<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Compliance Archives - Herrin Health Law, P.C.</title>
	<atom:link href="https://herrinhealthlaw.com/category/compliance/feed/" rel="self" type="application/rss+xml" />
	<link>https://herrinhealthlaw.com/category/compliance/</link>
	<description>Comprehensive Legal Services Dedicated to the Healthcare Industry</description>
	<lastBuildDate>Thu, 16 May 2024 10:49:24 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://herrinhealthlaw.com/wp-content/uploads/2018/03/cropped-Herrin-Health-Law-Favicon-BC-64x-32x32.png</url>
	<title>Compliance Archives - Herrin Health Law, P.C.</title>
	<link>https://herrinhealthlaw.com/category/compliance/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>What Your Compliance Officer Is &#8212; And Is Not</title>
		<link>https://herrinhealthlaw.com/compliance-officer/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=compliance-officer</link>
		
		<dc:creator><![CDATA[Barry Herrin]]></dc:creator>
		<pubDate>Sat, 27 Mar 2021 11:34:48 +0000</pubDate>
				<category><![CDATA[Compliance]]></category>
		<guid isPermaLink="false">https://herrinhealthlaw.com/?p=1191</guid>

					<description><![CDATA[<p>Learn vital differences between the roles of the compliance officer and counsel, dangers of blurring lines, and ways to reduce risk.</p>
<p>The post <a href="https://herrinhealthlaw.com/compliance-officer/">What Your Compliance Officer Is &#8212; And Is Not</a> appeared first on <a href="https://herrinhealthlaw.com">Herrin Health Law, P.C.</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_0 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_0">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_0  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_0  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner">
<div class="et_pb_row et_pb_row_0">
<div class="et_pb_column et_pb_column_4_4 et_pb_column_0  et_pb_css_mix_blend_mode_passthrough et-last-child">
<div class="et_pb_module et_pb_text et_pb_text_0  et_pb_text_align_left et_pb_bg_layout_light">
<div class="et_pb_text_inner">
<p>As published in the <em>Journal of Health Care Law and Policy</em></p>
<p>In the strange way that thoughts connect and evolve, an experience I had on October 11, 2019 as a panelist for the University of Maryland Carey Law’s In-House Counsel Roundtable¹ just came back to mind as I read an online post from one of those accounting firms that sounds like people really wanting to be lawyers who are trapped in the license of accountants. Everyone is giving advice on what to do during and after our experience with COVID-19, and you have already heard from me on this point.² However, this particular measure of information is meant to address a disturbing trend highlighted in both my panel experience and in the accounting firm post, which is the misunderstanding of the separate roles of the compliance officer and counsel, and—of more immediate concern—the unhelpful (and in some cases dangerous) broadening of the role of the compliance officer into an all-laws inspector general for the healthcare enterprise.</p>
<p><a href="https://staging2.herrinhealthlaw.com/wp-content/uploads/2021/03/HHL-Herrin-JHCLP-Compliance-Office-Is-And-Is-Not.pdf" target="_blank" rel="noreferrer noopener" style="font-size: 0.8em;">Read the full article in a browser. </a><a href="https://staging2.herrinhealthlaw.com/wp-content/uploads/2021/03/HHL-Herrin-JHCLP-Compliance-Office-Is-And-Is-Not.pdf" class="wp-block-file__button" download="" style="font-size: 0.8em;"> Download PDF</a></p>
<div class="wp-block-group">
<div class="wp-block-group__inner-container">
<div class="wp-block-file alignleft"><em><a href="https://staging2.herrinhealthlaw.com/barry-herrin/">Barry S. Herrin</a>, JD, FAHIMA, FACHE, is the founder of <a href="https://staging2.herrinhealthlaw.com/">Herrin Health Law, P.C</a>., in Atlanta, Ga. Herrin offers more than 30 years of experience practicing law in the areas of healthcare and hospital law and policy, privacy law and health information management, among other healthcare-specific practice areas. He is a Fellow of the American College of Healthcare Executives and a Fellow of the American Health Information Management Association. He also holds a Certificate in Cyber Security from the Georgia Institute of Technology. Reach him at 404-459-2526 or <a href="mailto:barry.herrin@herrinhealthlaw.com">barry.herrin@herrinhealthlaw.com</a>.</em></div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="et_pb_row et_pb_row_1">
<div class="et_pb_column et_pb_column_4_4 et_pb_column_1  et_pb_css_mix_blend_mode_passthrough et-last-child">
<div class="et_pb_module et_pb_text et_pb_text_1  et_pb_text_align_left et_pb_bg_layout_light">
<div class="et_pb_text_inner">
<p><strong>Citations</strong></p>
<p><span>Barry S. Herrin, What Your Compliance Office Is – And Is Not, 24 J. Health Care L. &amp; Pol’y 139 (2021). Available at: </span><a href="https://digitalcommons.law.umaryland.edu/jhclp/vol24/iss1/7" target="_blank" rel="noreferrer noopener">https://digitalcommons.law.umaryland.edu/jhclp/vol24/iss1/7</a></p>
<p>¹ Further details and information regarding this event can be found at: Hot Topics for In-House Counsel at Health Care Institutions, UNIV. OF MD. FRANCIS KING CAREY SCH. L., (Oct. 11, 2019),<br /><a href="https://www.law.umaryland.edu/Programs-and-Impact/Health-Law/Events/AHLA/">https://www.law.umaryland.edu/Programs-and-Impact/Health-Law/Events/AHLA/</a>.</p>
<p>² Barry Herrin, Teleworking Due to COVID-19? Protect PHI From Security Threats, Starting with this Policy, HERRIN HEALTH L.,<span> </span><a href="https://staging2.herrinhealthlaw.com/teleworking-due-to-covid-19-protectphi-from-security-threats-with-this-policy/">https://staging2.herrinhealthlaw.com/teleworking-due-to-covid-19-protectphi-from-security-threats-with-this-policy/</a><span> </span>(last visited Feb. 3, 2021).</p>
</div>
</div>
</div>
</div>
<div class="wp-block-group"></div></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Eight release of information (ROI) missteps to avoid</title>
		<link>https://herrinhealthlaw.com/eight-roi-missteps-to-avoid/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=eight-roi-missteps-to-avoid</link>
		
		<dc:creator><![CDATA[Herrin Health Law]]></dc:creator>
		<pubDate>Sat, 14 Sep 2019 02:11:07 +0000</pubDate>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Publications]]></category>
		<guid isPermaLink="false">https://herrinhealthlaw.com/?p=950</guid>

					<description><![CDATA[<p>Experts agree it’s easy to make common mistakes in releasing medical information as HIPAA regulations evolve. Here are eight to avoid. As published in "For the Record."</p>
<p>The post <a href="https://herrinhealthlaw.com/eight-roi-missteps-to-avoid/">Eight release of information (ROI) missteps to avoid</a> appeared first on <a href="https://herrinhealthlaw.com">Herrin Health Law, P.C.</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_1 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_1">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_1  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_1  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>As HIPAA regulations evolve, it&#8217;s easy to make common mistakes in releasing medical information. <a href="https://herrinhealthlaw.com/barry-herrin/">Barry S. Herrin</a> and other subject-matter experts provide insight in &#8220;<a href="https://www.fortherecordmag.com/archives/0919p10.shtml" target="_blank" rel="noopener noreferrer">Eight ROI Missteps to Avoid</a>.&#8221; Written by Lisa A. Eramo, MA. As printed in <em>For The Record</em>, Vol. 31 No. 8 P. 10.</p>
<p><em><a href="https://herrinhealthlaw.com/barry-herrin/">Barry S. Herrin</a>, JD, FAHIMA, FACHE, is the founder of <a href="https://herrinhealthlaw.com/">Herrin Health Law, P.C</a>., in Atlanta, Ga. Herrin offers more than 25 years of experience practicing law in the areas of healthcare and hospital law and policy, privacy law and health information management, among other healthcare-specific practice areas. He is a Fellow of the American College of Healthcare Executives and a Fellow of the American Health Information Management Association. He also holds a Certificate in Cyber Security from the Georgia Institute of Technology. Reach him at 404-459-2526 or <a href="mailto:barry.herrin@herrinhealthlaw.com">barry.herrin@herrinhealthlaw.com.</a></em></p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The law firm business associate: New liabilities create conflicts of interest</title>
		<link>https://herrinhealthlaw.com/law-firm-business-associate-coi/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=law-firm-business-associate-coi</link>
		
		<dc:creator><![CDATA[Barry Herrin]]></dc:creator>
		<pubDate>Sun, 08 Apr 2018 17:26:52 +0000</pubDate>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Conflicts of Interest]]></category>
		<category><![CDATA[HIPAA]]></category>
		<guid isPermaLink="false">https://herrinhealthlaw.com/?p=551</guid>

					<description><![CDATA[<p>HIPAA has expanded liability for business associates and their subcontractors. Law firms are business associates and subcontractors to many covered-entity clients. In these roles, law firms may now be held directly liable for HIPAA compliance failures.</p>
<p>The post <a href="https://herrinhealthlaw.com/law-firm-business-associate-coi/">The law firm business associate: New liabilities create conflicts of interest</a> appeared first on <a href="https://herrinhealthlaw.com">Herrin Health Law, P.C.</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>As published in Health Care Compliance Association&#8217;s magazine <em><a href="https://www.hcca-info.org/Resources/NewsRoom/ComplianceToday.aspx" target="_blank" rel="noopener">Compliance Today</a>, </em>August 2015.</p>
<ul>
<li>HIPAA has expanded liability for business associates and their subcontractors.</li>
<li>Law firms are business associates and subcontractors to many covered-entity clients.</li>
<li>In these roles, law firms may now be held directly liable for HIPAA compliance failures.</li>
<li>HIPAA obligations may conflict with a law firm&#8217;s duties to its clients.</li>
<li>Because of these conflicts, a &#8220;standard&#8221; business associate agreement may not suffice.</li>
</ul>
<p>With the passage of the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009 and the January 17, 2013 publishing of final rules (the Omnibus Rule) implementing HITECH, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has expanded the applicability of the Health Insurance Portability &amp; Accountability Act of 1996 (HIPAA) Privacy and Security Rules to business associates and their subcontractors. The Omnibus Rule expands the definition of business associate to include subcontractors that create, receive, maintain, or transmit protected health information (PHI) on behalf of the business associate.<sup>1</sup> Consequently, a subcontractor of a business associate also can be a business associate and is subject to the HIPAA Privacy and Security Rules, even if the business associate is not a covered entity under HIPAA.</p>
<p>Law firms often serve as business associates to many of their clients who are covered entities and as subcontractors to clients who are business associates of covered entities. Consequently, as business associates or subcontractors of business associates, law firms may be held directly liable for their failure to comply with the HIPAA Privacy and Security Rules. Law firms should therefore execute Business Associate Agreements (BAAs) with their subcontractors who create, receive, maintain, or transmit PHI to ensure that these subcontractors are aware of and agree to comply with the Privacy and Security Rules. Moreover, law firms should identify whether they are subject to the Privacy and Security Rules as subcontractors of business associates by instituting procedures that would assess whether their clients are business associates of covered entities.</p>
<p>This direct liability for a business associate&#8217;s wrongful acts that violate HIPAA creates performance and notice obligations that are significantly broader than under prior versions of law. Some of these broader requirements may conflict with the law firm&#8217;s duties to its clients. For example, the requirement that a business associate notify individuals of a &#8220;breach&#8221; as defined in HITECH and the Omnibus Rule would disclose that the covered entity had retained the law firm. The nature of the law firm&#8217;s use of PHI could create issues under the rules of attorney-client confidentiality, attorney-client privilege, and the work-product doctrine. Rule 1.6(a) of the American Bar Association&#8217;s Model Rules of Professional Conduct states that &#8220;[a] lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is [otherwise permitted].&#8221; Commentary to Rule 1.6 states in part that &#8220;[a] fundamental principle in the client-lawyer relationship is that, in the absence of the client&#8217;s informed consent, the lawyer must not reveal information relating to the representation &#8230;. This contributes to the trust that is the hallmark of the client-lawyer relationship.&#8221;</p>
<p>The Model Rules prohibit the attorney from disclosing any information relating to the representation of the client without the client&#8217;s consent. Consequently, the law firm/business associate cannot be the party charged with notifying a covered entity&#8217;s patients about a breach unless the covered entity consents, thereby waiving the requirement of confidentiality. A provision in a BAA between a law firm and a covered entity dealing with this situation might look like this:</p>
<p>The covered entity (CE) shall determine whether the business associate (BA) or CE will be responsible for providing notification of any &#8220;breach&#8221; (as specified in 45 C.F.R. § 164.410(c)) to affected individuals, the media, the HHS Secretary, and/or any other parties required to be notified under the HIPAA regulations or other applicable law. If CE determines that BA will be responsible for providing such notification, BA may not carry out notification without receipt of a written directive to do so from CE. Except as otherwise provided in this Agreement, nothing in this Agreement shall be construed as abrogating, or as a waiver by BA of, applicable privilege or other legal protections that may be asserted by CE. If CE fails or refuses to provide notification of a breach as required by 45 C.F.R. § 164.410 and directs BA not to provide notification of such breach, the CE shall have the obligation to defend any legal action that occurs as a result of such directive and to indemnify and hold the BA harmless from any costs, losses, damages, fines, penalties, and other assessments against the BA arising out of or relating to such directive.</p>
<p>Similarly, business associates are required to make available their &#8220;internal practices, books, and records relating to the use and disclosure of PHI&#8221; on behalf of a covered entity client to the HHS Secretary to determine the covered entity&#8217;s (and now the business associate&#8217;s) compliance with HIPAA. Such a disclosure could expose information of the covered entity protected by the principles of attorney-client confidentiality enshrined in Rule 1.6 to the government and could even create a situation in which the law firm as a business associate could be required to furnish inculpatory information on its covered entity client.</p>
<p>Consequently, a law firm/business associate would have to assert the privilege and not produce the requested information, risking the imposition of direct sanctions against itself in order to protect the confidences and secrets of the client. To deal with this situation, many law firms require their covered entity clients to affirmatively waive the privilege prior to any production of information, or indemnification if the client refuses to execute a waiver. A provision in a business associate agreement dealing with this scenario might look like this:</p>
<p>BA will promptly notify CE when it receives a request, made on behalf of the HHS Secretary pursuant to 45 C.F.R. § 160.310, that BA make available its internal practices, books, and records relating to the use and disclosure of protected health information (PHI) to the Secretary for purposes of determining BA&#8217;s or CE&#8217;s compliance with the HIPAA regulations. Upon BA&#8217;s receipt of a written directive to do so from CE, BA will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary for such purposes. Except as provided in this subsection C.6., nothing in this Agreement shall be construed as abrogating, or as a waiver by BA of, applicable privilege or other legal protections that may be asserted by CE or any other CE of BA in response to such a request by the HHS Secretary. If CE directs BA not to make its internal practices, books, and records relating to the use and disclosure of PHI available to the HHS Secretary pursuant to a request from the Secretary, CE shall have the obligation to defend any legal action that occurs as a result of such directive and to indemnify and hold harmless BA from any costs, losses, damages, fines, penalties, and other assessments against BA arising out of or relating to such directive.</p>
<p>Thus, in order to protect itself from liability created by its own client&#8217;s failure to waive the protections afforded by the attorney-client relationship, the law firm/business associate must tender a BAA that creates a conflict of interest with its own client. If a client refuses to sign the agreement without negotiation, the law firm/business associate would be required to inform its own client that it should seek independent representation for the purpose of negotiating the law firm&#8217;s BAA. Rule 1.8(h) states that a lawyer &#8220;shall not make an agreement prospectively limiting the lawyer&#8217;s liability to a client for malpractice unless the client is independently represented in making the agreement.&#8221; To the extent that the BAA is construed merely as a business arrangement and not one limiting the ability to sue for malpractice, Rule 1.8(a) would require that: &#8230; the client is advised in writing of the desirability of seeking and is given a reasonable opportunity to seek the advice of independent legal counsel on the transaction; and the client gives informed consent, in a writing signed by the client, to the essential terms of the transaction and the lawyer&#8217;s role in the transaction.<sup>2</sup></p>
<h3>Conclusion</h3>
<p>The HIPAA Privacy and Security Rules have created an environment in which attorneys can be adverse to their own clients when defining their roles as a covered entity and business associate. Understanding the attorney&#8217;s existing obligations to the client under the attorney-client privilege may help avoid a conflict when it comes time to execute a business associate agreement.</p>
<p><em><a href="https://herrinhealthlaw.com/barry-herrin/">Barry S. Herrin</a>, JD, FAHIMA, FACHE, is the founder of <a href="https://herrinhealthlaw.com/">Herrin Health Law, P.C</a>., in Atlanta, Ga. Herrin offers more than 25 years of experience practicing law in the areas of healthcare and hospital law and policy, privacy law and health information management, among other healthcare-specific practice areas. He is a Fellow of the American College of Healthcare Executives and a Fellow of the American Health Information Management Association. He also holds a Certificate in Cyber Security from the Georgia Institute of Technology.</em></p>
<p><strong>Citations</strong></p>
<ol>
<li>45 C.F.R. §160.103</li>
<li>American Bar Association: Rule 1.8 Conflict of Interest: Current Clients: Specific Rules.</li>
</ol>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Tips for Alternative Payment Model (APM) Contract Administration and Negotiation</title>
		<link>https://herrinhealthlaw.com/tips-for-arm-contract-administration-negotiation/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tips-for-arm-contract-administration-negotiation</link>
		
		<dc:creator><![CDATA[Barry Herrin]]></dc:creator>
		<pubDate>Sun, 08 Apr 2018 15:18:06 +0000</pubDate>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Finance]]></category>
		<guid isPermaLink="false">https://herrinhealthlaw.com/?p=538</guid>

					<description><![CDATA[<p>A true APM offering creates clinical and financial integration that helps with federal and state antitrust compliance, redundant care, positive clinical outcomes, and cost reduction. Consider these changes in operations and thought processes as your organization transitions from fee-for-service to APM reimbursement. </p>
<p>The post <a href="https://herrinhealthlaw.com/tips-for-arm-contract-administration-negotiation/">Tips for Alternative Payment Model (APM) Contract Administration and Negotiation</a> appeared first on <a href="https://herrinhealthlaw.com">Herrin Health Law, P.C.</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h3>Using People, Processes, and Technology</h3>
<p>For institutions entering into the alternative payment model (APM) landscape for the first time, there needs to be an appreciation of what this activity does and does not entail. It does not simply mean that the enterprise can package a reduced fee-for-service pricing structure into a different bag. Neither does it mean that the enterprise can expect new money for meeting quality benchmarks that it should already be meeting. Finally, in the words of one hospital executive, it does not mean that everything can stay the same except I can write the doctors a check.</p>
<p>Rather, a true APM offering creates the kind of clinical and financial integration that can help with federal and state antitrust compliance as well as with elimination of duplicative or redundant care. APMs can increase positive clinical outcomes and reduce cost, all without denying patients medically necessary services. So, as institutions transition from fee-for-service to APM reimbursement, changes in operations and in thought processes need to occur, often in parallel with ongoing efforts to stabilize revenues under the &#8216;old way&#8217; of doing things.</p>
<p>The biggest initial hurdle for institutions contemplating APM relationships is <b><i>whether the information technology already within the enterprise is capable</i></b> of gathering even basic clinical outcome data and sorting it within a variety of patient populations. Claims data, if made available by payors, and especially for a care-managed population, can show a variety of clinical activities such as medication compliance (with prescription refill information) and clinical activity outside of the APM enterprise (most hospitals and multispecialty physician groups do not include vision, dental, and other types of routine care services). Integrating this claims data with the enterprise&#8217;s electronic health record (EHR) is a critical first step, and many legacy systems (and some modern EHRs) do not have this capability. Interface engines and bridging technology are expensive as well. So, a business decision whether the cost of new APM-assistive technology is less than the anticipated additional revenue from APM payors should be made.</p>
<p>While considering the capability of the EHR to gather and sort clinical data in a helpful way, the enterprise should also analyze its business systems to make sure that, among other things, <b><i>revenue from care NOT provided can be linked to patients</i></b> whose overall care is being managed within the APM framework. Many APMs link the payment of bonuses to decreases in the overall spend experienced by individual patients or patient groups, and linking these shared savings and other payments to providers who prevented unneeded (and therefore unbilled) patient care becomes important. A variety of regulatory schemes require that these savings be paid proportionally to the owners or participants in the APM venture as well, so business systems need to be able to track this and integrate this information into the back-end payments of bonus or savings revenues.</p>
<p>Once the capabilities of the enterprise&#8217;s various data systems have been established, the contract negotiation team, which should include providers as well as business executives, counsel, and other subject matter experts, should convene to discuss <b><i>which data will be measured within the APM and what monetary value will be assigned</i></b> to each of these measurable data points. Clinicians generally do not like being measured on things that don&#8217;t matter clinically; yet, you can&#8217;t manage what you don&#8217;t measure is still the order of the day. One strategy to gain compliance is to sort the measurable data into baskets or to create successive gates through which a successful provider must pass in order to qualify for higher and higher distributions of shared savings or non-care-related revenues. The unfortunate reality of APM contracting is that once one payor requires a healthcare provider to measure some performance capability, the APM ends up measuring it for ALL payors, on the theory that quality is payor agnostic and the enterprise doesn&#8217;t want to discriminate in the quality care it delivers based on payor type. Thus, controlling the number and quality of measurable data points at the outset of an APM relationship is critical to prevent participants from measuring everything and focusing on nothing of clinical significance. And APM participants can&#8217;t forget the various legal mandates not to create payment methodologies that incentivize providers to deprive patients of medically necessary care; however, what is medically necessary may vary depending on which regulatory scheme you apply and what a particular payor feels about therapeutically equivalent care.</p>
<p>Care must be taken as well <b><i>not to agree to an onerous measurement framework for which there is no new money</i></b>. Assuming there have been no problems with the quality of care in the past, APM providers should not agree to terms that allow the payor to claw back contracted rates by adding new preconditions to payment. There is enough value in increasing quality and decreasing the overall medical spend in any patient population such that only new money needs to be put at risk. The chief value of the APM gambit is that the providers earn out their efficiencies and quality improvements.</p>
<p>Monitoring compliance with all of the contract&#8217;s provisions is a necessary step, which is made more difficult by the traditional separation of enterprise oversight and management into different silos of responsibility. To the extent that a separate business organization has not been formed to deal with APM contracting and payment issues, <b><i>close collaboration between clinical and administrative departments needs to be created and maintained</i></b>. For example, physicians may not make critical distinctions between care pathways that have vastly different financial consequences unless they are both included in the conversation about developing those pathways and reminded of those pathways when atypical patients present. Similarly, clinical reasons need to be developed and explained when business office staff request additions to or changes to medical record documentation (such as hospital-acquired conditions or present on admission indicators); reimbursement as a motivator typically does not impress physician partners. Finally, frequent feedback on both clinical and financial benchmarks needs to be provided to all participants. Industry information shows that this dashboard information is more effective when presented as a comparison with other participants (on an anonymous basis, of course), as most providers do not want to be viewed as negative outliers.</p>
<p>If a separate organization has been established to manage the APM arrangements, then one compliance-related item of documentation should be a <b><i>business associate agreement between each APM provider and the management organization</i></b>. Unless the manager is a licensed entity under state insurance law, most likely it will be viewed as a &#8216;legal stranger&#8217; to the flow of protected health information (PHI) and will need a business associate agreement with each provider. Likewise, the provision of PHI to members of the APM collaborative NOT involved in direct patient care creates another compliance risk and such information should be de-identified before sharing with APM management and membership.</p>
<p><em><a href="https://herrinhealthlaw.com/barry-herrin/">Barry S. Herrin</a>, JD, FAHIMA, FACHE, is the founder of <a href="https://herrinhealthlaw.com/">Herrin Health Law, P.C</a>., in Atlanta. Herrin offers more than 30 years of experience practicing law in the areas of healthcare and hospital law and policy, privacy law and health information management, among other healthcare-specific practice areas. He is a Fellow of the American College of Healthcare Executives and a Fellow of the American Health Information Management Association. He also holds a Certificate in Cyber Security from the Georgia Institute of Technology.</em></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Respond to Federal Recoupment Initiatives by Improving Clinical Documentation</title>
		<link>https://herrinhealthlaw.com/federal-recoupment-clinical-documentation/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=federal-recoupment-clinical-documentation</link>
		
		<dc:creator><![CDATA[Barry Herrin]]></dc:creator>
		<pubDate>Sun, 08 Apr 2018 11:22:46 +0000</pubDate>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Insurance]]></category>
		<guid isPermaLink="false">https://herrinhealthlaw.com/?p=535</guid>

					<description><![CDATA[<p>The concept of &#8220;low-hanging fruit&#8221; is a motivational factor in Recovery Audit Contractor (RAC) audits. But just because you have a code doesn&#8217;t mean it&#8217;s covered. Not knowing the rules can land you in jail.</p>
<p>The post <a href="https://herrinhealthlaw.com/federal-recoupment-clinical-documentation/">Respond to Federal Recoupment Initiatives by Improving Clinical Documentation</a> appeared first on <a href="https://herrinhealthlaw.com">Herrin Health Law, P.C.</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The concept of &#8216;low-hanging fruit&#8217; is a motivational factor in Recovery Audit Contractor (RAC) audits. The following diagnoses are some of the most common areas of recoupment activity:</p>
<ul>
<li>Renal and urinary tract disorders</li>
<li>Surgical cardiovascular procedures</li>
<li>Acute inpatient admissions for neurological disorders</li>
<li>Outpatient services billed as inpatient encounters.</li>
</ul>
<p>The application of overpayment recoupment provisions under the Patient Protection and Affordable Care Act as well as Medicare Conditions of Participation provisions was illustrated with specific examples seen in practices. Some reasons for queries include ineffective practices resulting from the practice&#8217;s utilization review department being absorbed into the case management function, creation of workarounds for physician satisfaction, submission of noncompliant (leading) queries, assumptive actions by coders, and misconceptions of providers.</p>
<p>It is important for CDI professionals to focus on revenue integrity, understanding that the outcome of such an approach may not be an increase in billing, but rather keeping more of what has been billed. Correct coding may mean lower initial reimbursement but more certainty in the revenue picture. To ensure success, revenue integrity initiatives can be initiated, such as creating teams of internal experts, which may include health information management (HIM), case management, nursing, medical staff, billing, and corporate compliance. The continuous training of staff is important and can include teaching physicians the basics of coding and teaching coders about clinical documentation processes. One way to provide this education is by having CDI professionals involved in reviewing health records for content on the floor during episodes of care. Coding is a HIM function, not a business office function. Some postulates that can be beneficial to follow include: just because you have a code doesn&#8217;t mean it&#8217;s covered, just because you&#8217;ve been paid once doesn&#8217;t mean you&#8217;ll get paid again, and not knowing the rules can land you in jail.</p>
<p><b><i>Proceedings of AHIMA&#8217;s 2017 Summit on Clinical Documentation Improvement: Advancing the Documentation Journey</i></b></p>
<p>The excerpt above describes Barry Herrin&#8217;s presentation during the American Health Information Management Association&#8217;s annual clinical documentation improvement (CDI) summit July 31 to Aug. 1, 2017.</p>
<p><em><a href="https://herrinhealthlaw.com/barry-herrin/">Barry S. Herrin</a>, JD, FAHIMA, FACHE, is the founder of <a href="https://herrinhealthlaw.com/">Herrin Health Law, P.C</a>., in Atlanta. Herrin offers more than 25 years of experience practicing law in the areas of healthcare and hospital law and policy, privacy law and health information management, among other healthcare-specific practice areas. He is a Fellow of the American College of Healthcare Executives and a Fellow of the American Health Information Management Association. He also holds a Certificate in Cyber Security from the Georgia Institute of Technology.</em></p>
<p>The post <a href="https://herrinhealthlaw.com/federal-recoupment-clinical-documentation/">Respond to Federal Recoupment Initiatives by Improving Clinical Documentation</a> appeared first on <a href="https://herrinhealthlaw.com">Herrin Health Law, P.C.</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Security Incidents and Breaches in the Healthcare Industry (Case Study)</title>
		<link>https://herrinhealthlaw.com/security-incidents-breaches-healthcare-industry-case-study/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=security-incidents-breaches-healthcare-industry-case-study</link>
		
		<dc:creator><![CDATA[Barry Herrin]]></dc:creator>
		<pubDate>Tue, 06 Mar 2018 22:22:39 +0000</pubDate>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Data security]]></category>
		<category><![CDATA[HIPAA]]></category>
		<guid isPermaLink="false">https://herrinhealthlaw.com/?p=540</guid>

					<description><![CDATA[<p>When it comes to notification of breaches of patient medical information, federal and state laws vary. Providers treating patients from other states also may have regulatory burdens that they are unaware of. Understand the differences between regulatory schemes and how to comply. </p>
<p>The post <a href="https://herrinhealthlaw.com/security-incidents-breaches-healthcare-industry-case-study/">Security Incidents and Breaches in the Healthcare Industry (Case Study)</a> appeared first on <a href="https://herrinhealthlaw.com">Herrin Health Law, P.C.</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h3><b><i>A Case Study in the Lack of Federal and State Coordination</i></b></h3>
<p><strong><em>As published in the <a href="http://www.issa.org/?page=ISSAJournal">ISSA Journal</a> February 2018. ISSA is the Information Systems Security Association International </em></strong></p>
<p><strong><em>Executive Summary:</em></strong><em> Federal and state laws governing notification of breach of patient medical information vary, and some of those variations are material. It is important for health care providers to understand the differences between these regulatory schemes and to comply with each. Providers located in one state and treating patients from another state may also have a regulatory burden of which they are unaware. The assistance of experienced privacy and data breach counsel should be sought when examining these issues.</em></p>
<p><strong>Introduction</strong></p>
<p>The Health Information Technology for Economic and Clinical Health Act (&#8220;HITECH Act&#8221;), enacted by Congress as a part of the American Recovery and Reinvestment Act of 2009, places a duty on covered entities to notify patients, the Secretary of the Federal Department of Health and Human Services through its Office for Civil Rights (&#8220;OCR&#8221;) and, in some cases, the media, of any breach of unsecured protected health information (&#8220;PHI&#8221;).<sup>1</sup>  Because of this obligation, it is important that health care providers develop internal systems for investigating security incidents involving unsecured PHI. Critically, although every breach of unsecured PHI is an impermissible disclosure under HIPAA, not every impermissible disclosure under HIPAA is a breach. Being able to tell the difference between the two will help covered entities avoid unnecessary, embarrassing, and potentially costly notification requirements and penalties.</p>
<p>Adding to this regulatory burden are the requirements of the several states governing patient information and its privacy. Although many states default to the federal HIPAA standard, many do not. In these states, covered entities may have different reporting requirements, definitions of data that are covered by the protections of state law, and differing penalties. Providers need to be aware of both and not make the mistake that HIPAA pre-empts all state privacy rules. Remember: only those state regulations that provide less protection for patients are replaced by HIPAA – <em>in all other circumstances, the state scheme survives</em>.<sup>2</sup></p>
<p><strong>The Federal Framework</strong></p>
<p>For federal purposes, &#8220;unsecured PHI&#8221; is defined as PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of encryption technologies or methods of physical destruction approved by OCR.<sup>3</sup> Currently approved encryption technologies and destruction methodologies are outlined in the National Institute of Standards and Technology (&#8220;NIST&#8221;) Special Publications 800-111, 800-52, 800-77, 800-113, and 800-88.<sup>4</sup> The definition should remind us that the federal HITECH breach and notification requirements <em>cover both paper and electronic records:</em> this is not just an expansion of the HIPAA Security Rule covering only electronic PHI.</p>
<p>A breach of unsecured PHI under the federal regulations occurs where (1) the PHI is acquired, accessed, used, or disclosed in a manner not permitted under the HIPAA Privacy Rule;<sup>5</sup> and (2) that compromises the security or privacy of the protected health information. The security or privacy of the information is <strong><em>presumed compromised</em></strong> for the purpose of this analysis <strong>UNLESS</strong> an exception applies (described below) OR the covered entity demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:</p>
<p>(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;</p>
<p>(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;</p>
<p>(iii) Whether the protected health information was actually acquired or viewed; and</p>
<p>(iv) The extent to which the risk to the protected health information has been mitigated.</p>
<p>Even if the breach does not pass the above analysis, it is still not a breach requiring notice and disclosure under the federal scheme if the information meets any one of the following three (3) criteria:</p>
<p>(a) It is individually identifiable health information held by the covered entity or business associate in its capacity as an employer. For example, workers&#8217; compensation information on a hospital&#8217;s employee would contain health information, but it would not be subject to these provisions.</p>
<p>(b) It is PHI that does not include one of the sixteen (16) identifiers listed at 45 C.F.R. § 164.514(e)(2) or the patient&#8217;s date of birth or the patient&#8217;s zip code.</p>
<p>(c) It is information that has been &#8220;de-identified&#8221; in accordance with the HIPAA Privacy Rule.<sup>6</sup></p>
<p><strong>A Smattering of State Schemes</strong></p>
<p>As one might expect, state legislators and regulators take very different approaches to privacy of their citizens’ personal health information and when notification of a security incident is required. A brief examination of three such regulatory schemes will illustrate the problem for health care businesses with a presence in more than one state.</p>
<p><strong><em>California</em></strong></p>
<p>Section 1280.15 of the California Health &amp; Safety Code requires certain medical providers to report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the [California Department of Public Health] no later than 15 business days after the unlawful or unauthorized access, use, or disclosure has been detected by the provider, and to make the same report to the affected patient or the patient’s representative.<sup>7</sup></p>
<p>Medical information means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment. Individually identifiable means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.<sup>8</sup> A breach in this context means any unlawful or unauthorized access to, [or] use [or] disclosure of medical information.<sup>9</sup> Unauthorized in this context means access, review, or viewing of patient medical information without a direct need for medical diagnosis, treatment, or other lawful use as permitted by the Confidentiality of Medical Information Act or any other statute or regulation governing the lawful access, use, or disclosure of medical information.<sup>10</sup></p>
<p>One can see immediately that the California statute is remarkably similar to the current HIPAA/HITECH statute in both the breadth of information covered and the circumstances under which that information is compromised. And both the California statute and HIPAA/HITECH exempt from the breach notification requirements incidents involving any information that is encrypted. However, the California statute does not contain any exemption from breach notification if there is a low probability that the [PHI] has been compromised as the federal scheme does: any breach meeting the California definition (and therefore, arguably, the HIPAA/HITECH definition) would require patient notification.<sup>11</sup></p>
<p>But, and importantly for our comparison, California does provide a safe harbor for health care entities involved in a breach that would qualify under both California law and HIPAA. Entities that are covered entities under HIPAA need only comply with the patient notification requirements articulated in HITECH in order to comply with the patient notice provisions of California law; however, those entities will still have to notify the California attorney general if required to do so.</p>
<p><strong><em>Florida</em></strong></p>
<p>The Florida Information Protection Act of 2014 (FIPA)<sup>12</sup> requires covered entities<sup>13</sup> to notify persons if a breach of security occurs with respect to a person’s personal information. FIPA defines personal information as either one of two types of information: (1) an individual’s first name or first initial and last name <em>in combination with</em> at least one of (a) a social security number; (b) a driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity; (c) a financial account number or credit or debit card number, <em>in combination with</em> any required security code, access code, or password that is necessary to permit access to an individual’s financial account; (d) <strong>any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional</strong>; <strong>or (e) an individual’s health insurance policy number or subscriber identification number <em>and</em> any unique identifier used by a health insurer to identify the individual</strong> OR (2) a user name or e-mail address, <em>in combination with</em> a password or security question and answer that would permit access to an online account.<sup>14</sup> A breach of security occurs when there is unauthorized access of data in electronic form containing personal information.<sup>15</sup> However, a breach is not a breach requiring notice if after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed.<sup>16</sup></p>
<p>Several things are apparent when comparing FIPA with HIPAA. First, there are fewer exceptions to the notification standard if a breach has occurred in FIPA; however, the risk protected against in FIPA (identity theft and financial harm) is arguably more narrow than the risk framework contemplated by HIPAA, which would include reputational and other non-financial risks, and could therefore more easily result in a no notice breach. Second, the exception available under FIPA requires active collaboration with law enforcement, whereas there is no such requirement in HIPAA. Third, although HIPAA could consider a breach to occur when any of the information listed in FIPA is used, accessed, acquired, or disclosed, FIPA requires those data elements to be accessed in combination with the patient’s name; thus, a release of just a patient’s name would not cause a breach under FIPA when it would under HIPAA. Fourth, FIPA requires the release of both the person’s email account AND password or access credential, whereas HIPAA requires only one of the two to be involved in a breach. Finally, and most importantly, FIPA only covers electronic information, whereas HIPAA applies to all PHI, regardless of the format in which it is maintained.</p>
<p><strong><em>North Carolina</em></strong></p>
<p>The Identity Theft Protection Act of 2005<sup>17</sup> requires businesses<sup>18</sup> and state and local government to notify people when there is a security breach involving their personal information.<sup>19</sup> For the purposes of this statute, a security breach is an incident of unauthorized access to <strong><em>and</em></strong> acquisition of <em>unencrypted<sup>20</sup></em> <em>and unredacted</em> records or <em>data containing personal information</em> where illegal use of the personal information has occurred or is reasonably likely to occur <strong><em>or</em></strong> that creates a material risk of harm to a consumer.<sup>21</sup></p>
<p>In the healthcare context, the North Carolina act may have limited application, as the types of data generally are only those relating to financial resources. However, a patient’s name, Social Security number, email addresses, biometric identifiers, fingerprints, and any other numbers or information that can be used to access a person&#8217;s financial resources,<sup>22</sup> which could include health plan beneficiary numbers and account numbers,<sup>23</sup> are protected under the North Carolina act and under HIPAA as well.</p>
<p>Without even considering the definition of personal information, note the important distinctions between the federal HIPAA framework and the North Carolina act. First, the data must be illegally accessed <strong><em>and</em></strong> acquired for the North Carolina act to apply, whereas HIPAA requires only one or the other. Second, and similar to the rule in Florida, whereas encryption of the data provides a complete exception to the breach and notice framework under HIPAA, the acquisition of the data along with the key to the encryption still constitutes a breach requiring notice in North Carolina. Third, unless criminal activity is involved, a security breach is not presumed under the North Carolina act; an analysis still must be conducted to determine whether there is a material risk of harm, which is the approach to the HIPAA breach notification scheme before its most recent amendment.</p>
<p><strong>Conclusion</strong></p>
<p>States take a varied approach to the regulation of losses of patient health information. Some regulate only electronic information (such as Florida), others only apply regulatory scrutiny if it can be shown that the information has been both accessed and acquired by an unauthorized person (such as North Carolina), and some, such as California, provide even broader protections than those found in HIPAA/HITECH. Providers operating in states with such statutes and regulations must be mindful of the differences between the federal and the operative state schemes. In addition, some states, of which North Carolina is one, would purport to regulate providers outside of the state who have protected information on its own citizens, a situation which could prove harmful to providers holding licenses in that state even though they may not have a physical presence in that state. Careful review of all of the statutes, rules, and regulations applicable to patient data safety and release is ever more critical. Providers would be well advised to seek knowledgeable counsel to guide them through these requirements.</p>
<p><em><a href="https://herrinhealthlaw.com/barry-herrin/">Barry S. Herrin</a>, JD, FAHIMA, FACHE, is the founder of <a href="https://herrinhealthlaw.com">Herrin Health Law, P.C.</a>, in Atlanta. Herrin offers more than 25 years of experience practicing law in the areas of healthcare and hospital law and policy, privacy law and health information management, among other healthcare-specific practice areas. He is a Fellow of the American College of Healthcare Executives and a Fellow of the American Health Information Management Association. He also holds a Certificate in Cyber Security from the Georgia Institute of Technology.</em></p>
<p><strong>Citations</strong></p>
<ol>
<li>The combined regulations can be accessed at <a href="https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf">https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf</a></li>
<li>45 C.F.R. Section 160.202.</li>
<li>45 C.F.R. Section 164.402</li>
<li>45 C.F.R. Section 164.310 requires covered entities to address the &#8220;final disposition of electronic protected health information and/or the hardware or electronic media on which it is stored&#8221; and to implement procedures for &#8220;removal of electronic protected health information from electronic media before the media are made available for re-use.&#8221; The NIST criteria for electronic data destruction are available at <a href="http://csrc.nist.gov/">http://csrc.nist.gov/</a>.</li>
<li>45 C.F.R. § 164.500, et seq.</li>
<li>45 C.F.R. Section 164.502(d) permits a covered entity or its business associate to create information that is not individually identifiable by following the de-identification standard and implementation specifications in §164.514(a)-(b).</li>
<li>Section 1280.15(b) of the California Health &amp; Safety Code.</li>
<li>Section 56.05(j) of the California Civil Code.</li>
<li>Section 1280.15(a) of the California Health &amp; Safety Code.</li>
<li>Id. The Confidentiality of Medical Information Act is found at Section 56 of the California Civil Code.</li>
<li>Section 1280.15(b) of the California Health &amp; Safety Code.</li>
<li>Fla. Stat. Section 501.171.</li>
<li>The definition includes arguably only commercial entities and all units of state and local government that maintain, store, or use personal information. Fla. Stat. Section 501.171(1)(b).</li>
<li>Fla. Stat. 501.171(1)(g)(1).</li>
<li>Fla. Stat. Section 501.171(1)(a).</li>
<li>Fla. Stat. Section 501.171(4)(c).</li>
<li>N.C.G.S. Chapter 75-60 et seq.</li>
<li>The business must either be located in North Carolina or the data must be that of North Carolina residents.</li>
<li>N.C.G.S. Section 75-65(a). The term personal information includes the information governed by N.C.G.S. Section 14-113.20(b) regarding identity theft, and includes the following pieces of information in combination with a person’s first name or first initial and last name: (1) Social Security or employer taxpayer identification numbers; (2) driver’s license, State identification card, or passport numbers; (3) checking account numbers; (4) savings account numbers; (5) credit card numbers; (6) debit card numbers; (7) Personal Identification (PIN) Code; (8) electronic identification numbers, electronic mail names or addresses, Internet account numbers, or Internet identification names; (9) digital signatures; (10) any other numbers or information that can be used to access a person&#8217;s financial resources; (11) biometric data; (12) fingerprints; (13) passwords; and (14) parent&#8217;s legal surname prior to marriage.</li>
<li>Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key shall [also] constitute a security breach. N.C.G.S. Section 75-61(14)</li>
<li>N.C.G.S. Section 75-65(a).</li>
<li>N.C.G.S. Section 14-113.20(b)(10).</li>
<li>45 C.F.R. Section 164-512(b)(2)(i)(H), (I), (P).</li>
</ol>
<p>The post <a href="https://herrinhealthlaw.com/security-incidents-breaches-healthcare-industry-case-study/">Security Incidents and Breaches in the Healthcare Industry (Case Study)</a> appeared first on <a href="https://herrinhealthlaw.com">Herrin Health Law, P.C.</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
