Conduct a Thorough HIPAA Risk Analysis or Pay Big Fines
In HIPAA. By Kim Stanger, Romaine Marshall, and C. Matt Sorensen, Holland & Hart LLP
St. Joseph Health recently agreed to pay $2.14 million to settle allegations by the Department of Health and Human Services Office for Civil Rights (“OCR”) that its data security was inadequate.
In its investigation of St. Joseph’s handling of a 2012 data breach that exposed 31,800 patient medical records, OCR claimed St. Joseph did not change the default settings on a new server, which allowed members of the public to access via search engines the personal health information of 31,800 patients for a full year. By failing to switch off its servers’ default setting, St. Joseph potentially violated the HIPAA Security Rule’s requirement to conduct a technical and nontechnical evaluation of any operational changes that might affect the security of ePHI.
In addition to paying $2.14 million, St. Joseph Health agreed to implement a corrective action plan that requires it to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on these policies and procedures. St. Joseph had conducted an enterprise-wide risk analysis in 2010, but the OCR deemed that to be inadequate because the analysis did not include an evaluation of the technical specifications of St. Joseph’s servers.
Office of the National Coordinator for Health Information Technology Issues Formal Guidance for Selecting and Negotiating Contracts with Electronic Health Record Vendors
In Health Information. By Teresa Locke, Holland & Hart LLP
On September 26, 2016, the U.S. Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health Information Technology (ONC) released a practical and straightforward tool to assist health care providers as they select and negotiate the acquisition of an electronic health record system (EHR). The document’s title accurately encapsulates the content of the 53-page guide: “EHR Contracts Untangled: Selecting Wisely, Negotiating Terms, and Understanding the Fine Print.” The guide can be found at https://www.healthit.gov/sites/default/files/EHR_Contracts_Untangled.pdf. The new contract guide explains important concepts in EHR contracts and includes example contract language to help providers and health administrators in planning to acquire an EHR system and negotiating contract terms with vendors.
Resources for ACA Notice of Nondiscrimination: Beware October 16 Deadline
In ACA, Nondiscrimination, Interpreters and Translators. By Kim Stanger, Holland & Hart LLP
For those healthcare providers who have postponed creating the mandatory Notice and Statements of Nondiscrimination required by Section 1557 of the ACA, HHS has made it relatively easy for you to comply with the October 16 deadline by providing helpful resources:
Check Your Business Associate Agreements: OCR Tags Health System for Outdated BAA
In HIPAA. By Kim Stanger, Holland & Hart LLP
The Office for Civil Rights (“OCR”) continues to emphasize the need for covered entities and business associates to have compliant business associate agreements (“BAAs”). Last week, the OCR announced a $400,000 settlement with a hospital system for failing to update its BAAs to include terms required by the 2013 HIPAA Omnibus Rule. In a press release, OCR Director Jocelyn Samuels stated,
“This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule …. The Omnibus Final Rule outlined necessary changes to established business associate agreements and new requirements which include provisions for reporting.”
See the OCR press release. Earlier this year, the OCR entered settlement agreements of $1,550,000 and $750,000 based on the covered entity’s failure to execute BAAs where the business associate had experienced a data breach. See reported settlements at https://www.hhs.gov/hipaa/newsroom/index.html. The lesson is clear: covered entities must have BAAs, and those BAAs must contain the required terms; failure to do so may subject the covered entity to liability for the business associate’s breach.
Idaho Board of Medicine Disavows the Corporate Practice of Medicine Doctrine
In Hospitals & Health Systems, Physician Practices. By Kim Stanger, Holland & Hart LLP
For decades, the Idaho Board of Medicine took the position that, with limited exceptions, the Idaho Medical Practice Act “prohibits unlicensed corporations and entities from hiring physicians as employees to provide medical services to patients.” Memo from J. Uranga to Idaho State Bd. of Medicine dated 2/26/07. This “corporate practice of medicine doctrine” had its Idaho foundation in a 1952 Idaho Supreme Court case which held that:
[n]o unlicensed person or entity may engage in the practice of the medical profession though licensed employees; nor may a licensed physician practice as an employee of an unlicensed person or entity. Such practices are contrary to public policy.
Worlton v. Davis, 73 Idaho 217, 221 (1952). The Board of Medicine warned that violations of the doctrine may result in disciplinary action against physicians and, more recently, physician assistants. Entities that improperly employed physicians or physician assistants risked the possibility of criminal action for the unauthorized practice of medicine.
Over the years, the corporate practice of medicine doctrine has been criticized as anachronistic and inconsistent with recent legislative action. See, e.g., M. Gustavson and N. Taylor, At Death’s Door—Idaho’s Corporate Practice of Medicine Doctrine, 47 Idaho L. Rev. 480 (2011).