Department of Health & Human Services Upgrades Security Risk Assessment Tool

By Kim Stanger, Steven Lau, and Romaine Marshall

Under the Health Insurance Portability and Accountability Act (HIPAA), "covered entities" (generally speaking, health care providers, health plans and health care clearinghouses) and their business associates must complete a risk analysis to identify and mitigate potential security risks to electronic protected health information (45 C.F.R. 164.308(a)(1)(ii)(A)). As many companies and providers have discovered, completing a risk assessment is time- and resource-intensive and can be an overwhelming and expensive undertaking.

Handling HIPAA Breaches: Investigating, Mitigating and Reporting

by Kim Stanger

HIPAA privacy and security violations can result in fines of $110 to $55,100 to covered entities (including healthcare providers and health plans) and their business associates. (45 CFR 160.404). If the violation resulted from “willful neglect”, the Office for Civil Rights (“OCR”) must impose a mandatory fine of $11,002 to $55,100. (45 CFR 160.404). To make matters worse, covered entities and their business associates must self-report breaches of unsecured protected health information (“PHI”) to the affected individual and to HHS (45 CFR 164.400); failure to do so may constitute “willful neglect” resulting in mandatory fines. The good news is that the OCR may not impose a fine so long as the covered entity or business associate did not act with “willful neglect” and corrected the problem within 30 days. (45 CFR 160.410(b)).

Responding to Possible Breaches. Given the potential consequences, it is critical that covered entities and business associates respond appropriately to potential HIPAA breaches to avoid or minimize their liability. Below are steps that you may follow to help identify and respond in a timely manner to HIPAA breaches.

Producing Records of Other Providers

by Kim Stanger

There is a common misunderstanding that healthcare providers may not or should not produce medical records that were created by another healthcare provider.

Under HIPAA, patients have a right to access all records that a provider maintains in a designated record set, i.e., documents the provider uses to make decisions about a patient’s healthcare or payment for healthcare. (45 CFR 164.524). This would generally include records the provider obtains or receives from other providers relating to the patient’s care. Thus, providers generally must produce such records in response to the patient’s request; failure to do so would violate HIPAA. The OCR published the following FAQ relevant to this issue:

A provider might have a patient’s medical record that contains older portions of a medical record that were created by another previous provider. Will the HIPAA Privacy Rule permit a provider who is a covered entity to disclose a complete medical record even though portions of the record were created by other providers?

Answer: Yes, the Privacy Rule permits a provider who is a covered entity to disclose a complete medical record including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rule, such as treatment.

Idaho Fraud and Abuse Statutes: Requirements, Penalties and Repayments

By Kim Stanger

Most Idaho healthcare providers are—or should be—aware of federal fraud and abuse laws, including the False Claims Act, Anti-Kickback Statute, Ethics in Patient Referrals Act (“Stark”), and the Civil Monetary Penalties Law, but they may not realize that Idaho has its own fraud and abuse laws that also apply. Violations may result in criminal, civil, and administrative penalties in addition to the obligation to repay amounts received in violation of the rules and provider agreement.

1. Idaho Anti-Kickback Statute. It is illegal for a health care provider to engage in the following misconduct:

(1)(a) Knowing that the payment is for the referral of a claimant to a service provider, either to accept payment from a [healthcare] provider or, being a [healthcare] provider, to pay another; or

(b) To provide or claim or represent to have provided services to a claimant, knowing the claimant was referred in violation of paragraph (a); [or]

(2) [E]ngage in a regular practice of waiving, rebating, giving, paying, or offering to waive, rebate, give or pay all or part of a claimant’s deductible or claim for casualty, disability insurance, worker’s compensation insurance, health insurance or property insurance.

(Idaho Code § 41-348). The statute applies to referrals for "health care services", which are defined as "a service provided to a claimant for treatment of physical or mental illness or injury arising in whole or substantial part from trauma." (Id. at § 41-348(2)). Violations may result in civil monetary penalties of up to $5,000. (Id. at §§ 41-348(4) and 41-347(1)). Significantly, the Idaho statute is broader than its federal counterpart: it applies to services payable by private payers as well as government programs.