The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced another large HIPAA-related settlement last week with Memorial Hermann Health System (Memorial Hermann), the largest not-for-profit health system in southeast Texas. Memorial Hermann agreed to pay $2.4 million and to comply with a corrective action plan after publicly disclosing a patient’s name in the title of a press release regarding an incident at one of its clinics. In a week that has been filled with high-tech cybersecurity issues (see our recent blog posts on the WannaCry attack here and here), this settlement is a good reminder of HIPAA obligations unrelated to technology.
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently announced the first ever settlement related to a Covered Entity’s untimely breach notification in violation of HIPAA. Presence Health, a health care network in Illinois, discovered a breach of unsecured personal health information (PHI) on October 22, 2013. After reporting the breach to OCR over three months later on January 31, 2014, OCR determined that Presence Health failed to notify OCR, each of the affected individuals, and prominent media outlets of the breach without unreasonable delay and within 60 days of learning of the breach, as required of Covered Entities under HIPAA. The violation resulted in a $475,000 settlement between OCR and Presence Health.
Although National Cyber Security Month isn’t until October, September has brought plenty of privacy and security updates that health care companies need to be aware of. In this post, we review guidance from the Office for Civil Rights (OCR) on cyberattacks, describe new state breach notification laws, and highlight the upcoming NIST/OCR security conference. Continue Reading September Privacy and Security Updates
The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services has been busy lately, issuing three news releases on the HIPAA Privacy and Security Rules.
On February 24th, OCR published a crosswalk between the HIPAA Security Rule and the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework). The document outlines the safeguards required by the Security Rule and maps them to the applicable subcategory in the Cybersecurity Framework and other commonly used frameworks. The Security Rule does not require healthcare organizations to follow the Cybersecurity Framework, but OCR points out that many organizations already follow the Cybersecurity Framework and that the crosswalk can help organizations discover gaps in their security policies. OCR released the crosswalk less than a week after Hollywood Presbyterian reported that it paid hackers to end a malware attack on the hospital’s computer systems. Continue Reading Recent HIPAA Updates from OCR
Last Friday, the U.S. Department of Health and Human Services Office of the National Coordinator for Health IT (“ONC”) and the Office for Civil Rights (“OCR”) released two fact sheets regarding permitted uses and disclosures of protected health information (“PHI”) among health care providers and other entities covered by HIPAA. ONC and OCR developed these fact sheets after health care providers expressed confusion over if and when PHI can be shared without the patient’s prior written consent under the HIPAA Privacy Rule (the “Privacy Rule”). Additionally, as ONC has been actively pushing health care providers toward interoperability of electronic health recordkeeping systems, many view the lack of clarity and understanding around the Rules a hindrance to achieving this goal.
Written By: Kimberly Gold
With the September 23, 2013 compliance date for the HIPAA Omnibus Rule only one week away, the Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) have developed model Notices of Privacy Practices (“NPP”) to help health care providers and health plans ensure compliance with the HIPAA Privacy Rule and recent changes implemented under the Omnibus Rule.
It is crucial that covered entities update their NPPs no later than September 23, 2013. Health care providers must make the updated NPP available upon request and must have the revised NPP available at the practice location and posted in a clear and prominent location. Health plans must post the updated NPP on their website no later than September 23, 2013, and must distribute a summary of changes or copies of updated NPP in the next annual mailing.
The model NPP implements several new requirements, including the necessary statement of the uses and disclosures of protected health information (“PHI”) that require an authorization, including a statement that most uses and disclosures of psychotherapy notes and of PHI for marketing purposes and the sale of PHI require an authorization.
OCR and ONC created the model NPP in response to covered entities’ requests for additional guidance on how to create a clear, accessible notice that their patients or plan members can understand. The following models were created for use by health plans and health care providers:
- Notice in the form of a booklet;
- A layered notice that presents a summary of the information on the first page, followed by the full content on the following pages;
- A notice with the design elements found in the booklet, but formatted for full page presentation; and
- A text only version of the notice.
The agencies indicated that the models can serve as the baseline for covered entities working to come into compliance with the new requirements. While they may be a helpful baseline, it is important to remember that the NPPs must be tailored for each covered entity’s particular practices.
Understanding the complexities of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules is often a challenge for health care providers and consumers. Recognizing the widespread confusion surrounding the interpretation of the rules, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released new tools to educate providers and consumers about HIPAA. Continue Reading OCR Publishes HIPAA Guides for Providers and Consumers
Gun violence is a hot topic in the wake of the Newtown shootings and the aftermath of last week’s Boston Marathon bombings, and now health privacy has joined the debate.
Among President Obama’s 23 Executive Actions aimed at curbing gun violence across the nation is an initiative to improve the National Instant Criminal Background Check System (“NICS”) to “[a]ddress unnecessary legal barriers, particularly relating to the Health Insurance Portability and Accountability Act [HIPAA], that may prevent states from making information available to the background check system.”
The NICS maintains a database of individuals who are prohibited from possessing or receiving firearms, including individuals with specific mental health issues. Concerns have arisen that the HIPAA Privacy Rule’s restrictions on disclosure of protected health information may discourage some states from reporting information from mental health records to the NICS.
Recognizing this inconsistency and the dangers that may arise when information is not reported to the NICS, the Department of Health and Human Services Office for Civil Rights (“OCR”) issued an advance notice of proposed rulemaking to solicit public comments on barriers to reporting created by HIPAA and how to best address these barriers.
OCR is considering an express permission that would allow covered entities holding information relevant to the NICS to report this information, including certain mental health information, to the NICS. In developing an express permission, OCR may limit the disclosed information to the minimum data necessary for NICS purposes. The disclosure of an individual’s medical record or other clinical or diagnostic information would not be permitted.
“Through the public comment process, we will use the data and information provided by states, health providers, patient advocates and others to determine how best to remove unnecessary barriers to NICS reporting while protecting patient privacy,” said OCR Director Leon Rodriguez.
Comments can be submitted to http://www.regulations.gov/ and will be due 45 days following publication of the notice in the Federal Register, or approximately early June. Covered entities, members of law enforcement, state agencies, individuals, and consumer and advocacy groups should all consider commenting on this advance notice of proposed rulemaking.