Fiduciary Risk in Data Privacy and Cybersecurity? You Bet!

Health plan administrators are (or certainly should be) well-versed in their obligations under the Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH). Failure to secure protected health information (PHI) from disclosure can result in civil monetary penalties of up to $1.5 million and potential criminal penalties of up to 10 years’ imprisonment. Penalties of this size have the tendency to get people’s attention. But, if you are a retirement plan fiduciary or administrator (which likely includes officers and other senior-level executives at a company), are you aware of your obligations to protect sensitive data and other personal information in your control and the control of your vendors?

Retirement plans store extensive personal data on each participant and beneficiary. This data ranges from Social Security numbers and addresses to dates of birth, bank account and financial information, and other records and is stored physically and in electronic forms for years, if not decades. The term often used for this type of information is “personal identifiable information” (PII). While stored, numerous human resources and benefits department personnel, participants, beneficiaries, recordkeepers, trustees, consultants, and other vendors have access to some or all of this highly sensitive information. The extensive trove of PII presents an attractive, and often undersecured and easily exploitable, opportunity for criminals intent on stealing identities or on the outright theft of plan assets and benefit payments.

Federal laws similar to HIPAA but applicable to retirement plans have not (yet) been enacted. However, this does not mean that retirement plan fiduciaries and administrators are off the hook. Under the Employee Retirement Income Security Act of 1974 (ERISA), as amended, a fiduciary is required to discharge his or her duties solely in the interests of plan participants and beneficiaries, and, in doing so, must adhere to a standard of care frequently described as the “prudent expert” standard. Under this standard, it is not difficult to conclude that a retirement plan fiduciary who does not take certain precautions with regard to the protection of PII may be in breach of his or her fiduciary duty. And, although a breach of an ERISA fiduciary duty does not trigger clear statutory penalties like those applicable under HIPAA and HITECH, under ERISA, fiduciaries are personally liable for their fiduciary breaches.

So, what precautions should retirement plan fiduciaries take to help ensure that they have fulfilled their fiduciary duties with respect to data privacy and cybersecurity? What should a fiduciary do in the event of a data privacy or cybersecurity breach? Presently, 47 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted some form of breach notification law, and it is unsettled whether these breach notification laws are preempted by ERISA.

Copyright © 2016 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

Bipartisan Budget Act of 2015 – Potential Impact on Hospitals

House Republican leaders introduced legislation on Monday, finalizing a two-year budget agreement between Congressional leaders and the White House. The legislation is currently being considered, and a vote on the bipartisan budget deal could come as early as Wednesday.

Hospitals should note that the language in Section 603 (pages 35-39 of the draft bill) codifies the definition of a “provider-based off-campus hospital outpatient department” (PBD HOPD) as a location that is not on the main campus of a hospital and is located more than 250 yards from the main campus. The section defines a “new” PBD HOPD as an entity that executes a CMS provider agreement after the date of enactment of the Act, and provides that any NEW PBD HOPD executing a provider agreement after the date of enactment would not be eligible for reimbursement under CMS’ Outpatient Prospective Payment System (PPS).

©2015 Epstein Becker & Green, P.C. All rights reserved.

Age and Sex Differences in Working Memory after Mild Traumatic Brain Injury: Functional MR Imaging Studies

A new study published in Radiology evaluated the effect of age on working memory performance and functional activation after mild traumatic brain injury. According to the abstract, researchers at Taipei Medical University-Shuang-Ho Hospital in Taiwan compared a group of thirteen individuals between the ages of 21-30 (with a mean age of 26.2 years) to a group of thirteen older patients between the ages of 51-68 (with a mean age of 57.8 years). Both groups had sustained mild traumatic brain injuries (MTBI). The researchers compared these twenty-six patients with twenty-six age- and sex-matched control subjects. Functional MR images were obtained within one month after injury and six weeks after the initial study. Researchers performed group comparison and regression analysis among post-concussion symptoms, neuropsychological testing, and working memory activity in both groups.

The results showed different manifestations of post-concussion symptoms at functional MR imaging between younger and older patients, which confirmed the important role of age in the activation, modulation, and allocation of working memory processing resources after mild traumatic brain injuries. The researchers concluded that these findings also supported the observation that younger patients have better neural plasticity and clinical recovery than older patients.

David Yen-Ting Chen, the lead author of the study, stated in a press release, “old age has been recognized as an independent predictor of worse outcome from concussion, but most previous studies were performed on younger adults.” Dr. Chen went on to state, “taken together these findings provide evidence for differential neural plasticity across different ages, with potential prognostic and therapeutic implications. The results suggested MTBI might cause a more profound and lasting effect in older patients.”

The researchers also looked at the differences between men and women. They found that female patients with MTBI had lower digit span scores than female control subjects, and functional MR imaging depicted sex differences in working memory functional activation; hypoactivation with non-recovery of activation change at follow-up studies may suggest a worse working memory outcome in female patients with MTBI.

Again, this is just another example that refutes defense allegations that mild TBI always goes on to uneventful healing and recovery within 3-6 months. If you or a family member was injured and sustained a traumatic brain injury, you are encouraged to seek experienced legal counsel.

Article By Bruce H. Stern of Stark & Stark

HHS Launches Portal Seeking Questions from Mobile Health Application Developers

On October 5, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services launched a new platform for developers of mobile health technology, as well as others “interested in the intersection of health information technology and HIPAA privacy protection.” OCR notes that there is currently “an explosion of technology using data about the health of individuals in innovative ways to improve health outcomes.” The platform allows individuals to both submit and review questions on the HIPAA implications of these mobile health applications.

The platform invites mobile health developers to submit questions and topics for future guidance. The portal asks:

What current provisions leave you scratching your heads? How should this guidance look in order to make it more understandable, more accessible? Use this page to submit your questions about HIPAA. Or present a use case. Look at what your peers are discussing, comment on it and vote on which topics or use cases would be the most helpful or important to your work.

As of now, the platform features questions (though no answers yet) regarding:

  • what entities are covered by HIPAA;

  • the application of HIPAA to cloud computing;

  • what aspects of the application (environment) must be HIPAA compliant;

  • the content of business associate agreements;

  • the flow of patient-generated data; and

  • the use of audit logging by developers.

Anyone can browse the site, but users who wish to submit questions must register. Registered users may also offer comments on other submissions or vote on the relevance of a topic. The portal represents that the entities and email addresses associated with posts by registered users will be anonymous to OCR. OCR also states that posting or commenting on a question on the portal will not subject anyone to enforcement action. While OCR will moderate comments posted by users, it will not vouch for the accuracy of these comments. Thus, users must pay close attention to whether guidance appearing on the portal is endorsed by OCR before taking action in reliance on that guidance.

The release of the portal comes at a time of particular uncertainty for medical application developers. HHS has acknowledged that existing HIPAA guidance has not addressed all of the questions raised by emerging technologies and has said that it plans to seek guidance from mobile application developers themselves. Depending on the timeliness of, and level of detail contained in, OCR’s responses to questions, the portal could prove a useful resource to a quickly evolving industry.

© 2015 Covington & Burling LLP

HIPAA: Disclosing Exam Results to Employers

Physicians and other providers are often paid by employers to conduct drug tests, fitness-for-duty or return-to-work exams, or employment physicals for employees. In such circumstances, the physician may mistakenly assume that they may disclose the test and exam results to the employer without the patient’s authorization, but that is not correct.

As with any other protected health information, physicians and other providers generally need the patient’s written, HIPAA-compliant authorization to disclose exam results to the employer. (45 CFR 164.508(a); see also 65 FR 82592 and 82640). However, unlike other treatment situations, a provider may condition the performance of an employee physical or test on the patient’s provision of an authorization, i.e., the provider may refuse to perform the exam unless the patient executes a valid authorization. (45 CFR 164.508(b)(4)(iii); 65 FR 82516 and 82658). In addition, the employer may condition the employee’s continued employment on the provision of the exam results (at least under HIPAA), thereby creating an incentive for the employee to execute the authorization. (65 FR 82592 and 82640). The foregoing rules also apply when the health care provider is the employer, e.g., when a hospital employee receives treatment or tests at the hospital. In those situations, the hospital/employer generally may not access or use the patient/employee’s health information for employment-related purposes without the patient’s written authorization. (67 FR 53191-92).

An employee who receives an unfavorable test or exam result may attempt to block disclosure by revoking their authorization. Although patients are generally entitled to revoke their authorization by submitting a written revocation, HIPAA contains an exception that limits revocation if and to the extent that the provider has taken action in reliance on the authorization. (45 CFR 164.508(b)(5)). That exception should apply when the provider has conditioned and provided the test or exam in reliance on the patient’s authorization.

There are very limited exceptions to the authorization requirement. As in other situations, a provider may disclose protected health information to an appropriate entity if necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public (45 CFR 164.512(j)), or if the disclosure is otherwise required by law. (Id. at 164.512(a)). HIPAA contains a specific exception that allows disclosures to employers if the exam was performed as part of a medical surveillance of the workplace and the employer needs the information to report work-related injuries as required by OSHA, MSHA, or similar state laws. (Id. at 164.512(b)(v)). Finally, HIPAA allows providers to disclose protected health information as authorized by and to the extent necessary to comply with workers compensation laws. (Id. at 164.512(l)).

The bottom line: if you are a physician or other provider who conducts employment physicals, tests, or exams, be sure you obtain the patient’s written, HIPAA-compliant authorization before conducting the exam and/or disclosing test or exam results to the employer.

Copyright Holland & Hart LLP 1995-2015.

UK Government Launches Cybersecurity Service For Healthcare Organizations

The UK government has announced a new national service providing expert cybersecurity advice to entities within the National Health Service (NHS) and the UK’s broader healthcare system. The project, called CareCERT (Care Computing Emergency Response Team), is aiming for a full go-live in January 2016.

According to recent press releases, CareCERT will:

  • “Provide incident response expertise for the management of cyber security incidents and threats across health and care system”;

  • “Broadcast potential cyber threats and necessary actions to take across the sector, to ensure cyber threats are safely dealt with”;

  • “Be a central source of security intelligence for health and care by working with cross government monitoring partners such as GovCertUK and CERT-UK”;

  • “Support the analysis of emerging and future threats through unique analysis tools and reporting”; and

  • “Be a trusted source of security best practice and guidance”.

CareCERT will be run by the Health and Social Care Information Centre (HSCIC). The HSCIC is an important offshoot of the UK Department of Health, overseeing information assurance and patient privacy within the NHS as part of its broader role in setting health IT standards, assisting IT rollout throughout the NHS, and managing the release of healthcare statistics for the NHS.

CareCERT is expected to be a natural evolution of HSCIC’s existing function and expertise. In particular, under the HSCIC/Department of Health’s data breach reporting policy (imposed on NHS bodies and their suppliers through contract), HSCIC is already one of the bodies notified and involved in the event of serious data breaches in the public healthcare sector. The creation of CareCERT will enhance the HSCIC’s incident response capabilities, and will give NHS suppliers an increased opportunity to engage with HSCIC proactively (for guidance and threat alerts), rather than only after serious incidents take place.

Article by Mark Young & Philippe Bradley-Schmieg of Covington & Burling

© 2015 Covington & Burling LLP

Medical Record Retention

I am often asked how long a practice must maintain medical records. The answer depends on the type of provider you are and your risk tolerance. Providers should generally consider the following in establishing their record retention policies:

1. Patient care. The primary consideration should be patient care. Some practices (e.g., oncology) may want to retain medical records longer than the relevant regulatory requirement or statute of limitations period because the records may be important to future patient care. If your electronic records program allows, you may want to retain the records permanently.

2. Statutory or Regulatory Requirements. State and federal regulations require hospitals and certain other institutional providers to maintain medical records for specified periods, but those laws usually do not apply directly to physicians or physician groups. There are numerous guides online. For example, published a 50-state survey of record retention requirements. The Idaho Department of Health and Welfare published a helpful but incomplete summary of federal record retention regulations. CMS published a MedLearn article on record retention. AHIMA is usually a good source for online guidance about record retention laws and regulations.

3. Accreditation, payer or other contract requirements. Some provider contracts, payer requirements, or accreditation standards may require providers to keep records for a certain time. For example, Idaho’s Medicaid Provider Handbook requires providers to maintain records to support claims for five years. Check your relevant contracts to ensure your record retention policies comply with any such requirements. You may also want to check with your liability insurer to determine if they have any record retention requirements or suggestions.

4. Statute of limitations. If there are no more paramount concerns, physicians should generally retain medical records for at least the applicable statute of limitations period to ensure the practice has the records necessary to defend its care or charges if challenged. In most cases, maintaining the records for ten (10) years should get you past relevant state or federal limitations periods, including those for malpractice, contract, or fraud and abuse claims. Beware that many states toll the statute of limitations period for claims by minors; if so, you may want to keep records of minors until the later of (i) six years after the date of treatment, or (ii) three years after the minor reaches the age of majority, depending on your applicable state statute of limitations for malpractice claims.

If your records are subject to a pending claim or investigation, you should retain the records through the resolution of the claim or investigation. Destroying records that are subject to pending claims or investigations may result in liability under state or federal laws; common law claims for destruction of evidence; or adverse judgments because you lack the evidence to defend yourself.

Copyright Holland & Hart LLP 1995-2015.