Monday, December 14, 2015

Small privacy violations can have huge impact on individuals but don’t get the appropriate attention and follow-up under current HIPAA enforcement

Contrasting the large healthcare data breaches that get high public visibility but may have lesser-known impacts on the individuals whose data is stolen with the little-known breaches that can have a huge impact on a single individual, National Public Radio reported "Small Violations of Medical Privacy Can Hurt Patients and Corrode Trust."

Noted by the report –

Under the federal law called the Health Insurance Portability and Accountability Act, or HIPAA, it's illegal for health care providers to share patients' treatment information without their permission. The Office for Civil Rights, the arm of the Department of Health and Human Services responsible for enforcing the law, receives more than 30,000 reports about privacy violations each year.

The bulk of the government's enforcement — and the public's attention — has focused on a small number of splashy cases in which hackers or thieves have accessed the health data of large groups of people. But the damage done in these mass breaches has been mostly hypothetical, with much information exposed, but little exploited.

The report also notes that –

Even when small privacy violations have real consequences, the federal Office for Civil Rights rarely punishes health care providers for them. Instead, the office typically settles for pledges to fix any problems and issues reminders of what the privacy law requires. It doesn't even tell the public which health providers have reported small breaches — or how many.

The Office of Civil Rights took some criticism in this NPR report:

The vast majority of the federal Office for Civil Rights' enforcement work has been directed at large-scale medical data breaches, whether or not they result in any demonstrable real-world harm.

Health providers are required to notify the office within 60 days of breaches affecting at least 500 people and also must share details with the media and contact those potentially affected. OCR's website makes public a list of these cases, highlighting them on what industry insiders dub the Wall of Shame.

Rarely do small privacy breaches get anywhere near the same attention, except when they involve celebrities or high-profile individuals.

Organizations only have to report them to OCR once a year. Even then, the agency doesn't post them online. HHS has rejected requests under the Freedom of Information Act for information about them.

Since 2009, OCR has received information about 1,400 large breaches. During the same time, more than 181,000 breaches affecting fewer than 500 individuals have been reported.

In September, the HHS inspector general issued two reports that criticized the Office for Civil Rights, including its handling of small breaches. One report said the OCR should strengthen its follow-up of breaches of Patient Health Information when reported by HIPAA covered entities. Another report said the OCR should strengthen its oversight of covered entities’ compliance with the HIPAA Privacy Standards. The inspector general said OCR did not investigate the small breaches reported to it or log them in its tracking system.

Thursday, December 10, 2015

HealthData Management Reviews the Ten Largest Healthcare Cyber Attacks in 2015

HealthData Management recently reviewed the 10 largest cyber attacks of 2015 in the healthcare setting. The report notes that some of the attacks started in 2014 (the review is organized by when the attacks were reported). The total number of victims from these hacks was placed at 109,671,626, which represents about one-third of the population of the U.S. Each hacked organization has offered paid credit and/or identity theft protection services.

The single largest attack was against Anthem Health Insurance, affecting 78.8 million individuals. The hack affected all Anthem product lines, compromising names, birthdates, member IDs, SSNs, addresses, phone numbers, email addresses and employment information.
An attack against Premera Blue Cross, started in 2014, affected 11 million individuals. As with Anthem, a wide range of member information was compromised, including personal bank account numbers. Ten million individuals were affected by an attack started in 2013 against Excellus BlueCross BlueShield, which included members from other BCBS plans in a 31-county area in upstate New York. The company said “Individuals who do business with us and provided us with their financial account information or Social Security number also are affected.”

UCLA Health detected suspicious network activity in late 2014 and investigated with assistance from the FBI, concluding that the attackers had not gained access to parts of the network that contain personal and medical information. In mid-2015, as part of an ongoing investigation, UCLA determined that attackers had accessed those parts of its network, affecting 4.5 million individuals.
Medical Informatics Engineering, which sells electronic health records with its NoMoreClipboard subsidiary, found an attack that involved 3.9 million individuals. The hack compromised patient names, user names, hashed passwords, security questions and answers, email addresses, dates of birth, health information and Social Security numbers.

An attack against a single database at CareFirst BlueCross Blue Shield affected 1.1 million individuals. The attack was discovered during security work being done in response to attacks against other insurers. Limited personal information was said to have been involved in the attack, with no member Social Security numbers, medical claims information or financial information put at risk.
In mid-2015 Beacon Health System discovered a phishing attack, begun in late 2013, that had accessed multiple employee e-mail boxes. The breach was found by an internal forensic team after an employee noticed email irregularities, and affected the two-hospital system and affiliated physicians. St. Mary’s Health in Indiana discovered a breach affecting 4,400 individuals after investigating an attack against employee email accounts.

Advantage Dental, with 30 clinics across Oregon, discovered an attack on an internal database that affected over 150,000 individuals. The access was terminated only 3 days after it was discovered, and notifications were sent to affected individuals within 30 days. The intruder accessed the database through a computer infected with malware.

Monday, December 7, 2015

Check out The Joint Commission's Physical Environment Portal

The Joint Commission announced a Physical Environment Portal, in partnership with the American Society for Healthcare Engineering (ASHE), which focuses on 25 Life Safety and Environment of Care elements from 8 standards identified as the most cited for violations over the last four years.

This simple infographic identifies the standards being featured: Utility Systems, Means of Egress, Built Environment, Fire Protection, General Requirements, LS Protection, Automated Suppression System, and Haz Mat/Waste Management.  Each standard is being highlighted in 2-month modules: The first month features information for facilities managers; the second month focuses on strategies for leadership and clinical impact.  The current modules may be found on the Portal’s Announcement Page.

For violations associated with LS.02.01.20 – The Hospital Maintains the Integrity of the Means of Egress, the Portal offers examples of improved compliance for both facilities managers and leadership. Two Elements of Performance are identified as problem areas: Corridor Clutter was found to have a non-compliant rate of 22.41%, and Doors unlocked in the direction of egress was found to have a non-compliant rate of 16.84%. A flow chart provides examples of improved compliance, looking at issue identification, risks associated with non-compliance, the potential impact of the risk and mitigation strategies. Notice that for each of these EPs there is a crosswalk to the CMS Conditions of Participation.

Navigate to the ASHE website’s Focus on Compliance for additional resources on each standard.  For example, for violations of LS.02.01.20 – The Hospital Maintains the Integrity of the Means of Egress, three specific areas are identified: Obstructions of the Means of Egress, Inappropriate Locking Mechanisms, and Improper Use or Designation of Suites.   Also, remember to visit and explore the resources in the Joint Commission Survey Toolkit. 

Finding a standardized combination of patient attributes and standardizing the collection/input of these attributes in provider electronic systems

Over a year ago NAHAM offered recommendations recorded in the Office of the National Coordinator for HIT’s 2014 Patient Identification and Matching Final Report. The recommendations point to standardization of data attributes and their capture in electronic systems –

NAHAM supports continuing efforts to create an environment of positive patient identity and believes that the standardization of patient identification protocols and technologies are important means to this goal.  NAHAM is investigating appropriate third factors to enhance positive patient identification.  NAHAM supports the development of standards for data attributes in electronic systems, whether clinical or administrative, and enhanced common capabilities for all health data systems to input standardized data….

This reference to “appropriate third factors” is a call on providers to go beyond The Joint Commission’s National Patient Safety Goal requirement that at least two patient identifiers be used. While it can be acknowledged that this requirement speaks primarily to the clinical setting, it is a benchmark for Patient Access as well. NAHAM’s recommendations call for an additional set of patient identifiers, ideally standardized both in combination and in means of collection, so that all healthcare systems are tracking the same data in the same manner, using the same recording protocols. NAHAM’s recommendations to the ONC also included a call for standardized EHR technology solutions that would support the standardized patient identification attributes –

Ongoing education and training are also important to ensure personnel at all levels understand the important roles patient data input and patient identification protocols serve in enhancing patient safety.  NAHAM supports Stage 3 Meaningful Use requirements to improve patient matching and supports a comprehensive approach that includes the standardization of patient identification attributes, the development of standards for EHR technology solutions, and the development of best practices and protocols for data input. This would include regular feedback from supervisors and audits for quality control.

The same ONC report, based on the input of a number of stakeholders, including NAHAM, recommended the following data attributes: First Name, Last Name, Previous Last Name, Middle Name or Middle Initial, Suffix, Date of Birth, Current Address, Historical Addresses, Current Phone Number, Historical Phone Numbers, Gender. Whether these are the ideal data attributes is arguably subject to debate; however, we do have a general idea of what attributes are most commonly captured.

The results of an informal NAHAM survey presented at the Patient Identity Integrity Symposium held prior to the 41st Annual Educational Conference and Exposition showed that over 80% of respondents indicated that their systems collected the following patient information: Name (First and Last), Home Phone Number, Work Phone Number, Date of Birth, Gender, Next of Kin, Next of Kin Relationship, Guarantor Phone Number, Primary Physician, Insurance Information, Medical Record Number, Billing Address. 

Next of Kin, Next of Kin Relationship, Medical Record Number, and Billing Address fall out when looking at what 90% of respondents collect.  When looking at the common identifiers for all respondents, patient Work Phone Number and Primary Physician fall out.  The survey showed that 100% of respondents collect patient Name, Home Phone Number, Date of Birth, Gender, Guarantor Phone Number, and Insurance Information. 

We also have some metrics on the key patient identifiers or traits: Validity (is the trait known to be correct?), Distinctness (is the trait able to uniquely identify an individual?), and Stability (how much does the trait remain constant over the lifetime of the individual?). The Sequoia Project's recent Framework for Cross-Organizational Patient Identity Management (Draft for Public Review and Comment: November 10, 2015) rated these characteristics along with Completeness (at what rate is the trait captured and available?) and Comparability (noting that numbers such as SSNs are easier to compare than free text such as addresses). Last Name, First Name, Gender and Date of Birth scored well enough to be considered desirable traits, and Postal Code and Primary Phone Number were identified as promising, although Postal Code in particular scored low for Stability. Ethnicity and Race scored high and very high for Comparability and Stability but comparably lower for Completeness, Validity and Distinctness.

When looking at combinations of these traits, the following had the highest levels of Completeness: FN+LN+DoB, FN+LN+DoB+Gender, and FN+LN+DoB+Gender+Zip Code (first 5 digits). This last combination scored highest for Uniqueness, second only to FN+LN+DoB+Gender+SSN (last 4 digits) – although that combination scored among the lowest for Completeness. The Social Security Number scored low for Completeness and Validity, while scoring high for Distinctness, Comparability and Stability.
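To make the Completeness and Distinctness trade-off concrete, here is an added example (not from the Sequoia framework or NAHAM) that scores the four attribute combinations named above against a small constructed patient roster. The roster, the attribute names and the normalization rules (case-folding names and dropping hyphens and spaces, first five digits of the zip code, last four digits of the SSN) are all assumptions made for this illustration.

```python
"""Score candidate patient-identifier combinations on two of the traits
discussed above: Completeness (how often every attribute in the combination
was captured) and Distinctness (how often the combination singles out
exactly one record). The roster is constructed sample data, not real patients."""
from collections import Counter
import re

# Constructed roster. None marks an attribute the registrar never captured.
# Records 4 and 5 are the same person entered twice with different spellings;
# records 1-3 and 6-7 are distinct people who share name and date of birth.
ROSTER = [
    {"fn": "Jordan", "ln": "Lee", "dob": "1990-03-14", "gender": "F", "zip": "98101", "ssn": "000-00-4321"},
    {"fn": "Jordan", "ln": "Lee", "dob": "1990-03-14", "gender": "M", "zip": "98101", "ssn": "000-00-8888"},
    {"fn": "Jordan", "ln": "Lee", "dob": "1990-03-14", "gender": "F", "zip": "98104", "ssn": "000-00-7777"},
    {"fn": "Anna-Marie", "ln": "Smith-Jones", "dob": "1975-07-30", "gender": "F", "zip": "10001", "ssn": "000-00-5678"},
    {"fn": "Annamarie", "ln": "Smith Jones", "dob": "1975-07-30", "gender": "F", "zip": "10001-2201", "ssn": "000-00-5678"},
    {"fn": "Wei", "ln": "Zhang", "dob": "2001-11-09", "gender": "M", "zip": "60601", "ssn": "000-00-1111"},
    {"fn": "Wei", "ln": "Zhang", "dob": "2001-11-09", "gender": "M", "zip": "60601", "ssn": "000-00-2222"},
    {"fn": "Fatima", "ln": "Khan", "dob": "1968-02-20", "gender": "F", "zip": "94110", "ssn": None},
    {"fn": "Luis", "ln": "Ortega", "dob": "1955-12-01", "gender": "M", "zip": None, "ssn": None},
    {"fn": "Priya", "ln": "Patel", "dob": None, "gender": "F", "zip": "02139", "ssn": "000-00-9999"},
]


def _alnum(value):
    # Drop case, hyphens, spaces and apostrophes so "Smith-Jones" equals "Smith Jones".
    return re.sub(r"[^a-z0-9]", "", value.casefold())


# Per-attribute normalization applied before comparison (assumed conventions).
NORMALIZERS = {
    "fn": _alnum,
    "ln": _alnum,
    "dob": lambda v: v.strip(),                    # assumed already yyyy-mm-dd
    "gender": lambda v: v.strip().upper()[:1],
    "zip": lambda v: re.sub(r"\D", "", v)[:5],     # first five digits only
    "ssn": lambda v: re.sub(r"\D", "", v)[-4:],    # last four digits only
}

# The combinations discussed in the text, as tuples of roster attribute names.
COMBINATIONS = {
    "FN+LN+DoB": ("fn", "ln", "dob"),
    "FN+LN+DoB+Gender": ("fn", "ln", "dob", "gender"),
    "FN+LN+DoB+Gender+Zip5": ("fn", "ln", "dob", "gender", "zip"),
    "FN+LN+DoB+Gender+SSN4": ("fn", "ln", "dob", "gender", "ssn"),
}


def match_key(record, traits):
    """Normalized tuple for the combination, or None if any trait is missing."""
    values = []
    for trait in traits:
        raw = record.get(trait)
        if raw is None or not str(raw).strip():
            return None
        normalized = NORMALIZERS[trait](str(raw))
        if not normalized:
            return None
        values.append(normalized)
    return tuple(values)


def score_combination(records, traits):
    """Return (completeness, distinctness) for one attribute combination."""
    keys = [match_key(r, traits) for r in records]
    complete = [k for k in keys if k is not None]
    if not complete:
        return 0.0, 0.0
    completeness = len(complete) / len(records)
    counts = Counter(complete)
    unique = sum(1 for k in complete if counts[k] == 1)
    return completeness, unique / len(complete)


def collisions(records, traits):
    """Groups of record indices sharing a key: what a registrar must reconcile."""
    groups = {}
    for idx, record in enumerate(records):
        key = match_key(record, traits)
        if key is not None:
            groups.setdefault(key, []).append(idx)
    return {k: v for k, v in groups.items() if len(v) > 1}


def score_all(records=ROSTER):
    """Score every combination; richer combinations gain distinctness but lose completeness."""
    return {name: score_combination(records, traits) for name, traits in COMBINATIONS.items()}


if __name__ == "__main__":
    for name, (completeness, distinctness) in score_all().items():
        print(f"{name:24s} completeness={completeness:.2f} distinctness={distinctness:.2f}")
```

On this roster the SSN4 combination is the most distinct but the least complete, and the Zip5 combination sits between it and the Gender combination, which is the pattern the framework reports.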

So, what combination of attributes could become the basis of a national standard?  Do phone numbers, historical addresses, or next of kin and relationship aid in maximizing Patient Identity Integrity?  What about the last four digits of the Social Security Number?  What combination of attributes does your organization collect?
We'll leave for another discussion the important milestone of standardizing the collection of these attributes -- meaning the protocols and conventions used in collecting and recording First Name, Last Name, whether to record Middle Name or Middle Initial, and how to agree on conventions such as hyphens (do we eliminate these altogether?), titles, and generational titles - Junior, Senior, etc.

Let us know what you collect, your thoughts on standardization of how we collect this data, and what combination of attributes could serve as a national standard.

Tuesday, December 1, 2015

The Joint Commission Quick Safety Issue: Temporary names put newborns at risk

The Joint Commission released Quick Safety, Issue 17, October 2015, “Temporary names put newborns at risk”.  NAHAM’s Joint Commission Survey Toolkit includes material on naming conventions for newborns as well.  NAHAM members may find the toolkit, along with NAHAM toolkits for CMS Audits and Patient Identity Integrity, on the NAHAM website. 

The TJC Quick Safety issue, presented below in its entirety, including reference documents and TJC’s legal disclaimer, points out that temporary names for newborns result in a large number of patients with similar identifiers, identifies a number of misidentification errors, and makes specific recommendations regarding the use of more distinct naming conventions.

Temporary names put newborns at risk

A common practice in hospitals is to give newborns temporary names at birth, since the parents may not have decided on the baby’s name. While the practice is intended to identify newborns, it results in a large number of patients with similar identifiers and who could potentially have the same date of birth, gender and surname – circumstances that put newborns at risk for patient identification errors.1,2

Newborns also are a unique patient population as they are unable to participate in the identification process. This unique need requires a reliable system that is hardwired among all providers to prevent error. An example of a typical temporary name is Babyboy Smith, using the baby’s gender and the parent’s last name. This naming convention is not distinct enough to prevent patient identification errors that could result in harm.

Newborn misidentification errors include:

  • Feeding a mother’s expressed breast milk to the wrong infant2
  • Reading imaging tests or pathology specimens for the wrong patient1
  • Incorrect documentation of medications, vascular lines, and patient weight2
  • Administering blood products to the wrong patient1
  • Collecting lab specimens from the wrong patient
  • Wrong person surgery

The Joint Commission’s Sentinel Event database includes 10 reports since 2010 of sentinel events that occurred due to the misidentification of newborns. All 10 reports are wrong person surgeries and all 10 resulted in circumcision being performed on the wrong patient.

A recent study1 published in Pediatrics highlights how one hospital experienced a 36.3 percent reduction in Retract-and-Reorder (RAR) events after implementing a distinct naming convention for newborns requiring admission to the neonatal intensive care unit (NICU). (RAR is an automated tool for detecting the outcome of wrong-patient electronic orders.) The distinct naming convention used the mother’s first name, followed by the letter “s” and the baby’s gender, then the parent’s last name (ex: Judysgirl Smith). In the case of multiple births, the hospital adds a number in front of the mother’s first name (ex: 1Judysgirl and 2Judysgirl).1

The high potential for error due to the misidentification of newborns was illustrated in a study published in 2006.2  Over a one-year period, a NICU discovered that not a single day was free of risk for patient identification. The mean number of patients who were at risk on any given day was 17, representing just over 50 percent of the average daily census. During the entire calendar year, the risk ranged from 20.6 percent to a high of 72.9 percent. The most common causes of misidentification risk were:

  • Similar-appearing medical record numbers (MRNs)
  • Identical surnames
  • Similar-sounding names

Safety Actions to Consider:

Hospitals can take the following simple and effective actions to protect vulnerable newborns from adverse events related to patient misidentification:

  • Stop using Babyboy or Babygirl as part of the temporary name.
  • Change to a more distinct naming convention.
  • Train staff on the distinct naming convention.
  • Follow the recommendation in National Patient Safety Goal 01.01.01 and implement use of two patient identifiers at all times.
  • As soon as parents decide on their baby’s name, enter that name into the medical record instead of the temporary name.

1. Adelman J, et al: Use of Temporary Names for Newborns and Associated Risks. Pediatrics 136(2); August 2015

2. Gray JE, et al: Patient Misidentification in the Neonatal Intensive Care Unit: Quantification of Risk. Pediatrics 117(1); January 2006

Note: This is not an all-inclusive list.

Legal disclaimer: This material is meant as an information piece only; it is not a standard or a Sentinel Event Alert. The intent of Quick Safety is to raise awareness and to be helpful to Joint Commission-accredited organizations. The information in this publication is derived from actual events that occur in health care.

©The Joint Commission, Division of Health Care Improvement

Tuesday, November 17, 2015

Considering the tension between providing care and contacting law enforcement

A member of the Public Policy and Government Relations Committee shared this article, "Patient's Arrest for False ID Reminds CEs To Review Police, Validation Procedures," found at

The first half of the article focuses on a case of a hospital calling law enforcement when a patient presented with a false ID – in this case a fake driver’s license.  The second half of the article discusses broader issues of how providers might respond to such circumstances and highlights requirements under HIPAA and EMTALA.  We have highlighted some of the text below.  This is definitely worth a read.  What are your policies on this issue?

The HHS Office for Civil Rights (OCR) is investigating whether a Texas clinic acted appropriately following the arrest of a patient, RPP has learned. The woman, who is not a U.S. citizen, was taken into custody while waiting to see her doctor for allegedly presenting a fabricated driver’s license; she has not been charged with violating immigration laws.

OCR spokeswoman Rachel Seeger told RPP the agency is “reviewing the news report(s) to determine our authority under both HIPAA and civil rights laws to take action in the matter.”

The incident involves Blanca Borrego, 44, who was handcuffed and removed from an obstetrician-gynecologist’s office, part of Memorial Hermann Health System of Houston, in front of her two daughters. Court documents show Borrego, a native of Mexico, spent 12 days in jail charged with a felony prior to her release on $35,000 bail.

To date, officials with Memorial Hermann, a nonprofit organization that includes 13 hospitals, have not admitted to any wrong-doing nor apologized. They stated that while they did call the local sheriff’s office, they “did not ask” for Borrego to be arrested.

The officials acknowledged that “what happened to the patient is unfortunate” and that the Sept. 4 incident, which caused a national furor among immigration rights organizations and others, provides them “an opportunity to evaluate our processes.”

Law Enforcement Issues Are Tricky

Other HIPAA covered entities (CEs) may wish to do the same in light of this situation, which pits policies for working with law enforcement and for thwarting identity fraud against the need to render care while complying with HIPAA, other federal laws and state regulations.

Memorial Hermann officials have not commented beyond a statement issued on Sept. 15 that described the actions that occurred prior to the arrest and referred to the situation as “a unique event in Memorial Hermann’s history.” They also would not answer any questions submitted by RPP.

The statement refers to Borrego by name. Among the questions Memorial Hermann did not answer was whether it had Borrego’s permission to discuss her situation. Failure to obtain consent to discuss a patient by name led to the imposition of a corrective action plan and a $275,000 payment by the owners of Shasta Regional Medical Center two years ago (RPP 7/13, p. 1).

According to Memorial Hermann’s statement, the arrest was at the discretion of “local law enforcement,” which became involved only after Borrego “presented potentially false identification” at the clinic.

Borrego “was unable to provide another valid form of identification and in an effort to verify the authenticity of the suspicious driver’s license, the office then called the licensing bureau of the Texas Department of Public Safety (DPS),” Memorial Hermann officials say in the statement. “DPS instructed our staff to contact local law enforcement to validate the driver’s license number. This inquiry confirmed a false identification. Local law enforcement took this information and made the decision to arrest the patient.”

The statement adds that clinic officials “did not ask for this individual to be arrested” and “did not press charges.”

Memorial Hermann does not “ask patients about residency or immigration status nor do we report an undocumented patient to law enforcement. To be clear, this incident has nothing to do with immigration or residency status,” the statement says.

“What happened to the patient is unfortunate,” the statement concludes. “We also appreciate the sensitivity of this matter. As such, we consider this an opportunity to evaluate our processes.” Which processes are at issue was not addressed, and, as noted, the system would not respond to any of RPP’s queries.

‘Medical Care Should Take Precedence’

In an interview, Clarissa Guajardo, Borrego’s attorney, tells RPP her client never got to see her doctor and that if the medical staff had problems with the materials she provided to prove her identity, that should have been dealt with afterward.

Guajardo says she has not seen what Borrego presented and thus could not say whether falsification or fabrication was involved. But she stresses that she believes Borrego was mistreated by the clinic staff, who she says were instructed to keep Borrego waiting until arresting officers could arrive.

“Certainly her medical care should have taken precedence over law enforcement activities,” Guajardo says. She is exploring whether staff were permitted under HIPAA to contact law enforcement in this situation and whether they violated any Texas privacy laws.

Borrego’s arraignment is scheduled for Oct. 20. Guajardo is hoping a grand jury declines to indict her client or that any charges, if they are brought, will be of a lesser nature. Borrego’s visa expired a dozen years ago, according to numerous reports.

RPP spoke to several health care experts to get their take on the incident and, generally, to clarify how HIPAA’s provisions related to law enforcement apply to a case of this nature.

Even years after the privacy rule went into effect, sharing information with law enforcement remains a complicated area for hospitals and other CEs because of the interplay of state laws and the fact that some types of reporting are voluntary, meaning the protected health information (PHI) can be shared, while in some cases under state law it must be.

In addition, providers may feel intimidated or threatened into providing more information or assistance than they’re comfortable with, or than is allowed.

In 2013, a New Mexico jury awarded a man $1.6 million in compensation for having been forced to undergo a colonoscopy and other medically unnecessary procedures ordered by judicial officials; local police suspected the man was hiding drugs in his body but none were found (RPP 12/13, p. 1).

Hoping to clarify some of these issues for both health care providers and law enforcement officials as they have a “shared responsibility,” the Oregon Association of Hospitals and Health Systems developed a 27-page report, “HIPAA and Law Enforcement: Guidelines for Release of Protected Health Information.” This was published in 2012 and updated in 2013.

While this provides information related to Oregon state law as well as HIPAA, CEs regardless of their location may find it useful because it contains three flow charts to help providers know how to respond when law enforcement officials request PHI, when disclosures are mandatory, and when they are voluntary. It also has a series of questions and answers that address situations CEs face. (See

“A hospital’s first obligation to all patients is caring for their medical needs. When a patient is also involved in a criminal investigation, either as a suspect, witness or victim, that obligation remains the priority,” the Oregon guide states. “Law enforcement officials, however, also have an important job to do that often involves seeking access to patients, their medical information or other evidence held by the hospital.”

CEs will not find much to go on under HIPAA as to whether they are asking for too much information when trying to validate a patient’s identity. “HIPAA generally is silent about specifically requesting identification from patients,” says Becky Williams, a former nurse who chairs the Health Information Technology/HIPAA Practice Group at Davis Wright Tremaine LLP. But “[v]erification of identity is consistent [with] best practices to prevent medical identity theft,” adds Williams, who is based in Seattle.

Conversely, HIPAA does “recognize the need to verify the identity of a person requesting protected health information,” Williams says. She recommends that providers who have a question about the identity of a patient they’re treating “keep records of the patient separate until it can be confirmed that the patient presenting actually is the individual he or she claims to be.”

“This may help avoid ‘polluting’ the medical records of an identity theft victim,” Williams points out.

Among the factors to consider are whether –– and when –– CEs should contact law enforcement. One relevant provision in HIPAA is §164.512(f)(5) Permitted disclosure: Crime on premises, which states that a CE “may disclose to a law enforcement official protected health information that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises” of the CE.

“Some folks take the position that if someone is knowingly presenting false documents that may result in fraud or identity theft, this represents a crime on premises,” says Frank Ruelas, principal and founder of the consulting firm HIPAA College. “As such they use this as a basis for a disclosure –– using minimum necessary –– to law enforcement.”

It also would not be unthinkable to conclude that patients who are undocumented and admit to being in the United States illegally are committing a crime on premises. But CEs making such a call need to be aware of how this scenario would play out, particularly if it went public.

In addition, health care providers who are providing any services with federal dollars –– such as through Medicare or Medicaid, which is virtually all of them –– are not permitted to discriminate against individuals based on their ethnicity, gender and other characteristics.

This is specified in the Civil Rights Act, which OCR enforces for health care purposes, and in the Affordable Care Act. A Brooklyn hospital recently agreed to a settlement with OCR over allegations it violated the civil rights and the ACA, following a discrimination complaint filed by a transgender patient (RPP 8/15, p. 1).

Emergency Care Cannot Be ‘Interrupted’

Faced with a patient who may be committing a crime or meet other categories for which HIPAA permits notification to law enforcement, CEs must consider timing and whether care should be interrupted.

For example, the federal Emergency Medical Treatment and Active Labor Act (EMTALA) regulation, applicable to emergency services, “requires that individuals be provided a medical screening exam,” Ruelas explains. But, he adds, “EMTALA is clear that no processes, such as insurance verification, eligibility, etc., should delay the receipt of care by an individual who presents at the dedicated emergency department.”

However, EMTALA does not apply to the provision of non-emergency care.

“A regular medical practice [is] not required to work for free, and if the patient is engaging in medical identity theft, for example, then the practice probably won’t get paid,” says Jeff Drummond, a partner with Jackson Walker, LLP, in Dallas. Drummond stresses that he is not commenting on this case in particular.

One option if the patient is in an outpatient setting is to refer him or her to a free clinic or other provider. Ruelas says staff could ask if the patient “feels he or she has an ‘emergent condition,’ then we can call 911 and have them taken to an emergency department.”

This is not an ideal situation, Ruelas acknowledges, but says “this has worked in the past” and makes sense “[g]iven all of the moving pieces that are involved with people without insurance, the use of false IDs, the need to try to obtain information for payment of services, the need to create correctly documented records of care, and that undocumented workers in these situations may not have coverage.”

OCR issued a short guide regarding law enforcement (see box, p. 9). It is important to note that, in addition to HIPAA’s federal requirements, under many state laws “mandatory reporting is triggered,” Ruelas says. Often this relates to “injuries as a result of a crime or injuries related to gunshot wounds, knife wounds, etc.,” he says.

If the patient is suspected, or confirmed, of being under the influence of an illegal substance, providers may contact law enforcement. “Typically if a person is suspected of being a danger to self or others, a report can be made” to law enforcement, adds Ruelas. “Many hospitals use this to alert police when a patient decides to leave against medical advice [and] is intoxicated. Because of the possibility that this person may try to operate a motor vehicle, this presents that basis for possible risk to others.”

Suspected or confirmed abuse can also trigger reporting to law enforcement, says Williams.

“I have worked as a pediatric nurse for years, so I will emphatically say all child abuse should be reported immediately,” Williams says. “HIPAA permits reporting of child abuse and state law generally requires –– or at least permits –– good faith reporting of child abuse.”

Regarding adult abuse, neglect, or domestic violence situations under HIPAA, “a provider may report good faith beliefs of abuse to government authorities that are in a position to address the issue,” Williams says.

Reporting also occurs when required by state law, when a potential victim approves or is incapacitated and “the provider believes it is necessary to prevent harm.” The government agency accepting the report is required to attest that “the information will not be used against the patient” and “that immediate enforcement activity depends on [obtaining] the information,” she says.

Disclosures Must Be Entered in Logs

In addition, Ruelas reminds CEs that their “policies on how the staff is to respond” when law enforcement is involved should include “how this is to be reported both to authorities but also internally as well, such as to risk management or administration.”

And, as the Oregon law enforcement guide notes, disclosures need to be logged for the patient to obtain later. “The HIPAA Privacy Regulations require a hospital to give an accounting of certain disclosures, including disclosures to law enforcement made without patient authorization, upon the request of the patient,” it states.

However, there are also provisions that allow law enforcement to request a suspension of this “[a]ccounting for a time period specified by law enforcement if they provide a written statement that an [a]ccounting would be reasonably likely to impede the agency’s activities and specifying the time for which such a suspension is required.”


Kentucky looks at mobile driver licenses

We have reported on state initiatives on improved or modernized driver licenses. 

A NAHAM member of the Public Policy and Government Relations Committee shared this article, "Kentucky Holds Hearing on Mobile Driver Licenses," from SecureID News.  We note that because many in Patient Access use the driver license as the patient ID, this could have big implications.  What will you do if the driver license is electronic only - on a patient's smart phone?

The article may be found at --

Two states have started piloting mobile driver licenses and at least five others want to explore putting the credentials on smartphones. Kentucky proposed legislation that would study the feasibility of mobile driver licenses this year but the bill died in committee. That didn’t stop legislators and other government officials from hosting a Joint Committee on Transportation hearing that discussed mobile driver licenses.

“The goal is to give the Commonwealth a background on the issue and the progress in other states,” says Chad Grant, vice president at Grant Consulting Group. HID Global executives testified at the hearing, giving officials information on the latest developments with placing the credentials on mobile devices.

The company talked about its proof of concept for a mobile driver license and what is involved with such a project, says Kathleen Carroll, vice president of corporate affairs at HID Global. Officials from the company also met with the Kentucky State Police to get some feedback on the idea of mobile driver licenses.

“When discussing a mobile driver’s license, there are four key stakeholders that should have significant input into any solution: citizens, law enforcement, federal authorities and state licensing authorities,” Carroll says.

States are looking at mobile driver licenses to increase security and convenience, Carroll says. Individuals have to carry around multiple IDs for different purposes – driver license, health care, work, etc. By placing identity on a mobile device individuals will only have to carry the smartphone.

“Because there is a secure trusted relationship between the state licensing authority and the citizen’s smartphone, new services can be added and the need to stand in long lines can be eliminated,” Carroll says. “Additionally, driver’s licenses built on a secure mobile technology platform will give citizens more control over their personal information allowing them to choose when and with whom they share their information, and as importantly, how much information they share.”

Law enforcement has concerns over mobile driver licenses, but Carroll explains how the system can make their jobs easier. “When appropriate, a secure mobile driver’s license platform would allow the authentication of a person’s ID from a safe distance by using Bluetooth technology to give law enforcement officers more time to determine if a traffic stop is routine or more complex,” she says.

The system could also help alleviate problems with counterfeiting licenses. During provisioning of the license to the smartphone, the system would establish a mutually authenticated channel between the provisioning service and the mobile device that ensures safe delivery of data. “A mobile credential would only be sent to a mobile device through a secure service by an authorized state licensing authority,” Carroll explains. “Likewise, during use of the credential, a mutually authenticated channel is established between the mobile device and the relying party application. This ensures a secure private transaction independent of Bluetooth, NFC or any other transport protocol.”

Thursday, September 17, 2015

Deconstructing the FCC’s Declaratory Ruling on TCPA Regulations – What it Means for Healthcare Providers

The Federal Communications Commission (FCC) issued a Declaratory Ruling and Order on July 10, 2015, clarifying several exemptions under the Telephone Consumer Protection Act (TCPA) regulations that are common to healthcare organizations. These were raised in a petition filed by the American Association of Healthcare Administrative Management (AAHAM) regarding the exemption from prior express consent for “healthcare-related messages”.

The HIPAA exemption in the TCPA regulations currently extends to advertising and marketing calls to cell phone and residential landline phone numbers. Under the exemption, calls that deliver a healthcare message made by or on behalf of a “covered entity” or its “business associate,” as defined in HIPAA, do not require the prior express written consent of the party called. 

The FCC found that for calls subject to the HIPAA exemption, an individual’s voluntary provision of his or her cell telephone number to a healthcare provider constitutes prior express consent to be called on that number. The FCC had already ruled in a different proceeding that an individual’s provision of his or her cell phone number is “effectively an invitation to be contacted at that number”, as long as the calls or texts are limited in scope to the purpose the number was provided in the first place. The FCC extended that reasoning to calls and texts in the healthcare context.  It is important to note that only HIPAA-covered entities and their business associates can make healthcare calls subject to this exemption and calls must be within the scope of the consent given. 

The FCC also addressed situations where a patient is incapacitated and unable to provide a telephone number directly to a healthcare provider, while a third party intermediary may be able to provide a number.  The FCC ruled that where a party is unable to consent because of medical incapacity, prior express consent to make healthcare calls subject to HIPAA may be obtained from a third party.  Consent by a third party on behalf of an incapacitated party will end when the party is no longer incapacitated.  In such an instance, the provider must get prior express consent from the party being called. 

The FCC also clarified that certain free-to-end-user non-telemarketing healthcare calls are exempt from the prior express consent requirement.  The FCC found that such calls can provide vital, time-sensitive information that patients welcome, expect and often rely on to make informed decisions. 

The FCC found that acceptable calls that fall under this “free-to-end-user” call exemption include:

- Appointment and exam confirmations and reminders
- Wellness check-ups
- Hospital pre-registration instructions
- Pre-operative instructions
- Lab results
- Post-discharge follow-up intended to prevent readmission; prescription notifications
- Home healthcare instructions

It is important to note that the FCC made clear that healthcare calls related to accounting, billing, debt collection or containing other financial content are not part of this exemption. 

Also, the content of the exempt calls is still subject to HIPAA privacy rules. The FCC said the information provided in these calls and texts “must not be of such a personal nature that it would violate the privacy of the patient if, for example, another person received the message.”

Exempt calls are subject to these FCC-imposed limitations:

1) Calls must be free to the end user;
2) Calls must be made by or on behalf of a healthcare provider;
3) Calls can only be made or sent to the cell phone number provided by the patient;
4) Calls or texts must state the name and contact information of the healthcare provider;
5) Calls or texts must be “concise” (one minute or less for voice calls and 160 characters or less for text messages);
6) Healthcare providers may only make one exempt call or send one exempt text per day (per recipient), with a weekly limit of three total calls or texts (per recipient); and
7) Healthcare providers must offer recipients an opportunity to opt out of receiving these types of calls or texts, and honor those opt-outs immediately.

The exclusive method for opting out of text messages is for the recipient to reply with the word “STOP”.  Recipients must be given this instruction.
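As an added illustration (not part of the original post or of the FCC ruling), here is a small Python gate that applies the seven conditions and the STOP opt-out to outbound texts before they are sent. The provider name and phone numbers are constructed placeholders, the financial-keyword list stands in for a real content review, and the rolling 24-hour and 7-day windows are an assumption about how “per day” and “weekly” are counted.

```python
from collections import defaultdict

MAX_CHARS = 160   # condition 5: texts of 160 characters or less
MAX_PER_DAY = 1   # condition 6: one exempt text per recipient per day
MAX_PER_WEEK = 3  # condition 6: three per recipient per week
DAY = 86400       # seconds
# Constructed keyword list standing in for a real content review (assumption).
FINANCIAL_TERMS = ("billing", "balance", "payment due", "debt", "collection")

class ExemptTextGate:
    def __init__(self, provider_name, provider_phone, patient_numbers=()):
        self.provider_name = provider_name
        self.provider_phone = provider_phone
        self.consented = set(patient_numbers)  # numbers the patient supplied (condition 3)
        self.opted_out = set()                 # numbers that replied STOP (condition 7)
        self.sent = defaultdict(list)          # number -> epoch seconds of exempt texts

    def handle_inbound(self, number, body):
        """STOP is the exclusive opt-out keyword; honor it immediately."""
        if body.strip().upper() == "STOP":
            self.opted_out.add(number)
            return True
        return False

    def check(self, number, body, now):
        """Return (allowed, reason) for a text at epoch time `now`; records nothing."""
        if number not in self.consented:
            return False, "number was not provided by the patient"
        if number in self.opted_out:
            return False, "recipient opted out"
        if any(term in body.lower() for term in FINANCIAL_TERMS):
            return False, "financial content is outside the exemption"
        if self.provider_name not in body or self.provider_phone not in body:
            return False, "text must name the provider and give contact info"
        if len(body) > MAX_CHARS:
            return False, "text exceeds %d characters" % MAX_CHARS
        # Rolling 24h and 7-day windows (assumption: the ruling says "per day" and "weekly").
        history = self.sent[number]
        if sum(now - t < DAY for t in history) >= MAX_PER_DAY:
            return False, "daily limit reached"
        if sum(now - t < 7 * DAY for t in history) >= MAX_PER_WEEK:
            return False, "weekly limit reached"
        return True, "ok"

    def send(self, number, body, now):
        allowed, reason = self.check(number, body, now)
        if allowed:
            self.sent[number].append(now)  # only successful exempt texts count toward the limits
        return allowed, reason
```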

Did the FCC address your questions regarding your system’s practices? Do you have any specific practices you are still not sure about? Let us hear from you. Chances are other NAHAM members have the same questions and are finding answers.

The FCC’s Declaratory Ruling and Order may be found at its webpage using this address:

A “NAHAM TCPA Checklist” as well as a longer version of this blog, NAHAM’s “Deconstructing the FCC’s Declaratory Ruling on TCPA Regulations – What it Means for Healthcare Providers”, may be found on the NAHAM webpage using this address: