Health Law Blog - Healthcare Legal Issues

Archive for the ‘HIPAA Health Information privacy’ Category

Denial of Access to Deadbeat Patients

Wednesday, May 2nd, 2018

Private Practice Revises Access Procedure to Provide Access Despite an Outstanding Balance

A complainant alleged that a private practice physician denied her access to her medical records, because the complainant had an outstanding balance for services the physician had provided. During OCR’s investigation, the physician confirmed that the complainant was not given access to her medical record because of the outstanding balance. OCR provided technical assistance to the physician, explaining that, in general, the Privacy Rule requires that a covered entity provide an individual access to their medical record within 30 days of a request, regardless of whether or not the individual has a balance due. Once the physician learned that he could not withhold access until payment was made, the physician provided the complainant a copy of her medical record.

Health Care Compliance Resource Portal Launched by OIG

Tuesday, May 1st, 2018

Office of Inspector General Launches New Compliance Resource Portal

by John H. Fisher, II, JD, CHC, CCEP

At a recent Health Care Compliance Association (HCCA) compliance institute, the Office of Inspector General announced it had launched a new resource portal focused on compliance issues.  A trip to the OIG’s web site, and sure enough, there is a brand spankin’ new compliance portal.  You can check out the portal at OIG Portal.

On first brush through the portal, it appears most of the items that are accessible already existed prior to the launch of the portal.  The portal creates some organization that did not previously exist to guide providers to various compliance resources the OIG has made available.

 

Contents Listing of the OIG Compliance Portal

  • Toolkits
  • Provider Compliance Resource and Training
  • Advisory opinions
  • Voluntary Compliance and Exclusions Resources
  • Special Fraud Alerts, Other Guidance, and Safe Harbors
  • Resources for Health Care Boards
  • Resources for Physicians
  • Accountable Care Organizations

This is a site that compliance officers will want to have bookmarked in their browser. We are likely to see new developments in compliance posted on the portal. For example, it already notes that a toolkit on identification of opioid misuse risk will be coming soon to the portal.

When you get a chance, check out the new OIG resource and the tools that are available on the site.  It is definitely something with which people in compliance should have familiarity.  As usual, if you have any questions regarding compliance or other health care legal issues, please don’t hesitate to contact your Ruder Ware health care attorney.

Health Law Firm Opens Green Bay Office

Tuesday, May 1st, 2018

Green Bay Health Care Lawyer – Opening Office in Green Bay Wisconsin

I just wanted to let readers of our health care blog know that Ruder Ware will be opening a Green Bay office and that three Green Bay attorneys will be joining our firm. This will provide us with a presence in the Green Bay/Appleton markets that will enhance our community presence and enable us to better serve our clients in eastern Wisconsin. Our health care and compliance practice will be greatly enhanced as a result of this move.

This move will provide a local platform through which we can better serve our health care clients.

Health Care Law Practice – Green Bay Health Lawyers Ruder Ware

Ruder Ware has a long history of representing health care clients.  The firm recognizes that the highly regulated and complex nature of the industry demands the attention of a team of attorneys who, as a group, monitor constantly evolving laws and regulations and their impact on our health care clients.  At Ruder Ware, we offer a full-service solution to clients as our focus team consists of health care, business, employment, and litigation attorneys with knowledge of the health care industry.   As a result, we are able to take best practices from other industries and apply them to the health care industry, thereby increasing the ability to respond promptly to the rapidly changing health care environment.

Members of the focus team have served on the governing bodies of various health care organizations.  This service has provided our attorneys with the opportunity to counsel the health care community.  

Our dedicated team of attorneys represents health care providers in various matters including:

 Health Care Business Transactions and Corporate Law

Our attorneys have substantial expertise representing various health care providers such as:

Below is the official press release:

Media Contact:
Jamie Schaefer
COO
Ruder Ware, L.L.S.C.
P: 715.845.4336
E: jschaefer@ruderware.com

For Immediate Release

Attorneys Ronald Metzler, Christopher Pahl, and Chad Levanetz to join
Ruder Ware at its new Green Bay Office

WAUSAU, WI – April 27, 2018 – Ruder Ware is pleased to announce the opening of its Green Bay office and that Attorneys Ronald Metzler, Christopher Pahl, and Chad Levanetz will be joining the firm. The new office will be located at 222 Cherry Street, Green Bay, Wisconsin, which is the current location of Metzler, Timm, Treleven, S.C.

Attorney Ron Metzler – Having practiced law for over 30 years, Ron is a well-respected and well-known commercial attorney with close ties to the banking industry.

Attorney Chris Pahl – With his strong ties to the Green Bay community, Chris has built his practice around real estate development and condominium law as well as commercial transactions and estate planning.

Attorney Chad Levanetz – A seasoned litigation attorney, Chad counsels clients in the areas of real estate, construction, and general business disputes.

Stew Etten, Ruder Ware managing partner, stated, “Ruder Ware is always looking for outstanding attorneys to join our firm. With the opportunity to add Attorneys Metzler, Pahl, and Levanetz, the time was right to open a Green Bay office. We’re very excited to have attorneys of their caliber join our team of professionals.”

About Ruder Ware
Founded in 1920, Ruder Ware is the largest law firm headquartered north of Madison. With offices in Wausau, Eau Claire, and Green Bay over 40 attorneys provide legal and business advice to clients with operations of all sizes. Areas of practice include: Employment, Benefits & Labor Relations, Litigation & Dispute Resolution, Business Transactions, Trusts & Estates, and Fiduciary Services. Ruder Ware, Business Attorneys for Business Success. www.ruderware.com


Faxing Patient Health Information to Wrong Number – Compliance Risk Area

Tuesday, March 13th, 2018

Physician Revises Faxing Procedures to Safeguard PHI After Faxing PHI to Employer by Mistake

A medical office recently settled with OCR after it allegedly disclosed a patient’s HIV status when the office mistakenly faxed medical records to the patient’s place of employment instead of to the patient’s new health care provider. The employee responsible for the disclosure received a written disciplinary warning, and both the employee and the physician apologized to the patient. To resolve this matter, OCR also required the practice to revise the office’s fax cover page to underscore a confidential communication for the intended recipient. The office informed all its employees of the incident and counseled staff on proper faxing procedures.

Two things pop out about this instance. First, this was clearly a privacy violation. The patient’s protected health information, which incidentally revealed his or her HIV status, was sent to the employer. Secondly, it was evident from the facts that this was a mistake. We aren’t told exactly how this mistake was made. Was the fax number written down in the wrong box on the patient’s records? Did the employee who faxed the records put the incorrect number on the fax cover sheet? We may never know. But this does raise the importance of being precise at all stages of the patient encounter to assure that no inadvertent violations occur. Care should be taken when information about the patient is initially entered into the system. Individuals at all levels who may be responsible for transmitting PHI must be deliberate about their actions. How many people have called or faxed something to the wrong person before? How many people have written down the wrong telephone or fax number before? Everyone?

This OCR settlement just illustrates that sometimes these small errors can have big implications. There do not appear to have been any significant fines or loss of employment in this situation. But we cannot downplay the potential embarrassment or other negative consequences of mistakes like these. It is one thing to text your friend Bob rather than your friend Bobbie, and weirdly from Bob’s perspective say how wonderful last night was and how you can’t wait to see him again. Telling a patient’s employer about their health condition can have consequences that are much harder to laugh off.

Patient Access to Medical Records Created by Another Provider

Wednesday, March 7th, 2018

Private Practice Provides Access to All Records, Regardless of Source

A private practice denied an individual access to his records on the basis that a portion of the individual’s record was created by a physician not associated with the practice. While the amendment provisions of the Privacy Rule permit a covered entity to deny an individual’s request for an amendment when the covered entity did not create the portion of the record subject to the request for amendment, no similar provision limits individuals’ rights to access their protected health information. Among other steps to resolve the specific issue in this case, OCR required the private practice to revise its access policy and procedures to affirm that, consistent with the Privacy Rule standards, patients have access to their record regardless of whether another entity created information contained within it.

Medical Alerts – HIPAA Implications of Flagging Patient Records

Tuesday, February 27th, 2018

Identification of AIDS Status Through Medical Alert System

Dentist Revises Process to Safeguard Medical Alert PHI

A recent OCR investigation of a dental practice’s flagging of patient records highlights a potential HIPAA violation. The OCR investigation confirmed allegations that the dental practice flagged some of its medical records with a red sticker with the word “AIDS” on the outside cover. Records were handled so that other patients and staff without need to know could read the sticker. A patient complaint commenced an OCR investigation into whether the practice potentially identified the AIDS status of patients within the office.

When notified of the complaint filed with OCR, the dental practice immediately removed the red AIDS sticker from the complainant’s file. To resolve this matter, OCR also required the practice to revise its policies and operating procedures and to move medical alert stickers to the inside cover of the records. Further, the covered entity’s Privacy Officer and other representatives met with the patient and apologized, and followed the meeting with a written apology.

The lesson here is not to place special medical alerts on the outside of physical patient records.  This is a particularly bad practice in a dental office where the typical office setup can result in visual identification by other patients.  If a patient is being escorted by staff and is seen by other patients, the identification on the outside of the patient’s chart can easily be connected to the patient.  This creates a very sensitive potential violation of HIPAA and other laws protecting against disclosure of the AIDS status of individuals.

Providing Protected Health Information in Response to Subpoena

Thursday, February 22nd, 2018

OCR Citation for Improper Disclosure of PHI in Response to a Subpoena

A health care provider or other covered entity under HIPAA is permitted to disclose protected health information if it receives a lawful order from a court or administrative tribunal. This does not mean that a provider can simply release everything it has in a patient record when it receives a court order. Some records, such as mental health or substance abuse records, might have special protections or limitations that apply. Additionally, a provider should closely review the relevant order and only disclose the information that is specifically required by the order.

The ability to release information in response to a subpoena, as opposed to an order of a court, is subject to different rules.  Patient information can only be provided under subpoena if certain notification requirements of the Privacy Rule are met. The notification requirements require the provider who received the subpoena to obtain evidence that there were reasonable efforts to notify the person who is the subject of the information about the request.  This is intended to give the individual an opportunity to object to the disclosure, or obtain a protective order from the court.

The application of these rules is illustrated by a relatively recent OCR settlement involving a hospital that was accused of improperly disclosing PHI in response to a subpoena. The hospital apparently failed to determine that reasonable efforts had been made to notify the individual whose PHI was being sought under the subpoena. This had the effect of denying the individual the right to object or seek a protective order.

As part of the settlement with the hospital, OCR required the hospital to revise its subpoena processing procedures. The new policies adopted by the offending hospital hold a lesson for all covered entities. If a subpoena does not meet the requirements of the Privacy Rule, policy should require the covered entity to reach out to the party who issued the subpoena to explain the notification requirements. Until those requirements are complied with, the information cannot be released.

Court Orders and Subpoenas – Release of Protected Health Information

Mental Health Center Settlement for Failure to Provide Patient Record Copies

Tuesday, February 20th, 2018

OCR Sanction for Failing to Provide Patient Access to Protected Health Information

OCR Settlements Illustrate Area of HIPAA Risk

In this case, which was settled with the Office of Civil Rights, the provider was a mental health center that was accused of refusing to provide a patient with a copy of her medical record, including psychotherapy notes. OCR’s investigation revealed that the Center provided the complainant with an opportunity to review her medical record, including the psychotherapy notes, with her therapist. However, the provider failed to provide the patient with a copy of her records. The Privacy Rule requires covered entities to provide individuals with access to their medical records; however, the Privacy Rule exempts psychotherapy notes from this requirement if they are separately maintained by the covered entity. Although the Center gave the complainant the opportunity to review her medical record, this did not negate the Center’s obligation to provide the complainant with a copy of her records. Among other corrective action taken, the Center provided the complainant with a copy of her medical record and revised its policies and procedures to ensure that it provides timely access to all individuals.

The regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which protect the privacy and security of individuals’ identifiable health information and establish an array of individual rights with respect to health information, have always recognized the importance of providing individuals with the ability to access and obtain a copy of their health information. With limited exceptions, the HIPAA Privacy Rule (the Privacy Rule) provides individuals with a legal, enforceable right to see and receive copies upon request of the information in their medical and other health records maintained by their health care providers and health plans.  Thus, individuals have a right to a broad array of health information about themselves maintained by or for covered entities, including: medical records; billing and payment records; insurance information; clinical laboratory test results; medical images, such as X-rays; wellness and disease management program files; and clinical case notes; among other information used to make decisions about individuals. In responding to a request for access, a covered entity is not, however, required to create new information, such as explanatory materials or analyses, that does not already exist in the designated record set.

An individual does not have a right to access PHI that is not part of a designated record set because the information is not used to make decisions about individuals. This may include certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals.

In addition, two categories of information are expressly excluded from the right of access:

  1. Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient’s medical record. See 45 CFR 164.524(a)(1)(i) and 164.501.
  2. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. See 45 CFR 164.524(a)(1)(ii).

Written Agreement Requirement for Disclosure of Part 2 Records

Wednesday, January 31st, 2018

Disclosure of Part 2 Records for Payment or Health Care Operations Requires Written Agreement

Regulations issued by SAMHSA in January of 2018 permit a lawful holder of Part 2 Records (relating to alcohol or substance abuse treatment) to disclose those records, with written consent of the patient, to its contractors, subcontractors, or legal representatives to carry out payment or healthcare operations on behalf of the lawful holder. The regulations list 17 examples of situations where a release may be considered appropriate. Disclosures to contractors, subcontractors, and legal representatives to carry out other purposes such as substance use disorder patient diagnosis, treatment, or referral for treatment are not permitted under the new rule.

In order to take advantage of the rule permitting disclosure for payment and/or health care operations, the lawful holder of the information is required to have in place a written contract or comparable legal instrument with the contractor or voluntary legal representative, which provides that the contractor, subcontractor, or voluntary legal representative is fully bound by the provisions of part 2 upon receipt of the patient identifying information.

In addition to having a proper contract in place, when making any such disclosures, the lawful holder must take the following further steps:

  • furnish such recipients with the notice required under § 2.32 of the regulations;
  • require such recipients to implement appropriate safeguards to prevent unauthorized uses and disclosures; and
  • require such recipients to report any unauthorized uses, disclosures, or breaches of patient identifying information to the lawful holder.

The lawful holder may only disclose information to the contractor or subcontractor or voluntary legal representative that is necessary for the contractor or subcontractor or voluntary legal representative to perform its duties under the contract or comparable legal instrument. Contracts may not permit a contractor or subcontractor or voluntary legal representative to re-disclose information to a third party unless that third party is a contract agent of the contractor or subcontractor, helping them provide services described in the contract, and only as long as the agent only further discloses the information back to the contractor or lawful holder from which the information originated.

17 Examples SAMHSA Payment and Health Care Operations

Wednesday, January 31st, 2018

Examples of Disclosures of Part 2 Records for Payment and Health Care Operations

In regulations released in January of 2018, SAMHSA included a list of 17 specific types of payment and health care operations in the regulatory text that would be the basis for further disclosures by a lawful holder of patient identifying information. SAMHSA did not include this list of 17 items in the regulations.  Rather, these items were contained in the preamble reflecting that additional reasons for release for payment and health care operations may be permissible.  Examples of permissible activities under § 2.33(b) that SAMHSA considers to be payment and health care operations activities include:

  • Billing, claims management, collections activities, obtaining payment under a contract for reinsurance, claims filing and related health care data processing;
  • Clinical professional support services (e.g., quality assessment and improvement initiatives; utilization review and management services);
  • Patient safety activities;
  • Activities pertaining to:
      • The training of student trainees and health care professionals;
      • The assessment of practitioner competencies;
      • The assessment of provider and/or health plan performance; and
      • Training of non-health care professionals;
  • Accreditation, certification, licensing, or credentialing activities;
  • Underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care;
  • Third-party liability coverage;
  • Activities related to addressing fraud, waste and abuse;
  • Conducting or arranging for medical review, legal services, and auditing functions;
  • Business planning and development, such as conducting cost management and planning-related analyses related to managing and operating, including formulary development and administration, development or improvement of methods of payment or coverage policies;
  • Business management and general administrative activities, including management activities relating to implementation of and compliance with the requirements of this or other statutes or regulations;
  • Customer services, including the provision of data analyses for policy holders, plan sponsors, or other customers;
  • Resolution of internal grievances;
  • The sale, transfer, merger, consolidation, or dissolution of an organization;
  • Determinations of eligibility or coverage (e.g. coordination of benefit services or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;
  • Risk adjusting amounts due based on enrollee health status and demographic characteristics;
  • Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges.

SAMHSA believes it is important to maintain patient choice in disclosing information to health care providers with whom patients have direct contact. For this reason, the final provision in § 2.33(b) does not cover care coordination or case management and disclosures to contractors, subcontractors, and legal representatives to carry out such purposes are not permitted under this section. In addition, SAMHSA added language to the regulatory text in § 2.33(b) to clarify that disclosures to contractors, subcontractors and legal representatives are not permitted for activities related to a patient’s diagnosis, treatment, or referral for treatment.

John H. Fisher

Health Care Counsel
Ruder Ware, L.L.S.C.
500 First Street, Suite 8000
P.O. Box 8050
Wausau, WI 54402-8050

Tel 715.845.4336
Fax 715.845.2718

Ruder Ware is a member of Meritas Law Firms Worldwide

Disclaimer
The Health Care Law Blog is made available by Ruder Ware for educational purposes and to provide a general understanding of some of the legal issues relating to the health care industry. This site does not provide specific legal advice and you should not use the information contained on this site to address your specific situation without consulting with legal counsel that is well versed in health care law and regulation. By using the Health Care Law Blog site you understand that there is no attorney client relationship between you and Ruder Ware or any individual attorney. Postings on this site do not represent the views of our clients. This site links to other information resources on the Internet; these sites are not endorsed or supported by Ruder Ware, and Ruder Ware does not vouch for the accuracy or reliability of any information provided therein. For further information regarding the articles on this blog, contact Ruder Ware through our primary website.