Articles Posted in HIPAA

Published on:

On May 31, 2012, Leon Rodriguez, Director of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), issued a memo to consumers regarding their right to access their protected health information and medical records. In the memo, Rodriguez stressed that consumers and providers should remember that the Health Insurance Portability and Accountability Act (HIPAA) not only protects personal health information, but also gives consumers the right to view and obtain copies of their health records.

Many providers, when addressing HIPAA compliance, focus on safeguarding protected health information but overlook patient rights, including the right of access. Under HIPAA, patients have the right to view their health records held by most providers, pharmacies, and health plans. Patients also have the right to obtain copies of those records in the form they choose, electronic or paper, if the provider is able to produce them in that form.

Providers may charge patients a reasonable, cost-based fee for copies of their health records and for the cost of mailing them; many states also cap this amount by statute. A provider cannot charge a fee for searching for and retrieving records, and cannot withhold access to records because a patient has not paid for services received.

Published on:

The Office for Civil Rights (OCR) announced yesterday that its Health Insurance Portability and Accountability Act (HIPAA) enforcement training tools would be made available to the general public today, June 5, 2012.

Since 2009, under the Health Information Technology for Economic and Clinical Health (HITECH) Act, State Attorneys General (SAGs) have had the authority to bring civil actions for HIPAA violations on behalf of their states' residents. To assist SAGs, OCR developed a range of HIPAA Privacy and Security Rule compliance, enforcement, and training tools.

The materials include computer-based modules, and videos and slides from in-person training sessions, covering the following topics:

  • General Introduction to the HIPAA Privacy and Security Rules
  • Analysis of the impact of the HITECH Act on the HIPAA Privacy and Security Rules
  • Investigative techniques for identifying and prosecuting potential violations
  • A review of HIPAA and State Law
  • OCR’s role in enforcing the HIPAA Privacy and Security Rules
  • SAG roles and responsibilities under HIPAA and the HITECH Act
  • Resources for SAGs in pursuing alleged HIPAA violations
  • HIPAA Enforcement Support and Results

These materials may be a helpful training tool for health care providers and privacy officers. They highlight to whom, what, where, when, and how the HIPAA Rules are enforced, and provide basic summaries of the HIPAA Privacy and Security Rule requirements.

Published on:

On May 10, 2012, the United States Court of Appeals for the Ninth Circuit held that a criminal conviction under the Health Insurance Portability and Accountability Act (HIPAA) does not require that the defendant knew his conduct was illegal. The case, United States v. Zhou, is the first to hold that the knowledge element of a criminal HIPAA violation applies only to the fact that the defendant obtained individually identifiable health information, not to the fact that obtaining it violated HIPAA.

The statute imposes a criminal penalty on a person who "knowingly and in violation of" the statute uses, obtains, or discloses individually identifiable health information. Zhou argued that this requires knowledge both that the information obtained was protected health information and that obtaining it was illegal. The court rejected the argument, finding the statutory language plain: the word "and" separates two distinct elements, so "knowingly" modifies only the act of obtaining the health information, not the fact that the act was in violation of the statute.

The statute at issue, 42 U.S.C. § 1320d-6(a), reads as follows:

(a) Offense A person who knowingly and in violation of this part–

(1) uses or causes to be used a unique health identifier;

(2) obtains individually identifiable health information relating to an individual; or

(3) discloses individually identifiable health information to another person,
shall be punished as provided in subsection (b) of this section. For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1320d-9(b)(3) of this title) and the individual obtained or disclosed such information without authorization.

Penalties under subsection (b) scale with the offender's purpose: up to $50,000 and one year of imprisonment for a basic offense, up to $100,000 and five years if the offense is committed under false pretenses, and up to $250,000 and ten years if it is committed with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm.

Published on:

The first enforcement action arising from a breach report filed under the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule has resulted in Blue Cross Blue Shield of Tennessee (BCBST) agreeing to pay the Department of Health and Human Services (HHS) $1.5 million.

BCBST reported that unencrypted hard drives had been stolen from a leased storage facility in Tennessee. The drives contained protected health information of more than one million individuals, including Social Security numbers and dates of birth. HHS's investigation found that BCBST had failed to ensure the facility had appropriate security safeguards in place as required by the HIPAA Security Rule. The settlement also requires BCBST to adopt a corrective action plan revising its security policies and conducting workforce training. Had the drives been encrypted in a manner consistent with HHS guidance, the data on them would not have been "unsecured" protected health information and the theft would not have triggered breach notification obligations.

The HITECH Breach Notification Rule requires HIPAA covered entities to notify affected individuals of a breach of unsecured protected health information without unreasonable delay and no later than 60 days after discovery. For breaches affecting 500 or more individuals, the entity must also notify the HHS Secretary at the same time and, where more than 500 residents of a single state or jurisdiction are affected, prominent media outlets. Breaches affecting fewer than 500 individuals must still be reported to the affected individuals; they are reported to the HHS Secretary in an annual log rather than individually.

More information on the HITECH Breach Notification Rule can be found on the Department of Health and Human Services website.

The HIPAA Privacy and Security Rules are enforced by the HHS Office for Civil Rights. The Security Rule establishes the administrative, physical, and technical safeguards that covered entities must implement to protect the confidentiality, integrity, and availability of electronic protected health information.

More information on the HHS Office for Civil Rights can be found on their website.

Published on:

According to a Boston Globe article, Tufts Medical Center and one of its primary care doctors are being sued by a patient whose privacy rights were allegedly violated when her medical history was sent to a fax machine at her workplace without her consent. The patient, Kimberly White, was recovering from a hysterectomy this past December. While recovering, she asked Dr. Kimberly Schelling to fax a form to White’s employer that was required to receive disability payments. Instead, medical records were allegedly sent to a shared fax machine in the office, which resulted in White’s medical records being viewed by at least two co-workers. White claimed that this disclosure has caused her extreme embarrassment and the inability to show her face at work again. Tufts has not yet filed a response to the complaint, but the hospital maintains that they were in full compliance with the patient’s request to share the medical information.

The HIPAA Privacy Rule permits disclosure of protected health information pursuant to a patient's written authorization or as otherwise permitted by the Rule. The Office for Civil Rights (OCR) has issued guidance stating that transmitting protected health information by fax is permissible so long as reasonable safeguards are in place to protect it from unauthorized or impermissible disclosure, for example confirming the recipient's fax number before sending. If you have questions regarding patient privacy or need assistance with HIPAA compliance policies and procedures, please contact a Wachler & Associates attorney at 248-544-0888.

Published on:

The Department of Health and Human Services (HHS) has issued a notice of proposed rulemaking to modify the HIPAA Privacy Rule in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act requirement that users of electronic health records (EHRs) provide a more extensive accounting of disclosures than the Privacy Rule previously required. The proposed rule would give individuals the right to receive an access report identifying who has accessed their electronic protected health information. The Security Rule's audit control requirements arguably already obliged covered entities to log such access, but the logs did not have to be shared with individuals. The proposed rule also requires more detail in the accounting of certain disclosures, in an attempt to address inefficiencies in the existing accounting process.

The complete HHS announcement and the text of the proposed rule are available on the HHS website. If you have any questions regarding compliance with the new HIPAA privacy standards or any other HIPAA issues, please contact a Wachler & Associates attorney at 248-544-0888.

Published on:

The percentage of physicians in the United States using electronic health records (EHR) has risen nine percentage points (from 20% to 29%) over the past twelve months. The push toward electronic records has been firmly supported by the current and previous presidential administrations. The Obama Administration aims to have at least 50 percent of Americans using EHRs by 2014 in an attempt to reduce health care costs and medical errors.

This month, the federal government will begin distributing incentive payments to hospitals and physicians who adopt EHRs. These incentive programs could pay out as much as $31.3 billion. Eligible professionals whose EHR use meets the government's meaningful use standards may receive up to $44,000 over five years through Medicare or up to $63,750 over six years through Medicaid (a professional must choose one program or the other). In addition, the federal government plans to reduce Medicare reimbursements to providers who have not made the electronic switch by 2015.

If you need help understanding the meaningful use requirements or HIPAA security, or assistance with negotiating EHR contracts, please contact a Wachler & Associates attorney at 248-544-0888.

Published on:

Two hospitals in Anoka County have fired 32 employees for accessing patients' medical records without permission or a legitimate reason to do so. The employees looked up the records of patients hospitalized after a mass drug overdose at a party, a high-profile case. The HIPAA Privacy Rule's "minimum necessary" standard limits workforce members to the protected health information they need in order to perform their job duties; curiosity about a newsworthy patient is not a permitted purpose. The HIPAA Security Rule requires hospitals and other covered entities to implement audit controls that record and examine activity in systems containing electronic protected health information, which is what makes incidents like this detectable after the fact. The Privacy Rule also requires covered entities to apply appropriate sanctions against workforce members who violate their privacy policies. For questions regarding HIPAA compliance or for assistance with developing a HIPAA Privacy or Security compliance program, please contact a Wachler & Associates attorney at 248-544-0888.
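As an added illustration, not part of the original post or of the firm's guidance, the following Python script applies the minimum-necessary and audit-control points above, and the per-patient access report from the accounting-of-disclosures post earlier on this page, to a constructed EHR audit log. The log format, the care-team roster, the list of flagged patients and every user and patient identifier are assumptions made up for the example; a real EHR audit trail and assignment feed would be substituted for them.

```python
"""
Added example (not from the original post): minimum-necessary review of
EHR access logs, plus a per-patient access report.

Everything here is constructed: the log format, the care-team roster, the
flagged-patient list and the user/patient identifiers are assumptions.
"""
import csv
from collections import Counter
from io import StringIO

# Constructed sample audit log. Real EHR audit trails differ in format, but
# the Security Rule's audit controls require recording who touched which
# record, when, and what they did.
SAMPLE_LOG = """\
timestamp,user_id,role,patient_id,action
2011-01-19T22:14:03,u1001,RN,p7001,VIEW
2011-01-19T22:15:11,u1002,MD,p7001,VIEW
2011-01-19T22:16:40,u1003,MD,p7002,VIEW
2011-01-19T22:17:02,u1050,CLERK,p7001,VIEW
2011-01-19T22:17:45,u1050,CLERK,p7002,VIEW
2011-01-19T22:18:30,u1051,RN,p7001,VIEW
2011-01-19T22:19:05,u1052,RN,p7003,VIEW
2011-01-19T22:20:00,u1053,MD,p7002,EMERGENCY_VIEW
2011-01-19T22:21:12,u1002,MD,p7001,UPDATE
"""

# Constructed treatment relationships: which workforce members are on each
# patient's care team. In practice this comes from admission/assignment data.
CARE_TEAM = {
    "p7001": {"u1001", "u1002"},
    "p7002": {"u1003"},
    "p7003": {"u1052"},
}

# Patients whose records warrant elevated review (e.g. a high-profile case).
FLAGGED_PATIENTS = {"p7001", "p7002"}


def parse_log(text):
    """Parse the constructed CSV audit log into a list of dicts."""
    return list(csv.DictReader(StringIO(text)))


def review_access(events, care_team=CARE_TEAM, flagged=FLAGGED_PATIENTS):
    """Return events that fall outside the minimum-necessary standard.

    An access is reported when the user has no treatment relationship with
    the patient. Emergency ("break-the-glass") access is legitimate but is
    still surfaced, because it must be justified and reviewed afterwards.
    """
    findings = []
    for e in events:
        if e["user_id"] in care_team.get(e["patient_id"], set()):
            continue
        if e["action"].startswith("EMERGENCY"):
            reason = "emergency access outside care team; verify justification"
        else:
            reason = "no treatment relationship"
        if e["patient_id"] in flagged:
            reason += " (flagged patient)"
        findings.append({"timestamp": e["timestamp"], "user_id": e["user_id"],
                         "role": e["role"], "patient_id": e["patient_id"],
                         "action": e["action"], "reason": reason})
    return findings


def users_to_sanction(findings):
    """Users with at least one non-emergency access outside their care team,
    with the count of such accesses: the input to a disciplinary review."""
    counts = Counter(f["user_id"] for f in findings
                     if not f["action"].startswith("EMERGENCY"))
    return dict(counts)


def access_report(events, patient_id):
    """Per-patient access report: every user who touched this record, when,
    and what they did. This is the kind of report the proposed
    accounting-of-disclosures rule would let an individual request."""
    return [(e["timestamp"], e["user_id"], e["role"], e["action"])
            for e in events if e["patient_id"] == patient_id]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    findings = review_access(events)
    for f in findings:
        print(f"{f['timestamp']} {f['user_id']:6} {f['role']:5} "
              f"{f['patient_id']} {f['action']:14} {f['reason']}")
    print("sanction review:", users_to_sanction(findings))
    for row in access_report(events, "p7001"):
        print("p7001 accessed:", row)
```

On the constructed log the review surfaces the two clerk look-ups and the off-team nurse as minimum-necessary violations, and the emergency access as an item to justify rather than to sanction; the care-team lookup is the piece that a real deployment replaces with its own assignment data.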

Published on:

The Centers for Medicare and Medicaid Services recently published an MLN Matters Article regarding the length of time physicians are required to retain documentation. The article reiterated that the Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires a covered entity to retain required documentation (its policies and procedures and the other records the Privacy Rule requires it to document) for six years from the date of its creation or the date when it was last in effect, whichever is later. Note that this is a compliance-documentation requirement; HIPAA does not itself set a retention period for medical records, which remains a matter of state law and payer requirements. Where a state law sets a shorter period for the documentation HIPAA covers, the HIPAA requirement controls because it is more stringent. In addition, the HIPAA Privacy Rule requires covered entities to use appropriate administrative, technical and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for as long as the covered entity maintains the information, including at disposal.

The MLN Matters Article also reminded providers that submit cost reports that they must retain the original or a legally reproduced copy for at least five years after the closure of the cost report.

As the MLN Matters Article reiterates, maintaining accurate medical records for Medicare beneficiaries is essential. Medical records should be completed promptly, kept accessible and retained, and providers should implement a system of author identification to ensure authenticity and security.

Published on:

The Department of Health and Human Services (HHS) hosted a press conference today to announce changes to the Health Insurance Portability and Accountability Act (HIPAA) of 1996 Privacy, Security and Enforcement Rules. The proposed rule enters a 60-day notice-and-comment period beginning July 8, 2010. During the press conference, HHS Secretary Kathleen Sebelius noted that the new rule would make business associates directly liable for compliance, as covered entities already are. In addition, civil penalties would rise to a maximum of $50,000 per violation, with an annual cap of $1.5 million for all violations of an identical provision. The new rule would also prohibit the sale of protected health information without the individual's authorization.

In addition to announcing the proposed rule, HHS outlined new resources and activities to strengthen the privacy of protected health information and to educate Americans on their rights and the resources available to them. Two new websites will help inform the public about breaches of health information privacy. The first is the Office for Civil Rights breach notification website, which lists the breaches affecting 500 or more individuals that covered entities are required to report to HHS. The second will keep the public informed on the actions and policies the government is contemplating and implementing for the protection of patient information.

Finally, questions from participants prompted a discussion of the steps HHS is taking to protect health information. HHS cited examples such as training a new workforce to protect health IT, working with federal cybersecurity efforts, and starting a national dialogue with consumers and providers at locations across the country to provide education on the privacy and security of protected health information.
