Privacy & Security Law Blog

Insight & Commentary on Information Management and Protection

Category Archives: Healthcare

Advisory Alert: Ebola or Not, Patient Privacy Must Be Protected

Posted in Healthcare

In the wake of the recent Ebola cases, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has issued a new bulletin reminding HIPAA-covered entities and their business associates that the requirements of the HIPAA Privacy Rule still apply when sharing protected health information (PHI), even in emergency situations. Towards that end, OCR’s bulletin provides guidance on how covered entities can share, use, and disclose critical information under certain situations during a disaster. Hospitals and other covered entities subject to the HIPAA Privacy Rule should consider the bulletin and OCR’s additional guidance on HIPAA in emergency situations as part of any Ebola or disaster preparedness plan.

Advisory Alert: CMS Reopens the Medicare Payment Adjustment Hardship Exception Application Submission Period for Certain Providers and Hospitals

Posted in Healthcare

Centers for Medicare & Medicaid Services (CMS) recently announced the reopening of the submission period for hardship exception applications for eligible professionals and eligible hospitals that have been unable to fully implement 2014 Edition Certified Electronic Health Record Technology (CEHRT) due to availability delays. Qualified providers will now have until Nov. 30, 2014 to submit hardship exception applications to avoid Medicare payment adjustments in 2015.

Advisory: California Extends Its Medical Data Breach Notification Requirement From 5 to 15 Days

Posted in Data Protection, Healthcare

On Sept. 18, 2014, California’s governor approved Assembly Bill 1755, extending California’s stringent breach notification deadline for medical information breaches from five business days to 15 business days for clinics, health facilities, home health agencies, and hospices. This is good news for these healthcare providers, who often found it difficult to investigate reasonably and respond to a potential breach within the five-day period. This law takes effect on Jan. 1, 2015.

Advisory: Starting Oct. 6, Patients Can Access Test Reports Directly From Clinical Laboratories

Posted in Healthcare

On Oct. 6, 2014, a final rule issued jointly by the Centers for Medicare & Medicaid Services (CMS), Centers for Disease Control and Prevention (CDC), and Office for Civil Rights (OCR) will require all HIPAA-covered labs (i.e., labs that conduct certain electronic transactions, such as electronic submission of claims) to provide individuals with direct access to completed test reports and other protected health information (PHI) maintained about the individual. Labs not covered by HIPAA will be permitted, but not required, to provide individuals with direct access to completed test reports. The U.S. Department of Health and Human Services (HHS) cited the lack of direct access to test reports as a barrier to the adoption and widespread use of health information technology.

Advisory: CMS Issues Final Rule Providing Flexibility for Providers Unable to Fully Implement 2014 Technology to Demonstrate Meaningful Use in 2014

Posted in Healthcare

In response to providers being unable to fully implement 2014 Edition certified electronic health record technology (CEHRT) due to limited availability, CMS adopted changes proposed earlier this year through a final rule allowing additional options for the 2014 reporting period and amending the meaningful use stage timeline. Providers who received 2014 Edition CEHRT in time to attest during this program year must still attest to Stage 1 or Stage 2 based on their original timeline using the 2014 CEHRT in order to receive incentive payments and avoid future payment reductions. But the final rule offers additional flexibility to providers who cannot satisfy Stage 2 or revised Stage 1 requirements in program year 2014 because of delays in the availability of 2014 Edition CEHRT.

DWT Advisory: Rhode Island Hospital’s Breach of Health Information Leads to Settlement with Massachusetts Attorney General

Posted in Healthcare

On July 23, 2014, the Massachusetts attorney general announced a settlement with Women & Infants Hospital of Rhode Island (WIH) over the loss of unencrypted backup tapes. WIH agreed to pay $150,000 and undertake numerous compliance measures, including hiring an independent auditor, to resolve allegations that it failed to protect the personal information (PI) and protected health information (PHI) of more than 12,000 Massachusetts patients under HIPAA and Massachusetts’ data security law. The attorney general also alleged that WIH engaged in unfair or deceptive acts or practices by not properly protecting the PI and PHI. This marks the third settlement by the Massachusetts attorney general’s office for allegations that an entity failed to secure its residents’ PHI and PI under HIPAA and state data security laws. This case serves as a good reminder to organizations to know where their identifiable information resides and to properly secure electronic portable media.

Advisory: Appellate Court Rules Medical Information Must Actually Have Been Viewed by an Unauthorized Person for a Plaintiff to Recover Under the California Confidentiality of Medical Information Act

Posted in Data Protection, Healthcare

The California Court of Appeal recently held that in order to recover under California’s Confidentiality of Medical Information Act (CMIA), Civ. Code §§ 56 et seq., a plaintiff must plead and prove that the “stolen medical information was actually viewed by an unauthorized person.” Sutter Health et al. v. The Superior Court of Sacramento County (Atkins), Case No. C072591 (Cal. Ct. App. July 21, 2014). The court held that mere possession of medical information or records by an unauthorized person was insufficient to establish a breach of confidentiality if the unauthorized person has not viewed the records. This case is very good news for California health care providers, because it substantially increases the burden on plaintiffs in health information breach cases, and brings California more in line with other states—where courts often dismiss security breach actions on the distinct but similar basis of a lack of demonstrated harm.

DWT Advisory: New HIPAA Reports to Congress Shed Light on OCR Enforcement

Posted in Healthcare

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued two reports to Congress, as required by the HITECH Act. The compliance report details OCR’s enforcement activities for 2011 and 2012 and sheds light on what covered entities and business associates can expect from OCR going forward. This is not the first signal that OCR’s enforcement efforts are shifting and accelerating. The breach report summarizes the breaches affecting 500 or more individuals and offers a glimpse of what OCR is seeing for breaches affecting fewer than 500 individuals.

HIGHLIGHTS

OCR’s compliance report for 2011-2012

OCR has received approximately 77,000 complaints since the Privacy Rule compliance date (April 14, 2003) as of the end of 2012 and has closed 91% of these complaints. More than half of the complaints OCR receives are closed after a determination that OCR does not have jurisdiction to investigate the matter.

OCR clarifies that it opens compliance reviews for all breaches affecting 500 or more individuals. Additionally, OCR may open compliance reviews in response to notifications of breaches affecting fewer than 500 individuals or as it becomes aware of potential non-compliance (such as through media reports). Unlike complaints, OCR does not provide ...

Stolen Patient Information on Hospital Computer Not Considered “Medical Information” by California Appellate Court

Posted in Healthcare

The California Court of Appeal recently held that the release of an index identifying hospital patients did not constitute the release of medical information under California’s Confidentiality of Medical Information Act (CMIA), Civ. Code, § 56 et seq., because the index contained only demographic information and nothing “regarding a patient’s medical history, mental or physical condition, or treatment.” Eisenhower Medical Center v. Superior Court (Malanche), Case No. E058378 (Cal. Ct. App. May 21, 2014). The Court held that “a health care provider cannot be held liable under the relevant portions of the CMIA for the release of an individual’s personal identifying information that is not coupled with that individual’s medical history, mental or physical condition, or treatment.”

$4.8 Million – Largest HIPAA Settlement to Date

Posted in Healthcare

On May 7, 2014, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) issued a press release announcing that two health care organizations—New York and Presbyterian Hospital (“NYP”) and Columbia University (“CU”)—agreed to resolve charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) privacy and security rules by failing to secure thousands of patients’ electronic protected health information (“ePHI”) on their network. The monetary payments total $4.8 million, which is the largest HIPAA settlement to date. This settlement suggests that OCR is increasing its settlement amounts and expects entities to know where their ePHI is located and how it is being accessed.

New Advisory Examining HHS’s HIPAA Guidance on Mental Health Information

Posted in Healthcare

Be sure to check out our recent advisory discussing the latest HIPAA guidance on mental health information. It discusses how the Department of Health and Human Services addresses frequently asked questions about when it is appropriate for providers to share protected health information of a patient who is being treated for a mental health condition with family, friends, or others involved in the patient’s care. The guidance was issued in order to clarify how the HIPAA Privacy Rule operates to strike a balance between protecting the privacy of individuals’ mental health information and the need to communicate information to others in order to enhance treatment and assure safety. You can read the advisory here.

FTC’s 50th Data Security Settlement Sends a Message: Be Careful with Overseas Contractors

Posted in Cyber and National Security, Healthcare, Litigation

The Federal Trade Commission (FTC) sent a message about the importance of imposing appropriate security measures on—and monitoring—vendors with access to confidential consumer information. The FTC issued a 20-year consent order with GMR Transcription Services (GMR) over its overseas contractor’s data security breach. The decision marks the FTC’s 50th information security settlement and fifth health information complaint (four of which have settled). For health care providers and business associates, the GMR settlement suggests that the FTC has higher expectations than HHS regarding management and oversight of vendors and other downstream subcontractors, especially when these vendors are outside of U.S. jurisdiction. The GMR settlement did not involve security failures by GMR itself, but by a subcontractor, Fedtrans.

It’s Not Enough to Notify: Don’t Forget the Policies, Risk Analyses, and Training

Posted in Healthcare

HIPAA compliance ended with a bang in 2013, with the feds issuing the first settlement involving a health provider’s failure to have breach notification policies and procedures in place. On Dec. 24, 2013, the Department of Health and Human Services Office for Civil Rights (OCR) entered into a Resolution Agreement with Adult & Pediatric Dermatology, P.C. (AP Derm) that included a settlement of $150,000 and a corrective action plan.

HHS Issues Model Privacy Notices: The Good, the Bad, and the Ugly

Posted in Healthcare

By Adam Greene

Just in time for the September 23, 2013, deadline for compliance with the HIPAA Omnibus Rule, the U.S. Department of Health and Human Services (“HHS”) issued a set of model notices of privacy practices for health care providers and group health plans, available at http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html. HIPAA requires covered health care providers and health plans to post, distribute to enrollees and new patients, and make available to everyone such a notice. Business associates of covered entities, who are subject to certain HIPAA privacy and security requirements, are not required to maintain a notice of privacy practices. The new model notices reflect changes required by the Omnibus Rule, but their use is not required and covered entities are free to use notices that they have drafted, so long as they have been updated with changes that the Omnibus Rule requires.

New Advisory Highlights How HIPAA Restricts Covered Entities’ Freedom in Responding to Media Requests and Public Complaints

Posted in Healthcare

Adam Greene has posted a new advisory discussing Shasta Regional Medical Center’s HIPAA settlement with the Department of Health and Human Services’ Office for Civil Rights, arising out of the Center’s use and disclosure of protected health information in attempting to rebut media reports of alleged Medicare fraud. The advisory spotlights the limits that covered entities face in responding to media requests and public patient complaints. You can access the advisory here.

HHS Releases HIPAA Regulations with Updates Incorporating Omnibus Rule Changes

Posted in Healthcare

By:  Adam H. Greene

In January 2013, the U.S. Department of Health and Human Services released the HIPAA Omnibus Rule in the Federal Register, the most significant changes to the HIPAA regulations since they were first promulgated. These changes, however, are not yet reflected in the Code of Federal Regulations. For those of you who have been jumping back and forth between the prior codifications of the HIPAA regulations and the more recent HIPAA Omnibus Rule, there is good news. HHS has released an updated version of the HIPAA regulations, which incorporates the recent changes from the Omnibus Rule. The updated regulations are available here, which is the “unofficial version.” The official version will not be available until title 45 of the Code of Federal Regulations is updated, likely in October.

Analysis of New HIPAA “Omnibus Rule”

Posted in Healthcare

Be sure to spend some time with our advisory summarizing and providing guidance on the long-awaited “Omnibus Rule” amendments to the administrative simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA), which the Department of Health and Human Services (HHS) published today in the Federal Register. The advisory explains how the Omnibus Rule implements many privacy and security provisions in the Health Information Technology for Economic and Clinical Health (HITECH) Act and significantly extends HIPAA’s reach and limits. It expands certain HIPAA obligations to business associates and their subcontractors, modifies the breach notification standard, expands patient rights to access and to restrict disclosure of their protected health information (PHI), imposes new rules governing uses and disclosures of PHI, clarifies enforcement approaches, and addresses obligations under the Genetic Information Nondiscrimination Act of 2008 (GINA). The advisory also offers recommendations for steps covered entities should consider in the wake of the Omnibus Rule, and discusses the steps business associates and their affiliates must now take under HIPAA. You can access the advisory here.

HIPAA Omnibus Rule Released

Posted in Healthcare

By Adam Greene and Becky Williams

At long last, after much delay and speculation, the HIPAA Omnibus Rule has been placed on display at the Federal Register in preparation for formal publication.  Clocking in at 563 pages, we have to admit that we have not yet fully analyzed it, but it is expected to address:

• The breach notification harm threshold
• Direct liability for business associates
• Covered entity liability for business associates who are agents
• Sale of “protected health information” or “PHI”
• Use and disclosure of PHI for marketing purposes
• Use and disclosure of PHI for fundraising
• Enforcement where noncompliance is due to “willful neglect”
• Use of compound authorizations for research and authorization of future research
• Restrictions on disclosure of PHI to health plans when patient pays out of pocket
• Use and disclosure of genetic information for underwriting purposes by health plans
• Disclosure of student immunization records to schools

We will provide more information in a DWT alert and can address your particular issues after we have had an opportunity to review and analyze the rule.

Small Data Breach Leads to $50,000 HHS Settlement for Hospice

Posted in Healthcare

By Adam H. Greene, JD, MPH

In what HHS declares as “the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals,” the Office for Civil Rights (OCR) reached a $50,000 settlement and two-year corrective action plan with the Hospice of Northern Idaho regarding the theft of a hospice laptop containing health information of 441 patients. (Only in the world of HIPAA can you have “unprotected … protected” information.) OCR’s press release, continuing a recent trend, emphasized the importance of encrypting mobile devices, conducting a risk analysis, and implementing policies and procedures to address mobile device security.

The press release also emphasizes that OCR is willing to take aggressive actions against entities of any size that fail to safeguard patient information. The $50,000 resolution amount, though, is far below the average of approximately $900,000, suggesting that the size of the organization will play a much larger role than the nature of the incident when determining settlement amounts. For example, OCR recently reached a settlement of $100,000 with a small physician practice for an allegedly widespread lack of information security safeguards, while it reached a $1.5 million settlement with a larger hospital over a ...

HHS Creates Mobile Device Privacy and Security Website: High Expectations for Mobile Device Security

Posted in Healthcare

By Adam H. Greene, JD, MPH

The U.S. Department of Health and Human Services recently posted a website focusing on mobile devices and health information privacy and security at http://www.healthit.gov/mobiledevices. The website includes five videos on mobile device security, tip sheets and frequently asked questions and answers on mobile device security, a five-step process for addressing mobile devices within a healthcare organization, and downloadable posters promoting mobile security.

New Advisory on HIPAA De-Identification Guidance

Posted in Healthcare

Check out our recent advisory describing the New HIPAA Guidance on De-Identifying Health Information. In it, Adam Greene explains that the HHS Office for Civil Rights released guidance on how health information may be de-identified, which allows covered entities and business associates to reduce their exposure to HIPAA and expand their use of health data. The guidance teaches two key lessons – specifically, that health information generally is considered individually identifiable unless certain stringent requirements are met, and that using an appropriate expert can provide ways to de-identify information while retaining important properties that otherwise might be lost through other methods of de-identification. The advisory can be accessed here.

Three New Major HIPAA Announcements

Posted in Healthcare

By Adam Greene

The past week has brought a number of developments with respect to HIPAA. The long-awaited finalization of a number of modifications to HIPAA remains on hold as the Office of Management and Budget posted that it has extended its review of the draft regulations. The HHS Office for Civil Rights (“OCR”), which administers and enforces HIPAA, published the audit protocol that is being used in OCR’s current privacy and security audits. The protocol includes the key areas of the audits, the types of questions that will be asked, and the types of documentation that will be reviewed. The protocol leaves a lot of ambiguity, however, by failing to provide much detail about the standards against which audited entities are judged. Finally, OCR announced a $1.7 million settlement against Alaska’s Medicaid agency. The investigation was triggered by the theft of a portable hard drive that may have contained protected health information, but led to OCR finding allegedly widespread noncompliance with the Security Rule. It shows that no covered entities are immune from a sizable settlement under HIPAA, and that relatively small breaches may unearth large HIPAA problems during the subsequent investigation. More information about these developments is available ...