Massachusetts Lahey Hospital has agreed to pay $850K over a stolen laptop containing the ePHI of 599 individuals. That works out to over $1,400.00 per individual. It goes without saying that the 2011 incident led to an investigation that found numerous instances of noncompliance with HIPAA rules throughout Lahey Hospital, including a failure to conduct a risk analysis on all electronic protected health information (ePHI) as well as a failure to safeguard a workstation that had access to ePHI. Equally unremarkable is the fact that the hospital also agreed to implement a corrective action plan that includes a full risk analysis as well as a risk management plan.
The risk of losing mobile devices is real, the lack of encryption is tragic, the apparent norm of a failure to have a proper risk analysis is almost the expected result of an investigation/audit, and the corrective action plan is to be expected.
However this incident traces back to 2011 – before there was heightened awareness of these issues and consequences.
The real issue is the current reality where many small, medium and relatively large Covered Entities think that breaches only happen to others, that they will never have a breach, that the likelihood of a random audit is too remote to worry about, and that they will never have to consider the cost of being wrong. The penalties seem to be rising, and the associated legal expense, the cost of a compliance agreement and the reputational cost may ultimately be more than many Covered Entities can sustain.
The Possibilities are Awesome
The Benefits are Incalculable
The Cost is Staggering
While Consistent with Outcome Based Reimbursement
Insurers taking on long term mortgages is Sobering and Transformative
Apparently valuable vouchers for expedited drug approval are being traded/sold by and between Pharma companies. The game is the same but the prices are staggering.
It is readily evident that with the current advances in medical treatment, life is often prolonged and, unfortunately, quality-of-life does not necessarily keep pace with the medical advances. More simply stated, as our population grows older, the need for long-term care seems to be increasing, and therefore, considering Long-Term Care insurance becomes more important. There are cases, however, when Long-Term Care insurance (LTC) may come into play at a younger age. A few examples that come to mind are auto accidents, chronic diseases, or disabling accidents.
Not all LTC policies are created equal, and it is important to understand the differences and deal with an experienced and ethical broker or a qualified consultant. In my experience, most people do not deal with consultants, thus dealing with the right broker is of paramount importance.
I will list a few (but not all) of the considerations in choosing an LTC policy.
Unlike an expense-incurred policy, in the event of a covered event with an Indemnity policy, the insured will receive the maximum per day as long as he/she incurred an expense for an allowed benefit; arguably, in the example set forth above, the $40 daily expense incurred would entitle him/her to the $300 daily maximum.
A Disability-type LTC policy will entitle the insured to receive the maximum amount for any day he/she is deemed to be eligible to receive benefits under the policy – irrespective of any expenses actually incurred.
Accordingly, there may be a significant difference depending on whether the cap on (total) benefits is measured in dollars or in time.
Taking all these factors into account, as well as the different prices for different policies, creates a very complicated decision-making process, which may be mystifying or confusing to the uninitiated. There are qualified brokers, however, who are ethical and honest in selling Long-Term Care, disability and life insurance policies. I know because in my practice I deal with brokers who pretty much run the full continuum. I am not here to advertise for or promote a particular broker, but would advise anyone looking for Long-Term Care or disability insurance to conduct some due diligence into the broker or advisor. My rule of thumb is that what separates the pros from the people seeking a “quick commission” can be easily seen when gathering information as to the time, effort and energy the broker is willing to devote when there is a claim years after the policies were sold. Obviously, my law firm is not an insurance brokerage, and therefore, we refer inquiries to brokers who have the knowledge and ethics to place the client’s needs before their commissions.
This article is for informational purposes only, is not meant to dispense any legal advice, may be considered attorney advertising in certain jurisdictions, and is written to illustrate the various differences there may be among policies, as well as the importance of making a well-informed decision considering the many variables that should be explained by the insurance broker.
A few months ago, I came across a number of articles regarding Washington state schools placing IUDs in girls as young as the sixth grade without their parents’ knowledge through a Medicaid program known as “Take Charge.” The story received considerable media play. I do not wish to get into either the necessity or the propriety of this story, although it is ironic that Middle and High school students can’t get a Coca Cola or candy bar at local public schools. My interest was (and still is) how this situation plays out with respect to both the Federal and State laws.
I believe that in the final analysis, based on prevailing law, not only was the IUD placement without parental knowledge or consent within the law; the startling part is that if this issue was disclosed to a parent without the consent of the minor (child), it might very well be in violation of the law. The analysis is somewhat complicated, but I will try to break it down into bite-sized pieces.
The first step is the Federal law regarding the privacy of patient records. Typically, Federal law supersedes State law, and therefore, we would only have to address the Federal law. The Omnibus Rule, however, allows for the stricter of Federal or State law with respect to patient privacy.
Under § 160.203 (“General rule and exceptions”), the protections afforded under the HIPAA Privacy Rule preempt the provisions of State law, except if certain conditions are met. One of those conditions, as set forth in § 160.203(b), is that “[t]he provision of State law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification adopted under [the Privacy Rule]”.
Under § 160.202 (“Definitions”), the term “more stringent” means, in comparing the State law and a provision of the Privacy Rule, a State law that meets one or more of certain criteria, which include a State law that, “[w]ith respect to any other matter, provides greater privacy protection for the individual who is the subject of the individually identifiable health information.” (See § 160.202(6).)
We have established that to the extent that State law is more stringent with respect to protecting the privacy rights of the patient, the State law of Washington comes into play.
The general age of majority in the state of Washington is 18 (as set forth in RCW 26.28.010); however, there are specific exceptions, one of which is birth control services, in which case a minor’s consent is sufficient for confidential care, the parent/guardian’s consent is not required, and the parent/guardian need not be notified. In fact, this rule holds true at any age. (RCW 9.02.100(2))
It is apparent that Washington State law (at least as understood by the schools) interprets the reproductive privacy law to mean that anyone, including the child, has a fundamental right to choose or refuse birth control.
To round out the picture totally, the law further states that “if the patient is a minor and is authorized to consent to healthcare without parental consent under Federal and State law, only the minor may exercise the rights of the patient under this chapter as to the information pertaining to healthcare to which the minor lawfully consented.” (RCW 70.02.130(1))
The sum total of all of this information is that, arguably, in the state of Washington a child of any age can allow for the placement of an IUD without parental knowledge or consent, and it is only the child who can consent to the release of that information from the medical practitioner to the parent/guardian. Presumably, a parent might ask for the child’s medical records, or the child might be brought to the doctor because of bleeding or any other symptom that is a consequence of an IUD, and the medical practice is prohibited from releasing this information to the parent without the consent of the child. One can only wonder what the medical staff is supposed to tell the parents of an 11-year-old.
It would logically follow that if the medical provider, or his/her staff, in fact communicated the fact that the child had an IUD, it would be a breach under HIPAA.
I will leave it to the readers to decide if this situation makes any sense, what goals are achieved, and if this is just another example of the effects of unintended consequences.
Irrespective of anyone’s personal belief, this situation, at a minimum, underscores the fact that even when emphasis is placed on compliance with HIPAA, individual State laws must be complied with and both doctors and their staffs (as well as business associates) must be aware of operative State laws.
What do you think?
DISCLAIMER – This post and the analysis submitted are not a legal conclusion and should not be construed as such but are presented for discussion and informational purposes.
I am not admitted to practice in the state of Washington, I am not certain that my analysis is correct under Washington law, and I invite any practitioners who disagree with my analysis to comment and explain why this analysis is incorrect. As always, legal advice and training should be obtained from licensed professionals within the jurisdiction.
The medical community is subject to unprecedented governmental requirements to protect the privacy of patient data. The governmental interest in, and incentives for, digital storage and transmission of ePHI are clear, and the safe harbor for encryption has pushed the medical community, and thereby their business associates, to achieve the highest levels of encryption.
On the other hand, the United States government stands firm in its opposition to “strong” encryption.
I believe that there are two competing interests: privacy and security. HIPAA and the associated rules and regulations are firmly grounded in a patient’s right to privacy, and therefore the balance is firmly tipped in favor of privacy. Moreover, the encryption safe harbor is somewhat illusory if encrypted data can be accessed. While it is possible that the covered entity or business associate may not be subject to fines, they will have to notify those who are affected and suffer the reputational loss associated with a breach.
On the other hand, the government must prevent crime, terrorism and other misdeeds, and to that end it is opposing “strong” encryption. However, in the final analysis, I do not think that demands can be made on the medical community, and the business community at large, to move toward impregnable encryption and functionally zero tolerance for breaches of information, while on the other hand insisting on “back doors” to make encrypted data accessible.
I believe that in the final analysis this is a zero-sum game. If encryption is “strong” enough that governments may not be able to access it through the service providers, and there is end-to-end encryption with service providers rendered unable to access the information, we will be protecting information like ePHI, sensitive personal financial information, and other information that should be private. Conversely, if we allow governments the ability to access information, the privacy of law-abiding citizens and the protection of ePHI, etc., may be compromised.
The basic arguments are:
Government – we need the ability to monitor information passing through US computer networks. This is the position of Admiral Mike Rogers, director of the NSA.
Counterargument – if the United States has the right to have back doors for the US government (as a governmental right), other governments should have that right as well, e.g. China, Russia, etc. This position was articulated by Alex Stamos, then a security engineer at Yahoo. As an aside, Yahoo and Google are currently working on an end-to-end email encryption system that may be ready by the end of the year.
Government – the rise in encryption has rendered a significant part of the Internet “dark,” making it harder to track terrorists and other criminals.
Counterpoint – Skype seems to have end-to-end encryption for the Skype video service (as opposed to making phone calls on it), and therefore, with respect to the criminal element, all you need is one service through which criminal information is inaccessible.
Furthermore, the companies that handle the transmission of emails and other digital information say that providing any backdoor weakens encryption. Whit Diffie, a 71-year-old pioneer and co-inventor of the basic approach used in most modern encryption systems, seems to believe that it is counterproductive to try to build the special access governments are seeking.
It is interesting to note that the French intelligence services have been the beneficiaries of a bill that was passed in May legalizing phone tapping and email interception. With respect to England, David Cameron has proposed a ban on “strong” encryption to ensure that terrorists do not have a safe space in which to communicate.
There are over a billion email users around the world, and the use of email and digital transmission of private information is rising, as is the incidence of cyber crime, hacking by rogue nations, and the need for secure digital information and transmission.
In the final analysis it is difficult to find the exact intersection/equilibrium of crime prevention (with respect to criminals and terrorists) and the rights of privacy of law-abiding citizens. This issue is only made more complex when the government is encouraging digital storage and transmission of the very information it rightfully demands to be held private.
What do you think?
How accurate is the Five Star rating system in assisting the general public to determine which nursing home to select?
The Government Accounting Office (GAO) has accepted a request to investigate the rating system used on the Nursing Home compare website.
This request stems from a request by Senators Bob Casey (D-PA) and Ron Wyden (D-OR) after CMS (this past February) added quality measures on antipsychotic medication use and staffing levels to the ratings displayed on the website. Apparently, the estimate was that 4,777 out of 15,500 nursing homes would see a drop of at least one star. Obviously, in a five-star rating system, the drop of one star is very significant.
Similarly, Rep. Elijah E. Cummings (D-MD) has asked for a briefing with the Centers for Medicare & Medicaid services on the website’s rating system.
As I understand it, the American Health Care Association (AHCA) has taken issue with the rating system, as it does not give proper weight to residents seeking nursing home care on a short-term basis for rehabilitation or therapy, and is heavily weighted toward long-term care.
Furthermore, there are concerns that the February changes do not really affect how well the residents will fare during their nursing home stay.
It is interesting that while the five-star system will come under review, there is no current roadmap with respect to the metrics (and relative weight) that should be employed to give an accurate five-star rating.
Obviously, HIPAA, or people’s interest in maintaining their privacy, would preclude (or at least severely limit) reviews by residents or their families in which they could give details regarding their ratings.
We have become accustomed to relying on five-star rating systems, e.g. Amazon or eBay, which are becoming more widely accepted and, in my experience, with a little due diligence are highly accurate and predictive. It is therefore important that five-star rating systems which DO NOT have detailed/descriptive ratings by the residents or their families have accurate metrics and weighting, as they will be relied on for very important decisions – clearly more important than the average purchase on Amazon or eBay.
CMS is currently testing a new payment model seeking to avoid hospitalizations by funding nursing homes and practitioners for more extensive intervention.
On August 27, 2015, CMS reported that seven organizations will test the efficacy of the new payment model for nursing home operators and practitioners by funding higher intensity interventions in the nursing facilities for residents who may otherwise be hospitalized. The goal is in recognition of the fact that treatment at nursing homes is less expensive than hospitalizations.
The Centers for Medicare & Medicaid Services has been working with seven “Enhanced Care and Coordination Providers” (ECCPs) for the past three years to gather information. These organizations may apply to test the new payment model.
While this should come as no news to anyone involved in revenue cycle management for nursing homes or hospitals, the agency said that “improving the capacity of nursing facilities to treat common medical conditions as effectively as possible within the facility has the potential to improve the residents’ experience at lower cost than a hospital admission.”
Significantly, the model also includes payments to physicians, NPs and PAs – which makes me wonder if part of this initiative will also include increased responsibilities for the nurse practitioners and physician assistants.
This model is currently scheduled to run from October 2016 to October 2020.
Today was the absolute worst day ever
And don’t try to convince me that
There’s something good in every day
Because, when you take a closer look,
This world is a pretty evil place.
Some goodness does shine through once in a while
Satisfaction and happiness don’t last.
And it’s not true that
It’s all in the mind and heart
True happiness can be obtained
Only if one’s surrounding are good
It’s not true that good exists
I’m sure you can agree that
It’s all beyond my control
And you’ll never in a million years hear me say that
Today was a good day
Please, now read from bottom to top.
In reviewing the various reports of HIPAA breaches as a subset of the almost everyday occurrence of significant data breaches, and the recent reports of significant breaches of information that is either entrusted to the government (e.g. medical and/or credit information) or that the government is both logically and legally responsible for safekeeping, there seems to be a significant disconnect. With respect to HIPAA, the current regulatory environment seeks a very high level of compliance, with significant fines and governmental interventions in the case of a breach, but when the government drops the ball, the most we can expect is “OOPS,” and maybe not even that.
Without going through the litany of recent governmental breaches, I will highlight the White House’s recent confirmation that the Office of Personnel Management suffered a SECOND cyber attack in which the data of 4.2 million Federal employees was stolen. In addition, the April 2015 report of the Office of Inspector General (OIG) reported the results of its audit of the security controls of the Department of Health and Human Services (HHS) which identified numerous deficiencies.
Imagine a father heartily puffing on a cigar, and a mother vigorously inhaling the smoke from her cigarette lecturing their teen about the dangers of smoking, while at the same time (in the name of proper parenting skills) advising their child of the consequences they would administer if their child began smoking. I imagine that at least to some, this scene would seem somewhat hypocritical.
I fully understand that there must be limitations on the ability for private citizens to sue the government and/or its employees carrying out governmental functions (sovereign immunity), but the real question is the propriety of placing standards on private industry before one cleans up one’s own house.
You may find this to be HIPAA-Critical (hypocritical), or you may feel that there is a critical need for the protections that HIPAA mandates and therefore that immunity and consequence-free breaches are appropriate.
Irrespective of the answer, to the extent that we are asked to trust the government with private medical information (PHI) for its healthcare exchange, and to the extent that, at some level, the government may be competing with medical providers (e.g. various forms of Medicaid), is it appropriate to have two standards?
What do you think?