Time to Improve Awareness

Doing the right thing, or merely demonstrating compliance with requirements, is hard when knowledge of the expected or necessary requirements is missing or insufficient. In such a situation, it becomes harder to fault individuals for the resulting missteps or violations. Unfortunately, lack of awareness is a primary issue plaguing security efforts in healthcare.

A recent study conducted by Kaspersky of healthcare organizations in the United States and Canada uncovered some fairly startling figures. Key findings from the study include the following:

  • 34% of respondents were not aware of their organization’s cybersecurity policies, with that percentage evenly split between respondents saying they should know about such policies if they exist and respondents saying there is no need for awareness.
    • 17% of respondents thinking that there is no need to be aware of cybersecurity policies should be a major red flag. When it comes to healthcare data, every single individual in an organization has an important role to play with regard to security. Apathy will likely quickly lead to a breach.
  • 44% of respondents have not received cybersecurity-related training. Of that figure, 25% thought they should have received training and 19% said training was not necessary.
    • The portion of respondents that think training is not necessary is another red flag. From the healthcare perspective, every individual employed by a covered entity must be trained, since annual training is an obligation imposed by HIPAA. Regardless of whether an individual believes training is needed, it should not be skipped, from both a practical and a compliance perspective.
  • The last area addressed was awareness of IT device protections, which resulted in a relatively positive response rate. The majority of respondents were aware of security measures, with the level of awareness varying depending on role.

What do all of the answers mean? That a serious deficiency exists in healthcare when it comes to taking security issues seriously. Despite the constant stream of breach reports and notifications, if individuals do not consider security to be under attack, then the appropriate actions to avoid issues will not be taken.

What could be done to better drive home the message? Some may argue for increased enforcement actions by the Office for Civil Rights or attorneys general on the HIPAA front. Those are the two agencies that can bring actions directly under HIPAA. However, the actual number of enforcement actions is vastly dwarfed by the number of incidents. Lack of training has been cited in some settlements, but missing risk analyses are more often identified as areas of fundamental non-compliance. It is possible that the threat of monetary pain could spur greater action. The question, though, is at what level of an organization that action would occur. A typical rank-and-file individual within an organization may not perceive the risk of enforcement as something that relates to them, instead thinking it is an issue that the organization is responsible for. While that perception is likely accurate in terms of who will pay a potential fine, the fine would be the result of inaction or inappropriate action by an individual. From that perspective, the burden is still pushed to the organization to appropriately inform individuals of the risks and of why security awareness is important.

Another means of “enforcement” may be lawsuits based upon state law, initiated by those impacted by a security failure. In fact, class actions frequently arise after a large data breach is reported, with such suits now following within days at times. However, the ability of such a suit to succeed is very dependent upon the state law of the location where an incident occurs. A primary gating issue is what form of damages needs to be asserted. The question specifically centers upon whether actual damages need to be established or whether potential future harm from the disclosure of information is enough. As already stated, the answer to that question is state-specific. As with government enforcement, though, individuals within an organization will not necessarily bear the repercussions of a lawsuit. Again, the organization will be named and on the hook.

If enforcement is not a clear path, what about changing the culture in an organization? Culture focuses on expectations, self-driven actions, and more, so that individuals acknowledge responsibility and proactively work to improve security. Arguably, culture could be a linchpin for true strides forward in security. If all individuals in an organization support and consider security, then efforts can feed upon themselves and grow beyond the expectations of the initial architects. Further, a culture of security is self-sustaining and will push outward without requiring such concerted and artificial-feeling efforts.

There is no doubt that the study from Kaspersky is concerning. However, it can also be a wake-up call and provide the means for a call to action. Will that call be answered? Hopefully yes.

Unnecessary Stress: HIPAA and Litigation Requests

While many areas of HIPAA compliance result in confusion and misinterpretation, responding to document requests from parties in litigation is one that has been presenting itself frequently. The classic scenario is that Party A and Party B are in a lawsuit with each other. Party A’s claim is based upon suffering some sort of injury that resulted in receiving medical treatment. During the course of the lawsuit, Party B sends a request for documents to Party A’s physicians. No surprises have arisen yet, and the ability to obtain documents is a classic part of litigation.

However, the “fun” will often start when the physician receives the request. Many physicians receiving a request will look at it and refuse to provide documents until Party B provides a clear authorization from Party A allowing the release, or will want a court order. The physician will then blame HIPAA for taking this position. Is the position correct? Not entirely. A written authorization and a court order are certainly two means of demonstrating appropriate permission to release records under HIPAA, but they are not the only two means.

In exploring when records can be released, it is first important to understand where in the HIPAA Privacy Rule the ability to produce records for lawsuits exists. The authority is found at 45 C.F.R. § 164.512(e), which is a subsection entitled “Disclosures for judicial and administrative proceedings” (the “Proceeding Response Rule”). More interestingly, the full Section 164.512 identifies uses and disclosures for which an authorization or opportunity to object is not required. The entire Section of the Privacy Rule is for uses where authorization is not required. The mere location of the rule allowing disclosures undercuts the prototypical response that a patient’s authorization is needed for the release.

A decision from the Connecticut Supreme Court allowed a patient to proceed with an action against their physician’s office when records were disclosed in litigation. The records were produced in response to a subpoena. However, the bare summary of the case is not the end of the story. Diving into the details of the decision, the root of the physician office’s problem was not necessarily providing the documents in response to a subpoena, but not following the requirements set forth in HIPAA before producing the documents. The case, therefore, while premised on state law, looked for the clear requirements of the Proceeding Response Rule to be followed before information is divulged.

Breaking down the Proceeding Response Rule, it states that a covered entity (or a business associate on behalf of a covered entity) can disclose protected health information (“PHI”) in response to (i) an order of a court or administrative tribunal or (ii) a subpoena, if certain conditions are met. The conditions to be met around a subpoena are the factors that trip up so many. The conditions are that (i) the covered entity receives satisfactory assurances that reasonable efforts have been made to notify the individual who is the subject of the PHI, or (ii) reasonable efforts have been made to obtain a qualified protective order.

What does it mean to receive “satisfactory assurances” of reasonable efforts to notify, though? Thankfully, the Proceeding Response Rule does not leave that question unanswered. The Proceeding Response Rule specifies how the requesting party can provide satisfactory assurances, which should be done through a written statement and accompanying documentation.

Satisfactory assurances can be provided by (i) showing good faith efforts to provide notice of the request to the subject individual, (ii) including sufficient information about the nature of the proceeding in the notification to enable the subject individual to appropriately object, and (iii) showing that the time to object has lapsed and either no objection was filed or any objection has been resolved. As stated, if these elements can be satisfied, then the covered entity receiving the subpoena can provide documents containing PHI without either a court order or a written authorization. Further, the means of establishing the reasonable efforts are not overly burdensome, nor are they likely misaligned with standard discovery procedures.

If a qualified protective order is presented, the Proceeding Response Rule also sets out what can be considered a qualified protective order. In short, it will either be agreed upon by the parties and approved by the court or administrative tribunal, or issued in the first place by the court or administrative tribunal.

In light of the explanation of the Proceeding Response Rule, all organizations should get more comfortable with the requirements under HIPAA and not unnecessarily block access to information. Once HIPAA is put into the sunlight and broken down part by part, it can be seen that the rules are not arcane or unnecessarily tricky. Instead, HIPAA does a good job of laying out the path to follow.

Data Use: Who Should Control?

Questions around the state of privacy for healthcare and other information are being left unanswered in many regards. Many services and tools fall outside the “traditional” healthcare realm, which means HIPAA and state-level legal protections focused on the healthcare industry do not provide coverage. Services that ostensibly protected data are also frequently found either not to have been entirely forthcoming or to have been using data all along, just without readily apparent disclosure.

The summary of privacy woes may seem like a litany applicable only to individual or consumer use. Unfortunately, the same may hold true for healthcare clinicians as well. Digital or cloud-based tools can offer a seemingly great deal, but that great deal may come with a catch: the ability to de-identify data and use it for other purposes. That can be a negotiated point when working with a vendor or consultant, and a knowing negotiation is not problematic. What happens, though, when the ability to use data is inserted after use has already started, or is part of the terms of use when signing up for an electronic medical record?

The scenario of a cloud-based electronic medical record (“EMR”) reserving to itself the ability to de-identify patient information is neither hypothetical nor far-fetched. Instead, it appears frequently in the terms of use of many EMRs. Examples of such terms can be found in the terms of use for systems supporting all types of clinicians, from physicians to mental health professionals to dentists and more.

The provisions can be very generous in favor of the EMR vendor, such as this language (which appears identically in at least two products): “In consideration of our provision of the Service, you hereby transfer and assign to us all right, title and interest in and to all De-Identified Information that we make from Your Information pursuant to Section 4.1.5. You agree that we may use, disclose, market, license and sell such De-Identified Information for any purpose without restriction, and that you have no interest in such information, or in the proceeds of any sale, license, or other commercialization thereof. You acknowledge that the rights conferred by this Section are a principal consideration for the provision of the Service, without which we would not enter into these TOS.”

Another version looks like this: “[Vendor] may use protected health information to provide you with data aggregation services (as that term is defined by HIPAA) and to create de-identified data in accordance with 45 CFR 164.514(a)-(c) retaining any and all ownership claims related to the de-identified data it creates from protected health information. [Vendor] may use, during and after this agreement, all aggregate anonymized information and de-identified data for purposes of enhancing the Service, technical support and other business purposes, all in compliance with the HIPAA Privacy Standards, including without limitation the limited data set and de-identification of information regulations.”

An underlying question is why an EMR, which is purpose-built to store patient data for the clinician, wants the ability to go into the data it is holding and de-identify it. One obvious answer is that de-identifying data could enable the EMR vendor to amass a large database of valuable information that can be sold through other avenues and provide a better profit. The aggregated data could also be used to enhance analytics, which could be an add-on feature obtained for a fee. Ultimately, with data becoming the predominant commodity in the market, any ability to get vast quantities for free (or, arguably, to have someone pay to give it to you) will be pursued.

Leaving aside the reasons for wanting the unbridled ability to de-identify data, the discussion may shift back to whether some services should stay out of that game, or at least make it very plain upfront. That discussion seems especially relevant in the EMR field because clinicians may not have a choice of whether to adopt an EMR, and little to no practical choice as to which one will be chosen. Further, the EMR may be viewed as a secure electronic version of a clinician’s old paper records, an area that no one would previously have thought would be freely available to a third party.

Despite all of the questions, imposing the ability to de-identify, so long as it is done consistent with HIPAA requirements, likely does not result in conduct contrary to HIPAA. As noted in one of the provisions, HIPAA specifically identifies how data may be de-identified and goes on to state that once data are de-identified, the de-identified data are outside the bounds of HIPAA.

While HIPAA may permit the activity, if the right is obtained through a bait-and-switch method or hidden, then the Federal Trade Commission may be interested in the issue as an unfair or deceptive business practice. While the argument is possible, it could be an uphill battle to establish or prove.

Regardless of the legality, an EMR vendor reserving to itself the ability to de-identify data in its product may create a practical problem. Distaste for the practice could drive away customers (unless there are no other options) and create public backlash. That is not necessarily far-fetched, as Practice Fusion did receive a fine from the FTC for deceptive practices around patient contacts. That issue was not centered on de-identification, but a similar case could be brought.

As noted at the start, privacy concerns are coming to the fore and being debated with more nuance and attention. As those discussions continue and delve into new areas, de-identification practices could very well receive some time in the sun.