Carl Cadregari, executive vice president at The Bonadio Group, a Rochester, N.Y., consulting firm, said health providers should do 3 things if they suspect that patient information has been breached: Stop and take a breath, don't panic … and call an attorney.

In recent years, there have been widespread media reports of large breaches – millions of records compromised, followed by millions of dollars in fines. It is wise to seek counsel after a breach, but practice must take steps in-house to rectify the situation.

Prior to 2013, breaches of information only needed to be reported to the Office for Civil Rights (OCR) if it was reasonable to suspect that harm had been caused to the individuals whose information was released. The Omnibus rule, however, changed that. Now, all breaches must be reported, even if no harm could be caused.

Not all release of information has to be reported, however. Mike Semel, CEO and founder of Semel Consulting in Las Vegas, said many physicians don't understand the difference between a breach and a disclosure. If information is “out in the wild” where anyone can see it, it is a reportable breach. A disclosure, on the other hand, could be data sent to a business associate that they didn't necessarily need to have. That might not need to be reported. 

Providers should also establish whether the health information that was released was protected. To be considered protected health information, the information has to include an identifier and a treatment or payment. If a list of patient names with no other information is released, that may not be a breach. But it would be a breach if a patient's prescription is released and it provides an identifier and a treatment.

Cadregari said there is another caveat that may allow physicians not to report a breach: encryption. If information released was encrypted, and a provider can prove it was encrypted at a secure level when it was lost or stolen, it may not be need to be reported under HIPAA.

One step a provider has to take if information has been breached is a risk assessment. This is performed to find out what records were breached, where they went, if the information was accessed by another party, and who might have been harmed.

A good place to look for guidance for this step is the American Health Information Management Association. The organization provides a breach checklist that offers a full range of mitigation and notification steps to take should a breach occur. 

HIPAA requires notifications be sent after a breach occurs, but the requirements vary based on the information released. Within 60 days of when a provider knows a breach has occurred, providers have to notify the individuals whose records were compromised. They must describe the information released, tell people how to protect themselves, and what is being done to investigate the breach and mitigate future occurrences.

If there are fewer than 500 records breached, the breach has to be reported to OCR within 60 days of the end of the calendar year. If there are more than 500 records, notification has to be sent to OCR within 60 days of when the breach was discovered.

Semel recommends being as honest as possible with patients after a breach. Tell patients what you know about the breach and then apologize.

“Apologies go a long way when people make mistakes,” he said.

Even though physicians can take a couple of months to begin notifications, Semel tells clients to start immediately because they may forget later and it makes a strong statement to OCR if the provider notifies them before a patient complaint is filed. In addition, some states have shorter time frames, so reporting immediately will cover all the bases. 

The major fear of most providers following a breach is being fined by OCR. This is an understandable trepidation. Providers can be forced to pay penalties ranging from $100 to $50,000 per violation, depending upon the extent of the problem.

But a bigger problem than fines is the investigation that can occur. Each breach will bring an audit from OCR or another entity and that can open Pandora's Box. One of the most infamous of these occurred at a cardiac surgery group in Arizona in 2012. It was reported to OCR that the internet-based calendar with patient appointments was available online to the public. After the report was received, OCR audited the group and found that patients' electronic health information had not been protected. The group had to pay $100,000 and implement corrective action.

Aside from fines, Semel said, breaches can cost an organization upwards of $200 per record due to credit reporting, legal assistance, and patient notification. Providers can purchase cyber liability insurance—which he recommends—to mitigate some of these costs. But the insurance can't be used to pay for OCR fines.

“If you have car insurance and get drunk and drive by a ‘road closed' sign, and then have an accident, it doesn't matter if you have insurance,” he said.

...

The Kidney Health Initiative (KHI) has announced the creation and appointment of the inaugural Patient and Family Partnership Council (PFPC). A joint partnership between the American Society of Nephrology (ASN) and the U.S. Food and Drug Administration with over 70 member organizations and companies, KHI’s mission is to enhance the quality of patient care and safety and foster innovation in kidney disease. The PFPC will coordinate with the KHI Board of Directors to bring patient perspectives to, and make recommendations on, current and future KHI projects and the organization’s overall efforts.

“There are more than 20 million Americans who may have kidney disease and 450,000 receiving dialysis,” said Celeste Castillo Lee, PFPC Chair and Liaison to the KHI Board of Directors. “My hope is that the newly established KHI PFPC will make great strides in helping to understand how to better engage more patients in the crucial issues that affect those of us living with kidney diseases.”

The PFPC will identify strategic opportunities to advise KHI members on patient involvement in project proposals, outline potential patient roles on KHI projects, identify patients to contribute to project workgroups, and collaborate on developing patient centered project(s) to submit for KHI endorsement.

“Patients are at the core of all of KHI’s efforts, which is why their opinions and insights are so critical to ensuring the success of the organization’s projects and initiatives,” said Prabir Roy-Chaudhury, MD, PhD, FASN, Co-Chair of the KHI Board of Directors. “The insights from PFPC and its members will spur KHI members and projects, to focus more on issues that are important to patients, which will then help kidney health professionals to deliver the highest quality care for their patients.”

...

Should people be paid if they donate an organ? A focus group in Australia turned up a variety of opinions

Focus groups with 113 participants from the general public in three Australian states considered reimbursement and justifiable compensation of costs related to organ donation to be legitimate ways of supporting donors. Financial payment beyond reimbursement was regarded as “morally reprehensible and would threaten community values of goodwill, human dignity, and fairness, with the potential for exploitative commercialism,” the researchers reported.

Some participants believed that regulated compensation could be defensible provided that mechanisms are in place to protect donors. The findings in the article, “Focus group study of public opinion about paying living kidney donors in Australia,” published online last month in the Clinical Journal of the American Society of Nephrology by Tong and colleagues, suggest that addressing the removal of disincentives to donation would be more acceptable to the general public than providing financial incentives.

The unmet demand for kidney transplantation has “generated intense controversy about introducing incentives for living kidney donors to increase donation rates,” the authors wrote in the paper. “Such debates may affect public perception and acceptance of living kidney donation. This study aims to describe the range and depth of public opinion on financial reimbursement, compensation, and incentives for living kidney donors.”

Twelve focus groups were conducted with 113 participants recruited from the general public in three Australian states in Feb. 2. Five themes were identified:

• creating ethical impasses (commodification of the body, quandary of kidney valuation, pushing moral boundaries)
• corrupting motivations (exposing the vulnerable, inevitable abuse, supplanting altruism)
• determining justifiable risk (compromising kidney quality, undue harm, accepting a confined risk, trusting protective mechanisms, right to autonomy),
• driving access (urgency of organ shortage, minimizing disadvantage, guaranteeing cost-efficiency, providing impetus, counteracting black markets), and
• honoring donor deservingness (fairness and reason, reassurance and rewards, merited recompense).

Reimbursement and justifiable recompense are considered by the Australian public as a legitimate way of supporting donors and reducing disadvantage, the authors wrote. Financial payment beyond reimbursement is regarded as morally reprehensible, with the potential for exploitative commercialism.

“The perceived threat to community values of human dignity, goodwill, and fairness suggests that there could be strong public resistance to any form of financial inducements for living kidney donors. Policy priorities addressing the removal of disincentives may be more acceptable to the public,” the authors wrote.

...

A new coalition that aims to reduce geographic disparities in wait times for donated organs launched May 20. The Coalition for Organ Distribution Equity (CODE) is working to reform the liver allocation process in the United States. The coalition includes one group from California, OneLegacy, and two from New York, LiveOn NY and the Greater New York Hospital Association. Both New York and California are among the states with the longest wait times for liver donations.

“We believe that no person should be allowed to die due to an accident of location,” added Dr. Lewis Teperman, the Chief of Transplant Surgery at NYU Langone Medical Center. “CODE is looking to make the system equal for all recipients waiting for organs. We hope that more lives will be saved and that geographic disparity will become a thing of the past.”

Read also: 50 most active kidney transplant centers in the United States 2009 to 2013

CODE said they strongly support efforts by the Organ Procurement and Transplant Network (OPTN), under the authority of the Health Resources and Services Administration (HRSA), to reform the methodology by which organs are distributed for transplant in the U.S. Last summer, the OPTN-designated United Network for Organ Sharing (UNOS) Liver and Intestinal Organ Transplantation Committee issued a concept paper that outlined new organ distribution models. CODE is calling for a data-driven approach to determining a new methodology that will reduce geographic disparities and save lives.

"While our region's donation rate is among the highest in the country, patients in our region can wait years longer and are far more likely to die while waiting than other areas,” said Tom Mone, CEO of OneLegacy, an organ procurement organization in the Los Angeles area. “The CODE effort is helping to ensure that our donation and transplant community can save more lives throughout the country.”

The UNOS Liver Committee is convening June 22 in Chicago to discuss its progress and welcome public comment. CODE members will participate in the meeting and report on recommendations and actions coming out of it.
 

...