Archive for category: HIPAA

by Kim C. Stanger, Holland & Hart LLP

The HIPAA Privacy and Security Rules require covered entities (including healthcare providers and health plans) and their business associates to implement certain safeguards when e-mailing or texting electronic protected health information (“e-PHI”) to patients or others.

E-mails and Texts to Patients. The HIPAA Privacy Rule not only allows but requires covered entities to communicate with patients via e-mail or text if requested by the patient. (See 45 CFR 164.522(b)). However, the Privacy Rule requires covered entities to implement appropriate safeguards when e-mailing or texting e-PHI to patients. The Office for Civil Rights (“OCR”) explained:

The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. (See 45 CFR 164.530(c)). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 CFR Part 164, Subpart C.

(OCR FAQ dated 12/15/08, available at http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/570.html). Read more

by Kim C. Stanger, Holland & Hart LLP

If they have not already done so, the deadline for covered entities and business associates to update their HIPAA business associate agreements to comply with Omnibus Rule requirements is September 22, 2014.

BAA Requirements. HIPAA requires that covered entities and business associates execute contracts (called “business associate agreements” or “BAAs”) which require that business associates comply with certain portions of the HIPAA Privacy, Security and Breach Notification Rules. (45 CFR 164.314(a)), 164.502(e), and 164.504(e)). The HIPAA Omnibus Rule changed BAA requirements. Under the Omnibus Rule, covered entities and business associates must modify their BAAs to require business associates to:

• comply with the HIPAA Security Rule;
• execute BAAs with any of their subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate;
• report security incidents, including breaches of unsecured health information; and
• comply with the Privacy Rule requirements applicable to covered entities if and to the extent the business associate is to carry out a covered entity’s obligations under the Privacy Rule.

(45 CFR 164.314(a) and 164.502(e)). For a checklist of all required BAA terms, click here. The Office for Civil Rights (“OCR”) has also published sample BAA provisions, although the OCR sample may not include additional terms that covered entities or business associates may want to include in their BAAs. Read more