RSS Feed LinkedIn Instagram Twitter Facebook
FMG Law Blog Line

Posts Tagged ‘HIPAA’

HHS Waives Some HIPAA Sanctions During the Coronavirus Pandemic

Posted on: March 20th, 2020

By: David Cole

The HHS Office for Civil Rights (OCR) issued two important bulletins this week in response to the coronavirus pandemic. Each one announced that OCR will temporarily waive certain sanctions and penalties for noncompliance with HIPAA Rules to help deliver care to people in need.

Limited Waiver for Privacy Rule Requirements

First, OCR issued a Limited Waiver of HIPAA Sanctions and Penalties for not complying with certain parts of the Privacy Rule. Specifically, the Waiver says that healthcare providers will not be sanctioned or penalized for not complying with the following usual requirements:

  • The requirement to obtain a patient’s consent before speaking with family members or friends involved in the patient’s care;
  • The requirement to honor a request to opt-out of the facility directory;
  • The requirement to distribute a Notice of Privacy Practices;
  • The patient’s right to request privacy restrictions; and
  • The patient’s right to request confidential communications.

The Waiver became effective on March 15, 2020, but currently only applies (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol. It is unclear if OCR will extend the time for this Waiver given the widespread and potentially prolonged nature of the coronavirus outbreak. A copy of the bulletin is available here.

Video Technology Allowed for Telemedicine

Second, OCR issued a Notification of Enforcement Discretion allowing healthcare providers to use “any non-public facing remote communication product that is available” to communicate with patients to provide telehealth during the coronavirus national emergency. As examples, OCR said it will allow healthcare providers to use video chat application like Apple FaceTime, Facebook Messenger, Google Hangouts, or Skype, to provide telehealth without risk of penalty for noncompliance with HIPAA Rules. However, Facebook Live, Twitch, TikTok, and other similar public-facing video applications are not allowed. Healthcare providers are still expected to enter into Business Associate Agreements with the technology companies providing the video communication services, but OCR says it will not impose penalties for failing to do so during the time of the national emergency. A copy of the Notice is available here.

Additional information: 

The FMG Coronavirus Task Team will be conducting a series of webinars on Coronavirus issues every day for the next week. We will discuss the impact of Coronavirus for companies in general, but also for business in insurance, healthcare, California specific issues, cybersecurity, and tort. Click here to register.

FMG has formed a Coronavirus Task Force to provide up-to-the-minute information, strategic advice, and practical solutions for our clients. Our group is an interdisciplinary team of attorneys who can address the multitude of legal issues arising out of the Coronavirus pandemic, including issues related to Healthcare, Product Liability, Tort Liability, Data Privacy, and Cyber and Local Governments. For more information about the Task Force, click here.

You can also contact your FMG relationship partner or email the team with any questions at [email protected].

**DISCLAIMER: The attorneys at Freeman Mathis & Gary, LLP (“FMG”) have been working hard to produce educational content to address issues arising from the concern over COVID-19. The webinars and our written material have produced many questions. Some we have been able to answer, but many we cannot without a specific legal engagement. We can only give legal advice to clients. Please be aware that your attendance at one of our webinars or receipt of our written material does not establish an attorney-client relationship between you and FMG. An attorney-client relationship will not exist unless and until an FMG partner expressly and explicitly states IN WRITING that FMG will undertake an attorney-client relationship with you, after ascertaining that the firm does not have any legal conflicts of interest. As a result, you should not transmit any personal or confidential information to FMG unless we have entered into a formal written agreement with you.  We will continue to produce educational content for the public, but we must point out that none of our webinars, articles, blog posts, or other similar material constitutes legal advice, does not create an attorney client relationship and you cannot rely on it as such. We hope you will continue to take advantage of the conferences and materials that may pertain to your work or interests.** 

OCR Casts a Wider Net on HIPAA Breaches

Posted on: August 29th, 2016

By: Agne Krutules

Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities and their business associates have duties under the Privacy Rule and the Security Rule to protect patient health information. The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) regional offices are required to investigate all reported breaches involving the protected health information (PHI) of 500 or more individuals. With regard to smaller breaches, however, OCR has discretion whether to conduct an investigation.

From 2003 through May 31, 2016, OCR received more than 134,246 HIPAA-related complaints and investigated and resolved more than 24,241 cases. The vast majority of these investigations involved larger breaches of unsecured PHI affecting 500 or more individuals. That is typically what most people have grown to expect—more attention to large-scale breaches, with smaller breaches under 500 individuals typically not receiving as much scrutiny. However, these traditional expectations are about to change due to a recent announcement from OCR about its plans to increase efforts to investigate smaller breaches more frequently.

Through an August 18, 2016 email, OCR announced that it is launching an initiative “to more widely investigate the root causes” of HIPAA breaches affecting fewer than 500 individuals. According to the announcement, OCR’s regional offices have ramped up their efforts to identify and obtain corrective action to address “entity and systemic noncompliance” related to these smaller scale breaches. While not every HIPAA breach will be the subject of investigation due to limitations on resources, OCR says that the following factors will be considered in determining whether to pursue such investigations:

  1. The size of the breach;
  2. Theft of or improper disposal of unencrypted PHI;
  3. Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
  4. The amount, nature, and sensitivity of the PHI involved; and
  5. Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.

OCR’s announcement also states that “Regions may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.” This is the first time OCR has ever specifically announced that it would consider the factor of underreporting when determining whether to investigate a data breach. Thus, covered entities and business associates should use this message to focus on their breach investigation techniques and breach reporting processes.

Although the investigations of the smaller scale breaches will remain discretionary, more investigations affecting less than 500 individuals are certain. Accordingly, covered entities and business associates should not become complacent when dealing with smaller or “routine” incidents, and they should take proactive steps to review their HIPAA compliance obligations and update safeguards to protect against breaches. Becoming an object of an OCR investigation can be time-consuming and expensive, even without considering the potential costs of civil monetary penalties if HIPAA non-compliance is uncovered.

A Solution to Medical Professional Texting And HIPAA Compliance

Posted on: August 26th, 2014


By: J. Scott Rees

Everyone texts today – your kids, your friends, your doctors.  With electronic health records (EHR) going from a trend to the mandated standard, digital and electronic technologies have become fully integrated into nearly every aspect of the field of medicine.  Medicine is not just the equipment that is used, the tests that are done, the medications that are provided.  Also critical to the medical practice is communication and storage of information.  Texting is particularly useful in the fast paced and information rich world of medicine.  For a physician on call, a text can be more efficient than a call and provide an incredible amount of necessary information.  Texts can also be useful in communicating with patients – reminders of appointments, lab results, and care plans.  This type of simple prompt or reminder may be very important in helping maintain a patient’s health.

The problem, however, is that traditional text messaging is not compliant with the requirements for transmitting ePHI (electronic private health information) under the HIPAA Privacy Rule.  Traditional text messages are not encrypted, the data banks where the information is actually stored are not particularly secure, there is no way to verify receipt of the text by the intended party, and spotty archiving can make an information audit nearly impossible.  That means that outside of transmitting the most basic information, traditional texting is not a safe or even legal option—especially not when the fees for violation can be as much as $50,000 for unsecured communication.

Where there is a need, there is typically a solution; HIPAA compliant text messaging is no different.  Companies like Mediprocity and others have developed services that are specifically tailored to the needs of medical professionals and are designed to allow you to communicate via text messaging in a way that is fully compliant.  Many of these services are more than just texting solutions, rather they involved solutions for faxing, emailing, and other social media outlets.  They integrate with your electronic medical records (EMR), and allow you to attach files, send to multiple recipients, forward, etc.  This means that ePHI can be kept within a closed loop of your EMR system and your compliant communication system.  All your data is secure and is shared easily without any fear of straying outside of compliance.

The services typically require you download an app to your phone and/or tablet, and they often offer a web based version as well for using the service from your desktop or laptop.  So this means that you have access across all of your devices to a single, unified method of communication that works seamlessly with your compliant EMR system to keep you protected whether you are sending or receiving ePHI.

Given the potential cost of HIPAA non-compliance, coupled with the efficiency and usefulness of text messaging, it would be worth looking into the various companies offering HIPAA text messaging solutions.

New HIPAA Rule Brings Sweeping Changes

Posted on: May 2nd, 2013

By: David Cole

The wait is over. The new HIPAA omnibus rule that the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) issued in January officially took effect on March 22, 2013. The deadline for compliance with most provisions is 180 days later on September 23, 2013. This means that covered entities, business associates, and subcontractors have limited time to ensure compliance. As discussed below, taking proper steps now is important, because the new rules implement a number of significant changes to HIPAA that expand the types of entities responsible for protecting patient data and reporting data breaches.

Extension to Business Associates

One of the biggest changes is that business associates are now directly responsible for complying with the Privacy Rule and Security Rule of HIPAA. A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (“PHI”) on behalf of, or provides services to, a covered entity. These functions and activities include claims processing, data analysis, billing, benefit management, or services such as legal, actuarial, accounting, and financial.

In addition, the new rule adds “subcontractors” to the definition of “business associate,” which means that subcontractors that perform functions for or provide services to a business associate are also deemed business associates when they create, receive, maintain or transmit PHI on behalf of the business associate.  This broad, new definition means that any subcontractor, no matter how far removed from the original contractor, is considered a HIPAA “business associate” if it handles PHI.

Because the new rule applies the HIPAA Privacy Rule directly to business associates, both business associates and their subcontractors must now make “reasonable efforts” to limit their use, disclosure, and request for PHI to the “minimum necessary to accomplish the intended purpose of the use, disclosure, or request.” This will likely change the flow of PHI from business associates and subcontractors by making these organizations focus on the specific PHI they need to use, disclose, or request in order to perform their services.

The new rule also makes business associates and their subcontractors directly responsible for the HIPAA Security Rule. As a result, business associates and their subcontractors must develop comprehensive, written HIPAA security policies and procedures. They also must implement the specific administrative, physical, and technical safeguards of the data that is required by the Security Rule. In addition, business associates must now enter into written contracts with subcontractors that contain specific provisions required by the HIPAA Privacy and Security Rules, whereas they previously were only required to “ensure” that subcontractors agree to the same restrictions on the use and disclosure of PHI.

Breach Notification

The new rule also changes the requirements for breach notifications. Previously, the rules defined a “breach” as occurring only when the compromise of PHI presented a “significant risk of financial, reputational, or other harm to the individual.” This harm threshold will remain in effect until the interim compliance period ends on September 23, 2013. After that time, a new definition of breach will come into play.

Under the new rules, HHS eliminated the harm threshold and replaced it with a standard under which any use or disclosure of PHI that is not allowed by the Privacy Rule is presumed to be a reportable breach unless the covered entity or business associate can demonstrate, through a documented risk assessment, that there is a “low probability” that the PHI has been compromised. This risk assessment must include consideration of the following four factors: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated.

Enforcement and Penalties

Under the new rule, HHS has retained the high penalty structure currently in effect, meaning that penalties can range anywhere from $100 to $50,000 per violation, depending on culpability, up to an annual maximum cap of $1.5 million on a per provision basis. The difference is that business associates and subcontractors are now directly liable for their violations. Of course, covered entities still can be penalized for their violations as well. In addition, HHS is now required to conduct compliance reviews if willful negligence is indicated following a preliminary review of the facts.

These are just a few of the changes made by the new HIPAA rule. In addition, the new rule includes “genetic information” as a new type of health information subject to HIPAA rules, and thus imposes restrictions prohibiting health plans from using genetic information for underwriting purposes. The new rule addresses multiple privacy issues related to uses and disclosures of PHI, such as communications for marketing or fundraising, exchanging PHI for remuneration, disclosures of PHI to persons involved in a patient’s care or payment for care, and disclosures of student immunization records.

D&O Insurance Policies Now Tailored to Health Care Organizations

Posted on: October 12th, 2012

By: Kelly Morrison

The new wave of insurance policies explicitly addresses antitrust and HIPAA concerns unique to the medical industry.

Please visit the following link for more information: D&O Insurance for Healthcare Organizations: Our Prescription for Better Coverage.