Category Archives: HIPAA

October 26, 2020

HIPAA Enforcement: Lessons from the OCR’s Recent Settlements

By Kim Stanger

The OCR has announced a surprising number of HIPAA settlements in the past few months, with penalties ranging from $10,000 to $6.85 million. Here are some of the key takeaways for healthcare providers:

1. Protect against cyberattacks. Healthcare entities remain a prime target for cyberattacks, with disastrous effects for victims, including providers and patients whose information is compromised or destroyed. The HIPAA security rule is intended to ensure that healthcare entities maintain the confidentiality, integrity and availability of electronic protected health information; successful cyberattacks often expose security rule violations. Premera Blue Cross agreed to pay $6.85 million after a phishing scam deployed malware that affected the information of 10.4 million persons. Another entity agreed to pay $2.3 million after a hacker accessed records of 6.1 million persons. Per the OCR, “The health care industry is a known target for hackers and cyberthieves. The failure to implement the security protections required by HIPAA Rules … is inexcusable.” https://www.hhs.gov/about/news/2020/09/23/hipaa-business-associate-pays-2.3-million-settle-breach.html.

Cybersecurity is a major focus for HHS. In December 2018, the federal government published a guide to help healthcare providers of all sizes protect against cyberthreats, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, available at https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx. In July 2020, HHS launched its Health Sector Cybersecurity Coordination Center (“HC3”) website, https://www.hhs.gov/about/agencies/asa/ocio/hc3/index.html, to offer additional support for healthcare providers. Cybersecurity is vital not only for regulatory compliance; it is essential to protect patients and ensure the continued operation of the provider.

March 17, 2020

HIPAA Tips: Information for Covered Entities and Employers

By Kristy M. Kimball and Lisa Carlson

What’s the Issue?

Covered entities, such as hospitals and other healthcare providers, may be asked by unrelated third parties for information relating to a patient’s diagnosis or presumed diagnosis of COVID-19.

The information below outlines how the Health Insurance Portability & Accountability Act (“HIPAA”) applies to health information obtained or maintained by those subject to HIPAA (e.g., covered entities or business associates of covered entities), but does not cover state-specific privacy laws or employment-specific confidentiality laws. For example, the ADA, FMLA, and workers compensation laws all have confidentiality aspects that will impact employers.

March 11, 2020

Beware Laws Affecting Healthcare Transactions

By Kim Stanger

Republished with permission, this article originally appeared in the online edition of Idaho State Bar’s The Advocate on March 11, 2020.  

Attorneys risk substantial fines, malpractice claims, and even jail time for violating any of several laws implicated in even simple healthcare transactions. Federal and state healthcare laws potentially affect any financial transaction involving healthcare providers, including employment or service contracts, group compensation structures, investment interests and joint ventures, leases for space or equipment, marketing programs, and patient billing practices. Failure to comply may result in significant fines and penalties for clients as well as malpractice claims, or worse, against their lawyers. This article describes several statutes and regulations that can be traps for the unwary in healthcare transactions.

February 19, 2020

Use of PHI for Non-Patient Purposes

By Kim Stanger

In an era of decreasing reimbursement and rapidly expanding opportunities associated with “big data”, healthcare entities may be looking for ways to monetize protected health information (“PHI”) for their own, non-patient purposes. With limited exceptions, however, HIPAA restricts the use of PHI for non-treatment purposes without the patient’s authorization. Failure to comply may subject HIPAA covered entities, business associates, and third parties to significant civil, administrative, and criminal penalties. (See, e.g., 42 U.S.C. § 1320d-6; 45 C.F.R. § 160.404).


February 7, 2020

Modified HIPAA Rules for Sending Records to Third Parties

By Kim Stanger

Thanks to a federal judge, the Office for Civil Rights has modified its rules for sending records to third parties. Covered entities are no longer required by HIPAA to send non-electronic protected health information (“PHI”) to a third party at the patient’s request. In addition, covered entities are no longer limited to charging a reasonable cost-based fee when sending records to a third party.

The Third-Party Directive.  In 2009, the Health Information Technology for Economic and Clinical Health (“HITECH”) Act modified HIPAA to simplify the process for producing ePHI:

In the case that a covered entity uses or maintains an electronic health record with respect to protected health information of an individual … the individual shall have a right to obtain from such covered entity a copy of such information in an electronic format and, if the individual chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific.

(42 U.S.C. §17935(e)(1)). 


January 28, 2020

HIPAA, Psychotherapy Notes, and Other Mental Health Records

By Kim Stanger

The HIPAA privacy rules give special protection to “psychotherapy notes,” but providers often misunderstand which notes are and are not covered and how they differ from other mental health records.

I. “Psychotherapy Notes” Defined.

Contrary to popular belief, HIPAA does not provide special protection to mental health records in general, but it does give added protection to “psychotherapy notes”. As defined by HIPAA,

Psychotherapy notes means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: Diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.


September 6, 2019

Business Associates’ Use of Information for Their Own Purposes

By Kim Stanger

Business associates may want to use a covered entity’s protected health information (“PHI”) for the business associates’ own purposes, e.g., for their own product development, data aggregation, marketing, etc. However, with very limited exceptions, HIPAA prohibits business associates from doing so without the patient’s written authorization. Misusing PHI may expose the business associate to HIPAA fines, criminal penalties, breach of contract claims by the covered entity, and perhaps civil liability to individuals whose PHI was improperly used. (See, e.g., 42 U.S.C. § 1320d-6; 45 C.F.R. § 160.404).

Limits on Use or Disclosure of PHI.

The business associate’s authority to use or disclose PHI derives from the covered entity’s authority. The covered entity may only use the patient’s PHI for certain purposes without the patient’s authorization, e.g., for the covered entity’s own treatment, payment or healthcare operations. (45 C.F.R. § 164.502). HIPAA allows covered entities to share PHI with business associates to assist the covered entity in performing authorized activities for or on behalf of the covered entity, but with very limited exceptions, the same limits that apply to the covered entity also apply to the business associate, e.g., absent the patient’s written authorization, it may only use the information for purposes of the covered entity’s treatment, payment, healthcare operations or other permitted use. (Id.). The business associate agreement (“BAA”) between the covered entity and business associate must specify the permissible uses of PHI. 45 C.F.R. § 164.502(e) states:


August 22, 2019

IMGMA Q/A: Sharing PHI for Treatment Purposes

By Kim Stanger

Republished with permission from Idaho Medical Group Management Association (MGMA). Original article appeared in Idaho MGMA’s September 2019 e-newsletter.

Question:  May I share records with another healthcare provider without the patient’s authorization?

Answer: It depends on the purpose. If the disclosure is for purposes of the patient’s treatment, including continuation of care, then you may disclose the information without the patient’s authorization or consent unless you have agreed otherwise with the patient. (See 45 CFR 164.522(a)). The HIPAA privacy rule states, “[a] covered entity may disclose protected health information for treatment activities of a health care provider.” (45 CFR 164.506(c)(2)).

Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.


May 29, 2019

Liability of Business Associates for HIPAA Penalties

The HITECH Act extended certain HIPAA obligations to business associates, i.e., those entities that create, receive, maintain or transmit protected health information (“PHI”) on behalf of covered entities. Business associates who fail to comply with their HIPAA obligations may be directly liable for HIPAA penalties ranging from $114 to $57,051 per violation.


May 9, 2019

Despite Increased Awareness and Employee Training, Ransomware Is Still the Healthcare Industry’s No. 1 Threat

By Claire Rosston

Ransomware accounted for more than 1 in 10 healthcare data breaches reported to the government during the last three years, according to analysis by Bloomberg Law. Cybercriminals capitalize on a lack of employee training by sending emails with malicious attachments to gain access to the networks of healthcare providers and their business partners. With this access, the ransomware typically encrypts data throughout the organization’s network; unless the organization holds intact offline backups, that data cannot be recovered without the decryption key, which the attackers withhold until the ransom is paid.