When is Enough, Enough?

An easy to overlook aspect of the HIPAA Privacy Rule is the requirement that all uses and disclosures be of the “minimum necessary” amount of protected health information. That means the least amount of information needed for the intended purpose should be used. That is not always an easy concept to keep in mind or follow.

Before diving into an example of an overreaching request, an overview of the minimum necessary requirements will be helpful. The minimum necessary standards can be found at 45 C.F.R. § 164.502(b), which is part of the general rules governing uses and disclosures of protected health information. As with so many requirements in the Privacy Rule, the initial statement provides that all uses and disclosures, and all requests for protected health information, should only include the minimum necessary amount. The regulation then goes on to state that the following uses and disclosures are exempt from the minimum necessary requirement: (i) disclosures to, or requests by, a health care provider for treatment, (ii) uses or disclosures to the individual who is the subject of the protected health information, (iii) uses or disclosures pursuant to a valid authorization, (iv) disclosures to the Secretary of the Department of Health and Human Services, (v) uses or disclosures required by law, and (vi) uses or disclosures required for compliance with applicable portions of the Privacy Rule.

On the whole, the carve-outs are fairly limited and do not cover all that many instances. In reading between the lines a little bit, the exemptions go to instances where the use or disclosure will benefit the individual or when the law mandates that a use or disclosure occur. As suggested, those make sense because there is an overriding interest driving the use or disclosure.

With background on the minimum necessary requirement out of the way, an interesting example can now be presented. As will happen from time to time (or too frequently, depending on one’s particular viewpoint), healthcare providers or organizations will receive requests from payors to provide medical records. The request may be for purposes of auditing the accuracy of claims submissions or as part of a general quality review. A recently increasing reason is for a payor to “need” data from the medical records to gather risk adjustment data in connection with submitting reports required by the Affordable Care Act.

A compliance officer provided such a request to me, but with a nuanced question. Specifically, the request received by this particular compliance officer sought all records concerning a specified list of patients for an entire year. However, the patients were not always covered by the requesting payor for the entire year. For example, one patient may have been on payor X and switched to the requesting payor for only two months of the year. Despite that limitation, the payor wanted all of the patient’s information for the entire year. Could all of the information be disclosed?

While the answer could depend on the specifics, the request certainly seems to be overly broad. Why could a payor seek information about a patient for periods when the patient was not a beneficiary of that payor? Seeking all of the information for the entire year would appear to be beyond the bounds of minimum necessary. As the notice from the payor indicated, the information was needed for that payor’s specific risk adjustment filings. The FAQs included by the payor explain that the risk adjustment review is to “identify any gaps in coding that are supported by the documentation” and to help ensure accurate coding. The explanation implies that coding should be accurate to help demonstrate the actual health status of patients covered by the payor. Reviewing coding from claims the payor did not cover would not be needed for that purpose, so the records outside the coverage period are not the minimum necessary.
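The scenario above reduces to a data-minimization check that a records release workflow can enforce mechanically: only encounters dated inside the requesting payor’s coverage window for each listed patient go out, and anything else is withheld and flagged so the request can be pushed back on. The following is an added example, not code from the original post or from any payor or provider system; the data model (Encounter, Coverage), the payor identifiers, and the sample records are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Encounter:
    """One dated clinical record for a patient (constructed example type)."""
    patient_id: str
    service_date: date
    record_id: str


@dataclass(frozen=True)
class Coverage:
    """A patient's enrollment with a payor over an inclusive date range."""
    patient_id: str
    payor: str
    start: date
    end: date


def covered_on(coverages, patient_id, payor, day):
    """True if the patient was enrolled with `payor` on `day`."""
    return any(
        c.patient_id == patient_id and c.payor == payor and c.start <= day <= c.end
        for c in coverages
    )


def minimum_necessary(encounters, coverages, payor, requested_patients):
    """Split encounters into (release, withheld) for a payor records request.

    An encounter is released only if the patient is on the request list AND
    the requesting payor covered the patient on the date of service. Everything
    else for a listed patient is withheld; the caller treats a non-empty
    withheld list as evidence the request is broader than minimum necessary.
    """
    release, withheld = [], []
    for e in encounters:
        if e.patient_id not in requested_patients:
            continue  # not part of the request at all
        if covered_on(coverages, e.patient_id, payor, e.service_date):
            release.append(e)
        else:
            withheld.append(e)
    return release, withheld


def build_example():
    """Constructed data mirroring the post: P1 switched payors mid-year."""
    coverages = [
        Coverage("P1", "PAYOR_X", date(2018, 1, 1), date(2018, 10, 31)),
        Coverage("P1", "PAYOR_Y", date(2018, 11, 1), date(2018, 12, 31)),
        Coverage("P2", "PAYOR_Y", date(2018, 1, 1), date(2018, 12, 31)),
    ]
    encounters = [
        Encounter("P1", date(2018, 3, 14), "R-001"),   # under PAYOR_X
        Encounter("P1", date(2018, 11, 20), "R-002"),  # under PAYOR_Y
        Encounter("P2", date(2018, 6, 5), "R-003"),    # under PAYOR_Y
        Encounter("P3", date(2018, 6, 6), "R-004"),    # not requested
    ]
    # PAYOR_Y asks for "all records for the year" on P1 and P2.
    release, withheld = minimum_necessary(
        encounters, coverages, "PAYOR_Y", {"P1", "P2"}
    )
    return (
        [e.record_id for e in release],
        [e.record_id for e in withheld],
        bool(withheld),  # True means the request exceeded minimum necessary
    )


if __name__ == "__main__":
    released, held, overbroad = build_example()
    print("release:", released)
    print("withhold:", held)
    print("request overbroad:", overbroad)
```

The same function works for audit and quality-review requests; what changes is only the coverage table used to define the window. Keeping the withheld list (rather than silently dropping records) gives the compliance officer the concrete list of out-of-window records to cite when responding to the payor.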

Given the concerns about the scope of information requested, the compliance officer in question contacted a former Office for Civil Rights (“OCR”) official. That individual agreed that the request overstepped minimum necessary bounds and even suggested that OCR was aware of such issues. Awareness will not necessarily equate to action, because it is highly likely that other issues have higher priority and this one will remain toward the bottom of the list.

Even if OCR will not be taking action, providers or organizations receiving overly broad requests can push back. It is justified to stand up for one’s interests and seek to ensure that any request is consistent with applicable HIPAA requirements. Minimum necessary is a real requirement and not just superfluous language in the regulation.

Posted in Business, Compliance, Healthcare, HIPAA, HITECH, Regulations

What’s the Goal: HIPAA Enforcement


Compliance with HIPAA and the attendant privacy and security requirements is a frequent topic of discussion. Discussions around compliance are driven by the daily reporting of breaches and the probably more than daily issues faced by patients, clinicians and others when HIPAA is misinterpreted. In the face of all of these issues, there are not many options to turn to in order to obtain redress. Unless state law offers some alternative, HIPAA permits filing a complaint with an organization’s privacy officer, the Office for Civil Rights (OCR), or the applicable state attorney general. With those options, complaints can then feel as though they disappear into a black hole.

Complaints are not just dismissed though. Many thousands result in some form of action, most often by OCR. The typical response from OCR is to send an investigative demand, usually by asking for documentation, to the “offending” organization, reviewing the responses, and then offering technical or other similar advice to address the situation. Following that resolution, OCR will notify the complainant about that generalized action taken.

The common scenario outlined above can leave many feeling dissatisfied though. The lack of overt public action and/or attention can perpetuate an impression that organizations are able to violate HIPAA with impunity. While so-called “behind the scenes” resolutions are the most frequent means of resolution, there can also be well-publicized settlement agreements and fines imposed.

When a complaint or issue results in a public settlement, the resolution agreement most often cites pervasive non-compliance with the HIPAA Security Rule. While a HIPAA Privacy Rule violation could be the genesis for the complaint or other issue, that will fall to the wayside when reading through the actions or omissions that really caught the attention of OCR. Does this mean that OCR is not as concerned with Privacy Rule issues, or just that compounding actions are needed before a fine will be imposed?

Regardless of the answer or response to some of the questions and issues posed above, the bigger underlying question is what is the purpose behind enforcement actions taken by OCR. Actions by states are not really being considered because those are even rarer than monetary penalties from OCR. Should organizations be called to task for violations of all stripes, or only especially egregious conduct called out? One’s response to that question will very likely be driven by the side that one is on.

From the perspective of organizations, the behind the scenes approach to resolution is probably preferred. That allows issues to be identified, guidance provided by OCR, and then changes implemented. At least that is the optimistic assessment and the hope of what happens for conscientious organizations. That should represent the majority of instances. The private resolution avoids unnecessary shaming and lets the organization move on.

From the individual perspective, more public attention and public resolution would likely be preferred. Issues can be pervasive, constant, and disruptive. From that perspective, why should a resolution be reached without anyone being informed of what happened? For example, if an organization’s conduct is brought to the fore, maybe more reports will come that could justify a different response.

From OCR’s perspective, a blended approach is probably preferred. Realistically, the approaches are also constrained by staff and budgetary resources, which are not as high as would be preferred. Resolving the majority of issues by private resolutions enables education and guidance that aims to result in better overall compliance. When specific lessons are needed, then a public fine and settlement could be pursued. That balanced approach can serve multiple needs.

The suppositions from each perspective are purposefully brief and broad stroke. Getting specific input from anyone interested in this issue will be appreciated and help inform the debate and discussion. Let comments commence.

Posted in Business, Compliance, Healthcare, HIPAA, HITECH, Regulations | 2 Comments

HIPAA Musings: Random Thoughts on Privacy and Security

With the holidays quickly receding, there was some time for reflection. When given that time (and honestly spurred to some degree by the HIPAA request for information), different issues about HIPAA wandered through my mind. With so many issues to ponder, and taking a page from Boston Globe sports columnist Dan Shaughnessy and his picked up pieces columns, here are various musings about HIPAA:

  • Why is it assumed that the goals of value-based care cannot co-exist with HIPAA as currently in place? The permissible uses and disclosures for treatment, payment and health care operations are quite extensive. In fact, in beginning to work on comments for submission to the Office for Civil Rights (“OCR”) in response to the request for information, it is apparent that population health style concepts are already included in the definition of health care operations. Further, sharing of information among health care providers and payors is clearly permissible. If other parties are brought into the fold, then those parties will likely fit into one of those categories or be a business associate. In all instances, HIPAA allows utilization of the data.
  • Control and use of data are essential components of most contracts. Almost every analytics, consulting, or similar vendor wants to retain and keep using patient data even once a contract ends. While most such vendors are aware enough to request continued use of only de-identified data, that is not always the case. When a vendor wants to keep identifiable patient data, it suggests that the vendor does not accurately understand HIPAA. However, retention of de-identified data is strongly argued for, since it can enable development of new tools or refinement of existing ones. To the vendors, there is an arguable trade-off: the fees charged will be less if data can be kept, or some similar argument. These arguments counter the often default position of covered entities that de-identification and subsequent use can only occur with explicit permission. As with all things, neither side is entirely right or wrong, but it is an unavoidable debate.
  • While the debate over ownership or control of healthcare data remains strong (my thoughts are clear in this post), the underlying issue often seems to be one of access. Specifically, individuals find it overly difficult and complicated to get access to their records with organizations throwing up barriers left and right. Fundamentally, HIPAA is clear on the right of access and it should not be denied. Frankly, a major HIPAA fine or settlement over denial of access is probably only a matter of time because if an organization makes access difficult for one person, it is likely doing the same to many others. If enough complaints pile up, action may occur. Regardless, why should good relations with a patient be strained over such a simple issue? While it is appreciated that making a copy is not necessarily as easy as pushing one button, it also should not be made into an insurmountable obstacle. If access were easier, then the debate about ownership and control could potentially be moderated into a more productive discussion over ensuring the smooth, seamless, and steady exchange of data.
  • Why does every natural disaster have to trigger a “waiver” of HIPAA now? It seemed to have started with some of the hurricanes a few years ago, but now every time something happens there is the announcement of a limited waiver. HIPAA allows sharing of limited information without a waiver, including confirming that an individual is being treated and directory style information. Further, when the limited waiver is dug into, it does not actually do all that much, since it only waives compliance with requirements that are arguably non-“material” in nature anyway, such as distributing the notice of privacy practices, honoring a request to opt out of the facility directory, or obtaining the patient’s agreement before speaking with family members involved in care. That is not to say that any organization subject to HIPAA can ignore compliance obligations, but the waiver does not put wholesale freedom into place either.
  • When it comes to keeping family members or other involved parties in the dark, it is not necessitated by HIPAA. HIPAA allows information to be shared with family members, though with acknowledged limitations. It is more likely that state law could be the real culprit for not being able to share information. If that is the case, then be honest that state law is at issue. Don’t pin everything onto HIPAA.
  • If an organization has deep pockets and there is any sort of violation that occurs, that organization should be feeling pretty nervous nowadays. The fines imposed by OCR in 2018 for HIPAA violations set a troubling trend that organizations with an ability to pay will be targeted. That pattern emerged starting in February and continuing into November when large fines were imposed over conduct that arguably was not as egregious as previous actions that resulted in negligible or no fines. Now, even “small” breaches could be used to investigate and get into the realm of imposing a fine. That cannot be a comfortable position for any entity. However, there is an easy means of addressing or mitigating the issue: focus on compliance now and always. If an organization makes honest, good faith efforts to avoid issues, then there is a strong argument that a fine should not be imposed. At a minimum, do not miss conducting a risk analysis. It is possible that every single HIPAA settlement includes a finding that the organization did not conduct a sufficient risk analysis or one at all. Skipping is probably inexcusable at this point in time.
  • Lastly, at least for the moment, one of the biggest issues surrounding HIPAA is a continuing lack of understanding of what HIPAA does and how HIPAA operates. It does not matter whether the lack of understanding is deliberate or not; it must change. So many opportunities exist for education and training that there are few excuses for avoiding it. While the pace of guidance from OCR has slowed, if not stopped altogether, there is still a fair amount of information available on the OCR website to give an organization or individual a solid start on comprehending how HIPAA operates. The ability to learn assumes a desire to learn, though. Too often there is a feeling of trying to drag individuals or organizations to the proverbial water and then an obstinate decision to avoid taking the next step. That issue cannot be resolved by anyone other than the individual or organization resisting. Culture change is happening, but not quickly enough.

While those are not nearly all of the musings around HIPAA that bounce around in my head, it is a start. Look for further musings over the course of the year, which will be a means of pouring out an almost stream of consciousness rambling, but with a unifying theme of wanting to drive awareness and understanding to a better place.

Posted in Business, Compliance, Health IT, Healthcare, HIPAA, HITECH, Regulations, Value Based Care | 1 Comment