Categories: Health Law Highlights

Healthcare AI and HIPAA Compliance

From AI in Healthcare by Dave Pearson:

  • AI can accumulate a large amount of data from many sources. Using large datasets, AI can realistically re-identify previously de-identified healthcare data.
  • Under the HIPAA de-identification safe harbor, even if you remove the 18 specific identifiers, you cannot have actual knowledge that the information could be used alone or in combination with other information to identify patients. Is it possible to meet that standard in the age of AI?
  • This is an evolving area. These issues and others will continue to develop for years to come.
Categories: Around the Web

Is Dropbox HIPAA Compliant?

A lot of my healthcare clients use Dropbox. Many assume, incorrectly, that it is HIPAA compliant. I am generally concerned with any service that declares itself to be HIPAA compliant. Like many services, Dropbox can be used in a HIPAA compliant manner, but the burden rests on the user, not on Dropbox.

From Samuel Okoruwa, writing for Cloudwards:

Dropbox offers health organizations a secure way to store sensitive files. It’s not HIPAA compliant in itself, but relies on the user to use it in HIPAA-compliant ways. 

Health organizations that use Dropbox to upload medical information bear the greater responsibility of protecting this information by issuing Dropbox a contract called a business associate agreement and correctly configuring their accounts. 

Health organizations can take steps to correctly configure their accounts by limiting health information access to only authorized users, monitoring user activity and evaluating third-party apps.

Categories: Around the Web

Exploring Data De-Identification in Healthcare

From Health IT Analytics:

Adequately de-identifying healthcare data is critical for health systems, payers, and other stakeholders to ensure HIPAA compliance. However, the advent of newer technologies, such as artificial intelligence (AI) and connected devices, has created questions about ensuring patient privacy while enabling data sharing and access to improve care and drive medical breakthroughs.

At its most basic, de-identification refers to the principle of being unable to re-identify a person based on the information in their medical record, which often involves removing or hiding information such as the individual’s name, date of birth, gender, or address.

Beyond this basic level of de-identification to obscure explicitly personal information, healthcare stakeholders need to be aware of additional information and levels of identifiability to protect patient information.

Many people misunderstand de-identification. Certainly, the patient’s name and the other direct identifiers should be removed. But there is also identifying information inherent in the pattern of care, the diagnosis, prescriptions, dates of service, and other characteristics, and these can be used to re-identify specific patients, especially when an outside party holds another dataset to link against.

“In other words, there are additional safeguards and controls that go beyond the mere extraction of personally identifiable information,” [Suraj Kapa, MD] said. “So fine, you eliminate the medical record number, you eliminate the name, you eliminate the address, you eliminate all this other stuff from individual records. However, say you’re running a large analytic function across, say, the US, on patients with a specific type of cancer and trying to understand what we call social determinants of health.”
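The linkage risk Dr. Kapa describes can be made concrete. The following is an added example, not code from the original page or from any of the sources quoted above. It constructs a small research extract that has already been through the Safe Harbor method (names, record numbers, full dates and full ZIP codes removed; year of birth, sex, three-digit ZIP, diagnosis code and medication all remain, since none of those is one of the 18 identifiers) and a constructed auxiliary dataset of the kind an outsider might hold, such as a pharmacy loyalty export or a social-media post. It then counts how many released records are unique on the surviving attributes and how many auxiliary names can be tied to exactly one record. All names, ZIP prefixes and clinical details are invented for illustration.

```python
"""Linkage re-identification against a Safe Harbor style release.

Added example, not from the original page or its sources. Every record
below is constructed; the names, ZIP prefixes and codes describe no real person.
"""
from collections import defaultdict

# Constructed research extract after Safe Harbor de-identification. Direct
# identifiers are gone; these remaining fields are all permitted by the rule.
RELEASED = [
    {"zip3": "641", "birth_year": 1958, "sex": "M", "dx": "C34.1", "rx": "osimertinib"},
    {"zip3": "641", "birth_year": 1958, "sex": "M", "dx": "C34.1", "rx": "carboplatin"},
    {"zip3": "641", "birth_year": 1955, "sex": "M", "dx": "C34.9", "rx": "carboplatin"},
    {"zip3": "303", "birth_year": 1975, "sex": "F", "dx": "E11.9", "rx": "metformin"},
    {"zip3": "303", "birth_year": 1975, "sex": "F", "dx": "E11.9", "rx": "metformin"},
    {"zip3": "303", "birth_year": 1975, "sex": "F", "dx": "E11.9", "rx": "insulin glargine"},
    {"zip3": "941", "birth_year": 1949, "sex": "M", "dx": "I25.10", "rx": "atorvastatin"},
    {"zip3": "941", "birth_year": 1944, "sex": "F", "dx": "I10", "rx": "lisinopril"},
]

# Constructed auxiliary data an adversary might hold: same attributes, plus a name.
AUX = [
    {"name": "A. Lopez", "zip3": "641", "birth_year": 1955, "sex": "M", "dx": "C34.9", "rx": "carboplatin"},
    {"name": "B. Chen", "zip3": "641", "birth_year": 1958, "sex": "M", "dx": "C34.1", "rx": "osimertinib"},
    {"name": "C. Okafor", "zip3": "303", "birth_year": 1975, "sex": "F", "dx": "E11.9", "rx": "metformin"},
]

# Quasi-identifier sets under comparison (field names are this example's own).
QI_BASE = ("zip3", "birth_year", "sex", "dx")       # what Safe Harbor leaves behind
QI_WITH_RX = QI_BASE + ("rx",)                      # plus the medication column
QI_GENERALIZED = ("zip3", "birth_decade", "dx_chapter")  # after extra coarsening


def quasi_key(rec, fields):
    """The tuple of quasi-identifier values that a record exposes."""
    return tuple(rec[f] for f in fields)


def equivalence_classes(records, fields):
    """Group record indices by their quasi-identifier tuple."""
    classes = defaultdict(list)
    for i, rec in enumerate(records):
        classes[quasi_key(rec, fields)].append(i)
    return dict(classes)


def k_anonymity(records, fields):
    """Size of the smallest class; k == 1 means at least one record is unique."""
    return min(len(ix) for ix in equivalence_classes(records, fields).values())


def link(released, aux, fields):
    """For each auxiliary name, the released record indices sharing its quasi-identifier."""
    classes = equivalence_classes(released, fields)
    return {a["name"]: classes.get(quasi_key(a, fields), []) for a in aux}


def unique_links(released, aux, fields):
    """Names that resolve to exactly one released record: the re-identifications."""
    return {name: ix[0] for name, ix in link(released, aux, fields).items() if len(ix) == 1}


def generalize(rec):
    """Coarsen beyond Safe Harbor: decade of birth and ICD-10 chapter letter only."""
    out = dict(rec)
    out["birth_decade"] = rec["birth_year"] // 10 * 10
    out["dx_chapter"] = rec["dx"][0]
    return out


if __name__ == "__main__":
    gen_released = [generalize(r) for r in RELEASED]
    gen_aux = [generalize(a) for a in AUX]
    for label, fields, rel, aux in (
        ("Safe Harbor fields", QI_BASE, RELEASED, AUX),
        ("plus medication", QI_WITH_RX, RELEASED, AUX),
        ("generalized", QI_GENERALIZED, gen_released, gen_aux),
    ):
        print(f"{label}: k={k_anonymity(rel, fields)} re-identified={unique_links(rel, aux, fields)}")
```

On the Safe Harbor fields alone the release already has k = 1 and one auxiliary name resolves to a single record; adding the medication column resolves a second. Only after coarsening the data further than the rule requires does every auxiliary record fall into a class of two or more. The check worth running before any release is therefore not "were the 18 identifiers removed" but "what is the smallest equivalence class over the fields that remain, and what else could plausibly be joined to them".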

Categories: Alert

Large Health System Agrees To Pay $200,000 as Part of OCR’s Fourteenth Right of Access Initiative Settlement

In its first enforcement action of 2021, on January 12th, the United States Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) announced it settled with Banner Health its fourteenth enforcement action as part of its HIPAA Right of Access Initiative (the “Initiative”). OCR announced the Initiative in 2019 to ensure individuals can easily and timely access their health information at a reasonable cost under the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule. In 2020, OCR announced eleven settlements as part of the Initiative including most recently against a primary care provider. The Initiative has resulted in settlements with all sizes of providers.

Source: Large Health System Agrees To Pay $200,000 as Part of OCR’s Fourteenth Right of Access Initiative Settlement

Categories: Alert

HIPAA Safe Harbor Bill Becomes Law; Requires HHS to Incentivize Security

On January 5, the President signed H.R. 7898, the HIPAA Safe Harbor Bill, into law, which amends the HITECH Act to require HHS to incentivize best practice security.

The legislation directs HHS to take into account a covered entity’s or business associate’s use of industry-standard security practices within the course of 12 months, when investigating and undertaking HIPAA enforcement actions, or other regulatory purposes.

The law also expressly noted that the HITECH changes do not give HHS the authority to increase fines or the extent of an audit, when an entity is found to be out of compliance with the recognized security standards.

The law also corrected technical elements of the 21st Century Cures Act related to the information blocking enforcement authority of HHS’ OIG. Specifically, under the new law, OIG is authorized to obtain information, assistance, and other support from federal agencies when investigating claims of information blocking by the developers or entities that offer health information technologies.

Source: HIPAA Safe Harbor Bill Becomes Law; Requires HHS to Incentivize Security

Categories: Alert

The OCR Settles another Investigation under the HIPAA Right of Access Initiative

OCR has settled its thirteenth enforcement action under the HIPAA Right of Access Initiative, which involved a primary care physician practicing in the State of Georgia. Dr. Peter Wrobel, M.D., P.C., operating under the fictitious name of Elite Primary Care, became subject to an OCR investigation (twice) for his alleged violations of the HIPAA Privacy Rule. Dr. Wrobel must pay a Resolution Amount of $36,000.00 and implement a two year Corrective Action Plan following the OCR’s second investigation. This is an example of another single patient complaint leading to a substantial penalty under the Right of Access Initiative.

Source: No Signs of Slowing Down: The OCR Settles another Investigation under the HIPAA Right of Access Initiative

Categories: Alert

Proposed Changes to HIPAA Privacy Rule

HHS has proposed several important changes to the HIPAA Privacy Rule to bring it in line with HHS’s Sprint Toward Coordinated Care initiative. These proposed changes are not yet final. Comments on the proposed rules are due within 60 days of their publication in the Federal Register.

  • Reducing the time that covered entities have to respond to a patient’s request to access his or her medical records to 15 calendar days (with the possibility of a 15 day extension);
  • Allowing an individual to take notes, videos, and photographs, and use other personal resources to capture Protected Health Information (“PHI”) in a designated record set when accessing PHI in person;
  • Changing the fee structure applicable to requests for access to PHI and adding a requirement that covered entities provide advance notice of approximate fees for copies of PHI;
  • Modifying the definition of “health care operations” to clarify that the term encompasses both individual-level and population-based care coordination and case management activities by health plans and covered health care providers;
  • Adding an exception to the minimum necessary standard for disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management for an individual;
  • Expressly allowing covered entities to disclose PHI to social services agencies, community based organizations, home and community based service providers, and other similar third parties that provide health-related services to specific individuals for individual-level care coordination and case management;
  • Replacing the “professional judgment standard” with a “good faith standard” for certain disclosures of PHI allowed in the Privacy Rule;
  • Eliminating the requirement for a direct treatment provider to obtain written acknowledgment of receipt of the Notice of Privacy Practices (“NPP”) and adding an individual right to discuss the NPP with a person designated by the covered entity;
  • Expressly allowing covered entities and their business associates to disclose PHI to telecommunications relay service communications assistants; and
  • Expanding the current Armed Forces exception for covered entities to use and disclose PHI for mission requirements and veteran eligibility to all uniformed services personnel.

Source: Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement

Categories: Alert

HHS Proposes Modifications to the HIPAA Privacy Rule to Empower Patients, Improve Coordinated Care, and Reduce Regulatory Burdens

The proposed changes to the HIPAA Privacy Rule include strengthening individuals’ rights to access their own health information, including electronic information; improving information sharing for care coordination and case management for individuals; facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; enhancing flexibilities for disclosures in emergency or threatening circumstances, such as the Opioid and COVID-19 public health emergencies; and reducing administrative burdens on HIPAA covered health care providers and health plans, while continuing to protect individuals’ health information privacy interests.

Source: HHS Proposes Modifications to the HIPAA Privacy Rule to Empower Patients, Improve Coordinated Care, and Reduce Regulatory Burdens

Categories: Highlight

Ways your Healthcare Company is Breaking the Law — Without Realizing it

According to the U.S. Department of Health & Human Services’ Breach Portal, sometimes called the “Wall of Shame,” 418 breaches of HIPAA were reported in 2019. Some 34.9 million Americans had their protected health information (PHI) compromised. How is this still happening?

Healthcare companies and practices make the biggest mistake by believing human behavior can be perfect all the time. … [R]esulting from this assumption about human behavior, healthcare providers cheap out and refuse to pay for sufficient security measures for their network. A cheap security system may not contain proper firewalls and leave devices vulnerable, while wholly unencrypted devices can be a nightmare. Healthcare employees leave their cell phones, laptops, or iPads in their vehicles while they run out for coffee or to the grocery. And what happens next? The vehicles are broken into, and PHI is at risk.

I think there is another erroneous assumption that employers make: they assume their business model will continue to be the same.

It is so easy, when putting a deal together, to come up with workflows and policies that make the deal compliant. But as time goes on, the business model shifts, even slightly, in a way that makes the previous workflow and policy no longer compliant.

As a result, as part of their ongoing Compliance Program, Covered Entities should routinely audit their HIPAA Privacy and Security standards to ensure they are evolving with their business.

Source: Ways your Healthcare Company is Breaking the Law — Without Realizing it

Categories: Alert

OCR Settles Tenth Investigation in HIPAA Right of Access Initiative

Riverside Psychiatric Medical Group (“RPMG”) has agreed to take corrective actions and pay $25,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. RPMG, based in Riverside, California, is a group practice specializing in child and adolescent psychiatry, geriatric psychiatry, neuropsychiatry, psychology, and substance use disorders.

OCR received a complaint from a patient alleging that RPMG failed to provide her a copy of her medical records despite multiple requests to RPMG beginning in February 2019. Shortly after receiving the complaint, OCR provided RPMG with technical assistance on how to comply with the HIPAA Right of Access requirements and closed the matter. In April 2019, however, OCR received a second complaint alleging that RPMG still had not provided the complainant with access to her medical records.

“When patients request copies of their health records, they must be given a timely response, not a run-around,” said OCR Director Roger Severino.

Source: OCR Settles Tenth Investigation in HIPAA Right of Access Initiative