As most healthcare providers know, HIPAA requires that covered entities or business associates conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (“ePHI”) held by the covered entity or business associate. Providers who receive Meaningful Use incentive payments from the Centers for Medicare and Medicaid Services (“CMS”) for implementing electronic health record (“EHR”) systems into their practices or operations are also likely aware that one of the many requirements for these incentive payments is to conduct a HIPAA security risk analysis annually. Now, perhaps more than ever before, both CMS and the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) are demonstrating the importance of ensuring that these risk analyses are performed, or providers can face dire consequences. Below are the top reasons to conduct a thorough HIPAA security risk analysis.
A little rain can’t stop SXSW. Husch Blackwell attorneys have attended dozens of interesting presentations and met countless innovative minds. We will continue to post live updates on Twitter (@HBhealthcarelaw) and release brief blog posts related to certain presentations throughout the event. With former VP Joe Biden in town to discuss his cancer moonshot today, our focus is precision medicine.
Precision medicine is an innovative approach to medical treatment that takes into account individual differences in people’s genes, environments, and lifestyles. The promise of precision medicine is delivering the right treatments, at the right time, to the right person. The potential of precision medicine is recognized at the highest levels of government. In his 2015 State of the Union address, former President Barack Obama launched the Precision Medicine Initiative (“PMI”), a bold new research effort to revolutionize health and the treatment of disease. Subsequently, Sylvia M. Burwell, Secretary of the U.S. Department of Health & Human Services (“DHHS”), announced the FY 2016 budget would include $215 million for the PMI, with $200 million of this to be used by the National Institutes of Health (“NIH”) to launch the All of Us program, a national cohort of a million or more Americans who volunteer to share genetic, clinical, and other data to improve research. The funds will also be used to invest in expanding current cancer genomics research and to initiate new studies on how a tumor’s DNA can inform prognosis and treatment choices.
Today kicks off one of Austin’s largest and best-known events, the South by Southwest Interactive Conference. In the spirit of Husch Blackwell’s involvement in several aspects of the conference, this post will touch on emerging health technology and pushing the limits of HIPAA.
New technology is being developed to be used in healthcare settings on a near daily basis. Telehealth, mobile apps, medical devices, implantables, robotics, electronic health records, e-prescriptions, digital pills, and wearables are just a few of the innovations that contribute to a patient’s treatment. There are more ways for people to access medical care, and more ways to produce and share patient data with healthcare providers than ever before. At some point in the development stage, you and your team probably asked questions like these:
- What data are we collecting? Where do we keep it?
- How can we use it? How can we not use it?
- Who owns it? Can we own it?
- Does HIPAA apply to us?
- Are there other laws we need to worry about?
- What if we lose some data?
First things first, a quick primer on HIPAA, the law you’re likely generally aware of. HIPAA is comprised of a privacy component and a security component. The HIPAA privacy rule addresses the confidentiality of certain health information and the HIPAA security rule sets basic security standards for certain health information held or transferred in electronic form. These regulations apply to covered entities and their business associates. Generally, a covered entity is a health plan, a healthcare clearinghouse, or a healthcare provider. A business associate is an individual or entity that creates, receives, maintains or transmits PHI in the course of performing services on behalf of a covered entity. Basically, PHI may not be used or disclosed by a covered entity (or a business associate on its behalf) without patient authorization unless an exception applies. One frequently cited exemption relates to the use and disclosure of PHI necessary to carry out treatment, to obtain payment, or to conduct healthcare operations. When PHI is shared between a covered entity and a business associate the parties execute a business associate agreement that governs the business associate’s use and security of PHI.
Innovative technology is pushing the limits of HIPAA. Companies may encrypt and store data for a covered entity but never have access to it, and companies may act purely as a conduit to connect two hospital systems sharing data but never store or alter the data in any way. Should companies like this be subject to HIPAA? This is a point of contention that the government is trying to clarify. This has been done through guidance issued by Health and Human Services addressing the application of HIPAA to cloud service providers. Further, the OCR has developed an online privacy and security portal for mobile app developers, and HIMSS has developed a mobile health security kit. It will be important to remain aware of further guidance that may be issued by multiple government agencies.
But what if you’re not a covered entity and you don’t have a relationship with a covered entity that makes you a business associate? Just because you have access to medical data does not necessarily mean HIPAA applies. When someone buys a Misfit fitness tracker off the shelf, the data collected by the wearable is not protected by HIPAA. However, if a person receives a wearable from their physician to track certain data, that information likely is protected under HIPAA. This is an important distinction.
So if HIPAA doesn’t apply, what does? The Federal Trade Commission (FTC) has issued the Health Breach Notification Rule to require certain businesses to notify their customers if there’s a breach of unsecured, individually identifiable electronic health information. This applies to any entity that is not subject to HIPAA, but collects or maintains identifiable health information on an individual. Further, the FTC is becoming very active in enforcing its consumer protection laws against companies for misrepresenting how an individual’s data is used or a company’s failure to adhere to its own data use and protection policies.
Finally, states are able to establish rules more stringent than HIPAA so it is very important to take such laws into consideration. A state may expand the definition of a covered entity or business associate, and may have its laws apply to any entity that has access to the health information of a resident of the state. This may mean that the laws of a state where you don’t have a physical location may apply to you through the data you collect.
Emerging Issues in Healthcare Law is coming to the Big Easy. The American Bar Association’s 18th annual conference is slated for New Orleans March 8-11.
Husch Blackwell is a platinum sponsor of this event featuring the most emergent topics facing the healthcare bar. As the industry faces changes and continues to grow under healthcare reform and enforcement, this conference allows attendees a perfect opportunity to stay ahead of the developments.
A California federal court handed down a decision last Friday that may further influence how healthcare entities should approach the Telephone Consumer Protection Act’s (TCPA) “emergency purpose” exception as applied to calls or texts related to patient health and safety. In St. Clair v. CVS Pharmacy, Inc., No. 16-CV-04911-VC, 2016 WL 7489047, at *1 (N.D. Cal. Dec. 30, 2016), the plaintiff alleged that CVS Pharmacy called him multiple times about his prescriptions after he told a customer representative that he no longer wished to be called. CVS moved to dismiss the lawsuit by claiming that all of the calls at issue fell under the emergency purpose exception contained in the statute, and therefore were not subject to the TCPA.
Any agreement between two parties begins with the rosy optimism that the good times will last forever. In the world of technology licensing and development, however, we know this is rarely the case. While the Byte Back blog has previously considered data security oversight by the board of directors of the company, it is also important for a company’s legal and procurement teams to establish a plan for the security, use, and transition of its data throughout the contracting process. These issues are particularly important in highly regulated industries such as healthcare.
Backing up electronic health record data may become an important aspect of complying with and mitigating risk under the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) if the U.S. Health and Human Services Office of Civil Rights (OCR) heeds legislators’ recommendations.
On April 29, 2016, the Joint Commission released an update (“Update”) providing for the use of text messaging to submit orders for patient care, treatment, or services to the hospital or other health care settings for all accreditation programs. Back in 2011, the Joint Commission believed that the technology necessary to secure contents of a text message, verify the identity of the person sending the message, and retain the original message within the medical record were not readily available, and, therefore, prohibited the use of text messaging to submit orders. However, this has changed as reasonably accessible technology has been developed which mitigates the security and record retention risks the Joint Commission previously identified. In the Update, the Joint Commission said, “effective immediately, licensed independent practitioners or other practitioners in accordance with professional standards of practice, law and regulation, and policies and procedures may text orders as long as a secure text messaging platform is used and the required components of an order are included.”
Based on recent news stories and our experience, it appears that cybercriminals may be targeting healthcare providers with ransomware attacks. Publicly reported incidents and others of which we are aware have involved providers ranging from clinics and imaging centers to hospitals, and these entities have had to pay hundreds to thousands of dollars to gain access to their medical records, billing records or other vital computer systems – often after significant interruption of operations. On March 31, 2016, the U.S. Dept. of Homeland Security issued an alert about these attacks as a result of recent attacks on businesses including healthcare facilities and hospitals worldwide.
The U.S. Department of Health & Human Services Office for Civil Rights (OCR) released its plans for Phase 2 of the HIPAA Audit Program (Phase 2). Whereas Phase 1 was a pilot program conducted by KPMG and intended to assess the controls and processes of 115 covered entities with respect to HIPAA compliance, in Phase 2 OCR will review the policies and procedures adopted and employed by Covered Entities and their Business Associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.
These audits will primarily be offsite desk audits, although some audits may take place onsite, and be limited to compliance with the Privacy, Security, and Breach Notification Rules. OCR will not be reviewing compliance with state laws. All initial communications from OCR to the Covered Entities and Business Associates will be done by email, so it is imperative that potential auditees ensure that correspondence from the email address OSOCRAudit@hhs.gov is not incorrectly classified as spam. OCR will begin Phase 2 with desk audits of Covered Entities and Business Associates. Desk audits should be completed by the end of December 2016.
Step 1 – Initial Contact and Questionnaire
In the first round of Phase 2, Covered Entities of various types (providers, health plans, and health care clearinghouses) will receive email correspondence from OCR to obtain and verify contact information. Following the collection of contact information, Covered Entities will be asked to complete a questionnaire designed to gather data about the size, type, and operations of the Covered Entity. Covered Entities will also be asked to identify and provide contact information for each of their business associates, so it is recommended that Covered Entities begin preparing this list if such a list is not already in place. Failure to respond to the initial email or the follow-up questionnaire will not remove a Covered Entity from the pool of potential auditees. If a Covered Entity fails to respond or fails to provide adequate information, OCR will use publicly available information about the Covered Entity to create its audit pool.
Business Associates will be the focus of the second round of Phase 2. Business Associates will be contacted by OCR in the same manner and will be asked to provide the same information as Covered Entities. Although not expressly stated by OCR, Business Associates should prepare a list of any subcontractor Business Associates that it uses in its relationship to a Covered Entity. As with Covered Entities, failure to respond to the initial email or the follow-up questionnaire will not remove a Business Associate from the pool of potential auditees.
Step 2 – Audit Selection
In Phase 2, OCR is identifying pools of Covered Entities and Business Associates that represent entities of varying size, operation, and geographic location. By looking at a broad spectrum of candidates, OCR believes it can better assess HIPAA compliance across the industry. OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review.
Step 3 – Desk Audit
If a Covered Entity or Business Associate is selected to be audited, OCR will send a notification letter that sets forth the audit team, explains the audit process, and discusses OCR’s expectations in more detail. The letter may also include requests for certain documentation from the audited entity. It is the expectation of OCR that the audited entity responds to the request within 10 days. After OCR’s review, the audited entity will be provided with a draft of OCR’s findings and have 10 days to review and respond with written comments. A final audit report for each entity will be completed within 30 days from receipt of comments and be provided to the audited entity. OCR will not be posting a list of the audited entities or the findings of an individual audit, but it is important to note that such information may be subject to release under the Freedom of Information Act.
Step 4 – Onsite Audit
Covered Entities and Business Associates may also be subject to onsite audits during Phase 2. This process will commence with notification being sent to the audited entity and an entrance conference to discuss the audit process and OCR’s expectations. Each onsite audit will be conducted over three to five days. Following the audit, OCR will produce a draft report within 10 days and the audited entity will have 10 days to review and respond with comments. The final report will be completed by OCR within 30 days and delivered to the audited entity. As with the desk audits, OCR will not be posting a list of the audited entities or the findings of an individual audit, but it is important to note that such information may be subject to release under the Freedom of Information Act.
Step 5 – Post Audit
Phase 2 audits are being conducted primarily as a compliance improvement activity, rather than a compliance enforcement activity. It is the OCR’s hope that this audit will help address potential issues prior to a breach. Generally, OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective action would be most helpful. However, should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to further investigate.
To get prepped for a possible audit, we suggest that HIPAA-Covered Entities and Business Associates compare and contrast their current practices to the audit protocols published on OCR’s website. For those individuals and entities that may be unsure whether they are covered by HIPAA, we recommend quickly making such a determination and taking appropriate measures to implement a HIPAA compliance program if needed.
If you have any questions related to the OCR Phase 2 Audit Process, please contact Deborah Hiser directly at 512-703-5718 or Deborah.Hiser@HuschBlackwell.com.
Stay tuned for more information from us as it develops. In the interim, feel free to check out today’s OCR postings.