Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.

© Copyright 2012


February 29th is the Last Day to Report Breaches of <500 to HHS!

by Kevin.Patton 23. February 2012 09:27

By: Helen Oscislawski, Principal at Attorneys at Oscislawski LLC

For those that have been logging their "small" breaches (i.e., less than 500 individuals affected) and waiting to report them to HHS at the end of the year, next Wednesday, February 29th is the LAST day to get your information entered into HHS' Breach reporting website.  While covered entities may opt to report each small breach to HHS throughout the year (i.e., including the onsies and twosies), the other option is to log each small breach during the calendar year and report all such small breaches to HHS within 60 days of the end of such applicable calendar year.

A couple of important points to note about reporting small breaches to HHS:

First, the HHS-reporting "buck" stops with the covered entity, not the Business Associate. Even if a breach was caused by a Business Associate (BA), under the current HITECH Breach Rule, the BA's only reporting obligation is to the covered entity; the covered entity is solely responsible for reporting all reportable Breaches to HHS.

Second, follow a “GOLDILOCKS rule”  of “Not too much, not too little -- just right.” Covered entities must report all relevant information requested on HHS' online reporting form. However, there are several fields that ask for a typed response.  For example, HHS asks for a "brief description of the breach" including how it happened, any additional information about the breach, type of media and PHI. HHS similarly asks the covered entity to describe "other actions taken" in response to the breach. But, while a covered entity must report what it is required to report by law, offering too much information (including impermissibly disclosing patients' PHI, among other things) could land the covered entity in hot water.

Finally, you had better have remembered to collect ALL the required information on your Breach Log! A covered entity that is planning to report small breaches at the end of the calendar year must plan ahead and know what information to collect and document, and hint: it's a lot of information that you might not be able to recall at the end of the year unless you documented it as you went along. The information that covered entities should be collecting about each "small" breach includes:

  • Date of the breach?
  • Date the breach was discovered?
  • Approximate number of individuals affected?
  • What "type" of breach was it? (select: theft, loss, improper disposal, unauthorized access, hacking/IT incident, other, or unknown)
  • Location of the Breach? (select: laptop, desktop computer, network server, e-mail, portable electronic devices, electronic medical record, paper, other)
  • What type of information was involved? (select : demographic info, financial info, clinical info, other)
  • What safeguards were in place prior to the breach? (select: firewalls, packet filtering, secure browser sessions, strong authentication, encrypted wireless, physical security, logical access control, antivirus software, intrusion detection, biometrics)
  • Date individuals were notified? (note that this date should never be more than 60 days after the Date of Discovery entered, and in any case any "unreasonable delay" in notifying individuals (even if less than 60 days) could trigger a closer look by HHS)
  • Actions taken in response (select : privacy & security safeguards, mitigation, sanctions, policies and procedures, or other)
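As an added example (not code from the original post or from the firm), the fields listed above modelled as a breach log in Python, with checks for the two 60-day windows the post describes: individual notification within 60 days of discovery, and the year-end batch report within 60 days of December 31 (which lands on February 29 for calendar year 2011). The enum values mirror the form choices quoted above; the rule that a breach belongs to the calendar year of its discovery date is my assumption, and the sample entries are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple


class BreachType(Enum):
    """Selectable 'type of breach' values from the HHS form, as listed above."""
    THEFT = "theft"
    LOSS = "loss"
    IMPROPER_DISPOSAL = "improper disposal"
    UNAUTHORIZED_ACCESS = "unauthorized access"
    HACKING_IT_INCIDENT = "hacking/IT incident"
    OTHER = "other"
    UNKNOWN = "unknown"


SMALL_BREACH_LIMIT = 500              # "small" = fewer than 500 individuals affected
NOTIFY_WINDOW = timedelta(days=60)    # individuals notified within 60 days of discovery
YEAR_END_WINDOW = timedelta(days=60)  # batched small breaches reported within 60 days of year end


@dataclass
class BreachLogEntry:
    """One row of the breach log, holding the fields the post says to collect."""
    breach_date: date
    discovery_date: date
    individuals_affected: int
    breach_type: BreachType
    location: str               # e.g. "laptop", "paper", "e-mail"
    info_types: List[str]       # e.g. ["demographic info", "clinical info"]
    safeguards: List[str]       # safeguards in place before the breach
    notification_date: Optional[date]
    actions_taken: List[str]    # e.g. ["mitigation", "sanctions"]
    description: str = ""       # the "brief description" the form asks for

    def is_small(self) -> bool:
        return self.individuals_affected < SMALL_BREACH_LIMIT

    def problems(self) -> List[str]:
        """Return the gaps a reviewer would want fixed before the entry is reported."""
        found = []
        if self.discovery_date < self.breach_date:
            found.append("discovery date precedes breach date")
        if not self.is_small():
            found.append("500 or more individuals affected: not eligible for year-end batch reporting")
        if self.notification_date is None:
            found.append("individuals not yet notified")
        elif self.notification_date - self.discovery_date > NOTIFY_WINDOW:
            days = (self.notification_date - self.discovery_date).days
            found.append(f"individuals notified {days} days after discovery (limit is 60 days)")
        if not self.description.strip():
            found.append("brief description of the breach is missing")
        if not self.actions_taken:
            found.append("no actions taken recorded")
        return found


def annual_report_deadline(year: int) -> date:
    """Last day to report that year's small breaches: 60 days after December 31."""
    return date(year, 12, 31) + YEAR_END_WINDOW


def annual_report(log: List[BreachLogEntry], year: int) -> Tuple[date, List[BreachLogEntry], Dict[int, List[str]]]:
    """Select the small breaches discovered in `year` (assumption: the discovery date
    decides the calendar year) and collect their problems, keyed by index into the
    returned list of included entries."""
    included = [e for e in log if e.is_small() and e.discovery_date.year == year]
    flagged = {i: e.problems() for i, e in enumerate(included) if e.problems()}
    return annual_report_deadline(year), included, flagged


# Constructed sample log entries (not real incidents).
SAMPLE_LOG = [
    BreachLogEntry(date(2011, 6, 3), date(2011, 6, 6), 2, BreachType.LOSS, "paper",
                   ["demographic info", "clinical info"], ["physical security"],
                   date(2011, 6, 20), ["mitigation", "policies and procedures"],
                   "Two discharge summaries mailed to the wrong patient"),
    BreachLogEntry(date(2011, 8, 30), date(2011, 9, 1), 40, BreachType.THEFT, "laptop",
                   ["demographic info", "financial info"], ["logical access control"],
                   date(2011, 11, 15), ["sanctions"],
                   "Unencrypted laptop stolen from an employee's car"),
    BreachLogEntry(date(2011, 10, 12), date(2011, 10, 12), 600, BreachType.HACKING_IT_INCIDENT,
                   "network server", ["clinical info"], ["firewalls", "antivirus software"],
                   date(2011, 11, 1), ["privacy & security safeguards"],
                   "Server compromise exposed stored patient records"),
]

if __name__ == "__main__":
    deadline, included, flagged = annual_report(SAMPLE_LOG, 2011)
    print(f"Report {len(included)} small breach(es) for 2011 by {deadline}")
    for i, probs in flagged.items():
        print(f"  entry {i}: " + "; ".join(probs))
```

The third sample entry is excluded from the batch because it affects 600 individuals, and the second is included but flagged, since notifying individuals 75 days after discovery exceeds the 60-day window the post warns about.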

Even though HHS withdrew the Interim Final Breach Notification Rule during the summer of 2010 (and even though we continue to wait for a final revised version of that rule to be published), covered entities are still required to report all breaches (if there is a positive "Harm" determination) to HHS. HHS specifically points out on its website that "[u]ntil such time as a new final rule is issued, the Interim Final Rule that became effective on September 23, 2009, remains in effect." For Breach Notification training & education, visit our Workshops.



State AG Brings First HIPAA Lawsuit Against Business Associate

by Kevin.Patton 13. February 2012 10:59

By: Krystyna Monticello, Attorney at Oscislawski, LLC

A final "omnibus rule" is expected to clarify the HITECH business associate (and other) provisions this year, but in the meantime, much confusion remains.  Despite the lack of final business associate rules, and confusion or not, Minnesota has dived head first into action against a business associate for HIPAA violations.  In the first HIPAA enforcement action directly against a business associate, Minnesota Attorney General Lori Swanson has brought an action against Accretive Health, Inc., pursuant to her authority under HITECH.  In addition, multiple violations of Minnesota law are alleged, including the Minnesota Health Records Act, debt collection statutes, and consumer protection laws.

Accretive functions in multiple capacities for covered entities in Minnesota, including as treatment coordinator, debt collector and quality cost control and management partner.  A breach last summer of data compiled by Accretive resulting from a stolen unencrypted laptop left in a rental car by an employee affected at least 23,531 patients.  Information that was on the laptop included personal identifying information (name, address, phone number, Social Security Number), "medical scores" predicting the frailty, complexity and likelihood a patient would be admitted to the hospital, and dollar amounts allocated to the patient's health care provider, as well as whether patients had certain conditions such as bipolar disorder, depression, high blood pressure, asthma, and back pain.

The HIPAA violations are quite extensive, with the complaint alleging:

  • Failure to implement policies and procedures to prevent, detect, contain and correct security violations;
  • Failure to implement policies and procedures to ensure appropriate access to electronic PHI by members of its workforce and prevent those without authorized access from accessing such PHI in violation of HIPAA;
  • Failure to effectively train all members of its workforce, agents and independent contractors, on the policies and procedures regarding PHI as necessary and appropriate to carry out their functions and maintain security of the PHI;
  • Failure to identify and respond to suspected or known security incidents and mitigate to the extent practicable harmful effects known to them;
  • Failure to implement policies and procedures to limit physical access;
  • Failure to implement policies and procedures governing receipt and removal of hardware and electronic media containing electronic PHI within and without the facility;
  • Failure to implement technical policies and procedures for electronic information systems to allow access only to those granted access rights; and
  • Failure to implement policies and procedures as otherwise required by HIPAA.

This action has the potential to set precedent in Minnesota as to just how much transparency and information should be viewed as "necessary" for patients to make informed choices regarding their health care and medical records and the extent to which health care entities must take affirmative action to notify patients of their role in their health care. Although the extensive HIPAA violations are merely one drop in the bucket of allegations against Accretive (e.g., fraud and deceptive practices, failure to notify of status as debt collector, release of health records in violation of the Minnesota Health Records Act), the enforcement action against Accretive makes it quite clear that covered entities aren't the only ones who need to be scrambling to get their ducks in a row. While other state Attorneys General have previously brought actions against covered entities (e.g., Vermont, Indiana, Connecticut), now that a state has gone after a business associate directly, it would not come as a surprise to see other states joining in, even despite the lack of business associate rules. For more information regarding what covered entities and business associates can do to prepare for a HIPAA audit or ward off the potential for enforcement action against them, see our November 17 blog post with links to additional HIPAA resources. A copy of the complaint against Accretive may also be found here.



ACO Rule Keeps HIE Consent “On the Fence”

by Kevin.Patton 9. February 2012 05:00

By: Helen Oscislawski, Principal at Attorneys at Oscislawski LLC

When DHHS published its Proposed ACO Rule in April 2011 and then the Final ACO Rule in November 2011 (I’ll refer to them as the “ACO Rules”), discussions focused predominantly on issues such as who is “qualified” to participate, what the required governance structure should be, what methodology will be used to assign Medicare beneficiaries, and what the payment models will be. However, as I digested the ACO Rules, my reading deliberately slowed down as I zeroed in on the not unremarkable language and comments CMS included with regard to sharing individually identifiable health information in the ACO context. Among other things, the ACO Rules would authorize key data sharing between CMS and an ACO. In particular, four categories of data could potentially be shared:

  • Aggregated Data
  • Personal Identifiers
  • Personally Identifiable Claims Data
  • Prescription Claims Data

In the Preamble to the Proposed Rule, CMS emphasized the importance of sharing these forms of data in order to provide more complete information for the services provided or coordinated for the ACO beneficiary populations, better achieve improvements in the quality of care and gain a better understanding of the population served while lowering the growth in health care costs. Notably, while the ACO Rules would permit Medicare beneficiaries to “opt-out” of certain data sharing, other data would be shared without the patient’s consent. Moreover, it is clear that CMS deliberately chose to proceed with an opt-out approach, given its concerns regarding beneficiary participation and ACO Participant administrative burdens. In the Preamble to the ACO Rules, it noted that:

“An opt-out approach is used successfully in most systems of electronic exchange of information because it is significantly less burdensome on consumers and providers while still providing an opportunity for caregivers to engage with patients to promote trust and permitting patients to exercise control over their data.” See 76 Fed Reg. 19560 (2011).

CMS acknowledges in the ACO Rules that there could be privacy concerns with sharing identifiable information, but nevertheless takes the position that the HIPAA Privacy Rule permits disclosure for purposes of sharing Medicare Part A and Part B claims data with ACOs participating in the Shared Savings Program.  The agency also specifically notes that the disclosures of claims data would be permitted as “health care operations”.  Under HIPAA, a covered entity may disclose PHI to another covered entity for the recipient’s health care operations if they both have or had a relationship with the individual, the records pertain to that relationship, and the records will be used for a health care operation function meeting one of the first two paragraphs in the definition of health care operation under HIPAA.

Over the past year, privacy, patient consent and HIE opt-in/opt-out have continued to be debated (sometimes painfully). The debate continues essentially because certain stakeholders hold different and strong views on if, when and at what point affirmative patient consent is required (under current law) or should be required (through promulgation of new rules). As a result, some HIE collaboratives have required affirmative patient consent before any data is shared. Similarly, Recommendations from the ONC Tiger Team include, in part, that consent should be obtained before any information is shared with third parties, including Business Associates and HIOs (except where sharing is directed exchange (provider-to-provider), or between providers participating in an OHCA (as a side note, query whether ACOs might qualify as OHCAs? probably...at least in some cases)). Others have determined that the value of networked electronic HIE – i.e., healthcare quality improvement and cost reduction – is most efficiently realized when certain data is readily shared without prior authorization or consent, in accordance with HIPAA's exceptions, as a presumed default. Now with CMS throwing its views on consent & opt-in/opt-out into the ring, at least with respect to ACOs' data sharing with Medicare, I'm sure many are anxious to see if the forthcoming HITECH Final Rule and NHIN Governance Rule will offer clear standards for the current HIE consent conundrum, or continue to precariously balance this issue on the fence... I know I personally can't wait to see. For a more detailed analysis of privacy and the ACO Rules, download our firm's February 2012 edition of our Health Law Diagnosis Newsletter.

For this article and other articles from Helen Oscislawski, click here.