This is the seventh article in our series on the effect of a “slow repeal” of the ACA. This week’s discussion focuses on the potential impact on healthcare technology.

Industry experts are predicting that a slow repeal of the ACA will have very little, if any, negative impact on healthcare technology. Healthcare technology grew at an unprecedented pace under the ACA, in part because the ACA contains provisions which provide healthcare technology with incentives to develop and implement new systems aimed at increasing efficiency. Despite the significant amount of uncertainty with a slow repeal of the ACA for many players in the healthcare industry, healthcare technology appears to be poised for continued growth through value-based care, telemedicine, and the increased need for interoperability.

Slow Repeal of the ACA and Its Effect on Healthcare Technology

Backing up electronic health record data may become an important aspect of complying with and mitigating risk under the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) if the U.S. Health and Human Services Office of Civil Rights (OCR) heeds legislators’ recommendations.

Congress’ suggestions for ransomware treatment under HIPAA

The Anthem breach sent alarm waves through the health care industry and the employer health plan community. With 78.8 million affected individuals for Anthem and 11 million for the companion breach of Premera Blue Cross, the combined size ranks among the largest data breaches in history.

The Anthem and Premera breaches signal a sea change in the threat environment for health plans, a new reality that requires a fresh look at data security. Prudent employers with group health plans should take that fresh look now, by strengthening the data security provisions in their business associate agreements (BAAs) with third-party plan administrators, and also by updating their HIPAA-required security risk assessments.

Data Security for Employer Health Plans Post-Anthem

Seemingly picking up where we left off in our recent white paper and Advisory Board article, the Obama administration released a 166-page draft plan January 30th intended to drive providers and patients toward a common set of electronic clinical information and a commitment to more fully connected EHR systems by the end of 2017.

Interoperability 2017 – Will the latest government plan be the golden spike that connects the EHR rails?

In the Electronic Health Records (EHR) space, unconnected and competing systems carry the potential for organizational train wrecks.

Until robust, efficient, and mandatory interoperability standards emerge, providers should consider linking systems through other means, as failure to do so may lead to malpractice and regulatory compliance issues.

A new White Paper, Driving the Golden Spike: Avoiding Liability with Connected EHR Systems, is now available here.

Marketing Involving PHI

The HIPAA Omnibus Rule made changes to the rules related to marketing involving PHI. A marketing communication, as defined by HIPAA, is a communication about a product or service that encourages the recipient to purchase that product or service. Previously, PHI could not be used or disclosed for a marketing communication without authorization unless an exception applied. One exception allowed the use and disclosure of PHI for treatment-related marketing communications for which financial remuneration was received, provided the individual was given notice and an opportunity to opt out. Now, marketing communications about a third party’s products or services for which financial remuneration is received by the covered entity almost always require authorization from the individual, irrespective of whether they are treatment related, unless an exception applies. As long as the marketing communication is only about health-related product[s] or service[s] that the covered entity is offering, no prior authorization is required.

The few exceptions to the authorization requirement for marketing include:

  1. Face-to-face marketing communications;
  2. Promotional gifts of nominal value; and
  3. Prescription refill reminders, if the remuneration received by the covered entity is reasonably related to the cost of making the marketing communication.

If your organization uses PHI to market its own, or a third party’s, products and services, your organization should:

  1. Draft a form authorization to cover multiple, ongoing marketing communications;
  2. Implement or refine a process for tracking marketing communications and related authorizations to ensure that the recipients have signed authorizations or an exception applies; and
  3. Ensure that business associates and their subcontractors follow procedures that are materially the same.

Sale of PHI

Under the proposed regulation, the “sale of PHI” was prohibited without express authorization from the individual. Unfortunately, the “sale of PHI” was not a defined term and there was uncertainty as to how extensively the prohibition was to be applied. Now, we know that a “sale” covers the disclosure of PHI wherein direct or indirect remuneration was provided to the covered entity or business associate in exchange for the disclosure. Unlike in the marketing context, remuneration can include non-monetary exchanges such as an in-kind transaction. It also covers situations in which the party providing payment for the PHI is not the party who is receiving the PHI.

If your organization participates in the sale of PHI, the authorization to release the PHI must specifically state that the covered entity is receiving remuneration in exchange for the PHI.

Also note that data use agreements for limited data sets must be brought into compliance with these requirements by September 23, 2014.

In case you missed them, here are the first two installments in the series:

HIPAA: Are you up to date?

Omnibus Rule Changes to Breach Notification and Business Associates

Are healthcare providers at your facility texting patient information to each other? This type of communication is becoming more and more common, but such text messages are often in violation of HIPAA. To address this issue, Sprint announced last week that it is now offering two texting products that provide the proper security for PHI as required by HIPAA.

To provide this service, Sprint has partnered with TigerText, a privately held provider of secure text messaging services. Sprint is offering two levels of service. The basic service is only available to Sprint customers, but is less expensive and is aimed at companies that want to support internal text messaging between clinicians. The more advanced service works across platforms and carriers.

With either service, messages are sent through a secure server after users download an app on their phone.

Our Insight.  Your Advantage.  Our extensive knowledge of the healthcare industry allows us to recognize when new technology may help our clients provide better care at less cost. But we also identify and address legal issues that may arise with use of new technology tools.  For example, e-communications technology has profound compliance and risk repercussions for covered entities and business associates under HIPAA/HITECH and also for Meaningful Use.  If you are evaluating specific changes in your e-communications systems, or if you are planning to conduct an overall HIPAA Security Rule risk assessment, we can help.

On Thursday, March 7, 2013, the Office of the National Coordinator for Health Information Technology and the Centers for Medicare and Medicaid Services (CMS) released a notice and request for information concerning using additional policy levers to accelerate the adoption of electronic health record systems (EHRs). In part, the agencies are looking to increase the number of provider practices satisfying the core requirements for Meaningful Use under the Health Information Technology for Economic and Clinical Health (HITECH) Act.

In the notice, the agencies state that they are looking to accomplish this acceleration by “engaging other policy areas” within the jurisdiction of the U.S. Department of Health & Human Services (HHS), and may include a combination of incentives, payment adjustments, and new requirements. The agencies have identified three main areas in which to use the policy levers:

On January 17, 2013, the Office for Civil Rights of the U.S. Department of Health & Human Services issued its final rule modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security, enforcement, and breach notification rules under the Health Information Technology for Economic and Clinical Health (HITECH) Act. The final rule becomes effective on March 26, 2013, and compliance is required by September 23, 2013. At 138 pages, the rule addresses a number of topics, but one key change involves the breach notification requirements first enacted under the HITECH Act.

Currently, a “breach” is defined as an inappropriate use or disclosure of protected health information (PHI) involving significant risk of financial, reputational, or other harm. The final rule changes the definition by stating that an impermissible use or disclosure of PHI is presumed to be a breach, unless the covered entity or business associate, as applicable, can demonstrate that there is a low probability that the PHI has been compromised.

The rule further provides that the determination of whether PHI has been compromised should be evaluated based on at least the following four factors:

  1. The nature and extent of the PHI involved;
  2. The identity of the unauthorized person who used the PHI or to whom the PHI was disclosed;
  3. Whether the PHI was actually accessed or viewed; and
  4. The extent to which the risk to the PHI has been mitigated.


Our Insight.  Your Advantage.  While these factors are similar to those that may have been assessed under prior risk of harm analyses, their increased importance and the presumption of a breach under the new rule could have a significant impact on breach reporting. Accordingly, covered entities and business associates should review their breach notification policies and procedures prior to the September 23, 2013 compliance date to ensure they are consistent with these changes.