Articles Posted in HIPAA

Published on:

by

Recently, the Department of Health and Human Services Office for Civil Rights (OCR), released its annual report on breaches of protected health information (PHI). Under the Breach Notification Rule, covered entities are required to issue notifications following breaches of unsecured PHI. Examples of covered entities include health care providers and health plans, such as HMOs. Covered entities must notify affected individuals of a breach without unreasonable delay and no later than 60 calendar days following discovery of the breach. Notification to the individuals affected by the breach must include:

  • Covered entity’s contact information for individuals to ask questions and learn additional information;
  • A brief description of the breach, including the date of the breach and discovery of the breach, if known;
  • A description of the types of unsecured PHI involved in the breach;
  • Any steps individuals should take to protect themselves from potential harm resulting from the breach; and
  • A brief description of what the covered entity is doing to investigate the breach, mitigate harm to individuals, and to protect against future breaches.

In addition, for breaches implicating fewer than 500 individuals, covered entities must submit a report to OCR no later than 60 days after the end of the calendar year in which the breach was discovered. Breaches involving 500 or more individuals require the covered entity to provide notice to OCR at the same time the affected individuals are notified. Covered entities must notify OCR by filling out and electronically submitting a form available on OCR’s website.

In its annual report to Congress on breaches of unsecured PHI, OCR reported 236 breaches of PHI which affected over 500 people in 2011 and 222 in 2012. The 236 breaches in 2011 affected in total 11,415,185 individuals, while 3,273,735 were affected in 2012. Per department policy, OCR conducted investigations of each breach that affected over 500 individuals.

Following their investigations, OCR found that the primary reason for breaches affecting over 500 people in 2011 and 2012 was theft of portable electronics or paper containing PHI. The second leading cause of breaches was unauthorized access of records containing PHI. For example, in 2011 the largest breach occurred because of a loss of backup tapes, affecting 4.9 million people. Similarly, in 2012, 116,506 individuals were affected when an unencrypted laptop containing PHI was stolen.

Continue reading
Published on:

by

On Wednesday, New York Presbyterian Hospital and Columbia University agreed to settle claims with the Department of Health and Human Services (HHS) Office for Civil Rights for a collective $4.8 million stemming from a data breach in 2010. This matter, along with other similar cases, should serve as an important warning to healthcare providers and other HIPAA covered entities that personal health information (PHI) of patients must be protected, especially in the electronic age. If a data network is breached and PHI is made available, HHS will use its enforcement powers to assess punitive penalties and institute corrective actions in order to achieve compliance.

Under the terms of the settlement, New York Presbyterian will pay $3.3 million while Columbia University will pay $1.5 million. Both entities must also institute corrective action plans. The settlement represents the highest combined total financial penalty issued to an entity covered by HIPPA. As part of the settlement, the entities must undergo a risk analysis, develop a risk management plan, revise policies and procedures, train staff and provide progress reports.

The investigation and subsequent settlement were brought on by a data breach incident in 2010 where the shared data system for New York Presbyterian and Columbia University was breached and the records of 6,800 patients were made available on the internet. The data breach occurred when a physician attempted to deactivate a personally owned computer server on the network. The Office for Civil Rights alleged that that due to a lack of technical safeguards, deactivation of the server resulted in PHI being accessible via internet search engines.

Continue reading
Published on:

by

On February 24, 2014, the Department of Health and Human Services’ (HHS) Office for Civil Rights (“OCR”) announced in the Federal Register that it plans to survey up to 1,200 organizations to identify candidates for audits under the Health Insurance Portability and Accountability Act (HIPAA) Audit Program. In accordance with the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, OCR is required to schedule periodic audits to ensure that covered entities and business associates are in compliance with HIPAA Privacy, Security, and Breach Notification Rules.

According to the notice, the survey will assess covered entities and business associates’ “suitability” (e.g., size, complexity and fitness) for an audit by collecting information from these respondents such as “number of patient visits or insured lives, use of electronic information, revenue, and business locations.” Although the total number of entities to be audited in 2014 is unclear, HHS expects that expanding the audit program to up to 1,200 organizations will provide a more accurate depiction of covered entities and business associates’ compliance with HIPAA. HHS will be accepting comments regarding this pre-audit survey until April 25, 2014.

Since the inception of the HIPAA Privacy and Security Rules in 1996, Wachler & Associates has counseled providers and other covered entities of all sizes in HIPAA compliance. In order to attain compliance, providers should update security policies and procedures, business associate agreements, privacy policies and procedures, and HIPAA privacy notices. In addition, all employees should receive ongoing training in HIPAA compliance. If your entity does not already have these procedures in place, Wachler & Associates can help you implement these important compliance measures. If you have any questions or require assistance developing and implementing a HIPAA compliance plan for your organization, please contact an experienced healthcare attorney at 248-544-0888 or at wapc@wachler.com.

Published on:

by

On January 16, 2014 the Federal Trade Commission (FTC) unanimously reaffirmed its broad authority to regulate a healthcare provider’s data security program deemed inadequate by the FTC in protecting consumers from identity theft or misuse of personal information. The FTC held that a provider’s program is inadequate if it fails to provide reasonable and appropriate data security measures. A company’s failure to provide reasonable and appropriate data security measures falls within the purview of Section 5(a) of the FTC Act’s prohibition of “unfair … acts or practices.” Further, the FTC held that HIPAA, HITECH, and other statutes do not restrict the FTC’s authority under Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), to challenge data security measures that it has reason to believe are unfair acts or practices.

The impetus for this ruling comes from an August 2013 complaint filed against LabMD, a clinical laboratory, alleging that LabMD failed to employ reasonable and appropriate measures to prevent unauthorized access to consumers’ personal information, constituting an unfair act or practice in violation of Section 5(a) of the Act. LabMD moved to dismiss the FTC’s complaint, arguing that the FTC had no authority to address private companies’ data security programs under the Act, and that by enacting Health Insurance Portability and Accountability Act (“HIPPA”) and other statutes, Congress implicitly restricted the FTC’s authority to enforce the Section 5 of the Act in the field of data security. In denying LabMD’s motion to dismiss, the FTC determined that nothing in the federal statutes reflected a ‘clear and manifest’ intent of Congress to restrict the FTC’s authority over unfair data and security practices. Furthermore, the FTC held that “so long as the requirements of those statues do not conflict with one another, a party cannot plausibly assert that, because it complies with one of these laws, it is free to violate the other.”

As the FTC reasserts its broad authority under the Act, healthcare providers should reexamine their data security programs to ensure that they adequately protect consumers’ personal information in the event of an investigation by the FTC.

Continue reading
Published on:

by

After months of delay, compliance with the Health Insurance Portability and Accountability Act (HIPAA) Health Information Technology for Economic and Clinical Health (HITECH) Omnibus Final Rule goes into effect today. HIPAA Privacy and Security Rules are implemented by the Health and Human Services (HHS) Office for Civil Rights.

The Omnibus Final Rule was announced by HHS on January 17, 2013. According to the HHS press release, the Final Rule “expand[s] many of the requirements to business associates of [health care providers, health plans, and other entities that process insurance claims] that receive protected health information, such as contractors and subcontractors…Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation.”

The Final Rule’s safe harbor period, which ended today, gave covered entities and business associates 180 days to comply with stricter modifications which will be enforced by heavy fines. Time is of the essence for covered entities and business associates to take proper measures to comply with the new rules. It is imperative that entities review their relationships with covered entities, as the Final Rule expanded the definition of a “business associate” and entities that previously were not business associates, may be considered business associates with the implementation of the Final Rule. If an entity is a business associate with a covered entity, then certain obligations come into play, including the requirement that the business associate and covered entity enter into a business associate agreement that meets the requirements set forth in the Final Rule.

Continue reading
Published on:

by

On May 21, 2013, the Department of Health and Human Services (HHS) released its settlement agreement with Idaho State University (ISU) for Health Insurance Portability and Accountability Act (HIPAA) violations. The $400,000 settlement agreement involves ISU’s self-reported breach of unsecured electronic protected health information (ePHI) of about 17,500 patients.

HHS received notification of ISU’s breach on August 9, 2011, and shortly thereafter began an investigation into ISU’s HIPAA compliance. Due to disabled firewall protections on ISU’s servers, about 17,500 patients’ ePHI were left unsecured for a minimum of 10 months. Furthermore, according to the investigation conducted by HHS, ISU’s security measures were not adequate and ISU did not evaluate the possibility of potential risks occurring.

Most importantly, the Office for Civil Rights (OCR) which enforces HIPAA and oversees health information privacy in HHS, determined that processes for routine review were not in place at ISU. As a result, ISU was not able to detect the firewall breach as early as they could have if proper procedures were in place. Routine review is part of the HIPAA’s minimum necessary standard which every HIPAA covered entity must comply with.

Continue reading
Published on:

by

The Office for Civil Rights (OCR) enforces the Health Insurance Portability and Accountability Act (HIPAA) and oversees health information privacy in the Department of Health and Human Services (HHS). On Tuesday, a notice was published in the Federal Register asking for input and comments on the OCR’s HIPAA Audit Review Survey. The Information Collection Request (ICR) collected in this online survey looks at 115 Covered Entities (health plans, clearinghouses and providers) that were audited in 2012 by OCR.

The survey looks to collect information on just how effective these audits are and solicits opinions on the audit process itself. As part of that review, the online survey will be used to:

• Measure the effect of the HIPAA Audit program on covered entities • Gauge their attitudes towards the audit overall and in regards to major audit program features, such as the document request, communications received, the on-site visit, the audit-report findings and recommendations • Obtain estimates of costs incurred by covered entities, in time and money, spent responding to audit-related requests • Seek feedback on the effect of the HIPAA Audit program on the day-to-day business operations • Assess whether improvements in HIPAA compliance were achieved as a result of the Audit program

Continue reading
Published on:

by

The Department of Health and Human Services (HHS) has issued a letter to health care providers to ensure that they are aware of their ability under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to take action, consistent with their ethical standards or other legal obligations, to disclose necessary information about a patient to law enforcement, family members of the patient, or other persons, when they believe the patient presents a serious danger to himself or other people.

In the letter, HHS describes the HIPPA Privacy Rule as requiring a careful balance between protecting the patients’ privacy and ensuring the safety of the patient and others. In general, the Privacy Rule requires providers to protect the privacy of the patients’ health information. However, an exception is created when a health care provider believes in good faith that a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others. A provider is presumed to have a good faith belief if his or her belief is based on the provider’s actual knowledge, such as through the provider’s interactions with the patient, or when the provider is relying on a credible representation by a person with apparent knowledge or authority, such as a credible family member of the patient.

If a health care provider does believe in good faith that a warning is necessary to prevent a serious and imminent threat to the health or safety of the patient or others, then the Privacy Rule allows the provider to alert those persons whom the provider believes are reasonably able to prevent or lessen the threat. In alerting such persons, the provider may disclose patient information, including information from mental health records, if necessary. Furthermore, persons “reasonably able to prevent or lessen the threat” may include police officers, the patient’s family members, or even campus security or administration.
Continue reading

Published on:

by

The U.S. Department of Health and Human Services (HHS) recently agreed to a $1.5 million settlement with the Massachusetts Eye and Ear Infirmary for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

The HIPAA Security Rule protects electronic health information by requiring HIPAA-covered entities to use various safeguards to ensure that electronic protected health information remains private and secure. The Privacy Rule, by contrast, grants individuals rights over protected health information, and sets rules for who may view that information.

MEEI submitted a HIPAA breach report, as required by HIPAA’s Breach Notification Rule, following the theft of an unencrypted personal laptop. The laptop contained electronic protected health information (ePHI), including patient prescriptions and clinical information.

Continue reading
Published on:

by

On May 31, 2012, Department of Health and Human Services (HHS) Director of the Office of Civil Rights Leon Rodriguez issued a memo to consumers regarding those consumers’ right to access their protected health information and medical records. In this memo, Rodriguez stressed that it is important for consumers and providers to remember that the Health Insurance Portability and Accountability Act (HIPAA) not only provides protection for personal health information, but also provides consumers with the right to view and obtain copies of health records.

Many providers, when dealing with HIPAA compliance, tend to focus on safeguarding protected health information, but fail to recognize the importance of patient rights including the right to access. Under HIPAA, patients have the right to view their health records from most providers, pharmacies, and health plans. Patients also have the right to obtain copies of those records in the form they choose, be it electronic or on paper, if the provider is able to do so.

Providers can charge patients a reasonable amount for the copies of health records the patient receives, and any cost for mailing the records. This amount is statutorily regulated in most states. It is important to note that a provider cannot charge a fee for searching for and retrieving records, and providers cannot withhold access to records because a patient has not paid for services received.
Continue reading

Contact Information
210 E 3rd St #204
Royal Oak, MI 48067
Phone: 248-544-0888
Fax: 248-544-3111

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Please do not include any confidential or sensitive information in a contact form, text message, or voicemail. The contact form sends information by non-encrypted email, which is not secure. Submitting a contact form, sending a text message, making a phone call, or leaving a voicemail does not create an attorney-client relationship.

Copyright © 2016 – 2024, Wachler & Associates, P.C.
JUSTIA Law Firm Blog Design