Archive for April, 2013
OCR will be providing additional guidance on the HIPAA “mega rule,” the all-in-one HIPAA game-changer published in the Federal Register in January.
HealthIT Security reported April 26 that HHS attorney Iliana Peters said the department will be offering the additional guidance.
Rachel Seeger, senior health information privacy outreach specialist for OCR, told HealthIT Security:
“Before publishing the Omnibus Rule, HHS carried out an extensive process, incorporating input from a wide range of stakeholders. To clarify Ms. Peters’ comments, we will be issuing additional compliance guidance and technical assistance to covered entities and business associates that was not addressed in the preamble of the Omnibus Rule given space limitations. We hope to publish these materials on OCR’s website soon.”
The updated agenda for the NIST/OCR Conference & Webcast, Safeguarding Health Information: Building Assurance through HIPAA Security to be held Tuesday, May 21, and Wednesday, May 22, is now available.
Visit the conference web page for more information and registration.
A hospital employee has been in jail for HIPAA violations since January. But the hospital is not off the hook yet.
A federal district court judge January 18 sentenced a former registration clerk to 12 months and one day in federal prison for his role in stealing the information of Florida Hospital patients. As part of his sentence, Dale Munroe, II, 35, of Winter Haven, Fla., was also ordered to serve a two-year term of supervised release. Munroe pleaded guilty on October 22, 2012.
Now the hospital involved in the case has been sued in a class action suit for “failing to safeguard its patients sensitive information. Florida Hospital “breached its statutory obligation and express promise by maintaining its patients’ sensitive information in an electronic database that lacked crucial–and statutorily required–security measures and protocols, in addition to failing to adequately train or monitor its employees’ access of patients’ sensitive information.”
Samantha O’Lenick, spokeswoman for Florida Hospital, told the Orlando Business Journal the hospital is “reviewing the claim and trying to understand what the issues are, and that they aren’t able to say anything more.”
According to court documents, Munroe was hired at the Celebration, Fla., location of Florida Hospital in July 2006. During his employment, he worked as a registration representative in the Emergency Department, where he would register patients as they came in the main emergency entrance. From January 2009, until his termination in July 2011, Munroe used his position to obtain individually identifiable health information of patients of Florida Hospital who had been involved in motor vehicle accidents.
Munroe would then disclose that information to Sergei Kusyakov, who was involved in the operation of two chiropractic clinics (Metro Chiropractic and Wellness Center and City Lights Medical Center). Kuskyakov and other conspirators would then use the stolen information to solicit Florida Hospital patients for chiropractic and legal services. Kusyakov would pay Munroe for his role in providing the stolen information. On July 12, 2011, Munroe was terminated by Florida Hospital for a patient data breach that was unrelated to the conspiracy described above.
Approximately a week after his termination, Katrina Munroe, 30, of Winter Haven, Munroe’s wife and also an employee of Florida Hospital, was recruited by the conspirators to take over the role of stealing patient data and providing it to Kusyakov. In August 2012, Katrina Munroe was terminated from her position at the hospital, after becoming a suspect in a data breach incident. In December 2012, she pleaded guilty to her role in the conspiracy. She faces a maximum penalty of five years in federal prison. Her sentencing hearing has been set for March 11, 2013.
On January 7, 2013, Sergei Kusyakov (38, Davenport) pleaded guilty to one count of conspiracy and four counts of wrongful disclosure of individually identifiable health information. He faces a maximum penalty of 45 years in federal prison.
HHS on April 19 reported an executive action to address unnecessary legal barriers under HIPAA that may prevent some states from reporting information to the National Instant Criminal Background Check System (NICS), according to a release from Leon Rodriguez, OCR director.
In the wake of the Newtown tragedy, President Obama proposed a comprehensive plan to reduce gun violence by keeping guns out of dangerous hands, banning military-style assault weapons and high-capacity magazines, making schools safer, and increasing access to mental health services. In addition to calling on Congress to pass common sense legislation, the President announced that his administration would take 23 executive actions.
Concerns remain that HIPAA may be preventing some states from sending complete records to the NICS. That’s why HHS is initiating a rulemaking process to assess and address unnecessary legal barriers under HIPAA that may be a barrier to this reporting.
“I know that there are many misperceptions about how the NICS works and what information is or is not in the system,” Rodriguez writes in the statement. “It is important to reiterate that the NICS is not a mental health registry and this rulemaking process will not create a mental health registry.”
The NICS was created by the Brady Act and ensures that guns are not sold to those prohibited by law from buying them, including felons, those convicted of domestic violence, and individuals involuntarily committed to a mental institution or found to be a danger or unable to manage their affairs due to a mental health condition.
While this background check system is the most efficient and effective way to keep guns out of the hands of potentially dangerous individuals, it is only as effective as the information that is available to it. According to a 2012 Government Accountability Office report, 17 states had submitted fewer than 10 records of individuals prohibited for mental health reasons.
Here are some facts:
- If an individual is prohibited from purchasing a firearm due to specific mental health reasons as set by law, the following information is submitted to the NICS: (1) basic identifying information about the individual such as name, social security number, and date of birth, (2) the name of the state or federal agency that submitted the information, and (3) a notation on which of the ten prohibited categories is applicable to the individual, which allows the individual to appeal and seek to correct incomplete or inaccurate information.
- The database that houses information on individuals prohibited from possessing firearms for reasons related to mental health – called the NICS Index – does not contain medical or mental health records.
- When federally licensed firearms dealers request a NICS background check for a potential buyer, the only information they get back is that the potential buyer is approved, denied, or additional investigation is needed. The dealer does not receive any information about why an individual is denied and does not ever have access to any records of potential buyers, including health records.
- Only the individual who was denied, if he or she wants to appeal and seek to correct incomplete or inaccurate information in the system, can go back to the NICS directly and request information about the reason for the denial.
This rulemaking process – and all of the proposals in the President’s gun violence reduction plan – is based on an understanding that the vast majority of people struggling with mental illnesses are not violent, and in fact they are more likely to be the victims than perpetrators of a crime. That’s why the President’s plan includes initiatives to make it easier for people with mental illness to get the treatment and support they need.
The Advance Notice of Proposed Rulemaking announced asks for the public’s input on the problems HIPAA may pose to state reporting of mental health information to NICS, and on ways to ensure that changes to the HIPAA rules will not discourage individuals from seeking mental health services.
Six Republican senators who released a 28-page white paper in April, “REBOOT: Re-examining the Strategies Needed to Successfully Adopt Health IT,” that outlined concerns about current federal health IT policy. The senators also sent a letter to HHS Secretary Kathleen Sebelius requesting information about the agency’s progress in promoting EHR adoption through the meaningful use program.