HIPAA and Data Issues

Federal scrutiny of physician privacy and security practices is on the rise. The Department of Health and Human Services’ Office of Civil Rights (OCR) is currently auditing covered entities – including small physician practices – for compliance with HIPAA, including the Security Rule and its requirement to conduct a security risk analysis (SRA). At the same time, the Centers for Medicare and Medicaid Services (CMS) and its contractor, Figliozzi & Co., are auditing physicians and practices that have participated in the Meaningful Use program. More than half of those who participated in 2013 are reported to have failed to meet the requirements to successfully report under Meaningful Use. Similarly, after conducting a pilot audit program in 2011, the OCR found that 47 out of 59 providers audited had no complete SRA, and 58 out of 59 had at least one problem with HIPAA security compliance. The SRA represents the keystone for a practice’s entire approach to ensuring the security of electronic protected health information and complying with HIPAA. If your practice hasn’t conducted an SRA, or you are unsure about whether you have, it’s time to start paying attention. Under the Meaningful Use program, failure to conduct an SRA or to meet any of the other Meaningful Use requirements means the participant must return its entire incentive payment, and may subject the participant to a 1% payment reduction for all Medicare payments. Likewise, failure to comply with Security Rule requirements – many of which require that an SRA have been conducted – may result in the imposition of fines and require a physician to enter into a resolution agreement with the OCR. Dan Shay explores these issues, and offers practical guidance on how to comply with these requirements, in his chapter for the 2015 HEALTH LAW HANDBOOK, “HIPAA and Meaningful Use Audits and The Security Risk Analysis Nexus.”
Patient portals are an increasingly popular mechanism for doctor-patient communication; yet, as in all matters dealing with cyberspace, there are pitfalls lurking in their implementation. In his article “A Window Into Patient Portals”, Dan explains how they work, and then explores the legal issues associated with them, from the contract that makes them available, whether as part of an EHR or stand-alone, to HIPAA concerns and more. This is a must-read both for those who have a portal and those considering using one.
More than 25% of existing electronic health record licenses may be replaced next year. The legal issues that can arise are considerable, including, almost above all, getting back the practice's data in a usable format. How these transitions unfold can be fraught with legal liability. In "Your EHR License Agreement: Critical Issues" Dan Shay continues his consideration of the pitfalls for the unwary and how to avoid them.
The omnibus regulations published under the HIPAA and HITECH statutes have focused new attention on the frequently sidelined Notices of Privacy Practices (NPPs) which all Covered Entities under HIPAA must issue. Since the Office of Civil Rights, which enforces HIPAA, has made it clear that small physician practices will not be overlooked in its enforcement, by settling a breach case with a two-physician cardiology practice for $100,000, all aspects of HIPAA compliance should be a regular part of the physician practice compliance program. Because NPPs under the new regulations must contain new information for patients, Dan Shay illuminates the new requirements in "Navigating Physician Notices of Privacy Practices".
Social media are increasingly becoming the predicate for lawsuits involving defamation and other allegations, in the world at large. In health care, while there are risks associated with social media postings that are similar to commercial concerns, there is the extra problem of HIPAA violations. We have advised clients regarding a range of social-media-based liabilities, including an employee posting a photo of her breakfast which sat on top of a patient's records, where the name and other identifying information could be easily read. The risk of inadvertent violations of the law is relatively high in the absence of decent policies addressing the boundaries of social media usage by office staff. How to utilize social media advantageously, and whether physicians should even engage with patients through social media, is a particular interest of Dan Shay's which he has addressed in his article "Physician use of social media: Navigating the risks".
Hospital websites have touted their facility's quality for as long as they have existed. Much of what they post is not only puffery ("we have the best" fill-in-the-blank) but, for the most part, meaningless. Some hospitals, however, do provide on their websites meaningful, transparent information about what they do. In 2013, for the first time, the Leapfrog Group and URAC handed out Hospital Website Transparency Awards to 7 hospitals, two of them with distinction with honors. The point was to draw attention to the problem of hospital websites potentially misleading consumers. These advertisements are barely regulated, if at all. The two sponsoring groups will make the award again in 2014; but the most interesting aspect of the whole enterprise is the criteria they will use to choose the winners. There are certainly lessons for hospitals there, but physicians should also take heed as they expand their presence on the internet.

With the reemphasis on 'transparency' in health care quality policy, more and more quality information about providers will be made available. The commercial value of provider data is also increasing. Providers enter into many contractual relationships where data about them may be in play, even if that is not the focus of the relationship. For example, a managed care contract, a practice management company relationship, obtaining an electronic medical record from a software vendor, or hiring a billing company are all relationships where significant provider data will be at issue. In "Commerce in Provider Data: What, Why and Provider Contractual Controls" Daniel Shay looks at what is proprietary to a provider, considers who is reporting data and why, and, offering actual contract language as well as case law, addresses contractual protections providers should think about in entering into relationships with a range of other entities.

Social media sites are ubiquitous, even if their use reflects generational divides. For physicians, social media can offer opportunities for marketing and patient education, but come with potential liabilities as well. In addition, the unique relationship between physicians and patients, as viewed by the law, can create challenges for physicians who use social media. In "Physicians and Social Media: Untangling The Web", Dan Shay elucidates the most common social media platforms and explains their differences and functionalities. He considers the potential liabilities for physicians under HIPAA, for malpractice and for defamation which can arise through the use of social media, both personally and professionally. He also addresses how physician office staff can generate problems. Then, he offers practical guidance, illuminating the somewhat different positions taken by various professional organizations including the AMA, AAFP and ACP. We are assisting our physician practice clients in developing policies regarding the use and functions of social media, for themselves, their employees and in relationship to patients. We also assist practices who have experienced improper disclosures or other social media related events associated with the practice and its staff.
With the publication of the HITECH and Security rules, compliance with HIPAA is back in the spotlight. Effective January 1, 2014, new rules will pertain. In our recent article in Family Practice Management, we dispel some myths and provide practical guidance to physicians. The importance of taking HIPAA compliance seriously can be seen in the first settlement of 2013 with the Office of Civil Rights. There, Idaho State University agreed to pay $400,000 and enter into a 2-year corrective action plan to settle alleged violations of HIPAA. In investigating the self-reported incident, the Office for Civil Rights found risk analyses and assessments that were "incomplete and inadequately identified potential risks or vulnerabilities," as well as "failure to assess the likelihood of potential risks occurring." The principal problem was a disabled firewall over a period of four years. There was no evidence that any records were accessed or that the security actually was breached. The settlement makes it clear that risk assessment and gap analysis are essential to being able to craft a well-designed, customized plan for HIPAA compliance. This is no longer a matter of choice.
Data demonstrate that physicians are now replacing their electronic health record (EHR) software at an increasing rate. Most apparently do so because they were dissatisfied with their current EHR software or vendor. Some of these dissatisfactions are so great that a class-action suit has been filed in one instance. The rate of replacement increased from 21% to 31% between 2010 and 2013. Many physicians did not have their EHR software licenses (contracts) reviewed on the first go-around. Given the problems of transition as well as changes in the industry, it is vital that physicians have their EHR license agreements reviewed by experienced counsel. As we have repeatedly written [See issues: #246, 10], there are pitfalls awaiting in these documents.
On June 26, 2012, the Department of Health and Human Services' Office of Civil Rights ("OCR") released the audit protocols it is using in auditing covered entities under HIPAA, which is relevant to increased enforcement of the privacy rules. The information, located here, includes audit protocols for both the Security Rule and the Privacy Rule (including the Breach Notification provisions), broken down by Federal Regulation section. For example, when auditing covered entities with respect to their use of de-identified information, auditors are instructed to ask the covered entity’s management team whether a policy or procedure exists to de-identify protected health information, to review such policies and procedures in relation to regulatory criteria, and to verify that they are updated and presented to the covered entity’s workforce. This release provides insight into the OCR’s concerns regarding HIPAA and can assist covered entities in developing their own HIPAA compliance programs. Since even small physician practices have been subjects of enforcement, compliance with the privacy and security rules is now a new imperative.
The health reform legislation has put a firm stake in the ground with respect to expanding the measurement of quality for many providers. One of its principal vehicles was to solidify the former Physician Quality Reporting Initiative (PQRI) into a Congressionally mandated Physician Quality Reporting System (PQRS). Although what is reported has nothing to do with whether quality standards were met or quality itself improved, with the financial incentives available to those who report voluntarily, the idea is that physicians will learn to report quality effectively. By 2015, physicians who do not report will be penalized. In "PQRS and Its Penumbra", Dan Shay explores the implications of the program, how it relates to meaningful use financial incentives, and the pitfalls, including false claims liability, that lurk in ineffective reporting. This program is a must-know for physicians.
When the privacy regulations were first adopted back in 2003, there was considerable anxiety among the provider community, and particularly physicians, with regard to the administrative burden of compliance and the intrusion into the doctor-patient relationship that would come from the empowerment of patients to complain to the Office of Civil Rights regarding violation of their right to privacy. The OCR has now published data regarding enforcement of HIPAA privacy complaints, and there can be no doubt that the number of complaints has indeed gone up substantially. In 2004, the first full year of the program, there were 6500 complaints filed. By 2007, that number had increased to more than 8100. But this is the grand total of all complaints received from all sources throughout the United States of America! Hardly a tsunami of privacy violations. The data on the website reports complaints filed by state and their resolutions. Although the ratios have changed slightly, more cases are determined to have no violation today than four years ago. By far, most of the complaints are resolved on investigation and review and do not proceed further (69%). Of the cases that proceeded to investigation, last year produced almost 1500 ‘corrective actions’ (type unspecified), and a larger number (750) than before were found to have no violations.

The last five years have heard a relentless call for information technology dissemination to improve quality and lower costs in health care. Electronic health records (EHR) have been touted as the first and most important step to a real technology revolution. For physicians, though, the cost of EHR implementation has often proven prohibitive. The Stark and anti-kickback protections for donated medical records were expected to jumpstart this effort. Not so fast. In his consideration of downstreamed EHR licenses, Dan Shay takes his primer on EHR license agreements a step further in explicating the special complications of tripartite license agreements. What happens on termination is at least as important as what is entailed in implementation.

For quality to advance in this country, it is becoming increasingly clear that universal electronic medical records will be necessary. Proposed regulations to permit hospitals to provide record systems to their physicians have been published under Stark. Many physician practices are looking to obtain these programs. Whatever the source of an electronic health record system, it is certain there will have to be a license agreement by which the practice obtains access to the software, unless it builds its own. In "A Primer on Electronic Health Records License Agreements", Daniel Shay reviews the context for these contracts, elucidates their common features based on reviews of real-life documents, and points out pitfalls that physician practices should avoid in obtaining access to these vital practice accessories. In a practical, easily applied application of the deeper issues addressed in the primer, Daniel has also offered guidance on “Top Ten Questions To Ask When Looking At An EHR License Agreement.”