Holland & Hart's Health Law Blog

Archive for category: HIPAA

Check Your Business Associate Agreements: OCR Tags Health System for Outdated BAA

October 4, 2016/in HIPAA

By Kim Stanger, Holland & Hart LLP

The Office for Civil Rights (“OCR”) continues to emphasize the need for covered entities and business associates to have compliant business associate agreements (“BAAs”). Last week, the OCR announced a $400,000 settlement with a hospital system for failing to update its BAAs to include terms required by the 2013 HIPAA Omnibus Rule. In a press release, OCR Director Jocelyn Samuels stated,

“This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule …. The Omnibus Final Rule outlined necessary changes to established business associate agreements and new requirements which include provisions for reporting.”

See Press Release here. Earlier this year, the OCR entered settlement agreements of $1,550,000 and $750,000 based on the covered entity’s failure to execute BAAs where the business associate had experienced a data breach. See reported settlements at https://www.hhs.gov/hipaa/newsroom/index.html. The lesson is clear: covered entities must have BAAs, and those BAAs must contain the required terms; failure to do so may subject the covered entity to liability for the business associate’s breach.


Charging Patients for Copies of Their Records: OCR Guidance

May 23, 2016/in HIPAA

by Kim C. Stanger, Holland & Hart LLP

HIPAA generally gives patients or their personal representative the right to access or obtain copies of the patient’s protected health information (“PHI”) in their designated record set[1], and limits the amount that providers may charge patients for PHI to a reasonable cost-based fee. (45 CFR 164.524). In February 2016, the OCR issued guidance (“Guidance”) which clarifies allowable fees and identifies additional actions providers should take when charging fees. The OCR’s Guidance may be accessed here.

Allowable Charges. The OCR confirmed that a provider may only charge the patient or personal representative for the following:

1. Labor for copying the requested PHI, whether in paper or electronic form. This includes only the labor for actually creating and delivering the paper or electronic copy in the form and format requested or agreed upon by the patient once the responsive information has been identified, retrieved, collected, compiled and/or collated. For example, allowable costs may include photocopying paper PHI; scanning paper PHI into an electronic format; converting electronic PHI in one format to the format requested by or agreed to by the patient; creating and executing a mailing or e-mail with the responsive PHI; and/or uploading, downloading, attaching, burning, or otherwise transferring electronic PHI from a provider’s system to portable media, e-mail, app, personal health record, web-based portal (where the PHI is not already maintained in or accessible through the portal), or other manner of delivery of the PHI. (See also 78 FR 5636). Labor for copying does not include costs associated with reviewing the patient’s request; searching for, reviewing, retrieving, segregating, collecting, compiling, or otherwise preparing the responsive information for copying; verifying that only information about the requested patient is included; complying with HIPAA; updating or maintaining record systems; etc. (See also 78 FR 5636). Likewise, it does not include administrative or other costs associated with outsourcing record functions to business associates or others beyond the business associate’s labor costs described above.


HIPAA Privacy Rule Modified to Permit Covered Entities to Make Certain Limited Disclosures to the National Instant Criminal Background System

January 8, 2016/in HIPAA

by Teresa Locke, Holland & Hart LLP

On Tuesday, January 6, 2016, the U.S. Department of Health and Human Services (the Department) issued a final rule, effective February 5, modifying the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to expressly permit – but not require – certain HIPAA covered entities to disclose to the National Instant Criminal Background System (NICS) certain personal health information (PHI) related to individuals who are subject to a Federal “mental health prohibitor” that disqualifies them from shipping, transporting, possessing, or receiving a firearm. Among the persons subject to the Federal mental health prohibitor established under the Gun Control Act of 1968 and implementing regulations issued by the U.S. Department of Justice are individuals who have been: (a) involuntarily committed to a mental institution; (b) found incompetent to stand trial or not guilty by reason of insanity; or (c) otherwise determined by a court, board, commission, or other lawful authority to be a danger to themselves or others or to lack the mental capacity to contract or manage their own affairs as a result of marked subnormal intelligence or mental illness, incompetency, condition, or disease. Fearing that States might not be fully reporting relevant information to the NICS because of actual or perceived barriers related to HIPAA, the Department enacted the revision to the Privacy Rule by adding a new category of permitted disclosures to 45 CFR 164.512(k). The new rule is narrowly tailored to appropriately balance public safety goals with important patient privacy interests to ensure that individuals are not discouraged from seeking voluntary treatment for mental health issues.

The new category of permitted disclosures is very limited in scope, applying only to a specific subset of HIPAA covered entities who, under narrow circumstances, may provide discrete personal health information to the NICS. Specifically, the new rule is limited in three ways. First, it applies only to covered entities involved in ordering involuntary commitments or other adjudications that make an individual subject to the Federal mental health prohibitor. It does not apply to disclosures about individuals who are subject to state-only mental health prohibitors. Moreover, the Federal mental health prohibitor does not apply to individuals in a psychiatric facility for observation or who have been admitted voluntarily. Thus, the new rule does not create a permission for most treating providers to disclose PHI about their own patients for these purposes. The Department recognized that encouraging voluntary treatment is critical to ensuring positive outcomes for individuals’ health as well as the public’s safety. The new rule was designed to balance that goal with public safety interests served by the NICS.


Responding to HIPAA Breaches

November 9, 2015/in HIPAA

by Kim C. Stanger, Holland & Hart LLP

HIPAA privacy and security breaches can result in fines of $100 to $50,000 to covered entities (including healthcare providers and health plans) and their business associates. (45 CFR 160.404). If the violation resulted from “willful neglect”, the Office for Civil Rights (“OCR”) must impose a mandatory fine of $10,000 to $50,000. (45 CFR 160.404). To make matters worse, covered entities and their business associates must self-report breaches of unsecured protected health information (“PHI”) to the affected individual and to HHS (45 CFR 164.400); failure to do so may constitute “willful neglect” resulting in additional fines. The good news is that the OCR may not impose a fine so long as the covered entity or business associate did not act with “willful neglect” and corrected the problem within 30 days. (45 CFR 160.410(b)).

Responding to Possible Breaches. Given the potential consequences, it is critical that covered entities and business associates respond appropriately to potential HIPAA breaches to avoid or minimize their liability. Below are steps that you may follow to help you identify and timely respond to HIPAA breaches.


Complying With HIPAA: A Checklist for Business Associates

October 26, 2015/in HIPAA

by Kim C. Stanger, Holland & Hart LLP

The HIPAA Privacy, Security, and Breach Notification Rules now apply to both covered entities (e.g., healthcare providers and health plans) and their business associates. A “business associate” is generally a person or entity who “creates, receives, maintains, or transmits” protected health information (PHI) in the course of performing services on behalf of the covered entity (e.g., consultants; management, billing, coding, transcription or marketing companies; information technology contractors; data storage or document destruction companies; data transmission companies or vendors who routinely access PHI; third party administrators; personal health record vendors; lawyers; accountants; and malpractice insurers).[1] With very limited exceptions, a subcontractor or other entity that creates, receives, maintains, or transmits PHI on behalf of a business associate is also a business associate.[2] To determine if you are a business associate, see the attached Business Associate Decision Tree.

Business associates must comply with HIPAA for the following reasons:

Holland & Hart

This blog is maintained by the Health Law practice group of Holland & Hart LLP. Visit the Holland & Hart website.