Articles Posted in HIPAA

Published on:

On September 10, 2021, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced the resolution of its twentieth investigation under its HIPAA Right of Access Initiative. In early 2019, OCR stated that they would create an initiative to enforce patients’ right of access to their own health information in a timely and reasonable manner. This concept is not novel to OCR as it has already been outlined as a stated goal of HIPAA within the Privacy Rule. This aspect of HIPAA has been enforced at various times in the past, however it has never been enforced with any regularity until the OCR initiative was established. To date, OCR has remained dedicated to ensuring that every patient is afforded access to their health information that HIPAA has long stated such patients deserve.

In OCR’s latest settlement, a hospital and medical center located in Omaha, Nebraska agreed to take corrective actions and pay $80,000 to settle a potential violation of the HIPAA Privacy Rule. The alleged violation stems from a May 2020 complaint filed by a parent alleging that the hospital had failed to provide her with timely access to her minor daughter’s medical records. The hospital provided some records, but did not provide all of the requested records to the parent’s multiple follow-up requests. OCR alleged that the hospital failed to provide timely access to the requested medical records and thus potentially violated the HIPAA right of access standard. That standard generally requires a covered entity to take action on an access request within 30 days of receipt (or within 60 days if an extension is applicable). As a result of OCR’s investigation, the parent did in fact receive all of the requested records.

Healthcare providers often afford heightened focus to preventing unauthorized access or sharing of health information, which sometimes means that less focus is given to providing quick and affordable health records to patients. In light of OCR’s initiative and dedication to enforce patients’ right of access under the Privacy Rule, healthcare providers should take care to be knowledgeable about this aspect of their operations.

Published on:

On September 30, 2021, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued guidance to help consumers, businesses, and healthcare entities understand when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule applies to disclosures and requests for information about an individual’s COVID-19 vaccination status. As a preliminary note, the guidance reminds readers that the HIPAA Privacy Rule does not apply to employers or employment records. The Privacy Rule only applies to HIPAA covered entities, which include health plans, healthcare clearinghouses, and healthcare providers that conduct standard electronic transactions and, in some cases, to their business associates.

The guidance initially answers a highly popular and controversial question in light of the COVID-19 pandemic. According to the OCR guidance, the HIPAA Privacy Rule does not prohibit businesses or individuals from asking whether their customers or clients have received a COVID-19 vaccine. Because individuals or entities such as businesses are not covered entities, the Privacy Rule generally does not apply to them. The Privacy Rule does not regulate the ability of covered entities and business associates to request information from patients or visitors. Rather, the Privacy Rule regulates how and when covered entities and business associates are permitted to use and disclose protected health information (PHI), for example COVID-19 vaccination status, that covered entities and business associates create, receive, maintain, or transmit. In the opposite direction, the Privacy Rule does not prevent customers or clients of a business from disclosing whether they have been vaccinated. The Privacy Rule does not apply to individuals’ disclosures about their own PHI.

The guidance proceeds to inform readers that employers are not prohibited under the Privacy Rule from requiring employees to disclose whether they have received a COVID-19 vaccine to the employer, clients, or other parties. Generally, the Privacy Rule does not regulate what information can be requested from employees as part of the terms and conditions of employment that an employer may impose on its employees. However, other federal or state laws address terms and conditions of employment. Federal anti-discrimination laws generally do not prevent an employer from choosing to require that all employees physically entering the workplace be vaccinated against COVID-19 and provide documentation or other confirmation that they have met this requirement. Under the Americans with Disabilities Act (ADA), documentation or other confirmation of vaccination must be kept confidential and stored separately from the employee’s personnel files. Similarly, the Privacy Rule does not prohibit a covered entity or business associate from requiring its employees to disclose to their employers or other parties whether employees have received a COVID-19 vaccine. The Privacy Rule also generally does not apply to employment records, including employment records held by covered entities and business associates acting in their capacity as employers.

Published on:

On June 24, 2021, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) published comments that it received during the public comment period for the proposed modifications to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. OCR first announced the proposed rule-making in December 2020. While the proposal was not technically subject to the “regulatory freeze” by the Biden administration, it was effectively delayed because OCR extended the public comment period through May 2021.

The proposed changes to HIPAA are part of the larger transition to a value-based health care system in which providers are compensated based on patient health outcomes. The modifications propose to address standards that may impede the transition to a value-based health care system and other unnecessary burdens by increasing individuals’ rights to access their health information, enhancing information sharing for care coordination and case management, improving family and caregiver involvement for individuals experiencing health emergencies, reducing the administrative burden on HIPAA-covered providers, and facilitating the disclosure of certain health information during emergencies such as the opioid crisis and COVID-19 pandemic.

Some of the major changes to the Privacy Rule include:

Published on:

On February 12, 2021, the Office for Civil Rights (OCR) at the U.S Department of Health and Human Services (HHS) announced the details of its previously-announced discretion in the enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act related to privacy, security, and date breaches. OCR will not penalize covered health care providers or their business associates for non-compliance under HIPAA for the good faith use of online or web-based scheduling applications (WBSAs) for scheduling COVID-19 vaccination appointments during the COVID-19 pandemic.

During the COVID-19 public health emergency, HIPAA covered providers, such as large pharmacy chains, or business associates acting on behalf of the covered providers, may utilize WBSAs to schedule individual appointments for COVID-19 vaccinations. For the purposes of this exercise of discretion, a WBSA is an online or web-based application that only allows the intended parties to access the data and that provides individual appointment scheduling related to largescale COVID-19 vaccination. Technology that directly connects to electronic health records (EHR) systems used by covered providers is not included in this discretionary measure and does not constitute a WBSA. The HIPAA privacy rules allow business associates of a covered entity to use and disclose protected health information (PHI) for certain functions, only as dictated by a business associate contract or other agreement. However, during the COVID-19 pandemic, health care providers need to quickly schedule many appointments for COVID-19 vaccinations and often do this through WBSAs. Some of these online scheduling applications, and the way in which healthcare providers use them, may not comply with the HIPAA privacy rules.  Furthermore, vendors of the WBSAs may not know providers are using these applications to create and send PHI, potentially making the WBSA vendors business associates under HIPAA.

OCR will exercise discretion in the enforcement of HIPAA privacy rules and will not penalize covered healthcare providers, their business associates, or WBSA vendors who are technically business associates, for noncompliance as it relates to the scheduling of individual COVID-19 vaccination appointments during the COVID-19 pandemic. This enforcement discretion applies to covered healthcare providers and their business associates, which are, in good faith, using WBSAs to schedule COVID-19 vaccination appointments, as well as WBSA vendors whose platform is being used to schedule COVID-19 vaccination appointments. Discretion does not apply to covered providers or business associates for activities unrelated to the scheduling of COVID-19 vaccinations or if the covered providers or business associates fail to act in good faith. Instances where a covered provider or business associate are not acting in good faith include: the use of a WBSA that allows the sale of personal information collected, the use of a WBSA for purposes other than scheduling COVID-19 vaccination appointments, the use of a WBSA without reasonable safeguards to protect the PHI, and the use of a WBSA to screen individuals for COVID-19 before an in-person visit.

Published on:

On December 18, 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued new guidance on the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The guidance addresses important questions related to the definition of a health information exchange (HIE), when covered entities can disclose protected health information (PHI) to an HIE without the individual’s authorization, whether covered entities need a direct request from the public health authority (PHA) to disclose PHI, and whether a covered entity must provide notice to individuals regarding disclosures of PHI for public health purposes. In addition, the guidance provides examples for providers and entities relevant to HIPAA and the COVID-19 pandemic.

Questions addressed in the guidance include:

What is a health information exchange (HIE)?

Published on:

On December 10, 2020, the Office of Civil Rights (“OCR”) at the Department of Health and Human Services (“HHS”) announced a proposal to modify the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule. The overarching goal of the proposed rule is to get patients more engaged in their own healthcare, provide easier access to coordinated care, and reduce the burdensome regulations that have an impact on quality of care. HHS has recently rolled out a Regulatory Sprint to Coordinated Care, and the proposed modifications to the HIPAA rule support this measure.

The Regulatory Sprint facilitated a nationwide transformation to value-based care. The public had determined that there were far too many regulatory burdens to have sufficient coordinated care, which made it difficult for patients to have high quality value-based care. In response to this feedback, CMS proposed changes to the Anti-Kickback Statute, Civil Monetary Penalty rules, and the Physician Self-Referral Regulations. As such, the HIPAA rule was the next regulatory burden that needed to be addressed to further the Regulatory Sprint.

For a complete list of the proposed changes to the HIPAA rule, please see the HHS notice. Here are some highlights:

Published on:

On October 29, 2020, the Office of Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) announced that pursuant to credible information by HHS, the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA), hospitals and healthcare providers are at an imminent risk of a cybersecurity attack. As a response to this looming threat, law enforcement is advising healthcare entities to implement best practices to avoid a cyberattack.

Specifically, CISA, HHA, and the FBI are predicting ransomware attacks. Ransomware is a type of malicious software that denies users access to targeted data. Hackers encrypt the data and hold it hostage until a random is paid. If the ransom is not paid, the hackers will permanently destroy all the data. Unfortunately for healthcare providers, the Department of Treasury recently announced that any entity that pays a ransom to get their data returned will be in violation of the International Emergency Economic Powers Act and will thus be subject to paying steep civil monetary penalties, not to exceed $250,000.

This puts providers in a precarious position, so CISA, the FBI, and HHS have come out with various references and guides to help prevent healthcare providers’ systems from being susceptible to a ransomware attack in the first place. Some of these preventive measures include: regularly backing up data, keeping data backups offline from the network, regularly changing passwords and avoid using the same password for different accounts, using two-step verification where available, regularly updating operating systems as soon as updates are available, and always having antivirus and anti-malware programs regularly scanning and updating.

Published on:

Beginning on March 6, 2020, the Centers for Medicare and Medicaid Services (“CMS”) has temporarily expanded telehealth services for Medicare beneficiaries and cut back on HIPAA enforcement to help combat the COVID-19. This expansion will last until the end of the public health emergency as declared by the Secretary of HHS. Telehealth, the remote delivery of healthcare services, often by video conference between patient and provider, is a growing frontier in the age of digital healthcare. However, Medicare was slow to adopt the new technology.

Until recently, Medicare only covered telehealth services provided to beneficiaries in designated rural areas and only if they received the services at a hospital, clinic, or other medical facility. Virtual check-ins and e-visits were reimbursed at a much lower rate. Virtual check-ins encompass brief communications between physicians and patients, such as text messages or emails, where a patient can send images and discuss symptoms and treatment options with their physician. E-visits are conducted through a patient portal and are not face-to-face. This temporary expansion will now reimburse physicians who perform virtual check-ins and e-visits at the rate of an in-person visit.

The expansion was made in pursuant to an 1135 waiver. The Coronavirus Preparedness and Response Supplemental Appropriations Act, as signed into law on March 6, 2020 authorized the Department of Health and Human Services (“HHS”) to waive certain traditional Medicare telehealth requirements during this national emergency. Spurred by the calls for self-quarantine and social distancing, these waivers have led to an expansion of Medicare coverage for telehealth services.

Published on:

The Office for Civil Rights (“OCR”), a division of the Department of Health and Human Services (“HHS”), is responsible for investigating complaints and reports that covered entities (i.e., health plans, health care clearinghouses, or health care providers that conduct certain electronic transactions) or business associates have violated either the HIPAA Privacy or Security Rule. The HIPAA Privacy and Security Rules exist to safeguard Protected Health Information (“PHI”) that is held, used, or disclosed by covered entities and their business associates. Generally, any individually identifiable health information held by or that is within a covered entity’s or its business associates’ control is considered PHI, and any non-permitted release of PHI is considered a HIPAA violation.

Historically, the OCR has investigated and sanctioned larger covered entities and business associates in connection with HIPAA violations that affect the PHI of 500 or more individuals. OCR’s recent settlement agreement with Anthem, which corresponded to the much-publicized 2015 cyber-attack on Anthem’s information systems compromising the PHI of over 79 million individuals, is a good example of OCR’s normal enforcement activity (with the exception of the $16 million fine, the largest to date for a HIPAA violation). However, since 2015, the OCR has placed emphasis on investigating and at times fining smaller covered entities for breaches affecting less than 500 individuals (after a report issued by the HHS Office of Inspector General found that the OCR had typically not investigated the same). Two recent fines issued by the OCR illustrate this emphasis.

The first was issued against Allergy Associates of Hartford, P.C. (“Allergy Associates”), which is comprised of four physicians and two mid-level providers. The settlement agreement, announced on November 26, 2018, requires Allergy Associates to pay a $125,000 fine and enter into a two-year corrective action plan (“CAP”) with the OCR. The incident leading to the alleged violation involved a patient who tried to enter Allergy Associates for treatment while accompanied by her service dog. Upon seeing the dog, an Allergy Associate’s physician turned the patient away, advising the patient that he and many of his patients were allergic to dogs. The patient thereafter contacted a local media outlet about what happened, and also filed a complaint to the Department of Justice alleging that Allergy Associates violated her civil rights under the Americans with Disabilities Act. A physician from Allergy Associates later spoke with a reporter from the media outlet (off-the-record) regarding the incident and disclosed the patient’s PHI. Despite the fact that the reporter was already familiar with the incident, the physician’s statements to the reporter concerning the patient violated HIPAA, as he did not have her prior written authorization to disclose the information. Moreover, and despite an obligation under HIPAA to do so, Allergy Associates made no attempt to sanction the doctor internally.

Published on:

In 2015, Anthem, Inc. (“Anthem”) discovered that criminal hackers had breached its electronic database and gained access to over 79 million records, including the records of at least 12 million minors.  The protected health information obtained by the hackers included, among other information, names, addresses, dates of birth, medical IDs, and Social Security numbers. The hackers were able to gain access to the information by using a “spear phishing” email technique. At least one employee received a phishing email and responded to it, allowing the hackers to gain remote access to the employee’s computer and at least 90 other systems, including Anthem’s data warehouse.

Although the massive data breach was first discovered in January 2015, the breach actually began on February 18, 2014 – meaning the breach went undetected for almost a whole year.   “Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who gained access to their system to harvest passwords and steal people’s private information,” said Office of Civil Rights (“OCR”) Director Roger Severino.

Anthem has agreed to pay $16 million to the Department of Health and Human Services’ (“HHS”) OCR and take corrective action to prevent potential violations of HIPAA rules in the future.  While other breaches like this have occurred in the past, this was the largest health data breach in U.S. history, and the $16 million settlement is now the largest HIPAA settlement in history.

Contact Information