HHS

The Office of the National Coordinator for Health Information Technology (ONC) recently released an updated Guide to Privacy and Security of Electronic Health Information.  The guide aims to help individuals, providers, and the health IT community understand the role of HIPAA in the interoperability of health information.

This guide updates the
Continue Reading HHS Updates Health Data Privacy and Security Guide

Recently, the HHS Office for Civil Rights (OCR) announced that it has entered into settlement agreements with two entities following enforcement actions, both arising from stolen laptops that were not encrypted in accordance with the Security Rule.

According to HHS, an unencrypted laptop was stolen from a physical therapy center in Springfield, Missouri.  The center was part of a larger health system, Concentra Health Services.  Through its required HIPAA risk analyses, Concentra had previously recognized that the lack of encryption on its devices posed a security risk.  However, HHS found that Concentra's efforts to address this risk were "incomplete and inconsistent over time."  Concentra has agreed to pay over $1.7 million to settle potential violations, as well as to submit a corrective action plan.  This significant monetary penalty suggests HHS will not look favorably upon violations of the Security Rule that the covered entity has documented but has not made reasonable efforts to correct.

Continue Reading Two HIPAA Settlements Follow Stolen Laptops

By Anna Kraus

On January 7, 2014, the Department of Health and Human Services (HHS) published a notice of proposed rulemaking to modify the HIPAA Privacy Rule to expressly allow certain disclosures to the National Instant Criminal Background Check System (NICS).  As we previously reported, this was one of the executive actions in President Obama’s plan to reduce gun violence, which was released in January 2013.

Background:  The NICS is the federal government’s system for conducting background checks on individuals who may be disqualified from receiving firearms under federal law (i.e., subject to a federal “mental health prohibitor”).  This includes individuals who have been involuntarily committed to a mental institution; found incompetent to stand trial or not guilty by reason of insanity; or otherwise determined, through a formal adjudication process, to have a severe mental condition that results in the individual’s presenting a danger to themselves or others or being incapable of managing their own affairs.

In April 2013, HHS released an advance notice of proposed rulemaking (ANPRM) requesting public comment on whether HIPAA creates a barrier to States reporting mental health prohibitor information to the NICS.  (See our previous post on the ANPRM here.)  After receiving over 2,050 comments in response to the ANPRM, HHS elected to proceed with creating an express permission in the HIPAA Privacy Rule for NICS reporting.

Continue Reading HHS Issues Proposed Rule on HIPAA and Firearm Background Check Reporting

By Anna Kraus

On December 27, 2013, the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) announced a HIPAA settlement with Adult & Pediatric Dermatology, P.C. (APDerm), a private dermatology practice with locations in Massachusetts and New Hampshire.  According to HHS, this is the first settlement based on a covered entity not having policies and procedures in place to address the breach notification requirements in the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Like other HIPAA investigations, this one began after HHS received notification of a breach of unsecured protected health information (PHI).  In October 2011, APDerm notified HHS that an unencrypted thumb drive, which contained electronic PHI relating to the surgeries of approximately 2,200 patients, was stolen from an employee’s vehicle and not recovered.  HHS found through its investigation that APDerm:

  • Did not conduct a proper risk assessment under the HIPAA Security Rule until one year later (October 2012);
  • Did not fully comply with the HIPAA Breach Notification Rule requirements to have written policies and procedures regarding breach notification, and to train workforce members on those policies and procedures, until February 2012; and
  • Committed an impermissible disclosure of PHI, in violation of the HIPAA Privacy Rule, when it gave an unauthorized individual access to the unencrypted thumb drive that was later stolen.

Continue Reading HHS Announces First HIPAA Settlement Based on Lack of Breach Notification Policies and Procedures

Recently, the Office of Inspector General (OIG) at HHS released a report on the HIPAA enforcement efforts of HHS’s Office for Civil Rights (OCR).  Specifically, the OIG looked at whether OCR’s efforts to enforce HIPAA’s Security Rule were adequate.  The OIG’s findings may lead to increased enforcement efforts by OCR. 

Continue Reading HHS OIG Releases Report on HIPAA Enforcement Efforts

On September 19, HHS released additional guidance on the “refill reminder exception” in HIPAA, which allows — in some circumstances — paid communications regarding a drug or biologic currently prescribed to a patient.

Background

In January 2013, HHS finalized new restrictions on marketing as part of the final omnibus rule implementing changes to HIPAA under the HITECH Act.  The new rules modified how and when covered entities and business associates may receive financial remuneration from a third party for making communications about a drug or biologic currently prescribed to an individual (i.e., the "refill reminder exception" to the marketing prohibition).  We previously discussed the new restrictions here.  In short, the new rules prohibit any financial remuneration above and beyond what is reasonable.  HHS indicated that reasonable remuneration would include the costs of labor, supplies, and postage to make the communication.  These restrictions appeared to prohibit a covered entity or business associate from earning a profit on these subsidized communications.

As we discussed earlier, these new restrictions were challenged in a lawsuit filed earlier this month by Adheris, Inc.  Since the filing of the complaint, HHS announced that it would promulgate additional guidance on the refill reminder exception.

HHS Guidance

The new guidance describes both the scope of communications that fall within the exception and what third party payments are considered “reasonable” under the statute and regulations for making such communications. 

What communications are included in the exception?

HHS explains that the following communications are permitted under the exception:

  • Refill reminders.
  • Communications about generic equivalents of a drug being prescribed.
  • Communications about a recently lapsed prescription (one that has lapsed within the last 90 calendar days).
  • Adherence communications encouraging individuals to take prescribed medicines as directed.
  • Where an individual is prescribed a self-administered drug, communications regarding all aspects of a drug delivery system.

Continue Reading HHS Issues Guidance on Refill Reminders under HIPAA

On July 11, the Department of Health and Human Services (HHS) announced that WellPoint, a managed care company, paid HHS $1.7 million to settle potential violations of the HIPAA Privacy and Security Rules. 

Like other recent enforcement actions, HHS initiated its investigation into WellPoint after the company provided notification of a breach of unsecured protected health information (PHI).  WellPoint’s breach report, submitted in June 2010, indicated that security weaknesses in an online application database had left the electronic PHI of approximately 612,402 individuals accessible to unauthorized individuals online. 

HHS’s investigation indicated that:

  • From October 2009 to March 2010, WellPoint did not adequately implement policies and procedures for authorizing access to electronic PHI in the online application consistent with the HIPAA Security Rule;
  • WellPoint did not perform a sufficient technical evaluation following a software upgrade related to authentication safeguards for the online application;
  • For the same five-month period, WellPoint did not implement technology to verify that persons or entities seeking access to the application were who they claimed to be; and
  • For that same period, WellPoint impermissibly disclosed the electronic PHI (including names, dates of birth, Social Security numbers, and health information) of approximately 612,402 individuals whose information was maintained in the application.

Continue Reading HHS Announces $1.7 Million HIPAA Settlement With WellPoint

On June 11, the Department of Health and Human Services released an unofficial version of all of the HIPAA regulatory standards in one document.  The combined regulation text includes the following HIPAA standards:

  • Transactions and Code Set Standards
  • Identifier Standards
  • Privacy Rule
  • Security Rule
  • Enforcement Rule
  • Breach Notification Rule

The

Continue Reading HHS Releases Unofficial Set of Combined HIPAA Regulations

By Anna Kraus

The Department of Health and Human Services (HHS) announced on June 14 that it reached a settlement with Shasta Regional Medical Center (SRMC) in California over potential violations of the HIPAA Privacy Rule.  Under the settlement, SRMC agreed to pay $275,000 and implement a comprehensive corrective action plan (CAP).

HHS’s investigation was prompted by an article in the Los Angeles Times published in January 2012, which indicated that two of SRMC’s senior leaders met with the media to discuss the medical services provided to a particular patient without first obtaining a valid written authorization.  The investigation further revealed that:

  • SRMC impermissibly disclosed the patient’s protected health information to different media outlets on at least three occasions, without obtaining the patient’s authorization;
  • SRMC senior management sent an e-mail to the entire workforce that included details about the patient’s medical condition, diagnosis, and treatment; and
  • SRMC failed to sanction its workforce members for the impermissible disclosures pursuant to SRMC’s internal sanctions policy.

Continue Reading HHS Settles HIPAA Privacy Case With California Medical Center

This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final HITECH omnibus rule adopts a number of modifications to Subparts C and D of Part 160 (the HIPAA Enforcement Rule) to implement Section 13410 of the HITECH Act. Most significantly, the rule includes modifications to implement Section 13410(a) of the HITECH Act, which requires HHS to formally investigate a complaint if a preliminary investigation indicates a possible violation due to willful neglect, and to impose a civil money penalty for a violation due to willful neglect.

Continue Reading HITECH Update #12: HHS Modifies HIPAA Enforcement Provisions