Tag: HIPAA

OCR Continues to Verify Entity Contact Info for Phase 2 HIPAA Audits

Covered Entities need to continue to check their inboxes for emails from the HHS Office for Civil Rights (“OCR”) requesting verification of contact information in connection with Phase 2 of the HIPAA Audit Program. OCR previously indicated that Covered Entities would begin to receive verification emails in May.  We understand that Covered Entities continue to receive emails requesting contact information verification this week.Inbox, Email, HIPAA Audit Notices

Emails are sent from OSOCRAudit@hhs.gov and request a response from the entity verifying its information within five days.  A sample copy of the email is available from OCR’s website.  The receipt of an email requesting contact verification does not necessarily mean that an entity will ultimately be selected for an audit.  Covered Entities can begin to prepare for the next step in the audit process by reviewing OCR’s audit pre-screening questionnaire.

For the time being, Business Associates are not being contacted.  OCR will request a list of Business Associates from Covered Entities and plans to begin contacting Business Associates selected for audit this summer.  Business Associates should use this extra time to ensure that they are ready for an audit should they be selected.   OCR has provided a sample template for Covered Entities to use to list their Business Associates.

In order to assist covered entities and business associates with their HIPAA compliance efforts, we have repackaged the audit protocol into a more user-friendly format that can be downloaded here.

Article By Kate F. Stewart of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

©1994-2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

OCR Kicks Off HIPAA Audits After Issuing Two Major Settlements

HIPAAOn Monday, the HHS Office for Civil Rights (OCR) launched phase two of its much-anticipated audit program for covered entities and business associates. The announcement comes in the wake of OCR’s issuance of two major settlements—totaling more than $5 million—which highlighted the critical importance of managing the security basics, such as the business associate agreement (BAA) and the organization-wide risk analysis. These developments are summarized below, with practical tips that can help organizations mitigate related risks.

Summary

2016 Audit Program Begins

In announcing the 2016 audit program launch, OCR confirmed it will contact organizations by email to verify contact information and complete a pre-audit questionnaire. Organizations selected for audit will be subject to either a desk audit, an onsite audit or potentially both. Organizations will have a short period to produce requested documents, typically 10 business days, so it is important to have HIPAA privacy and security policies, security risk assessments, breach notification documentation, BAAs, and other HIPAA documentation up-to-date and readily available. While there is a detailed audit protocol from the phase one OCR audits, that protocol has not been updated for the final rules implementing the HITECH Act. OCR has committed to issuing an updated audit protocol closer to the date the audits will be conducted, which will set forth the criteria that auditors will review. Importantly, the phase two audits will extend to business associates. Although the risk of being selected for an audit is low, organizations would be well advised to review the existing and, when available, new audit protocols, conduct a compliance gap assessment and take corrective actions as needed, as part of overall HIPAA compliance efforts. While OCR states that the audits are primarily a compliance improvement activity, enforcement may follow where a serious issue is identified.

The North Memorial Settlement – The Importance of Business Associate Agreements

In the first of two recent settlements, North Memorial Health System, a nonprofit organization, will pay $1.55 million and enter into a two-year corrective action plan to settle charges that it violated HIPAA by failing to have a written BAA with a key contractor. OCR’s investigation followed the 2011 theft of an unencrypted laptop from a contractor’s workforce member’s vehicle. The settlement notes that the laptop contained protected health information (PHI) of approximately 9,497 North Memorial patients. For its part, the contractor separately settled HIPAA violations for $2.5 million, and entered into a related 20-year FTC consent order relating to its security procedures.[1] OCR also alleged that North Memorial failed to conduct an organization-wide risk analysis that covered all of its IT infrastructure.

OCR’s investigation indicated that North Memorial failed to execute a BAA with the contractor as required by HIPAA Privacy and Security Rules. OCR asserted that North Memorial gave the contractor access to its hospital database, which stored the electronic PHI of 289,904 patients, as well as access to non-electronic PHI as it performed services on-site at North Memorial.[2] In total, OCR’s investigation found that, from March 21, 2011, to October 14, 2011, North Memorial impermissibly disclosed the PHI of at least 289,904 individuals to the contractor without obtaining a proper BAA.[3] The investigation further indicated that North Memorial failed to complete a comprehensive risk analysis to identify all potential risks and vulnerabilities to the electronic PHI (ePHI) that it maintained, accessed or transmitted across its entire IT infrastructure, as required by the HIPAA Security Rule.[4]In settling the matter, North Memorial did not concede liability.

In addition to the $1.55 million payment, North Memorial agreed to a two-year corrective action plan (CAP) that requires it to develop policies and procedures related to business associate relationships and to conduct an organization-wide risk analysis and risk management plan, as required under the HIPAA Security Rule.[5] The CAP also requires North Memorial to train appropriate workforce members on all policies and procedures newly developed or revised pursuant to the CAP.[6]

OCR has previously (and repeatedly) emphasized the importance of having an organization-wide, thorough analysis, which it reinforces here with North Memorial. In addition, this settlement highlights the importance that OCR attaches to having BAAs where required, which OCR describes as another “cornerstone” of effective security.[7] Further, the settlement illustrates that, when a breach occurs with a business associate, the impacted covered entity should expect OCR to request a copy of the underlying BAA. Where that BAA cannot be found, the covered entity and business associates should expect potential enforcement.

FIMR Settlement: Basic Compliance Required of All Covered Entities (and Business Associates)

In the second settlement, Feinstein Institute for Medical Research (FIMR), a nonprofit research institute, will pay $3.9 million and enter into a three-year corrective action plan to settle charges it violated HIPAA, following its breach when an employee’s unencrypted laptop containing patient information of 13,000 individuals was stolen. OCR’s investigation determined that FIMR’s security management process was limited, it had failed to conduct a thorough risk analysis, and lacked sufficient policies and procedures. In its press release, OCR emphasized that it expects research institutions that are covered entities to comply with the same standards as other covered entities.

OCR’s investigation of FIMR stemmed from a self-reported breach after an employee’s unencrypted laptop was stolen. Based on the resolution agreement, OCR’s investigation appears to have identified widespread non-compliance. For example, OCR alleged that FIMR: (1) failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to all of the ePHI held by FIMR, including the ePHI on the employee’s laptop; (2) failed to implement policies and procedures for granting access to ePHI by its workforce members and restricting access by unauthorized users; (3) failed to implement physical safeguards for the laptop; (4) failed to implement policies and procedures that govern receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility; and (5) failed to encrypt ePHI on the laptop or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent safeguard.

As part of an extensive three-year CAP, FIMR must conduct an organization-wide risk analysis and develop a corresponding risk management plan, develop a process for evaluating environmental or operational changes to the security of ePHI, revise its policies and procedures for privacy and security, and provide extensive training and reporting.

Tips to Mitigate Risks

Covered entities and business associates can enhance HIPAA compliance, and reduce audit risk, by taking a number of practical steps outlined below.

Business Associate Risks:

  1. train workforce (at onboarding and at least annually thereafter) to recognize situations where a BAA (or subcontractor BAA) is required and understand how to activate the organization’s process for securing one;

  2. conduct periodic audits of existing outside service relationships to ensure that all necessary BAAs (or subcontractor BAAs) are, in fact, in place;

  3. periodically audit BAAs (and subcontractor BAAs) on file to ensure they are fully compliant (including as to the final HITECH rule content requirements), in full force and effect, and readily retrievable; and

  4. retain records of training and audits conducted for at least six years.

This also is an excellent time for covered entities and business associates to re-examine the effectiveness of their processes for conducting initial diligence and periodic audits of the security compliance of their key business associates and subcontractors.

Risk Analysis:

While not a new point, it remains critical for covered entities and business associates to conduct and document the requisite security risk analysis on a regular basis, and take prompt corrective action to manage identified risks. It is particularly important to ensure that the risk analysis covers all ePHI maintained, accessed or transmitted across the organization’s entire IT infrastructure, including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes. This can be a challenge—particularly in light of the pace of developments and acquisitions/consolidations in the health care industry—but is essential. Organizations should develop a complete inventory of all electronic equipment data systems, and applications controlled by, administered or owned by the organization and its workforce that contain or store ePHI, including personally owned devices. Organizations should make sure their process includes equipment purchased outside of standard procurement processes.

Audit Preparation Tips:

  1. Confirm that all required HIPAA privacy and security policies and procedures are implemented and up-to-date;

  2. Make sure a through, organization-wide security risk analysis as described above has recently been conducted, and that resulting corrective actions have been taken;

  3. Confirm that BAAs are fully up-to-date and accessible, and follow the steps above to further reduce business associate risks;

  4. Use the audit protocols to conduct a gap assessment;

  5. Be prepared to provide documentation showing that breach notices have been provided as required by HIPAA; and

  6. Covered entities should ensure their notices of privacy practices are up-to-date and provided as required.

Other Basics:

  1. Encryption: Encryption of laptops, thumb drives and other mobile devices remains a critical risk mitigation strategy. HIPAA does not require encryption of ePHI in all cases “per se”; however, it does require organizations to specifically address, as part of their required risk analysis, whether encryption is a reasonable and appropriate safeguard (and if so, it requires organizations to encrypt; if not, it requires organizations to document why encryption is not reasonable and appropriate, and adopt an alternative safeguard ). However, encryption per the HHS guidance provides a “safe harbor” from breach notification under HIPAA and generally obviates the need to make state law data breach notifications as well, in the event of loss of encrypted data. Further, because encryption will, in fact, be “reasonable and appropriate” in many cases, often it is effectively required.

  2. Training: The scope and frequency of training also should be regularly reviewed to ensure training covers key aspects of privacy and security policies. In addition, training should address current and emerging threats and risk areas. For example, in light of the significant role of phishing attacks and malware in cyber-breaches, training should include employee awareness of how to identify and respond to these types of attacks.

[1] The related 2012 settlement by business associate Accretive Health with the Minnesota attorney general for violations of the HIPAA rules and state law was widely touted within the industry as the first HIPAA enforcement action against a business associate. See Settlement Agreement, Release, and Order, 12-cv-00145, ECF No. 90 (July 30, 2012). Because the breach occurred prior to the issuance of final rules implementing the HITECH Act’s extension of direct liability for HIPAA violations to business associates, OCR—the primary federal HIPAA enforcement agency—had indicated it would not enforce the HITECH Act changes against business associates until issuance of the final rules. However, this did not prevent the Minnesota attorney general from proceeding to enforce HIPAA, using newly expanded enforcement authority granted to state attorneys general under the HITECH Act. Accretive Health also entered into a related, 20-year consent order with the FTC, pursuant to which no fine or penalty was paid but in which Accretive Health agreed to establish and maintain a comprehensive information security program, and to periodic evaluations of that program. See Press Release, FTC approves final consent order settling charges that Accretive Health failed to adequately protect consumers’ personal information (Feb. 24, 2014).

[2] See North Memorial Resolution Agreement and Corrective Action Plan, I.2.A, (Mar. 16, 2016).

[3] See id. at I.2.B.

[4] See id. at I.2.C.

[5] See id. at I.V.A-C.

[6] See id. at I.V.D.

[7] See Press Release, $1.55 million settlement underscores the importance of executing HIPAA business associate agreements (Mar. 16, 2016).

Article By Matthew R. BakerMichael R. CallahanDoron S. Goldstein & Megan Hardiman of Katten Muchin Rosenman LLP
©2016 Katten Muchin Rosenman LLP

More Than Family Affair: Six-Figure HIPAA Penalty Upheld for Unrepentant Home Care Agency due to PHI Access by Spurned Spouse of Employee

HIPAAIntroduction

The Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 and the regulations promulgated thereunder (“HIPAA”) should be now well-known to health care providers and health plans.  Under HIPAA’s “Privacy Rule,” covered entities must take steps to “reasonably safeguard” protected health information (“PHI”) from any “intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements” of the Privacy Rule.  What is also becoming painfully clear is the growing financial and reputational risks to covered entities (and business associates) from a breach of HIPAA’s Privacy or Security Rules stemming from unauthorized access or disclosure of PHI.

A recent ruling by a U.S. Department of Health and Human Services Administrative Law Judge (“ALJ”) in the case of Director of the Office for Civil Rights v. Lincare, Inc., (Decision No. CR4505, Jan. 13, 2016), underscores the substantial penalties that a health care provider can face, even for relatively small-scale HIPAA violations, particularly if the provider determines to not settle with the Office of Civil Rights (“OCR”) and instead contests the claimed violations.  In Lincare, a home care agency was found to have violated the Privacy Rule when an unauthorized person (the husband of a home health employee) was able to access patient records after the employee had removed records from the agency and taken them into the field as part of her job.  Specifically, the ALJ upheld a civil monetary penalty (“CMP”) of $239,800 imposed by OCR – only the second time the OCR has sought CMPs for violations of HIPAA’s Privacy Rule.  In a unique twist, OCR was alerted to the improper disclosures when the “estranged husband” of an employee of the home care agency complained to OCR that his wife allowed him to access documents containing PHI when she moved out of the marital home and left patient records behind.

Background

Lincare Home Care Agency.  The respondent Lincare, Inc., d/b/a United Medical (“Lincare”) supplies respiratory care, infusion therapy, and medical equipment to patients in their homes.  Lincare operates more than 850 branch locations in 48 states.  As Lincare explained, because its employees provide services in the homes of patients, they often remove patient records containing PHI from its branch locations.  Additionally, according to Lincare, managers of the various Lincare branch offices are required to maintain in their vehicles copies of Lincare’s “Emergency Procedures Manual,” which contains PHI of Lincare patients, so that employees could access patient contact information if an office was destroyed or otherwise inaccessible.

PHI at Issue.  Faith Shaw was a Lincare branch manager in Wynne, Arkansas from October 2005 until July 2009 and maintained the “Emergency Procedures Manual,” with PHI of 270 Lincare patients, as well as patient-specific documents of eight Lincare patients.  The patient records and Manual were apparently hard copies, and not electronically secured through encryption or authentication.

Disclosure of the PHI.  Ms. Shaw kept the records containing PHI in her car and in her marital home, where her husband lived.  After a falling out with her husband Richard in August 2008, Ms. Shaw moved out of the marital home and left the documents containing the PHI behind in her home and car.  In November of 2008, Mr. Shaw, who was concededly not authorized to access the Lincare PHI, reported to Lincare and OCR that he had in his possession the Emergency Procedures Manual and the eight patient files left behind by his wife.

OCR’s Investigation and Action.  Following its investigation, OCR determined that Ms. Shaw:  (a) kept the PHI either in her vehicle or home, to which Mr. Shaw had access; (b) maintained the PHI without proper safeguards, (c) knew or reasonably should have known that the manner in which she kept the PHI did not reasonably safeguard such PHI, and (d) knew or reasonably should have known that Mr. Shaw had ready access to the PHI.  While acknowledging that the provision of home care services may require providers to remove PHI from their offices, OCR found that Lincare’s policies and procedures did not adequately instruct its employees how to maintain PHI taken off the premises in a safe and secure manner and that Lincare did not properly record or track removed PHI.  Unlike the majority of HIPAA violations cited by OCR against providers, Lincare did not settle with OCR and instead determined to contest OCR’s charges.

In the absence of a settlement, OCR cited the following “aggravating” factors for imposing a substantial CMP against Lincare:

  • The length of time Lincare allowed employees to transport PHI away from the office without appropriate and reasonable safeguards; and

  • Lincare’s failure to promptly review and enhance its HIPAA policies for safeguarding PHI taken off premises even after it was notified of the improper disclosure.

Accordingly, OCR sought to impose a CMP totaling 239,800 for Lincare’s alleged violations of HIPAA’s Privacy Rule, broken down as follows:

  • Impermissibly disclosing PHI:  OCR determined that Lincare had improperly disclosed PHI of 278 patients in November of 2008, which then carried a penalty of $100 per patient.  OCR imposed a penalty of $25,000 – the maximum penalty that could be applied in the 2008 calendar year.

  • Failure to safeguard PHI:  OCR determined that the failure to safeguard the PHI lasted from February 1, 2008 through November 17, 2008, which carried a penalty of $100 per day.  OCR imposed an additional penalty of $25,000 – the maximum penalty that could be applied in the 2008 calendar year.

  • Failure to implement policies and procedures to ensure compliance with the Privacy Rule:  OCR determined that Lincare’s failure continued from (a) February 1, 2008 through December 31, 2008, at a penalty of $100 per day, with a maximum of $25,000 per calendar year, (b) January 1, 2009 through February 17, 2009, at a penalty of $100 per day, which totaled $4,800, and (c) from February 18, 2009 through July 28, 2009, during which time, penalty amounts were increased pursuant to the adoption of the HITECH Act, and which OCR determined to be $1,000 per day, totaling $160,000.

Significantly, in effectively stacking CMPs for separate HIPAA violations, one on top of another—although arising from the same breach or continued breach—OCR was able to multiply the aggregate size of penalties to $239,800.  At the same time, OCR determined that there was no basis to waive the imposition of the CMP because there was no evidence that the payment of a CMP would be excessive relative to the violations that it found.

Lincare appealed OCR’s determination before an ALJ.  OCR moved for summary judgment, arguing that there was no genuine issue of material fact concerning the HIPAA violations and that it was entitled to impose the aggregate CMP as a matter of law.

The ALJ’s Analysis

The ALJ granted OCR’s motion for summary judgment, finding that the evidence established that Lincare had violated HIPAA, and upheld the CMP of $239,800.

Theft is No Defense to Improper Disclosures:  In its defense, Lincare claimed that it was not responsible for the improper disclosure because it was the victim of a theft.  Specifically, Lincare claimed that Mr. Shaw “stole” the PHI from his wife and “attempted to use it as leverage to induce his estranged wife to return to him.”  The ALJ rejected this argument, concluding that Lincare was obligated to take “reasonable steps to protect its PHI from theft.”  The ALJ explained that Lincare violated this obligation when Ms. Shaw took documents out of the office and left them in in her car or home, allowing her husband to access them; and then completely abandoned them.

Lincare’s Policies Did Not Properly Address the Removal of PHI:  The ALJ also found that Lincare’s privacy policy failed to properly address the security of records removed from the office for use in the field, and monitor removed records to ensure their return.  When asked about specific guidelines for safeguarding PHI taken out of its offices, Lincare’s Corporate Compliance Officer replied that Lincare personnel “considered putting a policy together that said thou shalt not let anybody steal your protected health information.”  The ALJ did not “consider this a serious response.”

Key Takeaways

Consider Settling with OCR to Avoid a CMP:  The OCR’s imposition of a CMP, and the ALJ’s decision to affirm this penalty, represents only the second time a CMP has been imposed for a violation of the HIPAA Privacy Rule, and the first one in which an ALJ ruled on the merits.  Typically, OCR attempts to resolve HIPAA violations informally, but could not reach such a resolution with Lincare in this case.  Had a resolution been reached, the OCR would likely not have sought and secured such a substantial CMP based on “aggravating factors,” with the resultant fine likely to have been significantly lower.

Consider Encryption or other Means for Accessing PHI Remotely:  Employees of home care agencies often need to access PHI in the field when providing services.  However, the provider should consider restricting access only through electronic devices, with appropriate encryption and user authentication, to prevent unauthorized users from accessing these records.

Update Policies and Procedures:  Policies and procedures should detail for employees when patient records can be removed from the office and taken into the field, and under what circumstances; and identify how such records containing PHI should be safeguarded from disclosure.

Implement a System to Track Removed PHI:  Similarly, a system should be implemented to record and track the removal of records containing PHI so as to allow the health care provider to account for and maintain oversight over removed documents.

Regularly Train Employees:  Having detailed policies and procedures is not enough; all employees should be regularly trained on the HIPAA Privacy and Security Rules, and the agency’s corresponding HIPAA policies and practices.  To reinforce training, to the extent any PHI is removed from the premises, employees should be continually reminded not to allow unauthorized persons—including a spouse or other family or friends—to access the records.

Article By Jared Facher & Brian T. McGovern of Cadwalader, Wickersham & Taft LLP
© Copyright 2016 Cadwalader, Wickersham & Taft LLP

HHS Issues Final Rule on HIPAA and Firearm Background Check Reporting

On January 6, as part of President Obama’s executive action to combat gun violence, HHS promulgated a final regulation modifying the HIPAA Privacy Rule to allow certain HIPAA covered entities to disclose limited information to the National Instant Criminal Background Check System (NICS).

Background:  The NICS, maintained by the Federal Bureau of Investigation (FBI), is the national database used to conduct background checks on persons who may be disqualified from receiving firearms based on federal or state law.  Federal law identifies several categories of potential disqualifiers, known as “prohibitors” including a federal mental health prohibitor.  By statute, the federal mental health prohibitor applies to individuals who have been committed to a mental institution or adjudicated as a mental defective.  The Department of Justice has promulgated regulations that defines these categories to include the following individuals:

  • individuals committed to a mental institution for reasons such as mental illness or drug use;

  • individuals found incompetent to stand trial or not guilty by reason of insanity, or

  • individuals who have been otherwise determined by a court, board, commission, or other lawful authority to be a danger to themselves or others or to lack the mental capacity to contract or manage their own affairs as a result of marked subnormal intelligence or mental illness, incompetency, condition, or disease.

However, there is currently no federal law that requires state agencies to report data to the NICS, including the identity of individuals who are subject to the mental health prohibitor.  HHS believes that HIPAA poses a potential barrier to such reporting. Under current law, HIPAA only permits covered entities (e.g., state mental health agencies) to disclose such information to the NICS in limited circumstances: when the entity is a “hybrid” entity under HIPAA (and the Privacy Rule does not apply to these functions) or when state law otherwise requires disclosure, and thus disclosure is permitted under HIPAA’s “required by law” category.

Final Rule:  HHS finalized its proposed rule without any substantive changes. Under the final rule, a new section 164.512(k)(7) of the HIPAA Privacy Rule expressly permits certain covered entities to disclose information relevant to the federal mental health prohibitor to the NICS.

The permitted disclosure applies only to those covered entities that function as repositories of information relevant to the federal mental health prohibitor on behalf of a State or are responsible for ordering the involuntary commitments or the adjudications that would make someone subject to the prohibitor.  Thus, most treating providers may not disclose protected health information about their own patients to the NICS, unless otherwise permitted by the HIPAA Privacy Rule.  HHS also clarifies that individuals who seek voluntary treatment are not subject to the prohibitor.

The rule limits disclosure only to the NICS or an entity designated by the State to report data to the NICS.  And only that information that is “needed for purposes of reporting to the NICS” may be disclosed, though HHS gives States the flexibility to determine which data elements are “needed” to create a NICS record (consistent with requirements of the FBI, which maintains the NICS).  At present, the required data elements for the NICS are: name; date of birth; sex; and codes identifying the relevant prohibitor, the submitting state agency, and the supporting record.  The NICS also allows disclosure of certain optional data elements (e.g., social security number and identifying characteristics).  HHS notes that applicable covered entities may disclose such optional data elements “to the extent necessary to exclude false matches.”

HHS declined many commenters’ suggestion to expand the rule to permit the disclosure of information about individuals who are subject to state-only mental health prohibitors. HHS fears that expanding the scope of the permitted disclosure would disrupt the careful balance between public safety and encouraging patients to seek mental health care.

Finally, in the preamble, HHS defended its statutory authority to make this change, despite the fact that Congress did not address HIPAA in recent legislation to strengthen the NICS.  HHS explained that the “HIPAA statute confers broad authority on the Department to specify the permitted uses and disclosures of PHI by HIPAA covered entities.”

Article By Dena Feldman of Covington & Burling LLP

© 2015 Covington & Burling LLP

Gun Control: HIPAA Final Rule Targets Background Checks and Mental Health Reporting

President Obama has announced plans to tighten gun control regulations, including applying the background check requirement to dealers at gun shows and on websites.  Federal law already requires that those “engaged in the business” of selling guns must have a Federal Firearms License (FFL) and conduct background checks at the time of every purchase.  Some sellers assert they are not gun dealers but collectors or hobbyists who do not sell regularly and, therefore, are not “engaged in the business” of selling firearms and not required to have a FFL and conduct background checks.  The Obama administration has clarified that people who claim to be hobbyists may be engaged in the business if, for example, they operate an online gun store, frequently sell guns in their original packaging, or pass out business cards.  The Bureau of Alcohol, Tobacco and Firearms (“ATF”) issued Guidance to help individuals understand when a FFL is required.

Consistent with this initiative, the Office for Civil Rights (“OCR”) released a Final Rule modifying the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule to permit certain covered entities to disclose identifying information on persons subject to a “Federal mental health prohibitor “ to the National Instant Criminal Background Check System (“NICS”).

Intersection of NICS and HIPAA

As background, the NICS is a national system mandated by the Brady Handgun Violence Prevention Act of 1993.  Maintained by the FBI since November 1998, NICS is used by Federal Firearms Licensees to instantly determine whether an individual seeking to buy firearms is eligible to do so.  Federal law provides that it is unlawful for certain categories of persons to ship, transport, possess, or receive a firearm.  These categories are referred to as “prohibitors.” Among them  are the following mental health prohibitors, which provide that it is unlawful for the following individuals to possess a firearm:

  • individuals who have been involuntarily committed to a mental institution, for reasons such as mental illness or drug use;

  • individuals found incompetent to stand trial or not guilty by reason of insanity; or

  • those otherwise determined by a court, board, commission or other lawful authority to be a danger to themselves or unable to manage their own affairs as a result of marked subnormal intelligence, or mental illness, incompetency, condition or disease.

Many of the records qualifying an individual for a Federal mental health prohibitor are maintained by the criminal justice system, which does not generally include HIPAA covered entities.  However, some qualifying information may be housed within HIPAA covered entities that are either (i) involved in involuntary commitments or mental health adjudications; or (ii) have been designated by states to serve as repositories to collect applicable mental health data and report it to the NICS.

In balancing individuals’ privacy with public safety, the Final Rule modifies HIPAA to permit the disclosure of select demographic information to the NICS by covered entities that either (i) function as repositories of information relevant to the Federal mental health prohibitor on behalf of the state; or (ii) are responsible for ordering the involuntary commitments or other adjudications.  The Final Rule limits disclosure to demographic and other information needed for purposes of reporting to the NICS, and disclosure of diagnostic or clinical information is not permitted.

Potential Impact on Mental Health Legislation

This Final Rule is one aspect of a multi-faceted approach the Obama administration is taking on gun control.  An open question remains as to whether Congress will act with respect to gun control and mental health, and if so, how?  Certain Republicans are already looking for ways to halt President Obama’s actions, while, others in Congress do not believe that the actions go far enough and seek additional gun control measures.

At a minimum, the President’s decision to take action related to gun controls is certain to have an impact on mental health legislation.  Congressional Republicans have been discussing improving the nation’s mental health system since 2013.  Many see this focus on mental health as an effort to redirect the conversation away from gun control.  As such, the President’s recent actions propose adding $500 million to increase access to mental health care.

The combination of Republicans seeking to dismantle the recent executive actions, while redirecting the conversation to mental health may place Senate Democrats in a tough position.  The President’s action increases the likelihood that gun control measures may be attached to mental health legislation.  The issue is whether Senate Democrats are willing to filibuster mental health legislation in order to keep the focus on gun control and prevent the unraveling of some of the President’s executive actions.

Article By Lauren M. MoldawerM. Daria Niewenhous & Rodney L. Whitlock of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

©1994-2015 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Wearables, Wellness and Privacy

Bloomberg BNA recently reported that this fall the Center for Democracy & Technology (CDT) will be issuing a report on Fitbit Inc.’s privacy practices. Avid runners, walkers or those up on the latest gadgets likely know about Fitbit, and its line of wearable fitness devices. Others may know about Fitbit due to the need to measure progress in their employers’ wellness programs, or even whether they qualify for an incentive. When participating in those programs, employees frequently raise questions about the privacy and security of data collected under such programs, a compliance issue for employers. Earlier this month, FitBit reported that its wellness platform is HIPAA compliant.

fitbit, charge HR, wearable technology, fitness tech, exercise, step counter, weight loss deviceFitBit’s Charge HR (the one I use) tracks some interesting data in addition to the number of steps: heart rate, calories burned, sleep activity, and caller ID. This and other data can be synched with a mobile app allowing users to, among other things: create a profile with more information about themselves, to track progress daily and weekly, and to find and communicate with friends also using a similar device.

Pretty cool stuff, and reasons why FitBit is the most popular manufacturer of wearables with nearly 25 percent of the market, as noted by Bloomberg BNA. But, of course, FitBit is not the only player in the market, and the same issues have to considered with the use of wearables regardless of the manufacturer.

According to Bloomberg BNA’s article, one of the concerns raised by CDT about FitBit and other wearables is that the consumer data collected by the devices may not be protected by federal health privacy laws. However, CDT’s deputy director of the Consumer Privacy Project stated to Bloomberg BNA that she has “a real sense that privacy matters” to FitBit. This is a good sign, but the laws that apply to the use of these kinds of devices depend on how they are used.

When it comes to employer-sponsored wellness programs and health plans, a range of laws may apply raising questions about what data can be collected, how it can be used and disclosed, and what security safeguards should be in place. At the federal level, the Health Insurance Portability and Accountability Act (HIPAA), the Americans with Disabilities Act (ADA), and the Genetic Information Nondiscrimination Act (GINA) should be on every employer’s list. State laws, such as California’s Confidentiality of Medical Information Act, also have to be taken into account when using these devices in an employment context.

Recently issued EEOC proposed regulations concerning wellness programs and the ADA address medical information confidentiality. If finalized in their current form, among other safeguards, the regulations would require employers to provide a notice informing employee about:

  • what medical information will be obtained,

  • who will receive the medical information,

  • how the medical information will be used,

  • the restrictions on its disclosure, and

  • the methods that will be used to prevent improper disclosure.

Preparing these notices for programs using wearables will require knowing more about the capabilities of the devices and how data is accessed, managed, disclosed and safeguarded.

But is all information collected from a wearable “medical information”? Probably not. The number of steps a person takes on a given day, in and of itself, seems unlikely to be medical information. However, data such as heart rate and other biometrics might be considered medical information subject to the confidentiality rule. Big data analytics and IoT may begin to play a greater role here, enabling more detailed pictures to be developed about employees and their activities and health through the many devices they use.

Increasingly wellness programs seek to incentivize the household, or at least employees and their spouses. Collecting data from wearables of both employee and spouse may raise issues under GINA which prohibits employers from providing incentives to obtain genetic information from employees. Genetic information includes the manifestation of disease in family members (yes, spouses are considered family members under GINA). The EEOC is currently working on proposed regulations under GINA that we are hoping will provide helpful insight into this and other issues related to GINA.

HIPAA too may apply to wearables and their collection of health-related data when related to the operation of a group health plan. Employers will need to consider the implications of this popular set of privacy and security standards including whether (i) changes are needed in the plan’s Notice of Privacy Practices, (ii) business associate agreements are needed with certain vendors, and (iii) the plan’s risk assessment and policies and procedures adequately address the security of PHI in connection with these devices.

Working through plans for the design and implementation of a typical wellness program certainly must involve privacy and security; moreso for programs that incorporate wearables. FitBits and other devices likely raise employees’ interest and desire to get involved, and can ease administration of the program, such as in regard to tracking achievement of program goals. But they raise additional privacy and security issues in an area where the law continues to develop. So, employers need to consider this carefully with their vendors and counselors, and keep a watchful eye for more regulation likely to be coming.

Until then, I need to get a few more steps in…

Article By Joseph J. Lazzarotti of Jackson Lewis P.C.

Jackson Lewis P.C. © 2015

HIPAA: Disclosing Exam Results to Employers

Physicians and other providers are often paid by employers to conduct drug tests, fitness-for-duty or return-to-work exams, or employment physicals for employees. In such circumstances, the physician may mistakenly assume that they may disclose the test and exam results to the employer without the patient’s authorization, but that is not correct.HIPAA

As with any other protected health information, physicians and other providers generally need the patient’s written, HIPAA-compliant authorization to disclose exam results to the employer. (45 CFR 164.508(a); see also 65 FR 82592 and 82640). However, unlike other treatment situations, a provider may condition the performance of an employee physical or test on the patient’s provision of an authorization, i.e., the provider may refuse to perform the exam unless the patient executes a valid authorization. (45 CFR 164.508(b)(4)(iii); 65 FR 82516 and 82658). In addition, the employer may condition the employee’s continued employment on the provision of the exam results (at least under HIPAA), thereby creating an incentive for the employee to execute the authorization. (65 FR 82592 and 82640). The foregoing rules also apply when the health care provider is the employer, e.g., when a hospital employee receives treatment or tests at the hospital. In those situations, the hospital/employer generally may not access or use the patient/employee’s health information for employment-related purposes without the patient’s written authorization. (67 FR 53191-92).

An employee who receives an unfavorable test or exam result may attempt to block disclosure by revoking their authorization. Although patients are generally entitled to revoke their authorization by submitting a written revocation, HIPAA contains an exception that limits revocation if and to the extent that the provider has taken action in reliance on the authorization. (45 CFR 164.508(b)(5)). That exception should apply when the provider has conditioned and provided the test or exam in reliance on the patient’s authorization.

There are very limited exceptions to the authorization requirement. As in other situations, a provider may disclose protected health information to an appropriate entity if necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public (45 CFR 164.512(j)), or if the disclosure is otherwise required by law. (Id. at 164.512(a)). HIPAA contains a specific exception that allows disclosures to employers if the exam was performed as part of a medical surveillance of the workplace and the employer needs the information to report work-related injuries as required by OSHA, MSHA, or similar state laws. (Id. at 164.512(b)(v)). Finally, HIPAA allows providers to disclose protected health information as authorized by and to the extent necessary to comply with workers compensation laws. (Id. at 164.512(l)).

The bottom line: if you are a physician or other provider who conducts employment physicals, tests, or exams, be sure you obtain the patient’s written, HIPAA-compliant authorization before conducting the exam and/or disclosing test or exam results to the employer.

Article By Kim C. Stanger, Pia Dean & William W. Mercer of Holland & Hart LLP

Copyright Holland & Hart LLP 1995-2015.

Moving to the Cloud: Some Key Considerations for Healthcare Entities

Covington & Burling LLP

Healthcare providers, health plans, and other entities are increasingly utilizing cloud services to collect, aggregate, store and process data.  A recent report by IDC Health Insights suggests that 80 percent of healthcare data is expected to pass through the cloud by 2020.  As a substantial amount of healthcare data comprises “personal information” or “protected health information” (PHI), federal and state privacy and security laws, including the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, raise significant questions for healthcare providers and health plans utilizing the cloud in connection with such data.  Such questions include whether HIPAA requirements extend to cloud providers, how and if entities storing health data on the cloud will be notified in case of a breach, and whether storage of data overseas by cloud providers triggers any additional obligations or concerns.

Given the complex legal issues at play, any contract between a healthcare provider or health plan and a cloud service provider that involves using the cloud in connection with PHI should therefore address the regulatory restrictions and requirements applicable to PHI.  By way of example, recent guidance from the HHS Office for Civil Rights suggests that health care providers must likely have a business associate agreement in place with their cloud service provider.  Moreover, although cloud providers might not regularly access the data they store and may never “use” or “disclose” that data as those terms are defined under HIPAA, cloud providers probably need to adhere to HIPAA breach notification requirements.  There have also been indications of late that HHS may consider it advisable, if not required, that entities subject to the HIPAA Security Rule encrypt PHI data even when that data is at rest and not being transmitted electronically.  The recent data breaches involving health plans Anthem and Premera highlight the vulnerability of health care data and may lead to additional pressure for providers to implement additional encryption measures.

Even if HIPAA rules do not apply to cloud service provider contracts, healthcare providers and health plans storing data on the cloud should be aware that many states now have privacy and breach notification laws which could come into play.

Finally, in addition to addressing the regulatory requirements and data privacy and security, a healthcare provider or health plan should negotiate appropriate service level terms with the cloud provider that address such issues as the performance requirements for the cloud network and the process and procedures for addressing problems with the cloud network.  The healthcare provider or health plan should also include appropriate back-up and disaster recovery provisions in the contract with the cloud provider, as well as appropriate remedies in the event it suffers losses as a result of the contract.

ARTICLE BY

Paige M. Jennings
Anna Kraus
Ramy Ramadan
Lee J. Tiedrich
Covington & Burling LLP
Covington E-Health

Still Waiting for ADA and GINA Guidance on Wellness Incentives

Jackson Lewis P.C.

March is here. The EEOC’s perspective on wellness program incentives is not. Yet again.

In its Fall 2014 regulatory agenda, the EEOC stated it would be issuing in February 2015 amended regulations concerning the size of incentives an employer may offer, yet still have a “voluntary” wellness program under the ADA and GINA.  The EEOC listed these same amendments on its Spring 2014 regulatory agenda. The regulatory agenda is a preliminary statement of priorities under consideration and is not a binding commitment to issue the regulations on the stated date.

The EEOC noted on its agenda that these amendments were needed to address whether an employer’s compliance with HIPAA rules concerning wellness program incentives, as amended by the Affordable Care Act (ACA), also complies with the ADA. The EEOC added that an amendment would also address the size of inducements allowed under GINA “to employees’ spouses or other family members who respond to questions about their current or past medical conditions on health risk assessments.”

The allowed size of wellness incentives matters to the growing number of employers with wellness programs. The ACA has a clear compliance standard for such incentives.  Until 2014, the EEOC had stayed on the sidelines of the wellness incentive debate, not offering any guidance beyond its general view that if the incentive was too large, the program was not “voluntary.”

In 2014, the EEOC sued three employers, claiming the size of their wellness incentives (or penalties, depending on your perspective) transformed otherwise voluntary wellness programs into involuntary programs. In the third case, the EEOC sought to enjoin the company from continuing the incentives in its wellness plan. There was no claim that the incentives violated the ACA standard. Our report on that case is here.

At the oral argument on the injunction hearing, the court asked the EEOC numerous times to define the line between a lawful and unlawful incentive under the ADA and GINA. The EEOC declined to define a specific line. The court denied the EEOC’s injunction request.

More than a year ago, we posted that waiting for the EEOCs guidance on incentives under wellness programs is like waiting for Beckett’s Godot, where Estragon and Vladimir lament daily that Godot did not come today, he might come tomorrow. The waiting continues.

ARTICLE BY

Michael J. Soltis
OF
Jackson Lewis P.C.

Bring Your Own Device To Work Programs: Regulatory and Legal Risks and How To Minimize Them

Poyner Spruill LLP Attorneys at Law, a North Carolina Law Firm

If you’ve ever left your mobile phone on an airplane, in a restaurant, or somewhere other than in your possession, you know it’s frightening enough to think of losing the device itself, which costs a premium, as well as your personal photos or information stored on the device. Now imagine if you lost your mobile phone, but it also had protected health information (PHI) associated with your health care work stored on it.  The lost device suddenly presents the potential for reputational damage and legal or regulatory obligations, in addition to the inconvenience and cost of replacement.

Mobile phones are lightweight, palm sized, and cordless, which makes them convenient and easily portable. These same features make mobile phones highly susceptible to theft or loss. As such, there are serious compliance risks to consider and mitigate when allowing personal mobile device use for work purposes, or a bring your own device (BYOD) program, especially in a healthcare setting. Despite the known risks, current research shows that in some industries, up to 90% of employees are using their personal devices for work purposes whether “allowed” or not.  For example, an assisted living nurse using a personal device for work purposes might send a text message to a patient’s primary care physician (PCP) to obtain guidance or to provide an update.  That communication includes PHI, raising compliance obligations, such as state laws or HIPAA security requirements. In the long term care setting, it’s also a clear violation of applicable privacy laws and the Centers for Medicare and Medicaid Services will, and has been, citing such infractions on surveys.  We suspect the Division of Health Service Regulation would do likewise under state law if this occurred in an adult care home.

There is no quick and easy remedy to completely eliminate all risks associated with the use of mobile phones, particularly employee-owned devices. However, there are steps that can be taken to minimize those risks while allowing the use of mobile technology to provide enhanced and continuous care to patients. One such step is implementing a mobile device management (MDM) solution. An MDM solution allows a secure connection for employees to access work networks and information resources remotely, using an application installed on their personal device. That solution keeps “work applications” such as the employer’s email program technically separated from “personal applications” like social media apps. In addition, an MDM solution allows the employer to force technical controls on the device, such as password requirements, encryption or the ability to remotely wipe all data from the device.

Recognizing that employers must relinquish ownership and technical control to make a BYOD program work, employers also must implement robust policies and procedural controls. For example:

  • Permissible Uses. Document the permissible uses of personal devices for work purposes, including whether employees are ever permitted to transfer PHI or other types of sensitive personal information on a personal device and the employment terms associated with such uses.

  • Device Security Controls. Document the policies that govern device controls (such as requiring employees to use passwords, up-to-date malware protection, device time-out, authentication or encryption on the device).

  • Training and Sanctions. Enforce training requirements and frequency as part of the terms of use and implement clear sanctions policies for unauthorized access or use.  Employers may also consider whether the same training and policies/procedures will apply to vendors or contractors.

  • HR Policies.  Review other important employment law considerations such as employee privacy rights, social media policies, and policies for removing applicable data from the devices of terminated or exiting employees.

There are many compliance considerations to keep in mind when deciding whether to implement a BYOD program. A comprehensive security framework, including technical controls, policies, procedures, and training, can reduce the high risks associated with the use of personal mobile devices for work purposes.

ARTICLE BY

Tara N. Cho
OF
Poyner Spruill LLP