Does HIPAA and the HITECH Act Impact Medical Device and Pharma Companies?

The Question:

Are medical device or pharmaceutical companies designated as a qualifying entity subject to HIPAA and HITECH?

The Answer:


Classifying the entity

Are medical device or pharmaceutical companies designated as a qualifying entity subject to HIPAA and the HITECH Act? Yes. In general, a provider that “transmits any health information in electronic form in connection with a transaction covered by this subchapter” is considered a covered entity. Moreover, according to 45 CFR §160.103(2)(ii)(3), “a covered entity may be a business associate of another covered entity.” In fact, in an October 2012 report issued by the Office of the Inspector General, “CMS Response to Breaches and Medical Identity Theft,” CMS recognized that, as a government agency, it is itself subject to HIPAA, the HITECH Act and related rules.

In turn, a business associate, as defined by the HIPAA Rules, is “a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of protected health information” (emphasis added). A subcontractor is a person who contracts with a business associate and stores, handles or transmits PHI. In either case, under Section 164.308(b) of the Security Rule and 164.502(e) of the Privacy Rule, a covered entity or business associate is required to enter into an arrangement known as a business associate agreement, which sets the parameters and provides some legal protection when a contracted entity is handling PHI.

Effective Feb. 18, 2010, Section 13408 of the HITECH Act provides that health information organizations, e-prescribing gateways, vendors of personal health records and other persons that facilitate data transmission and require access to PHI, regardless of their status as a covered entity, business associate or subcontractor, are subject to business associate agreements in accordance with the HIPAA Rules.

Therefore, medical device and pharmaceutical companies can be classified as a qualifying entity subject to HIPAA and the HITECH Act. As such, they must handle, store and transmit PHI in accordance with the requisite laws and regulations. The consequences from civil and criminal monetary penalties alone are significant. Since the HITECH Act expressly expanded HIPAA’s requirements to business associates and subcontractors, the same standards for access to medical records, business associate agreements and other provisions apply equally to them.

Patient access rights

The article highlights the tension between patients who want access to the health data generated by a medical device implanted in them and the medical device company that holds that data. According to a representative of a medical device maker quoted in the article, “Federal rules prohibit giving Ms. Hubbard’s data to anyone but her doctor and hospital. Our customers are physicians and hospitals.” In general, 45 C.F.R. §164.524, Access of Individuals to Protected Health Information, sets forth the parameters of the HIPAA Privacy Rule. Included in these standards are the circumstances under which protected health information must be provided to a patient, along with the exceptions. Nothing in the scenario of PHI being transmitted from a patient’s implant to a medical device company, which would be classified as a business associate in this instance, invokes an exception that would permit denying the patient’s request.

Section 13410(d) of the Health Information Technology for Economic and Clinical Health Act authorizes penalties to be assessed for violations of the Privacy Rule. In February 2011, HHS issued a Final Notice of Determination and held Cignet Health, a business associate, liable for $4.3 million in civil monetary penalties after it denied 41 patients access to their medical records. As OCR Director Georgina Verdugo indicated, “covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements.” And, “The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.” This area should be considered when drafting business associate agreements. Therefore, business associates such as Medtronic are required to release PHI to the patient requesting it, unless one of the exceptions is met and the patient is so informed.

“How Does HIPAA and the HITECH Act Impact Medical Device and Pharma Companies?”. Becker Hospital Review, US. Retrieved December 20, 2018.

HHS seeks public input on improving care coordination and reducing the regulatory burdens of the HIPAA Rules

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), issued a Request for Information (RFI) seeking input from the public on how the Health Insurance Portability and Accountability Act (HIPAA) Rules, especially the HIPAA Privacy Rule, could be modified to further the HHS Secretary’s goal of promoting coordinated, value-based healthcare. This RFI is a part of the Regulatory Sprint to Coordinated Care, an initiative led by Deputy Secretary Eric Hargan.

HHS developed the HIPAA Rules to protect individuals’ health information privacy and security interests, while permitting information sharing needed for important purposes. However, in recent years, OCR has heard calls to revisit aspects of the Rules that may limit or discourage information sharing needed for coordinated care or to facilitate the transformation to value-based health care. The RFI requests information on any provisions of the HIPAA Rules that may present obstacles to these goals without meaningfully contributing to the privacy and security of protected health information (PHI) and/or patients’ ability to exercise their rights with respect to their PHI.

“This RFI is another crucial step in our Regulatory Sprint to Coordinated Care, which is taking a close look at how regulations like HIPAA can be fine-tuned to incentivize care coordination and improve patient care, while ensuring that we fulfill HIPAA’s promise to protect privacy and security,” said Deputy Secretary Hargan. “In addressing the opioid crisis, we’ve heard stories about how the Privacy Rule can get in the way of patients and families getting the help they need. We’ve also heard how the Rule may impede other forms of care coordination that can drive value. I look forward to hearing from the public on potential improvements to HIPAA, while maintaining the important safeguards for patients’ health information.”

“We are looking for candid feedback about how the existing HIPAA regulations are working in the real world and how we can improve them,” said OCR Director Roger Severino. “We are committed to pursuing the changes needed to improve quality of care and eliminate undue burdens on covered entities while maintaining robust privacy and security protections for individuals’ health information.”

In addition to requesting broad input on the HIPAA Rules, the RFI also seeks comments on specific areas of the HIPAA Privacy Rule, including:

  • Encouraging information-sharing for treatment and care coordination
  • Facilitating parental involvement in care
  • Addressing the opioid crisis and serious mental illness
  • Accounting for disclosures of PHI for treatment, payment, and health care operations as required by the HITECH Act
  • Changing the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices

Public comments on the RFI will be due by February 11, 2019. The RFI may be downloaded from the Federal Register at:

“HHS seeks public input on improving care coordination and reducing the regulatory burdens of the HIPAA Rules”. United States Department of Health, US. Retrieved December 12, 2018.

Memo: subsidiary websites

The question

We have our [redacted] website but just found that our substance abuse team has created another website that specifically addresses addiction and the services provided. The only association it has with our office is a small little logo at the bottom of the page. And the telephone number listed goes directly to a staff member’s cell phone. Do you find this an issue?

The answer

Strictly regarding subsidiary websites, there is no violation or problem that arises from this issue alone. Many hospitals and practices enable the use of separate websites when services are differentiated substantially from the parent organization.

However, the problem with the [redacted, subsidiary] team website is that this website was created without the prior express authorization of the parent organization. The website was created and is managed outside of the normal reach of the parent organization and the project was undertaken in violation of the organization’s policies and procedures (this is assumed, based on unseen policies and procedures).

The inclusion of a staff member’s cell phone number on the site as the primary method for contacting the substance abuse team creates a chain-of-custody problem. A patient suffering from substance abuse might leave sensitive information in a voicemail on the staff member’s personal cell phone. Since the organization cannot provide any assurance as to the privacy and security of that potentially sensitive information, such an incident could be considered an unauthorized disclosure.

Depending on the organization’s policies and procedures regarding a BYOD (bring your own device) policy and mobile device management, this creates a continual vulnerability for sensitive information to be disclosed, unintentionally or otherwise.

Additionally, the substance abuse website might not sufficiently publicize the organization’s notice of privacy practices (this is assumed, based on unseen website).

Suggested corrective action

The website should immediately be brought under the direct control of the parent organization, made inaccessible to the public until corrective action is complete, and evaluated by the designated individuals responsible for website maintenance. Any deficiency should be brought into compliance in accordance with the organization’s policies and procedures. The staff responsible for acting outside of the organization’s policies and procedures should be made aware of the problems their actions have caused, along with appropriate disciplinary sanctions.

Phishing Attack Exposes Patient Records in Washington

A Vancouver surgery center notified more than 2,000 patients of a recent email-based cyberattack and data breach that targeted Social Security, credit card numbers and other personal information.

The Southwest Washington Regional Surgery Center in Vancouver has been hit by a data breach, which may have revealed personal information from 2,393 patients including names, Social Security numbers, driver license numbers, medical information and some credit card numbers.

Not all patients were affected. A notice posted on the center’s website says the office notified the 2,393 affected patients last week, on Nov. 6.

The breach involved a phishing attack that allowed hackers to gain access to one employee’s email, according to the notice. The list of affected patients and compromised data was determined by reviewing the emails on the employee’s account.

The notice says that the email box was compromised between May 27 and [August] 13. After learning of the breach, the center hired external cybersecurity professionals and launched a forensic investigation, which concluded [September] 25.

The center is offering free enrollment in a credit monitoring and identity theft restoration service for impacted patients, and the company also notified patients about ways to protect their information including monitoring their bank statements and placing a security freeze on their credit files.

The website notice says the company has found no evidence the compromised information has been misused.

The company has set up a response hotline for affected patients: 888-891-8399. The center has also updated its passwords and enhanced its email access protocols to prevent further breaches.

A representative at the hotline and an employee at the company’s office said they would forward questions about the breach to center officials. Those officials did not return the calls on Tuesday.

The Southwest Washington Regional Surgery Center is an outpatient surgery center that performs general surgery and also features a variety of specializations including orthopedic, spine, podiatry, pain management and plastic surgery. The center handles almost 8,500 cases per year, according to its website.

News of the center breach comes just a month after a similar breach was publicly reported by Vancouver-based Rebound Orthopedics and Neurosurgery, which operates offices in the same building where the center is located: the Physician’s Pavilion building at PeaceHealth Southwest Medical Center.

Rebound and the center appear to be primarily owned by the same group of physicians, according to the center’s website and business registration records at the Washington State Department of Revenue.

The two breaches also share some characteristics; the Rebound breach was reported to have taken place on May 22 — just a week before the center breach — and also involved a successful phishing attack that gained access through a single employee’s email account.

However, a Rebound official named Todd Carpenter, reached by email on Tuesday, said the two data breaches were unrelated.

Rebound executive director John Bauman told The Columbian in October that the company’s employees are trained to scrutinize suspicious emails, but the phishing email appeared to have been sent by a known representative of the company’s landlord.

According to PeaceHealth spokeswoman Debra Carnes, the Pavilion building is physically connected to the adjacent PeaceHealth hospital and PeaceHealth leases some of the Pavilion’s offices, but the building itself is not owned or operated by PeaceHealth.

The Physicians Pavilion building appears to be owned by Pacific Medical Buildings, a California-based real estate company. The company’s website advertises vacant office suites in the Pavilion. Pacific Medical Buildings did not return calls requesting comment when the Rebound breach was reported in October, and again did not return calls on Tuesday.

“Phishing Attack Exposes Patient Records in Washington”. Government Technology, US. Retrieved November 29, 2018.

Memo: reasonably anticipated threats to protected health information

What are possible threats to protected health information (PHI), electronic (ePHI) or otherwise?

The US Department of Health and Human Services defines a threat as “the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.” Threats are broken down into three categories:

  • Environmental: referring to immediate physical environments, such as offices or data centers
  • Natural: referring to weather, natural disasters, mass human events, and Acts of God
  • Human: referring to individuals who could cause harm, either inadvertently or negligently, or intentionally and maliciously

Aligned Risk Management has identified the following reasonably anticipated threats to the security, privacy and availability of ePHI.

  1. Environmental Threats
    1. Internet outage: Failure of application server to connect to internet, failure of DNS servers to resolve server domain name, upstream connection failure, and other internet outages.
    2. Power outage: Failure of power systems at the data center, failure of power supply to the data center, and other power outages.
    3. Hardware failure: Failure of any hardware component of the server or data center where the application is hosted. Refers to failures caused by wear, age, design flaws, and other inherent hardware weaknesses.
    4. Software failure: Failure of any application, operating system or other software component to operate as intended. Includes malware infections, data corruption, functional failures.
    5. Site pollution: Fire, spills, accidents, etc.
  2. Natural Threats
    1. Floods, earthquakes, tornadoes, landslides, etc.: Any unpredictable large-scale threat over which humans have no control. Also includes mass human events, such as war, terror attacks, strikes, epidemics, alien invasions, zombie apocalypse, etc.
  3. Human Threats
    1. Internal threats: Authorized users, staff, Business Associates, trusted advisors, etc. The least dramatic but most common threats to the security, privacy and availability of ePHI.
      1. Inadvertent disclosure of ePHI: Unintentional action by authorized user or failure of Application that inadvertently discloses any ePHI to any unauthorized user
      2. Inadvertent data entry, modification or deletion: User error. Accidental and unintentional action or omission by an authorized user that causes damage to the security or availability of ePHI
      3. Malicious disclosure of ePHI by authorized user: Deliberate disclosure by authorized user who intends to obtain some personal gain or to cause harm
      4. Malicious destruction of ePHI by authorized user: Deliberate sabotage by authorized user who intends to cause harm
    2. External threats: Ex-employees, hackers, thieves, etc.
      1. Unauthorized observation of ePHI: Unauthorized person is able to observe improperly-controlled ePHI
      2. Unauthorized person gains access using genuine credentials: Attacker successfully logs into a controlled system using a genuine username and password or other credentials of an authorized user
      3. Technological attack against a controlled system: Attacker exercises a technological vulnerability of an ePHI system still controlled by the covered entity
      4. Technological attack outside any control or response: Attacker gains indefinite physical control of an ePHI system and is able to exercise vulnerabilities without detection or intervention by covered entity
      5. Social engineering: Attacker uses psychological manipulation to induce authorized users to act against security policies or divulge confidential information
      6. Malicious destruction of ePHI by unauthorized user: Deliberate sabotage by attacker who intends to cause harm
  4. Compliance Gaps
    1. Civil liability for failure to implement HIPAA-mandated specification: Failure to implement or adequately document certain required policies and procedures
    2. Civil liability for failure to follow documented policies: Failure to implement or adequately document certain required policies and procedures

The National Law Review outlines potential changes in HIPAA

Changes Ahead for HIPAA?


As [previously] discussed […], the Department of Health and Human Services (HHS) recently published its semi-annual regulatory agenda. In addition to the proposed rules on fraud and abuse, drug pricing, digital health, and devices, the agenda includes topics that could bring significant changes to HIPAA regulations and other health care privacy rules.

On the enforcement side, HHS plans to issue a request for information on a proposal to share with affected individuals a percentage of the money paid by health care organizations through civil monetary penalties or monetary settlements resulting from data breaches. The request was supposed to be issued in November but has been pushed to January. There is currently no clear methodology for determining when an individual is harmed by a data breach and how much money any one individual would deserve for the resulting harm. This determination would be particularly difficult for large data breaches involving hundreds, if not thousands, of unspecified victims whose information may have been left vulnerable but not actually exploited.

HHS’s list also includes a request for information on whether HIPAA regulations are stalling progress toward increased care coordination and value-based payment systems, both of which require sharing of patient information. As providers are encouraged to work together more to improve patient outcomes and decrease costs, the flow of information between them can be restricted due to HIPAA concerns.

Finally, the list includes another topic often seen as an impediment to coordination of care: 42 CFR Part 2. HHS plans to release a notice of proposed rulemaking in March 2019. This move comes after Congress failed to pass a bill aligning 42 CFR Part 2 with HIPAA. The legislation would have permitted providers to share information about patients subject to 42 CFR Part 2 for the purpose of treatment, payment, and operations involving such patients, similar to HIPAA. The change would have promoted patient treatment and outcomes, which is particularly important in light of the current opioid epidemic, but Congress decided not to add it to the final opioid package passed in September.

We will be closely monitoring these proposals. Stay tuned.

“Changes Ahead for HIPAA?” The National Law Review, US. Retrieved November 6, 2018.

Your medical record is worth more to hackers than your credit card