Like many people in my area of healthcare law and compliance, we are up to our ears in the 563 page HITECH Final Omnibus Rule, parsing and analyzing. I will be writing a number of pieces on this hefty bit of your-tax-dollars-at-work, but let me start with this one point: A Patient's Right to Transmission of the EHR. As you probably know, patients have the absolute right to an electronic copy of their electronic record, and there is much discussion about what that looks like, what media to use (the regulators won't tell you) and how to get paid for honoring that request. (And, if your practice is in a hybrid state, the patient's request for the record requires a more extensive response, as you ensure that you have produced the appropriate paper and electronic records in their respective formats.)
For practices and healthcare organizations alike, this small section of the large rule has enormous operational impact. But here is the part of the rule I like best: the federal regulators actually agreed with me on something.
Last year, at the HIPAA Summit in Washington, D.C., and the year before that, at the NIST/OCR conference, also in Washington, D.C., I asked Susan McAndrew, OCR's Deputy Director for Health Information Privacy, essentially the same question: I inquired about how small practices, without secure email capability, were going to comply with the Interim Final Rule's mandate that they transmit an EHR electronically to a specific recipient, and at the same time, avoid a compliance violation and enforcement risk. My feeling was that providers without secure email were caught between a rock and a hard place - at risk for sending unsecure email, at risk for refusing to comply with the patient's right to transmit his/her EHR for fear of regulatory reprisal. The patients should be able to assume the risk inherent in the email transmission, but would the regulators agree to back off of the provider's HIPAA compliance responsibilities?
In essence, the answer is yes. The guidance to the HITECH Omnibus Rule states that if a patient or personal representative requests that a provider transmit his/her electronic record to him/herself or someone else, and the provider is only able to do so through unencrypted email technology, then the provider needs to make sure that the individual understands the risks inherent in the email transmission. If, knowing this risk of sending the record over unsecure email, the individual nonetheless wants the provider to honor the request, then the provider is not subject to enforcement in the event the transmitted ePHI is subsequently compromised. Further, the provider may rely upon the email address the patient/personal representative has provided. The provider should obtain a written email request and waiver/understanding of the discussion of the risks. Again, as long as the email address was typed in correctly based upon the written request, the provider is not subject to enforcement if something goes wrong after hitting "send."
Score one for common sense. Those many providers who refused to use email for fear of enforcement can breathe a little easier now.
Much more to follow.
Friday, January 25, 2013
Thursday, January 10, 2013
Are You Mobile?
The Office of Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the National Learning Consortium, have joined forces to bring you an accessible educational tool around mobile device security. There are brief sources to read and to watch online. I like the common sense approach and the list of suggested mobile device protections. I also find it amusing that there is a waiver at the end of each page (i.e., following these steps does not guarantee that the regulators will find you in compliance). Well, it certainly can't hurt.
This resource is important in light of the January 2, 2013 press release regarding Hospice of North Idaho or “HONI,” which became nationally known not for its compassionate end-of-life care, but as the first organization to settle a HIPAA Security Rule/HITECH violation regarding a breach impacting less than 500 individuals.
HONI reported to DHHS that an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients had been stolen in June 2010. OCR investigated and discovered that HONI had not conducted a risk analysis to find the gaps in its PHI safeguards, and had failed to put policies or procedures in place to address mobile device protection as required by the HIPAA Security Rule. HONI was hit with a $50,000 penalty and a corrective action plan. The monetary penalty might have been far greater, but HONI got right to work improving its compliance program and processes. That type of immediate action and accountability impresses the OCR, and may lessen the severity of an enforcement penalty.
OCR Director Leon Rodriguez said: “This action [against HONI] sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” He also stated that “[e]ncryption is an easy method for making lost information unusable, unreadable and undecipherable” (which gives the ePHI a “safe harbor” under the breach notification rule: the provider would not need to report the loss or exposure as a breach).
This is only the beginning. Although the OCR claims that only a small percentage of reported breaches are investigated, who wants to be one of the few? Protection of the ePHI on your mobile devices, including laptops, tablets, smartphones and flash drives, is a reasonable place to start.