Recently in HIPAA Category

April 1, 2014

HHS to Conduct Pre-Audit HIPAA Surveys

On February 24, 2014, the Department of Health and Human Services' (HHS) Office for Civil Rights ("OCR") announced in the Federal Register that it plans to survey up to 1,200 organizations to identify candidates for audits under the Health Insurance Portability and Accountability Act (HIPAA) Audit Program. In accordance with the Health Information Technology for Economic and Clinical Health ("HITECH") Act, OCR is required to schedule periodic audits to ensure that covered entities and business associates are in compliance with HIPAA Privacy, Security, and Breach Notification Rules.

According to the notice, the survey will assess covered entities and business associates' "suitability" (e.g., size, complexity and fitness) for an audit by collecting information from these respondents such as "number of patient visits or insured lives, use of electronic information, revenue, and business locations." Although the total number of entities to be audited in 2014 is unclear, HHS expects that expanding the audit program to up to 1,200 organizations will provide a more accurate depiction of covered entities and business associates' compliance with HIPAA. HHS will be accepting comments regarding this pre-audit survey until April 25, 2014.

Since the inception of the HIPAA Privacy and Security Rules in 1996, Wachler & Associates has counseled providers and other covered entities of all sizes in HIPAA compliance. In order to attain compliance, providers should update security policies and procedures, business associate agreements, privacy policies and procedures, and HIPAA privacy notices. In addition, all employees should receive ongoing training in HIPAA compliance. If your entity does not already have these procedures in place, Wachler & Associates can help you implement these important compliance measures. If you have any questions or require assistance developing and implementing a HIPAA compliance plan for your organization, please contact an experienced healthcare attorney at 248-544-0888 or at wapc@wachler.com.

February 11, 2014

FTC Reaffirms its Broad Authority in Regulating Private Healthcare Providers' Inadequate Data Security Programs

On January 16, 2014, the Federal Trade Commission (FTC) unanimously reaffirmed its broad authority to regulate a healthcare provider's data security program when the FTC deems that program inadequate to protect consumers from identity theft or misuse of personal information. The FTC held that a provider's program is inadequate if it fails to provide reasonable and appropriate data security measures. A company's failure to provide reasonable and appropriate data security measures falls within the purview of Section 5(a) of the FTC Act's prohibition of "unfair ... acts or practices." Further, the FTC held that HIPAA, HITECH, and other statutes do not restrict the FTC's authority under Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), to challenge data security measures that it has reason to believe are unfair acts or practices.

The impetus for this ruling comes from an August 2013 complaint filed against LabMD, a clinical laboratory, alleging that LabMD failed to employ reasonable and appropriate measures to prevent unauthorized access to consumers' personal information, constituting an unfair act or practice in violation of Section 5(a) of the Act. LabMD moved to dismiss the FTC's complaint, arguing that the FTC had no authority to address private companies' data security programs under the Act, and that by enacting the Health Insurance Portability and Accountability Act ("HIPAA") and other statutes, Congress implicitly restricted the FTC's authority to enforce Section 5 of the Act in the field of data security. In denying LabMD's motion to dismiss, the FTC determined that nothing in the federal statutes reflected a "clear and manifest" intent of Congress to restrict the FTC's authority over unfair data security practices. Furthermore, the FTC held that "so long as the requirements of those statutes do not conflict with one another, a party cannot plausibly assert that, because it complies with one of these laws, it is free to violate the other."

As the FTC reasserts its broad authority under the Act, healthcare providers should reexamine their data security programs to ensure that they adequately protect consumers' personal information in the event of an investigation by the FTC.

Since the inception of the HIPAA Privacy and Security Rules in 1996, Wachler & Associates has counseled providers and other covered entities of all sizes in HIPAA compliance. In order to attain compliance, providers should update security policies and procedures, business associate agreements, privacy policies and procedures, and HIPAA privacy notices. If your entity does not already have these procedures in place, Wachler & Associates can help you implement these important compliance measures. In addition, all employees should receive ongoing training in HIPAA compliance. If you have any questions or require assistance implementing a compliance plan for your organization, please contact an experienced healthcare attorney at 248-544-0888 or at wapc@wachler.com.

September 23, 2013

Compliance with HIPAA HITECH Rule Effective Today

After months of delay, compliance with the Health Insurance Portability and Accountability Act (HIPAA) Health Information Technology for Economic and Clinical Health (HITECH) Omnibus Final Rule becomes mandatory today. The HIPAA Privacy and Security Rules are enforced by the Health and Human Services (HHS) Office for Civil Rights.

The Omnibus Final Rule was announced by HHS on January 17, 2013. According to the HHS press release, the Final Rule "expand[s] many of the requirements to business associates of [health care providers, health plans, and other entities that process insurance claims] that receive protected health information, such as contractors and subcontractors...Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation."

The Final Rule's safe harbor period, which ended today, gave covered entities and business associates 180 days to comply with stricter modifications that will be enforced by heavy fines. Time is of the essence for covered entities and business associates to take proper measures to comply with the new rules. It is imperative that entities review their relationships with covered entities: the Final Rule expanded the definition of a "business associate," and entities that previously were not business associates may be considered business associates under the Final Rule. If an entity is a business associate of a covered entity, then certain obligations come into play, including the requirement that the business associate and covered entity enter into a business associate agreement that meets the requirements set forth in the Final Rule.

Since the inception of the HIPAA Privacy and Security Rules in 1996, Wachler & Associates has counseled providers and other covered entities of all sizes in HIPAA compliance. In order to attain compliance, providers should update security policies and procedures, business associate agreements, privacy policies and procedures, and HIPAA privacy notices. If your entity does not already have these procedures in place, Wachler & Associates can help you implement these important compliance measures. If you have any questions or require assistance implementing HIPAA policies and procedures for your organization, please contact an experienced healthcare attorney at 248-544-0888.

May 28, 2013

Idaho State University Agrees to $400,000 Settlement For HIPAA Violation

On May 21, 2013, the Department of Health and Human Services (HHS) released its settlement agreement with Idaho State University (ISU) for Health Insurance Portability and Accountability Act (HIPAA) violations. The $400,000 settlement agreement involves ISU's self-reported breach of unsecured electronic protected health information (ePHI) of about 17,500 patients.

HHS received notification of ISU's breach on August 9, 2011, and shortly thereafter began an investigation into ISU's HIPAA compliance. Because firewall protections on ISU's servers had been disabled, the ePHI of about 17,500 patients was left unsecured for a minimum of 10 months. Furthermore, according to the investigation conducted by HHS, ISU's security measures were not adequate, and ISU had not adequately assessed the likelihood of potential risks to its ePHI.

Most importantly, the Office for Civil Rights (OCR), which enforces HIPAA and oversees health information privacy within HHS, determined that processes for routine review were not in place at ISU. As a result, ISU was not able to detect the disabled firewall as early as it could have had proper procedures been in place. Routine review is part of HIPAA's minimum necessary standard, with which every HIPAA covered entity must comply.

If you are a HIPAA covered entity or business associate and need assistance with complying with or understanding the HIPAA Privacy and Security Rules and its exceptions, please contact an experienced healthcare attorney at Wachler & Associates.

March 27, 2013

OCR Issues ICR on HIPAA Audit Program

The Office for Civil Rights (OCR) enforces the Health Insurance Portability and Accountability Act (HIPAA) and oversees health information privacy within the Department of Health and Human Services (HHS). On Tuesday, a notice was published in the Federal Register asking for input and comments on OCR's HIPAA Audit Review Survey. The online survey, the subject of this Information Collection Request (ICR), covers the 115 covered entities (health plans, clearinghouses, and providers) that OCR audited in 2012.

The survey looks to collect information on just how effective these audits are and solicits opinions on the audit process itself. As part of that review, the online survey will be used to:

• Measure the effect of the HIPAA Audit program on covered entities
• Gauge their attitudes towards the audit overall and with regard to major audit program features, such as the document request, communications received, the on-site visit, and the audit-report findings and recommendations
• Obtain estimates of costs incurred by covered entities, in time and money, spent responding to audit-related requests
• Seek feedback on the effect of the HIPAA Audit program on the day-to-day business operations
• Assess whether improvements in HIPAA compliance were achieved as a result of the Audit program

The information, opinions, and comments collected using the online survey will be used to produce recommendations for improving the HIPAA Audit program. In addition to seeking feedback on the planned survey, the Federal Register Notice asks for public comment on the estimated burden of the proposed survey. Read the published notice here for more details and for details on how to respond and comment. The comment period closes 60 days from the March 19, 2013 registration date.

Learn more about HIPAA audit process and compliance for covered entities on the HHS website. You can also learn more by visiting the OCR's HIPAA Audit Protocol program information section.

If you are a HIPAA covered entity or business associate and need assistance with complying with the HIPAA Privacy and Security Rules, please contact one of Wachler & Associates' experienced health law attorneys.

January 18, 2013

Department of Health and Human Services Issues Letter to Providers on Disclosures to Avert Threats to Health or Safety

The Department of Health and Human Services (HHS) has issued a letter to health care providers to ensure that they are aware of their ability under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to take action, consistent with their ethical standards or other legal obligations, to disclose necessary information about a patient to law enforcement, family members of the patient, or other persons, when they believe the patient presents a serious danger to himself or other people.

In the letter, HHS describes the HIPAA Privacy Rule as requiring a careful balance between protecting patients' privacy and ensuring the safety of the patient and others. In general, the Privacy Rule requires providers to protect the privacy of patients' health information. However, an exception applies when a health care provider believes in good faith that a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others. A provider is presumed to have a good faith belief if his or her belief is based on the provider's actual knowledge, such as through the provider's interactions with the patient, or when the provider is relying on a credible representation by a person with apparent knowledge or authority, such as a credible family member of the patient.

If a health care provider does believe in good faith that a warning is necessary to prevent a serious and imminent threat to the health or safety of the patient or others, then the Privacy Rule allows the provider to alert those persons whom the provider believes are reasonably able to prevent or lessen the threat. In alerting such persons, the provider may disclose patient information, including information from mental health records, if necessary. Furthermore, persons "reasonably able to prevent or lessen the threat" may include police officers, the patient's family members, or even campus security or administration.


September 28, 2012

HHS Office of Civil Rights Secures $1.5 million HIPAA Settlement

The U.S. Department of Health and Human Services (HHS) recently agreed to a $1.5 million settlement with the Massachusetts Eye and Ear Infirmary (MEEI) for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

The HIPAA Security Rule protects electronic health information by requiring HIPAA-covered entities to use various safeguards to ensure that electronic protected health information remains private and secure. The Privacy Rule, by contrast, grants individuals rights over protected health information, and sets rules for who may view that information.

MEEI submitted a HIPAA breach report, as required by HIPAA's Breach Notification Rule, following the theft of an unencrypted personal laptop. The laptop contained electronic protected health information (ePHI), including patient prescriptions and clinical information.

The HHS Office for Civil Rights (OCR), which enforces the HIPAA Privacy and Security Rules, determined that the provider failed to take necessary steps to comply with the Security Rule, including:

  • Conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices;
  • Implementing security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained and transmitted using portable devices;
  • Adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices; and
  • Adopting and implementing policies and procedures to address security incident identification, reporting, and response.

The OCR investigation found that these failures existed over an extended period of time, demonstrating organizational disregard for the requirements of the Security Rule. Accordingly, MEEI must also follow a corrective action plan to revise and maintain policies to ensure compliance. The corrective action plan includes an independent monitor to assess MEEI's compliance with the settlement and render reports to HHS for three years.

HIPAA Privacy and Security Rules, together with the HIPAA Breach Notification Rule, require health care providers and suppliers to proactively manage the security of their protected health information. MEEI's settlement highlights the importance of compliance programs to avoid, and promptly report, potential HIPAA violations.

If you have questions about HIPAA compliance, or need help creating and implementing a compliance plan, please contact an experienced healthcare attorney at Wachler & Associates, at 248-544-0888.

June 8, 2012

HHS Releases Memo to Consumers Highlighting HIPAA Rights to Access Health Records

On May 31, 2012, Department of Health and Human Services (HHS) Director of the Office of Civil Rights Leon Rodriguez issued a memo to consumers regarding their right to access their protected health information and medical records. In this memo, Rodriguez stressed that it is important for consumers and providers to remember that the Health Insurance Portability and Accountability Act (HIPAA) not only provides protection for personal health information, but also provides consumers with the right to view and obtain copies of their health records.

Many providers, when dealing with HIPAA compliance, tend to focus on safeguarding protected health information, but fail to recognize the importance of patient rights including the right to access. Under HIPAA, patients have the right to view their health records from most providers, pharmacies, and health plans. Patients also have the right to obtain copies of those records in the form they choose, be it electronic or on paper, if the provider is able to do so.

Providers can charge patients a reasonable amount for the copies of health records the patient receives, and any cost for mailing the records. This amount is statutorily regulated in most states. It is important to note that a provider cannot charge a fee for searching for and retrieving records, and providers cannot withhold access to records because a patient has not paid for services received.


June 5, 2012

State AG HIPAA Training Materials Available Online

The Office of Civil Rights (OCR) announced yesterday that its Health Insurance Portability and Accountability Act (HIPAA) Enforcement Training tools would be available to the general public today, June 5, 2012.

Since 2009, under the Health Information Technology for Economic and Clinical Health (HITECH) Act, State Attorneys General (SAGs) have had the authority to bring civil suits for HIPAA violations on behalf of aggrieved patients. To assist SAGs, OCR developed a wide range of HIPAA Privacy and Security Rules compliance, enforcement, and training tools.

Included in the materials are computer-based modules, and videos and slides from in-person training sessions covering the following topics:

  • General Introduction to the HIPAA Privacy and Security Rules
  • Analysis of the impact of the HITECH Act on the HIPAA Privacy and Security Rules
  • Investigative techniques for identifying and prosecuting potential violations
  • A review of HIPAA and State Law
  • OCR's role in enforcing the HIPAA Privacy and Security Rules
  • SAG roles and responsibilities under HIPAA and the HITECH Act
  • Resources for SAG in pursuing alleged HIPAA violations
  • HIPAA Enforcement Support and Results

These materials may be a helpful training tool for health care providers and privacy officers. The materials highlight to whom, what, where, when, and how HIPAA Rules will be enforced and provide basic summaries of the HIPAA Privacy and Security Rule requirements.


May 29, 2012

Knowledge of Illegality Not Required For Criminal Charges Under HIPAA

On May 10, 2012 the United States Court of Appeals for the Ninth District decided that criminal charges under the Health Insurance Portability and Accountability Act (HIPAA) do not require that an individual have knowledge that their actions are illegal. The case, United States of America v. Zhou, is the first such case to establish that the knowledge requirements of a criminal HIPAA violation apply only to the fact that the information accessed was protected health information, and not that obtaining the information was in violation of HIPAA.

Under the statute, HIPAA provides that a criminal penalty applies to a person who knowingly and in violation of the statute, uses, obtains, or discloses protected health information. Zhou argued that the statute requires knowledge that the information obtained was protected health information, as well as knowledge that obtaining it was illegal. The court rejected the argument and determined that the language of HIPAA is plain. The court found that the word "and" unambiguously indicates that there are two elements of a violation, and that knowingly applies only to obtaining the protected health information, and not to the fact that obtaining the protected health information was illegal.

The statute at issue in the decision is 42 U.S.C. § 1320d-6(a), which reads as follows:

(a) Offense
A person who knowingly and in violation of this part--
(1) uses or causes to be used a unique health identifier;
(2) obtains individually identifiable health information relating to an individual; or
(3) discloses individually identifiable health information to another person,
shall be punished as provided in subsection (b) of this section. For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1320d-9(b)(3) of this title) and the individual obtained or disclosed such information without authorization.

Penalties for violations of the statute can include fines of up to $250,000, imprisonment for up to 10 years, or both.


March 16, 2012

HHS Settles First Breach Notification Case

The first enforcement action from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule has resulted in an agreement by Blue Cross Blue Shield of Tennessee (BCBST) to pay the Department of Health and Human Services (HHS) $1.5 million.

BCBST reported that unencrypted hard drives had been stolen from a leased storage facility in Tennessee. The hard drives contained the personal health information of more than one million people, including social security numbers and dates of birth. An investigation found that BCBST had failed to ensure the facility had proper security measures in place as required by HIPAA rules. The settlement also requires BCBST to establish a corrective action plan to revise its security policies and conduct training.

The HITECH Breach Notification Rule requires HIPAA covered entities to promptly make notifications in the event of a breach that affects more than 500 individuals. The entity must notify each individual affected, the HHS Secretary, and the media. A breach of information affecting fewer than 500 individuals need only be reported to the HHS Secretary on an annual basis.

More information on the HITECH Breach Notification Rule can be found on the Department of Health and Human Services website.

The HIPAA Privacy and Security Rules are enforced by the Health and Human Services (HHS) Office for Civil Rights. The HIPAA Security Rule establishes requirements for how entities must secure and protect electronic health information and ensure that it remains secure and protected.

More information on the HHS Office for Civil Rights can be found on their website.


July 20, 2011

Patient Sues Tufts Medical Center for Violating Her Privacy Rights

According to a Boston Globe article, Tufts Medical Center and one of its primary care doctors are being sued by a patient whose privacy rights were allegedly violated when her medical history was sent to a fax machine at her workplace without her consent. The patient, Kimberly White, was recovering from a hysterectomy this past December. While recovering, she asked Dr. Kimberly Schelling to fax a form to White's employer that was required to receive disability payments. Instead, medical records were allegedly sent to a shared fax machine in the office, which resulted in White's medical records being viewed by at least two co-workers. White claimed that this disclosure has caused her extreme embarrassment and the inability to show her face at work again. Tufts has not yet filed a response to the complaint, but the hospital maintains that they were in full compliance with the patient's request to share the medical information.

The HIPAA Privacy Rule allows information to be disclosed pursuant to a patient's authorization or as otherwise permitted by the HIPAA Privacy Rule. The Office of Civil Rights (OCR) has issued guidance stating that the use of fax machines is permissible so long as reasonable safeguards are taken to protect the information from unauthorized or impermissible disclosure. If you have questions regarding patient privacy or need assistance with HIPAA compliance policies and procedures, please contact a Wachler & Associates attorney at 248-544-0888.

June 1, 2011

HHS Announces Proposed Changes to HIPAA Privacy Rule

The Department of Health and Human Services (HHS) has issued a notice of proposed rulemaking to modify the HIPAA Privacy Rule in accordance with the Health Information Technology for Economic and Clinical Health Act (HITECH) requirement that users of electronic health records (EHRs) provide a more extensive accounting of disclosures than previously required by the Privacy Rule. The proposed rule would give individuals the right to receive an access report showing them specifically who has accessed their electronic protected health information. While the Security Rule has arguably required such tracking pursuant to the audit trail requirements, it did not have to be shared with individuals. The proposed rule also requires more detail in accounting of certain disclosures, in an attempt to curtail existing efficiency problems.

Click here to view the complete HHS announcement. You can also click here to view the proposed rule. If you have any questions regarding compliance with the new HIPAA privacy standards or any other HIPAA issues, please contact a Wachler & Associates attorney at 248-544-0888.

May 23, 2011

Physicians Using EHRs Increased by 9%

The percentage of physicians in the United States using electronic health records (EHR) has increased by nine percentage points (from 20% to 29%) over the past twelve months. The push towards electronic records has been firmly supported by the current and previous presidential administrations. The Obama Administration aims to have at least 50 percent of Americans using EHRs by 2014 in an attempt to reduce health care costs and medical errors.

This month, the United States government will begin distributing incentive payments to hospitals and doctors who opt to use EHRs. These incentive plans could pay out as much as $31.3 billion. If health care providers meet government standards for the EHRs, they may be eligible to receive up to $44,000 over six years through Medicare and up to an additional $63,750 over five years from Medicaid. Additionally, the federal government plans to reduce Medicare reimbursements to health care providers who fail to make the electronic switch by 2015.

If you need help understanding the meaningful use requirements or HIPAA security, or need assistance with negotiating EHR contracts, please contact a Wachler & Associates attorney at 248-544-0888.

May 17, 2011

32 Employees Dismissed for Violating HIPAA

Two hospitals in Anoka County have fired 32 employees for accessing the medical records of patients without permission or a legitimate reason to do so. The employees accessed the medical records of certain patients who were hospitalized due to a massive drug overdose stemming from a party; the overdoses were considered a high-profile case. The HIPAA privacy regulations require hospitals to apply a "minimum necessary" rule, i.e., employees are only permitted to access information that they need to know in order to perform their job duties. The HIPAA Security Rule also requires hospitals and other covered entities to have the capability to audit employees' access. The HIPAA Privacy Rule further requires hospitals and other covered entities to have appropriate disciplinary policies in place for when violations of the rule are found. For questions regarding HIPAA compliance or for assistance with developing a HIPAA Privacy or Security compliance program, please contact a Wachler & Associates attorney at 248-544-0888.