32 posts categorized "HIPAA"

May 20, 2013

Is your copier storing patient PHI?

A client called to my attention that a (seemingly) very HIPAA-savvy patient she had recently seen refused to let her make a copy of his insurance information. His reason: copiers store the images they make, and he was concerned about how we protect the copier that now holds his PHI. Do copiers indeed store PHI in their little brains?

YES! Photocopiers and multifunction devices with hard drives store an image of every page they copy, scan, print or fax, and those images stay on the drive until they are overwritten. You need a plan for sanitizing that PHI before the copier/fax/whatever machine it is leaves your control, whether it is returned at the end of a lease, traded in, sold or thrown away. This usually means destroying the hard drive, or at the very least overwriting it and verifying the overwrite.

The FTC has a wonderful, free guide on copier data security.  See this page:

http://business.ftc.gov/documents/bus43-copier-data-security

Usually the hard drive in a multifunction copier can be accessed from the device's own keypad, and stored jobs can be reprinted from there. If the drive is removed and was not encrypted, anyone can attach it to another computer as a secondary drive and read the stored images directly; no copier needed. Along with the FTC document, NIST SP 800-88 Rev. 1 (draft) Table A-4 speaks to copiers. It describes how to clear, purge or destroy the electronic media inside office equipment, which includes copiers, fax machines and printers, and it expects each sanitization to be verified rather than assumed. OCR's guidance on rendering PHI unusable, unreadable or indecipherable to unauthorized individuals points to NIST 800-88 as the accepted method for media that will be reused or destroyed, so a drive sanitized that way is not "unsecured PHI" if it later goes missing.

Some copier vendors offer drive encryption; others will destroy the drive for you and issue a certificate of destruction. Ask how they destroy the drives and how the drives are protected in transit, because until the drive is destroyed it is still a copy of your patient records. Of course you always have the option of destroying it yourself. I recommend a vendor whose equipment is on the NSA/CSS Evaluated Products List for destruction devices. Depending on where you live, there are companies that will come onsite and grind the drive to dust in your parking lot. I had over 1000 drives destroyed in this manner.
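A worked verification check, added here as an example rather than taken from the FTC or NIST documents: it reads a raw drive image (a dd copy, or the block device itself) and reports how many JPEG, TIFF and PDF signatures remain and how many sectors are still non-zero, which is the kind of evidence NIST 800-88's verify step asks for after a Clear. The signatures, the 512-byte sector size, the dd workflow and the sample image the script builds for itself are all assumptions for the example.

```python
"""Post-sanitization check for a copier or MFP hard drive (added example).

NIST SP 800-88 ends every Clear or Purge with a verification step. For a
drive pulled from a multifunction device, a practical verification is to
read the raw device (or a dd image of it) and look for the file signatures
a scan engine leaves behind (JPEG, TIFF, PDF), plus the share of sectors
that still contain anything but zeros.

Assumed workflow, not from the original post:
    dd if=/dev/sdX of=copier.img bs=1M
    python verify_wipe.py copier.img
"""
import re
import sys
from typing import Dict, Iterable, Iterator

SECTOR = 512
# Magic numbers for formats copier/scanner engines typically spool to disk.
# TIFF comes in little-endian ("II") and big-endian ("MM") flavours.
SIGNATURES = {
    "jpeg": re.compile(rb"\xff\xd8\xff"),
    "tiff": re.compile(rb"II\x2a\x00|MM\x00\x2a"),
    "pdf": re.compile(rb"%PDF-\d\.\d"),
}
MAX_SIG_LEN = 8  # "%PDF-1.7" is the longest pattern above


def scan_chunks(chunks: Iterable[bytes]) -> Dict[str, int]:
    """Count signatures and non-zero sectors across a stream of raw chunks.

    The last MAX_SIG_LEN-1 bytes of each chunk are carried over so that a
    signature straddling a chunk boundary is still found exactly once.
    """
    totals = {name: 0 for name in SIGNATURES}
    totals.update(sectors=0, nonzero_sectors=0)
    tail = b""
    for buf in chunks:
        window = tail + buf
        for name, pat in SIGNATURES.items():
            # Matches ending inside `tail` were already counted last round.
            totals[name] += sum(1 for m in pat.finditer(window) if m.end() > len(tail))
        totals["sectors"] += (len(buf) + SECTOR - 1) // SECTOR
        totals["nonzero_sectors"] += sum(
            1 for off in range(0, len(buf), SECTOR)
            if buf[off:off + SECTOR].strip(b"\x00")
        )
        tail = window[-(MAX_SIG_LEN - 1):]
    return totals


def scan_bytes(data: bytes) -> Dict[str, int]:
    """Convenience wrapper for an image that already fits in memory."""
    return scan_chunks([data])


def _read_chunks(path: str, chunk: int) -> Iterator[bytes]:
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(chunk)
            if not buf:
                return
            yield buf


def scan_device(path: str, chunk: int = 64 * 1024 * 1024) -> Dict[str, int]:
    """Stream a block device or dd image; chunk must be sector-aligned."""
    if chunk % SECTOR:
        raise ValueError("chunk size must be a multiple of the sector size")
    return scan_chunks(_read_chunks(path, chunk))


def looks_sanitized(report: Dict[str, int], zero_fill: bool = True) -> bool:
    """No recognisable documents and, for a zero-fill Clear, no residual data.

    Set zero_fill=False after a random-pattern overwrite or a cryptographic
    erase, where every sector is expected to be non-zero noise.
    """
    no_docs = all(report[name] == 0 for name in SIGNATURES)
    return no_docs and (not zero_fill or report["nonzero_sectors"] == 0)


def constructed_sample() -> bytes:
    """Constructed 16-sector 'drive' with a JPEG and a PDF header buried in it."""
    img = bytearray(16 * SECTOR)
    img[4 * SECTOR:4 * SECTOR + 4] = b"\xff\xd8\xff\xe0"   # JFIF start-of-image
    img[9 * SECTOR + 100:9 * SECTOR + 108] = b"%PDF-1.4"
    return bytes(img)


if __name__ == "__main__":
    report = scan_device(sys.argv[1]) if len(sys.argv) > 1 else scan_bytes(constructed_sample())
    print(report, "SANITIZED" if looks_sanitized(report) else "DATA PRESENT")
```

Two caveats a practitioner should keep in mind. First, this only reads what the drive's controller presents; it says nothing about remapped sectors or flash over-provisioning, which is why 800-88 treats physical destruction as the safe end state for drives that held PHI. Second, the three-byte JPEG magic will appear by chance about once per 16 MiB of random data, so after a random-pattern overwrite expect noise in the jpeg count and rely on the longer PDF/TIFF patterns and the drive's own verification instead.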

May 07, 2013

OCR Posts HIPAA Educational Materials on Website

Compliance with the HIPAA Privacy and Security Rules is not easy. However, the website of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is an excellent source of materials that educate covered entities and business associates about their obligations under HIPAA and how to implement effective measures to meet them. OCR has posted a series of six fact sheets on HIPAA. While the fact sheets are aimed at consumers and their rights under HIPAA, providers can also use them in their own compliance efforts, including the training and education of their employees. The materials are available on OCR's website at:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers.

OCR has also posted a video entitled The HIPAA Security Rule to assist small providers, such as small physician practices and surgery centers, in their compliance with the requirements of the Security Rule.  The video is available on the HHS OCR YouTube Channel at:

http://www.youtube.com/user/USGovHHSOCR.

Finally, OCR has also launched three modules on Medscape for health care providers covering various aspects of compliance with the HIPAA Privacy and Security Rules. You must sign up for a free Medscape account to access the videos. Each module is a great resource for covered entities and business associates. Below is a list of the modules with a link to each.

Patient Privacy: A Guide for Providers
http://www.medscape.org/viewarticle/781892?src=ocr

HIPAA and You: Building a Culture of Compliance
http://www.medscape.org/viewarticle/762170?src=ocr

Examining Compliance with the HIPAA Privacy Rule
http://www.medscape.org/viewarticle/763251?src=ocr

January 18, 2013

HHS to release update to HIPAA privacy and security rules

On January 25, 2013, the Department of Health and Human Services (HHS) will publish in the Federal Register its omnibus update to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules. The update makes business associates of hospitals, physicians and other HIPAA-covered entities directly liable under the law for impermissible uses and disclosures of PHI; business associates can include a provider's healthcare data-miners and health information technology service providers. The rule also changes when breaches must be reported to the Office for Civil Rights, replacing the old "harm" threshold with a presumption that any impermissible use or disclosure is a reportable breach unless a documented risk assessment shows a low probability that the PHI was compromised, and it sets new limits on the use of patient-identifiable information for marketing and fundraising.

It also gives patients the right to require that records of treatment they pay for out of pocket in full not be disclosed to their health plan, and it spells out how the greatly increased civil penalties under the HITECH Act (part of ARRA) are to be applied.

"These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a healthcare provider or one of their business associates," said OCR Director Leon Rodriguez. The rule becomes effective March 26, 2013, with a compliance date of September 23, 2013 for most provisions.

https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf


December 03, 2012

Guidance Regarding Methods for De-identification of PHI

This HHS document provides guidance about methods and approaches for achieving de-identification in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The guidance explains and answers questions about the two methods that can be used to satisfy the Privacy Rule's de-identification standard: Expert Determination and Safe Harbor. It is intended to help covered entities understand what de-identification is, the general process by which de-identified information is created, and the options available for performing it.

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/hhs_deid_guidance.pdf

November 19, 2012

A few HIPAA ideas for all physician practices

1. Find, track, and account for all patient protected health information - this is especially important if you carry PHI on iPhones, computers, and medical equipment.

2. Conduct a self-audit every year - Most physician practices "think" they are in full HIPAA compliance when in fact very few are.

3. Make sure employees are trained on HIPAA - And make sure this training is documented.

4. Make sure all relevant Business Associate Agreements have been executed - Also make sure your business associates are taking the necessary steps to protect your patients' PHI.

5. Develop, implement, and follow HIPAA policies and procedures within your medical practice - A review of compliance with these policies should be a part of your annual self-audit.

September 25, 2012

Massachusetts provider settles HIPAA case for $1.5 million

Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively "MEEI") have agreed to pay the U.S. Department of Health and Human Services (HHS) $1.5 million to settle potential violations of the HIPAA Privacy and Security Rules. MEEI has also agreed to take corrective action to improve its policies and procedures for safeguarding the privacy and security of patients' protected health information and to retain an independent monitor to report on its compliance efforts. OCR's investigation followed a breach report that MEEI submitted, as required by the HIPAA Breach Notification Rule, about the theft of an unencrypted personal laptop containing the electronic protected health information (ePHI) of MEEI patients and research subjects, including patient prescriptions and clinical information. OCR found that although MEEI's management was aware of the Security Rule, MEEI had failed to take the steps the Rule requires, including:

- conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices;
- implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained and transmitted using portable devices;
- adopting and implementing policies and procedures restricting access to ePHI to authorized users of portable devices; and
- adopting and implementing policies and procedures for security incident identification, reporting and response.

The practical lesson for anyone carrying ePHI on a laptop: full-disk encryption consistent with the HHS guidance on securing PHI would have meant the stolen laptop held no "unsecured" PHI, and the theft would not have been a reportable breach in the first place.

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/meei-agreement-pdf.pdf

June 28, 2012

Initial HIPAA audit results released

Earlier this month, OCR revealed preliminary results of its HIPAA pilot audit program at a National Institute of Standards and Technology (NIST) conference, presenting findings from the first 20 covered entities audited. The audits revealed a number of common issues, including the following:

- Lack of written policies and procedures
- Missing business associate contracts
- Improper use and disclosure of information concerning deceased patients
- Failure to verify the identity of the person requesting health information
- Improper disclosures in response to judicial subpoenas and administrative requests
- Denials of patients’ access to their own records
- Lack of ongoing privacy training
- Minimal monitoring of employees’ access to electronic patient records
- Lack of contingency plans in cases of emergencies in order to access electronic records

http://www.garfunkelwild.com/ClientAlerts/AlertPDF/2012/OCRHIPAAAuditResults-OCRpdf.pdf

May 01, 2012

Phoenix Cardiac Surgery HIPAA violations - a follow up

In this case, the OCR found that, on a daily basis, over a period of four years, Phoenix Cardiac Surgery had transmitted ePHI from an Internet-based email account to the personal Internet-based email accounts of workforce members, underscoring the risks posed to practices by the unregulated or unsupervised use of email for the transmission of ePHI.

Although Phoenix Cardiac Surgery is a small, non-institutional provider, i.e., a physician practice with just two owners, the OCR did not relieve the practice of its obligation to comply with the basic requirements of HIPAA. Instead, the OCR required the practice to pay $100,000 to settle the claims against it and to enter into a one-year corrective action plan (CAP). Pursuant to the terms of the CAP, the practice must develop policies and procedures that comply with the HIPAA Privacy and Security Rules, send them to OCR for approval and fully implement them within 30 days of OCR’s approval. The CAP also requires the practice to obtain a signed statement from every workforce member that he or she has read, understands and will abide by the policies and procedures. The CAP requires the practice to train all workforce members who use or disclose PHI regarding the policies and procedures within 60 days of OCR’s approval of the policies. During the term of the CAP, any violation of the policies and procedures must be reported to OCR, together with steps the practice intends to take to mitigate any harm and prevent recurrence.

OCR's expectation that providers should be in full compliance with the Security Rule - which went into effect seven years ago - is not surprising. This settlement highlights the need to treat security compliance as a continuous process involving regular assessments of the security environment, review of policies and procedures, and workforce training - FOR EVERY MEDICAL PRACTICE, LARGE, MEDIUM, SMALL, AND SOLO.
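As an added example (not from the settlement documents or the original post), the following script applies the two lessons of this case to a mail-gateway log: every message leaving the practice to a domain with no business associate agreement on file is flagged, and sender/recipient pairs that recur on several days are called out separately, since that daily pattern is what OCR found here. The log format, the practice domain, the BAA domain list and the log lines are all constructed for the example.

```python
"""Outbound e-mail policy check (added example, not from the original post).

The Phoenix Cardiac Surgery settlement turned on two facts: ePHI went daily
from the practice's mailbox to workforce members' personal webmail accounts,
and the practice had no business associate agreement (BAA) with the services
holding that ePHI. This script audits a constructed mail-gateway log for both
patterns: any message from the practice domain to a domain with no BAA, and
sender/recipient pairs that recur day after day.

Assumptions (not from the page): the log format, the practice domain
`practice.example`, the BAA domain list and the log lines are all made up.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

PRACTICE_DOMAIN = "practice.example"
# Domains with an executed BAA on file; anything else is an uncovered recipient.
BAA_DOMAINS = {"billing-vendor.example", "ehr-host.example"}

# Constructed gateway log line: ISO timestamp, sender, comma-separated
# recipients, and the attachment count the gateway recorded.
LOG_LINE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ from=(?P<frm>\S+) to=(?P<to>\S+) attach=(?P<att>\d+)$"
)

SAMPLE_LOG = """\
2011-06-13T17:58:02 from=frontdesk@practice.example to=drj@webmail.example attach=1
2011-06-13T18:01:40 from=frontdesk@practice.example to=claims@billing-vendor.example attach=1
2011-06-14T17:55:19 from=frontdesk@practice.example to=drj@webmail.example attach=2
2011-06-14T09:12:00 from=newsletter@vendor.example to=frontdesk@practice.example attach=0
2011-06-15T18:03:27 from=frontdesk@practice.example to=drj@webmail.example,nurse@practice.example attach=1
2011-06-16T17:59:55 from=frontdesk@practice.example to=drj@webmail.example attach=1
2011-06-16T12:30:10 from=scheduler@practice.example to=ops@reminder-service.example attach=0
"""


@dataclass(frozen=True)
class Finding:
    day: str
    sender: str
    recipient: str
    attachments: int


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def uncovered_recipients(lines: Iterable[str]) -> List[Finding]:
    """Messages leaving the practice to a recipient domain with no BAA on file."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or domain_of(m["frm"]) != PRACTICE_DOMAIN:
            continue  # unparseable, or inbound traffic: not this check's concern
        for rcpt in m["to"].split(","):
            d = domain_of(rcpt)
            if d == PRACTICE_DOMAIN or d in BAA_DOMAINS:
                continue
            findings.append(Finding(m["day"], m["frm"], rcpt, int(m["att"])))
    return findings


def habitual_pairs(findings: Iterable[Finding], min_days: int = 3) -> Dict[Tuple[str, str], int]:
    """Sender/recipient pairs seen on at least `min_days` distinct days."""
    days = defaultdict(set)
    for f in findings:
        days[(f.sender, f.recipient)].add(f.day)
    return {pair: len(d) for pair, d in days.items() if len(d) >= min_days}


def audit(log_text: str = SAMPLE_LOG) -> Tuple[List[Finding], Dict[Tuple[str, str], int]]:
    findings = uncovered_recipients(log_text.splitlines())
    return findings, habitual_pairs(findings)


if __name__ == "__main__":
    found, habitual = audit()
    for f in found:
        print(f"{f.day} {f.sender} -> {f.recipient} ({f.attachments} attachment(s), no BAA)")
    for (sender, rcpt), n in habitual.items():
        print(f"RECURRING: {sender} -> {rcpt} on {n} distinct days")
```

The allowlist is deliberately the BAA list, not a list of "bad" webmail providers: the Security Rule question is whether a recipient holding your ePHI is bound to protect it, and a one-off message to an unlisted vendor deserves the same review as a personal account. Run against real gateway logs, the recurring-pair report is the one to hand to whoever owns workforce training.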

April 20, 2012

Physician practice gets into HIPAA hot water

Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, has agreed to pay the U.S. Department of Health and Human Services (HHS) a $100,000 settlement and take corrective action to implement policies and procedures to safeguard the protected health information of its patients.

The settlement with the physician practice follows an extensive investigation by the HHS Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).

“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of OCR. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”

OCR’s investigation also revealed the following issues:

• Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
• Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
• Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
• Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.

Under the HHS resolution agreement, Phoenix Cardiac Surgery has agreed to pay a $100,000 settlement amount and a corrective action plan that includes a review of recently developed policies and other actions taken to come into full compliance with the Privacy and Security Rules.

April 02, 2012

If You Handle Protected Health Information (PHI) or Personally Identifiable Information (PII), Buy Data Breach and Security Incident Insurance!

We live in the data age, where every day a new technology is announced in business- and consumer-oriented ecommerce and mobile health (mhealth). In response, in recent years federal and state legislators have enacted strict data privacy and security laws, such as HIPAA, COPPA and Gramm-Leach-Bliley, to protect data whether in electronic or physical form. This data is known as protected health information under HIPAA and as personally identifiable information under other statutes. New federal and state laws also mandate comprehensive data breach responses, including notification of the individuals whose PHI or PII was breached and, in some cases, of regulatory agencies and state attorneys general. The shared premise behind these laws is that the public expects the highest standard of data protection from businesses and government. (Whether or not this is true, after all we regularly give our credit card numbers to anonymous persons over the phone, is a subject for another day.)

Read more:

http://blogs.duanemorris.com/duanemorrishealthlawblog/entry/test