Archive for category: HIPAA

IMGMA Q/A: Sharing PHI for Treatment Purposes

/in ,

by Kim Stanger

Republished with permission from Idaho Medical Group Management Association (MGMA). Original article appeared in Idaho MGMA’s September 2019 e-newsletter.

Question:  May I share records with another healthcare provider without the patient’s authorization?

Answer:  It depends on the purpose.  If the disclosure is for purposes of the patient’s treatment, including continuation of care, then you may disclose the information without the patient’s authorization or consent unless you have agreed otherwise with the patient.  (See 45 CFR 164.522(a)).  The HIPAA privacy rule states, “[a] covered entity may disclose protected health information for treatment activities of a health care provider.”  (45 CFR 164.506(c)(2)). 

Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.

Read more

Liability of Business Associates for HIPAA Penalties

/in , ,

The HITECH Act extended certain HIPAA obligations to business associates, including those entities that create, receive, maintain or transmit protected health information (“PHI”) on behalf of covered entities. Business associates who fail to comply with their HIPAA obligations may be directly liable for HIPAA penalties ranging from $114 to $57,0511 per violation.

Read more

Despite Increased Awareness and Employee Training, Ransomware Is Still the Healthcare Industry’s No. 1 Threat

/in

By Claire Rosston

Ransomware accounted for more than 1 in 10 healthcare data breaches reported to the government during the last three years, according to analysis by Bloomberg Law. Cybercriminals capitalize on lack of employee training by sending emails with malicious attachments to gain access to healthcare providers’ and business partners’ networks. With this access, the ransomware typically encrypts all of the data within the organization’s network that cannot be recovered until the ransom is paid for the decryption key. Read more

HHS Reduces the Annual Cap for Most HIPAA Penalties

/in

by Kim Stanger

HIPAA penalties vary depending on the type of conduct involved. (45 CFR § 160.404). Under HHS’s prior interpretation, the types of violations were all subject to an annual maximum penalty of $1,500,000 for identical types of violations. (Id.).

Read more

Identifying Business Associates: Make Sure You Have BAAs in Place

/in

by Kim Stanger

Failing to have HIPAA business associate agreements (“BAAs”) can result in significant penalties for healthcare providers and business associates. Last month, the OCR imposed a $500,000 settlement and robust corrective action plan against a physician group that failed to have a BAA with its billing company. After the billing company improperly allowed access to protected health information on its website, the OCR looked to the physician group to pay the price. (See https://www.hhs.gov/about/news/2018/12/04/florida-contractor-physicians-group-shares-protected-health-information-unknown-vendor-without.html).

Under HIPAA, “business associates” are essentially those entities who create, access, maintain or transmit PHI on behalf of a healthcare provider. (45 CFR § 160.103, definition of “business associate”). HIPAA requires healthcare providers to execute a BAA before disclosing protected health information (“PHI”) to their business associate. (45 CFR § 164.502(e)). It also requires business associates to execute a BAA with their subcontractors who handle PHI on behalf of the business associate. (Id.). The BAA must contain certain required terms. As recent settlements confirm, healthcare providers who fail to execute a BAA are subject to HIPAA penalties and may be vicariously liable for their business associate’s misconduct.

Read more