Department of Health & Human Services Upgrades Security Risk Assessment Tool

By Kim Stanger, Steven Lau, and Romaine Marshall

Under the Health Information Privacy and Portability Act (HIPAA), “covered entities” (generally speaking health care providers and their business associates) must all complete a risk assessment to identify and mitigate potential security risks (45 C.F.R. 164.308(a)(1)(ii)(A)). As many companies and providers have discovered, completing a risk assessment is time and resource-intensive and can be an overwhelming and expensive undertaking. Read more

Handling HIPAA Breaches: Investigating, Mitigating and Reporting

by Kim Stanger

HIPAA privacy and security violations can result in fines of $110 to $55,100 to covered entities (including healthcare providers and health plans) and their business associates. (45 CFR 160.404). If the violation resulted from “willful neglect”, the Office for Civil Rights (“OCR”) must impose a mandatory fine of $11,002 to $55,100. (45 CFR 160.404). To make matters worse, covered entities and their business associates must self-report breaches of unsecured protected health information (“PHI”) to the affected individual and to HHS (45 CFR 164.400); failure to do so may constitute “willful neglect” resulting in mandatory fines. The good news is that the OCR may not impose a fine so long as the covered entity or business associate did not act with “willful neglect” and corrected the problem within 30 days. (45 CFR 160.410(b)).

Responding to Possible Breaches. Given the potential consequences, it is critical that covered entities and business associates respond appropriately to potential HIPAA breaches to avoid or minimize their liability. Below are steps that you may follow to help identify and timely respond to HIPAA breaches. Read more

Producing Records of Other Providers

by Kim Stanger

There is a common misunderstanding that healthcare providers may not or should not produce medical records that were created by another healthcare provider.

Under HIPAA, patients have a right to access all records that a provider maintains in a designated record set, i.e., documents the provider uses to make decisions about a patient’s healthcare or payment for healthcare. (45 CFR 164.524). This would generally include records the provider obtains or receives from other providers relating to the patient’s care. Thus, providers generally must produce such records in response to the patient’s request; failure to do so would violate HIPAA. The OCR published the following FAQ relevant to this issue:

A provider might have a patient’s medical record that contains older portions of a medical record that were created by another previous provider. Will the HIPAA Privacy Rule permit a provider who is a covered entity to disclose a complete medical record even though portions of the record were created by other providers?

Answer: Yes, the Privacy Rule permits a provider who is a covered entity to disclose a complete medical record including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rule, such as treatment. Read more

Minimizing Liability For Business Associate Misconduct

By Kim Stanger

Republished with permission from AHLA’s Physicians and Hospitals Law Institute. Original article appeared Feb. 5, 2018. 

Healthcare providers, health plans and healthcare clearinghouses (“covered entities”) and business associates are subject to significant penalties for violations of the HIPAA Privacy, Security and Breach Notification Rules. To make matters worse, covered entities may be liable for their business associates’ misconduct, and business associates may be liable for their subcontractors’ violations. Covered entities and business associates must take appropriate steps to minimize exposure for their business associates’ or subcontractors’ violations. Read more

Producing Patient Records: The “Designated Record Set,” the “Legal Health Record,” and Records Created by Other Providers

Healthcare providers often misunderstand their obligation to provide patient records in response to a request from a patient or third party.

1. Patient Requests and the “Designated Record Set.” With very limited exceptions,[1] patients and their personal representatives generally have a right to access and/or require the disclosure of protected health information in the patient’s designated record set. (45 CFR § 164.524(a)). HIPAA defines “designated record set” as:

A group of records maintained by or for a covered entity that is:
(i) The medical records and billing records about individuals maintained by or for a covered health care provider; [or]
(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.

(45 CFR § 164.501). As the OCR recently summarized:

The Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice. Individuals have a right to access this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the covered entity, another provider, the patient, etc.).

Read more