
Pabrai on HIPAA/HITECH Compliance

August 9, 2010  4:09 PM

Uses and Disclosures – Decedent – Updates in HITECH NPRM

Posted by: Pabrai
Disclosure, HITECH, NPRM, PHI, Use

The HITECH NPRM published in the Federal Register on July 14, 2010 (45 CFR Parts 160 and 164) includes updates to a few areas related to the use and disclosure of decedents’ PHI.

Uses and Disclosures of Decedents’ PHI

The proposed rule would modify the current rule to limit the period for which a covered entity must protect an individual’s health information to 50 years after the individual’s death. This will reduce the burden on both covered entities and on those seeking the PHI of persons who have been deceased for many years by eliminating the need to search for and find a personal representative of the decedent, who in many cases may not be known or even exist after so many years, to authorize the disclosure. We believe this change would benefit family members and historians who may seek access to the medical information of these decedents for personal and public interest reasons.

Uses and Disclosures for Care and Notification Purposes

The proposed rule would permit covered entities to disclose a decedent’s PHI to family members, or other persons involved in the individual’s care or payment for care before the individual’s death, unless doing so would be inconsistent with any prior expressed preference of the individual that is known to the covered entity. The rights of the decedent’s personal representative to have access to the PHI of the decedent would remain unchanged. This would reduce the burden by permitting covered entities to continue to disclose PHI to family members and other persons who were involved in an individual’s care while the individual was alive after the death of the individual without needing to obtain authorization from the decedent’s personal representative, who may not be known or even exist.

Public Health Disclosures

The proposed rule would create a new public health provision to permit disclosure of proof of a child’s immunization by a covered entity to a school in States that have school entry or similar laws. This proposed change would allow a covered health care provider to release proof of immunization to a school without having to obtain a written authorization, provided the provider obtained the agreement (oral or otherwise) to the disclosure from either the parent or guardian, or the individual, if the individual is an adult or emancipated minor. It is expected the burden would be reduced on covered entities and parents in obtaining and providing written authorizations.

Since the proposed rule would require the covered entity and the responsible party for the student to agree that the covered entity may release proof of immunization, some covered entities may request the agreement in writing.

August 9, 2010  10:54 AM

Authorization for Marketing, Sale & Compound Disclosures

Posted by: Pabrai
Authorization, HIPAA, HITECH, Business Associates, Patient Safety Organizations (PSO)

The HITECH NPRM published in the Federal Register on July 14, 2010 (45 CFR Parts 160 and 164) includes proposed changes in the area of authorization and other requirements for disclosures related to marketing and the sale of PHI.

Health care Operations & Marketing

The proposed rule modifies the definition of “marketing,” such that some communications to individuals about health-related products or services that are made under health care operations would now be considered marketing communications if the covered entity receives financial remuneration from a third party to make the communication. For marketing communications, individual authorization is required.

Treatment Communication

The proposal would require that a health care provider that receives financial remuneration from a third party in exchange for sending a treatment communication to an individual about the third party’s product or service must disclose the fact of remuneration in the communication and provide the individual with a clear and conspicuous opportunity to opt out of receiving future subsidized communications.

Selling PHI

In addition, the proposed rule would require an individual authorization before a covered entity could disclose PHI in exchange for remuneration (i.e., “sell” PHI).

Compound Disclosures

The proposed rule would permit compound authorizations for research purposes as long as it is clear to individuals that they do not have to agree to both the conditioned and unconditioned components of an authorization in order to receive research-related treatment. It is believed that the proposed provision would reduce burden on the research community by eliminating the need for multiple forms for research studies involving both a clinical trial and a related research repository or study.

August 2, 2010  11:31 AM

Individual Access to PHI (HITECH NPRM)

Posted by: Pabrai

Under the proposed HITECH NPRM, if a covered entity maintains PHI electronically and the individual requests copies of their PHI in an electronic format, the covered entity must provide the information in the electronic format requested by the individual if it is readily producible in that format, or, if not, in a different electronic format agreed to by the covered entity and the individual.


Costs for Electronic Requests of PHI

If the covered entity provides an individual with electronic access to PHI, the proposed rule would only allow the covered entity to charge the costs of labor associated with the preparation of the request.


The proposed rule clarifies the labor and supply costs applicable to preparation of electronic requests vs. paper requests. Labor costs to produce an electronic copy involve the cost of reviewing and preparing the copy. Supplies for an electronic copy apply only to the cost of the media, if applicable, for providing the information to the individual. If the individual provides the media (e.g., a CD or flash drive), there would be no cost for the media. Similarly, if the information is transmitted via e-mail or some other electronic mode, there would be no charge for media.


Format & Delivery

Both the current and proposed rules continue to permit the covered entity and individual to negotiate over the format and delivery of PHI. By emphasizing the provision of PHI electronically, the proposed rule may lower costs because postage costs are eliminated or reduced and labor and supply costs are significantly reduced. Thus, there may be some savings that result from the greater use of EPHI.

July 30, 2010  11:43 AM

Patient Access / Disclosure Restrictions (HITECH NPRM)

Posted by: Pabrai
Electronic Health Record (EHR), HITECH, Patient Right to Restrict Disclosure, Protected Health Information (PHI)

The HITECH NPRM published in the Federal Register on July 14, 2010 (45 CFR Parts 160 and 164) includes information about changes in the area of Patient Access to the Electronic Health Record (EHR) and the Patient Right to Restrict Disclosures. In the area of the Patient Right to Restrict Disclosures, the NPRM requires the covered entity to agree to a restriction on disclosure to a health plan if:


A. The disclosure is for the purposes of carrying out payment or health care operations and is not otherwise required by law; and

B. The Protected Health Information (PHI) pertains solely to a health care item or service for which the individual, or a person on behalf of the individual other than the health plan, has paid the covered entity in full.


This NPRM also clarifies that if a restriction is placed on a disclosure to a health plan, the covered entity is also prohibited from making such a disclosure to a business associate of the health plan.


The HITECH Act gives individuals the right to receive an electronic copy of their PHI, if it is maintained in an EHR, for which the provider may charge a fee.


Covered entities should review their policy and processes related to Patient Access and Disclosure Restrictions and consider the requirements in the HITECH Act and forthcoming changes as a result of the NPRM.


July 26, 2010  10:09 AM

The HIPAA Enforcement Rule

Posted by: Pabrai

What is the HIPAA Enforcement Rule? The HIPAA Enforcement Rule establishes rules governing the compliance responsibilities of covered entities with respect to cooperation in the enforcement process. It also provides rules governing the investigation by HHS of compliance by covered entities, both through the investigation of complaints and the conduct of compliance reviews.


The Enforcement Rule establishes rules governing the process and grounds for establishing the amount of a civil money penalty where HHS has determined a covered entity has violated a requirement of a HIPAA Rule. The Enforcement Rule establishes rules governing the procedures for hearings and appeals where the covered entity challenges a violation determination.


The HITECH Act provides, for purposes of enforcement, for the transfer to the HHS Office for Civil Rights (OCR) of any civil money penalty or monetary settlement collected under the HIPAA Privacy and Security Rules and also requires HHS to establish by regulation a methodology for distributing to harmed individuals a percentage of the civil money penalties and monetary settlements collected under the Privacy and Security Rules.


Effective as of February 18, 2009, the HITECH Act also modified the civil money penalty structure for violations of the HIPAA Rules by implementing a tiered increase in the amount of penalties based on culpability. The tiered and increased civil money penalty provisions of the HITECH Act were effective for violations occurring after the date of enactment.


Further, the HITECH Act granted State Attorneys General the authority to enforce the HIPAA Rules by bringing civil action (Connecticut being the first example of such HIPAA enforcement).

July 20, 2010  10:46 AM

Business Associate Updates in Recent HITECH & HIPAA Modifications

Posted by: Pabrai
HIPAA, HITECH, Business Associates, Patient Safety Organizations (PSO)

The recent modifications to the HITECH Act include updates in the area of Business Associates. As a result of the HITECH modifications, Business Associates now also include:

• Patient Safety Organizations (PSO)

• Health Information Organizations (HIO), E-Prescribing Gateways, and Other Persons That Facilitate Data Transmission

• Subcontractors


The HITECH Act updates state that Patient Safety Organizations (PSOs) must be treated as business associates when applying the HIPAA Privacy Rule. Patient safety activities have been added to the list of functions and activities a person may undertake on behalf of a covered entity that give rise to a business associate relationship.


The modification to the HITECH Act further provides that an organization, such as a Health Information Exchange Organization, E-prescribing Gateway, or Regional Health Information Organization, that provides data transmission of PHI to a covered entity (or its business associate) and that requires access on a routine basis to such PHI must be treated as a business associate. Also, a vendor that contracts with a covered entity to allow the covered entity to offer a PHR to patients as part of the covered entity’s Electronic Health Record (EHR) shall be treated as a business associate. The HITECH Act requires that such organizations and vendors enter into a written business associate contract or other arrangement with the covered entity in accordance with the HIPAA Rules.


Subcontractors of a covered entity – i.e., those persons that perform functions for or provide services to a business associate, other than in the capacity of a member of the business associate’s workforce – are also business associates to the extent that they require access to PHI. A subcontractor is a person who acts on behalf of a business associate, other than in the capacity of a member of the workforce of such business associate.


So take a closer look at who your business associates are. Update your Business Associate Agreements (BAAs) to ensure they meet the requirements of the HIPAA Privacy and Security Rules and the HITECH Act – and don’t forget to review State regulatory requirements as well, as they may impact some areas of the Agreement, such as the breach notification period.

July 16, 2010  12:11 PM

Cyber Shield and the “Perfect Citizen”

Posted by: Pabrai
Comprehensive National Cybersecurity initiative, HIPAA, NSA, Perfect Citizen

To detect cyber assaults on private companies and government agencies running critical infrastructure such as electricity and nuclear plants, the U.S. federal government is launching an expansive program called “Perfect Citizen.” The Wall Street Journal further reported recently that the National Security Agency (NSA) would rely on sensors deployed on computer networks for critical infrastructure. The sensors would be triggered by unusual activity suggesting an impending cyber attack. U.S. intelligence officials are alarmed at Chinese and Russian surveillance of computer systems that control the electric grid and other U.S. infrastructure.


The objective of “Perfect Citizen” is to secure the glaring holes typically found in older infrastructure-related computer systems connected to the Internet. This is an extension of a small-scale program that the NSA started several years ago, code-named “April Strawberry,” to research vulnerabilities in computer networks and ways to close security holes.


Funding for “Perfect Citizen” comes in part from the multi-billion dollar Comprehensive National Cybersecurity Initiative, which started towards the end of the Bush administration and has been continued by the Obama administration. The program is enabling the NSA to map out intrusions into critical infrastructure across the country.


The average organization’s information infrastructure is attacked nearly 60,000 times every day. What are the threats to your information infrastructure? What is the priority for security within your organization? Does your organization have effective security controls deployed and actively managed to provide timely information on attacks against sensitive assets? These are important questions for the organization’s Information Security Officer (ISO) and executive management to address.



July 13, 2010  11:03 AM

Historic State Enforcement of HIPAA

Posted by: Pabrai
Health Net, HIPAA, Lawsuit, Settlement

Connecticut Attorney General Richard Blumenthal announced a settlement with Health Net and its affiliates of a lawsuit that cited failure to secure private patient medical records and financial information on nearly a half million Connecticut enrollees and to promptly notify consumers endangered by the breach.


Why the Lawsuit?

The lawsuit was the result of the disappearance in May 2009 of an unencrypted hard drive with Protected Health Information (PHI) on 1.5 million members, including 446,000 in Connecticut. Health Net took over six months before notifying impacted individuals.


HIPAA and State Attorneys General

This was the first lawsuit by a State’s Attorney General since the HITECH Act provided state attorneys general the authority to prosecute HIPAA privacy and security violations.



The settlement includes two years of consumer credit monitoring, $1 million of identity theft insurance and reimbursement for the costs of security freezes. Under the settlement, Health Net and its affiliates also agreed to:

1. A $250,000 payment to the state representing statutory damages.

2. An additional contingent payment to the state of $500,000, should it be established that the lost disk drive was accessed and personal information used illegally, impacting plan members.

3. A Corrective Action Plan (CAP) in which Health Net is implementing several measures to secure PHI and other private data in compliance with HIPAA. This plan includes continued identity theft protection, improved systems controls, improved management and oversight structures, improved training and awareness for its employees, and improved incentives, monitoring, and reports.


There have been over 354 million privacy breaches over the past five years in the USA alone. California recently fined five hospitals $675,000 in penalties for failing to prevent unauthorized access to patient medical information. 


Organizations must complete a comprehensive and thorough risk analysis to clearly identify security and compliance gaps. Executive management must be provided with information on critical gaps and on the resources and budget required to complete a Corrective Action Plan (CAP) – as was required of Health Net as a result of the lawsuit.

July 9, 2010  12:11 PM

More About Meaningful Use & Compliance

Posted by: Pabrai
CMS, Compliance, HIPAA, HITECH, Meaningful use

Not complying with HIPAA and HITECH has consequences for Meaningful Use. CMS will withhold meaningful use payment from any entity until any confirmed HIPAA privacy or security violation has been resolved. At the state level, State Medicaid administrators will also withhold meaningful use payment from any entity until any confirmed state privacy or security violation has been resolved. Compliance with HIPAA’s Privacy and Security Rules remains an integral part of the meaningful use definition as a policy priority, with corresponding goals and objectives for 2011 that organizations must achieve.


The Importance of Completing a Security Risk Analysis

According to Lisa Gallagher, senior director for privacy and security at the Healthcare Information and Management Systems Society (HIMSS), a security risk analysis is the basis of HIPAA compliance, so all organizations should be doing it (Healthcare Information Society, February 9, 2010). She further stated that a risk analysis is listed as the single requirement in the security area for achieving meaningful use of electronic health record technology (for the Medicare/Medicaid EHR incentive payment program) in the meaningful use notice of proposed rulemaking.


HIPAA Audit Preparedness Required in Several Areas

In a HIPAA compliance audit, the policies, procedures and capabilities that the Office for Civil Rights (OCR) would review include the area of Identity and Access Management (IAM). Other areas with which organizations must comply include Audit Controls, Training, Encryption, Contingency Planning and more. Specifically, the IAM processes and capabilities that organizations must review closely for compliance include:

• Establishing user access for new and existing employees

• A list of secure authentication methods for users authorized to access EPHI

• Monitoring systems use – authorized and unauthorized

• Granting, approving, and monitoring systems access (for example, by level, role, and job function)

• Termination of systems access


Keep in mind that compliance mandates represent the minimal capabilities that organizations must implement and manage proactively. HIPAA and HITECH are the floor, not the ceiling, of the core capabilities required to enable a resilient organization. This requires that your information security strategy be risk-based, proactive and integrated.


July 6, 2010  9:22 AM

Understanding HITECH’s Meaningful Use

Posted by: Pabrai
HIPAA, HITECH, Meaningful use

The Centers for Medicare & Medicaid Services (CMS) introduced rules to implement provisions of ARRA that provide incentive payments for the meaningful use of certified Electronic Health Record (EHR) technology. Meaningful use has an impact on HIPAA and HITECH mandates, as we will review at the end of this blog update. There are two incentive programs introduced as a direct result of HITECH’s Meaningful Use program. The Medicare EHR incentive program provides incentive payments to Eligible Professionals (EPs), eligible hospitals, and Critical Access Hospitals (CAHs) that are meaningful users of certified EHR technology. The Medicaid EHR incentive program provides incentive payments to EPs and hospitals to adopt, implement, or upgrade certified EHR technology or for meaningful use in the first year of their participation in the program, and for demonstrating meaningful use during each of the subsequent 5 years.

Medicare Incentive Program

Let’s look first at some important requirements associated with the Medicare Incentive Program for meaningful use.

• Eligibility – A Medicare EP is a doctor of medicine or osteopathy, doctor of dental surgery/dental medicine, doctor of podiatric medicine, optometry or chiropractic
  • A qualifying EP is one who demonstrates meaningful use for the EHR reporting period
• An EP can receive EHR incentive payments for up to 5 years, starting in 2011; 2014 is the last year an EP can begin receiving incentive payments
  • The maximum amount under the Medicare program is $44,000
  • A 10% bonus is applicable for shortage areas; the maximum payment is then $48,400

In the first year an EP applies for and receives an incentive payment, the EHR reporting period is 90 days (a continuous period within the year); after the first year, the EHR reporting period is the calendar year.

Medicaid Incentive Program

Now let’s review some important requirements associated with the Medicaid Incentive Program for meaningful use.

• Eligibility – Physicians, dentists, nurse practitioners, certified nurse midwives, and physician assistants practicing predominantly in an FQHC/RHC that is directed by a physician assistant
  • Must annually meet patient volume thresholds (total Medicaid patient encounters divided by all patient encounters must be 30% or higher, except for pediatricians, where the threshold is 20%); must not be hospital based
• An EP can receive EHR incentive payments starting in 2010
  • The maximum amount under the Medicaid program is $63,750
• States must verify the eligibility of, and disburse payments to, Medicaid EPs
• EPs must select one state from which to receive their payments
• EPs must select one program, Medicare or Medicaid, from which to receive incentive payments – not both

So, for example, physicians are eligible to receive up to $44,000 in total incentives per physician from Medicare for “meaningful use” of a certified Electronic Health Record (EHR) starting in 2011. However, these EHR initiatives are coupled with strong mandates for privacy and security compliance that must be addressed.
