John Carroll

HIPAA was all bark when it came to penalties for failing to protect personal health and financial records. HITECH is already showing some bite.

Connecticut Attorney General Richard Blumenthal grabbed headlines early this year with a high-profile legal shot fired over the bow of the health insurance industry and directly at Health Net of Connecticut.

Health Net publicly acknowledged last fall that a portable hard drive loaded with millions of documents related to the health and private financial records of its members had gone missing. Acting under the Health Information Technology for Economic and Clinical Health Act (HITECH) — federal legislation passed in early 2009, providing strict new measures on data protection — Blumenthal became the first attorney general in the nation to take advantage of the expanded enforcement powers of the security law when he brought a lawsuit claiming that Health Net not only had violated a new federal rule demanding prompt consumer notification of such breaches but also had failed to encrypt the data.

The attorney general, who filed the suit just days after launching his bid for the Senate seat of Christopher Dodd, claimed that the actual loss of the data occurred in May, six months before the public was told. Both are Democrats; Dodd is retiring.

He excoriated the insurer for “foot-dragging” when it came to alerting its members.

At the beginning of March, the U.S. Department of Health and Human Services (HHS) followed up with a list of 41 separate instances in which covered entities under the law — generally plans, providers, clearinghouses, and the plans’ business associates (usually vendors) — reported security breaches in the previous five months. Several of the breaches included insurers, from the 528 health records from Brown University exposed to unauthorized access, to the 500,000 files that disappeared when a hard drive was stolen from a Blue Cross & Blue Shield of Tennessee training facility on Oct. 2, 2009.

For security experts, the Connecticut lawsuit and the spotlight that is now being trained on every security breach covered under HITECH highlight the dawn of a new era for health insurers. They spent years gaining a hard-won reputation as one of the best prepared of all industries in health care for guarding data. Now, any slip by a managed care organization — from an attack by hackers to the loss of a data disk — can expose a plan to a considerable amount of unwelcome attention, as well as the wrath of a new group of state enforcers.

“Before this law came out, some people might have detected a breach but they didn’t have to notify anyone,” says Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society (HIMSS). “Now, because of increasing regulation, there is an increased focus on breaches and notification of breaches, and we’re just now getting a glimpse of what’s going on out there.”

Officials at Blue Cross & Blue Shield of Tennessee said that they were quick to notify members just days after thieves stole computer equipment loaded with patient data. They, like Health Net, emphasized that there was no indication that any of the records had been used for some nefarious purpose — or for any other purpose.

Chronic threat

But that won’t deflect the new attention being given to something the experts see as a long-standing threat.

“This sector is a target,” says Gallagher. “Health records are rich with information about the patient. They include health information and financial information, Social Security numbers, and maybe credit cards. When there is financial identity theft, most of the required information is there. We also see medical identity theft where some records are stolen for obtaining medical care or getting care paid for.”

HITECH also unleashed a new set of consumer watchdogs when it empowered the country’s 50 attorneys general to get involved.

“The state attorneys general are a real wild card on this stuff,” says Kirk Nahra, a lawyer with Wiley Rein and a HIPAA expert who has been helping his health plan clients work on HITECH compliance. “They can do whatever they want. HHS stated they weren’t going to enforce it for six months, but that doesn’t bind the state, which is unfair.”

For others in the field, though, it is all long overdue.

“I view the HITECH Act as an extension of the HIPAA security rules,” says Brian Evans, director of program management for CynergisTek, a security consulting group that specializes in health care. “HIPAA security fell on its face. There was really no enforcement.” But HITECH added teeth to “the toothless rule” that was HIPAA.

“I can look back to the ’90s, when it was a challenge to get people to focus on the confidentiality of patient information,” adds Evans, who recently contributed a chapter on security to a new book from HIMSS. Back in 2005, when new HIPAA security rules were scheduled to go into effect, the feds did nothing and a lot of companies that were right on the cusp of compliance either backed away or just dropped the ball.

Unanswered questions

“You need to protect the data; that’s an obligation under the law,” says Gallagher. “Also, when there is a breach, you need to be prepared to deal with it and do right by your patients. There are more people watching this. You have to be on top of it. And there are a lot of consequences for not following the reporting laws.

“We’ll see more reports from HHS and see the trends,” adds Gallagher. But the message is clear: “It is time to comply and manage your risk actively.”

Of all the covered entities, though, health plans are one of the best positioned, Evans says.

“I would say plans are in a much better position, for various reasons,” Evans notes. “They’ve been more diligent in addressing the HIPAA security rule, providing leadership and execution. They have really focused on that from the get-go and realized it was a multiyear project way back when. I’m looking at health plans now that have been compliant with the HIPAA security rule and use them as an example to the provider side.”

Nahra asserts that, “The health care industry is on top of these new rules, but that doesn’t mean that everyone knows what to do every time. I’m getting a ton of questions from my clients about specific details related to risk, requirements, and the right things to do.”

But there aren’t always answers.

“HHS has promised to say what has to be included in new business associate agreements, and they haven’t yet,” Nahra noted in mid-March. “It is all over the map in terms of whether the contracts have been revised.”

Gallagher says that, “There is a real awareness issue.” At virtually every talk she gives on the subject, someone with a business associate relationship with a covered entity comes up and makes it clear that he or she has no clear understanding of what is happening.

“I’ve looked at business associates that do business with health plans and providers and it is more of a challenge for them,” agrees Evans. “They [sometimes] take care of patient information in a less than diligent manner.”

“The bottom line with business associates is that the statute is clear,” says Gallagher. “They are subject to the HIPAA security rule and portions of the privacy rule and have to disclose [breaches].”

Gallagher concedes that she is also waiting for the feds to dot all the I’s and cross all the T’s.

“We are waiting to hear from [the HHS Office of Civil Rights] on what the compliance audits will look like,” Gallagher adds. “They have said they are busy writing other regulations, but this is a big topic of interest. How will they conduct audits, who gets audited, and why?”

Contributing Editor John Carroll can be reached at

HITECH just extends the HIPAA security rules, says Brian Evans of the CynergisTek security consultancy.

Deadline pressure is causing commotion among the covered entities, says Kirk Nahra, a HIPAA/HITECH specialist.