Today kicks off one of Austin’s largest and best-known events, the South by Southwest Interactive Conference. In the spirit of Husch Blackwell’s involvement in several aspects of the conference, this post will touch on emerging health technology and pushing the limits of HIPAA.

New technology is being developed to be used in healthcare settings on a near daily basis. Telehealth, mobile apps, medical devices, implantables, robotics, electronic health records, e-prescriptions, digital pills, and wearables are just a few of the innovations that contribute to a patient’s treatment. There are more ways for people to access medical care, and more ways to produce and share patient data with healthcare providers than ever before. At some point in the development stage, you and your team probably asked questions like these:

  • What data are we collecting? Where do we keep it?
  • How can we use it? How can we not use it?
  • Who owns it? Can we own it?
  • Does HIPAA apply to us?
  • Are there other laws we need to worry about?
  • What if we lose some data?

First things first, a quick primer on HIPAA, the law you’re likely generally aware of. HIPAA is comprised of a privacy component and a security component. The HIPAA privacy rule addresses the confidentiality of certain health information and the HIPAA security rule sets basic security standards for certain health information held or transferred in electronic form. These regulations apply to covered entities and their business associates. Generally, a covered entity is a health plan, a healthcare clearinghouse, or a healthcare provider. A business associate is an individual or entity that creates, receives, maintains or transmits PHI in the course of performing services on behalf of a covered entity. Basically, PHI may not be used or disclosed by a covered entity (or a business associate on its behalf) without patient authorization unless an exception applies. One frequently cited exemption relates to the use and disclosure of PHI necessary to carry out treatment, to obtain payment, or to conduct healthcare operations. When PHI is shared between a covered entity and a business associate, the parties execute a business associate agreement that governs the business associate’s use and security of PHI.

Innovative technology is pushing the limits of HIPAA. Companies may encrypt and store data for a covered entity but never have access to it, and companies may act purely as a conduit to connect two hospital systems sharing data but never store or alter the data in any way. Should companies like this be subject to HIPAA? This is a point of contention that the government is trying to clarify. This has been done through guidance issued by Health and Human Services addressing the application of HIPAA to cloud service providers (found here). Further, the OCR has developed an online privacy and security portal for mobile app developers (found here) and HIMSS has developed a mobile health security kit (found here). It will be important to remain aware of further guidance that may be issued by multiple government agencies.

But what if you’re not a covered entity and you don’t have a relationship with a covered entity that makes you a business associate? Just because you have access to medical data does not necessarily mean HIPAA applies. When someone buys a Misfit fitness tracker off the shelf, the data collected by the wearable is not protected by HIPAA. However, if a person receives a wearable from their physician to track certain data, that information likely is protected under HIPAA. This is an important distinction.

So if HIPAA doesn’t apply, what does? The Federal Trade Commission (FTC) has issued the Health Breach Notification Rule to require certain businesses to notify their customers if there’s a breach of unsecured, individually identifiable electronic health information. This applies to any entity that is not subject to HIPAA, but collects or maintains identifiable health information on an individual. Further, the FTC is becoming very active in enforcing its consumer protection laws against companies for misrepresenting how an individual’s data is used or a company’s failure to adhere to its own data use and protection policies.

Finally, states are able to establish rules more stringent than HIPAA, so it is very important to take such laws into consideration. A state may expand the definition of a covered entity or business associate, and may have its laws apply to any entity that has access to the health information of a resident of the state. This may mean that the laws of a state where you don’t have a physical location may apply to you through the data you collect.

If you have any questions about what privacy laws may apply to your operations, please feel free to contact me directly at (214) 999-6132 or john.ferguson@huschblackwell.com.

Backing up electronic health record data may become an important aspect of complying with and mitigating risk under the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) if the U.S. Health and Human Services Office of Civil Rights (OCR) heeds legislators’ recommendations. Continue Reading Congress’ suggestions for ransomware treatment under HIPAA

The U.S. Department of Health & Human Services Office for Civil Rights (OCR) released its plans for Phase 2 of the HIPAA Audit Program (Phase 2). Whereas Phase 1 was a pilot program conducted by KPMG and intended to assess the controls and processes of 115 covered entities with respect to HIPAA compliance, in Phase 2 OCR will review the policies and procedures adopted and employed by Covered Entities and their Business Associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.

These audits will primarily be offsite desk audits, although some audits may take place onsite, and be limited to compliance with the Privacy, Security, and Breach Notification Rules. OCR will not be reviewing compliance with state laws. All initial communications from OCR to the Covered Entities and Business Associates will be done by email, so it is imperative that potential auditees ensure that correspondence from the email address OSOCRAudit@hhs.gov is not incorrectly classified as spam. OCR will begin Phase 2 with desk audits of Covered Entities and Business Associates. Desk audits should be completed by the end of December 2016.

Step 1 – Initial Contact and Questionnaire

In the first round of Phase 2, Covered Entities of various types (providers, health plans, and health care clearinghouses) will receive email correspondence from OCR to obtain and verify contact information. Following the collection of contact information, Covered Entities will be asked to complete a questionnaire designed to gather data about the size, type, and operations of the Covered Entity. Covered Entities will also be asked to identify and provide contact information for each of their business associates, so it is recommended that Covered Entities begin preparing this list if such a list is not already in place. Failure to respond to the initial email or the follow-up questionnaire will not remove a Covered Entity from the pool of potential auditees. If a Covered Entity fails to respond or fails to provide adequate information, OCR will use publicly available information about the Covered Entity to create its audit pool.

Business Associates will be the focus of the second round of Phase 2. Business Associates will be contacted by OCR in the same manner and will be asked to provide the same information as Covered Entities. Although not expressly stated by OCR, Business Associates should prepare a list of any subcontractor Business Associates that it uses in its relationship to a Covered Entity. As with Covered Entities, failure to respond to the initial email or the follow-up questionnaire will not remove a Business Associate from the pool of potential auditees.

Step 2 – Audit Selection

In Phase 2, OCR is identifying pools of Covered Entities and Business Associates that represent entities of varying size, operation, and geographic location. By looking at a broad spectrum of candidates, OCR believes it can better assess HIPAA compliance across the industry. OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review.

Step 3 – Desk Audit

If a Covered Entity or Business Associate is selected to be audited, OCR will send a notification letter that sets forth the audit team, explains the audit process, and discusses OCR’s expectations in more detail. The letter may also include requests for certain documentation from the audited entity. It is the expectation of OCR that the audited entity responds to the request within 10 days. After OCR’s review, the audited entity will be provided with a draft of OCR’s findings and have 10 days to review and respond with written comments. A final audit report for each entity will be completed within 30 days from receipt of comments and be provided to the audited entity. OCR will not be posting a list of the audited entities or the findings of an individual audit, but it is important to note that such information may be subject to release under the Freedom of Information Act.

Step 4 – Onsite Audit

Covered Entities and Business Associates may also be subject to onsite audits during Phase 2. This process will commence with notification being sent to the audited entity and an entrance conference to discuss the audit process and OCR’s expectations. Each onsite audit will be conducted over three to five days. Following the audit, OCR will produce a draft report within 10 days and the audited entity will have 10 days to review and respond with comments. The final report will be completed by OCR within 30 days and delivered to the audited entity. As with the desk audits, OCR will not be posting a list of the audited entities or the findings of an individual audit, but it is important to note that such information may be subject to release under the Freedom of Information Act.

Step 5 – Post Audit

Phase 2 audits are being conducted primarily as a compliance improvement activity, rather than a compliance enforcement activity. It is the OCR’s hope that this audit will help address potential issues prior to a breach. Generally, OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective action would be most helpful. However, should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to further investigate.

To get prepped for a possible audit, we suggest that HIPAA-Covered Entities and Business Associates compare and contrast their current practices to the audit protocols published on OCR’s website. For those individuals and entities that may be unsure whether they are covered by HIPAA, we recommend quickly making such a determination and taking appropriate measures to implement a HIPAA compliance program if needed.

If you have any questions related to the OCR Phase 2 Audit Process, please contact Deborah Hiser directly at 512-703-5718 or Deborah.Hiser@HuschBlackwell.com.

Stay tuned for more information from us as it develops. In the interim, feel free to check out today’s OCR postings.

My New Year’s resolutions will likely be broken early and often in 2016. My consequences are mostly non-monetary: a few more pounds, a little less savings, and not winning the triathlon in my age group. Your consequences, as a HIPAA-covered entity or business associate, for not complying with the Privacy and Security Rules could be much greater, and could put you into serious debt to the HHS Office of Civil Rights (OCR). Therefore, we propose that you resolve now to become fully HIPAA compliant in 2016.

OCR delivered an early holiday gift, wrapped in the Director’s Sept. 23, 2015, report to the Office of Inspector General. In that report, she disclosed that OCR will launch Phase 2 of its HIPAA audit program in early 2016, focusing on noncompliance issues for both covered entities and business associates.

So, grab that cup of hot cocoa and peruse this review of 2014-2015 HIPAA enforcement actions, which should help identify noncompliance issues on which OCR will focus in 2016. Continue Reading HIPAA compliance: another year older, but hopefully not deeper in debt

Cancer Care Group, P.C. settled alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules on September 2 with the U.S. Department of Health & Human Services Office for Civil Rights (OCR) for $750,000. Cancer Care, a radiation oncology private physician practice located in Indiana, also agreed to adopt a corrective action plan to remedy defects in its HIPAA compliance program. Continue Reading $750K HIPAA settlement highlights importance of risk analysis, device control policy

The Anthem breach sent alarm waves through the health care industry and the employer health plan community. With 78.8 million affected individuals for Anthem and 11 million for the companion breach of Premera Blue Cross, the combined size ranks among the largest data breaches in history.

The Anthem and Premera breaches signal a sea change in the threat environment for health plans, a new reality that requires a fresh look at data security. Prudent employers with group health plans should take that fresh look now, by strengthening the data security provisions in their business associate agreements (BAAs) with third-party plan administrators, and also by updating their HIPAA-required security risk assessments. Continue Reading Data Security for Employer Health Plans Post-Anthem

It’s a dangerous world for protected information, with major breaches in the news and a challenging cyber-threat environment behind the scenes. The healthcare industry is a prime target, especially given the premium value of health information on the black market. And healthcare entities face not only PHI breach exposures, but also security risks for other forms of protected information, such as PII and, for many, cardholder data.

Healthcare organizations must be prepared to respond to data breaches, but effective response is no small matter. There are 10 different channels of response activity for an organization that has suffered a security breach: Security, Legal, Forensic, Law Enforcement, Regulators, Insurance Coverage, Public Relations, Stakeholders, Notification, and Personnel Management. Most of these activities are involved in every breach, and all must be dealt with in significant breaches. These activities are not sequential. They play out in parallel, with interrelated effects… and with the response clock ticking. Continue Reading The 10 Key Activities for Effective Data Breach Response – Are You Prepared?

Due diligence is often perceived as a mundane part of the mergers & acquisitions (M&A) process, but its importance in healthcare transactions is critical. Due diligence is one of the first steps of any transaction and involves a buyer undertaking an in-depth examination of the target to evaluate the business and uncover potential issues or liabilities. In the healthcare industry, diligence is especially important considering the heavy regulation of the industry, the unique areas of risk, and the significant liabilities that could be imposed upon a buyer if issues and liabilities are not identified before the transaction closes. Continue Reading Unique Considerations in Healthcare M&A Part 1 – Due Diligence

A Dec. 1 Strafford webinar on the legal and regulatory challenges of Ebola will feature five Husch Blackwell attorneys. The 90-minute CLE webinar with interactive Q&A will provide guidance to healthcare counsel and their clients in addressing HIPAA and EMTALA concerns when treating Ebola patients.

The panel will discuss state and federal mandatory reporting requirements, employment issues and lessons learned from the first U.S. Ebola cases. Continue Reading Husch Blackwell attorneys address Ebola challenges

The U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) released a bulletin on Nov. 10 reminding entities covered under the Health Insurance Portability and Accountability Act (HIPAA) that the protections continue to be in effect during emergencies, including Ebola and other outbreaks. HHS wants to make sure healthcare providers are aware of the ways in which patient information may be shared under the HIPAA Privacy Rule in emergency situations. Continue Reading HHS releases reminder about HIPAA rules in wake of Ebola outbreak