HIPAA – Page 8 – Holland & Hart's Health Law Blog

Report HIPAA Breaches Without Delay

January 19, 2017/in HIPAA

If you experience a HIPAA breach, make sure you investigate and report the breach “without unreasonable delay and in no case later than 60 calendar days after discovery of the breach” or you may be subject to HIPAA fines. (45 CFR 164.404(b)). The Office for Civil Rights just settled for $475,000 its first case against a covered entity for unreasonable delay in reporting a HIPAA breach.

On October 22, 2013, Presence St. Joseph Medical Center (“Presence Health”) discovered that its paper-based operating schedules were missing from its surgery center. The schedules contained protected health information of 836 persons, including names, birthdates, procedure information, and medical record information. Because the breach involved more than 500 persons, Presence Health was required to report the breach to HHS and local media at the time it notified affected individuals. However, due to a miscommunication between its workforce members, Presence Health did not report breach to HHS until January 31, 2014 (101 days after the breach was discovered); did not notify affected individuals until February 3, 2014 (104 days after the breach was discovered); and did not notify the media until February 5, 2014 (105 days after the breach was discovered). The HIPAA Breach Notification Rule requires that covered entities notify individuals and, if the breach involves more than 500 persons, report breaches to HHS and local media without unreasonable delay and in no event later than 60 calendar days after discovery of the breach. (45 CFR 164.404-.410). A separate HIPAA violation occurs for each day the covered entity fails to report the breach beyond the deadline. Presence Health settled the alleged violations for $475,000. A copy of the OCR’s press release is available here. Read more

Responding to Negative Internet Reviews: Beware HIPAA

November 23, 2016/in HIPAA

By Kim Stanger, Holland & Hart LLP

As a healthcare provider, you may log onto the internet one day only to discover a negative review from a disgruntled patient or family member. Undoubtedly, the review contains inaccurate, incomplete, or downright defamatory information. Your first impulse may be to post a response online, but doing so may subject you to HIPAA fines, adverse licensure action, or privacy lawsuits.

HIPAA generally prohibits healthcare providers from using or disclosing a patient’s protected health information without the patient’s authorization. (45 CFR 164.502). “Protected health information” includes information that “[r]elates to the past, present, or future physical or mental health or condition of an individual [or] the provision of health care to an individual, and … that [i]dentifies the individual, or [w]ith respect to which there is a reasonable basis to believe the information can be used to identify the individual.” (45 CFR 160.103). Thus, posting any information that identifies the individual as a patient likely violates HIPAA even if specific medical information is not disclosed; a patient does not waive their HIPAA rights by posting his or her own information, and there is no HIPAA exception that allows a healthcare provider to disclose information in response to a negative review. In 2013, Shasta Regional Medical Center paid $275,000 to settle claims that it violated HIPAA when it disclosed a patient’s health information to the media in response to a negative newspaper article. (See Press Release). ProPublica recently published a report identifying numerous HIPAA violations resulting from providers’ ill-considered responses to negative internet reviews. (See article).

Conduct a Thorough HIPAA Risk Analysis or Pay Big Fines

October 26, 2016/in HIPAA

by Kim Stanger, Romaine Marshall, and C. Matt Sorensen, Holland & Hart LLP

St. Joseph Health recently agreed to pay $2.14 million to settle allegations by the Department of Health and Human Services Office for Civil Rights Office (“OCR”) that its data security was inadequate.

In its investigation of St. Joseph’s handling of a 2012 data breach that exposed 31,800 patient medical records, OCR claimed St. Joseph did not change the default settings on a new server, which allowed members of the public to access via search engines the personal health information of 31,800 patients for a full year. By failing to switch off its servers’ default setting, St. Joseph potentially violated the HIPAA Security Rule’s requirement to conduct a technical and nontechnical evaluation of any operational changes that might affect the security of ePHI.

In addition to paying $2.14 million, St. Joseph Health agreed to implement a corrective action plan that requires it to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies and procedures. St. Joseph had conducted an enterprise-wide risk analysis in 2010, but the OCR deemed that to be inadequate because the analysis did not include an evaluation of the technical specifications of St. Joseph’s servers. Read more

Check Your Business Associate Agreements: OCR Tags Health System for Outdated BAA

October 4, 2016/in HIPAA

By Kim Stanger, Holland & Hart LLP

The Office for Civil Rights (“OCR”) continues to emphasize the need for covered entities and business associates to have compliant business associate agreements (“BAAs”). Last week, the OCR announced a $400,000 settlement with a hospital system for failing to update its BAAs to include terms required by the 2013 HIPAA Omnibus Rule. In a press release, OCR Director Jocelyn Samuels stated,

This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule …. The Omnibus Final Rule outlined necessary changes to established business associate agreements and new requirements which include provisions for reporting.”

See Press Release here. Earlier this year, the OCR entered settlement agreements of $1,550,000 and $750,000 based on the covered entity’s failure to execute BAAs where the business associate had experienced a data breach. See reported settlements at https://www.hhs.gov/hipaa/newsroom/index.html. The lesson is clear: covered entities must have BAAs, and those BAAs must contain the required terms; failure to do so may subject the covered entity to liability for the business associate’s breach. Read more

Charging Patients for Copies of Their Records: OCR Guidance

May 23, 2016/in HIPAA

by Kim C. Stanger, Holland & Hart LLP

HIPAA generally gives patients or their personal representative the right to access or obtain copies of the patient’s protected health information (“PHI”) in their designated record set¹, and limits the amount that providers may charge patients for PHI to a reasonable cost-based fee. (45 CFR 164.524). In February 2016, the OCR issued guidance (“Guidance”) which clarifies allowable fees and identifies additional actions providers should take when charging fees. The OCR’s Guidance may be accessed here.

Allowable Charges. The OCR confirmed that a provider may only charge the patient or personal representative for the following:

1. Labor for copying the requested PHI, whether in paper or electronic form. This includes only the labor for actually creating and delivering the paper or electronic copy in the form and format requested or agreed upon by the patient once the responsive information has been identified, retrieved, collected, compiled and/or collated. For example, allowable costs may include photocopying paper PHI; scanning paper PHI into an electronic format; converting electronic PHI in one format to the format requested by or agreed to by the patient; creating and executing a mailing or e-mail with the responsive PHI; and/or uploading, downloading, attaching, burning, or otherwise transferring electronic PHI from a provider’s system to portable media, e-mail, app, personal health record, web-based portal (where the PHI is not already maintained in or accessible through the portal), or other manner of delivery of the PHI. (See also 78 FR 5636). Labor for copying does not include costs associated with reviewing the patient’s request; searching for, reviewing, retrieving, segregating, collecting, compiling, or otherwise preparing the responsive information for copying; verifying that only information about the requested patient is included; complying with HIPAA; updating or maintaining record systems; etc. (See also 78 FR 5636). Likewise, it does not include administrative or other costs associated with outsourcing record functions to business associates or others beyond the business associate’s labor costs described above. Read more