
Speak Up! HHS Wants to Hear from YOU!

The Department of Health and Human Services Office for Civil Rights (OCR) wants to hear from health care providers, business associates and members of the public about how it can best modify the HIPAA regulations. On Dec. 12, 2018, OCR issued a Request for Information (RFI) asking the public for comments on how the regulations can best facilitate continuity of care and decrease regulatory burdens.

“We are looking for candid feedback about how the existing HIPAA regulations are working in the real world and how we can improve them,” said OCR Director Roger Severino. “We are committed to pursuing the changes needed to improve quality of care and eliminate undue burdens on covered entities while maintaining robust privacy and security protections for individuals’ health information.”

They are looking for feedback in the following areas:

  • Promoting information sharing for treatment and care coordination and/or case management by amending the Privacy Rule to encourage, incentivize, or require covered entities to disclose PHI to other covered entities.
  • Encouraging covered entities, particularly providers, to share treatment information with parents, loved ones, and caregivers of adults facing health emergencies, with a particular focus on the opioid crisis.
  • Implementing the HITECH Act requirement to include, in an accounting of disclosures, disclosures for treatment, payment, and health care operations (TPO) from an electronic health record in a manner that provides helpful information to individuals, while minimizing regulatory burdens and disincentives to the adoption and use of interoperable EHRs.
  • Eliminating or modifying the requirement for covered health care providers to make a good faith effort to obtain individuals’ written acknowledgment of receipt of providers’ Notice of Privacy Practices, to reduce burden and free up resources for covered entities to devote to coordinated care without compromising transparency or an individual’s awareness of his or her rights.

Additionally, OCR is encouraging health care providers, business associates and members of the public to answer 54 questions that relate to their experiences working with health care data to determine which aspects of the regulations are necessary and which may be overly burdensome.

The RFI can be viewed by clicking on the following link: https://www.govinfo.gov/content/pkg/FR-2018-12-14/pdf/2018-27162.pdf

The deadline for comment is Feb. 12, 2019.  OCR has provided the following methods to submit comments:

  • Federal eRulemaking Portal: submit electronic comments at http://www.regulations.gov by searching for Docket ID HHS-OCR-0945-AA00 and following the instructions for sending comments.
  • Hand delivery or regular, express, or overnight mail: U.S. Department of Health and Human Services, Office for Civil Rights, Attention: RFI, RIN 0945-AA00, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue SW, Washington, DC 20201.

Instructions: All submissions must include “Department of Health and Human Services, Office for Civil Rights RIN 0945-AA00” for this RFI. All comments received will be posted without change to http://www.regulations.gov, including any personal information provided.

As a compliance professional, I will be submitting comments on areas that impact my clients on Feb. 8, 2019.  If you have questions or concerns, feel free to contact me, and I’ll be happy to discuss your concerns or include your inquiry in my comments. I can be reached toll-free at 1-888-959-9501 or at Samarria@dunsongroup.com.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala.  Attorney Dunson is also Of Counsel with the law firm of Balch & Bingham, LLP.  The Dunson Group, LLC, is an official partner with the Medical Association.

Posted in: HIPAA

What’s the Biggest Threat to Your Medical Practice? Your Staff!

Many of us are aware of recent attacks impacting health care entities large and small. As ransomware and other cybersecurity-related crimes are being reported daily, there is a tremendous focus on the “dark web” and how to decrease the likelihood your entity will be impacted by hackers. But as we put systems in place to deal with those security issues, we must not forget about the threat of other malicious actors. These individuals are not strangers who only interact with our computer systems remotely. This threat is much closer. We’re referring to your staff members who may inappropriately access and utilize patient data for personal gain.

Employers generally believe they hire the best candidates. In most instances that is correct. After combing over résumés and doing countless interviews, it is determined the selected individual is a person you can trust and respect. As these individuals prove themselves to be competent and dependable, many of us will place a high level of confidence not only in that person’s ability to perform the job, but also in their character.

As time passes we learn a lot about our colleagues. We learn about each other’s families, interests and life goals. We become invested in our co-workers, and we share in moments of success and disappointment. These events endear us to one another and become the fabric of our working relationships. However, just as this bonding is reflective of our human desire to find commonalities, these relationships can also blind us to a very serious threat. This threat is the impact that these very individuals can have on our entities if they intentionally or inadvertently compromise a patient’s protected health information (PHI). We must constantly remind ourselves good people can do bad things depending on that individual’s circumstances at the time they make a compromising decision.

“Insider threat” is a term used to describe a threat to an entity’s systems or data that originates from within the entity. These “insiders” can be current or former employees, contractors, or business associates who have, or have had, authorized access to an entity’s systems or data and who misuse that access.

Red Flag Behavioral Indicators

When entities endure a significant data breach, they are often in disbelief the incident occurred. Then as they begin the investigation phase, they realize there were behaviors exhibited by the bad actor that should have drawn suspicion.

Here are some behaviors entities should be watchful of:[1]

  • Works odd hours without authorization; notable enthusiasm for overtime work, weekend work, or unusual schedules which may result in them being able to carry out their illicit activities privately.
  • Remotely accesses the computer network while on vacation, sick leave, or at other odd times.
  • Interest in matters outside the scope of their duties, particularly where patient data may be stored and how that information may be accessed.
  • Unexplained affluence; buys things they cannot afford on their household income.
  • Without need or authorization, takes proprietary or other material like patient information home, via paper records, thumb drives or by emailing information to their personal email accounts.
  • Overwhelmed by life crisis or career disappointments.
  • Paranoia about being investigated; believes there are listening devices or cameras in their homes or workplaces.
  • Disregarding computer policies on installing personal software or hardware, accessing restricted websites, conducting unauthorized searches, or downloading confidential information.

How to Reduce Your Risk

  • Appropriately manage your employees. Entities should pay particular attention to individuals who are disgruntled or who may be undergoing financial hardship. Also, be watchful of employees who show up to work very early or leave very late with no work product to show for the extra time they’ve worked. Additionally, background checks can be very telling. This is especially true for employees whose records identify financial issues like issuing bad checks.
  • Be mindful of security access privilege designations. Only provide employees with the security access privileges they need to perform their job functions. The less access they have to patient data that does not involve them, the less likely they will be able to create large data breaches.
  • Proactively audit user access. Perform audits of user actions to determine who has been remoting into your entity’s computer network or who has been accessing your systems after normal business hours. Review reports of failed log-in attempts to determine whether employees are trying to log into systems they have not been officially granted access to view.
  • Develop and adhere to effective termination procedures. Once you become aware an employee will need to be terminated, make plans to disable their physical and system access such that the terminated employee does not have the opportunity to negatively impact your entity or systems. During the exit interview, make it clear to the terminated employee your entity will not tolerate inappropriate data access and will seek criminal prosecution if it discovers any employees are engaging in such activity.
  • Effective training programs. Ensure your employees are aware of your entity’s privacy and security policies and procedures. Reiterate these principles in training and inform employees of the consequences of not adhering to these requirements. Additionally, train employees to be particularly watchful of co-workers who exhibit the behavioral indicators described above. Ensure they know the warning signs and to whom to report their concerns.
  • Not all insiders are in your building. Be mindful that Business Associates and contractors may also have access to your systems and data. The activities of these users should be monitored as well. Individuals within those entities should be signing confidentiality agreements at a minimum, and Business Associate Agreements when applicable.
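A small version of the user-access audit described above, as an added example that is not the article’s code or the FBI’s: it runs three of the checks listed (successful activity outside business hours, remote access while HR shows the user on leave, and repeated failed logins to a system the user was never granted) over a constructed EHR access audit log. The pipe-delimited log format, the user and system names, the clinic’s business hours, the leave calendar and the failed-login threshold are all assumptions made for the example.

```python
"""Added example (not from the article): three insider-threat checks run
over a constructed EHR access audit log. Users, systems, log format,
business hours and thresholds are all hypothetical assumptions."""
from collections import Counter
from datetime import date, datetime, time

# Constructed audit events: timestamp|user|system|action|result|origin
AUDIT_LOG = [
    "2018-11-05T09:12:00|jdoe|ehr|login|success|onsite",
    "2018-11-05T09:13:00|jdoe|ehr|view_patient:P1001|success|onsite",
    "2018-11-05T22:40:00|jdoe|ehr|login|success|remote",
    "2018-11-05T22:41:00|jdoe|ehr|view_patient:P2002|success|remote",
    "2018-11-05T22:42:00|jdoe|ehr|view_patient:P2003|success|remote",
    "2018-11-10T14:05:00|asmith|ehr|login|success|remote",  # Saturday, on leave
    "2018-11-06T10:00:00|bjones|billing|login|failure|onsite",
    "2018-11-06T10:01:00|bjones|billing|login|failure|onsite",
    "2018-11-06T10:02:00|bjones|billing|login|failure|onsite",
    "2018-11-06T10:30:00|bjones|scheduling|login|success|onsite",
]

# Assumed HR inputs: systems each user is authorized for, and leave periods.
AUTHORIZED = {"jdoe": {"ehr"}, "asmith": {"ehr"}, "bjones": {"scheduling"}}
ON_LEAVE = {"asmith": [(date(2018, 11, 8), date(2018, 11, 12))]}
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed local clinic hours
FAILED_LOGIN_THRESHOLD = 3


def parse_event(line):
    """Split one pipe-delimited audit line into a dict with a datetime."""
    ts, user, system, action, result, origin = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "system": system,
            "action": action, "result": result, "origin": origin}


def is_after_hours(ts):
    """Weekend, or a weekday time outside BUSINESS_HOURS."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def is_on_leave(user, day):
    """True if HR records show the user on leave on that calendar day."""
    return any(start <= day <= end for start, end in ON_LEAVE.get(user, []))


def detect(lines):
    """Return (rule, user, detail) findings for the three checks."""
    events = [parse_event(line) for line in lines]
    findings = []
    after_hours_days = {}   # (user, date) -> first after-hours timestamp
    failures = Counter()    # (user, system) -> failed logins to unauthorized system

    for ev in events:
        user, ts = ev["user"], ev["ts"]
        # 1. Successful activity outside business hours, reported once per user-day.
        if ev["result"] == "success" and is_after_hours(ts):
            after_hours_days.setdefault((user, ts.date()), ts)
        # 2. Remote access while HR shows the user on vacation or sick leave.
        if ev["origin"] == "remote" and is_on_leave(user, ts.date()):
            findings.append(("remote_access_on_leave", user, ts.isoformat()))
        # 3. Failed logins to a system the user was never granted.
        if (ev["action"] == "login" and ev["result"] == "failure"
                and ev["system"] not in AUTHORIZED.get(user, set())):
            failures[(user, ev["system"])] += 1

    for (user, day), first_ts in sorted(after_hours_days.items()):
        findings.append(("after_hours_access", user, first_ts.isoformat()))
    for (user, system), count in sorted(failures.items()):
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(("failed_logins_unauthorized_system", user,
                             f"{system} x{count}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in detect(AUDIT_LOG):
        print(f"{rule:36} {user:8} {detail}")
```

Each finding is a lead for the Security Officer to follow up, not a verdict: a clinician on call will legitimately trip the after-hours rule, which is why it reports once per user-day rather than once per record viewed. Feeding the leave calendar and the per-user authorized-system list from HR and the access-provisioning records, rather than maintaining them by hand, is what keeps the second and third checks from going stale.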

Your entity’s designated Security Officer can play a key role in monitoring the electronic behavior of staff members, Business Associates and contractors. Ensure this individual is knowledgeable about your entity’s HIPAA security policies and procedures, and they are following up on audits that identify behaviors that may be placing your patient data at risk. If your entity does not have updated HIPAA security policies and procedures, consider hiring a health care compliance professional to ensure regulatory compliance.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala.

References
[1] “The Insider Threat,” U.S. Department of Justice, Federal Bureau of Investigation; https://www.fbi.gov/file-repository/insider_threat_brochure.pdf
[2] “Insider Threats: What every government agency should know and do,” Deloitte Dbriefs, March 2016.

Posted in: HIPAA

Medical Association Chooses PCIHIPAA to Help Benefit and Protect Its Members

MONTGOMERY – The Medical Association of the State of Alabama has partnered with PCIHIPAA to help protect its members from the onslaught of ransomware attacks, HIPAA violations and data breaches impacting Alabama physicians. Under HIPAA’s Security and Privacy Rules, health care providers are required to take proactive steps to protect sensitive patient information.

“The Medical Association services more than 7,000 Alabama physicians. It’s critical that our members understand the risks surrounding HIPAA compliance and patient data privacy and security laws. We vetted many HIPAA compliance providers and believe PCIHIPAA’s OfficeSafe Compliance Program is the right solution for Alabama physicians. PCIHIPAA’s compliance program is robust and easy to implement. I’m confident our partnership will provide a necessary, value-added program for our members.” said Association President Jerry Harrison M.D.

The partnership comes on the heels of an important announcement surrounding HIPAA compliance regulation. The Director of U.S. Department of Health and Human Services’ Office for Civil Rights recently stated, “Just because you are a small medical or dental practice doesn’t mean we’re not looking and that you are safe if you are violating the law. You won’t be.” In addition, in 2017 hacking and employee errors led to data breaches at Alabama-based Surgical Dermatology Group, UAB Viral Hepatitis Clinic and The University of Alabama, supporting the importance of HIPAA compliance and patient data protection.

According to the U.S. Department of Health and Human Services, OCR has received over 150,000 HIPAA complaints following the issuance of the Privacy Rule in April 2003. A rising number of claims filed under HIPAA in recent years have led many patients to question whether or not their personal payment and health information is safe. As the government has become more aggressive in HIPAA enforcement, large settlements have become widespread and rising penalties for HIPAA non-compliance are a reality.

According to HHS.gov, the types of HIPAA violations most often identified are:

  1. Impermissible uses and disclosures of protected health information (PHI)
  2. Lack of technology safeguards of PHI
  3. Lack of adequate contingency planning in case of a data breach or ransomware attack
  4. Lack of administrative safeguards of PHI
  5. Lack of a mandatory HIPAA risk assessment
  6. Lack of executed Business Associate Agreements
  7. Lack of employee training and updated policies and procedures

“We are honored to be partnering with The Medical Association of The State of Alabama. They have a 140-year track record of helping Alabama physicians thrive. PCIHIPAA’s mission is to help physicians easily and affordably navigate HIPAA requirements and provide the solutions they need to protect their practices. We find that many practices don’t have the resources to navigate HIPAA law, and are unaware of common vulnerabilities. We encourage all association members to take a complimentary risk assessment to quickly assess their HIPAA compliance and risk levels. To get started go to Start Risk Assessment.” said Jeff Broudy, CEO of PCIHIPAA.

About PCIHIPAA
PCIHIPAA is an industry leader in PCI and HIPAA compliance providing turnkey, convenient solutions for its clients. Delivering primary security products to mitigate the liabilities facing dentists and doctors, PCIHIPAA removes the complexities of financial and legal compliance to PCI and HIPAA regulations to ensure that health and dental practices are educated about what HIPAA laws require and how to remain in full compliance. Learn more at OfficeSafe.com and PCIHIPAA.com.

Posted in: MVP

HIPAA Guidance for Mass Shootings and Other Tragic and Emergency Situations

In the aftermath of one of the deadliest school shootings in U.S. history, many health care organizations are revisiting their HIPAA policies and procedures to determine exactly what information they are allowed to share and to whom they may share information. 

FAMILY AND FRIENDS

A health care entity may share a patient’s location, general condition or death with a patient’s family, guardian, or friend who is involved in the patient’s care or who may be responsible for payment of the patient’s treatment. This may occur in a variety of circumstances including, but not limited to, the following:

  • If the patient is present and able to make health care decisions, the health care provider must obtain the patient’s agreement, give the patient an opportunity to object, or reasonably infer from the circumstances, in the exercise of professional judgment, that the patient does not object to the disclosure.
  • If the patient is not present or unable to consent due to incapacity or emergency, the health care professional may in the exercise of professional judgment determine whether the disclosure to the family, friend or guardian is in the best interest of the patient.
  • If the patient is deceased, the health care provider may disclose information about the patient to the family member, friend or guardian unless the health care professional is specifically aware that the patient expressed that the disclosure not be made prior to their death.
  • Health care providers may also share information about a patient with police, media outlets or the general public when attempting to identify, locate or notify family members, guardians or personal representatives of a patient. The information that may be shared includes the patient’s location, general health status or death.
  • PHI may be shared with disaster relief organizations that are legally responsible for assisting with disasters if doing so will assist in the notification of family members or other individuals responsible for the patient’s care. [1]

MEDIA OUTLETS

Hospitals and health care entities may share general information about a patient with media outlets in an effort to identify, locate or notify individuals responsible for the patient’s care. However, if the request is initiated by the media, you must consider the following:

  • If the patient is conscious and does not object, limited facility directory information may be shared as long as the requestor asks for the patient by name. This information includes whether the patient is in fact receiving treatment at the facility, whether the patient is in critical or stable condition, and whether the patient was treated and released.
  • If the patient is unable to consent, the health care provider can determine based on their professional judgment whether notifying the media or general public of the patient’s status or death is in the best interest of the patient.

Specific information about a patient’s care, such as x-rays, tests performed and test results, or details of a patient’s diagnosis may not be disclosed without either the patient’s authorization or the authorization of their personal representative.

LAW ENFORCEMENT

Health care entities can provide information to law enforcement with a signed HIPAA authorization from the patient or the patient’s personal representative. However, there are instances in which PHI may be shared with law enforcement without patient consent. Those instances include:

  • When the health care professional reasonably believes that the report would prevent or lessen a serious and imminent threat to the health or safety of an individual or the public;
  • The entity believes in good faith that it is sharing information that may be evidence of a crime that occurred on the premises of the entity;
  • Alerting law enforcement of the death of an individual when there is a suspicion that the death resulted from criminal conduct;
  • When responding to an off-site medical emergency, as necessary to alert law enforcement to criminal activity;
  • When it is required by law to make reports to law enforcement, like in instances of treating gunshot or stab wounds;
  • In compliance with court orders, warrants, subpoenas or summons;
  • In response to a request by law enforcement to identify or locate a suspect, fugitive, material witness or missing person (the information must be limited to basic demographic and identifying information about the person); and
  • Instances of child abuse or neglect reporting, when the entity receiving the report is officially authorized by law to receive it.[2]

WHAT ABOUT THE SUSPECT?

When law enforcement needs assistance with identifying and locating a suspect, fugitive or material witness to a crime, health care entities are encouraged to cooperate with these requests.  However, those disclosures must be limited to the following information:

  • Name and Address,
  • Date and Place of Birth,
  • Social Security Number,
  • ABO blood type and Rh factor,
  • Type of Injury,
  • Date and Time of Treatment,
  • Date and Time of Death, and
  • Description of distinguishing physical characteristics (e.g., tattoos, mustache, beard).[3]

Any additional disclosures about a suspect’s medical information, such as DNA tests or body fluid analysis, can only be disclosed upon the presentation of a signed authorization, court order, warrant or documented administrative request.

WHAT IS A HIPAA WAIVER, AND WHEN DOES IT APPLY?

There is a great deal of confusion about what a HIPAA waiver is and when it may be relied upon. A waiver of HIPAA sanctions and penalties is possible only when the President declares an emergency or disaster and the Secretary of the Department of Health and Human Services (HHS) declares a public health emergency; the Secretary may then waive sanctions and penalties for noncompliance with certain provisions of the Privacy Rule for the duration of the emergency.

If the Secretary issues such a waiver, it only applies:

  • In the emergency area and for the emergency period identified in the public health emergency declaration;
  • To hospitals that have instituted a disaster protocol. The waiver would only apply to patients at such hospital; and
  • For up to 72 hours from the time the hospital implements its disaster protocol.[4] Once the limited waiver terminates, health care entities are required to comply with the HIPAA Privacy Rule.

It is important to know under what circumstances you can disclose information and to whom those disclosures can be offered. Failure to understand these requirements may place you at risk for HIPAA violations and sanctions. If you have specific questions about disclosures of PHI, please contact a health care compliance professional.

[1] 45 CFR 164.510(b)

[2] 45 CFR 164.512

[3] 45 CFR 164.512(f)(2)

[4] Social Security Act § 1135(b)(7), 42 U.S.C. § 1320b-5(b)(7)

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala. The Dunson Group, LLC, is an official partner with the Medical Association.

Posted in: HIPAA

HIPAA and the Holidays

As the holiday season builds momentum we are faced with numerous distractions like holiday decorations, taking advantage of online sales and soaking in the traditions that we look forward to each year. But this season of joy and giving should also be met with a heightened sense of awareness and adherence to HIPAA policies and procedures. You’re likely thinking to yourself, “How can Christmas, Hanukkah, Kwanzaa or the New Year impact HIPAA?” Well, those holidays can’t, but your employees’ behavior sure can.

Electronic Protected Health Information (ePHI)

This busy season will cause some employees to take advantage of online shopping while at work. While that seems relatively harmless, and in most cases it is, it also invites the possibility of introducing malware into your systems from unprotected and/or unapproved sites. It is important to have a clear policy and procedure regarding internet access on your entity’s equipment, and it is equally important to ensure that your entity is enforcing compliance. Likewise, the threat of ransomware is ever increasing. A distracted employee is more likely to click a suspicious link or open a questionable email that could introduce ransomware into your computer systems or electronic medical records. This is a great time to remind staff of their responsibilities to protect ePHI.

Physical Security

Unfortunately, the season of “giving” for some means a season of “taking” for others. Generally, criminal activity like property theft and break-ins rise during the shopping season. This makes it extremely important for your entity to adhere to mandatory HIPAA Physical Safeguards. The HIPAA Security Rule requires entities to have a documented Facility Security Plan, which memorializes the use of physical access controls. Specifically, entities are required to “implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.”[1] The entity’s designated HIPAA Security Officer should be reminding employees of the policy of not providing keys or swipe access to individuals who are not employees or staff members of the entity. Additionally, HIPAA Security Officers should review and document the use of cameras, alarm systems, keys and swipe cards to assess whether any changes need to be made to address any areas of vulnerability.

This is also particularly important for employees and staff who travel with PHI or ePHI. Whether it is paper records or a laptop, employees and staff should ensure they are not leaving these items in their vehicles in plain view. We advise our clients to have a policy that requires employees to keep any PHI or ePHI in the trunk of their vehicle, where it is not visible or inviting to a would-be thief. This can significantly reduce the entity’s risk of HIPAA breaches, as well as property loss.

Workstation Security

Many health care providers will experience an increase in patient activity as people clamor to make their end-of-year appointments and take advantage of any cost savings before the new year begins. Combine that with flu season and the prevalence of winter illnesses, and all of a sudden the waiting room is standing room only. The euphoric nature of the season, coupled with a dramatic increase in patient activity, can be a recipe for HIPAA violations. While employees struggle to keep up with the demand, they are more likely to be careless about workstation security. They become less likely to lock their computers when they walk away from their station and more likely to share usernames and passwords in order to accomplish certain tasks more quickly. While these activities seem relatively harmless, they are violations that can cost the entity greatly if they lead to breaches of PHI or ePHI.

Visitors and Guests

The holidays aren’t nearly as fun without office holiday parties. These parties generally include catered meals, outside delivery services and even invited guests. Entities should ensure that they have a documented visitor/guest policy and procedure and that their employees follow that procedure. This includes a visitor/guest sign-in. Depending on the layout of the facility, these visitor/guests should be escorted to their destination so that they don’t have an opportunity to view documents or lab reports that may be left unattended in the facility.

Delivery personnel and vendors are not the only individuals subject to that policy. Family members and friends who come to the facility to visit staff members and employees must also adhere to the entity’s visitation policies. Just because a person is a relative or close friend does not earn them the right to overhear conversations about patient PHI or the right to view PHI that may be on someone’s desk or workstation.

Tone of Voice

One of the biggest complaints our office receives regarding patient privacy concerns the tone of voice employees and staff use when discussing patients’ health conditions. During the holiday season, many entities play festive music in their waiting areas, which causes employees and staff to raise their voices as they converse with patients or other providers. Entities should pay particular attention to the location of their waiting rooms and the position of their reception desk. Employees and staff should be advised of this concern and reminded of the importance of using a professional tone that would not give rise to unauthorized or inappropriate disclosures of PHI.

This is without argument “the most wonderful time of the year.” It’s a time to enjoy family, get reacquainted with friends, and provide for the health and well-being of patients. As the activity of the season builds, it is important to make every effort to ensure that your entity is in compliance with HIPAA regulations. Adhering to appropriate policies and procedures will not only ensure that you provide appropriate patient care, it will also reduce the likelihood of liability for violations which is a great way to start the New Year.

[1] § 164.310(a)(2)(ii)

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama. www.dunsongroup.com

Posted in: HIPAA

What is a Business Associate Agreement, and Why Should You Care?

Health care providers are primarily concerned with the treatment and wellbeing of their patients. They gather and maintain tremendous amounts of protected health information[1] (PHI) throughout the treatment process and commonly share that PHI with third parties who assist them in carrying out their work. Sharing PHI with a third party who is not a workforce member may create a business associate relationship. With the passage of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, medical practices are now required to identify business associate relationships and enter into Business Associate Agreements (BAAs). Failure to comply can lead to heavy fines imposed by the Department of Health and Human Services.

A common challenge to compliance with this regulation is assessing whether an individual or entity falls within the definition of a Business Associate.  To make this determination, medical practices are required to identify third parties who create, receive, maintain, or transmit PHI on behalf of the covered entity, including subcontractors. After documenting this process, an appropriate BAA must be executed to govern the relationship and to protect any PHI.

BAAs are contracts that dictate how a Business Associate must use, disclose and safeguard PHI, as well as the covered entity’s responsibilities to the Business Associate. At a minimum, the BAA must include the following provisions:

  • Establish the permitted and required uses and disclosures of PHI by the Business Associate;
  • Provide that the Business Associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;
  • Require the Business Associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI;
  • Require the Business Associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured PHI;
  • Require the Business Associate to disclose PHI as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their PHI, as well as make available PHI for amendments (and incorporate any amendments, if required) and accountings;
  • To the extent the Business Associate is to carry out a covered entity’s obligation under the Privacy Rule, require the Business Associate to comply with the requirements applicable to the obligation;
  • Require the Business Associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of PHI received from, created, or received by the Business Associate on behalf of the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule;
  • At termination of the contract, if feasible, require the Business Associate to return or destroy all PHI received from, or created or received by the Business Associate on behalf of, the covered entity;
  • Require the Business Associate to ensure that any subcontractors it may engage on its behalf that will have access to PHI agree to the same restrictions and conditions that apply to the Business Associate with respect to such information; and
  • Authorize termination of the contract by the covered entity if the Business Associate violates a material term of the contract. Contracts between Business Associates and their subcontractors are subject to these same requirements.[2] (DHHS, 2013)

Don’t Think This Applies to You? Think Again!

Business Associate relationships are voluminous in medical practices.  More often than not, the modern medical practice will have multiple relationships that require a BAA. A few examples may include:

  • Tech support for an Electronic Health Record (EHR)
  • Data storage services
  • Repair services for copiers with hard drives
  • Data destruction
  • Cloud hosting
  • CPA firms that provide accounting services
  • Independent medical transcription services
  • Claims processing

Business Associates May Face Penalties as Well

In June 2016, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) settled with HHS for $650,000 over potential violations of the HIPAA Security Rule. CHCS provided management and information technology services to skilled nursing facilities, creating a Business Associate relationship. HHS alleged that the theft of a CHCS iPhone that was unencrypted and not password protected compromised the PHI of numerous nursing home residents.

“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” said U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels. “This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”

Medical practices should be eager to institute BAAs where appropriate, as they shift liability to the Business Associate for the Business Associate’s own inappropriate conduct. Medical practices should not allow any relationship with a contractor to exist without first analyzing the need for a Business Associate Agreement. Otherwise, the medical practice could be required to perform breach notification or pay litigation costs for the actions of the Business Associate. It is paramount that your medical practice obtain BAAs when necessary and have a system in place to track them. A proper tracking system will notify you when BAAs expire and will ensure that nothing slips through the cracks. Understand that if an audit determines your medical practice lacks the necessary BAAs, has expired BAAs, or has BAAs that lack the required provisions, your entity could be fined for non-compliance with the HITECH Act.

It is important to note that there are a number of exceptions to the Business Associate Agreement requirement that may apply. Some exceptions include conduits, workforce members and janitors. To protect your practice, you should have a qualified professional perform a risk analysis to determine if a BAA is necessary and to fashion a BAA to the specific relationship.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  www.dunsongroup.com

[1] PHI includes many common identifiers, like a patient’s name, date of birth, address, social security number, full-face photo or any other personal identifiers.

[2] Department of Health and Human Services. (2013) Business Associate Agreement Contracts. Retrieved from https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html

Posted in: Liability
