HIPAA | The Health Law Firm Blog

Alleged HIPAA Privacy Violations at the Center of a Recent Physician Group Settlement with HHS

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

A small physician group has reached a settlement with the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) over alleged Health Insurance Portability and Accountability Act of 1996 (HIPAA) violations. The settlement was reached on April 17, 2012 and requires Phoenix Cardiac Surgery (PCS) to pay OCR $100,000 and enter into a one-year corrective action plan (CAP).

The Resolution Agreement and Corrective Action Plan can be viewed here.

HIPAA Complaint Against PCS Stemmed from Internet Calendar Postings

OCR’s investigation of PCS was launched in 2009 after a complaint was received. Click here to view a HIPAA complaint that you can file online. The complaint alleged that PSC had disclosed protected health information (PHI) on patients on the Internet. After investigating the complaint, the OCR alleged that PCS violated the HIPAA privacy and security rules. According to the OCR, PCS posted clinical and surgical appointments on a publicly accessible, Internet calendar. The OCR also alleged that PCS employees e-mailed protected health information to their personal e-mail accounts.

Furthermore, PCS allegedly did not have adequate administrative, physical and technical safeguards in place to protect patient data. The OCR alleged that PCS did not appoint a security officer as required by HIPAA or perform an accurate and thorough risk assessment, also required by HIPAA. The CAP required by the settlement will require PCS to implement policies to ensure full compliance with HIPAA’s privacy and security rules.

Are You In Compliance with HIPAA?

The Health Insurance Portability and Accountability Act of 1996, sometimes referred to as the Kennedy-Kassenbaum Act, was enacted into law as Public Law (P.L.) 104-191, 110 Stat. 1936. Among its many different provisions, it included basic minimums to ensure the privacy of personal medical information. Its main privacy provisions are codified in federal law in different sections of the U.S. Code.

Medical Practices Should Use Caution When Working With Electronic Health Information

This case provides a good example of the downside of information technology (IT). While electronic health information assists in increasing accessibility and efficiency, it can also increase a practice’s risk of violating HIPAA’s Privacy Rule and Security Rule.

All medical practices that utilize electronic health information need to ensure that they have effective IT security, education, policies and procedures in place to protect themselves from HIPAA’s violations.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Sources Include:

HHS Press Office. “HHS Settles Case with Phoenix Cardiac Surgery for Lack of HIPAA Safeguards.” U.S. Department of Health and Human Services. (Apr. 17, 2012). Press Release. From
http://www.hhs.gov/news/press/2012pres/04/20120417a.html

Lewis, Nicole. “Online Calendar Mistakes Cost Doctors Group $100,000.” Information Week. (Apr. 23, 2012). From
http://www.informationweek.com/news/healthcare/security-privacy/232900727

Sterling, Robyn. “HHS Settlement for Lack of HIPAA Safeguards.” Proskauer Privacy Law Blog. (Apr. 25, 2012). From
http://www.jdsupra.com/post/documentViewer.aspx?fid=e548966a-d7eb-4f47-a0af-de15db487dbb/

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

By The Health Law Firm|2024-03-14T10:00:30-04:00June 1, 2018|Categories: HIPAA, The Health Law Firm Blog|Tags: cap, corrective action plan, Department of Health and Human Services, EHR, electronic health records, electronic protected health information, hhs, hipaa, HIPAA privacy complaint defense, HIPAA violation, hitech, IT security, ocr, Office for Civil Rights, privacy and security rules|Comments Off

HIPAA Fines, Mobile Devices and Risk Assessments: Follow the Steps or Pay the Price

By Lance O. Leider, J.D., The Health Law Firm

Two separate entities have agreed to pay the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) $1,975,220 in fines collectively. The settlements resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules involving stolen, unencrypted laptops. These two actions shine a light on the significant risk unencrypted laptops and other mobile devices pose to the security of patient information.

To read the press release from the HHS OCR, published on April 22, 2014, click here.

Concentra Received Risk Assessments, But Did Not Act on Findings.

According to the OCR, an investigation of Concentra Health Services, a subsidiary of Humana, was conducted after a laptop was stolen from a Missouri physician therapy center. This investigation revealed that Concentra had previously received multiple risk analyses that stated the company lacked encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information. Concentra’s efforts to remedy the risk were incomplete and inconsistent, leaving patients’ health information vulnerable. Concentra agreed to pay $1,725,220 to settle potential security violations and adopt a corrective action plan.

QCA Investigation.

The QCA Health Plan, Inc., investigation began in February 2012, after an unencrypted laptop containing the medical records of 148 individuals was stolen from an employee’s car. The investigation revealed that QCA failed to comply with multiple requirements of the HIPAA privacy and security rules. According to Modern Healthcare, the company is required to pay $250,000, as well as provide HHS with an updated risk analysis and corresponding risk-management plan.

Click here to read the entire article from Modern Healthcare.

Encrypt Laptops and Other Equipment or Pay the Price.

Encryption is one of your best defenses against incidents. These two settlements highlight the need for all entities to encrypt their laptops and other devices. Failing to do so may put that entity at risk for paying a large fine to the OCR and possible fines for state law violations.

HIPAA-covered entities are responsible for making sure all personal information is protected.

The following are some practical tips to use when handling protected health information. Share them with others in your organization:

1. Ensure that all types of electronic media by which you transfer patient health information of any kind are encrypted. This includes thumb drives, CD ROMs, DVDs, backup tapes, mini hard drives and anything else.
2. Try not to remove any patient information from your work site. If you need to work on it remotely, use a secure, encrypted internet connection to access your work database. Avoid saving the work or data onto your laptop hard drive or other removable media.
3. Never leave your laptop or other media in a car you are having worked on by a mechanic, having an oil change, having the car washed, or while you run into a store. Thieves stake out such locations and are waiting for careless individuals to do this.
4. Never leave your laptop, thumb drive or other electronic media from work in your car. What can be worse than having your car stolen? Having your car stolen with your laptop in it with patient information on it.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Comments?

Are the laptops and other mobile devices at your practice encrypted? Does your practice regularly perform HIPAA risk assessments? Please leave any thoughtful comments below.

Sources:

Conn, Joseph. “Unencrypted-Laptop Thefts at Center of Recent HIPAA Settlements.” Modern Healthcare. (April 23, 2014). From: http://www.modernhealthcare.com/article/20140423/NEWS/304239945/unencrypted-laptop-thefts-at-center-of-recent-hipaa-settlements

U.S. Department of Health and Human Services Press Office. “Stolen Laptops Lead to Important HIPAA Settlements.” U.S. Department of Health and Human Services. (April 22, 2014). From: http://www.hhs.gov/news/press/2014pres/04/20140422b.html

About the Author: Lance O. Leider is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714, Phone: (407) 331-6620.

The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2014 The Health Law Firm. All rights reserved.

By The Health Law Firm|2024-03-14T10:00:56-04:00June 1, 2018|Categories: HIPAA, Hitech Act, The Health Law Firm Blog|Tags: corrective action plan (CAP), data security, defense attorney, defense lawyer, encrypted laptop, Health Information Technology for Economic and Clinical Health (HITECH) Act, Health Insurance Portability and Accountability Act (HIPAA), health law firm, HIPAA attorney, HIPAA compliance, HIPAA compliance audit, HIPAA lawyer, HIPAA risk assessment, HIPAA violation, medical history, medical records, Office of Civil Rights (OCR), Omnibus Rule, Omnibus rule compliance deadline, Patient privacy, patient records, privacy, protected health information (PHI), the health law firm, U.S. Department of Health and Human Services (HHS)|Comments Off

OCR Releases Results From First Round of HIPAA Audits

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

The Office for Civil Rights’ (OCR) has release information on the initial round of mandated audits of Health Insurance Portability and Accountability Act (HIPAA) covered entities. The OCR announced official details concerning the audits at an OCR and National Institute of Standards and Technology (NIST) conference held June 6, 2012.

Initial HIPAA Audits Started November 2011.

As required by the HITECH Act, the OCR began auditing selected covered entities’ compliance with the privacy and security provisions of HIPAA and its implementing regulations in November 2011. The OCR selected 150 covered entities to be audited in the pilot phase by KPMG LLP (KPMG). KPMG is the audit contractor chosen by the OCR to perform HIPAA audits. The first 20 audits concluded in March 2012. More audits will continue to occur this year.

HIPAA Audit Process.

The HIPAA audit process was drafted by the OCR and KPMG in November 2011. Entities selected for an audit receive a notification letter from OCR and are asked to provide documentation to the auditor. Every audit includes a site visit. After the site visit and initial investigation, KPMG recommends suggested modifications for the entity to meet compliance standards in a draft audit report. The entity will have an opportunity to respond to the draft audit report, citing any findings made by KPMG that may be incorrect. KPMG then summarizes final results in a final audit report. The final audit report details how the audit was conducted; what the findings were and; what actions the covered entity is taking in response to those findings.

HIPAA Audit Results.

The results of the initial round of audits revealed that small covered entities had a lot more issues than large ones. Six of the 20 audited entities were small entities (e.g., $50 million or less in revenue). However, these small entities represented 66% of the deficiency findings. Additionally, the OCR reported that health care providers had more problems than plans or clearinghouses. A disproportionate number of the deficiencies were by health care providers. While providers represented 50% of the 20 audited entities, they were responsible for 81% of the deficiency findings.

The OCR also announced that the majority of the findings were related to the Security Rule. OCR indicated that this is partially attributable to more of the audit protocol focusing on security than privacy or breach notification.

To view the OCR’s presentation on HIPAA audit findings, click here.

To view the HIPAA Privacy Rule, click here.

To view the HIPAA Security Regulation, click here.

Contact Health Law Attorneys Experienced in Audits of Health Providers.

The Health Law Firm represents physicians, medical practices, hospitals, and other health providers in audits, including Medicare audits, Medicaid audits, and HIPAA audits. The Health Law Firm also assists health providers in establishing compliance with HIPAA regulations. If you have received notification of an impending audit contact The Health Law Firm immediately.

To contact The Health Law Firm, please call (407) 331-6620 or (850) 439-1001 and visit our website at www.TheHealthLawFirm.com.

Sources Include:

Greene, Adam H. and Rebecca L. Williams. “HIPAA Audits Results Released: We Still Have Work to Do.” JD Supra. (June 13, 2012). From: http://www.jdsupra.com/post/documentViewer.aspx?fid=dca67d93-c84d-4331-a327-fc394407d125

Sanches, Linda. “2012 HIPAA Privacy and Security Audits.” National Institute of Standards and Technology. (June 7, 2012). From: http://csrc.nist.gov/news_events/hiipaa_june2012/day2/day2-2_lsanches_ocr-audit.pdf

Saul, H. Carol. “Update on OCR HIPAA Audits.” Lexology. (May 29, 2012). From: http://www.lexology.com/library/detail.aspx?g=e5a886a7-1d24-4f90-a1a6-6a367e9fc3ba

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

By The Health Law Firm|2024-03-14T10:00:32-04:00June 1, 2018|Categories: HIPAA, The Health Law Firm Blog|Tags: audit attorneys, defense attorneys, health care audits, Health Insurance Portability and Accountability Act, hipaa, HIPAA audits, HIPAA compliance, hitech, lawyers, legal representation, medical practice audit, medical records, ocr, OCR audits, Office of Civil Rights, records request|Comments Off

Cyber Attack at Community Health Systems Affects 4.5 Million Patients-Could This be a New Trend?

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

On August 18, 2014, Community Health Systems, a Tennessee-based hospital chain that has 206 hospitals in 29 states, announced that its computer system was hacked. According to a number of news reports, an outside group of hackers, originating in China, used highly sophisticated malware and technology to steal 4.5 million patients’ non-medical data. The hackers were able to obtain patients’ names, Social Security numbers, addresses, birth dates, and telephone numbers.

According to the Orlando Sentinel, in Florida, St. Cloud Surgical Associates, St. Cloud Medical Group, and Urology Associates of St. Cloud were among the practices where medical data was stolen. The article did not mention how many patients in Florida were affected. Click here to read the story from the Orlando Sentinel.

How Community Health Systems will Handle Being Hacked.

According to The New York Times, Community Health Systems believes the attacks happened from April to June 2014. The company will be notifying affected patients and agencies under the Health Insurance Portability and Accountability Act (HIPAA).

The hospital system is now working with a security company to investigate the incident and help prevent future attacks. Federal law enforcement agents are also investigating the incident. Click here to read the entire article from The New York Times.

Because this breach affected more than 500 individuals, it will soon be posted on the Office for Civil Rights (OCR) Department of Health and Human Services’ (HHS) Wall of Shame. The law requires that any breach involving 500 or more individuals be publicly posted. To learn more on the Wall of Shame, click here for my previous blog.

Protect Your Practice As Best You Can From Cyber Attacks.

Cyber hacking in the medical community appears to be a crime of opportunity. Quickly there are becoming two types of companies: those that have been hacked and those that will be hacked.

While there is no way to guarantee protection from extrusion and external sources, there are steps that can be taken. For medical practices, many of these are required as part of a HIPAA risk assessment. Some areas to focus on include:

–   Background checks;
–   Comprehensive policies and procedures;
–   Vigilance when it comes to monitoring and data-leakage prevention tools; and
–   Employee education.

Medical practices are going to become bigger targets as the health care industry transitions to electronic health records. In addition, the hacking community is figuring out it is easier to hack a hospital or private practice, than it is a bank and you get the same information. To learn more on HIPAA risk assessments, click here.

Comments?

How do you protect your medical practice from hackers? Do you have regular risk assessments? Why or why not? Please leave any thoughtful comments below.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Sources:

Perlroth, Nicole. “Hack of Community Health Systems Affects 4.5 Million Patients.” The New York Times. (August 18, 2014). From: http://nyti.ms/1pFpujC

Kutscher, Beth. “Chinese Hackers Hit Community Health Systems; Other Vulnerable.” Modern Healthcare. (August 18, 2014). From: http://bit.ly/1BxsLqH

Jacobson, Susan. “St. Cloud Medical Patients’ Information Among Millions Stolen in Cyber Attack.” (August 18, 2014). From: http://www.orlandosentinel.com/business/os-hospital-data-breach-st-cloud-20140818,0,3157319.story

Rose, Rachel. “Protecting Your Medical Practices From Cyber Threats.” Physicians Practice. (July 17, 2014). From: http://www.physicianspractice.com/blog/protecting-your-medical-practice-cyberthreats

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2014 The Health Law Firm. All rights reserved.

By The Health Law Firm|2024-03-14T10:00:58-04:00June 1, 2018|Categories: Health Care Industry, HIPAA, Hitech Act, In the News, The Health Law Firm Blog|Tags: Community Health Systems, cyber attack, data breach, data security, defense attorney, defense lawyer, Department of Health and Human Services, electronic health records security, Health Insurance Portability and Accountability Act, health law firm, hhs, hipaa, HIPAA attorney, HIPAA Breach, HIPAA lawyer, hospital cyber attack, ocr, Officer for Civil Rights, patient data, personal data, personal health information, PHI, securing EHR, securing patient data, Security and Exchange Commission, the health law firm, Wall of Shame|Comments Off

Preparing for HIPAA Audits

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

The Office of Civil Rights (OCR) has recently released the initial results for the first round of HIPAA audits, as well as the HIPAA audit protocol. Covered entities need to review both the audit results and audit protocol to assist in preparing for the possibility of a HIPAA audit.

Tips to Prepare for a HIPAA Audit.

Although the first round of audits has concluded, HIPAA audits will continue to be conducted through December 2012. Covered entities that avoided the first round of HIPAA audits can learn from the results released by OCR. The OCR is also expected to release an audit protocol which will further assist covered entities in learning how to prepare for a HIPAA audit. The following tips should assist covered entities in preparing for and responding to a HIPAA audit.

To see a previous blog post regarding health care audits, click here.

Before the Audit:

All policies and procedures required by the HIPAA Privacy, Breach Notice, and Security Rules should be finalized and regulator-ready.
Assign individuals in your organization that can speak to each aspect of HIPAA implementation. Be sure they are aware of questions that may be asked by the OCR concerning compliance.
HIPAA’s Security Rule requires that covered entities periodically conduct a risk analysis. The OCR recently released guidance on conducting such an analysis. This risk analysis guidance can be found here. The results of your risk analysis will likely be among the documents requested for review during an audit. If you have not conducted a risk analysis in the last year, do so now. Evaluate the results and determine how to handle identified risks. Be sure to carefully document each step of the risk analysis process.
Train employees on compliance. Maintain documentation that every relevant employee has been trained.
Identify all of your vendors that handle protected health information. Negotiate business associate agreements with all such vendors.

During the Audit:

Respond to every notice provided by the OCR in a timely manner. All relevant personnel should receive copies of the OCR’s written notice of its intent to audit.
Appropriately respond to the draft audit report with any findings that you believe were unfair or inaccurate before the report is finalized. According to the OCR you should have ten days to respond.

After the Audit:

When audit is over, enforce compliance measures suggested by the OCR. To avoid further action taken by the OCR.

To view the HIPAA Privacy Rule, click here.

To view the HIPAA Security Regulation, click here.

Contact Health Law Attorneys Experienced in Audits of Health Providers.

The Health Law Firm represents physicians, medical practices, hospitals, and other health providers in audits, including Medicare audits, Medicaid audits, and HIPAA audits. The Health Law Firm also assists health providers in establishing compliance with HIPAA regulations. If you have received notification of an impending audit contact The Health Law Firm immediately.

To contact The Health Law Firm, please call (407) 331-6620 or (850) 439-1001 and visit our website at www.TheHealthLawFirm.com.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

By The Health Law Firm|2024-03-14T10:00:32-04:00June 1, 2018|Categories: HIPAA, The Health Law Firm Blog|Tags: audit attorneys, defense attorneys, health care audits, Health Insurance Portability and Accountability Act, hipaa, HIPAA audits, HIPAA compliance, hitech, lawyers, legal representation, medical practice audit, medical records, ocr, OCR audits, Office of Civil Rights, records request|Comments Off

Don’t Ring in the New Year with a HIPAA Audit – Safeguard Yourself Now

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

Here’s a scary reminder: There are people attempting to hack into electronic health systems every second of every day. Thankfully, most of these attempts are unsuccessful due to the preventive technologies in place to safeguard such information. However, electronic data will never be 100 percent secure.

Electronic health records promised was intended to be a tool for doctors to share patient data, reduce prescription drug errors, and allow patients convenient access to their records. However, since the transition to digital medical records, there have been concerns from patients about privacy, security and identity theft.

Recently, the Office for Civil Rights (OCR) announced that the agency will ramp up its Health Insurance Portability and Accountability Act (HIPAA) privacy and security audit program in 2015 for covered entities and business associates. These audits will focus on device encryptions, media controls, data transmission security protocols, and staff training on HIPAA policies and procedures.

Now is the time to ensure compliance.

Real World Privacy Breaches Happen All the Time.

On December 2, 2014, OCR and Anchorage Community Mental Health Services, Inc. (ACMHS), settled alleged violations of the HIPAA Security Rule. OCR started an investigation into ACMHS’s compliance with HIPAA after receiving a notification about a breach of unsecured electronic patient information affecting 2,743 individuals. The breach resulted from malware that compromised ACMHS’s information technology resources. According to the settlement, ACMHS must pay a $150,000 fine and enter into a resolution agreement and corrective action plan (CAP).

In November 2014, Beth Israel Deaconess Medical Center in Massachusetts agreed to a $100,000 settlement after a physician’s laptop was stolen from the hospital. The computer was not issued by the hospital and had not been encrypted in accordance with the hospital’s policies. However, the hospital was aware that the physician used the device. The laptop contained the health information and personal information, including Social Security numbers, of nearly 4,000 individuals. It’s alleged the hospital took three months to notify affected patients about the breach, which is a violation of HIPAA. (HIPAA requires such notifications to take place within 60 days.)

Tips to Protect Yourself and Your Business.

Again, the HIPAA audit program will be resuming after the first of the year. Accordingly, hundreds of covered entities and business associates will be receiving inquiries that could lead to an onsite audit. The audit requirements will be very difficult for organizations that have not planned in advance. Here are three easy-to-implement steps to prepare your practice.

1. Review the latest HIPAA policies and procedures. Make sure your office is meeting the latest privacy and security criteria. Identify gaps, update documents, and retrain staff on HIPAA policies and procedures. Don’t forget to document your educational efforts. Click here for a link to the latest policies and procedures.

2. Contact your business associates. Ask each of them to provide your practice with an updated Business Associate Agreement and list of all subcontractors they use. For business associates, the 2015 HIPAA audits will focus on risk analysis, risk management and updated policies and procedures for breach notification.

3. Have a risk assessment performed on your practice. To learn more about risk assessments, click here for a previous blog.

Also, a violation of the HIPAA privacy and security provisions does carry civil and criminal penalties. Anyone who is a health care professional or facility, should be aware of these legal provisions. Click here to read my previous blog.

HIPAA is Not One Size Fits All.

Protecting patient data is not a one-size-fits-all method, meaning that security measures and access to electronic records should not necessarily be uniform. There needs to be processes and check points in place at practices to ensure that the electronic health record system and its many users consistently meet HIPAA policies and procedures. Health care practices must be vigilant that when they integrate other medical practices and facilities into their organization that they extend these measures to incorporate new employees, new sites and locations, and various technologies.

As demonstrated throughout this blog, the risks of non-compliance simply outweigh the costs of sound preparation. If you’d like more information, contact a health law attorney experienced in these matters.

Comments?

Are you worried about the next round of HIPAA audits? Are you concerned about HIPAA violations? How are you ensuring compliance within your practice? Please leave any thoughtful comments below.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other health care providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Sources:

Van Terheyden, Nick and Faix, Rob. “Digital Health Records: Pain and Gain.” Orlando Sentinel. (December 12, 2014). From: The Orlando Sentinel News Section on page A20.

“Beth Israel Agrees To Pay $100K To Settle 2012 Data Breach Case.” iHealthBeat. (November 25, 2014). From: http://www.ihealthbeat.org/articles/2014/11/25/beth-israel-agrees-to-pay-100k-to-settle-2012-data-breach-case?view=print

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2014 The Health Law Firm. All rights reserved.

By The Health Law Firm|2024-03-14T10:00:58-04:00June 1, 2018|Categories: Electronic Health Record, HIPAA, The Health Law Firm Blog|Tags: civil penalties for HIPAA violation, compliance plans, criminal penalties for HIPAA violation, data security, defense attorney, defense lawyer, digital health records, EHR, electronic health records, electronic medical records, EMR, hacking medical records, Health Insurance Portability and Accountability Act, health law firm, hipaa, HIPAA attorney, HIPAA compliance, HIPAA compliance audit, HIPAA defense attorney, HIPAA lawyer, HIPAA violation, HIPAA violation help, identity theft, medical data, medical records, Patient privacy, patients record, penalties for HIPAA violation, privacy, protected health information (PHI), The Health Law|Comments Off

Remedies for Violation of HIPAA Privacy Rights and Medical Confidentiality – Part 1

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

I receive many questions and e-mails about possible violations of the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Regulations and Security Regulations, and breaches of confidentiality of medical records and medical information. I will attempt to explain and clarify this issue a little in this short blog.

More detailed information on HIPAA Privacy Regulations and Security Regulations, can be found at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html

There is no private cause of action allowed to an individual to sue for a violation of the federal HIPAA or any of its regulations. This means you do not have a right to sue based on a violation of HIPAA by itself. However, you may have a right to sue based on state law. See below.

1. File a HIPAA Privacy Complaint with the Office of Civil Rights (OCR).

As a first step, you may desire to file a HIPAA Privacy Complaint with the federal government. These are usually required to be filed within 180 days of the event (there are limited exceptions). They are usually all taken and fully investigated. If it is an egregious or a repeat violation, it may even result in an investigation by the Federal Bureau of Investigation (FBI) and criminal charges being filed against those responsible. However, in most cases if there is a valid complaint, the federal government will assess administrative fines against those responsible. In almost all cases, a report will be made back to you of what is found and what actions have been taken.

If you decide to file a HIPAA Privacy Complaint, this is done with the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (DHHS). You may do this online. The Complaint form is found at: http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html

If you follow this process and receive a finding that verifies the violation, you may find it easier to retain an attorney to take your case. Please note, there is only a very short period of time in which you are allowed to file such a complaint after you have discovered it. So be sure to do this right away.

2. File a Complaint Against the Physician Involved with the Florida Department of Health (DOH).

The Florida Department of Health (DOH) licenses all physicians, nurses and health professionals in the state of Florida. It is also responsible for investigating complaints against them. The various professional boards (Board of Medicine, Board of Nursing, etc.) are under the DOH.

If there was a violation or breach of patient confidentiality or medical records confidentiality, this may also be a violation of the state’s laws on patient or medical records confidentiality. This is true in most states, not just Florida.

If there was a violation or breach of patient confidentiality by a licensed health care professional, you may also file a complaint with the appropriate state licensing board or agency about this, as well. In Florida, for example, if a licensed health professional did this, you may decide to report this to the Florida DOH. If they are licensed in a different state, you may have to follow that state’s procedure for filing a complaint.

For Florida, you may call the Florida DOH at (888) 419-3456 or (850) 245-4339, or you may use the online complaint form found at: http://www.doh.state.fl.us/mqa/enforcement/enforce_csu.html

The Florida DOH will investigate the complaint and will usually have an expert witness review it. If there is a finding against the physician (or other licensed health professional) you can ask for a copy of the DOH expert’s report. This may result in your obtaining a free expert witness review of the case. The expert witness might even agree later to testify as an expert witness if there is a civil lawsuit filed (however, this is something your attorney would have to work out with the expert witness).

3. File Grievance or Report to Third Party Payer (Medicare, Tricare, VA, Insurance Co.).

If you are a Medicare patient, TRICARE/CHAMPUS patient, Veterans Administration (VA) patient, Public Health Service patient, or military patient, you may also report this to the Office of the Inspector General (OIG) of that specific agency.

If you are a member of a managed care plan or have health insurance, you may desire to file a member grievance or complaint with the insurance company. Every physician who accepts Medicare is subject to the Medicare Program’s peer review system. You may file a complaint directly with Medicare and ask for it to be reviewed by the Medicare peer review program.

More on HIPPA Violations to Come.

In a future blog, I will continue to explain and clarify HIPPA violations.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.

By The Health Law Firm|2024-03-14T10:00:37-04:00June 1, 2018|Categories: HIPAA, In the Know, The Health Law Firm Blog|Tags: audit attorneys, breach of patient confidentiality, defense attorneys, health care audits, Health Insurance Portability and Accountability Act, hipaa, HIPAA audit protocol, HIPAA audits, HIPAA compliance, lawyers, legal representation, medical practice audit, medical records, records request|2 Comments

Remedies for Violation of HIPAA Privacy Rights and Medical Confidentiality – Part 2

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

I receive many questions and e-mails about possible violations of the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Regulations and Security Regulations, and breaches of confidentiality of medical records and medical information.

More detailed information on HIPAA Privacy Regulations and Security Regulations, can be found at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html

There is no private cause of action allowed to an individual to sue for a violation of the federal HIPAA or any of its regulations. This means you do not have a right to sue based on a violation of HIPAA by itself. However, you may have a right to sue based on state law.

To read the first part of this blog, click here. To continue learning more on HIPAA Privacy Rights and Medical Confidentiality, see below.

4. State Laws and Law Suits (Civil Recovery).

If there was a violation or breach of patient confidentiality or medical records confidentiality, this may also be a violation of the state’s laws on patient or medical records confidentiality. In most states this would give you a legal cause of action for invasion of privacy or for negligence.

The biggest problem usually encountered in this type of case and the reason most attorneys will not even consider taking one is the lack of documented provable damages (again, I emphasize the words “documented” and “provable”).

5. The Key is Documented, Provable Damages.

Unless you have actual bills and receipts, you don’t have this. In most cases, unless you can prove that you have suffered actual damages by proof such as:

a. Doctors’ bills you have paid

b. Mental health counseling fees you have paid

c. The purchase of credit protection insurance

d. The purchase of identification theft insurance

e. The costs you have paid because your identity was stolen

f. Lost pay from time off (with the pay stubs, W-2 forms, etc., to prove the amount)

g. Lost pay from a lost job (with the pay stubs, W-2 forms, etc., to prove the pay lost)

h. Attorney’s fees paid as a direct result of the breach of privacy (key word being “direct result”)

i. Other actual out-of-pocket expenses, you may have a difficult time proving a case in a court of law

If you have these keep good, detailed documentation. Obtain good, legible receipts for everything.

Unless you have these, you will have great difficulty in finding a plaintiff’s attorney to take such a case. It is doubtful that you would have a provable case, as well. There are exceptions to every case, however.

If you do feel that you have a valid case with documented damages, we urge you to contact and retain a plaintiff’s attorney to file suit on your behalf as soon as possible. You have only a short period of time to bring up such a case, after which your rights to do so will be extinguished forever.

We would urge you to consider carrying out actions #1, #2 and #3 in Part 1. If these organizations do not find in your favor, then it is even less likely that a judge or jury would find in your favor.

The Difference Between Hourly Attorney vs. Contingency Fee Attorney.

Our statements above hold true mainly because most attorneys who would take such a case are plaintiff’s attorneys who take cases for a contingency fee (a percentage of the amount they win). In such a case, if an attorney spends 100 hours preparing for trial (actually a low number), wins your case, and you only have $500 worth of provable damages (if the contingency fee agreement is for 40%, a fairly standard amount) then that attorney only gets $200, or $2.00 per hour. I don’t know any attorney who will work for that amount. (This is a very simplistic illustration to make the point; it does not even take into account the legal costs involved, which the client is usually responsible for paying.)

An attorney who charges by the hour may be more likely to take the case (but he/she may also be hard to find for this type of case), and may require a retainer fee of $5,000 to $15,000 paid up front just to get started.

If you have a civil case for liability, you only have a short, limited time to file it. You must do so within the applicable time period or you will lose the right to do so forever.

Remember, there is only a short time in which to take any action that may be necessary and if you fail to do so, your rights may be lost forever.

Again, this is not legal advice, just general information.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.Copyright © 1996-2012 The Health Law Firm. All rights reserved.

By The Health Law Firm|2024-03-14T10:00:37-04:00June 1, 2018|Categories: HIPAA, In the Know, The Health Law Firm Blog|Tags: audit attorneys, breach of patient confidentiality, defense attorneys, health care audits, Health Insurance Portability and Accountability Act, hipaa, HIPAA audit protocol, HIPAA audits, HIPAA compliance, lawyers, legal representation, medical practice audit, medical records, records request|Comments Off

Do You Need A HIPAA Risk Assessment?

By Danielle M. Murray, J.D.

As a health care provider or owner of a health facility, you know about the Health Insurance Portability and Accountability Act (HIPAA) of 1996. You know that you must safeguard and protect confidential patient medical information to avoid civil and criminal penalties against you and your practice. Did you know that you may need a HIPAA Risk Assessment?

If You Are A Health Care Provider You Face an Audit Risk.

The Office for Civil Rights (OCR) is stepping up enforcement around the country of “covered entities” and business associates. OCR auditors will send a letter informing you that within 30 days, they will be in your office reviewing your organization and interviewing your key staff members. If the auditor finds flaws with your office, you will be made aware of them, and then re-reviewed later, if you are not first fined or otherwise sanctioned. It is a very real and likely situation that many practices, facilities, and their business associates will be faced with in the coming months and years.

Frequently, an investigation into HIPAA violations is started due to disgruntled employees, patient complaints, theft or loss of records, security breaches, and improper disclosure.

A HIPAA Risk Assessment is Mandatory by Law.

A HIPAA Risk Assessment is a thorough review and analysis of areas where you may have risk of violating the HIPAA laws. Federal regulations require that covered entities have this assessment done. Specifically, the regulation says that covered entities must:

[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

To see this regulation in full, go to http://law.justia.com/cfr/title45/45-1.0.1.3.70.3.33.4.html.

Practices Big and Small Can Be Audited.

Large and small practices have been targeted by HIPAA Compliance Audits. UCLA was fined $865,000 because some of its employees improperly peeked into hospitalized celebrities’ medical records. The Alaska Department of Health and Social Services was fined $1,700,000 when a USB hard drive full of protected health information was stolen from an employee’s car. In another case, a specialty physician practice in Arizona was fined $100,000 because it used a public internet calendar to post clinical and surgical appointments.

All of these stories had something in common: they did not conduct a HIPAA risk assessment, they did not implement administrative safeguards, and they were fined a lot of money. Could your practice afford that sort of cost? Not to mention the potential criminal liability that comes with privacy violations.

HIPAA Risk Assessments Are A Pre-Emptive Measure to Limit Sanctions.

A HIPAA risk assessment can significantly reduce, if not entirely eliminate, your exposure to regulatory and litigation sanctions. It will identify areas for improvement and allow them to be corrected before an auditor finds the issue and causes unwanted problems for you and your practice.

HIPAA laws have likely changed since you last edited your privacy forms and procedures. Many health providers simply don’t have the time to re-review their policies and revise documents. In a perfect practice, this would be done every 6 months.

When the OCR auditor comes to visit your office to check for HIPAA compliance, they will ask for your Risk Assessment. Do you have one? Does your staff know who your HIPAA compliance officer is? Call an experienced health law attorney to complete a risk assessment of your practice today.

For more on HIPAA, read our two-part blog. Click here for part one and here for part two.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Comments?

What are your thoughts? Is HIPAA working? Not working? Has HIPAA increased the protection of your health information? What could be done to improve it? Please leave any thoughtful comments below.

About the Author: Danielle M. Murray is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.

By The Health Law Firm|2024-03-14T10:00:38-04:00June 1, 2018|Categories: HIPAA, In the Know, The Health Law Firm Blog|Tags: administrative, civil, compliance, criminal, defense attorney, defense lawyer, doctor, fines, Health Insurance Portability and Accountability Act, hipaa, HIPAA audit protocol, HIPAA compliance, HIPPA audits, license, licensed clinical social worker, licensed mental health counselor, mental health, physician, policy, practice, privacy, psychologist, psychology, risk assessment, sanctions, security|Comments Off

Patients Like to Read Doctors’ Notes Online

By Danielle M. Murray, J.D.

According to the Orlando Sentinel, a study published in the Annals of Internal Medicine shows that patients like to read their doctors’ notes. In the study, published in April of 2012, doctors put their notes online, and gave patients online access to the file. While some patients had privacy concerns, ninety-nine percent (99%) of them requested to keep access to the file after the study was over.

To read the entire article from the Orlando Sentinel, click here.

Doctors Did Not Feel Overwhelmed by Having to Put Notes in Computer.

Patients interviewed for the study felt that the notes reiterated important points that they had discussed with their doctors. Study participants were able to be reminded of key information, and many said they felt that they were more compliant with the doctors’ recommendations.

Doctors didn’t report feeling limited or overwhelmed by having to take notes in the computer system used for the study, and they continued to allow access to the notes following the study.

Non-Electronic Options for Doctors’ Offices.

If a doctor does not feel comfortable using an online system, or simply does not have the time or money to convert to an electronic system, the article suggests that doctors can simply add a new procedure to their current, handwritten record-keeping system. Doctors can have staff routinely make a copy of the patient’s notes and mail the notes, or have the notes picked up by the patient, within a set time after the visit.

Keep in Mind Your Responsibilities as A Doctor.

As a health attorney advising physicians, medical groups and medical facilities, I have to look at the legal risks of such arrangements.

While putting records online or even creating an app for patients to access records is convenient, such an arrangement can inadvertently allow the records to fall into the hands of third parties. I don’t know of many doctors’ offices with in-house staff to manage their document server and online secure servers for such an undertaking. Even so, streamlining the process generally requires special software, which was created by and likely monitored by a third-party software developer.

I would first suggest that any health professional looking to digitize or allow remote access to records have a contract ready for their technology associate to sign. The contract should clearly state the obligations of each party, and it should incorporate all Health Insurance Portability and Accountability Act (HIPAA) privacy and security responsibilities. I would not suggest piecing something like this together on your own; seek counsel, such as experienced health law attorneys, to do this for you.

If you are unsure about HIPAA privacy rights, click here for part one and click here for part two of a blog series on possible violations.

Contact Health Law Attorneys Experienced with Investigations of Health Professionals and Providers.
The attorneys of The Health Law Firm provide legal representation to physicians, nurses, nurse practitioners, CRNAs, dentists, pharmacists, psychologists, health facilities and other health providers in Department of Health (DOH) investigations, OCR HIPAA audits, breach of privacy investigations, HIPAA risk assessments, Drug Enforcement Administration (DEA) investigations, FBI investigations, Medicare investigations, Medicaid investigations and other types of investigations of health professionals and providers.

To contact The Health Law Firm, please call (407) 331-6620 or (850) 439-1001 and visit our website at www.TheHealthLawFirm.com.

Comments?

As a health professional, do you make notes available to your patients? Does putting such notes online worry you? Please leave any thoughtful comments below.

Source:

Pittman, Genevra. “Patients Like Reading Their Doctors’ Notes: Study.” Orlando Sentinel. (October 1, 2012). From: http://www.orlandosentinel.com/health/sns-rt-us-patients-like-reading-their-doctors-notes-stbre-20121001,0,925182.story

About the Author: Danielle M. Murray is an attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714

“The Health Law Firm” is a registered fictitious business name of George F. Indest III, P.A. – The Health Law Firm, a Florida professional service corporation, since 1999.

By The Health Law Firm|2024-03-14T10:00:38-04:00June 1, 2018|Categories: HIPAA, In the Know, The Health Law Firm Blog|Tags: audit attorneys, breach of patient confidentiality, defense attorneys, defense lawyers, health care audits, Health Insurance Portability and Accountability Act (HIPAA), HIPAA audit protocol, HIPAA audits, HIPAA compliance, HIPAA risk assessments, legal representation, medical practice audit, medical records, records request|Comments Off