HIPAA Compliance News

Small North Carolina Healthcare Provider Fined $25,000 for HIPAA Security Rule Noncompliance

The HHS’ Office for Civil Rights (OCR) has announced that a $25,000 settlement has been reached with Metropolitan Community Health Services to resolve violations of the HIPAA Security Rule.

Washington, NC-based Metropolitan Community Health Services is a Federally Qualified Health Center that provides integrated medical, dental, behavioral health & pharmacy services for adults and children. Operating as Agape Health Services, Metro provides discounted medical services to the underserved population in rural North Carolina. Metropolitan Community Health Services has around 43 employees and serves 3,100 patients each year.

On June 9, 2011, Metropolitan Community Health Services filed a report with OCR over a breach of the protected health information of 1,263 patients. OCR conducted a compliance review to establish whether the breach was the direct result of noncompliance with the HIPAA Rules. The OCR investigation uncovered longstanding, systemic noncompliance with the HIPAA Security Rule.

Prior to the breach, Metropolitan Community Health Services had failed to implement HIPAA Security Rule policies and procedures, in violation of 45 C.F.R. §164.316, and an accurate and thorough assessment of the potential risks to the confidentiality, integrity, and availability of ePHI had not been conducted, in violation of 45 C.F.R. §164.308(a)(1)(ii)(A). Despite being in business since 1999, no HIPAA security awareness and training had been provided to the workforce prior to June 30, 2016, in violation of 45 C.F.R. §164.308(a)(5).

When deciding on an appropriate settlement, OCR took the size of the organization and several other factors into account. In addition to paying a financial penalty of $25,000 to resolve the HIPAA violations, Metropolitan Community Health Services has agreed to adopt a robust corrective action plan and will ensure policies and procedures are implemented to the standards required by HIPAA. Metropolitan Community Health Services will be monitored for compliance with the corrective action plan for a period of two years.

This is the second HIPAA violation penalty to be imposed on a HIPAA covered entity in 2020 to resolve violations of HIPAA Rules, the first being a $100,000 financial penalty in March 2020 for Steven A. Porter, M.D., for risk analysis and risk management failures.

The fine confirms that healthcare providers, large and small, are required to comply with HIPAA Rules. “Health care providers owe it to their patients to comply with the HIPAA Rules. When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information,” said Roger Severino, OCR Director.

The post Small North Carolina Healthcare Provider Fined $25,000 for HIPAA Security Rule Noncompliance appeared first on HIPAA Journal.

Guidance on Contacting COVID-19 Patients to Request Blood and Plasma Donations

When patients contract an infectious respiratory disease such as COVID-19, the immune system develops antibodies that provide protection if the pathogen is encountered again. The antibodies in the blood of patients who recover from such an illness are valuable, as not only will they provide protection for the patient, that protection could potentially be transferred to other patients.

Through the donation of blood and plasma two preparations can be made: Convalescent plasma and hyperimmune immunoglobulin. Convalescent plasma and hyperimmune immunoglobulin have both been used to successfully treat patients who have contracted other viral respiratory diseases. Given the severity of COVID-19 and the high mortality rate, these treatments could be vital for patients who are struggling to fight the infection. Research studies are now underway to test whether antibody treatments are effective against COVID-19.

To participate in these programs, patients who have previously been diagnosed with COVID-19 will need to be contacted and asked if they are willing to donate blood and plasma, but is this contact permitted by the HIPAA Privacy Rule?

On June 12, 2020, the Department of Health and Human Services’ Office for Civil Rights issued guidance to healthcare providers on the HIPAA Privacy Rule and contacting COVID-19 patients to request blood and plasma donations.

OCR explained that the HIPAA Privacy Rule does not prohibit healthcare providers from contacting COVID-19 patients to request blood and plasma donations and prior authorization from the patient is not required.

Healthcare providers can contact patients to advise them about the opportunities for donating blood and plasma to support the response to COVID-19 and to improve other patients’ chances of beating the disease.

HIPAA covered entities and business associates acting on their behalf can use or disclose PHI for the purposes of treatment, payment, and healthcare operations without first receiving authorization to do so from a patient. Requesting a donation of blood or plasma does not fall into the category of treatment, as the blood/plasma will not be used to treat the patient. Instead, it is being used for population-based health care operations to improve health, case management, and care coordination, which are included in the definition of healthcare operations.

There is some confusion over whether contacting patients to solicit blood donations would constitute marketing communications, which are generally not permitted by the HIPAA Privacy Rule without prior authorization from a patient.

In this case, an exception to the Privacy Rule’s Marketing provision applies. “A covered health care provider is permitted to make such communication for the covered entity’s population-based case management and related health care operations activities, provided that the covered entity receives no direct or indirect payment from, or on behalf of, the third party whose service is being described in the communication (e.g., a blood and plasma donation center),” explained OCR in the guidance.

An authorization is required from a patient before PHI can be disclosed to a third party, such as a blood and plasma donation center, to allow a COVID-19 patient to be contacted to request blood and plasma donations for the donation center’s own purposes.

Safe Partner Inc. Confirmed as HIPAA Compliant

Compliancy Group has announced that Safe Partner Inc. has demonstrated it has implemented an effective HIPAA compliance program and has successfully completed its proprietary 6-stage HIPAA risk analysis and remediation process.

Safe Partner Inc. is a Belmont, CA-based boutique software development and consulting company that provides a full range of software services, from design to development, implementation, and ongoing customer support. The company was formed in 1995 and works with clients in a wide range of industry sectors, including healthcare. Some of the software solutions developed by the company interact with healthcare data, which means the company is classed as a business associate and must comply with HIPAA Rules.

To ensure that no aspect of HIPAA compliance was missed, Safe Partner Inc. sought assistance from Compliancy Group. Assisted by the company’s compliance coaches and using the firm’s HIPAA compliance tracking software solution, The Guard, Safe Partner Inc. was able to demonstrate its HIPAA compliance program covered all aspects of the HIPAA Privacy, Security, Omnibus, and Breach Notification Rules. The company also conducted a comprehensive risk analysis to identify all potential risks to the confidentiality, integrity, and availability of protected health information, and ensured risks were effectively mitigated in accordance with the requirements of the HIPAA Security Rule.

After demonstrating to Compliancy Group that its policies and procedures met the minimum standards required by HIPAA, the company’s good faith effort toward HIPAA compliance was recognized and the company was awarded the Compliancy Group HIPAA Seal of Compliance.

The HIPAA Seal of Compliance helps the company differentiate its services and demonstrates to current and future clients that Safe Partner Inc. is committed to ensuring the privacy and security of any healthcare data provided to the company or accessible through its software solutions.

Healthcare Workers in Michigan and Illinois Fired for HIPAA Violations

Ann & Robert H. Lurie Children’s Hospital of Chicago has terminated an employee for improperly accessing the medical records of patients without authorization over a period of 15 months.

The privacy violations were identified by the hospital on March 5, 2020. The employee’s access to hospital systems was immediately terminated while the investigation was conducted. After reviewing access logs, the hospital found that the employee had accessed the medical records of 4,824 patients without authorization between November 2018 and February 2020.

The types of information accessed by the employee included names, addresses, dates of birth, diagnoses, medications, appointments, and medical procedures. No health insurance information, financial information, or Social Security numbers were accessed.

No reason has been given as to why the medical records were accessed, but the hospital says it does not believe the employee obtained, misused, or disclosed the information to anyone else. The hospital said the employee no longer works at the hospital.

This is not the first incident of its type to occur at Lurie Children’s Hospital. A similar incident was discovered in November 2019, when the hospital learned that a former employee accessed the medical records of patients without authorization between September 2018 and September 2019.

Mercy Health Fires Nurse for Multiple Privacy Violations

Mercy Health has also recently taken action against an employee for alleged violations of the HIPAA Privacy Rule. A nurse at Hackley Hospital in Muskegon, MI was terminated on April 3, 2020. The termination came shortly after the nurse raised concerns in media interviews about the level of preparedness of the hospital for the COVID-19 pandemic and how the alleged lack of preparedness put safety at risk. The nurse contacted the Michigan Nurses Association Labor Union, which claimed that Mercy Health fired the nurse for speaking out. The Labor Union also filed a charge with the National Labor Relations Board.

“Howe’s termination came on the evening of April 3, days after he had publicly raised concerns about lack of appropriate PPE and the need for improved screening measures to keep nurses and healthcare workers safe during the COVID-19 pandemic,” said the Labor Union in an April 21, 2020 press release.

Ten days after the nurse was fired, and one day after the press release was issued by the Labor Union, Mercy Health released a press release of its own stating the nurse was fired for multiple violations of HIPAA Rules. Mercy Health said it does not usually share details about employment matters related to its workers but was compelled to speak out due to the “misinformation campaign” led by the Labor Union.

Mercy Health claims the fired nurse, Justin Howe, was terminated for accessing the medical records of multiple patients over a period of several days. The records were not for patients receiving treatment at the campus where the nurse worked, and there was no legitimate work reason for accessing those records. Mercy Health claims that Howe was not the only nurse terminated for improper medical record access.

According to Mercy Health’s press release, “We have mechanisms in place to monitor for inappropriate access of privileged information. As part of this review process, Mr. Howe along with others were terminated for the same. This investigative effort is still in process.”

OCR Issues Guidance on Media and Film Crew Access to Healthcare Facilities

The HHS’ Office for Civil Rights (OCR) has issued guidance to healthcare providers to remind them that the HIPAA Privacy Rule does not allow the media and film crews to access healthcare facilities where patients’ protected health information is accessible unless written authorization has been obtained from the patients concerned in advance. A public health emergency does not change the requirements of the HIPAA Privacy Rule, which remains in effect in emergency situations.

OCR has made this clear in the past with enforcement actions against Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital in 2018 after it was discovered they had given film crews access to their facilities without first obtaining authorization from patients. They were fined a total of $999,000 for the HIPAA violations.

OCR has issued Notices of Enforcement Discretion during the coronavirus pandemic and will not be imposing sanctions and financial penalties on HIPAA-covered entities for certain violations of HIPAA Rules. Penalties can and will be imposed on covered entities for violations of HIPAA Rules not covered by the Notices of Enforcement Discretion, such as unauthorized disclosures to the media.

In the latest guidance, OCR explains that protected health information includes written, electronic, oral, and other visual and audio forms of health information which must be protected against unauthorized access and disclosure. In all cases, HIPAA authorizations must be obtained from patients in advance, before the film crews are granted access to the facilities. It is not permissible for film crews to simply mask the identities of patients in video footage, such as blurring faces before broadcast.

The HIPAA Privacy Rule does not prohibit film crews from entering healthcare facilities. Provided HIPAA authorizations have been obtained in advance from all patients who are in or will be in the areas accessed by the film crews, filming is permitted. However, in such situations, reasonable safeguards must still be put in place to protect against unauthorized disclosures of PHI, including measures such as privacy screens on computer monitors to prevent electronic PHI from being viewed. Screens must also be used to ensure patients who have not signed HIPAA authorizations are not filmed.

“The last thing hospital patients need to worry about during the COVID-19 crisis is a film crew walking around their bed shooting ‘B-roll,’” said Roger Severino, OCR Director. “Hospitals and health care providers must get authorization from patients before giving the media access to their medical information; obscuring faces after the fact just doesn’t cut it.”

Ciitizen HIPAA Right of Access Study Shows Significant Improvement in Compliance

There has been a significant improvement in compliance with the HIPAA Right of Access, according to the latest Patient Record Scorecard Report from Ciitizen.

To compile the report, Ciitizen conducted a study of 820 healthcare providers to assess how well each responded to patient requests for copies of their healthcare data. A wide range of healthcare providers were assessed for the study, from single physician practices to large, integrated healthcare delivery systems.

The HIPAA Privacy Rule gives patients the right to request a copy of their healthcare data from their providers. Requests must be submitted in writing, and healthcare providers are required to provide the patient with a copy of the health data in a designated record set within 30 days of the request being submitted. The data must be provided in the format requested by the patient if the PHI is readily producible in that format. In cases where data cannot be provided in the requested format, the provider should give the patient a printed copy of their healthcare data or provide the data in an alternative format, as agreed with the patient.

For each study, requests for copies of healthcare data are sent to healthcare providers by Ciitizen users. The provider then receives a rating from 1 to 5 based on its response. A 1-star rating represents a non-HIPAA-compliant response. 2 stars are awarded when requests are eventually resolved satisfactorily, but only after multiple escalations to supervisors. A 3-star rating is given when the request is satisfied with minimal intervention, and a 4-star rating is given to providers that are fully compliant and have a seamless response. A 5-star rating is reserved for providers with a patient-focused process who go above and beyond the requirements of HIPAA.

Previous studies revealed a majority of providers (51%) were not compliant with the HIPAA Right of Access. The latest study saw that percentage fall to 27%. The percentage of providers awarded 4 stars for their responses increased from 40% to 67%, and the percentage of providers awarded 5 stars increased from 20% to 28%.

There was further good news from this year’s study. Under HIPAA, healthcare providers are permitted to charge patients a reasonable, cost-based fee for producing the records, but only 6% of the 820 healthcare providers charged fees.

In previous studies, many healthcare providers required patients to complete a standard form, yet this year, most providers accepted any form of written request and did not require patients to complete a particular form before the request was processed.

The latest study saw a significant increase in assessments, which may have accounted, in part, for the improvements in compliance. Fifty-one providers were assessed for the first Patient Record Scorecard report, 210 in the second, and 820 in the third. Ciitizen points out that the percentage of non-compliant providers in those studies did correlate with a separate study conducted on 3,000 providers, which suggests that the improvements made are genuine.

Ciitizen attributes the improvements in compliance to three main factors. A greater emphasis has been placed on the right of individuals to obtain copies of their healthcare data following the publication of new rules by the HHS’ Centers for Medicare and Medicaid Services and the HHS’ Office of the National Coordinator for Health IT, which make it easier for patients to obtain copies of their healthcare data.

There has also been a positive influence from release of information (ROI) vendors. ROI vendors process patient requests on behalf of covered entities and help those entities comply with the HIPAA Right of Access. Finally, the HHS’ Office for Civil Rights launched a HIPAA Right of Access enforcement initiative last year. Under that initiative, two penalties of $85,000 were imposed on covered entities that failed to comply with requests from patients to provide copies of their PHI.

The Ciitizen Patient Record Scorecard Reports, and the website set up by Ciitizen that shows the scores of each provider, may also have played a role in encouraging healthcare providers to comply with this important aspect of HIPAA.

HHS Delays Enforcement of New Interoperability and Information Sharing Rules

The HHS will be exercising enforcement discretion in relation to compliance with the new interoperability and information sharing rules that were finalized and issued by the HHS’ Centers for Medicare and Medicaid Services (CMS) and the HHS’ Office of the National Coordinator for Health IT (ONC) on March 9, 2020.

The decision to delay enforcement is due to the COVID-19 pandemic. The CMS, ONC, and HHS’ Office of Inspector General (OIG) believe that during a pandemic of the magnitude of COVID-19, healthcare organizations need to be given some flexibility in complying with the new interoperability and information sharing rules.

The dates for compliance with the new rules remain unchanged, although both agencies will be exercising enforcement discretion to allow healthcare organizations to continue to focus their efforts on addressing the COVID-19 pandemic.

“ONC remains committed to ensuring that patients and providers can access electronic health information, when and where it matters most. During this critical time, we understand that resources need to be focused on fighting the COVID-19 pandemic,” said Donald Rucker, MD, National Coordinator for Health Information Technology. “To support that important work and the information sharing efforts we are already seeing, ONC intends to exercise enforcement discretion for 3 months at the end of certain ONC Health IT Certification Program compliance dates associated with the ONC Cures Act Final Rule to provide flexibility while ensuring the goals of the rule remain on track.”

The compliance dates and ONC’s enforcement discretion dates and timeframes can be viewed on this link.

The CMS is giving healthcare organizations an additional 6 months to comply with its rule. “Now more than ever, patients need secure access to their healthcare data. Hospitals should be doing everything in their power to ensure that patients get appropriate follow-up care,” said CMS Administrator, Seema Verma. “Nevertheless, in a pandemic of this magnitude, flexibility is paramount for a healthcare system under siege by COVID-19. Our action today will provide hospitals an additional 6 months to implement the new requirements.”

The CMS, ONC, and OIG will continue to monitor the implementation landscape to determine if any further action is needed.

HHS’ Office of Inspector General Proposes Rule for Civil Monetary Penalties for Information Blocking

On Tuesday, the HHS’ Office of Inspector General (OIG) proposed a rule that amends civil monetary penalty (CMP) rules to also cover information blocking.

“When implemented, the new CMPs for information blocking will be an important tool to ensure program integrity and the promised benefits of technology and data,” said Christi A. Grimm, OIG Principal Deputy Inspector General.

OIG understands that during the COVID-19 public health emergency, healthcare organizations are focused on providing treatment and follow-up care to patients. OIG is fulfilling its obligations by publishing the new rule but is also trying to be as flexible as possible to minimize the burden on healthcare organizations on the front line dealing with the COVID-19 pandemic. OIG is seeking comment from healthcare organizations and industry stakeholders on when information blocking enforcement should begin.

OIG explained that all entities and individuals required to comply with the new information blocking regulations will be given time to achieve compliance before enforcement begins. OIG has proposed the earliest date for enforcement is the compliance date of the ONC Final Rule published on March 9, 2020 but has proposed a 60-day delay to enforcement due to the COVID-19 pandemic.

The proposed rule does not introduce any new requirements concerning information blocking. Instead, OIG will be incorporating the regulations published by the Office of the National Coordinator for Health Information Technology (ONC) in March, and will be using that rule as the basis for enforcing information blocking CMPs.

OIG said civil monetary penalties will only be imposed on entities and individuals when there have been intentional information blocking violations. OIG will not impose civil monetary penalties on entities and individuals in cases where innocent mistakes have been made. In order to determine intent, OIG will work closely with both the ONC and the HHS’ Office for Civil Rights. The proposed rule also explains the basis for determining whether there have been single or multiple violations of information blocking provisions of the ONC rule.

ONC explained that it will prioritize investigations where conduct has caused or has the potential to cause harm, where information blocking has significantly impacted a provider’s ability to provide care for patients, cases involving information blocking over a long period of time, deliberate information blocking, and cases where conduct has caused financial loss to Federal healthcare programs or other government or private entities.

The proposed rule also makes changes in two other areas. There are new authorities for civil monetary penalties, assessments, and exclusions related to HHS grants, contracts and other agreements in relation to fraud, and the maximum penalties for certain violations will be increased in accordance with changes made by the Bipartisan Budget Act of 2018.

The OIG proposed rule has been published in the Federal Register and can be viewed on this link. Comments on the proposed rule will be accepted for 60 days from the date of publication in the Federal Register.

Court Rules McHenry County Health Department Must Disclose COVID-19 Patients’ Names to 911 Dispatchers

The McHenry County Health Department in Illinois has been refusing to provide the names of COVID-19 patients to 911 dispatchers to protect the privacy of patients, as is the case with patients that have contracted other infectious diseases such as HIV and hepatitis.

The Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule permits disclosures of PHI to law enforcement officers, paramedics, and 911 dispatchers under certain circumstances, which was clarified by the HHS’ Office for Civil Rights in a March 24, 2020 guidance document, COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities.

In the document, OCR explained that “HIPAA permits a covered county health department, in accordance with a state law, to disclose PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19. 45 CFR 164.512(b)(1)(iv).” OCR also explained that “disclosing PHI such as patient names to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.”

While the disclosures are permissible, the County Health Department said on Friday it will not disclose that information, as doing so violates the privacy of patients and creates a false sense of security for first responders, who must assume that every home they visit could house a person who has contracted COVID-19 and could transmit the coronavirus. The County Health Department recommended that first responders take the same precautions in all interactions with the community.

“In MCDH’s professional public health opinion, given what we know about how this disease spreads, the general lack of testing, epidemiological data and the stay-at-home order, providing the personal names of cases exceeds the minimum information needed to protect law enforcement,” explained MCDH.

Several law enforcement agencies in McHenry County took legal action to force the County Health Department to disclose the information to better protect first responders. Two lawsuits were filed, one on behalf of four police departments in the County and the other by the County Sheriff’s office. The police department lawsuit requested that the information be released to the McHenry County Emergency Telephone System Board. That would ensure that any officers responding to incidents would be made aware if they need to take extra precautions. The County Sheriff argued in its lawsuit that it was not possible for officers to take the same precautions in every interaction with a member of the public, as there was not enough personal protective equipment available.

On Friday evening, a temporary court order was issued requiring MCDH to disclose the information. In the ruling, it was explained that “The availability of the names at issue best enables police officers to do their job and protect the community to the fullest extent of their ability.”

As a result of the court order, MCDH will start providing the names of patients, on request, but only to dispatchers on a call-by-call basis. MCDH has requested the “tightest control” of any information that is disclosed, to protect the privacy of its patients.