§ 530 (c) of the HIPAA regulations provides, with regard to safeguards, that “a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.” We typically think of “safeguards” as a security issue, and therefore related mainly to electronic PHI. However, twice in the last three weeks, we’ve had to deal with patients photographing and posting pictures of PHI that was unprotected – once a screenshot and another a paper form. One was meant to embarrass the provider as revenge for making the patient wait. Another was simply meant to illustrate the provider’s laxness. Both incidents were troublesome to resolve.
The lesson from these events is that HIPAA’s requirement to secure PHI is not simply an IT responsibility. Providers should also continually monitor and evaluate their precautions regarding paper records, exposed computer screens, etc.
Written by: Gregory D. Frost
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), recently entered a $400,000 Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement with Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC). The settlement serves as a stark reminder that all covered entities, including FQHCs, must meet the HIPAA Security Rule requirements and that OCR is continuing to step up enforcement efforts in this area. Continue reading
A delay in timely breach notification may now cost you. The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) recently entered a settlement with Presence Health for untimely reporting a breach of unsecured protected health information (PHI). Presence discovered that its operating room schedules containing PHI for 836 individuals were missing on October 22, 2013. Under the HIPAA Breach Notification Rule, breaches like this which involve >500 individuals are required to be reported to the individuals, prominent media outlets and OCR without unreasonable delay and in no case later than 60 days. Presence did not report the breach to OCR until January 31, 2014, approximately 100 days after discovering the breach. OCR’s investigation concluded that Presence failed to notify, without unreasonable delay and within 60 days of discovering the breach, each of the 836 individuals, the media and OCR. Presence agreed to pay $475,000 to settle the potential violations.
The Press Release and Resolution Agreement are available on the OCR website.
Written by: Jacob Simpson
Clay J. Countryman and Alec Alexander will be speaking at a workshop hosted by the Medical Group Management Association’s New Orleans chapter on September 28, 2016. Mr. Countryman will present “HIPAA Phase 2 Audits: Are you ready?” and Mr. Alexander will present “Fraud and Abuse: Compliance for Physician Practices and Recent Hot Topics. The workshop will be located at the East Jefferson General Hospital Conference Center – Esplanade I in Metairie, Louisiana. For more information or to register, click here.
Clay Countryman Alec Alexander
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has started a second phase of audits for compliance with HIPAA Privacy, Security and Breach Notification Standards. The OCR has previously conducted an audit pilot phase and Phase 1 audits of HIPAA covered entities (i.e., healthcare providers, clearinghouses, and health plans). In this Phase 2 of the HIPAA audits, OCR will audit both covered entities and their business associates. Continue reading
The Office for Civil Rights (OCR) recently announced two separate settlements with a hospital and a physician practice that highlight the importance of having HIPAA business associate agreements. Each of these HIPAA settlements were based on the failure to have a HIPAA business associate agreement in place with a third party that a hospital and a physician practice had disclosed patient’s healthcare information to perform certain administrative services. In each case, the third party recipients of patient electronic healthcare information committed or contributed to a breach under the HIPAA Privacy Rule. Continue reading
This week, the OCR announced another HIPAA settlement based on a provider’s failure to have a Business Associate Agreement in place before disclosing PHI to a third party business vendor.
OCR had initiated an investigation of Raleigh Orthopaedic Clinic, P.A. of North Carolina following receipt of a breach report which revealed a release of protected health information (PHI) without first having a business associate agreement (BAA) in place. Continue reading
The Office for Civil Rights (OCR) announced on March 16, 2016, that North Memorial Health Care of Minnesota agreed to pay $1,550,000 to settle allegations that it violated the HIPAA Privacy and Security Rules by failing to implement a Business Associate Agreement with a major contractor and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information. The OCR initiated an investigation of North Memorial following receipt of a breach report that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the electronic protected health information (ePHI) of 9,497 individuals. Continue reading
On February 25, 2016, the Office of Civil Rights, which enforces the HIPAA privacy rules, released lengthy guidance on a patient’s right to access their medical records under 45 CFR §164.524. The link to the guidance is http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html. The publication also includes a number of FAQs addressing copy fees, including “What labor costs may a covered entity include in the fee that may be charged to individuals to provide them with a copy of their PHI?”, “How can covered entities calculate the limited fee that can be charged to individuals to provide them with a copy of their PHI?”, and “When do the HIPAA Privacy Rule limitations on fees that can be charged for individuals to access copies of their PHI apply to disclosures of the individual’s PHI to a third party?”
Providers will get a sense for OCR’s perspective from the following FAQ comment, “Further, while the Privacy Rule permits the limited fee described above, covered entities should provide individuals who request access to their information with copies of their PHI free of charge.”
BSW is planning a webinar in the near future on this guidance. If you’d like to receive notice of that webinar, please contact Sharon.Stickling@bswllp.com.
Written by: Greg Frost
Covered entities evaluating the impact of this HIPAA amendment should take note that the use or disclosure authorized by this amendment is PERMISSIVE, not mandatory. The language of the rule states the covered entity “may” use or disclose PHI for purposes of reporting to the NICS the identity of an individual who is prohibited from possessing a firearm under 18 USC 922(g)(4). The covered entity is not required to do so. Therefore, if a covered entity isn’t sure whether they are allowed by this recent amendment to make a disclosure to the NICS, the normal compliance strategy would require careful consideration. Continue reading