Archive for the ‘HIPAA / HITECH Enforcement’ Category

Did You Know?

Posted: December 14, 2016 by RISC in Education, HIPAA / HITECH Enforcement, Tip of the Week

The Office for Civil Rights (OCR) has teamed up with the Office of the National Coordinator for Health Information Technology and created information to help you understand your rights under HIPAA.

Through the federal civil rights laws and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, OCR protects your fundamental nondiscrimination and health information privacy rights by:

  • Teaching health and social service workers about civil rights, health information privacy, and patient safety confidentiality laws
  • Educating communities about civil rights and health information privacy rights
  • Investigating civil rights, health information privacy, and patient safety confidentiality complaints to identify discrimination or violation of the law and take action to correct problems.

The Office of the National Coordinator for Health Information Technology (ONC) is at the forefront of the administration’s health IT efforts and is a resource to the entire health system to support the adoption of health information technology and the promotion of nationwide health information exchange to improve health care. ONC is organizationally located within the Office of the Secretary for the U.S. Department of Health and Human Services (HHS).

ONC is the principal federal entity charged with coordination of nationwide efforts to implement and use the most advanced health information technology and the electronic exchange of health information. The position of National Coordinator was created in 2004, through an Executive Order, and legislatively mandated in the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009.

For more information visit: www.HHS.gov and www.healthit.gov/

Fast Facts for Covered Entities (CEs)

The Privacy Rule provides federal protections for personal health information held by covered entities, and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.

The Privacy Rule does not require you to obtain a signed consent form before sharing information for treatment purposes. Health care providers can freely share information for treatment purposes without a signed patient authorization.

The Privacy Rule does not require you to eliminate all incidental disclosures. The Privacy Rule recognizes that it is not practicable to eliminate all risk of incidental disclosures. In August 2002, specific modifications to the Rule were adopted to clarify that incidental disclosures do not violate the Privacy Rule when you have policies which reasonably safeguard and appropriately limit how protected health information is used and disclosed.

The Privacy Rule does not cut off all communications between you and the families and friends of patients. As long as the patient does not object, the Privacy Rule permits you to:

  • share needed information with family, friends, or anyone else a patient identifies as involved in his or her care;
  • disclose information when needed to notify a family member or anyone responsible for the patient’s care about the patient’s location or general condition;
  • share the appropriate information for these purposes even when the patient is incapacitated if doing so is in the best interest of the patient.

The Privacy Rule does not stop calls or visits to hospitals by family, friends, clergy or anyone else. Unless the patient objects, basic information such as phone number, room number and general condition can:

  • be listed in the hospital directory;
  • be given to people who call or visit and ask for the patient;
  • be given to clergy along with religious affiliation, when provided by the patient, even if the patient is not asked for by name.

The Privacy Rule does not prevent child abuse reporting. You may continue to report child abuse or neglect to appropriate government authorities.

The Privacy Rule is not anti-electronic. You can communicate with patients, providers, and others by e-mail, telephone, or facsimile, with the implementation of appropriate safeguards to protect patient privacy.

Source: Fast Facts for Covered Entities

Did You Know?

Posted: December 14, 2016 by RISC in Education, HIPAA / HITECH Enforcement, Tip of the Week

The Office for Civil Rights (OCR) has assessed the largest settlement amount to date against Advocate Health Care Network. Advocate agreed to pay $5.55 million to settle multiple potential violations of the HIPAA Security Rule.

The investigations that eventually led to the settlement were initiated in 2013 after three successive self-reported data breaches by Advocate. Two of the three were related to a Business Associate of Advocate. OCR stated, “This significant settlement, the largest to-date against a single entity, is a result of the extent and duration of the alleged noncompliance (dating back to the inception of the Security Rule in some instances), the involvement of the State Attorney General in a corresponding investigation, and the large number of individuals whose information was affected by Advocate, one of the largest health systems in the country.”

The press release, which includes a link to the settlement agreement, is at: http://www.hhs.gov/about/news/2016/08/04/advocate-health-care-settles-potential-hipaa-penalties-555-million.html. Note that the link from the press release to the source document, the settlement agreement itself, stopped functioning a few hours after the press release went out.

This settlement reinforces the importance of including all of an organization’s PHI in its risk analysis process, and of reviewing and including all Business Associates and Business Associate Agreements in that analysis.

Readers, please make sure you read all the way to the end, because this article points out a significant part of the Corrective Action Plan in this settlement and in the previous one.

March 17, 2016

From the HHS Press Office media@hhs.gov

Improper Disclosure of Research Participants’ Protected Health Information Results in $3.9 million HIPAA Settlement

Feinstein Institute for Medical Research agreed to pay the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) $3.9 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and will undertake a substantial corrective action plan to bring its operations into compliance. This case demonstrates OCR’s commitment to promoting the privacy and security protections so critical to build and maintain trust in health research. Feinstein is a biomedical research institute that is organized as a New York not-for-profit corporation and is sponsored by Northwell Health, Inc., formerly known as North Shore Long Island Jewish Health System, a large health system headquartered in Manhasset, New York that is comprised of twenty-one hospitals and over 450 patient facilities and physician practices.

OCR’s investigation began after Feinstein filed a breach report indicating that on September 2, 2012, a laptop computer containing the electronic protected health information (ePHI) of approximately 13,000 patients and research participants was stolen from an employee’s car. The ePHI stored in the laptop included the names of research participants, dates of birth, addresses, Social Security numbers, diagnoses, laboratory results, medications, and medical information relating to potential participation in a research study.

OCR’s investigation discovered that Feinstein’s security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity. Further, Feinstein lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities. For electronic equipment procured outside of Feinstein’s standard acquisition process, Feinstein failed to implement proper mechanisms for safeguarding ePHI as required by the Security Rule.

“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” said OCR Director Jocelyn Samuels. “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”

The resolution agreement may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/Feinstein/index.html

A notable and consistent theme present in the Corrective Action Plan (Appendix A) of both of the recent settlement agreements is the following section: “As a part of this process, [ENTITY] shall develop a complete inventory of all electronic equipment, data systems, and applications that contain or store [ENTITY] ePHI, including personally owned devices, if any, which will then be incorporated in its risk analysis.” This is of significant note for two reasons:

  1. As consultants in the performance of risk analysis activities, we have seen that an accurate inventory of data, systems, and applications is a unicorn. It is both a beautiful thing and non-existent.
  2. The requirement of the CAP includes personally owned devices, which will then be incorporated into the risk analysis. Wow! This is a huge scope change for a risk analysis, and requires physicians, APNs, therapists, executives, and others to allow their devices’ security to be assessed.

Hopefully OCR will offer some clarification on this point, either in presentations or through other methods, as this small phrase in one sentence has huge implications!

Sponsored by: RISC Management and Consulting, LLC http://www.riscsecurity.com/

Appendix A

Corrective Action Plan Between The Department Of Health And Human Services And The Feinstein Institute For Medical Research may be found on the OCR website at http://www.hhs.gov/sites/default/files/FIMR%20Resolution%20Agreement%20and%20Corrective%20Action%20Plan.pdf