Wednesday, November 11, 2009

Information Management - Is it Lean?

BACKGROUND
Every organization relies on people, process and technology to carry out business. On a simplistic note, it would be fair to say that people execute the business functions (decision making) by using information made available to them through technology (information process). Organizations may be redefined as cooperative systems with high levels of information processing and decision making at different levels. Hence Information Management (IM) has emerged as an important branch of IT in recent years.

INFORMATION MANAGEMENT
IM may be regarded as the creation, collection, distribution, storage and retirement of information such that it is made available to the consumer of the information in a timely, contextually relevant and accurate form. According to the team that developed the behavioural science theory of management at Carnegie Mellon University, the decision making process is mostly suboptimal, bounded by the rationality of the user. Considering the socio-technical aspects of an organization, it may be very expensive and time consuming to have all relevant information available for every decision made. In addition, organization culture, rank and structure may prevent a rational decision from prevailing. Master Data Management (MDM) is an important part of IM.

MASTER DATA MANAGEMENT
MDM is being recognized as an important activity for organizations wanting to manage their information effectively. All transactional data is tethered to organization master data. Most enterprise system landscapes contain a variety of packaged applications from different vendors, which means localized master data with different formats and semantics. MDM is not about having a monolithic super database. It is about institutionalizing ownership of data using software that allows synchronization, deduplication and harmonization of master data from and to different systems. For the sake of performance, each packaged application is better off having a local copy of the relevant attributes of master data. Master data has traditionally been looked at within the boundaries of a single application like financials or billing. But as processes begin to span functional/departmental lines, it becomes necessary to have consistent semantics and accurate content enterprise wide. Absence of this regimen will lead to inherent inefficiencies. Typically the master data from an upstream application is not contextually relevant to a downstream one in either semantics or content and has to be recreated.

DEFINING VALUE - DIRECTIVE FOR LEAN
A lean enterprise is a collection of firms (business partners) involved in the delivery of a service using master and transactional data. It is possible to visualize information as a unit of value distributed intra- and inter-enterprise through channels like the intranet, extranet and the internet. The information value stream extends beyond organization boundaries. Lean thinking encourages us to
1. Pull information on demand (Contextual)
2. Eliminate variability and waste in information content by having a golden source (Accuracy)
3. Improve speed of retrieval (Timely)
There is often some kind of cognitive calculus done in the mind of the stakeholder on the value of the information. As with typical Lean engagements, the challenge is to establish the value of information. The key stakeholders and senior management need to understand the value of master data and how it translates into competitive advantage and increased market share.

MDM and HEALTH DELIVERY
A proponent of the free market would regard the patient as a unit of market share to be acquired or retained. The most important aspect of patient information is the Electronic Medical Record (EMR). Elements of the EMR include master data like patient demographics and patient identifiable information (PII). Hospitals create an enterprise master patient index to ensure a golden record. It is not uncommon to have up to 30% duplication in patient information in a hospital.
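The deduplication and harmonization that the MDM section describes, and the enterprise master patient index mentioned above, as an added example written for this page (not code from the original post or from any MDM product). Three hypothetical source systems hold the same patients in different layouts; the code harmonizes them, links records that describe one person, and produces golden records that keep the lineage of local identifiers. System names, field names, date layouts and all records are constructed assumptions.

```python
"""Added example (not from the original post): a toy enterprise master patient
index (EMPI) merge. Three hypothetical source systems (billing, lab, pharmacy)
each hold patient master data in their own layout; the code harmonizes the
layouts, links records that describe the same person, and emits one golden
record per patient with the lineage of local identifiers it consolidates.
All records are constructed sample data, and the system names and field names
are assumptions for the example."""
from __future__ import annotations

import re
import unicodedata
from collections import defaultdict
from datetime import date, datetime

# Constructed sample input: three people recorded across three systems, with
# the kind of format drift that occurs in practice (combined vs. separate name
# fields, three date layouts, mixed case, stray whitespace, accented letters).
SOURCE_RECORDS = [
    {"system": "billing", "id": "B-1001", "first": "Mary", "last": "O'Brien",
     "dob": "1970-03-05", "sex": "F"},
    {"system": "lab", "id": "L-77", "name": "OBRIEN, MARY",
     "dob": "03/05/1970", "sex": "F"},
    {"system": "pharmacy", "id": "P-9", "first": "mary ", "last": "o'brien",
     "dob": "05-MAR-1970", "sex": "f"},
    {"system": "billing", "id": "B-1002", "first": "José", "last": "Álvarez",
     "dob": "1985-11-20", "sex": "M"},
    {"system": "lab", "id": "L-78", "name": "ALVAREZ, JOSE",
     "dob": "11/20/1985", "sex": "M"},
    {"system": "pharmacy", "id": "P-10", "first": "Ann", "last": "Lee",
     "dob": "1992-07-01", "sex": "F"},
    # Same name and sex as the record above but a different date of birth:
    # a different patient, which the linkage must keep separate.
    {"system": "billing", "id": "B-1003", "first": "Ann", "last": "Lee",
     "dob": "1993-07-01", "sex": "F"},
]

# Date layouts used by the three sample systems (assumption for the example).
DATE_FORMATS = ("%Y-%m-%d", "%m/%d/%Y", "%d-%b-%Y")


def parse_dob(text: str) -> date:
    """Accept only the known date layouts; anything else is a data-quality error."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised date of birth: {text!r}")


def normalize_name(text: str) -> str:
    """Fold accents, punctuation and case so 'O'Brien' and 'OBRIEN' compare equal."""
    folded = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", folded.lower())


def harmonize(rec: dict) -> dict:
    """Map one source record onto the common golden layout."""
    if "name" in rec:                      # lab system stores "LAST, FIRST"
        last, first = (p.strip() for p in rec["name"].split(",", 1))
    else:                                  # billing and pharmacy use separate fields
        first, last = rec["first"], rec["last"]
    return {
        "first": normalize_name(first),
        "last": normalize_name(last),
        "dob": parse_dob(rec["dob"]),
        "sex": rec["sex"].strip().upper(),
        "source": (rec["system"], rec["id"]),
    }


def match_key(rec: dict) -> tuple:
    """Deterministic linkage key: equal normalized name, DOB and sex means one patient."""
    return (rec["last"], rec["first"], rec["dob"], rec["sex"])


def build_empi(records: list[dict]) -> list[dict]:
    """Group harmonized records by match key and emit one golden record per group."""
    groups: dict[tuple, list[dict]] = defaultdict(list)
    for rec in records:
        h = harmonize(rec)
        groups[match_key(h)].append(h)
    golden = []
    for n, (key, members) in enumerate(sorted(groups.items()), start=1):
        golden.append({
            "empi_id": f"EMPI-{n:04d}",
            "last": key[0], "first": key[1], "dob": key[2].isoformat(), "sex": key[3],
            # Lineage: every local identifier this golden record consolidates.
            "sources": sorted(m["source"] for m in members),
        })
    return golden


def duplication_rate(records: list[dict]) -> float:
    """Fraction of source records that turned out to duplicate another record."""
    return 1 - len(build_empi(records)) / len(records)


if __name__ == "__main__":
    for g in build_empi(SOURCE_RECORDS):
        print(g["empi_id"], g["last"], g["first"], g["dob"], g["sources"])
    print(f"duplication rate: {duplication_rate(SOURCE_RECORDS):.0%}")
```

The linkage here is deterministic (exact match on normalized name, date of birth and sex), which is why the two "Ann Lee" records with different birth dates stay apart; a production EMPI adds probabilistic matching and a manual review queue for near-misses, but the harmonization step and the lineage carried on each golden record are the same.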
How will the new health reform impact IM/MDM in health delivery?
1. It will be essential to retain and use a golden copy of the charge master to publish the cost of care.
2. Creation of a global patient identifier for inter-hospital collaboration and exchange of information with the health exchange. The key here is to understand the value of information to the different stakeholder groups.
Government - it would mean data for evidence-based research
Hospitals - it will be competitive information
Patient - it means access to medication and charts
Insurance company - it means financial payment.

There is tremendous potential to get to know the technology needs in health delivery and how it may be an inadvertent first step towards Lean.

HIPAA – Legal and Technological Implications

Abstract: This paper covers the fundamentals of the Health Insurance Portability and Accountability Act (HIPAA). Through case studies, it examines some of the practical aspects of administration and enforcement of HIPAA. It makes observations on how EHR (Electronic Health Record) and the internet are posing new challenges to the healthcare community.

Keywords — PHI, EHR, HIPAA, Internet, Privacy, OCR, HHS, HITECH

I. EXECUTIVE SUMMARY

HIPAA is separated into two sections.
1. The first is called “Health Care Access, Portability, and Renewability.” It relates to two acts: the Employee Retirement Income Security Act and the Public Health Service Act. This part of the Act protects the insurance coverage of workers between jobs or during periods of unemployment.
2. The second is called “Preventing Health Care Fraud and Abuse; Administrative Simplification.” It defines HIPAA offenses, sets penalties for HIPAA violations and HIPAA regulations, and creates programs to control fraud and abuse within the healthcare system. The scope of this paper is limited to this part of the Act.
A. HIPAA and EHR
EHR is a technology aid for automating (not replacing) activities in healthcare provisioning. It ensures better process control, reduces medication errors and provides controlled access to patient information (protected health information (PHI) and patient identifiable information (PII)) under HIPAA. However, the very technology poses new risks like misuse of privileges, vulnerability of systems to hacking (frail solutions), poor adoption among healthcare staff, etc. This warrants organizations to train their staff and build awareness. This has been a far bigger challenge than most would imagine.
In the next few years we will see rapid EHR rollouts as a result of the Health Information Technology for Economic and Clinical Health Act (HITECH). This opportunity also presents new challenges to be addressed, like stronger penalties, stringent enforcement and contractual ramifications for Business Associates (BAs).
B. HIPAA and Internet
Pervasive computing has touched almost all areas of our lives. It has altered the channels of communication and the speed at which information is exchanged. However, this presents new challenges too. While the internet facilitates instant communication, HIPAA has to do a fine balancing act between freedom of communication and the right to privacy. Some points to note are below:
• With the growing use of the internet, social networking and third-party PHI storekeepers, the risk of unwarranted PHI disclosure has increased. It is likely that Google and Microsoft will be liable under HIPAA if the provider community collaborates with them as its Business Associates.
• With changing social dynamics, it becomes meaningful to understand how the ownership of PHI has to be shared by both the patient and the provider. Some alternatives are explored in the search for answers to these questions.
The paper ends with a brief outline of enforcement statistics and the road ahead.

II. INTRODUCTION TO PRIVACY

The Privacy Protection Safety Commission states that privacy is a personal and fundamental right of the citizen protected by the US Constitution. Privacy violation results from information misuse arising from unauthorised collection and use of protected individual information. A victim of such a wrongdoing is likely to be impacted by one or more of the following:
• Vulnerability
• Emotional distress
• Humiliation
• Loss of opportunities.
In an ongoing attempt to uphold privacy, a number of acts have been instituted. Some of them are below:
1. Privacy Act of 1974
2. Confidentiality of Alcohol and Drug Abuse Patient Records Regulations
3. Family Educational Rights and Privacy Act (FERPA)
4. Americans with Disabilities Act (ADA)
5. Genetic Information Nondiscrimination Act (GINA)
6. HIPAA
7. Patient Safety and Quality Improvement Act of 2005 (PSQIA).

III. PILLARS OF HIPAA

HIPAA shifts the responsibility for information privacy from the patients (through simple consent forms) to the covered entities. It addresses several major areas:
• Privacy – Prevent misuse of patient information by safeguards
• Security – Protect information during storage and provide authorised access to patient information.
• Master data – Unique identifiers for interacting entities in a healthcare setting
• Standardization - Industry standard information exchange to reduce manual effort and clerical error.
• Business associate contracts – Important in outsourced services.

IV. PENALTIES FOR HIPAA VIOLATION


Tier 1 - Offender did not know, and by exercising reasonable diligence would not have known, that he or she violated the law (ordinary negligence).
         Penalty: $100 for each violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.
Tier 2 - Violation was due to reasonable cause and not willful neglect (ordinary negligence).
         Penalty: $1,000 for each violation, not more than $100,000 cumulative.
Tier 3 - Violation was due to willful neglect and was corrected (gross negligence).
         Penalty: $10,000 for each violation, not more than $250,000 cumulative.
Tier 4 - Violation was due to willful neglect and was not corrected (gross negligence).
         Penalty: $50,000 for each violation, not more than $1,500,000 cumulative.


The Department of Justice (DOJ) says that criminal penalties for a violation of HIPAA are directly applicable to covered entities and even to their employees (under “corporate criminal liability”). Where an individual of a covered entity is not directly liable under HIPAA, they can still be charged with conspiracy or aiding and abetting. Under the HITECH Act, HHS is provided with new audit authority to conduct periodic audits and ensure that BAs and Covered Entities are compliant with the new rules.

The DOJ interpreted the "knowingly" (wilfully) element of the HIPAA statute for criminal liability as requiring only knowledge of the actions that constitute an offense.

V. EXAMPLE - HIPAA VIOLATION – INFORMATION SECURITY
The case discussed below highlights the potential magnitude of the impact of a HIPAA violation.
A. Case
The Federal Trade Commission (FTC) opened its investigation into CVS Caremark following media reports from around the country that its retail pharmacies were disposing of PHI in open, publicly accessible dumpsters. The PHI was contained on labels on pill containers. The information included patient names, addresses, physicians’ names, medications and dosages; consumers’ personal information, employment applications, social security numbers, payroll information; and credit card and insurance card information. Simultaneously, HHS opened its investigation into the pharmacies’ disposal of health information protected by HIPAA.
CVS was charged with violations for the following:
• Lack of sound processes and policies to ensure HIPAA compliance
• Lack of employee training for dealing with PHI
• Lack of internal measures to assess and assure compliance with its policies and procedures for disposing of personal information
• Misleading and superfluous privacy policy statement.
CVS paid HHS $2.25 million to settle the matter.
Discussion: Is CVS a covered entity? Yes, it is. Under section 1861(s) of the Act, 42 U.S.C. 1395x(s), CVS (a retail pharmacy chain) provides medical supplies and biologicals that may not be self-administered and that are furnished as an incident to the physician’s professional service. So HIPAA applies to it.
What is the nature of the information that CVS failed to handle with reasonable care? The FTC press release states that there was sensitive information pertaining to patients and to its own employees. It is important to note that patient health information as well as employee medical information falls under HIPAA. CVS compromised both PHI and PII.
Where did CVS fail? CVS violated the following tenets under HIPAA, even though no discernible harm had been reported:
• Security.
• Privacy.
CVS’s response included a settlement amount higher than any other payout on a HIPAA violation so far.
CVS Caremark made claims such as “CVS/pharmacy wants you to know that nothing is more central to our operations than maintaining the privacy of your health information.” The FTC alleged that the claim was deceptive and that CVS Caremark’s security practices also were unfair. Unfair and deceptive practices violate the FTC Act. Subsequently CVS entered into a consent order with the FTC to resolve the claims made by the latter. As part of the Corporate Integrity Program, CVS agreed to institute a Corrective Action Plan (CAP). It requires CVS, over the next three years, to:
• Create processes for the correct disposal of PHI
• Institutionalize a training program
• Have a third party audit to certify the effectiveness of the CAP.
A similar example is found in the case against Providence Health and Services in June, 2008.
What is missing? Some missing facts that could have given us better insight into the magnitude of the violation are:
1. Total number of records compromised
2. Number of locations where the breach took place
3. Number of medical or financial identity thefts during the period over which the violation was occurring.

VI. EXAMPLE – LACK OF AWARENESS

As concerns about HIPAA become pervasive, covered entities are reluctant to share information in a healthcare setting. This has been observed to hamper care in some situations. The case below illustrates this point.
A. Case
An emergency department requested the transfer of a 40-year-old homeless man with a history of schizophrenia and psychotropic dependence to a local hospital to undergo inpatient treatment. In his psychotic state, the patient was unable to sign for the release of his records. The psychiatrist on call requested the emergency room (ER) to send across the test results and relevant records via fax for review before a decision could be made about the transfer. The ER nurse refused to fax the records, stating that doing so would violate HIPAA. Furthermore, the nurse reported that even signed consent to fax the records would not protect her against a HIPAA violation. After the transfer was refused, the records were faxed with the patient's name blacked out.
Discussion: This is a case where the health worker was misinformed about HIPAA law. The Act does not forbid the transfer of necessary and pertinent medical information to aid the treatment of the patient. An effective training program for healthcare workers is critical to the success of HIPAA.

VII. EXAMPLE - HIPAA AND INTERNET

With the rapid adoption of unconventional communication channels, there is a need to re-assess the applicability of HIPAA laws. A few scenarios are presented below with observations.
A. Case: Patient participates in indiscriminate information sharing

Scenario One: The patient uses the hospital communication network (assuming it is made available) to share PHI with friends. Although the disclosure is by the patient, since the communication has happened over the hospital network, which is under HIPAA rules, the hospital could be held liable.

Scenario Two: The patient communicates PHI using the public internet and posts it on social networking sites. It is expected that the patient will be discreet about his PHI. Should PHI be guarded under HIPAA only as long as the patient is not found being indiscreet, similar to the client-attorney privilege?

Scenario Three: The patient maintains PHI with a third party and not a covered medical entity (for example, Google Health). Privacy is guarded solely on the basis of authorised consent given by the individual to the third party and a declaration by the third party to be discreet with PHI. The PHI in this case is not protected by HIPAA regulations. The internet has always been an unsecured channel for storing and transmitting confidential information. Can HIPAA be extended to cover the third parties as well?

Scenario Four: Posting surgery updates on Twitter. There have been cases where hospital surgeons have used Twitter to post surgery updates. It is likely that the patient could be identified if the operation was one of a kind or involved a novel procedure. How can we discourage such practices?

Scenario Five: YouTube advertising. In an attempt to avail themselves of low-cost marketing channels, hospitals are seeking consent from patients to post their surgery on YouTube. It is possible that after the advertisement is posted, the patient develops a complication and suffers at the hands of the providers. Yet the advertisement continues to be featured on YouTube without any mention of the post-surgery complication. This leaves the patient traumatized. Even though the law may offer a remedy, most patients are easily intimidated by the idea of legal recourse against their doctors, not to mention the time and money needed to go up against establishments.

VIII. ELECTRONIC HEALTH RECORD AND HIPAA

An EHR solution is defined as a system for collecting, using, storing, disseminating and destroying PHI.
The challenges of implementing EHR are few but critical:
1. Adoption of technology by the healthcare community. Physicians often find it difficult to work with technological limitations. All EHR rollouts need strong technology change management to ensure speedy adoption. Health workers are notorious for their tendency to skirt the process.
2. Under pressure to cut costs, HIPAA compliance may be compromised by undercutting features or robustness. This is particularly true when the solution is based on off-the-shelf products.
3. While EHR helps reduce human error, it makes HIPAA violations easier to commit. This is accentuated by the lack of organizational commitment to train and create awareness.

HIPAA safeguards in the EHR include the following:
1. Seamless integration with the billing system for transmitting EDI (Electronic Data Interchange) messages between payer and payee.
2. Maintaining secure communication when employing outsourced talent with emphasis on business associate agreements
3. Instituting role based privileges for data access.
4. Proper budget to train and create awareness of HIPAA to avoid attacks through social engineering and breaches due to unauthorized information sharing. It is said that most unauthorized system accesses are through social engineering, the act of manipulating people into performing actions or divulging confidential information. This is an important point in a highly computerized environment.
5. Having routine and event based audits
6. Having a security officer to oversee HIPAA compliance and putting checks and balances for physical safeguard and back up of storage spaces for PHI.
7. Having technical safeguards for secure information exchange using encryption protocols and data corroboration
8. Implement privacy policies and risk management programs.
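Safeguards 3 and 5 above (role-based privileges for data access, and routine and event-based audits), as an added illustration written for this page rather than code from any EHR product. A role sees only the fields its job needs, every read attempt is recorded before data leaves the store, and a review routine over that audit trail flags a user who pulls an unusual number of charts in a short window, which is the pattern an otherwise-permitted account shows when it is misused. Roles, field names, patients and the review threshold are constructed assumptions.

```python
"""Added example (illustrative code for this page, not part of any EHR
product): role-based access to chart fields, an audit trail of every read
attempt, and a review check over that trail. Roles, field names, patients and
the review threshold are constructed assumptions for the example."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# "Minimum necessary": each role may read only the fields its job requires.
ROLE_FIELDS = {
    "physician":  {"name", "dob", "diagnosis", "medications", "allergies"},
    "pharmacist": {"name", "dob", "medications", "allergies"},
    "billing":    {"name", "dob", "insurance_id", "charges"},
    "front_desk": {"name", "dob"},
}

# Constructed sample charts (no real PHI): six patients with every field filled.
PATIENTS = {
    f"MRN-{i:04d}": {
        "name": f"Patient {i}", "dob": f"19{60 + i}-01-{i:02d}",
        "diagnosis": "sample-dx", "medications": ["sample-rx"], "allergies": [],
        "insurance_id": f"INS-{i}", "charges": 100.0 * i,
    }
    for i in range(1, 7)
}

class AccessDenied(PermissionError):
    """Raised when a role asks for a field outside its minimum-necessary set."""

@dataclass
class AuditEvent:
    when: datetime
    user: str
    role: str
    mrn: str
    fields: tuple
    granted: bool

def can_read(role: str, fields) -> bool:
    """True only if every requested field is permitted for the role."""
    return set(fields) <= ROLE_FIELDS.get(role, set())

@dataclass
class EhrStore:
    patients: dict
    audit_log: list = field(default_factory=list)

    def read(self, user: str, role: str, mrn: str, fields, when: datetime) -> dict:
        """Return only the requested, permitted fields; log the attempt first."""
        fields = tuple(fields)
        granted = can_read(role, fields) and mrn in self.patients
        # Recorded before any data leaves the store, so denied reads and
        # probing for unknown MRNs are visible to later review as well.
        self.audit_log.append(AuditEvent(when, user, role, mrn, fields, granted))
        if not can_read(role, fields):
            raise AccessDenied(f"role {role!r} may not read {fields}")
        if mrn not in self.patients:
            raise KeyError(mrn)
        chart = self.patients[mrn]
        return {f: chart[f] for f in fields}

def flag_bulk_readers(audit_log, window: timedelta, max_patients: int) -> dict[str, int]:
    """Users who read more than max_patients distinct charts inside any one window."""
    by_user: dict[str, list[AuditEvent]] = {}
    for ev in audit_log:
        if ev.granted:                     # only successful reads moved data
            by_user.setdefault(ev.user, []).append(ev)
    flagged = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e.when)
        worst = 0
        for i, start in enumerate(events):  # sliding window anchored at each read
            in_window = {e.mrn for e in events[i:] if e.when - start.when <= window}
            worst = max(worst, len(in_window))
        if worst > max_patients:
            flagged[user] = worst
    return flagged

def run_demo():
    """Drive the store with a small constructed sequence of reads."""
    store = EhrStore(PATIENTS)
    t0 = datetime(2009, 11, 11, 9, 0, 0)
    store.read("dr_smith", "physician", "MRN-0001", ["name", "diagnosis", "medications"], t0)
    store.read("dr_smith", "physician", "MRN-0002", ["name", "diagnosis"], t0 + timedelta(minutes=30))
    try:   # a pharmacist asking for a diagnosis is outside the minimum-necessary set
        store.read("rx_jones", "pharmacist", "MRN-0001", ["name", "diagnosis"], t0)
    except AccessDenied:
        pass
    for i in range(1, 7):   # a front-desk user pulling six charts in two minutes
        store.read("clerk_x", "front_desk", f"MRN-{i:04d}", ["name", "dob"],
                   t0 + timedelta(seconds=20 * i))
    flagged = flag_bulk_readers(store.audit_log, timedelta(minutes=5), max_patients=3)
    return store, flagged

if __name__ == "__main__":
    store, flagged = run_demo()
    print(f"{len(store.audit_log)} audit events, flagged for review: {flagged}")
```

The point of keeping the audit write ahead of the authorization decision is that the log then shows the denied pharmacist request and the clerk's volume together: the first is stopped by the role check, the second is permitted field by field and is only caught by reviewing the trail, which is why both safeguards are needed.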

HIPAA violations today seldom remain limited to a violation of privacy. They are usually followed by either identity theft or a false claim or both. The case discussed below examines how HIPAA violations are easily committed with an EHR solution in place and how they lead to felony. One critical point to note here is that the medical record is owned by the covered entity.
A. Case: Violation and Criminal Law

Without authorization or approval from United HealthCare, two of its employees gained access to the company’s electronic database and obtained names and dates of birth of certain patients. The patients had Flexible Spending Accounts and were covered by a prescription drug plan sponsored by the Federal Employees Health Benefit Plan (“FEHBP”). The employees used this information to create fake and unauthorized prescriptions. These were then presented to pharmacies to illegally obtain controlled substances. The drugs were then illegally sold to third parties. The defendants caused a loss of $72,746 to the Federal government by making false claims.
Discussion: In this case the defendants were guilty of a HIPAA violation because they acquired the patient information and shared it with others who participated in their plan. Typically this would have been a civil case.
However, the defendants were also guilty of identity theft, which is a felony, and the criminal law differs from one state to another. In the state of Texas, Fraudulent Use or Possession of Identifying Information is a felony whose degree varies based on the number of records stolen.
In addition, the defendants used the information to defraud the federal government by making false claims for reimbursement. Under the False Claims Act this amounts to a felony. The defendants got a 10-year prison sentence and $250,000 in penalties.

IX. SOME MORE HIPAA

This section touches upon other areas where HIPAA has an impact.
• Under HIPAA, peer review documents are typically not discoverable. Unless there is a court-issued subpoena, the hospital is not required to share the peer review documentation publicly. Peer review is a platform for physicians to discuss negligence and near-negligence incidents without inhibition, to ensure that patient safety standards and quality of care are consistently maintained.
• Medical records are owned by the covered entity although the patients have the right to suggest corrections to its contents. Providers may be free to use the information for treatment, operation and payment without any consent from the patient.

X. HIPAA AND HITECH ACT 2009

The HITECH Act has put in place the following checks and balances with respect to HIPAA. The section below mentions the notable areas impacted:
• Notifications in the event of confidentiality breach
• Business Associate liability
• Disclosures of PHI limited to the “Limited Data Set” or “Minimum Necessary”
• Expanded accountability for individuals
• Sale of EHR or PHI
• Limited use of PHI for marketing purposes and fund raising
• Expanded enforcement measures for HIPAA violations
• HIPAA compliance audits
• Business associate liability – The HITECH Act makes significant changes to the HIPAA laws and rules, many of which will impact relationships between covered entities and their business associates
• HITECH will require BAs to comply with administrative, technical and physical safeguard requirements
• BAs are also required to appoint a security official, develop written policies and procedures, and train its workforce on how to protect electronic protected health information (EPHI)
• BAs will now be directly liable under HIPAA for using and disclosing PHI in violation of their BA agreements
• A violation of the BA agreement will subject the BA to the same civil and criminal penalties as a Covered Entity who violates the Privacy Rule
In case of a breach of HIPAA guidelines, the following have been recommended under HITECH:
• Perform a “Risk Assessment”
• Do an impact assessment of the breach. This includes the extent of misuse, tracking the parties involved in it, and the type and amount of PHI involved: can it reasonably cause financial, reputational or other harm?
• Implement a Risk Mitigation procedure
• The Covered Entity or BA has the burden of proof in demonstrating that no breach has occurred.
• Strong documentation of the risk assessment is vital.
• Individual notification by first class mail is required (unless the individual has consented to electronic notice). Substitute notice is required if contact information is out of date. For 10 or more, notification must be either posted on the website for 90 days or posted in major print/broadcast media for 90 days. Media and HHS notification is required for a breach involving 500 or more residents of a state or jurisdiction. For cases involving a smaller number of breached records, log files must be maintained on an annual basis.

XI. SUMMARY STATISTICS OF HIPAA ENFORCEMENT

The Department of Health and Human Services (HHS) is the department of the US executive branch charged with protecting the health of all Americans and providing essential human services, especially for those who are least able to help themselves. The OCR (Office for Civil Rights) is the primary agency under HHS to receive complaints on HIPAA violations and act upon them. Of the 45,630 complaints received so far, about 80% of the cases have been resolved. During the course of investigation, it has been discovered that almost 50% of the reported cases were not eligible to be tried under HIPAA. This statistic reflects two things:
1. There may be a gap in how the Act is interpreted. A good number of people do not understand the nuances of HIPAA in letter or spirit.
2. There may be a gap in the jurisdiction of the law itself that needs to be addressed in the future.
The top reasons for HIPAA violations have been cited as:
1. Unsecured PHI
2. Unauthorized access
3. Inappropriate and impermissible disclosures
4. Unauthorized disclosures
5. Lack of patient access to their PHI
6. Uses or disclosures of more than the minimum necessary protected health information

XII. HIPAA - DOWNSIDE

Restricted access to patient data has its drawbacks.
1. HIPAA has and will continue to have an impact on research as PHI becomes increasingly difficult to acquire. Consent forms have become longer ever since the regulations came into effect. Studies have shown that there is a decline in the participation rate in clinical trials and human research.
2. HIPAA compliance costs money. With static or diminishing healthcare budgets, there is a threat that HIPAA spending could be compensated for by a compromise in the quality of care.

XIII. FUTURE – BENEFITS AND ROAD AHEAD

The benefits of HIPAA cannot be over-emphasized. The key ones are:
1. It allows patient information to be sent from one provider to another in a seamless and secure way. This will be felt more effectively when the percentage of providers on EHR solutions increases.
2. By guarding patient privacy it protects patients from being victims of criminal wrongdoing.
3. Patients are very vulnerable when they are in the hands of the providers. HIPAA safeguards ensure that information shared during patient-provider encounters is kept confidential.

Its future depends on some best practices and legislation, some of which are mentioned below:
1. Effective training and awareness programs for members of the healthcare community.
2. Recognize that HIPAA is not a one-time activity. It is part of the corporate governance objective.


Health Management in India

http://www.ihmr.org/ - Institute of Health Management
http://www.iphindia.org/joomla/index.php - Institute of Public Health
http://www.who.or.jp/sites/bangalore.html - WHO, Bangalore
http://cghr.org/aboutcghr.html - Center for Global Health Research
http://www.hispindia.org/ - HISP India
- PHFI Newsletter
http://www.epos.in - EPOS India