Rachel V. Rose (firstname.lastname@example.org) is Attorney at Law, PLLC, in Houston, Texas. Patrick Ouellette (email@example.com) is Assistant General Counsel at the Massachusetts Executive Office of Health and Human Services.
Recently, Roger Severino, director of the Department of Health & Human Services (HHS) Office for Civil Rights (OCR), indicated that in relation to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), “[f]or enforcement purposes, there’s still a lot of low-hanging fruit.” The 2019 year-end trend of OCR issuing fines for violations of the Privacy Rule, the Security Rule, as well as the intersection of various state biometric and privacy laws, highlights the value of compliance and how it ultimately reduces the risk of a potential OCR enforcement action.
From September through December 2019, OCR issued several financial penalties related to Privacy Rule violations. Importantly, two cases (the Bayfront Health St. Petersburg and Korunda Medical LLC cases) related to failures to provide patients access to their own medical records within the time frame and fee structure prescribed by HIPAA, resulting in the first enforcement actions and settlements under OCR’s Right of Access Initiative. The Privacy Rule also rears its head in times of natural disasters, infectious disease outbreaks, and other emergencies. For example, the COVID-19 outbreak serves as a reminder to providers as to what can and cannot be disclosed, as well as to whom it may be disclosed.
The purpose of this article is to home in on what is considered “low-hanging fruit” by OCR; review the February 2020 bulletin, “HIPAA Privacy and the Novel Coronavirus,” in light of current events; and provide compliance best practice areas that can mitigate the risk of an actionable HIPAA violation or breach of protected health information (PHI).
The Security Rule and Privacy Rule make it very clear that certain technical, administrative, and physical safeguards need to be implemented in order for an organization to be considered compliant with HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Neither HIPAA nor the HITECH Act is new, with HIPAA stemming back to 1996 and the HITECH Act dating back to 2009. Therefore, it’s perplexing that “[t]here are a lot of entities that are not doing the basic steps to make sure that they have proper, for example, cybersecurity protections in place. They’re not doing the comprehensive risk analyses on the front end.” No entity is exempt from this particular requirement, as illustrated by the $1.6 million penalty imposed by OCR in November 2019 on Texas Health and Human Services.
According to HHS’s website, “The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”
Examples of technical, administrative, and physical safeguards, all of which should be addressed in an annual comprehensive risk analysis, include: access controls (e.g., unique user IDs and passwords, access logs); adequate encryption (minimum 256-bit) both at rest and in transit; adequate annual training; and comprehensive policies and procedures. Likewise, as indicated on the HHS website,
“The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.”
As previously mentioned, the privacy of one’s PHI, as well as the right to examine and obtain a copy of PHI, is inherent in HIPAA, and the failure of covered entities to provide access was a focus of OCR in the latter part of 2019. Thus, during an annual risk analysis, the Privacy Rule should be given the same attention as the Security Rule.
The HHS Coronavirus Bulletin
In terms of public health concerns and other disasters, there are certain exceptions to the Privacy Rule with respect to the disclosure of PHI. For example, as the COVID-19 public health issue demonstrates, the Privacy Rule carves out an exception to enable public health and safety entities such as the Centers for Disease Control and Prevention (CDC) to access PHI in order to carry out various public health initiatives without first obtaining the patient’s consent. Pursuant to 45 C.F.R. §§ 164.501 and 164.512(b)(1)(i), “a covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Novel Coronavirus (2019-nCoV).”
Another important aspect of the Privacy Rule’s application during a public health event is disclosure to family, friends, and others involved in an individual’s care. The February 2020 Bulletin provides the following guidance in relation to 45 C.F.R. § 164.510(b):
“A covered entity may share protected health information with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. A covered entity also may share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death. This may include, where necessary to notify family members and others, the police, the press, or the public at large. See 45 C.F.R. § 164.510(b).
“The covered entity should get verbal permission from individuals or otherwise be able to reasonably infer that the patient does not object, when possible; if the individual is incapacitated or not available, covered entities may share information for these purposes if, in their professional judgment, doing so is in the patient’s best interest.
“For patients who are unconscious or incapacitated: A health care provider may share relevant information about the patient with family, friends, or others involved in the patient’s care or payment for care, if the health care provider determines, based on professional judgment, that doing so is in the best interests of the patient. For example, a provider may determine that it is in the best interests of an elderly patient to share relevant information with the patient’s adult child, but generally could not share unrelated information about the patient’s medical history without permission.
“In addition, a covered entity may share protected health information with disaster relief organizations that, like the American Red Cross, are authorized by law or by their charters to assist in disaster relief efforts, for the purpose of coordinating the notification of family members or other persons involved in the patient’s care, of the patient’s location, general condition, or death. It is unnecessary to obtain a patient’s permission to share the information in this situation if doing so would interfere with the organization’s ability to respond to the emergency.”
HHS will often provide an alert or a bulletin in the wake of a public health emergency or a natural disaster. It is crucial to check the HHS website and become familiar with the nuances associated with a particular event. Except for disclosures made to healthcare providers for treatment purposes, the minimum necessary standard should always be applied.
Conducting an annual risk analysis is crucial for everyone who creates, receives, maintains, and/or transmits PHI. It gives an annual lay of the land in terms of the technical, administrative, and physical safeguards. The impetus is ensuring that the confidentiality, integrity, and availability of the PHI remains intact. As Director Severino noted, “[t]hey’re not implementing the proper controls on access [to patient records]. They’re not having proper password policies. They’re not doing system activity reviews to [make] sure that the logs that they have already in place to detect intrusion or attacks are being monitored. There is also not sufficient training for privacy, when you have, in some cases, doctors or nurses accessing people’s health information out of pure curiosity.”
Director Severino’s comments should serve as a guidepost for cultivating a culture of HIPAA/HITECH Act compliance. Yet many businesses and individuals decide to ignore HIPAA compliance by cutting corners: not conducting annual training, not performing an annual risk analysis, failing to execute Business Associate Agreements, and not having appropriate HIPAA Authorizations and the related Notice of Privacy Practices.
The most basic HIPAA/HITECH Act compliance items include annual risk analysis, data encryption at rest and in transit, annual training, adequate policies and procedures with annual review and updates, and Business Associate Agreements.
Conducting an adequate risk analysis, while not remedying past noncompliance, can serve to avoid falling into the basket of low-hanging fruit.
Another area to monitor closely relates to the Privacy Rule and patients’ access to their medical records, since OCR has begun enforcing its HIPAA Right of Access Initiative. HIPAA mandates that covered entities act on patient requests for their records no later than 30 days after receipt of the request, and OCR states that the 30 calendar days is an “outer limit and covered entities are encouraged to respond as soon as possible.” The Privacy Rule also allows covered entities to charge individuals a reasonable, cost-based fee when they request a copy of their PHI.
Covered entities and their business associates should also consider state law when reviewing their policies related to patient access to their own medical records. For instance, the Massachusetts regulation promulgated by the Board of Registration of Medicine, titled the “General Provisions Governing the Practice of Medicine,” covers patients’ access to copies of medical records as well as the fees associated with such access and states that “[u]pon a patient’s request, a licensee shall provide the following in a timely manner, to a patient, other licensee or other specifically authorized person: (1) The opportunity to inspect that patient's medical record, except in the circumstances described at 243 CMR 2.07(13)(e); (2) A copy of such record, except in the circumstances described at 243 CMR 2.07(13)(e); (3) A copy of any previously completed report required for third-party reimbursement.” Notably, as opposed to HIPAA’s 30-day requirement, this regulation does not prescribe a specific turnaround time for patient record requests, only that they be provided by a licensed Massachusetts provider in a timely manner.
Additionally, under Massachusetts General Laws, healthcare providers must provide health records requested in relation to a claim or appeal “under any provision of the Social Security Act or any federal or state financial needs-based benefit program” within 30 days of the request. Patient record copies are also required to be “furnished upon the request and a payment of a reasonable fee . . . of not more than $15 for each request for a hospital or clinic medical record; a per page charge of not more than $0.50 for each of the first 100 pages of a hospital or clinic medical record that is copied per request; and not more than $0.25 per page for each page in excess of 100 pages of a hospital or clinic medical record that is copied per request.”
In light of the 2019 OCR enforcement actions discussed earlier in this article, when weighing HIPAA versus state medical record access laws, entities will want to consider that only those state laws that are more beneficial to patients (i.e., shorter timelines and lower fees) and are not in conflict with HIPAA will take precedence over HIPAA.
To avoid falling into the bucket of low-hanging fruit, people who create, receive, maintain, and/or transmit PHI should conduct an adequate annual risk analysis. In relation to declared emergencies, entities should access the HHS website and stay abreast of nuances associated with a particular emergency, as well as updates. Finally, compliance can serve as a risk reduction measure, even if entities let it lapse for a while or never had it to begin with.
Noncompliance is a business risk not worth taking, as it can result in enforcement actions and a costly defense of a class action lawsuit. The financial, legal, and reputational costs are worth considering.
Conduct an annual and comprehensive risk analysis.
Stay abreast of state consumer privacy laws, which often reference HIPAA.
Keep a pulse on Office for Civil Rights enforcement actions and look for trends.
Appreciate state law time frames for medical record disclosures.
Use an enterprise risk management approach to assess risk throughout the organization.