Archives: HIPAA/HITECH

The First Rule of How to Survive a HIPAA Audit: Be Prepared

2015 brings with it the start of the HHS Office for Civil Rights random audit program to assess compliance with the HIPAA privacy, security and breach notification rules. It is anticipated that 300-400 business associates will be the subject of a desk audit, and that an undisclosed number of lucky business associates and covered entities will be chosen for intensive, on-site audits. Remember: if your business provides services to a healthcare entity covered by HIPAA, you are likely a business associate.

So, here’s the question: are you audit-ready?

In a free webinar, Mintz Levin’s Dianne Bourque will walk you through how to prepare now in the event that you are one of the chosen.

Save the date: Wednesday, January 28, 2015, 1:00 PM ET / 10:00 AM PT

Registration information will follow!

…a cumbersome C-A-P

Written by Dianne Bourque

The U.S. Department of Health and Human Services Office for Civil Rights has received tremendous publicity in recent years for its upward-trending fines and aggressive enforcement of HIPAA violations. Seven-figure fines are becoming the norm for serious violations; for example, in May of this year, OCR fined a hospital and university a combined total of $4.8 million for their separate HIPAA violations. While the risk of steep fines and bad publicity should be sufficient motivation for regulated entities to maintain a robust HIPAA compliance program, there is another aspect of HIPAA enforcement that receives far less media attention but can be just as onerous: the corrective action plan, or “CAP.”

Much like a year-long membership in the Jelly of the Month Club, the CAP is the gift that keeps on giving – the whole year. Actually, most CAPs spread the cheer for at least three years following an initial OCR settlement. For the 10th Day of Privacy, we take a closer look at the CAP. Continue reading: On the Tenth Day of Privacy, OCR Gave to Me…

When is “sharing” too much of a good thing? And will it get worse for health care systems in 2015? Read on…

Written by Stephanie D. Willis

Data sharing has become a point of sharp focus in the efforts to improve the quality and efficiency of health services in the United States. Given all that has happened in health care privacy (e.g., higher than ever penalties under the Health Insurance Portability and Accountability Act (HIPAA) and the involvement of more government agencies in the enforcement of privacy violations), next year promises to be an important one for health care and privacy, particularly for integrated health care systems.

So what are the challenges that integrated health care systems should anticipate in 2015 and beyond as they try to streamline the fragmented care model that has dominated for so long in the United States? Continue reading: On The Eighth Day of Privacy, Health Care Systems (Over)Shared Data

Written by Stephanie Willis

This week, the HHS Office of Civil Rights (OCR) issued a bulletin (Bulletin) to remind covered entities and business associates that “the protections of the Privacy Rule are not set aside during an emergency.” 

The Bulletin’s information on appropriate disclosures and protections under emergency circumstances is especially timely in the wake of the United States’ recent experience with disclosing information about patients diagnosed with and treated for Ebola and enterovirus D68. Because the HIPAA Privacy Rule only provides a very limited waiver of sanctions and penalties against a covered hospital for acts during a public health or other emergency under the Project Bioshield Act and section 1135(b)(7) of the Social Security Act (and only if the U.S. President declares a public health emergency or disaster and the Secretary of HHS declares a public health emergency), covered entities and business associates cannot afford to abandon HIPAA’s privacy and security mandates. Continue reading: OCR Issues New Bulletin on Ensuring Privacy in Public Health Emergencies

Written by: Dianne Bourque, Kimberly Gold, Kate Stewart, and Stephanie D. Willis

(Original post in Mintz Levin’s Health Law & Policy Matters blog)

As a service to our readers, we have distilled last week’s joint HHS Office of Civil Rights (OCR) and National Institute of Standards and Technology (NIST) conference, “Safeguarding Health Information: Building Assurance through HIPAA Security,” into three phrases: (i) risk assessment, (ii) workforce training, and (iii) adequate encryption. For those of you willing to read on, we elaborate on them below and provide our view on the important takeaways from the conference. Continue reading: Notes from the Joint OCR/NIST HIPAA Security Conference

Happy autumnal equinox — http://www.skyandtelescope.com/astronomy-news/observing-news/autumnal-equinox-2014-arrives-09222014/

Home Depot Breach – By the Numbers

56 million cards at risk (compare to Target = 40 million)

$62 million in estimated costs (compare to Target = $146 million and counting)

$27 million insurance coverage (compare to Target = $100 million in cover)

Lawsuits filed – at least 1 in US and 1 in Canada

Filed 8-K with Securities and Exchange Commission on September 8 (Took Target 2 months to file)

Continue reading: Privacy Monday – September 22, 2014

Written by Julia Siripurapu, CIPP/US and Dianne J. Bourque

Community Health Systems, Inc. (the “Company”), one of the largest hospital organizations in the country, announced via a public filing (Form 8-K) made yesterday with the Securities and Exchange Commission (“Report”) that the Company was the target of a cyber attack that compromised the health data of 4.5 million individuals. The Company operates 206 general acute care hospitals in 29 states with approximately 31,100 licensed beds.

According to the Report, the Company and its forensic expert, Mandiant, confirmed last month that the Company’s computer network was attacked in April and June 2014 by an “Advanced Persistent Threat” group that was traced back to China. Using highly sophisticated malware and technology, the attacker bypassed the Company’s security measures, copied protected health information (“PHI”), including names, addresses, birthdates, telephone numbers and social security numbers of individuals referred to or treated at hospitals operated by the Company in the last five years, and transferred it outside the Company. The Company disclosed in the Report that it is providing the notifications required under state breach notification laws and HIPAA to the individuals affected by the attack and to the applicable regulatory agencies, and will offer identity theft protection services to affected individuals. The Company also disclosed that, immediately prior to the filing of the Report, it “completed eradication of the malware from its systems and finalized the implementation of other remediation efforts that are designed to protect against future intrusions of this type.”

The Company’s announcement of the breach, posted on its website in accordance with HITECH requirements (the “Posting”), locates the breach at Community Health Systems Professional Services Corporation (“CHSPSC”), a Tennessee company that provides management, consulting and information technology services to clinics and hospital-based physicians. CHSPSC may be a business associate of the Company, although neither the Report nor the Posting confirmed CHSPSC’s status. The Posting provided additional information regarding breach remediation efforts, which also include audit and surveillance technology to detect unauthorized intrusions, the adoption of advanced encryption technologies, and requiring users to change access passwords. If these security measures were lacking prior to the breach, it will be an important fact in any ensuing enforcement by the Office for Civil Rights in connection with the breach.

This data breach ranks as the second-largest breach of medical data in the country to date, when compared to breaches of medical data affecting more than 500 individuals reported by the U.S. Department of Health & Human Services.

Reposted from Mintz Levin’s Health Law & Policy Matters blog

The American Bar Association Health Law Section’s July 2014 eSource publication includes an article by Dianne Bourque, Kimberly Gold, and Stephanie Willis that provides examples of how risk assessments under the Breach Notification Rule have changed since the HIPAA Omnibus Rule went into effect in September 2013. The examples analyzed in this article involve two situations that often stymie health care providers: 1) appropriate disclosures to law enforcement and 2) sending appointment reminders to patients.

Covered entities and business associates having difficulty distinguishing the old “harm standard” and the new Omnibus Rule analysis should understand that the latter clearly imposes a rebuttable presumption that a breach of protected health information will require notification to affected individuals and the government, except under narrow circumstances. As the article concludes, “striking a balance between an inquiry that meets the risk assessment’s requirements but that minimizes the over-reporting of breaches will be a challenge that covered entities and business associates will need to address” for years to come.

Mintz Levin’s Privacy team constantly monitors the HHS Office of Civil Rights’ enforcement and monitoring activities and writes posts noting trends in the area of HIPAA compliance, so keep checking the blog for current health care privacy and security news.

Written by Kevin McGinty

It’s an ancient conundrum: if a tree falls in the forest, and no one is there to hear it, does it make a sound? Privacy litigation may well offer the closest jurisprudential equivalent: if data is stolen, but no one does anything with it, has there been an injury? A recent Illinois state court decision is the latest to answer the latter question in the negative. Continue reading: Even in Privacy Cases, Risk of Injury Does Not Always Equal Injury

Written by Dianne J. Bourque (reprinted from Mintz Levin’s Health Law & Policy Matters blog)

The most recent Office for Civil Rights (“OCR”) HIPAA enforcement action serves as an important reminder to health care providers of the security risks associated with a mishandled medical records custody transfer, and of the risks of leaving paper records in the driveway. The enforcement action and ensuing settlement – an $800,000 fine and corrective action plan – was levied against Parkview Health System, Inc. (“Parkview”), a provider of community-based health care services. In 2008, Parkview took custody of the paper medical records of 5,000 – 8,000 patients in connection with a physician’s retirement and in anticipation of purchasing some of the physician’s practice. In 2009, perhaps after the transaction fell through (although the Parkview Resolution Agreement does not specify), Parkview left 71 boxes of these medical records unattended in the driveway of the physician’s home, which, according to OCR, was within 20 feet of a public road and a short distance from a heavily trafficked public shopping area.

Medical records custody transfers are extremely common in health care transactions such as asset purchases or sales, or when a health care provider is retiring or leaving a practice. Medical records custody agreements ensure that records are maintained for legally required time periods to facilitate ongoing patient care, payment, audit, and other purposes. Providers should take care to ensure that, in addition to retention and availability, custody arrangements ensure the ongoing security of medical records in any form. Paper records should be secured in accordance with HIPAA standards, for example, stored in a locked facility with physical safeguards consistent with HIPAA standards. Storage in a retiring physician’s driveway, abandoned office space, public storage facility, or other unsecured physical location is inconsistent with HIPAA standards. Records in electronic form must be protected in accordance with the HIPAA Security Rule. Both the transferring and the recipient provider should carefully consider technical security measures, who will have electronic access to the records, and how that access will occur. Failure to address these important considerations risks not only a breach but aggressive enforcement by OCR.