This document is intended to provide general information to assist in the discussions of the CPS Workgroup. The document may contain general legal information and should not be construed as legal advice to be applied to any factual situation. Neither the CPS Workgroup nor its staff makes any claims, promises, or guarantees about the accuracy, completeness, or adequacy of the information contained in this document.

Scenario Environment:

HIE-DC is a local health information exchange comprised of 100 providers (primary care, specialists, dentists, etc.) 10 hospitals, 3 insurers, and 2 labs.

Scenario Description:

The following scenario begins with a triggering event to identify the baseline (i.e., most typical/relevant) HIPAA Privacy Rule components one would need to know in order to perform a comparative analysis of the current and forthcoming electronic health information exchange environment. Following the baseline section is a “differences section” which attempts to identify what, if any, differences exist in how the HIPAA Privacy Rule operates in an electronic environment compared to the current environment.

Definitions:

• “Repository” model electronic health records (EHRs) reside on HIE-DC’s system and are available 24/7.

• “Non-repository” model EHRs are not held by HIE-DC but are locatable and available 24/7.

Scenario Improper Disclosure/Breach:

Due to a security breach an internal or external source has gained access to, and subsequently sold, health information on a number of websites for over a week.

Baseline:

• The breach occurs at Capital Hospital

  • Section 164.502 of the Privacy Rule states that a covered entity may not use or disclose protected health information, except as permitted or required by other sections of the HIPAA Administrative Simplification provisions.

  • (Does not include all parts) Section 164.530 of the Privacy Rule requires that a covered entity must:

    • Have in place appropriate administrative, technical, and physical safeguards to protect privacy.

    • Reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements.

    • Have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart.

    • Mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures or the requirements of this subpart by the covered entity or its business associate.

• The breach occurs at Capital Hospital’s Business Associate

• Section 164.502 of the Privacy Rule states that a covered entity may disclose protected health information to a business associate and may allow a business associate to create or receive protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information.

• Section 164.504 of the Privacy Rule states that a covered entity is not in compliance with the standards in 164.502 (disclosures to business associates) if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate's obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful:

  • • Terminated the contract or arrangement, if feasible; or

    • If termination is not feasible, reported the problem to the Secretary.

  • (Does not include all parts) Section 164.504(e)(2) of the Privacy Rule states that a contract between the covered entity and a business associate must (1) establish the permitted and required uses and disclosures of such information by the business associate; (2) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract and (3) provide that the business associate will:

    • Not use or further disclose the information other than as permitted or required by the contract or as required by law;

    • Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract;

    • Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware;

    • Ensure that any agents, including a subcontractor, to whom it provides protected health information received from, or created or received by the business associate on behalf of, the covered entity agrees to the same restrictions and conditions that apply to the business associate with respect to such information;

• At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

Differences from Baseline Questions:

The breach occurs at Capital Hospital’s Business Associate HIE-DC

• Assuming HIE-DC has determined that all of the improperly disclosed information as a result of the breach was from patients at Capital Hospital, is HIE-DC required to notify all of the covered entities that it has a contract with?

  • What if the breached information came from multiple covered entities?

• If we did not follow the CPS 6/12/07 recommendation, Capital Hospital would be responsible for mitigating the situation because of its contractual relationship with HIE-DC and HHS would not be able to go after HIE-DC directly for the violation.

• If because of the breach and Capital Hospital’s obligation to “mitigate, to the extent practicable, any harmful effect that is known to the covered entity,” what impact would Capital Hospital requesting higher privacy and security processes have on HIE-DC and its other business associate relationships?

  • Again what if the breach involved information from multiple covered entities who each responded with different mitigation tactics?

• What happens if Capital Hospital decides to terminate its contract with HIE-DC?

  • Repository model:

    • Would it benefit the patients of Capital Hospital for HIE-DC to return or destroy all of the information it received from or create on behalf of Capital Hospital?

    • What if HIE-DC maintains a combined record, would it be possible or potentially harmful for HIE-DC to remove Capital Hospital’s information from the record?

• • Non-repository model:

    • Capital Hospital would no longer be part of the network. Would it be completely disconnected from say a record locator service? Would it be possible to allow searches to continue to get results from Capital Hospital?

• Who notifies patients?

  • Capital Hospital?

  • HIE-DC? Maybe if it is a repository model? Maybe not if it’s a non-repository model?