FOR IMMEDIATE RELEASE
April 17, 2012
Contact: HHS Press Office
HHS settles case with Phoenix Cardiac Surgery for lack of HIPAA safeguards
Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, has agreed to pay the U.S. Department of Health and Human Services (HHS) a $100,000 settlement and take corrective action to implement policies and procedures to safeguard the protected health information of its patients...
From the settlement memorandum (pdf):
C. Covered Conduct
OCR’s investigation revealed the following conduct occurred (“Covered Conduct”):
(a) From April 14, 2003 to October 21, 2009, Covered Entity did not provide and document training of each workforce member on required policies and procedures with respect to PHI as necessary and appropriate for each workforce member to carry out his/her function within the Covered Entity.
(b) From September 1, 2005 until November 1, 2009, Covered Entity failed to have in place appropriate and reasonable administrative and technical safeguards to protect the privacy of protected health information (PHI). These failures contributed to and are evidenced by the following acts or omissions:
(i) From July 3, 2007 until February 6, 2009, Covered Entity posted over 1,000 separate entries of ePHI on a publicly accessible, Internet-based calendar; and
(ii) From September 1, 2005 until November 1, 2009, Covered Entity daily transmitted ePHI from an Internet-based email account to workforce members’ personal Internet-based email accounts.
(c) From September 1, 2005 until November 30, 2009, Covered entity did not implement required administrative and technical security safeguards for the protection of ePHI. These failures contributed to and are evidenced by the following acts or omissions:
(i) From September 1, 2005 (when Covered Entity began sending ePHI by email) until April 16, 2009, Covered Entity failed to identify a security official; and
(ii) From September 1, 2005 (when Covered Entity began sending ePHI by email) until November 30, 2009, Covered Entity failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI held by the covered entity.
(d) From September 1, 2005 until December 3, 2009, Covered Entity failed to obtain satisfactory assurances in business associates agreements from the Internet-based calendar and from the Internet-based public email providers that these entities would appropriately safeguard the ePHI received from Covered Entity. This failure is evidenced by the following acts and omissions:
(i) From September 1, 2005 until November 1, 2009, Covered Entity permitted the entity providing the Internet-based email account to receive, store, maintain and transmit ePHI on the Covered Entity’s behalf without obtaining satisfactory assurances in a business associate agreement with the entity; and
(ii) From July 3, 2007 until December 3, 2009, Covered Entity permitted the entity providing the Internet-based calendar application to receive, store, and maintain ePHI on its behalf without obtaining satisfactory assurances in a business associate agreement with the entity...
CORRECTIVE ACTION PLAN
V. Corrective Action Obligations
The Covered Entity agrees to the following:
A. Policies and Procedures
1. The Covered Entity shall develop, maintain and revise, as necessary, written policies and procedures (“Policies and Procedures”) that (i) address the Covered Conduct specified in paragraph 2 of the Agreement and (ii) are consistent with the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”) and the Federal Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”). The Policies and Procedures shall include the minimum content set forth in section V.C. below. The Policies and Procedures required under this CAP may be in addition to, and may be incorporated into, any other policies and procedures required by the Privacy and Security Rules.
2. The Covered Entity shall provide the Policies and Procedures to OCR within sixty (60) calendar days of the Effective Date for review and approval. Upon receiving any recommended changes to such Policies and Procedures from OCR, the Covered Entity shall have thirty (30) calendar days to revise such Policies and Procedures accordingly and provide the revised Policies and Procedures to OCR for review and approval.
3. The Covered Entity shall implement the Policies and Procedures within thirty (30) calendar days of OCR’s approval.
B. Distribution and Updating of Policies and Procedures
1. Within thirty (30) calendar days of OCR’s approval of the Policies and Procedures, the Covered Entity shall distribute such Policies and Procedures to all members of the workforce who use or disclose protected health information (PHI). The Covered Entity shall distribute the Policies and Procedures to any new member of the workforce who uses or discloses PHI within fifteen (15) calendar days of the workforce member’s beginning service.
2. The Covered Entity shall require, at the time of distribution of such Policies and Procedures, a signed written or electronic initial compliance certification from all members of the workforce who use or disclose PHI. Such compliance certification shall state that the workforce member has read, understands, and shall abide by such Policies and Procedures.
3. The Covered Entity shall assess, update, and revise, as necessary, the Policies and Procedures at least annually (and more frequently if appropriate).
4. The Covered Entity shall not involve any member of its workforce in the use or disclosure of PHI if that workforce member has not signed or provided the written or electronic certification as required by this section V.B.
C. Minimum Content of the Policies and Procedures
The Policies and Procedures shall, at a minimum, include:
Administrative Safeguards (45 C.F.R. §§164.308 and 164.530(c))
1. An accurate and thorough risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI when it is created, received, maintained, used or transmitted by the Covered Entity, including, but not limited to, when ePHI is a) posted to an Internet-based electronic calendaring system, b) transmitted over an Internet-based electronic communications system, c) accessed remotely, or d) transmitted to or from or stored on a portable device. To satisfy this obligation, Covered Entity shall submit documentation of its most recent risk assessment completed since its initial risk assessment of December 2009.
2. A risk management plan that implements security measures sufficient to reduce risks and vulnerabilities to ePHI identified by the risk assessment to a reasonable and appropriate level, including, but not limited to, when ePHI is a) posted to an Internet-based electronic calendaring system, b) transmitted over an Internet-based electronic communications system, c) accessed remotely, or d) transmitted to or from or stored on a portable device. To satisfy this obligation, Covered Entity shall submit its risk management plan developed after completing its most recent risk assessment pursuant to subsection 1, above. Covered Entity’s risk management plan must implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level for ePHI in text messages that are transmitted to or from or stored on a portable device.
3. Identification of a security official who is responsible for the development and implementation of the Policies and Procedures required by this CAP and the Security Rule.
4. Satisfactory assurances that each business associate that receives, maintains, stores or transmits ePHI on behalf of the Covered Entity and has access to said ePHI will appropriately safeguard the ePHI in a written contract that meets the applicable requirements of the Security and Privacy Rules (see 45 C.F.R. §§164.314(a) and 164.504(e)).
Technical Safeguards (45 C.F.R. §§164.312 and 164.530(c))
5. Technical safeguards for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights pursuant to the Covered Entity’s information access management policies, including, but not limited to, remote access to the Covered Entity's electronic information systems.
6. Technical security measures to guard against unauthorized access to ePHI transmitted over an electronic communications network, including a measure to encrypt or otherwise adequately safeguard ePHI transmitted to or from or stored on a portable device, regardless of whether the portable device is owned by the Covered Entity or a workforce member. Covered Entity must submit evidence to satisfy this obligation that includes text messaging of ePHI.
Training of Workforce (45 C.F.R. §§164.530(b) and 164.308(a)(5))
7. Training of all workforce members of the Covered Entity, including management, who use or disclose PHI on the Covered Entity’s Privacy and Security Rule policies and procedures, as necessary and appropriate to carry out their functions within the Covered Entity. The training must include, but not be limited to, security awareness for all workforce members, including security reminders, procedures for guarding against malicious software, log-in monitoring, safeguarding passwords. Covered Entity must provide documentation that it has completed a Privacy and Security Rule training since 2009 that includes additional training addressing its revised policies and procedures on the use and transmission of ePHI by text messaging, in accordance with section D.1., below.
D. Training
1. Within sixty (60) calendar days of OCR’s approval of the Policies and Procedures identified in section V.A., the Covered Entity shall provide specific training on the Policies and Procedures to all workforce members who use or disclose PHI and shall provide such training to each new member of the workforce within fifteen (15) calendar days of the workforce member’s beginning his or her service.
2. Each workforce member attending the training shall certify, in electronic or written form, that the workforce member received the training on the Policies and Procedures and the date such training was received. The Covered Entity shall retain the training certifications and the training course materials for six (6) years.
3. The Covered Entity shall review the training annually and update the training to reflect any changes in Federal law or OCR guidance, revisions to the Policies and Procedures, or any issues discovered during audits or reviews.
4. The Covered Entity shall not involve any member of its workforce in the use or disclosure of PHI if that workforce member has not signed or provided the written or electronic training certification as required by this section V.D.
E. Reportable Events
If the Covered Entity determines that a member of its workforce has violated the Policies and Procedures required by section V.A.1., the Covered Entity shall notify OCR in writing within thirty (30) calendar days. Such violations shall be known as “Reportable Events.” The report to OCR shall include the following information:
1. A complete description of the event, including the relevant facts, the persons involved, and the provision(s) of the Policies and Procedures implicated; and
2. A description of the Covered Entity’s actions taken to mitigate any harm and any further steps the Covered Entity plans to take to address the matter and prevent it from recurring.
VI. Implementation Report
Within sixty (60) calendar days after receiving OCR’s approval of the Policies and Procedures required by section V.A.1., the Covered Entity shall submit a written report to OCR summarizing the status of its implementation of the requirements of this CAP. This report, known as the “Implementation Report,” shall include:
A. The following documentation that the Covered Entity has implemented the Policies and Procedures required by section V.A.1.:
1. Copy of most recent risk analysis;
2. Copy of most recent risk management plan and evidence that its implementation has been completed;
B. An attestation signed by an owner or officer of the Covered Entity attesting that the Policies and Procedures have been distributed to all appropriate members of the workforce within 30 days of OCR’s approval and that the Covered Entity has obtained all of the compliance certifications required by section V.B.2.;
C. A copy of all training materials used for the training required by this CAP, a description of the training, including a summary of the topics covered, the length of the session(s) and a schedule of when the training session(s) were held;
D. An attestation signed by an owner or officer of the Covered Entity attesting that all members of the workforce who use or disclose PHI have completed the training required by this CAP and have executed the training certifications required by section V.D.2.;
E. A summary of Reportable Events (defined in section V.E.) that have occurred since the Effective Date of this CAP and the status of any corrective and preventative action(s) relating to all such Reportable Events;
F. An attestation signed by an owner or officer of the Covered Entity listing each of the Covered Entity’s locations (including mailing addresses), the name under which each location is doing business, the corresponding phone numbers and fax numbers, and attesting that each location is in compliance with the obligations of this CAP; and
G. An attestation signed by an owner or officer of the Covered Entity stating that he or she has reviewed the Implementation Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful.
VII. Document Retention
The Covered Entity shall maintain for inspection and copying all documents and records relating to compliance with this CAP for six (6) years.
VIII. Breach Provisions
The Covered Entity is expected to fully and timely comply with all provisions contained in this CAP.
A. Timely Written Requests for Extensions. The Covered Entity may, in advance of any due date set forth in this CAP, submit a timely written request for an extension of time to perform any act required by this CAP. A “timely written request” is defined as a request in writing received by OCR at least five (5) business days prior to the date such an act is required to be performed.
B. Notice of Breach and Intent to Impose CMP. A breach of the CAP by the Covered Entity constitutes a breach of the Agreement. Upon a determination by OCR of a breach of this CAP, OCR will notify the Covered Entity of the breach thereof (this notification is hereinafter referred to as the “Notice of Breach”).
C. Covered Entity’s Response. The Covered Entity shall have thirty (30) calendar days from the date of receipt of the Notice of Breach to demonstrate to OCR’s satisfaction that one of the following conditions applies:
1. The Covered Entity is in compliance with the obligations of the CAP cited by OCR as the basis for the breach; or
2. The alleged breach has been cured; or
3. The alleged breach cannot be cured within the thirty (30) calendar day period, but that (i) the Covered Entity has begun to take action to cure the breach; (ii) the Covered Entity is pursuing such action with due diligence; and (iii) the Covered Entity has provided to OCR a reasonable timetable for curing the breach.
D. Imposition of CMP. If, at the conclusion of thirty (30) calendar day period, the Covered Entity fails to meet the requirements of section VIII to OCR’s satisfaction, OCR may proceed to impose a civil money penalty (CMP) pursuant to 45 C.F.R. Part 160 for any violations of the Privacy and Security Rules related to the Covered Conduct set forth in paragraph 2 of the Agreement and for any other act or failure to act that constitutes a violation of the Privacy or Security Rules. OCR shall notify the Covered Entity in writing of its determination to proceed with the imposition of a CMP.
Well, there it is, in black and white.
I blogged about the Meaningful Use Core 15 compliance issue nearly a year ago.
Beyond the nominal $100,000 fine, I have to wonder how much this is going to cost this one CE in total. Moreover, let's say, for the sake of argument using E-Z round numbers, that the cost will be double the $100k (just to this clinic). $200k would otherwise pay for roughly 2,400 level 99213 Part-B visits, or perhaps 4,000 HbA1c tests, etc. Add up all of these OCR fines, and that's a lot of actual health care delivery opportunity cost.
I also have to wonder how many small outpatient CE's could pass an OCR/HIPAA audit without monetary settlement sanction (or worse), Meaningful Use Core 15 compliance "attestation" notwithstanding.
Stuff like this doesn't help matters, either:
I first ran across this last year, after seeing a breathless press release regarding Dr. Chrono's ONC-CHPL certification. Given my affinity for Apple platforms, I surfed straight to their website.
I immediately apprised them both via their website comment page and via their Facebook page of this glaring misstatement, one that could help land their more-willingly-in-denial CE clients in OCR HIPAA hot water. Their MU Core 15 page irrelevantly lists all of the NIST specs for certification of the product. None of which has the first lick to do with the ePHI Security compliance requirements of 45 CFR 164.3xx (moreover, it should be stressed that these requirements extend to all CEs, not just those applying for Meaningful Use money).
I revisited their site, and snipped out and annotated the foregoing this morning perhaps an hour ago. Nothing has changed. Under the "How to make it happen" link, all you see is this:
posted this on June 11, 2011 07:05 pm
Access control: It is necessary for all users to consistently sign in with their own unique ID in order to accomplish.
Yeah. Right. Are you people kidding us? I'm having a bit of a Clinic Monkey Moment.
Emergency access: Permit authorized users (who are authorized for emergency situations) to access electronic health information during an emergency. Click here for more information.
Automatic log-off: Terminate an electronic session after a predetermined time of inactivity. Click here for more information.
Sure would love to have a copy of their customer list.
Read the OCR Phoenix Cardiac Surgery enforcement settlement again. Draw your own conclusions. Maybe ring up Drs. Tibi and Fang. Wonder whether their EHR vendor told them "hey, we've got this one covered for you."
See my December 18th, 2011 post for more about my concern on this stuff. Take particular note of this section.
HIPAA Security Rule Toolkit
The NIST HIPAA Security Toolkit Application is intended to help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment. Target users include, but are not limited to, HIPAA covered entities, business associates, and other organizations such as those providing HIPAA Security Rule implementation, assessment, and compliance services. Target user organizations can range in size from large nationwide health plans with vast information technology (IT) resources to small health care providers with limited access to IT expertise...
I've installed it and have been kicking the tires. 492 questions (some of them conjunctive clause compound questions) spanning the gamut of 45 CFR 164.3...
...My take on this is that it would take a provider/organization 2-5 days to get thoroughly and forthrightly through it. And, really, this is just about the ePHI "Security" piece. "Privacy" is a different -- and potentially much more difficult -- issue.
So, were you to go through all of this, say, with the help of a credible consultant** and correct all of your adverse risk analysis findings to be comfortably and defensibly in compliance (you will in fact uncover a number of them), you're looking at perhaps $5 - $10k total cost for a small shop like Phoenix Cardiac.
You can pay it now, or you can pay it later, by maybe a factor of 20 or more.
** REC "sustainability" prospect here? We are not charged with signing off on MU Core 15 compliance (though that's probably what a lot of REC clients wishfully want or think). We just provide the requisite information and free tools. Biz Opp here, no?
UPDATE
What Can We Learn About HIPAA From Phoenix Cardiac Surgery?
Phoenix Cardiac Surgery probably never thought they would be a poster child for HIPAA safeguards, but this 5-physician cardiothoracic practice in Prescott, Arizona has become famous for something no medical practice wants to be famous for – not protecting their patient information...
What Can We Learn?
You won’t escape the notice of the HHS just because you are a small practice. Every practice, hospital, facility, healthcare entity and anyone that has access to Protected Health Information (PHI) must be compliant with the HIPAA Privacy and Security Rules.
Patients are paying attention and want their information protected! Patients will not hesitate to report a practice if they feel their privacy is being breached. Let your patients know that you take their privacy seriously and what you are doing in your entity to protect their privacy.
Physicians are not exempt from responsibility. Most physicians do not want to use the hospital or practice network email – they want to use their personal Gmail, Yahoo, Hotmail or AOL account for office business. This is a bad habit. Emails to and from the physicians announcing meetings and reminding them of tasks are fine, but it is easy to forget and use personal email to hand off patients, discuss appointments and ask for refill approvals. Non-secured email services are NOT the right way to send any patient information.
Understand your technology. This is why the risk assessment is so important – you must identify any process or technology you are currently using that has the potential for PHI to be accessed inappropriately. Understand and mitigate your risk!
UPDATE
Equally notable, if not moreso, was the earlier HHS announcement concerning their $1.5 million enforcement settlement with Blue Cross-Blue Shield of Tennessee (pdf). Different HIPAA violation particulars, but BCBST got similarly CAP'd. (Corrective Action Plan)
REGARDING REC SUSTAINABILITY
We had a nice informal staff Q&A chat with our congenial CEO Mark Bennett the other day. I asked about the "sustainability" thing, and the possibility of continued REC federal funding, as some have argued for in the HIT press of late. He replied vaguely that there was a "REC Association" forming to essentially lobby for that (he's a past President of AQHA, the "trade association" for QIOs like mine, so he's in the loops on things like this).
I need names, email addresses and phone numbers.
(4-23 update: got 'em, thanks to Sharron Donnelly)
This article I found is instructive.:
Regional Extension Centers: Where are they and where are they going?
Federal funding for RECs runs out after four years (2013), at which point the RECs are expected to be self-sustaining. Yet as with Health Information Exchanges, it appears that sustainability is a real issue for RECs, and fee schedules for REC services reflect their challenge in remaining viable. As reported by eHi, 67% of the 21 reporting RECs indicate they charge a flat-fee while 16% said they charge either a per-hour fee or use a subscription model with tiered services.
So what does all this mean for health centers? Is aligning with a Regional Extension Center as a resource for EHR selection and meaningful use qualification a “no-brainer’ for community health centers with limited resources?
As previously noted, RECs typically elect to support a small number of EHRs, or in some cases a single recommended EHR. We know that health centers have unique functional requirements for EHRs, and HIT in general, and therefore the adoption of an EHR, even if it has already been selected by the REC, needs to be vetted very carefully. Health centers should conduct careful and informed due diligence to be sure the REC supported product meets the center’s needs.
Further, to date, community health centers report varied experience with RECs. Of those health centers responding to the recent HIT readiness survey, 40% were receiving some form of technical assistance from Regional Extension Centers. Responding to the question, “How helpful is this REC collaboration in advancing your efforts to achieve Medically Underserved (MU) status?” – one half of those engaged with RECs reported that the REC was either “helpful” (23.7%) or “very helpful” (25.2%). Over a quarter reported that their REC participation was “not helpful yet, but potentially helpful” (26.7%). With little data to go on, it is unclear that RECs can help expedite and smooth the path to MU qualification. That being said, RECs can be a resource for both EHR selection and meaningful use qualification.
The purpose of RECs is to help provide assistance to a broad range of providers and help level the playing field toward EHR adoption and meaningful use. Primary care associations and/or health center controlled networks are also a significant resource.
RECs will have to develop sustainable models in order to remain relevant once federal funds run out. The fee-for-service model intended by some RECs to achieve sustainability will add a cost burden for health centers and other providers. This necessitates new models focused on collaboration and partnerships with vendors and with state agencies and entities that can provide both support and expertise.
While it appears that RECs may need to mature further, foster tighter relationships in order to support providers locally and make available IT people who can “look at the dirt,” they are one resource that can assist health centers in making their way down the MU path.
Asked and Answered.
Color me skeptical. I see the potential prospect of myriad Monster.com Moments.
SPEAKING OF MU ATTESTATIONS
The latest from ONC, CMS, and Healthdata.gov:
As More Docs Use Digital Records, So Will Consumers
HITECH Act is prompting widespread adoption of e-health records, but there's more to "Meaningful Use" than what's in the government's programs.
...Without doctors using EHRs, you're not going to get buy-in from patients to use personal health records to manage their own health. When patients are relatively healthy, encounters with healthcare providers are few and far between. Starting a PHR to track very occasional vaccinations or even to record a yearly exam isn't a high priority for a lot of people unless it's super easy to do. That means having data available from healthcare provider to load into a digital record, not typed by hand by the patient. And it also means giving patients a reason to visit a PHR more than once a year, if that.
Chronically ill patients certainly have good reason to use PHRs to manage prescriptions, medical appointments, and lab results, and to refer to discharge instructions after a hospitalization. But again, if PHRs are too hard to use--and if there's no data that's available to be loaded into them--few patients will use them.
"Widespread consumer adoption of PHRs remains elusive," said Lynne Dunbrack, program director at IDC Health Insights. "Uptake and reasons expressed for not using a PHR have remained remarkably consistent for the past five years," she said in an email interview with InformationWeek Healthcare.
According to an IDC Health Insights' Connected Health Consumer Survey conducted in 2011, only 7% of respondents reported ever having used a PHR, and less than half of these respondents (47.6%) are still using one to manage their family's health, she said.
When asked why they did not use a PHR, about 51% of respondents indicated that they were not exposed to the concept of a PHR. In 2006, when a similar IDC Health Insights survey was conducted, approximately 7% of respondents indicated that they used a PC-based or Web-based PHR, and a little more than half (51.9%) were unaware of PHRs.
But as more doctors use EHRs, it's likely more patients will use PHRs. "If you take into consideration patient portals, which provide a patient view into their electronic health records and are a form of tethered PHRs, consumer use will begin to increase modestly as physicians attempt to encourage their patients to use the patient portal to meet the Stage 2 meaningful use measurement objectives," said Dunbrack.