The XY Files in an MT World : Health News

HHS Provides Guidance on Protecting PHI

Jay Vance — Tue, 21 Apr 2009 12:24:00 GMT

When you see a document with a title such as Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements...(read more)

HITECH Makes Business Associates Liable Under HIPAA

Jay Vance — Mon, 02 Mar 2009 16:14:00 GMT

Medical transcription providers should be educating themselves on how the Health Information Technology for Economic and Clinical Health Act (HITECH) portion of the American Recovery and Reinvestment Act of 2009, also known as the stimulus bill, is changing the way HIPAA regulations will apply to business associates. Up to this point, business associates of covered entities were not directly liable under HIPAA for breaches of private health information (PHI). As a result of HITECH, however, business associates, including transcription providers, will now be directly liable for failure to adhere to HIPAA regulations regarding the use of PHI.

According to Ed Jones from hipaa.com:

Application of the Security Rule to business associates of covered entities is a significant change. Previously, if there were a breach involving a business associate of which the covered entity were aware, then the covered entity could just terminate the contract if the breach was not remedied. Responsibility and liability rested with the covered entity. With the change in the HITECH privacy provisions of ARRA, the business associate now has responsibility and liability directly for a breach. A breach requires notification, which is triggered when there is an incident of "unsecured protected health information." The Secretary of HHS is required to issue guidance on what constitutes "unsecured protected health information" within 6o days of February 17, 2009. In the absence of such guidance in the time specified, then a default definition pertaining to a failure of encryption as endorsed by the National Institute of Standards and Technology (NIST) of such information [applies]. The notification provision requires both covered entities and business associates to notify affected parties directly and individually in a timely manner, and to use appropriate public media for cases involving over 500 individuals. This is a specification that was not defined under HIPAA Administrative Simplification. Increased penalties for a breach by a covered entity are immediately effective.

Writing for WTN News, attorney John Barlament explains further:

For the first time, business associates must comply directly with many of HIPAA's Security Rules. This will require every business associate to take several actions, including appointing a security official, developing written policies and procedures, and training its workforce on how to protect electronic protected health information ("EPHI"). These provisions go well beyond the previous requirements for business associates, where business associates only had to comply with the written business associate agreement.
Business associates also will need to follow HIPAA's Security Rules relating to physical safeguards (such as locking computers that contain EPHI), technical safeguards (such as encrypting emails) and the requirement to adopt written policies and procedures. Failing to do so will - for the first time - subject a business associate to civil monetary penalties and criminal penalties for each notification (and, as discussed below, the civil monetary penalties are now increased).

A covered entity or business associate that has a specified security breach will be required to notify each individual affected by the security breach. This can involve written notification by mail or, if specified by preference by the individual, email. If the covered entity or business associate lacks current contact information, it may be required to post notice of the breach on its website or in newspapers or other broadcast media (e.g., television). For certain large breaches (involving more than 500 residents in a particular area) a "prominent media outlet" must be notified of the breach. The U.S. Department of Health and Human Services ("HHS") also must be contacted, and HHS is to establish a website listing these breaches. There is an exception for certain unintentional breaches.

The Act states that business associates must comply directly with certain HIPAA Privacy Rules, primarily the requirement to have and follow a business associate agreement. The scope of this change is unclear. It could mean that every entity must determine whether it is a business associate with respect to a covered entity. If so, the business associate may be required to enter into a business associate agreement with the covered entity. Previously, it was a covered entity's responsibility to identify all its business associates (a business associate did not need to identify whether it actually was a business associate).

The civil monetary penalties are significantly increased. Currently, the amount of the penalty is generally $100 for each violation. This $100 amount (and its related cap of $25,000 for multiple violations) increases to $1,000 per violation for a violation due to "reasonable cause and not to willful neglect" (with a maximum penalty of $100,000); $10,000 for each violation that was due to willful neglect and is corrected (subject to a $250,000 maximum penalty); and $50,000 for each violation if the violation is not corrected properly (subject to a maximum penalty of $1,500,000 during a calendar year). These changes are immediately effective (i.e., they are in effect today) and represent a dramatic increase in the penalties under HIPAA.
In addition, state attorney generals can now bring a HIPAA enforcement action against a covered entity or business associate that violates these rules. Further, the state attorney general can obtain attorney's fees under such an action (although the attorney's fees are discretionary and not mandatory).
HHS - the main enforcer of HIPAA - now is required to conduct "periodic audits" to ensure that both business associates and covered entities are compliant with these new rules. Audits were possible under the old regulations. However, audits tended to be fairly rare, perhaps due to a lack of funding at HHS. Now, some monetary penalties or settlements collected by HHS are transferred to HHS's Office of Civil Rights to be used for purposes of enforcing HIPAA. This appears to solve the funding issue that HHS had apparently experienced. Thus, clients can expect to see increased HIPAA audits and enforcement.

So what does all this mean for the independent MT contractor and mom-and-pop transcription provider, not to mention regional and national MT service providers? While we don't yet know what the final HHS guidelines will look like, it seems clear to me that a whole boatload of new liability has just been dumped on MTs, whether we're ready for it or not. I'll be following the progress of the HHS rule-setting process with great interest, and will report back as new information becomes available.

Bits & Pieces

Jay Vance — Tue, 17 Feb 2009 20:10:00 GMT

Here are a few items of information from the past week I thought you might be interested in.

1. Transcription Service Provider Runs Afoul of the VA

From a Department of Veterans Affairs press release: During a routine internal inspection, the Department of Veterans Affairs (VA) discovered a contractor providing medical transcription services who was not following the Department's rules for protecting medical information.

Although there is no evidence that any patient information was disclosed as a result of the violation, VA has suspended the contractor from receiving any sensitive information from the Department until the contractor guarantees compliance with VA's standards for information technology (IT) security.

"VA insists that contractors, as well as our own personnel, adhere to the highest standards for protecting personal information," said Secretary of Veterans Affairs Eric K. Shinseki. "When we detect a problem, as happened in this case, we will quickly fix it, and we will ensure such problems are not happening elsewhere."

The issue involves a contractor whose employees create written transcripts of recordings made by health care professionals while performing physical examinations, reporting on surgeries, and taking patients' histories. VA officials found the contractor's employees used computers that do not adhere to government policy on security.

Based on this incident, the Secretary has launched an intensive examination of all VA's contracts to ensure all contractors properly safeguard information about VA patients, Veterans and employees.

2. New PHR Requirements in Stimulus Bill

Health Data Management is reporting that the economic stimulus bill will impose new consumer protection requirements on vendors of personal health records.

The vendors must notify affected individuals following the discovery of a breach of unsecured identifiable health information in PHRs. Vendors also must notify the Federal Trade Commission.

Further, a third-party service provider that provides services to a PHR vendor or covered entities that offer PHRs must notify affected vendors or entities of a breach. "Such notice shall include the identification of each individual whose unsecured PHR identifiable health information has been, or is reasonably believed to have been, accessed, acquired or disclosed during such breach," according to the legislation.

The FTC shall treat violations as unfair and deceptive acts or practices under the Federal Trade Commission Act. The legislation requires the FTC to publish interim final regulations within 180 days of enactment.

The requirements will remain in effect unless Congress enacts new legislation governing PHR breach notifications.

3. Medpedia Opens Public Health Care Technology Platform

TechCrunch is reporting that Medpedia has unveiled a public version of its technology platform for the worldwide health community. Combining social networking with Web 2.0 health information, Medpedia's website offers consumers a Wikipedia for health information, a LinkedIn network for health professionals, and a Facebook-like platform where consumers and experts can have a medical dialogue about treatment and conditions.

Medpedia has developed partnerships with Harvard Medical School, Stanford School of Medicine, Berkeley School of Public Health, University of Michigan Medical School and other health organizations to help bring content and medical networks to the site. Many of the health institutions are offering the content free of copyright restrictions. Already, 25 medical and government institutions in both the U.S. and the U.K. have signed on to Medpedia to use its professional network.

4. U.S. Army Adopting Dragon Speech Recognition

According to FierceHealthIT, the U.S. Army Medical Department is adopting speech recognition technology in a big way as part of an effort to boost its clinicians' satisfaction with the military's electronic medical record system. The new system will allow physicians to speak their notes into the EMR at the patient's bedside, rather than enter them later when their memories aren't as fresh.

The Army is rolling out Dragon Medical speech recognition software to 90,000 clinicians worldwide. It's taking this step as part of a larger program, run by the U.S. Army Surgeon General, designed to help improve providers' experience with AHLTA, the military's EMR. The program, MEDCOM AHLTA Provider Satisfaction, has already invested in touch-screen laptop computers and wireless networks.

A Major Step Forward for PHRs

Jay Vance — Wed, 19 Nov 2008 16:27:00 GMT

On November 12, acting CMS administrator Kerry Weems and HHS Secretary Michael Leavitt announced a pilot program which will enable Medicare members in Arizona and Utah to use their choice of four commercial personal health record (PHR) providers to access their own data from CMS databases. Beginning in early 2009, beneficiaries with Original Medicare will be able to use Google Health, HealthTrio, NoMoreClipboard.com, or PassportMD to maintain a PHR which will include Medicare information from CMS.

Said HHS Secretary Mike Leavitt, "This pilot is a major step forward for Medicare. It will provide information and tools that will empower consumers to manage their health better. Importantly, the pilot provides beneficiaries with a choice of products to meet their individual needs."

What I find remarkable about this new endeavor is that CMS, by all accounts a fairly conservative entity when it comes to sharing its data and embracing new technologies, is actually going to allow both consumers and third-party service providers to access personal health information (PHI) of Medicare beneficiaries. It's hard to see this move as anything less than an explicit endorsement of a "Health 2.0" infrastructure in general and of the concept of PHRs in particular. It would also, evidently, signify that CMS has accepted the HTTPS Internet transmission protocol as secure enough for PHI. From what I hear, in the past CMS has been loathe to allow the transmission of PHI data to or from its databases via the Internet.

CMS funds more than half of the healthcare in the U.S., and isn't shy about attempting to drive adoption and change through its reimbursement policy. I will be very curious to see whether or not, by offering patients access to their own claims data, CMS will create patient expectation that will motivate the private payer community to do the same. It will also be interesting to see what effect this move will have on adoption of PHRs by consumers. Again, it's hard not to see this as a golden opportunity for MTs and others in the health care documentation arena to jump on this bandwagon by providing value-added services to help consumers establish and maintain their own PHRs. CMS and major online players such as Google Health have already done a lot of the marketing work for us with this new initiative.