I was recently asked whether the sending of an unencrypted group email to participants in a health-related support group violated HIPAA. Faithful blog readers can guess my first question: “Was the sender a covered entity, business associate, or subcontractor?” Many support group entities are non-profit organizations staffed by volunteers and do not meet the definition
Which Privacy Protections Apply? HIPAA, FERPA and Ebola
Recent news articles regarding a New Jersey elementary school’s handling of the enrollment of two new students from Rwanda provided another glimpse of Ebola hysteria and the opportunity for me to follow up on Bill Maruca’s blog about Ebola and HIPAA with yet another (fairly obscure) statutory acronym. When it comes to protecting the privacy
Countdown to September 22nd — Shortcuts for Business Associate Agreement Compliance
The deadline for executing a HIPAA Omnibus Rule-compliant Business Associate Agreement (BAA) looms just 2 short weeks from today. What can a busy covered entity (CE) or business associate (BA) do quickly to show HHS (let alone its business partners/contractors) that it wants and fully intends to comply with the new requirements? Here are 3
The Parade of Major Reported PHI Breaches Surges to 885 – Theft and Loss Dominate the Numbers
The number of large breaches of Protected Health Information (PHI) under HIPAA that have been reported on the so-called “Wall of Shame” (the HHS List) maintained by the U.S. Department of Health and Human Services has jumped by 239 to 885 in less than a year. The most common breach type is “theft” in this
Hobby Lobby, HIPAA and Happy Independence Day
The recent United States Supreme Court decision in Burwell v. Hobby Lobby Stores, Inc. has attorneys, pundits, policy-makers and businesses (yes, corporations are people, too) pondering big, quintessentially American issues like the free exercise of religion, compelling government interests, and our fundamental right to make money (and, as a corollary issue, what distinguishes for-profit
When the Long Arm of HIPAA Reaches into Mergers, Acquisitions and Asset Sales of Health Care Practices
Michael J. Coco writes:
If you have ever bought or sold a business, or you have experience with the process, you are aware of the due diligence efforts and multiple agreements required to close the deal. Transactions involving the sale or purchase of health care related business, such as a medical practice, often take the
More on Considerations for Entering into or Revising Business Associate Agreements
My partner Elizabeth Litten and I were interviewed by Marla Durben Hirsch for her recent article in Medical Practice Compliance Alert entitled “Evaluate Relationships Before Signing Business Associate Agreements.” While the full text can be found in the February 3, 2014 issue of Medical Practice Compliance Alert, the following considerations are based upon points
“Boilerplate” Provisions in Business Associate Agreements Warrant Attention
Michael J. Coco writes:
The expanded requirements under the HIPAA Omnibus Rule for a Business Associate Agreement (“BAA”) has created an increase in volume and the need for analysis of such agreements, as individuals in industries traditionally unrelated to health care – such as IT vendors –find themselves confronting issues respecting a BAA. The increase
Springing, Shifting, and Slip-Sliding Business Associate Agreements
What do you do if you have signed a Business Associate Agreement (BAA) with a covered entity, but are getting protected health information (PHI) from the covered entity in conjunction with health care treatment you provide to the individual? What if another covered entity provider has contracted with you to provide services to that provider’s
Avoiding a HIPAA Identity Crisis in 2014
Who you are makes a big difference in how and whether you must protect individually identifiable health information under HIPAA. As we near the end of 2013, I look back at the events of the past year and am struck by the breadth and complexity of the issues we have written about on this blog