Wearables, medical devices and HIPAA are just some of the questions we have gotten recently. Today’s episode is privacy and security news plus listener questions.
In this episode:
Wearables Plus More HIPAA Questions – Ep 241
2020 Spring Session Dates
March 24, 25, 26
2020 Fall Session Dates
Sept 15, 16, 17
For info go to TheHIPAABootCamp.com
Share Help Me With HIPAA with one person this week!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com.
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
Wearables Plus More HIPAA Questions
We get questions every day from a wide variety of sources. Mostly our clients, but also podcast listeners and occasionally random people who have heard me speak will reach out in desperation for guidance on something obscure. Well, at least obscure outside their normal privacy and security domains. We, well you know I mean I, got way behind in responding to emails coming in. So sorry for that, folks, but at least I did send something back to you – eventually. My list was backed up, so I just answered questions for a while this week. Yes, I know you all wish you could get HIPAA questions every day. The excitement is like no other!
In the news
First let’s touch on a couple updates to stories we have been following in the news.
This guy I just don’t begin to understand. Is it arrogance, boredom, or ignorance? What could make any provider of care think that it is acceptable to perform a procedure on a sedated patient while standing on a hoverboard, film it and then share it with people? In January, Seth Lookhart was convicted of 46 counts of felony medical assistance fraud and scheming to defraud, plus misdemeanors for illegally practicing dentistry and reckless endangerment.
That is just what has happened in the first round. There will probably be more based on what prosecutors were able to use against this guy. He was running fraud schemes against Medicaid and felt that he was never going to get caught. They said a lot of evidence “was often supported, and often in excruciating detail, by Lookhart’s own texts, photos and videos.” Looks like the arrogance thing may be a key element. The patient who was treated never agreed to oral surgery while hoverboarding, nor did she consent to being filmed. Her statement was that if she had been asked she would have said “Hell, no!”
It will be interesting to see if the OCR will make a run at the case. There is a lot to it if you read the Alaska AG announcement. The office manager was involved; they were ordering IV sedatives for Medicaid patients and making a bunch of extra cash that his partners didn’t know about.
Issues with partners
Speaking of that, we got a question about what a practice could give investigators when you have turned in one of your ex-providers for problems you found while they worked for you. Our advice was to document everything you do in the case, even more so if PHI must be disclosed. You are allowed to work with Federal and State agencies investigating fraud, corruption, and other illegal activity. It is important to only include patients related to the case and only the minimum information needed by the investigators. Get everything in writing from them, though. Patients may not be in the know until much later in the investigation. The woman in the hoverboard case had no idea what had happened to her until investigators showed up at her door.
While this is not a healthcare case, this kind of case will be happening in healthcare, if it isn’t already. In a lawsuit against its IT provider, this company claims that it is the IT company’s fault that lax security resulted in hackers stealing more than $1,750,000 from their business and sending it to Hong Kong and Cambodia. The suit is over the service order, and for professional negligence and malpractice. It is only for $25k plus legal fees. All the juicy details can be found in that link.
According to the suit, the IT company, Involta LLC of Cedar Rapids, Iowa, was hired in 2017 to provide security protections for their business data. The deal goes back to April 2017, when they signed a three-year contract for $10,995 a month. The company claims that when they figured out what was going on and contacted Involta, they were told there was no breach and Boardman was the one with a problem. The “ticket” was closed at that time. Involta had gotten into the Ohio area by acquiring two MSPs there to expand their business from Iowa. Sounds familiar to some, I am sure.
Other allegations include that the internal IT staff was not allowed to do anything with the security settings and had no authority within the system. They also say that the computers were not all protected by AV, leading to 114 infections being found weeks after the attack. I assume that some other vendor came in and found that problem.
Why did we share this story? Two reasons, really: IT providers need to step up and be part of the solution as much as anyone else does. Plus, one very sad point. According to their website:
“Healthcare is 38% of Involta’s Business, reaching 13 states.”
A case has been working its way through the courts for years now. Ciox challenged what HHS had said they could charge for their records search, retrieval and delivery services. As the ruling states:
“For years, the medical records industry understood that the limitations imposed by the Patient Rate applied only to requests for PHI made by the patient for use by the patient. For other types of requests, such as those made by commercial entities, like insurance companies and law firms, the records industry understood that the allowable fee was not restricted by the Patient Rate.”
The guidance in 2016, which we now know as the $6.50 guidance, changed everything. We have covered this many times. Well, forget everything: this ruling has changed things again. Ok, maybe not forget everything, but some of it has changed.
Three points were challenged in the suit:
- When can the “Patient Rate” be used for third parties
- What can be included in the “Patient Rate” labor fees and alternative calculations
- Requirements to send PHI to third parties based on the patient requested format regardless of how the PHI is being stored.
The court ruling makes the normal kind of sense you would expect from legal statements.
Basically, the court agreed with Ciox on two points: fees for third-party requests don’t have to use the Patient Rate, and the mandate on the format of delivery to third parties.
We will be watching this one as things progress and all the lawyers attack it.
HIPAA Fax Cover Sheet Requirements
First, it is hard to believe we are still talking about faxing in healthcare. I never talk about faxing anything with anyone outside healthcare. But here we are, proving how slow the industry is to change its ways. We got a question from Krista asking:
Is there a HIPAA rule that says you must send a fax cover sheet if sending PHI, or do you just need the fax disclaimer on it somewhere?
Here is the answer I finally sent to Krista.
First, HIPAA never specifically mentions faxes or faxing or cover sheets other than to point out that fax numbers are part of PHI.
What HIPAA does say under the Privacy Rule is that you “must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure”. It also tells you all the conditions where you are allowed to send or receive PHI.
That means your organization should define what it feels are reasonable and appropriate safeguards for protecting faxes. Most people believe it is a good idea to make sure you use a cover sheet for two reasons: 1) it may end up on top of the PHI and cover it up on a machine; 2) it makes it clear that this information is confidential and should be protected.
Other safeguards, like steps required to confirm that the correct fax number will be used and limiting access to fax machines, are more of those prudent precautions that people decide to implement.
The internet is full of references stating as a fact that HIPAA requires cover sheets with specific information and disclaimers. If it is in there, I do not know where. Of course, it is very hard to prove a negative. I just need someone to show me where it says anything related to disclaimers and cover sheet details.
On another note, don’t just slap any disclaimer on there. You don’t want to be sending things to your BAs with something in that statement that would contradict your BAA requirements.
Some references if you need them: https://www.hhs.gov/hipaa/for-professionals/faq/482/does-hipaa-permit-a-doctor-to-share-patient-information-for-treatment-over-the-phone/index.html (if a cover sheet were required, I feel sure it would have been mentioned in this FAQ)
Property Management and HIPAA
This question came in from Leean.
We are a behavioral health agency and we get funds to house our clients. We are trying to contract to use a property management software that will log name, address and phone #. While we can create a unique identifier for the name, we have to have other items, though. They will not sign a BAA and wonder if we can use an authorization to disclose documents for each client.
My response to her wasn’t as helpful as I wanted to be, I am sure. But, it was the best I could do with what information was there.
This question is tricky. The software you are thinking of using stores the names of the clients/patients in the housing portion of your services. I would find it hard to argue that was not PHI, especially with the extra super private rules you guys may need to follow. No way I would recommend using that service. Is there a tool that you can use to manage them that maybe isn’t property management software? I would try to find another solution.
Finally, we get to wearables! This question came in from one of our clients to the team who then submitted it to the podcast. Yes, they submit there too when they think you guys will find it interesting. Don’t worry, I don’t answer them differently. You get what cha pay for right!
What are the technical safeguards that organizations need to ask about / look out for with wearable health devices? One of the companies that a client is looking at is VitalTech. This would be designed for the seniors in assisted living to help track them, manage their care, etc.
This type of application is different than a patient / resident wanting to track their own information (Apple Watch, FitBit, etc.); here the organization is using this to increase patient / resident care.
Questions off the top of my head: Where is the data stored (US or not, HIPAA compliant platform or not)? Is data encrypted at rest and in transit? What are their security policies / procedures / white papers on handling PHI?
It is very important to make the distinction between wearables that are covered under HIPAA and those that are not covered under HIPAA. If your provider sells a device to you or leases it to you then it is covered under HIPAA. If you purchase the device on your own then it is NOT covered under HIPAA. You are free to share that information with your provider but the data on your device is managed by you not the provider.
The vetting process for these vendors is becoming a vital protection in today’s connected world. If the provider intends to represent one as a solution for their patients/clients, then the devices, the software they use, and the vendor’s practices must be vetted thoroughly to protect the provider’s patients.
- Understand how they secure the device itself, so ask about connections, etc.
- Understand how the device software is accessed and updated, including how the software itself is secured from malware injection.
- What does the vendor do to ensure any access they may have to PHI is protected properly?
There are a lot of variables already in healthcare security, but don’t expect that to improve. The variables keep growing exponentially as we become more connected and innovation continues to accelerate the pace of new device creation. The problem is we need to make sure security is addressed even though the innovative ideas may be very exciting.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!