Showing posts with label HHS. Show all posts

Wednesday, March 14, 2012

BCBS of TN Settles HIPAA/HITECH Violation for $1.5M

The HHS Office for Civil Rights (OCR) announced a $1.5M settlement with Blue Cross Blue Shield of Tennessee (BCBST) relating to potential violations of the HIPAA Privacy and Security Rules. According to the OCR press release, this is the first reported enforcement action resulting from a breach report submitted under the Breach Notification Rule, which implements the breach notification provisions of the HITECH Act (the HITECH Act amended HIPAA as part of ARRA).

The breach involved 57 unencrypted computer hard drives that were stolen from a facility leased by BCBST in Tennessee. The hard drives contained protected health information of approximately 1 million individuals. BCBST reported the breach to OCR as required under the HITECH breach notification provisions and regulations. The press release indicates that OCR's investigation found that BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility, because it did not perform the security evaluation the Security Rule requires in response to operational changes (here, the move out of the facility). The investigation also found a failure to implement appropriate physical safeguards because facility access controls were inadequate; both safeguards are required by the HIPAA Security Rule. Two practical lessons stand out: a change in how or where PHI is stored (a move, a decommissioning, a vendor change) is an operational change that should trigger a documented risk evaluation, and PHI at rest that has been encrypted in a manner consistent with the HHS guidance discussed below is not "unsecured" PHI, so its loss would not by itself trigger breach notification.

For more information check out the HHS press release "HHS settles HIPAA case with BCBST for $1.5 million" which includes a link to the HHS Resolution Agreement entered into between OCR and BCBST.

Saturday, February 13, 2010

WV HIT Funding Under HITECH: WVHIN Gets $7.8M and WV REC gets $6M

Health and Human Services Secretary Sebelius and the National Coordinator for Health Information Technology, David Blumenthal, announced the HITECH funding under the ARRA for State Health Information Exchanges (HIEs) and Regional Extension Center (RECs) across the country.

The White House Press Release provides a detailed list of HIEs and RECs receiving grants. Information is also available via the HHS News Release, Sebelius, Solis Announce Nearly $1 Billion Recovery Act Investments in Advancing Use of Health IT, Training Workers for Health Jobs of the Future.

West Virginia will receive the following funding:
  • West Virginia Health Information Network (WVHIN), the State HIE: $7.8M
  • West Virginia Regional Extension Center (WV REC): $6M

More information about the health information technology programs and awards can be found on the Office of the National Coordinator HIT Website.

Monday, October 05, 2009

Congressional Members Concerned About HHS Inclusion of "Harm Standard" In Breach Notification Rule

Members of the U.S. House of Representatives submitted an October 1, 2009 letter of concern to Secretary Sebelius and the Department of Health and Human Services (HHS) concerning the inclusion of a "harm standard" in the recently released (August 24, 2009) Interim Final Rule - Breach Notification for Unsecured Protected Health Information (45 CFR Parts 160 and 164), 74 Fed. Reg. 42740.

In developing the Interim Final Rule, HHS interpreted the statutory term "compromises" as meaning that a threshold of substantial harm must be met before a breach of data is deemed to have occurred. However, the Members indicate in their letter that Congress considered whether a "harm standard" should be part of the legislation and decided not to include one. The letter urges HHS to revise the rule and repeal the harm standard provisions included in the Interim Final Rule.

The letter was submitted by Rep. Henry Waxman, Rep. Charles Rangel, Rep. John Dingell, Rep. Frank Pallone, Jr., Rep. Pete Stark and Rep. Joe Barton.

Tip to Alan Goldberg, health care attorney and American Health Lawyers Association HIT Listserv Moderator, who posted a copy of the letter.

Sunday, April 19, 2009

HITECH Act Breach Notification Guidance: What Renders PHI Unusable, Unreadable or Indecipherable For Purposes of Breach Notification?

On April 17, 2009, the U.S. Department of Health & Human Services (HHS) issued guidance on the technologies and methodologies that render protected health information (PHI) "unusable, unreadable or indecipherable to unauthorized individuals," as required by the Health Information Technology for Economic and Clinical Health Act (HITECH), which is part of the American Recovery and Reinvestment Act of 2009 (ARRA). PHI secured in accordance with the guidance is not "unsecured PHI," so its loss or unauthorized disclosure does not trigger the breach notification requirements.

The April 27, 2009 Federal Register (74 FR 19006) contains the official copy of the guidance: Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information.

The guidance is effective as of April 17, 2009. However, it will apply only to breaches occurring 30 days or more after publication of the interim final breach notification regulations.

HHS's press release on the guidance states:
The guidance issued today provides steps entities can take to secure personal health information and establishes the trigger for when entities must notify that patient data has been compromised. This guidance is related to “breach notification” regulations, which will be issued by HHS and the Federal Trade Commission respectively. The HHS regulations will apply to entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the FTC regulation will apply to vendors of personal health records and certain others not covered by HIPAA. The Recovery Act requires that these regulations be published within 180 days of enactment.
The guidance was developed through a joint effort by the HHS Office for Civil Rights (OCR), Office of the National Coordinator for Health Information Technology (ONC), and Centers for Medicare & Medicaid Services (CMS).
HHS also seeks public comments on the guidance, as well as on the breach notification provisions under the FTC's new Health Breach Notification Rule and the yet to be released HHS Breach Notification Requirements for HIPAA Covered Entities and Business Associates. Public comments must be submitted on or before May 21, 2009.

Monday, December 15, 2008

ONCHIT Issues Nationwide Privacy and Security Framework for Electronic Exchange of Health Information

Today the Office of the National Coordinator for Health Information Technology (ONCHIT) issued The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. The summary states that the framework creates a set of consistent principles to:
". . .address the privacy and security challenges related to electronic health information exchange through a network for all persons, regardless of the legal framework that may apply to a particular organization. The goal of this effort is to establish a policy framework for electronic health information exchange that can help guide the Nation's adoption of health information technologies and help improve the availability of health information and health care quality. The principles have been designed to establish the roles of individuals and the responsibilities of those who hold and exchange electronic individually identifiable health information through a network."
Along with the Nationwide Privacy and Security Framework, the Department of Health and Human Services (HHS) has issued The Health IT Privacy and Security Toolkit. The Toolkit includes new HIPAA Privacy Rule guidance documents developed by ONCHIT and the Office for Civil Rights (OCR) to help facilitate the electronic exchange of health information.

Of particular interest to many interested in PHRs will be OCR's guidance on Personal Health Records and the HIPAA Privacy Rule and the Draft Model Personal Health Record (PHR) Privacy Notice & Facts-At-A-Glance (the "Leavitt Label").

The Framework is built around these eight principles, which the Toolkit's guidance documents are organized around:
  • Individual Access Principle - Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information in a readable form and format.
  • Correction Principle - Individuals should be provided with a timely means to dispute the accuracy or integrity of their individually identifiable health information, and to have erroneous information corrected or to have a dispute documented if their requests are denied.
  • Openness and Transparency Principle - There should be openness and transparency about policies, procedures, and technologies that directly affect individuals and/or their individually identifiable health information.
  • Individual Choice Principle - Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their individually identifiable health information.
  • Collection, Use, and Disclosure Limitation Principle - Individually identifiable health information should be collected, used, and/or disclosed only to the extent necessary to accomplish a specified purpose(s) and never to discriminate inappropriately.
  • Data Quality and Integrity Principle - Persons and entities should take reasonable steps to ensure that individually identifiable health information is complete, accurate, and up-to-date to the extent necessary for the person's or entity's intended purposes and has not been altered or destroyed in an unauthorized manner.
  • Safeguards Principle - Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.
  • Accountability Principle - These principles should be implemented, and adherence assured, through appropriate monitoring and other means and methods should be in place to report and mitigate non-adherence and breaches.
I have only made an initial pass through the information and guidance documents. There is a lot to read and digest over the holidays. Please post in the comments your thoughts on the new federal principles and guidelines.

Monday, April 21, 2008

Consumers' Checkbook v. HHS Update

The WSJ Health Blog, "Feds Fight to Keep Doctor Data Secret," has the latest on the Consumers' Checkbook v. HHS matter involving whether or not Medicare physicians claims data should be made publicly available. Consumers' Checkbook, a nonprofit consumer information and service resource, wants to use the data to rate physicians and health care services.

Last week the DOJ filed its appeal, and HHS released this statement regarding the appeal of the Consumers' Checkbook decision explaining the basis for opposing (and, in part, supporting) release of the data. The press release states:
HHS is appealing this decision because of two conflicting court opinions that control HHS’ release of data. Release of certain Medicare claims data is currently governed, in part, under an existing order issued by a federal court in Florida in 1979. That order, which is still in effect, prohibits Medicare from releasing physician reimbursement data in a manner that would enable the user of that data to identify individual physicians. The court order states that this information is protected by the Privacy Act of 1974. The data sought by Consumers Checkbook, when combined with other publicly-available data on Medicare fees, could lead to the disclosure of annual Medicare reimbursement amounts for individual physicians. Release of the data would, therefore, result in a violation of the existing Florida court order. On the other hand, HHS faces the decision rendered last year by the District of Columbia court ordering the release of the data. HHS argues in its appeal that the recent decision is based on an erroneous application of the Florida court order and of the Freedom of Information Act’s exemption that protects privacy. The Department seeks resolution of this conflict from the Court of Appeals.

Beyond the legal issues that must be resolved, HHS recognizes and shares the goals of Consumers Checkbook. Like Consumers Checkbook, HHS seeks to support consumers and providers with quality performance and cost information for a variety of providers and plans. For many years, HHS has worked closely with providers and other stakeholders in developing and reporting quality information, including the use of national consensus-based quality performance measures. While Consumers Checkbook seeks to post the number of times a provider has performed a specific service, the quality measures used by HHS generate more valid, specific, and comprehensive information on the quality of care delivered.
For background on the legal saga check out my prior post.

Wednesday, October 31, 2007

HHS Announces Physician EHR Demo Project

Yesterday HHS announced that CMS will conduct a five-year demonstration project encouraging small and medium physician practices to adopt electronic health records.

Excerpt from Secretary Leavitt's announcement:

“This demonstration is designed to show that streamlining health care management with electronic health records will reduce medical errors and improve quality of care for 3.6 million Americans. By linking higher payment to use of EHRs to meet quality measures, we will encourage adoption of health information technology at the community level, where 60 percent of patients receive care,” Secretary Leavitt said. “We also anticipate that EHRs will produce significant savings for Medicare over time by improving quality of care. This is another step in our ongoing effort to become a smart purchaser of health care -- paying for better, rather than simply paying for more.”

Conducted by the Centers for Medicare & Medicaid Services (CMS), the demonstration would be open to participation by up to 1,200 physician practices beginning in the spring. Over a five-year period, the program will provide financial incentives to physician groups using certified EHRs to meet certain clinical quality measures. A bonus will be provided each year based on a physician group’s score on a standardized survey that assesses the specific EHR functions a group employs to support the delivery of care.

The CMS demonstration also will help advance Secretary Leavitt’s efforts to shift health care in the U.S. toward a system based on value. The Department is working to effect change through its Value-Driven Health Care initiative, which is based on Four Cornerstones: interoperable electronic health records, public reporting of provider quality information, public reporting of cost information, and incentives for value comparison.

For more info check out the HHS Press Release.

Thanks to the Medicare Update blog for a tip on this new project.

Sunday, September 23, 2007

Hospital Mashup: Google and HHS Hospital Data

NetDoc now has a mashup of Google Maps and HHS hospital data. As Shahid Shah says, these types of tools take mountains of data and make it more accessible and easier to digest for the average health care consumer. Here is the view/data of hospitals within 100 miles of Charleston, West Virginia.

Here is the summary of what the tool provides:

When it comes to treating heart attacks, pneumonia, surgery and other emergencies, you want to find the best medical care available.

To help you make these decisions, visit the NetDoc.com Hospital Rankings tool and enter your ZIP code to see how hospitals in your neighborhood rank on benchmarks set out by the U.S. Department of Health and Human Services in four categories: Heart Attack, Heart Failure, Pneumonia and Surgical Care Improvement/Surgical Infection Prevention.

Thanks to Shahid for the tip on this new tool.

Friday, September 14, 2007

Medicare Physician Data: Transparency vs. Privacy

iHealthBeat provides commentary and an update on the outcome of the Consumers' Checkbook v. HHS matter involving whether or not Medicare physicians claims data should be made publicly available.

The United States District Court for the District of Columbia ruled in favor of Consumers' Checkbook on August 22, requiring that HHS release the physician data requested under FOIA to Consumers' Checkbook. So far HHS has not appealed the decision, and the data is required to be produced by September 21.

It will be interesting to see if HHS appeals the decision. This is a classic example of transparency vs. privacy. Brian Klepper has more over at The Health Care Blog.

UPDATE (10/22/07): The WSJ Health Blog reports that HHS has decided to appeal the decision requiring that HHS release data under FOIA to Consumers' Checkbook. The decision initially required production of the data by September 21 which was then extended until October 22.

Sunday, August 19, 2007

HHS Secretary Leavitt Joins The Blogosphere

A warm welcome to Secretary Mike Leavitt (blog bio), who last week launched his blog at Secretary Mike Leavitt's Blog. It is wonderful to see the United States' top health care official join the blogosphere and create a vehicle to share his personal observations and have an open conversation about health care and the challenges that we all face.

I am impressed by his goal, outlined in his About this Blog summary and introductory post, to keep the blog personal (not relying on staff or the PR department to write his posts). I'm hoping that he enjoys the experience and has the time to continue to blog past his initial trial phase. In my mind he gets the idea behind blogging -- a communication utility which is used to think and understand, share observations, engage ideas and, as he says, create a "dynamic online conversation." These characteristics are what make blogging something more than just another way to create traditional media/PR web content. It's the reason why I enjoy the blogging process.

Question to readers: Is Secretary Leavitt the highest ranking U.S. official to date to have a blog which is personally written? Are there any other Federal Executive Department Secretary level bloggers?

Thanks to iHealthBeat for its article announcing Secretary Leavitt's blog.

Tuesday, April 24, 2007

New HIPAA Privacy Compliance and Enforcement Website

Yesterday I received an email via the OCR-Privacy listserv announcing the launch of a new HHS web site on HIPAA Privacy Compliance and Enforcement.

I haven't had time to go through the new website in detail but plan to in the coming days. While scanning it I found the "Enforcement Highlights" and "Case Examples" sections very interesting. In the meantime, here is the press release HHS included in the email.

To coincide with the fourth anniversary of the enforcement of the HIPAA Privacy Rule, the Department of Health and Human Services (HHS) announced today the launch of an enhanced Web site that will make it easier for consumers, health care providers and others to get information about how the Department enforces health information privacy rights and standards. In launching the website, Winston Wilkinson, the Director of the HHS Office for Civil Rights, noted: "HHS has obtained significant change in the privacy practices of covered entities through its enforcement program. Corrective actions obtained by HHS from these entities have resulted in change that is systemic and affects all the individuals they serve."

The Health Information Privacy Web site provides comprehensive information about the Privacy Rule, which creates important federal rights and requirements to protect the privacy of personal health information. The enhanced Web site, http://www.hhs.gov/ocr/privacy/enforcement, provides information for consumers, health care providers, health plans and others in the health care industry about HHS's compliance and enforcement efforts. The new information describes HHS activities in enforcing the Privacy Rule, the results of those enforcement activities, and statistics showing which types of complaints are received most frequently and the types of entities most often required to take corrective action as a result of consumer complaints. The other information on the Web site covers consumers' rights to access their health information and significantly control how their personal health information is used and disclosed, as well as guidance about how to submit complaints about possible violations of the law and extensive guidance for entities who must comply with the rule.

HHS issued the patient privacy protections pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The first and only comprehensive federal privacy standards to protect patients' medical records and other health information provided to health plans, doctors, hospitals and other health care providers took effect on April 14, 2003. Developed by HHS, these standards provide patients with access to their medical records and more control over how their personal health information is used and disclosed. The regulation covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions (e.g., enrollment, billing and eligibility verification) electronically. HHS has conducted extensive outreach and provided guidance and technical assistance to providers and businesses to help them to implement the new privacy protections. These materials are available at http://www.hhs.gov/ocr/hipaa.