By: Helen Oscislawski, Esq.

On March 7, CVS Caremark (CVS) hit the HIPAA spotlight again, and not in a good way.  Back in 2009, CVS was the target of a joint U.S. Department of Health and Human Services (HHS) Offices for Civil Rights (OCR) and Federal Trade Commission (FTC) investigation after media reports alleged that certain CVS locations were disposing of pill bottles containing patient information in unsecured dumpsters.  Although CVS denied the allegations, CVS shelled out a $2.25 million settlement as well as took corrective action to settle both potential HIPAA and FTC violations.  As a result, CVS is being actively monitored by HHS until 2012 and by the FTC for the next 20 years.  Then this past October, CVS was sued by six Texas pharmacies for trade secret misappropriation and Racketeer and Influenced and Corrupt Organizations Act (RICO) violations as a result of certain CVS data-mining practices. The plaintiffs, who are board members of the American Pharmacies, alleged that CVS denied patients choice of pharmacies and smothered business competition as well as used patient PHI in violation of HIPAA.

Bloomberg News recently reported that CVS has been sued by a Pennsylvania resident, Arthur Steinberg, and the Philadelphia Federation of Teachers Health and Welfare Fund, for selling patient prescription information to pharmaceutical manufacturers such as Merck & Co, AstraZeneca, and Bayer.  Allegedly, CVS accepted remuneration from pharmaceutical manufacturers in exchange for use of protected health information to encourage physicians to prescribe their drugs to patients. "CVS encouraged physicians to do so through letters which included patient names, dates of birth, and what medications patients were currently prescribed, allegedly obtained from CVS pharmacy services." The lawsuit accuses CVS of unfair trade practices, unjust enrichment, and violating consumer protection laws.

HIPAA as amended by HITECH generally prohibits any Covered Entity or their Business Associate from marketing and selling PHI without first obtaining patient authorization.  Only under very limited circumstances may patient information be "sold" or released without authorization for such purposes.  Investigation by OCR is even more likely given that CVS has been under OCR's watchful eye since 2009.  In addition, CVS's actions could also potentially violate its 2009 settlement agreement with OCR, placing it in even more hot water.

By Helen Oscislawski, Esq.

HHS and OCR held nothing back as the first civil money penalty was assessed under the new categories and increased penalty amounts created by HITECH.  The $4.3 million penalty was imposed against Cignet Health in Prince George County, Maryland, for violating HIPAA patient access rights.  Cignet had denied access to the medical records of 41 patients upon their request between September 2008 and October 2009 and each patient had filed complaints individually with OCR. HIPAA requires Covered Entities to provide patients with copies of their medical records on request within 30 days and in no case later than 60 days from the date of the request. HITECH created new categories of violations, ranging from "did not know" to "willful neglect" to comply with HIPAA, and established a corresponding tiered monetary penalty system.

Had this been the end of the story, Cignet would have walked away with only a $1.3 million penalty for violating HIPAA.  However, not only did Cignet fail to comply with HIPAA patient access rights, but it refused to produce the records when OCR demanded it do so.  Even after OCR presented Cignet with a subpoena, it continued to not produce the records.  Only after OCR filed a petition to enforce the subpoena and subsequently obtained a default judgment in United States District Court against Cignet did Cignet finally turn over the records.  Cignet also made no efforts throughout the entire investigation to cooperate or resolve the complaints informally.  OCR found Cignet's failure to cooperate a willful neglect of the HIPAA Privacy Rule, which requires all Covered Entities to cooperate with investigations by OCR, and an extra $3 million was imposed against Cignet.

The penalties imposed against Cignet dispel any doubt that may have remained concerning HHS' ramped up enforcement of HIPAA.  OCR Director Georgina Verdugo stated, "The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules." With a hefty $4.3 million penalty as HHS' "first shot", Covered Entities will certainly take notice and action to avoid coming under fire themselves.

Helen Oscislawski is a principal at Attorneys at Oscislawski llc, a boutique healthcare law firm located in Princeton, New Jersey specializing in privacy, HIE, HIT and other legal issues affecting the healthcare industry.

HIMSS ‘11 is only three days away. Today, Bill Childs’ third and fourth topics address the federally-mandated propulsion behind Meaningful Use of electronic health (medical) records, and the security that must be ensured so as to allay patients’ fears about personal data being breached.

Take it away, Bill -

3. Accelerated Movement Toward Meaningful Use

More and more CIO’s are beginning to wonder if they can satisfy Meaningful Use (MU) criteria in order to reap all the incentives and avoid all the penalties. Far too much remains unfinished. Dollars are often scarce or unavailable, and attaining MU exceeds many organizations’ resources. However, getting incented to make dates will be less stringent than getting penalized for missing dates. Both providers and their vendors are rushing to meet deadlines, but not all vendors can meet the needs of all their customers and not all providers can afford or manage the requisite, obligatory tasks to attain meaningful use. However, few refute that automating healthcare will produce more benefits for patient and, ultimately, provider.

4. Information Systems’ Security Issues

ARRA, HIPAA 5010, the HITECH Act and a whole host of existing and new rules and regulations are inundating Information Systems departments with (in many cases) ominous portents. At a recent I.S. Security conference hosted by Southern California HIMSS, several provider I.S. security officers detailed their efforts of trying to keep up. Their top laments? Budgets were inadequate. They were getting a mere 2% to 6% of the total I.S. budgets but needed more like 10%, which most never expected to get. Addressing proliferation and subsequent encryption of hand held and remote devices plus demands from physician groups clogged security teams’ “TO DO” lists. But the entire list reached far beyond those two issues.

Take the liberty to comment below.

Tomorrow:  Implementation and integration of new technology including devices, procedures, and the cloud demand Information Systems Support; and Dealing with reduction in elective procedures and Medicare & Medicaid reimbursement

What’s that low thrum? It’s the sound of the “meaningful use” definition” fading in the distance as healthcare providers now scramble away to put pieces of the EHT compliance puzzle into position. But wait! What’s that shrieking bleat ahead? “EHR PRIVACY,” the next issue du ARRA. The DHHS-convened Tiger group will command the headlines and attract legitimate attention over the next few months especially as the public comment period for proposed modifications to the HIPAA Privacy & Security Rules ends September 13, 2010.

The latest from the Tiger Group’s progress is succinctly captured by Modern Healthcare.com and Healthcare IT New.com. Follow these links to learn the most recent developments.

Tiger Group's EHR Privacy Conundrum: Modern HealthCare News

Privacy and security recommendations approved: Healthcare IT News

Below are two links to substantive accounts of the latest MU evolution. The first, released yesterday, is an explication by HHS National HIT Coordinator Dr. D. Blumenthal & CMS deputy administrator M. Tavenner. Given tables summarize new Core and Menu Set objectives.

The second link takes you to HISTalk’s Inga, who had by early morning today, compiled a straight-forward contrast, sort of a “then-and-now,” as regards MU after yesterday’s announcement by HHS.

You’ve probably spent the last 24 hours squinting at as many websites & sources as we have. Trying to keep you up-to-date while avoiding information overload & repetition, the blogmasters extend what we’d like to call a representative sample of our latest research done for you by our agents in the field.

Meaningful Use Regulation for EHR

Inga's Comparison

The recently published PriceWaterhouseCoopers Health Research Institute report, Ready or Not: On the Road to the meaningful use of EHRs and health IT, has circulated through the blogmasters desk, and in our continuing effort to keep you informed, we’ve produced the following abstract…

After surveying 120 CIO’s and another handful of healthcare executives, the PwC report adds heft to the impact of the ARRA’s Meaningful Use (MU).

The report makes many keen assertions including:

• “Health systems will need to transform the way they deliver care, so they can sustain performance and grow revenue in the future.”
• Successfully achieving meaningful use “hinges on closer integration with key constituents” (physicians, health insurers, patients).
• Health systems that already have connected with physicians, patients, and health insurers around MU are “more likely to be applying for government incentives” than those that haven’t. But only half of respondents expected to apply for incentives in 2011. (By 2014, 90% expect to be applying).
• Health systems that have included patients in the planning are “more confident about meeting MU standards.”
• “Implementing MU can enhance hospital-physician alignment.”
• Most health systems are failing to connect with health insurers around MU.
• 80% of CIO’s are more than concerned about meeting MU requirements by deadlines. (An American Hospital Association survey reports that 55% of hospitals expect to incur penalties.)
• “The benefits of achieving MU outweigh the challenges.” Those benefits include improve healthcare quality, disease management, coordination of care, improved alignment with physicians, increased productivity, market advantage, and improved alignment with payers.

But PwC identified four barriers to attaining MU: Lack of MU standards clarity, shortage of skilled IT staff, vendor readiness, limited capacity of existing infrastructure . . .

and proffered five benchmarks to achieve compliance: Establish governance, balance compliance against competing priorities, forge new public-private ventures, make the patient the purpose, collaborate with physicians and health insurers.

Interested in what happens now with healthcare reform? All the fervor has died down and we’re on to the next top issue (Arizona anyone?), but when will we start see the effect... Well, on July 1^st of this year people who have been unable to get health insurance because of preexisting conditions will be able to purchase subsidized coverage via a national high risk pool. On September 23^rd insurers will be banned from dropping people if they develop an illness, the dependent coverage age will extend to 26, no child will be denied because of a preexisting condition, and there will be no annual or lifetime limits. For more details read this, but in 2014 the entire law should be phased in.

That’s a brief synopsis of what’s going to happen in the coming months as a directive straight from the Patient Care and Affordability Act, but what else is going to be indirectly affected? One thing I keep reading is about the number of physicians practicing medicine. It was hard enough to practice with CMS issues, malpractice concerns, and hospital struggles…will the new law make it better for physicians to practice medicine in this country? What about the HITECH push, how is that effecting doctors?

What do you think?

More Reading:

Glamour Answers Pressing Questions

An Employer's Guide to Healthcare Reform

I Have to Buy...or else.

By: Mary Ann Ciccone

As part of ARRA, Medicare and Medicaid will provide reimbursement incentives to physicians and hospitals who become “meaningful users” of EMR. This effort will begin in 2011 and end by 2015 at which time all providers will be expected to utilize EMR. Changes will be implemented in stages and include data sharing, compliance with HIPPA and state laws, evidence based order sets, the engagement of patients and families, and care coordination. The final draft recommendations that will define meaningful use were published by the ONC for Health IT in December 2009. Eligible facilities and providers can incorporate these guidelines into projects currently in progress to meet the requirements.  

The result of following the meaningful use guidelines for all stages will be improved and more efficient patient care through the use of disease prevention and reduction of medication errors, greater communication between providers, efficiency in meeting reporting mandates and claims submissions, and lower healthcare costs.

 The recommendations for Stage 1 are listed below.

Source: HHS website for meaningful use.

Just in case you haven’t been able to find it one of the other dozens of sites publishing the link here is the HITECH: Initial Set of Standards, Implementation Specifications, and Certification Criteria for EHR Technology and here’s how you get paid (warning 556 pages).

Mr. HISTalk summarized the finer or most relevant points here. And over at HealthcareITNews.com “Stakeholders have mixed reviews on proposed requirements” while Government HealthIT profiles groups that aren’t happy with the definition.  

We all knew it’d be a mixed bag right? What do you think of the proposal? Have you (are you) going to read it or will you just look for an effective summary? Let us know what your thoughts and questions are in the comment section.