Does your business associate agreement (BAA) reflect your business deal, or is it a bare-bones HIPAA compliance document? Now is the time to check. The HIPAA “Omnibus Rule” published in January of 2013 gave covered entities, business associates, and subcontractors until September 22, 2014 to make their business associate agreements (BAAs) compliant, so use…
My partner Elizabeth Litten was quoted at length by Alexis Kateifides in his recent article in DataGuidance entitled “USA: ‘Unique’ HIPAA violation results in $800,000 settlement.” While the full text can be found in the June 26, 2014 article in DataGuidance.com, the following considerations are based upon points discussed in the article. (Elizabeth herself has…
Is the PHI on all your mobile devices encrypted? If not, here’s another two million reasons to make encryption your top priority. The Office of Civil Rights (OCR) of the Department of Health and Human Services announced on April 22, 2014 that it had imposed nearly $2 million in penalties on two entities as a…
LabMD is not the only company that has tried to buck the FTC’s assertion of authority over data security breaches. Wyndham Worldwide Corp. has spent the past year contesting the FTC’s authority to pursue enforcement actions based upon companies’ alleged “unfair” or “unreasonable” data security practices. On Monday, April 7, 2014, the United States District…
Last week’s Resolution Agreement between the US Department of Health and Human Services, Office for Civil Rights (“HHS”) and a small county in Washington State marks the first time HHS has settled an action against a county government for noncompliance with the Privacy and Security Rules under HIPAA (the “HIPAA Rules”). The Resolution Order with…
My partner Bill Maruca was quoted in Jeff Overley’s article “Historic HIPAA Fine Will Push Feds To Get Tougher” published in Law360 on Friday, February 20, 2014. The article reports on the nearly $7 million fine imposed by the Puerto Rico Health Insurance Administration on a contractor, health plan Triple-S Salud Inc. (“Triple-S”). Bill’s quote sums it…
My partner Elizabeth Litten and I were interviewed by Marla Durben Hirsch for her Medical Practice Compliance Alert article “HIPAA, ICD-10 Among 6 Compliance Trends That Will Affect You in 2014.” While the full text can be found in the January 6, 2014 issue of Medical Practice Compliance Alert, a synopsis is noted below. As we…
Our partner Keith McMurdy posted this analysis of a recent HIPAA settlement involving a physician practice on our Employee Benefits Legal Blog: “HIPAA Failure Results In Penalties: Lack of Compliance the Key,” by Keith R. McMurdy, January 1, 2014, posted in Plan Administration, Welfare Plans. Often, when I am discussing HIPAA privacy compliance, I am…
Who watches the watchdogs to ensure they’re not sleeping on the job? The Office of Inspector General (OIG) of the Department of Health and Human Services has published a report of its review of the Office of Civil Rights’ HIPAA/HITECH Security Rule oversight efforts, and some of the findings are not pretty. The report’s lengthy…
Here’s the official 10th tip to help you comply with today’s Omnibus Rule deadline. However, since I had to make TIP TWO into TIPs TWO through SEVEN when I realized my time was running out, I will continue to blog a few more tips over the coming weeks. I expect that at least a…
Unless the Department of Health and Human Services (HHS) makes another last-minute, litigation-inspired decision to delay the September 23, 2013 compliance date, we’re well into the 10-day countdown for compliance with most of the Omnibus Rule requirements. Here’s “TIP TWO” (however, since I’ve listed 6 specific tips here, I may need to count these as…
Unless the Department of Health and Human Services (HHS) makes another last-minute, litigation-inspired decision to delay the September 23, 2013 compliance date, we’re on a 10-day countdown for compliance with most of the Omnibus Rule requirements. In a motion filed jointly with the plaintiff in the U.S. District Court for the District of Columbia on…
Our partner Keith McMurdy posted a timely summary of the requirements of the HIPAA Omnibus Rule for employers and benefit plan sponsors at his Employee Benefits Legal Blog. It is reproduced below: “Lost in the Shuffle: The September 23 HIPAA Notice Requirements,” by Keith R. McMurdy, September 6, 2013, posted in Plan Administration, Welfare Plans…
With gun violence and mental health concerns in the headlines, the Office of Civil Rights of the Department of Health and Human Services has published a letter to health care providers clarifying when it is permissible to reveal PHI when a patient is reasonably believed to present a serious danger to himself or others. The long-awaited HIPAA…
The first breach settlement announcement of the new year breaks new ground – a $50,000 fine based on theft of a laptop containing 441 patients’ unencrypted data. It’s the first settlement of a breach involving fewer than 500 individuals. There was no indication that any PHI was improperly viewed or accessed. In a press release issued January 2,…
Once again, a healthcare worker’s inability to resist the temptation to snoop in her employer’s medical records has resulted in criminal prosecution. In the latest incident, a Vermont ultrasound technologist improperly accessed the electronic medical records of her husband’s former wife and her children, allegedly over a period of 12 years. The victim, also employed by the…
The settlement in the Accretive Health, Inc. PHI breach case provides a good example of how the blurring of the covered entity and business associate roles can backfire on parties that fail to sufficiently analyze and define such roles, not only at the outset of a relationship but throughout its duration and evolution.
The federal Office of Civil Rights deems it necessary for a covered entity (CE) to verify whether a business associate (BA) is also a covered entity with respect to the CE’s protected health information; in turn, the CE and BA and their respective counsel should use the verification process to develop provisions in the business associate agreement.
Ever wonder about those HIPAA breaches that affect fewer than 500 individuals and don’t get posted on the government website known as the “Wall of Shame”? In a recent presentation to the Hospital Council of Western Pennsylvania, officials from the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) provided…
Many people who have been in the unfortunate situation of believing that their protected health information (PHI) has been compromised inappropriately are surprised and deeply disappointed to learn that the HIPAA law does not provide a “private right of action.”
The recent Department of Health and Human Services (“HHS”) resolution with the Alaska Department of Health and Social Services, the state Medicaid agency (“Alaska Medicaid”), which includes the payment by Alaska Medicaid to HHS of $1.7 million respecting possible violations of HIPAA, raises questions about HHS exacting payments from a state agency that uses taxpayer funds to pay for medical care for the Alaska indigent.
To avoid becoming marchers in the Breach Parade, covered entities and business associates should be aware of the tools the federal Office of Civil Rights and State Attorneys General are using to deter and catch HIPAA privacy and security breaches, tools that may be similar to the red light cameras designed to deter and catch traffic violations.
Late last week I had the opportunity to speak with Colin O’Keefe of LXBN TV regarding Phoenix Cardiac Group, P.C.—a two-physician practice—joining the parade of practices being punished for PHI HIPAA security breaches. In the short interview, I explain the background of the case, why this is an unprecedented step for Health and Human Services…
Remember Huping Zhou, the UCLA researcher sentenced to prison for snooping through the health records of celebrities and co-workers? A federal appeals court has upheld his conviction and rejected his defense attorney’s position that the prosecution had not alleged that he had known he was violating HIPAA when he accessed the records. The court determined that the only…