Spotlight Bright on Business Associates

The HIPAA spotlight is beginning to shine brightly on business associates. Covered entities have long had their time to star, so it is only fair to share the stage now. It is likely that covered entities are only too happy to have the Office for Civil Rights (“OCR”) and others focus attention on business associates with all the consequences that come with such attention.

A potentially non-punitive form of attention is the soon-to-begin desk audits of business associates. Recent statements from individuals in OCR, including Deputy Director for Health Information Privacy Deven McGraw, indicate that the desk audits will begin in October. Unlike covered entities, which received emails confirming information first, business associates will be thrown right into the response fire. As many will recall, entities only received up to fourteen days to submit responsive information to the desk audits. This means that business associates must be ready to roll now and cannot afford to play catch-up if an audit notice is sent. One small sliver of comfort is that only forty to fifty business associates will be audited (for now), though it is nearly impossible to know how extensive OCR’s database of business associates really is and just who is in that database. The other note of comfort, if it can be called comfort, is that OCR will host an informational webinar for business associates who do receive audit notices to help with responses. Since the webinar will likely mirror the webinar conducted for covered entities, it is advisable to review materials from that earlier webinar.

The first round of business associate audits will hopefully provide some level of insight into the compliance preparedness of business associates. Such insight is dependent upon OCR publishing results from the audits. No public, or easily findable public, statement has been made as to when or if results will be published. Even though there are no apparent statements on that front, OCR’s recent history of pushing out compliance guidance bodes well in favor of getting such information.

The second action directed at business associates is another non-compliance settlement resulting from a breach. The target, this time, was Care New England Health System (“CNE”). CNE is the parent company to a number of hospitals in Massachusetts and Rhode Island. As the parent, CNE provides centralized support services whereby CNE received and/or accessed protected health information of its subsidiaries. The setup is nothing out of the ordinary. The aspect that cost CNE $400,000 was that the business associate agreement with each subsidiary was executed in 2005 and then not updated until the middle of OCR’s investigation in 2015. Remember, the Omnibus Rule required updates (for the most part) as of September 2013. Disregard for updated compliance requirements will not be tolerated. The CNE settlement is only the most recent example. As has been stated many times before, each OCR settlement is used to emphasize a particular point under HIPAA. The CNE lesson is: do not put an agreement into place and then forget about it, never to be touched again. That is a sure road to a fine at some point.

Given the second business associate related settlement and very near audits, how comfortable do business associates feel with compliance efforts? For a long time compliance was not necessarily a significant concern for business associates.  Such a situation cannot continue. Now is the time to evaluate, update and do what needs to be done.

Posted in Compliance, HIPAA, HITECH

Telemedicine: Opportunity Waiting

The technology behind and supporting telemedicine has come a long way in a short period of time. To some degree, the development reflects general technology. It can be hard to remember given the ubiquity of smartphones and other mobile devices that communication and video anywhere and everywhere is still relatively new. Going back less than ten years, it was not possible to talk by audio or video anywhere. Instead, video streaming was relatively difficult and did not provide great quality. Now, a smartphone provides HD quality video almost anywhere. The explosion in access has driven such services, which can fuel the use of telemedicine.

Given the theoretical ease of access to video and audio communication, what does that mean for telemedicine? It means that telemedicine is poised to break through barriers impacting access to care, at least from the technological side. From a non-IT perspective, there do not appear to be many technology-based barriers to accessing and utilizing telemedicine. Easy and readily available videoconferencing exists in platforms that everyone can access. As indicated, videoconferencing, typically in the form of FaceTime, can be used by almost anyone at any time. Why has healthcare apparently not caught on?

One popular narrative explaining the inability to widely access telemedicine is that healthcare is slow to adopt new technology. However, that adage is applied to many professions, including mine of law. It is an easy thing to say that does not necessarily reflect reality. Technology pervades all aspects of life and it is increasingly coming into all professions. If there is a benefit to providers and patients, I expect that more often than not the tool will be utilized. Adoption will be true whether it is a new medical device, pharmaceutical, or other solution. Change occurs and no industry is immune.

However, change may need to be accompanied by incentives. For example, healthcare, as is widely known, went through a massive adoption spree for electronic medical records. Usage and adoption were not widespread until the federal government passed and implemented the Meaningful Use program. With that program in place and providing financial incentives, healthcare providers and hospitals ramped up implementation very quickly. The availability of federal dollars also resulted in a proliferation of vendors. However, such financial incentives also provide a cautionary tale. For electronic medical records, adoption occurred very quickly as a result of the availability of incentive money. The resulting systems did not necessarily meet the needs and expectations of healthcare providers, which has caused continued frustration and complaints.

In this climate, telemedicine is now trying to become the latest technological development to garner the attention and support of healthcare. Like electronic medical records, a financial incentive is needed. For telemedicine though, the financial incentive will not constrain and artificially accelerate adoption. Instead, the financial incentive should be in the form of reimbursement for services and care provided. Telemedicine is not necessarily a technological innovation so much as a technologically enabled extension of care delivery. Telemedicine brings healthcare services to remote areas and increases the ability to obtain certain types of care, whether primary or specialty. However, these services cannot be provided for free. Reimbursement on a consistent basis is necessary. Increasing integration into healthcare, whether as a health insurance benefit or retail availability, accustoms all involved to providing payment. As money continues to flow in, use will continue to increase as well.

Related to reimbursement is the potential for telemedicine to fit into value-based care initiatives too. Even if a telemedicine service is not specifically reimbursed, if it can be utilized to reduce unnecessary patient visits or help a patient improve from home, then it provides value. With healthcare shifting away from fee-for-service, resources that create outreach and easy touchpoints with patients will be extremely valuable.

Demand for telemedicine can also play a role in another current barrier to telemedicine usage: laws and regulations. Right now, each state has its own rules, whether imposed by a local board of registration in medicine or from actual legislation. The Centers for Medicare and Medicaid Services also follow different rules as to when telemedicine may be allowed. The differences between all of these laws and regulations require a significant amount of attention to ensure that services are provided in a legal manner. Complying with all of these requirements also imposes significant costs on the providers, which in turn impacts how cost-effective or cost-conscious the services can be.

Despite these barriers, hope is appearing on the horizon. Telemedicine providers and consumers are seeking more consistent access and responses are occurring. States with very restrictive rules are facing challenges, with Texas as a prime example. Not only are restrictive rules being challenged, but the federal government is siding against the state government. Such a balance puts other states on notice that restrictions will not be tolerated.

What do all of these actions mean for access to and use of telemedicine? Telemedicine access should begin to reflect non-healthcare access to remote communications. Healthcare cannot remain an exception to access when and where wanted. Too much is at stake for all sides to resist this level of change. Optimistically, these pressures are beneficial. Widespread access to telemedicine adds another tool to the chest for healthcare and can help result in better care. As stated at the beginning, there is a tremendous amount of promise associated with technology, including telemedicine. That potential still needs to be harnessed, but the day for telemedicine is coming closer and closer.

National Health IT Week is an ideal time to continue this push. Telemedicine takes advantage of so many IT developments and should be celebrated. Many innovators, whether startups or established companies, are pushing boundaries and seeking new ways to deliver care. Let’s celebrate these achievements, but also say keep going and keep finding new solutions.

Posted in Health IT, Healthcare, HIPAA

WhatsApp, A Healthcare Panacea: Not So Fast

A recent article on Forbes, “Why WhatsApp Could be a Game-Changer for American Health Care,” caught my eye and attention. The article focuses on a commonly reported desire among professionals in the healthcare industry to have and use text messaging. Texting is used in everyday life, so why not in healthcare? The quick, but incomplete, answer is HIPAA. HIPAA is used as an excuse or barrier for many proposals in healthcare, but it does not tell the entire story.

The Forbes article chooses to focus on WhatsApp because WhatsApp includes end-to-end encryption. It is argued that this form of encryption addresses privacy and security concerns in healthcare by helping to lock down the messages being transmitted, including the information contained in the message. Encryption is only a piece of ensuring that communications comply with applicable HIPAA requirements. As the article rightly points out, issues of recipient verification and maintenance of information present challenges under HIPAA. These are definitely relevant and valid concerns.

While WhatsApp and its end-to-end encryption may be appealing to healthcare, the application practically is not ready to be used in healthcare. Even though WhatsApp may claim it does not access messages or information sent through its network, the question of whether WhatsApp stores the data remains. If WhatsApp stores data, then it is not a conduit and any covered entity utilizing the service would need a business associate agreement with WhatsApp. Additionally, if data is stored on WhatsApp servers, it would be necessary to gain insight into the measures ensuring the privacy and security of information stored on those servers.

Another issue related to WhatsApp is the lack of enterprise-level account creation capabilities and just the overall lack of enterprise-level options. As currently constituted, WhatsApp is designed for individual use. Companies cannot gain control over accounts created by employees or otherwise create a corporate account that employees can work under. As recently as May, I directly asked individuals at WhatsApp whether the application would be expanded to commercial use and in particular for the healthcare industry. At that time, WhatsApp indicated that it was in the very early stages of incorporating or developing a commercial based product/option, but had not progressed very far or given special consideration to usage in the healthcare industry. The absence of consideration by WhatsApp itself further demonstrates that it is not ready for real use in healthcare at this time.

Another recent announcement by WhatsApp should further dampen any potential usage in healthcare. In a shift from previous stances of zealously protecting privacy, WhatsApp announced that it will begin sharing some information about users with its parent, Facebook. While users can opt out of some amount of the data sharing, the mere fact that data will move outside of WhatsApp to another entity should cause pause for any healthcare provider that would consider using WhatsApp. Even if WhatsApp asserts that only some basic metrics will be shared, this suggests that information is being accessed and policies could continue to shift in the future.

The face value promise of WhatsApp and the speed with which publications or others seem to have jumped on potential uses underscore why healthcare needs to develop a solution that allows everyday functionality to come in. While easing communication and incorporating basic technology is a recognized and desired goal, healthcare and HIPAA present challenges. These challenges are not insurmountable, but demonstrate why healthcare-specific solutions often need to be created. A quick look around the internet can find some healthcare-specific messaging applications and the solutions continue to be refined so they more closely mirror applications such as WhatsApp or iMessage. However, the applications likely will need to be healthcare specific, at least at this point, to help ensure that individuals and entities within the healthcare industry can satisfy applicable regulatory requirements.

Posted in Business, Health IT, Regulations