Articles Posted in HIPAA

Published on:

On April 20, 2017, the Department of Health and Human Services, Office for Civil Rights (HHS OCR) announced that it had reached a settlement with the Center for Children’s Digestive Health (the Center) regarding the Center’s (alleged) violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Center is a small health system specializing in pediatric care with seven clinics, all located in Illinois.

The settlement was for $31,000, and included the Center agreeing to a Corrective Action Plan (CAP). The Center’s HIPAA violation stemmed from an arrangement between the Center and one of its business associates, FileFax, Inc. The two companies began their relationship in 2003, with FileFax storing records containing protected health information (PHI) for the Center. However, through a HHS compliance review in 2015, it was discovered that there was no signed Business Associate Agreement between the parties prior to October 2015.

A Business Associate Agreement is required whenever a HIPAA-covered entity forms a relationship with a business entity, pursuant to which PHI will be transmitted. The terms of the Business Associate Agreement must include information on how the PHI will be used by the business associate, how the PHI will be safeguarded and protected, and other such details.

Published on:

In January, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) published a final rule, which modifies HIPAA privacy rules to allow for easier sharing between certain HIPAA covered entities and the National Instant Criminal Background Check System (NICS). Specifically, the final rule allows certain HIPAA covered entities to share with NICS the identities of individuals prohibited under federal law from legally owning a firearm.

The Gun Control Act of 1968 prohibits categories of individuals from engaging in the shipment, transport, receipt or possession of firearms. The Department of Justice (DOJ) issued regulations applying the prohibition to those that have been involuntarily committed to a mental institution, those found to be incompetent to stand trial or found not guilty by reason of insanity are prohibited from owning a firearm, or otherwise determined by a court, board, commission, or other lawful authority to be a danger to themselves or others or unable to manage their own affairs as a result of marked subnormal intelligence, or mental illness, incompetency, condition, or disease. This prohibition is referred to as the “mental health prohibitor.” The January final rule provides that only covered entities which already have lawful authority to render adjudication decisions which subject individuals to the mental health prohibitor may disclose those individuals’ identities to the NICS. The final rule does not allow for clinical or medical information to be disclosed; only demographic information about individuals subject to the prohibitor may be disclosed.

In the text and analysis of the Final Rule, the OCR explains the very limited and narrow exception to HIPAA privacy rules as a balance between patient privacy and public safety goals. The Final Rule cited the American Medical Association’s (AMA’s) support for the Final Rule stating that the AMA “…Code of Ethics supports strong protections for patient privacy and, in most cases, requires physicians to keep patient medical records strictly confidential. If there must be a breach in confidentiality, such as for public health or safety reasons, the disclosures must be as narrow in scope as possible.” In addition, OCR cited uniformity as a justification for the Final Rule. OCR explained that some states have not established reporting rules for this type of disclosure to the NICS. Thus, this rule will allow for more uniform reporting standards throughout all fifty states.

Published on:

On February 11, 2016, the Department of Health and Human Services, Office for Civil Rights (“OCR”), released important guidance on its Developer Portal to address the application of the Health Insurance Portability and Accountability Act (“HIPAA”) regulations to developers of mobile health apps. Whether a mobile app developer is directly employed by a covered entity (i.e., health plans, health care clearing houses, and most health care providers) or a business associate of a covered entity (or one of the covered entity’s contractors), reasonable safeguards must be applied when the developer creates, receives, maintains or transmits protected health information (“PHI”) on behalf of a covered entity or other business associate.

The OCR guidance provides “Key Questions” for app developers in determining whether or not they may be a business associate of a covered entity. In addition, the OCR guidance provides several factual scenarios to further assist app developers in determining whether they are considered a business associate. Below are two of the scenarios included in the OCR guidance, one in which the developer would not be considered a business associate and one where the developer would be considered a business associate.

Scenario: Consumer downloads a health app to her smartphone. She populates it with her own information. For example, the consumer inputs blood glucose levels and blood pressure readings she obtained herself using home health equipment.

Published on:

On September 9, Linda Sanches, the Senior Advisor for the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) warned that Health Insurance Portability and Accountability Act (HIPAA) audits are forthcoming. Speaking at the HIMSS Privacy and Security Forum in Boston, Sanches cautioned attendees that the best defense to an audit is conducting periodic and comprehensive risk analyses focused on administrative and technical protections, as well as human error vulnerabilities. “The onus is on you to prove that you had the proper systems in place,” Sanches warned, advising providers to proactively perform risk analyses in advance of a HIPAA audit.

To attendees’ disappointment, Sanches did not unveil a start date for the HIPAA audits. Instead, Sanches explained that the OCR has postponed initiating HIPAA auditing to implement new technology with increased auditing capacities. Originally, the OCR intended to conduct a total of 400 desk audits. However, Sanches confirmed that now the OCR will likely perform fewer than 200 targeted desk audits and an unconfirmed number of on-site audits. A variety of providers across practice area, size, and geographic location should expect to be audited. Audited entities will be responsible for compliance with both the HIPAA Privacy Rule and the HIPAA Security Rule. In addition, providers should have available an updated list of business associates with contact information and services provided. Sanches warned that the OCR will use a provider’s business associate list to select business associates for HIPAA auditing.

Providers with patterns in reported breaches are more likely to face HIPAA auditing. Sanches emphasized that providers who fail to demonstrate compliance with the HIPAA privacy rule and HIPAA security rule may face hefty settlement fines based on the amount of harm and provisions violated. When discussing fines, Sanches stated, “It’s basic math. How many people were affected?”

Published on:

In September 2014, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) released guidance to assist covered entities in understanding their obligations under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in light of the Supreme Court’s 2013 decision in United States v. Windsor. In Windsor, the Supreme Court struck down Section 3 of the Defense of Marriage Act (DOMA), which restricted interpretations of “spouse” and “marriage” in federal law to opposite-sex marriages, as a violation of the Due Process Clause of the Fifth Amendment. As a result, OCR opined that covered entities and applicable business associates must take into account lawfully married same-sex couples when applying federal law.

OCR noted that the Privacy Rule’s definition of “family members” includes the terms “spouse” and “marriage.” Under the Privacy Rule, a spouse is defined as any individual who is in a legally valid marriage sanctioned by a state, territory, or foreign jurisdiction (assuming that the marriage performed in a foreign jurisdiction would be recognized by a U.S. jurisdiction). OCR clarified that “marriage” includes same-sex marriages, a family member includes dependents of that marriage, and that these terms apply to individuals who are legally married, “whether or not they live or receive services in a jurisdiction that recognizes their marriage.”

OCR also provided two examples how this clarified definition of a family member would be applied to specific provisions in the Privacy Rule. Specifically, §164.510(b) Standard: uses and disclosures for involvement in the individual’s care and notification purposes allows protected health information to be shared with a patient’s spouse and family members. OCR opined that in light of Windsor, covered entities must consider legally married same-sex spouses, regardless of where they live, to be family members.

Published on:

Recently, the Department of Health and Human Services Office for Civil Rights (OCR), released its annual report on breaches of protected health information (PHI). Under the Breach Notification Rule, covered entities are required to issue notifications following breaches of unsecured PHI. Examples of covered entities include health care providers and health plans, such as HMOs. Covered entities must notify affected individuals of a breach without unreasonable delay and no later than 60 calendar days following discovery of the breach. Notification to the individuals affected by the breach must include:

  • Covered entity’s contact information for individuals to ask questions and learn additional information;
  • A brief description of the breach, including the date of the breach and discovery of the breach, if known;
  • A description of the types of unsecured PHI involved in the breach;
  • Any steps individuals should take to protect themselves from potential harm resulting from the breach; and
  • A brief description of what the covered entity is doing to investigate the breach, mitigate harm to individuals, and to protect against future breaches.

In addition, for breaches implicating fewer than 500 individuals, covered entities must submit a report to OCR no later than 60 days after the end of the calendar year in which the breach was discovered. Breaches involving 500 or more individuals require the covered entity to provide notice to OCR at the same time the affected individuals are notified. Covered entities must notify OCR by filling out and electronically submitting a form available on OCR’s website.

In its annual report to Congress on breaches of unsecured PHI, OCR reported 236 breaches of PHI which affected over 500 people in 2011 and 222 in 2012. The 236 breaches in 2011 affected in total 11,415,185 individuals, while 3,273,735 were affected in 2012. Per department policy, OCR conducted investigations of each breach that affected over 500 individuals.

Following their investigations, OCR found that the primary reason for breaches affecting over 500 people in 2011 and 2012 was theft of portable electronics or paper containing PHI. The second leading cause of breaches was unauthorized access of records containing PHI. For example, in 2011 the largest breach occurred because of a loss of backup tapes, affecting 4.9 million people. Similarly, in 2012, 116,506 individuals were affected when an unencrypted laptop containing PHI was stolen.

Published on:

On Wednesday, New York Presbyterian Hospital and Columbia University agreed to settle claims with the Department of Health and Human Services (HHS) Office for Civil Rights for a collective $4.8 million stemming from a data breach in 2010. This matter, along with other similar cases, should serve as an important warning to healthcare providers and other HIPAA covered entities that personal health information (PHI) of patients must be protected, especially in the electronic age. If a data network is breached and PHI is made available, HHS will use its enforcement powers to assess punitive penalties and institute corrective actions in order to achieve compliance.

Under the terms of the settlement, New York Presbyterian will pay $3.3 million while Columbia University will pay $1.5 million. Both entities must also institute corrective action plans. The settlement represents the highest combined total financial penalty issued to an entity covered by HIPPA. As part of the settlement, the entities must undergo a risk analysis, develop a risk management plan, revise policies and procedures, train staff and provide progress reports.

The investigation and subsequent settlement were brought on by a data breach incident in 2010 where the shared data system for New York Presbyterian and Columbia University was breached and the records of 6,800 patients were made available on the internet. The data breach occurred when a physician attempted to deactivate a personally owned computer server on the network. The Office for Civil Rights alleged that that due to a lack of technical safeguards, deactivation of the server resulted in PHI being accessible via internet search engines.

Published on:

On February 24, 2014, the Department of Health and Human Services’ (HHS) Office for Civil Rights (“OCR”) announced in the Federal Register that it plans to survey up to 1,200 organizations to identify candidates for audits under the Health Insurance Portability and Accountability Act (HIPAA) Audit Program. In accordance with the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, OCR is required to schedule periodic audits to ensure that covered entities and business associates are in compliance with HIPAA Privacy, Security, and Breach Notification Rules.

According to the notice, the survey will assess covered entities and business associates’ “suitability” (e.g., size, complexity and fitness) for an audit by collecting information from these respondents such as “number of patient visits or insured lives, use of electronic information, revenue, and business locations.” Although the total number of entities to be audited in 2014 is unclear, HHS expects that expanding the audit program to up to 1,200 organizations will provide a more accurate depiction of covered entities and business associates’ compliance with HIPAA. HHS will be accepting comments regarding this pre-audit survey until April 25, 2014.

Since the inception of the HIPAA Privacy and Security Rules in 1996, Wachler & Associates has counseled providers and other covered entities of all sizes in HIPAA compliance. In order to attain compliance, providers should update security policies and procedures, business associate agreements, privacy policies and procedures, and HIPAA privacy notices. In addition, all employees should receive ongoing training in HIPAA compliance. If your entity does not already have these procedures in place, Wachler & Associates can help you implement these important compliance measures. If you have any questions or require assistance developing and implementing a HIPAA compliance plan for your organization, please contact an experienced healthcare attorney at 248-544-0888 or at

Published on:

On January 16, 2014 the Federal Trade Commission (FTC) unanimously reaffirmed its broad authority to regulate a healthcare provider’s data security program deemed inadequate by the FTC in protecting consumers from identity theft or misuse of personal information. The FTC held that a provider’s program is inadequate if it fails to provide reasonable and appropriate data security measures. A company’s failure to provide reasonable and appropriate data security measures falls within the purview of Section 5(a) of the FTC Act’s prohibition of “unfair … acts or practices.” Further, the FTC held that HIPAA, HITECH, and other statutes do not restrict the FTC’s authority under Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), to challenge data security measures that it has reason to believe are unfair acts or practices.

The impetus for this ruling comes from an August 2013 complaint filed against LabMD, a clinical laboratory, alleging that LabMD failed to employ reasonable and appropriate measures to prevent unauthorized access to consumers’ personal information, constituting an unfair act or practice in violation of Section 5(a) of the Act. LabMD moved to dismiss the FTC’s complaint, arguing that the FTC had no authority to address private companies’ data security programs under the Act, and that by enacting Health Insurance Portability and Accountability Act (“HIPPA”) and other statutes, Congress implicitly restricted the FTC’s authority to enforce the Section 5 of the Act in the field of data security. In denying LabMD’s motion to dismiss, the FTC determined that nothing in the federal statutes reflected a ‘clear and manifest’ intent of Congress to restrict the FTC’s authority over unfair data and security practices. Furthermore, the FTC held that “so long as the requirements of those statues do not conflict with one another, a party cannot plausibly assert that, because it complies with one of these laws, it is free to violate the other.”

As the FTC reasserts its broad authority under the Act, healthcare providers should reexamine their data security programs to ensure that they adequately protect consumers’ personal information in the event of an investigation by the FTC.

Published on:

After months of delay, compliance with the Health Insurance Portability and Accountability Act (HIPAA) Health Information Technology for Economic and Clinical Health (HITECH) Omnibus Final Rule goes into effect today. HIPAA Privacy and Security Rules are implemented by the Health and Human Services (HHS) Office for Civil Rights.

The Omnibus Final Rule was announced by HHS on January 17, 2013. According to the HHS press release, the Final Rule “expand[s] many of the requirements to business associates of [health care providers, health plans, and other entities that process insurance claims] that receive protected health information, such as contractors and subcontractors…Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation.”

The Final Rule’s safe harbor period, which ended today, gave covered entities and business associates 180 days to comply with stricter modifications which will be enforced by heavy fines. Time is of the essence for covered entities and business associates to take proper measures to comply with the new rules. It is imperative that entities review their relationships with covered entities, as the Final Rule expanded the definition of a “business associate” and entities that previously were not business associates, may be considered business associates with the implementation of the Final Rule. If an entity is a business associate with a covered entity, then certain obligations come into play, including the requirement that the business associate and covered entity enter into a business associate agreement that meets the requirements set forth in the Final Rule.

Contact Information