Interview with Iliana Peters
Iliana Peters is a shareholder at Polsinelli Law Firm. This interview was completed on September 14, 2018.
I know you’ve spent a lot of time at the US Department of Health and Human Services. I think it would be helpful if you talked briefly about your role there and the work that you did.
I spent 12 years at the Office for Civil Rights at the Department of Health and Human Services. I started my federal career in the Dallas regional office as an investigator, for mostly HIPAA matters, a few other things as well, but I spent a little over a year at the Dallas regional office, and then I was promoted up to the Washington DC office, the headquarters office of the Office for Civil Rights at HHS, to do policy-related work and enforcement work, which included several different (rulemaking) things under HIPAA, and worked on enforcement matters there as well. So I did that for several years, and then I would lead regulation writers on several of the efforts for the (rulemaking) while I was at OCR, and then I was promoted to the senior adviser for HIPAA enforcement, so I had responsibility for ensuring that the enforcement of the HIPAA rules with regard to cases that resulted in settlement agreements and civil money penalties was consistent, and in that effort we also drafted a number of guidance documents for the general public and investigators that worked for the Office for Civil Rights. And most recently, prior to my joining the law firm Polsinelli, I was the acting deputy director for health information privacy at the Office for Civil Rights, so I had responsibility for both enforcement and policy matters, and was responsible for the team doing the HIPAA and other work at the Office for Civil Rights.
You mentioned HIPAA enforcement. Could you talk a little more about what HIPAA stands for and when that law was passed, and just give us a little background?
The Health Insurance Portability and Accountability Act of 1996 was passed to facilitate payment for healthcare, so it’s interesting and important to know that HIPAA was originally not about privacy and security of health information, even though it’s most classically known as a health information privacy law. The original purpose of HIPAA, at least in the administrative simplification part, which is where the privacy and security piece lived, was to ensure that healthcare claims were paid electronically. At the time there was a lot of interest involved in paying for healthcare from an insurance perspective, particularly with regard to Medicare and Medicaid, so the government spent a lot of money processing paper claims, because they were not standardized. Basically you’d get a paper claim for one procedure, say a doctor’s visit for a cold for example, from one doctor that would look very different from a claim from a different doctor for the same thing. So the idea was that we needed a standard code, a standard transaction, such that it would cut down on the paperwork that was involved in paying for healthcare, to standardize it, and because we were going to be using these electronic codes and we were going to be sending data back and forth electronically, Congress wanted to make sure that the information was protected as part of those electronic transactions, and that was where the privacy and security pieces came from, as part of that original statute.
Interestingly, Congress did not originally write the privacy and security pieces of the statute; they left that to the Department of Health and Human Services, and HHS did that through rulemaking. Those provisions were reinforced by the passage of the HITECH Act, which was several years later, most recently as part of the American Recovery and Reinvestment Act, which was an effort under the Obama administration, and the HITECH Act solidified and codified several parts of the HIPAA privacy and security rules, and also added breach notification requirements. So the HITECH Act has specific requirements with regard to breach notification, and enhancement of the requirements that were already existing in the privacy and security rules.
HHS was given a lot of authority or space to make a lot of the rules about patient data privacy and security. This isn’t something Congress delegated to the agency, or at least it let the agency figure out the details of it. Would that be an accurate way of looking at it?
I think originally that was the idea. HIPAA provided that if Congress itself did not develop those rules within a certain amount of time, that responsibility was left to the Department of Health and Human Services. Congress codified that decision with the HITECH Act, where they enhanced provisions under privacy and security, added very specific breach notification requirements, and then significantly enhanced the penalties. The penalties available under HIPAA originally for violation of the rules under HIPAA were somewhat limited; they were limited to $25,000 a year, and Congress increased that to $1.5 million a year, updated annually for inflation, after passage of the HITECH Act. For many reasons, the HITECH Act was an action by Congress that solidified the work that HHS had done as a result of HIPAA.
Now you’re working for a law firm. What kind of work do you do, and how does it compare to the work you previously did for Health and Human Services?
That is correct, I am a shareholder at Polsinelli. I am very lucky to work for their fantastic healthcare team, which includes specialists in data privacy and security, not only in healthcare but in other sectors, and it does include some of the fantastic people that I worked with at OCR, both an investigator and a policy specialist who I worked with at OCR and who I work with now at Polsinelli, and others on the team that have a primary focus on privacy and security issues in healthcare. So it’s very similar work, although we do additionally work on new and emerging issues, such as artificial intelligence, and areas where the law, by the law I mean HIPAA, may not quite reach all healthcare entities, so we work with entities not covered by HIPAA as well on data privacy and security matters. So it’s a really fun mix of questions that I didn’t get as the regulator. As you can imagine, the regulator sees specific types of issues many times, the same types of issues over and over again; there are issues that are extremely important to people, like access to their health information, or the security of their health information with regard to certain types of breaches. The interesting and creative questions about the application of the law to new and emerging technologies aren’t necessarily something that I would get to work on at HHS, and I do get to do more of that exciting work here at the law firm.
In light of the years of experience that you’ve had with HIPAA enforcement, can the average American today feel assured that his or her medical data is safe, in your opinion?
I think that is a good question, but I think it’s a question I’m not sure I have an answer to. I think certainly there are many, many entities, healthcare entities and other types of entities, that take their responsibility to safeguard data very seriously and honestly do the best that they can in that regard, and by that I mean that not only do they take their legal obligations very seriously, under HIPAA and other laws that protect the privacy and security of personal information, but they also have a culture within their institutions that really, as someone recently said to me, emphasizes the golden rule: consider that information just as you would consider your own information; they would protect that information just as they would want their information to be protected. And there are organizations that are doing a very good job of that. Unfortunately, and given our recent national conversations about data privacy and security, there are other organizations that aren’t doing as good a job, and that has a lot to do with many different factors. It is important to realize that in the healthcare sector there are many different types of entities and healthcare professionals that aren’t highly trained security professionals; they are highly trained medical professionals, they’re really worried about ensuring that individuals get the best treatment possible, for example, and they don’t have the resources or the bandwidth to try to ensure that IT security matters are appropriately handled. So that’s a constant challenge, I think, for the healthcare sector, in terms of understanding what the requirements are and why they are so important, and also having the resources and dedicating the resources to IT security efforts.
Recently a number of apps for smartphones have been coming out. Some of them focus on health, others focus on fitness, some of them cater to those who have a substance use disorder, such as Opioid Use Disorder, and they do a number of things: the end user puts in some information, the app can connect them with peers, or a support group, it can also help connect them with medical personnel, like through long-distance. I know some of these apps have gathered quite a bit of information about their users. Does HIPAA apply to these apps, or does it only cover traditional relationships between patients and medical personnel?
That’s a really good question, and the answer is, it depends. HIPAA covers only what are called covered entities under HIPAA. Those include healthcare providers that use those HIPAA transactions that I was talking about earlier, just keeping in mind that the whole point of HIPAA was to ensure payment using electronic transactions. So if the healthcare provider is a cash-only business, then it is not covered by HIPAA, so there are certainly even healthcare providers that are not covered by HIPAA. HIPAA also applies to health plans, so generally what we would consider health insurance companies, and that includes Medicare and Medicaid for example, and another type of entity called a healthcare clearinghouse that helps those entities do those HIPAA-covered transactions. But HIPAA also applies to business associates of those HIPAA-covered entities. So to the extent you have a law firm, like mine, who works with healthcare providers or health insurance companies, we work mostly with healthcare providers, we can in certain circumstances get information that is protected by HIPAA to help our healthcare providers with certain legal responsibilities or other reasons that are covered under provisions of the HIPAA privacy rule. But that makes us a business associate, and in order to disclose that information to us, the covered entity, the covered provider, has to make sure through contract that we are going to protect that information just like they’re required to protect that information. So we also have to comply with the HIPAA requirements. So there are many types of entities, not just lawyers, but many types of entities that provide services to HIPAA-covered entities: doctors, hospitals, health systems, dentists, health plans. If they provide services to those types of entities, and they create, receive, maintain or transmit, and/or disclose data from those entities to do that, then they also have to comply with the HIPAA requirements.
And that originally was something that was just a contractual duty, but the HITECH Act solidified those requirements and made business associates directly liable for many provisions under HIPAA, so we are required to secure that data, for example. So it really depends on whether or not these applications stand on their own and do not interact with any other HIPAA-covered entities for purposes of providing services to those HIPAA-covered entities. If they are solely applications that interact with the consumer and don’t have any interaction with HIPAA-covered entities, then they would not be covered by HIPAA, but if they do in fact provide services, for example, not only to individual patients but also to the doctors that they work with, to some extent they could be covered by HIPAA. It would depend on the circumstances and how those services are provided. The Office of the National Coordinator for Health Information Technology, also at the Department of Health and Human Services, a couple of years ago did a report exactly on this issue, on where HIPAA coverage ends and whether the other applications that may be involved in healthcare are covered by HIPAA. So it’s a very good question and it’s one we’re still dealing with.
I noticed that HIPAA has a lot of provisions; it had HHS create rules for requirements for patient privacy. I know that in the news recently there’s been a lot of chatter about insurance fraud, whether it’s a company like Theranos, which had a machine that could supposedly do a bunch of different tasks, but it turned out it couldn’t, or with the opioid crisis, where there were certain organized schemes, people with Medicare or Medicaid getting a prescription for an opioid-based painkiller, but it was basically fraudulent, so that those pills could be diverted for some other purpose, and there’s an end user who has () syndrome getting a lot of different treatments that do not actually coincide with actual conditions that they have. In your opinion, how does HIPAA strike a balance between protecting patient privacy on one hand, and allowing the investigations necessary to uncover insurance fraud on the other hand?
Healthcare fraud is not my area of expertise, but I will note that the HIPAA privacy rule permits disclosures in certain circumstances, and that includes when they are required by law, for example. So to the extent that there is a court order to disclose the protected health information, then that would be a disclosure that would be permitted under HIPAA. There are also other provisions under HIPAA that address government investigations, for example, so certainly if there was a government investigation that was ongoing to determine fraud in a particular case, then the healthcare provider would be permitted to share such information under the HIPAA privacy rule for purposes of the investigation, but they would be limited in what they can share; it would have to be specific to the ongoing investigation.
So it allows health providers to permit health disclosure under certain circumstances, like a legal court order, or some other circumstances?
Correct. Essentially there are disclosures that are permitted under HIPAA, and those do include disclosures for purposes of litigation, like pursuant to a court order or pursuant to what’s called an administrative subpoena, which is different from a regular subpoena. An administrative subpoena is one ordered by, for example, a federal government agency during an ongoing investigation. There are provisions under HIPAA that allow healthcare providers to disclose information if and when there is an investigation, for example, for fraud purposes.
So the subpoena then can come directly from the federal agency that has investigators working, looking for something like fraud, or I guess a court order. Could that include things like a search warrant that a judge gives?
So I think the answer in most circumstances is yes. In a lot of cases it depends on whether or not you’re talking about federal or state law, and what would be required, but generally yes, a court order requires compliance, and if it does, then that permission is available under HIPAA, and as I said, certainly if there is a law enforcement inquiry such that there is an administrative subpoena. So again, a regular subpoena is not sufficient on its face under HIPAA, where maybe under state law, for example, it would be. But certainly there are permissions under the privacy rule if there is an administrative subpoena and it’s part of a law enforcement inquiry, which is an ongoing law enforcement investigation, and that information is absolutely necessary for that investigation; then yes, the HIPAA-covered entity or business associate could disclose that information for that purpose.
I see. When the Affordable Care Act was passed, did it make any major changes to HIPAA with regard to patient privacy?
No, the last changes to HIPAA rules were with the American Recovery and Reinvestment Act.
Given your experience working at the Office for Civil Rights at HHS, if you had the ability to change any provision of HIPAA, or any HHS rule, to more effectively protect data privacy, which provision would it be and why?
That’s a question I never really thought about, but I would say that I would have to go back and change “risk analysis” to “risk assessment” and “risk assessment” to “risk analysis.” Probably the only people that would get that are the people who do the work I do on a regular basis, and that drives us all crazy. But I have to say what the writers of the original privacy and security and breach notification rules did, and I was part of the breach notification effort, but not the privacy and security effort, which was before my time at OCR, is that they managed to write a set of regulations that has stood the test of time, which says a lot about the effort; it is actually quite impressive. They took a series of different provisions that already existed, including those under the Privacy Act, other requirements, and other standards with regard to the privacy and security of data, and applied that to health information when they wrote these rules. So they took all of the best thinking on privacy and security of data at the time, and put it into these rules. And I truly think they have withstood the test of time, because they are nimble enough to change in a way that is beneficial to the individual, given what is expected by the industry. For example, encryption is a very good one. Encryption is what’s called an addressable specification under the HIPAA security rule, and that does not mean that it’s optional, which is a common misunderstanding. What it means is that entities have to do encryption, they have to implement encryption for their data, at rest or in transit, or they have to implement reasonable compensating controls, something that is essentially the same as encryption, that would protect that data.
The thing is, right now there really isn’t anything better than encryption to protect your data, but as you may well know, there are a lot of efforts ongoing to do something that is better than encryption, in terms of the resources, in terms of protection from a security perspective, in terms of how encryption may be broken over time; all of those issues are currently being addressed in the IT security sector. To the extent something better than encryption comes along, that would be considered a reasonable compensating control rather than encryption. So it is pretty amazing that these rules, like I said, have codified ideas of privacy and security that have been in existence in different types of laws over time, and continue to in fact be good law, that state laws have emulated, for example, and that reflect requirements that are even international. So I think the changes I would make, if it were up to me, would be comparatively minor.
What advice would you give to healthcare compliance professionals who are just starting out in the field?
I guess the idea that this information is incredibly important to people and incredibly sensitive. I know there’s a lot of thinking out there that ‘privacy is dead’ and that individuals really don’t feel strongly about the privacy of their data anymore. OCR gets roughly 20,000 complaints a year, and that indicates to me that people do actually care about the privacy and security of their information. And I think that our national conversation of late also indicates that people care very much about the privacy and the security of their data. So I would encourage new practitioners to really think seriously about their responsibilities to protect this data, in the way I described earlier: how would they want their own data to be protected, or the data of their child. That’s a really good example, because in many cases medical identity theft takes years to be recovered from. If you are a victim of medical identity theft, it can take many years before you know you have been a victim, so think about it in that you need to protect this data like you would protect your own child’s data, so that when they turn 18 they don’t discover that they have had massive identity theft when they try to get their first credit card, for example. So along with all the other responsibilities new practitioners have, they really do need to be concerned with the privacy of this data, not just because it is important to their patients but also because it affects their ability to provide healthcare. Many of the cyberthreats that they confront nowadays can actually shut down their systems such that they cannot provide patient care, such that there are massive risks to patient safety.
This is truly an issue that is not just about the privacy of the data, but also the security of the data, so that patient safety is protected. So it’s really important to spend a little of that time that they spend keeping up with their continuing medical education, for example, and devote it to really understanding what data security means in the healthcare sector, and how they can be better prepared for all different types of threats to the security of that data.
I think that’s all the questions I have. Were there any additional thoughts or ideas that you would like to share?
I would only emphasize that there is a lot of misunderstanding about HIPAA. There are things that those of us who do this work call ‘HIPAA myths’, and one of those is that HIPAA does not allow healthcare providers to share information with family and friends of a particular individual patient. That’s not true. The HIPAA privacy rule does in fact allow healthcare providers to share information related to an individual’s care, or payment for their care, with their family members or friends who are involved in their care or payment for their care, unless the individual explicitly objects to that sharing of information. It’s important to understand that HIPAA doesn’t get in the way of sharing that information with someone’s family members or their friends, if their friends are involved in their care. So I think there is a lot of misunderstanding about the fact that HIPAA not only does not want to interfere in the treatment of individuals, it does not want to interfere with coordination of that treatment with an individual’s family and friends, because those people work particularly hard with the individual in crisis, and with respect to the opioid crisis, those particularly vulnerable individuals truly often need the help of their family members and friends, and do not object to the sharing of that information, and in those circumstances that information can be shared, and should be shared, so that the individual has the best results.
That’s great, and it helps to dispel some of these myths. What you were saying, that was the perception among a lot of people.
It’s unfortunate, too.