
Healthcare Compliance 101

Archive for the category “HIPAA Privacy”

Phase Two HIPAA Audits Have Begun

July 12, 2016

OCR’s Phase Two HIPAA Audits Have Begun

Phase Two of OCR’s HIPAA audit program, which officially began a couple of months ago, has now kicked into high gear. Selected covered entities have received notification letters regarding their inclusion in the desk audit portion of the audit program. Letters were delivered on Monday, July 11, 2016, via email to 167 health plans, health care providers and health care clearinghouses (covered entities). The desk audits will examine the selected entities’ compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules.

The desk audits are focused examinations of documentation of entity compliance with certain requirements of the HIPAA Rules (see the list below). OCR selected these provisions for the desk audits because its pilot audits, as well as its enforcement activities, surfaced them as frequent areas of noncompliance. Entities received two email communications, sent to the contact information confirmed by the entity during the pre-audit phase of the program. These emails may nevertheless be incorrectly classified as spam by the recipient’s email service, so covered entities should monitor their spam filtering and junk mail folders for emails from OSOCRAudit@hhs.gov. One email includes a notification letter providing instructions for responding to the desk audit document request, the timeline for response, and a unique link for each organization to submit documents via OCR’s secure online portal. A second email contains an additional request to provide a listing of the entity’s business associates and also provides information about an upcoming webinar, where OCR will explain the desk audit process for auditees and take their questions. Entities have 10 business days, until July 22, 2016, to respond to the document requests. Desk audits of business associates will follow this fall.

For more information, see http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html.

Requirements Selected for Desk Audit Review

Privacy Rule
  • Notice of Privacy Practices & Content Requirements [§164.520(a)(1) & (b)(1)]
  • Provision of Notice – Electronic Notice [§164.520(c)(3)]
  • Right to Access [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)]

Breach Notification Rule
  • Timeliness of Notification [§164.404(b)]
  • Content of Notification [§164.404(c)(1)]

Security Rule
  • Security Management Process — Risk Analysis [§164.308(a)(1)(ii)(A)]
  • Security Management Process — Risk Management [§164.308(a)(1)(ii)(B)]

New Guidance on Ransomware – Protect ePHI

Your Money or Your PHI:  New Guidance on Ransomware

One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyber-attacks on electronic health information systems, such as through ransomware. The FBI has reported an increase in ransomware attacks, and the media have reported a number of ransomware attacks on hospitals. In recognition of the threat that ransomware poses to critical healthcare infrastructure, the Secretary of HHS recently sent the attached letter to chief executive officers (CEOs) of companies in the health care sector. This letter highlights the importance of robust security compliance to combat ransomware attacks.

To help health care entities better understand and respond to the threat of ransomware, the HHS Office for Civil Rights today released new Health Insurance Portability and Accountability Act (HIPAA) guidance on ransomware. The new guidance reinforces activities required by HIPAA that can help organizations prevent, detect, contain, and respond to threats, including:

  • Conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and establishing a plan to mitigate or remediate those identified risks;
  • Implementing procedures to safeguard against malicious software;
  • Training authorized users on detecting malicious software and reporting such detections;
  • Limiting access to ePHI to only those persons or software programs requiring access; and
  • Maintaining an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations.

Some of the other topics covered in the guidance include: understanding ransomware and how it works; spotting the signs of ransomware; implementing security incident responses; mitigating the consequences of ransomware; and the importance of contingency planning and data backup. The guidance makes clear that a ransomware attack usually results in a “breach” of healthcare information under the HIPAA Breach Notification Rule. Under the Rule, and as noted in the guidance, entities experiencing a breach of unsecured PHI must notify individuals whose information is involved in the breach, HHS, and, in some cases, the media, unless the entity can demonstrate (and document) that there is a “low probability” that the information was compromised.

Ransomware is a type of malware (malicious software) that encrypts data with a key known only to the hacker and makes the data inaccessible to authorized users. After the data is encrypted, the hacker demands that authorized users pay a ransom (usually in a cryptocurrency such as Bitcoin to maintain anonymity) in order to obtain a key to decrypt the data. Ransomware frequently infects devices and systems through spam, phishing messages, websites, and email attachments and enters the computer when a user clicks on the malicious link or opens the attachment.

Organizations need to take steps to safeguard their data from ransomware attacks. HIPAA covered entities and business associates are required to develop and implement security incident procedures and response and reporting processes that are reasonable and appropriate to respond to malware and other security incidents.

The guidance can be found at: http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf. Please feel free to share the attached letter, and the link to the new HIPAA guidance, with interested colleagues.

Unauthorized Filming of Your Patient Could Result in HIPAA Violation

Unauthorized Filming for “NY Med” Results in $2.2 Million Settlement with New York Presbyterian Hospital

Today, the Department of Health and Human Services, Office for Civil Rights (OCR) announced that it has reached a $2.2 million settlement with New York Presbyterian Hospital (NYP) for the egregious disclosure of two patients’ protected health information (PHI) to film crews and staff during the filming of “NY Med,” an ABC television series, without first obtaining authorization from the patients. In particular, OCR found that NYP allowed the ABC crew to film someone who was dying and another person in significant distress, even after a medical professional urged the crew to stop.

“This case sends an important message that OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization,” said Jocelyn Samuels, OCR’s Director. “We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients’ privacy is fully protected.”

By allowing individuals receiving urgent medical care to be filmed without their authorization by members of the media, NYP’s actions blatantly violate the HIPAA Rules, which were specifically designed to prohibit the disclosure of individuals’ PHI, including images, in circumstances such as these.

OCR also found that NYP failed to safeguard protected health information and allowed ABC film crews virtually unfettered access to its health care facility, effectively creating an environment where PHI could not be protected from impermissible disclosure to the ABC film crew and staff. In addition to the $2.2 million, OCR will monitor NYP for two years as part of this settlement agreement, helping ensure that NYP will remain compliant with its HIPAA obligations while it continues to provide care for patients.

What Every Healthcare Provider Needs To Do To Avoid Damages Under The TCPA

Memorandum re Liability of a Dental Practice under the Telephone Consumer Protection Act (TCPA) – September 28, 2015.

Disclaimer: This material is for general reference purposes only and does not constitute legal advice.

Note: Even though the TCPA only covers phone calls and text messaging, we also included emails as part of the consent that patients give in the event that future regulations or laws are passed involving email communications.

The purpose of this memorandum is to discuss the changes to a Practice’s 1) Notice of Privacy Practices and 2) Acknowledgement of Receipt of Notice of Privacy Practices & Consent for Use and Disclosure of Health Information (Acknowledgement). These changes are necessary in order to protect the practice from potential lawsuits and damages resulting from violations of the Telephone Consumer Protection Act. They stem from the class action suit against Walgreens, in which Walgreens settled for $11,000,000 for alleged violations of the TCPA. The final approval hearing for this settlement was held on Aug. 5, 2015.

Why do we need to make these changes when Healthcare Compliance Consulting, Inc. set up our HIPAA Privacy and Compliance programs for us and we already have our patients sign our Acknowledgement form?

The problem is that even though a dental practice is a covered entity (just as Walgreens is a covered entity) and is required to comply with the HIPAA regulations, the class action suit against Walgreens was not brought for violation of the HIPAA regulations but for violation of the TCPA, which is a federal act that is completely separate from the HIPAA regulations. The nature of the infraction against Walgreens was such that this type of incident should have been covered under the HIPAA regulations, but there are no HIPAA regulations that discuss or govern it. Thus, a similar lawsuit could be brought against a dental practice on the grounds that the dental practice violated the TCPA.

The nature of the lawsuit against Walgreens was that it placed prerecorded prescription reminder calls to the cell phones of prior Walgreens consumers or customers without their consent. The court made a distinction between phone calls made by Walgreens to pharmacy patients with a current prescription due to be picked up and calls to prior Walgreens pharmacy patients that had no current prescriptions due to be picked up. The court said that the reminder calls to prior Walgreens patients that did not have a current prescription due to be picked up could not be made by Walgreens without that patient’s prior consent. Because Walgreens did not get the patients’ consent first, the court said that these cell phone calls were unauthorized, which constituted a violation of the TCPA and made Walgreens subject to damages.

Lawsuits can be brought under the TCPA against any dentist for sending out any kind of reminder message to patients (e.g., to schedule recall appointments and unscheduled treatment), transmitted either by phone or text, without the prior consent of that patient.

A violation of the TCPA could occur in a dental office 1) where a phone call or text notice is sent to the patient requesting that the patient call the dental office and set up an appointment for future treatment, based on a prior recommendation from the dentist to have this unscheduled dental work done in the future, or 2) where the dental office calls or texts a recall notice to the patient to set up an appointment (such as a 3-month or 6-month recall appointment reminder) stating that it has been 3, 6, 9 months, etc. since the patient’s last treatment or visit and it is time to set up another dental appointment, and that patient has not given the practice his/her consent to send out such notices.

To be safe and to protect the dental practice from liability, lawsuits and damages for violation of the TCPA, the dental practice should have language on its NPP and Acknowledgement form where the patient gives the dental practice his/her consent to send out such notices by either phone or text. We have revised the NPP and Acknowledgement form with language that gives the dental practice the patients’ consent to send out such notices.

Special problems involving Recall Notices

When a dental office makes a phone call or sends a text message to a patient reminding them that it has been 3 months, 6 months, 9 months, 12 months, etc. and requests the patient to call and set up an appointment, this is a violation of the TCPA unless the patient gives consent to the practice to call or text him/her. The problem is that it has been a common practice for dental practices to send these kinds of recall notices in order to keep business coming into the practice. To stop sending these kinds of recall notices could cause the dental practice to lose a substantial amount of business. So, on one hand, based on the current litigation with Walgreens, it definitely is a violation of the TCPA to make these kinds of phone calls or text messages without the patients’ consent. On the other hand, the practice will lose business if it does not contact patients that it has previously treated to notify them that they have not been in for 3 months, 6 months, etc. and that they should set up an appointment. To further complicate the problem, if the dental practice does not contact its patients for recall appointments, it is possible that it could be cited for abandonment of treatment. Once a dentist begins treating a patient, the dentist may not abandon the patient without incurring liability for damages unless the dentist follows certain steps and procedures for terminating the dentist/patient relationship. So the dentist is really in a catch-22 situation, and a dental practice will have to decide how it wants to handle this situation because there will be risk involved no matter what it does. If the dentist contacts the patient by phone or text in order to set up a recall appointment without the patient’s consent, it is in violation of the TCPA. If it does not make a recall phone call or send a recall text, it could be subject to liability for abandonment of treatment. So the dentist will have to decide whether to take the risk and continue making recall phone calls and/or sending text messages, and have the patient sign the consent form when they come in for treatment.

We have recommended that all dental practices have their existing and new patients sign their Acknowledgement form with the new consent language on it because 1) anyone can file a lawsuit against the practice under the TCPA for failure of the practice to obtain consent from the patient (it doesn’t have to be the patient that files the lawsuit against the practice) and 2) because of the recent Walgreens settlement for violation of the TCPA (Aug. 5, 2015), lawyers may be more aggressive in searching out clients that would be willing to bring a lawsuit against any covered entity (such as a dental practice, either large or small). There already are lawyers pursuing opportunities to solicit people that they can represent to bring lawsuits against healthcare providers for violations of the TCPA. If you Google “Telephone Consumer Protection Act,” there already are Minneapolis law firms whose names appear in the side bar advertising their consumer protection services for violations of the TCPA.

HIPAA Privacy and Security Compliance Audits Begin November 2011

OCR Announces November 2011 start of Privacy and Security Compliance Audits

Overview: OCR has announced that it is initiating Compliance Audits beginning November 2011, as authorized by the HITECH Act. The HITECH Act requires the Department of Health and Human Services (HHS) to provide for periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification Standards. These audits will strengthen enforcement and accountability for compliance with existing and forthcoming (by the end of 2011) Rule modifications. HHS has delegated this auditing function to OCR. To implement this mandate, OCR is piloting a program to perform 150 compliance audits of covered entities to assess privacy and security compliance.

Who will be audited? Every covered entity and business associate is eligible for an audit. OCR is responsible for selecting the covered entities that will be audited. OCR has indicated that selections will be designed to provide a broad assessment of a complex and diverse healthcare industry. This means that OCR will randomly select covered entities that are large, medium size and small (such as a one-doctor healthcare provider). No covered entity will be exempt from the chance of being selected for a compliance audit by OCR.

What is the purpose of these audits? These audits precede the imminent release of the Final HIPAA/HITECH Act Privacy, Security, Breach Notification and Enforcement Rules (expected before the end of 2011) and will strengthen enforcement and accountability for compliance with existing and forthcoming Rule modifications.

How the Audit Program will Work. Covered entities selected for an audit will be informed by OCR of their selection and will be asked to provide documentation (in writing) of their privacy and security compliance efforts. Covered entities will have 10 business days to provide the requested information. Every audit will include a site visit and result in an audit report. OCR expects to notify covered entities selected for an audit between 30 and 90 days prior to the onsite visit. During site visits, auditors will interview key personnel and observe processes and operations to help determine compliance. Onsite visits may take between 3 and 10 business days depending on the complexity of the organization and the auditor’s need to access materials and staff. OCR will then issue a report based upon the audit.

What happens After an Audit? Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem. Generally, OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective actions are most effective.

Why the Push for Increased Audits? The increase of 6,230,963 individuals affected by HITECH breaches (for a total of 18,190,451) represents a skyrocketing jump in the number of individuals affected by privacy and security breaches, which heightens the need for OCR to strengthen enforcement and accountability through compliance audits to ensure compliance with these Rules.

What should a covered entity do to prepare for a potential OCR Audit and avoid the consequences (monetary penalties) of non-compliance? To avoid potential penalties for non-compliance, covered entities and business associates must now pay immediate attention to 1) conducting a new, or reviewing an existing, Risk Assessment of threats and vulnerabilities to Protected Health Information (PHI); 2) mitigating identified risks through privacy and security safeguard Policies and Procedures; 3) training their workforce members (which includes management) to safeguard the privacy and security of PHI; and 4) documenting those actions in writing.

Over 70% of Healthcare Providers Suffered Privacy Breaches

The HITECH Act – Little-Noticed Provision

Remember the HIPAA violation charge against the Alabama woman who stole PHI from more than 4,000 surgery patients at Trinity Medical Center in Birmingham, Alabama? This case marked the first time that the DOJ has charged someone with a HIPAA violation who is not connected in any way to a covered entity. In this case the woman is alleged to have been visiting the hospital when she took the documents.

Prior to the HITECH Act, the HIPAA charge against the Alabama woman may not have occurred, or may have been substantially more difficult to file. If convicted, this woman could be jailed for 10 years and fined $250,000 for the HIPAA charge alone. However, under the June 28 indictment there are added charges of “possessing stolen mail, attempting to commit bank fraud, misusing someone else’s Social Security number, and aggravated identity theft.”

Prior to the HITECH Act, Section 1177(a) of the Social Security Act (42 U.S.C. 1320d-6(a)), “Wrongful disclosure of individually identifiable health information,” read:

(a) Offense. – “A person who knowingly and in violation of this part–(1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall be punished as provided” in later sections.

The HITECH Act added “Sec. 13409. Clarification of Application of Wrongful Disclosures Criminal Penalties,” which applies criminal penalties to individuals. It states:

“Section 1177(a) of the Social Security Act (42 U.S.C. 1320d-6(a)) is amended by adding at the end the following new sentence: ‘For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1180(b)(3)) and the individual obtained or disclosed such information without authorization.’”

Prior to this change, only covered entities (CEs) and certain individuals working for them were directly liable for criminal charges. The expansion not only means that outsiders can be liable, but also that low-level employees can now be subject to direct prosecution.

HHS Appoints Contractor to Conduct HIPAA Privacy and Security Audits

OCR Settles HIPAA Privacy and Security Case With UCLA

Celebrity snooping by employees results in stiff civil monetary penalties and a resolution agreement for University of California Los Angeles Health Services (UCLAHS).

HIPAA Notice of Privacy Practices

FREE OFFER