In our most recent post, the Top 5 Common HIPAA Mistakes to Avoid in 2018, we noted that the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) has recently published guidance on disclosing protected health information (PHI) related to overdose victims. OCR published this and other guidance within the last two months in response to the Opioid Crisis gripping the nation and confusion regarding when and to whom PHI of patient’s suffering from addiction or mental illness may be disclosed.

Pills and capsules on white backgroundTo make the guidance easily accessible to patients and health care professionals, OCR published two webpages, one dedicated to patients and their family members and the other dedicated to professionals.

  • Patients and their family members can find easy-to-read commentary addressing the disclosure of PHI in situations of overdose, incapacity or other mental health issues here.
  • Physicians and other health care professionals can find similar fact sheets tailored to their roles as covered entities here.
  • OCR also recently issued a two-page document summarizing its guidance on when health care professionals may disclose PHI related to opioid abuse and incapacity [accessible here].

The main points from this guidance include:

  1. If a patient has the capacity to make decisions regarding his or her health care, a health care professional may not generally share any PHI with family, friends or others involved in the patient’s care (or payment for care), unless the patient consents to such disclosure.  However, a health care professional may disclose PHI if there is a serious and imminent threat of harm to the patient’s health and the provider in good faith believes that the individual to whom the information is disclosed would be reasonably able (or in a position) to prevent or lessen such threat. According to OCR, in the context of opioid abuse, this rule allows a physician to disclose information about the patient’s opioid abuse to any individual to whom the physician in good faith believes could reasonably prevent or lessen the harm that could be caused by the patient’s continued opioid abuse following discharge.
  2. If the patient is incapacitated or unconscious, HIPAA allows health care professionals to disclose certain PHI to family and close friends without a patient’s permission where (i) the individuals are involved in the care of the patient, (ii) the health care professional determines that disclosing the information is in the best interests of the patient, and (iii) the PHI shared is directly related to the family or friend’s involvement in the patient’s health care (or payment for such health care). As an example, OCR clarified that a physician may, in his or her professional judgment, share PHI regarding an opioid overdose and related medical information with the parents of someone who is incapacitated due to an overdose.
  3. OCR also addressed the difficult situation where a patient is severely intoxicated or unconscious, but may regain sufficient capacity to make health care decisions several hours after arriving in the emergency room.   In such situations, HIPAA would allow a physician or nurse to share PHI related to the patient’s overdose and medical condition with the patient’s family or close personal friends while the patient is incapacitated, so long as the nurse or doctor believes that it is in the patient’s best interest to do so and the information shared with the family member or friend is related to the individual’s involvement in the patient’s health care.

OCR published similar guidance, available at the above websites, regarding the disclosure of PHI related to the mental health of a patient.  Included in that guidance is clarification that HIPAA does not prohibit treating physicians from sharing PHI of a patient with a mental illness or substance use disorder for treatment purposes, except in the case of psychotherapy notes.

However, it is important to understand that OCR’s guidance on these issues does not supersede state laws or other federal laws or rules of medical ethics that would apply to disclosure of a patient’s PHI, including the federal confidentiality regulations [located at 42 CFR Part 2] pertaining to patient records maintained in connection with certain federally-assisted substance use disorder treatment programs.  The “Part 2” regulations (as well as state patient confidentiality laws that are more restrictive than HIPAA) could prohibit some or all of the disclosures which OCR has now clarified are permitted under HIPAA.

If you have a question regarding how this new guidance may affect your practice, please contact a knowledgeable attorney.

Elizabeth G. Litten, Partner, Fox Rothschild LLPOn November 9, the Florida Supreme Court ruled in the case of Emma Gayle Weaver, etc. v. Stephen C. Myers, M.D., et al., that the right to privacy under the Florida Constitution does not end upon an individual’s death. Fox partner and HIPAA Privacy & Security Officer Elizabeth Litten recently reacted to the decision in an article in Data Guidance. She noted the decision’s compatibility with HIPAA regulations concerning the protected health information of a deceased patient. She also discussed certain elements of the Florida statutes that were deemed unconstitutional by the court, and how they differ from HIPAA’s judicial and administrative proceedings disclosure rules.

We invite you to read the article and Elizabeth’s remarks.

Long gone are the days when social media consisted solely of Myspace and Facebook, accessible only by logging in through a desktop computer at home or personal laptop. With every single social media platform readily available on personal cellular devices, HIPAA violations through social media outlets are becoming a frequent problem for healthcare providers and individual employees alike. In fact, social media platforms like Snapchat® and Instagram® that offer users the opportunity to post “stories” or send their friends temporary “snaps” seem to be a large vehicle for HIPAA violations, specifically amongst the millennial generation.

Megaphone and social media illustrationIn a recent poll by CNBC of the younger-end of the millennial generation, CNBC found that a majority of teens ranked Snapchat and Instagram among their top three favorite apps.  One teen claimed that they enjoyed the “instant gratification” of having a quick conversation, and another teen even stated that “Snapchat is a good convenient way to talk to friends (sharing pictures) but you can say things you would regret later because they disappear (I don’t do that though).”

This dangerous and erroneous mentality, while prevalent in teens, exists to some extent among the younger generation of nurses, residents, and other employees working for healthcare providers. With just a few taps and swipes, an employee can post a seemingly innocuous disclosure of PHI. Interns and residents of the younger generation may innocently upload a short-term post (be it a picture for two-seconds or an eight-second long video) of a busy hospital room or even an innocent “selfie” without realizing that there is visible and identifiable PHI in the corner. Two major categories of HIPAA violations have become apparent to me in relation to Snapchat and Instagram Stories and HIPAA: (1) The innocent poster, as described above, who does not realize there is PHI in their post; or (2) The poster who knows that their picture or video could constitute a HIPAA violation, but posts it anyway because they think it’s “temporary”.

The first category of violators are employees who do not realize that they’re violating HIPAA but can still be punished for such behavior. Think of a resident deciding to post a picture on their “Snapchat story” of a cluttered desk during a hectic day at work, not realizing that there are sensitive documents in clear view. Again, whether the resident meant to or not, he or she still violated HIPAA.

The second category of violators think that they’re safe from HIPAA violations, but don’t realize that their posts may not be as temporary as they think. Let us imagine a nursing assistant, working at an assisted-living facility, “snapping” a video of an Alzheimer’s patient because the patient “was playing tug of war with her and she thought it was funny.”  The story only lasts 24 hours on the nursing assistant’s Snapchat “story”, but it is still a clear breach of HIPAA. In this case (a true story), the nursing assistant was fired from the facility and a criminal complaint was filed against her.

Violations in this category do not even need to be as severe as the one in the scenario with the nursing assistant. An employee at a hospital taking a “snap” with one of their favorite patients and sending it to just one friend on Snapchat directly (instead of posting it on their “story”) is a violation because that friend could easily take a screenshot of the “snap”. In fact, any “snap” is recordable by a receiving party; all the receiving party would have to do is press and hold the home button in conjunction with the side button on their iPhone. Voila, now a third-party has PHI saved on their phone, and worse yet, that third-party can distribute the PHI to the world on any number of social media outlets.

Snapchat posts and Instagram stories are not temporary. In fact, in 2014, Snapchat experienced a security breach that released 100,000 Snapchat photos.  The hack – cleverly called “The Snappening” – involved hackers who released a vast database of intercepted Snapchat photos and videos that they had been amassing for years.  In that instance, the hackers acquired the files from a third-party site called “Snapsave.com”, which allowed users to send and receive “snaps” from a desktop computer and stored them on their servers. Snapchat argued back then that it was not in fact their own server which was hacked, but currently the app does allow users to save “snaps” on their phone and on the application before sending them to their friends or stories. This change was made in 2016. Where are those pictures being saved? Could hackers get their hands on them?

The appeal of “instant gratifications” and “temporary conversations” is what makes social media platforms such as Snapchat and Instagram dangerous to healthcare providers. To avoid HIPAA violations of this nature, it is important to inform and educate employees, especially of the millennial generation, of the dangers of posting pictures that they think are temporary. I have an anonymous friend at the age of 26 who is a resident at a hospital that completely disabled her ability to access G-mail through her phone. While this method is a severe solution to a growing issue, and not absolutely necessary, healthcare providers should definitely consider other creative ways to keep their younger employees off their social media apps.

Our partner Elizabeth Litten and I were recently featured again by our good friend Marla Durben Hirsch in her article in the April 2017 issue of Medical Practice Compliance Alert entitled “Business associates who farm out work create more risks for your patients’ PHI.” Full text can be found in the April, 2017 issue, but a synopsis is below.

In her article Marla cautioned, “Fully one-third of the settlements inked in 2016 with OCR [the Office of Civil Rights of the U.S. Department of Health and Human Services] dealt with breaches involving business associates.” She pointed out that the telecommuting practices of business associates (“BAs”) and their employees with respect to protected health information (“PHI”) create heightened risks for medical practices that are the covered entities (“CEs”) — CEs are ultimately responsible not only for their own HIPAA breaches but for HIPAA breaches of their BAs as well.

Kline observed, “Telecommuting is on the rise and this trend carries over to organizations that provide services to health care providers, such as billing and coding, telehealth providers, IT support and law firms.” Litten commented, “Most business associate agreements (BAAs) merely say that the business associate will protect the infor­mation but are not specific about how a business associate will do so, let alone how it will when PHI is off site.”

Litten and Kline added, “OCR’s sample business associate agreement is no dif­ferent, using general language that the business associate will use ‘appropriate safeguards’ and will ensure that its subcontractors do so too.”

Kline continued, “You have much less control over [these] people, who you don’t even know . . . . Moreover, frequently practices don’t even know that the business associate is allowing staff or subcontractors to take patient PHI off site. This is a collateral issue that can become the fulcrum of the relationship. And one loss can be a disaster.”

Some conclusions that can be drawn from Marla’s article include the following items which a CE should consider doing  when dealing with BAs:

  1. Select BAs with due care and with references where possible.
  2. Be certain that there is an effective BAA executed and in place with a BA before transmitting any PHI.
  3. Periodically review and update BAAs to ensure that they address changes in technology such as telecommuting, mobile device expansion and PHI use and maintenance practices.
  4. Ask questions of BAs to know where they and their employees use and maintain PHI, such as on laptops, personal mobile devices or network servers, and what encryption or other security practices are in place.
  5. Ask BAs what subcontractors (“SCs”) they may use and where the BAs and SCs are located (consider including a provision in BAAs that requires BAs and their SCs to be legally subject to the jurisdiction of HIPAA, so that HIPAA compliance by the CE and enforcement of the BAA can be more effective).
  6. Transmit PHI to the BA using appropriate security and privacy procedures, such as encryption.
  7. To the extent practicable, alert the BA in advance as to when and how transmission of PHI will take place.
  8. Obtain from each BAA a copy of its HIPAA policies and procedures.
  9. Maintain a readily accessible archive of all BAAs in effect to allow quick access and review when PHI issues arise.
  10. Have a HIPAA consultant available who can be contacted promptly to assist in addressing BA issues and provide education as to best practices.
  11. Document all actions taken to reduce risk from sharing PHI with BAs, including items 1 to 10 above.

Minimizing risk of PHI breaches by a CE requires exercising appropriate control over selection of, and contracting and ongoing interaction with, a BA. While there can be no assurance that such care will avoid HIPAA breaches for the CE, evidence of such responsible activity can reduce liability and penalties should violations occur.

It may not come as a surprise that Congressman Tom Price, MD (R-GA), a vocal critic of the Affordable Care Act who introduced legislation to replace it last spring, was selected to serve as Secretary of the U.S. Department of Health and Human Services (HHS) in the Trump administration. What may come as a bit of a surprise is how Price’s proposed replacement bill appears to favor transparency over individual privacy when it comes to certain health care claim information.

Section 601 of the “Empowering Patients First” bill (Bill) would require a health insurance issuer to send a report including specific claim information to a health plan, plan sponsor or plan administrator upon request (Report). The Bill would require the Report to include all information available to the health insurance issuer that is responsive to the request including … protected health information [PHI] … .”

Since a “plan sponsor” includes an employer (in the case of an employee benefit plan established or maintained by the employer), the Bill would entitle an employer to receive certain PHI of employees and employees’ dependents, as long as the employer first certifies to the health insurance issuer that its plan documents comply with HIPAA and that the employer, as plan sponsor, will safeguard the PHI and limit its use and disclosure to plan administrative functions.

The Report would include claim information that would not necessarily be PHI (such as aggregate paid claims experience by month and the total amount of claims pending as of the date of the report), but could also include:

“A separate description and individual claims report for any individual whose total paid claims exceed $15,000 during the 12-month period preceding the date of the report, including the following information related to the claims for that individual –

(i) a unique identifying number, characteristic or code for the individual;

(ii) the amounts paid;

(iii) the dates of service; and

(iv) applicable procedure and diagnosis codes.”

After reviewing the Report and within 10 days of its receipt, the plan, plan sponsor, or plan administrator would be permitted to make a written request for additional information concerning these individuals. If requested, the health insurance issuer must provide additional information on “the prognosis or recovery if available and, for individuals in active case management, the most recent case management information, including any future expected costs and treatment plan, that relate to the claims for that individual.”

Price transparency has been studied as a potentially effective way to lower health care costs, and employers are often in a difficult position when it comes to understanding what they pay, as plan sponsors, to provide health insurance coverage to employees and their families.   Laws and tools that increase the transparency of health care costs are desperately needed, and the Empowering Patients First bill valiantly attempts to create a mechanism whereby plan sponsors can identify and plan for certain health care costs. On the other hand, in requiring the disclosure of procedure and diagnosis codes to employers, and in permitting employers to obtain follow-up “case management” information, the bill seems to miss the HIPAA concept of “minimum necessary”. Even if an employer certifies that any PHI it receives will be used only for plan administration functions, employees might be concerned that details regarding their medical condition and treatments might affect employment decisions unfairly and in ways prohibited by HIPAA.

If Dr. Price steps up to lead HHS in the coming Trump administration, let’s hope he takes another look at this Section from the perspective of HHS as the enforcer of HIPAA privacy protections.

What you might have thought was not a big breach (or a big deal in terms of HIPAA compliance), might end up being a big headache for covered entities and business associates. In fact, it’s probably a good idea to try to find out what “smaller” breaches your competitors are reporting (admittedly not an easy task, since the “Wall of Shame” only details breaches affecting the protected health information (PHI) of 500 or more individuals).

Subscribers to the U.S. Department of Health and Human Services Office of Civil Rights (OCR) listserv received an announcement a couple of weeks ago that OCR would begin to “More Widely Investigate Breaches Affecting Fewer than 500 Individuals”. The announcement states that the OCR Regional Offices investigate all reported breaches involving PHI of 500 or more individuals and, “as resources permit”, investigate breaches involving fewer than 500.  Then the announcement warns that Regional Offices will increase efforts “to identify and obtain corrective action to address entity and systemic noncompliance” related to these “under-500” breaches.

Regional Offices will still focus these investigations on the size of the breach (so perhaps an isolated breach affecting only one or two individuals will not raise red flags), but now they will also focus on small breaches that involve the following factors:

*          Theft or improper disposal of unencrypted PHI;

*          Breaches that involve unwanted intrusions to IT systems (for example, by hacking);

*          The amount, nature and sensitivity of the PHI involved; and

*          Instances where numerous breach reports from a particular covered entity or business associate raise similar concerns

If any of these factors are involved in the breach, the reporting entity should not assume that, because the PHI of fewer than 500 individuals was compromised in a single incident, OCR is not going to pay attention. Instead, whenever any of these factors relate to the breach being reported, the covered entity (or business associate involved with the breach) should double or triple its efforts to understand how the breach occurred and to prevent its recurrence.  In other words, don’t wait for the OCR to contact you – promptly take action to address the incident and to try to prevent it from happening again.

So if an employee’s smart phone is stolen and it includes the PHI of a handful of individuals, that’s one thing. But if you don’t have or quickly adopt a mobile device policy following the incident and, worse yet, another employee’s smart phone or laptop is lost or stolen (and contains unencrypted PHI, even if it only contains that of a small handful of individuals), you may be more likely to be prioritized for investigation and face potential monetary penalties, in addition to costly reporting and compliance requirements.

This list of factors really should come as no surprise to covered entities and business associates, given the links included in the announcement to recent, well-publicized OCR settlements of cases involving smaller breaches.  But OCR’s comment near the very end of the announcement, seemingly made almost in passing, is enough to send chills down the spines of HIPAA compliance officers, if not induce full-blown headaches:

Regions may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.”

In other words, if the hospital across town is regularly reporting hacking incidents involving fewer than 500 individuals, but your hospital only reported one or two such incidents in the past reporting period, your “small breach” may be the next Regional Office target for investigation. It will be the covered entity’s (or business associate’s) problem to figure out what their competitors and colleagues are reporting to OCR by way of the “fewer than 500” notice link.

The aftermath of the Orlando nightclub tragedy has led to much discussion about ways that healthcare providers can and should deal with compliance with health information privacy requirements in the face of disasters that injure or sicken many individuals in a limited time frame. One aspect is the pressure to treat patients while simultaneously fulfilling the need to supply current and relevant information to family, friends and the media about patient status without breaching HIPAA by improperly disclosing protected health information (PHI).

Our partner Elizabeth Litten has already posted a prior blog entry on some HIPAA issues that surfaced in the Orlando disaster. She and I were recently featured again by our good friend Marla Durben Hirsch in her article in the August, 2016 issue of Medical Practice Compliance Alert entitled “After Orlando: Keep family, friends informed without violating HIPAA.” Full text can be found in the August, 2016 issue, but a synopsis is below.

Some of the tips provided by Litten and Kline in the article include the following:

  1. Kline: Review and update your practice’s disaster/emergency plan. “[Orlando] was such a disaster, and [there was an appearance created that] the hospital didn’t approach it with calmness and a professional approach.”
  2. Litten: One of the easily forgotten parts of HIPAA is that a covered entity can exercise professional discretion. “It’s best if the patient can agree [to the disclosure]. But if the patient can’t give consent, the provider has ways to provide information and exercise that discretion.” Kline added, “So there’s no need for a HIPAA waiver; the rule anticipates such situa­tions.”
  3. Litten: Make sure that the practice’s desig­nated spokesperson is knowledgeable about HIPAA. “This includes what can and can’t be divulged to friends, family members and the media.
  4. Litten: Educate clinicians on professional discretion. “Remember when disclosing information to view it through the eyes of the patient. If you reasonably believe that a patient would want the information communicated, it’s OK. The professional is acting as proxy for a patient who can’t speak.” 
  5. Kline: Share contact information so staff can quickly get guidance from the practice’s compliance officer, especially during emer­gency situations. “For instance, a clinician being bombarded in the emergency department may have a question regarding whether she can tell a patient’s relative that the patient has been treated and released (she can).”
  6. Kline: Add this information to your practice’s HIPAA compliance program. “If you have policies and procedures on this, docu­ment that training occurred, and [if it] can show you attempted to comply with HIPAA, a court would be very hard pressed to find liability if a patient later claims invasion of privacy.” 
  7. Kline: Don’t discriminate. “So clinicians exercis­ing their professional discretion in informing friends and family members need to be gender neutral and objective.”
  8. Kline and Litten: Train administrative staff about HIPAA. “Not only should medical staff know the rules, but so should other staff members such as front desk staff, managers and billing personnel. It’s pretty bad when the head of a hospital is so uninformed about HIPAA that he provides misinformation to the mayor.”
  9. Kline and LittenHighlight the limitations of the disclosure. “You can’t go overboard and reveal more than is allowed. For instance, a provider can tell a friend or family member about an incapacitated patient’s location, general condition or death. But that doesn’t mean that he can divulge that the lab tests indicate the patient has hepatitis. HIPAA also requires that a disclosure be made only of information that’s ‘minimally necessary.'”

Planning ahead by healthcare providers can help them comply with HIPAA if a disaster situation occurs to keep family and friends informed as to patient status, while contemporaneously carrying out their most important tasks: saving lives, alleviating pain and providing quality care to victims. This approach, however, combined with a good helping of common sense and professionalism, is not confined to disasters – it should be the practice of providers for non-emergent situations as well.

 

We blogged on this back in early May, but compliance with individuals’ rights to access their PHI under HIPAA is even more critical now that OCR has announced that its current HIPAA audits will focus on an audited Covered Entity’s documentation and process related to these access rights.

In an email sent to listserv participants on July 12, 2016 from OCR-SECURITY-LIST@LIST.NIH.GOV, the U.S. Department of Health and Human Services (HHS) included the following list of areas of focus for the desk audits:

Requirements Selected for Desk Audit Review
Privacy Rule
Notice of Privacy Practices & Content Requirements  [§164.520(a)(1) & (b)(1)]
Provision of Notice – Electronic Notice   [§164.520(c)(3)]
Right to Access  [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)]
Breach Notification Rule
Timeliness of Notification  [§164.404(b)]
Content of Notification  [§164.404(c)(1)]
Security Rule
Security Management Process —  Risk Analysis  [§164.308(a)(1)(ii)(A)]
Security Management Process — Risk Management  [§164.308(a)(1)(ii)(B)]

As discussed in our prior post, HHS issued guidance regarding individuals’ rights to access PHI earlier this year. Here is a link to this PHI access guidance:  Individuals’ Right under HIPAA to Access their Health Information | HHS.gov

The HHS access guidance stresses that Covered Entities should provide individuals with “easy access” to their PHI and cannot impose “unreasonable measures” on the individuals with respect to this right to access. The HHS access guidance provides important information regarding the different rules that apply when an individual provides a signed authorization for release of their PHI versus when an individual is really making a request for access to his or her PHI.

If an individual is asking for the PHI to be provided to him or her, this is really a request for access even if the individual is providing a signed authorization for release of the PHI.

If the individual is asking the PHI to be directed to a third party, this can be either a situation when a signed authorization is needed or can be an access request, depending on who is really originating the request (the individual or the third party). A Covered Entity cannot require an individual to provide a signed authorization to make an access request.  A Covered Entity can require that the access request be in writing and can require use of a form as long as it does not impose undue burden on the individual’s right to access.

The HHS access guidance also indicates that if an individual requests that his or her PHI be provided by email, the Covered Entity is required to do so and further, if the individual requests in writing that the PHI be provided by unsecure, unencrypted email, the Covered Entity is required to do so after notifying the individual in writing of the risks of this method of transmission. (This notice can be included on the access request form.)

As a result of the HHS access guidance, a Covered Entity may need to review and amend its HIPAA Privacy Policies and Procedures governing individual rights with respect to access to PHI, the form it uses for individual access requests, and its employee training protocols to be sure employees aren’t requiring a patient  (or member, in the case of a health plan Covered Entity) to sign an authorization form when the patient is requesting access to PHI.

Jessica Forbes Olson and T.J. Lang write:

In Part 1, we noted that on March 21, 2016, the Office of Civil Rights (“OCR”) announced it will launch a second round of HIPAA audits this year. As with the first round of audits, in round two OCR will be reviewing compliance with HIPAA Privacy, Security and Breach Notification rules. New for this round, the 2016 audits will focus on covered entities, including health care providers and health insurers, and their business associates.

A HIPAA compliance checklist for health care providers and insurers follows:

  • Determine whether for HIPAA purposes you are a hybrid entity, an affiliated covered entity or part of an organized health care arrangement. Document that status.
  • Appoint a HIPAA privacy official.
  • Appoint a HIPAA security official.
  • Appoint a HIPAA privacy contact person who will handle complaints and respond to the exercise of patient or participant rights.
  • Determine where PHI is located, whether hard copy, electronic, or spoken.
  • Determine the reasons why PHI is used or disclosed (e.g., treatment, payment, health care operations, public health reasons, public policy reasons, to government agencies or officials).
  • Determine which departments and workforce members have access to PHI, why they have such access and the level of access needed.
  • Identify and document the routine requests, uses and disclosures of PHI and the minimum necessary for those requests, uses and disclosures.
  • Identify all business associates: vendors that create, maintain, use or disclose PHI when performing services for your entity.
  • Have executed business associate agreements with all business associates.
  • Have and follow written HIPAA privacy, security and breach notification policies and procedures.
  • Train all workforce members who have access to PHI on the policies and procedures and document the training.
  • Have and use a HIPAA-compliant authorization form.
  • Have and follow process for verifying the status of personal representatives.
  • Distribute a notice of privacy practices and providers must attempt to obtain acknowledgment of receipt of notice from patients and post one in each facility where patients can view it.
  • Establish and document reasonable administrative, technical and physical safeguards for all PHI, including hard copy and spoken PHI.
  • Conduct and document a HIPAA security risk analysis for all electronic PHI (e.g., PHI on desktops, laptops, mobile phones, iPads and other electronic notebooks, copy machines, printers, discs and thumb drives).
  • Address risks to ePHI that are identified in the HIPAA security risk analysis.
  • Update your HIPAA security risk analysis periodically or when there is a material change in your environment that does or could impact PHI or if there are changes in the law impacting PHI.
  • Encrypt PHI to fall within the breach safe harbor.
  • Have written disaster recovery and contingency plans.
  • Prepare for and respond to security incidents and breaches.
  • Comply with HIPAA standard transactions and code set rules related to electronic billing and payment.
  • Although it will not be covered by the audits, comply with more stringent state privacy and security laws (e.g., document retention; patient consent; breach reporting).
  • Maintain HIPAA compliance documentation in written or electronic form for at least 6 years from the date the document was created or last in effect.

For more information about OCR audits or assistance in conducting a HIPAA compliance review, please contact any member of the Fox Rothschild Health Law practice group.


Jessica Forbes Olson is a partner and TJ Lang is an associate, both resident in the firm’s Minneapolis office.

Jessica Forbes Olson and T.J. Lang write:

HIPAA and Health Records
Copyright: zimmytws / 123RF Stock Photo

On March 21, 2016, the Office of Civil Rights (“OCR”) announced it will launch a second round of HIPAA audits during 2016. As with the first round of audits, in round two OCR will be reviewing compliance with HIPAA Privacy, Security and Breach Notification rules. New for this round, the 2016 audits will focus on covered entities, including health care providers and health insurers, and their business associates.

The round two audits will occur in three phases: desk audits of covered entities, desk audits of business associates, and finally, follow-up onsite reviews. It is reported OCR will conduct about 200 total audits; the majority of which will be desk audits.

OCR has already begun the process of identifying the audit pool by contacting covered entities and business associates via email.  Health care providers,   insurers and their business associates should be on the lookout for automated emails from OCR which are being sent to confirm contact information. A response to the OCR email is required within 14 days. OCR instructed covered entities and business associates to check their spam or junk email folders to verify that emails from OCR are not erroneously identified as spam.

After the initial email, OCR will send a pre-audit questionnaire to entities it may choose to audit. Receiving a pre-audit questionnaire does not guarantee your entity will be audited. The purpose of the questionnaire is to gather information about entities and their operations, e.g., number of employees, level of revenue, etc. The questionnaire will also require covered entities to identify all of their business associates. Health care providers and insurers who have not inventoried business associates should do so now.

Entities who fail to respond to the initial OCR email or questionnaire will still be eligible for audit. OCR will use publicly available information for unresponsive entities to create its audit pool.

OCR will then, in the “coming months,” randomly select entities to audit and notify them via email that they have been selected for audit.

Health care providers, health insurers and business associates should check their HIPAA compliance status before they are contacted by OCR. Once selected for an audit, entities will only have 10 business days to provide the requested information to OCR.

Recent OCR enforcement activity has shown that noncompliance with HIPAA can be costly:

  • A Minnesota-based hospital entered into a $1.55 million settlement for failure to implement one business associate agreement and failure to conduct a HIPAA security risk analysis;
  • A teaching hospital of a university in Washington entered into a $750,000 settlement for failure to conduct an enterprise-wide HIPAA security risk analysis;
  • An insurance holding company based in Puerto Rico entered into a $3.5 million settlement for failure to implement a business associate agreement, conduct a HIPAA security risk analysis, implement security safeguards and for an improper disclosure of protected health information (“PHI”);
  • A radiation oncology physician practice in Indiana entered into a $750,000 settlement for failure to conduct a HIPAA security risk analysis and implement security policies and procedures.

If you receive any communications from OCR, please contact a member of the Fox Rothschild Health Law practice group immediately. A proactive review of your HIPAA compliance status can identify potential gaps and minimize the risk of potential penalties.

In Part 2, we’ll provide a HIPAA compliance checklist for healthcare providers and insurers. Stay tuned!


Jessica Forbes Olson is a partner and TJ Lang is an associate, both resident in the firm’s Minneapolis office.