Aereo Loses the War Before the Supreme Court

July 10th, 2014

The question presented to the court was whether Aereo’s conduct, in recording and re-broadcasting over-the-air television broadcasts to individual subscribers to Aereo’s services, constituted copyright infringement.  Aereo’s service is a web-based system that permits subscribers to watch broadcast television through a web broadcast.  Subscribers are able to access available television programming by selecting a specific live broadcast from a menu on Aereo’s website.  The system will then direct an Aereo-controlled antenna to tune in to the program and transcode the broadcast for access by the requesting subscriber.  In the process, the Aereo system makes a digital copy of the over-the-air broadcast to permit streaming of the content to the subscriber.  The digital copy is only made available to the individual subscriber that requested the particular broadcast.  Am. Broadcasting Cos. v. Aereo, Inc., 573 U.S. ___ (2014).

The plaintiffs in this case are the broadcasters that transmit over-the-air television programming, along with the producers, marketers, and distributors of this content.  They sought a court’s order to enjoin the conduct of Aereo on the grounds that Aereo’s services infringe on the public performance right provided under section 106 of the Copyright Act.  Section 101 defines “public performance” to mean:

(1) to perform or display it at a place open to the public or at any place where a substantial number of persons outside of a normal circle of a family and its social acquaintances is gathered; or

(2) to transmit or otherwise communicate a performance or display of the work to a place specified by clause (1) or to the public, by means of any device or process, whether the members of the public capable of receiving the performance or display receive it in the same place or in separate places and at the same time or at different times.

17 U.S.C. § 101.

Case law over time has helped to clarify when a performance is to the “public.”  In Columbia Pictures v. Redd Horne, 749 F.2d 154 (3d Cir. 1984), the defendant operated a video rental and sales business.  In addition, patrons of the store could rent one of eighty-five private viewing booths, each permitting up to four people to view a video in the store.  The plaintiff alleged that the private viewing booths constituted an unauthorized public performance, in spite of the defendant’s attempt to limit the number of people who could view a tape at one time.  The Third Circuit agreed, finding that the video store was open to the public and that it was the defendant, not the patrons, that performed the copyrighted works in the private viewing booths.

However, as technology has evolved, a separate line of cases has developed in an attempt to shield technological improvements from claims of copyright infringement.  Starting with Sony in 1984, the Supreme Court held that the VCR could be sold, even though the people purchasing the technology might use it to record copies of copyrighted materials on television, without permission or a license from the copyright holders.  Sony Corp. v. Universal City Studios, Inc., 464 U.S. 417 (1984).[1]  In more recent years the federal courts have sided with the music industry and found infringement with certain file sharing and peer-to-peer sharing technologies, such as Napster, Grokster and Limewire, concluding that these technologies resulted in massive and wholesale infringement.[2]

The Aereo service itself is like a cloud-based VCR, in that the service permits users to request that a particular over-the-air broadcast be recorded and transmitted via the internet to the individual requesting the recording.  Aereo also went to great pains to distinguish its service from peer-to-peer sharing services by emphasizing that a user selects a broadcast he wishes to watch via the internet, and Aereo only records and directs that recording to the individual requestor, not making the copy available to any other Aereo user – even one that requests the same broadcast through the service.  Unfortunately, Aereo could not prevail on these points before the Court.  Instead, the Court found that Aereo’s service was functionally similar to the community antenna television (“CATV”) systems of the 1960s and 1970s, and that Congress had specifically amended the Copyright Act to bring CATV retransmissions within the public performance right, legislatively overturning two Supreme Court decisions holding otherwise: Fortnightly Corp.[3] and Teleprompter Corp.[4]

In each of those cases, the defendants operated a system where the defendant would collect over-the-air broadcasts from a region and transmit those broadcasts to subscribers in another broadcast market without the payment of a royalty and without a license from the copyright holders.  The Court held that these activities were outside of the scope of the Copyright Act as it stood prior to the 1976 amendments, because the CATV systems were acting more like “viewers” rather than “broadcasters” of the copyrighted content of others.  This was so, according to the Court, because the CATV system “‘no more than enhances the viewer’s capacity to receive the broadcaster’s signals [by] provid[ing] a well-located antenna with an efficient connection to the viewer’s television set.’”  Aereo, Inc., slip op. at 6 (quoting from Fortnightly Corp., 392 U.S. at 399).  However, Congress disagreed with the conclusion of the Court and ultimately amended the Copyright Act to reach the conduct of CATV system providers, establishing a compulsory royalty regime under section 111 of the Act.

Ultimately the Court held that Aereo was providing a service similar to the CATV systems, and, in spite of some differences that the dissent argued were significant, held that if the CATV systems were infringing, so too must the Aereo system be.  However, the Court did not declare that Aereo is, in fact, a cable system, which would permit Aereo to take advantage of the compulsory licensing system established by Congress.  In a filing on July 9, Aereo has apparently now taken the position that it is a cable system and is seeking a license to operate as such.[5]  Time will tell whether Aereo can operate in this manner and become a “legitimate” content distributor, as some other technology innovations originally declared infringing eventually did.



[1] Admittedly, the Sony case was about unauthorized copying, rather than public performance, of copyrighted works, and Sony was in the suit defending against a contributory or vicarious infringement claim, whereas Aereo was accused of direct infringement by publicly performing copyrighted works without a license.

[2] See, e.g., Metro-Goldwyn-Mayer Studios, Inc. v. Grokster Ltd., 545 U.S. 913 (2005); A&M Records, Inc. v. Napster, Inc., 239 F.3d 1004 (9th Cir. 2001); Arista Records LLC v. Lime Group LLC, 715 F. Supp. 2d 481 (S.D.N.Y. 2010); but see Cartoon Network LP, LLLP v. CSC Holdings, Inc., 536 F.3d 121 (2d Cir. 2008), cert. denied, 557 U.S. 946 (2009).

[3] Fortnightly Corp. v. United Artists Television, Inc., 392 U.S. 390 (1968).

[4] Teleprompter Corp. v. Columbia Broadcasting System, Inc., 415 U.S. 394 (1974).


Google Books Ends in Fair Use Verdict for Google

June 9th, 2014

The case brought by the Author’s Guild against Google, for scanning millions of books without the authors’ permission, ended without a trial when Judge Chin granted a motion for summary judgment in favor of Google at the end of 2013.  In his thirty-page opinion, Judge Chin agreed that Google’s conduct is affirmatively protected by section 107 of the Copyright Act, which sets out the factors that courts consider when determining if a use of another’s copyrighted work is “fair,” meaning the defendant is not required to obtain a license or pay a royalty for the use.

This controversy started almost ten years earlier when Google began its “Library Project” to scan and index books from a variety of library collections, including Harvard, the University of Michigan, the New York Public Library, Oxford and Stanford.[1]  Millions of books were to be scanned and indexed using Google’s engineering expertise and search engine, including some books that remain under copyright protection.  Google also established a “Partner Program” under which Google worked with publishers and rights holders to index and display books with permission from the owner of the rights in the work.[2]  By Judge Chin’s decision last year, more than twenty million books had been scanned and indexed into the Google Books project.[3]

Google’s database of books includes a full digital copy of each book it scans.  Each such book is indexed for searching.  Users can navigate to books.google.com and search through the index using queries of their own design.  In response, the search engine will return a list of books from the index that are relevant to the query.  Clicking on a particular book will take the user to a page which displays the cover of the book and a short summary of the content.  If the book was scanned through the Partner Program, the user is able to view what the author or publisher has consented to display on the results page.  If the book is in the public domain, the user is able to view the entire book and also to download the electronic version of the book.  However, for books still under copyright protection but not available from the Partner Program, the search result displays the book in “snippet view.”[4]  “Snippet view” is the source of controversy for the plaintiffs in the Author’s Guild because Google did not obtain permission to show portions of the indexed book in search results.[5]

Copyright infringement is the invasion by another of one of the exclusive rights in an original work.  Among the exclusive rights of authors are the rights to reproduce, distribute, and publicly display their works.[6]  Fair use is an affirmative defense to a claim of copyright infringement.  Under section 107, courts consider four factors when determining if a defendant’s infringing use is “fair”: (a) the purpose and character of the defendant’s use, (b) the nature of the plaintiff’s work, (c) the amount and substantiality of the work used by the defendant, and (d) the impact of the use on the plaintiff’s market for his work.[7]  Determining whether fair use applies depends on the facts and circumstances of each case.[8]  Judge Chin emphasizes in his opinion that “transformative” uses of copyrighted material are more likely to be a fair use.  Citing Campbell v. Acuff-Rose,[9] the court defines a “transformative” use of a work as the creation of a new work from an old one, where the new work has a different purpose or character and the fair user alters the original expression, resulting in a new work with a new meaning or message.

Fair use has been heavily litigated because the defense turns on the specific facts of each case.  In addition, while the Google Books case is an important one, it is not the first case to raise the issue of fair use in the context of technology on the internet.  More than ten years ago, the Ninth Circuit confronted a search engine that was sued for copyright infringement by a photographer, Leslie Kelly, whose photographs had ended up indexed into Arriba Soft Corp.’s internet image search engine.[10]  In that case, Kelly created, sold and licensed landscape photographs of the American West, which he made available for sale through his website.  The defendant, Arriba Soft, had crawled and indexed images available from public internet web sites, including Kelly’s web site. The Ninth Circuit held that Arriba Soft’s use of Kelly’s photographs was transformative.  Kelly’s purpose in creating his photographs was aesthetic: people would purchase Kelly’s works to have a framed photograph of a landscape in their home.  In contrast, Arriba Soft used Kelly’s photographs to create thumbnails which were placed into a search database so that search users could use keywords to find related images.[11]  The thumbnails could not supplant the original aesthetic use of the works because the thumbnails were at a considerably lower resolution.  Ultimately, Arriba Soft prevailed on the basis that its use of Kelly’s works was a fair use.[12]  Amazon obtained a similar outcome in the case Perfect 10, Inc. v. Amazon.com, 508 F.3d 1146 (9th Cir. 2007).

In the Google Books case, the court also found that Google’s use of the plaintiff’s works was transformative: “Google Books digitizes books and transforms expressive text into a comprehensive word index that helps readers, scholars, researchers, and others find books.  Google Books has become an important tool for libraries and librarians and cite-checkers as it helps to identify and find books.”[13]  The court continued: “Similarly, Google Books is also transformative in the sense it has transformed book text into data for purposes of substantive research, including data mining and text mining in new areas, thereby opening up new fields of research.”[14]

The court held that the second factor – the nature of the plaintiff’s works – also favored a finding of fair use, because most of the books indexed by Google, 93%, were non-fiction, and all of the books had been published before Google indexed them.  A court is less likely to find fair use when the defendant has used highly creative works, or works that are not yet published.  The court held that on balance, the third factor – the amount and substantiality of the use of the plaintiff’s works by Google – weighed slightly against a finding of fair use because Google had used all of the works verbatim, though that was required for the purpose of Google’s use.[15]

Finally, the court held that the last factor – the impact on the plaintiff’s market for its works – also strongly supported a finding of fair use.  In this case, the court found that the plaintiff’s market for its original works would be very unlikely to be supplanted by the “snippet” view that was available through Google’s website in response to user searches for keywords.  To the contrary, the court found that Google’s database would most likely enhance the sales of the plaintiff’s works.[16]

As a result, the court found that Google’s use of the plaintiff’s works was a fair use and entered judgment for Google.  The Author’s Guild filed notice of its intention to appeal, and subsequently filed an appeals brief with the Second Circuit in April.  Google’s reply is due in July.  Stay tuned for further developments!



[2] The Author’s Guild, Inc. v. Google, Inc., 1:05-cv-08136-DC 5 (S.D.N.Y. Nov. 14, 2013) (appeal pending in the 2d Cir., No. 13-4829-cv).

[3] Id. at 1.

[5] A careful reader will note that Google also has a complete digital copy of each book it scans, which Google backs up to backup media and shares with the source library that provided the work to be scanned.  Plaintiffs alleged that these acts violate the authors’ exclusive rights of reproduction and distribution.

[6] 17 U.S.C. § 106.

[7] Id. at § 107.

[8] The Author’s Guild, Inc. at 16-17.

[9] 510 U.S. 569 (1994).

[10] Kelly v. Arriba Soft Corp., 336 F.3d 811 (9th Cir. 2003).

[11] Id. at 818.

[12] Id. at 822.

[13] The Author’s Guild, Inc. at 19.

[14] Id. at 20.

[15] Id. at 22-23.

[16] Id. at 25.


Final HIPAA Security Regulations and EHRs

May 27th, 2013

Note: this article was originally published in Maryland Physician Magazine in its May/June 2013 issue.

The HiTech Act in 2009 set in motion a series of changes to the HIPAA rules that govern the use, disclosure and protection of protected health information (“PHI”).  The Department of Health and Human Services (“HHS”) subsequently issued interim regulations in response to these changes in the law, and this year issued a final regulation, effective March 26, 2013, that requires compliance by covered entities and business associates within 180 days.  These final HIPAA security regulations make a number of important changes which may affect your relationship with vendors that provide you with electronic health record (“EHR”) licensing and support.

First, prior to HiTech, business associates of covered entities were not required to comply with the security rules and standards set forth in the HIPAA security regulations.  HiTech changed the applicability of the security regulations to include business associates.  The final regulation from HHS implements this provision of the HiTech Act, but with a twist: subcontractors to business associates are also defined as business associates within the final regulation.  What this means is that EHR vendors and their subcontractors must fully comply with the HIPAA security rules, not just with “reasonable” security measures.

Second, prior to HiTech, there was no federal requirement that a covered entity or business associate report a security breach that resulted in the disclosure of protected health information (“PHI”).  HHS subsequently issued interim regulations to implement these notification requirements, and as of March 26, 2013, HHS issued final regulations that alter the assumptions and exceptions to what constitutes a “breach” under HIPAA.  In addition, business associates and subcontractors are obligated to report security breaches to covered entities.

For providers that are at the beginning of their search for an EHR vendor, have an attorney review any proposed contract between your organization and the vendor to ensure that the business associate provisions comply with the final regulations.  If you already have an existing relationship, work with your attorney to ensure that the contract in place complies with the final regulatory requirements.  All business associate agreements must come into compliance with the final regulations by September 2014.

In recent years, some EHR vendors have moved to “cloud”-based data storage and access solutions for their clients.  These cloud systems are designed so that provider data collected by the EHR is stored at a remote data center and made available to the provider over an internet connection.  Some EHR vendors subcontract with a third party to provide the cloud data storage.  More likely than not, that subcontractor is now a business associate under the final regulations and takes on the same obligations as the EHR vendor with regard to your data.  The final regulations require that a covered entity’s contract with its business associate require subcontractor compliance with the final security regulations.

Beyond compliance issues, providers will want to evaluate whether an EHR vendor that hosts your data in the “cloud” has really made sufficient provision for security.  Such an evaluation makes good business sense because of the severe consequences for a health care provider of any security breach that results in a loss of PHI.  For example, does the vendor follow a recognized national security standard, such as the NIST SP 800-53 control catalog or NIST SP 800-66, NIST’s guide to implementing the HIPAA Security Rule?  Is the EHR vendor, or the data center it uses to store your data, audited by an independent firm?  Note that the SAS 70 audit many vendors still cite was retired in 2011 in favor of SSAE 16 reports; a SOC 1 report covers controls relevant to financial reporting, while a SOC 2 report is the one that addresses security, availability and confidentiality controls, so ask for the SOC 2 and read its scope and any exceptions rather than accepting the mere existence of a report.  What security practices and security devices are in place at the EHR vendor to protect your data?  If the vendor will host your data, what are its disaster recovery and data backup procedures?  Are those procedures regularly tested?

Providers and their counsel should also evaluate what, if any, additional provisions should be negotiated into any final agreement with the EHR vendor concerning the vendor’s compliance with a security standard, commitment to security procedures, and related obligations (such as maintaining appropriate network perimeter controls and encryption of PHI both in transit and at rest, including on backup media).

The changes in HIPAA compliance mean that providers cannot simply treat EHR vendors as a “black box” into which providers place PHI, relying on the EHR vendor’s representations that it knows best regarding security.  In addition, because HIPAA now reaches not only covered entities and business associates but also most subcontractors of business associates that handle PHI, more entities are at risk of substantial fines for failing to comply with the applicable security standards.  All providers should work with their counsel to analyze and address compliance with the final regulations.


Data Breach Over Time

May 22nd, 2013

The following chart is a summary of data breach information available on privacyrights.org of approximately 3,700 data breaches that have become publicly known, affecting in excess of 600,000,000 records of personal information, such as credit card numbers, social security numbers, and other sensitive information.

Public Data Breach by Year

This chart illustrates the number of private records lost by year, starting in 2005.  The two most common ways that data is lost are either as a result of a portable device (PORT) that is lost or stolen (the orange bar), or direct hacking/malware (HACK) (the green bar).  The reader will note that there was a spike in lost records in 2009.  A major contributing factor to this spike was a single hacking incident involving Heartland Payment Systems, affecting in excess of 130,000,000 records, combined with a loss by the Department of Veterans Affairs of 76,000,000 records that same year.  Because a single incident can dominate a year’s total, the yearly bars say more about a few outsized breaches than about the number of incidents.

In terms of the major business industry categories, the industry sector with the largest data losses over time (2005-2013) is the financial and insurance industry (BSF), followed by retail (BSR) and government (GOV) (the latter being most affected, among government agencies, by losses at the Department of Veterans Affairs).

Public Data Breach by Industry and Year
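The two charts above are aggregations of the privacyrights.org chronology by year, breach type and organization type.  As an added illustration (not part of the original post and not privacyrights.org’s own tooling), the following Python script performs the same aggregation over a small constructed sample of rows.  It assumes an export with columns named “Date Made Public”, “Type of breach”, “Type of organization” and “Total Records”, with ISO-style dates; the company names and record counts in the sample are invented, and the two large 2009 rows exist only to reproduce the kind of single-incident skew discussed above.  Rows whose record count is “Unknown” are kept for incident counts but excluded from record totals, which is one reason charts like these undercount.

```python
"""Aggregate breach records by year, breach type and organization type.

Constructed sample rows below mimic the assumed column layout of the
privacyrights.org chronology export; a real analysis would read the CSV
file instead of SAMPLE_CSV.
"""
import csv
import io
from collections import defaultdict

# Constructed sample data (NOT the real chronology): fictitious organizations
# and invented record counts. Codes follow the chronology's conventions:
# HACK, PORT, INSD, PHYS for breach type; BSF, BSR, GOV, MED for organization.
SAMPLE_CSV = """\
Date Made Public,Company,Type of breach,Type of organization,Total Records
2005-03-01,Acme Card Processing,HACK,BSF,1000000
2005-09-14,Metro Retail,PORT,BSR,250000
2006-05-22,State Benefits Agency,PORT,GOV,3000000
2007-01-17,Metro Retail,HACK,BSR,2000000
2008-03-17,Northside Hospital,PORT,MED,40000
2009-01-20,Acme Card Processing,HACK,BSF,20000000
2009-10-02,State Benefits Agency,PORT,GOV,8000000
2009-11-09,Riverside Clinic,PORT,MED,1200
2010-12-13,Metro Retail,HACK,BSR,500000
2011-04-26,Bayside Bank,INSD,BSF,75000
2012-07-12,Northside Hospital,PHYS,MED,Unknown
"""


def parse_rows(text):
    """Parse CSV text into dicts; a non-numeric record count becomes None."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        count = raw["Total Records"].strip().replace(",", "")
        rows.append({
            "year": int(raw["Date Made Public"][:4]),  # assumes YYYY-MM-DD
            "company": raw["Company"].strip(),
            "type": raw["Type of breach"].strip(),
            "org": raw["Type of organization"].strip(),
            "records": int(count) if count.isdigit() else None,
        })
    return rows


def records_by_year_and_type(rows):
    """{year: {breach_type: records}} for the stacked-bar-by-year chart."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in rows:
        if r["records"] is not None:
            totals[r["year"]][r["type"]] += r["records"]
    return {year: dict(by_type) for year, by_type in sorted(totals.items())}


def records_by_industry(rows):
    """[(org_code, records), ...] sorted from largest to smallest."""
    totals = defaultdict(int)
    for r in rows:
        if r["records"] is not None:
            totals[r["org"]] += r["records"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def top_incident_share(rows, year):
    """Largest single incident in a year and its share of that year's total."""
    in_year = [r for r in rows if r["year"] == year and r["records"] is not None]
    total = sum(r["records"] for r in in_year)
    if total == 0:
        return None, 0.0
    biggest = max(in_year, key=lambda r: r["records"])
    return biggest["company"], biggest["records"] / total


def incidents_with_unknown_count(rows):
    """Incidents that a records-based chart silently omits."""
    return [r["company"] for r in rows if r["records"] is None]


if __name__ == "__main__":
    data = parse_rows(SAMPLE_CSV)
    for year, by_type in records_by_year_and_type(data).items():
        print(year, by_type)
    print(records_by_industry(data))
    print(top_incident_share(data, 2009))
    print("unknown counts:", incidents_with_unknown_count(data))
```

Run against the real export, the script reproduces the year and industry totals behind the charts; the `top_incident_share` figure is the check to run before drawing conclusions from any one year’s bar.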


Creative Commons Licensing

May 21st, 2013

US Copyright law provides generally broad protections for the creators (“authors”) of original works of authorship.  In particular, authors have the exclusive right to copy, distribute, publicly perform, prepare derivative works from, and publicly display their works.  In addition, these rights last a long time: for a work by an individual author, the lifetime of the author plus seventy years.  One of the problems with the broad protection is that creative people who want to start with the work of another may be stifled by the licensing regime of an author.  Absent “fair use” (a defense raised by an infringer and one that depends on the facts and circumstances of each use), an artist may simply be unable to use a work without risking a lawsuit.  One partial solution to this problem is Creative Commons licensing.

Creative Commons is a copyright licensing regime (actually a set of several kinds of licenses) and searchable database that permits users to obtain re-usable creative works that are not subject to the same restrictions under US copyright law.  The database permits a user to search in a variety of individual databases for a particular work, and the search result will then display the use restrictions, if any, based on the applicable license.  The database also contains many works that are in the copyright “public domain,” which are works that require no license at all to be used (generally, in the United States, works published before 1923 are now in the public domain).  Conversely, authors who wish their works to be more freely distributed can publish them to the Creative Commons under one of the applicable licenses.

The result is that more creative works are available on terms that demand less of the people who want to use them, with less legal risk and potentially lower licensing expense.


Reported PHI Breaches

April 15th, 2013

The Department of Health and Human Services (“HHS”) maintains an online list of covered entities and business associates that have experienced PHI breaches affecting 500 or more individuals.  As of the writing of this post, a total of 572 reported breaches are listed on this website.  What can we learn from this information?

First, the dataset covers breaches reported from September, 2009 through February, 2013.  A total of more than 21 million patient records are listed on this report (though it is likely there is some duplication of patient records between data breaches reported here).  These incidents total less than the single data loss reported by the Department of Veterans Affairs in 2006 when a single laptop was stolen from an employee’s home that contained in excess of 26 million records.  Nonetheless, a significant amount of PHI has been lost or stolen and reported to HHS over the last three and a half years.

Second, the most common scenarios for PHI breaches are tape backups that are lost, followed by theft.  Almost 6 million patient records were affected by this kind of data loss.  The theft or loss of a laptop came in fourth, affecting about 2.3 million patient records.  Theft generally accounted for more than one third of all records compromised, followed next by loss (which probably includes scenarios like we accidentally put the backup tapes in the dumpster, or the tape fell out of my bag between the office and my car), also accounting for about one third of all records compromised.  Hacking appears down the list, affecting a total of 1.3 million patient records.

Third, a little more than half of data breaches appear to involve a business associate of a covered entity in terms of patient records breached.  However, only 92 of the 572 data breaches note a business associate’s involvement, which tends to suggest that when a business associate is involved, more records on average are affected by the data breach.  This is consistent with the expectation that technology vendors like those that implement and/or host electronic health records often do so for more clients and are a bigger target for data theft or hacking and computer viruses.

With the change in breach notification in the final HIPAA regulations recently issued by HHS, it will be interesting to see if there are more breach notifications published to HHS’ web site.


Changes in HIPAA Breach Notification Rule

April 4th, 2013

HHS recently released the final regulations that revise certain provisions of HIPAA, including the HIPAA breach notification rule.  Congress, in enacting the HiTech Act in 2009, included a statutory requirement that covered entities report breaches that involved the unauthorized access or loss of protected health information (“PHI”).  HHS then promulgated an interim rule to implement this statutory provision.  That interim rule required reporting of the breach under the “significant risk of financial, reputational or other harm” standard.  Criticism was subsequently leveled at this standard as being too subjective.  HHS just recently issued its final rule (effective on March 26, 2013) that changes the breach reporting rule in two ways.

First, if there is a breach that involves PHI, and the breach does not fall within a regulatory exception, the presumption of the regulation is that the breach must be reported.  This means that a party that experiences a loss of PHI cannot assume, on the grounds that the loss was uncertain to cause significant harm to the patients, that notification of the breach was not required.

Second, the final regulation replaces the interim rule’s standard with a requirement that the party who experienced the loss must demonstrate that there is a low probability that the PHI has been compromised.  In order to rebut the presumption of a breach under this new standard, the party must perform a risk assessment, taking into account at least the four factors outlined in the regulation.  These factors are found in 45 C.F.R. § 164.402(2):

(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

(iii) Whether the protected health information was actually acquired or viewed; and

(iv) The extent to which the risk to the protected health information has been mitigated.

So, let’s evaluate some typical hypothetical scenarios that involve the loss of PHI.  The most common reported PHI breach involves data backup tapes that are lost.  By design, a data backup tape is usually the entire database of patient records, because this entire dataset would normally be required to restore the data from the backup.

Under the first factor, such a loss would militate towards breach notification, because the dataset would almost certainly include patient identifiers and, if the backup was of an electronic health record, extensive health information on each patient.  Under the second factor, if the tape was merely lost, there is no determination of who might have had unauthorized access to the PHI.  If, for example, the backup tape was just simply lost by a contractor that stores the backup tapes in a vault for retrieval on demand, this factor might lean towards not making a notification.  On the other hand, if the tape was in the trunk of the network administrator’s car, and the car was stolen, this factor might lean towards making a notification.

As to the third factor, a lost data tape alone, without more information, would not inform us whether the data was actually acquired by anyone, or viewed by someone.  There is certainly the potential that a lost tape could be viewed, assuming that the person that obtained it had access to a compatible tape drive.  But based on what we know, this factor is probably neutral.

As to the fourth factor, the question here is whether the backup tape itself was encrypted, or was stored in a locked storage box.  A tape that is encrypted is much harder to access, even if the tape was intentionally stolen to obtain unauthorized access to PHI.  In fact, encryption can take the incident out of the breach notification rule entirely: the rule applies only to “unsecured” PHI, and HHS guidance issued under the HiTech Act treats PHI as secured when it is encrypted in a manner consistent with NIST guidance (NIST SP 800-111 for data at rest, which is what a backup tape holds), provided the decryption key was not stored with the tape or otherwise compromised.  That safe harbor is a practical reason to encrypt every backup set and to keep the keys under separate control.  A tape in a locked storage box that was merely lost may be less likely to be accessed by an unauthorized user, but a lock is not encryption and does not qualify for the safe harbor.  So this factor may swing either way based on what, if any, mitigations were in place to protect the data on the backup tape.

If we assumed that no mitigations were in place, the overall analysis would lean towards breach notification under the new rule.  As you can see, however, the facts and circumstances matter greatly in evaluating whether a breach has occurred that requires notification.


Changes in HIPAA Compliance

April 1st, 2013

The HiTech Act set in motion, in 2009, a series of changes to Health Insurance Portability and Accountability Act (“HIPAA”) compliance for covered entities and business associates, which were followed by interim regulations issued by the Department of Health and Human Services (“HHS”). HHS has now issued a final regulation that goes into effect on March 26, 2013, and requires compliance within 180 days by all covered entities and business associates.

The HiTech Act made a number of important changes to the law governing the security and disclosure of protected health information.  First, prior to HiTech, business associates of covered entities were not required to comply with the security rules and standards set forth in the HIPAA security regulations.  HiTech changed the applicability of the security regulations to include business associates.  The final regulation from HHS implements this provision of the HiTech Act.

Second, prior to HiTech, there was no federal requirement that a covered entity or business associate report a security breach that resulted in the disclosure of protected health information (“PHI”).  HHS subsequently issued interim regulations to implement these notification requirements, and as of March 26, 2013, HHS issued final regulations that alter the assumptions and exceptions to what constitutes a “breach” under HIPAA.

Business Associates are Covered Entities when it comes to PHI

HiTech initially changed the law governing PHI by requiring that business associates comply with the same security regulations that govern covered entities. The final regulations from HHS clarify which security rules also apply to business associates under sections 164.104 and 164.106, including the applicable rules found in Parts 160 and 162. However, HHS also expanded the definition of “business associate” to include subcontractors of business associates that handle PHI on behalf of the business associate for the covered entity. The regulation does provide certain narrow exceptions to who is now covered by the definition of a “business associate,” including an exception for “conduits” of PHI that may, on a transitory basis, transmit PHI but would not access the PHI except on a random or infrequent basis. Overall, though, the regulation appears to further expand the legal responsibilities, and potential liability, of members of the industry that work even indirectly for covered entities.

For existing health care providers, now might be the time to revisit your business associate agreement with your business associates, such as your EHR vendors.  Section 164.314 establishes certain requirements for these agreements, including provisions that all business associates comply with the full security rule, that subcontractors to business associates also comply with the full security rule, and that business associates provide the covered entity with security incident reporting in the event of a breach at the business associate’s or subcontractor’s facility or systems.

Changes in Security Breach and Notification

HiTech also introduced a breach notification provision which was intended to require covered entities to report to HHS, and where appropriate, to patients affected by a security breach involving their PHI.  The final regulations have modified the definition of a “breach” by establishing the assumption that an unauthorized access of PHI is a breach unless it can be demonstrated by the covered entity or business associate that there is a low probability that the PHI has been compromised.

Such a demonstration requires that the covered entity or business associate conduct a risk assessment and evaluate at a minimum the four factors described in the regulation: “(i) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification, (ii) the unauthorized person who used the protected health information or to whom the disclosure was made, (iii) whether the protected health information was actually acquired or viewed, and (iv) the extent to which the risk to the protected health information has been mitigated.”

Altering the burden and requiring a covered entity or business associate to engage in this risk assessment is likely to increase the number of breach notifications required under the final regulation.

The final regulation includes a variety of other changes in requirements for covered entities and business associates not discussed in this article, such as sale and marketing of PHI, use of genetic information for insurance underwriting, notices to patients of privacy practices, and disclosure of PHI to friends and families of decedents.  Providers should promptly examine their privacy and security policies to ensure compliance with the final regulations.

Implementing Stages of Meaningful Use

October 8th, 2012

With the release of the final Stage 2 Meaningful Use regulations, CMS issued a press release on Stage 2 that, among other things, attempted to clarify when practices that implement an EHR will need to comply with which stage of the regulations. At the beginning of the incentive program, there was some concern that practices that delayed EHR adoption might have to jump right to a later stage of meaningful use to obtain any incentive money. The following chart describes the current phased-in approach, based on the year in which a practice first adopts an EHR, for when that practice has to demonstrate each stage of meaningful use.

As you can see, for practices that decide to adopt an EHR in 2013, the individual eligible providers will be able to demonstrate compliance with the Stage 1 criteria in both 2013 and 2014, delaying the Stage 2 criteria to 2015. Readers should note that Medicare eligible providers that delay implementing an EHR until 2015 will not be eligible for any incentive dollars; instead they will just be staving off the proposed Medicare reimbursement cuts of 1% per year (up to 5%) by adopting an EHR. See § 495.211. For Medicaid eligible providers, the last year one might adopt an EHR and still receive any incentive payments is 2017 (though such a provider would not have to meet the Stage 2 criteria until 2019). See § 495.310.

Comparing Meaningful Use Stage 1 and Stage 2 Criteria

October 5th, 2012

In an earlier post, I had analyzed side by side the final Stage 1 criteria for achieving meaningful use to the interim Stage 2 criteria that will be phased in starting in 2014.  Following that analysis, HHS released the final Stage 2 criteria.  As a result, the comparison has changed a bit from my post earlier this year.  The following two tables analyze the final Stage 1 Core and Menu Criteria in comparison to the same for the final Stage 2 criteria.

A few highlights of what changed between the interim and final Stage 2 criteria. First, a few of the final Stage 2 criteria reduced the compliance metrics from what was proposed in the interim Stage 2 criteria. See 495.6(j)(1), (j)(9) and (j)(11).

However, a few of the Stage 2 criteria metrics were changed to include additional requirements for compliance, which might present a curve ball for those of you planning to achieve compliance with them. For example, in the final Stage 2 regulation, the criterion on patient access to health information has an added metric that 5% of patients actually download information made available electronically by the provider. You may want to contact your information systems vendor to determine whether the portal you are implementing can provide you with this kind of information, as it may not be collected and stored in a way that allows a report to be generated to evaluate compliance.

In addition, a new Menu criterion was added in the final Stage 2 regulations, found at 495.6(k)(6).  Here, a practice could elect to enter patient chart information as structured data; the metric requires that 30% of patients that are seen during the reporting period have data entered in this manner.  As a practical matter, many EHR systems today will store documented patient information as structured data where the patient visit is documented electronically as a part of the patient visit.  This might be an easy Menu criterion to comply with (as you need to pick three of the six total criteria in the final Stage 2 regulations).

Table 1 – Core Criteria Under Stage 1 and Stage 2 Meaningful Use Comparison

Eligible providers must meet all of the Core Criteria to qualify for the incentives. Stage 1 had 15; Stage 2 has 17. Stage 1 meaningful use Core Criteria are found in section 495.6(d) for eligible providers. Stage 2 meaningful use Core Criteria are found in section 495.6(j) for eligible providers.

| Core Criteria for EP, Subsections (d), (j) | Stage 1 Metric | Stage 2 Metric |
|---|---|---|
| § 495.6(j)(1) – provider use of CPOE for medication, lab, and radiology orders [§ 495.6(d)(1)] | 30% of orders | 60% of medication orders; 30% of lab and rad orders |
| § 495.6(d)(2) – drug-drug and drug-allergy checking | Enabled during period | Moved to 495.6(j)(9), same metric |
| § 495.6(d)(3) – maintain up to date problem list | 80% of patients | Subsumed into transition of care requirement |
| § 495.6(j)(2) – electronic prescriptions [§ 495.6(d)(4)] | 40% of Rx | 50% of Rx |
| § 495.6(d)(5) – active medication list | 80% of patients | Subsumed into transition of care requirement |
| § 495.6(d)(6) – active allergy list | 80% of patients | Subsumed into transition of care requirement |
| § 495.6(j)(3) – demographics [§ 495.6(d)(7)] | 50% of patients with encounters | 80% of patients with encounters |
| § 495.6(j)(4) – vital signs [§ 495.6(d)(8)] | 50% of patients with encounters | 80% of patients with encounters |
| § 495.6(j)(5) – smoking status [§ 495.6(d)(9)] | 50% of patients with encounters | 80% of patients with encounters |
| § 495.6(d)(10) – reporting clinical measures to CMS or State | Successful testing | Not a separate criterion; CQM submission required |
| § 495.6(j)(6) – decision support [§ 495.6(d)(11)] | Implement 1 decision support intervention | Implement 5 decision support interventions |
| § 495.6(j)(7) – lab results as structured data [§ 495.6(e)(2)] | Was Menu in Stage 1; 40% of all lab results | 55% of all lab results |
| § 495.6(j)(8) – patient lists by specific condition for QI [§ 495.6(e)(3)] | Was Menu in Stage 1; at least 1 list | At least 1 list |
| § 495.6(j)(9) – patient reminders [§ 495.6(e)(4)] | Was Menu in Stage 1; 20% of patients sent during period | 10% of patients seen in last 2 years receive a reminder |
| § 495.6(j)(10) – patient electronic access to health information [§ 495.6(e)(5)] | Was Menu in Stage 1; 10% of patients receive timely access | 50% of patients receive timely access & 5% actually download information |
| § 495.6(j)(11) – clinical summaries at patient visit [§ 495.6(d)(13)] | 50% receive summary from office visit | 50% receive summary from office visit |
| § 495.6(j)(12) – patient education resources [§ 495.6(e)(6)] | Was Menu in Stage 1; 10% of patients receive ed. resources | 10% of all office visits |
| § 495.6(j)(13) – medication reconciliation for transition of care [§ 495.6(e)(7)] | Was Menu in Stage 1; 50% of transitions have recon | 50% of transitions of care have medication recon |
| § 495.6(j)(14) – patients transitioned to another provider’s care have care summary prepared by provider [§ 495.6(e)(8)] | Was Menu in Stage 1; 50% of transitions have recon | 50% of transitions of care have patient summary; 10% of transitions must involve exchange of data |
| § 495.6(j)(15) – capability to submit electronic data to immunization registry [§ 495.6(e)(9)] | Was Menu in Stage 1; perform 1 test to registry | Ongoing submission of data to registry during CY |
| § 495.6(j)(16) – security risk assessments under HIPAA security regulations [§ 495.6(d)(15)] | Conduct security assessment | Conduct security assessment |
| § 495.6(j)(17) – use electronic messaging to communicate with patients | N/A | 5% of patients seen during period received secure message from provider |
| [§ 495.6(d)(14)] – capability to exchange key clinical information among care providers and patients | One test of exchange | N/A |
| [§ 495.6(d)(12)] – 50% of patients receive timely access | 50% in 3 days on patient request | N/A |

Table 2 – Menu Criteria Under Stage 1 and Stage 2 Meaningful Use Comparison

In Stage 1, an EP had to meet 5 out of 10 Menu Criteria to qualify. In Stage 2, an EP must meet 3 out of the 6 Menu Criteria to qualify. Stage 1 meaningful use Menu Criteria are found in section 495.6(e) for eligible providers. Stage 2 meaningful use Menu Criteria are found in section 495.6(k) for eligible providers.

| Menu Criteria for EP, Subsections (e), (k) | Stage 1 Metric | Stage 2 Metric |
|---|---|---|
| § 495.6(k)(1) – access to imaging results in EHR | N/A | 10% of imaging results in EHR |
| § 495.6(k)(2) – patient family health history in structured data | N/A | 20% of all patients seen |
| § 495.6(k)(3) – capability to submit syndromic surveillance data to public health agency [§ 495.6(e)(10)] | Was Menu in Stage 1; perform 1 test to registry | Successful ongoing submission of data for period |
| § 495.6(k)(4) – capability to identify and report cancer cases to State cancer registry | N/A | Successful ongoing submission of data for period |
| § 495.6(k)(5) – capability to report to other specialized registry (other than cancer) | N/A | Successful ongoing submission of data for period |
| § 495.6(k)(6) – record electronic notes in patient records | N/A | 30% of patients seen during the reporting period |
| [§ 495.6(e)(1)] – implement drug formulary checking | Enable functionality | Moved to Core / decision support |
| [§ 495.6(e)(2)] – lab results as structured data | 40% of lab results are structured data | Moved to Core |
| [§ 495.6(e)(3)] – generate lists by specific conditions | 1 reporting list | Moved to Core |
| [§ 495.6(e)(4)] – send reminders to patients for follow-up care | 20% of patients | Moved to Core |
| [§ 495.6(e)(5)] – provide patients with timely access to health information | 10% of patients have electronic access | Moved to Core |
| [§ 495.6(e)(6)] – use EHR for patient education | 10% of patients | Moved to Core |
| [§ 495.6(e)(7)] – incoming transition of care to EP: medication reconciliation | 50% of patients have medication recon | Moved to Core |
| [§ 495.6(e)(8)] – outgoing transition of care from EP: care record summary | 50% of patients have care summary | Moved to Core |
| [§ 495.6(e)(9)] – immunization registry | 1 certified test | Moved to Core |
