[group’s] behalf without obtaining satisfactory assurance in a business associate agreement….” Consequently, if you use Yahoo! or any other internet-based email provider to email ePHI, you should make sure you have a Business Associate Agreement with the provider.
Among other things, the Corrective Action Plan requires the group to perform a risk assessment of all of its ePHI and implement a “risk management plan that implements security measures sufficient to reduce risks and vulnerabilities to ePHI identified by the risk assessment….” The Plan also requires the group to ensure that all “ePHI transmitted over an electronic communications network” is “encrypt[ed] or otherwise adequately safeguard[ed]” against unauthorized access. Incidentally, the Plan requires the group to “submit evidence to satisfy this obligation that includes text messaging of ePHI.” In other words, the Plan requires all of the group’s emails and text messages containing ePHI to be encrypted!
In addition to complying with all of the obligations in the Plan, the group paid OCR $100,000 to resolve the matter. That may seem like a lot (and it is), however, OCR could have imposed significantly higher financial penalties.
In summary, it would be wise for your practice to stop emailing any ePHI for any purpose until it has confirmed its compliance with the Privacy and Security Rules. Based on the aforementioned Resolution Agreement and Corrective Action Plan, if your practice hasn’t performed a risk assessment and implemented a risk management plan, which includes encryption of all ePHI that is emailed or texted, or if your practice’s employees use internet-based email providers to email ePHI and the practice does not have Business Associate Agreements in place with these providers, it is fair to say that you won’t be in compliance with OCR’s interpretation of the Rules.
Arizona Pain Specialists
Dear Arizona Pain Specialists:
One of our MAs had written patient records, which she was transporting between offices, stolen from her car. Do we have to notify the patients whose records were stolen – we’d rather not?
Desperately Seeking Records
Dear Desperately Seeking Records:
Your story is all too common… and preventable!
The short answer is, probably. And, if you must notify the patients whose records were stolen, you also must notify OCR. Moreover, if more than 500 patients’ records were stolen, then you also must notify the media in your area.
The Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which was passed in 2009 as part of the economic stimulus legislation, provides grants to physicians who implement certified electronic health record systems and satisfy the meaningful use criteria. The Act also requires covered entities to notify patients, OCR and, possibly, the media when there is a breach of “unsecured protected health information.”
A breach occurred if the stolen patient records contained information that presents “a significant risk of financial, reputational or other harm to the” patients. For example, if the records contained patients’ names, dates of birth, social security numbers and addresses, this would present a significant risk of financial or other harm to the patients. Moreover, if the records contained sensitive or potentially embarrassing medical information, then there would be a significant risk of reputational or other harm.
The HITECH Act contains certain exceptions to the breach definition that, if applicable, would not require notice. Unfortunately, none of those exceptions is applicable to stolen patient records. However, even if there was a breach, you would not have to provide notice unless the patient records constitute “unsecured PHI.”
“Unsecured PHI” is PHI “that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary [of the Department of Health and Human Services] in guidance issued under [the HITECH Act] on the HHS Web site.” Since the patient records were written records, they were usable, readable or decipherable to whoever has them. Consequently, they constitute “unsecured PHI.”
The HITECH Act requires you to document your breach analysis, and the commentary to the regulations implementing the HITECH Act identifies a number of factors that should be considered. Make sure your analysis includes these factors!
If you determine that a reportable breach occurred, you must notify the affected patients as soon as reasonably possible, but not later than 60 days, after the date you discovered the breach and notify OCR within 60 days following the end of the calendar year. If you must notify patients, the notice must be written in plain language and, to the extent possible, include the following:
□ A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
□ A description of the types of unsecured PHI that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
□ Any steps patients should take to protect themselves from potential harm resulting from the breach;
□ A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to patients, and to protect against any further breaches; and
□ Contact procedures for patients to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, website or postal address.
The patient notice must be sent to the patient via first class mail to the patient’s last known address or, if the patient agreed to electronic notice and the agreement has not been withdrawn, via email. If additional information becomes available, the information may be provided in more than one mailing, as the information becomes available. If there is insufficient or out-of-date contact information that precludes written notice, you must provide a substitute form of notice as specified at 45 C.F.R. § 164.404(d)(2). If you believe there is a possibility of imminent misuse of a patient’s unsecured PHI, you may provide the required information via telephone.
With respect to the notice to OCR, the notice must be submitted electronically via a breach report form which is available on OCR’s website:
Arizona Pain Specialists
Dear Arizona Pain Specialists:
Our practice wants to include patient testimonials on our website. Are there any issues we should be aware of beforehand?
Dear Testimonially Naïve:
Patient testimonials are a great thing; they’re also PHI. Consequently, even if a patient consents to posting a testimonial, you should not do so unless the patient executes a HIPAA-compliant Authorization that expressly authorizes the practice to disclose the patient’s PHI. Since the HIPAA Privacy Rule generally prohibits indefinite Authorizations, you will need to make sure you have a policy and system in place to get an updated Authorization as previous Authorizations expire.
In addition, since your testimonials will identify the patient in some way, it is a good idea to have the patient sign a separate consent documenting the patient’s consent to the use of the patient’s identity and statements for promotional purposes. Otherwise, the practice risks a patient claiming that it violated not only the patient’s right to privacy but also the patient’s intellectual property rights.
Arizona Pain Specialists
Bryan Bailey is an attorney at Milligan Lawless, P.C. specializing in health care law and business transactions. Dr. Lynch and Dr. McJunkin own and operate Arizona Pain Specialists, a comprehensive pain management practice that provides minimally invasive, clinically proven treatments, with three locations in the greater Phoenix area. Dr. Lynch and Dr. McJunkin also provide consulting services to other pain doctors around the country through their partner company, Boost Medical. For more information, visit ArizonaPain.com and BoostMedical.com.