NP Privacy Partner
OCR releases new set of FAQs to address health plans’ use of PHI for care coordination and continuity of care

On June 26, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) released a new FAQ document to address how the HIPAA Privacy Rule allows health plans to share PHI in certain circumstances.

The first FAQ addresses care coordination and care management disclosures between two health plans. OCR emphasized that both of these activities are included in the definition of health care operations in the HIPAA Privacy Rule. Disclosures for health care operations purposes require that both entities have a relationship with the individual who is the subject of the requested PHI and that the PHI pertains to that relationship. Therefore, OCR noted, the Privacy Rule permits one health plan to share PHI about an individual it has in common with a second health plan for care coordination purposes without the individual’s authorization. For an individual switching health plans, OCR provided that the Privacy Rule would likewise allow the individual’s previous health plan to disclose PHI to the new health plan without the individual’s authorization.

The second FAQ addresses health plans using and disclosing PHI to inform individuals about other available health plans that the plan offers, without the individual’s authorization. Generally, health plans are prohibited from using or disclosing PHI for marketing purposes without an individual’s authorization. There are, however, certain exceptions to the marketing authorization requirement, and certain activities are excluded from the definition of marketing altogether. OCR provided that one exclusion from the definition of marketing covers communications to individuals regarding replacements to, or enhancements of, existing health plans, so long as the health plan is not receiving financial remuneration for the communications. To illustrate this exclusion, OCR provided that when “Plan A” discloses PHI about an individual to “Plan B,” a separate covered entity, Plan B may send communications to the individual regarding Plan B’s health plan options to replace the individual’s current plan (e.g., a discussion of Medicare plans when the individual reaches the age of eligibility), so long as Plan B receives no remuneration for sending the communication and the disclosure complies with any applicable business associate agreement(s).

The OCR FAQ document can be found here.

Failure to conduct risk analysis leads to OCR penalties for business associate

On May 23, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) announced that Medical Informatics Engineering, Inc. (MIE) had agreed to pay $100,000 to OCR and adopt a corrective action plan to settle possible violations of the HIPAA Privacy and Security Rules.

MIE provides software and electronic medical record services to health care providers. On May 26, 2015, MIE found suspicious activity on one of its servers and, upon further examination, determined that unauthorized access to its network began on May 7, 2015, and led to hackers accessing the electronic PHI (ePHI) of approximately 3.5 million people. The access was gained through a compromised user ID and password.

On July 23, 2015, MIE filed a breach report with OCR, and OCR’s investigation determined, in part, that MIE had not conducted a comprehensive risk analysis, as required by the HIPAA Security Rule, prior to the breach. OCR Director Roger Severino stated “[e]ntities with medical records must be on guard against hackers” and “[t]he failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”

MIE’s corrective action plan requires MIE in part to develop a complete inventory of all of its facilities, categories of electronic equipment, data system and applications that create, receive, transmit or maintain ePHI and subsequently conduct a risk analysis that evaluates the risks to ePHI on MIE’s inventory.

Interestingly, the day after its MIE settlement press release, OCR issued another press release announcing a new fact sheet that lists all HIPAA provisions under which a business associate can be held directly liable for HIPAA compliance.

OCR’s press release about this settlement can be found here and OCR’s press release about the new fact sheet for business associates can be found here.

OCR revises HIPAA annual penalty limits to address culpability

In April 2019, the Department of Health and Human Services Office for Civil Rights (OCR) issued a Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties (the Notification). OCR published the Notification to alert the public that OCR is exercising its discretion in assessing Civil Money Penalties under HIPAA as amended by the HITECH Act.  

In February 2009, the HITECH Act established four categories of HIPAA violations with increasing penalty tiers based on the level of culpability. It also amended HIPAA by eliminating the prohibition on penalties for a covered entity that did not know, and with reasonable diligence would not have known, of a HIPAA violation. The four categories of HIPAA violations became the following:

  • No Knowledge: The person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision
  • Reasonable Cause: The violation was due to reasonable cause, and not willful neglect
  • Willful Neglect - Corrected: The violation was due to willful neglect that is timely corrected
  • Willful Neglect - Not Corrected: The violation was due to willful neglect that is not timely corrected

While the HITECH Act applied four different annual penalty limits (ranging from $25,000 to $1,500,000) based on the level of culpability, in the Interim Final Rule to implement the enhanced penalty provisions of the HITECH Act, OCR applied the highest annual cap of $1.5 million to all violations regardless of the level of culpability (see first table below). OCR provided that applying the highest annual limit for all levels of culpability was “the most logical reading” of the HITECH Act since this was “consistent with Congress’ intent to strengthen enforcement.”

Culpability                      Minimum Penalty/Violation   Maximum Penalty/Violation   Annual Limit
No Knowledge                     $100                        $50,000                     $1,500,000
Reasonable Cause                 $1,000                      $50,000                     $1,500,000
Willful Neglect - Corrected      $10,000                     $50,000                     $1,500,000
Willful Neglect - Not Corrected  $50,000                     $50,000                     $1,500,000

However, the Notification provides that upon further review OCR has concluded that a “better reading of the HITECH Act” is to apply annual limits based on the level of culpability (see second table below).

Culpability                      Minimum Penalty/Violation   Maximum Penalty/Violation   Annual Limit
No Knowledge                     $100                        $50,000                     $25,000
Reasonable Cause                 $1,000                      $50,000                     $100,000
Willful Neglect - Corrected      $10,000                     $50,000                     $250,000
Willful Neglect - Not Corrected  $50,000                     $50,000                     $1,500,000

OCR will use the above penalty tier structure, as adjusted for inflation, until further notice and plans to have future rulemaking to modify the penalty tiers in the current regulation “to better reflect the text of the HITECH Act.”

Given the significant decrease in the annual limits for all but one category of HIPAA violations, covered entities and business associates may welcome OCR’s revised reading of the HITECH Act. This change in the annual limits may be especially welcome since OCR, under the previous penalty tiers, collected $28.7 million from settlements and cases in 2018 (see February 27, 2019 NP Privacy Partner Blog Post).

Three million dollar settlement emphasizes the importance of a robust HIPAA compliance program

On May 6, 2019, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a settlement with Touchstone Medical Imaging (Touchstone), a diagnostic medical imaging services provider, requiring a three million dollar financial settlement and a two-year Corrective Action Plan.

There are a number of lessons that HIPAA covered entities and business associates can glean from the Touchstone enforcement action, a notable one being that an entity should promptly and thoroughly investigate any security incident or potential data breach. Both OCR and the Federal Bureau of Investigation (FBI) notified Touchstone that one of its FTP servers was allowing uncontrolled access to patients’ protected health information (PHI). After initially denying the exposure, Touchstone eventually reported a breach of more than 300,000 social security numbers and other PHI. OCR found that both Touchstone’s investigation of the incident, as well as its notification, were not handled in a timely manner.

In investigating Touchstone, OCR also found that the entity did not conduct an accurate and thorough risk analysis—a key enforcement priority of OCR in recent years. As part of its Corrective Action Plan, Touchstone is required to conduct an enterprise-wide risk analysis, including creating an inventory of all of its equipment, systems, applications and off-site storage facilities that contain PHI. This is a key element for any organization in order to decide what systems and processes best secure PHI and other sensitive data.

In addition, OCR detailed that Touchstone failed to execute business associate agreements with its vendors, including its information technology vendors, prior to the disclosure of PHI. Similar to prior settlements, the Touchstone settlement emphasizes the importance of understanding which vendors will receive or have access to an organization’s PHI and having the parties involved execute a business associate agreement at the outset of the arrangement.

OCR releases new set of FAQs to address transmission of ePHI to apps

On April 18, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) released new FAQs relating to HIPAA right of access to ePHI. Specifically, the FAQs address applications or other software (collectively “apps”) designated by patients to receive ePHI from a covered entity’s EHR (electronic health record) system. The FAQs discuss liability for transmission of ePHI and the apps’ subsequent use or disclosure of health information, business associate relationships and agreements with apps, and whether a covered entity may refuse to disclose ePHI to an app.

OCR emphasized that once ePHI is disclosed to an app, as directed by a patient, a covered entity will not be liable under HIPAA for uses or disclosures of ePHI by the app so long as the app is not a business associate of the covered entity. A business associate relationship will not exist when the app was not developed for, or provided by or on behalf of, the covered entity. Accordingly, OCR noted that an app’s access to a patient’s ePHI at the patient’s request alone would not trigger a business associate relationship or require a business associate agreement to be put in place for the transmission of ePHI from a covered entity.

OCR provided there would be a business associate relationship between a covered entity and an app developer when the app is one a covered health care provider uses to provide services to individuals involving ePHI. In that case, OCR noted the covered health care provider may be liable under the HIPAA Rules if the covered entity’s patient selects that app and that app impermissibly discloses the ePHI it receives.

OCR also provided that, under the individual’s right of access to their ePHI, a patient may request that a covered entity direct their ePHI to a third-party app in an unsecure manner or through an unsecure channel. For example, a patient could request that a covered entity transmit their unencrypted ePHI to an app as a matter of convenience. OCR noted that the covered entity would not be responsible for unauthorized access to the patient’s ePHI while it is being transmitted to the app. However, OCR recommended that covered entities notify patients of the potential risks of unsecure transmission of ePHI, at least the first time the patient makes such a request.

Also based on an individual’s right of access to their ePHI, OCR stated that a covered entity may not refuse to disclose ePHI to an app chosen by an individual solely because of concerns about how the app will use or disclose the patient’s ePHI. Examples of impermissible refusals provided by OCR included denying disclosure to an app because the app will share the patient’s ePHI for research purposes or because the app does not encrypt the patient’s data when at rest.

OCR FAQs can be found here.

Amazon opens its “HIPAA-eligible” environment to certain Alexa skills

Earlier this month, Amazon announced that it is opening its “HIPAA-eligible” environment to select Amazon Alexa skills that will transmit and receive identifiable patient information.  This allows users of the Alexa virtual assistant to begin using the device for select health-related services.

Amazon defines its HIPAA-eligible services as those that enable HIPAA-regulated covered entities and business associates to process and store identifiable patient information, or HIPAA protected health information, in its Amazon Web Services environment.  At this time, Amazon is offering the opportunity to develop a skill for its HIPAA-eligible environment on an invitation-only basis. 

The first six HIPAA-eligible Alexa skills focus on an individual’s management of their care at home.  For example, the Livongo Blood Sugar Lookup skill allows users to ask their Alexa device to provide their latest blood glucose reading.  Cigna’s Health Today skill allows Cigna enrollees to monitor their wellness program goals and receive health tips. Through the Express Scripts skill, an individual can track prescription delivery and receive notification through the Alexa device when a prescription is delivered.

Although Amazon’s addition of these skills to its HIPAA-eligible environment represents significant progress toward the use of virtual assistants to meet individuals’ medical needs, it is important to note that these skills are limited. Amazon is not presenting a framework to allow for skills that capture data in an operating room or emergency room, for example, nor do the six HIPAA-eligible skills allow patients to correspond with clinicians for treatment or diagnosis of medical needs. 

For people to use Alexa in these types of environments, not only will Amazon have to deem the relevant skills to be HIPAA-eligible and execute HIPAA business associate agreements with the skill developers, but the facilities and clinicians using Alexa for these services will have to ensure that they have the capability to do so in a manner that complies with the HIPAA requirements governing patient privacy and security.  Some key considerations for facilities and clinicians will be to establish protocols to prevent people who are not authorized to access or hear an individual’s identifiable information from doing so on the Alexa device, as well as ensure that Alexa captures the data in a way that attributes individual patients’ data properly.

Final OCR settlement of 2018 nets $3 million penalty

On February 7, 2019, the Department of Health and Human Services, Office for Civil Rights (OCR) released information about its settlement with Cottage Health, a California hospital system.  Following two breach reports from Cottage Health, OCR conducted an investigation that concluded with a resolution agreement and a settlement for $3 million.

The first breach resulted from a Cottage Health contractor’s removal of electronic security protections from one of the system’s servers.  This caused protected health information (PHI) of approximately 50,917 individuals to be available to anyone with access to Cottage Health’s server.  The second breach, affecting 11,608 individuals, resulted from an employee misconfiguring a server, leading to PHI — including Social Security numbers — being accessible on the internet.

In its investigation, OCR determined that Cottage Health did not conduct a thorough and accurate risk assessment and failed to implement a risk management plan.  In addition, highlighting that these security risk assessments are “living” documents, OCR found that Cottage Health did not periodically evaluate its technical and non-technical processes after environmental or operating changes that affected the security of its electronic PHI.

These breaches highlight two areas of compliance weakness for HIPAA covered entities and business associates: personnel and vendors.  While there may not be a way to completely mitigate all risk that comes from the involvement of human actors and third-party vendors, an entity can take a number of steps to lessen its risk.

With respect to vendors, first and foremost, an entity must ensure that it has a HIPAA business associate agreement in place if PHI will be accessed, created or transmitted as part of the arrangement; OCR found that Cottage Health did not have a written business associate agreement with its contractor.  A covered entity or business associate also should perform reasonable diligence of its potential vendors to ensure that they understand their privacy and security obligations and maintain robust HIPAA compliance programs.

Covered entities and business associates also are required to ensure that their workforces are trained in HIPAA compliance.  In addition to education about regulatory requirements, an entity should train its personnel in the nuances of its compliance program specific to the services that it provides, the systems and processes that it employs, and the types of data that are relevant to an individual’s job duties.

As part of its release about the Cottage Health enforcement action, OCR tallied its 2018 settlements and cases from HIPAA enforcement actions, which totaled $28.7 million.

The OCR press release can be found here and the resolution agreement can be found here.

Failure to have business associate agreement in place leads to OCR penalties for Florida physician group

On December 4, 2018, the Department of Health and Human Services Office for Civil Rights (OCR) announced that Advanced Care Hospitalists PL (ACH) had agreed to pay $500,000 to OCR and adopt a corrective action plan to settle possible violations of the HIPAA Privacy and Security Rules.

ACH provides internal medicine physicians to hospitals and nursing homes. Its physicians serve more than 20,000 patients annually. Between November 2011 and June 2012, ACH obtained billing data processing services from an individual who claimed to represent a third-party billing company named Doctor’s First Choice Billings, Inc. (First Choice). Without knowledge or permission of First Choice, the individual provided medical billing services to ACH using First Choice’s name and website. ACH never entered into a business associate agreement with First Choice or the individual allegedly representing First Choice.

A local hospital notified ACH on February 11, 2014, that patient information was viewable on the First Choice website, including but not limited to social security numbers and clinical information. The website was shut down and removed from internet access on February 12, 2014. ACH filed a breach notification report with OCR on April 11, 2014, and thereafter filed a supplemental breach report finding that over 9,000 patients could have been affected.

OCR’s investigation determined that not only did ACH fail to enter into a business associate agreement before disclosing PHI to the individual as required by HIPAA, ACH also failed to have policies in place requiring business associate agreements for sharing of PHI until April 2014. Furthermore, OCR noted that although ACH had been operating since 2005, it failed to conduct a risk analysis as provided by the HIPAA Security Rule until March 4, 2014.

ACH’s corrective action plan in part requires ACH to annually submit an accounting of ACH’s business associates and copies of the business associate agreements that it maintains, conduct a risk analysis, develop a risk management plan and review and revise its policies and procedures to comply with the HIPAA Privacy, Security and Breach Notification Rules.

OCR’s press release about this settlement can be found here.

PHI disclosure to media leads to OCR enforcement

On November 26, 2018, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services released a $125,000 settlement and corrective action plan with a small physician practice for potential HIPAA violations related to disclosures of protected health information (“PHI”) to the media.

As part of a civil rights complaint, a patient alleged that Allergy Associates of Hartford, P.C. (“Allergy Associates”), a three-physician practice that provides medical services to patients with allergies, impermissibly disclosed the patient’s PHI. OCR initiated an investigation and determined that, in responding to a reporter’s questions regarding a dispute with the patient at issue, an Allergy Associates physician improperly disclosed the patient’s PHI to the reporter.

This is not the first time that OCR has held a health care provider liable for improper disclosures to the media. These settlements emphasize that providers have to take care in what they disclose when discussing patient issues with third parties, such as the media. To the extent that they do not already, covered entities and business associates should consider including, in their HIPAA training for workforce members, examples of information that can and cannot be disclosed to the media.

The settlement also emphasizes the importance of maintaining and complying with a sanctions policy for personnel who may violate HIPAA. OCR found that Allergy Associates did not discipline the physician who disclosed PHI to the media, even after the organization was aware that OCR had initiated an investigation.

OCR’s press release about this settlement can be found here and the Resolution Agreement and Corrective Action Plan can be found here.

Updated tool assists HIPAA covered entities and business associates in completing the mandatory security risk analysis

The HIPAA Security Rule has long required covered entities and business associates to conduct an enterprise-wide security risk analysis. This analysis must assess the potential risks and vulnerabilities to the confidentiality, availability and integrity of electronic protected health information (“ePHI”) held by the entity. This analysis should, in part, identify where the entity holds ePHI, how it receives ePHI and what the threats are to the entity’s information systems that contain ePHI.

While there is no single method of conducting a risk analysis that equates to compliance with the HIPAA Security Rule, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) and the HHS Office of the National Coordinator for Health Information Technology (ONC) developed a Security Risk Assessment Tool (the “SRA Tool”) to assist covered entities and business associates in completing this required task. OCR and ONC state that the SRA tool is designed to be used by small or medium-sized health care practices or other covered entities and business associates, but its concepts can be applied to covered entities and business associates of all sizes.

In October 2018, OCR and ONC announced changes to the SRA Tool to make it more user-friendly and more broadly applicable. The updated version follows comprehensive testing of the prior model with health care practice managers. One major update is enhanced ways for an entity to document how it implements, or plans to implement, security measures to protect its ePHI. It also includes new features, such as a progress tracker, a method of tracking business associates and assets, and improvements to ratings of threats and vulnerabilities.

The updated SRA Tool is one more way in which OCR signals the importance of conducting security risk analyses. Failure to conduct such an analysis can put an entity’s ePHI at higher risk, and can be a major factor weighing in favor of penalties or other enforcement if OCR audits or investigates a covered entity or business associate. Many of the OCR enforcement actions over the past several years cite the lack of a security risk analysis among the identified compliance issues (see our prior summaries here, here, and here).

The updated SRA Tool can be found here.  OCR and ONC note that the update is compatible with Windows operating systems only; iPad users can continue to use the prior version.

This website contains attorney advertising. Prior results do not guarantee a similar outcome. © 2018 Nixon Peabody LLP