One of the largest hurdles to the growth of telehealth—the lack of a streamlined process for obtaining physician licensure in multiple states—is one step closer to being scaled. The Federation of State Medical Boards (“FSMB”) recently released a revised draft of its Interstate Medical Licensure Compact (“Compact”). This revised draft continues the efforts by FSMB and its member boards to study the feasibility of interstate license portability. Additionally, the revised draft of the Compact reflects changes based upon comments received from FSMB member boards and other stakeholders since the draft was released by FSMB earlier this year. Adoption of the Compact is critical to the interstate practice of telehealth. You can read the full alert here.
By Brandon Ge and Alaap Shah
The Department of Health and Human Services (“HHS”) is taking laudable steps to improve notices of privacy practices (“NPPs”) and make them more clear, understandable, and user-friendly. Under the HIPAA Privacy Rule, individuals are entitled to receive an NPP informing them of how their health information may be used and shared, as well as how to exercise their health privacy rights. Health plans and health care providers must develop and distribute NPPs that clearly explain these rights and practices. Unfortunately, to date NPPs have been poorly designed, hard to navigate, and unclear with regard to patient rights or company obligations regarding the use and disclosure of health information.
Privacy is just as much about protecting patients’ rights to their data as it is about protecting the data itself. The HIPAA Omnibus Rule, the CLIA Rule, and others are designed to improve patient access to their medical records, empowering them to actively manage their health. The digitization of medical records, in the form of electronic health records, personal health records, patient portals, and the like, facilitates patient engagement in health care if used properly. However, ineffective NPPs create barriers to patients understanding their rights.
NPPs that clearly convey patients’ privacy rights are critical in enabling patients to take a more active role in health care. Conversely, if patients do not understand NPPs, then they won’t have a good sense of their privacy rights, including their right to access their health information. Common critiques of NPPs are that they are frequently lengthy and contain legalese that the general public has difficulty understanding. To remedy these concerns, some suggest that simplifying the language and “layering” the notice—that is, including a short summary of the individual’s rights as a first layer and a longer, more detailed explanation as a second layer—would go a long way toward improving the readability of NPPs.
In an effort to address these criticisms of NPPs, last month the Office of the National Coordinator for Health Information Technology (“ONC”) collaborated with the HHS Office for Civil Rights (“OCR”) to develop model NPPs that clearly convey the required information to patients in an accessible format. Covered entities can customize these model NPPs and then display them and distribute them to patients.
ONC and OCR have also thrown down the gauntlet and established the Digital Privacy Notice Challenge, which will award $15,000 to the creators of the best online NPP (second place wins $7,000 and third place gets $3,000). The challenge calls for designers, developers, and privacy experts to use the model notices as a baseline and create an online NPP that is clear, effectively informs patients of their privacy rights, and is easily integrated online. Once submissions are finalized, the public will have two weeks to vote on the best submission.
The submission period ends on April 7, 2014, and winners will be announced in May or June of 2014.
Does your organization think it has what it takes to win this challenge?
Follow Alaap Shah on Twitter: @HealthITLawyers
A significant barrier to the interstate practice of telehealth is closer to being broken down. The Federation of State Medical Boards (FSMB) has completed and distributed a draft Interstate Medical Licensure Compact, designed to facilitate physician licensure portability that should enhance the practice of interstate telehealth. Essentially, the compact would create an additional licensing pathway, through which physicians would be able to obtain expedited licensure in participating states. As the FSMB notes in its draft, the compact “complements the existing licensing and regulatory authority of state medical boards, ensures the safety of patients, and provides physicians with enhanced portability of their license to practice medicine outside their state of primary licensure.” This is a potentially significant development because burdensome state licensure requirements have been a major impediment to the interstate practice of telehealth. A physician practicing telehealth is generally required to obtain a medical license in the state where the patient—not the physician—is located. As a consequence, physicians wishing to treat patients in multiple states need to obtain a license in each of those states in order to practice medicine lawfully, a lengthy and expensive process.
While the draft compact shares some features with the Nurse Licensure Compact (NLC), launched in 2000 to facilitate nurse mobility and improve access to care, a key difference is in the process for obtaining multistate licensure. Under the draft compact, physicians must submit an application, register, and pay certain fees to obtain licensure in other participating states. Nurses under the NLC, on the other hand, only need to declare that their home state is an NLC state, and the privilege to practice in other NLC states is automatically activated—no separate applications or fees are required. You can read a more comprehensive analysis of the FSMB draft compact here.
If you have tuned into the news over the last few months, you are likely aware that several major corporations—including one of the nation’s largest retail chains—have suffered data breaches. These breaches have affected hundreds of millions of consumers, and in some cases exposed sensitive financial data such as credit card information, as well as personal information including names, mailing addresses, phone numbers, email addresses, usernames and passwords.
There is no doubt that a primary concern raised by these data breaches is risk to consumers’ financial wellbeing. Chiefly, hackers that seek out personal information tend to sell or use the data to commit identity theft and credit card fraud. Yet, an often overlooked concern involves risk to the medical wellbeing of individuals. It is commonplace for retail chains to operate pharmacies within their facilities where electronic protected health information (“e-PHI”) is received, used, stored and transmitted. Although current information regarding known breaches does not indicate that pharmacy files were accessed, the vulnerability of e-PHI stored by these entities is a serious concern in the field of health care privacy. To manage these risks, entities should take heed of the privacy and security concerns raised in the most recent data breaches, and proactively craft comprehensive and sophisticated approaches to data security.
Historically, data security has been reactive in nature: corporations store data on their systems; hackers break into the systems (or the systems of their business partners); companies, if aware of the breach, modify their security to prevent a similar data breach; hackers find a different weakness and again breach the system. This cycle continues ad infinitum.
While there is definitely value in defensive security, as cybersecurity risks grow and lead to an increasing volume of data breaches, health care entities may want to consider strategies to remain on the offensive when it comes to the security of e-PHI. The laws applicable to the security of e-PHI provide a flexible framework to address these risks, but most entities have not designed effective risk management programs to address risk proactively. Nevertheless, the HIPAA Security Rule requires entities to implement a number of technical safeguards which can be used proactively. For example, HIPAA requires audit controls to ensure entities have sufficient awareness of system activity (and specifically of malicious activity). If reasonable and appropriate controls are put in place relative to these safeguards, companies can thwart hackers from gaining unauthorized access to e-PHI.
Offensive security requires a proactive mindset and approach to protecting computer systems, networks, and protected information from attack. While proactive security can take several forms, some liken the proactive approach to purchasing insurance: assets are invested and measures are taken to protect against the risk that something will occur resulting in liability or loss. In the modern digital world it is often not a question of “if” but rather “when” a company will experience a data breach. According to a 2012 independent study by the Ponemon Institute, a staggering 94 percent of health care organizations have had at least one data breach in the last two years alone. The same study estimated that the overall economic impact of a breach has risen six-fold over the last few years and now costs millions. With this in mind, here are just a few reasons why proactive data security should be a priority for health care entities:
1) Rapid & Continuous Evolution of Cyber Security Threats. Hackers are not only more sophisticated, they are more prevalent; threats to cyber security do not remain static in nature or volume. This unrelenting growth may be a result of the success rate of the illicit activity. Merely reacting to hackers’ successful attempts puts the industry at a major disadvantage because hackers are incentivized to evolve.
2) Ignorance. It is a common misconception that data security breaches are rare—more often, data breaches go undetected or unreported. The simple truth is that no organization is immune, and any organization may become an unwitting victim of a breach at any moment.
3) Monetary & Reputational Damage. Data breaches have a reverberating effect on a company. Damages are not limited to fines or sanctions, and they exceed the cost of mitigating the breach for consumers. Frequently, the greatest damage done is that to the company’s reputation. Consumers may second-guess their choice of providers based on an organization’s perceived failures, and the company’s reputation across the industry may diminish their competitive advantage for years to follow.
What Your Company Can Do
The prevalence of data breaches has led many to ask the question “Is proactive data security the solution?” There are many proactive measures that health care entities can implement to combat data breaches; the following summarizes just a few.
A risk assessment is the first critical step a health care entity should take when implementing a proactive data security plan. The HIPAA Security Rule requires conducting risk assessments. Further, the National Institute of Standards and Technology (NIST) has placed great emphasis on conducting risk assessments as the foundation for data security. Risk assessments systematically identify vulnerabilities that even the most sophisticated organizations may not have anticipated. Identification of vulnerabilities can help a company stay ahead of hackers by knowing where to deploy security resources.
Depending on the size of the company, data security may be a dual function of the company’s IT department. Given the severity of the potential risk, security should not be just one of many tasks for the IT department. According to a 2013 Ponemon study, the average cost of a data breach exceeds $5 million without even considering reputational harm. Studies show that U.S. hospitals alone incur costs of an estimated $1.6 billion each year for security incidents. Although certain actions might initially seem redundant, measures such as establishing a dedicated data security team or department, appointing specific data security personnel within an IT department, or investing in robust data security software and hardware are all worthwhile investments which will likely prove less costly than a data breach.
HIPAA requires organizations to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use e-PHI. Audit controls must be sufficient to examine system activity comprehensively. NIST audit control standards provide substantial guidance on conducting proactive system monitoring and activity logging. Audit controls give a company visibility into its own systems, allowing it to recognize suspicious activity early in order to limit exposure and ultimately prevent a full-blown data breach.
Conduct Breach Drills
Preparation is the key to mitigating damage that cannot be prevented. As with a fire drill, companies should maintain a plan for implementation in case of a data breach, and that plan should be put into practice regularly. HHS has teamed with HITRUST to launch CyberRx, an industry-wide effort to simulate cyberattacks. Twelve organizations will participate in these simulated cyber-attacks. The goal of CyberRx is to help industry participants identify ways to better prepare for, and respond to, cyber-attacks. This is an exercise of great value and can be done independently of HHS. By preparing to respond to a breach, companies can ensure that damage will be contained as efficiently and effectively as possible when one occurs.
For updates on Health Privacy and Security follow Marshall Jackson on Twitter: @MJacksonJr_ESQ
Follow Alaap Shah on Twitter: @HealthITLawyers
By: Alaap Shah and Marshall Jackson
With the New Year come new protections for health care entities and individuals utilizing electronic health records (EHRs). On December 27, the U.S. Department of Health and Human Services, Office of Inspector General (OIG) and the Centers for Medicare and Medicaid Services (CMS) issued final rules regarding the Stark Exception and the Anti-Kickback Safe Harbor permitting certain health care organizations to subsidize up to 85% of the donor’s cost of certain EHR items and services (the “Final Rules”). The Final Rules amended the 2006 original rule (the “Original Rule”). The Final Rules:
- Extend the expiration of the protections from December 31, 2013 to December 31, 2021;
- Exclude laboratory companies from the list of eligible “Protected Donors” that may donate EHR items and services;
- Update the provisions under which an EHR donor or recipient can ascertain, with certainty, that EHR is interoperable;
- Remove requirements that donated EHR include e-prescribing capabilities; and
- Clarify the requirement prohibiting any action that limits or restricts the use, compatibility, or interoperability of donated EHRs.
Under the Original Rule, EHR donation regulations were set to expire on December 31, 2013. The Final Rules extend the expiration of the protections until December 31, 2021.
As a change from the Original Rule, the protections under the Final Rules no longer extend to laboratory companies as a type of entity that may donate EHR items and services. However, this exclusion under the Final Rules does not apply to hospitals that furnish clinical laboratory services through a laboratory that is a department of the hospital. It should be noted that a hospital-affiliated or hospital-owned company that furnishes laboratory services and has a billing number assigned to the company, as opposed to the hospital, would be excluded from the protections under the Final Rules.
The Original Rule required that donated or subsidized software be “interoperable”. The rule stated that software is interoperable if a certifying body recognized by the Secretary of the Department of Health and Human Services certified the software within 12 months of the time it was provided to a physician. Under the Final Rules, software is deemed to be interoperable if, on the date it is provided to the physician, it has been certified by a certifying body authorized by the National Coordinator for Health Information Technology to an edition of EHR certification criteria. Significantly, the protections under the Final Rules are not limited to donations to individuals and entities eligible to participate in the EHR Incentive Programs (the “Meaningful Use Program”), but also extend to other entities and individuals if the donations meet the conditions of the safe harbor.
DATA LOCK-IN AND EXCHANGE
In order to foster the free exchange of data, the Final Rules have made limited clarifications to require that a donor not take any action to limit or restrict the use, compatibility or interoperability of the items or services with other electronic prescribing or EHR systems. The Final Rules included examples, making it clearer that this prohibition applies to any donor action that limits the use of donated software with any other health information technology.
The Original Rule required that donated software contain an electronic prescribing capability. However, under the Final Rules, effective March 27, 2014, the requirement that the donated software contain an electronic prescribing capability has been eliminated.
THE WINNERS AND LOSERS
The Final Rule attempts to strike the right balance between competing interests. On the one hand, the Final Rule seeks to foster continued adoption of EHRs and increased interoperability, which are ongoing goals within CMS, ONC, and much of the health care industry. On the other hand, OIG has shifted its position to better control risks associated with misuse of EHR donation by certain entities that seek to secure kickbacks. Recognizing these competing concerns, OIG has extended the safe harbor and improved alignment with ONC to ensure companies have better guidance to meet the interoperability requirements. Therefore, many organizations emerge as winners under the Final Rule, including EHR vendors, protected EHR donors, and EHR recipients. However, laboratory companies suffer a significant loss as a result of OIG’s tightening of the definition of “Protected Donor”.
Follow Alaap Shah on Twitter: @HealthITLawyers
Why is data breach such a rampant problem within the health care industry?
As health care rapidly digitizes through adoption of electronic health records, mobile applications, and the like, the risk of data breach is rising exponentially. To effectively manage this risk, health care companies and their business associates must be vigilant by implementing and evaluating security controls in the form of administrative, physical, and technical safeguards. Health care companies also have resources to assist them with managing this risk. Specifically, the federal agency that oversees the Health Insurance Portability and Accountability Act (“HIPAA”), the Department of Health and Human Services Office for Civil Rights (“OCR”), is tasked with providing technical assistance to guide companies toward compliance with the HIPAA security rules. Further, when companies fail to comply, OCR has enforcement authority to “obtain” compliance.
The responsibility for the oversight and enforcement of the Security Rule was delegated to OCR by DHHS in 2009 under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Nonetheless, anyone who reads the news is aware that data breaches within the health care sector are commonplace. As such, it is becoming increasingly clear that health care companies systemically lack adequate security safeguards. This also raises a concern regarding the effectiveness of OCR’s efforts to ensure compliance.
According to a recently released report by the Department of Health and Human Services (“DHHS”) Office of Inspector General (“OIG”), OCR’s compliance efforts show significant gaps in its oversight activities between 2009 and 2011. Specifically, the report states that OCR “hasn’t performed required audits of how corporations handle patient information and failed to guarantee the security of its own records.” As a result, OIG indicated that OCR’s periodic Security Rule compliance audits, which were made mandatory by HITECH, remain an outstanding objective.
OCR responded to OIG’s report by explaining its performance, citing that “no funds [have] been appropriated . . . to maintain a permanent audit program.” Going forward, however, OCR Director Leon Rodriguez said he expects that OCR “will leverage more civil penalties” and that OCR will be permitted to use collected penalties to fund enforcement actions and “to maximize funding [for] our auditing and breach analysis” activities. OCR has already committed $4.5 million from monies it collected from prior enforcement actions.
Interestingly, this is not to suggest OCR has not been active in promoting security compliance. For example, OIG indicated that OCR has provided guidance to covered entities to promote compliance and has established an investigation process for responding to reported violations. Yet OCR’s report card, although somewhat changed, has not materially improved since OIG’s 2011 report, in which a “need for greater OCR oversight and enforcement” was recommended. In light of these findings, it is likely that OCR will turn its focus to increasing its oversight activities in an effort to gain further insight into Security Rule compliance.
OCR is Transforming into OIG
As early as May 2012, the Director of OCR, Leon Rodriguez, indicated that the agency is headed toward the Office of Inspector General enforcement model. Rodriguez has warned that “the same level of vigilance that providers have used to steer clear of OIG’s fraud enforcement now needs to be applied in the HIPAA environment.” Coupling these comments with the findings of the recent OIG report suggests that OCR will be taking its oversight and enforcement activities even more seriously moving forward.
Based on the reinvigoration of the HIPAA Audit Program and signals from OCR, it appears that 2014 will be the year of heightened OCR enforcement. According to federal regulators, the permanent HIPAA Audit Program is planned to begin early in the new year, and covered entities should identify and mitigate outstanding non-compliance. Although Rodriguez has conceded that “the audits under this permanent program will be narrower in scope in comparison [to those] conducted during the pilot program,” the number of organizations that will be audited is expected to increase.
In short, the health care industry should expect even more audits and enforcement actions in the future.
Follow Alaap Shah on Twitter: @HealthITLawyers
One of the European Parliament’s 20 committees, the Civil Liberties Committee (“LIBE”), voted on October 21, 2013 on a proposed EU General Data Protection Regulation. The regulation includes an increased level of fines and new regulatory requirements (in the case of certain international data transfers and disclosure requests for personal data by foreign courts or authorities). Companies should monitor these issues closely in the next couple of months. Most likely, after the plenary vote on November 18-21, the Parliament will push for rapid negotiations with the Council (which represents the governments of the individual member countries) and the Commission to obtain a decision on the final text of the proposed regulation before the Parliamentary elections and the end of the current Commission mandate in May 2014. In Europe, three institutions are involved in the law-making process. In principle, the Commission proposes new laws, and the Parliament and Council adopt them. The Commission and the member countries then implement them, and the Commission also ensures that the laws are properly applied and implemented.
What’s in store for health data specifically?
The EU Parliament proposes a compromise text on the EU Commission proposal for general data protection, including health data. The general principles of the proposed regulation would apply to health information, with health data being a category of sensitive personal data subject to extra controls. There are, however, specific provisions for the processing of health data in Articles 81 and 83.
Paraphrasing Article 81: when processing health data, companies must safeguard the patient’s interests and fundamental rights; the processing must be necessary and proportionate, and its effects must be foreseeable by the data subject.
The principle of data minimization also applies, meaning that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose. A data controller is someone who has a certain degree of control over the data processing activity. Data controllers can be either individuals or legal entities such as companies or government authorities. Examples of cases where the data controller is an individual include general practitioners, pharmacists, politicians and sole traders, where these individuals keep personal information about their patients, clients, constituents etc. Data controllers should retain the data only for as long as is necessary to fulfill that purpose. In other words, data controllers should collect only the personal data they really need, and should keep it only for as long as they need it.
The data minimization principle is not new. It derives from Article 6.1(b) and (c) of Directive 95/46/EC and Article 4.1(b) and (c) of Regulation EC (No) 45/2001, which provide that personal data must be “collected for specified, explicit and legitimate purposes” and must be “adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.”
In proposed Article 83 the Parliament imposes strict requirements for data processing in health research. These proposed requirements have led to an outcry from industry stakeholders because they believe the proposal would unduly limit the positive uses of health data in research, as you can see here in the joint statement of the Healthcare Coalition on Data Protection.
Software Developers AND Medical Device Manufacturers Should Design with Privacy in Mind
Privacy by Design is not a new concept. Privacy by Design means that privacy and data protection are embedded throughout the entire life cycle of technologies, from the early design stage to their deployment, use and ultimate disposal. What is new, however, is its scope. The Parliament proposes to expand general compliance obligations and “privacy-by-design”/“privacy-by-default” requirements in particular, to software and hardware manufacturers — regardless of whether they process personal data. So, software that captures health data must be compliant by default with the design requirements. The design requirements are not clearly defined, and companies should do their due diligence beforehand. Erik Vollebregt, an expert on EU medical devices regulations, has seen many companies dealing with these issues, and wrote a practical report explaining the pitfalls and strategies to help you comply with these design requirements. You may access that report here.
Further, producers and data processors (which will affect many cloud providers) must also “implement appropriate technical and organizational measures and procedures to ensure that their services and products allow controllers by default to meet the requirements of this regulation, in particular [privacy-by-design and privacy-by-default]” (emphasis added).
Companies might think that locating the cloud in countries outside the EU with more permissive laws would save them from the EU maze. It is unlikely that such strategies would make sense since the European Commission is already encouraging companies to locate their clouds in the EU.
So why are Europeans so gung ho about data protection?
First, unless you were stranded on an island with zero Internet access, you probably have read about whistleblower Edward Snowden’s allegations about US spying. Because of the Snowden revelations, the European Union has reacted and is reinforcing its privacy fortress.
For example, on October 23, 2013 the EU Parliament recommended the EU suspend its Terrorist Finance Tracking Program (TFTP) agreement with the US in response to the NSA’s alleged tapping of EU citizens’ bank data held by the Belgian company SWIFT. The EU-US TFTP agreement on the processing and transfer of bank messaging data to track terrorists’ financial flows became effective in August 2010. The US authorities’ access to these financial data is strictly limited by the TFTP deal. If proven, the NSA’s activities would constitute a clear breach of the EU-US agreement.
Second, data protection is explicitly protected as a constitutional right in Europe. Under the Lisbon Treaty of 2009, the protection of personal data is recognized as a fundamental right. While the US has a constitutional right to privacy, the concept has grown organically from a Supreme Court case (Griswold v. Connecticut), and privacy protections have not been developed as comprehensively as they have in the EU.
Third, as recently as World War II and its aftermath, many countries in Europe lived through the catastrophic consequences of what can happen when collected personal data is shared with and by authorities without restriction.
Whether influenced by history, constitutional rights, or rapid technological advances, the EU will reinforce its data protection and privacy rules. Companies will need to invest in risk management. Governments may seek disclosure for security purposes, but companies in the EU would then need to disclose such requests for personal data by foreign authorities.
By: Alaap Shah and Marshall Jackson
Data is going digital, devices are going mobile, and technology is revolutionizing how care is delivered. It seems to be business as usual as your health care organization continues to digitize its operations. You have even taken measures to help guard against the “typical” risks such as lost laptops, thumb drives, and other electronic devices. However, unbeknownst to you, hackers sit in front of their computers looking for ways into your network so that they may surreptitiously peruse confidential financial records and sensitive patient information.
Unfortunately, this scenario is commonplace, and brings with it hefty costs. To the extent electronic protected health information (“e-PHI”) is compromised in a cyber security breach, health care entities can expect to spend on average $233 per record to clean up the problem. As health care operations digitize, organizations should be cognizant of the cyber security risks impacting the data that flows through their systems. Further, health care entities need to understand how to assess and manage these risks to meet Health Insurance Portability and Accountability Act (“HIPAA”) and Health Information Technology for Economic and Clinical Health Act (“HITECH”) requirements.
The facts of “cyber” life…
Although health care organizations have not always been a primary target for cyber-attacks, hackers are recognizing the value of data held by health care companies. Research indicates that electronic data in the health care sector is among the most vulnerable. Additionally, health care entities account for the highest percentage of incidents, more than one-third of all data breaches in the country. In one report, 94% of health care entities had experienced security breaches impacting their data. Moreover, medical identity theft among patients has increased by over 19% over the last year due to cyber security breaches.
Even given what we know, much about cyber security breaches remains uncertain. There are two main reasons for this uncertainty:
- Most cyber security breaches go undetected; and
- Many cyber security breaches go unreported.
Across all industries, one report asserted that approximately 69% of cyber security breaches go undetected. Of those breaches that are detected, 94% go unreported for months or longer. Yet there is one certainty in this climate: there are only two types of organizations, those that have already been hacked and those that will be at some point . . . .
Why cyber security is important now more than ever…
Recently, there has been increased scrutiny given the increased risk of data breaches. The Department of Health and Human Services’ Office for Civil Rights (“OCR”) has responded to data breaches by aggressively enforcing HIPAA, which reinforces that compliance with HIPAA requirements is a top priority. Chiefly, the HIPAA breach notification rule was amended to lower the reporting threshold from a “risk of harm” standard to a “probability of compromise” standard. As a result, the health care industry will see increased breach reporting, which will likely result in increased enforcement for noncompliance. This is bad news for health care companies because penalties for noncompliance with HIPAA have also been ramped up under the HIPAA Final Rule promulgated under HITECH.
With an increased focus on data breaches under HIPAA and HITECH, health care organizations don’t want to be the last to know how their e-PHI is being compromised. Not understanding the organization’s cyber security threats can be:
- Bad for patients because it can lead to identity theft;
- Bad for the organization because regulators may use that as evidence of noncompliant security practices; and
- A cause of noncompliance with reporting obligations under HIPAA and HITECH.
In addition to increased enforcement on the part of OCR, the FBI has joined the effort to investigate cyber security breaches. For example, in October 2013, the FBI opened an investigation of a cyber security breach affecting a network of hospitals and clinics, in which someone gained unauthorized access to the medical records of up to 1,800 patients.
The FBI also recognized that collaborative efforts are needed to solve the cyber security problem. These include investigating insider threats, detecting external threats, and informing the health care industry of cyber security threats. However, even with these collaborative efforts, health care organizations must be cognizant that assistance from the FBI could lead to increased scrutiny about the organization’s security practices. As such, proactive cyber security risk management is the best approach to ensure compliance with HIPAA and HITECH.
What can you do…
The stakes are getting higher regarding cyber security and HIPAA compliance. However, there are several steps health care organizations can take to protect against cyber security data breaches. Further, taking these steps can protect health care companies in the context of increasing investigatory activity on the part of OCR and other agencies, such as the FBI.
First, organizations should conduct periodic risk analyses to determine cyber security related risks. The risk analysis can help organizations to:
- Identify key systems and locations;
- Determine where e-PHI is located;
- Identify vulnerabilities and threats;
- Evaluate security safeguards; and
- Evaluate risk to e-PHI.
Second, health care organizations should evaluate whether the draft cyber security framework established by the National Institute of Standards and Technology (“NIST”) can improve the organization’s risk management process. The NIST cyber security framework contains five core elements, which help an organization:
- Identify critical infrastructure,
- Protect the organization’s critical infrastructure using appropriate safeguards,
- Detect cyber security events,
- Respond to cyber security events using pre-defined and prioritized activities, and
- Recover from cyber security events to restore critical infrastructure.
The framework’s core elements then further subdivide into categories and subcategories and provide cross-references to a number of different standards from industry and government that address each subcategory within those functions. Health care organizations can review these references and select the standard that best addresses the organization’s particular needs. Note that the cyber security framework is currently open for discussion, which means the components may change when the framework is finalized.
Ultimately, as the health care industry continues to digitize, organizations must be cognizant of the cyber security risks affecting their networks, systems and data. Further, as the number of cyber security related breaches increases, health care companies must prepare to identify and report such breaches as required by HIPAA and HITECH. Yet, to avoid the pain and cost of recovering from a breach and also paying hefty fines for noncompliance with HIPAA, health care companies should proactively leverage HIPAA risk analyses (potentially incorporating the NIST cyber security framework) to identify, prioritize, mitigate and monitor risks affecting e-PHI.
Follow Alaap Shah on Twitter: @HealthITLawyers
By: Alaap Shah and Ali Lakhani
“Hey Doc, just shoot me a text . . .”
The business case supporting text messaging in a health care environment is compelling – it is mobile, fast, direct, and increases dialogue between physicians and patients, and it streamlines the often inefficient page/callback paradigm that stalls workflows and efficiency in the supply chain of health care delivery. As a growing percentage of the 171 billion monthly text messages in the U.S. are sent by health care providers, often containing electronic protected health information (ePHI), providers are potentially exposing themselves to regulatory liabilities arising under the Health Insurance Portability and Accountability Act (HIPAA).
Currently, there is a great deal of uncertainty around whether “HIPAA-compliant” texting of ePHI can be accomplished. Even greater confusion exists around whether certain texting platforms themselves can be “HIPAA-compliant”. Before you start to send ePHI via text message, there are a number of issues to consider.
“Texting”, in the colloquial sense, has become an umbrella term for the entire category of mobile, asynchronous, instant communication between two or more parties. The first category of texting is what most people use today: traditional, wireless carrier-based text messaging, known as Short Message Service (SMS) text messaging. Here, users exchange messages between mobile devices over a cellular network. Most cellphones and smartphones in the U.S. market have an SMS text message capability, and it is a relatively simple push technology that can be used by people who are not tech-savvy. These benefits of SMS illustrate the broad reach of this technology.
The second category of texting is application-based instant messaging whereby users exchange messages over the internet between web-enabled devices. In essence, users download stand-alone applications to their mobile devices, create accounts with unique login credentials, and then send and receive text messages between accounts using the application interface. In light of challenges posed by HIPAA, many companies have developed application-based texting platforms, which are now branded as “HIPAA-compliant”. A number of these texting platforms allow for encryption of messages as well as secure login at the application level. However, the reach of these texting applications is somewhat narrower than traditional SMS text messaging for a few reasons. First, these texting applications typically run on smartphones, but are not universally available on ordinary cellphones. Second, use of the applications may be limited if the user is not tech-savvy. Nonetheless, these application-based texting platforms provide powerful tools to share ePHI.
Before you choose to use SMS text messaging or even a “HIPAA-compliant” application-based texting platform to send or receive ePHI, proceed with caution. First, note that no particular “texting” platform can be, in and of itself, “HIPAA-compliant.” Second, text messaging presents a litany of privacy and security challenges which must be addressed before texting ePHI.
By virtue of how it is generated, transmitted, stored, and viewed, traditional SMS texting presents several obstacles to HIPAA compliance. Some of the key obstacles, each explained below, include the following:
- SMS text messages are transmitted in clear text;
- SMS text messages are not encrypted;
- Senders cannot authenticate recipients;
- Recipients cannot authenticate senders; and
- ePHI can remain stored on wireless carrier servers.
Of particular note, SMS text messages are currently not secured through encryption. This potentially allows unauthorized third parties to get access to and view the content of SMS text messages associated with certain individually-identifiable information.
It is also difficult to know who generated a text message or even whether it is ending up in the right place. These authentication issues prompted the Joint Commission to explicitly restrict text messaging. Indeed, the Joint Commission stated that it is unacceptable for “physicians or licensed independent practitioners to text orders for patients to the hospital or other healthcare setting[s].” This, however, does not amount to a complete ban on text messaging of ePHI, and leaves open the possibility of other appropriate ways to utilize texting to share ePHI.
Finally, ePHI sent via SMS text message can end up being stored in places outside the control of the sender or the recipient. This can create an unmanageable risk in the context of data breach. For example, SMS text messages reside on telecommunications servers for some time before and after being transmitted to a recipient’s phone. As such, a breach of the telecom servers could allow unauthorized individuals to access or view the ePHI.
These risks render SMS text messaging a difficult avenue for the transmission of ePHI.
Despite these obstacles, is there a way to leverage text messaging while complying with HIPAA?
First and foremost, HIPAA does not explicitly prohibit the use of SMS text messaging to transmit ePHI. Rather, the HIPAA Security Rule requires Covered Entities, and Business Associates acting on their behalf, to implement administrative, physical and technical safeguards if engaged in the transmission or storage of ePHI. While HIPAA does not prescribe specific safeguards for protecting ePHI sent via text message, it does provide a framework to assess and mitigate the risks associated with such transmissions. For example, the following technical safeguards in the HIPAA Security Rule should be considered before texting ePHI:
- Unique User Identification;
- Automatic Logoff;
- Integrity Management;
- Authentication; and
- Transmission Security.
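To make concrete what the SMS obstacles above and the Security Rule safeguards just listed look like at the application layer, here is an added example (not code from the original post or from any texting vendor). It models, in standard-library Python only, an application-based platform that attaches a per-user HMAC tag to each message and checks it on receipt, so that a forged sender, an altered body, an untagged SMS-style message and a message arriving after the session window has closed are all rejected. The user names, keys, message bodies, timestamps and the 300-second session window are constructed for the demo. Unique user identification, authentication, integrity and automatic logoff are covered; transmission security (confidentiality) is not shown, since it needs an authenticated cipher such as AES-GCM from a library like `cryptography`, which the standard library does not provide.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, asdict
from typing import Dict, Tuple

# Constructed per-user secret keys for two hypothetical users. Each user
# holds a distinct key: a tag that verifies under dr_smith's key can only
# have been produced by someone holding dr_smith's key, which is what gives
# the recipient a way to authenticate the sender (absent in carrier SMS).
USER_KEYS: Dict[str, bytes] = {
    "dr_smith": secrets.token_bytes(32),
    "nurse_lee": secrets.token_bytes(32),
}

# Inactivity window after which a message is treated as coming from an
# expired session (the platform's "automatic logoff"). Demo value.
SESSION_TIMEOUT_SECONDS = 300


@dataclass
class Message:
    sender: str
    recipient: str
    body: str
    sent_at: int      # seconds since epoch, supplied by the caller
    tag: str = ""     # hex HMAC-SHA256 over the other fields; "" for plain SMS


def _canonical(msg: Message) -> bytes:
    """Deterministic byte encoding of every field except the tag itself."""
    fields = asdict(msg)
    fields.pop("tag")
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_message(sender: str, recipient: str, body: str, now: int) -> Message:
    """Build a message and attach a tag computed under the sender's own key."""
    msg = Message(sender, recipient, body, now)
    msg.tag = hmac.new(USER_KEYS[sender], _canonical(msg), hashlib.sha256).hexdigest()
    return msg


def verify_message(msg: Message, now: int) -> Tuple[bool, str]:
    """Return (accepted, reason), as the recipient's platform would decide."""
    key = USER_KEYS.get(msg.sender)
    if key is None:
        return False, "unknown sender"
    expected = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    # compare_digest prevents leaking tag bytes through timing differences.
    if not hmac.compare_digest(expected, msg.tag):
        return False, "tag mismatch: forged sender or altered content"
    if now - msg.sent_at > SESSION_TIMEOUT_SECONDS:
        return False, "session expired"
    return True, "ok"


def demo(now: int = 1_700_000_000) -> Dict[str, Tuple[bool, str]]:
    """Run the cases the text describes and return each verdict."""
    results: Dict[str, Tuple[bool, str]] = {}

    # 1. Genuine message from a known user, checked shortly after sending.
    good = sign_message("dr_smith", "nurse_lee", "Room 4: hold 0800 dose", now)
    results["genuine"] = verify_message(good, now + 30)

    # 2. Body altered in transit: the tag no longer matches the content.
    tampered = Message(good.sender, good.recipient, "Room 4: give 0800 dose",
                       good.sent_at, good.tag)
    results["tampered"] = verify_message(tampered, now + 30)

    # 3. Forged sender: a party without dr_smith's key claims to be dr_smith
    #    and tags the message with a key of its own.
    forged = Message("dr_smith", "nurse_lee", "Discharge patient", now)
    forged.tag = hmac.new(secrets.token_bytes(32), _canonical(forged),
                          hashlib.sha256).hexdigest()
    results["forged"] = verify_message(forged, now + 30)

    # 4. Plain SMS-style message: no tag at all, so the recipient has
    #    nothing with which to verify who generated it.
    untagged = Message("dr_smith", "nurse_lee", "Lab results attached", now)
    results["untagged"] = verify_message(untagged, now + 30)

    # 5. Genuine but stale: arrives after the session window has closed.
    results["stale"] = verify_message(good, now + SESSION_TIMEOUT_SECONDS + 1)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:9s} -> {verdict}")
```

Only the first case is accepted; the other four are refused with a reason the platform can log. Note that the check in step 2 and step 3 is the same comparison: an HMAC cannot tell "wrong key" from "changed content", which is why the page lists integrity management and authentication together as related safeguards.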
Further, to comply with HIPAA, those who want to send ePHI via text must conduct a risk analysis. A risk analysis consists of “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” Thus, prior to employing SMS or application-based texting, the risks associated with either should be addressed.
In short, HIPAA compliance is achieved by implementing reasonable and appropriate safeguards and conducting a risk analysis on a periodic basis.
Text messaging continues to offer a simple, attractive, and cost-effective way to communicate ePHI. As a result, text messaging solutions will continue to enter the marketplace. Yet, text messaging solutions carry a great deal of risk stemming from various threats and vulnerabilities. Before utilizing text messaging, these risks must be evaluated and effectively managed to ensure compliance with HIPAA and avoid the potential for unauthorized use or disclosure as well as data breach.
Below is a re-print of an article that we recently wrote for the Advisory Board Company’s 2013 third quarter General Counsel Agenda. To view the original publication in the General Counsel Agenda, click here.
For hospitals, the promise of telehealth has spurred innovation across multiple service lines and led to the emergence of a number of new delivery models such as telestroke, teleradiology, telepsychiatry, telepathology, teleICU and remote patient monitoring. While many of these programs are leading to significant improvements in access to health care services, quality of care, and efficiencies, they often also raise their own distinct set of compliance challenges, particularly in the area of privacy and security.
Privacy and security law questions can become challenging in a telehealth setting because of the nature of the data and the ways in which it is being used. Telehealth is increasingly becoming a vehicle for generating, transmitting and storing large volumes of electronic health information, and as telehealth platforms and delivery models continue to evolve, the ways in which providers are creating and using health information are constantly changing. There are at least three categories of privacy and security law issues that can create heightened challenges in the telehealth setting.
I. Data Management
Telehealth services often result in the creation of health information in formats that historically have not been part of the patient’s medical record (e.g. audio recordings, videos, remote monitoring data). While hospitals and other providers have some flexibility in determining the information that comprises the medical record, there are circumstances where an organization may want or the law may require that such information be included in the record. For example, it may be necessary to include such information in the medical record in order to comply with state medical record laws or for risk-management purposes.
Therefore, when reviewing information generated through telehealth operations, you may want to ask yourself the following:
- Should the data be maintained as part of the “medical record” (e.g. should video sessions be recorded? Should remote monitoring data be saved?). Answering this question will require both an analysis of privacy law requirements as well as other considerations, such as whether maintaining the information is important for clinical reasons or risk management purposes.
- Does state law require the information to be maintained or included in the medical record or HIPAA designated record set? If so, what obligations does the provider have with regard to providing patients with access to this information, maintaining accountings of disclosures, and record retention under both HIPAA and state privacy law?
- If the information is part of the medical record, or maintained for other reasons, how and where is it being maintained and secured? This question goes to important operational issues such as whether the information can be tracked for purposes of complying with medical record access and other legal requirements relating to patient rights to their health information and whether it is properly secured.
II. Sharing Data Management Responsibilities with Other Providers
When a telehealth program involves interactions with providers outside of the organization (e.g. a telestroke program bridging separately run hospitals or mental health services between a hospital and mental health professionals at a distant location), it is important to ensure that responsibilities for securing and managing the health information generated through these programs are clearly defined, and that each party is aware of its responsibilities and those of the other parties. For example, the parties should have a common understanding or an agreement as to who will be responsible for maintaining the information and the levels of access that will be given to each of the participating provider organizations. It is also important to consider the extent to which the hospital could be found liable (under HIPAA or otherwise) for a security breach or unauthorized disclosure caused by another telehealth program participant. In these types of arrangements your security may only be as strong as the weakest link in the chain.
III. Privacy and Security Risks during the Telehealth Encounter
When communicating with patients through telehealth, there are also risks that the telehealth encounter itself could result in a privacy or security law violation. Because these interactions, by definition, involve communications with patients who are not physically present, there is a heightened risk of disclosing information to the wrong person (i.e. somebody who is not the patient), which would likely be an unauthorized disclosure under the HIPAA Privacy Rule. To minimize this risk (and also to meet authentication standards under the HIPAA security regulations), telehealth providers should have in place reliable methods for verifying and authenticating the identities of the patient and practitioner(s) at the beginning of each telehealth encounter.
Telehealth encounters may also be vulnerable to third party interference, signal errors, or transmission outages. These types of incidents can result in the loss of data, interrupted communications, or the alteration of important clinical information, which, in addition to other liability risks, could lead to HIPAA privacy and security violations. For example, third party interference with an unsecure transmission may constitute a security breach under the HIPAA security regulations. And transmission outages or the loss of important clinical data during transmission could be seen, in certain cases, as a failure to adequately maintain the integrity or availability of protected health information as required under the HIPAA security regulations.
As has been true with the transition from paper to electronic medical records, hospitals will need to adapt their privacy and security practices in response to the specific privacy risks and compliance challenges associated with various forms of telehealth. Depending on the nature of the telehealth services being provided, this may require updating policies and security risk analyses, and taking a more active compliance role in the coordination of telehealth services with outside organizations. But perhaps most importantly, given how rapidly telehealth technologies and clinical models are evolving and the increasingly high volumes of health information generated through telehealth mediums, compliance teams should be actively monitoring and participating in the design and implementation of telehealth programs within the hospital.
A common theme in many state statutes and codes is that telehealth documentation retained in the medical record must be comparable to an in-person office visit. For example, Texas requires that medical records “include copies of all relevant patient-related electronic communications, including … if possible, telemedicine encounters that are recorded electronically.” 22 Tex. Admin. Code § 174.10(c) (2013).
See § 164.312(d).
See § 164.306(a).