HIPAA Updates

Limited HIPAA Waiver Granted to Hospitals in Irma Disaster Zone

A public health emergency has been declared in areas of the U.S. Virgin Islands, Puerto Rico, and Florida affected by Hurricane Irma.

As was the case in Texas and Louisiana after Hurricane Harvey, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a limited waiver of HIPAA Privacy Rule sanctions and penalties for hospitals affected by Irma.

OCR has stressed that the HIPAA Privacy and Security Rules have not been suspended and covered entities must continue to follow HIPAA Rules; however, certain provisions of the Privacy Rule have been waived under the Project Bioshield Act of 2014 and Section 1135(b) of the Social Security Act.

In the event that a hospital in the disaster zone does not comply with the following aspects of the HIPAA Privacy Rule, penalties and sanctions will be waived:

  • 45 CFR 164.510(b) – Obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
  • 45 CFR 164.510(a) – Honor requests to opt out of the facility directory.
  • 45 CFR 164.520 – Distribute a notice of privacy practices.
  • 45 CFR 164.522(a) – The patient’s right to request privacy restrictions.
  • 45 CFR 164.522(b) – The patient’s right to request confidential communications.

The waiver only applies to penalties and sanctions in relation to the above provisions of the HIPAA Privacy Rule, only to hospitals in the emergency area that have implemented their disaster protocol, and only for the time period identified in the public health emergency declaration.

The waiver applies for a maximum of 72 hours after a hospital has implemented its disaster protocol. If either the President’s or HHS Secretary’s declaration terminates within that 72-hour time period, the hospital must immediately comply with all aspects of the HIPAA Privacy Rule for all patients under its care.

In emergency situations, the HIPAA Privacy Rule does permit the sharing of PHI for treatment purposes and with public health authorities that require access to PHI to carry out their public health mission. HIPAA-covered entities are also permitted to share information with family, friends, and others involved in an individual’s care, even if a waiver has not been issued. Further details of the allowable disclosures in emergency situations are provided in the HHS HIPAA bulletin.

In all cases, covered entities must limit disclosures to the minimum necessary information to achieve the purpose for which PHI is disclosed.

Even during natural disasters, healthcare organizations and their business associates must continue to comply with the HIPAA Security Rule and must ensure appropriate administrative, physical, and technical safeguards are maintained to ensure the confidentiality, integrity, and availability of electronic protected health information to prevent unauthorized access and disclosures.

The post Limited HIPAA Waiver Granted to Hospitals in Irma Disaster Zone appeared first on HIPAA Journal.

AHA Urges Congress to Reduce Regulatory Burden on Hospitals

In a recent letter to the House Ways and Means Health Subcommittee, the American Hospital Association (AHA) suggested several steps that Congress can take to immediately reduce the regulatory burden on hospitals and health systems.

The AHA says the regulatory burden on hospitals and health systems is substantial and unsustainable and increased regulatory activity is making the situation worse.

One example provided refers to the Centers for Medicare & Medicaid Services, which in 2016 released 49 rules related to hospitals and health systems that spanned almost 2,400 pages. There has also been an increase in sub-regulatory guidance such as FAQs and blogs to help hospitals and health systems understand how to implement administrative policies.

In the letter, the AHA points out that “In addition to the sheer volume, the scope of changes required by the new regulations is beginning to outstrip the field’s ability to absorb them.”

The AHA has suggested a number of ways that Congress can take action to immediately reduce the regulatory burden on hospitals, health systems and their patients.

While the suggestions cover many areas, two relate to the Health Insurance Portability and Accountability Act (HIPAA), which the AHA points out negatively affects patient care.

Currently there are barriers that prevent beneficial sharing of patient health data. For example, HIPAA Regulations restrict the sharing of patient data for healthcare operations, including the use of data for quality assessment and improvement activities. The restrictions also apply to outcomes evaluation, activities related to evaluations of provider competence and performance, and to information about patients that has been disclosed to or received by providers that have or have previously had a patient relationship.

The challenge in an integrated health setting is, in many cases, patients do not have a relationship with all of the healthcare providers with whom information must be coordinated.

AHA says “A clinically integrated setting and each of its participating providers must focus on and be accountable for all patients. Moreover, achieving the meaningful quality and efficiency improvements that a clinically integrated setting promises requires that all participating providers be able to share and conduct population-based data analyses.”

AHA suggests that HIPAA should allow all patients’ medical information to be disclosed to and used by all participant providers in an integrated care setting, and that it should not be necessary for a patient to have a direct relationship with all of those organizations that technically use and have access to the data.

The AHA also suggests that all treating providers should be allowed access to patients’ substance use disorder treatment records. Currently, patients must provide consent before treating providers can access those records, which is an obstacle to integrated patient care. Further, in certain situations, not having access to that information can endanger patients’ health.

The AHA suggests Overdose Prevention and Patient Safety Act (H.R. 3545) reforms should be enacted and “fully align requirements for sharing patients’ substance use disorder treatment records with HIPAA regulations that allow the use and disclosure of patient information for treatment, payment and healthcare operations.”

This would ensure that all providers and organizations that have a direct treatment relationship with a patient have access to that individual’s complete medical record, including their history of treatment for substance use disorder.

The AHA also suggested Congress cancel Stage 3 Meaningful Use requirements, pointing out that the regulatory burden on hospitals and health systems is considerable, yet those requirements have no clear benefit to patient care.


HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone

During emergencies such as natural disasters, complying with all HIPAA Privacy Rule provisions can be a challenge for hospitals and can potentially have a negative impact on patient care and disaster relief efforts.

In emergency situations, HIPAA Rules still apply. The HIPAA Privacy Rule allows patient information to be shared to help with disaster relief efforts and ensure patients get the care they need.

The Privacy Rule permits covered entities to share patient information for treatment purposes, for public health activities, to disclose patient information to family, friends and others involved in a patient’s care, to prevent or lessen a serious and imminent threat to the health and safety of a person or the public and, under certain circumstances, allows covered entities to share limited information with the media and other individuals not involved in a patient’s care (45 CFR 164.510(a)).

In such cases, any disclosures must be limited to the minimum necessary information to accomplish the purpose for which the information is being disclosed.

However, disasters often call for a relaxation of HIPAA Rules, and the Secretary of the Department of Health and Human Services may choose to waive certain provisions of the HIPAA Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.

During the Ebola crisis in November 2014, OCR issued a waiver for certain requirements of HIPAA Rules, as was the case in the immediate aftermath of Hurricane Katrina when a waiver was issued for certain Privacy Rule provisions.

Yesterday, HHS Secretary Tom Price announced that OCR will waive sanctions and financial penalties for specific Privacy Rule violations against hospitals in Texas and Louisiana that are in the Hurricane Harvey disaster area.

The waiver only applies to the provisions of the HIPAA Privacy Rule as detailed below:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b).

These waivers only apply to hospitals in the emergency areas that have been identified in the public health emergency declaration.

The waiver only applies if hospitals have instituted a disaster protocol and the waiver applies for 72 hours after the disaster protocol has been implemented. The waiver will also only apply until the Presidential or Secretarial declaration terminates, even if the 72 hours has not elapsed.

Further information on the limited waiver of HIPAA sanctions and penalties as a result of Hurricane Harvey can be viewed in this HIPAA bulletin from HHS.


U.S. Senate Passes Jessie’s Law to Help Prevent Drug Overdoses

West Virginia senators Joe Manchin and Shelley Moore Capito have announced that Jessie’s Law has been passed by the Senate. The legislation is intended to ensure doctors are provided with details of a patient’s previous substance abuse history if consent to share the information is provided by the patient.

Jessie’s Law takes its name from Michigan resident Jessica Grubb, who was in recovery from opioid abuse when she underwent surgery. She had been struggling with addiction for seven years, but prior to surgery had been clean for 6 months.

Her parents, who were at the hospital while their daughter underwent surgery, had repeatedly told doctors not to prescribe opioids unless their daughter was under the strictest supervision. However, her discharging physician gave her a prescription for 50 oxycodone tablets. Grubb overdosed and died the same night she was discharged from hospital. Her discharging doctor did not receive the information about her history of opioid use.

The bill, which was introduced by Sen. Manchin and co-sponsored by Capito, will ensure physicians are better informed about the medical histories of recovering addicts, while preserving the privacy of patients. The new bill states a “history of opioid use disorder should, only at the patient’s request, be prominently displayed in the medical records (including electronic health records).”

The Department of Health and Human Services will be required to publish guidelines on when healthcare providers are permitted to prominently display details of a patient’s history of opioid use on their medical record.

Jessie’s mother Kate Grubb said, “I am ever so grateful for the passage of Jessie’s Law; it eases a mother’s aching heart that this law will save other lives and give meaning to Jessie’s death.”

The bill will now proceed to the U.S. House of Representatives’ Committee on Energy and Commerce for consideration.

Legislation Proposed to Align Part 2 Regulations with HIPAA to Improve Patient Care

Congressmen Tim Murphy and Earl Blumenauer introduced a similar bill – The Overdose Prevention and Patient Safety (OPPS) Act (HR 3545) – late last month. The bill is intended to align 42 Code of Federal Regulations Part 2 (Part 2) with HIPAA rules and will ensure doctors have access to their patients’ complete medical histories, including details of addiction treatment. Details of addiction treatment are prohibited from being shared with doctors. However, without access to full medical records, tragic incidents such as what happened to Grubb could occur time and again.

Rep. Murphy said, “The Overdose Prevention and Patient Safety Act will allow doctors to deliver optimal, lifesaving medical care, while maintaining the highest level of privacy for the patient.” Murphy also explained that while sharing sensitive information on substance use will help patients get the care they need, patient privacy must be protected. “We do not want patients with substance use disorders to be made vulnerable as a result of seeking treatment for addiction, this legislation strengthens protections of their records.”

The Overdose Prevention and Patient Safety Act reads, “Any record…that has been used or disclosed to initiate or substantiate any criminal charges against a patient or to conduct any investigation of a patient in violation of paragraphs (1) or (2), shall be excluded from evidence in any proposed or actual proceedings relating to such criminal charges or investigation and absent good cause shown shall result in the automatic dismissal of any proceedings for which the content of the record was offered.”

A coalition of more than 30 healthcare stakeholders wrote to Reps Murphy and Blumenauer to express support for the bill. In the letter, the coalition points out that while the Substance Abuse and Mental Health Services Administration (SAMHSA) recently released a final rule that will modernize Part 2, the final rule does not go far enough.


OCR Data Breach Portal Update Highlights Breaches Under Investigation

Last month, the Department of Health and Human Services confirmed it was mulling over updating its data breach portal – commonly referred to as the OCR ‘Wall of Shame’.

Section 13402(e)(4) of the HITECH Act requires OCR to maintain a public list of breaches of protected health information that have impacted more than 500 individuals. All 500+ record data breaches reported to OCR since 2009 are listed on the breach portal.

The data breach list contains a wide range of breaches, many of which occurred through no fault of the covered entity and involved no violations of HIPAA Rules.

OCR has received some criticism for its breach portal for this very reason, most recently from Rep. Michael Burgess (R-Texas) who said the breach portal was ‘unnecessarily punitive’ in its current form.

For example, burglaries will occur even with reasonable physical security in place, and even with appropriate controls, rogue healthcare employees will on occasion access PHI out of curiosity or with malicious intent. Some consider it unfair for those breaches to remain on public display indefinitely.

OCR Director Roger Severino said last month that “The website provides an important source of information to the public, but we recognize that the format has become stale and can and should be improved.”

While the HITECH Act requires OCR to maintain the portal, the Act does not specify for how long that information must be displayed. One possibility for change would be a time limit for displaying the breach summaries. There was concern from some privacy advocates about the loss of information from the portal, which would make it hard for information about past breaches to be found for research purposes or by patients whose PHI may have been exposed.

This week, changes have been made to the breach portal. The breach list now displays all data breaches that are currently under investigation by OCR. OCR investigates all reported data breaches impacting more than 500 individuals. Currently, the list shows there are 354 active investigations dating back to July 2015.

The order of the list has also been changed so the most recent breach reports are displayed first, a much more convenient order for checking the latest organizations to report data breaches.

Data breaches that were reported to OCR more than 24 months ago, along with breach investigations that have now been closed, have not been lost; instead, they have been moved to an archive. The archive can still be accessed through the site and is searchable, as before.

Since recent data breaches could be in either the archive or the main list, the change has the potential to make research and searches more complicated. OCR has tackled this issue by offering a research report containing the full list of breaches dating back to 2009.


OCR’s Wall of Shame Under Review by HHS

Since 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its website. The data breach list is commonly referred to as OCR’s ‘Wall of Shame’.

The data breach list only provides a brief summary of data breaches, including the name of the covered entity, the state in which the covered entity is based, covered entity type, date of notification, type of breach, location of breach information, whether a business associate was involved and the number of individuals affected.

The list includes all reported data breaches, including those which occurred due to no fault of the healthcare organization. The list is not a record of HIPAA violations. Those are determined during OCR investigations of breaches.

Making brief details of the data breaches available to the public is an ‘unnecessarily punitive’ measure, according to Rep. Michael Burgess (R-Texas), who recently criticized OCR about its data breach list.

Burgess was informed at a cybersecurity hearing last week that HHS secretary Tom Price is currently reassessing the website and how the information is made public.

While the publication of information is under review, the publication of breach summaries is a requirement of the HITECH Act of 2009. Any decision to stop publishing breach summaries on the website would require assistance from Congress. However, it is possible for changes to be made to how the information is displayed and for how long the information is made available. The HITECH Act only requires the information to be published. It does not stipulate the length of time that the covered entity remains on the list.

The reason behind the publication of breach information is to inform the public of data breaches and to provide some information on what has occurred. If there was a time limit placed on the length of time a covered entity remained on the list, it would not be possible for a member of the public to determine whether a breach was an isolated event or one of several suffered by a covered entity.

OCR Director Roger Severino issued a statement confirming the usefulness of the website saying, “The website provides an important source of information to the public, but we recognize that the format has become stale and can and should be improved,” explaining “OCR will continue to evaluate the best options for communicating this information as we meet statutory obligations, educate the regulated community (and the public) on lessons learned, and highlight actions taken in response.”

Burgess told Fierce Healthcare, “I am interested in pursuing solutions that hold hospital systems accountable for maintaining patient privacy without defaming systems that may fall victim to large-scale ransomware attacks, such as WannaCry.”

Of course, in the case of the WannaCry attacks, healthcare organizations may not be blameless. The attacks were only possible as a result of the failure to apply patches promptly. However, in its current form, there would be no indication on the website that a covered entity had experienced a ransomware attack as the breach list does not go into that much detail.

While options are being considered, some privacy advocates argue that the breach portal does not go into nearly enough detail and suggest even more information should be uploaded to the site to better inform the public on exactly what has occurred.


Mississippi Division of Medicaid Announces Exposure of 5,220 Individuals’ PHI

The Mississippi Division of Medicaid (DOM) has announced that 5,220 Medicaid recipients have had some of their protected health information (PHI) exposed via email as a result of an error with an online form service.

DOM discovered that the online form service was sending emails containing PHI to staff members, but those emails were not encrypted. The online service was used by staff members to create forms that were posted on its medicaid.ms.gov website. When a form was submitted via the website, emails containing the form information were sent to designated staff members.

Once the emails were received they were securely stored; however, it is possible that the information contained in the emails could have been intercepted in transit and could have been accessed by unauthorized individuals. DOM stopped using the online service once the error was discovered and all forms were removed from the website.

The service transmitted six different online forms. Those forms contained the following PHI elements: Names, addresses, phone numbers, dates of birth, email addresses, health insurer names, admission dates, enrollment dates, medical conditions, Medicare and/or Medicaid identification numbers and Social Security numbers. The online form service was used between May 2, 2014 and April 10, 2017.

While PHI was exposed as a result of the error, DOM says there is no reason to believe that any PHI has actually been viewed or obtained by unauthorized individuals. Keith Robinson, DOM’s security officer, said, “It is highly unlikely that the data was compromised since the typical user would not know how to capture it during transmission.” He also explained that at the source and destination the information was secured.

In response to this incident, DOM will be strengthening its technological safeguards to prevent any future incidents of this nature from occurring. DOM’s policies and procedures relating to privacy and security will also be revised.

As required by HIPAA, all individuals affected by the incident have been notified by mail. No credit monitoring or identity theft protection services are being offered due to the low risk of data compromise, although impacted individuals have been advised to check their credit reports carefully.
