The Joint Commission Issues Clarification on Texting of Patient Care Orders

“The use of secure text orders is not permitted at this time.”

In 2011, the technology to provide for the safety and security of text messaging was not available and, at that time, The Joint Commission (“TJC”) said it was not acceptable for practitioners to text orders for patient care and treatment. Then, in May 2016, TJC revised its position in recognition of technological advances and said physicians could text message when done in accordance with standards of practice, laws, regulations, policies and practices “as long as the system met specific requirements.”

Since then, however, TJC got together with the Centers for Medicare & Medicaid Services (CMS) and issued updated recommendations that include the following:

  • Providers should have policies prohibiting the use of unsecured text messaging of protected health information (PHI).
  • CPOE (computerized provider order entry) should be the preferred method for submitting orders, which are directly entered into the electronic health record.
  • The use of secure text orders is not permitted at this time.

This turnaround came after TJC and CMS discussed the issues with numerous stakeholders, including text messaging platform vendors and experts in electronic health records (EHRs). The identified concerns for maintaining the existing status quo were:

  • Increased burden on nurses to manually transcribe text orders into the EHR.
  • Verbal orders are preferred when CPOE not used, because they allow for real-time clarification and confirmation of the order as it is given by the practitioner.
  • Text messaging could cause delay in treatment where a clinical decision support (“CDS”) recommendation or alert is triggered during data entry, requiring the nurse to contact the practitioner for additional information.

To view the full text article on the TJC website click here.

Failure to Update Business Associate Agreement Leads to Health System’s Settlement with OCR

A hospital’s breach notification to the Department of Health and Human Services, Office of Civil Rights (“OCR”) led to a Resolution Agreement, payment of $400,000 and a Corrective Action Plan for an east coast health system. On September 23, 2016, OCR issued a press release advising that Woman & Infants Hospital of Rhode Island (“WIH”) a member of Care New England Health System (“CNE”) notified OCR of a reportable breach in November of 2012, stemming from its discovery that unencrypted backup tapes containing electronic Protected Health Information (“PHI”) were missing from two of its facilities. CNE provides centralized corporate support to the covered entities under its common ownership and control, including technical support and information security for WIH’s information systems, as its business associate. Although WIH had in place a business associate agreement (“BAA”) with CNE, it was dated from March of 2005 and had not been updated since implementation and enforcement of the HIPAA Omnibus Final Rule.

OCR’s investigation of WIH’s HIPAA Compliance program, triggered by the report of the missing tapes, uncovered the outdated BAAs. WIH updated their BAA on August 28, 2015, as a result of OCR’s investigation. OCR then determined that from September 23, 2014, the date enforcement of the Final Rule began, until August 28, 2015, WIH impermissibly disclosed the PHI of at least 14,004 individuals to its business associate when WIH provided CNE with access to PHI without obtaining satisfactory assurances, in the form of a written business associate agreement, that CNE would appropriately safeguard the PHI. The settlement was reached without any admission of liability by CNE or WIH.

The settlement is a jolt to many covered entities and their business associates for a number of reasons. The key take-aways are: (1) There is an inference in the OCR’s actions that a well worded BAA, wherein the business associates agrees to abide by the specifications required by the Privacy and Security Rules, is sufficient to satisfy the covered entity’s obligation to obtain “satisfactory assurances” the business associate will appropriately safeguard the PHI (meaning those often lengthy and burdensome security questionnaires or audits business associates are being asked to complete may be unnecessary and not required); (2) documentation of intent and action, including policies, procedures and BAAs, is extremely important in establishing HIPAA Compliance (i.e., the fact that the mistake occurred—tapes went missing—is being treated as the result of the absence of a written agreement, justifying the enforcement action, when in reality it is likely, or at least conceivable, that human error, inadvertence or lack of attention is the root cause and this could have occurred even if an updated BAA was in place and being followed); and (3) policies, procedures and continuous training and retraining of the workforce handling PHI is imperative to a successful HIPAA compliance program, and remains on the radar of any OCR investigation.

A copy of the Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/wih.
OCR’s sample BAA may be found at http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.

OCR Provides Further Clarification on Charging Flat Rate for Copies of PHI

The Office of Civil Rights (OCR) at the Department of Health and Human Services recently provided further clarification about the amount that an individual may be charged for a copy of their protected health information (PHI). After releasing guidance earlier this year about individuals’ rights under HIPAA to access and obtain a copy of their health information, OCR provided clarification in response to questions it received after releasing the guidance. In a new frequently asked question, OCR clarifies that $6.50 is not the maximum amount that can be charged to provide individuals with a copy of their PHI. Rather, OCR states that charging a flat fee of $6.50 is an option available to those covered entities (or business associate acting on behalf of the covered entity) that do not want to calculate the allowable fees for providing individuals with copies of their PHI as provided by the Privacy Rule.

Arizona Anesthesia Group Notifies 882,590 Patients of Data Breach

Valley Anesthesiology and Pain Consultants (“VAPC”), a physician group of more than 200 anesthesiologists and pain management specialists with several locations near Phoenix, Arizona, began notifying patients on August 11, 2016, of a potential data breach involving protected health information (“PHI”), despite the fact their retained forensic consultant found no evidence that the information on the computer system was accessed. However, the consultant was unable to definitively rule that out after investigation, and it did confirm that an individual gained access to a system containing PHI. The physician group elected to take the proactive route of notifying affected individuals. The forensic firm was apparently called in shortly after VAPC learned on June 13, 2016, that a third party may have gained unauthorized access to VAPC’s computer system on March 30, 2016, including records of 882,590 current and former patients, employees and providers.

On its website, VAPC says they value their relationship with patients and so decided to mail the notification letters. Law enforcement was also advised, and a dedicated call center has been set up to answer patients’ questions. Patients have been advised to review the statements they receive from their health insurer and to advise the insurer of any unusual activity. The computer system accessed is believed to have contained patient names, limited clinical information, name of health insurer, insurance identification numbers, and in some instances, social security numbers (“SSN”). No patient financial information was included in the computer systems. For providers, the information included credentialing information such as names, dates of birth, SSN, professional license numbers, DEA (Drug Enforcement Agency) and NPI (National Provider Identifier) numbers, as well as bank account information and potentially other financial information. The employee records on the system included names, dates of birth, addresses, SSNs, bank account information and financial information. Individuals that had their SSN or Medicare number exposed are being offered credit monitoring and identity theft protection services.

The circumstances of the incident illustrate the quandary regarding the presumption that it is a reportable breach if you can’t prove there was no access to the information, and the interplay between the HIPAA Security Rule and the Privacy Rule. Here, it was apparently established the system’s security was breached, but unclear whether personal health information was accessed once the unauthorized individual was in the system.

More information is available on VAPC’s website: https://valley.md/securityupdate.