Privacy & Security Law Blog

Insight & Commentary on Information Management and Protection

Category Archives: Healthcare

Advisory Alert: Latest HIPAA Settlement

Posted in Healthcare

Compliance is an Ongoing Process

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) issued its first settlement under new OCR Director Jocelyn Samuels earlier this month. This latest settlement serves as a reminder that a successful privacy and security compliance program is an ongoing process. Samuels’ statements underscore the importance of monitoring information systems and conducting compliance audits. Samuels calls for entities to “review[] systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.” When it comes to data security, all organizations—from big box retailers to small start-up companies, from large health systems to small provider groups—need to continuously assess risks and vulnerabilities to their data and develop a plan for reducing the risk of a data breach.


Advisory Alert: Refill Reminders and the TCPA

Posted in Healthcare, Marketing and Consumer Privacy

The Telephone Consumer Protection Act (“TCPA”) presents another challenge as health care providers continue to engage patients and seek to meet Meaningful Use reminder objectives. Over the past year, there have been several class action suits alleging that pharmacies’ prescription refill reminders violated the TCPA. One federal trial court recently opined that if the plaintiff provided his cell phone number only for verification purposes, that provision of the cell number cannot be equated to consent to receive automated refill reminders on his cell phone.


Encryption and Securing BYO Devices at the Heart of Massachusetts AG $100,000 Settlement

Posted in Healthcare

The Massachusetts Attorney General announced Friday that her office had reached a settlement with Beth Israel Deaconess Medical Center (BIDMC) surrounding a 2012 data breach in which a physician’s unencrypted personal laptop containing patient and employee information was stolen from BIDMC’s grounds. Under the terms of the settlement, BIDMC agreed to pay a $100,000 fine and take additional measures to ensure compliance with state and federal data security requirements, including encrypting, physically securing and tracking all portable devices, and training employees on how to handle patients’ personal and protected health information (PHI).

In May 2012, a physician’s unencrypted personal laptop was stolen from an unlocked office at BIDMC. Although routinely used for hospital-related business with BIDMC’s knowledge and permission, the laptop was not encrypted or secured as required under BIDMC policy. As a result, the personal information/PHI of nearly 4,000 patients and employees was exposed due to the breach. The Attorney General’s Office later filed suit against BIDMC under Massachusetts consumer protection and data security laws and HIPAA, citing BIDMC’s failure both to adequately secure the laptop and to timely notify patients of the breach.

The data breach at BIDMC and the resulting settlement demonstrate the importance that covered entities ...

Preparing for HIPAA Compliance Audits

Posted in Healthcare

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), the office responsible for administering and enforcing the Health Insurance Portability and Accountability Act of 1996 (HIPAA), will continue to audit HIPAA covered entities and business associates in 2015. OCR conducted its first phase of the HIPAA audit program, known as “the pilot audits,” in 2011 and 2012. Earlier in 2014 OCR announced plans for Phase 2 audits, including plans to audit both covered entities and their business associates. OCR has since delayed its initial timeframe for the Phase 2 audits and has indicated changes to the program, but covered entities and business associates can rest assured: HIPAA audits are coming. After the pilot audits concluded, OCR reported that 56% of audited entities became aware of additional HIPAA requirements as a direct result of being audited. The middle of an OCR HIPAA audit is not the time to be learning about additional HIPAA requirements; instead, covered entities and business associates should review their HIPAA compliance now.

Pilot Audit Program

While the next phase of audits may look very different from the pilot program in a number of ways, the pilot audits still provide a valuable learning ...

Advisory Alert: Ebola or Not, Patient Privacy Must Be Protected

Posted in Healthcare

In the wake of the recent Ebola cases, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has issued a new bulletin reminding HIPAA-covered entities and their business associates that the requirements of the HIPAA Privacy Rule still apply when sharing protected health information (PHI), even in emergency situations. Towards that end, OCR’s bulletin provides guidance on how covered entities can share, use, and disclose critical information under certain situations during a disaster. Hospitals and other covered entities subject to the HIPAA Privacy Rule should consider the bulletin and OCR’s additional guidance on HIPAA in emergency situations as part of any Ebola or disaster preparedness plan.


Advisory Alert: CMS Reopens the Medicare Payment Adjustment Hardship Exception Application Submission Period for Certain Providers and Hospitals

Posted in Healthcare

Centers for Medicare & Medicaid Services (CMS) recently announced the reopening of the submission period for hardship exception applications for eligible professionals and eligible hospitals that have been unable to fully implement 2014 Edition Certified Electronic Health Record Technology (CEHRT) due to availability delays. Qualified providers will now have until Nov. 30, 2014 to submit hardship exception applications to avoid Medicare payment adjustments in 2015.


Advisory: California Extends Its Medical Data Breach Notification Requirement From 5 to 15 Days

Posted in Data Protection, Healthcare

On Sept. 18, 2014, California’s governor approved Assembly Bill 1755, extending California’s stringent breach notification deadline for medical information breaches from five business days to 15 business days for clinics, health facilities, home health agencies, and hospices. This is good news for these healthcare providers, who often found it difficult to investigate reasonably and respond to a potential breach within the five-day period. This law takes effect on Jan. 1, 2015.


Advisory: Starting Oct. 6, Patients Can Access Test Reports Directly From Clinical Laboratories

Posted in Healthcare

On Oct. 6, 2014, a final rule issued jointly by the Centers for Medicare & Medicaid Services (CMS), Centers for Disease Control and Prevention (CDC), and Office for Civil Rights (OCR) will require all HIPAA-covered labs (i.e., labs that conduct certain electronic transactions, such as electronic submission of claims) to provide individuals with direct access to completed test reports and other protected health information (PHI) maintained about the individual. Labs not covered by HIPAA will be permitted, but not required, to provide individuals with direct access to completed test reports. The U.S. Department of Health and Human Services (HHS) cited the lack of direct access to test reports as a barrier to the adoption and widespread use of health information technology.


Advisory: CMS Issues Final Rule Providing Flexibility for Providers Unable to Fully Implement 2014 Technology to Demonstrate Meaningful Use in 2014

Posted in Healthcare

In response to providers being unable to fully implement 2014 Edition certified electronic health record technology (CEHRT) due to limited availability, CMS adopted changes proposed earlier this year through a final rule allowing additional options for the 2014 reporting period and amending the meaningful use stage timeline. Providers who received 2014 Edition CEHRT in time to attest during this program year must still attest to Stage 1 or Stage 2 based on their original timeline using the 2014 CEHRT in order to receive incentive payments and avoid future payment reductions. But the final rule offers additional flexibility to providers who cannot satisfy Stage 2 or revised Stage 1 requirements in program year 2014 because of delays in the availability of 2014 Edition CEHRT.


DWT Advisory: Rhode Island Hospital’s Breach of Health Information Leads to Settlement with Massachusetts Attorney General

Posted in Healthcare

On July 23, 2014, the Massachusetts attorney general announced a settlement with Women & Infants Hospital of Rhode Island (WIH) over the loss of unencrypted backup tapes. WIH agreed to pay $150,000 and undertake numerous compliance measures, including hiring an independent auditor, to resolve allegations that it failed to protect the personal information (PI) and protected health information (PHI) of more than 12,000 Massachusetts patients under HIPAA and Massachusetts’ data security law. The attorney general also alleged that WIH engaged in unfair or deceptive acts or practices by not properly protecting the PI and PHI. This marks the third settlement by the Massachusetts attorney general’s office for allegations that an entity failed to secure its residents’ PHI and PI under HIPAA and state data security laws. This case serves as a good reminder to organizations to know where their identifiable information resides and to properly secure electronic portable media.


Advisory: Appellate Court Rules Medical Information Must Actually Have Been Viewed by an Unauthorized Person for a Plaintiff to Recover Under the California Confidentiality of Medical Information Act

Posted in Data Protection, Healthcare

The California Court of Appeal recently held that in order to recover under California’s Confidentiality of Medical Information Act (CMIA), Civ. Code §§ 56 et seq., a plaintiff must plead and prove that the “stolen medical information was actually viewed by an unauthorized person.” Sutter Health et al. v. The Superior Court of Sacramento County (Atkins), Case No. C072591 (Cal. Ct. App. July 21, 2014). The court held that mere possession of medical information or records by an unauthorized person was insufficient to establish a breach of confidentiality if the unauthorized person has not viewed the records. This case is very good news for California health care providers, because it substantially increases the burden on plaintiffs in health information breach cases, and brings California more in line with other states—where courts often dismiss security breach actions on the distinct but similar basis of a lack of demonstrated harm.


DWT Advisory: New HIPAA Reports to Congress Shed Light on OCR Enforcement

Posted in Healthcare

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued two reports to Congress, as required by the HITECH Act. The compliance report details OCR’s enforcement activities for 2011 and 2012 and sheds light on what covered entities and business associates can expect from OCR going forward. This is not the first signal that OCR’s enforcement efforts are shifting and accelerating. The breach report summarizes the breaches affecting 500 or more individuals and offers a glimpse of what OCR is seeing for breaches affecting fewer than 500 individuals.

HIGHLIGHTS

OCR’s compliance report for 2011-2012

OCR has received approximately 77,000 complaints since the Privacy Rule compliance date (April 14, 2003) as of the end of 2012 and has closed 91% of these complaints. More than half of the complaints OCR receives are closed after a determination that OCR does not have jurisdiction to investigate the matter.

OCR clarifies that it opens compliance reviews for all breaches affecting 500 or more individuals. Additionally, OCR may open compliance reviews in response to notifications of breaches affecting fewer than 500 individuals or as it becomes aware of potential non-compliance (such as through media reports). Unlike complaints, OCR does not provide ...

Stolen Patient Information on Hospital Computer Not Considered “Medical Information” by California Appellate Court

Posted in Healthcare

The California Court of Appeal recently held that the release of an index identifying hospital patients did not constitute the release of medical information under California’s Confidentiality of Medical Information Act (CMIA), Civ. Code, § 56 et seq., because the index contained only demographic information and nothing “regarding a patient’s medical history, mental or physical condition, or treatment.” Eisenhower Medical Center v. Superior Court (Malanche), Case No. E058378 (Cal. Ct. App. May 21, 2014). The Court held that “a health care provider cannot be held liable under the relevant portions of the CMIA for the release of an individual’s personal identifying information that is not coupled with that individual’s medical history, mental or physical condition, or treatment.”


$4.8 Million – Largest HIPAA Settlement to Date

Posted in Healthcare

On May 7, 2014, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) issued a press release announcing that two health care organizations—New York and Presbyterian Hospital (“NYP”) and Columbia University (“CU”)—agreed to resolve charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) privacy and security rules by failing to secure thousands of patients’ electronic protected health information (“ePHI”) on their network. The monetary payments total $4.8 million, which is the largest HIPAA settlement to date. This settlement suggests that OCR is increasing its settlement amounts and expects entities to know where their ePHI is located and how it is being accessed.


New Advisory Examining HHS’s HIPAA Guidance on Mental Health Information

Posted in Healthcare

Be sure to check out our recent advisory discussing the latest HIPAA guidance on mental health information. It discusses how the Department of Health and Human Services addresses frequently asked questions about when it is appropriate for providers to share the protected health information of a patient who is being treated for a mental health condition with family, friends, or others involved in the patient’s care. The guidance was issued to clarify how the HIPAA Privacy Rule strikes a balance between protecting the privacy of individuals’ mental health information and the need to communicate information to others in order to enhance treatment and assure safety. You can read the advisory here.

FTC’s 50th Data Security Settlement Sends a Message: Be Careful with Overseas Contractors

Posted in Cyber and National Security, Healthcare, Litigation

The Federal Trade Commission (FTC) sent a message about the importance of imposing appropriate security measures on—and monitoring—vendors with access to confidential consumer information. The FTC issued a 20-year consent order with GMR Transcription Services (GMR) over its overseas contractor’s data security breach. The decision marks the FTC’s 50th information security settlement and fifth health information complaint (four of which have settled). For health care providers and business associates, the GMR settlement suggests that the FTC has higher expectations than HHS regarding management and oversight of vendors and other downstream subcontractors, especially when these vendors are outside of U.S. jurisdiction. The GMR settlement did not involve security failures by GMR itself, but by a subcontractor, Fedtrans.


It’s Not Enough to Notify: Don’t Forget the Policies, Risk Analyses, and Training

Posted in Healthcare

HIPAA compliance ended with a bang in 2013, with the feds issuing the first settlement involving a health provider’s failure to have breach notification policies and procedures in place. On Dec. 24, 2013, the Department of Health and Human Services Office for Civil Rights (OCR) entered into a Resolution Agreement with Adult & Pediatric Dermatology, P.C. (AP Derm) that included a settlement of $150,000 and a corrective action plan.

HHS Issues Model Privacy Notices: The Good, the Bad, and the Ugly

Posted in Healthcare

By Adam Greene

Just in time for the September 23, 2013, deadline for compliance with the HIPAA Omnibus Rule, the U.S. Department of Health and Human Services (“HHS”) issued a set of model notices of privacy practices for health care providers and group health plans, available at http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html. HIPAA requires covered health care providers and health plans to post, distribute to enrollees and new patients, and make available to everyone such a notice. Business associates of covered entities, who are subject to certain HIPAA privacy and security requirements, are not required to maintain a notice of privacy practices. The new model notices reflect changes required by the Omnibus Rule, but their use is not required and covered entities are free to use notices that they have drafted, so long as they have been updated with changes that the Omnibus Rule requires.

New Advisory Highlights How HIPAA Restricts Covered Entities’ Freedom in Responding to Media Requests and Public Complaints

Posted in Healthcare

Adam Greene has posted a new advisory discussing Shasta Regional Medical Center’s HIPAA settlement with the Department of Health and Human Services’ Office for Civil Rights, arising out of the Center’s use and disclosure of protected health information in attempting to rebut media reports of alleged Medicare fraud. The advisory spotlights the limits that covered entities face in responding to media requests and public patient complaints. You can access the advisory here.

HHS Releases HIPAA Regulations with Updates Incorporating Omnibus Rule Changes

Posted in Healthcare

By:  Adam H. Greene

In January 2013, the U.S. Department of Health and Human Services released the HIPAA Omnibus Rule in the Federal Register, the most significant changes to the HIPAA regulations since they were first promulgated. These changes, however, are not yet reflected in the Code of Federal Regulations. For those of you who have been jumping back and forth between the prior codifications of the HIPAA regulations and the more recent HIPAA Omnibus Rule, there is good news. HHS has released an updated version of the HIPAA regulations, which incorporates the recent changes from the Omnibus Rule. The updated regulations are available here, as an “unofficial version.” The official version will not be available until title 45 of the Code of Federal Regulations is updated, likely in October.

Analysis of New HIPAA “Omnibus Rule”

Posted in Healthcare

Be sure to spend some time with our advisory summarizing and providing guidance on the long-awaited “Omnibus Rule” amendments to the administrative simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA), which the Department of Health and Human Services (HHS) published today in the Federal Register. The advisory explains how the Omnibus Rule implements many privacy and security provisions in the Health Information Technology for Economic and Clinical Health (HITECH) Act and significantly extends HIPAA’s reach and limits. It expands certain HIPAA obligations to business associates and their subcontractors, modifies the breach notification standard, expands patient rights to access and to restrict disclosure of their protected health information (PHI), imposes new rules governing uses and disclosures of PHI, clarifies enforcement approaches, and addresses obligations under the Genetic Information Nondiscrimination Act of 2008 (GINA). The advisory also offers recommendations for steps covered entities should consider in the wake of the Omnibus Rule, and discusses the steps business associates and their affiliates must now take under HIPAA. You can access the advisory here.

HIPAA Omnibus Rule Released

Posted in Healthcare

By Adam Greene and Becky Williams

At long last, after much delay and speculation, the HIPAA Omnibus Rule has been placed on display at the Federal Register in preparation for formal publication. Clocking in at 563 pages, we have to admit that we have not yet fully analyzed it, but it is expected to address:

• The breach notification harm threshold
• Direct liability for business associates
• Covered entity liability for business associates who are agents
• Sale of “protected health information” or “PHI”
• Use and disclosure of PHI for marketing purposes
• Use and disclosure of PHI for fundraising
• Enforcement where noncompliance is due to “willful neglect”
• Use of compound authorizations for research and authorization of future research
• Restrictions on disclosure of PHI to health plans when patient pays out of pocket
• Use and disclosure of genetic information for underwriting purposes by health plans
• Disclosure of student immunization records to schools

We will provide more information in a DWT alert and can address your particular issues after we have had an opportunity to review and analyze the rule.