Tag Archive for: HIPAA

HIPAA Safe Harbor Bill | Tahlia Clement

The HIPAA Safe Harbor Bill: A New Incentive for Organizations to Prioritize Security


On January 5, 2021, the President signed H.R. 7898, The HIPAA Safe Harbor Bill, into law. This new legislation amends the HITECH act to require the Department of Health and Human Services (HHS) to incentivize best-practice cybersecurity for meeting HIPAA requirements.

Previously, organizations that experienced cyberattacks were subject to HIPAA enforcement actions, including severe penalties and fines, regardless of the cybersecurity practices those organizations had in place. Now, H.R. 7898 specifically requires that, when calculating fines or penalties arising from a cyberattack, HHS evaluate whether the organization had been using recognized security practices during the previous 12 months. However, the law also expressly states that it does not give HHS the authority to increase fines, or to expand the scope of an audit, when an organization is found to be out of compliance with recognized security practices.

According to the law, “the Term ‘recognized security practices’ means the standards, guidelines, best practices, methodologies, procedures, and processes developed under…the NIST Act, the approaches promulgated under… the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”

This new law is important since the healthcare industry continues to be the most impacted sector when it comes to cyberattacks. The healthcare industry accounted for 79 percent of all reported data breaches from January to November 2020, and attacks against healthcare organizations increased overall by 45 percent between November 2020 and January 2021. In addition, HIPAA violation fines can range from $100 per violation all the way up to $59,522 per violation. Since these fines are calculated on a “per violation” basis, in 2020 the fines imposed ranged from $3,500 to $6,850,000, with multiple fines imposed totaling over $1,000,000.

A recent example is the $4,300,000 fine imposed on the University of Texas M.D. Anderson Cancer Center for violations of HIPAA and the HITECH Act. However, on January 14, 2021, the United States Court of Appeals for the Fifth Circuit vacated the fine, stating that it was “arbitrary, capricious, and otherwise unlawful.” The Court held that HIPAA does not require entities to use “bulletproof protection” and found instead that M.D. Anderson had adopted sufficient security practices. This case shows that courts, too, are now looking at an entity’s security practices when determining whether a HIPAA violation fine is reasonable.

For more information about your entity’s cybersecurity risks and HIPAA compliance, reach out to one of FGHW’s healthcare attorneys. Our attorneys have extensive experience with reviewing and analyzing HIPAA and cybersecurity practices to determine if they comply with recognized security practices under the new law. If your cybersecurity practices are not up to the new standards, FGHW’s attorneys can assist in implementing practices that are compliant.


Dallas Attorney Tahlia Clement

Tahlia Clement’s primary practice areas are marketing, advertising and promotions law, health law, internet law, and general business transactions. Tahlia graduated from SMU Dedman School of Law and holds a B.A. in journalism and mass communications from Arizona State University.

HIPAA and COVID-19

The HIPAA-Potamus in the Room: HIPAA During the COVID-19 Pandemic


In light of the novel COVID-19 pandemic, it is now more important than ever to make sure you are complying with patient privacy requirements. HIPAA, HITECH, and state laws all impact the responsibilities of health care providers and their business associates regarding the treatment and disclosure of confidential medical and health records. The HIPAA Security Rule, in particular, requires that covered entities keep electronically-stored Protected Health Information in a manner that maintains the records’ confidentiality, integrity, and availability. Even during the pandemic, covered health care providers must do the following:

  • Carefully identify potential risks and vulnerabilities;
  • Protect against reasonably-anticipated threats or hazards to the security of confidential information;
  • Protect against reasonably-anticipated impermissible uses or disclosures;
  • Ensure compliance by their employees; and
  • Provide access to usable electronically-stored Protected Health Information to authorized persons on demand. 

However, on March 15, 2020, the Secretary of the U.S. Department of Health and Human Services (HHS) waived certain provisions of the HIPAA Privacy Rule. HHS will waive sanctions and penalties arising from a hospital’s noncompliance with the following:

  • The requirement to obtain a patient’s agreement to speak with family members or friends;
  • The requirement to honor a patient’s request to opt out of the facility directory;
  • The requirement to distribute a notice of privacy practices;
  • The patient’s right to request privacy restrictions; and
  • The patient’s right to request confidential communications.

The waiver applies only to hospitals in an emergency area as identified in a public health emergency declaration, that have instituted a disaster protocol. In addition, the waiver only lasts for seventy-two hours after the disaster protocol is initiated.

Moreover, under a public health emergency, like the current COVID-19 pandemic, the HIPAA Security Rule does allow covered entities and business associates to disclose Protected Health Information in the following situations, even if the covered entity or business associate does not apply for the recent waiver:

  • Protected Health Information about the patient as necessary to treat the patient or to treat a different patient;
  • To a public health authority that is authorized by law to collect or receive such information;
  • To persons at risk of contracting or spreading a disease if other law authorizes it to prevent or control the spread of the disease or carry out public health activities;
  • To a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care;
  • To a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death; or
  • With anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law and the provider’s standards of ethical conduct.

It is also important to remember that HIPAA requires a risk analysis and security assessment when any of the following has occurred:

  • The entity has experienced a security incident;
  • A change in ownership;
  • Turnover in key staff; or
  • The entity is planning to incorporate new technology.

Healthcare activities are being affected by the current COVID-19 crisis, and one or more of the aforementioned triggers may occur. If so, a risk analysis may be called for.

During this pandemic, HIPAA, HITECH, and state medical privacy laws are still applicable and, even with waivers, care should be exercised in all patient privacy matters.

For more information, contact Board Certified health care attorney Scott Chase.


Scott Chase, JD, has practiced health law, corporate law, and intellectual property law for more than 40 years. Mr. Chase is Board Certified in Health Law by the Texas Board of Legal Specialization. Mr. Chase is a partner at Farrow-Gillespie Heath Witter, LLP. His primary practice focus is business transactions for physicians and healthcare facilities, as well as healthcare regulatory issues, such as the Affordable Care Act, HIPAA and peer review. Mr. Chase handles general corporate matters and trademark/copyright issues for physicians and also for a variety of non-healthcare clients.

Legal Documents for Your College Checklist

While shopping for extra-long twin sheets and plush mattress pads for your soon-to-be college freshman, consider adding these items to your checklist:

  1. Financial Power of Attorney (POA)
  2. Medical Power of Attorney (MPOA)
  3. Health Insurance Portability & Accountability Act (HIPAA) Authorization

You are probably wondering why your barely-an-adult child needs these documents. Most high school grads have already turned or are about to turn eighteen. When a child turns eighteen, he or she becomes a legal adult. The law considers adult children capable of making their own decisions and permits them full legal privacy. Your rights as legal guardian have ended.

This new legal independence can create hurdles for you and your ability to provide assistance to your adult child. For example, imagine if your child needs medical attention but the doctor refuses to speak to you about your child’s condition because of HIPAA concerns. With a HIPAA authorization, the doctor is allowed to inform you of your child’s condition. Furthermore, what if there are immediate medical decisions that need to be made, but your child is unconscious? If you are the appointed agent under a Medical Power of Attorney, you are able to make those critical and important medical decisions. These documents can be a part of the ultimate care package for your newly-minted young adult.      

Financial Power of Attorney

The first document to add to your college student’s shopping cart is the financial power of attorney (“POA”). In a POA, the principal (your child) appoints an agent (you) to make financial and related decisions or actions on behalf of him or her in the event of need. For example, the POA gives you the authority to continue signing for your child for banking and tax purposes.

Medical Power of Attorney

An MPOA appoints an agent to make medical related decisions on behalf of or for the principal.

HIPAA Authorization

A HIPAA authorization permits doctors and healthcare providers to share health information with a list of individuals authorized by the principal. Otherwise, HIPAA law generally prohibits medical personnel from discussing your adult child’s health information with you.  

Customization Options

Each document can be customized to fit your child’s needs. The powers and decisions given to an agent under the POA and MPOA can be as broad or as limited as the principal specifies. For example, the power to handle tax matters can be granted under the POA while the power to handle digital assets and the content of electronic communications can be withheld. Under the HIPAA authorization, the information authorized to be provided to individuals can be as limited as the principal prefers. Each one of these documents can be drafted to be effective only for a certain period of time, such as for the four years of your child’s college career.

There are countless scenarios in which these documents can be of great help during your child’s journey through adulthood. Without these documents, you may be denied the ability to help your child and be forced to get court approval when time is of the essence. The estate planning attorneys at Farrow-Gillespie Heath Witter LLP can help you check these important documents off your to-do list at an affordable fixed fee. Please contact us for further information.


Amanda Brenner | Farrow-Gillespie & Heath LLP | Estate Planning

Attorney Amanda Brenner’s primary practice areas are estate planning, business formations, and nonprofit organizations. Ms. Brenner graduated from University of Pittsburgh School of Law in 2015.

Farrow-Gillespie Heath Witter

The CCPA: California’s Follow-up to the GDPR


Illustration by legal assistant Charles Jackson

Following the enactment of the European Union’s GDPR, California has passed the California Consumer Privacy Act of 2018 (CCPA), which will go into effect January 1, 2020. The CCPA is intended to protect California residents’ personal information, which is defined as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes identifiers such as name or email address, commercial information, personal property records or purchase history, biometric information, search history, professional information, and educational information. However, the CCPA does not apply to information already regulated under HIPAA, the Gramm-Leach-Bliley Act, the FCRA, or the Driver’s Privacy Protection Act.

The CCPA applies to companies that:

  • Conduct business in California
  • Collect the personal information of California residents
  • Satisfy at least one of the following:
    • Produce annual gross revenues in excess of $25,000,000
    • Buy, receive, sell, share, or a combination thereof, the personal information of 50,000 or more consumers, households, or devices for commercial purposes
    • Obtain 50% or more of their annual revenue from selling, releasing, or renting consumer personal information to a third party for monetary consideration

Under the CCPA, California residents will know what information companies are collecting about them, why the data is being collected, and with whom they are sharing the data. California residents will have the power to demand that their data is deleted and not stored, and that their data cannot be sold or shared with any third parties. Further, California residents can opt out of a company’s terms of service without losing access to its offerings. The CCPA also restricts companies from selling the data of anyone under the age of 16 without explicit consent.

To hold companies accountable for consumer data, California residents will be able to sue companies subject to the CCPA for up to $750 for each data breach violation. In addition, the California attorney general can sue for $7,500 for each intentional violation of privacy.

The CCPA also requires the expansion of the privacy disclosures that companies provide when collecting or using consumers’ personal information. The disclosures must include a description of the rights California residents have regarding their personal information, how they can exercise those rights, and information on how the company will collect, use, and share their data. In addition, the company must provide a link to a “Do Not Sell My Personal Information” page that allows consumers to opt out and is accessible on all relevant platforms.

For companies that are subject to CCPA, more requirements may be coming, as the law gives the California Attorney General the authority to implement new regulations.  If you believe you are subject to the CCPA, consult an attorney familiar with data privacy to ensure compliance.

For full documentation of the CCPA, please visit the website of the California legislature.



Tahlia Clement is a clerk at FGHW. Ms. Clement is a 2019 candidate for a Juris Doctor at SMU Dedman School of Law, where she is the Editor-in-Chief for SMU’s Science and Technology Law Review. She holds a B.A. in journalism and mass communications from Arizona State University.

Health Law | Farrow-Gillespie & Heath LLP | Dallas, Texas

$2.5M Settlement Shows that not Understanding HIPAA requirements Creates Financial Risk

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), recently announced a Health Insurance Portability and Accountability Act (HIPAA) settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI). In 2012, CardioNet, a company that remotely monitors patients at risk for cardiac arrhythmias, reported to OCR that a workforce member’s laptop was stolen from a parked vehicle outside of the employee’s home. The laptop contained the ePHI of 1,391 individuals. The settlement was not reached until 2017, indicating the length of time that some HIPAA investigations can take, with their attendant costs.

CardioNet has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan.  This settlement is the first involving a wireless health services provider, based, in part, on CardioNet’s failure to comply with basic HIPAA rules that are applicable to all “covered entities” and “business associates”. Thus, the compliance steps outlined below for mobile devices are applicable to any device used to store PHI or ePHI.

OCR’s investigation into the impermissible disclosure revealed that CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft.  Additionally, CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented.  Further, the organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

HHS and OCR have published a very helpful 5-step guideline for establishing compliance with HIPAA.  While the following actions relate specifically to mobile devices, these five steps are applicable to all PHI.

Decide

Decide whether mobile devices will be used to access, receive, transmit, or store patients’ health information or used as part of your organization’s internal networks or systems (e.g., your EHR system).

Understand the risks to your organization before you decide to allow the use of mobile devices. Risks (threats and vulnerabilities) can vary based on the mobile device and its use. Some risks may be:

  1. A lost or stolen mobile device
  2. Inadvertent downloading of viruses or other malware
  3. Unintentional disclosure to unauthorized users when sharing mobile devices with friends, family and/or coworkers
  4. Use of an unsecured Wi-Fi network.

Assess

Assess how mobile devices affect the risks (threats and vulnerabilities) to the PHI your organization holds.

Conduct a risk analysis to identify the risks to your organization. If you are a solo provider, you may conduct this risk analysis yourself. If you work in a larger organization, the organization may conduct the risk analysis.

A risk analysis will help determine the safeguards, policies, and procedures your organization needs. It should include reviewing risks created by all mobile devices used to communicate with your internal networks or systems, regardless whether the devices are personally owned or provided by the organization.

Perform a risk analysis periodically and whenever there is a new mobile device, a lost or stolen device, or suspected compromised health information.

After conducting a risk analysis, document, in writing:

  1. Which mobile devices are being used to communicate with your organization’s internal networks or system (e.g., the EHR system or Health Information Exchange (HIE)), and
  2. What information is accessed, received, stored, and transmitted by or with the mobile device.

Identify

Identify your organization’s mobile device risk management strategy, including privacy and security safeguards.

The purpose of a mobile device risk management strategy is to develop and implement mobile device safeguards to reduce risks (threats and vulnerabilities) identified in the risk analysis. The risk management strategy should include evaluation and maintenance of the mobile device safeguards you put in place.

Develop, Document, and Implement

Develop, document, and implement the organization’s mobile device policies and procedures to safeguard health information.

Organizations should develop and implement reasonable and appropriate policies and procedures to safeguard health information, including those specific to mobile devices. Here are some topics and questions to consider when developing mobile device policies and procedures:

  1. Has the organization identified all the mobile devices that are being used in the organization? How is the organization keeping track of them?
  2. Should the organization let providers and professionals use their personally owned mobile devices within the organization?
  3. Should providers and professionals be able to connect to the organization’s internal network or system with their personally owned mobile devices, either remotely or on site?
  4. Does the organization restrict how providers and professionals can use mobile devices?
  5. Will the organization institute standard configuration and technical controls on all mobile devices used to access internal networks or systems, such as an EHR?
  6. Are there restrictions on the type of information providers and professionals can store on mobile devices?
  7. Does the organization have written procedures for addressing misuse of mobile devices?
  8. Does the organization have procedures to wipe or disable a mobile device that is lost or stolen or when providers and professionals end their employment or association with the organization?
  9. How is the organization training its workforce (management, doctors, nurses, and staff) on policies and procedures and holding them accountable?
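The “Assess” step asks for a written record of which mobile devices reach internal systems and what ePHI they hold, and the questions above ask whether every device is inventoried, encrypted, and can be wiped when lost, stolen, or when its owner leaves. The script below is an added example (not from the article or from HHS) of what that written record and gap check can look like in code. All field names, thresholds, and sample devices are constructed for illustration; a real program would populate the inventory from the organization’s MDM or asset system.

```python
"""Mobile-device inventory check for a HIPAA risk analysis.

Added example, not part of the article or of any HHS publication.
All device records, the observed-device list and the one-year review
interval are constructed/hypothetical values for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Hypothetical policy value: re-run the analysis at least yearly.
REVIEW_INTERVAL = timedelta(days=365)


@dataclass
class MobileDevice:
    device_id: str
    owner: str
    personally_owned: bool
    connects_to: List[str] = field(default_factory=list)  # e.g. ["EHR"]
    phi_stored: bool = False
    encrypted: bool = False
    remote_wipe_enrolled: bool = False
    last_risk_review: Optional[date] = None
    status: str = "active"  # "active", "lost", "stolen" or "departed"


def assess_device(dev: MobileDevice, today: date) -> List[str]:
    """Return the findings for one device (empty list means no gap found)."""
    findings = []
    if dev.phi_stored and not dev.encrypted:
        findings.append("ePHI stored on unencrypted device")
    if (dev.phi_stored or dev.connects_to) and not dev.remote_wipe_enrolled:
        findings.append("no remote wipe/disable capability")
    if dev.personally_owned and dev.connects_to:
        findings.append("personally owned device reaches internal systems: "
                        + ", ".join(dev.connects_to))
    if dev.status in ("lost", "stolen", "departed"):
        findings.append(f"device {dev.status}; wipe/disable and re-run risk analysis")
    if dev.last_risk_review is None or today - dev.last_risk_review > REVIEW_INTERVAL:
        findings.append("risk analysis overdue")
    return findings


def risk_analysis_record(inventory: List[MobileDevice], today: date) -> List[dict]:
    """The written record the Assess step asks for: one entry per device."""
    return [
        {
            "device": d.device_id,
            "owner": d.owner,
            "systems_reached": list(d.connects_to),
            "phi_stored": d.phi_stored,
            "findings": assess_device(d, today),
        }
        for d in inventory
    ]


def devices_needing_action(inventory: List[MobileDevice], today: date) -> List[str]:
    """Device ids with at least one finding, sorted for stable reporting."""
    return sorted(d.device_id for d in inventory if assess_device(d, today))


def unlisted_devices(inventory: List[MobileDevice], observed_ids) -> List[str]:
    """Devices seen talking to internal systems that the inventory does not know."""
    known = {d.device_id for d in inventory}
    return sorted(set(observed_ids) - known)


# Constructed sample inventory (hypothetical devices and dates).
TODAY = date(2017, 6, 1)
INVENTORY = [
    MobileDevice("lap-001", "dr.lee", False, ["EHR"], True, True, True, date(2017, 1, 15)),
    MobileDevice("phone-017", "nurse.kim", True, ["EHR"], False, True, False, None),
    MobileDevice("lap-002", "billing", False, ["EHR"], True, False, True, date(2016, 3, 1), "stolen"),
    MobileDevice("tab-005", "frontdesk", False, [], False, True, True, date(2017, 2, 1)),
]
# Constructed: device ids seen in the (hypothetical) EHR access log.
OBSERVED_DEVICE_IDS = {"lap-001", "phone-017", "phone-042"}

if __name__ == "__main__":
    for entry in risk_analysis_record(INVENTORY, TODAY):
        print(entry)
    print("needs action:", devices_needing_action(INVENTORY, TODAY))
    print("not in inventory:", unlisted_devices(INVENTORY, OBSERVED_DEVICE_IDS))
```

The record is intentionally plain data so it can be written out and kept with the other risk-analysis documentation; the inventory comparison against an access log is what answers the first policy question (“Has the organization identified all the mobile devices?”) rather than taking the inventory on trust.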

Train

Train and conduct mobile device privacy and security awareness and training for providers and professionals.

Providers and professionals who use mobile devices must have privacy and security awareness and training, on an annual basis, to avoid costly mistakes that can result in loss of patient trust.

Privacy and security awareness and training should include a discussion of the following topics:

  1. How to assess risks (threats and vulnerabilities) when using mobile devices for work;
  2. How to secure mobile devices;
  3. How to protect and secure health information;
  4. How to avoid mistakes when using mobile devices.

Finally, the organization should train its workforce so that they understand the organization’s mobile device policies and procedures and how to follow them.


Jennifer Snow | Farrow-Gillespie & Heath LLP | Dallas, TX

Jennifer Snow practices in the areas of health care law and business litigation. She is the author of numerous articles on health care law. Jennifer represents physicians and physician groups in health law matters, and she represents companies and executives in business litigation.

Ms. Snow has been named to the list of “Rising Stars” by Texas Monthly Magazine and Texas Super Lawyers (a Thomson Reuters service) in every year since 2014.


Scott Chase has practiced health law, corporate law, and intellectual property law for over 35 years. Mr. Chase is Board Certified in Health Law by the Texas Board of Legal Specialization.

Scott’s primary practice focus is business transactions for physicians and healthcare facilities, as well as healthcare regulatory issues such as the Affordable Care Act, HIPAA and peer review. Mr. Chase handles general corporate matters and trademark/copyright issues for physicians and also for a variety of non-healthcare clients.

Health Care Law | Farrow-Gillespie & Heath LLP

Healthcare Providers’ Risk of Data Breach

By Scott Chase and Catherine Parsley

Healthcare providers receive, collect, and store vast quantities of sensitive personal health information (“PHI”) from their patients. However, only half of providers responding to a recent survey said that they are prepared to respond to cyber-attacks. Attacks and other security breaches can have far-reaching effects for providers and their patients.

Electronic Medical Records

Healthcare providers have many vulnerabilities that are unique to their field. Most providers are adopting or have adopted electronic medical records (EMRs), but those programs are often clunky and can be inadequately secured. The new EMR systems make sharing PHI easy. Easy sharing is great for internal use but poses an increased risk of external leakage compared to old-fashioned paper records. Many providers’ network systems have been pieced together over time, leaving vulnerabilities and inconsistencies. At the same time, online attacks are becoming increasingly complex and sophisticated. Another problem created by piecemeal network systems is that many providers either cannot, or do not know how to, detect in real time whether their network is being compromised.

HIPAA Violation

These factors leave healthcare providers open to a higher risk of attacks and data loss. Any data loss can constitute a breach of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). If a provider loses PHI, or even puts PHI at risk of exposure to unauthorized individuals, the provider can be held to have breached HIPAA, even if no loss or theft actually occurs. One hospital was recently fined over three million dollars after it did not comply with HIPAA-required protective measures. It had several violations, including storing PHI on unencrypted devices, allowing such devices to be accessed by individuals who were not HIPAA-authorized, and failing to implement recommended risk management plans.

It is also important to note that HIPAA, pursuant to its Security Rule, requires a risk assessment for PHI vulnerability whenever either of the following occurs:

  • Environmental or operational changes, such as the implementation of new technology or changed office operations; or
  • Any security breach or security incident that indicates a vulnerability.

Fines have been levied on providers that have not performed such assessments, even when no HIPAA breach was found. While healthcare providers are not targeted as frequently as some other types of organizations, such as banking and financial institutions, the wealth of data that healthcare providers hold makes them a highly sought-after target. The data can be used for various fraudulent purposes by the attacker, and any loss or possible loss can be a HIPAA violation. In addition to having appropriate corporate policies in place, providers should also review the various types of insurance coverage available to reduce losses.

Farrow-Gillespie Heath Witter LLP can help healthcare providers deal with security threats. Our attorneys can work with clients to put policies in place before problems arise, or help clients deal with regulatory or operational issues after a breach occurs.  For more information on the available services, contact board-certified health care attorney Scott Chase.



Scott Chase is a Dallas health law attorney, certified by the Texas Board of Legal Specialization. Mr. Chase has been named for many years to the list of Texas Super Lawyers (a Thomson Reuters service), Best Lawyers in America (U.S. News & World Report), and Best Lawyers in Dallas (D Magazine).


Health Law | Farrow-Gillespie & Heath LLP

HIPAA Violation May Spark Lawsuit

While HIPAA does not in and of itself create a private cause of action, a growing body of cases in both federal and state courts outside of Texas suggests that a HIPAA violation causing clear harm to a plaintiff may support a lawsuit by providing grounds for some other private claim. Plaintiffs who have shown intentional breaches or especially private disclosures have had recent notable success in persuading courts to treat their health care providers’ HIPAA-based duties as an applicable standard of care to support their claims.

At least two such claims were recognized in November 2014 alone. In Byrne v. Avery Center for Obstetrics and Gynecology, the Connecticut Supreme Court held that a plaintiff’s negligence claims were not preempted by HIPAA and that HIPAA may inform the standard of care for a common-law negligence claim. There, the plaintiff’s claim was based on her obstetrician’s having produced her medical records to her ex-boyfriend in response to a subpoena. Despite the plaintiff’s having expressly instructed the obstetrician not to share her records, the obstetrician responded to the subpoena without notifying the plaintiff, filing a motion to quash, or objecting. The plaintiff sued the obstetrician for breach of contract, based on the violation of its privacy policy; negligence in failing to use proper care in protecting her medical file, including violations of its own regulations implementing HIPAA; negligent misrepresentation; and negligent infliction of emotional distress. On appeal, the court overturned the lower court’s preemption holding and found that HIPAA could inform the applicable standard of care.

An Indiana court of appeals also recognized a claim factually predicated on a HIPAA violation in Hinchy v. Walgreen Co. There, the court did not expressly discuss whether HIPAA violations can give rise to other private claims; instead, the court admonished the defendant’s pharmacist employee for breaching “one of her most sacred duties” by purposefully divulging the plaintiff’s birth control prescription records to her husband, the plaintiff’s ex-boyfriend. The court affirmed a $1.8 million award to the plaintiff, whose claims against Walgreens included negligent retention and supervision as well as Indiana statutory claims of negligence by professional malpractice and public disclosure of private facts.

These cases differ significantly from the more typical data security breach. They illustrate, however, that courts may be increasingly willing to use HIPAA violations to support common law or state statutory claims, at least where the violation and harm to a plaintiff are clear.

Scott Chase | Farrow-Gillespie & Heath LLP

What is HIPAA?

HIPAA, HITECH, and state laws all impact the responsibilities of health care providers and their business associates regarding the treatment and disclosure of confidential medical and health records.

The HIPAA Security Rule, in particular, requires that covered entities must keep electronically-stored protected health information in a manner that maintains the records’ confidentiality, integrity, and availability. Covered health care providers must carefully identify potential risks and vulnerabilities and protect against reasonably-anticipated threats or hazards to the security of confidential information. They must protect against reasonably anticipated impermissible uses or disclosures and ensure compliance by their employees. The Security Rule requires covered entities to provide access to usable electronically-stored protected health information to authorized persons on demand. Business associates of HIPAA-covered entities, who are not covered entities themselves, also face increased responsibility under the HITECH Act of 2009 to securely maintain and handle protected health information. To avoid steep fines and the growing possibility of civil liability, covered entities and their business associates should be informed and proactive regarding their evolving responsibilities with respect to protected health information.

The Security Rule does not dictate specific protection measures, but instead allows each covered entity to develop its own measures considering its size, complexity, and capabilities; its technical infrastructure; costs; and the likelihood and possible impact of inadvertent disclosures of protected health information. Entities must properly document their chosen security measures. Importantly, however, it is not enough for an entity to adopt security standards; those standards must actually be assessed, implemented, and followed. The Security Rule requires that security measures be updated and documented “as needed.” While the Rule does not state how frequently risk analysis must be performed, regular review and modification of security measures is undoubtedly key to ensuring HIPAA compliance. Security assessments and training should take place on an ongoing basis, and legal compliance audits are advisable periodically and whenever an entity has experienced a security incident, a change in ownership, or a turnover in key staff, or when the entity is planning to incorporate new technology.

For more information, contact board-certified health care attorney Scott Chase.

Scott Chase | Farrow-Gillespie & Heath LLP

$150,000 Penalty for HIPAA Violation

The U.S. Department of Health and Human Services, Office for Civil Rights (HHS-OCR), has recently entered into another HIPAA settlement, emphasizing yet again the government’s focus on the HIPAA Security Rule. The settlement highlights that health care entities cannot merely adopt HIPAA policies; they must actually implement and follow those policies in practice on an ongoing basis. In early December 2014, HHS-OCR confirmed that Anchorage Community Mental Health Services (ACMHS), a nonprofit organization providing behavioral health care services, had agreed to pay $150,000 and to adopt a corrective action plan to remedy deficiencies in its HIPAA compliance program, as well as to report to HHS-OCR on the state of its compliance for two years. The settlement arose from an HHS-OCR investigation of ACMHS’s breach of unsecured electronic protected health information (ePHI). The breach was the result of malware that compromised ACMHS’s information technology (IT) resources and affected 2,743 individuals.

During its investigation, HHS-OCR found that ACMHS had adopted sample HIPAA Security Rule policies and procedures in 2005, but that these policies and procedures were neither followed nor updated. ACMHS could therefore have avoided the breach (and would not have been subject to the settlement agreement) had it followed its own policies and procedures and regularly assessed its IT resources and applied available patches. The settlement with ACMHS is just one of several recent settlements arising from HHS-OCR investigations, whether triggered by an organization’s self-report of an ePHI breach, by a complaint, or by HHS-OCR’s audit program. No matter how the investigation begins, HHS-OCR will expect an organization to have fully implemented and kept current its HIPAA compliance program, including its policies and procedures. Compliance with the HIPAA Security Rule requires organizations (among other things) to assess risks to ePHI on a regular basis, including whenever new software, such as a patient portal, is introduced. Organizations cannot simply adopt HIPAA policies and procedures, conduct training, and then ignore HIPAA. All organizations subject to HIPAA, both “covered entities” and “business associates” (regardless of size), must devote ongoing resources to protecting protected health information from security threats.

Most of the activities that HHS-OCR found lacking at ACMHS are ones that health care providers can efficiently develop, implement, and sustain with timely planning.

For more information, please contact board-certified health law attorney Scott Chase.

Jennifer Snow | Farrow-Gillespie & Heath | Dallas, TX

HIPAA Law and Business Associates

HIPAA-covered entities and their business associates face increased obligations to securely maintain and handle protected health information. A health care entity subject to the HIPAA rules must ensure that its contracts with any business associate that may receive protected health information include the statutorily required assurances that the business associate will appropriately safeguard that information. In other words, whenever a vendor, staffing, or services contract involves providing another party with data that includes any person’s protected health information, the contract governing that transaction or relationship must contain HIPAA compliance language.

For more information, contact board-certified healthcare attorney Scott Chase.