Archive for September, 2010
HITECH brings to light how much of a better job the healthcare industry must do to protect the privacy of its patients. Take one look at the Office for Civil Rights (OCR) breach notification website—you’ll find 166 reasons why this is true.
That website is great to have: It is a public list where healthcare organizations can share lessons learned, analyze numbers and trends, and get a good look at which facilities are making big mistakes, some of which affect millions of patients.
But what’s the real take-home when Congress writes a law like HITECH? A law that revamps the HIPAA privacy rules, calls for increased penalties and public scrutiny for violations, and extends the legal power of state attorneys general to pursue cases against violators?
Is the goal to instill fear of non-compliance? Is it nabbing a poster child such as Rite Aid, which paid $1 million to settle potential HIPAA violations? Is it keeping entities on their toes for the HITECH-required periodic audits?
Those are certainly pluses.
But since HITECH was signed into law on February 17, 2009, the best example of how it’s actually worked for the better may be in Connecticut. There, new HITECH powers unleashed a trickle-down effect that ultimately may help that state better comply with HIPAA.
It began back in July, when the Connecticut state attorney general’s office announced it had reached a settlement with Health Net and its affiliates over the failure last year to secure the private medical records of 1.5 million policyholders and for the insurers’ delay in reporting the breach.
The settlement imposed a $250,000 fine on the company for HIPAA and HITECH violations, and requires the insurers to adopt rigorous security and notification measures.
But how does that make other entities better off?
Last month, the Connecticut Insurance Department issued a bulletin that calls for state insurers to notify affected individuals and the state’s insurance commissioner of a breach of patient information no later than five calendar days after its discovery.
If HITECH hadn’t granted new powers to state attorneys general to pursue lawsuits regarding HIPAA, Connecticut AG Richard Blumenthal would not have gone after Health Net, and that case may never have come to the forefront. And without it, the state’s insurance department may never have tightened its belt regarding breach notification.
Dawn McDaniel, a spokesperson for the Connecticut Insurance Department, told HealthLeaders Media in an e-mail that the bulletin is in response to “some recent data breaches, which were not reported in what we believe to be a timely manner.”
Though neither OCR nor Connecticut officials would say that the breach notification change in Connecticut is a direct effect of HITECH, OCR did praise Blumenthal’s actions. In an e-mail to HealthLeaders Media, an OCR spokesperson called it an illustration of the strong partnership between federal and state regulators envisioned in the HITECH Act.
“The Office for Civil Rights at HHS views the actions of the Connecticut state attorney general in the Health Net matter as demonstrating the effective federal-state partnership to HIPAA compliance as envisioned by the HITECH Act,” he wrote. “These actions can provide greater protections for the residents of Connecticut, and serve to stimulate a more robust culture of compliance among organizations responsible for protected health information.”
The spokesman called the actual breach notification changes in Connecticut a matter “within state jurisdiction and independent of new HITECH authorities and HIPAA requirements.”
Technically, yes. But it’s hard to argue that the changes are not at least a residual effect of a HITECH-granted power.
The Federal Trade Commission has approved a data breach bill requiring entities that hold consumers’ sensitive information to create a robust data compliance protection plan. The intention of the plan is to enforce strict breach notification requirements.
The FTC submitted testimony for a Senate hearing on the bill and said it “strongly supports” the bill.
“Notification in appropriate circumstances can be beneficial,” the Commission says. “Notification laws have increased public awareness of the harm breaches can cause. Breach notification at the federal level would extend notification nationwide and accomplish similar goals.”
The bill would serve as a complement to several breach notification laws on a state level already in effect, the FTC says.
U.S. Senators Mark Pryor (D-AR) and Jay Rockefeller (D-WV) filed in August the “Data Security and Breach Notification Act of 2010,” which would be regulated by the FTC.
According to the language in the bill, healthcare entities and their business associates (BAs) would be in the clear so long as they complied with the Health Information Technology for Economic and Clinical Health (HITECH) Act or any other federal laws that satisfy similar or stronger requirements.
It is unclear, however, if compliance with the FTC’s Red Flags Rule for identity theft protections would exempt entities from the requirements in the new bill.
No matter to whom the bill applies, healthcare entities should watch the bill’s progress in light of new privacy and security laws in HITECH that call for greater patient rights to protected health information (PHI) and greater penalties for breaches of unsecured PHI.
The FTC’s testimony this week called for additions to the bill:
- The provision that requires that companies notify consumers in the event of an information security breach should not be limited to entities that possess data in electronic form
- The proposed requirements should be extended so that they apply to telephone companies
- The bill should grant the agency rulemaking authority to determine circumstances under which providing free credit reports or credit monitoring may not be warranted
The bill extends civil action power to state attorneys general, much like HITECH does. It includes a maximum of $11,000 per day for each day an entity is found not to be in compliance and caps a single violation at:
- $5 million for each violation of the security and compliance requirements
- $5 million for all violations of the breach notification requirements
Q: Patients receive a Notice of Privacy Practices (NPP) at their initial visit that includes information explaining their privacy rights. This includes the patients’ right to opt out of the facility directory. Should the covered entity remind patients of their rights during subsequent visits?
A: Direct care providers are only required to notify patients of their rights as outlined in the provider’s NPP at the time of their initial appointment. The provider is not required to remind patients of their rights, including the right to opt out of the facility directory, during subsequent visits (45 CFR 164.520).
Chris Apgar, CISSP, answered this question in the September 2010 issue of the HCPro newsletter Briefings on HIPAA. For more information about this newsletter, visit the HCMarketplace.
An employer is also a healthcare provider and provides services to its workforce members through an employee clinic. If one member of the employer’s workforce is evaluated in the clinic and the doctors discover a non-work-related illness such as tuberculosis, may the clinic disclose the individual’s protected health information to the employer without the authorization of the patient?
Chief Privacy and Security Officer
Puerto Rico Medical Services Administration
PCPs (primary care physicians) want our facility to automatically fax them clinical reports if their patients are seen in our emergency room: X-ray, lab, cardio, and doctors’ dictation reports.
Would this be a HIPAA violation?
The PCPs feel that they should be notified if their patients are seen in our emergency room.
We currently list the patient’s PCP in our computer system (if the patient and/or the insurance indicates an assigned PCP) in the event of an emergency where the Emergency Room (ER) physician needs to contact them for medical emergency reasons and/or possible inpatient admission.
We currently do not automatically send any type of reports or findings to the PCP for regular ER visits, but the PCPs are requesting that we do.