HIPAA Regulatory Alert: H1N1 deaths: What you can and can't say
You need to take a look at aggregate data
As U.S. deaths from the H1N1 virus have mounted in recent months, media reports began to include the inevitable comments from hospital spokespeople that the patients who died had "pre-existing conditions," with no specifics given. While it is understood that HIPAA requirements prevent the airing of specific patient conditions, these comments naturally raise the following question: What about aggregate data? Wouldn't it benefit the public to know that, say, 75% of the victims had asthma - or diabetes?
No doubt such information would be beneficial, but, say the experts, the decision on whether to release it is far from cut and dried. "Aggregate information is one of those things an organization would look at in terms of the big picture," says Beth Hjort, RHIA, CHPS, professional practice resource manager for the American Health Information Management Association. "Information from one facility may not hold relevance to giving such clinical health care messages, so an organization should take caution about that."
The authority for requiring that such cases be reported in the aggregate rests with state legislatures, she continues. "That's where mandatory requirements exist. You have state laws that are not all the same, so the kinds of things you report, the types of diseases and criteria, vary from state to state."
Who you report to varies by state
What's more, Hjort adds, who you report the information to also varies from state to state. "In some states you report to the local health department and in some the state health department," she explains. "What's important is that it's done in a way that can be analyzed for meaningful interpretation. When it's done by single entities, I'm not sure that individuals will be able to deduce common trends."
What can be deduced?
But if a single hospital had 20 cases, and 15 of the patients were asthmatic, wouldn't that have significance? "My recommendation to any organization is to give it situational consideration, because when you look at aggregate data the concern is that the n, or denominator, may be too small," says Beth Malchetske, MBA, RHIA, director of health information services at Appleton Medical Center and Theda Clark Medical Center in Neenah, WI.
"I live in a town of 5,000 people," she continues. "If I had a child in high school who was sent home with the swine flu, every one of those 5,000 people would know that. So then, if I publish 'aggregate data' for the city, and it involves two people who had swine flu, I really have identified a person's health condition." Conversely, she notes, in a city such as Miami, if 20 patients have been identified with the virus and it's reported that they also had asthma, people would not be able to identify who they were.
Hjort agrees. "Even 'unidentifiable' information - when done in an area with frequency that low - can lead to implied identification," she says. "It can be deduced who that is. Let's just say one victim or two expired from swine flu in that local health entity, and within a week of June 15 at 'Mid-America Hospital.' Obituaries that note the date of death or place of death may enable people to put the facts together and trace it back."
Are you in violation of HIPAA if you don't disclose the information outright but you disclose it in such a way that those amateur detectives might be able to deduce the facts? "I don't know if you'd be in pure violation, but you'd be at considerable risk," warns Malchetske. "I would want to assess the risk/benefit in that case."
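As an added illustration of the small-denominator concern raised above (example code, not part of the original article): a minimum-cell-size check that a records or compliance office could run over a case table before releasing aggregate figures. The threshold of 5, the locality names and the sample records are constructed assumptions; the article gives no numbers of its own.

```python
from collections import Counter

MIN_CELL = 5  # assumed policy threshold; the article names no number

# Constructed sample records: (locality, documented pre-existing condition).
# One condition per record is a simplification for the example.
RECORDS = (
    [("Smalltown", "asthma"), ("Smalltown", "diabetes")]
    + [("Miami", "asthma")] * 15
    + [("Miami", "diabetes")] * 3
    + [("Miami", "none")] * 2
)


def tabulate(records):
    """Group records into {locality: Counter(condition -> case count)}."""
    table = {}
    for locality, condition in records:
        table.setdefault(locality, Counter())[condition] += 1
    return table


def release(counts, min_cell=MIN_CELL):
    """Decide what may be published for one locality.

    Returns {"total": int|None, "by_condition": {condition: int|None}};
    None marks a suppressed cell.
      1. Locality total below min_cell: publish nothing (the two-case town).
      2. Any condition cell below min_cell is suppressed.
      3. If exactly one cell is suppressed, total minus the published cells
         would reveal it, so the smallest published cell is suppressed too.
    """
    total = sum(counts.values())
    if total < min_cell:
        return {"total": None, "by_condition": {c: None for c in counts}}
    out = {c: (n if n >= min_cell else None) for c, n in counts.items()}
    if sum(v is None for v in out.values()) == 1:
        published = [(n, c) for c, n in counts.items() if out[c] is not None]
        if published:
            out[min(published)[1]] = None  # complementary suppression
    return {"total": total, "by_condition": out}


def release_all(records, min_cell=MIN_CELL):
    """Apply the release rules to every locality in the records."""
    return {loc: release(cnt, min_cell) for loc, cnt in tabulate(records).items()}
```

Run against the constructed records, the two-case town yields nothing publishable, while the larger locality publishes its total and the asthma count but withholds the two small cells.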
Ethical considerations
There also is an ethical consideration involved, she continues, adding, "This really makes me think about how you work with the command center." For example, she points out, "My understanding is that the Department of Health and Human Services, with the advice of the CDC [Centers for Disease Control and Prevention], can suspend certain regulatory compliance, sanctioning some activities in a public health emergency. That's one of the variables I would investigate - what's been their message in terms of suspension of sanctions?"
The other question she would ask herself is: "What's the reasonable ability of someone in the community to tie this information in with that person? I would not make the recommendation to do it if it puts us at more risk to break down patient trust in us over the longer term. I might, however, consider talking with the family and explaining that it might be a way of helping others, and asking their permission to release the fact that their loved one had COPD [chronic obstructive pulmonary disease], or emphysema, so that others might not suffer." She would only approach the family, however, "if there is something so unique that it is important to share with a wider audience.
"What becomes glaringly clear to me is it really takes the subjectivity of the minimal necessary rule; would another reasonable person come to the same conclusion that these are the right items to share?" she continues. "This may mean seeking out a peer to discuss the issue. You should definitely do some due diligence, and not just react."
Outside help is critical
The other reason for caution, says Hjort, is that a compliance officer alone may not be in a position to determine the clinical significance of the data. "Even if asthma was pre-existing in most of the patients, for example, could we necessarily know that those with asthma have a greater likelihood of contracting and/or expiring from [H1N1]?" she poses. "That's why you need to work in conjunction with experts using the public health approach to tell us, because the data could be misinterpreted."
The HIPAA privacy rule, says Hjort, permits but does not require covered entities to disclose identifiable patient information to health organizations. "HIPAA's broad recognition of laws already in place alludes back to the states," she explains.
What about sharing information with the CDC? "What I understand is that reporting to the CDC is voluntary as well," says Hjort. "HIPAA permits organizations to disclose identifiable health information when a judgment call leads them to do so; the guideline is written in a very permissive way."
The privacy rule, she continues, generally limits disclosure to "necessary and well-intended" reasons. "We want our decisions to be related to the intended purpose, for the information to be used only for that purpose and retained and destroyed after it is used," says Hjort.
This applies to H1N1, or any epidemic or pandemic, she asserts. "You do not need permission [to release personal health information] for purposes of public health, but you do not have to do it if it's in the best interests of patient privacy rights," says Hjort.
In summary, she says, "Organizations have their own internal processes for identifying, monitoring, and trending infection control issues, and within that practice they must honor and comply with mandatory state reporting laws with regard to aggregate information. In doing this, they are going to protect the information privacy of the individual."
Ready for HITECH privacy requirements?
The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was signed into law in February 2009, includes a number of challenging new privacy requirements that some experts believe represent the biggest changes in this area since the enactment of HIPAA itself. For sure, it shines an even brighter light on data breaches.
"There is really a positive movement afoot to move to EHRs [electronic health records], but this also represents security and privacy challenges," says Rick Kam, president of Beaverton, OR-based ID Experts. "That's why the stimulus bill and HITECH came out; they helped identify those challenges, so the public who would use EHRs would actually feel more comfortable working with providers who use those systems." While he says the Obama administration is "on the right track" by trying to improve health care service and reduce costs, "it does produce additional exposure" for facilities using EHRs.
The key, Kam continues, is that to really adopt an EHR system, you have to trust it. "If the criminal element or some of your associates cause a lot of security or privacy breaches, it will undermine that trust and take us longer to move to that environment," says Kam. "You can't have a lot of breaches right off the bat, because it will make the road tougher to climb."
Use multipronged approach to avoid breaches
Kam recommends a multipronged strategy to help avoid breaches. First, he says, you must conduct a thorough risk-based assessment of how well protected your personal health information is throughout its lifecycle - i.e., when you collect it, use it, store it, and destroy it. "Do you have a sense of where the information is and whether it is being appropriately protected?" he challenges.
"There is a lot of information exchanged between a lot of people involved in maintaining the care of patients - doctors, nurses, pharmacies, and so on; it's probably one of the most complex environments. It's 'target-rich'; and if someone wants to go after it, it's easier to get than in most other industries," Kam explains. So, even if your hospital is compliant on most issues, he says, you must look for weak links such as the pharmacy, the outpatient area, or noncritical care. "It may be information stored off-site or sitting on older equipment," Kam says. "Those are the ones these folks will go after - not a highly protected host-based infrastructure. It's just like a burglar looking for a weak spot to get into a house."
Your assessment, he continues, should include an accurate inventory of the data you hold and all internal and external workflows where the information is used, such as those involving business associates. "We once had a client that was working with veterans," he recalls. "Because of VA [Veterans Affairs] processes, they had to keep track of all the veterans they did procedures on."
Since it did not have access to the VA system, the hospital had to keep track of the vets in a paper notebook. "The doctor went to different facilities with the notebook; his car was broken into, his backpack was stolen, and in it was the PHI [personal health information] of several vets," recalls Kam. "That's considered a breach. Then, the VA was required to be notified and get involved in the notification process, which puts an extra burden on the hospital, because they now had to coordinate their incident response with the VA."
The plan also should identify PHI-specific risks not only in your IT systems but also in your organizational policies and processes. So, for example, you need to train your personnel to recognize a breach. "For instance, if I lose my notebook, that might constitute a breach, but if someone is looking over my shoulder when I'm recording information, it might not trigger a breach notification," he explains.
Keeping PHI secure
There also are guidelines for securing PHI through a technology or methodology specified by the secretary of the U.S. Department of Health and Human Services (HHS) pursuant to the HITECH Act. One example would be "de-identification" of personal data, which entails providing only the minimal amount of information needed for each process or function. So, for example, Kam suggests changing member ID numbers from their Social Security number to a specifically assigned member ID.
"We've also been involved recently with people who were victims of medical identity theft, which can result in inaccurate information getting into a patient's medical records," he continues. "What we're starting to see as potentially a best practice is to have the organization set up a single point of contact within customer service to help people who think they may be victims of identity theft, identify the place in the system where there are inaccuracies, and associate them with another record."
Contracts, processes targeted
The HITECH Act also requires contracts with your business associates to authorize and define their use of the PHI that is shared with them. "A risk-based assessment tells you which associates pose the highest breach risk," says Kam. Risk, he notes, often is associated with the amount of data used or specific data elements. "If you work with a payment processor who processes millions of dollars of payments and thousands of clients, there could be higher risk than with someone who provides maintenance services to your organization," Kam explains.
Most breaches, he continues, are generated by business associates and/or rogue employees. Because of this, "You've also got to look hard at your hiring - like putting a felon in a maintenance function, which gives them access to computer rooms," says Kam.
Planning and response
Under the HITECH Act, you now must provide notification within 60 days when PHI in any form is breached, says Kam, who adds that this includes even incidental loss or exposure of single records or small amounts of personal information. To ensure early breach detection, he recommends "aggressive, ongoing monitoring programs that may range from IT audits to checking patient health records for inconsistencies."
In addition, he says, a detailed breach response plan should be in place. However, he reports, he has worked with a number of health care organizations recently and "none of them have had an updated incident response plan."
So, what should that plan entail? "The real key is having a team be engaged when a breach is recognized - that will include the compliance officer, HR, marketing and PR, communications, and legal," he says. "That team has to be assembled quickly and know what their responsibilities are." Having these people identified before a breach occurs "is almost as important as knowing what will constitute a breach," he says. "You need to have some discussions on what will trigger a response, who will make the call to the lawyer, for example, and you should have a simple plan of action."
The mere fact that an unauthorized individual was present in a part of a health care facility he or she was not supposed to have access to was enough to earn DePoo Chemical Dependency Facility in Key West, FL, a citation for a HIPAA violation from the U.S. Department of Health and Human Services.
According to HHS, the program director allowed her significant other (also a facility employee) onto DePoo's locked unit on more than one occasion. The report also indicated that the unauthorized employee was "often" in the day room with patients, and in the nurse's station. Under HIPAA regulations, the "potential" for such disclosures can constitute a violation, even where there is no actual communication of personal information.
The specific violation cited was the fact that the program director failed "to demonstrate appropriate care in handling confidential information that resulted in accidental access or accidental access due to lack of awareness or education."
The program director "received a written warning, which was placed in the employee files. In addition, [she] was required to receive training on specific HIPAA policies and procedures relative to the violation."
Hospital CEO Nicki Will, in a prepared statement, said: "Upon receiving such information, LKMC [the organization that owns the facility] administration conducted an in-depth investigation of all facts relevant to the potential violation ... [which] showed that there had actually been no disclosure of protected health information to anyone.
"However ... there had been an isolated incident whereby there existed the potential for such a disclosure, even though no such actual disclosure took place. This situation involved the presence of an individual in a place where [private information] was stored, and might have been sighted. Under HIPAA regulations, the 'potential' for such disclosure can constitute a violation, even where there is no actual communication of [personal information]. That is what happened here. No protected health information was accessed or communicated."
The statement continued: "... LKMC provided written warnings and supplemental HIPAA education and training to all involved persons. LKMC is unaware of any situation where [personal information] has actually been used for anything other than appropriate medical care and treatment."