Privacy Rule

OCR Announces Another HIPAA Settlement and Warns Not to Forget About Paper Records

Posted by Gregory M. Fliszar on May 04, 2015
HHS, HIPAA, OCR / No Comments

On April 27, 2015, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that Cornell Prescription Pharmacy (“Cornell Pharmacy”) had entered into a resolution agreement to settle, without an admission of liability or wrongdoing, potential HIPAA violations. As part of the resolution agreement Cornell Pharmacy will pay $125,000 and enter into a two-year corrective action plan (“CAP”) focused on correcting the alleged deficiencies in its HIPAA compliance program.

Cornell Pharmacy is a small, single store pharmacy located in Denver, Colorado that specializes in compound medications and providing services for local hospice agencies. OCR began an investigation into the pharmacy after it received a media report from a Denver news agency that protected health information (“PHI”) belonging to Cornell Pharmacy was apparently disposed of and found in an unlocked, publically accessible dumpster. The documents were not shredded and contained the PHI of approximately 1,610 of Cornell Pharmacy’s patients.   After conducting its investigation, OCR concluded that Cornell Pharmacy failed to implement any written policies and procedures as required by HIPAA’s Privacy Rule, and further failed to provide training on the Privacy Rule to its workforce members.

This settlement is instructive as OCR again highlights the importance of having updated and comprehensive HIPAA policies and procedures in place, including policies on the proper disposal of PHI, and on training all staff on those policies and procedures.   Further, in this year of massive cyber-attacks and other breaches of electronic data, this HIPAA settlement serves to remind covered entities and business associates not to forget about protecting their paper records as well.   As stated by OCR in its press release, “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.” As discovered by Cornell Pharmacy, a breach or other improper disclosure of paper PHI can also result in significant consequences.

For further information please contact the author, Gregory M. Fliszar (Philadelphia, PA), or other members of Cozen O’Connor’s healthcare team.

Gregory M. Fliszar

Gregory M. Fliszar

Greg Fliszar is member in the firm’s Health Law Group. Greg’s practice focuses on health law litigation and regulatory and compliance matters, as well as compliance with the Medicare Secondary Payer Act and HIPAA. Greg is also a licensed doctoral level clinical psychologist and was a clinical instructor of psychiatry at the MCP-Hahnemann School of Medicine.

More Posts - Website

Tags: , , , , , , , , , , , ,

OCR Publishes Bulletin Regarding Privacy in Light of Ebola Outbreak

Posted by J. Nicole Martin on November 18, 2014
CDC, HHS, OCR / No Comments

In response to the recent Ebola outbreak in West Africa and in light of patients being treated in several hospitals in the U.S., the HHS, OCR (OCR) recently issued a HIPAA Bulletin to remind us that HIPAA covered entities and business associates must maintain the privacy of protected health information (PHI) even in emergency situations (“Guidance”). According to the OCR, the Guidance serves as a reminder “that the protections of the [HIPAA] Privacy Rule are not set aside during an emergency.”

The OCR explains that the HIPAA Privacy Rule requires a balance between the protection of the privacy of PHI against the necessary uses and disclosures of such information “to treat a patient, to protect the nation’s public health, and for other critical purposes” during emergency situations.  Although the OCR introduces no new requirements under the HIPAA Privacy Rule, the Guidance lays out the circumstances under which patient information may be shared in emergencies, such as for/due to:

  •  Disclosures to Family, Friends, and Others Involved in an Individual’s Care and for Notification
  • Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification
  • Imminent Danger
  • Public Health Activities (i.e., to a public health authority; at the direction of a public health authority, to a foreign government agency; and to persons at risk)
  • Treatment

The OCR reminds us that most disclosures require covered entities to make “reasonable efforts to limit the information disclosed to that which is the ‘minimum necessary.’” Further, covered entities are also required to: (i) implement “reasonable” safeguards necessary to protect PHI from intentional/unintentional uses and disclosures that are impermissible under HIPAA; and (ii) continue to apply administrative, physical and technical safeguards to protect e-PHI under the HIPAA Security Rule.

Further, according to the OCR, under the Project Bioshield Act of 2004 and Section 1135(b)(7) of the Social Security Act, the Secretary of HHS may waive certain HIPAA Privacy Rule provisions during public health or other emergencies. Such limited waivers require both the President to declare an emergency or disaster and the Secretary of HHS to declare a public health emergency. Additional information regarding the limited waivers appears in the Guidance.

As Ebola remains an emergency of both national and international concern, it not surprising that federal agencies continue to publish updated Ebola guidance. This Guidance reminds all of us, especially covered entities and business associates, that even in emergency situations, patient privacy must be protected, unless the limited waiver is invoked, and if not, covered entities and business associates will face consequences for violating the HIPAA Privacy Rule. For additional information regarding the HIPAA Privacy Rule in the context of emergency situations, see the HHS website.  Also see similar guidance (Bulletin and Bulletin  published by HHS in 2005 in response to Hurricane Katrina.

 

J. Nicole Martin

J. Nicole Martin

J. Nicole Martin is an associate and practices in the Health Care Practice Group. Nicole assists accountable care organizations, health care systems, long term care providers, behavioral and mental health providers, medical device manufacturers, physician practices and pharmacies with their compliance, regulatory and transactional needs. Nicole’s practice includes providing clients with counsel regarding HIPAA/HITECH and state privacy and security laws, data breaches, business associate and covered entity obligations, licensure laws, Medicare, Medicaid and third-party payer matters, medical staff issues, and fraud and abuse laws. Nicole also represents clients undergoing changes of ownership and changes of control, and assists them with the transactional, regulatory and compliance requirements necessary to finalize the transactions.

More Posts - Website

Tags: , , , , , , , , , , , ,

“LoProCo”, 12,915 Complaints, and Other Lessons from OCR/NIST

Posted by Ryan Blaney on September 26, 2014
ACA, CMS, HHS, HIPAA, HITECH, Privacy / No Comments

 

12,915 complaints were reported in 2013 to the Department of Health and Human Services Office of Civil Rights (“OCR”) according to Illiana L. Peters, Senior Adviser for HIPAA Compliance and Enforcement.  Cozen O’Connor attended Ms. Peters’ presentation at the Safeguarding Health Information: Building Assurance through HIPAA Security conference on September 22-23, 2014.  The conference was hosted jointly by OCR and the National Institute of Standards and Technology (“NIST”).  Below are a few discussion points worth mentioning from the conference:

  • Between September 2009 and August 31, 2014, OCR investigated 1176 reports involving breach of Protected Health Information (“PHI”) where more than 500 individuals were affected and approximately 122,000 reports affecting less than 500 individuals.
  • According to Ms. Peters, 60% of the large breaches could have been prevented by encrypting the covered entities and business associates’ laptops and mobile devices.
  • Theft and loss continues to be the most common cause of breaches but OCR expects that IT hacking will continue to rise as a significant breach risk.
  • Since 2009, consumer complaints regarding HIPAA violations continue to rise.
  • Covered entities and business associates should already have in place business associate agreements that have been updated for the Omnibus Rule.
  • Business associates must comply with all of the HIPAA Security Rules applicable to covered entities, “PERIOD.”
  • Given the known risks of hacking, theft and loss and the direct guidance from OCR, covered entities and business associates must recognize that inadequate security, inadequate physical and technical safeguards is not acceptable.
  • OCR expects that covered entities and business associates will be familiar with recent corrective actions, resolution agreements such as Parkview, NYP/Columbia, Concentra, QCA, Skaget County, Adult & Pediatric Dermatology, P.C., and Affinity Health Plan, Inc.

Continue reading…

Ryan Blaney

Ryan Blaney

Ryan Blaney joined Cozen O'Connor as a member of the firm's Health Law group. Ryan practices in the firm's Washington, D.C., office. He focuses his practice on representing clients in the health care and life sciences industries in a wide range of matters, including health care fraud and abuse, civil and criminal government investigations, qui tam and whistle-blower disputes under the False Claims Act and other federal and state laws and regulations, HIPAA privacy and data security, compliance and transactional services, and antitrust matters.

More Posts - Website

Tags: , , , , , , , , ,

Recent OCR Reports Illustrate Past and Future Compliance and Enforcement Efforts

Posted by Ryan Blaney on July 29, 2014
HIPAA, HITECH / No Comments

Daily news stories about data breaches and enforcement actions seem to be the new norm, so it’s no surprise that people may start to believe that hackers have won the war and that no personal health information is safe. But exactly how many breaches have been reported in the last several years? And were the breaches the result of nefarious plots or just plain incompetence? About how many HIPAA investigations has the government actually launched?

Rest assured, Congress has been asking similar questions as well. The HITECH Act requires the Department of Health and Human Services Office for Civil Rights (OCR) to submit annual reports to Congress that provide contextualized information about incident rates and government action; OCR published its most recent two reports on Breaches of Unsecured Protected Health Information (Breach Report) and HIPAA Privacy, Security, and Breach Notification Rule Compliance (HIPAA Compliance Report).  In addition to including cumulative data, the reports cover relevant activities that occurred between January 1, 2011, and December 31, 2012. Continue reading…

Ryan Blaney

Ryan Blaney

Ryan Blaney joined Cozen O'Connor as a member of the firm's Health Law group. Ryan practices in the firm's Washington, D.C., office. He focuses his practice on representing clients in the health care and life sciences industries in a wide range of matters, including health care fraud and abuse, civil and criminal government investigations, qui tam and whistle-blower disputes under the False Claims Act and other federal and state laws and regulations, HIPAA privacy and data security, compliance and transactional services, and antitrust matters.

More Posts - Website

Tags: , , , , , , , ,

Highlights of the Omnibus HIPAA/HITECH Final Rule

Posted by Kate Layman on March 12, 2013
Affordable Care Act, HIPAA, HITECH / No Comments

On January 25, 2013, the Office of Civil Rights (OCR) of the Department of Health & Human Services (HHS) published the long-awaited omnibus final regulation governing health data privacy, security and enforcement (Omnibus Rule).[i]  The Omnibus Rule is a group of regulations that finalizes four sets of proposed or interim final rules, including changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act[ii] and proposed in 2010;[iii] changes to the interim final breach notification rule;[iv] modifications to the interim final enforcement rule; and implementation of changes to the Genetic Information Nondiscrimination Act of 2008 (GINA).  The Omnibus Rule goes into effect on March 26, 2013, and compliance is required by September 23, 2013.  As expected, the Omnibus Rule did not finalize the May 31, 2011 proposed regulation regarding accounting for disclosures. Continue reading…

Kate Layman

Kate Layman

Kate Layman is a member of the firm and practices in the Health Law Group. Her practice includes compliance and regulatory advice, often in connection with ongoing litigation or transactions. Kate has significant experience in HIPAA and related privacy issues as well as application of the Medicare Secondary Payer Act with respect to non-group health plans.

More Posts - Website

Tags: , , , , , ,