Health Law Blog - Healthcare Legal Issues

Archive for the ‘HIPAA Health Information privacy’ Category

Malware Infection Causes Breach – Lack of Firewall – Hybrid Entity

Friday, January 27th, 2017

Malware Infection and Lack of Firewall Protection Causes Breach

In yet another significant settlement by OCR, the University of Massachusetts Amherst (UMass) agreed to a monetary penalty of $650,000 resulting from a workstation that was contaminated with a malware program and resulted in impermissible disclosure of electronic health information.  This disclosure involved information about 1,670 individuals and included names, addresses, social security numbers, dates of birth, health insurance information, diagnoses and procedure codes.  The provider had determined that the malware was a generic remote access Trojan that was able to infiltrate their system because a proper firewall was not in place.

Central to OCR’s analysis was that the provider had failed to identify the components located in its hearing center as being part of its covered components.  This resulted in the provider failing to apply and ensure compliance with the HIPAA privacy and security rules at that location.  HIPAA permits legal entities that have some functions that are covered by HIPAA and some that are not to elect to become a “hybrid entity.”  To successfully “hybridize,” the entity must designate in writing the health care components that perform functions covered by HIPAA and assure HIPAA compliance for its covered health care components.  It was the failure to properly follow the hybrid entity rules that left the components at the applicable site vulnerable to outside malware attack.

UMass failed to implement technical security measures at the Center to guard against unauthorized access to ePHI transmitted over an electronic communications network by ensuring that firewalls were in place at the applicable location.  This settlement stresses the need to assure that all protected information is properly secured and that firewalls are used when needed.  It is also instructional regarding the proper application of the rules relating to hybrid status.

HIPAA Breach Notification Settlement – First Case of Untimely Notice of Breach

Wednesday, January 25th, 2017

Failing to Provide Breach Notification on Time

An OCR settlement with Presence Health is heralded as the first OCR settlement that resulted from a failure to report a breach of unsecured protected health information (PHI) within the time-frames required under applicable HIPAA regulations.  Failing to meet the applicable time-frames cost Presence $475,000 to settle with OCR.

The case arose when paper-based operating schedules, which contained the PHI of 836 individuals, were found to be missing from the surgery center at one of the provider’s medical centers.  The operating schedules were discovered to be missing on October 22, 2013, but breach notification was not provided to OCR until January 31, 2014.  The notification was not provided in time to meet the requirement that a covered entity notify OCR of a breach without unreasonable delay and within 60 days of discovery.  The breach disclosure rules that apply to breaches affecting 500 or more individuals were applicable.  These rules required notification to prominent media outlets, the affected individuals, and OCR.

In its press release covering this settlement, the OCR stressed that “Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule’s timeliness requirements…Individuals need prompt notice of a breach of their unsecured PHI so they can take action that could help mitigate any potential harm caused by the breach.”

It is unclear exactly why the provider failed to meet the regulatory requirements in this case.  The settlement is a good example of why it is necessary for covered entities to have clear policies describing the process to be followed when faced with a potential breach situation.  This is also an area of OCR audit under the Stage II OCR audit program.  Providers should be certain that their breach disclosure policies and procedures are in place.  There have been changes to the breach disclosure regulations over the years, so policies should be reviewed to be certain that they are in compliance with current law and have been properly updated.

Don’t Overlook Special Status of Behavioral Health Records

Monday, January 9th, 2017

Most health care providers have implemented HIPAA compliant policies and procedures and have made them operational.  We often see providers who have not given appropriate levels of thought to behavioral health records.  HIPAA and state laws generally provide different levels of protection for patient information that relates to mental health issues or alcohol and drug treatment.  This requires providers to have policies and procedures in place that help employees identify these types of records and that describe the appropriate precautions and special rules that apply.

Generally, Federal law treats general mental health records in the same way it treats other types of health information.  Many state statutes require more protection over the confidentiality of mental health records than over general health information.  A further distinction is made between general mental health/behavioral health records and the subset of those records that include psychotherapy notes.  Psychotherapy notes are rarely subject to disclosure to third parties.  In many cases even the subject patient can be denied access to psychotherapy notes.

It is important that policies and procedures clearly define mental health records and psychotherapy notes and describe the special restrictions that are applicable to each.  Clearly, the special restrictions on psychotherapy notes must be honored.  It is also important that healthcare providers do not apply the broader restrictions that are applicable to psychotherapy notes to more general mental health records.  Failing to understand the distinction between the various types of records can have adverse consequences under applicable laws and can even put patient care at risk.

This issue is further complicated because State and Federal protections can be different and even conflicting.  This requires providers to perform a preemption analysis to determine which law to follow.  That analysis can be different depending on the type of record involved and the purpose and nature of the contemplated release.

Psychotherapy notes are given special treatment under Federal law.  Psychotherapy notes are defined under Federal law as notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are separate from the rest of the patient’s medical record.  Psychotherapy notes can rarely be released to a third party and often even the patient can be denied access to these records.  Certain information is not included within the definition of psychotherapy notes such as medical prescriptions, session start and stop times, frequency of treatment, results of clinical tests, summaries of diagnosis, symptoms, prognosis, etc.  This information is considered to be mental health records but does not receive the same special protection as psychotherapy notes.

Organizations should read and understand the distinction between general mental health records and psychotherapy notes.  Separation is key to complying with restrictions that are applicable to psychotherapy notes.  Psychotherapy notes should be stored separately from the patient’s medical records (which includes behavioral and mental health records).

Organizations that use electronic medical records (EMR) systems must devise ways to separate psychotherapy notes from other types of medical records.  This might include integration of special naming and filing standards into the electronic record.  Staff training is required to assure that the distinction between psychotherapy notes and mental health records is maintained.

Some state laws complicate the analysis even further by providing additional restrictions on general mental health records.  Depending on your state, this analysis can become quite complicated and dependent on the purpose and nature of the contemplated release, the application of preemption rules, and the interpretation of state and Federal statutes and regulations.

What Does the HIPAA Phase 2 Audit Program Mean for Providers

Tuesday, April 19th, 2016

HIPAA Phase 2 Audit Program Announced by OCR

The HHS Office for Civil Rights (“OCR”) has officially announced the commencement of its 2016 Phase 2 HIPAA Audit. In Phase 2, OCR will be reviewing the policies and procedures of covered entities and their business associates. This phase of audits is intended to determine whether providers have properly implemented and satisfy the standards and implementation specifications of the privacy, security, and breach notification rules. For the most part, Phase 2 audits will include only document review to determine compliance with policy and procedure requirements. In cases of noncompliance, the initial document review may turn into a formal site visit and a more complete HIPAA audit.

The OCR will be sending an email to covered entities and business associates requesting verification of an entity’s address and contact information. This will be followed by transmission of a pre-audit questionnaire asking for information about the size, type, and operations of covered entities and business associates. This information will be used in conjunction with other information to create potential audit subject pools. It is critical that providers respond to the request for information within the specified timeframes. Failure to respond may increase the chances of further audit and scrutiny. More details will be forthcoming from OCR regarding audit protocols in the near future.

A provider’s chances of audit are much greater under the Phase 2 audit program than under the prior phase.  Not all providers will be subject to audit. OCR is using the increased risk of audit to assure that providers make preparations and enhance their policies, procedures, business associate agreements and other compliance documentation and practices.  Given the public nature of the program and the time that providers have been given to get their ship in order, audits are likely to be less forgiving than in the previous phase.

What does this mean to providers? Now is the time to make certain that HIPAA practices, policies and procedures are in compliance with legal requirements. Providers may consider performing an effectiveness audit of their HIPAA policies and processes to identify any gaps in policy and practice that could lead to further investigation under the Phase 2 program.  Providers should assure that their information privacy program includes all necessary elements and would withstand an audit.  Even though no specific provider is certain to be audited, some certainly will be.  Every provider needs to be ready for this possibility.

Is your EHR Donation Agreement in Compliance?

Friday, May 23rd, 2014

The EHR donation regulations allow certain qualified entities to provide nonmonetary remuneration to physicians and other health care providers to obtain electronic health information systems without violating the Anti-Kickback Statute or the physician self-referral laws.  Hospitals and other organizations have structured EHR donation programs around the existing exception.  The regulations that permitted hospitals to make payments on behalf of physicians for EHR technology were set to expire on December 31, 2013.

The Center for Medicare and Medicaid Services released final regulations on December 27, 2013, which extended the protections of the EHR donation regulations through December 31, 2021.  However, it is important that providers examine their EHR donation agreements to determine whether continued payments under the agreement comply with federal law.  Many EHR donation contracts contain automatic expiration clauses that terminated the agreement on December 31, 2013.  If those agreements have not been properly extended, payments that may have occurred under those agreements following expiration may raise compliance issues.

Providers should not assume that continued payments are protected under the extended EHR donation expiration date.  In many instances, entering into a new agreement or amending existing agreements will be required in order to continue to qualify donation amounts under the applicable exceptions.

Model Patient Privacy Notice Forms Privacy Rule Compliance

Thursday, September 19th, 2013

Patient Privacy Notice Forms

The HIPAA Privacy Rule gives individuals a fundamental right to be informed of the privacy practices of their health care providers and of their privacy rights with respect to their personal health information. Providers are obligated to provide patients with a clear and concise description of their rights.

The HHS Office for Civil Rights and Office of the National Coordinator for Health Information Technology have released model Notices of Privacy Practices for health care providers and health plans. The model was created by collaboration between the two agencies with jurisdiction over patient privacy issues. The models express the views of these agencies concerning what health care providers should be communicating to their patients.

The Model Notices can be found at the following page of the HHS web site. Model Privacy Notices

It is notable that the model Notices of Privacy are not as in depth as the forms that have been used by many health care providers in the past. There is a simplicity to the model which seems to be directed toward communicating basic information to patients as opposed to an approach that includes “everything under the sun” in order to protect the provider. The less complicated approach seems to be more consistent with the regulatory requirement that providers develop and distribute a notice that provides a clear, user friendly explanation of these rights and practices.

The model released by the agencies provides a variety of formats that providers can consider depending on the context and their personal preference. The optional formats include:

  • Notice in the form of a booklet
  • A layered notice that presents a summary of the information on the first page, followed by the full content on the following pages
  • A notice with the design elements found in the booklet, but formatted for full page presentation
  • A text only version of the notice

The models integrate the regulatory changes contained in the Omnibus Rule. Providers may use these models to serve as the baseline for compliance with the new requirements. For example, relatively new changes to patient access rights to information that is held in an electronic health record are covered. Providers who have not recently updated their notices may not include this information in their disclosure form.

The provided forms are set up so that providers can simply enter their specific information in the model forms. They can then be printed, posted, and otherwise used in connection with their practices.

The agencies seem to be actively encouraging providers to use these standard forms. Providers should take the opportunity to review their Notice of Privacy Policies and consider updating them to conform with the government provided standard forms unless the provider has a compelling reason to be more inclusive in its disclosure.


OCR HIPAA Audit Resources For Healthcare Providers

Monday, July 30th, 2012

HIPAA Audit Resources for OCR Audit of Health Care Providers

HIPAA Information For Covered Entities

HIPAA Audit Protocol

Office of Civil Rights (OCR) HIPAA Notification Page

HIPAA New Archives

Patient Safety Confidentiality (PSQIA)

Sample Business Associates Contract

Things To Do Before a HIPAA Audit is Announced

Before you even have notice that you may be the subject of a HIPAA audit, you should be certain that your HIPAA “ducks” are in a row.  Taking last minute action when an audit is announced will not be nearly as effective as demonstrating that you have had a long term commitment to HIPAA compliance.  Here are a few things that you should do now, before you are the subject of an audit.  This list is not meant to be all inclusive.

  • Review all policies and procedures that are required in order to comply with HIPAA. Consider an external review by an independent party.
  • Document a plan of correction if deficiencies are identified and document the correction process.
  • Designate departmental individuals who are responsible for HIPAA issues and prepare them to address the process of implementation in their area of responsibility.
  • Conduct a thorough risk analysis in accordance with OCR risk assessment guidance (referenced below).
  • Assure that your compliance training program is up to date and that employees have signed off on receiving required training.  Correct any discovered deficiencies in training.
  • Audit every outside vendor and contracting party and make certain that there is an appropriate Business Associates Agreement in place.

Major Issues Arising In First Round of HIPAA Audits

  • Patient record request review process, specifically denial process;
  • Providers failing to provide patients with access to their records;
  • Insufficient or non-existent policies and procedures;
  • Improper use of information relating to decedents;
  • Disclosure of information to personal representatives;
  • Risk Assessment process; and
  • Difficulties with Business Associate Agreements.

HIPAA’s Security Rule requires that covered entities periodically conduct a risk analysis.  The OCR has issued guidance on conducting such an analysis.  In the event of an audit, the results of your risk analysis are likely to be requested.  A review of your HIPAA policies should be conducted on an annual basis.  Any deficiencies should be identified and addressed in a corrective action plan.  Carefully document your review and the process you use to correct any identified deficiencies.  OCR Audit Guidelines

Anti-kickback Statutes Safe Harbor Regulations

Thursday, December 8th, 2011

Anti-kickback Statutes and Safe Harbor Regulations

Overview: On the books since 1972, the federal anti-kickback law’s main purpose is to protect patients and the federal health care programs from fraud and abuse by curtailing the corrupting influence of money on health care decisions. Straightforward but broad, the law states that anyone who knowingly and willfully receives or pays anything of value to influence the referral of federal health care program business, including Medicare and Medicaid, can be held accountable for a felony. Violations of the law are punishable by up to five years in prison, criminal fines up to $25,000, administrative civil money penalties up to $50,000, and exclusion from participation in federal health care programs.

Because the law is broad on its face, concerns arose among health care providers that some relatively innocuous — and in some cases even beneficial — commercial arrangements are prohibited by the anti-kickback law. Responding to these concerns, Congress in 1987 authorized the Department to issue regulations designating specific “safe harbors” for various payment and business practices that, while potentially prohibited by the law, would not be prosecuted.

John H. Fisher

Health Care Counsel
Ruder Ware, L.L.S.C.
500 First Street, Suite 8000
P.O. Box 8050
Wausau, WI 54402-8050

Tel 715.845.4336
Fax 715.845.2718
