Category Archives: HIPAA

California Health Record Privacy

 

In California, the Confidentiality of Medical Information Act (“CMIA”) creates rights for patients in their own personal records. Most attention is given to federal law, especially HIPAA and HITECH, when trying to understand what to do with medical records, but California has also created a strong statutory scheme to protect patients’ rights.

Codified at Civil Code section 56.10, the Act provides that “No provider of health care, health care service plan or contractor shall disclose medical information regarding a patient of the provider of health care or an enrollee or subscriber of a health care service plan without first obtaining an authorization” from the patient. The statute then goes on to prescribe in detail the requirements for a valid authorization.

Violation of the CMIA will result in fines and a civil cause of action against the party who disclosed the private healthcare information.

CMIA does have several exceptions. Some of the exceptions require the healthcare provider to disclose information, for example under court order or for police or coroner investigations. Other exceptions allow, but do not require, the physician to disclose medical records to other health care providers and healthcare insurance companies. Healthcare providers may also provide information that has been scrubbed of identifiable information to public health studies and to other organizations that help the medical profession better understand healthcare services.

By Matt Kinley, Esq.

KINLEY TO SPEAK ON “WHO OWNS PATIENT DATA”

R-HEALTH BY THE HEALTH MANAGEMENT INTEREST GROUP SEEKS TO EDUCATE ON THE DANGERS AND OPPORTUNITIES IN PATIENT DATA

University of California, Riverside. HIPAA and the HITECH regulations impose burdens on healthcare providers regarding how private health information can be utilized. Given the potential penalties for missteps, this is an important topic for the healthcare industry to grasp. Tickets are still available!

As a recent Office for Civil Rights report pointed out, 2016 was a record year for enforcement: “OCR has been on a tear, settling 11 cases in 2016 with resolution agreements and corrective action plans. The agency also won a decision by an administrative law judge in an enforcement action contested by a home healthcare and medical equipment supplier (see OCR Slaps Home Health Provider with Penalty).”

Private Health Information must be maintained and utilized in ways that protect the information from exposure.

Matt Kinley is a health care attorney and founder of Kinley Law Practice in California. You can contact him at matt@kinleylawpractice.com.

 

How to Utilize an Attorney for HIPAA Breach Analysis

Attorney’s Role in Breach Analysis

An attorney’s role in any potential breach is to lead an assessment of the incident and to help clients determine whether to disclose a breach by applying the law to the factual investigation. Such an assessment is required for covered entities when a breach is suspected under the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, the HITECH Act, the Genetic Information Nondiscrimination Act (GINA) and the corresponding regulations. As the company and its experts review the potential breach, the attorney should apply the law implicated by the facts. The appropriate law may be not only federal law but state law as well; for example, the very stringent California privacy law applies to breaches in California.

If it is determined that there is a reportable breach, the attorney assists with the proper methods of making notification.

Any attorney chosen for this task should have experience and education in healthcare law. Some examples include a healthcare LLM, such as the one offered by Loyola Chicago’s Beazley Institute for Health Law and Policy, and designations in compliance, such as being Certified in Healthcare Compliance (CHC).

My background includes retention by several clients to help with such an assessment, a Masters of Law (LLM) in Healthcare Law from Chicago Loyola Law School and I am Certified in Healthcare Compliance (CHC). I help healthcare institutions comply with HIPAA and other federal and state regulations.

Definition of Breach

A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment.

The risk assessment requires the following investigation:

1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the protected health information or to whom the disclosure was made;
3. Whether the protected health information was actually acquired or viewed; and,
4. The extent to which the risk to the protected health information has been mitigated.

The team must also complete an analysis of three potential exceptions to the definition of “breach.” The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority. The second exception applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. The final exception applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.

Unsecured Protected Health Information and Guidance

Covered entities are required to provide the notifications only if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a specified technology or methodology.

By Matt Kinley, Esq., LLM, CHC

562.715.5557

 

IS YOUR HEALTHCARE COMPLIANCE PROGRAM COMPLIANT?

HEALTHCARE COMPLIANCE

10 RED FLAGS

Under current law, physicians are required to maintain an effective, comprehensive compliance program to detect, correct and prevent incidences of non-compliance with state and federal regulatory law. The goal of a comprehensive compliance program is to prevent the significant criminal and civil penalties that might come with a violation of the False Claims Act, Stark, the Anti-Kickback Statute, HIPAA and their state law equivalents. Failure to comply might lead to exclusion from health payments. Here are ten red flags, each the absence of a core component of a complete compliance plan:

#1 MISSING OR INCOMPLETE WRITTEN POLICIES, PROCEDURES AND STANDARDS OF CONDUCT

#2 PEOPLE: NO COMPLIANCE OFFICER OR COMPLIANCE COMMITTEE

#3 TRAINING: THE FACILITY LACKS EFFECTIVE TRAINING AND EDUCATION

#4 COMMUNICATION: THE FACILITY LACKS

#5 PERSONNEL: FAILURE TO PUBLISH DISCIPLINARY STANDARDS & TO EFFECTIVELY DISCIPLINE VIOLATORS

#6 NO SYSTEM TO AUDIT AND MONITOR ORGANIZATION COMPLIANCE AND COMPLIANCE RISKS

#7 FAILURE TO CREATE PROCEDURES TO PROMPTLY RESPOND TO IDENTIFIED ISSUES AND SELF-DISCLOSURE OBLIGATIONS

#8 LACK OF SUPPORT FROM PHYSICIANS AND LEADERSHIP OF THE ORGANIZATION

#9 FAILURE TO INSTITUTE PRIVATE HEALTH INFORMATION POLICIES

#10 FAILURE TO MONITOR NEW LAW AND UPDATE COMPLIANCE ACCORDINGLY

By Matt Kinley, Esq., LLM, CHC

562.715.5557


Federal Court Rules CGL Policies Cover Data Breach

Insurance companies issuing commercial general liability (CGL) policies are undoubtedly taking note of a recent noteworthy, though unpublished, federal appeals court decision. In April 2016, a federal appeals court in Virginia upheld a lower court’s ruling that a CGL policy may cover a data breach. The decision centered on the interpretation of policy language that the court said should be construed broadly. The ruling will likely cause insurers to scrutinize coverage language more closely and revise future policy definitions. For insureds, the decision should prompt a second look at policy language to determine whether a data breach arguably falls within the scope of coverage. The case, Travelers Indemnity Company of America v. Portal Healthcare Solutions, L.L.C. (https://www.scribd.com/doc/308033367/Travelers-v-Portal-Healthcare-Fourth-Circuit-Court-of-Appeals) (hereinafter referred to as “Portal Healthcare”), is at odds with other recent state court decisions.

 

The factual prompt for the suit was a class-action lawsuit brought by patients of a hospital whose confidential medical records were publicly posted online by the hospital’s electronic record-keeping service, Portal Healthcare Solutions (“Portal”). Portal tendered the matter under two separate but substantially identical CGL policies issued by Travelers. In a declaratory relief action, Travelers argued that the data breach was not covered under the policies, but the District Court for the Eastern District of Virginia in Alexandria ruled that Travelers had a defense obligation under the Personal and Advertising Injury coverage section of the policies. The policies’ language obligated coverage because of an advertising or website injury arising from the “electronic publication of material that…gives unreasonable publicity to a person’s private life” or “the electronic publication of material that discloses information about a person’s private life.”

 

Travelers argued that the act of posting the medical records online was not a “publication” within the meaning of the policy because it could not be proven that the records were actually viewed by a third party. The lower court and appellate court rejected this narrow and “pars[ing]” definition of publication. The appellate court also held that the class-action complaint by the patients “at least potentially or arguably alleges a publication of private medical information” and that the conduct, if proven, would have given unreasonable publicity to and disclosed information about the patients’ private lives. The court determined that any doubt in the meaning of the word “publication” should be interpreted in a manner that grants coverage rather than withholds it.

 

The lower court’s opinion distinguished a Connecticut case which ruled that a CGL policy did not cover the loss of computer tapes that contained personal information. See Recall Total Info. Mgmt. Inc. v. Fed. Ins. Co., 83 A.3d 664 (Ct. App. Conn. 2013). In that case, computer tapes fell out of the back of a van, were taken by an unknown person, and were never recovered. Id. at 667. This fact pattern was distinguished because it involved a single thief and no allegation that the stolen information had been placed on the internet. In the Portal Healthcare case, the court stressed that the facts alleged “potentially or arguably” constituted “publication.”

 

While insurers offer policies specifically addressing cyber liability and data breach, these policies can often be cost-prohibitive and/or scarce. Business owners should consult with their legal counsel to look closely at the terms of the business’ CGL policies to determine whether they may potentially or arguably cover data breaches. The exorbitant cost of defending a data breach lawsuit, especially a class-action suit, may justify a declaratory relief action against a CGL carrier to determine whether the claims trigger a defense obligation. All companies should evaluate their cyber risks and exposures to make an informed decision about whether cyber liability insurance coverage is worth it. Despite the holding in Portal Healthcare, securing coverage for data breach incidents under a CGL policy is still an uphill battle.

 

By Matt Kinley, Esq., LLM, CHC

562.715.5557

HHS TO CREATE NEW CYBERSECURITY REGULATIONS FOR HEALTH CARE

CONGRESS DIRECTS ACTION IN HEALTHCARE CYBERSECURITY

In December of 2015 Congress passed a 2000-page spending bill which was enacted into law. Included in the text was the Cybersecurity Information Sharing Act of 2015 (CISA). While that legislation received most of the headlines, the spending bill also implemented some major developments in the field of privacy for the healthcare industry. Section 405 of Title IV directs the Department of Health and Human Services (HHS) to develop best practices for organizations in the healthcare industry.

The legislation mandates that HHS report to Congress regarding the preparedness of the health care industry in responding to cybersecurity threats. This includes identifying the HHS official responsible for coordinating threat efforts and describing how HHS divisions communicate with one another regarding threats. Congress also mandated a one-year task force to plan a real-time threat reporting system and to prepare cybersecurity preparedness information for dissemination in the healthcare industry. Most notably, HHS has been directed to collaborate with other governmental entities and experts to establish best practice standards specific to healthcare cybersecurity. The intent is to create an industry standard and cost-effective method to reduce cybersecurity risks for healthcare organizations.

Inclusion of Section 405 of the Cybersecurity Act of 2015 reinforces the federal government’s well-established priority of protecting personal health information. Protection is necessary because of the high value of personal health information on the black market. According to The Insurance Journal, a complete health record containing a patient’s entire health profile can fetch as much as $500. The value is based on the ability of lawbreakers to fraudulently bill insurers for medical services. Compared to industries like the credit card payment industry—which has implemented its own cybersecurity standards—the healthcare industry is woefully behind in its efforts to protect valuable private information.

Healthcare facilities, both public and private, should stay ahead of HHS and develop their own internal policies, security measures, and best practices to protect the confidential information of their patients. While future guidance from HHS will help establish industry standard best practices, healthcare providers should evaluate their cybersecurity needs now and work with experts—attorneys, technologists, and governmental agencies—to stay ahead of the curve. Undoubtedly the attention given to healthcare cybersecurity in the coming years will increase the scrutiny on healthcare providers who fail to meet industry standards.

By Matt Kinley, Esq., LLM, CHC

562.715.5557

OSHA GUNNING FOR MEDICAL PRACTICES

NEW GUIDELINES BRING NEW RESPONSIBILITIES

The Occupational Safety and Health Act of 1970 requires employers to provide their employees with working conditions that are free from known dangers. There are thousands of pages interpreting the meaning of that simple statement, primarily on what counts as a “known danger.”

For medical facilities, OSHA has attempted to provide guidelines for protecting healthcare workers from violence in the workplace. In OSHA: Guidelines for Preventing Workplace Violence for Healthcare Workers (2015), OSHA explains its expectations for organizations in complying with the obligation to provide a safe workplace and to prevent violence. Many of the obligations are structural, that is, they provide for a system to protect against violence: policies, training, workplace evaluation, and documentation of an organization’s efforts to complete these tasks. As with HIPAA and compliance, the solution to medical office problems is a new policy, a committee and training.

Along with this new resource comes a new obligation. In an OSHA Instruction, OSHA reviews the inherent dangers in the healthcare setting and the higher rates of violence and injury found there. It instructs its investigators to pay more attention to the healthcare setting, utilizing its 2015 guidelines.

If you are a healthcare company, it makes sense to pay attention to these OSHA materials. Even if you are not investigated by OSHA itself, the guidance sets up a standard of behavior and a potential negligence suit should your facility suffer violence.

By Matt Kinley, Esq., LLM, CHC

562.715.5557

YOUR “JOHN HANCOCK” ON A COMPUTER KEYBOARD

When is an “electronic signature” legally appropriate in the medical context?

More than one would think. Electronic signatures are appropriate under HIPAA and other federal and state laws, and they are enforceable under California’s Uniform Electronic Transactions Act (Civil Code section 1633.1 et seq., “UETA”). There are some cautions, though. Digital signatures on custodian affidavit/declaration forms, consents to treatment, and generally all documents where a patient must sign are permissible and legally enforceable.

Electronic & Digital Signatures

There is a distinction between an “electronic” and a “digital” signature. Federal law and many state laws allow electronic signatures on some documents. Electronic signatures can be a picture of a signature, an agreed-upon string of characters, a symbol, a signature typed into a signature block in an electronic form, and other personal non-encrypted, agreed-upon identifiers. A digital signature is an encrypted “hash” or tag that is registered to an individual and accompanies transmission of electronic data or forms signed via computer. Digital signatures are much more reliable than electronic signatures because they allow recipients to validate senders and prevent repudiation at a later date.
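As an added illustration of the sender validation and non-repudiation properties described above (example code, not part of the original post), the following Go program hashes a constructed consent form with SHA-256, signs the hash with an Ed25519 key pair registered to the patient, and shows that verification fails when the document is altered or when it is checked against someone else’s key. The form text, names and keys are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// ConsentForm is a constructed sample document, not a real form.
const ConsentForm = "I, Jane Doe, consent to treatment at Example Clinic on 2016-05-01."

// Signer models an individual to whom a key pair has been registered.
type Signer struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair for the named individual.
func NewSigner(name string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, pub: pub, priv: priv}, nil
}

// PublicKey is what a recipient holds to validate this signer.
func (s *Signer) PublicKey() ed25519.PublicKey { return s.pub }

// SignedRecord is the document together with the tag that accompanies it.
type SignedRecord struct {
	Document  string
	Digest    []byte // SHA-256 hash of Document
	Signature []byte // Ed25519 signature over Digest, made with the private key
}

// Sign hashes the document and signs the hash, mirroring the article's
// description of a digital signature as a signed hash that travels with the record.
func (s *Signer) Sign(doc string) SignedRecord {
	digest := sha256.Sum256([]byte(doc))
	return SignedRecord{Document: doc, Digest: digest[:], Signature: ed25519.Sign(s.priv, digest[:])}
}

// Verify recomputes the hash from the received document and checks the signature
// against the public key of the person claimed to have signed. It fails if the
// document was altered or if another key made the signature; a typed name in an
// e-mail offers no equivalent check.
func Verify(rec SignedRecord, claimed ed25519.PublicKey) bool {
	digest := sha256.Sum256([]byte(rec.Document))
	if !bytes.Equal(digest[:], rec.Digest) {
		return false // document no longer matches the hash that was signed
	}
	return ed25519.Verify(claimed, digest[:], rec.Signature)
}

func main() {
	patient, err := NewSigner("Jane Doe")
	if err != nil {
		panic(err)
	}
	rec := patient.Sign(ConsentForm)
	fmt.Println("signature:", hex.EncodeToString(rec.Signature)[:16]+"...")
	fmt.Println("verifies against patient key:", Verify(rec, patient.PublicKey()))

	tampered := rec // same signature, edited document
	tampered.Document = ConsentForm + " I also consent to release of my records."
	fmt.Println("verifies after alteration:", Verify(tampered, patient.PublicKey()))
}
```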

California Law: the UETA

California law provides in the UETA: “(a) A record or signature may not be denied legal effect or enforceability solely because it is in electronic form. (b) A contract may not be denied legal effect or enforceability solely because an electronic record was used in its formation. (c) If a law requires a record to be in writing, an electronic record satisfies the law. (d) If a law requires a signature, an electronic signature satisfies the law.”

What is an electronic signature? The language of the statute is simple: an electronic signature satisfies the law. Typically, if the person “signing” types his or her name in an email, a formatted screen or a word processing document, that will suffice as a signature. The document with the signature should be reliable: sent from the signer’s email, or delivered by him or her in some other way.

CAUTION!

As in all contracts, the surrounding circumstances are important. In a recent California Court of Appeal case (JBB Investment Partners v. B. Thomas Fair), the court looked at the actions surrounding a party’s alleged electronic signature to a contract. The court determined that while the party had printed his name in an electronic communication, other communications showed that there had not been “a meeting of the minds,” or a final agreement as to terms.

Even with this cautionary case, most of the time electronic signatures will be acceptable for medical records. If the party signing gives indications of some doubt about what is being signed, you might want to get the document signed in your facility.

By Matt Kinley, Esq.


PHYSICIAN OFFICE COMPLIANCE: PHYSICIANS SHOULD PREPARE

Compliance in Physician Offices

Compliance guidance for physician practices was issued by the Office of Inspector General in 2000. Since that time, many physician practices, especially more complex specialty practices, have developed some sort of compliance plan. Compliance covers many areas of a healthcare practice.

Although compliance plans have not previously been mandatory, they have become “industry standard” as a way to minimize risks associated with health care regulations such as the Health Insurance Portability and Accountability Act of 1996, the Medicare and Medicaid Fraud and Abuse Laws, the Anti-Kickback Statute, Civil Monetary Penalties Laws, the False Claims Act, the Clinical Laboratory Improvement Act and all other state and federal statutes, regulations and directives that apply to the operation of a complex physician’s practice.

The Patient Protection and Affordable Care Act of 2010, in section 6401, requires Health and Human Services and the Office of Inspector General to promulgate regulations that require most healthcare providers and suppliers to establish compliance programs. The compliance programs are intended to be “effective in preventing and detecting criminal, civil, and administrative violations” under the Medicare and Medicaid laws and other laws that govern operations.

Under the Affordable Care Act, physicians and group practices will be required to establish compliance programs as a condition of enrollment in the Medicare program. HHS is required to issue regulations creating a timetable and basic core compliance program requirements.

Physician groups should begin the process of establishing compliance programs as soon as possible and not wait for final regulations. Compliance programs are a good way for physician practices to reduce risk associated with fraud and abuse and other legal matters that present risk to their operations. It makes sense for physicians to begin development now to provide ample time for creation of appropriately scaled policies and input from various personnel in the group.

It will not be sufficient to adopt pre-written compliance policies. Rather, physician offices must establish a continuing system of review for their office. Plans may need to be modified based upon the practice’s specialization. The seven core elements of effective compliance programs have been released by the Office of Inspector General, including in the Physician Practice Guidelines.

A compliance program requires the physician to perform a risk assessment of their organization and document the outcomes of that assessment. The risk assessment could take many forms. Compliance professionals talk about a “gap analysis,” which is an approach to help determine the vulnerabilities of your organization. The areas of risk identified through your risk assessment determine where the program should place its emphasis.

The seven areas of emphasis include:

1. Adoption of written guidelines and policies to promote the organization’s commitment to compliance;
2. Identification and appointment of a high ranking individual within the organization to serve as compliance officer;
3. Establishment of anonymous reporting systems, preferably through multiple pathways, to encourage individuals to make complaints regarding compliance items without fear of retaliation;
4. Effective education and training programs for all levels of employees and others with close relationships to the organization;
5. Ongoing auditing systems to assess the effectiveness of the compliance program and to provide input into areas that require additional emphasis;
6. Mechanisms to enforce the requirements of the compliance program and to discipline employees for violations of the organization’s commitment to compliance; and
7. An ongoing system of program modification based upon audit, feedback and experience that can further adapt the compliance policies to the specific issues faced by the organization.

By Matt Kinley, Esq.

HOME HEALTH COMPANIES ARE SUBJECT TO FEDERAL LAW, TOO

Paying for patients can land you in the federal penitentiary.

Home health care companies are facing more and more scrutiny from federal and state regulators. Such companies, particularly if they bill Medicare, are subject to all the laws, rules and regulations as are all health care providers.

In a case just reported by the Justice Department, a 64-year-old owner of such a healthcare company pleaded guilty to violating the Anti-Kickback laws for billing for services that were unnecessary and in some cases not even provided. He also paid recruiters who provided the company with patients. The owner was ordered to pay over $6.5 million and was sentenced to 75 months in prison and three years of supervised release. The case was investigated and brought as part of the Medicare Fraud Strike Force. However, such cases can also be brought by state investigators or even by whistleblowers, who are paid a percentage of the recovery for reporting the health care provider, even if the whistleblower was part of the fraud.

The ramifications of even technical Medicare rules can be catastrophic to a person’s life or business. Home health care companies should have competent legal representation to make sure their business plans are appropriate. Home health companies will soon be under rules that require compliance plans. Legal counsel should be engaged to help put an appropriate plan in place.

By: Matt Kinley, Esq. You can contact Mr. Kinley at (562) 715-5557.