By Robert Ayers
On June 10, OSHA announced two significant developments in the ongoing saga of COVID-19 restrictions in the workplace. First, OSHA issued an emergency temporary standard (ETS) applicable to healthcare settings. Second, OSHA updated its COVID-19 guidance for all other non-healthcare settings. Read more
By Kim Stanger
Idaho has joined several other states in revamping requirements for physician assistants (aka physician associates) effective July 1, 2021. The new law removes the requirement for individually identified supervising physicians and delegation of services agreements in favor of general oversight and/or collaborative practice agreements. Read more
by Kim Stanger
This week, the Office for Civil Rights (“OCR”) announced a $3,000,000 HIPAA settlement arising from a medical center’s loss of an unencrypted laptop and flash drive. (https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/urmc/index.html). This is simply the latest of many HIPAA settlements based on the failure to encrypt mobile devices. Similar settlements have arisen from lost or stolen smartphones, computers, hard drives, or other electronic media that were not properly encrypted.
Encryption is an addressable standard under the HIPAA Security Rule, which generally requires covered entities and business associates to “[i]mplement a mechanism to encrypt and decrypt electronic protected health information” and, for such data transmitted over a network, to “[i]mplement a mechanism to encrypt electronic protected health information whenever deemed appropriate.” (45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii)). The OCR explained the standard in a FAQ:
By Kim Stanger
Healthcare providers sometimes mistakenly assume that they cannot contact a patient’s spouse, parents, or other third parties to obtain payment without the patient’s consent. However, HIPAA generally allows healthcare providers to use or disclose protected health information for purposes of obtaining payment without the patient’s consent or authorization unless the provider has agreed otherwise with the patient. (45 CFR §§164.506(a), (c) and 164.524(a)). The Office for Civil Rights (“OCR”) published the following FAQ discussing this rule:
Does the HIPAA Privacy Rule permit a covered entity or its collection agency to communicate with parties other than the patient (e.g., spouses or guardians) regarding payment of a bill?
By Kim Stanger
Hospitals—especially rural hospitals—may want to divert inbound ambulances to other facilities, especially when the patient requires services that the hospital may be unable to provide. However, improper diversions may violate the Emergency Medical Treatment and Active Labor Act (“EMTALA”), 42 USC § 1395dd. EMTALA violations may result in penalties of $53,484 to $106,965, depending on the number of beds at the hospital. (42 CFR § 1003.510 and 45 CFR § 102).
EMTALA generally applies to individuals who come to the hospital’s emergency department. In addition to those persons who actually arrive at the hospital, “comes to the emergency department” is defined to include an individual who:
(3) Is in a ground or air ambulance owned and operated by the hospital for purposes of examination and treatment for a medical condition at a hospital’s dedicated emergency department, even if the ambulance is not on hospital grounds1 … [or]
(4) Is in a ground or air nonhospital-owned ambulance on hospital property for presentation for examination and treatment for a medical condition at a hospital’s dedicated emergency department. However, an individual in a nonhospital-owned ambulance off hospital property is not considered to have come to the hospital’s emergency department, even if a member of the ambulance staff contacts the hospital by telephone or telemetry communications and informs the hospital that they want to transport the individual to the hospital for examination and treatment. The hospital may direct the ambulance to another facility if it is in “diversionary status,” that is, it does not have the staff or facilities to accept any additional emergency patients. If, however, the ambulance staff disregards the hospital’s diversion instructions and transports the individual onto hospital property, the individual is considered to have come to the emergency department.
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.
View our privacy policy.