Holland & Hart's Health Law Blog
  • Publications
  • Webinar Recordings
    • 2024 Webinar Recordings
    • 2023 Webinar Recordings
    • 2022 Webinar Recordings
    • 2021 Webinar Recordings
    • 2020 Webinar Recordings
    • 2019 Webinar Recordings
    • 2018 Webinar Recordings
    • 2017 Webinar Recordings
    • 2016 Webinar Recordings
  • Compliance Bootcamps
  • Attorneys
  • Healthcare Law
  • Employers’ Lawyers Blog
  • Search
  • Menu Menu

IMGMA Q/A: Producing Records

February 6, 2018/in Governance

By Kim Stanger

Ed. note: This article also appears in an issue of the Idaho MGMA monthly newsletter.

Question:  What is the difference between a “designated record set” and “legal health record,” and what must we provide when we receive a request for “records”?

Answer:  HIPAA defines “designated record set” as:

A group of records maintained by or for a covered entity that is:

(i)        The medical records and billing records about individuals maintained by or for a covered health care provider; [or]

(iii)      Used, in whole or in part, by or for the covered entity to make decisions about individuals.

(45 CFR 164.501).  With very limited exceptions, patients and their personal representatives generally have a right to access protected health information in their designated record set.  (45 CFR 164.524).  As the OCR recently summarized: Read more

https://hhhealthlawblog.com/wp-content/uploads/2024/05/logo_vertical-v2.png 0 0 admin https://hhhealthlawblog.com/wp-content/uploads/2024/05/logo_vertical-v2.png admin2018-02-06 23:32:532018-02-06 23:32:53IMGMA Q/A: Producing Records

Reporting HIPAA Breaches: Annual Deadline Approaches

January 9, 2018/in HIPAA

By Kim Stanger

The HIPAA breach notification rule requires covered entities to report breaches of unsecured protected health information (“PHI”) to affected individuals, HHS and, in some cases, local media. (45 CFR § 164.400 et seq.). The notice must be sent to individuals as soon as reasonably possible but no later than 60 days after it was discovered. (45 CFR § 164.404). The timing of notice to HHS depends on the number of persons affected by the breach: if the breach involves 500 or more persons, the covered entity must notify HHS at the same time it notifies the individual; if the breach involves less than 500 persons, the covered entity must report the breach to HHS until no later than 60 days after the end of the calendar year, i.e., by March 1. (45 CFR § 164.408(b)-(c)).

Is Your HIPAA Breach Reportable? Under the breach notification rule, covered entities are only required to self-report if there is a “breach” of “unsecured” PHI. (45 CFR § 164.400 et seq.). Read more

https://hhhealthlawblog.com/wp-content/uploads/2024/05/logo_vertical-v2.png 0 0 admin https://hhhealthlawblog.com/wp-content/uploads/2024/05/logo_vertical-v2.png admin2018-01-09 22:27:012018-01-09 22:27:01Reporting HIPAA Breaches: Annual Deadline Approaches

Non-Physicians Owning or Investing in Medical Practices in Idaho

November 8, 2017/in Physician Practices

By Kim Stanger

The Idaho Board of Medicine’s recent disavowal of the corporate practice of medicine doctrine has made it easier for corporations and non-physician individuals to invest in or own medical practices in Idaho.

The Corporate Practice of Medicine. For decades, the Idaho Board of Medicine took the position that, with limited exceptions, the Idaho Medical Practice Act “prohibits unlicensed corporations and entities from hiring physicians as employees to provide medical services to patients.” (Memo from J. Uranga to Idaho State Bd. of Medicine dated 2/26/07). This “corporate practice of medicine” doctrine (“CPOM”) had its foundation in a 1952 Idaho Supreme Court case which held that:

[n]o unlicensed person or entity may engage in the practice of the medical profession though licensed employees; nor may a licensed physician practice as an employee of an unlicensed person or entity. Such practices are contrary to public policy.

(Worlton v. Davis, 73 Idaho 217, 221 (1952)). The Board of Medicine warned that violations of the doctrine may result in disciplinary action against physicians and, more recently, physician assistants. Entities that improperly employed physicians or physician assistants risked the possibility of criminal action for the unauthorized practice of medicine. Read more

https://hhhealthlawblog.com/wp-content/uploads/2024/05/logo_vertical-v2.png 0 0 admin https://hhhealthlawblog.com/wp-content/uploads/2024/05/logo_vertical-v2.png admin2017-11-08 21:06:062017-11-08 21:06:06Non-Physicians Owning or Investing in Medical Practices in Idaho

Marketing Traps for Healthcare Providers

October 12, 2017/in Providers

By Kim Stanger

Common marketing practices in other industries may be illegal in the healthcare sector. Healthcare providers should beware the following practices when marketing their services:

1. Offering gifts, rewards, or free or discounted items or services to patients. The federal Anti-Kickback Statute (“AKS”) and Civil Monetary Penalties Law (“CMPL”) generally prohibit offering anything of value to induce patients to order or receive services payable by federal healthcare programs unless the arrangement fits a regulatory safe harbor.1 Violations may result in criminal, civil and administrative penalties.2 Common marketing programs that may implicate the laws include but are not limited to: Read more

https://hhhealthlawblog.com/wp-content/uploads/2024/05/logo_vertical-v2.png 0 0 admin https://hhhealthlawblog.com/wp-content/uploads/2024/05/logo_vertical-v2.png admin2017-10-12 22:44:212017-10-12 22:44:21Marketing Traps for Healthcare Providers

Police, Providers, Patients and HIPAA

September 26, 2017/in HIPAA

By Kim Stanger

Recent cases have highlighted the conflict that may occur when police seek access to patients or patient information. Here are some general guidelines for physicians and other healthcare providers when facing demands from police or other law enforcement officials.

Disclosing Patient Information. The HIPAA privacy rules (45 CFR § 164.501 et seq.) generally prohibit healthcare providers from disclosing protected health information to law enforcement officials without the patient’s written authorization unless certain conditions are met. HIPAA allows disclosures for law enforcement purposes in the following cases:

  1. Court Order, Warrant, Subpoena, or Administrative Process. A provider may disclose information in response to a court order, warrant, subpoena or other administrative process if certain conditions are satisfied. (45 CFR § 164.512(f)(1)(ii)). These situations are discussed more fully in our separate client alert here.
  2. Avert Harm. A provider may disclose information to law enforcement to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public. (45 CFR § 164.512(j)(1)(i)). Many states have specific statutes authorizing or requiring providers to make disclosures when credible threats are made against third parties.
  3. Required by Law. A provider may disclose information to law enforcement when a law requires the disclosure, e.g., to report child or adult abuse or neglect, injuries from gunshots or criminal activity, etc. Providers should comply with the strict terms of the law, and not disclose more than is required by the law. (45 CFR § 164.512(a), (f)(1)(i); see also § 164.512(b)(1)(ii) (child abuse) and § 164.512(c) (adult abuse)).
  4. Facility Directory. HIPAA generally allows, but does not require, providers to disclose limited information to persons who ask for a patient by name unless the patient has objected to such disclosures or the provider believes that the disclosure is not in the patient’s best interests. (See 45 CFR § 164.510). The provider may only disclose the patient’s name, general condition, and location in the facility. (Id.).
  5. Identify Person. If law enforcement requests information to help identify or locate a suspect, fugitive, material witness or missing person, a provider may disclose the following limited information: name and address, date and place of birth, social security number, ABO blood type and rh factor, type of injury, date and time of treatment, date and time of death, and a description of distinguishing physical characteristics. Other information related to the individual’s DNA, dental records, body fluid or tissue typing, samples, or analysis cannot be disclosed under this provision, but may be disclosed in response to a court order, warrant, or written administrative request. (45 CFR § 164.512(f)(2)). The disclosure must be in response to a request from law enforcement, which may include a response to a “wanted” poster or bulletin.
  6. Victim of a Crime. If law enforcement requests information about a person who is suspected of being a victim of a crime, a provider may disclose information if: (a) the individual agrees to the disclosure, or (b) the officer represents that the information is necessary to determine whether someone other than the victim has committed a crime, the information will not be used against the victim, the information is needed immediately and the law enforcement activity would be adversely affected by waiting to obtain the victim’s agreement, and the provider determines it is in the victim’s best interest to disclose the information. (45 CFR § 164.512(f)(3)).
  7. Death. A provider may disclose information to notify law enforcement about the death of an individual if the provider believes the death may have resulted from a crime.
  8. Crime on Premises. A provider may disclose information to law enforcement if the provider believes the information evidences criminal conduct on the provider’s premises. (45 CFR § 164.512(f)(5)).
  9. Crime Away from Premises. If, in the course of responding to an off-site medical emergency, providers become aware of criminal activity, they may disclose certain information to police as necessary to alert law enforcement to the criminal activity, including information about the commission and nature of the crime, the location of the crime or any victims, and the identity, description, and location of the perpetrator of the crime. (45 CFR § 164.512(f)(6)).
  10. Report by Victim. If a person affiliated with the provider is the victim of a crime, the person may disclose information necessary to report the crime to law enforcement; however, the person may only disclose the limited information listed in 45 CFR § 164.512(f)(2)(i). (45 CFR § 164.502(j)(2)).
  11. Admission of Violent Crime. If a person has admitted participation in a violent crime that a provider reasonably believes may have caused serious physical harm to a victim, a provider may disclose information to law enforcement necessary to identify or apprehend the person, provided that the admission was not made in the course of or based on the individual’s request for therapy, counseling, or treatment related to the propensity to commit this type of violent act. (45 CFR § 164.512(j)(1)(ii)(A), (j)(2)-(3)).
  12. Fugitive. A provider may disclose information to law enforcement to identify or apprehend an individual who appears to have escaped from lawful custody. (45 CFR § 164.512(j)(1)(ii)(B)).
  13. Prisoners. If law enforcement or a correctional institution requests protected health information about an inmate or person in lawful custody, a provider may disclose information if police represents such information is needed to provide health care to the individual; for the health and safety of the individual, other inmates, officers or employees of or others at a correctional institution or responsible for the transporting or transferring inmates; or for the administration and maintenance of the safety, security, and good order of the correctional facility, including police on the premises of the facility. (45 CFR § 164.512(k)(5)).
  14. Medical Examiners and Coroners. A provider may disclose information about a decedent to medical examiners or coroners to assist them in identifying the decedent, determining the cause of death, or to carry out their other authorized duties. (45 CFR § 164.512(g)(1)).

Read more

https://hhhealthlawblog.com/wp-content/uploads/2024/05/logo_vertical-v2.png 0 0 admin https://hhhealthlawblog.com/wp-content/uploads/2024/05/logo_vertical-v2.png admin2017-09-26 19:44:582017-09-26 19:44:58Police, Providers, Patients and HIPAA
Page 28 of 46«‹2627282930›»

Idaho Patient Act Timeline


View our Idaho Patient Act Timeline Guide

Holland & Hart

This blog is maintained by the Health Law practice group of Holland & Hart LLP. Visit the Holland & Hart website.

Subscribe to Email Updates

Enter your Email:

Contact

If you have any questions, please contact Kim Stanger.

More COVID-19 Articles


View more COVID-related articles on our Labor & Employment Blog

Categories

Archives

Disclaimer

This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.

Privacy Policy

View our privacy policy.

© Copyright 2024 | Holland & Hart LLP - Enfold WordPress Theme by Kriesi
Scroll to top