TMA Form Helps Keep You Out of Trouble
Law Feature – January 2013
By Crystal Conde
Tex Med. 2012;109(1):51-54.
As more physicians adopt electronic health records (EHRs) and increasingly share patient information electronically, complying with state and federal privacy and security laws becomes more important than ever.
The Texas Medical Association wants physicians to have the tools they need to comply while alleviating the administrative hassles that often accompany compliance, so it has created a patient authorization form to help physicians adhere to the law. By signing the form, a patient authorizes the physician to disclose all information in the medical record including medication lists, tests, and diagnoses. The form features fields for patient demographic information and medical history.
Generally, physicians can exchange patient information for treatment and payment under state and federal law without obtaining a patient's authorization. But health care professionals must get patients' approval before exchanging some types of sensitive information, such as certain drug and alcohol abuse treatment information and psychotherapy notes.
The new form is available in TMA's Policies & Procedures: A Guide for Medical Practices. The guide also includes updated information about a state privacy law that imposes requirements more stringent than the Health Insurance Portability and Accountability Act (HIPAA) on Texas physicians and others using EHRs.
A hard copy of the guide with customizable CD is $295 for members and $395 for nonmembers. The customizable CD alone is $255 for members and $355 for nonmembers. TMA also offers a free downloadable update featuring the new patient authorization form and information on Texas' new EHR privacy law for physicians who previously purchased the policies and procedures guide.
To order the guide and to inquire about the update download, call the TMA Knowledge Center at (800) 880-7955, or email knowledge[at]texmed[dot]org.
TMA Practice Consulting will begin offering on-site HIPAA compliance training for medical practices this month. Call TMA Practice Consulting at (800) 523-8776 for more information about the training.
Additionally, Texas law requires the state attorney general to develop an authorization form for health information exchanges (HIEs) by Jan. 1. Check the agency's website for information about the form.
Follow the Law or Pay
Ignorance of privacy and security laws is no excuse, and violations are costly.
Last spring, an Arizona cardiology practice paid $100,000 and agreed to a corrective action plan after the U.S. Department of Health and Human Services (HHS) received a complaint it had posted clinical and surgical patient appointments on a publicly accessible Internet-based calendar. HHS said its investigation found the practice had few policies and procedures to comply with HIPAA, had limited safeguards to protect patients' electronic protected health information (PHI), did not document that it trained any employees on HIPAA policies, and did not identify a security official or conduct a risk analysis.
According to the 2011 Ponemon Institute Survey on Medical Identity Theft, the average health data breach costs $282 per patient record to cover expenses associated with providing patients free identity protection for one year, notifying patients of the loss, investigating the incident, and taking measures to prevent future loss or theft. In addition to being expensive for a practice, data breaches are becoming more common. HHS reports breaches of PHI increased 97 percent from 2010 to 2011, with 385 breaches affecting about 19 million patient health records. The average number of patient records per breach in 2011 was 49,396, an 80-percent increase since 2010.
The 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act revised HIPAA regulations to require physicians and others subject to the law to notify the patient when a breach of his or her unsecured PHI occurs. HHS generally defines a breach as "an impermissible use or disclosure under the [HIPAA] Privacy Rule that compromises the security or privacy of the PHI" and poses a significant risk of "financial, reputational, or other harm" to the patient.
Civil penalties for unintentional HIPAA violations range from a minimum of $100 per violation to a maximum of $50,000 per violation. Criminal penalties for fraud include a minimum $100,000 fine and up to five years' imprisonment. Individuals who violate HIPAA with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm face a maximum $250,000 fine and 10 years' imprisonment.
For more information about penalties, consult Section 13410 of the HITECH Act at www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf. (See "Mum's the Word," August 2010 Texas Medicine, pages 49–53.)
According to the 2010 and 2011 Ponemon Institute Benchmark Study on Patient Privacy and Data Security, data breaches commonly result in the following problems for physicians:
- Loss of revenue, business, and patient goodwill;
- Damage to reputation;
- Lost time and productivity;
- Cost of outside consultants and lawyers;
- Remediation, technology, and training expenses;
- Government fines and penalties;
- Lawsuits; and
- Poor employee morale.
Austin attorney Deborah Hiser says physicians would be smart not only to have a system to detect breaches but also to encrypt all confidential patient information. The reason: Physicians and business associates must provide the required notification only if the breach involves unsecured PHI. HHS has guidance on ways to encrypt PHI on its website.
TMA's policies and procedures guide is a useful HIPAA compliance tool. Ms. Hiser and attorney Ana Cowan worked with TMA to develop the guide's HIPAA and HITECH privacy and security manuals and forms. The manuals include template policies and forms for:
- Staff training on the HITECH Act requirements,
- Business associate agreements that incorporate the HITECH amendments,
- Breach risk assessments, and
- Use of email with patients.
Texas Law Tougher Than HIPAA
Texas raised the patient privacy stakes with a new law that took effect Sept. 1. For example, while HIPAA has always required physicians to train their employees, the new state law mandates training specific to the staff member's scope of employment within 60 days after he or she is hired. In addition, training must be provided at least once every two years and must be documented, says Ms. Hiser.
The Texas law directs physicians to notify patients their health information is subject to electronic disclosure, says Ms. Cowan.
Fort Worth emergency physician Matt Murray, MD, vice chair of the TMA Ad Hoc Committee on Health Information Technology, says it is especially important for physicians to become well versed in cyber liability risk and Texas' new medical records privacy law.
For instance, under the new state law, physicians using EHRs must give patients their electronic records within 15 business days of a written request (just like physicians have been required to do for paper records under state law). The state law is more stringent than the 30 days HIPAA allows. Physicians may provide the record in a nonelectronic format if the patient agrees.
Under Texas law, when breaches of security occur, physicians must now notify all affected individuals, not just patients who reside in Texas. If the affected person lives in another state, he or she must be notified under the requirements of that state. Ms. Hiser recommends physicians facing a data breach that has an impact on patients outside Texas consult an attorney for guidance on applicable state law.
"Failure to comply with state and HIPAA notice requirements has severe penalties," she said.
Dr. Murray encourages physicians to review their agreements with business associates. HHS reports 59 percent of all breaches in 2011 involved a business associate.
"Texas' privacy law doesn't address who will notify patients and who will pay for associated costs when a breach occurs. Physicians should ensure that if a breach occurs on the part of the business associate, that associate notifies the physician of the breach in a timely manner. They should also determine in writing who will cover the cost of patient notification and other related expenses," he said.
The new state privacy law also allows civil penalties up to:
- $5,000 per each negligent violation in one year;
- $25,000 per each intentional violation in one year;
- $250,000 for a violation committed knowingly and intentionally that involves using PHI for financial gain; and
- $1.5 million if a court finds "the violations have occurred with a frequency as to constitute a pattern or practice."
To avoid violating the law and facing steep penalties, Dr. Murray advises physicians to contact an attorney to ensure compliance with the new regulations and to consult their area regional extension center (REC) for assistance with security risk analysis and management.
"REC IT consultants have established relationships with medical practices and can conduct or assist the practice in completing a security risk analysis, which is a required measure for achieving meaningful use," said Dr. Murray, chair of the North Texas REC Board of Directors.
For more information on the RECs, visit TMA's REC Resource Center.
Cyber Liability Coverage
Because medical practices are vulnerable to computer hacking and identity theft due to the amount of sensitive information they collect, the Texas Medical Liability Trust (TMLT) offers cyber liability coverage. It is available to physicians, medical groups, and other entities, and it's included with a policy at no additional cost. The policy covers what TMLT considers the four most important data breach and privacy liability exposures:
- Network security and privacy coverage for third-party claims from electronic and physical information breaches, virus attacks, hacks, identity theft, and defense costs for regulatory proceedings;
- Regulatory insurance that covers administrative fines and penalties stemming from an investigation by a federal, state, or local government agency resulting from a privacy breach;
- Patient notification and credit-monitoring costs coverage that includes all necessary legal, information technology forensic, public relations, advertising, call center, and postage expenses to notify third parties about the breach of information;
- Data-recovery costs insurance that includes all reasonable and necessary costs to recover and/or replace compromised, damaged, lost, erased, or corrupted data.
At press time, TMLT had received 23 cyber liability claims and had closed six. TMLT anticipated no further expense or investigation into closed claims. Theo van Eeten, TMLT research and product development coordinator, says TMLT paid an average of $5,506 per closed claim as of November. He says the vast majority of claims pertained to privacy breaches, and the largest breach involved a server that crashed and affected 1,896 electronic patient records.
"The numbers are small so far, and the cyber liability coverage is fairly new," Mr. van Eeten said. "In addition, the easier and smaller claims tend to get taken care of a little quicker, so the 17 open claims may change the average payout significantly once they're closed."
TMLT's cyber liability coverage offers annual aggregate limits of $50,000 per insured physician.
"Medical practices should evaluate whether $50,000 is adequate coverage to meet their needs," Mr. van Eeten said. "Various factors – practice size, number of records at risk, the availability of additional insurance coverage, and the party responsible for maintaining the security of the system – influence the coverage limits a medical practice needs."
Physicians insured by TMLT can purchase additional limits, subject to underwriting, up to $1 million. TMLT also offers Medefense and cyber liability coverage combined with limits up to $1 million. For more information, call TMLT at (800) 580-8658.
Crystal Conde can be reached by telephone at (800) 880-1300, ext. 1385, or (512) 370-1385; by fax at (512) 370-1629; or by email.
HIPAA Webinar: Reduce Your Risk
Matt Murray, MD, a Fort Worth pediatric emergency physician and vice chair of the Texas Medical Association Ad Hoc Committee on Health Information Technology, conducted a webinar titled HIPAA: Reduce Your Risk, which is available on demand from TMA.
He discusses privacy, security, and patient consent concerns; Texas' new privacy law; changes to HIPAA; physician accountability and financial penalties for privacy breaches; problems that can impede the safe use of electronic health records and electronic exchange of records; risk assessment tools; and encryption.
To access the webinar, visit the TMA Education Center.