Category: HIPAA / HITECH Enforcement

Cyber Security, Data Breach, HIPAA / HITECH Enforcement, OCR HIPAA Audits, Settlements

Improper Disclosure of Research Participants’ PHI Results in $3.9 million HIPAA Settlement

Rose

Readers, please make sure you read all the way to the end because this article points out a significant part of the Corrective Action Plan in this settlement, and the previous one.

March 17, 2016

From the HHS Press Office media@hhs.gov

Improper Disclosure of Research Participants’ Protected Health Information Results in $3.9 million HIPAA Settlement

Feinstein Institute for Medical Research agreed to pay the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) $3.9 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and will undertake a substantial corrective action plan to bring its operations into compliance. This case demonstrates OCR’s commitment to promoting the privacy and security protections so critical to build and maintain trust in health research.  Feinstein is a biomedical research institute that is organized as a New York not-for-profit corporation and is sponsored by Northwell Health, Inc., formerly known as North Shore Long Island Jewish Health System, a large health system headquartered in Manhasset, New York that is comprised of twenty one hospitals and over 450 patient facilities and physician practices.

OCR’s investigation began after Feinstein filed a breach report indicating that on September 2, 2012, a laptop computer containing the electronic protected health information (ePHI) of approximately 13,000 patients and research participants was stolen from an employee’s car.  The ePHI stored in the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information relating to potential participation in a research study.

OCR’s investigation discovered that Feinstein’s security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity.  Further, Feinstein lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities.  For electronic equipment procured outside of Feinstein’s standard acquisition process, Feinstein failed to implement proper mechanisms for safeguarding ePHI as required by the Security Rule.

“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” said OCR Director Jocelyn Samuels.  “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”

The resolution agreement may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/Feinstein/index.html

A notable and consistent theme present in the Corrective Action Plan (Appendix A) of both of the recent settlement agreements is the following section, “As a part of this process, [ENTITY] shall develop a complete inventory of all electronic equipment, data systems, and applications that contain or store [ENTITY] ePHI, including personally owned devices, if any, which will then be incorporated in its risk analysis.”  This is of significant note for two reasons:

  1. As consultants in the performance of risk analysis activities, we have seen that accurate inventory of data, systems, and applications is a Unicorn. It is both a beautiful thing, and non-existent.
  2. The requirement of the CAP includes personally owned devices which will then be incorporated into its risk analysis. Wow! This is a huge scope change for a risk analysis, and requires Physicians, APNs, Therapists, Executives, and others to allow their devices’ security to be assessed.

Hopefully the OCR will offer some clarification on this point either in presentations or through other methods as this small phrase in one sentence has huge implications!

Sponsored by: RISC Management and Consulting, LLC http://www.riscsecurity.com/

Appendix A

Corrective Action Plan Between The Department Of Health And Human Services And The Feinstein Institute For Medical Research may be found on the OCR website at http://www.hhs.gov/sites/default/files/FIMR%20Resolution%20Agreement%20and%20Corrective%20Action%20Plan.pdf

Cyber Security, Data Breach, Education, HIPAA / HITECH Enforcement, Meaningful Use, News Events, Risk Analysis/Risk Management, Tip of the Week

Challenges of Meaningful Use

Rose

Challenges of Meaningful Use

Meaningful Use (MU) is the adoption of a certified Electronic Health Record (EHR) technology with a focus on improving quality, safety, efficiency, and reducing health disparities in the clinical/hospital setting. The idea is to increase patient engagement to improve care coordination while maintaining the privacy and security of the patient’s Protected Health Information (PHI).

According to Milan (July 27, 2015) “After a day spent hearing from health IT experts about information blocking practices, Republican Sen. Lamar Alexander, chair of the Senate Health, Education, Labor & Pensions Committee, said Thursday afternoon that he’s asked HHS to consider a delay of Stage 3 meaningful use”. The Department of Health and Human Services (HHS) is the U.S. government’s main agency for enhancing and protecting the health and well-being of all Americans.

Here are some quotes from Senator Lamar Alexander:

“Let’s not impose on physicians and hospitals a system that doesn’t work…”

“We want something physicians buy into, rather than something they dread…”

It is important to update and improve our current way of keeping health records as well as a more appropriate way to share health information with other providers. The quality of the EHR tool becomes the most desirable trait it seems. Remembering HIPAA where the importance of assessing all of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all Protected Health Information (PHI) is required. However, each medical provider is unique in their operational environment with their own set of variables and must be factored in to the equation.

Another important piece of information according to McCarthy (July 22, 2015):

“Stage 3 of meaningful use for EHR implementation requires providers to send electronic summaries for 50 percent of patients they refer to others, receive summaries for 40 percent of patients that are referred to them and reconcile past patient data with current reports for 80 percent of such patients. If other providers do not send electronic summaries, however, the provider who was supposed to receive them will fail to meet the second and third requirements.”

Probst (2014) mentioned from an interview that Intermountain Healthcare is Stage 2 Certified in 2014 but will not be attesting at this time.

The Agency for Healthcare Research and Quality (AHRQ, March 26, 2015) provided some research data on barriers to meeting the stage 3 criteria for Meaningful Use:

  • Lack of provider and practice staff time – 69%
  • Complexity of required workflow changes – 68%
  • Difficulty with electronic exchange of information – 65%
  • Direct Financial Costs – 54%
  • EHR design and functions do not easily support care coordination – 51%

Readiness to meet criteria results:

  • Only 11% of those who participated in the research are able to meet all of the criteria

AHRQ’s mission is to “bring about evidence to improve health care quality and safety, increase accessibility, equitability and affordability within the HHS and other partners. Their objective is to ensure that the evidence is understood and employed.

Stages of MU

For more information on Stages of Meaningful Use Click the link above

These are only some views on the subject of Meaningful Use, but there are many standards, policies, ideas that are available from other organizations that might be helpful.

Our work here at RISC Management has enabled us to view firsthand the privacy and security challenges of Meaningful Use, and of course HIPAA and HITECH. These are significant challenges that the Providers must meet, but they are reasonable and attainable.

OFFICIAL RISC Logo

For more information on Risk Analysis Click the link above

References

Agency for Healthcare Research and Quality. (March 26, 2015). Informing stage 3 meaningful use requirements through evidence: Webinar. Retrieved from https://www.youtube.com/watch?v=nQrMKcq0VAM

McCarthy, Jack. (July 22, 2015). Stage 3 meaningful use ignores market realities. Retrieved from http://www.healthcareitnews.com/news/brookings-meaningful-use-stage-3-ignores-market-realities

Meaningful Use. (2015) Definition. Retrieved from http://www.healthit.gov/providers-professionals/meaningful-use-definition-objectives

Miliard, Mike. (July 23, 2015). Senate suggests stage 3 MU delay. Retrieved from http://www.healthcareitnews.com/news/senate-call-stage-3-mu-delay?mkt_tok=3RkMMJWWfF9wsRohuKTPZKXonjHpfsX57e8uUKOylMI%2F0ER3fOvrPUfGjI4GRMVkI%2BSLDwEYGJlv6SgFQ7LHMbpszbgPUhM%3D

Probst (2014). CIO on MU stage 2: Certified but not attesting. Retrieved from http://bcove.me/kt82385m