Critical Steps to Help Avoid Cybersecurity Attacks

By: Gary Salman, Guest Contributor

Ransomware attacks are impacting the healthcare community’s HIPAA security at a staggering rate. If a practice has data stolen from their network and they did not report the breach to The Office of Civil Rights (OCR), they could be subject to massive fines for the lack of reporting. Specific steps must be followed to determine if ePHI (electronic protected health information) was compromised. This often involves hiring a forensics company and working with a cybersecurity company to harden the practice’s infrastructure. When you are the victim of an attack once, you will most likely be a victim again, because the vulnerabilities in your network that enabled the attack vector (or payload) to infiltrate your system are still there. You cannot simply restore your data and hope for the best.

HIPAA Security Basics: Keeping your Medical Web-Based Business Compliant

By: Shobha Lizaso

Medical web-based businesses have been on the rise, while the number of HIPAA enforcement actions by the US Department of Health and Human Services (HHS) has risen exponentially as well. Since the beginning of this year, HHS has announced several large settlements with companies that failed to comply with HIPAA requirements. For example, in January, HHS announced a $2.2 million settlement with a health insurance company when a breach resulted from a stolen portable USB device containing PHI. Also, in February, HHS announced a penalty of $3.2 million against a medical center for a breach that arose from the theft of an unencrypted laptop containing PHI. This enforcement activity is becoming the norm, so it is best to ensure that your medical website is legally compliant.

If you are handling any PHI on or through your website, you must ensure that your website is up to speed with HIPAA compliance. Here are some recommendations to address the security and privacy of PHI that your website may manage (please note that this is not a comprehensive list):

Physician Communications: Considerations for Using Text Messages and Social Media

By: Jackie Bain

It is becoming easier and easier for physicians to communicate with each other and their patients. And although open communication is generally thought of as positive, the medical profession should proceed with caution. Patients and consulting physicians rely heavily on their communications with their treating physicians. Thus, communications which do not require the thought or focus that a physician would otherwise give to a situation may result in disaster. While there are many potential ways a physician might use text messaging and social media both professionally and personally, we will focus generally on physician interactions with other physicians, and physician interactions with patients.

To start, physicians should be aware that, in 2011, the American Medical Association issued guidelines in its Code of Ethics for physicians who use social media:

HIPAA Omnibus Final Rules and Penalties

On Friday January 25, 2013, the Department of Health and Human Services published the Final Rule modifying the HIPAA privacy, security, enforcement, and breach notification rules under the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Non-Discrimination Act (“GINA”) as well as other modifications to the HIPAA rules. (See 45 CFR Parts 160 and 164, Federal Register Volume 78 Number 17.)

The omnibus rule actually contains four final rules. The first finalizes the modifications to HIPAA mandated by “HITECH” that were intended to improve the Rules and were issued as a proposed rule on July 14, 2010; it includes six modifications.

The first omnibus final rule includes the following six modifications:

  • Direct liability of business associates of covered entities for compliance with certain HIPAA privacy and security rule requirements.
  • Strengthened limitations on the use and disclosure of protected health information.
  • Expanded rights of individuals to receive electronic copies of their health information.
  • Modification and redistribution of entities’ notices of privacy practices.
  • Modification of individual authorization forms and other requirements to facilitate research and the disclosure of child immunization proof to schools, and to enable access to decedent information.
  • Modification of the enforcement rules to address violations such as non-compliance with HIPAA rules due to willful neglect.

The second omnibus final rule adopts changes to the HIPAA enforcement rule that increase the civil monetary penalties in a tiered manner.

The third omnibus final rule involves breach notification for unsecured protected health information under the “HITECH” act. This rule replaces the prior rule’s “harm” threshold with a more objective standard.

Finally, the fourth rule prohibits most health plans from using or disclosing genetic information for underwriting purposes.

These final rules take effect this month on March 26, 2013. Covered entities and business associates must comply with the applicable requirements by September 23, 2013. The penalties for violating the final rules are now as follows:

TABLE 2 – CATEGORIES OF VIOLATIONS AND RESPECTIVE PENALTY AMOUNTS AVAILABLE

Violation Category – Section 1176(a)(1)   | Each Violation   | All such violations of an identical provision in a calendar year
(A) Did Not Know                          | $100–$50,000     | $1,500,000
(B) Reasonable Cause                      | $1,000–$50,000   | $1,500,000
(C)(i) Willful Neglect – Corrected        | $10,000–$50,000  | $1,500,000
(C)(ii) Willful Neglect – Not Corrected   | $50,000          | $1,500,000

Providers need to be aware of the penalties for violating the rules. As we most recently reported to you, the Office of Civil Rights will not hesitate to sanction providers for violating the Act in amounts in excess of $1.5 million.

Portal not "Port-All"

By: David Hirshfeld

Whether as a means of satisfying the Stage 2 “meaningful use” requirements of the HITECH Act, or in an effort simply to enhance the efficiency of their practices, many of our clients have been implementing electronic medical records software that includes patient portals.  A “patient portal” is an electronic doorway between patient and practice.  Portals often allow patients to check and download their own treatment records, and to use digital messages as a means of communicating with clinicians.  Portals can be awesome tools with which to enhance your practice, but they need to be implemented thoughtfully.

A portal is often an excellent way in which to add operational efficiencies that reduce costs, increase patient satisfaction, and increase positive outcomes; BUT, if not carefully monitored, they can become inadvertent points of entry for information, the meaning of which can only be appreciated when delivered in a face-to-face office visit, where other aspects of the patient’s condition would be evident (e.g. pallor, swelling, confusion).

Portals should be limited to more benign encounters, such as: patient registration, financial clearance, medical history, appointment scheduling / confirmation, specialty referrals, notification of test results, online bill payment, non-narcotic prescription renewals, follow-up of specific conditions for which there has been a course of in-person treatment that included an agreement as to the use of the portal for follow-up.

I recommend that practitioners train their patients how and to what extent they should use the portal by presenting patients with a “Terms of Use” agreement (that they must sign); and by reminding patients of the Terms of Use if and when they use the portal for an encounter that should have been handled by an in-office visit.

A good “Terms of Use” agreement ought to convey the following information to patients before they use the portal:

  • Identify the proper subject matter to be communicated through the portal and, just as important, the types of communications that should NOT be made through the portal.
  • In addition to communication, what other functions the portal will make available to the patient (e.g. what records can patients view, can they download, can they transmit to other providers, refill prescriptions, help practice to monitor an ongoing condition, etc.).
  • The portal is highly secure, more secure than conventional email, and should be the only way that patients convey information to the practice other than in person or, perhaps, on the telephone.
  • Everything conveyed to the practice through the portal will become part of the patient’s medical record.
  • Not only the physician, but other clinicians and practice staff may read communications made through the portal.
  • How quickly, and in what format, will the practice respond to patient communications made through the portal.
  • Whether and on what terms the practice will allow access to records of its minor patients.
  • How modifications to the “Terms of Use” and portal functionality will be conveyed to patients.
  • A primer, as simple as possible, on how to effectively use your practice’s portal.

Portals can be awesome tools with which to enhance your practice; but they need to be implemented thoughtfully, and in conjunction with patient training.


Final Privacy Rule Affects Clinical Research Organizations

The final HITECH Act rule was published on January 25th, and it includes revisions to HIPAA.  The two things affected by the new rule are (1) compound authorizations, and (2) authorizations for future research.

Compound authorizations are basically authorizations for two separate uses of protected health information (PHI).  The new rule allows combining an authorization for a research study with any other written permission for the same study, such as authorization to participate in the research.  The core elements of a valid authorization remain in place.  The intent is just to provide some flexibility in clinical research settings.

Traditionally, authorizations had to be study specific.  The new rule allows authorizations not to be study specific, but they have to describe future uses or disclosures in a way that patients will understand that their PHI could be used in future research.

FTC Interim Final Red Flags Rule a Reprieve for Health Care Providers

By:  Rodger Hochman, Board Certified in Health Law

On November 30, 2012, the Federal Trade Commission (FTC) issued its interim final “Red Flags Rule” which narrowed the definition of “creditor” in such a way that essentially confirms that most health care service providers are not subject to its requirements.

The Red Flags Rule was originally promulgated in reaction to the perceived risk of identity theft in various transactions involving financial institutions and creditors, and it required them to develop and implement a written identity theft program to combat these risks, including internal processes for identifying “red flags” of identity theft. The application of the Red Flags Rule to health care service providers was controversial, since it advanced the counterintuitive notion that a provider engaged in ordinary-course business activities, such as rendering health care services where insurance or other payment would be received later, was a “creditor” by definition, and was thus equated with financial institutions and subject to standards more applicable to the relationship between commercial creditors or lenders and their customers.

Under the original rule, any “creditor” was required to establish an identity theft program.  The definition included “any person who regularly extends, renews, or continues credit…”  The FTC interpreted this expansively to include physicians and other providers who accept insurance as payment or who permit payment plans, where payment in full was not received at the time of service.  Thus, if a physician or hospital were to accept a patient’s insurance coverage or bill the balance not covered by insurance to the patient, that was viewed as an extension of credit to the patient which triggered regulatory compliance obligations by the provider.  Although the FTC later clarified its position in saying that it applied only to creditors that regularly and in the ordinary course of business advance funds, there was still some ambiguity.

The interim final rule now makes clear that advancing funds does not include routine health care billing and collection activities (such as deferring payment of fees in connection with providing services), and that most service providers are not subject to the rule. Nevertheless, while the interim final rule confirms that most providers are not subject to the Red Flags Rule, entities that collect consumer data should still carefully consider how they collect and use such data. To the extent that they use or provide patient information in connection with credit reporting services, the Red Flags Rule would apply. Further, health care providers remain subject to the HIPAA/HITECH privacy and security rules with respect to all patient identifying information, regardless of whether they are subject to the Red Flags Rule.

ACOwatch: Kathleen Sebelius: Keynote Speech From 2nd Annual ACO Summit

6/28/2011: ACOwatch.com
Remarks as prepared for delivery by Secretary Sebelius on June 27th, 2011, Washington, DC.

“Improving care is clearly the best approach to addressing rising costs – especially compared to recent proposals that would simply cut Medicare and Medicaid, without doing anything to address underlying growth in health care spending.  But it’s also clear that we are not improving fast enough.  So our challenge is to speed it up.”

Read more here: http://acowatch.com/

ACOs are S.T.U.P.I.D

We have probably never seen so much enthusiasm and spending on anything in our history as we are on healthcare reform. The point is to slow spending and improve quality by incentivizing cost-saving, quality-enhancing behavior. And the Accountable Care Organization is the new healthcare delivery model designed to save us from our greedy, over-utilizing selves. Here’s how it works:

First, you take a lot of primary care physicians and tell them they will get more money by (1) taking an expanded role in taking care of patients, and (2) reducing the expenses associated with that care. Then you tell them two really special things: first, you tell them “Uh, since we’re afraid that you will improperly reduce the amount of care the patients need, we won’t tell you which patients are in an ACO and which are not.” Second, you tell them “We really mean it when we tell you that we intend for you to make more money, but we won’t tell you exactly how we’re gonna do that. Trust us, ok?”

Second, you empower physicians to lead the charge. After all, they’re the only participants in ACOs that smart people think can control costs and quality. And you do this by telling them to (1) shell out about $26 Million to form an ACO, (2) go to Wharton and get an MBA, (3) educate themselves about all the intricacies of information technology and work out the kinks involved in implementing electronic medical records, and (4) keep taking care of those patients while you do all this. Finally, you keep the identity of patients secret from the physicians so there is no way to prepare care plans that take into account the diseases faced by the patients. No problem.

Third, you let patients run amok. They can go into an ACO…or not. They can go in and out of ACOs. They’re like kids that way, but they’re responsible for reading the 397 pages of ACO regs and then deciding whether they like the idea or not. Oh, and they have absolutely no incentive to sign up for ACO care. And why would they? “Hey, how about you go with this ACO, which will get more money if they spend less on you. How’s that sound?” How could this possibly be sold to Medicare patients? “This ACO will get paid for getting you well! Your primary care doctor that you’ve trusted for 20 years and who helps you get and stay healthy…that person doesn’t have the same incentive to get you well.” NOT.

Simplicity. There is none. Never before in our history have we seen something so simple (patient rationing) become so complicated (rationing = less expensive care). And so many acronyms and governmental departments and positions too! There are one sided models, two sided models and now a Pioneer model, for those who are especially adventurous. And did I mention that the basis for healthcare reform, the one that only the state of Washington has the courage to articulate, is really just rationing?

Troubling to pretty much everyone. Yes. Except for policy makers, there has yet to be any significant support for anything other than the IDEA that healthcare should cost less and be more outcome oriented. Even the Mayo, Geisinger and Cleveland systems have all politely declined at this point.

Unlimited flexibility. Yes, this is true, especially as it relates to patients. See, patients can be in a cost saving ACO or not. They can go in and out of them and the ACO will bear the cost. That’s right: patients can go in and out of them—ACO, non-ACO, and yet only the ACO will be penalized for cost increases. Let’s see, the ACO model is the cost saving model. And the plan is to allow patients to choose for society to save money or not. And the patients have zero incentives for participating in an ACO. And who is responsible for the behavior of these patients? Uh, well, we all are.

Patient accountability. This is completely lacking in the ACO model. There is absolutely nothing to incentivize patients for making healthy decisions and to punish them for making unhealthy ones. Also primary care driven. Not really. There aren’t enough to go around, but some guy who knows a doctor is free to see you now. Oh, also pro competitive, meaning everyone will wanna be an ACO, so that will create competition in the market and a tremendous drive to drive costs down and quality up. Ok, not really, but wouldn’t it be nice if that COULD happen. In fact, healthcare reform is functioning to do one sure thing—reduce competition, since only the biggest, strongest organizations can afford to compete or to be one.

Inexpensive. Nah. While the initial cost projections suggested about a $2 Million price tag for forming one, they are now up in the $12 to 26 Million range.

Direct and demonstrative. NOT. The entire healthcare reform delivery plan is like pushing a mouse through a maze by its tail.

Healthcare reform is like Alice in Wonderland at its best. It only makes sense on mind-altering drugs. Moreover, the schizo message from our policymakers on the whole issue is dumbfounding. “We are committed to lowering healthcare costs. ACOs will do this. Patients can be in them…or not.” Some legislators think they’ve created a panacea with ACOs, but then don’t want to compel them. It’s just political nonsense.

Look, slowing healthcare cost creep and quality enhancement are good things. We all (patients included) ought to be outcome driven and focused so that the end result is actually healthcare. ACOs just don’t and won’t do that, which may have something to do with the recent announcement by Mayo, Cleveland and Geisinger that they’re really not that interested in playing with them.