Failure to Update Business Associate Agreement Leads to Health System’s Settlement with OCR

A hospital’s breach notification to the Department of Health and Human Services, Office of Civil Rights (“OCR”) led to a Resolution Agreement, payment of $400,000 and a Corrective Action Plan for an east coast health system. On September 23, 2016, OCR issued a press release advising that Women & Infants Hospital of Rhode Island (“WIH”), a member of Care New England Health System (“CNE”), notified OCR of a reportable breach in November of 2012, stemming from its discovery that unencrypted backup tapes containing electronic Protected Health Information (“PHI”) were missing from two of its facilities. CNE provides centralized corporate support to the covered entities under its common ownership and control, including technical support and information security for WIH’s information systems, as its business associate. Although WIH had in place a business associate agreement (“BAA”) with CNE, it was dated from March of 2005 and had not been updated since implementation and enforcement of the HIPAA Omnibus Final Rule.

OCR’s investigation of WIH’s HIPAA Compliance program, triggered by the report of the missing tapes, uncovered the outdated BAAs. WIH updated their BAA on August 28, 2015, as a result of OCR’s investigation. OCR then determined that from September 23, 2014, the date enforcement of the Final Rule began, until August 28, 2015, WIH impermissibly disclosed the PHI of at least 14,004 individuals to its business associate when WIH provided CNE with access to PHI without obtaining satisfactory assurances, in the form of a written business associate agreement, that CNE would appropriately safeguard the PHI. The settlement was reached without any admission of liability by CNE or WIH.

The settlement is a jolt to many covered entities and their business associates for a number of reasons. The key take-aways are:

  • There is an inference in OCR’s actions that a well-worded BAA, wherein the business associate agrees to abide by the specifications required by the Privacy and Security Rules, is sufficient to satisfy the covered entity’s obligation to obtain “satisfactory assurances” that the business associate will appropriately safeguard the PHI (meaning those often lengthy and burdensome security questionnaires or audits business associates are being asked to complete may be unnecessary and not required);
  • Documentation of intent and action, including policies, procedures and BAAs, is extremely important in establishing HIPAA compliance (i.e., the fact that the mistake occurred—tapes went missing—is being treated as the result of the absence of a written agreement, justifying the enforcement action, when in reality it is likely, or at least conceivable, that human error, inadvertence or lack of attention is the root cause and this could have occurred even if an updated BAA was in place and being followed); and
  • Policies, procedures and continuous training and retraining of the workforce handling PHI are imperative to a successful HIPAA compliance program, and remain on the radar of any OCR investigation.

A copy of the Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/wih.
OCR’s sample BAA may be found at http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.

Ransomware: Preparing for the Storm That’s A Brewin’

On July 11, 2016, the Office for Civil Rights (“OCR”) published guidelines for ransomware attack prevention and recovery, including the role HIPAA has in assisting covered entities and business associates to prevent and recover from such attacks, and how HIPAA breach notification processes should be managed in response to a ransomware attack. According to the OCR report, there have been 4,000 daily ransomware attacks since early 2016, up 300% from 2015. Earlier this week a healthcare IT Security Consultant told me the chatter he hears is that the hackers out there are working on stronger, more aggressive, more deadly hacks to unleash, and he fears a hacking storm a brewin’. Time to get serious and batten down the hatches, folks!

The OCR report describes what a ransomware attack is, and explains that maintaining strict HIPAA Security Rule compliance can help prevent the introduction of malware, including ransomware. Some of the required security measures discussed include:

  • Implementing a security management process, which includes conducting a risk analysis and taking steps to mitigate or remediate identified threats and vulnerabilities;
  • Implementing processes to guard against and detect malicious software;
  • Training users on malicious software protection; and
  • Implementing access controls.

Since ransomware gets into your system and then ties up your data, denying you access to your data (usually through encryption), and then directs you to pay a ransom to the hacker in order to receive a decryption key, maintaining frequent backups and ensuring the ability to recover data from backups is crucial to recovering from a ransomware attack. Again, HIPAA compliance protects entities because the Security Rule requires covered entities and business associates to implement a data backup plan as part of maintaining an overall contingency plan, which includes periodic testing of the plan to be sure it works.

The presence of ransomware – or any malware – is considered a security incident and triggers the need to initiate security incident response and reporting procedures. Based upon an analysis of the investigation results, breach notification may be required. Additionally, if there is an impermissible disclosure of PHI in violation of the privacy rule there is a presumed breach which may trigger notification. Whether or not the presence of ransomware would be a breach under HIPAA Rules is thus fact specific. However, unless the entity demonstrates there is a “…low probability that the PHI has been compromised,” a breach of PHI is presumed to have occurred and the entity must comply with the applicable breach notification provisions.

Further information and a copy of the OCR report can be found here.

‘The Dark Overlord’ Places Healthcare Databases on Dark Web

Once again news reports teach us that the time to have your robust data privacy and security program in place and continually monitored was yesterday!

On June 26 it was reported on DataBreaches.net that 655,000 patient records from three different healthcare databases were up for sale on the dark net. According to reports on the DeepDotWeb, at least one of the hacked entities was using SRS EHR v.9 patient management software. DeepDotWeb also reports that the hacker communicated with them over an encrypted Jabber conversation, and included images from the largest database hack from the hacker’s internal network. The seller/hacker asked the website to add a note to the breached companies: “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come.”

Apparently it was shortly after that a fourth stolen database, consisting of a reported 9.3 million individuals’ records from a health insurer, went up for sale. The hacker taking credit for all of them refers to himself as “The Dark Overlord”. He claims to have contacted the entities to warn them about the vulnerabilities of their systems, and offered to fix or reveal the problems, for an undisclosed amount, which the healthcare organizations declined. In other words, the hacker offered the stolen data back to its owners for an extorted ransom. When the demand was not paid the hacker moved on to Plan B – sell the data on the dark web. The hacker offered the data from the four hacked healthcare organizations for prices ranging from $96,000 to $490,000 in bitcoin.

In the past week two of The Dark Overlord’s targets – Athens Orthopedic Clinic in Georgia and a Missouri group of clinics owned by Dr. Scott Van Ness – have been identified. The hacker accessed electronic medical records of both targets using the credentials of a third-party vendor. Personal information of current and former patients was breached, including names, addresses, social security numbers, dates of birth and telephone numbers, and in some cases diagnoses and partial medical history. Athens Orthopedic Clinic is advising its current and past patients to place a fraud alert on their credit reports with the major credit bureaus. This notice, however, is alleged to have materialized only after events of last weekend, when 500 patient records from Athens Orthopedic Clinic appeared on Pastebin, with a note to their CEO to “pay the [expletive omitted] up.”

Notably, according to reports on Databreaches.net, both entities have acknowledged that the attacker likely got access by an unnamed third party contractor (presumably the EMR vendor). Databreaches.net claims however that neither entity mentioned the ransom demands or that patient data was being dumped in public and was still up for sale on the dark net. Athens Orthopedic Clinic apparently did work to get the information removed from Pastebin, but the other group’s data was still posted as of July 16.

Several lessons (or at least questions) must be in the minds of any healthcare organization as they learn of these events. First is the question of whether your own data security is protected from such attacks, or whether you are vulnerable as well. How safe is your EMR system? How closely do you audit and monitor the third party vendors you contract with? Second, and something I think every organization should have at least a working framework to use for analysis in the event they find themselves the recipient of a post-breach ransom demand, is: what will your response be in the event you receive such a demand?

HIPAA – Are you ready for an audit?

HIPAA (the Health Insurance Portability and Accountability Act) is well known to all health care providers, as it governs the privacy of patient information, among other things. The basic parameters of the Privacy Rule should be known to all providers who handle protected health information.

The Office of Civil Rights for the U.S. Department of Health and Human Services (“OCR”) has launched a new audit initiative to make sure that health care providers are complying with HIPAA. Concerning its initiative, OCR says, “OCR’s audits will enhance industry awareness of compliance obligations and enable OCR to better target technical assistance regarding problems identified through the audits.” Providers would be well advised to ensure that they are ready for a HIPAA audit and are in full compliance with the Privacy Rule.

HHS/OCR Issues Guidance on HIPAA and Workplace Wellness Programs

Many employers view wellness programs as a way to lower health care costs and promote healthy behavior. With the growth of workplace wellness programs, new guidance from the Office of Civil Rights (OCR) at the Department of Health and Human Services (HHS) is timely. HHS/OCR recently issued guidance in the form of frequently asked questions about HIPAA and workplace wellness programs.

The applicability of HIPAA to a workplace wellness program depends on how the program is structured. An employer may sponsor its own wellness program or offer it through the employer’s group health plan. When a workplace wellness program is offered as part of a group health plan, individually identifiable health information collected from wellness program participants is protected under HIPAA because the group health plan is a covered entity under HIPAA. However, a workplace wellness program that is not offered as part of a group health plan but is offered by an employer directly is not covered by HIPAA since HIPAA applies only to covered entities and business associates, but not to employers in their capacity as employers. However, other federal and state laws may apply to the collection and/or use of information by an employer that directly offers a workplace wellness program.

The guidance also addresses whether a group health plan may allow an employer as plan sponsor access to protected health information about participants in a wellness program offered through the plan. If the employer does not administer the health plan, the group health plan can disclose to the employer as plan sponsor only information on which individuals are participating in the health plan and summary health information if requested for the purposes of modifying the plan or obtaining premium bids for coverage.

The guidance states that the group health plan can provide an employer that is a plan sponsor and performs administrative functions on behalf of the group health plan with access to protected health information necessary to perform its plan administrative functions, but only if certain conditions are met. These conditions, which the employer as plan sponsor must include in plan documents and certify agreement to, include the following:

  • There must be adequate separation between employees who perform plan administrative functions and those who do not;
  • Protected health information cannot be used or disclosed for employment-related actions or other prohibited purposes under the privacy rule; and
  • There must be reasonable and appropriate administrative, technical, and physical safeguards to protect any electronic protected health information.

As employers and group health plans begin developing and implementing workplace wellness programs this year, they should review OCR’s recent guidance to ensure that they are in compliance with HIPAA.


Responding to Medical Record Requests: Changes in Colorado Law Affect Health Care Facilities

Last year Colorado, like many other states, passed new legislation that affects patient requests for medical records and the fees that may be charged for copies of the medical records.  House Bill 14-1186, codified at C.R.S. § 25-1-801, with related regulations at 6 CCR 1011-1, Ch. 1, Part 5.  The law changes the fees that may be charged for providing copies of records and adds provisions relating to the delivery of records in electronic format.  These provisions apply to medical records in the custody of a broad range of health care facilities (see C.R.S. § 25-1.5-103(1)) , including hospitals, nursing homes, assisted living residences, and hospice.

Colorado law requires that health care facilities make medical records available for inspection by a current patient or the patient’s personal representative at reasonable times and upon reasonable notice, except for certain records withheld in accordance with 45 C.F.R. § 164.524(a).  A reasonable time for inspection should normally not exceed 24 hours from the date of the request (excluding weekends and holidays) for an inpatient or current resident.  The patient or designated representative may not be charged for inspecting the records.

With regard to a discharged patient or resident, a health care facility must make a copy of the record available or make the record available for inspection within a reasonable time from the date of the signed request, normally not to exceed ten days, excluding weekends and holidays.  However, if the health care provider or designated representative is not available to acknowledge the request, the facility shall inform the patient of the situation and provide the records as soon as possible.  Discharged patients or their representatives cannot be charged for inspecting patient records.

Health care facilities should be aware of certain provisions of Colorado law relating to electronic records and films.  Medical records must be delivered in electronic format if the records are requested in electronic format, they are stored in electronic format, and are readily producible in electronic format.  Finally, a health care facility must release the original film if a licensed health care professional determines that a copy is not sufficient for diagnostic or other treatment purposes.

The amount that may be charged for medical records varies, depending upon the requesting party.  When a patient or a personal representative requests a copy of medical records, the fees are set in accordance with HIPAA.  Under HIPAA, a covered entity may charge a patient or a personal representative a reasonable, cost-based fee for providing a copy of medical records; this fee may encompass the cost of copying (including the cost of supplies for and labor of copying) and postage.  However, health care facilities may charge third parties fees that are established under state law.  Thus, the HIPAA fee limitations do not apply when records are released under other HIPAA-compliant situations, such as requests that are based on an individual’s authorization.

Colorado law establishes the following reasonable fees that a health care facility may charge a third party.  The fees may not exceed the following:

  • For the first ten pages:  $18.53
  • For the next thirty pages (pages 11 through 40):  85 cents per page
  • Each additional page after page 40:  57 cents per page (all records except those stored on microfilm) or $1.50 per page (records stored on microfilm)
  • Actual reproduction costs for each copy of a radiograph
  • Certification of medical records, if requested:  $10.00 fee
  • Actual postage and electronic media costs if applicable
  • Applicable taxes

Under certain circumstances, third parties may not be required to pay any fees or a different fee schedule may apply.  If a patient record is requested under the Laura Hershey Disability-Benefit Support Act, C.R.S. §§ 24-30-2201 through 2207, the third party may obtain one free copy of the record for the application process or for an appeal or reapplication when required by the disability benefits administrator.  Where a statute or rule for a state or local government entity establishes maximum rates, these rates prevail.  Finally, the statutory fee schedule does not apply to coroners requesting medical records.

Health care facilities should review their policies on releasing and charging for copies of medical records to ensure that they are in compliance with recent changes in Colorado law.

HIPAA Privacy and Public Health Emergency Situations

In light of the Ebola outbreak, the U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR) has issued a bulletin reminding health care providers that the protections under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule are not set aside during an emergency.  OCR reminds covered entities that “the protections of the Privacy Rule are not set aside during an emergency.”  OCR cautions that in an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against impermissible uses and disclosures.  Thus, covered entities and their business associates should review the HIPAA Privacy Rule to ensure that uses and disclosures in emergency situations are appropriate, as well as provide training and reminders to employees.

HIPAA recognizes that under certain circumstances it may be necessary to share patient information without authorization.  OCR’s bulletin notes that covered entities may disclose protected health information without a patient’s authorization as necessary to treat the patient or a different patient.  HIPAA also allows covered entities to release patient information without authorization for certain public health activities.  A covered entity may disclose protected health information to a public health authority that is authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability.  Information may also be shared at the direction of a public health authority to a foreign government that is acting in collaboration with the public health authority.  In addition, health information may be shared with persons at risk of contracting or spreading a disease or condition if authorized by law.  Finally, health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public consistent with applicable law and ethical standards.

There are additional circumstances that allow the disclosure of protected health information.  A covered entity may disclose protected health information to a patient’s family members, relatives, friends, or other persons who the patient identifies as being involved in the patient’s care and disaster relief organizations.  Covered entities should review the specific circumstances that allow the release of this information.

Covered entities should also review whether the minimum necessary requirement applies.  For most disclosures, but notably not disclosures to health care providers for treatment purposes, a covered entity must make reasonable efforts to limit the information disclosed to the “minimum necessary” to accomplish the purpose.

Although the media has reported many details about Ebola patients, HIPAA is not suspended when providing information to the media about Ebola or other public health emergencies.  Therefore, covered entities should carefully review the rules surrounding disclosures to the media or others not involved in the care of the patient.  If the media requests information about a particular patient by name, a health care facility may release limited facility directory information to acknowledge that the individual is a patient and provide basic information about the patient’s condition in general terms, if the patient has not objected or restricted the release of this information, but information about an incapacitated patient may only be released if the disclosure is believed to be in the patient’s best interest and is consistent with the patient’s prior expressed preferences.  General information about a patient’s condition includes critical or stable, deceased, or treated and released.  OCR cautions that affirmative reporting or disclosure to the media or the public at large about an identifiable patient or specific information may not be done without the patient’s or an authorized personal representative’s written authorization, unless one of the limited circumstances described elsewhere in OCR’s bulletin is applicable.

Although HIPAA is not suspended during a public health or other emergency, the HHS Secretary may waive certain provisions under the Project Bioshield Act of 2004 and section 1135(b)(7) of the Social Security Act.  The limited waiver applies to certain sanctions and penalties of the Privacy Rule if the President declares an emergency or disaster and the HHS Secretary declares a public emergency.  The waiver only applies in the emergency area and for the emergency period identified; to hospitals that have instituted a disaster protocol; and for up to 72 hours after the hospital implements its disaster protocol.  Once the Presidential or Secretarial declaration ends, a hospital must comply with the entire Privacy Rule, even if less than 72 hours have elapsed since the hospital implemented its disaster protocol.

Are Medical Marijuana Dispensaries Covered Entities Under HIPAA?

I was talking to a colleague recently and she raised an interesting question – are medical marijuana dispensaries covered entities under the Health Insurance Portability and Accountability Act (HIPAA)?  I represented the Colorado Medical Marijuana Registry while at the AG’s office, so my colleagues usually come to me with medical marijuana questions.

My first follow-up was to ask what personal health information (PHI) the dispensary was holding.  After all, in my experience, most dispensaries function on a strict transaction-by-transaction business model.  A patient-customer comes in, shows his or her medical marijuana registry card and an ID, and makes the purchase in cash.  My colleague reminded me that some dispensaries have opted to go with a “wellness center” approach and offer health care services in addition to medical marijuana, and these expanded service providers sometimes will retain patient records that might fall under the PHI umbrella.

So with that resolved, I started digging a little into the underlying question.  This is actually a difficult question.  Based on second-hand reports, it appears that the Department of Health and Human Services (HHS) takes the position that because a physician “prescription” is required, a dispensary is providing health care services under the HIPAA analysis.  (Note:  This is technically inaccurate, at least in Colorado.  A physician must certify that the patient in question suffers from a chronic or debilitating disease or medical condition, but the applicable statutes and regulations avoid using the term “prescription.”)

But that isn’t the end of the inquiry.  Not all providers are covered entities under HIPAA.  In fact, as this helpful chart from the Centers for Medicare and Medicaid Services (CMS) demonstrates, the provider in question must transmit “covered transactions” electronically.  A CMS regulation, in turn, defines covered transactions to be “[a] request to obtain payment, and the necessary accompanying information from a health care provider to a health plan, for health care,” or “if there is no direct claim, because the reimbursement contract is based on a mechanism other than charges or reimbursement rates for specific services, the transaction is the transmission of encounter information for the purpose of reporting health care.”

Insurance companies don’t pay for medical marijuana, so the first of those doesn’t apply.  With respect to the second type of covered transaction, another CMS regulation specifies what will and what won’t be encompassed by the definition.  There are a dozen different examples, but it should suffice to say that all of them involve the electronic transmission of health or claims information.  And remember what I said above?  In my experience, medical marijuana dispensaries aren’t in the business of receiving or sending any health information, electronic or otherwise.  They run a storefront and fill requests for medical marijuana on a cash-only basis.  In that paradigm, because no health or claim information is transmitted electronically, the dispensary wouldn’t be a HIPAA-covered entity.

That said, if a “wellness center”-model dispensary stores patient health information and transmits it for some reason, then it’s possible that the dispensary might be a covered entity.  As noted above, HHS certainly thinks so.  But I would guess that such centers are few and far between – and it certainly would behoove individuals considering operating that model of dispensary to think about the ramifications of their decision.

HHS Releases Risk Assessment Tool to Assist With HIPAA Compliance Efforts

The Department of Health and Human Services (HHS) announced a new tool to help health care providers in small to medium-size offices with compliance efforts under the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA requires organizations to conduct self-assessments to identify potential weaknesses and address vulnerabilities in the systems used to protect the security of patient health information.  This new tool will guide health care providers in conducting risk assessments.

A downloadable application and a tutorial video are available here.  Health care providers can also give feedback on the tool until June 2, 2014.

Text Messaging and HIPAA Compliance Risks

Like everyone else, health care workers have become accustomed to the convenience of communicating by text message.  Although using text messages can make communications more efficient in the health care setting, transmitting protected health information (PHI), including photographs, in text messages raises Health Insurance Portability and Accountability Act compliance risks.  Some of the compliance risks include the following:

  • Many people do not password-protect a mobile device, making it easy for another user to access PHI stored in texts.  This access can occur when the device is shared, lost, or stolen.
  • Text messages often are not encrypted, unlike e-mail.
  • The use of personal mobile devices to send texts or photographs is common, unlike email, which most often is sent on work-issued computers or tablets.
  • Text messages can remain on a mobile device indefinitely.

The U.S. Department of Health & Human Services (HHS) and the Office of the National Coordinator for Health Information Technology (ONC) have gathered tips to safeguard PHI when using mobile devices.  They make the following suggestions about how to protect and secure information on mobile devices, which apply to developing a policy on transmitting PHI by text message.

  • Use a password or other user authentication.
  • Install and enable encryption.
  • Install and activate remote wiping and/or remote disabling.
  • Maintain physical control of the mobile device.
  • Delete all stored health information before discarding or reusing the mobile device.

HHS and ONC have resources to assist in updating or developing policies for mobile device use.  They recommend the following five steps for policy planning.  These steps can assist health care organizations in developing a policy on using text messages to transmit PHI.

1.   Decide whether mobile devices will be used to access, receive, transmit or store PHI.

2.   Conduct a risk analysis to identify risks and perform a risk analysis periodically whenever there is a new mobile device, a lost or stolen device, or suspicion of compromised health information.  After conducting a risk analysis, document:

  • which mobile devices are used to communicate with your organization’s internal networks or system; and
  • what information is accessed, received, stored, and transmitted by or with the mobile device.

In addition, organizations should review HHS “HIPAA Security Series: Basics of Risk Analysis and Risk Management” for guidance on conducting a risk analysis.

3.   Identify your organization’s mobile device risk management strategy, including privacy and security safeguards.   The risk management strategy should include evaluation and maintenance of the mobile device safeguards you put in place.

4.   Develop, document, and implement your policy.  HHS and ONC suggest that the organization consider the following.

  • mobile device management, including identifying and tracking devices;
  • whether personal mobile devices can be used and whether they can be used to connect to the organization’s internal network or system;
  • whether the device can be used away from the organization;
  • whether the device can be used to text;
  • security/configuration settings on mobile devices;
  • restrictions on information that can be stored on mobile devices;
  • procedures for addressing misuse of mobile devices; and
  • recovery and deactivation to wipe or disable lost or stolen devices or devices of employees who leave the organization.

5.   Provide training on mobile device use.
