Mixing It Up: HIPAA Hybrid Entities

When it comes to HIPAA compliance, no stone can be left unturned. The most recent HIPAA settlement announced by the Office for Civil Rights (“OCR”) in the Federal Department of Health and Human Services continues the trend of using settlement agreements to highlight specific areas of HIPAA for compliance. The settlement with the University of Massachusetts at Amherst (“UMass”), which resulted in a fine of $650,000, stemmed from UMass’ failure to appropriately designate its components when establishing the scope of compliance for purposes of hybridizing. While it is certainly possible and acceptable for entities to engage in activities that fall both inside and outside of HIPAA, entities are then responsible for clearly and accurately identifying covered and non-covered components.

The UMass settlement arose out of a malware attack that impacted 1,670 records that included names, addresses, social security numbers and more. As is usually the case, upon receiving notification of the breach OCR conducted a thorough investigation of UMass’ overall state of compliance. The investigation revealed that UMass did not follow all of the HIPAA “hybrid” entity requirements, did not take appropriate steps to secure protected health information and did not timely conduct the required risk analysis. As such, the breach was only the tip of the non-compliance iceberg. Picking on hybrid entity requirements is a first for OCR, which makes the UMass settlement interesting.

One of the questions resulting from the UMass settlement is what exactly is a hybrid entity under HIPAA. Hybrid entities are a specially defined organizational construct in the HIPAA regulations. A hybrid entity, as suggested above, is a single legal entity that clearly documents what components of that entity perform covered entity and/or business associate type functions. A hybrid entity as such must comply with HIPAA in some regards, but not for others. Using UMass as an example, pieces of UMass are a university and would not qualify as a covered entity under HIPAA. However, UMass also operated certain counseling and occupational therapy centers that engaged in covered health care services. As the example hopefully clearly shows, there may not be any bright lines distinguishing the different functions. However, the nature of the functions being performed should help inform when HIPAA compliance is necessary.

The burden and obligation to define which components engage in covered health care services lie with the particular organization. No one else will, or should, make that call. Determining the scope of hybridization requires careful review and analysis of operations to determine what functions come under HIPAA. The determination requires weighing each and every aspect of an organization’s services or functions and comparing them against the HIPAA regulations’ definition of covered health care services.

To date, hybrid entities have not received any significant amount of attention. Why did OCR pursue the UMass settlement at this time, if hybrid entities have been a rare occurrence? One possible reason is that hybrid entities are becoming increasingly common. Following the HIPAA regulation revisions and expansions contained in the 2013 Omnibus Rule, more and newer entities that did not previously provide services to the health care industry, and thus did not fall under HIPAA, are coming within HIPAA’s ambit. Given the expanded reach of the regulations and non-traditional industry participants, hybrid entities are appearing and will appear more frequently. For example, information technology companies that offer software as a service may have been used to providing software for other industries and are now offering the same services for health care entities. Coming into the health care field is not so simple, though. Those entities must comply with HIPAA but may not need to do so for all operations. If that is the case, the entity may be a hybrid entity and should engage in the exercise of separating out its components. With that new reality, OCR probably felt it was high time to educate as to how HIPAA interacts with hybrid entities.

Any emphasis on hybrid entities does not change HIPAA enforcement or expectations. Instead, attention to hybrid entities will only drive awareness of existing and long-standing requirements for entities both established in and new to the health care realm. Any entity providing services within the health care field should carefully review its operations to determine the scope of compliance that will be required. Failure to do so will almost certainly lead to a negative consequence. Such negative consequences become easier to impose in light of breach notification obligations, an increased willingness to pursue enforcement actions and the now ongoing audit protocol. With all of these factors converging, it is unacceptable for any entity to claim ignorance of requirements.

Posted in Healthcare, HIPAA, HITECH, Uncategorized

Recognizing an Energizing and Active Healthcare Year

Despite recent turbulence in healthcare and the country as a whole, as we come into Thanksgiving there have been many positive developments and events this year. Those positive moments are a collection of both general healthcare industry and personal ones from my perspective. It is important to keep in mind that progress is being made and that there are a number of changes to be thankful for.

The Healthcare Industry

As a whole, the healthcare industry continued to progress toward value-based care and away from fee for service. Progress in this direction meant increased focus on collecting, analyzing and meaningfully applying data from a variety of sources. Terms such as precision medicine, population health, and machine learning all latched onto data as a means of promoting better patient care and outcomes. The central requirement for all of these initiatives is data. As indicated, that means not just obtaining the data, but being able to take meaning from it and make it actionable. While there is not yet a consensus on what data are important or how to use the data, the mere fact that these issues are at the forefront is important.

Emphasizing the need for data led to calls to stop information blocking and other impediments to accessing data, such as contract terms from vendors. The government believed information blocking to be a significant issue, with regulators and legislators asking questions. Views within the industry are split as to how real a problem information blocking really is, but the bottom line is that information must be able to flow freely from one place to another. This concern leads to another major topic of the year: interoperability. Interoperability was the subject of many discussions and lots of commitments. No clear answer was developed, but the pressure is on. If a solution is not found, the government certainly hinted at action, though it will likely be better if the industry can figure it out by itself. Foreshadowing potential government intervention, guidance on vendor contracting, specifically in the electronic medical record context, emphasized that vendors cannot lock down data collected within systems. The data collected and created is healthcare information that must get into the hands of individuals and providers. Denying such access will not be tolerated.

In one of my favorite positives of the year, long desired HIPAA guidance was prepared and distributed with increasing frequency by the Office for Civil Rights (“OCR”) and the Office of the National Coordinator for Health IT. OCR in particular continually highlighted the need to educate new and experienced players in the healthcare industry as to obligations and requirements under HIPAA. Not understanding basic tenets of the law and regulation is no longer acceptable. OCR’s guidance did not break any new ground, just repeating long understood interpretations and requirements. However, the guidance drew new attention and seemed to appease the desire for information. Any outreach is a good thing, especially when that outreach confirms common beliefs.

One final industry development to commend was the real (and hopefully ongoing) engagement between the Centers for Medicare and Medicaid Services (“CMS”) and physicians. CMS did not start off on the right foot, as evidenced by widespread condemnation of the initial proposed rule to implement the Merit-Based Incentive Payment System (“MIPS”) under the Medicare Access and CHIP Reauthorization Act (“MACRA”). The proposed rule was widely viewed as overly ambitious and destined to drive physicians out of business. In response, CMS and its Acting Administrator Andy Slavitt went on a barnstorming tour throughout the country to meet with physicians and other industry players. Thousands of comments were also submitted. After collecting all of this information, CMS issued a final rule for MACRA and MIPS that largely satisfied many in the industry. Establishing a level of trust and appreciation between CMS and the healthcare industry will hopefully bear dividends in the future.

The Personal

On a personal level, I am very thankful for a number of opportunities and developments this year. A big honor for me was being selected as a Social Media Ambassador for the HIMSS16 Annual Conference. Not only did I attend HIMSS for the first time, an overwhelming experience, but I got to meet so many social media friends face to face for the first time. In person meet-ups are a great way to further develop relationships and really create more meaningful friendships. Such was certainly the case as I was able to talk for extended periods of time with a number of people and then continue those conversations after the conference. The new connections also enabled me to participate more in various activities following HIMSS16.

With regard to associational involvement, I cannot forget to include the American Bar Association Health Law Section. Through the Section, I have made countless friendships, found some mentors and also found an outlet where I can play a role in broader legal discussions surrounding healthcare. Being tied into these national discussions is very interesting and helps me see different currents that are running through the healthcare industry. This ability, in turn, helps me work with my clients and provide the benefit of a broader perspective that may not otherwise be readily available.

I am also thankful to the Answers Media Group for launching Healthcare de Jure with me as the host. The program offers me the continuing opportunity to chat with leaders from the industry, the government and elsewhere about hot topics in healthcare. Each guest brings a new perspective and focuses on a different angle or issue within healthcare. It is an ongoing learning process for me because I need to dive into a guest’s specialization area and then explore that area during the conversation. As with so many other activities, I thoroughly enjoy learning so many new things. I look forward to more conversations on the program.

Lastly (at least for now), I am thankful for my great family, including the addition of a new baby daughter. My family provides a significant amount of inspiration for many areas of my life and drives me to think about issues in a new light.

I hope everyone has a very Happy Thanksgiving and can take the time to reflect on what there is to be thankful for despite troubling circumstances.

Posted in Business, HIPAA, Stark Law

Pagers: Only in Healthcare

Healthcare is often subject to many jokes about the utilization of outdated technology. The old-fashioned pager, or beeper, is the hallmark example that is most often cited. Now, not only are pagers found to be used almost only by healthcare (and maybe drug dealers), but pagers may also pose a significant security risk.

How does a pager work? Pagers typically work by transmitting messages by a radio signal. Essentially, the pager is a personal radio receiver that ensures the intended recipient will actually see and receive the message. Additionally, each pager can receive any message sent to any pager. However, only messages that contain a special code will be picked up by a specific pager. As the brief description demonstrates, a pager works by radio signal only. Radio signals are not a means of communication that can be easily secured, if at all.

Given that transmissions to pagers are not encrypted, intercepting pages can be relatively easy. An analysis by Trend Micro found that something as simple as a $20 dongle and some understanding of software-defined radio can enable interception of the radio signals. If the signal is intercepted, then the message can be viewed and a breach is likely to occur.

What does all of this mean for healthcare? It means that there may finally be a hook, beyond outdated technology, to abandon the pager. If transmissions cannot be encrypted and it is easy to break in, then there is a significant risk posed under HIPAA. While encryption is an addressable element, that does not mean it can be wholly ignored. Instead, it means that entities need to consider options. If there is a known risk that cannot be eliminated, then is that tool something that should be utilized in healthcare given HIPAA requirements? The answer to that question arguably becomes even easier when the number of alternatives that exist is considered. In the age of smartphones where information can be encrypted quite easily, where does a pager fit in? Maybe nowhere.
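To make the point above concrete, here is an added Python model (not code from the post or from Trend Micro) of the two designs: a legacy page, where the “special code” is only a public address header and every receiver in range demodulates the whole frame, next to a page whose body is encrypted under a key that only the dispatch server and the intended pager hold. The 3-byte address header, the constructed patient message and the HMAC-based stream cipher (a standard-library stand-in for a real AEAD such as AES-GCM) are all assumptions of this example, not details of any real paging protocol.

```python
import hashlib
import hmac
import secrets


def on_air(capcode: int, payload: bytes) -> bytes:
    """Model of one paging frame (real framing differs): the capcode is a
    public address header and every receiver in range demodulates the whole
    frame. The capcode only tells a well-behaved pager whether to display."""
    return capcode.to_bytes(3, "big") + payload


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a PRF-based stream cipher standing in for
    a real AEAD (e.g. AES-GCM) so the demo needs only the standard library."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt_page(key: bytes, text: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, under the per-pager key
    shared between the dispatch server and that one pager."""
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(text, keystream(key, nonce, len(text))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_page(key: bytes, payload: bytes):
    """Plaintext, or None when the tag fails (another pager's key, or tampering)."""
    if len(payload) < 44:
        return None
    nonce, ct, tag = payload[:12], payload[12:-32], payload[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def compare(phi: bytes):
    """Send the same page both ways; return the two frames, what the intended
    pager and a different pager recover, and the intended pager's key."""
    intended_key, other_key = secrets.token_bytes(32), secrets.token_bytes(32)
    legacy = on_air(0x12345, phi)                      # plaintext frame
    secured = on_air(0x12345, encrypt_page(intended_key, phi))
    body = secured[3:]                                 # every receiver has this
    return legacy, secured, decrypt_page(intended_key, body), decrypt_page(other_key, body), intended_key


if __name__ == "__main__":
    msg = b"Pt J. Doe rm 412: lab result ready, call x5561"  # constructed sample
    legacy, secured, mine, theirs, _ = compare(msg)
    print(legacy, secured, mine, theirs, sep="\n")
```

In the legacy frame the patient text is readable by any receiver that simply ignores the address filter, which is exactly the exposure the post describes; in the encrypted frame the other pager holds only ciphertext and a tag it cannot verify.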

The issue all comes back to healthcare needing to become comfortable with newer forms of technology. Such technology appears and is used quite regularly in other industries. Such technology can increase efficiency and enable everyday solutions to come into healthcare. Developments in this vein can appease many concerns and desires and result in an overall better environment. If demands continue to be made and risks continue to be found, change will occur.

Posted in Health IT, Healthcare, HIPAA