25 posts categorized "HIPAA"

May 01, 2012

Phoenix Cardiac Surgery HIPAA violations - a follow-up

In this case, the OCR found that, on a daily basis, over a period of four years, Phoenix Cardiac Surgery had transmitted ePHI from an Internet-based email account to the personal Internet-based email accounts of workforce members, underscoring the risks posed to practices by the unregulated or unsupervised use of email for the transmission of ePHI.

Although Phoenix Cardiac Surgery is a small, non-institutional provider, i.e., a physician practice with just two owners, the OCR did not relieve the practice of its obligation to comply with the basic requirements of HIPAA. Instead, the OCR required the practice to pay $100,000 to settle the claims against it and to enter into a one-year corrective action plan (CAP). Pursuant to the terms of the CAP, the practice must develop policies and procedures that comply with the HIPAA Privacy and Security Rules, send them to OCR for approval and fully implement them within 30 days of OCR’s approval. The CAP also requires the practice to obtain a signed statement from every workforce member that he or she has read, understands and will abide by the policies and procedures. The CAP requires the practice to train all workforce members who use or disclose PHI regarding the policies and procedures within 60 days of OCR’s approval of the policies. During the term of the CAP, any violation of the policies and procedures must be reported to OCR, together with steps the practice intends to take to mitigate any harm and prevent recurrence.

OCR's expectation that providers should be in full compliance with the Security Rule - which went into effect seven years ago - is not surprising. This settlement highlights the need to treat security compliance as a continuous process involving regular assessments of the security environment, review of policies and procedures, and workforce training - FOR EVERY MEDICAL PRACTICE, LARGE, MEDIUM, SMALL, AND SOLO.

April 20, 2012

Physician practice gets into HIPAA hot water

Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, has agreed to pay the U.S. Department of Health and Human Services (HHS) a $100,000 settlement and take corrective action to implement policies and procedures to safeguard the protected health information of its patients.

The settlement with the physician practice follows an extensive investigation by the HHS Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).

“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of OCR. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”

OCR’s investigation also revealed the following issues:

• Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
• Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
• Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
• Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.

Under the HHS resolution agreement, Phoenix Cardiac Surgery has agreed to pay a $100,000 settlement amount and to enter into a corrective action plan that includes a review of recently developed policies and other actions taken to come into full compliance with the Privacy and Security Rules.

April 02, 2012

If You Handle Protected Health Information (PHI) or Personally Identifiable Information (PII), Buy Data Breach and Security Incident Insurance!

We live in the data age, where every day a new technology is announced in business- and consumer-oriented ecommerce and mobile health (mhealth). In response, in recent years, federal and state legislators have enacted strict data privacy and security laws, such as HIPAA, COPPA, and Gramm-Leach-Bliley, to protect data whether in electronic (IT) or physical form. This data is known as protected health information under HIPAA and as personally identifiable information under other statutes. New federal and state laws also mandate comprehensive data breach responses, including notifications to the individuals whose PHI or PII was breached and, in some cases, to regulatory agencies and state attorneys general. The shared premise behind these laws is that the public expects the highest standard of data protection from businesses and government. (Whether or not this is true – after all, we regularly give our credit card numbers to anonymous persons over the phone – is a subject for another day…)

Read more:

http://blogs.duanemorris.com/duanemorrishealthlawblog/entry/test

March 16, 2012

When was the last time your medical practice had a HIPAA risk assessment?

As you are probably aware, the government has begun the first round of HIPAA compliance audits - these audits have included physician practices. So the million-dollar question is: Is your medical practice really in HIPAA compliance? I find most are not, even though they think they are.

A good first step to HIPAA compliance is to conduct an internal HIPAA risk assessment. At a minimum, a risk assessment must include these questions:

• What types of protected health information (PHI) do we possess, receive, store or transmit?

• How sensitive is this data in what it reveals about patient medical conditions, procedures, diagnoses and prescriptions? Data about sexually transmitted diseases, sexual health, pregnancies and mental health are considered especially sensitive.

• How valuable or desirable might this data be to criminals? Inclusion of social security numbers, mother's maiden names, home addresses, payment details and long-term medical history are considered sensitive because they can be used by criminals to commit financial and healthcare fraud.

• What steps and procedures are in place in our medical practice right now to protect the PHI we possess, receive, store or transmit?

• Finally, what additional steps, procedures, or technologies are necessary to bring our data protections into line with generally accepted information-technology standards or with the standards published by the National Institute of Standards & Technology (NIST)?

February 06, 2012

New HIPAA audit program announced

Last month, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) published details about its new HIPAA Privacy and Security Audit Program at its website. This new HIPAA Audit Program is being established pursuant to the American Recovery and Reinvestment Act of 2009 (in Section 13411 of the HITECH Act) which requires HHS to perform periodic audits of covered entities and business associates to ensure that they are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.

Initially, only covered entities (e.g., health plans and health care providers) will be selected for audit, but business associates will be included in future audits. OCR plans to audit 150 covered entities during this initial pilot phase, which will last from November 2011 until April 2012.

Entities that have been selected for an audit will receive a letter introducing the contractor that has been selected to perform the audit (currently KPMG), explaining the process and expectations in more detail, and describing the initial document and information requests. Entities are expected to provide the requested information within 10 business days of receiving the request.

OCR plans to notify a selected entity 30-90 days prior to the anticipated onsite visit, which is expected to last 3-10 business days, depending on the organization. Within 20-30 days of completion of the onsite visit, the auditor is expected to provide a draft final report to the entity; the entity will have 10 business days to review the draft and provide written comments to the auditor. Within 30 days of receiving the entity’s response, the auditor will complete a final audit report, which will be submitted to OCR.

Although OCR has stated that these audits will be conducted primarily to improve compliance with HIPAA and to help OCR determine what types of technical assistance should be developed and what types of corrective action are most effective, if an audit report indicates a serious compliance issue, OCR may initiate a separate compliance review to address any identified problems. OCR has indicated that it will not post a list of the entities that have been audited or the findings of any individual audit that clearly identifies the audited entity.

Given this new focus on audits, both covered entities and business associates would be well advised to review their HIPAA privacy and security compliance programs and ensure that they are up to speed.

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/sample-ocr_notification_ltr.pdf

July 07, 2011

HIPAA privacy rule enforcement highlights

The HIPAA Privacy Rule is a set of federal standards to protect the privacy of patients' medical records and other health information maintained by covered entities: health plans, which include many governmental health programs, such as the Veterans Health Administration, Medicare and Medicaid; most doctors, hospitals and many other health care providers; and health care clearinghouses. These standards provide patients with access to their medical records and with significant control over how their personal health information is used and disclosed. Compliance with the standards was required as of April 14, 2003 for most entities covered by HIPAA. On that date, OCR began accepting complaints involving the privacy of personal health information in the health care system.

Privacy Rule Enforcement Results as of April 2011

  • HHS/OCR has investigated and resolved over 13,503 cases by requiring changes in privacy practices and other corrective actions by the covered entities. Corrective actions obtained by HHS from these entities have resulted in systemic change that affects all the individuals they serve. HHS has enforced the Privacy Rule by applying corrective measures in every case where an investigation indicated noncompliance by the covered entity. OCR has investigated complaints against many different types of entities, including national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.
  • In another 7,022 cases, OCR's investigations found that no violation had occurred.
  • In the remaining completed cases (40,025), HHS determined that the complaint did not present an eligible case for enforcement of the Privacy Rule. These include cases in which:
      • OCR lacks jurisdiction under HIPAA, such as a complaint alleging a violation prior to the compliance date or alleging a violation by an entity not covered by the Privacy Rule;
      • the complaint is untimely, or was withdrawn or not pursued by the filer; or
      • the activity described does not violate the Rule, such as when the covered entity disclosed protected health information in circumstances in which the Rule permits such a disclosure.

In summary, since the compliance date in April 2003, HHS has received over 60,550 HIPAA Privacy complaints. HHS has resolved over ninety-one percent of the complaints received (over 55,141): through investigation and enforcement (over 13,503); through investigation and a finding of no violation (7,022); and through closure of cases that were not eligible for enforcement (40,025).

From the compliance date to the present, the compliance issues investigated most often, compiled cumulatively and listed in order of frequency, are:

  1. Impermissible uses and disclosures of protected health information;
  2. Lack of safeguards of protected health information;
  3. Lack of patient access to their protected health information;
  4. Uses or disclosures of more than the Minimum Necessary protected health information; and
  5. Complaints to the covered entity.

The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:

  1. Private Practices;
  2. General Hospitals;
  3. Outpatient Facilities;
  4. Health Plans (group health plans and health insurance issuers); and
  5. Pharmacies.

July 21, 2010

HIPAA: Physicians treating family members

What safeguards should physicians who treat family members consider? Reasonably ensure the maintenance of relevant audit logs. Also, consider a regular review of patient charts for family members treated regularly. These measures are necessary to reasonably ensure that access to the medical record, whether paper or electronic, is related to treatment, payment, or healthcare operations only.

Securing the charts of family members in a locked receptacle or cabinet is a wise precaution. These charts may be provided to physicians for appointments with family members or when a chart review or consultation is necessary. The HIPAA Privacy Rule does not require these measures; they are merely additional steps to help protect the practice, family members, and physician if the physician is later accused of accessing family members’ files for reasons other than treatment.

Reproduced from HIPAA Weekly Advisor © 2008 HCPro, Inc., 200 Hoods Lane, Marblehead, MA 01945. 781/639-1872. www.hcpro.com. Used with permission.

June 03, 2010

Is your Business Associate Agreement compliant with HITECH?

Under HITECH, a business associate has the same responsibilities for breaches as the healthcare entity does, but it is the healthcare organization’s responsibility to have an updated, signed business associate agreement in place that describes and addresses this new responsibility. So if you haven’t done so, you’ll need to revise your business associate agreement and get it re-executed with all related parties working with your physician practice. If you need an example of a revised business associate agreement, follow this link and look under “publications.”

http://www.nchica.org/HIT_HIE/ARRA.htm

May 03, 2010

Sharing a patient's PHI

A staff member recognizes an acquaintance, realizes the acquaintance is a patient, and shares this information with someone else. Has the staff member violated HIPAA? The answer is yes if the staff member shared this information for reasons not related to his or her job. Recognizing the patient would be considered an incidental disclosure. Disclosing this information to another person, however, would be considered an inappropriate release of PHI.

Reproduced from HIPAA Weekly Advisor © 2010 HCPro, Inc., 200 Hoods Lane, Marblehead, MA 01945. 781/639-1872. www.hcpro.com. Used with permission.

March 04, 2010

HIPAA and reporting theft by a patient

A patient steals the wallet of a health care worker while at the hospital. The credit cards are used before they can be canceled. The health care worker views the videotape at one of the stores and recognizes the patient. Can the health care worker report the theft and indicate the name of the person seen on the tape (and no more)? The answer is yes. Section 164.512(f) states that a covered entity may disclose to a law enforcement official protected health information that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity.