Articles Posted in HIPAA

As a healthcare and business law firm, we assist many clinical laboratories in compliance and regulatory matters, and because of COVID-19, Georgia has seen a rise in the number of clinical laboratories.  A compliance question faced by many of our clients, particularly those who conduct COVID-19 testing, is how to properly maintain and share patient records.  Here we note some of the rules around retaining and sharing patient records under Georgia law for clinical laboratories.

Record Retention

Georgia Code, Title 31, Chapter 22 provides rules for Clinical Laboratories.  For entities that meet the definition of “clinical laboratory,” section 31-22-4(f) provides that “[r]ecords involving clinical laboratory services and copies of reports of laboratory tests shall be kept for the period of time and in the manner prescribed by the department.”  The department refers to the Georgia Department of Community Health (“DCH”).  DCH’s rules require reports of “all clinical laboratory services, including records of laboratory test requests and reports” to be retained for at least two (2) years for general laboratory records and quality control records, at least five (5) years for records of immunohematology and cytology, and at least ten (10) years for surgical pathology records.  Rule 111-8-10-.26.

Welcome to the third of our business and healthcare law firm’s holiday-themed blog posts. This week’s post is inspired by my favorite holiday movie, A Christmas Story, and the eloquent words Ralphie wrote: “A Red Ryder BB gun with a compass in the stock, and this thing which tells time.” Analyzing Ralphie’s literary genius, he gave Miss Shields three enticing facts: the main description, a vital component, and an interesting addition. Following suit, I will provide three enticing facts about CMS’ new proposed rule.

First, the shortened name of the rule is: “Reducing Provider and Patient Burden by Improving Prior Authorization Processes and Promoting Patients’ Electronic Access to Health Information.”  According to CMS, the purpose of the proposed rule is “[t]o drive interoperability, improve care coordination, reduce burden on providers and payers, and empower patients.” The ingenuity of the proposed rule stems from the fact that it is not only designed to grant patients better access to their records; it is designed to grant all vital parties the necessary access to records: patients, payors, and providers.

Second, the new rule requires each payer to use an Application Programming Interface (“API”) that allows each payer’s system to communicate with other payers. The new rule also does not require patients to request the transfer of claims data.  As such, a patient’s new payer will have access to all of his or her claims data almost immediately upon enrollment. Importantly, through the new API, payers can send “patient claims, encounter data, and clinical data directly to providers[].” Verma, Seema, Reducing Provider and Patient Burden and Promoting Patients’ Electronic Access to Health Information (Dec. 10, 2020).

On April 6, 2020, Lee Hamil Little co-presented with Brian Tuttle the AOA webinar Navigating HIPAA and Telemedicine during COVID19.

The United States Office for Civil Rights (OCR) has issued new COVID-19 guidance on various aspects of its jurisdiction under both HIPAA and the federal civil rights laws.  Many of these changes relate directly to telemedicine and relax some of the HIPAA Security and Privacy regulations.  However, this DOES NOT mean we can just use any technology we want; there are still guidelines.  This in-depth 60-minute webinar discussed the do’s and don’ts of telemedicine during the national emergency caused by COVID19.

On October 16, the FDA’s Center for Devices and Radiological Health and Homeland Security’s Office of Cybersecurity and Communications announced a partnership to address cybersecurity issues related to the use of medical devices. As healthcare professionals continue to rely on computer-based systems to monitor and treat patients effectively, cybersecurity threats grow for providers and hospital systems. Confusion regarding the role of the FDA in medical device security, and questions about the accountability of manufacturers for security issues, are two of the key concerns of health IT professionals. The number of potential threats continues to grow alongside the need for data management and network security. The FDA and HHS memorandum of agreement renews the agencies’ commitment to coordinate, identify, and address cybersecurity risks that pertain to patient safety by agreeing to communicate and share information about data being stored on medical devices.

In July 2017, Georgia passed House Bill 249, transitioning the state’s Prescription Drug Monitoring Program (PDMP) from the Drug and Narcotic Agency to the Department of Public Health. “The goal of the Georgia PDMP is to reduce the misuse of controlled substances and to promote proper use of medications used to treat pain, as well as to help diminish duplicative prescribing and overprescribing of controlled substances,” said Georgia Department of Public Health Commissioner Patrick O’Neal, MD. The new mandates call for providers to use the PDMP system for prescriptions of opioid and benzodiazepine medications. Now, prescribers of CII medications are required to review a patient’s PDMP information every 90 days, unless the patient meets specific criteria. Prescription monitoring systems are regulated by individual states, each imposing its own unique requirements for reporting.

Genetic testing companies, such as 23andMe, have become a craze in the United States within the last 10 to 15 years. 23andMe was formed with the purpose of informing its customers of their genetic health risks, carrier status, and ancestry information.  After DNA is collected from saliva, it is sent to research labs that perform qualitative genotyping, the process of discovering variants in DNA.  The genetic tests that 23andMe runs analyze the donor’s DNA, RNA, chromosomes, proteins, and metabolites to determine mutations and changes in chromosome structure. This genotyping allows the labs to discover the customer’s genetic information and background.

Many citizens remain wary of using such services for fear that employers and health insurance companies will use the genetic information for discriminatory purposes. In 2008, the Genetic Information Nondiscrimination Act (GINA) was passed to combat this potential discrimination and protect those employees or insured persons.

A Denver area Federally Qualified Health Center (FQHC) must pay $400,000 in fines and implement a corrective action plan for HIPAA violations that resulted from a hacker’s breach of the health center’s employee email accounts.  The breach led to theft of the electronic protected health information (ePHI) of 3,200 individuals. Although the HIPAA violations were the result of a malicious breach, Metro Community Provider Network (MCPN) was found at fault by OCR officials after OCR’s investigation showed that MCPN had not conducted a risk analysis of its ePHI environment and waited another two months after discovery of the breach to conduct one. MCPN had no risk management process in place to determine which vulnerabilities the center was susceptible to.

Georgia Healthcare and HIPAA Compliance Lawyers

The HIPAA Privacy Rule was enacted to protect patient health information and to give patients more control over the use of their private information. Under Federal law, healthcare businesses have a strict obligation to protect the information of patients. While there is no private cause of action for violations of HIPAA, complaints can be filed with the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS), states’ Departments of Health, federal third-party payors (Medicare, TRICARE, VA, etc.), and state licensing boards, and, in some cases, state law may provide a cause of action for individuals under specific state privacy laws. Such complaints can lead to investigations, fines, and other negative consequences for a healthcare professional or practice.

The U.S. Department of Health & Human Services (HHS) announced its preparation to move into the next phase of its audits of healthcare covered entities and their business associates. According to HHS, “[t]he 2016 Phase 2 HIPAA Audit Program will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.”  Physicians, medical practices, other providers and healthcare businesses, and their business associates should take steps to ensure they are current and compliant with respect to HIPAA requirements.

Federal Investigation/ Medical Audit Lawyers

HHS is charged by federal law with the responsibility to enhance and protect the health and well-being of all Americans.   To that end, HHS, through its Office of Civil Rights (OCR), endeavors to ensure high quality health and human services and promote advances in medicine and public health. Federal law known as the Health Information Technology for Economic and Clinical Health Act (HITECH) requires HHS to conduct periodic audits of healthcare providers and their business associates to ascertain compliance (or lack thereof) with the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule.  The HIPAA Privacy, Security and Breach Notification Rules, though very important to our government’s efforts to safeguard protected health information (PHI), are additional burdens for those in the business of providing healthcare and their business partners who might have access to PHI.

A few years ago, OCR used a “pilot” audit program to assess a sampling of covered entities’ progress in implementing HIPAA’s requirements for protecting PHI.  Now, using the information obtained through its pilot audit program, OCR will begin auditing both healthcare providers and their business associates.  Beginning this year, OCR will review and analyze the policies and procedures adopted by covered entities and business associates against the requirements of the HIPAA Privacy, Security and Breach Notification Rules.

HIPAA Audits 2015

Auditing is to Increase; Increased Contractors; Business Associates at Risk

Brian Tuttle

Well, D-Day in the Health Insurance Portability and Accountability Act (HIPAA) world (September 23, 2013) has come and gone, and we are all still here; the world hasn’t ended, and the Feds still haven’t kicked down your doors demanding to comb over your practice or business... yet. As of now, the Federal government has a heavy workload in terms of who, what, when, and where will be affected by their new enforcement efforts. Their progress was stunted a bit by the recent government shutdown, but as of this writing (November 14, 2013) they are back in business.

As you may or may not know, the enforcement wing of the U.S. Department of Health and Human Services (HHS), which is the Office of Civil Rights (OCR), began a pilot campaign of audits in the summer of 2012. This pilot campaign is to become a full-time, heavily enforced effort with many more facets involved. Based upon the findings, there are many areas that need to be addressed, chiefly dealing with the HIPAA Security Rule (65% of fines levied) in comparison with the HIPAA Privacy Rule (26% of fines levied) and the Breach Notification Rule (9% of fines levied). Going forward, the OCR plans to evolve this process and give sharp teeth to what’s already going on. Originally the law firm KPMG was given the contract to conduct these pilot audits. According to HHS, the government plans to bring in many more firms (and subcontractors of those firms) to enforce and audit. Leon Rodriguez, director for OCR, stated at the HIMSS Privacy and Security Forum in Boston on September 23, 2013, “We hope to be off and running in the next calendar year.” Additionally, Mr. Rodriguez stated that OCR “will leverage more civil penalties,” but more concerning is that fines levied are expected to pay for the audit program and be a revenue-generating process for the Feds.

Although most health care providers understand in the abstract that they must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), many may not fully appreciate the legal and financial significance of noncompliance. More and more, the federal government uses HIPAA enforcement options to protect the public interest in security, including the following strong incentives for HIPAA compliance.

HIPAA Civil Penalties

Caps on penalties for HIPAA violations by covered entities were increased in 2009 by the enactment of the HITECH Act. Covered entity civil penalties are “tiered” as follows:

  1. No knowledge of HIPAA violation – $100-$50,000 for each violation, up to a maximum of $1.5 million during a calendar year.
  2. A reasonable cause of the HIPAA violation exists – $1,000-$50,000 for each violation, up to a maximum of $1.5 million during a calendar year.
  3. The HIPAA violation was caused by willful neglect but timely corrected – $10,000-$50,000 for each violation, up to a maximum of $1.5 million during a calendar year.
  4. The HIPAA violation was caused by willful neglect but not timely corrected – $50,000 or more for each violation, up to a maximum of $1.5 million during a calendar year.

The HITECH Act also offers incentives to encourage patients to report HIPAA violations, similar to those offered in qui tam cases. This allows patients who have been harmed by HIPAA violations to collect a portion of the civil monetary penalty that is imposed against a violator. However, there are three very important exceptions to collecting on this penalty:

  1. The offense is punishable under HIPAA criminal provisions;
  2. The violator did not know and, by exercising reasonable diligence, would not have known of the violation; or
  3. The failure to comply is caused by “reasonable cause” rather than “willful neglect” and the alleged violator takes action to cure the failure during the first 30 days following actual knowledge of the noncompliance or when the person should have known of the noncompliance.

HIPAA Criminal Penalties

Although the DHHS Office for Civil Rights enforces the civil penalties for HIPAA violations, the Department of Justice is the agency in charge of enforcing HIPAA’s criminal penalties. As with the civil penalties, the nature of the HIPAA violation determines the severity of the penalty in regards to criminal sanctions:

  1. If a person knowingly, and in violation of the Privacy Rule, discloses PHI to another individual, they face a base penalty of up to $50,000 in fines and up to a year in prison, or both;
  2. if the offense is committed under false pretenses, they can be fined up to $100,000 and face up to five years in jail, or both;
  3. if the offense is committed with an intent to sell or otherwise use PHI for commercial advantage, personal gain or malicious harm, they can be fined up to $250,000 and face up to 10 years in jail, or both.
