Archive for July, 2010

If your organization is paying close attention to the HIPAA proposed rule published in the Federal Register July 14, keep paying attention.

However, perhaps lost in the shuffle of the proposed rule is the July 6 announcement by Connecticut Attorney General Richard Blumenthal’s office of the $250,000 settlement Health Net and its affiliates agreed to pay for a breach of protected health information (PHI) affecting nearly a half million Connecticut enrollees.

The settlement is a landmark one. Blumenthal’s office is the first to cash in on the new HITECH-granted authority for state attorneys general to pursue HIPAA lawsuits.

How eager was Connecticut’s state attorney general to use the HITECH power?

HHS has yet to levy any civil penalties against any covered entities (and now business associates) since the HIPAA Privacy Rule came into force on April 14, 2003, according to Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR.

That’s more than seven years. Blumenthal’s settlement with Health Net came a little more than one year after HITECH became law.

Blumenthal isn’t alone.

Jeff Drummond, health law partner in the Dallas office of Jackson Walker, LLP, puts adding state attorneys general to the HIPAA enforcement mix this way: “There are 50 new sheriffs in town.”

“Most state AGs are elected, and almost all of them do everything they can to get re-elected,” says Drummond, who will be a co-presenter on the HCPro, Inc. August 31, 2010, audio conference, “HIPAA’s New Proposed Rule: Prepare for Changes to Privacy, Security and Enforcement Regulations.”

“That means they’ll be much more susceptible to public or political pressure to pursue HIPAA violations, particularly if there’s a ‘good story’ behind the breach. They want to be seen as protecting the little guy, and they’re much more incentivized” than the Office for Civil Rights (OCR), which enforces HIPAA for HHS.

Drummond says the power granted to state attorneys general also means 50 additional state courts where litigation may occur, which could “lead to multiple different interpretations of particular provisions of HIPAA.”

“So, it’s almost a certainty that there will be more enforcement litigation, and that litigation will likely lead to different standards in different states,” Drummond adds.

Now, it’s a matter of waiting to see what other states besides Connecticut will do, Apgar notes.

“California didn’t wait for HITECH and enacted its own laws that already have had an impact on healthcare entities in California,” Apgar says. “Given that, I would not be surprised to see the California AG getting into the act in the near future.”

Naturally, state attorneys general are not the only enforcers of HIPAA. OCR will release an enforcement audit plan per HITECH. It already posts names of entities reporting breaches of unsecured PHI affecting 500 or more individuals; that number, since the breach notification website went live in February, is up to 121 as of Monday, July 26.

Further, this month’s proposed rule clarifies that the HHS secretary will investigate any HIPAA violations involving “willful neglect,” or when a covered entity or business associate has no control over preventing a breach and does nothing to correct other breaches.

However, state attorneys general in the enforcement mix means covered entities and BAs are more on the hook for breaches than ever—starting with Health Net.

“The damage to Health Net is the adverse publicity and the potential for the filing of civil suits by individuals who believe they have been harmed,” says Apgar. “Given the size of Health Net there isn’t really any sting from the fine itself—more the publicity and the aftermath.”

According to Blumenthal’s office, Health Net allegedly lost a computer disk drive in May 2009 containing PHI and other private information on more than 500,000 Connecticut citizens and 1.5 million consumers nationwide. The missing disk drive contained names, addresses, social security numbers, protected health information and financial information.

The company delayed notifying consumers and law enforcement authorities for about six months from the time of the breach, Blumenthal’s office reported.

The settlement between Health Net and the state includes:

  • Two years of credit monitoring by Health Net
  • $1 million of identity theft insurance and reimbursement for the costs of security freezes
  • “Corrective Action Plan,” including:
    • Continued identity theft protection
    • Improved systems controls
    • Improved management and oversight structures
    • Improved training and awareness for its employees
    • Improved incentives, monitoring, and reports
  • $250,000 payment to the state representing statutory damages
  • Additional contingent payment to the state of $500,000, if the lost disk drive is accessed and personal information used illegally, impacting plan members

Timeline of the Attorney General’s Office:
Connecticut Attorney General Richard Blumenthal’s actions regarding data breaches after HITECH was signed into law February 17, 2009:

July 14, 2010—Attorney General Urges Identity Theft Protections, Explanation For Teachers Impacted By Security Breach

July 6, 2010—Attorney General Announces Health Net Settlement Involving Massive Security Breach Compromising Private Medical and Financial Info

April 20, 2010—Attorney General Seeks More Details About Student Loan Data Breach Involving 3.3 Million

March 29, 2010—Attorney General Investigating Alleged Unauthorized Access Of Patient Information At Griffin Hospital

January 13, 2010—Attorney General Sues Health Net For Massive Security Breach Involving Private Medical Records And Financial Information On 446,000 Enrollees

December 7, 2009—Attorney General Says Health Net Security Breach Concerns Worsen After Report Reveals Breach Was Likely Theft

November 9, 2009—Attorney General Investigating Blue Cross Blue Shield Data Breach Affecting 18,000 CT Health Care Professionals, Seeks Additional Protection For Victims

June 23, 2009—Attorney General Announces State To Receive Almost $400,000 From TJMaxx Owner In Data Breach Settlement

Source: Connecticut AG website: http://www.ct.gov/ag/site/default.asp


Q. The Red Flags Rule references service providers. What are examples of service providers?

A. The Red Flags Rule defines a service provider as “a person that provides a service directly to the financial institution or creditor.” For providers required to comply with the rule, this includes business associates (BAs) such as billing agencies, collection agencies, auditors, and software vendors with access to the billing systems.

Creditors—in this case, providers—must reasonably ensure that service providers implement an identity or medical identity theft prevention program. Practically speaking, this means amending BA contracts to include this new requirement.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question. Apgar has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. He is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy, and Security Forum.


 

Jul 23

Digesting the HIPAA proposed rule


The proposed rule that modifies the HIPAA privacy, security, and enforcement rules has been published in the Federal Register for about a week.
And while it may not be time to flip your HIPAA compliance program upside down—it is, after all, a proposed rule that could go final anytime after the last comment is sealed by HHS Sept. 13—you should take note of several items from the rule.
The following items are courtesy of Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, of Des Moines, IA. Herold will be co-hosting the HCPro, Inc. audio conference, “HIPAA’s New Proposed Rule: Prepare for Changes to Privacy, Security and Enforcement Regulations,” Tuesday, August 31:

  • HIPAA and HITECH apply to business associates (BAs). “Including clear indication that HIPAA and HITECH apply to BAs is a great idea,” Herold says. “I’ve spoken to many BAs who still believe that they only have to have the BA agreement in place, and I’ve had multiple covered entities (CEs) point out that the HHS has never explicitly stated that they needed to do more than provide a BA agreement for their BAs. If accepted and implemented as worded, the changes in the [proposed rule] make it much clearer that the CEs’ responsibilities must go beyond just having a BA agreement.”
  • New definition of “standard.” Herold calls replacing “individually identifiable health information” with “protected health information” in the definition of “standard” a strong idea. “This has always been a point of confusion for many/most CEs, and then last year for BAs.”
  • Subcontractors now BAs. Many subcontracted entities handle PHI, and it makes sense to make them BAs by definition and liable for breaches. “Including subcontractors is a very good thing,” Herold says. “They provide many of the breaches.” It’s also a good thing to see entities such as the following included under HITECH:
    • Patient Safety Organizations (PSOs)
    • Health Information Organizations (HIO)
    • E-Prescribing Gateways
    • Other persons that facilitate data transmission, as well as vendors of personal health records
  • Updated definition of “Electronic Media.” The original definition became outdated quickly, Herold says. “The new one does allow for ongoing technological innovation and changes to be covered,” Herold says. “Pointing to a NIST definition is a good way to have it more consistent with other laws and regulations that also use this definition.”
  • No protection of PHI for those who have been deceased for more than 50 years. According to the proposed rule, “We believe this will reduce the burden on both covered entities and on those seeking the protected health information of persons who have been deceased for many years by eliminating the need to search for and find a personal representative of the decedent, who in many cases may not be known or even exist after so many years, to authorize the disclosure. We believe this change would benefit family members and historians who may seek access to the medical information of these decedents for personal and public interest reasons.”
  • Required changes to the Notice of Privacy Practices (NPP). This will require changes throughout all the CEs, Herold says. “The trick will be how to get the wording to a point where the average patient/consumer can understand what it is saying,” she says. “This has been a problem in the past.”
    The proposed amendments to the NPP would include:

    • Language about the use and disclosures of PHI that would require an authorization under the proposed rule
    • Changes to language regarding the CE contacting an individual to provide appointment; contacting the individual for fundraising; or to disclose information to the health plan
  • HHS statements on BA compliance. Herold says organizations should note the following passage from HHS in the proposed rule: “In the absence of reliable data to the contrary, we assume that business associates’ compliance with their contracts range from the minimal compliance to avoid contract termination to being fully compliant. The burden of the proposed rules on business associates depends on the terms of the contract between the covered entity and business associate, and the degree to which a business associate established privacy policies and adopted security measures that comport with the HIPAA Rules. For business associates that have already taken HIPAA-compliant measures to protect the privacy and security of the protected health information in their possession, the proposed rules with their increased penalties would impose limited burden. For those business associates that have not already adopted HIPAA-compliant privacy and security standards for protected health information, the risk of criminal and/or civil monetary penalties may spur them to increase their efforts to comply with the privacy and security standards.”
  • Asking CEs and BAs to step up compliance teaching efforts. The proposed rule “more clearly and explicitly establishes that CEs and BAs must take a more active role in ensuring their associated BAs are in compliance with HIPAA/HITECH,” Herold says, “and that they will be held liable for doing so.”

Q: One of my colleagues made a website accessible to invitees only. He plans to upload a spreadsheet that contains clients’ names and diagnoses. The spreadsheet will be password-protected. Will this website compromise our HIPAA compliance?

A: Posting patient-identifiable health information on any website, even if it is password-protected, could result in a breach of patient confidentiality. This situation requires a detailed review by your organization’s compliance officer before your colleague proceeds any further.

Chris Apgar, CISSP answered this question in the June 2010 issue of the HCPro newsletter Briefings on HIPAA. For more information about this newsletter visit the HCMarketplace.
