
May 2012

Texas Privacy Laws Provide Patients Stronger Rights to Access Electronic Health Record Than HIPAA

As discussed in my post "New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks", Texas House Bill 300 (HB 300) strengthens protection of patients' electronic health information in Texas beyond HIPAA and becomes effective on September 1, 2012.  Through a series of blogs I am illustrating a variety of these new protections. Today we contrast a patient's right to access their electronic health record (EHR) under HIPAA against HB 300 requirements in Texas. Case history:

A patient alleged that a physician failed to provide him access to his electronic medical record within 30 days of a written request as required by HIPAA. After the Office of Civil Rights (OCR) notified the physician of this allegation, he provided the records but charged the patient a $100.00 “administrative fee” because the patient was delinquent on bills. HIPAA permits only a reasonable cost-based fee (copying and postage) with an explanation or summary if agreed to by the individual. To resolve this matter, the physician refunded the $100.

When state and federal privacy laws diverge, the more protective law prevails. In Texas, HB 300 combined with other state laws is more protective than HIPAA, for example regarding a patient's right to access their electronic health records (EHRs). HB 300 requires physicians who use EHRs to provide patients with the requested record in electronic form not later than 15 business days after receiving a written request, unless an allowable exception applies. The EHR may be provided in another format if the physician's EHR system is incapable of producing an electronic copy or if the patient agreed to that format in advance. Physicians in Texas should align with HB 300 by revising policies on patient access to their EHR and updating their Privacy Notice as needed.

Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

More on other HB 300 provisions next week...

cook children's


CMS prematurely dismisses the alternative option to forgo ICD-10 and implement ICD-11

In their proposed rule to delay ICD-10, CMS prematurely dismisses (in three short sentences) the alternative option to forgo ICD-10 completely and implement ICD-11 instead. I am very concerned that this dismissal is published without a comparative analysis of the total costs of each option. And there is good reason to seriously consider implementing ICD-11.

In a recent Health Affairs report the authors express concerns that adopting ICD-10 for reimbursement will be disruptive and costly with little material improvement over the current system. These informatics experts fall short of suggesting we forgo ICD-10 for ICD-11, but they do recommend that policymakers begin planning now to facilitate a tolerable transition to ICD-11. We should recognize that this article was not an appropriate platform for the authors to make a political statement to forgo ICD-10. In addition, more information is needed before making such a recommendation:

  1. What is the earliest date by which the U.S. could implement ICD-11?  CMS suggests that it could be as early as 2020-2022.  What could be done to possibly accelerate that date?
  2. What is the earliest date we could implement ICD-11 if we implement ICD-10 first?  Historical data suggests 2028 is the earliest, but some informatics experts suggest it will be after 2030.
  3. What is the estimated total cost to complete the ICD-10 implementation, then convert to ICD-11?
  4. What is the total cost of stopping the ICD-10 implementation today and proceeding with ICD-11, including the sunken costs of work already done on ICD-10?
  5. What value will ICD-11 provide over ICD-10?
  6. How does the total cost to the industry for using ICD-9 codes another 5-7 years (while ICD-11 is implemented) compare to the total cost to the industry for using ICD-10 codes instead of ICD-11 for 13 or more years after ICD-10 is implemented?
  7. What additional burden will be imposed on physicians and small hospitals by requiring two code system conversions over the next 15 years?  What are the capital costs physicians and small hospitals will incur under both pathways? 
  8. What other potential impacts could there be on physicians and small hospitals? Will it drive an increasing number of physicians into early retirement? Will some small hospitals be forced to close? Will it drive an increasing number of physicians to convert to concierge or cash-only practices?

These and other potential impacts have not been fully assessed by CMS. Implementing ICD-10 has been compared to buying a Betamax instead of a VHS recorder in terms of pending obsolescence. Informatics experts are in agreement that ICD-11 is superior to ICD-10 and that we need to get to it as soon as is tolerable. Perhaps the optimal pathway to ICD-11 really is through ICD-10, but we need a more comprehensive analysis to make a better-informed decision. Let's put on the table the total costs and impact of both pathways and then decide.

You may read here my entire public comment as submitted to CMS on the proposed rule to delay ICD-10 for one year.


New Texas Privacy Law Increases Employee Training Requirements in Physician Practices

As discussed in my post "New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks", House Bill 300 (HB 300) strengthens protection of patients' electronic health information in Texas beyond HIPAA and becomes effective on September 1, 2012. I am concerned that there may be low levels of awareness at this time among Texas physicians regarding the new privacy provisions. For example, one of the new requirements affects employee privacy training policies for the physician practice. As an illustration, consider this case history:

A laptop computer was stolen or lost from the reception desk area, possibly after a cleaning crew had left the main door to the building open. An employee had previously used the laptop to download information that included protected health information (PHI) on 67 patients seen that week. Following the breach, the practice notified all affected individuals, added technical safeguards (encryption of PHI stored on mobile computers), added physical safeguards (all portable devices kept locked in a cabinet in a locked storage room when not in use), and required re-training of all employees on privacy and security policies, including immediate training for the cleaning staff.

Many breaches of PHI are avoidable if employees are trained on privacy and security and remain vigilant when managing PHI. In Texas, HB 300 protects not only PHI as defined by HIPAA, but also "sensitive personal information (SPI)" as defined by the Texas Identity Theft Protection Act. HB 300 requires all employees who will encounter PHI or SPI to undergo privacy training that is tailored to the employee's specific responsibilities and types of contact with PHI. New employees must be trained within 60 days of hiring, and training must be repeated at least once every two years. A log must be maintained with employee signatures verifying their attendance. Physicians can prepare by updating employee training policies and materials.

Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

More on other HB 300 provisions next week...



New Texas Privacy Law Places More Accountability on Business Associates of Physician Practices

As discussed in my post "New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks", House Bill 300 (HB 300) strengthens protection of patients' electronic health information in Texas beyond HIPAA and becomes effective on September 1, 2012. In a series of weekly blogs I am writing to illustrate some of the new protections. I think that the most important change imposed by HB 300 is the increased accountability placed on business associates of a physician practice to adhere to the state privacy laws. Consider this case history:

A physician practice was notified by one of their business associates (BA), a medical transcription service, that dictated patient reports were viewable on the Internet by anyone after the BA’s server was compromised.  The breach involved PHI of 1.085 individuals.  In response, the practice immediately terminated the business associate agreement (BAA) with this company and engaged another medical transcription service.  The practice contracted with forensic consultants to ensure that the cause of the compromise was found and all online traces of breached reports were removed.

HB 300 holds accountable any business in Texas that comes into contact with PHI. This means that BAs of physician practices are accountable to HB 300 protections and HIPAA unless they have no contact with PHI. Physicians should revise their BAAs to include language compelling BAs to comply with state and federal privacy laws. Matters to address in a BAA include:

  • Immediate notification to practice when BA discovers breach
  • Who notifies affected individuals?  Who bears the cost?
  • Contract termination for failure to comply with law or take "reasonable" steps to fix breach
  • BA's compliance with performing security risk analysis at least annually
  • BA’s compliance with employee privacy training
  • Encryption of PHI on BA’s mobile devices or exchanged online; and other circumstances where PHI is at high risk

Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

More on other HB 300 provisions next week...



New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks

Privacy protection is getting bigger in Texas. Last year the Texas Legislature passed House Bill 300 (HB 300), heavily amending the state's Texas Medical Records Privacy Act. These amendments increase protection of electronic personal health information (PHI) and become effective on September 1, 2012. HB 300, along with other state privacy laws such as the Texas Identity Theft Protection Act, is more protective of patients' privacy than HIPAA. Stronger protections translate to increased physician cyber liability risks.

I support strong protection of patients' electronic PHI through state and federal privacy laws, including the imposition of fair penalties, disciplinary actions and audits that are strong enough to deter breaches of PHI. But I am concerned that there may be low levels of awareness among physicians regarding the new state privacy requirements, which increase the physician's cyber liability risks. In the next month I know of two physician-oriented publications that will discuss the issue, and I will present on the topic at the Texas Medical Association's TexMed 2012 Conference in Dallas, Texas, on May 18th. Hopefully we can stimulate more conversations and actions across the state.

I suggest that physicians at least consult with their lawyer to ensure their practice is aligned with HB 300. Specific actions a physician practice may need to take to be compliant with HB 300 include revising employee privacy training policies and materials; revising policies on patient access to their EHR; updating the Privacy Notice; revising business associate agreements; encrypting protected health information (PHI) stored on mobile devices; and encrypting PHI transported online. Physicians should also consider purchasing cyber liability insurance (or increasing current liability limits) and consulting with their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), about assistance with security risk analysis and management.

Stay tuned for more blogs on HB 300...
