PSBJ Article on HIPAA Interviews OMW Attorney David Schoolcraft

The Puget Sound Business Journal issued an article today on HIPAA and the impact on business associates.  The article interviewed Ogden Murphy Wallace Attorney David Schoolcraft because of his expertise in healthcare privacy law and health information technology.  The article focuses on the impact HIPAA has on health IT start-ups and their relationships with HIPAA covered entities.  To read the article click here (subscription required).

Increase in Costs for Copies – But Don’t Forget HIPAA (Updated)

Effective July 1, 2013, medical providers in Washington may increase their charges for searching and duplicating medical records.  The Department of Health (“DOH”) recently released the updated fee schedule for providers. The revised charges are as follows:

                                               Current Fee Schedule   Fee Schedule Effective July 1, 2013
Copying for First 30 Pages                     $1.04/page             $1.09/page
Additional Pages                               $0.79/page             $0.82/page
Clerical Fees                                  $23.00                 $24.00
(for searching and handling records)

Providers who personally edit confidential information from the record are allowed to charge their usual fee for a basic office visit.  Pursuant to HIPAA, this fee may be charged when the medical record is validly requested by someone other than the individual.

HIPAA Limitations Relating to Medical Record Requests by Patients

Though the Washington Administrative Code (WAC) allows certain charges, HIPAA limits these charges when a patient requests duplication of his/her own medical record.  Fees charged by providers may only include:

  1. Labor for copying the protected health information (whether electronic or paper form);
  2. Supplies for creating the paper copy or electronic media;
  3. Postage fees (when the individual has requested the copy by mail); and
  4. If agreed to in advance by the patient, the cost of preparing an explanation or summary of the protected health information.

Applying both the WAC and HIPAA in combination, the clerical fee of $24.00 cannot be charged to a patient requesting a copy of his/her medical record; but a reasonable clerical fee for the labor of copying the medical record may be assessed.  Providers may not charge a fee equal to a basic office visit to the patient, but may charge a reasonable fee if a summary is provided.  Copying fees up to the maximum allowed by the WAC are permissible.  In addition, the HITECH Act amends HIPAA to allow a provider to impose a fee for the labor costs associated with copying an electronic medical record.

Stolen Laptop Leads to Stanford’s Fifth HIPAA Breach

Earlier this month Stanford reported its fifth HIPAA breach since 2009.  This is Stanford’s third largest breach, affecting nearly 13,000 patients.  A broken laptop containing protected health information of pediatric patients was stolen from a restricted area of the Lucile Packard Children’s Hospital at Stanford.  The laptop was unencrypted and contained patient information including: name, medical record number, age, telephone numbers, surgical procedures and treating physicians.  Though the laptop had a broken screen, the data can still be extracted from the computer.

Stanford’s other breaches include a disclosure of 20,000 patient records when a subcontractor of a business associate posted patient information on a public website while seeking assistance with using Excel; the data was left on the website for nearly a year.  This breach has resulted in a $20 Million class action lawsuit under California law.

Earlier this year, Stanford announced its largest breach, affecting 57,000 patient records, when an unencrypted laptop with patient information was stolen from a physician’s car.  In addition, Stanford reported a breach in 2012 of 2,500 patient records following the theft of an unencrypted laptop from a physician’s office.  Lastly, in 2010, Stanford was hit with a fine after failing to notify the state of California of the theft, by an employee, of a laptop containing over 500 patient records.

Considering Stanford’s previous breaches, encryption of its laptops would be a good course of action to prevent future HIPAA data breaches.  Stanford has reported that it now encrypts its laptops, but the one that was most recently stolen was unencrypted because the screen was broken.

Lessons learned from Stanford’s misfortunes: encrypt all PHI and destroy broken devices (remember that even on a broken device the data is still intact and still valuable to thieves).

For assistance with HIPAA and/or the breach notification rules please contact Elana Zana.

Recent HIPAA Settlement Illustrates the Importance of Performing Risk Assessments

Last month, the Department of Health and Human Services (HHS) entered into a resolution agreement with Idaho State University (ISU) to settle HIPAA violations related to ISU’s electronic health records system.  Under the agreement, ISU agreed to pay $400,000 to HHS to settle the claims. ISU’s HIPAA violations resulted from its failure to detect disabled firewalls in its electronic system.  The disabled firewalls left the health information of over 17,000 patients unsecured for ten months.

After investigating ISU’s security policies and procedures, HHS discovered multiple HIPAA violations in addition to the disabled firewalls, including the following:

  • From 2007 to 2012, ISU failed to conduct any risk assessments related to its electronic health information;
  • From 2007 to 2012, ISU failed to implement any measures to address vulnerabilities in its health information security; and
  • From 2007 to 2012, ISU failed to implement policies and procedures to review activity on its electronic health records system to discover any improper access.

The ISU case illustrates the importance of closely following the HIPAA Security Rule’s requirements to safeguard electronic health information.  Perhaps the most important of these requirements is the obligation to conduct a thorough risk assessment.  If ISU had performed a proper self-analysis of its health information security risks, it is possible that it could have detected and addressed the risks from a disabled firewall before the incident occurred.

To learn more about HIPAA or for assistance on conducting HIPAA risk assessments please contact Casey Moriarty.

The HITECH Act Final Rule’s GINA-Related Modifications to HIPAA

The Genetic Information Nondiscrimination Act of 2008 (GINA) prohibits health insurers and health plans from discriminating against beneficiaries on the basis of genetic information.  The HITECH Act Final Rule makes some important GINA-related changes to HIPAA.

In general, the changes related to genetic information are solely of interest to health insurers and health plans.  With that said, the Final Rule’s amendment to the definition of “health information” to include genetic information is relevant to all covered entities.  Under this new definition, all HIPAA covered entities must ensure that the following information is protected and secured under the HIPAA Privacy and Security Rules:

1. Any information related to genetic tests of an individual.

2. The genetic tests of family members of an individual.

3. The manifestation of a disease or disorder in family members of an individual. “Manifestation” means a disease, disorder, or pathological condition that an individual has been or could reasonably be diagnosed with by a health care professional with appropriate training and expertise in the field of medicine involved.

4. Any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by an individual or any family member of the individual.

Additional GINA-related changes to HIPAA under the Final Rule include an explicit prohibition on the use or disclosure of genetic information for a health insurer’s or health plan’s underwriting purposes. There is an exception for underwriting performed by issuers of long-term care policies.

The Final Rule also requires a health plan or health insurer to include a statement in its notice of privacy practices that it will not use or disclose genetic information of an individual for underwriting purposes. Again, there is an exception for issuers of long-term care policies.

If you would like more information about the Final Rule’s GINA-related modifications to HIPAA, please contact Casey Moriarty.

The HITECH Act Final Rule’s Requirements for Using Health Information for Fundraising Purposes

With the HITECH Act Final Rule’s required revisions to business associate agreements, notices of privacy practices, and breach notification policies, it is easy to miss the Final Rule’s changes to the requirements for the use or disclosure of protected health information (PHI) for fundraising purposes.  The new fundraising requirements under HIPAA and the HITECH Act are a mixed bag for covered entities.  Some of the changes increase the ability for covered entities to use PHI for fundraising, while other changes impose more restrictions on covered entities.

One of the benefits of the Final Rule for covered entities is the expansion of the types of PHI that can be disclosed to a business associate or institutionally-related foundation for fundraising purposes.  This list now includes:

1. Demographic information, including name, address, other contact information, age, gender, and date of birth;

2. Dates of healthcare provided to an individual;

3. Department of service information (e.g., cardiology, oncology, pediatrics, etc.);

4. Treating physician;

5. Outcome information (including death or sub-optimal treatment); and

6. Health insurance status.

Additionally, although a covered entity may not send fundraising communications to patients who have opted out of receiving such communications (as explained below), a covered entity may give patients the opportunity to opt back in to receiving such communications.   For example, a covered entity could include, as a part of a routine newsletter sent to all patients, a phone number that patients can call to be put on a fundraising list.

While these changes could be beneficial for covered entities, the Final Rule also has a number of increased requirements relating to fundraising communications, including:

1. Notice of Privacy Practices: The Final Rule requires a covered entity to have an explicit statement in its notice of privacy practices that an individual can opt out of receiving fundraising communications.

2. Opt Out Notice: With each fundraising communication made to a patient, a covered entity must include a “clear and conspicuous” opportunity for the patient to opt out of receiving future fundraising materials.  The opt out method must not cause the individual to incur an “undue burden or more than nominal cost”.  Examples of valid opt out methods include a toll-free number or the provision of pre-paid, pre-printed postcards.  If an individual opts out of fundraising communications, it is a HIPAA violation for a covered entity to send such a communication to the individual in the future (unless the individual later opts back in to receiving fundraising communications).

3. Conditioning Payment or Treatment: The Final Rule makes it clear that covered entities may not condition treatment or payment on a patient’s decision to receive fundraising communications.

Please contact Casey Moriarty if you have any questions about the use of PHI for fundraising purposes under the HITECH Act Final Rule.

HIPAA Final Rule Eliminates Covered Entities’ Discretion to Comply with Individuals’ Requests for Restriction of PHI Disclosure in Certain Cases

This article marks our first in a series of articles pertaining to the new HIPAA Final Rules implementing the HITECH Act.

Before the Final Rule, covered entities  were required under HIPAA to permit individuals to request that covered entities restrict the use or disclosure of protected health information (PHI) for treatment, payment and health care operations purposes.  Covered entities were not, however, required to agree to any such requests.  The Final Rule, which was released by HHS on January 17, 2013, eliminated covered entities’ discretion as to whether to comply with an individual’s request for restriction on disclosure of PHI to a health plan provided certain requirements are met.  Under the Final Rule, a covered entity must agree to an individual’s request to restrict disclosure of PHI if:  (a) the disclosure is for payment or health care operations and is not otherwise required by law, and (b) the PHI pertains solely to a health care item or service for which the individual or other person on behalf of the patient (other than a health plan) has paid the covered entity in full.

To ward off concern that providers would need to create separate medical records to segregate PHI subject to a restricted item or service, HHS commented that covered entities only need to employ some method to flag the restricted PHI or to make a notation in the record regarding the PHI that is restricted.

In cases where an individual requests a restriction with respect to only one of several health care items or services in a single patient encounter, HHS imposed upon providers the expectation that they counsel the patient on their ability to unbundle the items or services and the impact of doing so.  For example, even if an item or service is unbundled, providers should warn the patient that it is possible that the context may allow the health plan to determine the service performed and that unbundling the service may cost the patient more.

HHS fell short of requiring providers to notify downstream providers of the fact that an individual has requested a restriction to a health plan; however, it encouraged providers to counsel patients that it is the patient’s obligation to request a restriction from, and to pay out of pocket to, each other provider in order for the restriction to apply to the disclosures made by such providers.

In addition, HHS encourages covered entities to engage in an “open dialogue” with patients to ensure they are aware that any previously restricted PHI may be disclosed to the patient’s health plan for follow-up care unless the patient requests an additional restriction and pays out of pocket for the follow-up care.

Please contact Carrie Soli if you have any questions about HIPAA’s requirements regarding individuals’ requests for restrictions on disclosure of PHI.

OMW Hosting Webinar on HIPAA Changes

2013 – HIPAA Readiness Program

Join us for a Webinar on March 21

Space is limited.
Reserve your Webinar seat now at: https://www3.gotomeeting.com/register/822080726

New HIPAA rules were recently finalized and will go into effect in 2013.  This webinar program will provide important information to help your organization prepare for the implementation of these new rules, including details on:

• Business Associates
• Revisions to the Notice of Privacy Practices
• Breach Notification Requirements
• Individual Rights related to the Release of PHI

Join Ogden Murphy Wallace attorneys David Schoolcraft and Elana Zana as they explore these HIPAA modifications and help you form a compliance action plan to avoid HIPAA violations.

Title: 2013 – HIPAA Readiness Program
Date: Thursday, March 21, 2013
Time: 12:00 PM – 1:00 PM PDT

After registering you will receive a confirmation email containing information about joining the Webinar.

If you have questions about this Webinar or HIPAA in general please contact Elana Zana.

Deadline to Report HIPAA Breach to HHS is Friday, March 1st

As part of the HITECH revisions to HIPAA, providers are required to report all HIPAA breaches to HHS on an annual basis, regardless of the number of individuals affected.  The deadline for this report is Friday, March 1st.  This reporting requirement is pursuant to the interim final rule on Breach Notification; the Omnibus HIPAA rule published in January does not impose any new requirements related to reporting of 2012 HIPAA breaches.  Providers who have had breaches affecting fewer than 500 individuals can report the HIPAA breaches here.  This report needs to be filled out for each breach that occurred during the 2012 calendar year.  For example, if a covered entity had a breach in March of 2012 affecting five individuals and another breach in August 2012 affecting two individuals, a report must be submitted for each breach but not for each individual (a total of two reports would be submitted in this example).  To fill out this form covered entities will need to submit the following information about the breach:

  • General information regarding the covered entity
  • Whether the breach occurred at or by a Business Associate and the associated contact information for that Business Associate
  • Date of the Breach
  • Date of Discovery
  • Approximate number of individuals affected by the Breach
  • Type of Breach (e.g. theft, loss, unauthorized access, etc.)
  • Location of breached information (e.g. laptop, e-mail, etc.)
  • Type of Protected Health Information involved in the Breach (e.g. demographic, financial, etc.)
  • Description of the Breach
  • Safeguards in place prior to the Breach (e.g. firewalls, physical security, etc.)
  • Date individuals were notified of the Breach
  • Whether substitute notice was required (this requirement is described in the rule)
  • Whether media notice was required (this requirement is described in the rule)
  • Actions taken in response to the Breach (sanctions, mitigation, etc.)
  • Any additional actions taken
  • Attestation

For those covered entities that have had a breach which affected more than 500 individuals, this report should have been submitted no later than 60 days following discovery of the breach, in accordance with the interim final rule on Breach Notification.

If you have questions regarding filling out this report or on Breach Notification in general please contact Elana Zana or Dave Schoolcraft.

HHS Releases Updates to HIPAA Rules

Today HHS released the long-awaited modifications to the HIPAA privacy, security, enforcement and breach notification rules.  A full copy of the rule can be found here.

In a related press release HHS described the impact of the rule as follows:

“The changes in the final rule making provide the public with increased protection and control of personal health information.  The HIPAA Privacy and Security Rules have focused on health care providers, health plans and other entities that process health insurance claims.  The changes announced today expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Some of the largest breaches reported to HHS have involved business associates. Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.”

If you have questions related to the new HIPAA rules please contact Dave Schoolcraft or Elana Zana.