HIPAA and Data Issues

Social determinants of health have risen to the forefront of changes in payment to acknowledge that factors such as food, housing and other environmental issues can have a direct impact on the health of people for whom the government (and private payers) pay for care.  Both government and private payors traditionally have not offered any payment for services that address social determinants of health directly.  That, however, is changing in the new health care environment.  In “Finding an Oasis in the Food Desert: Legal Issues in One Social Determinant of Health”, Dan Shay explores the new payments and programs that are available to support people with diabetes, hypertension and other conditions affected by nutrition and food availability.  In addition to new payment potentials, both for providers and patients in Medicare and Medicaid, there are a range of legal issues that can arise in providing or arranging for food support, from compliance risks associated with beneficiary inducements, to Medicare enrollment, to HIPAA, to documentation issues and more. Dan considers all of these, as well as practical issues that health care providers may face, clarifying a rapidly developing area of both social and health care policy combined, which should be of interest to those who represent a wide range of providers.
Since the early 2000s, electronic health records (EHR) software has become a central aspect of health care.  But as technology marches ever onward, and yesterday’s state-of-the-art hardware becomes today’s obsolete junk, many health care providers find themselves needing to change their EHR software. In “Switching EHRs: Common issues and lessons learned”, Dan examines how such changes implicate a range of legal issues, including preservation of records for HIPAA, medical malpractice, and compliance considerations, end-user license agreement quirks that may complicate transitions from one system to another, and practical and logistical problems associated with staging the adoption of new software.

The Health Insurance Portability and Accountability Act (HIPAA) and its regulations have existed for over twenty years. Although most health care providers are familiar with its requirements, most health care providers are less familiar with the ways in which HIPAA is enforced. They are likewise unaware of how HIPAA investigations are initiated, the processes they follow, nor the types of information the Department of Health and Human Services’ Office for Civil Rights (OCR) requires in the course of an investigation. Many also fear the imposition of stiff penalties, likely as a result of seeing headlines about multi-million dollar settlements by other providers. In “HIPAA Enforcement On the Books and In Practice: When It all Goes Wrong,” Dan addresses HIPAA enforcement, explaining both the regulatory provisions that govern it, and how that enforcement plays out in practice. In addition to explaining the enforcement rule and how the OCR actually employs it, Dan also offers practical guidance based on personal experience in helping clients navigate HIPAA breaches without having to pay penalties or enter into settlement agreements.

On December 20, 2022, the Department of Justice announced an almost $45 million settlement with BioTelemetry, Inc. and its subsidiary CardioNet, LLC to resolve allegations of False Claims Act violations arising from submitting claims to federal health care programs for cardiac monitoring tests. The claims were alleged to be false because a portion of the monitoring services were performed overseas. More specifically, CardioNet had sent certain tests for federal health care beneficiaries to be reviewed by technicians based in India. Medicare will not pay for services that are performed outside of the United States or United States territories (e.g., Guam, Puerto Rico). Because the services in question were performed in India, this rendered the claims false. The settlement arose from a whistleblower lawsuit brought by two former CardioNet employees. Dan has examined these issues and the complications associated with using offshore personnel to perform services in “The Lure of Foreign Shores: Outsourcing of Overseas Health Care Functions,”

In recent months, generative AI has become all the rage, with OpenAI’s ChatGPT launching for public use in November, 2022, and several other competitor systems launching as well, such as Google Bard and Microsoft Bing Chat. Generative AI programs such as these take massive amounts of information, compile it, and then learn to generate outputs that are statistically likely when a user submits a prompt. With programs like ChatGPT, one can ask it to create a story in the style of the Bronte sisters, write a traditional 3-bar blues song, or provide the user with the most recent copy of a Medicare manual. Moreover, the prompts required can be “natural language” prompts. Thus, instead of learning specific search terms or ways to filter out specific results, one can simply write naturally and ask “What is the definition of PHI under the HIPAA Privacy Rule?” and the software should produce the proper result. We say “should,” however, because there are instances in which the software can “hallucinate” results; in other words, the software uses its knowledge base to create a result that is based on elements commonly found in the material the user is asking about, but which the program has itself created out of whole cloth. For example, consider the recent case in New York in which lawyers used ChatGPT to conduct caselaw research, only to have ChatGPT produce cases that did not actually exist. Our own clients have fallen prey to such AI “hallucinations” when attempting to research Medicare compliance issues. In one instance, a client used two different AI chat programs to look up a Medicare rule, only to have each program provide a different answer, and where each answer was completely created by the AI program and was wrong. (We know. We checked. Neither the specific chapters and section numbers existed, nor the actual content presented by the chat bot.) Despite these hurdles, it is likely that generative AI will improve over time and become more reliable. Nevertheless, we strongly encourage our clients not to rely solely on such resources and to consult with us when provided with information from such software. In the future, AI may prove to be a powerful tool for use within healthcare, but given the risks posed by relying upon an “hallucinated” result, we advise consulting with legal counsel first. We will not be relying on these resources, either.

In May, 2023, the Office for Civil Rights (OCR) in the Department of Health and Human Services updated its website to add new data on its HIPAA enforcement efforts over the years. Since April, 2003, when HIPAA covered entities were first required to comply with the HIPAA Privacy Rule, the OCR has investigated and “resolved” more than 30,000 cases in which it required corrective action or provided “technical assistance” (or both) to covered entities and business associates, entered into settlements or imposed civil money penalties in 133 cases leading to recoveries of more than $135 million. Overall, the OCR has received more than 331,100 HIPAA complaints in the last 20 years. Although the vast bulk of cases (approximately 223,000) were determined to be ineligible for enforcement. Over this time, the OCR determining that there no violation occurred in only 14,519 investigations. In approximately 55,000 other cases, the OCR intervened early and provided technical assistance, without the need for an in-depth investigation. While most cases do not result in the imposition of civil money penalties or settlements that require paying fines, our own clients have been investigated by the OCR, and the process can be lengthy, time-consuming and difficult, even when the OCR does not impose penalties or require corrective actions. Dan examines HIPAA enforcement overall, and explores enforcement trends in “HIPAA Enforcement On the Books and In Reality: When It All Goes Wrong,”  Given the prevalence of HIPAA complaints and the hardship of navigating an investigation, our advice is to work to develop and maintain a HIPAA compliance plan.
Federal scrutiny of physician privacy and security practices is on the rise.  The Department of Health and Human Services’ Office of Civil Rights (OCR) is currently auditing covered entities – including small physician practices – for compliance with HIPAA, including the Security Rule and its requirement to conduct a security risk analysis (SRA).  At the same time, the Centers for Medicare and Medicaid Services (CMS) and its contractor, Figliozzi & Co., is auditing physicians and practices that have participated in the Meaningful Use program.  More than half of those who participated in 2013 are reported to have failed to meet the requirements to successfully report under Meaningful Use.  Similarly, after conducting a pilot audit program in 2011, the OCR found that 47 out of 59 providers audited had no complete SRA, and 58 out of 59 had at least one problem with HIPAA security compliance.  The SRA represents the keystone for a practice’s entire approach to ensuring the security of electronic protected health information and complying with HIPAA.  If your practice hasn’t conducted an SRA, or you are unsure about whether you have, it’s time to start paying attention.   Under the Meaningful Use program, failure to conduct a SRA or meet any of the other Meaningful Use requirements means the participant must return its entire incentive payment, and may subject the participant to a 1% payment reduction for all Medicare payments.  Likewise, failure to comply with Security Rule requirements – many of which require that a SRA have been conducted, may result in the imposition of fines and require a physician to enter into a resolution agreement with the OCR.  Dan Shay explores these issues, and offers practical guidance on how to comply with these requirements, in his chapter for the 2015 HEALTH LAW HANDBOOK, “HIPAA and Meaningful Use Audits and The Security Risk Analysis Nexus.

When things go wrong with software and IT providers, it is often almost impossible to find relief because of the way their contracts are written, Amazingly, a New Jersey health-care provider was allowed to proceed with its lawsuit against two health-care information technology firms that represented they could convert patient files from NextGen to Allscripts, computer software programs physicians use to track all aspects of patient care. Nearly 200,000 patient charts were corrupted when the conversion attempt failed. The plaintiff sued under the New Jersey Consumer Fraud Act and the defendants argued the Act didn’t apply. The court had none of it. They found the defendants apparently offered a guarantee of results, and professed to have expertise in the conversions when they had never done it before. The court found the risk of harm was obvious, the nature of the data was of public significance and that the case could proceed. It offers tantalizing possibilities in contracting with IT and software vendors.

Physician practices continue to struggle with legal and practical issues when they switch electronic health records (EHR) software systems.  These problems include the transfer of data between EHR systems (including what happens when such a transfer is not possible), the HIPAA implications of such switches, and concerns raised by physicians changing employers or practices merging.  Daniel has written in previous years about EHR license agreements, but now addresses these new concerns in his article “Physicians Switching EHRs”.  This article examines the spread of EHRs – including the history of the Federal government’s involvement in encouraging their adoption – and the impact that has had on physicians.  It also explores common reasons why physicians switch EHRs, including data from recent surveys of thousands of physicians on the subject.  From EHR vendors holding practice data “hostage,” to the HIPAA requirements to preserve access to records for patients, to former employers claiming ownership of patient records to which physicians need access, Dan addresses the legal and practical problems that arise, and offers practical guidance in navigating these issues.  As EHR software agesamid the continuing dynamism in health care generally, these problems are likely to persist. Physicians, be prepared!

The use of off shore services and personnel to contribute to the delivery of health care has a long standing presence in health care. Yet, state law, federal reimbursement principles and other federal laws create barriers to the use of overseas personnel, resources, information technology and more in the delivery of health care.  Issues of whether supervision can be rendered from afar, licensure requirements, HIPAA restrictions and Medicare reimbursement prohibitions create a challenging context to make these arrangements work.  Dan Shay explores all of this and offers practical contractual language to use in any of these undertakings in his article "The Lure of Foreign Shores: Outsourcing of Overseas Health Care Functions" in the 2021 edition of the Health Law Handbook.

On December 13, 2016, Congress passed the 21st Century Cures Act, which, among other things, sought to promote electronic health record (“EHR”) interoperability by prohibiting the practice known as “information blocking” – where an EHR prevents the sharing of electronic health information (“EHI”). In addition, the Act sought to promote patient access to their own EHI. In May, 2020, the Office of the National Coordinator for Health Information Technology (the “ONC”) published a final implementing rule for compliance by April 5, 2021.

Health care providers (including physicians), health information exchanges (HIEs), health information networks (HINs), and software developers must share with patients a specified range of information with some exceptions. While the right of a patient to access their records already exists under HIPAA, this new rule requires that information to be provided to patients immediately, such as through a patient portal. The regulations are complex, and include similar terminology to that used in the HIPAA regulations, but with different definitions (e.g., a “health care provider” is defined differently under the two sets of rules). Blocking of data includes the delay of data availability.

As a practical matter, health care providers must examine their policies and procedures, and revisit how and when they provide patients access to their EHI. This issue may be especially concerning to physicians who are not used to providing patients with such wide-ranging access to their records, or who otherwise place limits on how and when information is shared with patients. (e.g., “We don’t send lab results to the patient portal until 2 days after the doctor has reviewed them.”) Existing practices and policies that may restrict patient access to information will need to be carefully considered. Dan has developed a DFS List as a practical checklist to begin confronting this challenge.

Patient portals are an increasingly popular mechanism for doctor-patient communication; yet, as in all matters dealing with cyberspace, there are pitfalls lurking in their implementation.  In his article “A Window Into Patient Portals”, Dan explains how they work, and then explores the legal issues associated with them from the contract that makes them available, whether as part of an EHR or stand alone, to HIPAA concerns and more.  This is a must read both for those who have a portal and those considering using one.
More than 25% of existing electronic health record licenses may be replaced next year.  The legal issues that can arise are considerable including, almost above all, getting back the practice's data in a usable format.  How these transitions unfold can be fraught with legal liability.  In "Your EHR License Agreement: Critical Issues" Dan Shay continues his considerations of the pitfalls for the unwary and how to avoid them.

Electronic health records (“EHRs”) are a fact of life in the current healthcare industry, with adoption of EHRs having increased steadily since the early 2000s, and especially in connection to Medicare’s Meaningful Use program. But most physician practices will not keep the same EHR software forever. Changes in certification requirements, software obsolescence and patches that change how the software functions, as well as practice mergers and sales can all lead physicians and physician practices to switch EHRs. In “Maintaining EHR Records Access – Legal and Technical Risks”, Dan discusses what happens to physicians’ records when switching EHRs. It is a physician’s duty to maintain access to their records, and this article provides insight into issues surrounding this subject.

In “What Are the Legal Risks Associated with Social Media and Online Review Sites?”, Dan examines potential problems for health care practitioners in the social media context, and with respect to online review sites. Managing one’s online reputation is a relatively new business aspect for those in health care, and sometimes one’s initial instincts may not be the smartest move. This article discusses both practical and legal considerations that health care practitioners should bear in mind before deciding how and when to respond online.

The omnibus regulations published under the HIPAA and HITECH statutes have focused new attention on the frequently swept to the side Notice of Privacy Practices (NPPs) which all Covered Entities under HIPAA must issue.  Since the Office of Civil Rights which enforces HIPAA has made it clear that small physician practices will not be overlooked in its enforcement, by settling a breach case with a two physician cardiology practice for $100,000, all aspects of HIPAA compliance should be a regular part of the physician practice compliance program.  Because NPPs under the new regulations must contain new information for patients, Dan Shay illuminates the new requirements in "Navigating Physician Notices of Privacy Practices".
Social media are increasingly becoming the predicate for lawsuits involving defamation and other allegations, in the world at large.  In health care, while there are risks associated with social media postings that are similar to commercial concerns, there is the extra problem of HIPAA violations.  We have advised clients regarding a range of social media based liabilities, including an employee posting a photo of her breakfast which sat on top of a patient's records, where the name and other identifying information could be easily read.   The risk of inadvertent violations of the law is relatively high in the absence of decent policies addressing the boundaries of social media usage by office staff.  How to utilize social media advantageously and whether physicians should even engage with patients through social media is a particular interest of Dan Shay's which he has addressed in his article "Physician use of social media: Navigating the risks"

With the reemphasis on 'transparency' in health care quality policy, more and more quality information about providers will be made available. The commercial value of provider data is also increasing. Providers enter into many contractual relationships where data about them may be in play, even if that is not the focus of the relationship. For example, a managed care contract, a practice management company relationship, obtaining an electronic medical record from a software vendor, or hiring a billing company are all relationships where significant provider data will be at issue. In "Commerce in Provider Data: What, Why and Provider Contractual Controls" Daniel Shay looks at what is proprietary to a provider, considers who is reporting data and why, and offering actual contract language as well as case law, addresses contractual protections providers should think about in entering into relationships with a range of other entities.

Social media sites are ubiquitous, even if their use reflects generational divides. For physicians, social media can offer opportunities for marketing and patient education, but comes with potential liabilities, as well. In addition, the unique relationship between physicians and patients as viewed by the law, can create challenges for physicians who use social media. In "Physicians and Social Media: Untangling The Web", Dan Shay elucidates the most common social media platforms and explains their differences and functionalities. He considers the potential liabilities for physicians under HIPAA, for malpractice and for defamation which can arise through the use of social media, both personally and professionally. He also addresses how physician office staff can generate problems. Then, he offers practical guidance, illuminating the somewhat different positions taken by various professional organizations including the AMA, AAFP and ACP. We are assisting our physician practice clients in developing policies regarding the use and functions of social media, for themselves, their employees and in relationship to patients. We also assist practices who have experienced improper disclosures or other social media related events associated with the practice and its staff.
With the publication of the HITECH and Security rules, compliance with HIPAA is back in the spotlight. Effective January 1, 2014, new rules will pertain. In our recent article in Family Practice Management, we dispel some myths and provide practical guidance to physicians. The importance of taking HIPAA compliance seriously can be seen in the first settlement of 2013 with the Office of Civil Rights of 2013. There, Idaho State University agreed to $400,000 and enter into a 2-year corrective action plan to settle alleged violations of HIPAA. In investigating the self-reported incident, the Office for Civil Rights found risk analyses and assessments that were "incomplete and inadequately identified potential risks or vulnerabilities," as well as "failure to assess the likelihood of potential risks occurring." The principle problem was a disabled firewall over a period of four years. There was no evidence that any records were accessed or that the security actually was breached. The settlement makes it clear that risk assessment and gap analysis are essential to being able to craft a well-designed, customized plan for HIPAA compliance. This is no longer a matter of choice.
Data demonstrates that physicians are now replacing their electronic health record (EHR) software at an increasing rate. Most apparently do so because they were dissatisfied with their current EHR software or vendor. Some of these dissatisfactions are so great that a class-action suit has been filed in one instance. The rate of replacement increased from 21% to 31% between 2010 and 2013. Many physicians did not have their EHR software licenses (contracts) reviewed on the first go-around. Given the problems of transition as well as changes in the industry, it is vital that physicians have their EHR license agreements reviewed by experienced counsel. As we have repeatedly written [See issues: #246, 10], there are pitfalls awaiting in these documents.
On June 26, 2012, the Department of Health and Human Services' Office of Civil Rights ("OCR") released the audit protocols it is using in auditing covered entities under HIPAA, which is relevant to increased enforcement of the privacy rules. The information, located here, includes audit protocols for both the Security Rule and the Privacy Rule (including the Breach Notification provisions), broken down by Federal Regulation section. For example, when auditing covered entities with respect to their use of de-identified information, auditors are instructed to ask the covered entity’s management team whether a policy or procedure exists to de-identify protected health information, to review such policies and procedures in relation to regulatory criteria, and to verify that they are updated and presented to the covered entity’s workforce. This release provides insight into the OCR’s concerns regarding HIPAA and can assist covered entities in developing their own HIPAA compliance programs. Since even small physician practices have been subjects of enforcement, compliance with the privacy and security rules is yet a new imperative.
The health reform legislation has put a firm stake in the ground with respect to expanding the measurement of quality for many providers.  One of its principle vehicles was to solidify the former Physician Quality Reporting Initiative (PQRI) into a Congressionally mandated Physician Quality Reporting System (PQRS).  Although what is reported has nothing to do with whether either quality standards were met or quality itself improved, with the financial incentives available to those who report voluntarily, the idea is that physicians will learn to report quality effectively. By 2015, physicians who do not report will be penalized. In "PQRS and Its Penumbra", Dan Shay explores the implications of the program, how it relates to meaningful use financial incentives and the pitfalls, including false claims liability, that lurk in ineffective reporting. This program is a must know for physicians.
When the privacy regulations were first adopted back in 2003, there was considerable anxiety among the provider community, and particularly physicians, with regard to the administrative burden of compliance and intrusion in the doctor-patient relationship that would come from the empowerment of patients to complain to the Office of Civil Rights regarding violation of their right to privacy. The OCR has now published data regarding enforcement of HIPAA privacy complaints and there can be no doubt that the number of complaints has indeed gone up substantially. In 2004, the first full year of the program, there were 6500 complaints filed. By 2007, that number had increased to more than 8100. But this is the grand total of all complaints received from all sources throughout the United States of America! Hardly a tsunami of privacy violations. The data on the website reports complaints filed by state and their resolutions. Although the ratios have changed slightly, more cases are determined to have no violation today, than four years ago. By far, most of the complaints are resolved on investigation and review and do not proceed further (69%). Of the cases that proceeded to investigation, last year produced almost 1500 ‘corrective actions’ (type unspecified) and a larger number (750) than before were found to have no violations.

The last five years have heard a relentless call for information technology dissemination to improve quality and lower costs in health care. Electronic health records (EHR) have been touted as the first and most important step to a real technology revolution. For physicians, though, the cost of EHR implementation has often proven prohibitive. The Stark and anti-kickback protections for donated medical records was expected to jumpstart this effort. Not so fast. In his consideration of downstreamed EHR licenses Dan Shay takes his primer on EHR license agreements a step further in explicating the special complications of tri-partite license agreements. What happens on termination is at least as important as what is entailed in implementation.

For quality to advance in this country, it is becoming increasingly clear that universal electronic medical records will be necessary. Proposed regulations to permit hospitals to provide record systems to their physicians have been published under Stark. Many physician practices are looking to obtain these programs. Whatever the source of an electronic health record system, it is certain there will have to be a license agreement by which the practice obtains access to the software, unless they build their own. In "A Primer on Electronic Health Records License Agreements", Daniel Shay reviews the context for these contracts, elucidates their common features, based on reviews of real-life documents, and points out pitfalls that physician practices should avoid in obtaining access to these vital practice accessories. In a practical, easily applied application of the deeper issues addressed in the primer, Daniel has also offered guidance on “Top Ten Questions To Ask When Looking At An EHR License Agreement.”