In July 2017, Georgia passed House Bill 249, transitioning the state’s Prescription Drug Monitoring Program (PDMP) from the Drug and Narcotic Agency to the Department of Public Health. “The goal of the Georgia PDMP is to reduce the misuse of controlled substances and to promote proper use of medications used to treat pain, as well as to help diminish duplicative prescribing and overprescribing of controlled substances,” said Georgia Department of Public Health Commissioner Patrick O’Neal, MD. The new mandates call for providers to utilize the PDMP system for prescriptions of opioid and benzodiazepine medications. Now, prescribers of CII medications are required to review a patient’s PDMP information every 90 days, unless the patient meets specific criteria. Pharmacy Monitoring Systems are regulated by individual states, each imposing its own unique requirements for reporting.
Genetic testing companies, such as 23andMe, have become a craze in the United States within the last 10 to 15 years. 23andMe was formed with the purpose of informing its customers of their genetic health risks, carrier status, and ancestry information. After collecting DNA from saliva, the DNA is sent off to research labs that perform qualitative genotyping–the process of discovering variants in DNA. The genetic tests that 23andMe runs analyze the donor’s DNA, RNA, chromosomes, proteins, and metabolites to determine mutations and changes in chromosome structure. This genotyping allows the labs to discover the customer’s genetic information and background.
Many citizens remain wary of using such resources due to a fear that employers and health insurance companies will use the genetic information for discriminatory purposes. In 2008, the Genetic Information Nondiscrimination Act (GINA) was passed to combat this potential discrimination and protect those employees or insured persons. Continue reading
A Denver area Federally Qualified Health Center (FQHC) must pay $400,000 in fines and implement a corrective action plan for HIPAA violations that resulted from a hacker’s breach into the health center’s employee emails. The breach led to theft of electronic protected health information (ePHI) of 3,200 individuals. Although the HIPAA violations were a result of a malicious breach, Metro Community Provider network (MCPN) was found at fault by OCR officials after OCR’s investigation showed MCPN did not conduct a risk analysis of its ePHI environment and waited another two months after discovery of the breach to conduct a risk analysis. MCPN had no system of risk management in place to determine what vulnerabilities the center was susceptible to.
Georgia Healthcare and HIPAA Compliance Lawyers
The HIPAA Privacy Rule was enacted to protect patient health information and secure for patients more control over the use of their private information. Under Federal law, healthcare businesses have a strict obligation to protect the information of patients. While there is no private cause of action for violations of HIPAA, complaints can be filed with the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS), states’ Departments of Health, federal third-party Payors (Medicare, TRICARE, VA, etc), state licensing boards, and, in some cases, state law may provide a cause of action for individuals under specific state privacy laws. Such complaints can lead to investigations, fines and other negative consequences for a healthcare professional or practice.
The U.S. Department of Health & Human Services (HHS) announced its preparation to move into its next phase of audits of healthcare covered entities and their business associates. According to HHS, “[t]he 2016 Phase 2 HIPAA Audit Program will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.” Physicians, medical practices, other providers and healthcare businesses, and their business associates, should take steps to ensure they are current and compliant with respect to HIPAA requirements.
Federal Investigation/ Medical Audit Lawyers
HHS is charged by federal law with the responsibility to enhance and protect the health and well-being of all Americans. To that end, HHS, through its Office of Civil Rights (OCR), endeavors to ensure high quality health and human services and promote advances in medicine and public health. Federal law known as the Health Information Technology for Economic and Clinical Health Act (HITECH) requires HHS to conduct periodic audits of healthcare providers and their business associates to ascertain compliance (or lack thereof) with the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule. The HIPAA Privacy, Security and Breach Notification Rules, though very important to our government’s efforts to protect protected health information (PHI), are additional burdens for those in the business of providing healthcare and their business partners who might have access to PHI.
A few years ago, OCR used a “pilot” audit program to assess a sampling of covered entities’ progress in implementing HIPAA’s requirements for protecting PHI. Now, utilizing the information obtained by its pilot audit program, OCR will begin auditing both healthcare providers and their business associates. Beginning this year, OCR will review and analyze policies and procedures adopted by covered entities and business associates against the requirements of the HIPAA Privacy, Security and Breach Notification Rules.
HIPAA Audits 2015
Auditing is to Increase; Increased Contractors; Business Associates at Risk
By: Brian L Tuttle, CHP, CHA, CPHIT, CBRA, CCNA, CISSP
Well D-Day in the Health Insurance Portability and Accountability Act (HIPAA) world (September 23, 2013) has come and gone and we are all still here, the world hasn’t ended, the Feds still haven’t kicked down your doors demanding to comb over your practice or business……yet. As of now the Federal government has a heavy workload in terms of who, what, when, and where will be affected by their new enforcement efforts. Their progress was stunted a bit by the recent government shut down, but as of this writing (November 14, 2013) they are back in business.
As you may or may not know, the enforcement wing of the U.S. Department of Health and Human Services (HHS), which is the Office of Civil Rights (OCR), began a pilot campaign of audits in the summer of 2012. This pilot campaign is to become a full time heavily enforced effort with many more facets involved. Based upon the findings there are many areas that need to be addressed chiefly dealing with the HIPAA Security Rule (65% of fines levied) in comparison with the HIPAA Privacy Rule (26% of fines levied) and the Breach Notification Rule (9% of fines levied). Going forward the OCR plans to evolve this process and give sharp teeth to what’s already going on. Originally the law firm KPMG was given the contract to conduct these pilot audits. According to HHS, the government plans to bring in many more firms (and subcontractors of those firms) to enforce and audit. Leon Rodriguez, director for OCR, stated at the HIMSS Privacy and Security Forum in Boston on September 23, 2013 “We hope to be off and running in the next calendar year.” Additionally, Mr. Rodriguez stated that OCR “will leverage more civil penalties” but more concerning is that fines levied are expected to pay for the audit program and be a revenue generating process for the Feds.
Although most health care providers understand in the abstract that they must comply with The Health Insurance Portability and Accountability Act of 1996 (HIPAA), many may not fully appreciate the legal and financial significance of noncompliance. More and more, the federal government utilizes HIPAA enforcement options to protect the public interest in security, including the following strong incentives for HIPAA compliance.
HIPAA Civil Penalties
Caps on penalties for HIPAA violations by covered entities were increased in 2009 by the enactment of the HITECH Act. Covered entity civil penalties are “tiered” as follows:
- No knowledge of HIPAA violation – $100-$50,000 for each violation, up to a maximum of $1.5 million during a calendar year.
- A reasonable cause of the HIPAA violation exists – $1,000-$50,000 for each violation, up to a maximum of $1.5 million during a calendar year.
- The HIPAA violation was caused by willful neglect but timely corrected – $10,000-$50,000 for each violation, up to a maximum of $1.5 million during a calendar year.
- The HIPAA violation was caused by willful neglect but not timely corrected – $50,000 or more for each violation, up to a maximum of $1.5 million during a calendar year
The HITECH Act also offers benefits to encourage patients to report HIPAA violations similar to those offered in qui-tam cases. This allows patients who have been impacted by HIPAA violations to collect a portion of the civil monetary penalty that is imposed against a violator. However, there are three very important exceptions to collecting on this penalty:
- The offense is punishable under HIPAA criminal provisions;
- The violator did not know and, by exercising reasonable diligence, would not have known of the violation; or
- The failure to comply is caused by “reasonable cause” rather than “willful neglect” and the alleged violator takes action to cure the failure during the first 30 days following actual knowledge of the noncompliance or when the person should have known of the noncompliance.
HIPAA Criminal Penalties
Although the DHHS Office for Civil Rights enforces the civil penalties for HIPAA violations, the Department of Justice is the agency in charge of enforcing HIPAA’s criminal penalties. As with the civil penalties, the nature of the HIPAA violation determines the severity of the penalty in regards to criminal sanctions:
- If a person knowingly and, in violation of the Privacy Rule, discloses PHI to another individual, they face a base penalty of up to $50,000 in fines and up to a year in prison, or both;
- if the offense is committed under false pretenses, they can be fined up to $100,000 and face up to five years in jail, or both;
- if the offense is committed with an intent to sell or otherwise use PHI for commercial advantage, personal gain or malicious harm, they can be fined up to $250,000 and face up to 10 years in jail, or both.
An unencrypted thumb drive cost a dermatology practice $150,000. On December 26, 2013, the U.S. Department of Health & Human Services (HHS) announced a settlement with Adult & Pediatric Dermatology, P.C. of Concord, Massachusetts (APD) of alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). APD, a “covered entity” for HIPAA purposes, has offices in Concord, Westford, Marlborough, and Ayer, Massachusetts, and Wolfeboro, New Hampshire.
The thumb drive contained unsecured electronic protected health information (ePHI) relating to the performance of Mohs surgery for about 2,200 patients. The thumb drive was stolen from the vehicle of one of APD’s employees. APD informed its patients of the theft of the thumb drive and provided a media notice.
HHS investigated and determined that APD did not timely conduct an accurate and thorough analysis of the risks associated with potential exposure of the ePHI. HHS also determined that APD did not fully comply with the administrative requirements of HIPAA’s breach notification requirements to have written policies and procedures and train employees regarding breach notification requirements. HHS also determined that APD disclosed ePHI in violation of HIPAA by the access gained to it when APD did not reasonable safeguard an unencrypted thumb drive.
HHS fined APD $150,000 and required APD’s execution of a Corrective Action Plan. The Corrective Action Plan requires APD to develop a comprehensive risk analysis and risk management plan to ensure future compliance with HIPAA and to periodically report to HHS the status of APD’s implementation of the plan. HHS released its right to take further action against APD, conditioned upon full compliance by APD with the Corrective Action Plan. See HHS Resolution Agreement.
As a general rule of thumb for legal issues, being proactive tends to be much less expensive than being reactive. This general rule certainly applies to health care providers, their business associates and, now, business associate subcontractors with respect to changes required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HIPAA Omnibus Final Rule (Final Rule), implementing provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act passed in 2009, became law last week on March 26, 2013. The Final Rule significantly modifies HIPPA requirements for compliance and security measures intended to protect health information (PHI), especially business associate agreements. Health care covered entities and their business associates and subcontractors have six months to become compliant with the rule, or face large fines (up to $1.5 million). The deadline for compliance is September 23, 2013, and the clock is ticking. Quickly.
According to the U.S. Department of Health & Human Services (HHS), the Final Rule is intended to bolster privacy and security protections for PHI under HIPAA by greatly enhancing the government’s ability to enforce the law. Health care provider audits are expected to dramatically increase in the coming months and years. Assuming that an audit will not happen is a mistake for any health care provider. Fines for HIPAA violations can be considerable, up to $1.5 million.
Under the Final Rule, parts of the HIPAA “Security Rule” (security requirements for electronic PHI) and “Privacy Rule” (security requirements for privacy of PHI) will now apply directly to business associates so that business associates will be potentially liable for civil and criminal penalties for any non-compliance with the HIPAA regulations, rather than just a breach of contract. Additionally, many subcontractors of business associates will now be covered. Liability for data breaches and other non-compliance can lie with the subcontractor, the business associate or the covered health care entity.
So, who is a “business associate”?
This is an important question because many changes under the Final Rule will profoundly impact not only covered entities and existing business associates, but other entities that now meet the definition of “business associate” and downstream business associate subcontractors whose services touch PHI. The Final Rule broadened the definition of “business associate” so that anyone who creates, receives, maintains, or transmits PHI might be deemed subject to HIPAA rules as a business associate. For example, the new definition includes companies or persons that “maintain” PHI, such as a data storage company or a company that provides data transmission services.
Legal counsel should be consulted to determine what business partners and vendors might be deemed “business associates” by HHS in the event of an audit. The reality is that many (probably most) business associates are currently not compliant with HIPAA and, if they consider the issue at all, may be in denial. HHS has decided it will deal with the issue more aggressively. Prudent health care providers must promptly inventory their business relationships to identify all business partners and vendors that meet the broadened definition of “business associate” under HIPAA rules and ascertain whether business associates are compliant with HIPAA’s risk assessment and other compliance protocol. This process should include evaluation of existing business associate agreements and, ultimately, health care providers should insist that every business associate demonstrate compliance.
Do your business associate agreements need to be updated?
Covered entities, business associates and subcontractors have until September 23, 2013 to execute business associate agreements compliant with the Final Rule. Under the Final Rule, business associate agreements must be updated to require that:
– the business associate comply with applicable requirements of the Security Rule.
– business associate ensure subcontractors that create, receive, maintain or transmit electronic PHI on behalf of the business associate agree to comply with the requirements of the Security Rule.
– the business associate ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such PHI.
– the business associate report breaches of unsecured PHI.
– the business associate carry out a covered health care entity’s obligation under the Privacy Rule (e.g., serving as the privacy official)
– the business associate comply with the requirements of the Privacy Rule that apply to the performance of such obligation.
It is estimated that up to 500,000 existing Business Associates will have to have new business associate agreements.
The U.S. Department of Health and Human Services (HHS) published the HIPAA final omnibus rule (Final Rule) on January 25, 2013. The Final Rule deals with required changes for medical practices and other health care providers that HHS determined are necessary to secure protected health information (PHI). As a result of the Final Rule, many health care providers must update existing business associate agreements, revise existing notices of privacy practice, and require some business associates’ subcontractors to execute business associate agreements. For many medical practices and health care businesses, this process may be a tedious undertaking and, therefore, should begin promptly. The deadline for compliance is September 23, 2013.
A “business associate” is a person or entity that acts on behalf of or provides services to a health care provider (a “covered entity”) who, by doing so, obtains access to PHI. The purpose of a business associate agreement is to ensure business associates will appropriately safeguard PHI and limit permissible uses and disclosures of PHI, to protect patient privacy and related purposes advanced by HIPAA. A business associate is directly liable under HIPAA and subject to civil (and potentially criminal) penalties for data breaches and other violations of HIPAA.
The Final Rule is published in the Federal Register (78 FR 5565) and is 523 pages. Under the Final Rule, a “business associate” includes a broader scope of entities. “Business associate” now includes subcontractors and entities that create, receive, maintain, or transmit PHI. How this change will impact particular situations may require determinations on an ad hoc basis. All physicians, physician groups, other health care providers, and health care businesses, should promptly marshal their existing business associate agreements for review and analysis to determine which agreements must be changed to comply with the Final Rule. Additionally, all business arrangements need to be inventoried and reviewed for a determination as to whether the relationship necessitates a business associate agreement under the Final Rule. For every business arrangement that will require a new business associate agreement, the business associate should be contacted now regarding the requirement of a business associate agreement.
A single unencrypted laptop computer containing electronic protected health information (ePHI) cost The Hospice of North Idaho (HONI) $50,000. HONI agreed to pay the U.S. Department of Health and Human Services (HHS) a $50,000 fine to settle potential breaches of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.
HONI regularly used laptops in field work. However, according to HHS, HONI did not conduct an accurate and thorough analysis of the risk to the confidentiality of ePHI posed by mobile devices on an on-going basis as part of its security management process in violation of HIPAA. HONI also failed to implement security measures sufficient to ensure the confidentiality of ePHI that it created, maintained and transmitted using portable devices, another alleged HIPAA breach. In addition to the fine, HHS required HONI to enter into a corrective action plan.
The HONI settlement is notable as the first settlement of an alleged HIPAA violation based on breach of ePHI affecting fewer than 500 individuals. The government discovered in its investigation that HONI simply failed to conduct any risk assessment to safeguard ePHI and failed to have policies and procedures to address mobile devices. Leon Rodriquez, the Director of the HHS Office for Civil Rights, explained: “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”