Disclaimer
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.
Medical Record Retention Guidelines
In Providers, by Melissa Lou, Kim Stanger, and Christopher Mack
Clients frequently ask us how long they should retain medical records and related business records. The answer depends on various factors, including the type of record, applicable regulatory and contract requirements, and the provider’s risk tolerance and resources. Nevertheless, state record retention guides may be valuable to clients as they consider their internal policies. The Idaho, Utah, and Wyoming state charts below are intended as a guideline. Providers should confirm laws that may apply in their particular state, or that may apply to their particular situation.
Identifying Business Associates: Make Sure You Have BAAs in Place
In HIPAA, by Kim Stanger
Failing to have HIPAA business associate agreements (“BAAs”) can result in significant penalties for healthcare providers and business associates. Last month, the OCR imposed a $500,000 settlement and robust corrective action plan against a physician group that failed to have a BAA with its billing company. After the billing company improperly allowed access to protected health information on its website, the OCR looked to the physician group to pay the price. (See https://www.hhs.gov/about/news/2018/12/04/florida-contractor-physicians-group-shares-protected-health-information-unknown-vendor-without.html).
Under HIPAA, “business associates” are essentially those entities who create, access, maintain or transmit PHI on behalf of a healthcare provider. (45 CFR § 160.103, definition of “business associate”). HIPAA requires healthcare providers to execute a BAA before disclosing protected health information (“PHI”) to their business associate. (45 CFR § 164.502(e)). It also requires business associates to execute a BAA with their subcontractors who handle PHI on behalf of the business associate. (Id.). The BAA must contain certain required terms. As recent settlements confirm, healthcare providers who fail to execute a BAA are subject to HIPAA penalties and may be vicariously liable for their business associate’s misconduct.
HIPAA Breach Notification: When and How to Self-Report
In HIPAA, by Kim Stanger
So you just discovered that protected health information (“PHI”) from your organization was improperly accessed or disclosed. Are you required to self-report the violation to the affected individual and HHS?
HIPAA Breach Notification Rule. Not all HIPAA violations are required to be reported to the relevant patient or HHS. Under the breach notification rule, covered entities are only required to self-report if there is a “breach” of “unsecured” PHI. (45 CFR § 164.400 et seq.).
EMTALA: Guide for Exams, Treatment and Transfers
In EMTALA, by Kim Stanger
The Emergency Medical Treatment and Active Labor Act (“EMTALA”) generally requires hospitals to provide emergency care to patients who come to the hospital; violations may result in penalties of $53,000 to $105,000; private lawsuits; and/or termination of the hospital’s Medicare provider agreement. To help hospitals and providers comply, Holland & Hart has published its EMTALA Guide, which is available here. Among other things, the Guide addresses:
For questions regarding this update, please contact:
Kim C. Stanger
Holland & Hart, 800 W Main Street, Suite 1750, Boise, ID 83702
email: kcstanger@hollandhart.com, phone: 208-383-3913
Department of Health & Human Services Upgrades Security Risk Assessment Tool
In HIPAA, OCR, by Kim Stanger, Steven Lau, and Romaine Marshall
Under the Health Information Privacy and Portability Act (HIPAA), “covered entities” (generally speaking, health care providers and their business associates) must all complete a risk assessment to identify and mitigate potential security risks (45 C.F.R. 164.308(a)(1)(ii)(A)). As many companies and providers have discovered, completing a risk assessment is time- and resource-intensive and can be an overwhelming and expensive undertaking.