September 10, 2015

QUESTION:        Our hospital is doing a HIPAA security risk assessment and was told we have to follow guidance issued by the National Institute of Standards and Technology (“NIST”). Is that something we have to do?

ANSWER:            No. You can use the NIST publications as a guide, but you don’t have to. The HIPAA Security Rule itself does not reference the NIST guidance at all, although some NIST documents are mentioned in the Preamble to that rule. The HHS Office for Civil Rights (“OCR”) has published several papers providing useful guidance on complying with the Security Rule. In one of them, OCR says:

Although only federal agencies are required to follow federal guidelines like the NIST 800 series, non-federal covered entities may find their content valuable when performing compliance activities. As stated in the CMS frequently asked questions (FAQs) on the HIPAA Security Rule,

“Covered entities may use any of the NIST documents to the extent that they provide relevant guidance to that organization’s implementation activities. While NIST documents were referenced in the preamble to the Security Rule, this does not make them required. In fact, some of the documents may not be relevant to small organizations, as they were intended more for large, governmental organizations.

The Security Rule does not prescribe a specific risk analysis or risk management methodology. This paper is not intended to be the definitive guidance on risk analysis and risk management. Rather, the goal of this paper is to present the main concepts of the risk analysis and risk management processes in an easy-to-understand manner. Performing risk analysis and risk management can be difficult due to the levels of detail and variations that are possible within different covered entities. Covered entities should focus on the overall concepts and steps presented in this paper to tailor an approach to the specific circumstances of their organization.

Therefore, while the NIST publications might help you in doing the risk assessment, they are not binding on you.


June 25, 2015

QUESTION:        Our hospital would like to develop a “VIP” program by which certain individuals would receive special recognition when they are hospitalized. For example, current or past members of the Board of Directors or other individuals who have served the community might receive a card, flowers or a personal visit. Is such a program acceptable under HIPAA?

ANSWER:          HHS has issued no guidance on this topic. However, we believe a VIP program poses little risk under the HIPAA Privacy Rule.

The Privacy Rule permits a hospital to use or disclose protected health information for its own “health care operations.” “Health care operations” is defined broadly to include “general administrative activities,” which could reasonably be interpreted to include efforts to build and maintain relationships with individuals who are involved in the affairs of the community.

Of course, some hospitalized individuals who are particularly concerned with privacy may complain that the VIP program does not actually involve health care operations. One way to limit the possibility of such complaints is to ensure that any individual who has opted out of the facility directory, as permitted by the Privacy Rule, does not receive special recognition. More broadly, any dissemination of information within the hospital should be limited to those with a “need to know” for purposes of the VIP program.

Another way to limit complaints is to ensure that the health information of a patient is not disclosed outside of the hospital. For example, if flowers or other small gifts are ordered, they should be sent to an administrator’s office and then re-directed to the patient. Patients may expect hospital personnel to know they are hospitalized, but they may object to that information being shared with the local florist or other merchants.

We are unaware of any enforcement actions involving VIP programs, which might suggest that they are not viewed as a HIPAA violation by HHS. However, hospitals that choose to implement them should do so in a way that protects patient privacy and limits the disclosure of patient information.

June 11, 2015

QUESTION:        Our professional practice evaluation committee (“PPEC”) recently obtained an external review of a neurosurgery case that involved significant complications and a poor outcome for the patient. We shared the de-identified results of that review with the surgeon and invited him to submit his written comments and meet with the committee. Instead of doing so and without notice to the PPEC, he arranged for his own external review, by a neurosurgeon picked by him and unknown to the committee. He has submitted that review – which found no deviation from the standard of care – to the committee, with a statement indicating that no further review is required. What can we do with conflicting external reviews? Should we reprimand him for violating HIPAA?

ANSWER:        It can be frustrating when the leadership is attempting to deal openly and collegially with a colleague and its efforts are rebuffed. Such is the case here, where the neurosurgeon whose case is under review has ignored your request for his personal input and his attendance at your upcoming meeting and, instead, has obtained an unauthorized review by a third party. Your knee-jerk reaction may be to reprimand him or to disregard his unsolicited expert opinion out of hand. After all, you are trying to help this practitioner improve his performance and he is, by all observation, fighting you tooth and nail. While that perspective is understandable, we encourage you to also think about this from the neurosurgeon’s perspective before deciding on next steps.

First, to get the legal issue out of the way, please note that there does not appear to be a violation of HIPAA’s privacy regulations, since the neurosurgeon is part of an organized health care arrangement with the hospital (as are all doctors who are members of the Medical Staff) and, in any event, the disclosure of information he made to his external reviewer was limited to records of a patient that he and the hospital have both treated and was for the limited purpose of quality improvement. HIPAA permits disclosures in such situations.

While HIPAA may not have been violated, the neurosurgeon’s actions may have nevertheless violated the hospital’s policies. For example, the hospital may have policies requiring all external reviews to be arranged through a specific person (such as the CEO or CMO) or body (such as the MEC), to ensure that any contracts for such reviews include appropriate protections. Further, the hospital may require its own business associate agreement or a confidentiality policy to be signed by any reviewer prior to sending that reviewer medical records. In this case, because the review was arranged by the neurosurgeon, but involved the disclosure of the hospital’s records, the hospital lost the opportunity to protect itself through the contract with the reviewer. It would be appropriate to follow up with the neurosurgeon by requesting a copy of the business associate agreement and, consistent with any hospital or Medical Staff policy, by notifying him of the appropriate process for arranging external reviews of care provided in the hospital.

Unless there is good reason to proceed otherwise, a reprimand is probably not necessary. Absent additional facts pointing to the contrary, it seems likely that this physician did not realize that his actions in obtaining an independent review informally – and without the authorization of the hospital and its Medical Staff leaders – could violate policy.

Now that you have the neurosurgeon’s independent review in your hands – what should you do with it? Medical Staff leaders often struggle with how to proceed in cases where experts disagree. Admittedly, this can seem like a “damned if you do and damned if you don’t” sort of situation. The good news is: Most courts give great deference to the decisions of hospitals and their Medical Staff leaders in matters involving Medical Staff appointment and clinical privileges. So, when facing conflicting information, your hands are not tied. You should feel comfortable looking at all of the information at hand, weighing each piece against the totality of information, and then finalizing a decision. Things to keep in mind:

  • Don’t reject the neurosurgeon’s independent review out of hand, simply because the neurosurgeon obtained it without notice to the PPEC and without going through formal channels. Consider the qualifications of the independent reviewer and the quality of the report that he or she supplied. Ask follow-up questions, if necessary. In the end, you may reject the review if the reviewer is not adequately qualified, does not have current clinical experience, or has not delved into the parts of the case that the PPEC thinks are relevant. If you do reject the report, or choose to give it little weight, articulate your reasons for doing so – and record those reasons in the minutes of the meeting where the matter is decided.
  • If the independent review seems well-informed and the reviewer seems well-qualified, you may try to work out the conflict between the PPEC’s external review and the neurosurgeon’s external review through one or more of the following options. First, you may choose to send the report submitted by the neurosurgeon to the PPEC’s external reviewer – and ask that your reviewer comment on the contrary conclusions. Second, you may choose to send the PPEC’s external review report to the neurosurgeon’s independent reviewer – and ask that reviewer to comment on the contrary conclusions. Third, you could send both external reviews to a third external reviewer, who may act as a “tie breaker.” As a fourth option, you could choose to simply contact the neurosurgeon’s reviewer to question him about his conclusions – and verify that he had all relevant information about the care and about the PPEC’s concerns at the time he conducted his review and wrote his report.
  • In the end, the PPEC will need to weigh all of the information it has gathered before deciding how to proceed. This will mean considering all external reviews, any input from the physician, the opinions of the physicians who serve on the committee, and the physician’s peer review history, among other things. It must decide which sources of information are most credible, informative, relevant, and persuasive. Remember that the purpose of professional practice evaluation is to identify areas where there is room for improvement. Therefore, the leadership may choose to give less weight to a case review that concludes that there was “no deviation from the standard of care” (a term usually reserved for malpractice litigation, which relates only to whether the care is considered negligent by legal standards and not to whether the care satisfies your organization’s expectations) and more weight to a review which identifies strengths and weaknesses in the care that was provided.

Finally, one last point that, though discussed last, is not of least importance. The PPEC has invited the neurosurgeon to submit written feedback and to attend its upcoming meeting. The physician has ignored these requests. It is important that you follow up on these invitations – and not get sidetracked by the fact that the physician has submitted a report from an independent reviewer. Now is the time to follow up with the neurosurgeon. Tell him that you will consider the report he submitted, but that he must provide the written feedback and attend the meeting, as previously requested. If you have language in your Medical Staff Bylaws, Credentials Policy, or Professional Practice Evaluation Policy stating that individuals must provide information upon request by the leadership, or stating that they must attend meetings when given special notice that they are required to attend and that their care will be discussed, cite that language.

Make it clear that the leadership will not be thrown off course by the submission of the independent review – or by any other antics. Performance improvement can occur only if physicians under review actively participate in the professional practice evaluation process. Accordingly, it is important that this neurosurgeon get on board and work with the PPEC, collegially, to help it get to the bottom of what happened in this case to give rise to such serious complications and such a poor outcome.

April 2, 2015

QUESTION:    May physicians text or e-mail patient information to one another if such texts or e-mails are directly related to patient care? If so, does HIPAA require that such transmissions be encrypted?

ANSWER:       Any discussion of sending Protected Health Information (“PHI”) via text or e-mail should distinguish between: (1) the HIPAA Privacy Rule and (2) the HIPAA Security Rule:

(1)       The Privacy Rule is concerned with WHY information is being used or disclosed. Is there a permissible purpose? There is no violation of the Privacy Rule if a text or e-mail is for a treatment purpose.

(2)        The Security Rule is concerned with HOW information is transmitted and stored. Thus, while it may be appropriate for one physician to disclose PHI to another physician for treatment purposes, the Security Rule could be violated if the method used to transmit that information is improper.

The Security Rule has three categories of requirements:

(i)         Standards.

(ii)        Required Implementation Specifications.

(iii)       Addressable Implementation Specifications.

Covered entities must comply with all “Standards” and “Required Implementation Specifications.” As the name implies, “Addressable Implementation Specifications” do not always have to be implemented. Instead, each covered entity must evaluate whether an Addressable Implementation Specification is a “reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting” PHI. If so, the Addressable Implementation Specification must be implemented. If not, the covered entity must consider whether an alternative measure to protect security is feasible and must document its conclusions.

Encryption is an Addressable Implementation Specification. Thus, covered entities are expected to encrypt texts and e-mails if doing so is a “reasonable and appropriate safeguard in its environment.” In evaluating this question, covered entities should consider whether encryption would interfere with patient care (e.g., undue delays in transmission or difficulties in retaining encrypted transmissions). Whatever the conclusion, it must be documented, together with the reasons for it and any alternative safeguard adopted in place of encryption, because that documentation is what demonstrates to OCR that the Addressable Implementation Specification was actually addressed.