Information Technology and EMR

Effective March 1, 2017, the New York State Department of Financial Services promulgated regulations to help protect against cybercriminals and their efforts to exploit sensitive electronic data. These cybersecurity regulations apply to all individuals and entities that “operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law”, with a few exceptions.  This will undoubtedly result in insurance companies and other related healthcare entities, which hold sensitive patient health information, beefing up their internal and external rules and policies.  New York’s proactive stance should be taken with the utmost seriousness seeing that there are more than 400 cyberattacks each day over the internet, or almost 3 every minute.

The United States Congress has enacted a similar law to protect health information, the Health Insurance Portability and Accountability Act (“HIPAA”). However, because HIPAA was enacted and modified years prior to cybersecurity becoming a prominent threat to our society, HIPAA does not provide as much protection to patients’ electronic data as the New York regulations do.  HIPAA does provide important guidelines and safeguards to ensure the integrity and confidentiality of protected health information, but does not elaborate on many of the issues presented in New York’s cybersecurity regulations.

New York’s cybersecurity regulations require all “Covered Entities”, as defined in the regulations, to maintain a cybersecurity program to guard the confidentiality of Nonpublic Information, which includes a risk assessment and a comprehensive cybersecurity policy.  In addition, Covered Entities are now required to designate an individual to serve as the Chief Information Security Officer (“CISO”).  The CISO is tasked with overseeing, implementing and enforcing the Covered Entity’s cybersecurity policy, and is required to report, in writing and at least annually, to the Covered Entity’s Board of Directors or similar governing body.  The CISO’s report must include, as applicable, information on “(1) the confidentiality of Nonpublic Information and the integrity and security of the Covered Entity’s Information Systems; (2) the Covered Entity’s cybersecurity policies and procedures; (3) material cybersecurity risks to the Covered Entity; (4) overall effectiveness of the Covered Entity’s cybersecurity program; and (5) material Cybersecurity Events involving the Covered Entity during the time period addressed by the report.”

Compliance with the cybersecurity regulations will be transitioned over a two-year period with full compliance required by March 1, 2019.

Picture1Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) is the first business associate to be held directly liable for violations under the HIPAA rules. CHCS provided management and information technology services to six nursing homes. According to the OCR Resolution Agreement, OCR received separate notifications from each of the six nursing homes regarding a breach of unsecured electronic protected health information (ePHI) by CHCS resulting from the theft of a CHCS mobile device. The mobile device containing ePHI of 412 nursing home residents was neither encrypted nor password-protected. The settlement includes a monetary payment of $650,000 and a two-year corrective action plan.

OCR’s investigation concluded that:

  1. CHCS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by CHCS; and
  2. CHCS failed to implement appropriate security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level to comply with the HIPAA Security Rule.

It is important for Business Associates and subcontractors of Business Associates to understand that since enactment of the Omnibus Rule in 2013, Business Associates and their subcontractors can be held directly liable for HIPAA violations, including the failure to conduct appropriate risk assessments and the failure to adopt adequate written policies and procedures to reduce the risk of violations.

Picture1Under the Privacy Rule, HIPAA covered entities (health care providers and health plans) are required to provide individuals, upon request, with access to their protected health information (PHI) in one or more “designated record sets” maintained by or for the covered entity.

Covered entities are also required to protect the individual’s PHI from unauthorized disclosure. How must a covered entity verify the identity of the individual requesting the PHI so as to comply with the Privacy Rule without at the same time violating it?

Recent guidance from the Office of Civil Rights (OCR) is somewhat helpful.

According the guidance, the Privacy Rule requires a covered entity to take “reasonable steps” to verify the identity of an individual requesting access (citing 45 CFR 164.514(h)).  OCR confirms the Privacy Rule does not mandate the form of verification, but rather leaves the manner of verification to the professional judgment of the covered entity, provided the verification processes and measures “do not create barriers to or unreasonably delay the individual from obtaining access to her PHI”.  OCR explains that verification may be oral or in writing and states that the type of verification depends on how the individual is requesting or receiving access. For instance, a person may request access in person, by phone, by fax or e-mail, or through a web portal hosted by the covered entity.

OCR suggests that standard request forms ask for basic information about the individual to enable the covered entity to verify the individual is the subject of the information requested.  For those covered entities providing individuals with access to their PHI through web portals, the portals should be set up with appropriate authentication controls, as required by the HIPAA Security Rule (for instance password protection and required periodic password updates).

For individuals who may call requesting access to their PHI, good policy might require verification of the requestors date of birth, address, and perhaps the condition the individual was treated for.

Verifying the authority of an individual’s personal representative is determined under State law. In the next blog post, we will look at the law in New York on who is a qualified person for purposes of access to an individual’s medical records.

Alternatives to the hospital emergency room and primary care doctor’s office are opening in strip malls and other retail locations throughout the country. New York State is no exception. In an effort to provide oversight for these walk-in clinics, New York’s Public Health and Health Planning Council (PHHPC) has recommended regulations for these facilities.

The recommendations would place walk-in clinics into one of four categories:
1. Limited Services Clinics (Retail Clinics);
2. Urgent Care;
3. Hospital-Sponsored Freestanding Emergency Departments; and
4. Non-Hospital Surgery- Ambulatory Surgery Centers and Office-Based Surgery.

The recommendations for each category of walk-in clinic are summarized below:

Limited Services Clinics (Retail Clinics)

• The name, marketing materials and all signage would be required to include the term “Limited Services Clinic.”
• Services would be limited to episodic care related to minor ailments and immunizations.
• Surgical, dental, physical rehabilitation, mental health, substance abuse and birth center services would not be permitted.
• No dispensing of controlled substances would be permitted.
• No services could be administered to children 24 months of age or younger.
• No childhood immunizations to patients under 18 years of age (except influenza) would be permitted.
• Accreditation by a national organization approved by the NYS Department of Health (DOH) would be required.
• The clinic would be required to have a Medical Director at the corporate level who is licensed to practice medicine in New York.

Urgent Care Providers

• Urgent Care would be limited to treatment of acute episodic illness or minor traumas.
• Services required would include:

  • unscheduled, walk-in visits typically with extended hours on weekends and weekdays;
  • Ex-ray and EKG;
  • Laceration repair; and
  • Crash cart supplies and medications

• The term “Urgent Care” would be required in the name and in all signage at the provider site and in all marketing materials. Other commercial terms could still be used in the provider’s name, but would need to include “Urgent Care” (e.g. “FastMed Urgent Care”).
• The word “Emergency” or its variations would not be permitted for urgent care providers unless licensed by New York State as an emergency department.
• Non-article 28 Urgent Care would require accreditation. No CON review required.
• Article 28 Urgent Care not otherwise accredited would be surveyed by DOH.
• Existing Article 28 Hospital or D&TC providers wanting to provide Urgent Care would require a limited review of their operating certificate.
• Private physician practices affiliated with an Article 28 may provide urgent care if they are accredited or become an Article 28 through CON review.
• Establishment of a new Article 28 Hospital or D&TC to provide urgent care services would require CON review.

Freestanding Emergency Departments

• Hospital-sponsored off-campus “emergency department” would be defined as an emergency department that is hospital-owned and geographically removed from the hospital campus.
• PHHPC recommends that the sponsored off-campus emergency department use the name of the Hospital that owns the facility followed by “Satellite Emergency Department”.
• The facility would be subject to the same standards as a hospital-based emergency department regarding training of providers, staffing, and the array of services provided at the facility.
• Establishment of an off-campus emergency department would require full CON review.
• Accreditation would be required.

Non-Hospital Surgery

• No changes are recommended regarding ambulatory surgery.
• New and existing office-based surgery practices would require registration with DOH.
• All physician practices performing procedures utilizing more than minimal sedation would require accreditation and the provision of adverse event reports.

Limited Services Clinics, Urgent Care providers and Hospital-Sponsored Freestanding Emergency Departments would be required to utilize electronic medical records.  Further, these facilities would be required to provide a list of primary care providers to any patient indicating that they do not have a primary care provider. These clinics would also be required to recommend that the patient schedule an initial or annual appointment with a primary care provider and develop policies and procedures to identify and limit repeat encounters with patients.

Is your office photocopy machine a HIPAA time-bomb?  Affinity Health Plan recently learned that the answer is yes, to the tune of a $1.2 million settlement with the US Department of Health and Human Services Office for Civil Rights (OCR).  Affinity is a not-for-profit managed care organization which includes one of the New York metropolitan area’s largest Medicaid managed care programs.  In 2010, Affinity made a mandatory breach report to OCR when it learned that the protected health information (PHI) of over 300,000 individuals was found on the hard drives of multiple photocopiers that Affinity had leased.  Affinity failed to have the hard drives wiped or destroyed prior to the return of the copiers at the end of the leases.

As HIPAA Covered Entities, healthcare organizations from hospitals and inpatient facilities to physician practices and health plans should take note of this matter.   For Covered Entities, this may mean new policies covering copiers and other hard drives containing PHI, revised risk analyses and safeguards, and revised Business Associate Agreements (BAAs).

Additionally, Business Associates of healthcare organizations, including consultants, lawyers, accountants, and billing companies, who may possess protected health information should also pay close attention.  Under the Omnibus Rule, finalized earlier this year and taking effect on September 23, 2013, business associates will be directly responsible for compliance with the privacy and security provisions HIPAA, HITECH and the Ominbus Rule. This means developing their own policies and procedures, conducting internal risk assessments and audits, and implementing physical and electronic safeguards to protect PHI.  Business Associates should carefully read new or revised BAAs they receive from Covered Entities to better understand their obligations.

The health care attorneys at Farrell Fritz understand HIPAA, can help your organization move toward compliance with new and old requirements, and minimize your risk of substantial fines.

 

On January 2, 2013, the US Department of Health and Human Services announced a $50,000 settlement with Hospice of North Idaho for a data breach involving the theft of a lost, unencrypted laptop computer containing the health information of 441 patients.

This settlement is the first for a reported breach affecting fewer than 500 individuals.   HHS Office of Civil Rights Director Leon Rodriguez stated that “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”

A few takeaways from this settlement:

  • All HIPAA covered entities should conduct initial and ongoing risk assessments regarding use of electronic PHI;
  • Providers should develop and adopt policies and procedures regarding the use of mobile devices such as laptops, tablets, and smart phones containing electronic PHI, and appropriate safeguards to implement;
  • Think about who should have access to the devices, how they are protected or encrypted, where they are stored;
  • Providers should carefully investigate all data breaches, no matter how small;
  • After an investigation, review the provisions of the HITECH Act regarding breach notification; must the provider notify HHS immediately, notify the affected individuals, or take other measures?
  • Consult with counsel familiar with HIPAA, HITECH and data breaches to ensure that all Federal and State obligations are being met with an appropriate investigation, response, remedial assessments and policies and procedures.

 

   The Health Information Technology for Economic and Clinical Health Act (the “HITECH”) Act of 2009 aims to have all hospitals and physicians use electronic health records (“EHRs”) for all persons in the United States by 2014.  Federal and State financial incentives, electronic billing requirements, and the need for ever-increasing collaboration and sharing of information among providers have lead to a growing embrace of EHRs across the health care system.

   The U.S. Department of Health and Human Services Office of the Inspector General (the “OIG”) recently issued its Work Plan for Fiscal Year 2013.  One of the OIG’s goals for 2013 is to identity fraud and abuse vulnerabilities in EHR systems and to determine how certified EHR systems address those vulnerabilities.

Letters and Surveys Sent By OIG

  The OIG has already begun to implement the Work Plan with respect to its review of EHR systems.  In October 2012, at least ten hospitals received an 18-page, 54-question survey requesting detailed information on their EHR systems.  The survey comes on the heels of a letter that was sent on September 24, 2012 from HHS and the Department of Justice to health care providers indicating that “there are troubling indications that some providers are using [EHR] technology to game the system, possibly to obtain payments to which they are not entitled.”

  It is expected that the responses to the survey will be used by the OIG to prepare a report which will be published during fiscal year 2013.  According to a recent article posted on HealthLeaders Media, some of the questions in the OIG survey include:

  • How diagnoses and procedures are coded (manually, automatically with coding software, or other);
  • User authorization methods (unique user ID, password, tokens, biometrics, public key);
  • Access management (session time-out, minimum password configuration rules, regular changing of passwords, user agreements or contracts to prevent sharing of passwords, or other);
  • Barriers to allowing outside entities access (lack of software or hardware support, insufficient staffing, funding restrictions, performance concerns, privacy concerns, etc.);
  • How physician progress notes are entered into the EHR (free text, via structured templates);
  • Whether narrative nursing notes are directly entered into the EHR or handwritten and scanned into the EHR, and if so, why;
  • Whether patients have access to the EHR, and if so, how.

Steps to Ensure Proper Functioning of an EHR

  There are certain steps that hospitals and physicians can take in order to ensure that their EHR system is functioning properly.  First, considerable time and research should be spent on selecting an EHR vendor to ensure that the EHR system will be a good fit for the practice.  Issues to be addressed should include: What features does the vendor’s system include that competitors may not offer?  What kind of training and support is provided by the vendor and how and when is that support available?  What is the size of the vendor’s customer base and has its software been implemented in similar practices and work environments?  Legal review of acquisition documents, service/support agreements, and hardware or hosting agreements is a key component of the process.

  Second, it is essential that hospitals and physicians receive appropriate training in the use of the system and that sufficient time is allotted for staff education.  Written manuals should be provided to staff members that, along with a detailed guide to the EHR system, include quick, one-page “cheat sheets” for easy reference by users.  Third, hospitals and physician practices should set realistic goals and expectations.  Because it is unlikely that things will go smoothly from the get-go, practitioners should set aside time on a regular basis, as frequently as every 60-90 days, to reevaluate their EHR system and see if improvements or changes should be made to the system or processes.  This will also provide an opportunity to determine if any member of the team needs additional training on the system.

  In light of the OIG’s Work Plan and increasing scrutiny on EHR systems, it is essential that hospitals and physicians take measures to ensure that their EHR systems are working properly and are being use appropriately.

In order for an accountable care organization to succeed, there must be a workable method for collaboration among the providers.  How do providers of care effectively communicate amongst one other?  What is the optimum means of memorializing a patient’s medical history and present health status so that all providers of care are basing their decisions on the same data?  And how do, for example, a surgeon and cardiologist communicate best to ensure a patient’s risks of undergoing surgery are fully assessed and yet not one day extra is spent as an inpatient than absolutely necessary?

These very issues confront providers each and every day in their offices, surgery centers, clinics and hospitals.  When a patient is admitted to a hospital because a colonoscopy indicates that a cancerous section of the colon should be removed, how is the process of caring for that patient met and coordinated from admission to discharge?  A recent experience of mine exposed the communication barriers among the various providers of care in the inpatient setting causing inefficiencies, avoidable delays and unnecessary days in the hospital.

Importance of Information Technology

Having a single provider coordinate all of the care will help increase the quality of the care and decrease wasted resources.  An invaluable tool to accomplish this coordination of efforts is to make all of the medical information concerning a patient readily available to all of the caregivers.  The manner in which the health data is organized and presented should be standardized so all providers can zero in on the information sought at any moment.  Every provider should be able to view a screen or screens of data that capture an individual’s medical history, current and history of medications as well as their present physical condition, both subjectively and objectively.  Thick and unruly medical charts must be made a thing of the past.

Kaiser Permanente physicians, for example, follow patients closely because their performance with regard to quality of care and patient satisfaction are determining factors in whether or not they receive a bonus.  Financial incentives are not new, but they work.  Physicians within the Kaiser Permanente system use a comprehensive health information process that coordinates medical records in and out patient, scheduling appointments, registration, all of which yield efficiency and effectiveness.   Elimination of wasted resources is the goal.

Perhaps we will have to accept that it will be a slow process until physicians and their staffs are able to fully adopt health information technology and learn to use it effectively.  Doing so in a standardized fashion will assist with the delivery of high quality and effective care while eliminating wasted resources.  Too much time is currently wasted waiting for diagnostic test results or communication between health care providers.  The by-product of unnecessary waiting and communication gaps is wasted resources.  With a growing population and people living longer, health care resources will become precious.  This will drive the need to become frugal and efficient when using health care resources because they are not limitless.

The US Department of Health and Human Services Office of Civil Rights (“OCR”) recently released its HIPAA audit protocol.  Audits of HIPAA compliance were mandated by the 2009 Health Information Technology for Economic and Clinical Health (“HITECH”) Act, which amended many parts of HIPAA and included breach notification requirements.

The OCR conducted a number of pilot audits of compliance with privacy, security and breach notification requirements of HIPAA covered entities beginning in 2011, and will continue the test phase through December 2012 with a total of 115 such audits.

Protocol Modules

The protocol is divided into two modules: (1) Security, and (2) Privacy and Breach Notification.  The Security module contains 77 entries, covering Security Rule requirements for administrative, physical, and technical safeguards.  The Privacy and Breach Notification module contains 88 entries, and covers Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures, as well as Breach Notification Rule requirements.

Lax Enforcement No More

At a recent OCR/National Institute of Standards and Technology (NIST) HIPAA Security Conference, one OCR official stated that “It is no longer acceptable to be noncompliant.”  Another official noted that OCR was finding significant issues with security of electronic data, and that many covered entities were failing to conduct risk assessments, and failing to adequately address identified risks.

In the past, OCR had been accused of lax or non-existent enforcement of HIPAA and HITECH violations.  However, recent record-breaking fines of over $1M against several providers which had committed HIPAA breaches, combined with the full audit program being implemented along with the audit protocols, suggest that the OCR is ramping up its enforcement efforts in a big way.  Covered entities will need to take strong actions to comply with the numerous requirements of the laws.

Steps to Take to Comply

The first step toward increased compliance is to conduct a self-audit.  The new audit protocols lay out exactly what the OCR will be looking at in an audit, and will help covered entities identify areas of weakness.  This audit can be conducted by the covered entity itself, or with the guidance of legal counsel or consultants familiar with HIPAA and HITECH requirements.  Once areas are identified, the provider should prioritize by levels of importance and risk, and begin to implement new or revised policies and procedures to address the issues.

The recent increase of prescription drug abuse led both chambers of the New York State Legislature to pass the Internet System for Tracking Over-Prescribing (I-STOP) Act on June 11, 2012.  The legislation seeks to tighten control over certain controlled substances in an effort to decrease criminal diversion and abuse of such prescription drugs which can result in addiction, violence, family conflicts and increased costs to business and the health care system.

A major focus of the I-STOP Act is the creation of a “real time” Prescription Monitoring Program Registry which is aimed at shrinking the number of fraudulent prescriptions, minimizing doctor-shopping and reducing the over-prescribing of controlled substances.  The registry will contain patient history information of no less than six months and no more than five years.  Among other things, the registry will contain information including the patient’s name and address, the date the prescription was issued and the date it was dispensed, the metric quantity of drug dispensed, the supply of drug by number of days and the prescriber’s name.

Duty to Check Registry

The legislation imposes a duty upon practitioners to check the registry before prescribing certain controlled substances.  Practitioners may designate an employee or contractor to access the registry of their behalf, however, if the following conditions are met: (1) the practitioner takes reasonable steps to ensure that the designee is competent in the use of the registry; (2) the practitioner remains responsible for the designee’s access to the registry, including remaining responsible for any breach of patient confidentiality; and (3) the ultimate decision as to whether or not to prescribe or dispense a controlled substance remains with the practitioner and is reasonably informed by the relevant controlled substance history information obtained from the registry.  Practitioners, pharmacists and those persons acting on behalf of practitioners and pharmacists, who act with reasonable care and in good faith, are provided immunity against any civil liability arising from the reliance by such person upon false, incomplete or inaccurate information submitted to or reported by the registry.

There are exceptions to the duty to consult the registry before prescribing certain controlled substances.  For example, the duty does not apply to: (1) veterinarians; (2) a practitioner prescribing a controlled substance that is to be administered in the prescriber’s office; (3) a practitioner prescribing a controlled substance for use within an institution such as a hospital or clinic; (4) a practitioner prescribing a controlled substance in an emergency room setting if the prescription is for no more than a five-day supply; (4) practitioners when it is not reasonably possible for the practitioner to access the registry in a timely manner; or (5) practitioners where the registry is not operational or cannot be accessed due to a temporary technological or electrical failure.

E-Prescribing and Other Requirements

In addition to the Prescription Monitoring Program Registry, the legislation also requires that all prescriptions be issued electronically by December 31, 2014, updates New York State’s  controlled substance schedules, calls for practitioners to be educated regarding the overprescribing of controlled substances and general pain management and requires the  Department of  Health to establish a safe disposal program to facilitate consumer disposal of unused medications.  The legislation will be sent to Governor Andrew Cuomo, who is expected to sign the legislation into law.