HIPAA Law

HIPAA Breach: Who You Gonna Call?

Everyone knows that you call a plumber for a leaking pipe, a mason for a cracked stonewall, and an electrician to fix faulty wiring. However, when faced with an actual or suspected HIPAA data breach, many folks struggle with determining whom to call. Failure to have contacts lined up ahead of time may pose more than an inconvenience–any delay in bringing in experienced advisors to assist with breach investigation, response and mitigation may result in significant financial and legal consequences.

HIPAA covered entities and business associates should have a written breach response policy and protocol. The policy and protocol should provide clear guidance to the covered entity’s or business associate’s staff regarding how to respond to an actual or suspected breach. Among other things, the policy and protocol should include a roster of resources staff persons may rely upon, including legal counsel, forensic and IT consultants, public relations/marketing professionals, and human resources advisors. Given the necessity of responding to a breach promptly, covered entities and business associates should not wait for a breach to occur in order to start assembling a team.

In light of the risk of lawsuits or government enforcement, the first call to make should be to an attorney experienced in data privacy matters. The value in contacting an experienced attorney, aside from expertise in the legal requirements imposed by HIPAA and other state and federal laws that may apply, is that bringing in an attorney at the start may allow the covered entity or business associate to protect the subsequent breach investigation and response under attorney-client privilege. By doing so, the covered entity or business associate may be able to protect the confidentiality of damaging facts (such as investigatory reports citing failures in the covered entity’s or business associate’s privacy safeguards) from plaintiff’s counsel seeking to sue for damages. While there is no guarantee that asserting attorney-client privilege will be successful in all instances, having an attorney involved and directing the investigation from the start is often the only chance a covered entity or business associate has at protecting damaging information from litigants and the public.

Aside from legal counsel, covered entities and business associates should have a list of trusted forensic and IT consultants. When electronic protected health information (ePHI) is involved, consultants experienced in HIPAA matters are necessary. They may be needed to investigate a hack or ransom-ware attack; audit the online activities of a rogue employee; report on what information may have been on a lost or stolen mobile device; or recover data from a damaged hard drive.

Data breaches often result in considerable media attention, particularly when notice to the media is required. Protection of an entity’s reputation is crucial to retain customer and public trust and the service of a media relations professional is often invaluable. If employees are involved in the breach, seek advice from an HR professional prior to conducting employee interviews, sanctions or termination – particularly if a unionized workforce is involved.

A HIPAA breach is like a fire drill – you need to respond quickly and cannot ignore the warnings. Having the right team in place ahead of time will ensure a timely, appropriate and cost-effective response to the breach.

The post HIPAA Breach: Who You Gonna Call? appeared first on HIPAA.com.

Can I Be Sued for a HIPAA Violation?

I am asked that question almost weekly. While the answer has traditionally been “no,” the legal landscape is shifting and the risk of being sued continues to increase.

Let’s first start with some background. As some of you may know, HIPAA does not include a “private right of action.” This means that an individual may not file a claim against a covered entity or a business associate in order to enforce HIPAA or seek damages in response to a HIPAA violation. For example, a patient is not able to sue a dentist if the dentist fails to distribute a Notice of Privacy Practices or enter into a business associate agreement. The sole remedy of an aggrieved individual is to file a complaint with the United States Department of Health and Human Services Office for Civil Rights (“OCR”) or, more recently, with a state Attorney General. In addition, in some states, individuals have been able to file complaints regarding generalized privacy concerns with various state regulatory agencies, such as a state health or consumer protection department. With respect to OCR, notification of the right to file a complaint and the process for doing so is generally set forth in a covered entity’s Notice of Privacy Practices.

Since HIPAA was enacted, the lack of a private right of action has provided solace to covered entities and business associates, particularly since complaints tend to be few in number. Moreover, OCR investigations of complaints have often resulted in compliance agreements and consent orders, rather than court actions or civil damages, both of which would require the covered entity or business associate to expend considerable sums on attorney fees, court costs and payment of damages.

While there is no hint at this time that Congress is contemplating including a private right of action in HIPAA (i.e. allowing individuals to sue to enforce HIPAA), aggrieved patients and their counsel have been finding other ways to file claims for HIPAA violations and use HIPAA violations as the basis for seeking monetary damages. For example, in some states, patients have filed suit against health care providers on the grounds of negligence – claiming that the provider was negligent when violating HIPAA and thus must be held liable for damages. A recent example from Connecticut illustrates the way these lawsuits operate:

A physician received a subpoena for medical records. The physician supplied the medical records as requested by the subpoena; however, the subpoena did not comply with HIPAA. The subject of the medical records sued, alleging that HIPAA creates a “standard of care” for all health care providers and that the failure of the physician to adhere to that standard of care was “negligent.” The physician sought to block the suit but the Connecticut Supreme Court allowed it to continue. As of this date, the lawsuit is making its way through the Connecticut state courts. In addition, lawsuits are currently being prepared and filed in response to the recent Anthem breach and many will be claiming negligence or violation of various state privacy or insurance regulations.

These types of lawsuits would have been unheard of even just a few years ago. However, while still not widespread or common, the emergence of these suits poses significant risk management and liability concerns for any health care provider, health insurance company or vendor subject to HIPAA. The risk of a lawsuit is most pertinent to HIPAA violations which may cause financial, reputational or other harm to a party. Hypothetical examples, based upon real life incidents, include:

  • Inappropriate disclosure of medical records in response to a subpoena, which causes a former patient to lose custody of her children.
  • Inappropriate disclosure of a child’s medical record to an estranged parent after the health care provider failed to verify the estranged parent’s authority to access records, which leads to the estranged parent to discover where the child now resides.
  • Inappropriate use of medical records by hospital staff as part of a “hot or not” game which causes severe embarrassment and distress to certain patients. A negligent attorney and an angry patient could potentially make a claim based upon any of the above and may seek a significant financial settlement or payout.

In light of the potential for such lawsuits and the significant damages that may be awarded, covered entities and business associates should consider reviewing their HIPAA compliance programs to identify weaknesses and institute safeguards and protocols to reduce the likelihood of inappropriate disclosures that may lead to a patient filing suit. Such safeguards may include, based upon the above examples, a subpoena review checklist, verification procedures, a reliable reporting protocol or other procedures to allow the entity or its staff to verify that information is being used and disclosed appropriately.

 

The post Can I Be Sued for a HIPAA Violation? appeared first on HIPAA.com.

Business Associate Agreements – a First Look at Indemnification

A party’s responsibilities under HIPAA generally come from two sources – the law itself and the business associate agreement entered into between the covered entity (the health care provider or health plan) and the business associate (its vendor). While all parts of a business associate agreement are important, there are certain terms that are most likely to affect the parties’ liability and obligations.

One of these key terms is indemnification, and it is often the section of the business associate agreement that lawyers most often fight over. Folks often wonder why lawyers tend to focus so much on this section, and the short answer is that when things go wrong–such as a data breach or HIPAA violation–indemnification is the clause which that determines who pays, when they must pay, and how much they owe. In other words, it’s the money clause.

Indemnification is the concept through which the party at fault makes the other party whole; in other words, the party at fault will pay the costs, expenses, fines, and losses that the other party incurs.

While many underlying agreements will address indemnification (such as a service agreement or consulting agreement), it is often best to address indemnification in the business associate agreement and how it specifically applies to the use and disclosure of protected health information (PHI). Your goal is to not incur costs or damages due to the act or omission of the other party, or to at least limit your exposure to such costs. The costs and damages a party is typically most worried about are those incurred due to a data breach or HIPAA violation by the other party, such as attorney fees, notification costs, credit monitoring, or fines.

Let’s take an example of a typical data breach to demonstrate the importance of indemnification:

City Hospital hires a consulting firm to provide it guidance with improving patient outcomes. As part of the engagement, a consultant downloads a list of patient records to a laptop. Unbeknownst to the consultant, IT mistakenly failed to encrypt the laptop. While in an airport, the laptop is stolen. The consultant reports the breach to her employer and the hospital is notified.

When notice of the stolen laptop reaches a hospital executive or executive director of the consulting firm, one of the first questions asked will be: “what is this going to cost us?” When faced with a data breach that can easily cost a health care facility six figures, the first place the facility and its attorneys will look is to the indemnification clause. This paragraph will tell them who is responsible to pay the costs of the data breach (does the hospital pay or the consultant?), how much the obligated party must pay (if the consultant must pay, is there a cap?), and which costs the obligated must pay (if the consultant must pay, does the consultant need to pay the hospital’s attorney fees?)

Moreover, what if the business associate lacks an indemnification clause? In that case, someone will need to inform the hospital’s CEO that the hospital may be unable to recover its costs, or may attempt to do so only at considerable expense. No one wants to be in the position of breaking such news to the CEO.

In a future post, we will look at the most important issues to keep in mind when drafting indemnification clauses in order to appropriately protect your organization.

 

The post Business Associate Agreements – a First Look at Indemnification appeared first on HIPAA.com.

Gmail, Google Apps for Business HIPAA Business Associate Agreements

The Health Insurance Portability and Accountability of Act demands that all HIPAA covered businesses prevent unauthorized access to “Protected Health Information” or PHI. PHI includes patients’ names, addresses, and all information pertaining to the patients’ health and payment records. According to the Department of Health and Human Services, “HIPAA Rules apply to covered entities and business associates.” Complete compliance with HIPAA guidelines requires implementation of basic and advanced security measures. Basic security includes benchmark-based password creation and use, personnel education and training, limited access to PHI, data encryption, use of firewalls, antivirus software, and digital signatures. With increasing adoption of electronic medical records and cloud-based software-as-service (SaaS), advanced security measures are necessary. Google’s Business Associate Agreement, introduced in September 2013, offers HIPAA compliant online services for covered entities.

Online Security: Google’s Business Associate Agreement

Many healthcare businesses use Google Business Apps. Google Business Apps are cloud-based software-as-service (SaaS) where small businesses have access to a suite of Google services such as Gmail, Google Calendar, Docs, Drive (storage), Apps etc. Google uses Ernst and Young third party evaluated and ISO 27001 certified encryption and authentication. But despite these foundational precautions, not all components of GBA have a level of security necessary for HIPAA compliance.

Enter Google’s Business Associate Agreement (BAA). Google’s Business Associate Agreement provides an additional layer of online safety by offering HIPAA compliant security for users of Google Apps Vault, Gmail, Google Calendar, and Google Drive. Businesses that opt for this agreement are precluded from using any of the other services in the Google Business Apps package (such as Google Docs, Hangouts, Marketplace, websites, etc), under the domain registered with and covered by Google’s Business Associate Agreement. Google’s BAA guidelines state “Customers who have not entered into a BAA with Google must not use Google services in connection with PHI.” The agreement requires that HIPAA covered businesses sign up for a Google Apps for Business Administrator account.

Training Reduces Human Errors

In addition to having the best online security, complete compliance requires implementation of solid procedures and policies, which includes training for staff members to prevent human errors. The Privacy and Security Rules require that healthcare businesses educate and train workers regarding policies and procedures for HIPAA compliance. Training requires experience and specialized knowledge that even the most advanced healthcare executive may not have.

When evaluating HIPAA training services, make sure the company you choose provides a complete HIPAA training package and is knowledgeable about online security strategies. Training should be affordable, but also useful in other ways. For example, HIPAA training that offers CME and CEU credits is a good way to maintain compliance with HIPAA law while helping your employees maintain valuable credentials.

The post Gmail, Google Apps for Business HIPAA Business Associate Agreements appeared first on HIPAA.com.

The Reality of HIPAA Violations and Enforcement

Who is ultimately responsible for enforcement of HIPAA and what types of penalties are levied when a covered entity or business associate is found to be non-compliant with the regulations? Many healthcare offices and their staff don’t know the answer to this question; they have only a vague notion about the enforcement and the consequences of not adhering to the law.

The real HIPAA enforcement agency is the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Complaints are filed with the OCR, and they are responsible for administering, investigating and enforcing the HIPAA privacy standards. The Centers for Medicare & Medicaid (CMS) enforce the code set and security standards.

The American Recovery and Reinvestment Act of 2009 created a tiered penalty configuration for HIPAA violations. But it is the OCR that determines the amount of each penalty, and it is dependent upon the nature and extent of harm that results from the breach. For example:

  • The fine for a first time infringement by someone who did not know they violated HIPAA could be as low as $100 or as high as $50,000.
  • The fine for a violation due to willful neglect, but corrected within the required time period, is a minimum of $10,000 per violation with a maximum of $50,000.
  • The fine when the willful neglect violation is not corrected increases from $10,000 to $50,000.

However, whenever there is a violation that is not considered willful neglect and it is corrected within 30 days of notice, the OCR cannot impose the civil penalty.

A Privacy Rule infraction can be considered criminal and may lead to prosecution by the Department of Justice if someone deliberately acquires or discloses a person’s health information; the fine is $50,000 and up to one year in jail. Whenever an offense is committed through deception, the fine is $100,000 and the jail time is 5 years. And, if person’s health information was sold, transferred or used for profit-making, or any type of personal gain or intent to harm, the fines can go as high as $250,000 with imprisonment for up to 10 years.

Knowing that enforcement of HIPAA is real and that the penalties can be financially and professionally devastating, healthcare offices need to prioritize their training efforts for all of their staff. There truly is no excuse for any healthcare office not to be thoroughly trained in HIPAA law, because if they are found to be out of compliance HHS will not accept ignorance of the law as a defense.

The post The Reality of HIPAA Violations and Enforcement appeared first on HIPAA.com.

Five Steps to HIPAA Security Compliance

The health insurance portability and accountability act has set various guidelines, which should be adhered to by anyone who handles any electronic medical data. These guidelines stipulate that all medical practices must ensure that all necessary measures are in place while saving, accessing and sharing any electronic medical data to keep patient data secure . Lack of compliance to the HIPAA security standards could lead to large fines and in extreme cases even loss of medical licenses. Several steps can be followed by medical practices to ensure compliance to HIPAA standards. These steps include:
Run a complete risk assessment of the medical practice
Some medical practices adopted electronic health recording systems before there were clear guidelines on what these systems should contain. This means that a medical practice could be using electronic systems which are not compliant with HIPAA standards. To ensure HIPAA compliance a risk assessment should be done on the current systems using HIPAA standards and guidelines to highlight areas in which compliance is not enforced. A risk assessment against HIPAA guidelines exposes areas in which changes are needed.
Prepare for disaster before it occurs
All the data handled by a medical practice should be safe both from loss and corruption. One of the main ways of ensuring that data is not lost in case of any mishaps is backing up of medical data regularly. Data should be backed up in an offsite location such that in case of incidents such as fires in the medical premises the data backup is not destroyed, as well. Antivirus programs should also be installed in all computers to ensure that data is not corrupted or destroyed by computer viruses.
Have an ongoing employee training program
Any system is only as strong as its weakest link and in most cases untrained employees are the weakest links in medical practices. A medical practice could have a very secure encryption system, but if the employees don’t use their passwords to securely access records and files the encryption system is rendered useless, and anyone can gain access to these records. Medical practices should continually train their staff on how to follow the right security protocols to ensure data integrity and security.
Buy medical products with security compliance and compatibility in mind
New equipment bought for a medical institution should be compatible with existing systems and should offer enough security features. Some medical equipment may offer enough security features but may be incompatible with existing systems or vice versa. Thus before making any major purchases enough review of the product should be done to ensure both security and compatibility.
Collaborate with affected parties
Changes which need to be made to bring about HIPAA compliance affect many people in the medical practice. Affected departments should be consulted when making changes to ensure all parties affected by the changes are happy with the changes.

The Health Insurance Portability and Accountability Act has set various guidelines, which should be adhered to by anyone who handles any electronic medical data. These guidelines stipulate that all medical practices must ensure that all necessary measures are in place while saving, accessing and sharing any electronic medical data to keep patient data secure . Lack of compliance to the HIPAA security standards could lead to large fines and in extreme cases even loss of medical licenses. Several steps can be followed by medical practices to ensure compliance to HIPAA standards. These steps include:

Run a complete risk assessment of the medical practice
Some medical practices adopted electronic health recording systems before there were clear guidelines on what these systems should contain. This means that a medical practice could be using electronic systems which are not compliant with HIPAA standards. To ensure HIPAA compliance a risk assessment should be done on the current systems using HIPAA standards and guidelines to highlight areas in which compliance is not enforced. A risk assessment against HIPAA guidelines exposes areas in which changes are needed.

Prepare for disaster before it occurs
All the data handled by a medical practice should be safe both from loss and corruption. One of the main ways of ensuring that data is not lost in case of any mishaps is backing up of medical data regularly. Data should be backed up in an offsite location such that in case of incidents such as fires in the medical premises the data backup is not destroyed, as well. Antivirus programs should also be installed in all computers to ensure that data is not corrupted or destroyed by computer viruses.

Have an ongoing employee training program
Any system is only as strong as its weakest link and in most cases untrained employees are the weakest links in medical practices. A medical practice could have a very secure encryption system, but if the employees don’t use their passwords to securely access records and files the encryption system is rendered useless, and anyone can gain access to these records. Medical practices should continually train their staff on how to follow the right security protocols to ensure data integrity and security.

Buy medical products with security compliance and compatibility in mind
New equipment bought for a medical institution should be compatible with existing systems and should offer enough security features. Some medical equipment may offer enough security features but may be incompatible with existing systems or vice-versa. Thus before making any major purchases enough review of the product should be done to ensure both security and compatibility.

Collaborate with affected parties
Changes which need to be made to bring about HIPAA compliance affect many people in the medical practice. Affected departments should be consulted when making changes to ensure all parties affected by the changes are happy with the changes.

The post Five Steps to HIPAA Security Compliance appeared first on HIPAA.com.

Don’t Overthink HIPAA Privacy Rules

Ever since HIPAA Privacy Rules became finalized law in 2003, many healthcare practices have been anxious and fearful of penalties should they interpret the law incorrectly and be out of compliance. Non-compliance fines can be hefty, so it is understandable why many providers practice with apprehension.

HIPAA rules have brought a needed awareness for patient privacy, but at the same time much of the law is hazy with areas often needing legal interpretation.  According to Ronald B. Sterling, MBA, a health technology consultant, “A lot of people overthink HIPAA and take it to extremes.” (1)  When the law is unclear and healthcare professionals are worried about self-protection, staff members tend to go overboard when interpreting the rules.  And the office philosophy becomes if we want to be safe and stay compliant, we can’t tell anyone anything!  Hospitals also have this mindset created by overzealous risk managers and lawyers. The doctors with privileges at these institutions take this viewpoint back to their practice as the safe hospital-endorsed thing to do.

Interpretation errors, even when on side of caution, aren’t necessarily good for the patients and can actually infringe upon their rights.  And, the “don’t tell anyone anything” concept is keeping information from people who need and deserve to be informed.

Medcape reported that at a congressional subcommittee hearing on HIPAA last April, Carol Levine from the United Hospital Fund testified that when she took her sister to the emergency room with severe abdominal pain, even though her sister asked her to stay with her in the room, a triage nurse said, “You can’t come with her.  It’s a HIPAA rule.”  When her sister replied, “But I want her with me,” the nurse responded, “no way.” (1) Congressman Tim Murphy also testified at that hearing and spoke of provider anxiety by saying, “Fearful of new penalties for violating HIPAA, doctors and nurses were refusing to even talk about a patient’s illness with caretakers, all of whom were [professional] caretakers, spouses, siblings, or those managing the affairs of their elderly parent.” (1)

These are examples of how incorrect versions of this law can actually work against the people it was designed to protect, the patients.  Withholding information does not protect anyone and is a violation of the patient’s rights.  There are numerous resources available to help healthcare professionals understand this law.  While some questions can be answered quickly by accessing the U.S. Department of Health and Human Service’s website, the best protection comes from thorough HIPAA training. (2)

Sources:
1. www.medscape.com/viewarticle/810648 (requires registration)
2. www.hhs.gov/ocr/privacy/hipaa/

Dentists: Don’t Forget HIPAA Compliance

Since the inception of HIPAA in 1996, its broad implications have affected all areas of health care including dentistry. And, if asked, most dentists and their staff would say they know what the HIPAA regulations are, and yes, they have been trained, but are they really up to date with HIPAA’s ever expanding changes and compliance requirements?  Are they trained in the areas of HIPAA Security, Privacy, Enforcement and Breach Notification Rules and do they know that they must be in compliance with the 2013 HIPAA Omnibus Final Rule by September 23, 2013?
Compared to the ever-growing size of medical practices today, most dental offices are still rather small with just one to five dentists practicing together, and maintaining compliance is not easy for a small office. It requires a continual effort on the part of the dentist and the office staff. This commitment of time, people and resources is sometimes where the process hits a wall. Many dental offices did their initial training when the Privacy Rules were enacted but have not kept current with training, and often the HIPAA protocols that they put in place have fallen by the wayside. This is especially true in offices with a limited number of employees and frequent staff turnover.
Almost all dental practices submit their claims electronically to insurance companies, which subjects them to the HIPAA regulations in regards to electronic claims submission. But, are these offices following through with the certification requirements to safeguard and protect electronic patient information, and is there a written risk assessment?
Most offices are much more familiar with the HIPAA Privacy Rule. But, without the benefit of refresher training and instruction for new staff, these offices may not be fully adhering to the HIPAA privacy conditions.
The American Dental Association does offer resources and online webinars for dental offices to help them educate their staff and remain compliant with HIPAA laws. But, there are also many other online training programs, such as HIPAA School that are ideal for the small dental office…and besides providing a good solid base of instruction, they help offices stay on track with their HIPAA programs.
Dentists who realize the importance of training their staff regularly and making sure new hires are immediately well-informed and proficient in HIPAA law are much less likely to have any reported complaints or fail an audit. HIPAA training is crucial, not just because the office could be substantially fined if not in compliance, but because it is essential to protecting their patient’s private health information.

Since the inception of HIPAA in 1996, its broad implications have affected all areas of health care including dentistry. And, if asked, most dentists and their staff would say they know what the HIPAA regulations are, and yes, they have been trained, but are they really up to date with HIPAA’s ever expanding changes and compliance requirements?  Are they trained in the areas of HIPAA Security, Privacy, Enforcement and Breach Notification Rules and do they know that they must be in compliance with the 2013 HIPAA Omnibus Final Rule by September 23, 2013?

Compared to the ever-growing size of medical practices today, most dental offices are still rather small with just one to five dentists practicing together, and maintaining compliance is not easy for a small office. It requires a continual effort on the part of the dentist and the office staff. This commitment of time, people and resources is sometimes where the process hits a wall. Many dental offices did their initial training when the Privacy Rules were enacted but have not kept current with training, and often the HIPAA protocols that they put in place have fallen by the wayside. This is especially true in offices with a limited number of employees and frequent staff turnover.

Almost all dental practices submit their claims electronically to insurance companies, which subjects them to the HIPAA regulations in regards to electronic claims submission. But, are these offices following through with the certification requirements to safeguard and protect electronic patient information, and is there a written risk assessment?

Most offices are much more familiar with the HIPAA Privacy Rule. But, without the benefit of refresher training and instruction for new staff, these offices may not be fully adhering to the HIPAA privacy conditions.

The American Dental Association does offer resources and online webinars for dental offices to help them educate their staff and remain compliant with HIPAA laws. But, there are also many other online HIPAA training programs that are ideal for the small dental office…and besides providing a good solid base of instruction, they help offices stay on track with their HIPAA programs.

Dentists who realize the importance of training their staff regularly and making sure new hires are immediately well-informed and proficient in HIPAA law are much less likely to have any reported complaints or fail an audit. HIPAA training is crucial, not just because the office could be substantially fined if not in compliance, but because it is essential to protecting their patient’s private health information.

The post Dentists: Don’t Forget HIPAA Compliance appeared first on HIPAA.com.

HHS Publishes Technical Corrections to January 25, 2013, HIPAA Privacy, Security, and Enforcement Rules

June 7, 2013.  Today, HHS published in the Federal RegisterTechnical Corrections to the HIPAA Privacy, Security, and Enforcement Rules” that were published on January 25, 2013, as the Final Rule:Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules.”

According to the Summary in today’s Corrections Final Rule:  “These technical corrections address certain inadvertent errors and omissions in the HIPAA Privacy, Security, and Enforcement Rules that are located at 45 CFR parts 160 and 164.

The effective date of the Corrections Final Rule is June 7, 2013.

The post HHS Publishes Technical Corrections to January 25, 2013, HIPAA Privacy, Security, and Enforcement Rules appeared first on HIPAA.com.