HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

The Status Of HIPAA Compliance


The Office for Civil Rights (OCR), the agency within the U.S. Department of Health and Human Services tasked with HIPAA compliance enforcement, is about to start formally notifying various healthcare providers and plans that they have been selected for an audit. Those covered entities selected will be required to submit specific documentation to OCR that demonstrates how their respective organizations are complying with HIPAA compliance requirements. 

 

The goal with the Phase 2 Audit program is to determine how well covered entities are implementing the correct policies and procedures for HIPAA compliance. If the results of the Phase 2 audits are anything like the first audit, OCR is probably going to see disappointing data indicating most organizations are not fully complying with all the requirements. 

 

There is an easier and less costly way to find out the current status of compliance among covered entities, one that would save taxpayers the cost of paying a contractor to gather the needed results. Published reports showed that OCR paid about 9 million dollars to the global audit firm KPMG in 2012 to conduct the Phase 1 audits.

 

NueMD released the results of their follow-up survey to the original survey conducted in 2014, which looked at the status of HIPAA compliance. In the updated survey, 927 respondents, which included practices and billing companies, answered a number of revealing questions about the current status of HIPAA knowledge and compliance. For comparison purposes, OCR is looking to identify about 200 covered entities for the Phase 2 audit.

 

So what did NueMD find out in their updated survey? Overall HIPAA compliance is still not close to where it needs to be with most organizations. With so many HIPAA data breaches occurring on what seems like a daily basis, the survey clearly shows why this is occurring.

 

Here are some significant findings of the survey:

 

  • Regarding the annual requirement for HIPAA Security Awareness Training, the 2014 survey indicated 62% of owners, managers and administrators claimed they provided training for their staff annually — now that number has dropped to 58%.

 

  • Appointing HIPAA Security and Privacy Officers is another requirement for compliance. The survey found an actual decrease in these appointments. Although appointments were only a few percentage points down, the study said, “These may not be extraordinary changes, but the numbers are moving in the wrong direction!” Agreed.

 

  • On the positive side, the survey showed, “A region that suggests a correlation between increased awareness and improved compliance is that of Business Associate Agreements,” (BAA). In 2014, 60% of the respondents were aware of the use of BAAs, whereas in 2016, 68% now claim to know more about these rules.

 

  • Another positive finding was in the awareness of the HIPAA Omnibus updates. In 2014, 64% of respondents indicated they were aware of the updates in the law. That percentage increased to 69% this time around. There are many additional patient rights afforded by the Omnibus Rule that healthcare providers must be aware of. Although there was an increase, providers must do a better job of understanding their responsibilities under Omnibus.

 

The NueMD updated survey is a great barometer to gauge overall HIPAA compliance efforts, but as the survey shows, covered entities still have a long way to go to make sure they fully understand all the requirements and not just some.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr


Health System’s Good Deed Leads To Data Breach


Philanthropy is a good thing, but if you’re not careful it can land you in hot water. This was the lesson learned by the Virginia Commonwealth University Health System when it recently found itself facing a breach of PHI when it donated a series of CDs to an art program for children, according to PHIprivacy.net.

VCUHS officials said notifications were being sent out to patients regarding the security of certain patient information. According to the notice, between January 2012 and October 2014, a series of compact discs that were no longer necessary for VCUHS services were donated for children’s art projects, and some of those CDs contained sensitive patient health information for approximately 1,000 medical records.

The CDs were ones that had been provided by patients who had been referred to VCU Health Systems for treatment, and included full names, medical diagnoses, medication information, and social security numbers for the involved patients.

Becker’s Hospital Review reports the CDs were accidentally donated by an employee. According to the Richmond Times-Dispatch, any potential disciplinary action involving the incident would remain confidential. VCU spokeswoman Anne Buckley asserted that no evidence of misuse of the PHI has been detected, and the notice was being sent out as a required precaution.

“The population that we are concerned about are folks that brought their information in the form of CDs that were referred to us,” John Duval, CEO of MCV Hospitals and Clinics told the Richmond Times-Dispatch. “Any breach of this type has to presume that there might be individual discs out there that are still readable, so we have the duty to both investigate this to the limits of our ability and then to notify the folks of the risk that their personal health information might have been compromised.”

“What began as a well-intentioned philanthropic effort by a staff member wanting to help turned into a serious mistake that we are working very hard to remedy,” Duval said in the press release. “This error brought to light a vulnerability in our system that developed over time and that we are working to correct, and we are deeply sorry for the inconvenience this may have caused some of our patients.”

According to Duval, rules regarding CDs and their disposal have been tightened to prevent any future breaches. “Large data breaches are happening across many industries, including health care, and are very concerning to all,” Duval said in the release. “The VCU Health System has revised its protocols regarding media destruction and will redouble its efforts to protect all sensitive information.”


Recent HIPAA Decisions Suggest State Courts May Look to Federal Regulations to Define Negligence in the Data-Security Context - Data Protection - United States


A recent decision of the Connecticut Supreme Court signals a growing trend in Health Insurance Portability and Accountability Act (HIPAA) jurisprudence that could prove significant in the broader data-security context. 

Although HIPAA contains no private right of action and preempts contrary state laws, several courts have held that HIPAA does not preempt state-law negligence claims for improper disclosure of private patient information and—importantly—that HIPAA regulations may inform the state-law duty of care. This trend and the most recent case, Byrne v. Avery Center for Obstetrics & Gynecology, P.C., should be of interest not only to health care providers, but also to all companies collecting or disseminating sensitive customer information. Courts have yet to address the contours of any common-law duty to protect consumer data in the data-security context, but Byrne suggests that courts could look to federal regulations and standards, even if the federal-law sources do not provide private rights of action.

While certainly not new, data-breach lawsuits have become more common after numerous high-profile breaches within the past year. But most of the litigation to date has centered on a plaintiff's ability to state a cause of action. Plaintiffs have tried numerous common-law theories: breach of contract, unjust enrichment, invasion of privacy, misrepresentation and negligence. Courts generally reject contract, unjust enrichment and misrepresentation claims unless the defendants undertook some specific security obligations in their contracts or privacy policies. Invasion of privacy claims frequently fail for lack of "publication," and negligence claims fail for lack of actual injury—e.g., identity theft—under either the economic loss doctrine or Article III standing.

Few cases have gone beyond the pleadings, and fewer still have reached the question of what a state-law negligence duty entails in the context of data breach.  In the HIPAA context, however, courts have begun to look to federal regulations for guidance, a trend that could inform courts in data-breach cases that survive the pleadings.

The plaintiff in Byrne received treatment in connection with her pregnancy from the defendant obstetrics center, which agreed in its privacy policy not to disclose her health information without authorization. But after the child's father filed paternity actions and served a subpoena, the obstetrics center mailed a copy of the plaintiff's medical records to the family law court without informing Byrne. Before Byrne could seal the records, the father reviewed them and allegedly harassed and threatened her.  Byrne sued the obstetrics center, alleging, in pertinent part, statutory negligence, common-law negligence and negligent infliction of emotional distress. 

The trial court dismissed the statutory and common-law negligence claims and the negligent infliction of emotional distress count, reasoning that they were essentially HIPAA claims in disguise. More specifically, addressing the state statutory negligence claim, the court wrote that "[t]o the extent that [the statute] permits disclosure of protected medical records pursuant to a subpoena without the safeguards provided by HIPAA, it is both contrary to and less stringent than HIPAA and therefore superseded by HIPAA." Similarly, the trial court opined that if "common law negligence permits a private right of action for claims that amount to HIPAA violations, it is a contrary provision of law and subject to HIPAA's preemption rule" and "[b]ecause it is not more stringent [than HIPAA], the preemption exception does not apply." The court further ruled that insofar as the doctrine of negligent infliction of emotional distress "permits a private right of action for HIPAA claims" it also is preempted by HIPAA.

The Connecticut Supreme Court reversed the trial court's decision, holding that HIPAA does not preempt state-law negligence actions for breach of patient confidentiality, as such actions are not "contrary" to HIPAA, but either complementary or "more stringent." Of interest in the broader data-security context, Connecticut joined courts in North Carolina, Kentucky, Delaware and Maine by ruling that "HIPAA and its implementing regulations may be utilized to inform the standard of care applicable" in state-law negligence actions. In addition, district courts in Tennessee and Missouri have remanded negligence claims predicated on HIPAA regulations to the respective state courts, implying that such claims are proper under state law.

These rulings apply only in the HIPAA context and only in those specific states. Even so, the cases bear watching from a data-security perspective, as courts could employ similar reasoning in data-breach actions, looking to regulations or pronouncements by the Federal Trade Commission, Federal Communications Commission, or other federal regulatory entities that have entered or might yet enter the data-security fray. 

It is important to note that the Connecticut Supreme Court in Byrne assumed, without holding, that Connecticut's common law recognizes a negligence action for breach of patient confidentiality, so state courts could still hold that companies owe no data-security duties beyond those assumed in contract or imposed by statute.  Moreover, the court noted that HIPAA regulations are relevant to the negligence standard of care to the extent they have become "common practice" for Connecticut health care providers. On this reasoning, only those standards that achieve frequent use within an industry or locale would inform a negligence duty. 

Given the increase in data-breach lawsuits and the trend in HIPAA cases, companies should pay close attention to federal regulatory efforts, especially those that gain common use, even if those standards do not carry penalty provisions or private rights of action.



How HIPAA applies to the burgeoning world of mobile health


The federal regulatory environment has not kept pace with the progress of mobile health. Mobile health is driven by consumers who expect to have all sorts of information, including health data, on their phones, said Jeffrey Dunifon, an associate attorney at Baker & McKenzie who previously was an investigator at the Department of Health and Human Services Office for Civil Rights.

 

 

To help healthcare provider organizations and mobile developers navigate the HIPAA waters, Dunifon points to the HIPAA Questions Portal at hipaaqsportal.hhs.gov, which was launched by HHS. Providers and developers ask questions, HHS provides answers, said Dunifon, who spoke today at the HIMSS and Healthcare IT News Privacy & Security Forum in Los Angeles during a session entitled "HIPAA and mHealth: Key Challenges and Solutions."

 

 

"Key issues covered on the site include businesses regulated by HIPAA, information covered by HIPAA, and HIPAA compliance measures," Dunifon said.

When it comes to mobile health, or mHealth, it's important to fully understand the entities covered by HIPAA. These include healthcare providers, health plans and clearinghouses.

"Less clear, though, is when a company becomes a business associate under HIPAA," Dunifon explained. "A business associate is any entity that accesses or discloses protected health information for or on behalf of a covered entity or another business associate. This is very relevant in the developer environment."

 

 

Examples of businesses and tools that could require a business associate agreement, according to Dunifon, include:

 

  • A cloud services vendor that hosts PHI. "OCR has said in no uncertain terms that if an organization is using a cloud services vendor to host PHI, it needs a business associate agreement," Dunifon said.

 

  • An electronic health record developer that accesses PHI to help troubleshoot technical issues. "This is more on the routine side of the business associate definition, a company that has routine, ongoing access," he said.

 

  • A live translation mobile app used between healthcare providers and patients. "If an organization is using an iPhone or iPad on a live basis to have conversations between patients and providers discussing PHI, that needs to be covered by a business associate agreement," Dunifon said.

 

  • A patient appointment scheduling and payment mobile app. "If a provider offers to let patients schedule an appointment or pay for an appointment, that app developer needs to be covered by a business associate agreement," he said. "That can be a little confusing sometimes because there's not a clear health element to it."

 

  • Remote medical devices or apps sharing health indicators. "If you have a medical device someone is wearing that's sending information to an app, which is sharing that with the healthcare provider, and the app company is playing a role in transmitting or maintaining that information, that may be PHI covered by HIPAA," Dunifon said.

 

 

"In mobile health, if a consumer is paying for a product, it might not be PHI," he added. "But if it is being tracked by a covered entity, then it may be PHI."

 

 

Dunifon pointed conference attendees to a variety of resources to help with HIPAA compliance and mHealth, including the National Institute of Standards and Technology's Special Publications, the HHS Office for Civil Rights, HIMSS and Baker & McKenzie.


No Pre-Existing Condition Exclusions Means HIPAA Certificates No Longer Required | JD Supra

Earlier this year, the Departments of Health and Human Services, Labor and the Treasury issued a final rule implementing the Affordable Care Act (ACA) and revising the requirements of other healthcare laws and regulations affected by the ACA. One of the most significant changes made was to prohibit group health plans and issuers from imposing pre-existing condition exclusions on any enrollees in plans beginning on or after January 1, 2014. Consequently, as of December 31, 2014, health plans and issuers will no longer be required to issue the Certificates of Creditable Coverage previously required under the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA guarantees continuous healthcare coverage for employees who change policies or jobs, or who retire and take advantage of the Consolidated Omnibus Budget Reconciliation Act (COBRA). These portability provisions required health plan and COBRA administrators to ease the burden of transitioning between healthcare policies by providing a Certificate of Continuous Coverage 30 days before the expiration of the plan's coverage or before the insured leaves employment to help offset a preexisting condition exclusion period under a new health plan.

The ACA’s prohibition on pre-existing condition exclusions for plan years beginning on or after January 1, 2014 makes these HIPAA Certificates unnecessary, and they are therefore no longer required, for plans beginning in 2015 and later. For plans beginning before January 1, 2014, plans and issuers may place limited exclusions on pre-existing conditions and must still automatically provide HIPAA Certificates to individuals when they lose coverage or upon request for a period of 24 months following termination of coverage.

This is only one of many obligations imposed on employers and health care organizations under a law aimed at protecting individual health information. HIPAA violations can have serious consequences, from employment discipline or termination for employees to criminal prosecution and civil penalties up to $250,000 for healthcare professionals. The most effective way to prevent such violations is to provide employees with HIPAA training to keep protected health information confidential and follow proper security practices when handling such information.



State law may provide a remedy for breach of HIPAA’s privacy rules | Lexology


When a woman received extortion threats and other forms of harassment from an ex-lover, she sued her medical provider for unauthorized disclosure of her medical records. Byrne v. Avery Center for Obstetrics and Gynecology, P.C., 314 Conn. 433 (2014). She further alleged that the threats and harassment directly resulted from a breach of the defendant’s duty of confidentiality under the Health Insurance Portability and Accountability Act (“HIPAA”). During her course of treatment, the defendant provided her with a copy of its notice of privacy practices that expressly stated it would not disclose medical records without obtaining authorization from the patient. Additionally, the plaintiff specifically instructed the defendant not to disclose her medical records to her ex-lover. But, when her ex-lover filed a paternity suit against her and served the defendant with a subpoena requesting a copy of her medical records, the defendant failed to notify her of the subpoena, to file a motion to quash the subpoena, or to appear in court. Instead, the defendant mailed a copy of her medical records to him.

As a result, the plaintiff filed four claims against the defendant. First, the plaintiff alleged that the defendant breached its contract when it disclosed her protected health information (“PHI”) in violation of its notice of privacy practices. Second, she claimed that the defendant was negligent when it failed to care for her PHI and disclosed her PHI without her authorization. Her third and fourth claims were for negligent misrepresentation and negligent infliction of emotional distress.

Since HIPAA does not create a private right of action for breach of its privacy provisions, the trial court interpreted common law claims for negligence and negligent infliction of emotional distress that relate to a breach of HIPAA’s privacy rules as inconsistent with HIPAA. Thus, in reliance on HIPAA’s preemption provision, the trial court granted the defendant’s motion for summary judgment on the claims for negligence and negligent infliction of emotional distress. Notably, the claims for breach of contract and negligent misrepresentation were not dismissed by the trial court, so these claims were not reviewed on appeal.

On November 11, 2014, the Supreme Court of Connecticut held that HIPAA does not preempt a private cause of action arising from the unauthorized disclosure of PHI based on state common law, thereby reversing the trial court’s dismissal of the plaintiff’s claims for negligence and negligent infliction of emotional distress. Specifically, the Court found that if state law provides a plaintiff with a remedy for a medical provider’s breach of its duty of confidentiality, HIPAA does not preempt the plaintiff’s state law remedies for negligence or negligent infliction of emotional distress. Rather, a state law will be preempted by HIPAA only if it is impossible for a medical provider to comply with both the federal and state laws. Furthermore, a state law is not preempted by HIPAA if it relates to the privacy of PHI and provides an individual with greater privacy protection than HIPAA.

The Court did not analyze whether Connecticut law provides a remedy for a medical provider’s breach of its duty of confidentiality; it only determined that HIPAA would not preempt an available remedy under state law. Thus, the Court did not decide whether the plaintiff was successful in her claims for negligence and negligent infliction of emotional distress. The Court did, however, find that HIPAA may be used to determine the applicable standard of care for such state law claims.


