HIPAA

Published on: December 14, 2020

HHS Proposes HIPAA Modifications to Better Serve Patients

On December 10, 2020, the Office of Civil Rights (“OCR”) at the Department of Health and Human Services (“HHS”) announced a proposal to modify the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule. The overarching goal of the proposed rule is to get patients more engaged in their own healthcare, provide easier access to coordinated care, and reduce the burdensome regulations that have an impact on quality of care. HHS has recently rolled out a Regulatory Sprint to Coordinated Care, and the proposed modifications to the HIPAA rule support this measure.

The Regulatory Sprint facilitated a nationwide transformation to value-based care. The public had determined that there were far too many regulatory burdens to have sufficient coordinated care, which made it difficult for patients to have high quality value-based care. In response to this feedback, CMS proposed changes to the Anti-Kickback Statute, Civil Monetary Penalty rules, and the Physician Self-Referral Regulations. As such, the HIPAA rule was the next regulatory burden that needed to be addressed to further the Regulatory Sprint.

For a complete list of the proposed changes to the HIPAA rule, please see the HHS notice. Here are some highlights:

Published on: November 2, 2020

Ransomware Attacks Imminent in Healthcare Entities

by Wachler & Associates, P.C.

On October 29, 2020, the Office of Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) announced that pursuant to credible information by HHS, the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA), hospitals and healthcare providers are at an imminent risk of a cybersecurity attack. As a response to this looming threat, law enforcement is advising healthcare entities to implement best practices to avoid a cyberattack.

Specifically, CISA, HHA, and the FBI are predicting ransomware attacks. Ransomware is a type of malicious software that denies users access to targeted data. Hackers encrypt the data and hold it hostage until a random is paid. If the ransom is not paid, the hackers will permanently destroy all the data. Unfortunately for healthcare providers, the Department of Treasury recently announced that any entity that pays a ransom to get their data returned will be in violation of the International Emergency Economic Powers Act and will thus be subject to paying steep civil monetary penalties, not to exceed $250,000.

This puts providers in a precarious position, so CISA, the FBI, and HHS have come out with various references and guides to help prevent healthcare providers’ systems from being susceptible to a ransomware attack in the first place. Some of these preventive measures include: regularly backing up data, keeping data backups offline from the network, regularly changing passwords and avoid using the same password for different accounts, using two-step verification where available, regularly updating operating systems as soon as updates are available, and always having antivirus and anti-malware programs regularly scanning and updating.

Published on: March 19, 2020

CMS Expanding Telehealth to Combat COVID-19

by Wachler & Associates, P.C.

Beginning on March 6, 2020, the Centers for Medicare and Medicaid Services (“CMS”) has temporarily expanded telehealth services for Medicare beneficiaries and cut back on HIPAA enforcement to help combat the COVID-19. This expansion will last until the end of the public health emergency as declared by the Secretary of HHS. Telehealth, the remote delivery of healthcare services, often by video conference between patient and provider, is a growing frontier in the age of digital healthcare. However, Medicare was slow to adopt the new technology.

Until recently, Medicare only covered telehealth services provided to beneficiaries in designated rural areas and only if they received the services at a hospital, clinic, or other medical facility. Virtual check-ins and e-visits were reimbursed at a much lower rate. Virtual check-ins encompass brief communications between physicians and patients, such as text messages or emails, where a patient can send images and discuss symptoms and treatment options with their physician. E-visits are conducted through a patient portal and are not face-to-face. This temporary expansion will now reimburse physicians who perform virtual check-ins and e-visits at the rate of an in-person visit.

The expansion was made in pursuant to an 1135 waiver. The Coronavirus Preparedness and Response Supplemental Appropriations Act, as signed into law on March 6, 2020 authorized the Department of Health and Human Services (“HHS”) to waive certain traditional Medicare telehealth requirements during this national emergency. Spurred by the calls for self-quarantine and social distancing, these waivers have led to an expansion of Medicare coverage for telehealth services.

Published on: December 17, 2018

OCR Imposing Fines on Smaller Providers for HIPAA Violations

by Wachler & Associates, P.C.

The Office for Civil Rights (“OCR”), a division of the Department of Health and Human Services (“HHS”), is responsible for investigating complaints and reports that covered entities (i.e., health plans, health care clearinghouses, or health care providers that conduct certain electronic transactions) or business associates have violated either the HIPAA Privacy or Security Rule. The HIPAA Privacy and Security Rules exist to safeguard Protected Health Information (“PHI”) that is held, used, or disclosed by covered entities and their business associates. Generally, any individually identifiable health information held by or that is within a covered entity’s or its business associates’ control is considered PHI, and any non-permitted release of PHI is considered a HIPAA violation.

Historically, the OCR has investigated and sanctioned larger covered entities and business associates in connection with HIPAA violations that affect the PHI of 500 or more individuals. OCR’s recent settlement agreement with Anthem, which corresponded to the much-publicized 2015 cyber-attack on Anthem’s information systems compromising the PHI of over 79 million individuals, is a good example of OCR’s normal enforcement activity (with the exception of the $16 million fine, the largest to date for a HIPAA violation). However, since 2015, the OCR has placed emphasis on investigating and at times fining smaller covered entities for breaches affecting less than 500 individuals (after a report issued by the HHS Office of Inspector General found that the OCR had typically not investigated the same). Two recent fines issued by the OCR illustrate this emphasis.

The first was issued against Allergy Associates of Hartford, P.C. (“Allergy Associates”), which is comprised of four physicians and two mid-level providers. The settlement agreement, announced on November 26, 2018, requires Allergy Associates to pay a $125,000 fine and enter into a two-year corrective action plan (“CAP”) with the OCR. The incident leading to the alleged violation involved a patient who tried to enter Allergy Associates for treatment while accompanied by her service dog. Upon seeing the dog, an Allergy Associate’s physician turned the patient away, advising the patient that he and many of his patients were allergic to dogs. The patient thereafter contacted a local media outlet about what happened, and also filed a complaint to the Department of Justice alleging that Allergy Associates violated her civil rights under the Americans with Disabilities Act. A physician from Allergy Associates later spoke with a reporter from the media outlet (off-the-record) regarding the incident and disclosed the patient’s PHI. Despite the fact that the reporter was already familiar with the incident, the physician’s statements to the reporter concerning the patient violated HIPAA, as he did not have her prior written authorization to disclose the information. Moreover, and despite an obligation under HIPAA to do so, Allergy Associates made no attempt to sanction the doctor internally.

Published on: October 25, 2018

Anthem Settles Data Breach Suit at Record $16 Million

by Wachler & Associates, P.C.

In 2015, Anthem, Inc. (“Anthem”) discovered that criminal hackers had breached its electronic database and gained access to over 79 million records, including the records of at least 12 million minors. The protected health information obtained by the hackers included, among other information, names, addresses, dates of birth, medical IDs, and Social Security numbers. The hackers were able to gain access to the information by using a “spear phishing” email technique. At least one employee received a phishing email and responded to it, allowing the hackers to gain remote access to the employee’s computer and at least 90 other systems, including Anthem’s data warehouse.

Although the massive data breach was first discovered in January 2015, the breach actually began on February 18, 2014 – meaning the breach went undetected for almost a whole year. “Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who gained access to their system to harvest passwords and steal people’s private information,” said Office of Civil Rights (“OCR”) Director Roger Severino.

Anthem has agreed to pay $16 million to the Department of Health and Human Services’ (“HHS”) OCR and take corrective action to prevent potential violations of HIPAA rules in the future. While other breaches like this have occurred in the past, this was the largest health data breach in U.S. history, and the $16 million settlement is now the largest HIPAA settlement in history.

Published on: April 27, 2017

Lack of Business Associate Agreement Leads to $31k HIPAA Penalty

by Wachler & Associates, P.C.

On April 20, 2017, the Department of Health and Human Services, Office for Civil Rights (HHS OCR) announced that it had reached a settlement with the Center for Children’s Digestive Health (the Center) regarding the Center’s (alleged) violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Center is a small health system specializing in pediatric care with seven clinics, all located in Illinois.

The settlement was for $31,000, and included the Center agreeing to a Corrective Action Plan (CAP). The Center’s HIPAA violation stemmed from an arrangement between the Center and one of its business associates, FileFax, Inc. The two companies began their relationship in 2003, with FileFax storing records containing protected health information (PHI) for the Center. However, through a HHS compliance review in 2015, it was discovered that there was no signed Business Associate Agreement between the parties prior to October 2015.

A Business Associate Agreement is required whenever a HIPAA-covered entity forms a relationship with a business entity, pursuant to which PHI will be transmitted. The terms of the Business Associate Agreement must include information on how the PHI will be used by the business associate, how the PHI will be safeguarded and protected, and other such details.

Published on: March 1, 2016

HHS Modifies HIPAA to Allow for Easier Firearm Background Checks

by Wachler & Associates, P.C.

In January, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) published a final rule, which modifies HIPAA privacy rules to allow for easier sharing between certain HIPAA covered entities and the National Instant Criminal Background Check System (NICS). Specifically, the final rule allows certain HIPAA covered entities to share with NICS the identities of individuals prohibited under federal law from legally owning a firearm.

The Gun Control Act of 1968 prohibits categories of individuals from engaging in the shipment, transport, receipt or possession of firearms. The Department of Justice (DOJ) issued regulations applying the prohibition to those that have been involuntarily committed to a mental institution, those found to be incompetent to stand trial or found not guilty by reason of insanity are prohibited from owning a firearm, or otherwise determined by a court, board, commission, or other lawful authority to be a danger to themselves or others or unable to manage their own affairs as a result of marked subnormal intelligence, or mental illness, incompetency, condition, or disease. This prohibition is referred to as the “mental health prohibitor.” The January final rule provides that only covered entities which already have lawful authority to render adjudication decisions which subject individuals to the mental health prohibitor may disclose those individuals’ identities to the NICS. The final rule does not allow for clinical or medical information to be disclosed; only demographic information about individuals subject to the prohibitor may be disclosed.

In the text and analysis of the Final Rule, the OCR explains the very limited and narrow exception to HIPAA privacy rules as a balance between patient privacy and public safety goals. The Final Rule cited the American Medical Association’s (AMA’s) support for the Final Rule stating that the AMA “…Code of Ethics supports strong protections for patient privacy and, in most cases, requires physicians to keep patient medical records strictly confidential. If there must be a breach in confidentiality, such as for public health or safety reasons, the disclosures must be as narrow in scope as possible.” In addition, OCR cited uniformity as a justification for the Final Rule. OCR explained that some states have not established reporting rules for this type of disclosure to the NICS. Thus, this rule will allow for more uniform reporting standards throughout all fifty states.

Published on: February 16, 2016

OCR Releases New HIPAA Guidance for Health App Developers

by Wachler & Associates, P.C.

On February 11, 2016, the Department of Health and Human Services, Office for Civil Rights (“OCR”), released important guidance on its Developer Portal to address the application of the Health Insurance Portability and Accountability Act (“HIPAA”) regulations to developers of mobile health apps. Whether a mobile app developer is directly employed by a covered entity (i.e., health plans, health care clearing houses, and most health care providers) or a business associate of a covered entity (or one of the covered entity’s contractors), reasonable safeguards must be applied when the developer creates, receives, maintains or transmits protected health information (“PHI”) on behalf of a covered entity or other business associate.

The OCR guidance provides “Key Questions” for app developers in determining whether or not they may be a business associate of a covered entity. In addition, the OCR guidance provides several factual scenarios to further assist app developers in determining whether they are considered a business associate. Below are two of the scenarios included in the OCR guidance, one in which the developer would not be considered a business associate and one where the developer would be considered a business associate.

Scenario: Consumer downloads a health app to her smartphone. She populates it with her own information. For example, the consumer inputs blood glucose levels and blood pressure readings she obtained herself using home health equipment.

Published on: October 6, 2014

Office for Civil Rights Advisor Warns Providers on HIPAA Audits: “Get Your House In Order”

by Wachler & Associates, P.C.

On September 9, Linda Sanches, the Senior Advisor for the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) warned that Health Insurance Portability and Accountability Act (HIPAA) audits are forthcoming. Speaking at the HIMSS Privacy and Security Forum in Boston, Sanches cautioned attendees that the best defense to an audit is conducting periodic and comprehensive risk analyses focused on administrative and technical protections, as well as human error vulnerabilities. “The onus is on you to prove that you had the proper systems in place,” Sanches warned, advising providers to proactively perform risk analyses in advance of a HIPAA audit.

To attendees’ disappointment, Sanches did not unveil a start date for the HIPAA audits. Instead, Sanches explained that the OCR has postponed initiating HIPAA auditing to implement new technology with increased auditing capacities. Originally, the OCR intended to conduct a total of 400 desk audits. However, Sanches confirmed that now the OCR will likely perform fewer than 200 targeted desk audits and an unconfirmed number of on-site audits. A variety of providers across practice area, size, and geographic location should expect to be audited. Audited entities will be responsible for compliance with both the HIPAA Privacy Rule and the HIPAA Security Rule. In addition, providers should have available an updated list of business associates with contact information and services provided. Sanches warned that the OCR will use a provider’s business associate list to select business associates for HIPAA auditing.

Providers with patterns in reported breaches are more likely to face HIPAA auditing. Sanches emphasized that providers who fail to demonstrate compliance with the HIPAA privacy rule and HIPAA security rule may face hefty settlement fines based on the amount of harm and provisions violated. When discussing fines, Sanches stated, “It’s basic math. How many people were affected?”

Published on: October 1, 2014

OCR Offers Guidance on HIPAA Privacy Rule and Same-sex Marriage

by Wachler & Associates, P.C.

In September 2014, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) released guidance to assist covered entities in understanding their obligations under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in light of the Supreme Court’s 2013 decision in United States v. Windsor. In Windsor, the Supreme Court struck down Section 3 of the Defense of Marriage Act (DOMA), which restricted interpretations of “spouse” and “marriage” in federal law to opposite-sex marriages, as a violation of the Due Process Clause of the Fifth Amendment. As a result, OCR opined that covered entities and applicable business associates must take into account lawfully married same-sex couples when applying federal law.

OCR noted that the Privacy Rule’s definition of “family members” includes the terms “spouse” and “marriage.” Under the Privacy Rule, a spouse is defined as any individual who is in a legally valid marriage sanctioned by a state, territory, or foreign jurisdiction (assuming that the marriage performed in a foreign jurisdiction would be recognized by a U.S. jurisdiction). OCR clarified that “marriage” includes same-sex marriages, a family member includes dependents of that marriage, and that these terms apply to individuals who are legally married, “whether or not they live or receive services in a jurisdiction that recognizes their marriage.”

OCR also provided two examples how this clarified definition of a family member would be applied to specific provisions in the Privacy Rule. Specifically, §164.510(b) Standard: uses and disclosures for involvement in the individual’s care and notification purposes allows protected health information to be shared with a patient’s spouse and family members. OCR opined that in light of Windsor, covered entities must consider legally married same-sex spouses, regardless of where they live, to be family members.