Meet the HIPPO HIPAA Expert
Omen Safavi, J.D.
Omen Safavi is a licensed attorney admitted to the Tennessee Bar. Omen manages the operations of a Maternal Fetal Medicine practice in Austin, Texas.
He is a graduate of the Saint Louis University School of Law, whose Health Law program was ranked number one in the United States by U.S. News and World Report from 1990 to 2014. Omen serves as the Director of Compliance for HIPPO Data Storage.
In a recent Guidance, the Office for Civil Rights of the U.S. Department of Health and Human Services (“OCR”) appears to have tried to correct an impression that its emphasis falls more on the privacy of protected health information (“PHI”) than on its security. Its July 2016 article draws attention to the need for covered entities and business associates to give equal attention to PHI security.
Relative to this OCR initiative, our partner Elizabeth Litten and I were recently featured again by our good friend Marla Durben Hirsch in her article “OCR: Providers need to assess cybersecurity response,” in the August 29, 2016 issue of Environment of Care Leader. The full text can be found in that issue; a synopsis follows.
Litten and Kline observed that the Guidance provided less specificity than prior OCR guidance in the HIPAA area and seemed more geared to large providers and managed healthcare systems. Nonetheless, Litten observed, “The bar [for PHI security] is higher than what some providers thought, especially if you read this with the [contemporaneous OCR] guidance on ransomware. So you may need [to take more steps] to protect your software.” Kline added, “OCR is going to say that if we tell you to do this and you don’t, tough on you.”
Some of the tips provided by Litten and Kline in the article include the following:
Litten: Protect your electronic patient information if you haven’t done so already, taking into account your particular resources and limitations. “You don’t need a forensic analyst on staff, but you may want the contact information of one in your address book. If you’re not sure how to proceed or even where to start, you may need to hire a consultant to help you.”
Kline: Develop policies and procedures to address cybersecurity. “The fact that you’ve done something constructive and documented that you’ve tried to comply, you’re so much better off [if you get audited by OCR].”
Kline and Litten: Review your cybersecurity response policies, plans and procedures annually.
Litten: Ask your electronic health record and other health IT vendors about the cybersecurity capabilities of their systems. “You want to make use of tools you have or at least know what you don’t have.”
Kline: Understand that OCR treats a cybersecurity incident, not just an obvious breach and not just ransomware, as a presumptive reportable breach that must be put through the four-factor risk assessment to determine whether that presumption can be rebutted. “It’s not just [clear] breaches that need a HIPAA risk analysis.”
Kline and Litten: Document all of your plans, policies and procedures your facility has to respond to a cybersecurity incident and what you have done if you have been subject to one.
Litten: Use free or easily available resources when you can. For instance, OCR has tools on its website, such as a sample risk analysis to determine vulnerabilities of electronic patient data. Your local medical societies may also offer tools, webinars and training.
Litten: Make sure that your business associates also have cybersecurity protections in place. “The [G]uidance specifies that business associates as well as covered entities need to have this capability. Because it’s the covered entity that’s ultimately responsible for protecting its patient data and for reporting security breaches, it falls to the entity to ensure that the business associate complies.” So you need to ask business associates what their cybersecurity response plans entail and make sure that they’re adequate, include the fact that they have such a plan in the representations and warranties of your business associate agreement, require swift reporting to you of any cybersecurity incidents suffered by a business associate and make sure that business associates limit access to your patients’ data. “You don’t want seepage of patient protected health information.”
In light of the clear concerns of OCR that covered entities and business associates, both large and small, pay sufficient attention to security of PHI, current compliance efforts should evidence relevant concrete policies and procedures that cover not only privacy but also security. Documentation of such efforts should specifically address current issues such as ransomware and risk analysis to demonstrate that the covered entity or business associate is staying current on areas deemed to be of high risk by OCR.
Co-authored by Elizabeth G. Litten and Michael J. Kline
HIPAA turns 20 today. A lot has changed in the two decades since its enactment. When HIPAA was signed into law by President Bill Clinton on August 21, 1996, DVDs had just come out in Japan, most people used personal computers solely for word processing, the internet domain myspace.com had just come online, Apple stock was at a ten-year low, and Microsoft Windows CE 1.0 would soon be released (in November 1996, as a portable operating system). In December 1996, Microsoft’s Office 97 was published on CD-ROM and was also available on a set of 45 3½-inch floppy disks. The internet did not yet exist in many countries, and The New York Times took the bold step of starting its own website. Google was also born in 1996, but few people outside Stanford University had heard of it. Pokémon hit the market for the first time, but it wasn’t a game played on cell phones. Even texting was a rarity:
“Most early GSM mobile phone handsets did not support the ability to send SMS text messages, and Nokia was the only handset manufacturer whose total GSM phone line in 1993 supported user-sending of SMS text messages. According to Matti Makkonen, the inventor of SMS text messages, Nokia 2010, which was released in January 1994, was the first mobile phone to support composing SMSes easily … Initial growth was slow, with customers in 1995 sending on average only 0.4 messages per GSM customer per month.” [https://en.wikipedia.org/wiki/Short_Message_Service]
According to Wikipedia, the first secure data kidnapping attack (what we would now call ransomware) was devised by researchers at Columbia University and presented at the IEEE Security and Privacy conference in 1996. Fast forward 20 years to the first six months of 2016, and ransomware attacks on hospitals made headlines after a hospital in Hollywood, California paid $17,000 in ransom (reportedly in bitcoin, another digital invention not contemplated in 1996).
The Department of Health and Human Services (HHS) released a “FACT SHEET: Ransomware and HIPAA” in July 2016, reporting a 300% increase in daily ransomware attacks in early 2016 as compared with those reported in 2015. It is hard to imagine that, back in 1996 (or even in 2000 or 2003, when the Privacy Rule and Security Rule, respectively, were first promulgated), HIPAA compliance would require staving off and responding to cybersecurity attacks involving data “kidnapping”.
Over the years, this blog site has addressed many issues that were not a gleam in the eyes of the federal and state governments, healthcare organizations, insurers, patients and many other stakeholders in 1996. Ten of these issues featured in the last two years on this blog and their links and posting dates are noted below.
Is Your Facility a PokéStop? (A what?) – July 20, 2016
HIPAA audits – April 10, 2016
Health Information Mobile Apps – March 31, 2016
The Federal Trade Commission becomes one of several competing new sheriffs in town for regulating healthcare privacy and security – January 11, 2016
Stolen laptops as constant sources of HIPAA privacy breaches – September 3, 2015
Dumpster diving as a common source of HIPAA breaches respecting paper records – July 31, 2015
Federal and state governments become victims of HIPAA breaches even with high levels of security – June 26, 2015
Countless cases of alleged theft and other crimes involving PHI or other HIPAA breaches by employees, including physicians – March 24, 2015
Numerous lawsuits by State Attorneys General to enforce HIPAA and state health information privacy laws – December 17, 2014
The “Wall of Shame” features many highly respected and well-known hospitals, universities, insurers, Fortune 500 companies and numerous other lesser-known victims – July 30, 2014
It can be expected that many more unanticipated and challenging issues will confront HIPAA in the future as the dizzying advance of technology surges onward, matched only by the boundless ingenuity of hackers and others seeking to profit from illegal activities relating to PHI.
My heart goes out to any family member trying desperately to get news about a loved one in the hours and days following an individual or widespread tragedy, irrespective of whether it was triggered by an act of nature, an act of terrorism, or any other violent, unanticipated, life-taking event. My mind, though, struggles with the idea that HIPAA could actually exacerbate and prolong a family member’s agony.
HIPAA is, generally speaking, intended to protect our privacy when it comes to health status, treatment, or payment and to facilitate appropriate access to our health information. But, as is typical with federal laws intersecting areas historically governed by State law, HIPAA defers to State law in some key respects. For example, if a HIPAA provision is contrary to a similar provision of State law, the HIPAA provision preempts the State law unless the State law relates to the privacy of individually identifiable health information and is “more stringent” than the comparable HIPAA provision. HIPAA also references “applicable law” in describing who can obtain information as a personal representative of an individual or act on behalf of a deceased individual.
So what does this mean in the context of family members seeking information about loved ones following the devastating Orlando, Florida night club shooting or following some other violent tragedy?
If a victim is hospitalized and a friend or family member is trying to get information about the victim, HIPAA permits the hospital to share information under the following circumstances:
* A hospital may use protected health information (PHI) to notify or assist in the notification of a family member, personal representative or other person responsible for the patient’s care of the patient’s location, general condition or death
* A hospital can use a facility directory to inform visitors and callers of a patient’s location and general condition
* A hospital can release information as to the victim of a crime in response to law enforcement’s request for such information under certain circumstances, and law enforcement can notify the families
* If the patient is competent, the patient can tell the hospital that it may release all information to their family and friends
* If the patient is not competent to authorize release of information, a “personal representative” (a person authorized under State law to act on behalf of the patient to make health care decisions) can have all information necessary to make decisions. That person can also authorize release of information to others
Sadly, the agony of loved ones seeking information about a patient may be prolonged if they are not viewed as family members or if State law does not recognize the loved one as a “personal representative”. Sure, the federal Department of Health and Human Services (HHS) could amend the HIPAA regulations to deem certain individuals (for example, same-sex partners who are not legally married) to be personal representatives for purposes of access to PHI. [Note: HHS treats legally married same-sex spouses as “family members” under HIPAA; see its special topic publication on the subject.]
However, if the State law does not recognize these certain individuals as personal representatives, perhaps because the State law is “more stringent than” HIPAA in affording the patient greater privacy, HHS might also have to amend its HIPAA preemption regulations.
Hospitals and other health care professionals are constantly called upon to exercise discretion in dealing with requests for PHI from family members and loved ones of patients while complying with HIPAA. HIPAA regulations may need to be modified, or perhaps could be “waived” (as described in yesterday’s Washington Post article) in some cases, but only when doing so furthers the fundamental HIPAA goals of privacy protection and facilitation of appropriate access.
Because of the enormity of the Orlando tragedy, some State legislatures may be expected to consider whether changes are necessary to promote information sharing in exigent circumstances while preserving the State’s interest in affording patients greater privacy protection than that afforded by HIPAA.
This web site is not intended to be, and you should not rely on any materials on this blog as a source of legal advice. Postings to this web site have been prepared for informational purposes only.
Transmission or receipt of information contained in this web site does not create an attorney-client relationship. No assurance is given that any correspondence, via e-mail or otherwise, between you and the author of this blog resulting from your receipt of information from this web site will be secure or treated as confidential or privileged. The transmission or delivery of any correspondence will not create an attorney-client relationship between you and the author of this blog. Please do not send the author any confidential information. Legal advice must be tailored to the specific circumstances of each situation, so nothing in this blog should be used as a substitute for the advice of qualified legal counsel in your jurisdiction familiar with your particular situation.
The author assumes no responsibility for the accuracy or timeliness of any information contained in this web site.
This blog is not intended to serve as an advertisement or solicitation of legal or any other business. In particular, the author does not intend or desire to solicit through this blog the business of anyone in any state or other jurisdiction where this web site can be accessed.