AMARILLO, TX – DME suppliers are “covered entities” as defined by HIPAA. This means that suppliers must comply with HIPAA statutes and regulations. If confidential patient information (protected health information) is used or disclosed by the DME supplier in contravention of HIPAA requirements, then the supplier must take certain steps to address the problem.
This article discusses what a HIPAA “breach” is and the steps that the supplier needs to take to respond to one. For purposes of this article, assume that an employee of a DME supplier resigns (“resigning employee”) and goes to work for a competitor. Before he resigns, assume that the resigning employee downloads and takes with him (i) a Sales Report that includes names and contact information of customers and (ii) a work-in-process (“WIP”) report (“WIP Report”) that includes names and insurance company information of customers.
What Constitutes a Breach
HIPAA defines “breach” generally as “the [impermissible] acquisition, access, use, or disclosure of protected health information . . . which compromises the security or privacy of the protected health information.” “Protected health information” (“PHI”) is defined as “individually identifiable health information . . . that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium.” Lastly, “individually identifiable health information” is defined as:
[I]nformation that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a [covered entity]; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.”
A breach occurs when PHI is acquired, accessed, used, or disclosed in a manner that is not permitted under HIPAA. As a covered entity, a DME supplier is permitted to use and disclose PHI under specific situations outlined in 45 C.F.R. §164.502. Furthermore, the definition of breach does not include the following:
- “Any unintentional acquisition, access, or use of [PHI] by a workforce member. . . if such acquisition, access, or use was made in good faith and within the scope of authority. . . ;”
- “Any inadvertent disclosure by a person who is authorized to access [PHI] at a covered entity. . . to another person authorized to access [PHI] at the same covered entity. . . ;” or
- “A disclosure of [PHI] where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.”
The access and/or use of patients’ PHI by a resigning employee is not a permissible use or disclosure of PHI by the employer (the DME supplier). The HIPAA regulations (45 C.F.R. §164.402) provide that such access and/or use will be presumed to be a breach unless the covered entity (i.e., the DME supplier) can demonstrate that there is a low probability that the PHI has been compromised, based on a risk assessment of at least the following factors:
- “The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;”
- “The unauthorized person who used the protected health information or to whom the disclosure was made;”
- “Whether the protected health information was actually acquired or viewed; and”
- “The extent to which the risk to the protected health information has been mitigated.”
Assume that the resigning employee takes the Sales Report described above with him. In this scenario, the likelihood that the patients’ PHI was compromised is high: the report contains names paired with contact information, it was actually acquired and removed from the supplier’s control, the person holding it now works for a competitor, and the supplier has little ability to mitigate the risk once the data has left its systems. Although the resigning employee likely had the authority to view the information while he was an employee, he used the information after his employment ended, without authority from the supplier or consent from the patients. As such, a breach of PHI has occurred with regard to the Sales Report information.
Assume also that the resigning employee takes with him the WIP Report described above. Assume that, apart from the patient names and insurance company information, the WIP Report contains no contact information or other identifiers. Patient names tied to insurer information are still PHI, so the same four-factor risk assessment applies; whether taking the WIP Report rises to a reportable breach can be determined only once the DME supplier knows the full extent of the information taken and what mitigation is possible (for example, recovering or obtaining the destruction of the copy). A record of the DME supplier’s analysis and decision should be kept, because the burden of demonstrating a low probability of compromise rests on the supplier.
Notification of Breach
The breach notification steps for the patients affected by a HIPAA breach are summarized below.
Notice to Individuals
Covered entities are required to notify each individual affected by the breach by written notice via first class mail or email. The notification should include the following elements:
- A brief description of the breach, including the date of the breach and the date that the breach was discovered;
- A description of the types of PHI that were involved;
- Any steps that the individuals should take to protect themselves from potential harm;
- A brief description of what the covered entity is doing to investigate the breach and protect against further breaches; and
- Contact information that the individual can use to ask questions, learn additional information, etc. This contact information must include a toll-free number, an email address, website, or postal address.
These notifications must be written in plain language and be sent via first class mail to affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. The covered entity may send the notification via email only if the individual has agreed to receive electronic notification and such agreement has not been revoked. If the covered entity has insufficient or outdated contact information for fewer than 10 individuals, then it may substitute the mail or email notice with an alternative written form of notice, a telephone call, or other means. If the covered entity has insufficient or outdated contact information for 10 or more individuals, then it must provide substitute notice in the form of (1) “a conspicuous posting for a period of 90 days on the home page of [the covered entity’s website]” or (2) “conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside,” and in either case must also provide a toll-free number that remains active for at least 90 days where an individual can learn whether his PHI may be included in the breach.
If the breach of the Sales Report information involves fewer than 500 individuals, then reporting the breach to the media is not required. If a breach involves the PHI of more than 500 residents of a state or jurisdiction, then the covered entity is required to notify “prominent media outlets serving the state or jurisdiction,” in addition to providing individual notice to patients, without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.
Notice to Secretary
Covered entities are also required to notify the Secretary of the Department of Health and Human Services (the “Secretary”) of all breaches of PHI. For breaches involving fewer than 500 individuals, the covered entity is required to keep a log of all such breaches. These breaches may be reported as they occur, but if they are not, the covered entity must report them to the Secretary no later than 60 days after the end of the calendar year in which they were discovered. The breach report must be made through the Office for Civil Rights’ online portal.
For breaches involving 500 or more individuals, the covered entity is required to notify the Secretary “without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach,” through the Office for Civil Rights’ online portal.
AAHomecare’s Retail Work Group
The Retail Work Group is a vibrant network of DME industry stakeholders (suppliers, manufacturers, consultants) that meets once a month via video conference during which (i) an expert guest will present a topic on an aspect of selling products at retail, and (ii) a question and answer period will follow. The next Retail Work Group video conference is scheduled for December 13, 2018, at 11:00 a.m. Central. Lisa Wells and Kristina Rhoades, Cure Medical, will present “Learning the Voice of the Customer/End User with Disabilities.” Participation in the Retail Work Group is free to AAHomecare members. For more information, contact Ashley Plauché Manager of Government Affairs, AAHomecare (email@example.com).
AAHOMECARE’S EDUCATIONAL WEBINAR
Negotiating Managed Care Contracts
Presented by: Jeffrey S. Baird, Esq., Brown & Fortunato, P.C.
Tuesday, December 11, 2018
2:30-3:30 p.m. EASTERN TIME
Until relatively recently, DME suppliers only dealt with Medicare and Medicaid fee-for-service (“FFS”) programs. The FFS programs would establish coverage and reimbursement criteria, and suppliers would submit claims directly to the FFS programs. All of this is changing. Today, approximately 35% of Medicare beneficiaries are covered by Medicare Advantage Plans, and this percentage is increasing. Approximately 70% of state Medicaid beneficiaries are covered by Medicaid Managed Care Plans; this percentage is also increasing. A supplier’s obligations to the Plan and the Plan’s covered lives are set out in a Plan contract that the supplier signs. The contract contains coverage and reimbursement requirements. Many suppliers believe that when they are presented with a Plan contract, it is a “take it or leave it” proposition. This is not the case. While there are some contractual provisions that the Plan will likely not budge on, there are other provisions that can be negotiated. This webinar will discuss (i) the most important provisions in Plan contracts, (ii) those provisions that are normally non-negotiable, and (iii) those provisions that Plans are open to modifying. Equally important, this program will discuss practical steps that the supplier can take to increase its chances of successfully negotiating key provisions in Plan contracts.
FEES: Member: $99.00; Non-Member: $129.00
Jeffrey S. Baird, JD, is Chairman of the Health Care Group at Brown & Fortunato, PC, a law firm based in Amarillo, Tex. He represents pharmacies, infusion companies, HME companies and other health care providers throughout the United States. Mr. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization, and can be reached at (806) 345-6320 or firstname.lastname@example.org.