore had already discovered the technical issue and corrected it (apparently they just didn't know files had been taken). Second, the information did not contain any clinical information. However, it did contain social security numbers.
HHS officially announced yesterday that it will waive penalties for use of online scheduling tools for distributing Covid-19 vaccines. This is consistent with other actions during the pandemic, and really indicative of the way HIPAA works -- there are very few things that "you just can't do," because almost everything is a facts-and-circumstances analysis.
Annual breach reports due this week: If you are a HIPAA covered entity and suffered a "small" (<500 affected people) breach of unsecured PHI during 2020, you need to report the incident to OCR this week if you haven't done so already.
When a covered entity suffers a HIPAA data breach, the patient must be notified without unreasonable delay, and no later than 60 days. If the breach is big, involving 500 or more people, the covered entity must also notify OCR and major media in the area at the same time; if it's less than 500, only the patient needs to be notified immediately, and there's no requirement to notify the newspapers at all. OCR still needs to be notified, but the covered entity is required to notify OCR of all of its small breaches at the same time: during January or February of the next calendar year. The filing is pretty easy, it's mostly fill-in-the-blank and menu-driven choices. Thus, if you had any small breaches in 2020, you need to report them by the end of this week.
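The notification schedule described above, turned into a deadline calculator as an added example (this is not code from the original post). It assumes the 60-day individual notice window and the 500-person threshold stated in the post, and takes the annual small-breach log deadline (no later than 60 days after the end of the calendar year of discovery) from 45 CFR 164.408(c); the `Obligations` and `overdue` names are constructed for the example.

```python
"""Breach notification obligations under the HIPAA Breach Notification Rule.

Added example, not from the HIPAA Blog post. Given the date a breach of
unsecured PHI was discovered and the number of affected individuals, work out
which notices are due and by when.

Assumptions (from the post and 45 CFR 164.404-164.408):
  * individuals: without unreasonable delay, no later than 60 calendar days
    after discovery;
  * 500 or more individuals: OCR and prominent media at the same time as the
    individual notices;
  * fewer than 500: OCR via the annual log, no later than 60 days after the
    end of the calendar year in which the breach was discovered.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set

LARGE_BREACH = 500            # threshold for OCR-now and media notice
NOTICE_WINDOW = timedelta(days=60)


@dataclass(frozen=True)
class Obligations:
    affected: int
    is_large: bool
    individuals_by: date      # outer limit; "without unreasonable delay" still governs
    ocr_by: date              # contemporaneous (large) or annual log (small)
    media_by: Optional[date]  # None when no media notice is required


def notification_obligations(discovered: date, affected: int) -> Obligations:
    """Return the notice deadlines triggered by a breach discovered on `discovered`."""
    if affected < 1:
        raise ValueError("a breach must affect at least one individual")
    individuals_by = discovered + NOTICE_WINDOW
    is_large = affected >= LARGE_BREACH
    if is_large:
        # OCR and media are notified at the same time as the individuals.
        return Obligations(affected, True, individuals_by, individuals_by, individuals_by)
    # Small breach: OCR learns of it through the annual log, filed no later
    # than 60 days after the end of the calendar year of discovery (timedelta
    # handles leap years for us).
    year_end = date(discovered.year, 12, 31)
    return Obligations(affected, False, individuals_by, year_end + NOTICE_WINDOW, None)


def overdue(ob: Obligations, today: date, sent: Set[str] = frozenset()) -> List[str]:
    """Names of notices that are past their deadline and not yet in `sent`.

    Intended for a breach log: `sent` holds the notices already delivered,
    e.g. {"individuals", "OCR"}.
    """
    late = []
    if "individuals" not in sent and today > ob.individuals_by:
        late.append("individuals")
    if "OCR" not in sent and today > ob.ocr_by:
        late.append("OCR")
    if ob.media_by is not None and "media" not in sent and today > ob.media_by:
        late.append("media")
    return late


if __name__ == "__main__":
    # Constructed sample: a small breach discovered in September 2020 must be
    # on the annual log by March 1, 2021, which is why the post says "this week".
    small = notification_obligations(date(2020, 9, 15), 120)
    print(small)
    print("late as of 2021-03-02:", overdue(small, date(2021, 3, 2), {"individuals"}))
```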
Free ransomware protection: The program, which the Center for Internet Security has been offering to public hospitals, is now available for free to any US hospital. It's not an ironclad shield, but it does appear to block malicious domains that are often associated with phishing and other malware.
21st Century Cures Act impact on HIPAA documentation. The Cures Act imposes a lot of general rules designed to prevent information blocking. I just happen to be revising some standard HIPAA documentation (hint: if you're a member of the Texas Medical Association and use the HIPAA forms provided by them, some slightly revised documents will be rolling out sometime in 2021), and thought it might be a good idea to point out that a couple of semi-hidden provisions of the Cures Act might trigger a good reason to revise some of your documents.
The underlying purpose of the Cures Act, for these purposes, is to prevent "information blocking." While HIPAA is about protecting PHI, it also allows (and sometimes requires) PHI to be shared when appropriate. Many EHR providers intentionally try to limit the ability of their EMRs to communicate with other EMRs (they want to put up hurdles to keep their customers from easily migrating to a competitor EMR), and some health care providers try to prevent patients from sending their PHI to other providers, who they consider competitors. That type of information blocking is the focus of recent rules from CMS and ONC.
There's an obvious tension between HIPAA's requirement to generally prevent uses and disclosures of PHI, and the Cures Act Rules prohibiting most activities that could be considered information blocking (data privacy is, by definition, information blocking). While the ONC Cures Act Rule recognizes that nondisclosures because they are prohibited by law (e.g., a general refusal to provide PHI to an unknown requestor due to HIPAA Privacy Rule prohibitions) are not information blocking, it is careful to say that this only applies to disclosures that are actually prohibited. Thus, if a provider withholds data because it is permitted to do so, it will be in compliance with HIPAA, but could be in violation of the ONC data-blocking rule. It's tricky.
For health care providers, the general requirement is to not engage in activities that could be information blocking; at its most basic level, if a provider is granting patients access to their records in the manner required by HIPAA, it's unlikely they could be considered to be engaging in information blocking, but it's probably a good idea to make sure your documentation doesn't unintentionally commit you to activities that could be considered information blocking by a disgruntled patient.
Consider revising your BAA: Section 4006 of the Cures Act itself revised HITECH (which revised HIPAA), to include a requirement that might make you want to consider revising your standard form BAA. HITECH now says:
"If the individual makes a request to a business associate for access to, or a copy of, protected health information about the individual, or if an individual makes a request to a business associate to grant such access to, or transmit such copy directly to, a person or entity designated by the individual, a business associate may provide the individual with such access or copy, which may be in an electronic form, or grant or transmit such access or copy to such person or entity designated by the individual."
Due to this, you might consider amending the "Access" provision of your BAA to allow the business associate to make the disclosure of an individual's PHI directly to the individual or to the person indicated by the individual, if the individual approaches the business associate directly. Most BAAs simply require the business associate to provide the PHI to the covered entity upon request, and many require the business associate to communicate to the covered entity before providing the PHI to the patient. In fact, most business associates don't want to be responsible for making the decision about whether they should grant access to the patient. If you are a health care provider, you should consider revising your BAA to allow the business associate to make the disclosure directly, with a requirement that the business associate notify you if they have done so.
Consider revising your NoPP (all providers): The CMS and ONC Cures Act Rules prohibit covered entities from refusing to disclose PHI if doing so would be information blocking. In other words, if the covered entity is asked to disclose the information and refusing to do so is data blocking, then in fact the covered entity is now required by law (the Cures Act) to make the disclosure. While this might not have a real practical impact, you should consider revising the "required by law" section of your Notice of Privacy Practices to include a reference to disclosures required to avoid information blocking.
Consider revising your NoPP (Medicare/Medicaid hospitals): The CMS Cures Act Rule revises the Medicare/Medicaid Conditions of Participation (CoPs) for hospitals to require that the hospital automatically send electronic notifications upon a patient's admission to (including ER registration) or discharge or transfer from the hospital ("ADT Notice"). The ADT notice should be automatically sent to appropriate post-acute care service providers, as well as to the patient's primary care provider or group and any other provider designated by the patient. Since these notifications will happen automatically, and the patient might be surprised to hear that their primary care doctor (who maybe they didn't like that much anyway) found out they were admitted, or annoyed to get calls from post-acute providers seeking to provide the patient with services, it might be a good idea for hospitals to revise their NoPPs to warn the patients about these disclosures.
Food for thought.
Here are a couple of questions regarding a recent seminar I conducted for Lorman Education Services:
Q: The patient passes away, what do we need from family/life insurance policies in order to release records?
A: The answer depends on the specifics of state law, but the person who is "authorized to act on behalf of a deceased individual or the individual's estate" becomes the "personal representative," and has all rights the deceased person would have had if they were still alive. This is usually the executor or administrator of the estate, or the holder of letters testamentary. If a family member provides court papers that indicate he/she has been appointed executor, then the covered entity should treat that person as if he/she were the patient.
More enforcement discretion: HHS announces that OCR will exercise enforcement discretion with respect to providers who use on-line or web-based scheduling applications in good faith to schedule individual patients for the Covid vaccine. This is in line with earlier Covid-related regulatory relief. On-line and web-based scheduling platforms have been the source of some HIPAA breaches, and if they aren't set up right, can be problematic. Just like Zoom, FaceTime, and the like. But for the same reason, the benefits of speed, low contact, and easy accessibility in the time of Covid are worth the risks.
Interestingly, the same day that the Fifth Circuit kicked out a $4.3 million fine against MD Anderson, Excellus BC/BS in upstate NY agreed to a $5.1 million settlement with OCR. Granted, the Excellus breach was much, much bigger and lasted much longer, but it's still a little curious; I wonder if Excellus has "settler's remorse" now?
MD Anderson fought the law, and . . .
MD Anderson actually won. At least at the 5th Circuit. I'll want to read the opinion before I can predict whether OCR will appeal to the Supreme Court, but I think it's likely they will. So, keep in mind that I'm operating a little in the dark here, but would you like my initial take?
Here's the chronology:
Between 2011 and 2015, MD Anderson lost one laptop and two flash drives (actually, the laptop was stolen in a home burglary, and the flash drives were lost by an intern and a visiting research physician). The media had research-related ePHI of 35,000 patients involved in Anderson's research projects. In 2006, Anderson had adopted policies requiring encryption of ePHI, but neither the laptop nor the flash drives were encrypted.
Anderson reported the incidents in 2012 and 2013, triggering an investigation by OCR. OCR stated that they tried to reach an informal resolution with Anderson over the course of their investigation, but were unable to do so. I don't have any inside detail, but it sounds like Anderson might've ignored or rebuffed OCR's outreach efforts, just as Children's Medical Center in Dallas did.
Since Anderson and OCR did not reach a settlement agreement, in March 2017, OCR issued a "Notice of Proposed Determination" in which it imposed a $4,348,000 fine for multiple HIPAA violations, including failure to encrypt (encryption itself is an addressable issue, not a required one, but given Anderson's 2006 policies, they internally addressed it and determined that it was necessary). Anderson challenged the proposed determination, which sent the matter to an Administrative Law Judge. Anderson's defense included that encryption was not required (cf. their own policies), the information was for research so not covered by HIPAA (it's still PHI, and Anderson is still a covered entity), that no known harm was determined to have come to any of the affected individuals (you still get a ticket even if your reckless driving doesn't cause any accidents), and that OCR lacked the authority to levy fines against state agencies (HIPAA specifically applies to Medicare and Medicaid, and OCR has fined plenty of governmental entities). They also argued that the fines were unreasonable (now, that's an argument I can buy). They later specifically argued that the fines violated the 8th Amendment to the Constitution, which specifically prohibits "excessive fines."
The ALJ upheld the penalty, in relatively harsh words, in June 2018. Anderson appealed inside the administrative law system, to the Departmental Appeals Board, which upheld the ALJ's award. Anderson also appealed to federal court system, seeking a determination that OCR's fine was unreasonable and beyond the authority of OCR to impose. In April 2019, OCR issued guidance, and a Notification of Enforcement Discretion, indicating that it now believed that lower fine limits were applicable; Anderson appealed the DAB ruling to the Fifth Circuit, adding the fine limits to its arguments against the penalty.
In the HITECH Act, Congress authorized OCR to levy higher penalties; however, as with much of the language in the shoddily-drafted and hastily passed ARRA (also known as the Stimulus Bill [or "porkulus" if you're a deficit hawk], of which HITECH is a part), the penalty language is poorly drafted. While the Omnibus Rule (passed by Obama's HHS) included adoption of the apparent new higher limits, the Notice of Enforcement Discretion (passed by Trump's HHS) finally recognized this, and instituted a tiered system of penalties, based on culpability. While the Notice of Enforcement Discretion could be read as forward-looking only, its underlying rationale gave Anderson a good toe-hold to fight the fines against it (in my opinion, the only really good argument they had).
Ultimately, the Fifth Circuit determined that OCR's fine was "arbitrary, capricious, and contrary to law;" even OCR has acknowledged that it can no longer defend the portion of the fine in excess of $450,000, under the rationale in the Notice of Enforcement Discretion. The court did not rule on Anderson's argument that it is not a "person" under HIPAA because it is a state agency (if the court had sided with Anderson, that would've made an appeal to the Supreme Court by OCR much more likely).
Obviously, I'll chime back in once I read the actual ruling, if that changes any of the above.