humani nil a me alienum puto

random rants about news, the law, healthcare law, economics and anything I find amusing

Rights to the Bits and Bytes in Your EHR

Back in 2001, right before the HIPAA privacy rules took effect, I wrote a law school student note entitled “The Emergence of the Health Care Information Trust.”  Pretty heady, and perhaps a bit Pollyanna-ish, stuff.  In the note I argued that to pull the hidden value of disparate health care information out of the islands of digital data that had been forming throughout the health care system, some form of clearing house for patients, with strong fiduciary obligations to individual patient participants, needed to emerge.  In fact, because of HIPAA’s soon-to-be-finalized privacy regulations, without patients expressly vesting rights in something like a health care data aggregator, it would be very difficult (if not impossible) to use the information commercially for purposes other than directly for healthcare treatment, payment, operations and certain research.  Further, the value in that data would not be able to accrue to the individual any other way.  My concept was to allow use of patient data, with defined limitations set by the patient, with micropayments to patients for such patient-approved use by anyone seeking to access the aggregated data.

Anyway, in the eight years since I wrote the article, I am not sure where the health care data market is going.  But there are some services that seem to be starting to emerge as potential aggregators.  Most notably, both Microsoft and Google have been taking initiatives in the area.  Of course, Microsoft and Google are not what I had projected; but it probably makes more sense in hindsight that the two biggest IT juggernauts would be making headway into this very young market with unknown potential.  If anything, the ability to pull good, useful and linkable health care information (except maybe healthcare claims data) is a monumental problem, and true electronic medical records are, at best, still in their infancy.  So, too, are the immediate possibilities of wide-scale transfers to such aggregators.

One of the obvious limitations, even if and when health record data is transferable without impossibly difficult transactional barriers and costs, is the fact that the privacy regulations are really set up to address patient rights principally in paper records.   So, even if you wished to transmit electronic data to an aggregator service (be it my concept of a Healthcare Information Trust or, for that matter, Google or Microsoft), there are no express provisions addressing this.

So I found it interesting when I read about “A Declaration of Health Data Rights.”  In it, the organization specifically makes mention of access to records in “computable form.”  Also, in reading about the initiative in the NYT’s Bits blog, I took particular note that both Microsoft and Google have a role in it.  Ah, this makes some sense now.

For what it’s worth, the group desires:

A Declaration of Health Data Rights

In an era when technology allows personal health information to be more easily stored, updated, accessed and exchanged, the following rights should be self-evident and inalienable. We the people:

1. Have the right to our own health data

2. Have the right to know the source of each health data element

3. Have the right to take possession of a complete copy of our individual health data, without delay, at minimal or no cost; if data exist in computable form, they must be made available in that form

4. Have the right to share our health data with others as we see fit

These principles express basic human rights as well as essential elements of health care that is participatory, appropriate and in the interests of each patient. No law or policy should abridge these rights.

via HealthDataRights.org.

Filed under: Health Law, HIPAA

HHS issues guidance on safeguarding PHI

On Friday, April 17, 2009, the Department of Health and Human Services released its guidance on protecting personally identifiable healthcare information by encrypting or destroying it so that it is rendered “unusable, unreadable or indecipherable to unauthorized individuals.”  (See http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechrfi.pdf).

Because the breach notification requirements of the HITECH Act apply only to breaches of unsecured PHI, the Department’s guidance provides the means by which covered entities and their business associates determine whether a breach has occurred to which the notification obligations under the Act and its implementing regulations apply.   Recall that under the HITECH Act, “unsecured” PHI is protected health information that is not protected through the use of a technology or methodology specified in the Secretary’s guidance (this document).  If there is a “breach” of unsecured PHI, and the incident does not fall within one of the exceptions provided in the HITECH Act, then certain disclosures by the covered entity are required.  These include written notice to individuals by first-class mail; “in cases in which there is insufficient or out-of-date contact information, substitute notice, including, in the case of 10 or more individuals for which there is insufficient contact information, conspicuous posting (for a period determined by the Secretary) on the home page of the Web site of the covered entity”; and, in cases involving more than 500 residents of a State or jurisdiction, notice to prominent media outlets within that State or jurisdiction and immediate notice to the Department.   Covered entities must also report all breaches to HHS, at least annually for the smaller ones.  The Secretary will also post to its web site notice of all reported breaches involving more than 500 individuals.

[W]e have identified two methods for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals: encryption and destruction *** Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals only if one or more of the following applies:

a) Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” and such confidential process or key that might enable decryption has not been breached. Encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.

i) Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.

ii) Valid encryption processes for data in motion are those that comply with the requirements of Federal Information Processing Standards (FIPS) 140-2. These include, as appropriate, standards described in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, and may include others which are FIPS 140-2 validated.

b) The media on which the PHI is stored or recorded has been destroyed in one of the following ways:

i) Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.

ii) Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.

The Department indicates that its list is exhaustive, but it opens discussion of other methods to make PHI unusable, unreadable, or indecipherable.  In the development of this guidance, the Department reported that it had considered whether PHI in limited data set form should be treated as unusable, unreadable, or indecipherable to unauthorized individuals for purposes of breach notification.  It does not, but suggests that in the future, based upon additional comments and analysis, further restrictions on Limited Data Sets (e.g., removal of some of the digits of the ZIP code) might make re-identification such a remote possibility that the more limited data set would be unusable, unreadable, or indecipherable.  The Department also asks for comment on the use of fingerprint-protected Universal Serial Bus (USB) drives, for example, and on whether it should, in providing future guidance on this topic, identify specific “off-the-shelf” products that may “meet the encryption standards identified in this guidance.”
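The security-relevant point in paragraph (a) is easy to miss: the safe harbor depends not on the algorithm alone but on the key not having been breached with the data.  The following Go program is an added example, not code from the original post or from the HHS guidance.  It encrypts a PHI record at rest with AES-256-GCM (a FIPS-approved algorithm of the kind SP 800-111 contemplates; the choice is this example's assumption) and shows that whoever holds the media without the key cannot recover the record, and that a ciphertext moved onto a different record or decrypted under any other key fails authentication rather than yielding garbage.  The record IDs and sample text are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is one encrypted PHI record at rest. The record ID is passed to GCM
// as additional authenticated data, so a ciphertext copied onto another record
// fails authentication instead of decrypting under the wrong identity.
type Record struct {
	ID         string
	Ciphertext []byte // nonce || AES-GCM ciphertext || tag
}

// NewKey returns a fresh 256-bit AES key from the OS CSPRNG. In a real system
// the key lives in a KMS/HSM or at least a separate, access-controlled store,
// never on the device that holds the ciphertext: a lost laptop carrying both
// is a breach of unsecured PHI no matter how strong the cipher.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under key with a random 96-bit nonce, binding the
// result to id via AAD. A fresh random nonce per record is what keeps GCM safe.
func Encrypt(key []byte, id string, plaintext []byte) (Record, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	// Seal appends ciphertext and tag to the nonce so all three travel together.
	return Record{ID: id, Ciphertext: gcm.Seal(nonce, nonce, plaintext, []byte(id))}, nil
}

// Decrypt reverses Encrypt. It returns an error, and no plaintext, if the key
// is wrong, the data was tampered with, or the record ID does not match.
func Decrypt(key []byte, rec Record) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(rec.Ciphertext) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, rec.Ciphertext[:n], rec.Ciphertext[n:], []byte(rec.ID))
}

// Readable reports whether a holder of key can recover the record: the question
// paragraph (a) of the guidance asks about whoever now possesses the media.
func Readable(key []byte, rec Record) bool {
	_, err := Decrypt(key, rec)
	return err == nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real PHI.
	rec, err := Encrypt(key, "MRN-000123", []byte("DOE, JANE; DOB 1970-01-01; Dx: hypertension"))
	if err != nil {
		panic(err)
	}
	otherKey, _ := NewKey()
	fmt.Println("holder of the key:        ", Readable(key, rec))      // true
	fmt.Println("holder of the media only: ", Readable(otherKey, rec)) // false
	rec.ID = "MRN-000999"
	fmt.Println("ciphertext moved:         ", Readable(key, rec)) // false
}
```

The design choice worth noting is the AAD binding: without it, an attacker who cannot read records could still swap ciphertexts between patients, and the system would happily decrypt the wrong chart under the wrong name.  Full-disk encryption per SP 800-111 gives the same "unreadable without the key" property for a whole device, but the key-separation caveat is identical there: a pre-boot password written on the laptop is a breached key.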

In advance of its interim final regulations on breach notification, the Department also asks for comments.  The request for comments seems to indicate that the Department is concerned about the need for covered entities to send multiple notices due to inconsistency between federal and state legal requirements.  It is also seeking examples of situations in which covered entities think the exceptions under the HITECH Act will actually apply (perhaps to agree, disagree or to use in its own illustrative examples).

1.  Based on experience in complying with state breach notification laws, are there any potential areas of conflict or other issues the Department should consider in promulgating the federal breach notification requirements?
2.  Given current obligations under state breach notification laws, do covered entities or business associates anticipate having to send multiple notices to an individual upon discovery of a single breach? Are there circumstances in which the required federal notice would not also satisfy any notice obligations under the state law?
3.  Considering the methodologies discussed in the guidance, are there any circumstances in which a covered entity or business associate would still be required to notify individuals under state laws of a breach of information that has been rendered secured based on federal requirements?
4. The Act’s definition of “breach” provides for a variety of exceptions. To what particular types of circumstances do entities anticipate these exceptions applying?

Filed under: Health Law, HIPAA

CVS Resolution Agreement with HHS Office for Civil Rights for HIPAA Violations

CVS Pharmacy, Inc. recently entered into a “Resolution Agreement” with the HHS Office for Civil Rights for a variety of business practices that were reported in the media concerning disclosure of protected health information (“PHI”).   There was a similar agreement with Providence Health System last year for a $100,000 payment and a corrective action plan.

Of note is the size of the settlement – $2.25M.  I also took a look at the Resolution Agreement and the Corrective Action Plan (“CAP”) to note similarities/differences from Corporate Integrity Agreements from OIG.  I saw many parallel items from my experience on the CIA front.   Now that the bubble has burst on actual enforcement actions with significant settlement payment amounts, and with the recent HIPAA changes in the Stimulus law, you can bet that there will be both more plaintiff litigation on this front (i.e., HIPAA privacy regulations as the “standard of care” and state tort law as the actual suit mechanism) as well as enforcement action by the Office for Civil Rights.   It is also notable that the “trigger” here was media reports.  Perhaps it is no accident that the proposed HIPAA changes require media outlet reporting once a threshold of PHI is released.  You can check out the press release and the resolution agreement/CAP at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cvsresolutionagreement.html

Filed under: CMP, Health Law, HIPAA
