<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Danna McKitrick Articles &#187; Danna McKitrick Articles</title>
	<atom:link href="http://www.dannamckitrick.com/articles/category/hipaa/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.dannamckitrick.com/articles</link>
	<description>Articles on law-related topics by Danna McKitrick&#039;s attorneys</description>
	<lastBuildDate>Tue, 10 Jan 2012 16:31:34 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>The New Security Breach Notification Rule</title>
		<link>http://www.dannamckitrick.com/articles/2009/09/the-new-security-breach-notification-rule/</link>
		<comments>http://www.dannamckitrick.com/articles/2009/09/the-new-security-breach-notification-rule/#comments</comments>
		<pubDate>Wed, 23 Sep 2009 15:00:00 +0000</pubDate>
		<dc:creator>Laura Gerdes Long</dc:creator>
				<category><![CDATA[Business Law]]></category>
		<category><![CDATA[Health Care]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Laura Gerdes Long]]></category>

		<guid isPermaLink="false">http://www.dannamckitrick.com/articles/?p=608</guid>
		<description><![CDATA[On August 24, 2009, the Department of Health and Human Services (“HHS”) published in the Federal Register interim final regulations and accompanying commentary with regard to breach notification requirements for unsecured protected health information (“PHI”) under the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”). This HHS publication triggers two key deadlines, [...]]]></description>
			<content:encoded><![CDATA[<p>On August 24, 2009, the <a href="http://www.hhs.gov" target="_blank">Department of Health and Human Services (“HHS”)</a> published in the <a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html" target="_blank"><em>Federal Register</em> interim final regulations</a> and accompanying commentary with regard to breach notification requirements for unsecured protected health information (“PHI”) under the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).</p>
<p>This HHS publication triggers two key deadlines. The first is <strong>September 23, 2009</strong>, when employers (through their group health plans) and health care providers (“covered entities”) are required to comply with the Act’s security breach notification requirements; the second is <strong>February 22, 2010</strong>, the end of the 180-day enforcement grace period announced by HHS. During that grace period, covered entities need to digest the new requirements, revise existing HIPAA policies and procedures and develop new ones, put in place a security incident response plan, train employees, confer with business associates about security breach response and negotiate modifications to existing business associate agreements. Employers and health care providers who discover a security breach after that date and fail to provide the required notices may be targeted for an enforcement action.</p>
<p>The security breach notification requirement applies only to <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html" target="_blank">“unsecured PHI”</a>. HHS considers PHI “unsecured” unless it has been rendered unusable, unreadable or indecipherable to unauthorized persons, and, generally, the only two methods HHS has recognized for doing so are encryption (consistent with the NIST guidance cited in the HHS guidance) and complete destruction of the media. A practical caveat: encrypted PHI counts as secured only if the decryption key has not itself been compromised, so a lost laptop that holds both the encrypted records and the key in cleartext does not qualify. Where all of a covered entity’s PHI is secured in this sense, the loss of it does not trigger the notification requirement. In any event, every practice should review its existing Notice of Privacy Practices and update it with respect to the new notification rule.</p>
<p><span id="more-608"></span></p>
<h3>WHAT IS A “BREACH” REQUIRING NOTIFICATION UNDER THE RULE?</h3>
<p>HHS has defined “breach” to mean a use or disclosure of unsecured PHI in violation of the HIPAA Privacy Rule. As we learned when the <a href="http://www.hhs.gov/ocr/privacy/" target="_blank">Privacy Rule</a> was implemented, PHI generally cannot be used or disclosed without the individual’s prior, written authorization. However, the Privacy Rule also contains a laundry list of exceptions to the general rule. Consequently, covered entities may often have to scrutinize the Privacy Rule to determine whether a breach, indeed, even occurred. Hence, a breach will only occur if the following requirements are met:</p>
<ul>
<li>the information is “unsecured” PHI;</li>
<li>the information was used or disclosed in an unauthorized manner (see, HIPAA Privacy Rule); and</li>
<li>the use or disclosure poses a “significant risk of financial, reputational, or other harm to the individual”. To determine whether such a risk exists, the covered entity must assess factors such as:</li>
</ul>
<p style="padding-left: 60px;">(a) to whom the information was disclosed;<br />
(b) the type of information disclosed;<br />
(c) what steps were taken that mitigate the potential harm to the individual; and<br />
(d) whether the use or disclosure falls under an exception listed in the statute. The exceptions are:</p>
<p style="padding-left: 60px;"><em>(i) Unintentional access by a covered entity’s or business associate’s employee</em>. Such access must be in good faith, within the employee’s course and scope of employment, and must not result in further use or disclosure. HHS gives the example of a nurse who mistakenly sends an e-mail containing PHI to a hospital billing employee, who opens it in the normal course of business; the billing employee then deletes the e-mail and notifies the nurse.<br />
<em>(ii) Inadvertent disclosure from one covered entity or business associate employee to another similarly situated employee</em>. HHS explains that the information must not be further used and that “similarly situated” means both employees must be authorized to access the information. For example, a doctor and a billing employee may be similarly situated, because both are authorized to view PHI, but a doctor and a receptionist may not be; nor, for example, may a doctor and a nurse who is not responsible for the doctor’s patients, where the doctor inadvertently hands that nurse a patient chart.<br />
<em>(iii) The recipient would not reasonably have been able to retain the information</em>. For example, a nurse hands out incorrect discharge papers, but immediately discovers the error and takes them back.</p>
<h3>NOTIFICATION OF BREACHES</h3>
<p>If a breach occurs, then the covered entity must notify the individual “without unreasonable delay”, but no later than 60 days after discovery of the breach. HHS notes that, if a business associate is an “agent” of the covered entity, the business associate’s discovery of the breach will be imputed to the covered entity.</p>
<p>If the breach involves 500 or more individuals, the covered entity must notify HHS at the same time it notifies the affected individuals. Breaches involving fewer than 500 individuals must be logged, and a log must be submitted to HHS by March 1st of the following calendar year.</p>
<p>There are also provisions requiring notice to prominent media outlets when a breach involves more than 500 residents of a single state or jurisdiction. Since business associates are drawn into both the discovery and the notification of breaches, covered entities should address those matters in their business associate agreements or vendor agreements by rewriting or amending those agreements.</p>
<h3>WHAT MUST THE NOTICE SAY?</h3>
<p>The Notice must be written in plain language and contain five (5) subject areas:</p>
<ol>
<li>a brief description of what happened, including the date of the breach and the date the breach was discovered, if known</li>
<li>the types of unsecured PHI involved in the breach (e.g., Social Security number, full name, date of birth, home address, account number, diagnosis)</li>
<li>steps that affected individuals can take to reduce the risk of harm from the breach</li>
<li>a brief description of the covered entity’s investigation, efforts to mitigate harm to affected individuals and steps taken to prevent a recurrence of breaches</li>
<li>contact information for people to ask questions and obtain information, including a toll-free telephone number, e-mail address, website or postal address.</li>
</ol>
<p>HHS has devised electronic notification forms on its website for submitting notice of breach to the Secretary. These requirements are in accord with the Privacy Rule that requires each covered entity to take reasonable steps to mitigate the harmful effects of an unauthorized use or disclosure of PHI.</p>
<p>There are also provisions for substitute notice under the HHS rules, for use where the covered entity has insufficient or out-of-date contact information for some of the affected individuals.</p>
<h3>THE EFFECT ON STATE SECURITY BREACH NOTIFICATION LAWS</h3>
<p>HHS has said that the HIPAA requirements do not pre-empt state notice law and that covered entities will be required to comply with both sets of laws when both are applicable. For example, where a state law requires notification within five days, HHS says notice within this period also would satisfy the new HIPAA requirements, so the two laws do not conflict. Similarly, if a state law requires additional elements be included in a notice, HHS says there would be no conflict because a covered entity could develop a notice that satisfies both laws.</p>
<h3>STEPS FOR COVERED ENTITIES</h3>
<ul>
<li>Establish notice procedures for a security breach response plan</li>
<li>Implement systems for detecting a security breach</li>
<li>Maintain a breach log</li>
<li>Train workforce members on their role in responding to a security breach</li>
<li>Revise business associate agreements to address security breaches</li>
<li>Revise HIPAA policies and procedures regarding training, complaints, and sanctions, as applicable</li>
<li>Update address lists for patients and/or plan participants to reduce the number of return notices in the event of a breach.</li>
</ul>
<p>This is only a short review of considerations. Consultation with an attorney is advised to ensure that all matters specific to your practice have been covered. If you have further questions or if you would like to set up an appointment to discuss your practice’s protected health information needs, please contact <a href="http://www.dannamckitrick.com/people/long.php">Laura Gerdes Long, Esq</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dannamckitrick.com/articles/2009/09/the-new-security-breach-notification-rule/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Kicking the Habit and Getting Fit Helps Employers&#8217; Bottom Lines</title>
		<link>http://www.dannamckitrick.com/articles/2008/02/kicking-the-habit-and-getting-fit-helps-employers-bottom-lines/</link>
		<comments>http://www.dannamckitrick.com/articles/2008/02/kicking-the-habit-and-getting-fit-helps-employers-bottom-lines/#comments</comments>
		<pubDate>Fri, 01 Feb 2008 21:21:13 +0000</pubDate>
		<dc:creator>Laura Gerdes Long</dc:creator>
				<category><![CDATA[Business Law]]></category>
		<category><![CDATA[Employment Law]]></category>
		<category><![CDATA[Health Care]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Laura Gerdes Long]]></category>

		<guid isPermaLink="false">http://www.dannamckitrick.com/articles/?p=3</guid>
		<description><![CDATA[Employee costs are the bottom line The fact is that employee costs, and curbing those costs, are the “bottom line” for most employers. For years, employers have been struggling to control and minimize the rising costs of health care for their employees. Employers are increasingly forced to transfer health care costs to their employees through [...]]]></description>
			<content:encoded><![CDATA[<h3>Employee costs are the bottom line</h3>
<p>The fact is that employee costs, and curbing those costs, are the “bottom line” for most employers. For years, employers have been struggling to control and minimize the rising costs of health care for their employees. Employers are increasingly forced to transfer health care costs to their employees through higher premiums, copayments and deductibles. Only in the past few years have employers realized that they can assist their employees in improving their overall wellness, while at the same time potentially reducing the employers’ health care costs. The methods that employers have begun experimenting with include implementing wellness programs, offering health risk assessments, and education.</p>
<h3>Hard, Cruel Facts</h3>
<p>Since 2000, U.S. health care cost increases have exceeded the overall inflation rate by a factor of two to five. (<a href="http://www.nchc.org">National Coalition on Healthcare</a>, <em>Economic Cost Fact Sheets</em>.)</p>
<p><span id="more-3"></span>At the same time, employees’ contributions to employer-provided health insurance have increased an average of 143%, with their out-of-pocket costs, including co-payments and deductibles, also increasing an average of 115%. <em>Id</em>.</p>
<p>Countless studies have shown that certain conditions impact employers’ costs, overall, and not only for health care.</p>
<ul>
<li>For example, survey findings recently reported in the Archives of Internal Medicine found that obese employee medical claim costs were seven times higher than average and those employees missed 13 times more work days. (<em>Ostbye T., et al.</em>, <em>Obesity and Workers’ Compensation</em>, 167 Arch Intern. Med. 766-773 April 23, 2007).</li>
</ul>
<ul>
<li>A study conducted by the Centers for Disease Control found that the cost increase for obese employees, combining medical costs and absenteeism, ranges from an additional $460.00 to $2,500.00 per employee. (<a href="http://www.forbes.com"><em>Forbes</em></a>, 10/05/2006, <em>U.S. Companies Embrace Wellness Programs</em>).</li>
</ul>
<ul>
<li>Some estimates put the annual medical costs of smoking and the illnesses that link to it, such as cancer and heart disease, at $150 billion or more. (September 2007, <em>HR Magazine</em>, 115).</li>
</ul>
<h3>How wellness programs can help employers</h3>
<p>With all of this bad news, what is an employer to do? Final federal regulations have been released for wellness programs and may provide one approach for improving employee health and potentially reducing health care costs. (71 Fed. Reg. 75014 (Dec. 13, 2006); 45 C.F.R. Part 146). These new, final rules and guidelines are detailed in the <em>Health Insurance Portability and Accountability Act’s (HIPAA)</em> non-discrimination and wellness program rules. These HIPAA regulations were issued, and will be enforced, by the <a href="http://www.irs.gov/">Internal Revenue Service</a>, the <a href="http://www.dol.gov/">Department of Labor</a>, and the <a href="http://www.hhs.gov/">Department of Health and Human Services</a>.</p>
<h3>What is a wellness program?</h3>
<p>A <em>wellness program</em> is defined as “any program designed to promote health or prevent disease.” (71 Fed. Reg. at 75035; 45 C.F.R. at § 146.121(f)). The wellness plan must make participation in the program available to all similarly situated individuals, and cannot condition a reward on an individual satisfying a standard based on a health factor. <em>Id.</em> For example, an employer can provide a waiver of co-payments for preventive care; reimbursement for participation in a smoking cessation program, without regard to success; rewards for attendance at monthly health education seminars; a diagnostic testing program that provides a reward for participation and does not base any part of the reward on outcomes; and reimbursement of fitness center memberships. <em>Id.</em></p>
<h3>What are some employers doing?</h3>
<p>Wellness programs take a myriad of forms. Some wellness programs include employers providing educational materials about health choices, health risk assessments or free gym memberships. Other plans integrate a variety of elements, including nutritional counseling, screenings, use of health data to target high cost diseases, and incentives to motivate physical activity.</p>
<p>Recently, <a href="http://www.guardianlife.com/">Guardian Insurance</a>, in conjunction with <a href="http://www.healthways.com/">Healthways’ Whole Health Networks</a>, started offering programs, including complimentary nutrition coaches, tai chi, yoga and pilates, and membership fees at gyms such as <a href="http://www.ballyfitness.com/">Bally’s Total Fitness</a>, in addition to discounts for weight loss programs, <a href="http://www.jennycraig.com/">Jenny Craig</a> and <a href="http://www.weightwatchers.com/Index.aspx">Weight Watchers</a> (<a href="http://www.forbes.com"><em>Forbes</em></a>/2007/05/29/pilates-yoga-taichi-leadmanage-ex).</p>
<h3>Some of the nitty gritty (the regulations, a/k/a, “boring lawyer stuff”)</h3>
<p>Under the HIPAA prohibition against discrimination on the basis of health status, there exist eight health factors:</p>
<ul>
<li>health status,</li>
<li>medical condition (both physical and mental),</li>
<li>claims experience,</li>
<li>receipt of health care,</li>
<li>medical history,</li>
<li>genetic information,</li>
<li>evidence of insurability, and</li>
<li>disability.</li>
</ul>
<p>What this means is that employees cannot be denied eligibility or charged a higher premium based on one or more of those health factors. It is essential that the employer be aware that the HIPAA non-discrimination rules generally prohibit group health plans from discriminating against individuals based on those health factors. In other words, a plan cannot penalize an employee who is unsuccessful in ending a nicotine habit after attending a smoking cessation program. Similarly, an employer’s plan cannot charge greater premiums to employees with a body mass index over 25.</p>
<p>Thus, if a wellness program conditions a reward on satisfying some standard based on such health factors, then the regulations require the program to meet five criteria:</p>
<ul>
<li>the value of the reward must not exceed 20% of the cost of employee-only coverage (or 20% of the cost of the coverage in which any employee and any dependents are enrolled);</li>
<li>the program must be reasonably designed to promote health or prevent disease;</li>
<li>the program must give individuals an opportunity to qualify for the reward under the program at least once per year;</li>
<li>the reward must be available to all similarly situated individuals, including a reasonable alternative which must be offered to those individuals for whom it is unreasonably difficult or medically unadvisable to participate; and</li>
<li>the health plan must disclose the availability of the alternative standard in any plan materials describing the terms of the wellness program.</li>
</ul>
<p>(71 Fed. Reg. at 75036; 45 C.F.R. § 146.121(f)(2).)</p>
<p>As for the fourth criterion, a wellness program must include some sort of alternative standard for employees who cannot reach a particular target. Sometimes employers have to fashion alternative standards on a case-by-case basis. For example, a premium discount may be offered to employees who walk five miles per week, but there must be an alternative, such as attending a class about cardio fitness or taking up swimming instead. Employers may also pay for employees’ gym memberships or nutritionist services, or give policy discounts to employees who lower their cholesterol. But if an individual is genetically predisposed to having high cholesterol, and provides verification from a doctor, that individual cannot be penalized.</p>
<p>This “alternative method” is a common sense approach, which HIPAA requires by using a “reasonably designed” standard to balance the needs of employers to experiment with various programs to provide employees incentive to participate, while at the same time, protecting employees from plans that are mere subterfuge for discrimination. Many examples of such alternatives and the kind of language that may be used to satisfy these requirements are  included in the comments to the Federal Rules at 71 Fed. Reg. at 75036-75038.</p>
<h3>A summary:</h3>
<p>Thus, Wellness Programs allow for a lot of experimentation by employers while, at the same time, providing employees an opportunity to receive an offered reward for their efforts at maintaining a healthy lifestyle. Of course, other laws may intersect with various provisions of the regulations, such as the <a href="http://www.ada.gov/">Americans With Disabilities Act</a> (ADA). Generally, to comply with the ADA, the incentives should be voluntary, and any medical information gathered in connection with the incentive should be kept confidential and separate from the employees’ personnel records.</p>
<p>In summary, by following a few simple rules and sometimes thinking “outside the box” in terms of developing a program to assist your employees with creating and maintaining a healthy lifestyle, employers may gain a group of employees who are healthier, less likely to become sick, and who are, hopefully, happier. Definitely, a win-win situation for both employees and employers.</p>
<p><strong>Caveat</strong>: As usual, these rules can be complicated stuff. They are not all inclusive or applicable in all contexts and, although the <a href="http://www.dannamckitrick.com/Laura-Gerdes-Long.php">author</a> is a lawyer, she is not your lawyer. So, enjoy the article, but if you are ready to jump onto the wellness parade, please <a href="http://www.dannamckitrick.com/healthcare-industry.php">consult a lawyer</a> qualified to advise you on these matters relative to your specific situation.</p>
<p><a href="http://www.dannamckitrick.com/articles/wp-content/uploads/2009/05/2007-long-employees-getting-fit-helps-employers-bottom-lines.pdf">View PDF</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.dannamckitrick.com/articles/2008/02/kicking-the-habit-and-getting-fit-helps-employers-bottom-lines/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>George Clooney and HIPAA</title>
		<link>http://www.dannamckitrick.com/articles/2008/02/george-clooney-and-hipaa/</link>
		<comments>http://www.dannamckitrick.com/articles/2008/02/george-clooney-and-hipaa/#comments</comments>
		<pubDate>Fri, 01 Feb 2008 16:57:31 +0000</pubDate>
		<dc:creator>Laura Gerdes Long</dc:creator>
				<category><![CDATA[Health Care]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Laura Gerdes Long]]></category>

		<guid isPermaLink="false">http://www.dannamckitrick.com/articles/?p=119</guid>
		<description><![CDATA[A recent entertainment news story involving celebrity medical records is an example of the problems associated with employee activities and reminds us of the need for continuous vigilance in protecting sensitive medical data. This story highlights that it is a good time for additional training of workforce members on these issues. Following a motorcycle accident [...]]]></description>
			<content:encoded><![CDATA[<p>A recent entertainment news story involving celebrity medical records is an example of the problems associated with employee activities and reminds us of the need for continuous vigilance in protecting sensitive medical data. This story highlights that it is a good time for additional training of workforce members on these issues.</p>
<p>Following a motorcycle accident involving George Clooney and his girlfriend, they were seen at the <a href="http://palisadesmedical.org/">Palisades Medical Center</a> in New Jersey for their injuries. More than two dozen employees were suspended for a month, without pay, for allegedly accessing Clooney’s confidential medical records. A union representing seven of the suspended nurses said that the employees, although they looked at Clooney’s records, did not divulge any confidential information.</p>
<p><span id="more-119"></span>The interesting thing about this case is that it shows the tight link between the HIPAA Privacy and Security Rules. Given the number of employees who allegedly accessed his records inappropriately, it is likely that the access was to electronic information—a security breach by “inside employees.” Fortunately, it appears that the hospital’s audit practices caught the breach; the Security Rule requires covered entities to implement audit controls that record activity in systems containing electronic PHI and to regularly review that activity. Unfortunately, it appears that the staff was not trained well enough to refrain from accessing the information in the first place, and apparently were not aware they could be caught and disciplined.</p>
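<p>As an added illustration (not part of the original article, and not the hospital’s actual audit procedure), the following Python script shows the kind of access-log review that surfaces this pattern: it flags every access to a record by a workforce member who is not on that patient’s documented care team, and it flags any record viewed by an unusually large number of distinct users within a short window, which is exactly what a celebrity admission attracts. The log lines, user names, roles, patient identifiers, care-team roster and thresholds are all constructed for the example.</p>

```python
"""Added example: a minimal EHR access-audit review of the kind the HIPAA
Security Rule's audit-control and activity-review standards call for.
Everything below (log lines, users, roles, patient identifiers, the care-team
roster and the thresholds) is constructed for illustration and is not taken
from the article or from any real hospital."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access log: one event per line as
#   <ISO timestamp> <user> <role> <patient record> <action>
ACCESS_LOG = """\
2007-09-20T08:30:00 jsmith physician MRN-100777 view
2007-09-22T10:02:11 jsmith physician MRN-100234 view
2007-09-22T10:05:40 aclark nurse MRN-100234 update
2007-09-22T11:15:02 bwong clerk MRN-100234 view
2007-09-22T11:16:30 dlee nurse MRN-100234 view
2007-09-22T13:40:05 mpatel tech MRN-100234 view
2007-09-22T13:41:00 dlee nurse MRN-100234 view
2007-09-25T09:00:00 bwong clerk MRN-100777 view
"""

# Constructed roster of who has a documented treatment relationship with
# each patient (in practice derived from encounter and assignment data).
CARE_TEAM = {
    "MRN-100234": {"jsmith", "aclark"},
    "MRN-100777": {"jsmith"},
}


def parse_log(text):
    """Parse the whitespace-separated log format above into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, mrn, action = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "mrn": mrn,
            "action": action,
        })
    return events


def accesses_without_care_relationship(events, care_team):
    """Every access by a user who is not on the patient's documented care
    team. Each hit is a candidate for follow-up, not proof of misconduct."""
    return [e for e in events if e["user"] not in care_team.get(e["mrn"], set())]


def records_with_access_spike(events, max_distinct_users=3,
                              window=timedelta(hours=24)):
    """Records viewed by more than `max_distinct_users` distinct users inside
    any sliding window of length `window`. Returns {record: peak user count}.
    A newsworthy patient typically shows up here before anyone complains."""
    by_record = defaultdict(list)
    for e in events:
        by_record[e["mrn"]].append(e)
    spikes = {}
    for mrn, evs in by_record.items():
        evs.sort(key=lambda e: e["ts"])
        peak = 0
        for i, start in enumerate(evs):
            # Distinct users from this event forward while still inside the window.
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            peak = max(peak, len(users))
        if peak > max_distinct_users:
            spikes[mrn] = peak
    return spikes


def review(log_text, care_team, **spike_options):
    """Run both checks and return the findings for a reviewer to triage."""
    events = parse_log(log_text)
    return {
        "no_relationship": accesses_without_care_relationship(events, care_team),
        "spikes": records_with_access_spike(events, **spike_options),
    }


if __name__ == "__main__":
    findings = review(ACCESS_LOG, CARE_TEAM)
    for e in findings["no_relationship"]:
        print(f"{e['ts'].isoformat()} {e['user']:8} ({e['role']}) accessed "
              f"{e['mrn']} without a documented care relationship")
    for mrn, n in findings["spikes"].items():
        print(f"{mrn}: viewed by {n} distinct users within 24h")
```

<p>Two design points matter in practice. The care-team roster is the hard part: it has to be built from encounter, scheduling and assignment data, and roles that legitimately touch many charts (billing, health information management, emergency “break the glass” access) need their own rules rather than a blanket exemption, or the review either drowns in noise or misses exactly the staff the Clooney case involved. Second, the findings are a starting point for the sanctions process the Privacy Rule already requires, so the output should be retained as evidence, not just printed.</p>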
<p>The case also illustrates some of the differences between the privacy risks posed by paper and by electronic records. With electronic records, a patient’s privacy can be breached by someone who never has physical access to the chart, and once that privacy is breached electronically it can never be recovered.</p>
<h3>Punitive Damages for Breaches of Medical Privacy</h3>
<p>A case out of New York also serves as a cautionary tale with regard to the monetary damages that may be awarded for breaches of medical privacy.</p>
<p>In <em>J. v. Long Island Surgi-Center</em> (N.Y.A.D. 2nd Dept., September 25, 2007), a 20 year-old, unmarried woman who lived with her parents decided to terminate her pregnancy at the Long Island Surgi-Center. Since her parents disapproved of pre-marital sex and were implacably opposed to abortion, she was determined to keep her decision from them.</p>
<p>When she first contacted the clinic to arrange for the procedure, she provided her cell phone number and gave specific instructions never to call her at home. The day after her abortion, nevertheless, one of the clinic’s nurses telephoned the young woman’s home and spoke with the person she knew to be her mother. In the course of the conversation, the nurse revealed information sufficient to allow the mother to conclude that her daughter had had an abortion.</p>
<p>On appeal, the Appellate Division held that, in the young woman’s subsequent action to recover damages for wrongful disclosure of confidential medical information under New York’s Public Health Law, the trial court was “not in error” to submit the issue of punitive damages to the jury.</p>
<p><a href="http://www.dannamckitrick.com/articles/wp-content/uploads/2008/02/healthcare-news-february-2008.pdf">View PDF</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.dannamckitrick.com/articles/2008/02/george-clooney-and-hipaa/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Recent Cases Involving Patient Privacy—How Far Does the Duty Go for Employees?</title>
		<link>http://www.dannamckitrick.com/articles/2007/01/recent-cases-involving-patient-privacy%e2%80%94how-far-does-the-duty-go-for-employees/</link>
		<comments>http://www.dannamckitrick.com/articles/2007/01/recent-cases-involving-patient-privacy%e2%80%94how-far-does-the-duty-go-for-employees/#comments</comments>
		<pubDate>Tue, 02 Jan 2007 01:52:03 +0000</pubDate>
		<dc:creator>Laura Gerdes Long</dc:creator>
				<category><![CDATA[Case Studies]]></category>
		<category><![CDATA[Health Care]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Laura Gerdes Long]]></category>

		<guid isPermaLink="false">http://www.dannamckitrick.com/articles/?p=81</guid>
		<description><![CDATA[On May 24, 2006, the Illinois Supreme Court granted an appeal for a defendant hospital’s petition for leave. A decision in this case concerns the extent of an employer’s liability for an employee’s off-site and off-duty breach of a patient’s privacy. The case alleged that plaintiff was a patient at a particular medical group. Blood [...]]]></description>
<content:encoded><![CDATA[<p>On May 24, 2006, the Illinois Supreme Court granted a defendant hospital’s petition for leave to appeal. The decision in this case concerns the extent of an employer’s liability for an employee’s off-site and off-duty breach of a patient’s privacy.</p>
<p>The complaint alleged that the plaintiff was a patient at a particular medical group. Blood samples and/or records were sent to a hospital and examined by a phlebotomist. The phlebotomist revealed the results of those records, at a public tavern, to the plaintiff’s twin sister. The hospital admitted that the phlebotomist had revealed one fact about the plaintiff, learned from her medical records, to the plaintiff’s sister at a tavern, but also asserted that when the phlebotomist revealed the information she was not acting within the scope of her employment with the hospital. Although HIPAA does not provide a private cause of action, in Illinois a common-law right-of-privacy cause of action existed for the violation of the plaintiff’s right to privacy.</p>
<p><span id="more-81"></span>The court held that the question whether the phlebotomist was acting in the scope of her employment with the hospital was a question for the jury. The court went on to note, however, that the defendant hospital and employee had a duty not to disclose confidential information, without limitation as to time or place.</p>
<p>The court reasoned that the “hospital&#8217;s training of its employees did not limit the duty of the employee to maintain confidentiality of patients’ medical information only during working hours. Rather, that duty, imposed by the hospital in its execution of its duties, was, according to its own training, to extend to all times and to all places. In effect, for purposes of patient confidentiality, [the phlebotomist] was on duty 24 hours a day, 7 days a week.” Thus, the defendant had a continuing off-shift duty to maintain the confidentiality of patient records. This duty derived not only from the hospital&#8217;s rules of employment, but also from the patient&#8217;s right to privacy.</p>
<p>The court further cited employees of lawyers, therapists, and other employers who maintain confidential information as examples of other workers who have a constant duty to keep confidentiality.</p>
<p><a href="http://www.dannamckitrick.com/articles/wp-content/uploads/2009/05/healthcare-news-january-20072.pdf">View PDF</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.dannamckitrick.com/articles/2007/01/recent-cases-involving-patient-privacy%e2%80%94how-far-does-the-duty-go-for-employees/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Physician Practices and Records Transfer in the HIPAA Era</title>
		<link>http://www.dannamckitrick.com/articles/2007/01/physician-practices-and-records-transfer-in-the-hipaa-era/</link>
		<comments>http://www.dannamckitrick.com/articles/2007/01/physician-practices-and-records-transfer-in-the-hipaa-era/#comments</comments>
		<pubDate>Tue, 02 Jan 2007 01:42:57 +0000</pubDate>
		<dc:creator>Laura Gerdes Long</dc:creator>
				<category><![CDATA[Health Care]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Laura Gerdes Long]]></category>

		<guid isPermaLink="false">http://www.dannamckitrick.com/articles/?p=77</guid>
		<description><![CDATA[In the current environment, it seems that businesses are constantly changing hands, merging or dissolving. The question then is what happens with a patient’s medical records when a medically-based business is bought, sold or dissolved? State laws and HIPAA inform the answer. In Missouri, patient records under the care, custody and control of a medical [...]]]></description>
			<content:encoded><![CDATA[<p>In the current environment, it seems that businesses are constantly changing hands, merging or dissolving. The question then is what happens with a patient’s medical records when a medically-based business is bought, sold or dissolved? State laws and HIPAA inform the answer.</p>
<p>In Missouri, patient records under the care, custody and control of a medical licensee must be maintained for a minimum of seven years from the date the last professional service was provided. (R.S.Mo. § 334.097).</p>
<p><span id="more-77"></span>If selling a practice, a series of steps must be accomplished when notifying patients of the sale, including notifying the patient of the process for obtaining a copy of medical records and the potential need for a written authorization before medical records can be transferred to another provider. Moreover, under HIPAA, a specific authorization is required for the release of information considered sensitive, such as HIV/AIDS status, psychiatric history, drug or alcohol abuse, or sexual abuse.</p>
<p>Since the physical record is considered the property of the practice and the information in the record is considered the property of the patient, a practitioner who is leaving one practice to go to another should not simply take with him or her the records of those patients who will continue in his or her care.</p>
<p>For instance, if a practice is dissolved, a custodian of patient records may have to be located and a business associate agreement obtained requiring that custodian or receiving physician to respect the confidentiality of the records in accordance with HIPAA. The state medical board or department of health should also be notified where the records are being stored in case patients, at some point in the future, need to access their records if the former physician or custodian cannot be located.</p>
<p>In addition, the <a href="http://www.ama-assn.org/ama/no-index/physician-resources/2498.shtml">Code of Ethics of the American Medical Association</a> at E-7.03 provides similarly. Patients should initially be notified and informed that upon authorization, their records will be sent to their choice of physician. Any records not forwarded to a new physician should be retained, either by the treating physician, another physician, or such other person lawfully permitted to act as a custodian of the records. If the physician is leaving a group practice, after notification, the patients should also be informed of the physician’s new address and offered the opportunity to have their medical records forwarded to the departing physician at his or her new practice location. The Code warns that it is unethical to withhold such information upon request of a patient.</p>
<p>In the case of a retiring physician, it may be most practical to transfer the records to a hospital. The hospital should agree to treat the records as if they were their own for HIPAA purposes and only transfer the records to another physician upon the patient’s written authorization. Essentially, the hospital becomes a business associate of the retiring physician and is subject to the business associate requirements of HIPAA.</p>
<p>As you can see, many issues must be considered and many precautions taken with regard to patient records when a physician retires, moves from an existing practice, or sells a practice.</p>
<p><a href="http://www.dannamckitrick.com/articles/wp-content/uploads/2007/01/healthcare-news-january-2007.pdf">View PDF</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.dannamckitrick.com/articles/2007/01/physician-practices-and-records-transfer-in-the-hipaa-era/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Employer-Sponsored Group Health Plans &amp; HIPAA’s Third Installment</title>
		<link>http://www.dannamckitrick.com/articles/2007/01/employer-sponsored-group-health-plans-hipaa%e2%80%99s-third-installment/</link>
		<comments>http://www.dannamckitrick.com/articles/2007/01/employer-sponsored-group-health-plans-hipaa%e2%80%99s-third-installment/#comments</comments>
		<pubDate>Tue, 02 Jan 2007 01:20:54 +0000</pubDate>
		<dc:creator>Laura Gerdes Long</dc:creator>
				<category><![CDATA[Employment Law]]></category>
		<category><![CDATA[Health Care]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Laura Gerdes Long]]></category>

		<guid isPermaLink="false">http://www.dannamckitrick.com/articles/?p=70</guid>
		<description><![CDATA[If small business employers think that the Health Insurance Portability and Accountability Act—or what we fondly refer to as “HIPAA”—only applies to health care providers, they need to think again. Small business owners need to get hip to HIPAA because those that offer employer-sponsored health plans (as most do) must also protect the privacy of [...]]]></description>
			<content:encoded><![CDATA[<p>If small business employers think that the Health Insurance Portability and Accountability Act—or what we fondly refer to as “HIPAA”—only applies to health care providers, they need to think again. Small business owners need to get hip to HIPAA because those that offer employer-sponsored health plans (as most do) must also protect the privacy of employees’ medical information.</p>
<p>Physician practices typically understand they are “Covered Entities” under HIPAA due to their status as medical providers, but many are unaware they may also carry the title of “Covered Entity” by way of their employer status.</p>
<p><span id="more-70"></span>Though employers are not Covered Entities under HIPAA, many employers offer fully or partially self-funded health plans to their employees and <em>those health plans <strong>are</strong> Covered Entities under HIPAA</em>. Indeed, even flexible spending accounts or 125 plans are considered health plans and thereby must comply with HIPAA.</p>
<p>Last April, the final installment in the series of three HIPAA regulations went into effect. The first installment was the Electronic Health Care Transaction and Code Sets (October 2002). The second installment was the Privacy Rule (April 2003 or April 2004 for small group health plans). Finally, as of April 20, 2005, all covered entities (as defined by HIPAA) were required to implement the Security Rule. Small health plans, defined as those that spend $5 million or less in claims, were given until April 20, 2006, to comply.</p>
<p>The Security Rule, a series of standards, provides administrative, physical and technical safeguards to protect the security of electronic health information. It may be found at Title 45, Code of Federal Regulations, Part 164, Sections 302-318 (45 CFR 164.302).</p>
<p>While the Privacy Rule includes a mini-security rule, the regulations of the Security Rule are far more detailed and include comprehensive ways in which a covered entity may perform a risk analysis to determine the measures required to comply with the Rule. The Security Rule applies to the same covered entities as the Privacy Rule and similarly applies to the covered entities’ business associates. If you offer a health plan to your employees, that plan must meet both the Privacy Rule and Security Rule requirements. By extension, the employer must ensure that the plan has met those requirements.</p>
<p>For small plans, compliance may be simple, especially when most employers outsource their health care operations to third party administrators and have very little interaction with electronic protected health information, or PHI.</p>
<p>Like the Privacy Rule, the Security Rule requires health plans to limit disclosures of PHI to the plan sponsor employers unless certain conditions are met. Consequently, non-covered entity employers who are health plan sponsors are affected by HIPAA’s Security Rule, including having to amend employer health plan documents to incorporate provisions requiring such employers who receive PHI from the health plan to implement security safeguards.</p>
<p>These safeguards consist of three categories of standards, administrative, physical and technical, together with numerous implementation specifications.</p>
<p>The good news is that the Security Rule permits flexibility in your entity’s approach based upon organizational size, complexity, staff capabilities, the likelihood of potential risks, costs, and your computer hardware and software capability.</p>
<p>It’s also a good time to be reminded that every three years, covered entities should revisit their adherence to the Privacy Rule requirements by evaluating actions taken and determining whether it is appropriate to modify compliance processes and procedures. HIPAA compliance does not have a completion date; rather, it is an ongoing process.</p>
<p><a href="http://www.dannamckitrick.com/articles/wp-content/uploads/2009/05/healthcare-news-january-2007.pdf">View PDF</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.dannamckitrick.com/articles/2007/01/employer-sponsored-group-health-plans-hipaa%e2%80%99s-third-installment/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

