Posted by Health Law Informer Author on December 04, 2014 (CMS, HHS, HIPAA, OIG)
On October 31, 2014, The U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) released its Work Plan for fiscal year (FY) 2015. The Work Plan summarizes “new and ongoing reviews of activities that OIG plans to pursue with respect to HHS programs and operations during the current fiscal year and beyond.” In the Work Plan OIG identified several areas related to HIPAA and/or information technology that it will examine and address during FY 2015.
As a new addition to the Work Plan, OIG will determine the extent to which hospitals comply with the contingency planning requirements of HIPAA. HIPAA’s Security Rule requires covered entities and their business associates to have in place a contingency plan that establishes policies and procedures for responding to an emergency or other event (for example, natural disasters, system failures or terrorism) that damages systems containing electronic protected health information (ePHI). These policies and procedures must, at a minimum, include data backup plans, disaster recovery plans and plans to continue protecting the security of ePHI while operating in emergency mode. In the Work Plan OIG advises that it will compare the contingency plans used by hospitals with government- and industry-recommended practices.
As part of the Work Plan, OIG will continue to examine whether the Centers for Medicare & Medicaid Services’ (CMS) oversight of hospitals’ security controls over networked medical devices is sufficient to protect ePHI. OIG noted that computerized medical devices such as dialysis machines, radiology systems and medication dispensing systems, which use hardware, software and networks to monitor a patient’s condition and transmit and/or receive data over wired or wireless communications, pose a growing threat to the security and privacy of personal health information.
OIG also plans to continue to perform audits of covered entities receiving incentive payments for the use of electronic health records (EHRs) and their business associates (including cloud providers) to determine whether they are adequately protecting ePHI created or maintained by certified EHR technology. In addition, OIG will review the adequacy of CMS’ oversight of states’ Medicaid system and information controls. Prior OIG audits found that states often fail to have in place adequate security features, potentially exposing Medicaid beneficiary information to unauthorized access.
As to future endeavors, the Work Plan stated that other areas under consideration for new work include the security of electronic data, the use and exchange of health information technology, and emergency preparedness and response efforts. In addition, OIG advises that in FY 2015 and beyond, it will continue to focus on IT systems security vulnerabilities in health care reform programs such as health insurance marketplaces.
Posted by Health Law Informer Author on November 18, 2014 (CDC, HHS, OCR)
In response to the recent Ebola outbreak in West Africa, and in light of patients being treated in several hospitals in the U.S., the HHS Office for Civil Rights (OCR) recently issued a HIPAA Bulletin to remind us that HIPAA covered entities and business associates must maintain the privacy of protected health information (PHI) even in emergency situations (“Guidance”). According to OCR, the Guidance serves as a reminder “that the protections of the [HIPAA] Privacy Rule are not set aside during an emergency.”
OCR explains that the HIPAA Privacy Rule requires a balance between protecting the privacy of PHI and the necessary uses and disclosures of such information “to treat a patient, to protect the nation’s public health, and for other critical purposes” during emergency situations. Although OCR introduces no new requirements under the HIPAA Privacy Rule, the Guidance lays out the circumstances under which patient information may be shared in emergencies, including:
- Disclosures to Family, Friends, and Others Involved in an Individual’s Care and for Notification
- Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification
- Imminent Danger
- Public Health Activities (i.e., to a public health authority; at the direction of a public health authority, to a foreign government agency; and to persons at risk)
- Treatment
OCR reminds us that most disclosures require covered entities to make “reasonable efforts to limit the information disclosed to that which is the ‘minimum necessary.’” Further, covered entities are also required to: (i) implement “reasonable” safeguards necessary to protect PHI from intentional or unintentional uses and disclosures that are impermissible under HIPAA; and (ii) continue to apply the administrative, physical and technical safeguards required to protect ePHI under the HIPAA Security Rule.
Further, according to OCR, under the Project Bioshield Act of 2004 and Section 1135(b)(7) of the Social Security Act, the Secretary of HHS may waive certain HIPAA Privacy Rule provisions during public health or other emergencies. Such limited waivers require both the President to declare an emergency or disaster and the Secretary of HHS to declare a public health emergency. Additional information regarding the limited waivers appears in the Guidance.
As Ebola remains an emergency of both national and international concern, it is not surprising that federal agencies continue to publish updated Ebola guidance. This Guidance reminds all of us, especially covered entities and business associates, that even in emergency situations patient privacy must be protected unless the limited waiver is invoked; if it is not, covered entities and business associates will face consequences for violating the HIPAA Privacy Rule. For additional information regarding the HIPAA Privacy Rule in the context of emergency situations, see the HHS website. Also see the similar guidance (two Bulletins) published by HHS in 2005 in response to Hurricane Katrina.
Posted by Health Law Informer Author on September 26, 2014 (ACA, CMS, HHS, HIPAA, HITECH, Privacy)
12,915 complaints were reported in 2013 to the Department of Health and Human Services Office for Civil Rights (“OCR”), according to Iliana L. Peters, Senior Advisor for HIPAA Compliance and Enforcement. Cozen O’Connor attended Ms. Peters’ presentation at the Safeguarding Health Information: Building Assurance through HIPAA Security conference on September 22-23, 2014. The conference was hosted jointly by OCR and the National Institute of Standards and Technology (“NIST”). Below are a few discussion points from the conference worth mentioning:
- Between September 2009 and August 31, 2014, OCR investigated 1,176 reports of breaches of Protected Health Information (“PHI”) affecting more than 500 individuals and approximately 122,000 reports of breaches affecting fewer than 500 individuals.
- According to Ms. Peters, 60% of the large breaches could have been prevented by encrypting covered entities’ and business associates’ laptops and mobile devices.
- Theft and loss continue to be the most common causes of breaches, but OCR expects that IT hacking will continue to rise as a significant breach risk.
- Since 2009, consumer complaints regarding HIPAA violations have continued to rise.
- Covered entities and business associates should already have in place business associate agreements that have been updated for the Omnibus Rule.
- Business associates must comply with all of the HIPAA Security Rule requirements applicable to covered entities, “PERIOD.”
- Given the known risks of hacking, theft and loss, and the direct guidance from OCR, covered entities and business associates must recognize that inadequate security and inadequate physical and technical safeguards are not acceptable.
- OCR expects that covered entities and business associates will be familiar with recent corrective actions and resolution agreements, such as Parkview, NYP/Columbia, Concentra, QCA, Skagit County, Adult & Pediatric Dermatology, P.C., and Affinity Health Plan, Inc.
It has been a busy summer so far for the Centers for Medicare & Medicaid Services (CMS) with respect to Accountable Care Organizations (ACOs), as the agency has proposed altering the quality reporting measures under the Medicare Shared Savings Program (“MSSP”) for 2015 and beyond. Expect an even busier fall as other, potentially broader, proposed rule changes for ACOs are analyzed by the Office of Management and Budget (OMB) and both sets of proposals wind their way through the public comment process.
The proposed changes concerning quality reporting would revise and update the measures used to evaluate MSSP ACOs’ performance. Overall, CMS says it would like to focus more on outcome-based measures (as opposed to process-based measures), reduce duplicative measures, and reflect current clinical practice without increasing ACOs’ reporting burden.
More specifically, CMS proposes to add 12 new measures and remove eight, which would increase the total number of quality measures from 33 to 37. The new measures relate to “avoidable” admissions for patients with multiple chronic conditions, heart failure, and diabetes; depression remission; readmissions to skilled nursing facilities; patient discussion of prescription costs; and updated composite measures for diabetes and coronary artery disease.
CMS would like to modify the scoring system to award bonus points toward shared savings to ACOs that make year-over-year improvements on individual measures. Moreover, the agency would like to modify its benchmarking methodology to use flat percentages to establish the benchmark for a measure when the national fee-for-service (FFS) data result in the 90th percentile being greater than or equal to 95 percent. And, finally, CMS proposes several ways to align MSSP reporting requirements with other reporting programs, including Medicare’s Electronic Health Records Incentive Program and the Physician Quality Reporting System.
Fewer details are available about the next set of proposed rule changes, which were submitted to OMB on June 26 and will be printed in the Federal Register after review. It is expected that these regulations will include changes to the MSSP’s payment provisions. The proposed changes would apply to existing ACOs and approved ACO applicants starting January 1, 2016. As soon as the text of the rule becomes publicly available, the Health Law Informer will provide more information.
It has been over three years since the Centers for Medicare and Medicaid Services (CMS) announced its proposed rule and guidance on the development and implementation of Accountable Care Organizations. About four million Medicare beneficiaries are now in an ACO, and over 400 provider groups are participating in ACOs. See February 19, 2013 Health Affairs Blog. An estimated 14% of the U.S. population is being treated within an ACO. See April 16, 2014 Kaiser Health News.
By all indications, these numbers will continue to grow as the U.S. health system moves away from the fee-for-service model toward pay-for-value models that reward quality and cost savings and require clinical coordination among different types of providers, in many cases providers who are unrelated other than through an ACO or other similar arrangement. The seamless sharing of data and patient information, and collaboration among large, medium and small physician practices, hospitals, post-acute providers, and even private companies such as pharmacy chains, is critical to the success of these organizations.
Posted by Health Law Informer Author on June 27, 2013 (HIPAA, HITECH)
As we’ve discussed in previous articles,[1] and as you are no doubt aware by now, the Health Insurance Portability and Accountability Act (HIPAA) recently received a significant facelift. In addition to extending direct liability to business associates and subcontractors, the updated HIPAA regulations (Updated Regulations), which were authorized by the Health Information Technology for Economic and Clinical Health Act (HITECH), contain many new provisions to address growing privacy concerns about the increasing amount of protected health information (PHI) stored on electronic media. Covered entities and their business associates and subcontractors must comply with the Updated Regulations by September 23, 2013. In order to help you prepare for the September 23, 2013 compliance deadline, this article (1) explains the difference between two important compliance deadlines contained in the Updated Regulations, (2) suggests a 5-step process to efficiently update and/or create compliant HIPAA policies and procedures, and (3) discusses a few observations we’ve made as we’ve helped our clients prepare for the September 23, 2013 compliance deadline.
Posted by Health Law Informer Author on March 12, 2013 (Affordable Care Act, HIPAA, HITECH)
On January 25, 2013, the Office for Civil Rights (OCR) of the Department of Health & Human Services (HHS) published the long-awaited omnibus final regulation governing health data privacy, security and enforcement (Omnibus Rule).[i] The Omnibus Rule is a group of regulations that finalizes four sets of proposed or interim final rules, including changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act[ii] and proposed in 2010;[iii] changes to the interim final breach notification rule;[iv] modifications to the interim final enforcement rule; and implementation of changes to the Genetic Information Nondiscrimination Act of 2008 (GINA). The Omnibus Rule goes into effect on March 26, 2013, and compliance is required by September 23, 2013. As expected, the Omnibus Rule did not finalize the May 31, 2011 proposed regulation regarding accounting for disclosures.
Posted by Health Law Informer Author on December 10, 2012 (Uncategorized)
Since the implementation of the privacy and security regulations of the Health Insurance Portability and Accountability Act (“HIPAA”) in 2003 and 2005, respectively, business associates (“BAs”) – those entities that perform services for or on behalf of covered entities – had been a weak link in the overall protection of protected health information (“PHI”). BAs were not directly subject to HIPAA, but were only indirectly subject to its requirements through the business associate agreements – which were generally boilerplate – that covered entities were required to maintain as a condition of sharing PHI. Thus, under the original regulatory structure, the only risk a BA faced was for breach of contract.
Posted by Health Law Informer Author on October 16, 2012 (HIPAA, HITECH, Medicaid, Medicare)
Since the Health Insurance Portability and Accountability Act (“HIPAA”) privacy rules became effective in April 2003, there had been minimal enforcement activity by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”). However, this has changed dramatically over the last two years, as evidenced by some recent high-profile and high-penalty enforcement actions taken by OCR. In addition to being concerned about OCR investigations, covered entities and business associates must also be on the alert for enforcement actions by state Attorneys General, potential class action lawsuits, and OCR’s HIPAA audit program.