FDA strengthens regulations for surgical mesh used in transvaginal procedures

The U.S. Food and Drug Administration (FDA) is enforcing stricter regulations for surgical mesh products used in transvaginal procedures to repair pelvic organ prolapse (POP). The products are being reclassified from moderate risk (class II) to high risk (class III) when used transvaginally.

The stricter regulations do not apply to surgical mesh for other indications, such as stress urinary incontinence or abdominal repair of POP.

The FDA now requires all manufacturers of mesh products to submit data that supports the effectiveness and safety of the devices. Manufacturers with products currently on the market will have 30 months to comply with the new requirements.

According to the FDA, a significant increase has occurred over the past several years in the number of reported adverse events associated with the use of surgical mesh for transvaginal POP repair, such as severe pelvic pain, infection, and organ perforation.

In 2011, an advisory panel of experts recommended that more data was needed to establish the safety of the device. The FDA has since taken several actions to warn doctors and patients about the use of surgical mesh for transvaginal POP repair.

Read full articles on this news item on the FDA website and Wall Street Journal online.

What you need to know, part three: House Bill 2641 and HIEs

by Andrea I. Schwab, JD, CPA and
John Southrey, CIC, CRM, Manager, Consulting Services, TMLT

Texas House Bill (HB) 2641, which was passed into law in June 2015, provides physicians with some liability protections when using an HIE. While it is advisable to be vigilant in addressing potential liability exposures, HB 2641 has taken some steps to protect providers. HB 2641 states that a provider who sends information to an HIE without malice or gross negligence is not liable for damages if that information is used in violation of federal or state privacy and security laws by the HIE or another provider. It also states that use of an HIE does not create a standard of care for health care providers.

HB 2641’s limitation of liability language is as follows:

  • Unless the health care provider acts with malice or gross negligence, a health care provider who provides patient information to a health information exchange is not liable for any damages, penalties, or other relief related to the obtainment, use, or disclosure of that information in violation of federal or state privacy laws by a health information exchange, another health care provider, or any other person.
  • Nothing in this section may be construed to create a cause of action or to create a standard of care, obligation, or duty that forms the basis for a cause of action.

HB 2641 does not modify a physician’s responsibility for complying with HIPAA nor protect them from liability for damages, penalties, or other relief resulting from such violations. State laws that are contrary to the HIPAA Privacy Rule are preempted by the federal requirements, unless the state law is more stringent and/or unless specific exceptions apply.1,2

Physicians remain responsible for ensuring that individuals, the media, and the Secretary of the Department of Health and Human Services are notified of breaches of protected health information (PHI) and of the costs incurred by the breaches, even if an HIE is the source of the breach.3,4 But physicians and HIEs can sometimes contractually agree on how they will provide notice to affected patients. The United States Department of Health and Human Services (HHS) states, “With respect to a breach at or by a business associate, while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate.”5

Even if an HIE is compromised in some way, physicians are not relieved of their responsibility to comply with appropriate standards of medical care and the Texas Medical Board (TMB) rules. For example, physicians’ duties of making timely and accurate diagnoses, maintaining accurate medical records, and providing the patient with copies of his or her records, could all be affected if an HIE is compromised.

The Office of Civil Rights and HIEs

The Office of Civil Rights (OCR), the federal agency that enforces HIPAA compliance, states that “trust in electronic health information exchange can only be achieved if reasonable administrative, technical, and physical safeguards are in place” and the HIPAA Privacy Rule requires covered entities to implement such safeguards.6

The OCR suggests that when covered entities participate in an HIE, the covered entity can agree with the HIE (as its business associate) on appropriate safeguards that would apply to their electronic exchange of information.7 These procedures should be formalized through a business associate agreement, data sharing agreement, or other contract, and may include enforcement mechanisms and penalties for breaches and violations.

A physician should always review a business associate agreement carefully with an attorney, and require the HIE to have appropriate administrative, technical, and physical safeguards in place. The physician should determine the HIE’s procedures for verifying the identity and authority of anyone requesting PHI; the safeguards that are in place to appropriately protect PHI; and procedures to follow in case of a breach.

For more information, please contact John Southrey at john-southrey@tmlt.org.

Andrea Schwab may be contacted at andrea@aschwablaw.com.

Part one: cyber crime and liability

Part two: health information exchange – benefits and liability

Resources:

1 U.S. Department of Health & Human Services. HIPAA Privacy Rule. Code of Federal Regulations, Title 45 – Public Welfare. Section 160.202 – Definitions. Available at: http://www.gpo.gov/fdsys/pkg/CFR-2002-title45-vol1/xml/CFR-2002-title45-vol1-sec160-202.xml. Accessed October 14, 2015.

2 U.S. Department of Health & Human Services. Health Information Privacy. Does the HIPAA Privacy Rule preempt State laws? Available at: http://www.hhs.gov/ocr/privacy/hipaa/faq/preemption_of_state_law/399.html. Accessed October 14, 2015.

3 U.S. Department of Health & Human Services. Health Information Privacy. Breach Notification Rule. Available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/. Accessed October 15, 2015.

4 U.S. Department of Health & Human Services. Health Information Privacy. Breach Notification Rule. Breach Notification Requirements. Available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/. Accessed October 15, 2015.

5 See 45 C.F.R. section 164.530(c); HIPAA Security Rule at 45 C.F.R. sections 164.308, 164.310, and 164.312.

6 U.S. Department of Health & Human Services. HIPAA Administrative Simplification. Regulation Text. 45 CFR Part 164, Sections 164.308, 164.310, 164.312. Available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf. Accessed October 15, 2015.

7 U.S. Department of Health & Human Services. Health Information Privacy. Privacy and Security Framework: Safeguards Principle and FAQs. Available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/. Accessed October 15, 2015.

This article is purely informational and not intended to be legal advice and should not be construed as such.

What you need to know, part two: health information exchange – benefits and liability

by Andrea I. Schwab, JD, CPA and
John Southrey, CIC, CRM, Manager, Consulting Services, TMLT

A health information exchange (HIE) is an electronic network designed to facilitate the secure exchange of patient medical records and information among public health organizations, hospitals, physicians, and payors. These organizations include public HIEs funded through the state’s Local HIE Grant Program, private physician-led HIEs, hospital-based enterprise HIEs, and Accountable Care Organizations, among others. HIEs are designed to facilitate more coordinated patient care and increase efficiency. HIEs also promote the use of standardized data that can be seamlessly integrated with EHRs to improve the speed and quality of patient care.

HIE connectivity:

  • improves patient safety by reducing medication and medical errors;
  • increases efficiency by eliminating unnecessary paperwork and handling;
  • provides caregivers with clinical decision support tools for more effective care and treatment;
  • eliminates redundant or unnecessary testing;
  • improves public health reporting and monitoring;
  • engages health care consumers regarding their own personal health information;
  • improves health care quality and outcomes; and
  • reduces health related costs.

Since the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, there has been tremendous growth in the adoption of health information technology and HIEs. The U.S. Office of the National Coordinator for Health IT (ONC) has played a critical role in accelerating improvements in HIE and interoperability among EHR systems, including the development of policies and standards to facilitate HIEs, as well as the funding of cooperative agreements and grant programs.

The Texas Health Services Authority (THSA) was charged by the Texas legislature with the implementation and maintenance of a statewide HIE. The THSA is working to identify best practices and successful models that demonstrate HIE financial and business sustainability, as well as providing Texas HIE Accreditation.

HIEs are viewed as the building blocks for a Nationwide Health Information Network (now called “eHealth Exchange”) to provide universal access to electronic health records across jurisdictions and health care systems. The ONC is charged with driving the completion of this nationwide patient data network.

While the benefits are numerous, HIE use also contains areas of potential liability for physicians. Risks can come from physicians reviewing an incomplete or incorrect medical record; failing to review information that may have been accessible; or inadvertently accessing the wrong patient record.

What happens when a patient alleges personal injury stemming from an HIE system breach? Will a physician be held accountable for entering into a contract with an HIE or EHR vendor who later fails to protect data? Will physicians be required to have their own information backups? There are no simple answers, but all of these questions represent scenarios for physicians to consider.

Contractual liability is another concern. Contracts with HIEs or EHR vendors should be reviewed carefully to avoid any liability that may arise based on the terms of the agreement. Vendors should be properly investigated, and contract negotiations should be robust. Ask vendors any questions you may have about security, access, and the ultimate ownership of data.

Be careful not to enter any agreements that would unfairly shift risks to your practice, relieving your business associate of liability for their own actions. Ensure that you understand the details of the contractual language, and that you agree with its terms, whether they be technical requirements, such as encryption and automatic logoff, or substantive ones, such as rules regarding who will have access to information. Violating contractual terms could create liability risks for you or your practice.

For more information, please contact John Southrey at john-southrey@tmlt.org.

Andrea Schwab may be contacted at andrea@aschwablaw.com.

Previous: Part one: Cyber crime and liability

Next: Part three: House Bill 2641 and HIEs


This article is purely informational and not intended to be legal advice and should not be construed as such. 

What you need to know: cyber crime and liability, part one

by Andrea I. Schwab, JD, CPA

Hospitals, medical groups, and individual physicians collectively suffered 333 data breaches in 2014, making up 43% of all data breaches, the highest percentage of any industry.1 According to recent studies, the health care sector is four times more likely to be affected by malicious online attacks than any other industry.2

Why? Identity theft. Medical records, containing sensitive patient information such as names, birth dates, social security numbers, income, insurance information, employment details, and home addresses, are worth more to hackers than credit cards–about 10 to 20 times more.3

Additionally, while credit card fraud is often quickly detected and stolen credit cards easily canceled, it can sometimes take years to detect health care related cyber crime. For example, patients may not discover that their personal health information (PHI) has been compromised until debt collectors contact them with unpaid medical bills for care that they did not receive. Some patients have even found themselves in need of medical care only to learn their health benefits have been exhausted by cyber criminals. More significant are the potential clinical consequences, such as a misdiagnosis or mistreatment, to patients whose medical identity or information has been corrupted.

Are physicians liable for data stolen in a cyber crime?

The potential liability for physicians as a result of cyber crime is unclear, as this area of the law is evolving with little precedent.

At a minimum, physicians are at risk of fines and penalties for violating federal and state privacy laws, such as the HIPAA Privacy Rule4 and the Texas Medical Records Privacy Act.5 Failure to comply with HIPAA can result in civil and criminal penalties, and the penalties vary widely, based on the violation and resulting harm. Data breaches or patient complaints may also trigger potential HIPAA audits, which can also occur randomly.

Pursuant to those regulations, physicians are responsible for:

  • implementing and following privacy and security policies and procedures;
  • conducting security risk assessments;
  • implementing reasonable security measures (administrative, physical, and technical safeguards);
  • training staff; and
  • notifying individuals when a breach occurs. A physician is ultimately responsible to notify his or her patients of a breach, even if a business associate, such as an electronic health record (EHR) provider or health information exchange (HIE), is responsible for the breach.

For more information on cyber liability coverage and cyber risk management resources, please contact John Southrey at TMLT at john-southrey@tmlt.org.

Andrea Schwab may be contacted at andrea@aschwablaw.com.

Next: Part two: health information exchange: benefits and liability.

Part three: House Bill 2641 and HIEs

Resources:

Identity Theft Resource Center, ITRC 2013 Breach List Tops 600 in 2013. Available at www.idtheftcenter.org/ITRC-Surveys-Studies/2013-data-breaches.html. Accessed October 15, 2015.
Identity Theft Resource Center, The Year of the Data Breach – a Recap of 2014, and Review of 10 Years of Breaches. Available at: http://www.idtheftcenter.org/Data-Breaches/the-year-of-the-data-breach-recap-2014-and-ten-years-of-data.html. Accessed October 15, 2015.

“2015 Industry Drill-Down Report-Health Care,” Raytheon Company, p 6. Available for download at http://www.websense.com/content/2015-healthcare-industry-drilldown.aspx?cmpid=pr. Accessed October 13, 2015.

Humer, C; Finkle, J. “Your Medical Record is Worth More to Hackers Than Your Credit Card”, Reuters, Sep. 24, 2014. Available at: http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924. Accessed October 13, 2015.

The U.S. Department of Health & Human Services. The Privacy Rule. Available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/. Accessed October 13, 2015.

Texas Health and Safety Code. Title 2. Health. Subtitle 1. Medical Records. Chapter 181. Medical Records Privacy. Subchapter A. General Provisions. Available at: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.181.htm. Accessed October 13, 2015.


This article is purely informational and not intended to be legal advice and should not be construed as such.

The weekend I spent hacking my own computer

By Anthony Passalacqua, Risk Management Representative, TMLT

Every week, there seems to be a new story of an organization being hacked and their data compromised, resulting in lost income, reputation, and customers. Target, JPMorgan Chase, Sony Pictures, T-Mobile/Experian, and Anthem are just a few examples of companies whose names are forever linked with cyber crime.

It got me wondering: Just how easy is it to hack into a computer or a network?

I thought I would conduct my own experiment. One Saturday, I tried to hack my own personal computer while measuring the time and costs it took to do so. To learn how to go about becoming a hacker, I went to one of my favorite resources: YouTube. I easily found and watched a “how to” guide to hacking personal computers.1 Shortly after watching the video, I went around my house to collect what I would need to conduct my experiment and found two recordable CDs and a 16 GB flash drive.

Password Reset program

First, I decided to start with something easy by downloading a password-reset program. A password-reset program is a tool used by system administrators or computer owners to recover a lost password. However, the program is often used by hackers to gain access to unencrypted hard drives.

I am going to be honest, I have a very slow Internet connection by today’s standards and it took about 1.5 hours for me to download the program onto a CD. Most people could have downloaded the program in less than 5 minutes with the new data streaming speeds that are now available.

When my download was complete, I rebooted my computer and launched the password-reset program on my computer. I then followed the step-by-step instructions from the YouTube video and, within minutes, successfully deleted my password.

I logged on to the computer and was immediately blasted with alerts and warnings telling me that my computer had been hacked and to call customer service. I ran a quick anti-virus program, and my computer was returned to normal. I reset my password and decided to try something a little more involved—a brute force attack.

Brute force attacks and “rainbow tables”

A brute force attack (also known as brute force cracking) is pretty much what its name suggests: an application program that attempts all possible password combinations to crack a computer’s password or data encryption standard keys. TechTarget, an online technology marketing company, describes this trial and error method as “infallible, although time-consuming.”2

I decided this time to download a password cracking program called Ophcrack while I went out to run some errands; after all, it was going to take another 1.5 hours to download. I came back about 2 hours later and found that the program had been successfully burned to a CD. I ran the program, and it identified all of my computer’s accounts. However, it didn’t provide me with any account passwords.

Why? Because I didn’t include a “rainbow table.” At this point, I began to learn about rainbow tables and their importance to the password cracking process. A rainbow table is a tool often used by hackers to crunch through huge amounts of hashes in very little time. On the Ophcrack website, I found the tab to download rainbow tables. There are different tables to use, and each one is separated out by operating system, language, length of password, and type of characters. Just seeing the variety of options and methods available to me, I started to realize that cracking a password is something of an art. The more information you have about the computer or account you are trying to crack, the better the hypothesis you can form to speed up the process.

Launching the attack

I began to test my theory and downloaded my first rainbow table—one that corresponded with both the name of my wife’s computer’s operating system and with the low complexity of the current password (“password123”). I reran the program, and within 5 minutes it gave me passwords to both my operating system and my wife’s accounts. Believe it or not, I received absolutely no notification that my wife’s computer was hacked when I logged in. Since I was using my wife’s credentials, I also found that I had total access to her accounts—social media, Amazon.com, you name it.

I then changed the password to an even longer and more complex one and downloaded an additional, corresponding rainbow table with more complex characters. I discovered that the more complex the password, the longer it takes to break it. For example, it took only 5 minutes for the first table to crack the initial password and about 30 minutes for the second table.

I decided to run the experiment one last time with a third rainbow table and a new, stronger password with additional characters not covered in the downloaded tables. I reran all three rainbow tables which took about 2 hours, at which point my password was still not found. I realized that my password no longer fit the parameters of the rainbow table and therefore could not be cracked.

Strong passwords

One of the biggest lessons of this exercise was the importance of a strong password to ensure your computer and accounts are safe. Many users don’t put a lot of effort into creating a strong password. They often cut corners because they are working quickly or want something easy to remember. But they often wind up creating shorter, weaker passwords that require less time and resources for hackers to crack. One of the key features I noticed in this process was that using special characters in passwords (%, #, &, @) made it significantly more difficult for the programs to crack the passwords. This was especially obvious when compared to the relative ease of cracking passwords made up entirely of dictionary words and numbers. You should stay away from using any word found in a dictionary when creating a password. Dictionary words are a known variable to password cracking programs and hackers.

Another key discovery: if you can create a strong password that exceeds 8 characters and uses special characters, then most rainbow tables would not find the password. Another factor to consider is that if you are using an older computer or system, your encryption may be outdated and is more vulnerable to being hacked. If you are unsure if your password is strong or not, please review one of our previous blog posts on passwords.
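The two lessons above (a precomputed table only covers passwords inside its length and character-set parameters, and a dictionary word plus digits is the easiest case) can be made concrete with a short script. The following Python is an added example, not code from the post or from TMLT: it estimates the keyspace a table or brute-force run must cover for a given password, applies checks that mirror the post's advice, and shows that a precomputed table of unsalted hashes recovers "password123" instantly but finds nothing once the stored hash is salted. The word list, character classes and SHA-256 hashing are constructed assumptions for the example (real tools ship far larger lists and target OS-specific hash formats); the salt demonstration goes one step beyond the post to show the mitigation that makes precomputed tables useless.

```python
import hashlib
import os
import string

# Constructed stand-in for the wordlists that cracking tools ship with (assumption).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "summer"}

# Character classes as the post groups them: letters, digits, special characters.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set("%#&@!$^*()-_=+[]{};:,.<>?/"),
}


def character_classes(password):
    """Return the names of the character classes a password draws from."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def keyspace(password):
    """Number of candidates a brute-force run or table must cover for a password
    of this length drawn from these classes: alphabet_size ** length."""
    alphabet = sum(len(CLASSES[name]) for name in character_classes(password))
    return alphabet ** len(password)


def policy_issues(password):
    """Checks mirroring the post's advice: longer than 8 characters, uses special
    characters, and is not just a dictionary word with digits appended."""
    issues = []
    if len(password) <= 8:
        issues.append("too short (8 characters or fewer)")
    if "special" not in character_classes(password):
        issues.append("no special characters")
    if password.lower().rstrip(string.digits) in COMMON_WORDS:
        issues.append("dictionary word plus digits")
    return issues


def build_lookup_table(candidates):
    """Precomputed hash -> password map: the simplest form of what a rainbow table
    gives an attacker, computed once and reused against any unsalted hash store."""
    return {hashlib.sha256(p.encode()).hexdigest(): p for p in candidates}


def lookup(table, stored_hash):
    """Recover a password from the table, or None if it lies outside the table."""
    return table.get(stored_hash)


def salted_hash(password, salt):
    """Per-user salt: the same password hashes differently for every user, so a
    table computed in advance cannot match it (assumed scheme for the example)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def demo():
    """Constructed scenario: one weak password stored unsalted and then salted."""
    candidates = {w + suffix for w in COMMON_WORDS for suffix in ("", "1", "123")}
    table = build_lookup_table(candidates)
    unsalted = hashlib.sha256(b"password123").hexdigest()
    salted = salted_hash("password123", os.urandom(16))
    return {
        "unsalted_recovered": lookup(table, unsalted),  # "password123"
        "salted_recovered": lookup(table, salted),      # None
        "weak_issues": policy_issues("password123"),
        "keyspace_growth": keyspace("P@ssw0rd!x") // keyspace("password123"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The keyspace figure is what the post observed indirectly: adding a character class multiplies the alphabet, and every extra character multiplies the total again, so a table that fits on a 16 GB flash drive quickly stops covering the space. The salt step is why modern systems store salted, deliberately slow hashes rather than raw ones.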

Lessons learned—and how TMLT can help you stay safe

It only cost me $10.48 to hack my computer. I was able to find a 50 pack of CD-Rs for $5.49 (about 11 cents apiece) and a 16 GB flash drive to store my rainbow tables for $4.99 with the back to school sales. So, for about the cost of a fast food meal and roughly 6 hours of computer time, I was able to reset my password and hack into my computer.

It was an eye-opening journey to see just how easy and affordable it is to access private, sensitive information found on a hacked computer. It also reinforced to me the importance of strong cyber security which includes keeping my computer updated with the most current patches as well as reassessing my operating systems every few years. I plan on remaining vigilant in safeguarding my computer and its contents going forward.

To help you keep your computer and network safe, TMLT’s Product Development & Consulting Services Department offers a range of cyber security services, such as risk assessments, security training for you or your staff; and such resources as our TMLT Privacy and Security Toolkit. More information is found on the TMLT website.

You may also view or download the TMLT Slideshare presentation, “What every physician needs to know: cyber security best practices” with quick tips and advice on maintaining your software, managing your passwords, guarding against malware, and more.

If you are curious about a technological subject or have any questions, comments, or ideas for a future blog story, please let me know.

Resources

1 Gordon, W. How to Break Into a Windows PC (and Prevent It from Happening to You), Lifehacker website. Accessed August 24, 2015. (This video is also found on YouTube.)

2 Brute force cracking definition. TechTarget website. Accessed October 12, 2015.

Anthony Passalacqua can be reached at apassalacqua@tmlt.org.