CVS & HHS: Partners in Compromising Your Privacy
Filed under: Health Law, Prescription Drugs, Privacy
On January 16, 2009, the Department of Health and Human Services (HHS) and CVS entered into a resolution agreement requiring CVS to pay a $2.25 million fine and implement a corrective action plan for “potential violations of the HIPAA [The Health Insurance Portability and Accountability Act of 1996] privacy rule.” Why? CVS had allegedly been placing prescription bottles and labels into dumpsters that were accessible to the public. The bottles/labels contained protected health information (PHI), which CVS was required to safeguard under federal law.
Although HHS appears to regard the settlement as a success, given its prominence on the HIPAA enforcement section of HHS’s website, it is nothing of the sort. The agreement provides that CVS “expressly den[ies] any violation of HIPAA or the Privacy Rule, and further den[ies] any wrongdoing,” while HHS does not concede that CVS is “in compliance with the Privacy Rule.” HHS did agree with itself, however, releasing an FAQ (accompanying the press release) stating that under its Privacy and Security Rules: “covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons.”
Why is this old news important? This week I had a prescription filled at my local CVS pharmacy in Livingston, New Jersey. While standing at the pharmacy I noticed that all of the filled prescriptions were stored directly behind the counter in plain view of any customer. Each prescription was inside a small bag to which a customer receipt was attached. The receipts in the front row of the storage bins were readable from the counter. The receipts contain protected health information (PHI) that is subject to the Privacy and Security Rules of HIPAA including:
1) Full name,
2) Address,
3) Telephone number,
4) Day and month of birth,
5) Drug name and dosage, and
6) Prescriber.
HHS maintains the authority for civil enforcement of violations of the Privacy and Security Rules promulgated pursuant to HIPAA. So, why is it that CVS allows the public to view its customers’ PHI in violation of HIPAA even while still subject to the corrective action plan for its prior alleged violations? Well, I asked the pharmacist on duty. The pharmacist acknowledged that it was a problem that the PHI could be viewed from the counter. However, CVS was expecting to remodel and “hopefully” the shelf would be placed farther away to render the PHI unreadable. Upon requesting the contact information for CVS’s privacy officer, the pharmacist readily provided such information and stated that she would “appreciate” someone actually reporting the apparent violation.
HHS was recently provided with additional enforcement tools under the HITECH provisions of the American Recovery and Reinvestment Act of 2009. Unfortunately, it does not appear that HHS is serious about enforcing its own regulations or resolution agreements; nor, if the flagrantly violative placement of prescriptions is indicative of mindset, is CVS serious about HIPAA compliance.
HIPAA Administrative Simplification: Enforcement
By Laura Sunyak
In February of 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009 (ARRA), and with it enacted the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The HITECH Act contains provisions that significantly increase the penalty amounts the Secretary of the Department of Health and Human Services (HHS) may impose for violations of rules promulgated under the Health Insurance Portability and Accountability Act (HIPAA), and encourages corrective action. In order to incorporate the increased penalty structure into HIPAA, HHS has recently issued an interim final rule designed to strengthen its enforcement power and incorporate the new penalty structure of the HITECH Act into HIPAA.
Prior to the HITECH Act, the Secretary could not impose a penalty of more than $100 for each violation, or $25,000 for all identical violations of the same provision. A covered entity could also bar the imposition of a civil monetary penalty by simply showing that it did not know that it violated a HIPAA rule. As a result, enforcement of HIPAA rules has been weak, bordering on nonexistent. The number of covered entities that were in full compliance with the law was always very low, simply because HHS did not have a sufficient enforcement mechanism in place to deter violations. If covered entities did change their behavior to become compliant, it was out of a desire to follow the law, not due to fear of prosecution or administrative action.
Before ARRA was signed into law, although there were HIPAA audits that took place, they were few and far between. Covered entities complained that the requirements were not clear, and so hesitated to attempt to comply. With the enactment of ARRA and the HITECH Act, and the adoption of the interim rule, HIPAA covered entities will have no choice but to take notice and comply, or face much harsher penalties. The implementation of these acts also transfers authority for enforcement of HIPAA’s security rules from the Centers for Medicare and Medicaid to the Office for Civil Rights (OCR) which, with 275 investigators and an annual budget of $40 million, is in a better position to bring enforcement actions and recover penalties. The penalties collected for violations will in turn be used to fund greater enforcement efforts. The interim rule amends 45 CFR part 160, subpart D, which establishes rules relating to the imposition of civil money penalties, to conform several provisions to section 13410(d) of the HITECH Act’s amendments to section 1176 of the Social Security Act, which became effective February 18, 2009. This interim final rule’s amendments distinguish between violations occurring before February 18, 2009, and violations occurring on or after that date, with respect to the potential amount of the civil money penalty and the affirmative defenses available to covered entities.
The interim final rule, effective as of November 30, 2009, modifies the penalties for HIPAA violations occurring after February 18, 2009. (For an explanation of the meaning of “interim final rule,” click here.) According to this rule, the penalty for unknown violations, where the covered entity did not know of the violation, and would not have known by exercising reasonable diligence, is now between $100 and $50,000. For violations involving reasonable cause, such as circumstances that would make it unreasonable to comply with HIPAA despite extraordinary care, the penalty is now between $1,000 and $50,000. For violations involving willful neglect, or a conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA, the penalties are further broken down by whether or not the covered entity corrects the violation. If the violation is corrected within 30 days, the penalty is now between $10,000 and $50,000. If the violation is not timely corrected, each violation will be fined $50,000. The rule also puts into place an annual cap of $1.5 million on all violations of an identical provision.
According to Georgina Verdugo, the director of OCR, the implementation of these tougher enforcement provisions strengthens HIPAA protections and rights related to protected health information, and should encourage covered entities, including health care providers and health plans, to “ensure that their compliance programs are designed to prevent, detect, and quickly correct violations of the HIPAA rules.… such heightened vigilance will give consumers greater confidence in the privacy and security of their health information and in the industry’s use of health information technology.”
The enactment of these tougher enforcement penalties creates additional incentives to make sure that covered entities have HIPAA compliance programs in place, which should include training employees to be compliant and ensuring that they are aware of how important it is to report potential violations so that they can be corrected in a timely manner.
When taking into account the lack of enforcement that had occurred prior to the recent HIPAA amendments, the new provisions seem to be a necessary step in enforcing the law and preventing the misuse of protected health information. With more resources available to track down HIPAA violations, and steeper penalties exacted against entities that violate HIPAA, the new rule is a step in the right direction toward greater protection of protected information. With the rampant rise of identity theft in this electronic age, consumers can never be too careful in ensuring that information stays in the right hands.
As HHS acknowledges, this Interim Final Rule is only the first of several steps being taken to implement the HITECH Act’s tougher enforcement provisions. The remaining provisions, which are not yet effective, will be addressed in the near future.
Breach Notification for Unsecured Protected Health Information
By Michael R. Spaltro
Gordon Moore, Intel co-founder, famously predicted that the speed of technology will double about every two years. Between 1981 and 1991, “computer processing speed increased tenfold, the instruction execution rate a hundred fold, system memory grew a thousand times, and system storage expanded by a factor of 10,000.” That was just the beginning. Intel has kept that pace for nearly 40 years, now introducing the world’s first 2-billion transistor microprocessor. The development of fundamental computer technology has translated into ubiquitous information technology infrastructure. Deploying information technology within the healthcare industry is significantly complicated by the indispensability of life and health to everything else we do. The privacy of electronic health records (“EHR”) that contain personally identifiable health information (“PHI”) is one area of particular concern.
Health care providers, health care plans, health care clearinghouses, and their business associates across the country are currently using EHRs as an efficient method to locally store patient records.[1] EHRs may contain patient treatment history, social and demographic data, and a multitude of other personal health information (“PHI”).[2] If the underlying computer technology continues to grow at the staggering pace predicted by Moore’s Law, the function of EHRs will expand to “assume a key role in medical diagnosis and treatment management.”[3] Moreover, the Food and Drug Administration, in collaboration with public, academic, and private entities, is expected to use EHRs to link and analyze medical safety data from over 100 million patients by July 2012.[4] The resulting electronic network of interoperable healthcare data is of a scale never before contemplated in the industry. Personally identifiable health information, such as the data contained across local provider EHRs, health plan claims databases, and Medicare databases, will be remotely transmitted, stored, accessed, and analyzed.
Transmitting EHRs between an originating entity and the entity/infrastructure involved in research, development, and storage of EHRs, creates an increased potential for internal and external breach. Moreover, as EHRs become populated in local and remote institutions across the country, the incidence of breach ostensibly increases. In the event of breach, an individual may be exposed to a number of dangers. EHRs contain personal information of high value to computer hackers, such as social security numbers or payment information.[5] Furthermore, an otherwise legitimate entity could potentially use health information in a less nefarious way that nonetheless breaches individual privacy. How can we legally protect privacy while realizing the benefit of electronic health information technology?
The Health Insurance Portability and Accountability Act (“HIPAA”) guards against unauthorized access to protected health information. The HIPAA Security Rule and Privacy Rule require an entity such as a health plan, health care provider, business associate, or a health care clearinghouse, to safeguard all protected health information. Civil and criminal penalties are enforced against entities that fail to comply. The FDA’s qualified contractors[6] will similarly be subject to HIPAA under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act by 2017.[7] Therefore, the entire electronic network of EHRs will be covered by the Privacy Rule and the Security Rule. Within covered entities, protected health information is to be stored with any security measure that allows an entity to reasonably and appropriately implement all safeguard requirements. The Security Rule permits a covered entity to use firewalls and other access controls (such as passwords) to safeguard PHI in its electronic form. Without this intangible structure protecting EHRs, unauthorized parties could easily access PHI, and PHI could easily flow out to any individual, device, or system that interoperates with EHR databases. The HIPAA Security Rule therefore assures that a covered entity is reasonably protecting an individual’s privacy by safeguarding personal health information.
Firewalls and other reasonable access controls are not impermeable. Earlier this year, a highly sophisticated attack on Google penetrated the multi-billion dollar corporation, causing it to later withdraw from China. Merck & Co. and Cardinal Health Inc. were among others infiltrated in the attack. The extent of information exposed is still not fully understood. Thus, breaches occur even when reasonable and appropriate safeguards are required. The access controls required by HIPAA in the Security Rule are not sufficient to protect a vast network of interoperable EHRs. Further data encryption and/or secure data destruction will eventually be required to protect individual privacy.
Pursuant to the Privacy section of the HITECH Act, Title XIII Division A, Subtitle D, the Department of Health and Human Services (“HHS”) was required to promulgate breach notification for unsecured protected health information rules and regulations (“Breach Rule”). HHS issued a final rule, effective September 23, 2009, requiring all entities and business associates covered under HIPAA to provide notification in the cases of breaches of unsecured protected health information. Presumably, an individual who is made aware that his personal information was compromised is better equipped to mitigate identity theft or other harms that could arise.
The provisions in Section 13402 of the HITECH Act are consistent with HIPAA definitions of a “covered entity” and “protected health information.” The Act defines breach as the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security of that information. In other words, if a firewall or reasonably appropriate access control is breached — a covered entity must report that breach to all of the individuals affected. Importantly, notification of breach is only required for unsecured personal health information. If a covered entity is in the practice of encrypting and/or destroying PHI in accordance with the National Institute of Standards and Technology (NIST), then that entity does not have to report a breach of their firewalls or access controls. It is only necessary to provide notice if “unsecured protected health information that is not secured through the use of technology or methodology specified…” is breached. The rationale is obvious. If a covered entity encrypts PHI in accordance with NIST standards, then the data is unusable in the event of a breach, and notification would be superfluous.
Consequently, a covered entity has two choices: (1) secure all EHRs that contain PHI; or (2) report breaches of PHI. The Breach Rule encourages covered entities to take the former approach. To secure EHRs that contain PHI, an entity must regularly perform two standard procedures. First, the NIST published standards recommend a “one pass” method of data deletion for most applications.[8] When electronic data is deleted, it is only removed from the file system. The “image” of the data physically remains on the hard drive of the device. Software and hardware methods of recovering deleted data are available to the public. Therefore, “deleted” PHI data could be recovered by an unauthorized entity in the event of a breach. The NIST recommends that one data overwrite be performed on the deleted data, so as to render it unrecoverable. Depending on the method used and size of the database, data deletion can take up to an hour.
Second, and perhaps less straightforward, the NIST recommends data encryption using one of the following four methods: full disk encryption; volume encryption; virtual disk encryption; or file/folder encryption.[9] The capital expenditure necessary to install and maintain encryption software/hardware throughout a covered entity is immense. Furthermore, encrypting millions of EMRs will tax computer processors and networks, and will additionally hamper interoperability. When data is encrypted it loses all functionality, and therefore must be decrypted by the authorized end-user before each use. It would be additionally problematic to transfer encrypted data throughout an electronic network, like that contemplated by the FDA, unless all systems were equipped to recognize and decrypt the data. Thus, under any of the encryption methods above, the net result is a loss of productivity and interoperability. Moreover, encrypted data may not mean secure data. The end-user authorized to access encrypted data will likely decrypt it during the course of a work day. Therefore, so-called encrypted PHI would be exposed to the same daily risks as unsecured PHI. Consequently, the nature of data encryption may not even provide the security and privacy that the Breach Rule contemplates.
While some covered entities are voluntarily choosing to encrypt and secure PHI, the impracticality and cost of data encryption are prohibitive. Covered entities were allowed 180 days to become compliant with the Breach Rule. That period has expired, and most covered entities have not opted to encrypt PHI. Instead, covered entities have put reasonable systems in place to detect breaches, as required by the Breach Rule. The Breach Rule requires notification without unreasonable delay once a covered entity learns of a breach. A majority of states already had breach notification laws in place, and thus covered entities had respective systems in place to detect and report breaches.
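The first procedure above (overwrite before release, the “clear” method of NIST SP 800-88) can be seen on a toy block device. This is an added example, not code from the article: the simulated disk, its allocation table and the sample PHI record are constructed for illustration, and clear_file() applies the same one-pass overwrite to a real file path.

```python
"""Why an ordinary 'delete' leaves PHI recoverable, and what one overwrite pass
changes. Added illustration; the disk model and record below are constructed."""
import os
import tempfile
from dataclasses import dataclass, field

BLOCK_SIZE = 32

# Constructed sample record with the same fields a pharmacy receipt carries.
PHI_RECORD = b"PATIENT: Jane Doe; DOB 03/14; RX: examplemed 10mg\n"


@dataclass
class SimDisk:
    """Toy block device: raw media plus an allocation table (name -> blocks)."""
    n_blocks: int
    media: bytearray = field(init=False)
    alloc: dict = field(default_factory=dict)

    def __post_init__(self):
        self.media = bytearray(self.n_blocks * BLOCK_SIZE)

    def _free_blocks(self):
        used = {b for blocks in self.alloc.values() for b in blocks}
        return [i for i in range(self.n_blocks) if i not in used]

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        free = self._free_blocks()
        if needed > len(free):
            raise OSError("disk full")
        blocks = free[:needed]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            start = b * BLOCK_SIZE
            self.media[start:start + len(chunk)] = chunk
        self.alloc[name] = blocks

    def delete_file(self, name):
        """Ordinary 'delete': only the allocation entry disappears; bytes stay."""
        del self.alloc[name]

    def clear_and_delete(self, name, pattern=b"\x00"):
        """SP 800-88 'clear' for magnetic media: overwrite every block the file
        occupied once, then release the allocation entry."""
        for b in self.alloc[name]:
            self.media[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = pattern * BLOCK_SIZE
        del self.alloc[name]

    def carve(self, marker):
        """What a recovery tool does: scan the raw media, ignoring the file
        system, and return every newline-terminated record starting with marker."""
        hits, pos = [], 0
        while (i := self.media.find(marker, pos)) >= 0:
            end = self.media.find(b"\n", i)
            hits.append(bytes(self.media[i:end if end >= 0 else len(self.media)]))
            pos = i + 1
        return hits


def recoverable_after_delete():
    disk = SimDisk(8)
    disk.write_file("rx_receipt.txt", PHI_RECORD)
    disk.delete_file("rx_receipt.txt")
    return disk.carve(b"PATIENT:")  # the record is still on the media


def recoverable_after_clear():
    disk = SimDisk(8)
    disk.write_file("rx_receipt.txt", PHI_RECORD)
    disk.clear_and_delete("rx_receipt.txt")
    return disk.carve(b"PATIENT:")  # nothing left to carve


def clear_file(path, pattern=b"\x00"):
    """One-pass overwrite of a real file in place, flushed to the device, then
    unlink. Caveat from SP 800-88 Rev. 1: overwriting is not a reliable clear
    on flash/SSD media or copy-on-write and journaling file systems, where old
    copies of blocks may survive; purge (e.g. cryptographic erase) is needed."""
    remaining = os.path.getsize(path)
    with open(path, "r+b") as f:
        while remaining > 0:
            n = min(remaining, 64 * 1024)
            f.write(pattern * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)


def demo_clear_real_file():
    """Write the sample record to a temp file, clear it, return (before, after)."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(PHI_RECORD)
    existed = os.path.exists(path)
    clear_file(path)
    return existed, os.path.exists(path)


if __name__ == "__main__":
    print("carved after delete:", recoverable_after_delete())
    print("carved after clear: ", recoverable_after_clear())
    print("real file (existed, exists after clear):", demo_clear_real_file())
```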
Reporting breaches under the Breach Rule still requires some capital expenditure. In some cases, notification to popular media outlets and the Secretary is required. This notification could potentially detract business and invite legal action. Of greater concern, a major breach and broadcast resulting in legal action may dissuade industry players from adopting EHR systems that could potentially reduce medical error and healthcare costs.[10] However, the burden of encrypting PHI is overwhelming, and perhaps ultimately ineffective. Consequently, the Breach Rule has done little to foster the actual security of PHI. In practice, covered entities merely provide notification of breach. It is unclear how this may or may not benefit a patient whose privacy has been breached. Deploying new EHR technology throughout the healthcare industry presents a risk to individual privacy that is not adequately addressed by the Breach Rule and HIPAA.
Privacy concerns should positively correlate with the volume of online EMRs. Pursuant to the FDAAA, 100 million EHRs will be linked within the FDA’s seminal network by July 2012. The sensitive and valuable nature of robust EHR databases will likely attract the attention of unauthorized parties around the world, and should therefore warrant a heightened level of security. Within two years, encryption technology may prove to be significantly smarter, cheaper, and more efficient. The concerns that bar covered entities from adopting data encryption may be lifted. While absolute data security is not likely attainable under any standard, software operating systems that integrate on-the-fly encryption would be ideal and foolproof. Rules and regulations should proportionately reflect advances in computer technology and the quantity of EMRs over the next two years. To protect public privacy and trust in our healthcare system, all PHI should eventually be encrypted by covered entities and their business associates.
[1] Hoffman and Podgurski, Finding a Cure: The Case for Regulation and Oversight of Electronic Health Record Systems, 22 Harv. J. L. & Tech 103.
[2] Id. at
[3] Id. at
[4] Food and Drug Administration Act of 2007 (FDAAA), 21 U.S.C. 355(k)(3).
[5] See Hoffman, supra note 1, at 113.
[6] 21 U.S.C. 355(k)(3). A qualified contract is similar to a business associate. The FDA contracts with entities that are deemed “qualified” within the meaning of the Act.
[7] See HITECH, Pub. L. No. 111-5, Sections 13401 and 13404.
[8] Special Publication 800-88, available at http://csrc.nist.gov.
[9] Special Publication 800-111, available at http://csrc.nist.gov.
[10] See Hoffman, supra note 1, at 104.
Recent Developments in the Implementation of the Patient Safety and Quality Improvement Act of 2005
By Jeanine Juillet
In 2000 the Institute of Medicine (IOM) published a report entitled “To Err is Human: Building a Safer Health System.” The report estimated that as many as 98,000 people die in America each year due to medical errors. In order to combat this problem, the IOM recommended that providers should voluntarily report errors and the results should be evaluated to discover weaknesses in the health care delivery system in the United States.
Congress responded to this appeal for reform by passing the Patient Safety and Quality Improvement Act of 2005. The Act calls for voluntary and confidential self-reporting by health care providers and creates independent local or regional Patient Safety Organizations (PSOs) to collect and analyze safety events in the hope of uncovering problems with the current system. Hospitals, physicians or other health care professionals submit reports, memoranda, analyses, or written or oral statements referred to as a patient safety work product (PSWP), describing adverse events. PSWP may include details identifying the providers involved in the event as well as protected patient information as defined by the Health Insurance Portability and Accountability Act (HIPAA). Based upon an assessment of the data, PSOs develop insights into underlying problems contributing to patient safety events. Moreover, in order to aggregate data on a larger scale, the Act provides for the establishment of a Network of Patient Safety Databases (NPSD); PSOs contribute PSWP information after removing patient and provider identifiers before submission to the NPSD. The database includes definitions and reporting formats in order to facilitate analyses of information. Through use of the NPSD, large volumes of data are available in order to rapidly identify patterns with the goal of developing strategies to avoid, mitigate or eliminate risks and hazards in the delivery of patient care nationally.
The success of the Act depends on providers voluntarily reporting medical errors. To this end, the Act includes federal privilege and confidentiality protections for PSWP. This protection alleviates provider concerns that reported information will be used against them in civil and criminal actions, specifically, medical malpractice litigation. Further, the Act forbids disciplinary actions as a result of a provider’s report. In order to ensure confidentiality of patient information, the Office for Civil Rights (OCR) will investigate allegations of violations and the HHS Secretary has the power to impose civil money penalty (CMP) of up to $10,000 per violation.
The Act vests oversight responsibilities in the Department of Health and Human Services (HHS) Agency for Healthcare Research and Quality (AHRQ). The Patient Safety and Quality Improvement Final Rule (Patient Safety Rule), the regulation implementing the Act, was published on November 21, 2008 and became effective on January 19, 2009. The Patient Safety Rule provides a framework for PSOs by identifying 15 distinct statutory criteria that an organization must meet before it is qualified by the AHRQ. These public or private entities do not receive federal funding to fulfill this role and cannot be a health insurance issuer or be owned, managed or controlled by a health insurance issuer. Additionally, employees of PSOs must have expertise in analyzing patient safety events. The Patient Safety Rule also authorizes AHRQ to conduct PSO site visits to assess continued compliance with the eligibility requirements.
Supporters are excited that specialized organizations will be analyzing providers’ adverse events in order to identify common patterns that will minimize risks associated with health care delivery. Not only will this save lives, it will also reduce health care costs. Medical mistakes are expensive and needlessly waste resources. The Act also encourages the submission of information by providing protection for reporters from legal liability and professional sanctions. Additionally, it protects the patients by requiring that all information submitted to the database comply with HIPAA regulations. Further, the NPSD represents the largest effort to collect data from various providers across the country and the immense amount of information gathered may be able to identify improvements that could not be identified otherwise.
Opponents of the Act are particularly critical of the exceptions to the Patient Safety Work Product protections, including the disclosure exceptions. It remains to be seen how broadly these exceptions will be interpreted since the Act has a limited history. Additionally, by not offering federal funding for PSOs and by forbidding insurance companies from providing capital, the source of revenue to support these organizations is uncertain. Providers are also skeptical that standardized data gathered by PSOs will be effective in curtailing medical errors or that PSOs will be able to provide useful information for various provider structures (i.e., hospitals, doctors’ offices, etc.) in states across the country. Critics also argue that the existing state organizations, which currently collect this information, are likely to be more effective than PSOs. On the other hand, such peer review protections are limited in their scope and do not offer the same confidentiality protection.
Another area as yet to be defined is the overlap between this initiative and FDA measures to evaluate drug effects in a more thorough and timely manner. These latter initiatives include the Observational Medical Outcomes Partnership (OMOP), which will assess the feasibility of using a range of analytical methods against multiple data sources to evaluate safety events. Moreover, through the Sentinel initiative, claims databases and electronic health records will be integrated nationally, linking data from 25 million patients by July 1, 2010 and 100 million by July 1, 2012. Thus, both OMOP and the Sentinel Network taken together may be used to identify and evaluate safety risks for marketed products. These initiatives, while focused on drug and device safety, will need to be integrated with similar data generated from the NPSD.
The underlying purpose of the Act — to collect data and identify weaknesses in the health care system — is an unprecedented and laudable goal. However, it is unclear whether the Act will achieve its stated goals. The rules establishing a critical element of the Act, PSOs, have only been in effect for little more than a year. The success of the Act requires more time for implementation in order to adequately assess the effectiveness of this ambitious effort.
HIPAA, The HITECH Act, and How Google May Still Be Able to Distribute, and Profit From, Your Personal Health Info
Below I will explore what seems to be a gaping hole in the HITECH Act. However, as with any new legislation, it is often necessary to reexamine the laws that preceded it, which in this case is HIPAA. This is particularly true given that the HITECH Act does not replace HIPAA. Rather, it provides–amongst other things–additional security and privacy safeguards with respect to health information. To that end, at least a cursory reexamination of HIPAA is required before understanding HITECH and the importance of comprehensive legislation.
HIPAA was a product of the 1990s–an era triggering nostalgic memories of grunge music for some, and the (in)famous Macarena dance for others. For a large part of this period, the Internet was accessed by a handful of tech savvy individuals who dialed into services like CompuServe, Prodigy, and AOL. It was during this transition that Congress felt the need to make health insurance more portable, as well as standardize the variegated electronic systems that were conducting nonstandard healthcare-related transactions. There was a concomitant concern that health information needed better protection. Thus, in 1996 Congress adopted the Health Insurance Portability and Accountability Act (HIPAA), providing HHS with the responsibility to enforce it. However, the regulations enforcing privacy and security of health information would not be implemented until years later.
HIPAA’s Privacy Rule, which describes the appropriate use and disclosure of certain health information, came into force on April 14th, 2001, was updated in 2002, and required compliance by April of 2003. The Security Rule, which establishes the policies and best practices for securing health information, came into force in 2003. Thus, the Privacy and Security Rules (referred to below as HIPAA) came to life in a period of technological transition. New technologies like residential broadband Internet access and Wi-Fi networks were becoming the norm. Electronic Health Record (EHR) systems had been developed, but had only marginal penetration within certain academic medical centers and government entities. Consequently, the threats to patient privacy from early EHRs were much smaller than they are today, since these systems were not widespread and did not often share data over disparate regions. Thus, access to the systems was not necessarily available outside of the intranets where the servers were located.
Acronyms of HIPAA & HITECH
Acronym | Phrase | General Definition
PHI | Protected Health Information | Any oral or recorded information relating to any past, present, or future physical or mental health of an individual, provision of healthcare to the individual, or the payment for the healthcare of that individual.
CE | Covered Entity | A group of entities whose use, disclosure, and protection of PHI is regulated by HIPAA and HITECH. CEs are comprised of:
BA | Business Associate | Individuals or organizations performing an activity involving the use or disclosure of PHI on behalf of the CE. BAs can include attorneys, accountants, shredding companies, billing companies, or any other person or organization that is not a CE but which is accessing a CE’s PHI.
EHR | Electronic Health Record | An electronic record of patient care comprised of information about the delivery of care, including demographic information, medications, diagnoses, etc.
PHR | Personal Health Record | An electronic record of patient care comprised of much of the same information that an EHR is comprised of, but which is created and maintained by the individual (usually a patient) as opposed to a provider. Prominent examples are Google Health and Microsoft HealthVault.
Given the historical context of HIPAA’s passage, it is easy to appreciate HIPAA’s missteps in not specifically focusing on EHRs or PHRs. Rather, HIPAA regulates protected health information at a broader level, focusing primarily on the “use and disclosure” of PHI by CEs, and the best practices and policies for securing the PHI itself. To be fair, the Security Rule does focus on PHI that is stored and transmitted electronically. However, even the most stringent best practices and policies are useless if the corresponding privacy regulations are inadequate.
But the times they are a-changin’–sort of.
Buried on page 112 of the American Recovery and Reinvestment Act (ARRA), also known as the Stimulus Bill, is Title VIII of the bill, known as the Health Information Technology for Economic and Clinical Health Act, or more commonly, the HITECH Act. One (of the many) purposes of the HITECH Act is to fill in the gaps that have emerged since the Privacy and Security Rules came into force. But, as before, we are in a transition period. Whereas HIPAA’s passage coincided with a period of generalized transition towards digital information, HITECH has coincided with its own transition: the adoption of personal health records (PHRs). Unfortunately, the current HITECH Act and its regulations have serious flaws in how they protect patient information stored in PHRs. Before discussing the problems, however, it is only fair to discuss the benefits to privacy and security that HITECH’s passage has provided.
Specifically, HITECH introduces breach notification requirements. HITECH’s provisions govern the procedures which CEs and BAs must follow if health information has been compromised. HITECH also empowers the FTC to promulgate regulations pertaining to the notification procedures of PHR vendors (as well as those who offer services to PHR vendors). The FTC’s proposed breach notification requirements can be found here. Thus, CEs, BAs, and PHR vendors are, for the first time, required by law to notify individuals if their unsecured PHI has been accessed by unauthorized individuals. Surprisingly, this was not required under HIPAA: CEs were obligated to notify individuals only insofar as HIPAA’s duty to mitigate the harm of an improper disclosure happened to require it. With the passage of HITECH, breach notification is no longer amorphous, but is spelled out in detail in HITECH’s regulations.
Additionally, HITECH requires BAs to abide by many of the same privacy and security requirements that CEs have had to abide by. Before HITECH, a BA, such as an attorney reviewing the PHI of a CE, was required to sign an agreement promising to protect the PHI it was accessing, but was not itself regulated by HIPAA. Thus, a BA had only contractual liability to the CE if it violated the terms of the agreement. A CE that violated HIPAA, on the other hand, was subject to specific penalties and fines imposed by the government.
Under HITECH, BAs must now comply with much of the Privacy and Security Rule, and face many of the same penalties and fines if they violate HIPAA regulations. That is, BAs are now accountable to the government if they improperly use or disclose PHI, or fail to adequately secure PHI.
HITECH also offers other benefits, such as increased enforcement of violations, a strengthening of the requirement that only the minimum necessary information be disclosed to other CEs or BAs, a more thorough framework for accounting of uses and disclosures, and certain prohibitions on the sale of PHI.
The last benefit of HITECH–the prohibition on the sale of PHI–is a perfect springboard for discussing the potential pitfalls of HITECH. The benefits of HITECH may well be sufficient to shore up HIPAA’s gaps when it comes to regulating CEs and BAs. However, as HITECH’s regulatory language makes clear, there remains a gaping hole:
(d) Prohibition on Sale of Electronic Health Records or Protected Health Information-(1) IN GENERAL- Except as provided in paragraph (2), a covered entity or business associate shall not directly or indirectly receive remuneration in exchange for any protected health information of an individual unless the covered entity obtained from the individual, in accordance with section 164.508 of title 45, Code of Federal Regulations, a valid authorization
The operative words are “a covered entity or business associate”: PHRs are not included in this provision. Nor are there corresponding provisions in the FTC’s proposed regulations, which concern only breach notification. The upshot is that, as of the date of this posting, PHR services like Google Health and Microsoft HealthVault are not subject to this prohibition, nor is there a provision in HITECH mandating that PHRs comply with HIPAA’s Privacy and Security Rules. Therefore, PHR vendors can use, disclose, and possibly even sell an individual’s health information outside of the HIPAA and HITECH regulations. This problem underscores a larger issue: PHRs are not regulated by HIPAA, and are regulated by HITECH only insofar as the FTC’s interim rule requires certain breach notification procedures.