Articles Posted in HIPAA

1221952_to_sign_a_contract_3.jpgThe U.S. Department of Health and Human Services (HHS) published the HIPAA final omnibus rule (Final Rule) on January 25, 2013. The Final Rule deals with required changes for medical practices and other health care providers that HHS determined are necessary to secure protected health information (PHI). As a result of the Final Rule, many health care providers must update existing business associate agreements, revise existing notices of privacy practice, and require some business associates’ subcontractors to execute business associate agreements. For many medical practices and health care businesses, this process may be a tedious undertaking and, therefore, should begin promptly. The deadline for compliance is September 23, 2013.

A “business associate” is a person or entity that acts on behalf of or provides services to a health care provider (a “covered entity”) who, by doing so, obtains access to PHI. The purpose of a business associate agreement is to ensure business associates will appropriately safeguard PHI and limit permissible uses and disclosures of PHI, to protect patient privacy and related purposes advanced by HIPAA. A business associate is directly liable under HIPAA and subject to civil (and potentially criminal) penalties for data breaches and other violations of HIPAA.

The Final Rule is published in the Federal Register (78 FR 5565) and is 523 pages. Under the Final Rule, a “business associate” includes a broader scope of entities. “Business associate” now includes subcontractors and entities that create, receive, maintain, or transmit PHI. How this change will impact particular situations may require determinations on an ad hoc basis. All physicians, physician groups, other health care providers, and health care businesses, should promptly marshal their existing business associate agreements for review and analysis to determine which agreements must be changed to comply with the Final Rule. Additionally, all business arrangements need to be inventoried and reviewed for a determination as to whether the relationship necessitates a business associate agreement under the Final Rule. For every business arrangement that will require a new business associate agreement, the business associate should be contacted now regarding the requirement of a business associate agreement.
Continue reading ›

1269437_laptop_and_cellphone[1].jpgA single unencrypted laptop computer containing electronic protected health information (ePHI) cost The Hospice of North Idaho (HONI) $50,000. HONI agreed to pay the U.S. Department of Health and Human Services (HHS) a $50,000 fine to settle potential breaches of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

HONI regularly used laptops in field work. However, according to HHS, HONI did not conduct an accurate and thorough analysis of the risk to the confidentiality of ePHI posed by mobile devices on an on-going basis as part of its security management process in violation of HIPAA. HONI also failed to implement security measures sufficient to ensure the confidentiality of ePHI that it created, maintained and transmitted using portable devices, another alleged HIPAA breach. In addition to the fine, HHS required HONI to enter into a corrective action plan.

The HONI settlement is notable as the first settlement of an alleged HIPAA violation based on breach of ePHI affecting fewer than 500 individuals. The government discovered in its investigation that HONI simply failed to conduct any risk assessment to safeguard ePHI and failed to have policies and procedures to address mobile devices. Leon Rodriquez, the Director of the HHS Office for Civil Rights, explained: “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”
Continue reading ›

1066058_patrol_hat_too[1].jpgThe Health Information Technology for Economic and Clinical Health (HITECH) Act requires the U.S. Department of Health and Human Resources (HHS) to conduct audits to ensure health care providers, health care industry organizations, and their business associates comply with HIPAA. The HHS Office for Civil Rights (OCR) audit program scrutinizes policies and procedures (or lack of same) of HIPAA-covered entities. Audit protocol looks at many elements (which may vary based on the type of covered entity audited) categorized as privacy requirements, security requirements, and breach notification requirements. The OCR makes available its audit protocol for public review online. OCR awarded KPMG a $9.2 million contract to create HIPAA auditing protocols and to handle audits. The government is keen on these audits; audits will increase in the near future.

According to OCR, “To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules.” Be prepared. Do not wait for an audit notice. A few of the many factors potentially relevant if your medical practice or other health care business is selected for the review include:

Is there a signed business associate agreement with each business associate?

Do you encrypt protected health information (PHI)?

Do you have policies and procedures in place for employees (new employees, existing employees, terminated employees, etc.)?

Do you have policies in place with regard to the removal of PHI from the medical practice site (e.g. a smartphone)?

Do you have a written policy for ascertaining and reporting a security breach?

Do your policies cover everything you do with PHI?

Do you really do things consistently with your existing policies?

Continue reading ›


The final Health Insurance Portability and Accountability Act (HIPAA) rule was announced on January 17, 2013, modifying the original 1996 version. The rule becomes effective on March 26, 2013, with full compliance mandated by September 23, 2013. After that, enforcement will commence.

Under the new rule, patients have new rights to their health information, greater privacy protection and the government has increased ability to enforce the law.

It is time to begin implementing a reporting plan for covered entities and business associates. Such a plan should consider four factors. Those factors to be considered in determining whether a breach must be reported include: (1) the type of protected health information (PHI) involved; (2) who used the PHI or to whom the PHI was disclosed; (3) whether the PHI was viewed or acquired; and (4) whether the risk to the PHI was mitigated, such as through assurances by trusted third parties that the PHI was destroyed.

Some other changes to be aware of are:

• Business associates are liable for HIPAA privacy and security rule requirements.

• A business associate includes subcontractors that create, receive, maintain or transmit PHI on the behalf of a business associate.

• Subcontractors for business associates are bound by the same compliance obligations no matter how far away the services are from the covered entity.

• A breach is any wrongful use or disclosure of PHI unless the covered entity or business associate assures that there was no compromise of the PHI or a small chance that it was.

• Covered entities have to protect the PHI of a decedent for 50 years following the date of death.

• Patients can request a copy of their electronic medical record (EMR) in an electronic form.

• For all practical purposes the sale of a patient’s PHI is prohibited without their authorization.

• Penalties are enhanced for noncompliance depending upon the level of culpability up to the civil monetary cap of $1.5 million per violation.

Navigating the expanded HIPAA rule and making certain that you are in compliance by September 23, 2013 can be a daunting task for small and large healthcare businesses, physicians, dentists and hospitals.
Continue reading ›

Contact Information