HIPAA Privacy Rule

The beginning of 2017 has brought a number of HIPAA enforcement actions involving covered entities. These enforcement actions indicate that HHS is continuing recent efforts to step up HIPAA enforcement and levy significant penalties for non-compliance.

  • In January, HHS announced that it had reached a $475,000 settlement with a large health care network for failure to make timely breach notifications as required by the HIPAA Breach Notification Rule. This is the first settlement HHS has reached based on the untimely reporting or notification of a breach. HHS found that the network failed to notify HHS, the affected individuals, and the media within the required 60-day timeframe. Instead, the network made these notifications over 100 days after discovery of the breach. HHS found that the delay was a result of “miscommunications between . . . workforce members.” Under the regulation, each day on which the network failed to make the required notifications could be penalized as a separate violation of HIPAA.
  • In January, HHS announced a $2.2 million settlement with a health insurance company after the company filed a breach report indicating that a portable USB device, which contained the PHI of over 2,000 individuals, had been stolen. An HHS investigation found that the company had not conducted a risk analysis, as required by the HIPAA Security Rule, and had not implemented appropriate risk management to safeguard electronic PHI. Furthermore, the company lacked adequate encryption on its laptops and removable storage media.

Continue Reading HHS Announces More HIPAA Enforcement Actions

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services has been busy.  In addition to its recent efforts to begin audits of covered entities and business associates, OCR has announced a slew of enforcement actions against covered entities for alleged HIPAA violations.
Continue Reading OCR Steps Up HIPAA Enforcement Following Breaches of Protected Health Information

On January 6, as part of President Obama’s executive action to combat gun violence, HHS promulgated a final regulation modifying the HIPAA Privacy Rule to allow certain HIPAA covered entities to disclose limited information to the National Instant Criminal Background Check System (NICS).  We previously discussed the proposed rule here.

Background:  The NICS, maintained by the Federal Bureau of Investigation (FBI), is the national database used to conduct background checks on persons who may be disqualified from receiving firearms based on federal or state law.  Federal law identifies several categories of potential disqualifiers, known as “prohibitors,” including a federal mental health prohibitor.  By statute, the federal mental health prohibitor applies to individuals who have been committed to a mental institution or adjudicated as a mental defective.  The Department of Justice has promulgated regulations that define these categories to include the following individuals:

  • individuals committed to a mental institution for reasons such as mental illness or drug use;
  • individuals found incompetent to stand trial or not guilty by reason of insanity, or
  • individuals who have been otherwise determined by a court, board, commission, or other lawful authority to be a danger to themselves or others or to lack the mental capacity to contract or manage their own affairs as a result of marked subnormal intelligence or mental illness, incompetency, condition, or disease.

However, there is currently no federal law that requires state agencies to report data to the NICS, including the identity of individuals who are subject to the mental health prohibitor.  HHS believes that HIPAA poses a potential barrier to such reporting. Under current law, HIPAA only permits covered entities (e.g., state mental health agencies) to disclose such information to the NICS in limited circumstances: when the entity is a “hybrid” entity under HIPAA (and the Privacy Rule does not apply to these functions) or when state law otherwise requires disclosure, and thus disclosure is permitted under HIPAA’s “required by law” category.
Continue Reading HHS Issues Final Rule on HIPAA and Firearm Background Check Reporting

A small Denver pharmacy agreed to a $125,000 settlement with the U.S. Department of Health and Human Services (HHS) after HHS alleged that the pharmacy failed to dispose of paper records that contained patient information in accordance with HIPAA.

According to the Resolution Agreement, the HHS Office for Civil Rights (OCR) received a report from a local news station that the pharmacy disposed of paper records with protected health information (PHI) in a dumpster that was accessible to the public.  The Resolution Agreement also alleges that the pharmacy failed to implement written policies and procedures to comply with HIPAA and did not train its workforce on proper HIPAA protocols and procedures for handling PHI.
Continue Reading HIPAA Settlement Follows Unsecured Paper Records Disposal

On September 19, HHS released additional guidance on the “refill reminder exception” in HIPAA, which allows — in some circumstances — paid communications regarding a drug or biologic currently prescribed to a patient.

In January 2013, HHS finalized new restrictions on marketing as part of the final omnibus rule implementing changes to HIPAA under the HITECH Act.  The new rules modified how and when covered entities and business associates may receive financial remuneration from a third party for making communications about a drug or biologic currently prescribed to an individual (i.e., “the refill reminder exception” to the marketing prohibition).  We previously discussed the new restrictions here.  In short, the new rules prohibit any financial remuneration above and beyond what is reasonable.  HHS indicated that reasonable remuneration would include the costs of labor, supplies, and postage to make the communication.  These restrictions appeared to prohibit a covered entity or business associate from generating a profit by making these subsidized communications.

As we discussed earlier, these new restrictions were challenged in a lawsuit filed earlier this month by Adheris, Inc.  Since the filing of the complaint, HHS announced that it would promulgate additional guidance on the refill reminder exception.

HHS Guidance

The new guidance describes both the scope of communications that fall within the exception and what third party payments are considered “reasonable” under the statute and regulations for making such communications. 

What communications are included in the exception?

HHS explains that the following communications are permitted under the exception:

  • Refill reminders.
  • Communications about generic equivalents of a drug being prescribed.
  • Communications about a recently lapsed prescription (one that has lapsed within the last 90 calendar days).
  • Adherence communications encouraging individuals to take prescribed medicines as directed.
  • Where an individual is prescribed a self-administered drug, communications regarding all aspects of a drug delivery system.

Continue Reading HHS Issues Guidance on Refill Reminders under HIPAA

On July 11, the Department of Health and Human Services (HHS) announced that WellPoint, a managed care company, paid HHS $1.7 million to settle potential violations of the HIPAA Privacy and Security Rules. 

Like other recent enforcement actions, HHS initiated its investigation into WellPoint after the company provided notification of a breach of unsecured protected health information (PHI).  WellPoint’s breach report, submitted in June 2010, indicated that security weaknesses in an online application database had left the electronic PHI of approximately 612,402 individuals accessible to unauthorized individuals online. 

HHS’s investigation indicated that:

  • From October 2009 to March 2010, WellPoint did not adequately implement policies and procedures for authorizing access to electronic PHI in the online application consistent with the HIPAA Security Rule;
  • WellPoint did not perform a sufficient technical evaluation following a software upgrade related to authentication safeguards for the online application;
  • For the same five-month period, WellPoint did not implement technology to verify that persons or entities seeking access to the application were who they claimed to be; and
  • For that same period, WellPoint impermissibly disclosed the electronic PHI (including names, dates of birth, Social Security numbers, and health information) of approximately 612,402 individuals whose information was maintained in the application.

Continue Reading HHS Announces $1.7 Million HIPAA Settlement With WellPoint

On June 11, the Department of Health and Human Services released an unofficial version of all of the HIPAA regulatory standards in one document.  The combined regulation text includes the following HIPAA standards:

  • Transactions and Code Set Standards
  • Identifier Standards
  • Privacy Rule
  • Security Rule
  • Enforcement Rule
  • Breach Notification Rule

The document reflects the changes in

By Anna Kraus

The Department of Health and Human Services (HHS) announced on June 14 that it reached a settlement with Shasta Regional Medical Center (SRMC) in California over potential violations of the HIPAA Privacy Rule.  Under the settlement, SRMC agreed to pay $275,000 and implement a comprehensive corrective action plan (CAP).

HHS’s investigation was prompted by an article in the Los Angeles Times published in January 2012, which indicated that two of SRMC’s senior leaders met with the media to discuss the medical services provided to a particular patient without first obtaining a valid written authorization.  The investigation further revealed that:

  • SRMC impermissibly disclosed the patient’s protected health information to different media outlets on at least three occasions, without obtaining the patient’s authorization;
  • SRMC senior management sent an e-mail to the entire workforce that included details about the patient’s medical condition, diagnosis, and treatment; and
  • SRMC failed to sanction its workforce members for the impermissible disclosures pursuant to SRMC’s internal sanctions policy.

Continue Reading HHS Settles HIPAA Privacy Case With California Medical Center

This post is part of our series on key aspects of the final HITECH omnibus rule published by the U.S. Department of Health and Human Services (HHS) in the Federal Register on January 25, 2013. Previous posts are available here. The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final rule implements Section 13405(d) of the HITECH Act, which generally prohibits a covered entity or a business associate from engaging in a “sale” of an individual’s PHI without authorization.

Definition of Sale of PHI.  In response to requests from commenters, HHS amended its proposed rule to provide a definition of “sale of PHI.”  Section 164.502(a)(5)(ii)(B)(1) defines “sale of PHI” to mean a disclosure of PHI when the covered entity or business associate “directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI.”  HHS expressly refused to limit this definition to instances where there is a transfer of ownership of PHI.  Furthermore, HHS included a broad interpretation of “remuneration.”  In contrast to the marketing provision where remuneration must be financial, HHS will consider nonfinancial benefits received in exchange for PHI as falling within the scope of the rule.

However, payments a covered entity may receive in the form of grants, contracts, or other arrangements to perform programs or activities using PHI (i.e., a research study) will not be considered sale of PHI because “any provision of PHI to the payer is a byproduct of the service being provided.”  Rather, a sale of PHI occurs when the covered entity or business associate is being compensated “primarily” for supplying PHI.

Continue Reading HITECH UPDATE #11: New Restrictions on “Sale” of Personal Health Information