-1- When looking at a compliance issue, one key issue is to establish precisely what the Information System under consideration involves.
As the case makes clear, the system includes all direct and indirect subcontractors of a particular healthcare provider who have access to personal medical records from the provider.

-2- Whether mandated by law or decisions internal to the organization itself, compliance is always diluted by a long chain of command.
From a criminal mindset, the benefits are twofold:

• - escape enforcement by creating a distinct legal entity or operating in a distinct sovereign country (or both)
• - deny responsability by creating reasonable doubt on one's knowledge of the incriminatory facts

• - UC San Francisco Medical Center (CA)
• - Transcription Stat (CA)
• - Sonya Newburn (FL)
• - Tutranscribe/Tom Spires (TX)
• - Lubna Baloch (Pakistan)

-3- When law enforcement concerns data sent across geographic boundaries, the operating concept is the so-called "safe harbor". See case II-2

-4- One should not be carried away by the focus of the article on outsourcing abroad. The existence of cascading subcontractors is the first issue to consider.

-5- Compliance must be understood from the start in relation to risk management. It cannot be overemphasized that the level of risk depends on each specific participant.
For a patient whose personal privacy had been endangered, it may seem irrelevant. But each legal entity in the chain has been affected very differently.

• - for UCSF Medical Center:
  • - reputation risk: for an organization dealing with consumers, this can be significant if it spawns a consumer boycott. In this case it is unlikely.
  • - legal risk: in the instance, the risk is minimum unless the contract with Transcription Stat, or its supervision of a subcontractor, are at odds with industry practice. but any chink in its legal position would open the way to large damages under the "deep pocket" theory
  • - financial risk: the risk again is minimum but the case may well force extra costs through a reduction in the pool of authorized subcontractors.
• - for Transcription Stat:
  • - reputation risk: for an organization selling commodity services to large businesses, this can lead to immediate and grave financial risks, as in the case
  • - legal risk: in the instance, the risk is small unless the contract with Sonya Newburn, or its supervision of a subcontractor, are at odds with industry practice.
  • - financial risk: see fatal consequence of above reputation risk
• - for Sonya Newburn:
  • - reputation risk: small, shady operators carry no significant reputation risk as they can and do change their business identity at little cost
  • - legal risk: the risk is real but mitigated by distance (Florida is far from California), insignificance (if not for the SF Chronicle) and the difficulty to find a victim. However imagine a prominent citizen (US Senator, movie celebrity...) learnt his or her privacy has been recklessly endangered...
  • - financial risk: it is highly probable that this operator was unprepared for the downside of trying to extract top profits by squeezing its suppliers.
• - for Lubna Baloch:
  • - reputation risk: resorting to blackmail is fraught with fatal risks unless one is contemplating a career as a shady operator.
  • - legal risk: nil
  • - financial risk: see fatal consequence of above reputation risk

General Comments:

-1- The core of the HIPAA statute from the point of view of this course is made of:

• - SEC 1173 d, Security Standards for Health Information, supplemented by the so-called security rule
• - SEC 264, Recommendations with Respect to Privacy of certain Health Information, supplemented by the so-called privacy rule

• - read the relevant sections of the statute for general understanding of principles
• - study the implementation guidelines provided by HHS for practical implementation
• - use the text of the actual rules for reference only

-2- Notice however the development entitled "The Importance of Privacy" included in the privacy rule (pp 4-6 in pdf file 01). Most of it applies well beyond the healthcare industry. For example take the following quote:
"Moreover, electronic health data is becoming increasingly ‘‘national’’; as more information becomes available in electronic form, it can have value far beyond the immediate community where the patient resides. Neither private action nor state laws provide a sufficiently comprehensive and rigorous legal structure to allay public concerns, protect the right to privacy, and correct the market failures caused by the absence of privacy protections. Hence, a national policy with consistent rules is necessary to encourage the increased and proper use of electronic information while also protecting the very real needs of patients to safeguard their privacy."
Mentally suppress the word "health" and replace "patient" by "consumer". One may think of credit reports, consumer buying profiles...

-3- The person responsible for compliance in a specific health organization must remember that HIPAA does not supersede applicable state laws and regulations whenever they enact stricter requirements.

-4- When the Law is applied to data, MIS and the Law share the same perspective. Examples follow.

• -a- The HIPAA statute starts with a series of definitions so that later meaning becomes as little ambiguous as possible. Compare to the need to start any MIS task by precisely defining the system under consideration.
• -b- The HIPAA statute makes explicit mention of costs to avoid unreasonable security expenses (SEC 1173 d 1 A ii)
• -c- The HIPAA statute makes explicit mention of personel training (SEC 1173 d 1 A iii)
• -d- The HIPAA statute attaches special importance to coding of the data for recording and processing (see the notion of "code set") (SEC 1171)
• -e- The Security and the Privacy rules prepared by HHS make explicit reference to the media used for the data. While the privacy rule applies to all media, the security rule concerns itself solely with electronic recording and communication.
• -f- The distinctions made by the Security rule between administrative, physical and technical requirements apply well beyond the healthcare industry.

-5- Major parts of the privacy rule address the need to:

• - publish a privacy notice (privacy rule paragraph 164.520)
• - account for disclosures of protected health information (PHI), for example upon request from a patient (privacy rule paragraph 164.528)
• - sollicit individual authorization for disclosure from all patients involved when a particular task or process require it (privacy rule paragraph 164.508)

• (1) To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, unless the communication is made:
  • (i) To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits.
  • (ii) For treatment of the individual; or
  • (iii) For case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.
• (2) An arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.
  [...]
  Uses and disclosures for which an authorization is required.
  [...]
• (3) Authorization required: Marketing.
  • (i) Notwithstanding any provision of this subpart, other than the transition provisions in § 164.532, a covered entity must obtain an authorization for any use or disclosure of protected health information for marketing, except if the communication is in the form of:
    • (A) A face-to-face communication made by a covered entity to an individual; or
    • (B) A promotional gift of nominal value provided by the covered entity.
  • (ii) If the marketing involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved."

-6- One must carefully distinguish "personal identity" and "individually identifiable health information". HIPAA is concerned with the latter (see SEC 1177).
For example, suppose that the Computer Science professor of a small town high school happens to be given access to summary medical records of the local hospital for some school project. All names and addresses have been expunged from the data sent to the professor but, as this information bears on medical conditions, age, sex, race and occupation appear in the summary. The professor finds out that a male, aged 45, african american, a high school teacher, has prostate cancer. In retrospect this would be deemed "individually identifiable health information" because there is only one person in town who fits this profile.

-7- In examining the privacy notice of Lahey Clinic, notice the declaration:
"Any other sharing of your medical information will be made only with your written permission [...] except if [...] your permission was obtained so that the services provided would be covered by insurance"
The danger of this language is that it is not clear that the permission obtained in this way is limited to compute the insurance payment. Examples from other industries show that unscrupulous companies do not hesitate to obtain "opt-in" from consumers, when required by law, by making the permission a quid pro quo for something unrelated but wanted by the consumers (e.g., check the forced Consent to Receiving Emails clause). Such "bundling" is of course against the spirit of the law.

-8- The cost table included in the privacy rule (p 1 in pdf file 07) can be used as a yard stick when developping or reviewing a compliance policy as it list a series of steps and gives their relative influence on costs. Notice the lines devoted to planning, business associates (see case study) and training.

-9- The best way to study the Security rule, which is concerned with electronic data, is to start with the checklist provided in matrix form in appendix A following paragraph 164.318 and amplified in the corresponding guidance documents.
One must note that great care is taken not to tie the rule to any specific technology. The purpose of the rule is rather to force each healthcare organization to address the problem of security explicitly and document the implementation taken so as to be able to show "reasonable care" was in fact applied.
To take an analogy, one could imagine a law mandating every company to prepare, apply and update a business plan. The accompanying rule would then go on to list the required parts to be included in the business plan with the minimum level of precision required. The plan itself would be specific to each company.
Calling outside expertise can be justified to achieve HIPAA compliance to:

• - shoulder temporary peaks in workload linked to planning and auditing, whether quantitative (body count) or qualitative (special expertise)
• - get access to benchmarks grounded in other clients' actual implementations
• - buy a measure of legal protection through an independent third party's opinions

-10- Returning to the case study, the relevant legal document today is the so-called HIPAA security rule, more particularly in its section concerned with administrative safeguards in relation with "business associates" of "covered entities". However the events related occurred in Oct 2003, after the privacy rule came into force but before the security rule became applicable.
Transcription Stat had clearly done a very poor job of obtaining "satisfactory assurances" from Sonya Newburn.
On the contrary it is highly likely that UCSF Medical Center could claim it had satisfied both the spirit and the letter of the law, shielded as it was by Transcription Stat, a reputable business, from the shady activities of Sonya Newburn.
Question: could Transcription Stat argue that it is not a covered entity according to HIPAA, only a business associate of UCSF Medical Center which is a "covered entity"? As such Transcription Stat may not be required to obtain the same level of "satisfactory assurances" from its own business associates such as Sonya Newburn.

-11- Side effects: Read in a church bulletin under the heading "Hospital Confidentiality":
"The pastoral implications of [HIPAA] are: unless a patient who is hospitalized gives explicit permission[...]

• - no mention of your hospitalization may be announced to other parishioners
• - your name may not be automatically placed on a prayer list at the church
• - nor may another person add your name to such a list"

Solutions:

This is written from the perspective of the organization.

• - Appoint a person to be clearly responsible for managing the risk associated with handling of personal medical records
• - Make sure that this person is given adequate resources relative to time, budget and authority
• - Develop, apply and maintain a compliance policy appropriate from a risk management perspective and covering the points listed in the Privacy and Security rules
• - Pay special attention to:
  • - overall MIS security:
    • - are personal medical records subject to appropriate, explicit and enforceable access rules ?
    • - is the underlying IS security up to a "reasonable level of industry standards" ?
    • - are allowable lower levels of security properly documented and justified ?
  • - the human factor:
    • - are all categories of personnel having material access of personal medical records included, informed and trained ?
    • - are all categories of personnel having no professional need for personal medical records barred from material access ?
  • - so-called business associates and how they in turn outsource the work and the data
  • - relevant changes in business conditions since the last compliance audit:
    • - whether technical (new type of software...) or organizational (new partnerships...)
    • - whether internal (reorganization...) or external (new kind of security threats...)
  • - Assess insurance coverage of HIPAA-related risks

Tools available:

• - general information:
  • center for medicare and medicaid services
• - educational material provided by the Health and Human Services Department
  • for the security rule
  • for the privacy rule
• - information made available by the healthcare industry and state bodies
  • see for example the American Medical Association
  • and : the Mass Health Data Consortium
• - internal audit of existing policies - remember this is should be a periodic activity
• - external audit by consulting companies specialized in HIPAA compliance
  see for example: Beacon Partners
  for more: Google search for HIPAA compliance audit services
• - external audit by consulting compagnies specialized in IS security
• - use of specialized software packages for implementing specific parts of HIPAA compliance such as:
  accounting of disclosures of protected health information
  see for example: Beacon Partners.com
  for more: Google search for HIPAA compliant software
• - training sessions for personnel involved in the handling of personal medical records - remember this should be an on going activity