Recent news articles regarding a New Jersey elementary school’s handling of the enrollment of two new students from Rwanda provided another glimpse of Ebola hysteria and the opportunity for me to follow up on Bill Maruca’s blog about Ebola and HIPAA with yet another (fairly obscure) statutory acronym. When it comes to protecting the privacy… Continue Reading
The deadline for executing a HIPAA Omnibus Rule-compliant Business Associate Agreement (BAA) looms just 2 short weeks from today. What can a busy covered entity (CE) or business associate (BA) do quickly to show HHS (let alone its business partners/contractors) that it wants and fully intends to comply with the new requirements? Here are 3 shortcuts… Continue Reading
The number of large breaches of Protected Health Information (PHI) under HIPAA that have been reported on the so-called “Wall of Shame” (the HHS List) maintained by the U.S. Department of Health and Human Services has jumped by 239 to 885 in less than a year. The most common breach type is “theft” in this… Continue Reading
The recent United States Supreme Court decision in Burwell v. Hobby Lobby Stores, Inc. has attorneys, pundits, policy-makers and businesses (yes, corporations are people, too) pondering big, quintessentially American issues like the free exercise of religion, compelling government interests, and our fundamental right to make money (and, as a corollary issue, what distinguishes for-profit from not-for-profit corporations). … Continue Reading
Michael J. Coco writes: If you have ever bought or sold a business, or you have experience with the process, you are aware of the due diligence efforts and multiple agreements required to close the deal. Transactions involving the sale or purchase of health care related business, such as a medical practice, often take the… Continue Reading
My partner Elizabeth Litten and I were interviewed by Marla Durben Hirsch for her recent article in Medical Practice Compliance Alert entitled “Evaluate Relationships Before Signing Business Associate Agreements.” While the full text can be found in the February 3, 2014 issue of Medical Practice Compliance Alert, the following considerations are based upon points discussed… Continue Reading
Michael J. Coco writes: The expanded requirements under the HIPAA Omnibus Rule for a Business Associate Agreement (“BAA”) has created an increase in volume and the need for analysis of such agreements, as individuals in industries traditionally unrelated to health care – such as IT vendors –find themselves confronting issues respecting a BAA. The increase… Continue Reading
What do you do if you have signed a Business Associate Agreement (BAA) with a covered entity, but are getting protected health information (PHI) from the covered entity in conjunction with health care treatment you provide to the individual? What if another covered entity provider has contracted with you to provide services to that provider’s… Continue Reading
Who you are makes a big difference in how and whether you must protect individually identifiable health information under HIPAA. As we near the end of 2013, I look back at the events of the past year and am struck by the breadth and complexity of the issues we have written about on this blog… Continue Reading
I read a recent Forbes.com post by Rick Ungar (“Claims That Obamacare Website Violates Health Privacy Reveals Embarrassing Fact – GOP Does Not Understand HIPAA or Obamacare”) that revealed a truly embarrassing fact: very few of us really understand HIPAA, let alone the intricacies of the Affordable Care Act (“ACA” or “Obamacare”) and its interplay… Continue Reading
It is noteworthy that there are often substantial delays in disclosures regarding covered entities (“CEs”) that have become marchers in the Parade of large Protected Health Information (“PHI”) security breaches under HIPAA. This is the case even though the PHI breach notification rule requires that, when a PHI breach affects 500 or more individuals (a… Continue Reading
A party (Party) to a HIPAA Business Associate Agreement (BAA) or Subcontractor Agreement (SCA), whether a covered entity (CE), business associate (BA) or subcontractor (SC), may struggle with the question as to whether to agree to, demand, request, submit to, negotiate or permit, an indemnification provision (Provision) respecting the counterparty (Counterparty) under a BAA or… Continue Reading
Where did the time go? Today’s the day – September 23, 2013. This is compliance day for most of the Omnibus Rule changes. I had a feeling this deadline would catch up with me faster than I would be able to blog my 10 tips, so I’m going to count “TIP TWO” as tips TWO… Continue Reading
Unless the Department of Health and Human Services (HHS) makes another last-minute, litigation-inspired decision to delay the September 23, 2013 compliance date, we’re on a 10-day countdown for compliance with most of the Omnibus Rule requirements. In a motion filed jointly with the plaintiff in the U.S. District Court for the District of Columbia on… Continue Reading
This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) ever-lengthening parade list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). As reported in a previous blog post in this series,… Continue Reading
This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) ever-lengthening parade list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Previous blog posts in this series discussed here and here… Continue Reading
Elizabeth Litten and Michael Kline write: For the second time in less than 2 ½ years, the Indiana Family and Social Services Administration (the “FSSA”) has suffered a large breach of protected health information (“PHI”) as the result of actions of a business associate (“BA”). If I’m a resident of Indiana and a client of… Continue Reading
Tamarra Holmes writes: In recent weeks, people all around the world were made aware of a secret U.S. government surveillance program that essentially collects massive amounts of data from the general public through electronic communication providers, such as Facebook, Skype, and Google. The existence of the program, known as PRISM, was leaked by a former National… Continue Reading
In January 2011 this blog series discussed here and here that the University of Rochester Medical Center (“URMC” or the “Medical Center”) became a marcher twice in 2010 in the parade of large Protected Health Information (“PHI”) security breaches. The U.S. Department of Health and Human Services (“HHS”) publishes a list (the “HHS List”), which… Continue Reading
Under HIPAA, where do we draw the line between a run-of-the-mill, ordinary garden variety “security incident” and a “presumed breach” when it comes to reporting PHI events? How do we describe these types of reporting obligations in business associate agreements?
While the summaries of closed investigations posted on the U.S. Department of Health and Human Services list of breaches of unsecured PHI affecting 500 or more individuals continue to provide highly useful information for covered entities, business associates and subcontractors relative to confronting PHI breaches, large and small, they must be analyzed with appropriate care and attention paid to changes brought about by the recently-published Omnibus Rule.
As of January 1, 2013, there were 525 postings on the U.S. Department of Health and Human Services list of breaches of unsecured PHI affecting 500 or more individuals. “Theft” constituted the majority of PHI breach types reported.
A thoughtful reader commented on a recent blog post in this series by highlighting the importance of evaluating the risk of harm by any covered entity that experiences a PHI security breach.
Much has been written about the circumstances surrounding the agreement of Massachusetts Eye and Ear Infirmary (“MEEI”) to pay the U.S. Department of Health and Human Services the sum of $1.5 million to settle potential violations involving an alleged 2010 security breach of PHI under HIPAA. However, relatively little has been written that the 2010 breach was the second of what may be three significant PHI breaches experienced by MEEI within the last three years.