The company hired by the Office for Civil Rights (OCR) to conduct nationwide HIPAA privacy and security compliance audits was responsible for a breach that includes the loss of an unencrypted flash drive and affects more than 4,500 patient records.
OCR’s request for audit proposals came in February 2011, about eight months after KPMG, LLP, reported its breach to the New Jersey healthcare system.
KPMG, which won OCR’s $9.2 million contract for HITECH-required HIPAA audits in June 2011, told the Saint Barnabas Health Care System of West Orange, NJ, in June 2010 that a KPMG employee lost an unencrypted flash drive that may have contained a list with some patient names and information about their care, Saint Barnabas reported on its website.
The potential breach affected individuals at two facilities—3,630 patients at Saint Barnabas Medical Center in Livingston, NJ, and 956 patients at Newark Beth Israel Medical Center in Newark, NJ—according to a report on the OCR breach notification website. The website lists entities reporting breaches affecting 500 or more individuals, a HITECH requirement that went live in February 2010.
The flash drive did not include patient addresses, Social Security numbers, personal identification numbers, dates of birth, financial information, or other identifiable information, according to the report on the Saint Barnabas website.
KPMG reported the matter to the New Jersey healthcare system June 29, 2010. KPMG believes the flash drive was misplaced on or about May 10, 2010, according to Saint Barnabas.
“KPMG believes that it is possible that the patient data was deleted from the flash drive prior to the time when it was lost,” according to the healthcare system’s report. “KPMG has also concluded that there is no reason to believe that the information on the flash drive was actually accessed by any unauthorized person. … KPMG has told us the company is implementing measures to avoid similar incidents in the future, including additional training and the use of improved encryption for its flash drives.”
Reached August 5 via e-mail, Pete Settles of KPMG external communications confirmed the incident with Saint Barnabas but said that “for reasons of confidentiality, we do not comment on client work.”
Susan McAndrew, deputy director of health information privacy for OCR, wrote in an e-mail that “OCR cannot address KPMG’s involvement with the breach at St. Barnabas as this case is currently under investigation.”
Ellen Greene, vice president of public relations and marketing for the Saint Barnabas Health Care System, said the organization had no comment.
News broke last month that OCR hired KPMG, LLP to implement its HITECH-required HIPAA compliance auditing plan.
KPMG is assisting the government to implement the statutory requirement to audit covered entity and business associate compliance with the HIPAA privacy and security standards as amended by HITECH.
KPMG will end up auditing 150 entities varying in size by December 31, 2012. HITECH requires “periodic audits” of covered entities and business associates to ensure HIPAA compliance.
Asked whether OCR considered KPMG's involvement in this 2010 breach at any level when considering the firm for the HIPAA audit contract, McAndrew said only, “the award of the HIPAA audit contract was the result of HHS’ usual, rigorous, competitive process. Specific questions regarding the contract award are procurement sensitive.”
The process to hire KPMG involved a Department of Health and Human Services (HHS) panel that reviewed and ranked all technical proposals and qualifications by “predetermined evaluation criteria,” McAndrew said.
“Evaluation criteria in the solicitation included responsiveness to the audit design requirements in the HHS statement of work, as well as past performance on other compliance audit programs,” McAndrew said. “Negotiations were conducted, and an offer was made.”
KPMG LLP is an audit, tax, and advisory firm and is the United States member firm of KPMG International, according to its website. KPMG International’s member firms have 137,000 professionals, including more than 7,600 partners, in 144 countries.
The Office for Civil Rights (OCR) is undecided whether to include business associates (BAs) in its HIPAA-compliance audit plans per a $9.2 million contract it awarded last month.
Susan McAndrew, JD, OCR’s deputy director of health information privacy, says the contractor, KPMG, LLP, will be developing protocols to support business associate audits.
However, “OCR has not yet determined whether it will audit business associates in addition to covered entities during the audits that are anticipated to take place in 2012,” McAndrew says.
KPMG is a consulting firm with a global network of professional firms that provides audit, advisory, and tax services. The contract calls for up to 150 audits of organizations varying in size before December 31, 2012.
McAndrew says the audit program will occur in three steps. OCR will work with KPMG to develop audit protocols and an initial round of audits to field test the program. If these test audits return positive results, OCR will launch a full range of onsite audits and an evaluation process.
OCR awarded Booz Allen Hamilton (the McLean, VA, consultant it originally hired to evaluate and compare different audit methods) a $180,000 contract to identify audit candidates.
HIPAA experts call for BA audits
BAs are involved in 57 of the 292 breaches affecting 500 or more individuals listed on the OCR website as of Thursday afternoon; that’s about 20%. The top two breaches include BAs (1,900,000 and 1,700,000 patients affected; see details at the end of this story).
The website list is required by HITECH and has been live since February of 2010, dating back to breaches that occurred on or after September 22, 2009.
Phyllis A. Patrick, MBA, FACHE, CHC, of Phyllis A. Patrick & Associates LLC in Purchase, NY, says she “most definitely would encourage OCR to audit BAs, especially those of high priority/potential risk to the privacy and security of confidential information in that they work with the covered entity’s PHI and confidential information on a regular basis.”
Patrick cites examples such as IT vendors, billing companies, coding companies, accounting firms, and disposal companies (media, shredding, etc.).
Kate Borten, CISM, CISSP, president of The Marblehead Group in Marblehead, MA, says BAs play a “key role” in healthcare and should be looped in to OCR audits.
“Given the key role that many BAs play in healthcare—as well as the vast amount of PHI entrusted to BAs—it is very important that OCR also audit them,” Borten says.
Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA College in Casa Grande, AZ, says OCR should audit BAs in the next round and focus on covered entities now.
“In my mind, OCR auditing BAs is like climbing a falling tree: There may be some activity in trying to get somewhere, but at the end of the day, one really hasn't gained any ground,” Ruelas says. “Historically, BAs have taken their direction from their client covered entities, so by OCR focusing on covered entities, I am confident any BA-related findings will be shared between the covered entity and the BAs it contracts with.”
Top business associate breaches, per individuals affected, according to the OCR website:
IBM
Covered entity: Health Net, Inc. (Shelton, CT). Date of breach: January 21, 2011. Approx. individuals affected: 1,900,000. Type of breach: Unknown. Location of breached info.: Other.
GRM INFORMATION MANAGEMENT SYSTEMS
Covered entity: New York City Health & Hospitals Corporation's North Bronx Healthcare Network (New York, NY). Date of breach: December 23, 2010. Approx. individuals affected: 1,700,000. Type of breach: Theft. Location of breached info.: Electronic Medical Record, Other.
IRON MOUNTAIN DATA PRODUCTS, INC. (NOW KNOWN AS ARCHIVE DATA SOLUTIONS, LLC)
Covered entity: South Shore Hospital (Weymouth, MA). Date of breach: February 26, 2010. Approx. individuals affected: 800,000. Type of breach: Loss. Location of breached info.: Portable Electronic Device, Electronic Medical Record, Other.
Federal regulators are “misguided” in their proposed HIPAA disclosures rule, disregarding what Congress intended through HITECH and failing to balance patient privacy rights with the technological capabilities of providers, the American Hospital Association (AHA) says in a letter released Monday.
The letter, submitted to Kathleen Sebelius, secretary of the Department of Health and Human Services (HHS), calls on the federal regulators to “significantly alter” their approach in the “HIPAA Privacy Rule Accounting of Disclosures under the Health Information Technology for Economic and Clinical Health Act.” The proposed rule was published in the Federal Register May 31.
Chiefly, AHA wants the Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules under HHS, to withdraw from the rule its new “access report” provision; through the proposed provision, patients can request an accounting of who accessed their electronic health information in a designated record set, for any reason. It covers both uses and disclosures.
As the government tries to reduce administrative costs in healthcare—through health reform and new financial incentives to become a “meaningful user” of electronic health records (EHR)—the access report right is a step back, AHA says.
“The proposal … is misguided and does not appropriately balance the relevant privacy interests of individuals with the burdens that will be imposed on covered entities, including hospitals,” the AHA writes in the letter. “The proposal is based on a fundamental misunderstanding of the value to individuals of receiving the particular information that the access report would capture, as well as a misunderstanding about the capabilities of technologies available to and used by covered entities.”
AHA’s letter represented its official comment to OCR regarding the proposed rule; the comment period ended Monday. After OCR considers the comments, it is expected to issue a final rule.
Instead, OCR should first seek more information from the industry in order to determine “the needs of patients who seek to understand how their PHI is disclosed, while simultaneously ensuring that covered entities are technically capable of providing such information without incurring unreasonable burdens to do so,” AHA writes.
AHA also included the following recommendations for OCR:
Clarify the discussion of designated record sets, adopt its proposed exclusions to the accounting requirement, and maintain existing exclusions.
Maintain a 60-day response requirement and limit an accounting to three years.
Retract its HIPAA Security Rule preamble commentary in order to reflect longstanding department guidance.
Extend the access report compliance date and remove the requirement to name employees.
Reflect the statutory requirement that covered entities be permitted to direct individuals to a business associate.
Make clear that a covered entity is not liable for unsecure transmissions requested by a patient.
Provide at least 60 days for the provision of an access report.
The right to request an "access report" as outlined in the Office for Civil Rights' proposed HIPAA accounting of disclosures rule could be an asset to attorneys in HIPAA civil suits and malpractice cases, privacy experts say.
Under the proposed accounting of disclosures rule, patients could request an accounting of who accessed their electronic health information in a designated record set, for any reason. It covers both uses and disclosures.
The proposed rule could help the case of malpractice and other lawyers, says Jeff Drummond, health law partner in the Dallas office of Jackson Walker LLP and author of HIPAA Blog.
"And it doesn't even have to be a HIPAA or data breach or confidentiality case," Drummond says. "In a medical malpractice case, the plaintiff's lawyer can say, 'X looked at the file and didn't say anything.' "
Through the new provision, patients would be able to obtain access reports for the purpose of sharing the report with their malpractice attorneys.
"In practice, I think that these reports will be useful to malpractice attorneys, but not necessarily serve as a smoking gun," said Adam Greene, JD, MPH, a lawyer in the Washington, DC, office of Davis Wright Tremaine LLP. Greene is a former OCR senior health information technology and privacy specialist. "This is because the access report will not provide the purpose of the access; so much of the access that a malpractice attorney suspects to be impermissible may prove to be for a valid purpose, such as for a valid administrative or quality improvement purpose."
So could a lawyer use the following argument?
Dr. Smith only accessed Jane Doe's record once prior to her damaging surgery. That is not enough time spent researching the patient's condition before operation.
"I suppose that it's possible," Greene says. "It may depend on whether the access log tracks the user action."
For instance, Greene presents the following scenario:
Dr. Smith only accessed the record once, but what the access report does not reflect is that he downloaded the file to his encrypted portable device and then spent a substantial amount of time reviewing it.
Covered entities should reasonably limit access to electronic PHI, Greene says, and would be well served to maintain documentation of why particular persons and positions have access.
For example:
John Doe accessed your record, but he is permitted to do so because his position requires him to access patient records to ensure that patients are receiving high quality services.
Access revelations
Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA College in Casa Grande, AZ, says the access reports could detect patterns of inappropriate access.
The proposed provision does not include a requirement to show how long a person viewed a medical record. However, the date and time must be noted, which can be problematic, according to Ruelas. "If [a staff member] works from 8 to 5, and there are access report entries before 8 or after 5, this might be worth more investigation."
Ruelas says this could boost a lawyer's argument because if the CE does not have an adequate monitoring or auditing process, "a lawyer seeing that [the staff member] is repeatedly looking at records before 8 a.m. can invite some very interesting questions."
"If someone is listed on the report as 'viewed' under 'action' over and over again, and this has gone undetected, this can also be a problem," Ruelas adds.
The new requirement not only makes it easier for patients to learn who accessed their record, but also reveals, according to Ruelas:
What systems were queried to get the data
Whether the organization is fulfilling its commitment to safeguarding user access to ePHI (e.g., access IDs, unique IDs, etc.)
Whether the CE reviews reports indicating unusual access patterns
Ruelas calls the process of finding culprits who access records inappropriately a "very laborious task with an element of luck."
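The checks Ruelas describes, off-hours entries and a user who keeps showing up as "viewed" on the same record, are simple to run once per-system audit logs have been pulled together into one access report for a patient. The following script is an added illustration written for this article, not code from any EHR vendor, OCR, or the people quoted here. The log format (pipe-separated fields from two hypothetical DRS systems, "EHR" and "BILLING"), the user and patient identifiers, the 8-to-5 window, and the repeat threshold are all constructed assumptions. As Greene notes, an access report carries no purpose for the access, so the flags it raises are leads for a compliance reviewer, not findings.

```python
from collections import Counter
from datetime import datetime, time

# Constructed sample log lines from two hypothetical DRS systems.
# Fields: system|timestamp|user_id|patient_id|action. This format and
# every value in it are assumptions for the example, not a vendor's log.
SAMPLE_LOG_LINES = [
    "EHR|2011-06-01T07:12:00|u1042|P-001|viewed",
    "EHR|2011-06-01T09:30:00|u1042|P-001|viewed",
    "BILLING|2011-06-01T10:05:00|u2201|P-001|updated",
    "EHR|2011-06-02T07:45:00|u1042|P-001|viewed",
    "EHR|2011-06-02T18:20:00|u1042|P-001|viewed",
    "EHR|2011-06-02T11:00:00|u3310|P-002|viewed",
    "EHR|2011-06-03T07:30:00|u1042|P-001|viewed",
]

# The "8 to 5" working window from the text; entries outside it are flagged.
BUSINESS_HOURS = (time(8, 0), time(17, 0))
# Assumed threshold: this many 'viewed' entries by one user on one patient is flagged.
REPEAT_THRESHOLD = 3


def parse_line(line):
    """Split one raw log line into a dict with a real datetime."""
    system, ts, user, patient, action = line.strip().split("|")
    return {"system": system, "time": datetime.fromisoformat(ts),
            "user": user, "patient": patient, "action": action}


def build_access_report(lines, patient_id):
    """Aggregate one patient's entries across all DRS systems into a single,
    time-ordered report (the per-system logs merged into one)."""
    entries = [e for e in map(parse_line, lines) if e["patient"] == patient_id]
    return sorted(entries, key=lambda e: e["time"])


def off_hours_entries(report, start=BUSINESS_HOURS[0], end=BUSINESS_HOURS[1]):
    """Entries whose time of day falls outside [start, end)."""
    return [e for e in report if not (start <= e["time"].time() < end)]


def repeated_views(report, threshold=REPEAT_THRESHOLD):
    """Users whose 'viewed' count on this patient reaches the threshold."""
    counts = Counter(e["user"] for e in report if e["action"] == "viewed")
    return {user: n for user, n in counts.items() if n >= threshold}


def render_report(report):
    """Human-readable lines for the patient rather than raw log data."""
    return [f"{e['time']:%Y-%m-%d %H:%M} {e['system']:<8} user {e['user']} {e['action']}"
            for e in report]


def review(lines, patient_id):
    """Build the report and attach the two review flags Ruelas describes."""
    report = build_access_report(lines, patient_id)
    return {
        "report": render_report(report),
        "off_hours": [(e["user"], e["time"].isoformat()) for e in off_hours_entries(report)],
        "repeated_views": repeated_views(report),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG_LINES, "P-001").items():
        print(key, value)
```

Run against the constructed lines, patient P-001 gets six entries from the two systems, four of them outside 8 to 5, and user u1042 is flagged for five "viewed" entries; P-002 raises nothing. In a real deployment the working window would come from the user's schedule rather than a constant, and the report should record which system each entry came from, since the text notes that which systems were queried is itself something the report reveals.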
A proposal that would require hospitals to give patients, on request, information about anyone who accessed their health records would be costly, time-consuming, and could potentially put healthcare workers in danger from "stalkers" armed with the names of hospital employees, the American Health Information Management Association (AHIMA) says.
Chicago-based AHIMA, the non-profit association for HIM professionals, released public comments Wednesday that it submitted to the Office for Civil Rights (OCR) regarding the "HIPAA Privacy Rule Accounting of Disclosures under the Health Information Technology for Economic and Clinical Health Act" proposed rule.
The disclosure rule, required by HITECH and published in the Federal Register May 31, updates the HIPAA Privacy Rule accounting of disclosures provision and creates an "access report" requirement. The new provision includes an accounting of who accessed electronic health information in a designated record set, for any reason. It covers both uses and disclosures, regardless of the purpose.
All such DRS systems should be capable of logging access, according to the proposed rule. OCR expects covered entities and business associates to generate an access report for each electronic DRS and aggregate them into a single electronic access report.
However, AHIMA says that would "cause a significant burden for covered entities and their EHR vendors" because current systems do not support such a requirement. The association suggests CEs and BAs respond to these patient requests on an ad hoc basis "rather than require significant systems and process changes that will raise the cost of healthcare for what appears to be a very limited number of requests."
Because many entities do not have the ability to meet the technical requirements, OCR should delay its proposed compliance dates, AHIMA says. As proposed, compliance with the access report provision would be required beginning January 1, 2013, for electronic DRS systems acquired after January 1, 2009, and beginning January 1, 2014, for electronic DRS systems acquired prior to 2009.
Further, access reports should carry only identifiers for the work force members rather than actual names, AHIMA says. Patients asking who viewed their medical records often have a specific individual in mind, such as a former spouse, AHIMA says.
HIM professionals have reported to AHIMA several situations where employees have been stalked after their names are released to patients.
"While we fully support the requirement allowing an individual to have knowledge of access, we also want to protect the workplace staff of the covered entity," AHIMA states in its comments. "AHIMA supports narrowing the requests to specific individuals when possible. In some treatment environments (e.g., emergency departments and psychiatric facilities), providers are permitted to use pseudonyms to avoid patients stalking or contacting them outside the workplace. Access accounting would require facilities to share the legal names of their providers which defeat the protections that have been in place for long periods of time."
AHIMA concluded its comments by calling for OCR to develop a pilot to test the "assumptions" in the new access report requirement and consumer awareness and education.
"In addition to not knowing the impact on covered entities and business associates, the burdens will not be known if we cannot determine how the average consumer will or will not request an access report," the organization said.
The Department of Health and Human Services (HHS) entered into its third largest settlement for potential HIPAA privacy and security rule violations this week, reaching a resolution agreement Tuesday of $865,500 with the University of California at Los Angeles Health System (UCLAHS).
UCLAHS has also committed to a corrective action plan in order to fix "gaps in its compliance" with HIPAA's privacy and security rules, according to a report on the HHS website published Wednesday.
The Office for Civil Rights (OCR), which enforces HIPAA under HHS, investigated the health system following two separate complaints filed by two celebrity patients. OCR said UCLAHS employees repeatedly and without permissible reason looked at their electronic personal health information in addition to other UCLAHS patients.
This week's settlement ranks behind CVS Caremark Co. ($2.25 million, February 2009) and Rite Aid ($1 million, July 2010) in the amount agreed with OCR to resolve potential HIPAA privacy and security rule violations.
This February, OCR imposed a $4.3 million civil money penalty on Cignet Health, the largest fine for such violations. It was not a settlement.
A UCLAHS official said the employees cited in the investigation received some level of discipline but did not specify further.
UCLAHS released a statement today saying it "considers patient confidentiality a critical part of our mission of patient care, teaching and research. Over the past three years, we have worked diligently to strengthen our staff training, implement enhanced data security systems and increase our auditing capabilities."
The Los Angeles health system -- which includes 12,000 employees and 856 beds at its three licensed facilities and also 90 clinics -- says it worked collaboratively with OCR and "continues to take measures to demonstrate our ongoing commitment to protecting our patients’ privacy."
“Our patients’ health, privacy and well-being are of paramount importance to us,” Dr. David T. Feinberg, CEO of the UCLA Hospital System and associate vice chancellor for health sciences, said in the statement. “We appreciate the involvement and recommendations made by OCR in this matter and will fully comply with the plan of correction it has formulated. We remain vigilant and proactive to ensure that our patients’ rights continue to be protected at all times.”
HIPAA experts say the major take-away from the HIPAA Privacy Rule disclosures proposed rule published May 31 in the Federal Register is the need to revisit existing auditing methods for disclosures of protected health information.
But let's take a closer look. For starters, it's already mandatory, regardless of what the proposed rule says.
The HIPAA Security Rule already requires audit tracking: Rule 45 CFR 164.312, technical safeguards, requires covered entities (CEs) (and now business associates, per HITECH) to "implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI."
Adam H. Greene, JD, MPH, of Davis Wright Tremaine LLP, based in Seattle, helped author the proposed rule during his time at the Office for Civil Rights (OCR). The 12-year health law veteran and key regulator for the Department of Health & Human Services (HHS), who left the government agency in April, says covered entities "are going to need to take a fresh look at their auditing procedures and what systems qualify as 'designated record sets (DRS).'"
The HITECH Act requires CEs and BAs to provide an accounting of disclosures of PHI through an electronic health records system for treatment, payment, and healthcare operations (TPO) dating back three years from such a request.
The proposed rule implements this requirement through the right to an "access report," which includes an accounting of who accessed electronic health information in a DRS, for any reason. This includes both uses and disclosures, regardless of the purpose.
While it is a great time to review existing auditing procedures, remember that this is a proposed rule, subject to change. Privacy and security officers "may want to sit tight and not act prematurely in response to a proposed, rather than final, rule," Greene says.
He does recommend, however, taking note of a few things:
1. Expansion of the accounting of disclosures details. This will require changes to the corresponding policies and/or procedures that cover accounting for disclosures, in addition to possible changes in the applications being used to log and track these types of disclosures, and the ways in which this accounting is provided to individuals requesting to see it, says Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, in Des Moines, IA.
2. The creation of a new DRS (containing ePHI) access report. This data is likely already collected somewhere, but CEs and BAs (who have DRSs) will need to create reports that are readable by all individuals, and are not just a listing of raw log data, says Herold.
3. Updates to Notice of Privacy Practices (NPPs). The need to let individuals know their new, expanded rights will mean CEs must update their NPPs and then ensure the updated NPPs are provided to patients according to the new requirements and within the indicated timeframes; the regulators do seem to try to accommodate CEs' current obligation to provide at least annual notices.
4. The change of six years to three years for accounting of disclosures. This is likely meant to help save storage space for CEs and BAs, in addition to the stated reasons within the NPRM. "However, an impact already being heard is the concern that there are still other standing requirements to maintain certain other documentation, such as policies/procedures, for at least six years," Herold says. "CEs and BAs now wonder if they HAVE to change the disclosures to three years, or can keep current logging practices the same (at six years) so they can have one less thing to do with implementing the final version of this NPRM."
5. New duties for BAs. Herold cites the need for BAs to not only get into compliance with the accounting for disclosures requirements, but also to create new ePHI access reports. They have to do this while they are still trying to get into compliance with the other HITECH requirements that most have not made much progress with to date, she adds. BAs must now comply, per HITECH, with the HIPAA Security Rule.
6. It's not too soon to start. These changes would go into effect, if accepted as proposed, for the access reports beginning January 1, 2013, for electronic DRSs acquired after January 1, 2009, and beginning January 1, 2014, for electronic DRSs acquired as of January 1, 2009. "So, with all the probable programming/systems changes these will bring, CEs and BAs will need to get started on the changes sooner rather than later," Herold says. "Certainly as soon as the final version of the Accounting for Disclosures NPRM is released. Determining where all DRSs exist now would be prudent; even if the NPRM is not finalized as is, entities need to have this information documented anyway, and most do not."
Covered entities and business associates finally have an idea what the accounting of disclosures provision in HITECH is all about. The Department of Health & Human Services publicly released a proposed rule governing privacy disclosures related to electronic health records May 27 and published it in the Federal Register May 31. Comments must be submitted on or before August 1, 2011. See also: 6 Things to Know About the HIPAA Disclosures Proposed Rule.
What: The HITECH-required proposed rule is formally known as "HIPAA Privacy Rule Accounting of Disclosures under the Health Information Technology for Economic and Clinical Health Act." The HITECH Act requires CEs and BAs to provide an accounting of disclosures of personal health information (PHI) through an EHR, for treatment, payment, and healthcare operations (TPO) dating back three years from such a request.
The proposed rule implements this requirement through the right to an "access report," which includes an accounting of who accessed electronic health information in a designated record set (DRS), for any reason. This includes both uses and disclosures, regardless of the purpose.
Why accounting of disclosures: "The intent of the accounting of disclosures is to provide more detailed information (a 'full accounting') for certain disclosures that are most likely to impact the individual," according to the proposed rule.
Why access reports: "The intent of the access report is to allow individuals to learn if specific persons have accessed their electronic DRS information (it will not provide information about the purposes of the person's access)," according to the proposed rule.
Compliance dates: For new accounting of disclosures requirements, if the rule becomes final in its current form, compliance would be mandatory 180 days after the effective date of the final regulation (i.e., 240 days after publication). For the access reports provision, compliance would be effective January 1, 2013, for electronic DRS systems acquired after January 1, 2009, and beginning January 1, 2014, for electronic DRS systems acquired prior to 2009.
DRS definition: According to the HIPAA Privacy Rule, a DRS is a group of records maintained by or for a CE which:
Consists of medical records and billing records about individuals maintained by or for a CE
Contains enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
Is used, in whole or in part, by or for the CE to make decisions about individuals
Comment period: Comments on this proposed rule must be submitted on or before August 1, 2011.
New rule a burden for providers and BAs? Yes, according to HHS itself in the proposed rule. Adam H. Greene, JD, MPH, of Davis Wright Tremaine LLP, based in Seattle, adds that healthcare providers who do not maintain comprehensive audit logs will be required to do so and the proposed rule may represent a significant burden. "For health plans, this proposed rule most likely represents an unwelcome surprise since it encompasses their systems, rather than only 'electronic health records,' " said Greene, a 12-year health law veteran and key regulator for HHS who left the government agency last month, but not before helping author this proposed rule published this week.
Is this accounting completely new? No. The HIPAA Security Rule already requires audit tracking: Rule 45 CFR 164.312, technical safeguards, requires CEs (and now BAs, per HITECH) to "implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI."
Chris Apgar, CISSP, president, Apgar & Associates, LLC, in Portland, OR, points out that 45 CFR 164.308 includes two periodic audits (user login monitoring and information systems activity review) that rely or should rely on generated audit logs. Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, in Des Moines, IA, says she doubts if more than 40% of CEs and BAs combined actually have such logging in place.
"Even though Sec. 13405 (c) within HITECH indicates this type of accounting would be a requirement, it's likely this section was overlooked by most CEs and BAs who instead focused on the breach notice section. The Accounting of Disclosures NPRM is a wake-up call for CEs and BAs alike to get this portion of the Security Rule implemented," Herold says. "Once it is implemented, then creating easy-to-understand reports to show these accesses will be a matter of creating or updating existing applications that access ePHI."
EHRs should have tracking capability, but don't. Apgar says one of the key aspects which providers should take note of is making the audit logs "human-readable" for the patient. "This should be a reporting function of the EHR application," Apgar says. "Tracking data elements that are required per the draft rule that are not generated by the EHR (such as with legacy applications) will be very difficult for the covered entity," he said.
Phyllis A. Patrick, MBA, FACHE, CHC, of Phyllis A. Patrick & Associates LLC, in Purchase, NY, says it's clear that the technology "does not exist or is not yet available to most, if not all, providers to be able to respond to these requirements." Any process today is probably more manual than technical and requires personnel time to locate and report the information, and work with the patient to explain what the information includes, Patrick added. "How can providers and business associates align these requirements with patient requests when EHR capability is not there yet?" she asked.
Some relief? Greene, of Davis Wright Tremaine LLP, says one aspect of the proposed rule is a "welcome relief to covered entities." HHS in the rule limits the types of disclosures that are subject to a "full accounting." The preamble states that the full accounting of disclosures will be limited to the types of disclosures that are likely to be of most interest to individuals (such as law enforcement and court proceedings), Greene says, and exempts large categories of disclosures such as those required by law or for research.
Are "access reports" a good thing? "I think it makes good sense to add the new right to an access report," says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.
"Many healthcare organizations already provide this voluntarily, and this report, which includes insider access (use, rather than disclosure), is commonly used to identify snoopers."
Concerns over limits to DRSs. Limiting the accounting and access reports to PHI in a DRS (designated record set) raises concerns, Borten adds. In the proposed rule, HHS cites the breach notification interim final rule, which applies to all PHI in any form regardless of where that information exists. In other words, if there is unauthorized access outside of a DRS, CEs and BAs would theoretically have to report it as a breach.
"There is uncertainty about what qualifies as a breach since it's left up to the individual organization. That's a big loophole," Borten says. "The NPRM example of PHI outside a DRS (hence, not subject to this reporting) is PHI in a peer review report. But how confident are we that a covered entity would know of unauthorized use or disclosure of a peer review report and would deem it a breach?"
A shorter reporting period? The proposed rule would have providers account for disclosures going back three years, instead of the current six. Herold says it's probably an attempt on the part of the lawmakers to help save storage space, about which many organizations have expressed concerns. The three-year timeframe was also established within Sec. 13405 (c) of HITECH, so it is not a new idea. Borten calls it "a bit puzzling."
Organizations already keep accounting information for six years, and since the statute of limitations for civil action is six years, Borten says, "I don't see a good reason to reduce the reporting period to only the past three years. Some hospitals with user access logs already keep them for at least six years and even longer. The hard part of meeting the current requirement is setting up and following the process, not data storage, and the process as stipulated in the privacy rule should already be in place."
A federal judge has sentenced a man to six years in prison for his role in a prescription fraud scheme that included crimes of healthcare fraud, aggravated identity theft and violations of HIPAA, the U.S. Attorney's office in Alabama announced Wednesday.
U.S. District Judge C. Lynwood Smith Jr. also ordered Isaac Earl Smith, 38, who pleaded guilty to the charges in November 2009, to serve three years of supervised release after completing his prison term.
According to the release from the Alabama attorney's office, between September 2008 and April 2009, Smith:
Accessed the personal information of individuals who had Flexible Spending Accounts administered by United Healthcare Inc. and were also covered by a prescription drug plan sponsored by the Federal Employees Health Benefit Plan.
Used the information to create counterfeit prescriptions that were presented to pharmacies in order to illegally obtain controlled substances; the drugs were illegally sold to third parties.
Caused the federal employees' prescription drug plan to pay for the controlled substances, resulting in a loss of $72,746.
"Not only did the people involved in this scheme illegally obtain and sell prescription drugs, they used stolen identities to cause insurance plans to bear the cost of these drugs, as if they had been issued for a legitimate purpose," U.S. Attorney Joyce White Vance said in a statement.
Martin Phanco, inspector in charge of the U.S. Postal Inspection Service in Atlanta, said the healthcare industry relies on the postal service, and "when fraudsters undermine that trust, they hurt not only the healthcare industry, but also the people who really do need medical attention."
Under the terms announced Wednesday, Smith must also pay $72,746 in restitution to the federal drug plan and forfeit the same amount to the government as proceeds of illegal activity.
This isn't the first time HIPAA violations have resulted in jail sentences.
United States Magistrate Judge Andrew J. Wistrich in April 2010 sentenced a former UCLA Healthcare System employee who admitted to snooping on patients' records to four months in prison.
Huping Zhou, 47, of Los Angeles, admitted to illegally reading private and confidential medical records, mostly those of celebrities and other high-profile patients, the U.S. Attorney's office in California said in a release.
Wistrich condemned Zhou for his lack of respect for patient privacy.
Zhou was the first person in the nation to be convicted and incarcerated for misdemeanor HIPAA offenses for merely accessing confidential records without a valid reason or authorization, according to the attorney's office.
In January Zhou pleaded guilty to four misdemeanor counts of violating the HIPAA Privacy Rule. He is a licensed cardiothoracic surgeon in China who was employed in 2003 at UCLA Healthcare System as a researcher with the UCLA School of Medicine.
A Minnesota hospital system this month fired 32 employees at two of its hospitals for inappropriately accessing patients' medical records – the highest reported termination tally at a hospital for such a violation in recent memory.
Allina Hospitals & Clinics terminated the employees at Unity Hospital in Fridley and Mercy Hospital in Coon Rapids who wanted a peek at the medical records of patients hospitalized in March after a drug overdose at a party in nearby Blaine, a hospital official said.
David Kanihan, Allina's director of marketing and communications, told HealthLeaders Media in an e-mail the employees were terminated for "accessing electronic medical records of patients without a legitimate patient-care reason for doing so."
HIPAA allows hospital employees to view patient records for reasons of treatment, payment and healthcare operations.
According to the Minneapolis Star Tribune, 11 teenagers and young adults were hospitalized after they overdosed on a synthetic drug. One died.
"We take our obligation to protect patient privacy very seriously," Kanihan wrote in the e-mail to HealthLeaders. "Our actions in this matter are completely consistent with how we have always dealt with these cases. Anything short of a zero tolerance approach to this issue would be inadequate."
Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA College in Casa Grande, AZ, says the most significant threats regarding patient information breaches come from internal sources.
"I am seeing not only with folks I network with, but firsthand, stepped up efforts for organizations to analyze access to medical records by its own staff to see if there are some privacy issues that need to be addressed," Ruelas says.
Big events, such as a VIP coming to a hospital or a well-known member of the community receiving care at a facility, may prompt unauthorized access, primarily out of curiosity or concern for the individual, Ruelas adds.
"However, as more organizations prompt their employees to make use of their own facilities to receive care, the opportunity for more snooping even out of a genuine concern from coworkers to see how someone they know is doing -- which is still unauthorized -- is a big issue that I believe people are finally realizing needs to be addressed," Ruelas says.
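The access report Borten describes (insider access used to identify snoopers) and the staff-access analysis Ruelas describes, as an added example that is not code from the article or from any EHR product: it builds a human-readable per-patient access report over the accounting window (three years by default, six on request) from constructed audit events, flags accesses with no documented care relationship (the "no legitimate patient-care reason" pattern in the Allina case), and spots a burst of distinct users on one record, the "big event" pattern. The event layout, the care-relationship table and all function names are assumptions.

```python
"""Patient access report and insider-snooping check over constructed EHR audit events.
Added example, not code from the article or any EHR vendor. Event layout, the
care-relationship table and the accounting window are assumptions."""
from datetime import datetime, timedelta

# Constructed audit events: (timestamp, user, role, patient_id, action, stated purpose).
AUDIT_EVENTS = [
    ("2011-03-17T02:14:00", "rn.jlee",   "nurse",     "P1001", "VIEW", "treatment"),
    ("2011-03-17T02:20:00", "dr.kwan",   "physician", "P1001", "VIEW", "treatment"),
    ("2011-03-18T09:02:00", "clerk.tmo", "billing",   "P1001", "VIEW", "payment"),
    ("2011-03-18T11:45:00", "rn.pate",   "nurse",     "P1001", "VIEW", "treatment"),
    ("2011-03-18T11:47:00", "lab.rdz",   "lab_tech",  "P1001", "VIEW", "treatment"),
    ("2007-06-01T08:00:00", "dr.kwan",   "physician", "P1001", "VIEW", "treatment"),
    ("2011-03-18T11:50:00", "rn.pate",   "nurse",     "P2002", "VIEW", "treatment"),
]

# Constructed care-team table: users with a documented encounter or role for the patient
# (in practice derived from scheduling, orders or billing assignments, not from the log).
CARE_RELATIONSHIP = {"P1001": {"rn.jlee", "dr.kwan", "clerk.tmo"}, "P2002": {"rn.pate"}}

def in_period(ts, as_of, years):
    """True if ts falls within the accounting period ending at as_of."""
    end = datetime.fromisoformat(as_of)
    return end - timedelta(days=365 * years) <= datetime.fromisoformat(ts) <= end

def access_report(patient_id, as_of, years=3):
    """Human-readable access report for one patient: who, when, role and stated purpose.
    Default window is the NPRM's three years; pass years=6 for the current period."""
    rows = [e for e in sorted(AUDIT_EVENTS) if e[3] == patient_id and in_period(e[0], as_of, years)]
    return [f"{ts}  {role:<10}{user:<11}{action:<5} purpose={purpose}"
            for ts, user, role, _, action, purpose in rows]

def flag_snooping(patient_id, as_of, years=3):
    """Accesses by users with no documented care relationship to the patient.
    A stated purpose of 'treatment' is not trusted on its own; the relationship must exist."""
    team = CARE_RELATIONSHIP.get(patient_id, set())
    return [(ts, user) for ts, user, _, pid, _, _ in sorted(AUDIT_EVENTS)
            if pid == patient_id and in_period(ts, as_of, years) and user not in team]

def access_burst(patient_id, window_hours=24, threshold=4):
    """Distinct users touching one record within a sliding window: the 'big event' pattern.
    Returns the sorted user set of the first window that reaches the threshold, else []."""
    stamps = sorted((datetime.fromisoformat(ts), u) for ts, u, _, pid, _, _ in AUDIT_EVENTS if pid == patient_id)
    win = timedelta(hours=window_hours)
    for i, (start, _) in enumerate(stamps):
        users = {u for t, u in stamps[i:] if t - start <= win}
        if len(users) >= threshold:
            return sorted(users)
    return []
```

The two flagged accesses would go to privacy review rather than straight to sanctions; the care-relationship table, not the user's stated purpose, is what separates a legitimate view from a peek.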
This isn't the first case of termination for patient-record snooping.
In January, the University Medical Center in Tucson fired three clinical support staff members and a contracted nurse for "inappropriately accessing confidential medical records."
The records were related to shootings at a Tucson supermarket that killed six and wounded 13 -- including U.S. Rep. Gabrielle Giffords (D-AZ).
Last September, Mayo Clinic fired an employee who worked in a business center in Arizona for accessing nearly 2,000 patient medical and financial records over a four-year period. The employee's access rights covered all Mayo Clinic patient records at all Mayo sites.
HIPAA compliance specialist Phyllis A. Patrick, MBA, FACHE, CHC, of Phyllis A. Patrick & Associates LLC in Purchase, NY, says the number of terminations at Allina Hospitals & Clinics itself may not be as "significant as it may seem."
"This is a large health system," she adds. "They have developed their policies, training programs, auditing systems, and sanctions processes to meet the requirements and the spirit of the laws. It appears that they have had their program in place for some time and their processes should be no surprise to any of their workforce. … They appear to be diligent in their investigation process and consistent in how they treat inappropriate access."