Articles Posted in HIPAA

A Denver area Federally Qualified Health Center (FQHC) must pay $400,000 in fines and implement a corrective action plan for HIPAA violations that resulted from a hacker’s breach into the health center’s employee emails. The breach led to theft of electronic protected health information (ePHI) of 3,200 individuals. Although the HIPAA violations were a result of a malicious breach, Metro Community Provider Network (MCPN) was found at fault by OCR officials after OCR’s investigation showed MCPN did not conduct a risk analysis of its ePHI environment and waited another two months after discovery of the breach to conduct a risk analysis. MCPN had no system of risk management in place to determine what vulnerabilities the center was susceptible to.

Georgia Healthcare and HIPAA Compliance Lawyers

The HIPAA Privacy Rule was enacted to protect patient health information and secure for patients more control over the use of their private information. Under Federal law, healthcare businesses have a strict obligation to protect the information of patients. While there is no private cause of action for violations of HIPAA, complaints can be filed with the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS), states’ Departments of Health, federal third-party payors (Medicare, TRICARE, VA, etc.), state licensing boards, and, in some cases, state law may provide a cause of action for individuals under specific state privacy laws. Such complaints can lead to investigations, fines and other negative consequences for a healthcare professional or practice.


The U.S. Department of Health & Human Services (HHS) announced its preparation to move into its next phase of audits of healthcare covered entities and their business associates. According to HHS, “[t]he 2016 Phase 2 HIPAA Audit Program will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.” Physicians, medical practices, other providers and healthcare businesses, and their business associates, should take steps to ensure they are current and compliant with respect to HIPAA requirements.

Federal Investigation/ Medical Audit Lawyers

HHS is charged by federal law with the responsibility to enhance and protect the health and well-being of all Americans. To that end, HHS, through its Office of Civil Rights (OCR), endeavors to ensure high quality health and human services and promote advances in medicine and public health. Federal law known as the Health Information Technology for Economic and Clinical Health Act (HITECH) requires HHS to conduct periodic audits of healthcare providers and their business associates to ascertain compliance (or lack thereof) with the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule. The HIPAA Privacy, Security and Breach Notification Rules, though very important to our government’s efforts to protect protected health information (PHI), are additional burdens for those in the business of providing healthcare and their business partners who might have access to PHI.

A few years ago, OCR used a “pilot” audit program to assess a sampling of covered entities’ progress in implementing HIPAA’s requirements for protecting PHI. Now, utilizing the information obtained by its pilot audit program, OCR will begin auditing both healthcare providers and their business associates. Beginning this year, OCR will review and analyze policies and procedures adopted by covered entities and business associates against the requirements of the HIPAA Privacy, Security and Breach Notification Rules.


HIPAA Audits 2015

Auditing is to Increase; Increased Contractors; Business Associates at Risk

By: Brian L Tuttle, CHP, CHA, CPHIT, CBRA, CCNA, CISSP


Well, D-Day in the Health Insurance Portability and Accountability Act (HIPAA) world (September 23, 2013) has come and gone and we are all still here, the world hasn’t ended, the Feds still haven’t kicked down your doors demanding to comb over your practice or business… yet. As of now the Federal government has a heavy workload in terms of who, what, when, and where will be affected by their new enforcement efforts. Their progress was stunted a bit by the recent government shutdown, but as of this writing (November 14, 2013) they are back in business.

As you may or may not know, the enforcement wing of the U.S. Department of Health and Human Services (HHS), which is the Office of Civil Rights (OCR), began a pilot campaign of audits in the summer of 2012. This pilot campaign is to become a full-time, heavily enforced effort with many more facets involved. Based upon the findings, there are many areas that need to be addressed, chiefly dealing with the HIPAA Security Rule (65% of fines levied) in comparison with the HIPAA Privacy Rule (26% of fines levied) and the Breach Notification Rule (9% of fines levied). Going forward, the OCR plans to evolve this process and give sharp teeth to what’s already going on. Originally the law firm KPMG was given the contract to conduct these pilot audits. According to HHS, the government plans to bring in many more firms (and subcontractors of those firms) to enforce and audit. Leon Rodriguez, director for OCR, stated at the HIMSS Privacy and Security Forum in Boston on September 23, 2013: “We hope to be off and running in the next calendar year.” Additionally, Mr. Rodriguez stated that OCR “will leverage more civil penalties,” but more concerning is that fines levied are expected to pay for the audit program and be a revenue generating process for the Feds.


Although most health care providers understand in the abstract that they must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), many may not fully appreciate the legal and financial significance of noncompliance. More and more, the federal government utilizes HIPAA enforcement options to protect the public interest in security, including the following strong incentives for HIPAA compliance.

HIPAA Civil Penalties

Caps on penalties for HIPAA violations by covered entities were increased in 2009 by the enactment of the HITECH Act. Covered entity civil penalties are “tiered” as follows:

  1. No knowledge of HIPAA violation – $100-$50,000 for each violation, up to a maximum of $1.5 million during a calendar year.
  2. A reasonable cause of the HIPAA violation exists – $1,000-$50,000 for each violation, up to a maximum of $1.5 million during a calendar year.
  3. The HIPAA violation was caused by willful neglect but timely corrected – $10,000-$50,000 for each violation, up to a maximum of $1.5 million during a calendar year.
  4. The HIPAA violation was caused by willful neglect but not timely corrected – $50,000 or more for each violation, up to a maximum of $1.5 million during a calendar year.

The HITECH Act also offers benefits to encourage patients to report HIPAA violations similar to those offered in qui-tam cases. This allows patients who have been impacted by HIPAA violations to collect a portion of the civil monetary penalty that is imposed against a violator. However, there are three very important exceptions to collecting on this penalty:

  1. The offense is punishable under HIPAA criminal provisions;
  2. The violator did not know and, by exercising reasonable diligence, would not have known of the violation; or
  3. The failure to comply is caused by “reasonable cause” rather than “willful neglect” and the alleged violator takes action to cure the failure during the first 30 days following actual knowledge of the noncompliance or when the person should have known of the noncompliance.

HIPAA Criminal Penalties

Although the DHHS Office for Civil Rights enforces the civil penalties for HIPAA violations, the Department of Justice is the agency in charge of enforcing HIPAA’s criminal penalties. As with the civil penalties, the nature of the HIPAA violation determines the severity of the penalty in regards to criminal sanctions:

  1. If a person knowingly, and in violation of the Privacy Rule, discloses PHI to another individual, they face a base penalty of up to $50,000 in fines, up to a year in prison, or both;
  2. if the offense is committed under false pretenses, they can be fined up to $100,000, face up to five years in jail, or both;
  3. if the offense is committed with an intent to sell or otherwise use PHI for commercial advantage, personal gain or malicious harm, they can be fined up to $250,000, face up to 10 years in jail, or both.


An unencrypted thumb drive cost a dermatology practice $150,000. On December 26, 2013, the U.S. Department of Health & Human Services (HHS) announced a settlement with Adult & Pediatric Dermatology, P.C. of Concord, Massachusetts (APD) of alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). APD, a “covered entity” for HIPAA purposes, has offices in Concord, Westford, Marlborough, and Ayer, Massachusetts, and Wolfeboro, New Hampshire.

The thumb drive contained unsecured electronic protected health information (ePHI) relating to the performance of Mohs surgery for about 2,200 patients. The thumb drive was stolen from the vehicle of one of APD’s employees. APD informed its patients of the theft of the thumb drive and provided a media notice.

HHS investigated and determined that APD did not timely conduct an accurate and thorough analysis of the risks associated with potential exposure of the ePHI. HHS also determined that APD did not fully comply with the administrative requirements of HIPAA’s breach notification rules, which call for written policies and procedures and for training employees regarding breach notification requirements. HHS also determined that APD disclosed ePHI in violation of HIPAA through the access gained to it when APD did not reasonably safeguard an unencrypted thumb drive.

HHS fined APD $150,000 and required APD’s execution of a Corrective Action Plan. The Corrective Action Plan requires APD to develop a comprehensive risk analysis and risk management plan to ensure future compliance with HIPAA and to periodically report to HHS the status of APD’s implementation of the plan. HHS released its right to take further action against APD, conditioned upon full compliance by APD with the Corrective Action Plan. See HHS Resolution Agreement.

As a general rule of thumb for legal issues, being proactive tends to be much less expensive than being reactive. This general rule certainly applies to health care providers, their business associates and, now, business associate subcontractors with respect to changes required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HIPAA Omnibus Final Rule (Final Rule), implementing provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act passed in 2009, became law last week on March 26, 2013. The Final Rule significantly modifies HIPAA requirements for compliance and security measures intended to protect health information (PHI), especially business associate agreements. Health care covered entities and their business associates and subcontractors have six months to become compliant with the rule, or face large fines (up to $1.5 million). The deadline for compliance is September 23, 2013, and the clock is ticking. Quickly.

According to the U.S. Department of Health & Human Services (HHS), the Final Rule is intended to bolster privacy and security protections for PHI under HIPAA by greatly enhancing the government’s ability to enforce the law. Health care provider audits are expected to dramatically increase in the coming months and years. Assuming that an audit will not happen is a mistake for any health care provider. Fines for HIPAA violations can be considerable, up to $1.5 million.

Under the Final Rule, parts of the HIPAA “Security Rule” (security requirements for electronic PHI) and “Privacy Rule” (security requirements for privacy of PHI) will now apply directly to business associates so that business associates will be potentially liable for civil and criminal penalties for any non-compliance with the HIPAA regulations, rather than just a breach of contract. Additionally, many subcontractors of business associates will now be covered. Liability for data breaches and other non-compliance can lie with the subcontractor, the business associate or the covered health care entity.

So, who is a “business associate”?

This is an important question because many changes under the Final Rule will profoundly impact not only covered entities and existing business associates, but other entities that now meet the definition of “business associate” and downstream business associate subcontractors whose services touch PHI. The Final Rule broadened the definition of “business associate” so that anyone who creates, receives, maintains, or transmits PHI might be deemed subject to HIPAA rules as a business associate. For example, the new definition includes companies or persons that “maintain” PHI, such as a data storage company or a company that provides data transmission services.

Legal counsel should be consulted to determine what business partners and vendors might be deemed “business associates” by HHS in the event of an audit. The reality is that many (probably most) business associates are currently not compliant with HIPAA and, if they consider the issue at all, may be in denial. HHS has decided it will deal with the issue more aggressively. Prudent health care providers must promptly inventory their business relationships to identify all business partners and vendors that meet the broadened definition of “business associate” under HIPAA rules and ascertain whether business associates are compliant with HIPAA’s risk assessment and other compliance protocol. This process should include evaluation of existing business associate agreements and, ultimately, health care providers should insist that every business associate demonstrate compliance.

Do your business associate agreements need to be updated?

Covered entities, business associates and subcontractors have until September 23, 2013 to execute business associate agreements compliant with the Final Rule. Under the Final Rule, business associate agreements must be updated to require that:

– the business associate comply with applicable requirements of the Security Rule;

– the business associate ensure that subcontractors that create, receive, maintain or transmit electronic PHI on behalf of the business associate agree to comply with the requirements of the Security Rule;

– the business associate ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such PHI;

– the business associate report breaches of unsecured PHI;

– the business associate carry out a covered health care entity’s obligation under the Privacy Rule (e.g., serving as the privacy official);

– the business associate comply with the requirements of the Privacy Rule that apply to the performance of such obligation.

It is estimated that up to 500,000 existing business associates will have to have new business associate agreements.

The U.S. Department of Health and Human Services (HHS) published the HIPAA final omnibus rule (Final Rule) on January 25, 2013. The Final Rule deals with required changes for medical practices and other health care providers that HHS determined are necessary to secure protected health information (PHI). As a result of the Final Rule, many health care providers must update existing business associate agreements, revise existing notices of privacy practice, and require some business associates’ subcontractors to execute business associate agreements. For many medical practices and health care businesses, this process may be a tedious undertaking and, therefore, should begin promptly. The deadline for compliance is September 23, 2013.

A “business associate” is a person or entity that acts on behalf of or provides services to a health care provider (a “covered entity”) who, by doing so, obtains access to PHI. The purpose of a business associate agreement is to ensure business associates will appropriately safeguard PHI and limit permissible uses and disclosures of PHI, to protect patient privacy and related purposes advanced by HIPAA. A business associate is directly liable under HIPAA and subject to civil (and potentially criminal) penalties for data breaches and other violations of HIPAA.

The Final Rule is published in the Federal Register (78 FR 5565) and is 523 pages. Under the Final Rule, a “business associate” includes a broader scope of entities. “Business associate” now includes subcontractors and entities that create, receive, maintain, or transmit PHI. How this change will impact particular situations may require determinations on an ad hoc basis. All physicians, physician groups, other health care providers, and health care businesses, should promptly marshal their existing business associate agreements for review and analysis to determine which agreements must be changed to comply with the Final Rule. Additionally, all business arrangements need to be inventoried and reviewed for a determination as to whether the relationship necessitates a business associate agreement under the Final Rule. For every business arrangement that will require a new business associate agreement, the business associate should be contacted now regarding the requirement of a business associate agreement.

A single unencrypted laptop computer containing electronic protected health information (ePHI) cost The Hospice of North Idaho (HONI) $50,000. HONI agreed to pay the U.S. Department of Health and Human Services (HHS) a $50,000 fine to settle potential breaches of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

HONI regularly used laptops in field work. However, according to HHS, HONI did not conduct an accurate and thorough analysis of the risk to the confidentiality of ePHI posed by mobile devices on an ongoing basis as part of its security management process, in violation of HIPAA. HONI also failed to implement security measures sufficient to ensure the confidentiality of ePHI that it created, maintained and transmitted using portable devices, another alleged HIPAA breach. In addition to the fine, HHS required HONI to enter into a corrective action plan.

The HONI settlement is notable as the first settlement of an alleged HIPAA violation based on breach of ePHI affecting fewer than 500 individuals. The government discovered in its investigation that HONI simply failed to conduct any risk assessment to safeguard ePHI and failed to have policies and procedures to address mobile devices. Leon Rodriguez, the Director of the HHS Office for Civil Rights, explained: “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”

The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the U.S. Department of Health and Human Resources (HHS) to conduct audits to ensure health care providers, health care industry organizations, and their business associates comply with HIPAA. The HHS Office for Civil Rights (OCR) audit program scrutinizes policies and procedures (or lack of same) of HIPAA-covered entities. Audit protocol looks at many elements (which may vary based on the type of covered entity audited) categorized as privacy requirements, security requirements, and breach notification requirements. The OCR makes its audit protocol available for public review online. OCR awarded KPMG a $9.2 million contract to create HIPAA auditing protocols and to handle audits. The government is keen on these audits; audits will increase in the near future.

According to OCR, “To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules.” Be prepared. Do not wait for an audit notice. A few of the many factors potentially relevant if your medical practice or other health care business is selected for the review include:

Is there a signed business associate agreement with each business associate?

Do you encrypt protected health information (PHI)?

Do you have policies and procedures in place for employees (new employees, existing employees, terminated employees, etc.)?

Do you have policies in place with regard to the removal of PHI from the medical practice site (e.g. a smartphone)?

Do you have a written policy for ascertaining and reporting a security breach?

Do your policies cover everything you do with PHI?

Do you really do things consistently with your existing policies?


The final Health Insurance Portability and Accountability Act (HIPAA) rule was announced on January 17, 2013, modifying the original 1996 version. The rule becomes effective on March 26, 2013, with full compliance mandated by September 23, 2013. After that, enforcement will commence.

Under the new rule, patients have new rights to their health information and greater privacy protection, and the government has increased ability to enforce the law.

It is time to begin implementing a reporting plan for covered entities and business associates. Such a plan should consider four factors in determining whether a breach must be reported: (1) the type of protected health information (PHI) involved; (2) who used the PHI or to whom the PHI was disclosed; (3) whether the PHI was viewed or acquired; and (4) whether the risk to the PHI was mitigated, such as through assurances by trusted third parties that the PHI was destroyed.

Some other changes to be aware of are:

• Business associates are liable for HIPAA privacy and security rule requirements.

• A business associate includes subcontractors that create, receive, maintain or transmit PHI on the behalf of a business associate.

• Subcontractors for business associates are bound by the same compliance obligations no matter how far away the services are from the covered entity.

• A breach is any wrongful use or disclosure of PHI unless the covered entity or business associate assures that there was no compromise of the PHI or a small chance that it was.

• Covered entities have to protect the PHI of a decedent for 50 years following the date of death.

• Patients can request a copy of their electronic medical record (EMR) in an electronic form.

• For all practical purposes the sale of a patient’s PHI is prohibited without their authorization.

• Penalties are enhanced for noncompliance depending upon the level of culpability up to the civil monetary cap of $1.5 million per violation.

Navigating the expanded HIPAA rule and making certain that you are in compliance by September 23, 2013 can be a daunting task for small and large healthcare businesses, physicians, dentists and hospitals.