by Kim C. Stanger, Holland & Hart LLP

HIPAA privacy and security breaches can result in fines of $100 to $50,000 to covered entities (including healthcare providers and health plans) and their business associates. (45 CFR 160.404). If the violation resulted from “willful neglect”, the Office for Civil Rights (“OCR”) must impose a mandatory fine of $10,000 to $50,000. (45 CFR 160.404). To make matters worse, covered entities and their business associates must self-report breaches of unsecured protected health information (“PHI”) to the affected individual and to HHS (45 CFR 164.400); failure to do so may constitute “willful neglect” resulting in additional fines. The good news is that the OCR may not impose a fine so long as the covered entity or business associate did not act with “willful neglect” and corrected the problem within 30 days. (45 CFR 160.410(b)).

Responding to Possible Breaches. Given the potential consequences, it is critical that covered entities and business associates respond appropriately to potential HIPAA breaches to avoid or minimize their liability. Below are steps that you may follow to help you identify and timely respond to HIPAA breaches. Continue reading →

by Kim C. Stanger, Holland & Hart LLP

The HIPAA Privacy, Security, and Breach Notification Rules now apply to both covered entities (e.g., healthcare providers and health plans) and their business associates. A “business associate” is generally a person or entity who “creates, receives, maintains, or transmits” protected health information (PHI) in the course of performing services on behalf of the covered entity (e.g., consultants; management, billing, coding, transcription or marketing companies; information technology contractors; data storage or document destruction companies; data transmission companies or vendors who routinely access PHI; third party administrators; personal health record vendors; lawyers; accountants; and malpractice insurers).¹ With very limited exceptions, a subcontractor or other entity that creates, receives, maintains, or transmits PHI on behalf of a business associate is also a business associate.² To determine if you are a business associate, see the attached Business Associate Decision Tree.

Business associates must comply with HIPAA for the following reasons: Continue reading →

by Kim C. Stanger, Holland & Hart LLP

The HIPAA privacy and security rules generally apply to protected health information of deceased persons as well as the living. Providers may generally use or disclose such information as follows:

1. Treatment, Payment, or Operations. As with living persons, HIPAA allows providers to use or disclose protected health information of deceased persons for purposes of treatment, payment, or the provider’s healthcare operations, unless the provider has agreed otherwise. (See 45 CFR 164.506 and 164.522(a)). This may include treatment of other living relatives. As the Office for Civil Rights (OCR) explained, “disclosures of protected health information for treatment purposes—even the treatment of another individual—do not require an authorization; thus, a covered entity may disclose a decedent’s protected health information, without authorization, to the health care provider who is treating the surviving relative.” (OCR FAQ, available here). Continue reading →

Physicians and other providers are often paid by employers to conduct drug tests, fitness-for-duty or return-to-work exams, or employment physicals for employees. In such circumstances, the physician may mistakenly assume that they may disclose the test and exam results to the employer without the patient’s authorization, but that is not correct.

As with any other protected health information, physicians and other providers generally need the patient’s written, HIPAA-compliant authorization to disclose exam results to the employer. (45 CFR 164.508(a); see also 65 FR 82592 and 82640). However, unlike other treatment situations, a provider may condition the performance of an employee physical or test on the patient’s provision of an authorization, i.e., the provider may refuse to perform the exam unless the patient executes a valid authorization. (45 CFR 164.508(b)(4)(iii); 65 FR 82516 and 82658). In addition, the employer may condition the employee’s continued employment on the provision of the exam results (at least under HIPAA), thereby creating an incentive for the employee to execute the authorization. (65 FR 82592 and 82640). The foregoing rules also apply when the health care provider is the employer, e.g., when a hospital employee receives treatment or tests at the hospital. In those situations, the hospital/employer generally may not access or use the patient/employee’s health information for employment-related purposes without the patient’s written authorization. (67 FR 53191-92). Continue reading →

by Kim C. Stanger, Holland & Hart LLP

The HIPAA Privacy and Security Rules require covered entities (including healthcare providers and health plans) and their business associates to implement certain safeguards when e-mailing or texting electronic protected health information (“e-PHI”) to patients or others.

E-mails and Texts to Patients. The HIPAA Privacy Rule not only allows but requires covered entities to communicate with patients via e-mail or text if requested by the patient. (See 45 CFR 164.522(b)). However, the Privacy Rule requires covered entities to implement appropriate safeguards when e-mailing or texting e-PHI to patients. The Office for Civil Rights (“OCR”) explained:

The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. (See 45 CFR 164.530(c)). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 CFR Part 164, Subpart C.

(OCR FAQ dated 12/15/08, available at http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/570.html). Continue reading →

by Kim C. Stanger, Holland & Hart LLP

The HIPAA privacy rules generally prohibit healthcare providers and their business associates from using or disclosing protected health information (“PHI”) unless (1) they have a valid written HIPAA authorization signed by the patient or the patient’s personal representative, or (2) a specific regulatory exception applies.¹ Many if not most authorizations received by providers are invalid. To be valid, a HIPAA authorization must satisfy the following²: Continue reading →

by Kim C. Stanger, Holland & Hart LLP

If they have not already done so, the deadline for covered entities and business associates to update their HIPAA business associate agreements to comply with Omnibus Rule requirements is September 22, 2014.

BAA Requirements. HIPAA requires that covered entities and business associates execute contracts (called “business associate agreements” or “BAAs”) which require that business associates comply with certain portions of the HIPAA Privacy, Security and Breach Notification Rules. (45 CFR 164.314(a)), 164.502(e), and 164.504(e)). The HIPAA Omnibus Rule changed BAA requirements. Under the Omnibus Rule, covered entities and business associates must modify their BAAs to require business associates to:

• comply with the HIPAA Security Rule;
• execute BAAs with any of their subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate;
• report security incidents, including breaches of unsecured health information; and
• comply with the Privacy Rule requirements applicable to covered entities if and to the extent the business associate is to carry out a covered entity’s obligations under the Privacy Rule.

(45 CFR 164.314(a) and 164.502(e)). For a checklist of all required BAA terms, click here. The Office for Civil Rights (“OCR”) has also published sample BAA provisions, although the OCR sample may not include additional terms that covered entities or business associates may want to include in their BAAs. Continue reading →

by Kim Stanger, Holland & Hart LLP

The HIPAA privacy rules now apply to both covered entities (e.g., healthcare providers and health plans) and their business associates. A “business associate” is generally a person or entity who “creates, receives, maintains or transmits” protected health information (“PHI”) in the course of performing services on behalf of the covered entity (e.g., consultants; management, billing, coding, transcription or marketing companies; information technology contractors; data storage or document destruction companies; data transmission companies or vendors who routinely access PHI; third party administrators; personal health record vendors; lawyers; accountants; malpractice insurers; etc.) (See 45 CFR 160.103). “A covered entity may be a business associate of another covered entity.” (Id.). Also, with very limited exceptions, a subcontractor or other entity that creates, receives, maintains or transmits PHI on behalf of a business associate is also a business associate. (Id.; 78 FR 5572). To determine if an entity is a business associate, see the attached Business Associate Decision Tree. Continue reading →

by Kim Stanger, Holland & Hart LLP

As with others, the HIPAA privacy rules (45 CFR § 164.501 et seq.) generally prohibit healthcare providers (“Providers”) from disclosing protected health information to police or other law enforcement officials without the patient’s written authorization unless certain conditions are met. HIPAA allows disclosures to law enforcement in the following cases: Continue reading →

by Kim Stanger, Holland & Hart LLP

The HIPAA privacy rules (45 CFR § 164.501 et seq.) generally prohibit healthcare providers (“Providers”) from disclosing protected health information pursuant to subpoenas and other government demands unless certain conditions are satisfied. This outline summarizes HIPAA rules for responding to such demands. To the extent there is a more restrictive state or federal law that applies in a particular case, the more restrictive law will usually control.

SUBPOENA, COURT ORDER, WARRANT, OR ADMINISTRATIVE DEMAND. If a Provider receives a subpoena, court order, or warrant that requires the disclosure of protected health information, the Provider should do the following: Continue reading →