HIPAA: Should You Ask Patients for Consent to Disclose Information?

/in

by Kim Stanger

Healthcare providers often limit unnecessarily their ability to use or disclose protected health information without the patient’s consent, thereby increasing their potential liability for unauthorized disclosures. For example, providers often:

  • Tell the patient that the provider will only disclose the patient’s information to those persons identified by the patient, thereby precluding disclosures to others who are not identified.
  • Ask the patient to list those to whom the provider may disclose information, thereby expressly or impliedly suggesting that they will not disclose information to others.
  • Ask that the patient authorize disclosures to payers and/or other providers, thereby expressly or impliedly agreeing that they will not disclose information to payers or providers if not authorized by the patient.

They do so under the mistaken belief that HIPAA requires such. In reality, such practices may actually increase potential HIPAA liability. Read more

Report HIPAA Breaches Without Delay

/in

by Kim Stanger

If you experience a HIPAA breach, make sure you investigate and report the breach “without unreasonable delay and in no case later than 60 calendar days after discovery of the breach” or you may be subject to HIPAA fines. (45 CFR 164.404(b)). The Office for Civil Rights just settled for $475,000 its first case against a covered entity for unreasonable delay in reporting a HIPAA breach.

On October 22, 2013, Presence St. Joseph Medical Center (“Presence Health”) discovered that its paper-based operating schedules were missing from its surgery center. The schedules contained protected health information of 836 persons, including names, birthdates, procedure information, and medical record information. Because the breach involved more than 500 persons, Presence Health was required to report the breach to HHS and local media at the time it notified affected individuals. However, due to a miscommunication between its workforce members, Presence Health did not report breach to HHS until January 31, 2014 (101 days after the breach was discovered); did not notify affected individuals until February 3, 2014 (104 days after the breach was discovered); and did not notify the media until February 5, 2014 (105 days after the breach was discovered). The HIPAA Breach Notification Rule requires that covered entities notify individuals and, if the breach involves more than 500 persons, report breaches to HHS and local media without unreasonable delay and in no event later than 60 calendar days after discovery of the breach. (45 CFR 164.404-.410). A separate HIPAA violation occurs for each day the covered entity fails to report the breach beyond the deadline. Presence Health settled the alleged violations for $475,000. A copy of the OCR’s press release is available here. Read more

Responding to Negative Internet Reviews: Beware HIPAA

/in

By Kim Stanger, Holland & Hart LLP

As a healthcare provider, you may log onto the internet one day only to discover a negative review from a disgruntled patient or family member. Undoubtedly, the review contains inaccurate, incomplete, or downright defamatory information. Your first impulse may be to post a response online, but doing so may subject you to HIPAA fines, adverse licensure action, or privacy lawsuits.

HIPAA generally prohibits healthcare providers from using or disclosing a patient’s protected health information without the patient’s authorization. (45 CFR 164.502). “Protected health information” includes information that “[r]elates to the past, present, or future physical or mental health or condition of an individual [or] the provision of health care to an individual, and … that [i]dentifies the individual, or [w]ith respect to which there is a reasonable basis to believe the information can be used to identify the individual.” (45 CFR 160.103). Thus, posting any information that identifies the individual as a patient likely violates HIPAA even if specific medical information is not disclosed; a patient does not waive their HIPAA rights by posting his or her own information, and there is no HIPAA exception that allows a healthcare provider to disclose information in response to a negative review. In 2013, Shasta Regional Medical Center paid $275,000 to settle claims that it violated HIPAA when it disclosed a patient’s health information to the media in response to a negative newspaper article. (See Press Release). ProPublica recently published a report identifying numerous HIPAA violations resulting from providers’ ill-considered responses to negative internet reviews. (See article).

Read more

Conduct a Thorough HIPAA Risk Analysis or Pay Big Fines

/in

by Kim Stanger, Romaine Marshall, and C. Matt Sorensen, Holland & Hart LLP

St. Joseph Health recently agreed to pay $2.14 million to settle allegations by the Department of Health and Human Services Office for Civil Rights Office (“OCR”) that its data security was inadequate.

In its investigation of St. Joseph’s handling of a 2012 data breach that exposed 31,800 patient medical records, OCR claimed St. Joseph did not change the default settings on a new server, which allowed members of the public to access via search engines the personal health information of 31,800 patients for a full year. By failing to switch off its servers’ default setting, St. Joseph potentially violated the HIPAA Security Rule’s requirement to conduct a technical and nontechnical evaluation of any operational changes that might affect the security of ePHI.

In addition to paying $2.14 million, St. Joseph Health agreed to implement a corrective action plan that requires it to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies and procedures. St. Joseph had conducted an enterprise-wide risk analysis in 2010, but the OCR deemed that to be inadequate because the analysis did not include an evaluation of the technical specifications of St. Joseph’s servers. Read more

Check Your Business Associate Agreements: OCR Tags Health System for Outdated BAA

/in

By Kim Stanger, Holland & Hart LLP

The Office for Civil Rights (“OCR”) continues to emphasize the need for covered entities and business associates to have compliant business associate agreements (“BAAs”). Last week, the OCR announced a $400,000 settlement with a hospital system for failing to update its BAAs to include terms required by the 2013 HIPAA Omnibus Rule. In a press release, OCR Director Jocelyn Samuels stated,

This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule …. The Omnibus Final Rule outlined necessary changes to established business associate agreements and new requirements which include provisions for reporting.”

See Press Release here. Earlier this year, the OCR entered settlement agreements of $1,550,000 and $750,000 based on the covered entity’s failure to execute BAAs where the business associate had experienced a data breach. See reported settlements at https://www.hhs.gov/hipaa/newsroom/index.html. The lesson is clear: covered entities must have BAAs, and those BAAs must contain the required terms; failure to do so may subject the covered entity to liability for the business associate’s breach. Read more