A small Denver pharmacy agreed to a $125,000 settlement with the U.S. Department of Health and Human Services (HHS) after HHS alleged that the pharmacy failed to dispose of paper records that contained patient information in accordance with HIPAA.

According to the Resolution Agreement, the HHS Office for Civil Rights (OCR) received a report from a local news station that the pharmacy disposed of paper records containing protected health information (PHI) in a dumpster that was accessible to the public. The Resolution Agreement also alleges that the pharmacy failed to implement written policies and procedures to comply with HIPAA and did not train its workforce on proper HIPAA protocols and procedures for handling PHI.

On January 13, 2015, Jocelyn Samuels, director of the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services, briefed reporters on the agency’s HIPAA enforcement priorities, noting a focus on threats to electronic health information, or ePHI.  For more information about the briefing, visit Covington’s

In response to the recent Ebola outbreak and other events, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has released guidance regarding the use and sharing of patient information in emergency situations.  The guidance emphasizes that HIPAA requirements are not suspended during an emergency.  However, the Privacy Rule includes several provisions that affect the use and disclosure of patient information in emergencies.  Additionally, the Secretary of HHS may temporarily waive certain Privacy Rule provisions during emergencies, such as sanctions or penalties against providers that fail to comply with particular requirements.  OCR has created an interactive, online decision-support tool to assist covered entities, business associates, and others in determining how information may be accessed, used, or disclosed consistent with the HIPAA Privacy Rule in emergency situations.


Recently, HHS Office of Civil Rights (OCR) announced that it has entered into settlement agreements with two entities following enforcement actions, both arising from stolen laptops that were not encrypted in accordance with the Security Rule. 

According to HHS, an unencrypted laptop was stolen from a physical therapy center in Springfield, Missouri. The center was part of a larger health system, Concentra Health Services. Through conducting required HIPAA risk analyses, Concentra had previously recognized that the lack of encryption on its devices posed a security risk. However, HHS found that Concentra’s efforts to address this risk were “incomplete and inconsistent over time.” Concentra has agreed to pay over $1.7 million to settle potential violations, as well as to submit a corrective action plan. This significant monetary penalty suggests HHS will not look favorably upon violations of the Security Rule that the covered entity has documented but not taken reasonable efforts to correct.

On March 28, HHS released new resources on risk analysis requirements under the HIPAA Security Rule.  The HIPAA Security Rule governs how electronic individually identifiable health information is maintained by covered entities and business associates.  In short, it requires covered entities and business associates to implement certain physical, administrative, and technical safeguards to protect the confidentiality and integrity of electronic protected health information (e-PHI).

A provision of the Security Rule requires covered entities and business associates to conduct a risk assessment, in which they review the safeguards currently in place and identify potential vulnerabilities in security policies, processes, and systems. To help organizations comply with this sometimes onerous requirement, HHS has released an online template that will walk users step-by-step through the questions that must be asked as part of a required risk assessment. HHS notes that the tool will help entities document the current state of their security system as well as develop proper risk remediation plans.

Recently, the Workgroup for Electronic Data Interchange (WEDI) published a Breach Risk Assessment Issue Brief for stakeholders to use in analyzing whether a breach of protected health information (PHI) has occurred under the Health Insurance Portability and Accountability Act (HIPAA).

Background

Under HIPAA’s breach notification rule, covered entities and business associates are required to notify affected individuals, HHS, and, sometimes, the media when they determine that a breach of unsecured PHI has occurred.

By Anna Kraus

On January 7, 2014, the Department of Health and Human Services (HHS) published a notice of proposed rulemaking to modify the HIPAA Privacy Rule to expressly allow certain disclosures to the National Instant Criminal Background Check System (NICS).  As we previously reported, this was one of the executive actions in President Obama’s plan to reduce gun violence, which was released in January 2013.

Background:  The NICS is the federal government’s system for conducting background checks on individuals who may be disqualified from receiving firearms under federal law (i.e., subject to a federal “mental health prohibitor”).  This includes individuals who have been involuntarily committed to a mental institution; found incompetent to stand trial or not guilty by reason of insanity; or otherwise determined, through a formal adjudication process, to have a severe mental condition that results in the individual’s presenting a danger to themselves or others or being incapable of managing their own affairs.

In April 2013, HHS released an advance notice of proposed rulemaking (ANPRM) requesting public comment on whether HIPAA creates a barrier to States reporting mental health prohibitor information to the NICS. (See our previous post on the ANPRM here.) After receiving over 2,050 comments in response to the ANPRM, HHS elected to proceed with creating an express permission in the HIPAA Privacy Rule for NICS reporting.

By Anna Kraus

On December 27, 2013, the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) announced a HIPAA settlement with Adult & Pediatric Dermatology, P.C. (APDerm), a private dermatology practice with locations in Massachusetts and New Hampshire.  According to HHS, this is the first settlement based on a covered entity not having policies and procedures in place to address the breach notification requirements in the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Like other HIPAA investigations, this one began after HHS received notification of a breach of unsecured protected health information (PHI).  In October 2011, APDerm notified HHS that an unencrypted thumb drive, which contained electronic PHI relating to the surgeries of approximately 2,200 patients, was stolen from an employee’s vehicle and not recovered.  HHS found through its investigation that APDerm:

  • Did not conduct a proper risk assessment under the HIPAA Security Rule until one year later (October 2012);
  • Did not fully comply with the HIPAA Breach Notification Rule requirements to have written policies and procedures regarding breach notification, and to train workforce members on those policies and procedures, until February 2012; and
  • Committed an impermissible disclosure of PHI, in violation of the HIPAA Privacy Rule, when it gave an unauthorized individual access to the unencrypted thumb drive that was later stolen.


Recently, the Office of Inspector General (OIG) at HHS released a report on the HIPAA enforcement efforts of HHS’s Office for Civil Rights (OCR).  Specifically, the OIG looked at whether OCR’s efforts to enforce HIPAA’s Security Rule were adequate.  The OIG’s findings may lead to increased enforcement efforts by OCR. 


On September 19, HHS released additional guidance on the “refill reminder exception” in HIPAA, which allows — in some circumstances — paid communications regarding a drug or biologic currently prescribed to a patient.

Background

In January 2013, HHS finalized new restrictions on marketing as part of the final omnibus rule implementing changes to HIPAA under the HITECH Act. The new rules modified how and when covered entities and business associates may receive financial remuneration from a third party for making communications about a drug or biologic currently prescribed to an individual (i.e., “the refill reminder exception” to the marketing prohibition). We previously discussed the new restrictions here. In short, the new rules prohibit any financial remuneration above and beyond what is reasonable. HHS indicated that reasonable remuneration would include the costs of labor, supplies, and postage to make the communication. These restrictions appeared to prohibit a covered entity or business associate from generating a profit to make these subsidized communications.

As we discussed earlier, these new restrictions were challenged in a lawsuit filed earlier this month by Adheris, Inc. Since the filing of the complaint, HHS announced that it would promulgate additional guidance on the refill reminder exception.

HHS Guidance

The new guidance describes both the scope of communications that fall within the exception and what third party payments are considered “reasonable” under the statute and regulations for making such communications. 

What communications are included in the exception?

HHS explains that the following communications are permitted under the exception:

  • Refill reminders.
  • Communications about generic equivalents of a drug being prescribed.
  • Communications about a recently lapsed prescription (one that has lapsed within the last 90 calendar days).
  • Adherence communications encouraging individuals to take prescribed medicines as directed.
  • Where an individual is prescribed a self-administered drug, communications regarding all aspects of a drug delivery system.
