4 Ways That HIPAA Encourages the Disclosure of Health Information

What’s the first word that comes to mind when you see the term “HIPAA”?

For many individuals in the healthcare market, the word is “NO.”

“Just say no” is a common answer for covered entities and business associates when they are faced with a decision about whether to disclose health information.

But what if I told you that HIPAA actually permits (and even requires) you to say “yes” to many disclosures of health information?

One of the most overlooked aspects of HIPAA is that there are sections that encourage the free-flow of information.  Examples include: (1) disclosures for treatment purposes, (2) disclosures for patient access, (3) disclosures to minimize an imminent danger, and (4) disclosures that are required by state laws.

Disclosures for Treatment Purposes

Let’s get one thing clear: HIPAA allows the disclosure of health information for treatment purposes.

A common misconception among providers is that HIPAA prevents or limits health care providers from sharing health information between each other to provide care for a patient.

This is not true.

I also commonly hear the idea that HIPAA requires a Business Associate Agreement in order for a provider to share health information for the purpose of treating a patient.

This is not true.

In fact, the HIPAA treatment disclosure exception is so broad that it applies to disclosures between health care providers AND the “coordination or management of health care” by a provider and a third party.

The third party does not even have to be a health care provider!

For example, an eye doctor can disclose health information to a contact lens distributor in order to confirm a prescription.  The distributor is not a health care provider, but the disclosure is for the purpose of treatment of the patient.

Patient Access

One common misconception is that patients do not have an unfettered right to access their entire medical record.

Many providers feel that they, not the patient, have ownership of the patient’s health information and have no obligation to give the patient unrestricted access.

This opinion has led to more than one Office of Civil Rights investigation.

In reality, HIPAA gives patients broad rights to access their health information and health care providers are required to honor patient requests. Patients are also not required to fill out an Authorization for Release of Records when requesting their own health care information.

With that said, there are some important exceptions to the patient’s access rights under HIPAA, including the limitation on accessing psychotherapy notes, information compiled in anticipation of a lawsuit, or if the access is prohibited under some other law.

But in general, patients have the right to access all of their health information that a provider uses to make treatment decisions about a patient. This includes any health information that a provider received from other providers.

Denial of such access could constitute a HIPAA violation.

Disclosures to minimize an imminent danger or assist law enforcement

Another way that HIPAA encourages the disclosure of health information is seen in the allowable disclosure to minimize an imminent threat to health or safety of an individual or of the public.

HIPAA permits covered entities to disclose health information to persons reasonably able to prevent or lessen the threat.

In addition, HIPAA permits covered entities to disclose health information to law enforcement authorities to identify or apprehend an individual in the following circumstances:

  • An individual makes a statement admitting participation in a violent crime that the covered entity reasonably believes may have resulted in serious physical harm to the victim.
  • Where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody.

There are some key exceptions to this permissive disclosure for mental health counselors. State laws may further restrict the extent of the disclosure exceptions.

However, these are important exceptions that can prevent danger to members of the community.

Disclosures Required By State Law

Another permissive type of disclosure under HIPAA is any disclosure required by state law. A few common disclosure obligations under state law are:

  • Reporting cases of child abuse
  • Reporting cases of vulnerable adult abuse
  • Reporting to law enforcement if an individual has certain types of wounds (e.g. bullet wound).

The HIPAA “required by law” disclosure exception makes it essential for covered entities and business associates to review their state mandatory reporting laws.

Focusing only on the federal HIPAA regulations to inform your disclosure obligations is a mistake.

Conclusion

HIPAA does not always mean “no.”

Of course, it is easy for healthcare market participants to believe this stereotype.  The horror stories of large fines levied on covered entities and business associates who improperly disclose health information are so common.

However, there are many permissive (and some required) disclosures under HIPAA that covered entities and business associates must understand and implement in their business operations.

Learning the types of health information disclosures that HIPAA prohibits and encourages will facilitate the proper flow of information, improve patient experience, and help avoid costly government investigations and fines.

For more information about HIPAA, please contact Casey Moriarty.

You’ve Been Sued: 4 Non-HIPAA Claims in Data Breach Cases

“There is no private right of action under HIPAA.”  This oft-repeated rule is a source of comfort for many health care entities.

Of course, patients can file complaints with the Office of Civil Rights or State Attorneys General, but a “HIPAA cause of action” does not exist.

So what is the basis for the many different class action lawsuits against health care entities that have been hit with data breaches? The recent class action lawsuit filed against Premera sheds some light on strategies of class action attorneys.

The Complaint alleges seven different causes of action.  This article will focus on four of the claims.

The Four Causes of Action in the Premera Complaint

  • Negligence: The first cause of action is negligence. To establish a claim for negligence, the plaintiff must show that an entity: (1) had a duty to the plaintiff, (2) the entity breached the duty, (3) the plaintiff suffered damages, and (4) the entity’s acts caused the damage.

    The Complaint states that Premera had a “duty” to keep the plaintiffs’ personal information secure as the provider of health coverage to the plaintiffs.  Premera breached this duty by failing to secure its IT systems, and this failure directly caused the plaintiffs’ damages related to improper disclosure of health information.

  • Bailment: The second cause of action is Bailment. A “bailment” arises when personal property is delivered to another for some particular purpose with an express or implied contract to redeliver when the purpose has been fulfilled.

    In other words, “I’m giving you my stuff with the expectation that I’ll get it back in the same condition.”

    The Complaint alleges that the plaintiffs provided Premera with their personal information with the understanding that Premera would adequately safeguard it.  Premera breached its bailment by failing to protect the information which resulted in the data breach.

  • Breach of Contract: The third cause of action is breach of contract. My first question concerning this claim is: “Did Premera actually state in its beneficiary agreements that it would keep all data secure?”

    Based on the allegations in the Complaint, the answer appears to be no.

    However, the Complaint alleges that Premera’s Notice of Privacy Practices (NPP) states that Premera must take measures to protect each beneficiary’s health information. Whether or not an NPP is actually a contract between a covered entity and individuals, this allegation should motivate health care entities to be careful in drafting their NPPs.

  • Washington State Data Breach Claim: In emphasizing the “no private right of action under HIPAA” mantra, many entities fail to understand state laws concerning data breaches.

    In the Complaint, the plaintiffs allege that Premera violated the Washington State data breach notification requirements of RCW 19.255.010. Unlike under HIPAA, affected individuals may bring claims for violations of this statute.

    Among the requirements of RCW 19.255.010 is to disclose data breaches in the most “expedient” time possible and without “unreasonable delay.” The Complaint alleges that Premera took far too long to notify beneficiaries of the data breach.

Conclusion

In light of these claims (and others) in the Premera breach complaint, the warning for health care entities is clear: You can be sued by your customers for data breaches.

Although HIPAA may not provide for a private right of action, there are many other ways for plaintiffs to recover compensation for the failure to keep health information secure.

For more information about data breaches, please contact Casey Moriarty.

BAAs and Beyond: Meeting the 9-22 HIPAA Deadline

Reprinted blog post from DocuSign. Interview between Jennifer Royer of DocuSign and Dave Schoolcraft.

In under two weeks, Covered Entities and Business Associates are required to complete renewed Business Associate Agreements (BAA) to comply with more stringent HIPAA regulations for BAAs that were in place prior to January 2013. We sat down with Dave Schoolcraft, who leads the healthcare law practice at Ogden Murphy Wallace, to help our healthcare and technology partners navigate HIPAA legislation and complete these BAA renewals on time. As Dave explains, digital workflow solutions transform the task at hand from a daunting ordeal to a manageable process, all while reducing time, money and fear associated with 11th hour deadline blues.

What is the significance of the September 22nd BAA deadline?

Simply put, the BAA invokes business operations where Protected Health Information (PHI) is handed over to an outside vendor. For example, say I am the managing physician in a small medical clinic and I decide to hire a consultant to help us figure out how we can efficiently manage billing and reimbursement. I provide this consultant with a spreadsheet of PHI (protected health information). This act requires a BAA, which protects the PHI and the medical clinic against any liabilities. Without the updated BAA, the medical clinic and the consultant directly violate HIPAA. Even if I have a longstanding relationship, I still need to sign an updated agreement.

The process – an additional 6 or 7 different paragraphs – is admittedly an administrative burden as most BAAs span multiple pages. If the agreement only covers what HIPAA requires, the process is fairly straightforward. However, BAAs are heavily negotiated and include indemnification provisions. Therefore, manually executing all updated agreements slows down the process as each existing vendor contract must be signed and completed.

What is the most common inquiry you receive from clients regarding the updated BAA requirements?

With the deadline a blink away, I consistently hear, “Do we really have to update all our BAA contracts?”

The answer is a resounding “yes,” because our digital habits and business environment led to an updated and strengthened HIPAA (let’s call this HIPAA 2.0) back in 2009. With the release of the new HIPAA rules in January 2013, healthcare providers have had ample time to coordinate new BAAs with outside vendors whose services involve PHI.

As we inch closer towards September 22nd, it is important to remember that even if a healthcare provider has a longstanding relationship with a vendor, the new BAA, as part of HIPAA 2.0, offers enhanced language that strengthens risk management against ‘cyber-spillage.’ Specifically, the new HIPAA language requires that the Business Associate comply with the HIPAA Security Rule and provide notice of a breach of unsecured PHI. In short, this is smart business.

Risk management sounds like a great idea. Would you explain what you mean by “smart business?”

Sure, let’s use a common situation as our example. When a healthcare provider engages with an outside vendor – perhaps a SaaS company – that analyzes or works with PHI, there is risk of mishandling or ‘spillage.’ If you handed over 10,000 records of patient data to a digital marketing vendor, you need to both protect the data and yourself from the probability that the marketing vendor will send the PHI to sub-contractors for portions of the scope of work.

The new BAA is a bulwark against unforeseen security breaches: you add armor to the trust you place in vendors and their teams. While you may deem renewing all BAAs a hassle, consider this an opportunity to audit all your vendors and evaluate the risks and value from that relationship.

If you do not follow this approach, then you honestly proceed at your own peril.

What happens if healthcare providers don’t comply with the new BAA requirements and fail to update their BAA contracts on time?

That is actually the second most frequently asked question that we field. Technically a healthcare practice faces statutory penalties for any improperly used or leaked PHI. For example, if a healthcare provider contracts with a medical billing vendor without an updated BAA, they face stiff penalties should there be any improper use of PHI. And with the data breaches in the news recently, you really don’t want to take that risk.

Let’s look closer at a data breach scenario. Say a vendor lost a thumb drive containing a high volume of PHI. Per HIPAA 2.0, it is now the vendor’s responsibility to notify the healthcare provider. A vendor needs to self-confess the data breach, regardless of who is at fault, per the new BAA standards. When the government officials arrive to investigate, they will ask if an updated BAA was in place. Healthcare providers shouldn’t rely on trust with vendors. Mistakes happen. And if a bad one occurs, like the theft of an unencrypted laptop containing thousands of patient records, the healthcare provider and the vendor will be held responsible by the government for both the data breach and the failure to comply with the BAA requirements.

Updating your BAAs is a risk management strategy, and it allows you to add additional protection clauses, such as stipulations about the use of data and operations in the Cloud – an increasing trend for providers and payers. The previous HIPAA requirements for a BAA didn’t place direct liability and responsibility on the vendor for failure to sufficiently secure and protect the patient data. With the proliferation of Cloud vendors and third parties working with healthcare providers, the new BAAs provide a mechanism to not only require the safeguarding of PHI and the reporting of a breach, but the sharing of responsibility when a breach does occur. Renewal of these BAAs also gives healthcare providers the opportunity to ensure that there are sufficient indemnification and insurance provisions in place so that if a breach does occur the healthcare provider can expect reimbursement and defense from the responsible party.

How Can DocuSign assist in the process of updating all BAAs?

There is an administrative burden to getting these documents signed. When we talk about redoing all existing BAAs, that’s the classic e-mail/print/sign/scan/fax headache. Multiply one process by the number of vendors. That’s an unreasonable burden, and an expensive one if you think about the time and money that one might spend overnighting documents.

For all businesses handling such an exceptional volume of paperwork, a Digital Transaction Management platform, like DocuSign’s, simplifies the process by automating the retrieval of signatures and storing all documents in a single, secure Cloud-based portal. Furthermore, it is crucial to be able to access compliance documents, like BAAs and provider agreements, within a click of a mouse, should there be an audit. The alternative is hiring lawyers to spend a month in your document basement – we have been there with clients, and that is an expensive, tedious, and stressful process for all parties involved.

Any final words or digital best practices for providers and payers?

It’s important to remember that HIPAA dates all the way back to the mid ‘90s – think about the evolution and revolution that has occurred in terms of digital platforms! There has been a great acceleration – on the clinical data side – in moving from paper to digital. The rules that led to the updated BAAs were passed in conjunction with approximately $20 billion in stimulus funds directed towards health information technology. Those funds are being used to incentivize healthcare providers’ digital adoption, as part of the “Meaningful Use” regulations. A large portion of these funds have also been earmarked to enforce the new and more stringent HIPAA regulations that were put in place when the government recognized additional risks posed by digital adoption.

In essence, the government decided to add more teeth to HIPAA enforcement. They have hired additional enforcement agents, and as such, more healthcare providers have inquiries and audits – a striking evolution from the old days of HIPAA 1.0. Offenders now face more serious penalties: now, more than ever, it is crucial to comply with the renewed HIPAA regulations. What was once a slap on the wrist is now quite serious – around the $1 million mark depending on the egregiousness of the incident.

Essentially, you don’t want to be out of HIPAA compliance should there be an incident or a proactive audit – and one of the first questions HIPAA enforcement agents ask is whether you have an updated BAA with your vendors.

If you face an administrative burden or are losing sleep over getting your BAAs completed on time, consider Digital Transaction Management to simplify the process now and moving forward.

Thank you, Dave for explaining the implications of the updated HIPAA legislation and offering tips for beating the BAA deadline.

For more information about the September 22 deadline and Digital Transaction Management contact Elana Zana or Dave Schoolcraft or:

Large Data Breach Highlights Risks from Foreign Hackers

Community Health Systems (CHS) has announced that the personal information of approximately 4.5 million patients has been breached.  According to CHS, the information includes patient names, addresses, social security numbers, telephone numbers, and birthdates.

Although the breached records do not contain the details of the patients’ treatment at CHS’ hospitals, the identifying information in the records still meets the HIPAA definition of “protected health information.”  Therefore, CHS will have to follow the HIPAA breach notification requirements.

According to CHS’ filing with the Securities and Exchange Commission, CHS has hired the data security firm, Mandiant, to investigate the breach.  Mandiant has pointed blame at a group originating from China who apparently orchestrated the breach through the use of sophisticated malware.

This large breach should be another reminder for health care providers to safeguard their electronic systems and educate staff members on security policies and procedures.  The type of malware that contributed to the CHS breach can often be installed by a staff member who clicks on a link in an e-mail, or responds to an e-mail from hackers who pose as security personnel.  In addition, health care providers should consider the use of encryption technology that meets the HIPAA breach safe harbor standards.

When in doubt about a suspicious e-mail, phone call, or other communication, staff members should always check with the provider’s information technology personnel and the HIPAA Privacy Officer before taking any action.

If you have any questions about the HIPAA breach notification requirements, please contact Casey Moriarty.

Meaningful Use EP Hardship Exception Deadline – July 1, 2014

Not able to meet meaningful use this year?  You may qualify for a hardship exception.  Eligible professionals that qualify for certain hardship exceptions can avoid the meaningful use payment adjustments in 2015 by submitting to CMS the 2015 Hardship Exception Application.  CMS has permitted the EPs to apply for a hardship exception based on the following reasons:

  • Infrastructure: Eligible professionals must demonstrate that they are in an area without sufficient internet access or face insurmountable barriers to obtaining infrastructure (e.g., lack of broadband).
  • New Eligible Professionals: Newly practicing eligible professionals who would not have had time to become meaningful users can apply for a 2-year limited exception to payment adjustments. Thus eligible professionals who begin practice in calendar year 2015 would receive an exception to the penalties in 2015 and 2016, but would have to begin demonstrating meaningful use in calendar year 2016 to avoid payment adjustments in 2017.
  • Unforeseen Circumstances: Examples may include a natural disaster or other unforeseeable barrier.
  • Patient Interaction: Lack of face-to-face or telemedicine interaction with patient or lack of follow-up need with patients.
  • Practice at Multiple Locations: Lack of control over availability of CEHRT for more than 50% of patient encounters.
  • 2014 EHR Vendor Issues: The eligible professional’s EHR vendor was unable to obtain 2014 certification or the eligible professional was unable to implement meaningful use due to 2014 EHR certification delays. (Note that CMS has published a proposed rule regarding lack of availability of 2014 CEHRT proposing to permit EPs in certain situations to attest to Stage 1, click here for further information).

See the Payment Adjustments & Hardship Exceptions Tipsheet for Eligible Professionals.  This tip sheet further describes the payment adjustments and includes frequently asked questions.

The following categories of EPs do not have to apply for a hardship exception but will automatically be granted one based on their status with CMS:

  • New providers in their first year (both eligible professionals and eligible hospitals).
  • Eligible professionals who are hospital-based: a provider is considered hospital-based if he or she provides more than 90% of their covered professional services in either an inpatient (Place of Service 21) or emergency department (Place of Service 23) of a hospital.
  • Eligible professionals with certain PECOS specialties (Anesthesiology-05, Pathology-22, Diagnostic Radiology-30, Nuclear Medicine-36, Interventional Radiology-94).

Eligible professionals that have not participated in the EHR Incentive Program in the past have the option of avoiding the 2015 payment adjustment if they successfully attest to meaningful use by October 1, 2014.  Those eligible professionals that qualify for any of the above hardship exceptions and will not be able to attest to meaningful use by October 1, 2014 may still apply for a hardship exception, but must do so by July 1, 2014.

For more information about the EHR Incentive Programs and meaningful use please contact Elana Zana.

$4.8 Million HIPAA Settlement – Patient Data on the Web

On May 7, 2014, HHS announced that New York-Presbyterian Hospital (“NYP”) and Columbia University (“CU”) agreed to collectively pay $4.8 million in the largest HIPAA settlement to date. The organizations settled charges that they potentially violated the HIPAA Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information (“ePHI”).

NYP and CU operate a shared data network that links patient information systems containing ePHI. On September 27, 2010, the two entities submitted a joint breach report following the discovery that the ePHI of 6,800 individuals had been impermissibly disclosed due to a deactivated server, resulting in ePHI being accessible on internet search engines. The ePHI included patient statuses, vital signs, medications, and laboratory results.

HHS Office for Civil Rights’ (“OCR”) subsequent investigation determined that neither entity had conducted an accurate and thorough risk analysis or developed an adequate risk management plan to address potential threats and hazards to ePHI security. Further, OCR found that NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with internal policies on information access management.

NYP agreed to pay $3.3 million and CU agreed to pay $1.5 million. In addition, both entities agreed to Corrective Action Plans that require each entity to:

  • Conduct a comprehensive and thorough risk analysis;
  • Develop and implement a risk management plan;
  • Review and revise policies and procedures on information access management and device and media controls;
  • Develop an enhanced privacy and security awareness training program; and
  • Provide progress reports.

Additionally, CU must also “develop a process to evaluate any environmental or operational changes” that impact the security of ePHI it maintains.

This settlement again highlights the necessity for healthcare organizations and business associates to create and implement Security policies and procedures, and to engage in a security management process that ensures the security of patient data.

For assistance on the HIPAA Security Rule requirements, drafting and implementing Security policies and procedures, or general HIPAA assistance please contact Elana Zana or Jefferson Lin.

HHS Releases Security Risk Assessment Tool

Need help performing your HIPAA/Meaningful Use Security Risk Assessment?  Good news, HHS has released a tool to help!  In partnership with the Office of the National Coordinator, HHS created a tool, user guide, software, tutorial, videos and even an iOS App to help HIPAA covered entities and business associates perform the required HIPAA Risk Analysis.

The HIPAA Security Rule specifically requires (this is not an addressable specification) a Security Risk Analysis:

“Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”  45 CFR 164.308(a)(1)

In addition, those hospitals and eligible professionals seeking to meet meaningful use in order to receive the EHR Incentive dollars or avoid the Medicare payment adjustments must fulfill a HIPAA Security Risk Assessment.

Stage 1

Objective. Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.

Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

Stage 2

Objective. Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities.

Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in Certified EHR Technology in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the EP’s risk management process.

For those hospitals and eligible professionals looking to meet meaningful use, the Security Risk Assessment tool will generate a report that can be provided to auditors.  However, the report alone is likely insufficient because both the auditors and the meaningful use requirements (above) require the correction of security deficiencies – so merely running a Security Risk Assessment without taking action to remedy the identified problems will not suffice.  To read more about meaningful use audits and security risk assessments, click here.

In addition to releasing the Security Risk Assessment tool, HHS has created a helpful true/false statement with the Top 10 Myths of Security Risk Analysis.  This document highlights the misconceptions regarding the risk assessment requirements, including that all covered entities and business associates (regardless of the size) must conduct a risk assessment pursuant to HIPAA.  Importantly, though only eligible professionals & hospitals are eligible for meaningful use incentives and Medicare payment adjustments, business associates must also comply with the HIPAA Security Rule pursuant to the HITECH Act.  Therefore, business associates must also conduct security risk assessments, and per recent guidance from HHS, business associates are likely part of the next round of HIPAA audits.

For more information about HIPAA, security risk assessments, and meaningful use please contact Elana Zana.

HHS Deadline for HIPAA Breach Notification Reporting

As part of the HITECH revisions to HIPAA, providers are required to report all HIPAA breaches to HHS on an annual basis, regardless of the number of individuals affected.  The deadline for this report is Saturday, March 1st, 2014.  This reporting requirement is pursuant to the Omnibus HIPAA Rule published in January of 2013.  Providers who have had breaches affecting fewer than 500 individuals can report the HIPAA breaches here.  This report needs to be filled out for each breach that occurred during the 2013 calendar year.  For example, if a covered entity had a breach in April of 2013 affecting three individuals and another breach in December 2013 affecting two individuals, the report must be submitted for each breach but not for each individual (a total of two reports would be submitted in this example).  To fill out this form, covered entities will need to submit the following information about the breach:

  • General information regarding the covered entity
  • Whether the breach occurred at or by a Business Associate and the associated contact information for that Business Associate
  • Date of the Breach
  • Date of Discovery
  • Approximate number of individuals affected by the Breach
  • Type of Breach (i.e. theft, loss, unauthorized access, etc.)
  • Location of breached information (i.e. laptop, e-mail, etc.)
  • Type of Protected Health Information involved in the Breach (i.e. demographic, financial, etc.)
  • Description of the Breach
  • Safeguards in place prior to the Breach (i.e. firewalls, physical security, etc.)
  • Date individuals were notified of the Breach
  • Whether substitute notice was required (this requirement is described in the rule)
  • Whether media notice was required (this requirement is described in the rule)
  • Actions taken in response to the Breach (sanctions, mitigation, etc.)
  • Any additional actions taken
  • Attestation

For those covered entities that have had a breach which affected more than 500 individuals, this report should have been submitted no later than 60 days following discovery of the breach in accordance with the Breach Notification Rule.

If you have questions regarding filling out this report or on Breach Notification in general please contact Elana Zana or Dave Schoolcraft.

Stolen Thumb Drive Proves Costly for Dermatology Practice

The Department of Health and Human Services (HHS) recently announced a $150,000 settlement with a dermatology practice in Massachusetts that arose out of a stolen thumb drive.  The unencrypted drive, which contained the health information of approximately 2,200 individuals, was stolen from a vehicle of one of the practice’s staff members.

Although HHS was concerned with the staff member’s failure to safeguard the health information, the large settlement amount resulted primarily from the practice’s lack of HIPAA policies and procedures.  Specifically, HHS determined that the practice: (1) had no breach notification policies, (2) had not conducted risk assessments for potential security vulnerabilities, and (3) did not adequately perform HIPAA training for its workforce.

This case provides an important warning to health care providers who do not have comprehensive HIPAA and HITECH policies and procedures.  Although the risk of being selected for an HHS HIPAA audit is still relatively low, it only takes one breach of health information for HHS to open an investigation that can result in costly penalties.

For more information about HIPAA and HITECH policies and procedures, please contact Casey Moriarty.

Reducing the Risks of Third-Party Access to EHR Systems

UnityPoint Health, a health system located in Iowa, recently informed 1,800 patients of a breach of their health information.  UnityPoint learned of the breach after an audit discovered that a third party contractor’s employee had improperly gained access to the UnityPoint electronic health record (EHR) system and viewed the records of the 1,800 patients.

The UnityPoint breach shows the risks of allowing third-party contractors, known as “business associates,” to access health information in an EHR system.  While such access may be required for certain activities, including billing, claims management, or utilization review, providers must be certain that the business associate agreements with such contractors include strong protections for the provider.

For example, business associate agreements should include requirements for the business associate to indemnify the provider for expenses resulting from HIPAA breaches, pay all notification costs associated with such breaches, and maintain insurance policies that provide coverage for a large breach.

Although strong language in a business associate agreement provides legal protection for a provider, it will do nothing to counteract the public relations fallout that results from notifying patients of a breach.  Therefore, providers should make every effort to contract with legitimate entities that understand HIPAA compliance.

If you would like more information about HIPAA compliance, please contact Casey Moriarty.