Dec 2014

Hospital Data Breach a Costly Reminder of PHI Responsibilities

An increasing number of state attorneys general are sending a very clear message to holders of patients’ medical information (otherwise known as “protected health information” or “PHI”): protect PHI, or be prepared to pay.

Although the US Health and Human Service’s Office for Civil Rights generally prosecutes HIPAA violations, the HITECH Act empowered state attorneys general to file suit on behalf of their state’s residents for HIPAA violations. And since Congress expanded HIPAA enforcement to the states, officials in several states have sued PHI holders following a data breach.

Unencrypted Laptop and Unlocked Door Lead to Trouble.

A very instructive example of this extended HIPAA enforcement power surfaced in November 2014, when Beth Israel Deaconess Medical Center of Boston agreed to pay $100,000 to settle a civil suit filed by the Attorney General of Massachusetts following a data breach at the hospital. The Beth Israel settlement stemmed from the May 2012 theft of an unencrypted personal laptop that contained the PHI of nearly 4,000 individuals. The laptop was taken from a physician’s unlocked, unattended hospital office. Beth Israel knew of and authorized the physician’s use of the personal laptop while at work, which the physician used to store patient records and download emails that contained PHI. Although Beth Israel had a policy requiring the encryption and secure storage of laptops containing PHI, the physician failed to follow the policy on both counts. To worsen matters, Beth Israel failed to notify patients of the data breach within the HIPAA-mandated timeline following the discovery of the theft. In announcing the settlement terms in November 2014, Massachusetts Attorney General Martha Coakley stressed the importance of implementing and enforcing data security policies. In addition to the $100,000 payment for the breach, Beth Israel also agreed to reeducate its workers on PHI protection and to enact more vigorous encryption compliance policies.

In Massachusetts, the Beth Israel settlement stands as just one of several similar data breach enforcement actions by the State Attorney General in recent years. Since 2012, Massachusetts has reached settlements of $150,000 (Women & Infants Hospital of Rhode Island), $140,000 (Goldthwait Associates), and $750,000 (South Shore Hospital) for the failure to secure PHI.

Increased State Attorney General Enforcement of HIPAA

The HITECH Act permits state attorneys general to initiate a civil suit against alleged HIPAA violators, both to stop data breaches and to obtain damages for harm caused by a breach. Within a year of the law’s passage, Connecticut became the first state to use these powers when its Attorney General sued managed care organization Health Net for losing an external hard drive and delaying the required notifications for the data breach. As part of its settlement, Health Net paid $250,000 and agreed to a corrective action plan to improve its security policies. Vermont followed suit, and brought a lawsuit against Health Net in connection with the lost external hard drive, settling for $55,000.

Proactively Working to Prevent a Lawsuit

The lessons embedded in these lawsuits are threefold:

· Develop clear policies about device use, encryption, storage, and protection;
· Enforce those policies; and
· Where a breach may exist, be diligent in promptly notifying the required parties.

State attorneys general have very clearly shown that the failure to protect PHI and timely report data breaches will not be excused — even when theft is involved.  PHI holders can proactively protect PHI – and themselves – by developing a strong set of policies to manage data security, by enforcing those policies, and by promptly reporting a breach. Anything short of this invites a costly reminder of the failure of protecting PHI.

Download the full article here (PDF):

Oct 2014

Providing Referral Sources with Limited-Use EHR Interfaces

As many healthcare providers migrate to electronic health records (EHRs), clinical laboratories and diagnostic imaging centers have sought to provide their referring physicians with a limited-use EHR interface that allows the physician offices to submit orders and review test results electronically.

Over the past several years, the Centers for Medicare and Medicaid Services (CMS) and the U.S. Department of Health and Human Services Office of the Inspector General (OIG) have separately approved such arrangements through regulatory guidance and advisory opinions.

In general, limited-use EHR interfaces allow referring physician practices to electronically submit orders for diagnostic services directly to clinical laboratories and diagnostic imaging centers via the physician’s EHR. In addition, the clinical laboratories and diagnostic imaging centers can send reports electronically to the referring physician’s EHR. This EHR interface eliminates the need to fax orders and reports back and forth and also allows immediate entry into the EHR of such records. The limited-use EHRs generally have the following characteristics:

  1. They have no independent value to the physician.
  2. Their use is limited to sending and receiving information between a referring physician and a clinical laboratory or diagnostic imaging center.
  3. It is integrally related to the provision of the clinical laboratory’s or diagnostic imaging center’s services.

Clinical laboratories and diagnostic imaging centers have sought to pay for the cost of installing the interface with a referring physician’s office. The arrangement typically works as follows:

  1. The clinical laboratory or diagnostic imaging center purchases an interface license and pays the annual software maintenance fee. They also pay a one-time installation and set-up fee. The interface vendor invoices the clinical laboratory or diagnostic imaging center directly for these charges.
  2. The clinical laboratory or diagnostic imaging center pays for the costs associated with developing software to connect their IT system to the interface software purchased in step 1.
  3. The clinical laboratory or diagnostic imaging center pays for any costs associated with establishing network connectivity with the referring physician practices.

Based on a review of guidance from the OIG and CMS, it is clear that providing a limited-use interface to referring physicians is allowed, and does not violate the Anti-Kickback Statute (AKS) or Stark Law. Nonetheless, clinical laboratories and diagnostic imaging centers should develop a compliant process in which to select those physicians who will receive the interface.

Download the full article here (PDF):

Jan 2014

Cases of Brain-Dead Patients Pose Knotty Problems for Hospitals, Doctors

The recent widely publicized cases of two young women kept on life support despite being declared brain dead have highlighted concerns about whether physicians, hospital leaders and the public fully understand the term “brain death” and whether physicians are effectively communicating what it means to patients’ families.

Experts say poor communication can contribute to serious public relations and legal problems for hospitals, as it did in these two cases.

One case involves a pregnant woman, raising unique issues because at least a dozen states have laws restricting the ability of healthcare providers to end life support for terminally ill pregnant women, regardless of the wishes of the patient or the family. “Patients and even some doctors are mixed up about the proper use of concepts like coma, brain dead, and persistent vegetative state,” said Art Caplan, a professor of bioethics at NYU Langone Medical Center, New York. As a result, he said the terms are often communicated to patients’ families in ways that are confusing and misleading. “I think doctors should simply say, ‘Susie is dead’ and shouldn’t use the term brain death.” Otherwise, he added, families may think their loved one’s “brain has died but the body may come back.” Michael Silhol, a Dallas healthcare attorney and former board member of the American Health Lawyers Association, said hospitals should develop specific policies on how to engage patients’ families in discussing withdrawal of life support for brain-dead patients or transferring the patient to a different facility.

Download the full article here (PDF):

Dec 2013

Texas Changes Rules Regarding Delegation of Prescriptive Authority by Physicians

Texas has recently had a significant revision regarding the ability of physicians to delegate prescribing devices, drugs and other controlled substances to advanced practice registered nurses (APRNs) and physician assistants (Pas).

SB 406, which was passed in the 2013 Texas legislature, has recently been implemented through new Texas Board of Nursing (BON) and Texas Medical Board (TMB) regulations.

SB 406 substantially revises Chapter 157 of the Texas Occupations Code, which governs the authority of a physician to delegate certain medical acts, and expands the ability of APRNs and PAs to prescribe or order Schedule II controlled substances in certain practice settings. SB 406 also eliminates the old concept of “alternate” and “primary” practice site requirements and authorizes the use of a “Prescriptive Authority Agreement” (PAA) in order to delegate prescription writing authority to APRNs and PAs. The new statute increases to seven (from four) the number of APRNs and PAs to whom a physician can delegate prescribing authority, and provides an exception to that limit when the PAA is exercised in a facility-based practice or elsewhere. However, the new rules also have increased the continuing educations requirements of APRNs who receive this delegation of authority and provide for substantial documentation requirements, as well as enforcement actions by the BON, the Texas Medical Board and the Texas Physician Assistant Board.

Download the full article here (PDF):