Adding Up: The Bottom Line Effects of Risk Management Credits Over Time

10-year (Average) Cumulative Cost of Insurance 2004-2013 (Before Dividends)

By Robert Widi VP Sales and Marketing

You’ve heard it before, put the 3 bucks you spend on coffee each day into your 401k and you’ll be amazed at how much money you’ll amass for retirement. We’re talkin extra ultra venti here. Three bucks a day, 30 days a month, twelve months a year…well you get it, adds up to tens, even hundreds of thousands of dollars… So what if we place the same kind of lens on your malpractice insurance policy. Here is one of the easiest credits to earn on your premium and it can really add up.

Risk Management

Educational credits are the best of all earned credits because you can earn and learn. Don’t underestimate the value of information disseminated at our seminars, we’ve had cases literally won or lost based on the principles that are discussed at courses because they tend to highlight the problems we’ve encountered in earlier claims. I will never understand why anyone would not take advantage of this valuable benefit if your carrier provides it. Yet amazingly, nearly half of OMIC’s policyholders did not receive a discount in the past year, and OMIC has one of the highest risk management participation rates in the country.

I did a comparison shown in the chart to the right of an average 10-year cumulative cost of insurance for an insured who participates in risk management each year and one who does not. You can see there is a difference of approximately $8,500 over a 10-year period. So, for spending approximately 10 hours (the avg OMIC risk management seminar is about an hour) over 10 years, you earn more than eight grand, $850 bucks an hour, for your time. Call me crazy but this seems like a no-brainer to me. Now let’s talk about group practices. There you really got a head scratcher. $8500 x 5 = well you do the math.

So the take-away is, don’t lose out on your chance to earn credits where they’re easy and free. Think of it kinda like a “buy 10 sandwiches and the tenth is free” card. I hope this helped put the power of discounts front and center in your mind. For more information on OMIC’s risk management program go here.

MICRA Critical to Protecting Ophthalmic Practice Across the United States

OMIC is a member of CAPP. The Californians Allied for Patient Protection (CAPP) initiative is critical tort reform that has been instrumental in keeping malpractice costs manageable and protecting patients access to health care. Because California initiatives are often a bellweather for tort actions in other parts of the country, the fight to maintain MICRA is a top priority for ophthalmic practice.

The campaign to defeat the anti-MICRA ballot initiative will now be known as the “No on 46” campaign. Organizers will need everyone’s help to educate voters that Prop. 46 will increase health care costs, reduce access to care and jeopardize citizens’ personal prescription drug information. We are counting on your involvement between now and November 4 to defeat this measure.

With only a few months until Election Day on November 4, we are ramping up efforts to educate voters that Prop. 46 will increase health care costs, reduce access to care, and jeopardize people’s private prescription drug information.

Please visit www.NoOn46.com to download information about Prop. 46.

Follow the campaign on Twitter and Facebook for immediate news on campaign updates, press releases, etc.

Twitter:      No on 46      Facebook:      Vote No on 46

Read more: The Wall Street Journal, 4/16

Read OMIC article on CAPP: Join the CAPP Fight >> MICRA Critical to Protecting Ophthalmic Practice Across the United States

Time Sensitive Conditions and Errors in Diagnosis

Paul Weber, JD, OMIC Vice President of Risk Management/Legal

Digest, Spring 2013

Claims related to error in diagnosis continue to challenge OMIC and other medical professional liability carriers. “Diagnostic error” is broadly defined as a diagnosis that is missed, incorrect, or delayed as detected by a subsequent definitive test or finding. Recently, researchers at Johns Hopkins University reviewed 25 years of malpractice claims reported to the National Practitioner Data Bank between 1986 and 2010. [1] Their research revealed that “… among malpractice claims, diagnostic errors are the most frequent, most severe, and most costly of all medical mistakes.” Although diagnostic error cases account for only 13% of OMIC closed claims, they are the most costly, resulting in over one-third of the indemnity paid to plaintiffs.

Managing the risk related to diagnostic error claims involves analyzing both system-related factors (patient-to-physician communication and communication among physician and other health care providers) and cognitive factors (physician did not gather relevant data optimally or failed to synthesize data correctly).

Time is of the essence

OMIC has noticed a subset of “time sensitive” diagnostic error cases in which there was a relatively brief period of time between when the patient was examined and when medical/surgical intervention or referral needed to occur. Many of these OMIC cases included both system-related and cognitive factors that contributed to the error in diagnosis. OMIC closed six such cases in 2012 (ROP, trauma, stroke, aggressive glaucoma, retinal detachment, and endophthalmitis), which accounted for 40% of the $10 million indemnity paid out last year. With the exception of the ROP case, there was an average of only five days between the first patient contact and the correct diagnosis, indicating that clinicians had a brief window in which to make a correct diagnosis before the patient suffered significant problems. A stroke case that settled for $500,000 is a particularly good example of a time sensitive case in which both system-related factors and cognitive factors combined to lead to a diagnostic error and large indemnity payment.

An accident waiting to happen

On March 14, a 53-year-old male patient presented to the insured with complaints of seven or eight episodes of right eye visual acuity loss over the past month. He was not an established patient, and it was unclear whether he was referred by his primary care provider (PCP) as the insured believed, or self-referred as the patient later claimed. The patient reported episodes when his vision became very gray except for a small area at the top. These episodes usually occurred when bending over or straining, lasted four to five minutes, and were sometimes followed by a slight pain in the right eye. The eye exam was essentially normal except for a posterior, subcapsular, polar senile cataract. The patient was noted to be in good general health and oriented to person, place, and time. Since these episodes occurred when the patient bent his neck or strained, the insured believed these actions caused plaques to break off and float to the ophthalmic artery or caused vascular compression. The insured’s diagnosis was transient arterial occlusion of the retina. He instructed the patient to be seen by the referring PCP within two weeks for a workup of transient ischemic attacks (TIA). The patient was told that the PCP would most likely order a carotid ultrasound, and he was advised to “phone immediately for increased pain, increased redness, or decreased vision.” Customarily, the insured’s office would have made the patient’s appointment with the PCP but did not in this case for reasons that are unclear.

The insured sent a letter to the PCP regarding his examination and discharge instructions. The letter stated that the patient had been having amaurosis fugax episodes in the right eye for a few weeks. The PCP later testified that she never received the insured’s letter and, unbeknownst to the insured, the patient had not been seen by this PCP for over four years and was not considered a “current patient.”

A few days after being seen by the insured, the patient had another episode of transient vision loss but did not seek medical attention. One week later, on March 21, the patient collapsed at work. He was taken by ambulance to a large medical center presenting with slurred speech and left-sided weakness. A CT scan of the brain taken in the ER showed a hyper-dense clot in the right cerebral artery, consistent with acute occlusion. There was no evidence of hemorrhage. A bilateral carotid Doppler performed on the same day showed near total occlusion of the right internal carotid artery and 50–60% lesion on the left internal carotid artery. The patient had a cerebral vascular accident (CVA) due to a cerebral clot.

After discharge and rehabilitation, the patient had minor left upper extremity dexterity problems and transient issues with executive cognitive functioning. He filed a lawsuit against the insured, alleging that given the number of episodes of amaurosis fugax, the insured should have referred him for an appropriate workup by a neurologist within 24 to 48 hours. The venue of the lawsuit was “plaintiff friendly” and the jury verdict range was estimated between $1 million and $2.5 million.

OMIC retained three different neuro-ophthalmologists to review the case. One of these experts wanted to be supportive but felt the history taken was a “little lean.” He also stated that “common sense” and “intuition” should have given the insured a sense of urgency regarding the seven or eight events in a one month period. Another expert stated that the insured too quickly ruled out “transient visual obscuration” from the differential diagnosis and that the insured’s theory of “plaque breaking off” and flowing through the carotid artery was a powerful argument for immediate care. The third neuro-ophthalmologist, who testified for the insured, stated that a work-up for amaurosis fugax is not “urgent” or “emergent” when several episodes have occurred over the course of a month or so and are not accompanied by other, more worrisome symptoms. All three experts agreed that had a Doppler ultrasound been ordered quickly, it would have identified the source of the clot at the base of the carotid artery and a surgical correction would have prevented the CVA.

Since the insured was a general ophthalmologist, OMIC also had a general ophthalmologist review the case. She opined that there should have been an urgent (same day) referral to the PCP. She felt strongly that if the PCP could not or would not see the patient, the patient should have been referred to the ER for emergent evaluation, including a neurology consult.

A non-binding hearing was conducted and found that the insured breached the standard of care by not referring the patient to the PCP on a more urgent basis within 24 to 48 hours. However, the hearing panel determined that the plaintiff was more at fault than the insured for not acting sooner to take care of himself, i.e., not making the appointment with the PCP. Also, the panel felt that the patient could have had the stroke at any time, including during the insured’s examination or immediately after he left his office, and that it was speculative whether the stroke could have been avoided. Given the hearing panel’s decision on the standard of care, the consensus of defense counsel, OMIC’s claims department, and the insured was that it was too risky to go to trial and the matter was settled with a $500,000 indemnity payment to the plaintiff.

System-related factors

A “perfect storm” of missed opportunities contributed to the delay in diagnosing the cerebral clot. First, the insured and his staff had different understandings about whether the patient was referred by his PCP or self-referred. The insured erroneously believed that the PCP had referred the patient and, therefore, knew about the episodes of vision loss. The insured also said it was highly unusual for his staff to field a call of vision loss and not make an appointment on a more urgent basis, although there were no written office policies or telephone guidelines for handling appointments.

Had the insured checked the OMIC website, he would have found comprehensive written telephone policies and procedures that would have provided his staff with a checklist to help them gather the necessary information from the patient and determine the appropriate appointment category: emergent, urgent, or routine. Checklists become especially important with time sensitive conditions such as neuro-ophthalmic problems. To this insured’s credit, he made several changes in his appointment practice protocol as a result of this case, including a daily review of all referrals and accompanying paperwork to verify that appointments are scheduled appropriately.

Another system-related issue that frequently impacts time-sensitive conditions is poor communication between provider and patient regarding the nature and urgency of the patient’s condition. The patient in this case claimed not to understand the importance of the follow-up appointment with the PCP and testified that he thought someone would call him with a date for the carotid ultrasound. Even though the hearing panel believed the insured had communicated the urgency of the problem and the patient was primarily responsible for not following up more quickly with his PCP, the case would have been more defensible had the office actually made the referral appointment for the patient. If they had, they would have learned that the PCP was not currently treating the patient, which might have led the ophthalmologist to treat this patient as more high risk. At a minimum, the practice should have given the patient a form specifically indicating the urgency of the appointment.

As noted here and in the Closed Claim Study regarding pseudotumor cerebri, some patients are not fully engaged in the process of their own care. Many ophthalmic practices do a good job of educating and empowering their patients on certain procedures and risks. The American Academy of Ophthalmology patient education brochure “Floaters and Flashes—A Closer Look” is an example of ophthalmologists educating patients to seek timely follow-up care and medical advice and to become active participants in their own care and diagnostic process.

Cognitive factors

In the past few years, the research and literature on diagnostic error have grown significantly. In 2007, Boston hematologist-oncologist Jerome Groopman vividly described in his bestseller “How Doctors Think” how thought processes underlie many diagnostic errors. Cognitive psychologists and researchers who have analyzed diagnostic error believe physicians use a “dual process” to arrive at a diagnosis using both “System 1,” an intuitive/subconscious process, and “System 2,” a systematic, analytical process. When using System 1, physicians employ mental shortcuts (heuristics) to reach decisions that are right the majority of the time. The insured in the stroke case later acknowledged several cognitive processing errors, biases, and limitations linked to System 1 shortcuts.

First, the patient’s general good health alleviated concern about the amaurosis fugax being urgent or emergent. The insured saw the patient in the context of an otherwise healthy 53-year-old man. This is an example of “context error,” which can occur when the diagnosing physician is biased by patient history, previous diagnosis, or other factors and thus formulates the case in the wrong context.

Second, the fact that the patient’s symptoms occurred mostly when he was bending over caused the insured to give too much weight to a diagnosis of transient arterial occlusion. The neuro-ophthalmology experts pointed out that the insured’s own patient history was incomplete and he did not develop a differential diagnosis, too quickly coming to the conclusion of transient arterial occlusion. This is an example of “premature closure.” The insured narrowed his choice of diagnostic possibilities (i.e., hypotheses) too early in the diagnostic process, such that the correct diagnosis was minimized or not considered.

Finally, the insured himself felt the biggest lesson he had learned was to consider the most serious potential diagnosis and let it drive the plan. To improve his understanding of neuro-ophthalmic risk, the insured participated in several CME courses related to transient visual loss and diagnosis and management of neuro-ophthalmic emergencies.

In order to reduce System 1 (intuitive) cognitive processing errors and related biases, some experts suggest a checklist. A copy of several sample checklists can be found at https://orlando.isabelhealthcare.com/pdf/EducationStrategiesToReduce DiagnosticError.pdf.

Checklists are simply a reminder to perform a conscious, reflective review to optimize clinical decision making and provide corrective oversight to the automatic processing that underlies diagnostic errors such as the one demonstrated in the stroke case.

Error in diagnosis is a challenge facing all of medicine. Multiple factors, system-related and cognitive, are involved. OMIC believes that only with sustained research to better understand these multiple factors will interventions be developed to reduce errors that cause injury to patients and result in claims against physicians and other health care providers.

1. Saber, Tehrani AS, Lee HW, et al. “Quality and Safety in Health Care.” First published online April 22, 2013 as doi: 10.1136/bmjqs-2012-001550.

How to Subscribe to Eye on OMIC: A Magazine on Flipboard

Simply download Flipboard for free on any mobile tablet, phone, or similar device.

Then search for “Eye on OMIC”.

Choose and open the magazine:

Then tap the Subscribe button at the top of the cover:

It’s that easy!

HIPAA Omnibus Final Rule—What To Do

Kimberly Wynkoop, OMIC Legal Counsel

After 10 years in the “HIPAA Privacy Enforcement Era,” the requirements of compliance continue to evolve. On January 25 of this year, the US Department of Health and Human Services Office of Civil Rights (“HHS”) published the HIPAA Omnibus Final Rule (“Final Rule”), modifying the privacy, security, breach notification, and enforcement rules. These modifications implemented most of the privacy and security provisions of the 2009 HITECH Act. The Final Rule became effective March 26, 2013, and compliance in most areas was required by September 23, 2013. However, existing business associate agreements do not need to be updated until September 22, 2014, as long as they are not modified or renewed prior to that date. We understand many ophthalmologists are still struggling with some of the nuances of these changes and how they impact their practices. This article will suggest actions you should take to implement the changes to your privacy, security, and breach notification procedures necessitated by the Final Rule. For personalized advice, insureds may consult one of OMIC’s risk managers at 800.562.6642, option 4. Remember that the HIPAA requirements are the baseline. Your state may have stricter applicable privacy and security standards.

Update your Notice of Privacy Practices

The Final Rule necessitates several amendments to covered entities’ (CEs’) Notice of Privacy Practices (NPP). On the Final Rule compliance date, the government published a plain language sample NPP, which can be found at http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html. It provides a minimal approach to patient notification. Prior to publication of the government’s sample, OMIC created its own sample and acknowledgment form, which can be downloaded at http://www.omic.com/hipaahitech-resources/. It provides a more in-depth description of permissible uses and disclosures, authorization requirements, and patient rights. The following are the changes that must be addressed. (See OMIC’s sample and “Other Final Rule Changes” on page 5 for more detail.)

The NPP should include a statement that for any use or disclosure not described in the NPP, the CE must obtain written authorization from the individual. The NPP must alert patients that they can opt out of fundraising communications from the CE. It must tell patients that the CE will never share their protected health information (“PHI”) for marketing purposes, sell their PHI, or share their psychotherapy notes, unless the patient gives them written permission. The NPP must tell patients they have the right to see or get an electronic or paper copy of their PHI (or direct receipt to a third party), usually within 30 days of their request, and the CE may charge a reasonable, cost-based fee. The NPP must inform patients that if they pay for a service or health care item in full, out-of-pocket, they can request that the CE not share this information for the purpose of payment or health care operations with the patient’s health insurer. The NPP must state that patients have the right to receive notification of a breach of unsecured PHI. Remember that you can include additional, voluntary limitations on your use or disclosure of PHI, but you will be bound by this promise if you do.

The CE must post the revised NPP. The CE may provide email copies, if patients have agreed to electronic notice, or have patients read a laminated copy of the NPP in the office, but must also make hard copies available to take. The CE must use its best efforts to obtain acknowledgment of receipt of the NPP from new patients. If the CE maintains a website, it must post the updated NPP there as well.

Assess your security risks, safeguards, and breach plans

The HIPAA Security Rule requires CEs to implement administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (“ePHI”). HHS specifies that CEs can take a flexible approach, using any security measures that allow the CE to reasonably and appropriately implement the standards and implementation specifications. The implementation specifications are either “required” or “addressable.” CEs must assess how reasonable and appropriate it is to implement the addressable standards and how likely they are to contribute to protecting the CE’s ePHI, and implement them where appropriate. If not implementing the addressable specification, the CE must document why not, and implement an equivalent alternative measure if reasonable and appropriate. Encryption, for example, is an addressable standard. However, in order to avoid reporting security breaches under the Breach Notification Rules, encryption is a de facto necessity.

HIPAA requires that CEs notify individuals whose unsecured PHI has been impermissibly accessed, acquired, used, or disclosed, compromising the security or privacy of the PHI. The notification requirements still only apply to breaches of unsecured PHI. In other words, if PHI is encrypted or destroyed in accordance with the HIPAA guidance, there is a “safe harbor” and notification is not required. Likewise, the definition of breach still specifically excludes various unintentional and inadvertent acquisitions or disclosures where further impermissible use or disclosure did not result and disclosures of PHI where the unauthorized recipient would not reasonably have been able to retain such information. However, the exception for limited data sets without birth dates and zip codes has been removed.

Under the Final Rule, HHS has changed the threshold test for determining whether notice of a security breach must be given. The old test was whether the breach posed a “significant risk of reputational, financial or other harm” to affected individuals. Now, any use or disclosure of unsecured PHI is presumed to be a breach requiring notice unless a risk analysis reveals a “low probability” that PHI has been compromised. The analysis must consider at least the following factors: the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the PHI or to whom the disclosure was made; whether PHI was actually acquired or viewed; and the extent to which any risk to PHI has been mitigated. No risk assessment is needed if the CE decides to report the breach, though the CE will want to undertake an appropriate review in order to determine how to mitigate the harm and reduce the likelihood of future breaches. All documentation related to the breach investigation, including the risk assessment, must be retained for a minimum of six years. The notification and timing provisions for reporting breaches of unsecured PHI have not changed.

The CE should outline these breach assessment and response steps in a written plan. OMIC’s sample plan and breach notification letter can be found in OMIC’s HIPAA/HITECH Resources.

Amend your business associate agreements

Most of the Privacy Rule and all of the Security Rule now apply directly to business associates (“BAs”) and their subcontractors, who are all now directly liable for their own HIPAA violations. Subcontractors of BAs (and even subcontractors of subcontractors) may now be BAs themselves if they create, receive, maintain, or transmit PHI on behalf of the BA. CEs do not need business associate agreements (“BA agreements”) with these subcontractors. This is the responsibility of the first downstream BA. The CE, though, must require their BAs to enter into such agreements with the BAs’ subcontractors.

The Final Rule expands and clarifies the definition of a BA. A BA is one who, on behalf of a CE, “creates, receives, maintains, or transmits” PHI. This includes claims processing or administration; data analysis, processing, or administration; utilization review; quality assurance; patient safety activities; billing; benefit management; practice management; and repricing. A BA is also one to whom PHI is disclosed so that person can provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a CE. The definition of BA also specifically includes a person who offers a personal health record to one or more individuals on behalf of a CE, and a health information organization, e-prescribing gateway, or other person who provides data transmission services to a CE and who requires “access to PHI on a routine basis.” The determination of whether a data transmission organization has access on a routine basis is fact specific, based on the nature of services provided and the extent to which the entity needs access to PHI to perform its service for the CE. Entities that act as “mere conduits” for the transport of PHI but do not access PHI, other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law, are not BAs. The conduit exception is narrow and is intended to exclude only those entities providing courier services, such as the US Postal Service, United Parcel Services, and their electronic equivalents, such as internet service providers (ISPs), and telecommunications companies. The conduit exception is limited to transmission services (whether digital or hard copy), including any temporary storage of transmitted data incident to such transmission. In contrast, an entity that maintains PHI on behalf of a CE, such as a data storage company, is a BA and not a conduit, even if the entity does not actually view the PHI. The difference between the two situations is the transient versus persistent nature of that opportunity to access PHI.

The new BA definition also states that a CE may, itself, be a BA of another CE. If so, the CE will need a BA agreement with the CE-BA (just like with a regular BA). A BA relationship also arises between a person performing any of the above described functions or activities on behalf of, or to or for, an organized health care arrangement (“OHCA”) in which a CE participates.

Institutional Review Boards (“IRBs”) are not BAs merely by virtue of their research review, approval, and oversight activities. While researchers are, likewise, not BAs by virtue of their research activities, HHS has confirmed that researchers may be BAs if they perform a service for the CE, such as de-identifying PHI or creating a limited data set or contacting individuals to obtain their authorizations for disclosure or use of the PHI for research, even if such tasks are ultimately for the researcher’s own use. Organ procurement organizations (“OPOs”), such as eye banks, are generally neither CEs nor BAs, and no HIPAA authorization is needed for CEs to use or disclose PHI to OPOs to facilitate donation and transplantation. CEs will need to reevaluate their business relationships to determine who now qualifies as a BA and enter into or update their BA agreements with them.

The Final Rule also modified several BA agreement requirements. CEs no longer need to report failures of the BA to the government when termination of the BA agreement is not feasible, as HHS has concluded that the BA’s direct liability for these violations is sufficient. BAs must comply with security and breach notification rules. With regards to breach notification, BAs must report security breaches to CEs; CEs are then required to report breaches to affected individuals, HHS, and in some cases, the media. CEs may propose in their agreements that BAs assume the responsibility of providing such breach notifications directly and to pay the costs associated with such notification.

Under the Final Rule penalty provisions, CEs are liable for civil money penalties if BAs who are their agents violate HIPAA. (Likewise, BAs are liable for the actions of their agents, including subcontractors.) Therefore, CEs should seek legal advice to determine whether their various BAs are agents or independent contractors. The Federal common law of agency applies. The terms or labels given to the parties (for example, “independent contractor”) do not control whether an agency relationship exists. The essential factor is the right or authority of a CE to control the BA’s conduct in the course of performing a service for the CE.

HSS has provided a sample BA agreement at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html. OMIC’s can be downloaded at OMIC’s HIPAA/HITECH Resources. For more guidance from the government on determining who is a BA and CEs’ and BAs’ responsibilities, see http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/.

Other Final Rule Changes

Fundraising: Additional types of PHI now may be used for fundraising, such as service department, treating physician, and general outcome. Opt-out notices must be clear and conspicuous on each fundraising piece. The opt-out cannot be unduly burdensome (e.g., provide a toll free number or email address; do not require a postal letter) and must be honored.

Marketing: CEs must obtain prior written authorization before communicating with patients about a third-party’s treatment-related products or services unless the CE receives no compensation for the communication or the communication is face-to-face. Authorization is not needed to send patients information about appointments, treatments, or the patient’s medications so long as any compensation the CE receives only covers the reasonable costs of making the communication. CEs may communicate with patients to encourage a healthy lifestyle, get routine tests, or participate in a disease management program, or about government benefit programs, without patient authorization. CEs may give patients promotional gifts of nominal value, health-related (e.g., eye drops) or not (e.g., pens or notepads with the third party’s logo).

Sale of PHI: Prohibition on sale of PHI without authorization includes agreements to license or lease access to PHI, receipt of in-kind benefits, not just money; and disclosures in conjunction with research if CE remuneration includes any profit margin. Authorizations for sale must state that disclosure of PHI will result in remuneration to the CE.

Public Health: CEs may release immunization records to schools without an authorization, with informal, documented guardian permission.

Decedents: CEs can make disclosures to decedents’ friends and families in the same circumstances and manner they could if the patient were alive. HIPAA protection for decedents’ medical information ends 50 years after death.

Research: CEs may combine conditioned and unconditioned authorizations for each research participant, provided individuals can opt-in to the unconditioned activity. Authorization may also encompass future research.

Encryption: CEs may send PHI through unencrypted email if an individual is advised of the risk and still chooses receipt via unencrypted email. (Document their consent.)