<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Journal of AHIMA &#187; Privacy and security</title>
	<atom:link href="http://journal.ahima.org/category/privacy-and-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://journal.ahima.org</link>
	<description>The Journal of AHIMA is published monthly by the American Health Information Management Association</description>
	<lastBuildDate>Wed, 18 Nov 2009 19:55:09 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>More Delays for the Red Flags Rule</title>
		<link>http://journal.ahima.org/2009/11/02/more-delays-for-the-red-flags-rule/</link>
		<comments>http://journal.ahima.org/2009/11/02/more-delays-for-the-red-flags-rule/#comments</comments>
		<pubDate>Mon, 02 Nov 2009 18:06:20 +0000</pubDate>
		<dc:creator>Kevin Heubusch</dc:creator>
				<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=1217</guid>
		<description><![CDATA[The Federal Trade Commission has announced a new delay for the Red Flags Rule. Enforcement will now begin June 1, 2010.
The delay, announced October 30, comes at the request of Congressional members, the FTC said. The rule was scheduled to go into effect November 1.
The announcement comes a week after the House of Representatives passed an [...]]]></description>
			<content:encoded><![CDATA[<p>The Federal Trade Commission has <a href="http://www.ftc.gov/opa/2009/10/redflags.shtm" target="_blank">announced a new delay</a> for the Red Flags Rule. Enforcement will now begin June 1, 2010.</p>
<p>The delay, announced October 30, comes at the request of Congressional members, the FTC said. The rule was scheduled to go into effect November 1.</p>
<p>The announcement comes a week after the House of Representatives passed <a href="http://journal.ahima.org/2009/10/22/exception-coming-on-red-flags-rule/" target="_blank">an amendment to the rule</a> that would exclude certain businesses, including small healthcare, accounting, and legal practices. The House bill is currently in the Senate.</p>
<p>On the day FTC announced the delay, the US District Court for the District of Columbia ruled that the FTC may not apply the Red Flags Rule to attorneys.</p>
<p>This is the fourth delay for the rule, which was originally scheduled to take effect November 1, 2008. Industry groups, including healthcare providers and lawyers, have pushed for an exclusion, while others have complained that the rule lacked sufficient detail and guidance. The FTC has since been adding <a href="http://www.ftc.gov/redflagsrule" target="_blank">information and guidance online</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/11/02/more-delays-for-the-red-flags-rule/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Exception Coming on Red Flags Rule?</title>
		<link>http://journal.ahima.org/2009/10/22/exception-coming-on-red-flags-rule/</link>
		<comments>http://journal.ahima.org/2009/10/22/exception-coming-on-red-flags-rule/#comments</comments>
		<pubDate>Thu, 22 Oct 2009 13:51:26 +0000</pubDate>
		<dc:creator>Kevin Heubusch</dc:creator>
				<category><![CDATA[Physician practices]]></category>
		<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=1179</guid>
		<description><![CDATA[The oft-delayed Red Flags Rule, scheduled to take effect November 1, may be in for a major change. A bill that passed the US House October 20 and arrived in the Senate the next day would exempt, among others, healthcare practices with 20 or fewer employees from meeting the law’s requirements.
The amendment is intended to [...]]]></description>
			<content:encoded><![CDATA[<p>The oft-delayed <a href="http://www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml" target="_blank">Red Flags Rule</a>, scheduled to take effect November 1, may be in for a major change. A <a href="http://thomas.loc.gov/cgi-bin/bdquery/z?d111:h.r.03763:" target="_blank">bill</a> that passed the US House October 20 and arrived in the Senate the next day would exempt, among others, healthcare practices with 20 or fewer employees from meeting the law’s requirements.</p>
<p>The amendment is intended to relieve the administrative burden on small businesses.</p>
<p>The Red Flags Rule, part of the Fair and Accurate Credit Transaction Act of 2003, requires “creditors” and financial institutions to develop and implement written identity theft prevention programs. As described in the rule, creditors are organizations that maintain consumer accounts that receive multiple payments or payments made in installments.</p>
<p>In full, HR 3763 amends the Fair Credit Reporting Act to exclude “any health care practice, accounting practice, or legal practice with 20 or fewer employees.” It also excludes any other business that the Federal Trade Commission, which oversees the rule, determines:</p>
<ul>
<li>knows all its customers or clients individually;</li>
<li>only performs services in or around the residences of its customers; or </li>
<li>has not experienced incidents of identity theft, and identity theft is rare for businesses of that type.<span id="more-1179"></span></li>
</ul>
<p>The proposed amendment moved easily through the House. It was introduced October 8 and was voted on without debate on October 20. There were 400 votes to approve and no votes in opposition.</p>
<p>The House bill was received and read in the Senate and referred to the Committee on Banking, Housing, and Urban Affairs.</p>
<p>The Red Flags Rule was first scheduled to take effect November 2008. The Federal Trade Commission offered several delays to provide more guidance and give businesses more time to prepare.</p>
<h5>Provider Burden or Consumer Protection?</h5>
<p>Rep. John Adler (D-NJ) sponsored the bill. “The Federal Trade Commission went too far and went beyond the intent of Congress by considering non-financial, service-related industries to be ‘creditors’…,” he said in a floor speech before the vote.</p>
<p>“Its ruling would force thousands of small businesses to comply with burdensome, expensive regulations by forcing them to develop and implement an identity theft program.”</p>
<p>The American Medical Association also is opposed to inclusion of medical practices and has lobbied against it.</p>
<p>However, in a <a href="http://journal.ahima.org/wp-content/uploads/HR3763letter.pdf" target="_blank">letter</a> to the Senate committee chair, AHIMA argues that medical practices are already a target of identity thieves and that exempting them from the rule would motivate thieves to focus on them more.</p>
<p>AHIMA also noted that the bill has a much farther reach than might appear. Nearly half of physicians work in practices of six physicians or fewer, according to a 2008 report from the Centers for Medicare and Medicaid Services. At a time when medical identity theft and healthcare fraud are on the rise, the bill would exempt a large share of providers from having identity theft prevention programs.</p>
<p>In addition, the exemption would undermine efforts to raise awareness of identity theft and subsequent fraud within the healthcare industry, AHIMA wrote.</p>
<p>The Senate Committee on Banking, Housing, and Urban Affairs has yet to schedule discussion of the bill. With a full plate and the winter recess approaching, it is unclear if the committee will consider the House bill this year.</p>
<p><em>Updated Oct. 28</em></p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/10/22/exception-coming-on-red-flags-rule/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>No Script Needed for California Breach Notification</title>
		<link>http://journal.ahima.org/2009/10/22/no-script-needed-ca-breach-notification/</link>
		<comments>http://journal.ahima.org/2009/10/22/no-script-needed-ca-breach-notification/#comments</comments>
		<pubDate>Thu, 22 Oct 2009 13:19:48 +0000</pubDate>
		<dc:creator>Chris Dimick</dc:creator>
				<category><![CDATA[ARRA]]></category>
		<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=1184</guid>
		<description><![CDATA[California Governor Arnold Schwarzenegger vetoed a state legislature bill on October 11 that would have specified content requirements for privacy breach notifications.
California law requires businesses and state agencies that have unencrypted personal information lost, stolen, or improperly accessed from their databases to notify affected consumers. However, the law does not specify what information the notification [...]]]></description>
			<content:encoded><![CDATA[<p>California Governor Arnold Schwarzenegger vetoed a state legislature bill on October 11 that would have specified content requirements for privacy breach notifications.</p>
<p>California law requires businesses and state agencies that have unencrypted personal information lost, stolen, or improperly accessed from their databases to notify affected consumers. However, the law does not specify what information the notification letters must contain.</p>
<p><a href="http://www.leginfo.ca.gov/cgi-bin/postquery?bill_number=sb_20&amp;sess=CUR&amp;house=B&amp;search_type=email" target="_blank">Senate bill 20</a> would have ensured businesses include key information in their notices, such as the type of personal information breached, a description of the incident, the date it took place, and who to contact for more information.</p>
<p>The bill was vetoed, Schwarzenegger wrote in his explanation, because there is no evidence of a problem with the information businesses are currently providing consumers.<span id="more-1184"></span></p>
<p>The veto does not dramatically affect state healthcare organizations, which beginning September 23 must meet similar requirements under federal breach notification laws. The federal laws require companies that handle personal health information to include specific information in breach notification letters, including date of the incident and the personal information breached.</p>
<p>However, the federal provisions—part of the American Recovery and Reinvestment Act’s HITECH section—only cover healthcare businesses, leaving California organizations such as banks and educational institutions open to include as much or as little information in their breach notifications as they deem appropriate.</p>
<h5>Veto “Surprising”</h5>
<p>Senate bill 20 was proposed by state senator Joe Simitian, who said it was necessary to ensure that victims receive the information they need to understand the problem and protect themselves from harm.</p>
<p>“This is one of the most surprising vetoes I’ve gotten while I’ve been here, over nine years,” Simitian said.</p>
<p>The bill had moved through the state legislature with strong support.</p>
<p>Simitian acknowledged that the majority of the notices that go out to consumers do contain adequate, helpful information. However, he said there have been instances of vague and meaningless breach notifications.</p>
<p>A survey of data breach victims included in a 2007 University of California-Berkeley School of Law paper found that 28 percent of those receiving a breach notification did not understand the “potential consequences of the breach after reading the letter.” Simitian cited this study as well as personal conversations with confused breach notification recipients to explain why legislation is needed.</p>
<p>The proposed additions to California’s privacy law would not break new ground. Several states have added similar breach notice requirements to their privacy laws, Simitian said. Setting notification requirements could also benefit businesses by spelling out their responsibilities. Having clear-cut requirements saves businesses from guessing at what they should do to be compliant.</p>
<p>While he feels the breach notification content requirements were not necessarily a bad idea, California-based healthcare attorney Reece Hirsch said he can understand why the bill was vetoed. Hirsch, a partner with Morgan Lewis’s FDA/Healthcare regulation practice, has helped clients draft many breach notifications. The breach notification requirements proposed in the bill are considered best practices in the field and already followed, he noted.</p>
<p>“Most companies responding to a security breach under the existing law would typically include the elements that are stated in senate bill 20,” Hirsch said. “Certainly there are consumer groups who have felt that these notices are maybe confusing, not as forthcoming as they should be.</p>
<p>“But by and large I am not sure that the elements that were specified in senate bill 20 would really affect a real change in the sorts of notices that consumers are seeing under the current California law.”</p>
<h5>No Copy for the Attorney General</h5>
<p>Senate bill 20 also called on businesses to send a copy of their breach notifications to the California attorney general if the breach affected more than 500 people. The provision was included to give law enforcement and the legislature a way to track privacy breaches across industries and identify trends, Simitian said.</p>
<p>In his veto message, Schwarzenegger wrote there was “no additional consumer benefit” to the provision because the bill does not require the attorney general to do anything with the notices.</p>
<p>“I thought there was a little irony in the veto message suggesting that we didn’t have evidence of the nature of the problem, and then going on to say ‘and by the way, why on earth would you want to have a place where there is a repository of this information,’” Simitian said.</p>
<p>Under state law that took effect January 1 of this year, healthcare organizations are already required to report breaches of any size to the California Department of Public Health, Center for Health Care Quality, which has power to investigate and fine organizations.</p>
<p>However, sending a breach notice directly to the attorney general could have increased an organization’s chance of being prosecuted, Hirsch noted. The federal breach notification provisions give attorneys general the power to enforce privacy protections and take enforcement action against healthcare organizations that have experienced a breach of protected health information.</p>
<p>Though the bill was vetoed, Simitian said he will have conversations with the California governor’s office on how to get the bill passed. He plans to reintroduce the legislation next year.</p>
<h5>The Federal Content Requirements</h5>
<p>Two federal laws govern breach notification. <a href="http://journal.ahima.org/2009/08/24/hhs-releases-breach-notification-rule/" target="_blank">A rule</a> promulgated by the Department of Health and Human Services governs HIPAA covered entities; <a href="http://journal.ahima.org/2009/08/25/ftc-releases-breach-notification-rule/" target="_blank">a rule</a> published by the Federal Trade Commission applies to noncovered entities such as personal health record vendors.</p>
<p>The rule governing covered entities spells out that breach notifications must:</p>
<ul>
<li>Be written in plain language</li>
<li>Describe what happened, including the date of breach and discovery (if known)</li>
<li>Describe the types of unsecured personal information involved in the breach</li>
<li>Provide steps individuals should take to protect themselves</li>
<li>Give a brief description of what the healthcare organization is doing to investigate, mitigate harm, and protect against further breaches</li>
<li>Describe contact procedures for patient questions, including a toll-free telephone number</li>
</ul>
<p>The rule currently exists as an interim final rule, meaning that it could be modified based on public comments. The comment period ends this Friday, October 23. The FTC law governing noncovered entities has similar content requirements, though it provides less detail.</p>
<p>The California bill would have required businesses to include two items in addition to what the federal laws specify:</p>
<ul>
<li>Contact information for credit reporting agencies</li>
<li>A statement describing whether there was a delay in notification because of law enforcement investigations</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/10/22/no-script-needed-ca-breach-notification/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CMS Publishes Interim Final Rule on GINA</title>
		<link>http://journal.ahima.org/2009/10/09/cms-publishes-interim-final-rule-on-gina/</link>
		<comments>http://journal.ahima.org/2009/10/09/cms-publishes-interim-final-rule-on-gina/#comments</comments>
		<pubDate>Fri, 09 Oct 2009 13:19:50 +0000</pubDate>
		<dc:creator>Meg Featheringham</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[HIM operations]]></category>
		<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=1063</guid>
		<description><![CDATA[On Wednesday the Centers for Medicare and Medicaid Services (CMS) published the interim final rule for the Genetic Information Nondiscrimination Act (GINA). In it, CMS modifies the HIPAA privacy rule to explicitly include genetic information within the definition of health information. 
The rule also proposes to:

prohibit health plans from using or disclosing protected health information that is genetic information for [...]]]></description>
			<content:encoded><![CDATA[<p>On Wednesday the Centers for Medicare and Medicaid Services (CMS) published the <a href="http://edocket.access.gpo.gov/2009/pdf/E9-22504.pdf" target="_blank">interim final rule for the Genetic Information Nondiscrimination Act (GINA)</a>. In it, CMS modifies the HIPAA privacy rule to explicitly include genetic information within the definition of health information. </p>
<p>The rule also proposes to:</p>
<ul>
<li>prohibit health plans from using or disclosing protected health information that is genetic information for underwriting purposes;</li>
<li>revise the provisions relating to the notice of privacy practices for health plans that perform underwriting;</li>
<li>make conforming modifications to definitions and other provisions of the privacy rule; and</li>
<li>make technical corrections to update the definition of “health plan.”</li>
</ul>
<p>The interim final rule applies GINA’s prohibitions on using and disclosing protected genetic health information for underwriting to all health plans subject to the privacy rule, rather than solely to the plans GINA explicitly requires be subject to the prohibition. It also proposes applying the prohibition on using or disclosing genetic information for underwriting purposes to all health plans that are covered entities as defined by the HIPAA privacy rule.</p>
<p>CMS will accept public comments for 60 days.</p>
<p>Signed in 2008, <a href="http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=110_cong_public_laws&amp;docid=f:publ233.110.pdf" target="_blank">GINA</a> protects individuals against discrimination in health coverage or employment based on their genetic information.</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/10/09/cms-publishes-interim-final-rule-on-gina/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Employee Fired for Accessing Son’s Records Reinstated</title>
		<link>http://journal.ahima.org/2009/08/31/employee-fired-for-accessing-son%e2%80%99s-records-reinstated/</link>
		<comments>http://journal.ahima.org/2009/08/31/employee-fired-for-accessing-son%e2%80%99s-records-reinstated/#comments</comments>
		<pubDate>Mon, 31 Aug 2009 18:56:26 +0000</pubDate>
		<dc:creator>Meg Featheringham</dc:creator>
				<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=962</guid>
		<description><![CDATA[A Wisconsin woman who was fired in September 2008 for accessing her estranged son’s medical records was reinstated last month after an arbitrator deemed the punishment excessive.
After learning her son sought care at the hospital, the woman, a health unit coordinator at St. Francis Hospital for 30 years, accessed his records eight times in one [...]]]></description>
			<content:encoded><![CDATA[<p>A Wisconsin woman who was fired in September 2008 for <a href="http://www.modernhealthcare.com/article/20090810/REG/308049974">accessing her estranged son’s medical records</a> was reinstated last month after an arbitrator deemed the punishment excessive.</p>
<p>After learning her son sought care at the hospital, the woman, a health unit coordinator at St. Francis Hospital for 30 years, accessed his records eight times in one year in hopes of learning his current address or when he was next scheduled for an appointment. The mother acknowledged that her actions were inappropriate, but said she accessed her son’s records to find out whether he was okay after one of his friends was murdered in 2007.</p>
<p>The woman was unable to contact her son because his medical records listed her residence as his home address and listed no appointments. However, after someone saw her son enter a residence, the woman sent him a birthday card to that address. The son, who is in his mid-20s, then filed a complaint with the hospital alleging she must have gotten the address through his confidential medical records, which prompted the investigation and her firing.<span id="more-962"></span></p>
<p>The woman’s union, the Wisconsin Federation of Nurses and Health Care Professionals, appealed the firing. Arbitrator Coleen Burns of the Wisconsin Employment Relations Commission changed the discipline from a firing to a suspension and ordered the woman reinstated.</p>
<p>Burns noted in her ruling that illegally accessing his medical records was not justified. She called it &#8220;egregious misconduct&#8221; that was an aberration from her otherwise positive record.</p>
<p>Hospital lawyer Stacie Andritsch said the employee had resumed employment at the hospital, which will not appeal the decision.</p>
<p>Tell us what you think. Was the punishment excessive? Should the woman have been reinstated?</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/08/31/employee-fired-for-accessing-son%e2%80%99s-records-reinstated/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>FTC Releases Breach Notification Rule</title>
		<link>http://journal.ahima.org/2009/08/25/ftc-releases-breach-notification-rule/</link>
		<comments>http://journal.ahima.org/2009/08/25/ftc-releases-breach-notification-rule/#comments</comments>
		<pubDate>Tue, 25 Aug 2009 15:46:25 +0000</pubDate>
		<dc:creator>Kevin Heubusch</dc:creator>
				<category><![CDATA[ARRA]]></category>
		<category><![CDATA[Personal health records]]></category>
		<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=947</guid>
		<description><![CDATA[Yesterday HHS published its breach notification rule for HIPAA covered entities. Today the Federal Trade Commission’s rule appeared in print, making it official also. The FTC rule applies to entities not covered by HIPAA, primarily vendors of personal health records. The rule is effective September 24, 2009. Full compliance is required by February 22, 2010.
FTC’s [...]]]></description>
			<content:encoded><![CDATA[<p>Yesterday HHS published its breach notification rule for HIPAA covered entities. Today the Federal Trade Commission’s rule <a href="http://edocket.access.gpo.gov/2009/pdf/E9-20142.pdf" target="_blank">appeared in print</a>, making it official also. The FTC rule applies to entities not covered by HIPAA, primarily vendors of personal health records. The rule is effective September 24, 2009. Full compliance is required by February 22, 2010.</p>
<p>FTC’s rule requires vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached. Both the FTC and the HHS rules were required by provisions in the American Recovery and Reinvestment Act, signed into law this past February.</p>
<p>As with the HHS rule, entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach. Neither HHS nor FTC amended the timeline specified in the ARRA provision.</p>
<p>The rule specifies that notifications should be written in plain language and include, to the extent possible, a brief description of what happened, the types of information involved, steps individuals should take to protect themselves, and a brief description of what the entity is doing to investigate and mitigate the breach. The notification must provide consumers with contact information that includes a toll-free number, e-mail address, and Web site or postal address. <span id="more-947"></span></p>
<p>Entities must notify the FTC, also. They must report breaches involving more than 500 people within 10 business days of discovery. This doubled the amount of time in the proposed rule. Commenters expressed concern that 5 days may not be enough time to properly investigate the incident prior to reporting it. That change may get attention in California, where state law requires healthcare entities to notify both consumers and the state of breaches within 5 days.</p>
<p>The final page of the <em>Federal Register</em> notice includes a form that PHR vendors may use to file breach reports.</p>
<p>The FTC rule does not apply to HIPAA-covered entities or to “any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.” However, there could be instances where a company serves as both a business associate of a HIPAA-covered entity and a vendor of PHRs to the public. That entity could be subject to both the HHS and FTC rules. The final rule provides several examples.</p>
<h5>The Definitions</h5>
<p>The rule defines a PHR as an &#8220;electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.&#8221; The rule offers further definition of what information constitutes PHR identifiable health information.</p>
<p>Paper PHRs are not covered by the rule, because ARRA legislation specified a rule on electronic records only.</p>
<p>FTC defines a “PHR related entity” as an entity that “(1) offers products or services through the Web site of a vendor of personal health records; (2) offers products or services through the Web sites of HIPAA-covered entities that offer individuals PHRs; or (3) accesses information in a personal health record or sends information to a personal health record.”</p>
<p>The final rule adopts the definition of breach provided in the proposed rule: &#8220;the acquisition of unsecured PHR identifiable health information of an individual in a personal health record without the authorization of the individual.&#8221;</p>
<h5>Preemption</h5>
<p>Preemption of state law does apply, with FTC clarifying that the final rule preempts only contrary state laws.</p>
<p>A state law is contrary if it would be impossible to comply with both state and federal requirements or if the state law “stands as an obstacle to the accomplishment and execution of the full purposes and objectives’’ of the federal requirements.</p>
<p>The rule does not preempt state laws imposing additional—as opposed to contradictory—breach notification requirements.</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/08/25/ftc-releases-breach-notification-rule/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HHS Releases Breach Notification Rule</title>
		<link>http://journal.ahima.org/2009/08/24/hhs-releases-breach-notification-rule/</link>
		<comments>http://journal.ahima.org/2009/08/24/hhs-releases-breach-notification-rule/#comments</comments>
		<pubDate>Mon, 24 Aug 2009 23:10:41 +0000</pubDate>
		<dc:creator>Kevin Heubusch</dc:creator>
				<category><![CDATA[ARRA]]></category>
		<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=941</guid>
		<description><![CDATA[Last week the industry got an early look at the Department of Health and Human Service’s much-anticipated data breach notification rule. Today the rule was published in the Federal Register, making it official. The rule takes effect September 23, 2009.
“Breach Notification for Unsecured Protected Health Information” applies to all HIPAA-covered entities and HIPAA-related business associates. [...]]]></description>
			<content:encoded><![CDATA[<p>Last week the industry got an early look at the Department of Health and Human Service’s much-anticipated data breach notification rule. Today the rule was published in the <a href="http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf" target="_blank"><em>Federal Register</em></a>, making it official. The rule takes effect September 23, 2009.</p>
<p>“Breach Notification for Unsecured Protected Health Information” applies to all HIPAA-covered entities and HIPAA-related business associates. A separate rule is expected any day from the Federal Trade Commission, which will cover non-HIPAA related entities such as vendors of personal health records. Both rules stem from the American Recovery and Reinvestment Act. FTC released a preliminary version of its rule last week, also.</p>
<p>The rule defines a breach; suggests how an entity might investigate a potential breach; and establishes the steps the entity must follow should it determine that a breach has occurred. </p>
<p>A verified breach requires notification of the affected individuals without unreasonable delay and within 60 days of the breach’s discovery, the time frame originally specified in ARRA. Few of the 44 state breach notification laws specify a time period. California requires notification within 5 days; Florida within 45 days.</p>
<p>HHS, and possibly the media, will also require notification. Entities must notify HHS immediately of any breach involving 500 or more individuals; they may log smaller breaches and report them annually. Breaches of more than 500 individuals must also be reported to “prominent” media outlets in the state or jurisdiction within the same time frame as the notification to individuals.</p>
<p>HHS declined to further define a “prominent” media outlet, despite requests received in comments. It notes that the term is relative to the market.<br />
<span id="more-941"></span></p>
<h5>Dust off the Business Associate Agreements</h5>
<p>Under the rule, business associates must notify covered entities of breaches they discover no later than 60 days following their discovery. The covered entity is responsible for notifying the affected individuals.</p>
<p>If the business associate is acting as an agent of the covered entity, then the business associate’s discovery of the breach will be imputed to the covered entity. The covered entity must provide breach notifications based on the time the business associate discovered the breach, not from the time the business associate informed the covered entity.</p>
<p>However, if the business associate is an independent contractor of the covered entity, then the covered entity must provide notification based on the time the business associate notified it of the breach. HHS notes that “covered entities may wish to address the timing of the notification in their business associate contracts.”</p>
<h5>Final, yet Interim</h5>
<p>In order to (almost) meet its ARRA-imposed deadline, HHS issued an interim final rule, meaning that modifications may still come. In effect, entities must prepare to comply with the law before its 60-day comment period has expired.</p>
<p>HHS is taking comments on the rule in two parts. Comments on the rule’s information collection requirements are due September 8. Presumably, if there’s a problem with the collection requirements, HHS wants to know before the rule goes into effect.</p>
<p>Comments on the overall provisions of the rule are due by October 23, 2009.</p>
<h5>Let the Preemption Begin</h5>
<p>Contrary state law will be preempted by the breach notification regulations. HHS has already heard about this issue, and in the interim final rule it requests more feedback.</p>
<p>HHS refers to HIPAA for the definition of “contrary,” writing, “a State law is contrary if ‘a covered entity could find it impossible to comply with both the State and federal requirements’ or if the State law ‘stands as an obstacle to the accomplishment and execution of the full purposes and objectives’ of the breach notification provisions in the Act.”</p>
<p>HHS believes that in general covered entities can comply with both state laws and its regulation. For example, it notes that, “in most cases,” it believes a single notification can satisfy requirements under both state and federal law.</p>
<p>California may be the caveat in HHS’s belief. In many ways the state’s breach laws are stricter than the HHS rule and may make it difficult for an entity to meet both laws with a single notice. That’s the topic of a <a href="http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_044376.hcsp?dDocName=bok1_044376" target="_blank">story in this month’s print journal</a>, which takes a look at how California entities are teasing apart state and federal breach notification laws. Their efforts highlight the challenge organizations everywhere face in determining responsibilities under ARRA’s new privacy regulations.</p>
<p>In <a href="http://journal.ahima.org/2009/07/07/cas-new-privacy-laws/" target="_blank">“Reports Pour in under CA’s New Privacy Laws,”</a> the Journal reports on the California Department of Public Health, which has been fielding and investigating incidents of unauthorized record access since California’s new breach notification laws took effect on January 1.</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/08/24/hhs-releases-breach-notification-rule/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Who Has Rights to a Deceased Patient’s Records?</title>
		<link>http://journal.ahima.org/2009/08/04/rights-to-deceased-patient-records/</link>
		<comments>http://journal.ahima.org/2009/08/04/rights-to-deceased-patient-records/#comments</comments>
		<pubDate>Wed, 05 Aug 2009 01:02:16 +0000</pubDate>
		<dc:creator>Chris Dimick</dc:creator>
				<category><![CDATA[HIM operations]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=902</guid>
		<description><![CDATA[A son calls the HIM department and requests his deceased father&#8217;s medical records. Shortly afterward, the man&#8217;s wife requests the records, also. Then a man calls identifying himself as the executor of the estate. Who is authorized to access the records?
Determining appropriate release of a deceased patient&#8217;s medical records can be complex. HIPAA, sometimes blamed [...]]]></description>
			<content:encoded><![CDATA[<p>A son calls the HIM department and requests his deceased father&#8217;s medical records. Shortly afterward, the man&#8217;s wife requests the records, also. Then a man calls identifying himself as the executor of the estate. Who is authorized to access the records?</p>
<p>Determining appropriate release of a deceased patient&#8217;s medical records can be complex. HIPAA, sometimes blamed for denied requests, is rarely cause for a roadblock, however. The federal law does extend a person&#8217;s privacy rights into death, but it also explicitly requires facilities to release records to authorized individuals.</p>
<p>The complications typically come when a patient dies without having named a personal representative. In those instances, HIPAA defers to state law to determine access rights.</p>
<p>Though most state laws are sufficiently clear, the hierarchy may be complex, and some situations will still require judgment calls. Facility staff who are unclear on the law may err on the side of caution and refuse access rather than risk violating privacy laws. On the other extreme, they may release records without requesting proper verification or release them rather than upset or anger the requestor.</p>
<p>The best practice, experts say, is to gain knowledge of the law, share it, and request that patients identify their personal representatives during the admission process.<span id="more-902"></span></p>
<h5>What Did HIPAA Change?</h5>
<p>&#8220;The problem is a lot of people don&#8217;t really understand how HIPAA operates in collaboration with the existing state regulatory framework that they live in&#8230;&#8221; says Barry Herrin, JD, FACHE, a partner with the Atlanta-based law firm Smith Moore Leatherwood LLP. &#8220;HIPAA is not the bad guy here.&#8221;</p>
<p>HIPAA did not create a new rule, Herrin says, and in instances where it does prevent someone from accessing patient records, generally speaking, it is reinforcing existing state laws on how deceased patient matters are handled.</p>
<p>HIPAA leaves it up to states to determine who qualifies as a deceased patient&#8217;s personal representative, the person who has legal rights to access another&#8217;s medical record. This is clear cut when a patient has signed a HIPAA release or named an executor to his or her estate. But when a patient dies without doing either, HIPAA defaults to state law to determine the hierarchy of rights to that person&#8217;s estate and health records.</p>
<p>The privacy rule states that people have the same privacy rights in death as they do in life. But it also requires that healthcare facilities must release medical records to those people either appointed by the patient or who are deemed a personal representative by state law. Because of this, Herrin says that HIPAA law can actually help authorized individuals access deceased patient&#8217;s medical records.</p>
<p>HIPAA also requires a covered entity to verify the identity of a person requesting protected health information as well as their authority to such access. Just because someone is related to a deceased patient does not mean they have a right to their record. &#8220;There is a difference between identity and status,&#8221; Herrin says. &#8220;You have to verify both.&#8221;</p>
<p>Though HIPAA federalized this requirement, the act of authenticating requestors of protected health information was being done in many facilities long before HIPAA was passed. Aurora Healthcare, based in Milwaukee, WI, updated their information release policies to include specific language about verification following HIPAA implementation. But the rule did not change their practices significantly, says Peg Schmidt, RHIA, Aurora&#8217;s chief privacy officer.</p>
<h5>Varying State Laws</h5>
<p>State laws can get complicated regarding who has rights to access or authorize the release of a person&#8217;s record after death.</p>
<p>In Utah, pre-HIPAA policy was to follow a hierarchal next-of-kin list regarding who had authorization to a deceased patient&#8217;s record. But after HIPAA was implemented, some providers felt they needed clearer direction from the state on whether it was still legal to discuss a deceased patient&#8217;s medical care with his or her spouse, says Mary Thomason, MSA, RHIA, CHPS, CISSP, privacy compliance consultant with Intermountain Healthcare, based in Salt Lake City. Because of this, Utah legislators passed specific state laws to define exactly who qualifies as the personal representative of a deceased patient.</p>
<p>The executor has first rights to the patient&#8217;s records. But if no executor was named, the patient&#8217;s spouse or adult child can become the deceased&#8217;s personal representative. Proving status as a personal representative requires that a person must receive a letter of appointment from a probate court.</p>
<p>Even though the law is relatively clear, Thomason&#8217;s facility has had to deny records requests in the past and deal with disputes. A common dispute occurs when adult siblings want to deny record access to brothers and sisters. &#8220;In that case we basically say, &#8216;Hey, we are not the court. Go back to the probate court and find out who gets the letter of appointment to represent the estate, and that is the person we will deal with,&#8217;&#8221; Thomason says.</p>
<p>The situation in Wisconsin is more complicated. In Wisconsin, different laws govern the release of behavioral health records and general medical records.</p>
<p>With behavioral health records, access rights first go to the executor of the estate. If there is no executor, the patient&#8217;s spouse has sole rights of access. If there is no spouse or executor, a &#8220;responsible member of the patient&#8217;s family&#8221; comes next, Schmidt explains.</p>
<p>With the general record, the patient&#8217;s personal representative and spouse or domestic partner share access rights equally. &#8220;None is higher than the other, none can cancel out the other&#8217;s authority,&#8221; Schmidt says. If those individuals do not exist, then the personal representative is defined as any adult member of the deceased patient&#8217;s immediate family, such as children, parents, grandchildren, siblings, and even spouses of siblings.</p>
<p>All share equal rights to the record. Discretion is left up to the healthcare staff handling the request to decide if record requestors meet state law requirements as a personal representative. No one official document is required for access.</p>
<h5>Common Disputes</h5>
<p>With so many people authorized to access the record in Wisconsin, verification issues can arise. At Aurora Healthcare, the burden of proof lies with the requestor. Providing that proof is not always easy, and it can lead to people being denied access.</p>
<p>&#8220;The verification of some of these situations becomes a little difficult,&#8221; Schmidt says. &#8220;They have to prove their relationship to the deceased, and that is not always easy for them to do.&#8221;</p>
<p>A spouse can present a marriage certificate, but brothers and sisters lack comparable documents that show their relationship to the deceased. &#8220;They have to be able to just prove their standing in the family and their relationship to that person any way that they feel they can,&#8221; she says. It is up to staff to decide whether someone has provided adequate proof that they are authorized to access a deceased patient&#8217;s record.</p>
<p>&#8220;These are just things that you do to the best of your ability,&#8221; Schmidt says. &#8220;You are always looking for that comfort feeling of &#8216;this feels right&#8217; or &#8216;this doesn&#8217;t.&#8217; And sometimes that is all you are left with.&#8221;</p>
<p>Wisconsin state law leaves the potential that legally authorized individuals could be denied deceased patients&#8217; health records due to their inability to prove their authorization. However, Schmidt says the law has worked well at her facility, and she hasn&#8217;t encountered many problems with verification.</p>
<p>People become upset when they feel entitled to the patient&#8217;s medical record even though state law blocks their access, Thomason says. Under most state laws, a healthcare agent for a patient loses authority after the patient dies. If that agent was not named as an executor to the deceased patient&#8217;s estate, and is not related to the deceased, then that person is denied access, even though they most likely would feel entitled to the records.</p>
<p>Another common situation occurs when a patient dies and the spouse breaks all contact with the deceased&#8217;s immediate family, Schmidt says. The deceased&#8217;s siblings would not have authorization to access the records because the spouse holds all rights of access. &#8220;If the spouse really has moved on, the immediate family probably feels they have a right to that patient&#8217;s record, and technically they do not,&#8221; Schmidt says. &#8220;Those situations get hard.&#8221;</p>
<p>In July Wisconsin legislators amended state confidentiality laws to allow domestic partners the same authority over a patient&#8217;s records as a spouse. However, the change was only for general records, and it did not affect laws governing behavioral health medical records, an oversight Schmidt says could lead to some problems.</p>
<p>But the change will still help with a number of situations. &#8220;Somebody who took care of someone for 20 years and suddenly loses all authority, and the family steps in and kicks them out,&#8221; she says, &#8220;we have seen that. So I think it will help some people.&#8221;</p>
<h5>Preventing Ambiguity</h5>
<p>The most direct way for facilities to prevent record access disputes is to require patients to sign release of information authorizations or name their personal representative upon their admittance, Herrin says. Many healthcare facilities only ask patients for the name of someone they can contact in an emergency or the person who is the responsible party on their account. These questions do not identify who may legally access their medical records.</p>
<p>If a patient has not declared an executor or personal representative, Herrin recommends that a patient advocate or other staff member assist in filling out the proper paperwork. A HIPAA authorization form specifically identifies who can access their medical records before and after their death. This form should be filled out during or just after patient registration.</p>
<p>Federal law requires hospitals to ask admitted patients if they have an advance directive. Many facilities merely ask patients if they have an executor of their estate or have assigned a durable power of attorney, but they do not collect the actual advance directive documents, Herrin says. Requiring that these documents be included in the medical record on the front end can save hours of arguing if disputes arise later.</p>
<p>&#8220;It is that kind of preparation that HIPAA specifically allowed that people are not taking advantage of,&#8221; Herrin says. &#8220;They are treating HIPAA as a shield, instead of a sword.&#8221;</p>
<h5>Best Practices</h5>
<p>Unless state law dictates otherwise, healthcare facilities should require that requesters present a court-authorized document showing they have authority to see the record. A hospital is not a court, and staff should not have the responsibility of determining who has first authorization rights.</p>
<p>&#8220;Why should the hospital spend all its time and resources hiring a lawyer to fight this fight [between people over records],&#8221; Herrin says. &#8220;Just tell them, &#8216;Look, whatever court of whatever county handles disputes about who is in charge. You all go fight about it there and tell me who won.&#8217;&#8221;</p>
<p>HIM professionals in general err on the conservative side when releasing medical information, Schmidt says. &#8220;We are trying to err on protecting that person&#8217;s privacy, and [we] just try to make that judgment call thinking in terms of the best interest of the patient as a human being,&#8221; she says.</p>
<p>There are varying reasons why patients may not want family members to access their records after death. A common reason for privacy, Herrin says, is when a person is dying from a &#8220;catastrophic disease&#8221; such as HIV and does not want family members or others to know. The patient deliberately shielded his or her health information from them while alive, and that decision must be protected after death. Release of information staff should not be tempted to simply release a record rather than deal with irate requestors, Herrin says.</p>
<p>&#8220;If it is your medical information or your mother&#8217;s, and something happens to you or her, do you want everybody in your family poking around in that stuff?&#8221; Herrin says. &#8220;If the answer to that question is no, then you can&#8217;t be mad at HIPAA for making a person go and become the personal representative of a deceased patient&#8217;s estate. Because that is precisely what it is intended to do, to stop people from poking around in your stuff.&#8221;</p>
<p>Thomason can see how facilities that do not have ample access to legal counsel could restrict their policies rather than break the law by issuing records to an unauthorized person. But ignorance of the law is not an excuse, she says.</p>
<p>HIM professionals responding to a release of information request have a duty to explain why a record request is denied, Schmidt says. Aurora Healthcare keeps the state&#8217;s hierarchical chart of authority on hand for staff to reference. Facilities can also keep a sample copy of a valid court document to show requestors how to become a personal representative or executor, Thomason says.</p>
<p>&#8220;Part of our role is to educate the requestor on the true facts of why they can or can&#8217;t [access the record] or what the rules are,&#8221; Schmidt says. &#8220;I would sure hope we never see someone just give an outright &#8216;Well, it is HIPAA.&#8217; Because that is never really the answer, directly.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/08/04/rights-to-deceased-patient-records/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>ARRA Privacy Provisions Present IT Challenges</title>
		<link>http://journal.ahima.org/2009/08/01/arra-privacy-provisions-present-it-challenges/</link>
		<comments>http://journal.ahima.org/2009/08/01/arra-privacy-provisions-present-it-challenges/#comments</comments>
		<pubDate>Sat, 01 Aug 2009 13:03:47 +0000</pubDate>
		<dc:creator>Kevin Heubusch</dc:creator>
				<category><![CDATA[ARRA]]></category>
		<category><![CDATA[Electronic records]]></category>
		<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=883</guid>
		<description><![CDATA[In the August print issue, Journal writer Chris Dimick describes the challenges California healthcare organizations face in determining their responsibilities under tough new state law on health data breach notification and even newer federal law created by ARRA.
The breach notification requirement is not the only ARRA privacy provision shaking up healthcare organizations in California and [...]]]></description>
			<content:encoded><![CDATA[<p>In the August print issue, Journal writer Chris Dimick <a href="http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_044376.hcsp?dDocName=bok1_044376" target="_blank">describes the challenges</a> California healthcare organizations face in determining their responsibilities under tough new state law on health data breach notification and even newer federal law created by ARRA.</p>
<p>The breach notification requirement is not the only ARRA privacy provision shaking up healthcare organizations in California and across the country. It is just the most pressing—final rules appear this month, and organizations must be compliant within 30 days.</p>
<p>Three additional ARRA provisions around privacy and transparency have providers and vendors buzzing, because current electronic record systems cannot meet the requirements.</p>
<p>In many ways, the three provisions describe what EHR systems should be able to do, not what they can do. In the coming months it is up to the federal government to fill in the details. In the coming months and years, it will be up to providers and vendors to adapt and create systems that meet them.</p>
<p>Dimick’s conversations with privacy experts in California continue below, expanding to new provisions on accounting for disclosure, suppressing disclosure of treatment for services paid out-of-pocket, and providing electronic copies of electronic records.</p>
<p>* * *</p>
<h5>Accounting for Disclosure</h5>
<p>HIM professionals and others are concerned with ARRA’s new accounting for disclosures provision, which requires healthcare facilities using EHRs to provide an accounting or audit trail of all record disclosures. This represents a major change from the current HIPAA laws, which exempt disclosures for treatment purposes and routine healthcare operations. Most state laws do not address accounting for disclosures, and they rely on HIPAA to set the rules.<br />
<span id="more-883"></span></p>
<p>ARRA did not detail the exact content of the disclosures. The Department of Health and Human Services must deliver those requirements this month, advised by a federally appointed policy committee. Once HHS defines the required content, a second advisory committee will recommend the technical standards to enable the disclosures by the end of this year. By June 2010, HHS must promulgate the final rule on disclosures.</p>
<p>Providers are concerned that it is not technically possible to track every access to every patient record. Some feel such accounting would slow down access to records, time that could be spent treating a patient.</p>
<p>“It is very, very tough [technologically],” says Cassi Birnbaum, director of health information and privacy officer at Rady Children’s Hospital of San Diego. “We can require that everyone does a quick disclosure whenever they are handing information out to somebody outside of the organization. But when you are disclosing information to another clinician, that would be so disruptive to patient care.”</p>
<p>When disclosing information for treatment, HIM professionals will now have to also mind the “minimum necessary” provisions of HIPAA—which state that only the information necessary for an action to be carried out can be disclosed. Organizations have struggled with determining “minimum” since the day the HIPAA rule took effect. HHS is currently compiling guidance on what constitutes the minimum necessary for treatment disclosures in anticipation of the new provisions.</p>
<p>But privacy advocates like Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology in Washington, DC, keep the end goal in sight. McGraw, who serves on the advisory committee developing disclosure policy recommendations, feels that patients have a basic right to know who is accessing their medical records.</p>
<p>Gerry Hinkley, a healthcare lawyer and partner with Davis Wright Tremaine LLP, based in San Francisco, agrees. The provision helps give possession of a patient’s health record back to the patient, he says. “If your caregiver shares the information with somebody else, really for any purpose, it is your information and you should know to whom and when.”</p>
<p>The ARRA legislation may have underestimated the wide variance in today&#8217;s EHR systems, but legislators did recognize that most existing systems cannot meet the accounting of disclosures rule today. Organizations using EHR systems purchased before January 1, 2009, have until January 2014 to comply with the provision.</p>
<p>Purchasers of new systems are under a much tighter deadline. Healthcare entities that purchase a system after January 1 of this year must be compliant with the new provision as of January 1, 2011. Therefore, organizations currently in the market for an EHR should discuss the provision thoroughly with vendors.</p>
<h5>Out-of-Pocket Costs</h5>
<p>A separate ARRA provision gives patients the right to prevent the disclosure of health data to their health insurance plans if they paid for the treatment out of their own pockets. Complying with this request will require separating out records generated from treatment that was paid personally by the patient, a technically difficult task in the EHR. Previous state and federal law have not set these requirements, buyers never requested the functionality, and vendors have not incorporated it in their systems.</p>
<p>When payers evaluate a claim, typically they request the entire medical record to determine if the treatment was medically necessary, McGraw says. The ARRA provision comes out of some patients’ fears that insurance providers could use certain medical information to modify coverage. The segregated records most likely would be mental health records from psychotherapy sessions, or certain reproductive health services not covered by most insurance.</p>
<p>In addition to the technical challenges, the law raises administrative questions. Organizations will require policies establishing who can and cannot access segregated information. If files are masked from payers, the EHR would have to unmask information when it is needed for treatment.</p>
<p>Ideally, McGraw says, you don’t want to resort to keeping separate systems.</p>
<p>While this segregation of records is both technically and administratively challenging, Hinkley believes actual requests for this type of action will be uncommon. Usually when patients receive treatment they want their health insurance to pay for it, he notes.</p>
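<p>The two provisions above, an accounting that covers every disclosure and a self-pay restriction that masks records from payers but not from clinicians, are easier to reason about in code. The following Python sketch is an added example, not code from the Journal or from any EHR vendor; the record and log structures, the purpose labels (“treatment”, “payment”, “operations”, “research”), and the patient, record and recipient names are assumptions constructed for illustration. It generalizes the text slightly by logging refused attempts alongside actual disclosures, so that the audit trail and the patient-facing accounting can be derived from one append-only log.</p>

```python
from dataclasses import dataclass
from datetime import datetime

# Purposes the current HIPAA accounting rule exempts (treatment, payment,
# health care operations). ARRA's EHR provision removes this exemption.
TPO_PURPOSES = frozenset({"treatment", "payment", "operations"})


@dataclass(frozen=True)
class Record:
    record_id: str
    patient_id: str
    # True when the patient paid out of pocket and asked that the item
    # not be disclosed to the health plan (ARRA out-of-pocket provision).
    self_pay_restricted: bool = False


@dataclass(frozen=True)
class Disclosure:
    when: datetime
    record_id: str
    patient_id: str
    recipient: str
    purpose: str
    released: bool  # False = attempt refused by policy, kept for audit only


class DisclosureLog:
    """Append-only log of every release decision, plus patient accountings."""

    def __init__(self) -> None:
        self._entries: list[Disclosure] = []

    def release(self, record: Record, recipient: str, purpose: str, when: datetime) -> bool:
        # Policy: a self-pay-restricted record is masked from payers but stays
        # visible for treatment, so clinicians still see the full chart.
        allowed = not (record.self_pay_restricted and purpose == "payment")
        self._entries.append(Disclosure(when, record.record_id, record.patient_id,
                                        recipient, purpose, allowed))
        return allowed

    def accounting(self, patient_id: str, regime: str = "arra") -> list[Disclosure]:
        """Disclosures the patient is entitled to see.

        regime="hipaa": current rule, TPO disclosures are exempt from accounting.
        regime="arra":  EHR rule, every actual disclosure is reported.
        """
        if regime not in ("hipaa", "arra"):
            raise ValueError(f"unknown regime {regime!r}")
        out = []
        for d in self._entries:
            if d.patient_id != patient_id or not d.released:
                continue
            if regime == "hipaa" and d.purpose in TPO_PURPOSES:
                continue
            out.append(d)
        return out

    def refused(self, patient_id: str) -> list[Disclosure]:
        """Audit view: attempts the policy blocked (never part of the accounting)."""
        return [d for d in self._entries if d.patient_id == patient_id and not d.released]


def demo() -> dict:
    """Constructed sample: one patient, one routine visit, one self-pay record."""
    log = DisclosureLog()
    visit = Record("rec-1", "pt-42")                              # hypothetical ids
    therapy = Record("rec-2", "pt-42", self_pay_restricted=True)  # hypothetical ids
    t = datetime(2009, 9, 1, 9, 0)
    results = {
        "visit_to_payer": log.release(visit, "HealthPlan Inc", "payment", t),
        "therapy_to_payer": log.release(therapy, "HealthPlan Inc", "payment", t),
        "therapy_to_clinician": log.release(therapy, "Dr. Jones", "treatment", t),
        "visit_to_researcher": log.release(visit, "Research Registry", "research", t),
    }
    results["hipaa_count"] = len(log.accounting("pt-42", "hipaa"))  # research only
    results["arra_count"] = len(log.accounting("pt-42", "arra"))    # all three releases
    results["refused_count"] = len(log.refused("pt-42"))            # the blocked payer request
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

<p>Two design points matter more than the data structures. First, the accounting and the audit trail come from the same log but answer different questions: the patient sees what was actually released, while the privacy officer also sees what was attempted and blocked. Second, the policy check is on the purpose of the release rather than on the recipient, which is what lets the same restricted record be unmasked for treatment without a separate system of record.</p>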
<h5>Electronic Copies of Electronic Records</h5>
<p>The limitations of current technology also complicate an ARRA provision that requires providers to give patients electronic copies of their electronic health records upon request. State law varies on this requirement, with most states, including California, defaulting to HIPAA regulations. Under HIPAA, providers are required to give a copy of a patient’s record in the format requested, but only if documents are “readily producible” in that format.</p>
<p>But ARRA removes the “readily producible” language and outright requires any facility using an EHR to provide an electronic copy of a patient’s health record. Many current EHR systems cannot directly produce an electronic copy of a record by burning it onto a disk or downloading it to a memory stick, Birnbaum says.</p>
<p>“There isn’t an exception for entities that have older legacy systems where you can’t produce an electronic copy,” McGraw notes. “There is no grandfather clause, no easing in.”</p>
<p>HIM professionals have already encountered this wrinkle at the state level. In Illinois, <a href="http://journal.ahima.org/2008/10/20/reducing-the-copy-fee-for-electronic-records/" target="_blank">a bill</a> proposing that patient information stored electronically must be produced electronically for release of information requests was amended after state healthcare associations argued that most current EHR systems were incapable of meeting the requirement. The subsequent law requires that a facility unable to produce its electronic documents in an electronic format as requested must send a letter to the requestor explaining why it cannot fulfill the request.</p>
<p>Again, entities shopping for EHR systems must discuss the requirement with vendors to ensure they will be compliant with the law. Birnbaum notes that the provision creates an opportunity for vendors and third-party developers to create add-ons that enable systems to reproduce records electronically.</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/08/01/arra-privacy-provisions-present-it-challenges/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Reports Pour in under CA&#8217;s New Privacy Laws</title>
		<link>http://journal.ahima.org/2009/07/07/cas-new-privacy-laws/</link>
		<comments>http://journal.ahima.org/2009/07/07/cas-new-privacy-laws/#comments</comments>
		<pubDate>Tue, 07 Jul 2009 18:40:12 +0000</pubDate>
		<dc:creator>Chris Dimick</dc:creator>
				<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=776</guid>
		<description><![CDATA[Reports of health record breach violations have been pouring into the California Department of Public Health since the state began requiring healthcare entities to report all incidents of unauthorized record access.
More than 800 reports have been filed since the law took effect January 1, according to Kathleen Billingsley, RN, deputy director of the California Department [...]]]></description>
			<content:encoded><![CDATA[<p>Reports of health record breach violations have been pouring into the California Department of Public Health since the state began requiring healthcare entities to report all incidents of unauthorized record access.</p>
<p>More than 800 reports have been filed since the law took effect January 1, according to Kathleen Billingsley, RN, deputy director of the California Department of Public Health, Center for Health Care Quality (CDPH). The agency has conducted dozens of investigations to date, she says. </p>
<p>The new laws have raised eyebrows across the country, and have positioned California as a “leader in medical privacy,” Billingsley says. Meanwhile healthcare providers have been scrambling to institute policies that adhere to the new—some say overly strict— requirements.<span id="more-776"></span></p>
<h5>Reporting Any and All Improper Disclosures</h5>
<p>In 2008 California legislators passed SB 541, which gave CDPH power to investigate and fine organizations for data breaches. Companion legislation, AB 211, created the California Office of Health Information Integrity (CalOHII) and gave the office power to fine individuals for data breaches and refer them to professional licensing boards.</p>
<p>Beginning January 1 of this year, healthcare organizations in California are required to report any unauthorized access to a patient’s personally identifiable health information—intentional or unintentional.</p>
<p>“The message we want to send is that it is no longer acceptable to view patient’s medical records or to disclose them without having authorization to see those records…” Billingsley says. “It is a major, major change in the healthcare industry.”</p>
<p>CDPH investigators had a backlog of investigations from the start. CDPH received 823 breach incident reports from January 1 to May 31, the latest numbers available. Of those cases, 122 have received a full investigation, with 116 confirmed as breaches. There were 232 cases that had ongoing investigations, and 469 reported breaches were pending an investigation. While most of the incident reports come through self-reporting by providers, CDPH also fields patient complaints regarding breaches.</p>
<p>CDPH officials were initially surprised by the high number of breach incident reports they received, Billingsley says. They expect the number to increase over time as people become more familiar with what needs to be reported.</p>
<p>The types of reported breaches vary from unintentional breaches, such as faxing a patient’s chart to the wrong Dr. Jones, to facility employees purposefully snooping in a patient’s record.</p>
<p>This latter type of breach occurred earlier this year at Los Angeles-based Kaiser Permanente Bellflower Hospital, when “Octomom” Nadya Suleman’s medical records were inappropriately accessed by 23 hospital employees. In May Kaiser Permanente received the only CDPH fine to date—the $250,000 maximum allowed under the new law.</p>
<p>Intentional breach cases have been rare, Billingsley says. Most reported breaches to date have been the result of errors.</p>
<h5>The Investigative Process</h5>
<p>Determining what corrective action should be required for a breach starts with a formal CDPH investigation. Once a facility discovers a privacy breach it has five days to notify the patient and the local CDPH Licensing and Certification office.</p>
<p>State investigators triage incoming notifications and patient complaints, investigating the most serious cases first. In most cases, investigators conduct an on-site investigation and issue a formal report to the facility. If a violation has occurred, organizations have 10 days to submit a correction plan that will prevent similar incidents.</p>
<p>Investigators determine fines based on multiple factors, including the facility’s history of breach law compliance, its actions upon discovery of the breach, and the steps it has taken to prevent or correct the situation.</p>
<h5>Individual Fines Possible</h5>
<p>After CDPH concludes its investigation, it may refer the case to CalOHII, which has the authority to fine the individuals involved and refer them to their professional licensing board for disciplinary action.</p>
<p>CDPH had referred 125 cases to CalOHII as of June 30, according to Alex Kam, CalOHII director. One of those cases is the Kaiser breach case, which Kam said is one of the first being reviewed by investigators. Originally called the Office of HIPAA Implementation, CalOHII took on its new name and added responsibilities under AB 211 legislation in August 2008.</p>
<p>CDPH refers cases to CalOHII if it determines that an individual contributed to or benefited from a privacy breach. Fines for individuals can reach up to $250,000, depending on the severity and extent of personal harm caused by the breach. In June, CalOHII was preparing to conduct its first official investigations and had not yet issued any individual fines.</p>
<p>Both CDPH and CalOHII created their enforcement programs from scratch. Nationally, HIPAA has rarely been enforced, so a true privacy breach enforcement model did not exist. Since the state laws went into effect in January, CalOHII has been busy formalizing complaint, investigation, and referral processes. The active investigation of individuals suspected in data breach incidents was expected to begin in July, Kam says, though in the months prior CalOHII staff were examining cases and preparing formal investigations.</p>
<h5>Kaiser’s Fine Sends a Message</h5>
<p>Healthcare entities scrambled to understand the new laws and evaluate their privacy and security processes against them. But the $250,000 fine against Kaiser Permanente sent a shock through facilities across the state.</p>
<p>Many providers have since had conversations about how to prevent a similar incident from occurring at their facilities, says Gerry Hinkley, JD, a healthcare lawyer and partner with Davis Wright Tremaine LLP, based in San Francisco. Many in California healthcare law were surprised by the size of the Kaiser fine. “That got people’s attention,” Hinkley says.</p>
<p>In its report on the case, CDPH investigators faulted Kaiser for not doing enough to lock down Suleman’s record once it discovered the first improper viewings. Kaiser added a notice at the top of Suleman’s record warning employees that they required authorization and a valid need in order to access medical records, according to CDPH’s report. The warning did not prevent additional breaches.</p>
<p>These missteps provided a lesson to officials at Rady Children’s Hospital of San Diego, says Cassi Birnbaum, RHIA, CPHQ, director of health information and privacy officer. “We are in the final phases of designing our new EHR system, so we certainly are looking at some of those items and figuring out what we can do to safeguard things here,” she says.</p>
<p>The Kaiser Permanente case highlighted the need for better access management controls. Hinkley notes that organizations should ensure their electronic health record systems have the appropriate levels of authentication. “I’m aware of hospitals where everybody on the medical staff can look at everybody’s medical record,” he says. “That doesn’t make any sense.”</p>
<p>Rady has sent out several breach notifications under the new California law since January, according to Birnbaum. All of them were due to inadvertent disclosures, such as a fax being sent to the wrong number. Rady has not been fined, but the organization has been required to submit corrective course of action plans after each incident.</p>
<p>While Rady has been able to meet the five-day notice requirement, Birnbaum says staff have been rushed to prepare the breach notification.</p>
<p>Hinkley describes the five-day limit as “unrealistic.” Healthcare officials have found that five days is sometimes not enough time to know which patients are affected or even to prepare a proper notification, he says. By contrast, most states with breach notification laws require organizations to send notices “without reasonable delay.” ARRA as drafted requires facilities to notify patients within 60 days.</p>
<h5>“Good Things” Come from Oversight</h5>
<p>California’s new laws are coming at a pivotal time for healthcare, says CalOHII’s Kam. “The transition to the electronic health record world is going to occur very quickly now as money starts coming out of the HITECH portion of ARRA [the American Recovery and Reinvestment Act],” he says. “And we feel it is really critical that there is consumer confidence in the privacy and security protections that come along with that change.”</p>
<p>Billingsley believes the new laws are making a difference. Organizations are instituting corrective actions to ensure future breaches do not occur, such as processes to ensure fax numbers are correct before sending out health records. They also are working to change culture so unauthorized peeping at records is curbed.</p>
<p>In the end, the goal is to protect patients and hold healthcare professionals responsible for protecting privacy, Billingsley says.</p>
<p>“We want to make sure that hospitals put safeguards in place so patients, for example, don’t go home with someone else’s discharge order,” she says. “And I can safely say I bet the hospital where this may have taken place has probably taken some pretty aggressive action to prevent that in the future.</p>
<p>“So, good things come out of monitoring and oversight.”</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/07/07/cas-new-privacy-laws/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
