Head In the Sand Leads to HIPAA Fine

Continuing a hot streak in the fall of 2020, the Office for Civil Rights announced another HIPAA settlement with a business associate on September 23, 2020. The $2,300,000 fine was imposed on a business associate following a months-long cyberattack that resulted in the exfiltration of data for more than 6 million patients.

The facts of the settlement are particularly troubling and offer targeted lessons or warnings, depending on the point of view. As laid out in the Resolution Agreement, CHSPSC, LLC was attacked by an outside attacker on April 10, 2014. On April 18, 2014 (within 8 days), CHSPSC received notification of the intrusion from the FBI. While it is understandable that CHSPSC did not find the intrusion itself within 8 days, the response to the FBI’s notification is where the wheels came off. Instead of immediate (or impactful) action being taken, it was subsequently determined that intrusion activity continued until August 18, 2014. The attacker’s continued access strongly suggests that no effective response was implemented by CHSPSC.

The problems only compounded once the breach was finally cut off. As typically happens, an investigation by OCR ensued and, also as happens often, widespread non-compliance was found. The findings by OCR included:

  1. No requirements around preventing unauthorized access;
  2. Failure to mitigate the impact of a known security incident;
  3. Failure to have technical policies and procedures to only allow access to individuals or programs that have been granted access rights;
  4. Failure to regularly review system activity; and
  5. Failure to conduct a risk analysis (the finding that shows up in almost every settlement).

Reading between the lines of the settlement, it is arguably apparent that CHSPSC tried to take an approach of hiding its head in the sand and desperately hoping that the problem would go away. Unfortunately, hiding one’s head in the sand is not a valid approach because the world continues to spin and problems continue to mount.

Since hoping a problem will go away is not a valid approach, what can be done? One hint is contained in the findings of CHSPSC’s failures: specifically, the required element of HIPAA Security Rule compliance that calls for regularly reviewing information system activity, including audit logs and access reports. The regular review of those aspects of a system can help find irregularities, whether caused externally or internally, and better protect the private information entrusted to entities.

Monitoring systems is not historically an easy task, especially as the size and scope of systems has continued to grow. However, the rise of technology also means improved tools to automate the monitoring of systems. The tools also enable more comprehensive review because the automated tools can scan the entire system whereas previous manual efforts relied upon random sampling. Regardless of the approach, the mandate to monitor and respond cannot be ignored.

Malicious attacks will never stop and it will never be possible to stop all of those attacks. However, it is possible to be nimble, quickly find issues, and cut off negative impacts as soon as possible. Healthcare organizations, as stewards of vast quantities of sensitive private information, must take the role seriously and explore utilization of all helpful tools.


Deny Patient Access at Own Risk

The Office for Civil Rights (“OCR”) continues its recent attention to enforcing an individual’s right of access under HIPAA. The latest step is the concurrent announcement of five settlements with various entities for alleged failures to provide records upon request. The new settlements build upon the chain that started in September 2019 when OCR imposed the first settlement premised upon a denial of access.

The latest examples are:

  1. Housing Works, Inc. – A non-profit organization providing healthcare, job training, legal aid support and other services primarily to homeless individuals. In July 2019 OCR received a complaint about an individual not having a request for access honored. OCR in turn provided technical assistance, which is not an unexpected outcome. Immediately following the technical assistance, though, Housing Works again did not provide timely access, an issue that was flagged in an August 2019 complaint. As a result of the failure to provide access, a $38,000 settlement resulted. Arguably the short period of time between the complaints fed into the push to a monetary resolution.
  2. All Inclusive Medical Services, Inc. (“AIMS”) – AIMS is a multi-specialty clinic covering an array of services. A patient filed a complaint with OCR after AIMS allegedly refused to provide the patient access to records and also subsequently denied a request to inspect the record. The double whammy of denying the patient both a copy and access to review seems to have fed into the $15,000 settlement.
  3. Northeast Behavioral Health Corporation (d/b/a Beth Israel Lahey Health Behavioral Services) (“BILHBS”) – BILHBS is a network of substance use disorder and mental health services. OCR received a complaint that an adult child was not provided with a copy of their parent’s medical record. The complaint was received in April 2019 and the records were only released in October 2019 after intervention by OCR. Without any other background facts, a settlement of $70,000 was reached.
  4. Patricia King MD & Associates (“King”) – King is a psychiatric care provider group. In October 2018 a complaint was received by OCR about a patient not being able to access their records. As with Housing Works, OCR provided technical assistance. Also like Housing Works, a second complaint was filed in February 2020, by the same individual, that access had still not been provided. The records did not end up being released until July 2020 after an OCR investigation. The actions resulted in a $3,500 settlement.
  5. B. Wise Psychiatry, P.C. (“Wise”) – Wise is a psychiatry practice providing direct patient care. In February 2018 a personal representative filed a complaint over not being provided with a requested copy of a minor child’s medical records. OCR again attempted to go the route of technical assistance. As with the other examples, technical assistance did not result in the right outcome, and the same personal representative filed a second complaint in October 2018. Following an investigation, the records were finally released in May 2019, well over a year and a half after initially being requested. For the blocking, Wise entered into a settlement for $10,000.

Leaving aside the still puzzling means of determining settlement amounts for the moment, the fact patterns across the examples are strikingly similar. An individual requests access, gets a bit of a runaround, files a complaint, still waits, and then finally, after an extended period of time, gets access to the records. Given the innumerable anecdotes around trouble getting access to records, it can be suspected that the incidents covered by the complaints were not isolated incidents at the organizations. Oftentimes, even if not intentional, denial of access becomes a frustrating routine. The round-and-round nature of the fight for access has become a specific point of contention for individuals. It is unclear why so many barriers are thrown up when the HIPAA Privacy Rule is quite clear on both the process and the time for responding.

The transition to electronic records highlights the issues even more. Modifications to the right of access made by the HITECH Act enable individuals to request an electronic copy when the records are maintained electronically. Since the vast majority of hospitals and physician groups have transitioned to electronic medical records at this point in time, most if not all requests should be able to seek an electronic copy. However, some request forms will not even identify that an electronic copy is an option. The electronic access issue represents another area of either misinterpretation or lack of awareness.

On the issue of the settlement amounts, it is a bit striking that the dollar amounts are so low. Penalty amounts are driven by the number of incidents and the severity of each incident. Each of the new settlements involves only one patient, which could be one explanation for the low dollar values, BILHBS aside. However, a couple of the settlements arguably involved knowing and deliberate action, since continued non-compliance with the right of access occurred after receiving technical assistance from OCR. In those instances, it would be tough, if not impossible, to argue that the organization was unaware of its obligations or did not fully appreciate what needed to occur. At some point, it would be helpful to understand the process by which OCR determines settlement amounts, though it is fully acknowledged that such a wish will in all likelihood remain forever unfulfilled.

What Comes Next?

The next step for covered entities (and probably business associates) should be a refresher on right of access requirements and improving practices for facilitating, as opposed to hindering, access. Since the right of access is not a new requirement under HIPAA, that could be a bit of an overly optimistic hope. If rights have not been respected up to this point, then why would practices change overnight?

Stepping up compliance efforts most likely can be enhanced through better training and education. The axiom that compliance cannot happen without firm knowledge applies in this context too. The training on the right of access should also focus on collaboration since a request may travel across multiple departments or groups within an organization.

Improving responsiveness to requests for access can also impact an organization’s reputation. If record access is denied, those actions could begin showing up in reviews or comments about the organization. Reviews cannot be ignored since individuals increasingly turn to online reviews for purposes of vetting clinicians. Negative comments around a right of importance could sway decisions.

What could drive more systemic change? The fear of bigger penalties. If OCR were to take a leap and impose a large dollar penalty on an organization from a right of access complaint, then more focused attention could result. Even the $70,000 penalty to BILHBS will not cause a large organization much pain as that amount would be easily covered and could be less than the time and cost involved in enhancing employee education or other steps to implement change. However, rising dollar amounts would likely change that calculus and could achieve the proper outcome. As the saying goes, money talks.

Another factor impacting the future of the right of access is the upcoming opening requirements that are part of the information blocking rules. Even though enforcement is being delayed, compliance must start soon, and it includes extensive opportunities for individuals to seek access to their own information. If organizations are confused by HIPAA and its right of access, the advent of new rules could provide the chance to start afresh on the right foot.

Patient Preference and Technology

What may actually be the game changer is the stronger patient voice and access to technology. Patients are clearer with expectations along with the ability to connect new forms of technology or more easily seek a new place or venue for care delivery. The concern of losing patients and arguably the more intuitive means of granting access could be a turning point. The patient engagement and consumerism tides seem to support a more equal playing field, which is well symbolized by access to and control over a broad swath of health data.

The stronger patient voice is showing up in social media and through the growing patient advocacy or support industry. While the advocacy and statements on social media may not represent a broad-based voice at the current moment, the views will continue to spread and be recognized by more individuals. Prevalence and visibility can improve the odds of anyone finding and being able to take up the same position.

As noted, technology is also an important factor. The information blocking regulations require organizations to enable third-party application interfaces to hook into data feeds, which are meant to pull data for the benefit of individuals. That process builds upon the many solutions targeted to individuals for purposes of collecting, collating, and finding value in healthcare data. While individuals are encouraged to produce a lot of their own data in those applications, formal data from a healthcare organization is also expected to play a role. The broader scope of healthcare data also means creating a more comprehensive picture of individuals that includes information from all parts of an individual’s life.

The Takeaway

Time will tell on the patient front, but it does seem to be the area with the most promise, as there is not much precedent to sway an outcome in one direction or the other. One thing is clear, though: organizations must and should honor a request for access because, even though HIPAA already mandates that outcome, OCR could now also be coming with a fine.


Data Access Rights: Following HIPAA Correctly

How and when can data be shared in a manner that is compliant with HIPAA? The answer to that question is a lot broader, and the sharing allowed a lot more frequent, than many might expect. However, the expectation of limited sharing is exactly the root cause of the data blockage that frustrates many individuals.

Explaining the scope of permissiveness under HIPAA is an effort worth undertaking often. If lessons and explanations appear a number of times, then it may be possible to create a more informed industry and foster more nuanced dialogue, instead of the common response that an action is not possible because of HIPAA even though that action more often than not can occur. A recent perspective in the Journal of Medical Internet Research dives deeply into HIPAA in an attempt to emphasize the benefit that it provides. As stated by the authors of the article:

So, on the road from the doctor’s office to the patient’s third-party app, where are HIPAA’s green lights, yellow lights, and red lights for disclosing patients’ protected health information as patients direct? We explain in detail why it’s a green light all the way, and your patients’ health and care are much the better for it because they can be engaged, informed, and shared decision-makers.

J. Med. Internet Res. 2020 vol. 22 iss. 9 e19818 p. 1

The analogy to traffic lights paints a picture of the golden ride home, namely one where no stoppages occur because it is green the whole way. When it comes to using and sharing health data for the benefit of a patient, it is an apt analogy.

Internal to the Healthcare System

Within the healthcare system, patient information can be shared all of the time without needing permission. HIPAA does not want to interfere with the regular business workflows within the healthcare industry. Supporting the steady flow of data occurs through the broad definitions of payment, treatment, and health care operations (the three are often referred to together as PTO). These are three broad categories of uses and disclosures that can occur in the ordinary course and result in most data being sent around in ways that ostensibly benefit patients. For a more in-depth discussion of the PTO uses and disclosures, check out this post: Who’s Using My Data?: HIPAA and Allowed Uses.

Without getting into the intricacies, and allowing time to read the prior post, PTO focuses on all aspects of a healthcare organization’s operations, from working with a patient, to being paid for the work, to assessing internal operations for improvement. In all of those instances, information can be used and disclosed, subject to the privacy and security obligations imposed by HIPAA, in a free way that becomes very extensive. For the most part, those uses and disclosures also occur without barriers being thrown up, though such an all-encompassing statement is certainly painting with a broad brush that covers over some pain points that arise in reality. However, the pain points that are internally facing are likely dwarfed by what happens when a patient seeks to obtain their information.

Patient Access to Health Information

HIPAA has always afforded individuals a right of access to their own health data. The right is clearly baked into the Privacy Rule by identifying the categories of data that an individual may obtain (it is almost everything) and explaining how organizations must implement the right of access. As with most good intentions, the road to access is paved in a certain direction that usually results in extreme frustration for patients.

Does it need to be that way? No. As suggested already, the right of access under HIPAA is a concrete right that should not be hard to interpret. An individual can either come to an organization to inspect the record or request to receive a copy. In requesting to receive a copy of the record, an individual can specify how the record should be sent (broadly in paper form or electronically) and where it should be sent. Since the vast majority of health records should be in electronic form at this point in time, every patient should likely be able to request an electronic copy since an organization is obligated to offer the record electronically if stored that way.

If the assumption is made that the record is stored electronically, then the options for where and how an individual may request the records be sent become almost exponential. The options are that varied because the individual is free to specify how and where they want to receive the record. Some ways can include email, flash drive, CD (if anyone has a CD drive anymore), or even a third-party application. Further, an individual can request that the information be sent to a location that is not secure, though the healthcare organization will want to make sure that the individual is aware of the risks associated with an insecure location. If that is done, then the individual’s request must be honored. However, this is an area where trouble often occurs because organizations will be fearful of receiving blame if anything goes wrong. Fear should not be a factor, though, because foreknowledge can cast the necessary light to drive away the shadows of fear.

Why is This Important?

Aside from acting in a way that does the right thing, understanding how HIPAA facilitates the flow of data is necessary to comply both with HIPAA and with the deeper requirements around information access that will soon be in force. The upcoming regulations driven by the 21st Century Cures Act prohibit information blocking and introduce even more explicit direction around enabling third-party applications to collect and receive information on behalf of individuals.

Leaving aside regulatory compliance considerations, getting information access right will also foster better relationships with individuals. Individuals increasingly expect information to be available at their fingertips and with a large degree of ease. Considering everyday applications across all other industries, the barriers that exist in healthcare largely don’t appear. From financial account information to purchasing history and almost anything else, it can all be found through a mobile app or website. Why should healthcare be so different? That is the issue being pushed.

The difficult balance against the drive for better access is the necessity of protecting privacy and security too. Even if individuals want access to their own information, there is also a corollary expectation that the information will not become available for public consumption. There are real dangers in that regard from an expected proliferation of third-party applications. Not all will have an individual’s best interests in mind, since data are currency. How such applications will be vetted and sorted to remove the malicious ones will become that much more important. Who will take up that challenge?

Where Do We Go?

The future can never be foretold with certainty. With that caveat, it is clear that individuals will increasingly expect information to be available and may begin choosing with their feet when that access is denied. To proceed in a collaborative manner, hopefully all sides will come together and set clear guardrails around processing and providing information that helps to preserve the interests of all.
