It is no secret that the Health Insurance Portability and Accountability Act (HIPAA) is a trap for the unwary. A recent study by the non-profit ProPublica has uncovered that the online review site Yelp (as well as other rating sites) is making it easier for covered entities to be ensnared. With the cooperation of Yelp and the use of analytical tools developed by NYU, ProPublica analyzed over 1.7 million Yelp reviews and identified over 3,500 one-star reviews in which patients mention privacy or HIPAA. ProPublica found that in dozens of instances, responses to patient complaints about care spiraled into disputes over patient privacy.

In one example, a chiropractor in California replied to a mother’s claim that he misdiagnosed her daughter with scoliosis, stating in his reply to her one-star review that “You brought your daughter in for the exam in early March 2014…The exam identified one or more of the signs I mentioned above for scoliosis. I absolutely recommended an x-ray to determine if this condition existed; this x-ray was at no additional cost to you.” HIPAA applies to covered entities, business associates and healthcare clearinghouses, and protects information that those entities maintain that is related to an individual’s past, present or future health condition, provided that there is a reasonable basis to believe the information can be used to identify the individual. Since Yelp reviews display the reviewer’s first name and the initial of their last name, it is reasonable to believe that the information in the chiropractor’s reply, which includes a discussion of a potential medical condition, could be used to identify the mother and in turn the daughter. (For purposes of HIPAA, it is irrelevant that the mother’s initial review already identified herself and her daughter.) A violation is even more likely when the response pertains to the reviewer and not a family member.

Covered Entities need to continue to check their inboxes for emails from the HHS Office for Civil Rights (“OCR”) requesting verification of contact information in connection with Phase 2 of the HIPAA Audit Program. OCR previously indicated that Covered Entities would begin to receive verification emails in May.  We understand that Covered Entities continue to receive emails requesting contact information verification this week.

Emails are sent from OSOCRAudit@hhs.gov and request a response from the entity verifying its information within five days.  A sample copy of the email is available from OCR’s website.  The receipt of an email requesting contact verification does not necessarily mean that an entity will ultimately be selected for an audit.  Covered Entities can begin to prepare for the next step in the audit process by reviewing OCR’s audit pre-screening questionnaire.

For the time being, Business Associates are not being contacted.  OCR will request a list of Business Associates from Covered Entities and plans to begin contacting Business Associates selected for audit this summer.  Business Associates should use this extra time to ensure that they are ready for an audit should they be selected.   OCR has provided a sample template for Covered Entities to use to list their Business Associates.

For further information on the Phase 2 Audits, please see our prior posts detailing the Phase 2 Audit program and discussing the audit protocol and other audit-related materials from OCR.  In order to assist covered entities and business associates with their HIPAA compliance efforts, we have repackaged the audit protocol into a more user-friendly format that can be downloaded here.

Earlier this month the Department of Health and Human Services Office for Civil Rights (OCR) released a revamped audit protocol that now addresses the requirements of the 2013 Omnibus Final Rule. OCR will be using the audit protocol for its impending Phase 2 audits of covered entities and business associates, which are set to begin next month.

The protocol covers the following subject areas:

  • Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
  • Security Rule requirements for administrative, physical, and technical safeguards.
  • Breach Notification Rule requirements.

On March 21st, the HHS Office for Civil Rights (“OCR”) officially launched Phase 2 of the HIPAA Audit Program. Covered Entities and Business Associates need to be prepared for these audits and be on the lookout for emails from OCR that will begin the audit process.

Why Audits? Why Now?

The Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”) requires OCR to periodically audit both Covered Entities and Business Associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules. OCR conducted Phase 1 audits in 2011 and 2012. The Phase 1 audits only examined Covered Entities and the results were generally disappointing. Only 11% of the entities audited had no findings or observations and many findings related to Security Rule compliance. After many delays, OCR is now proceeding with Phase 2.

What’s Happening This Time Around?

OCR will conduct both desk audits and on-site audits of Covered Entities and Business Associates. The first round of desk audits will be for Covered Entities, with a second round for Business Associates. Desk audits are supposed to be completed by December 2016. Entities selected for audits will be notified via email and will have 10 business days to submit requested information to OCR through an online portal. Auditors will share draft audit reports with audited entities, allowing them 10 business days to review the draft report. A final report will be shared with the entity.

For those entities subject to on-site audits, auditors will spend between three and five days on-site with the organization. OCR describes the on-site audits as “more comprehensive” and “covering a wider range of requirements from the HIPAA Rules.” Since OCR recently released guidance on patient rights to access their health information and on the fees that providers may charge for such access (previously covered by our blog here), access issues appear ripe for a broader audit.

Finally, audits that uncover serious issues may trigger an OCR compliance review in addition to the audit.

As we have repeatedly emphasized on this blog, HIPAA Covered Entities must ensure that they have compliant business associate agreements (“BAAs”) in place with all of their business associates and must ensure that they have performed a comprehensive risk assessment. A $1.55 million settlement between North Memorial Health Care of Minnesota (“NMHC”) and the Office for Civil Rights (“OCR”) announced this week emphasizes the seriousness of these requirements.

NMHC came under investigation by OCR after a September 2011 breach involving the theft of an unencrypted laptop from a business associate’s employee’s car. The laptop contained the electronic protected health information of nearly 10,000 individuals. The investigation uncovered that NMHC had not entered into a BAA with the business associate, Accretive Health, when it engaged Accretive in March 2011 and did not enter into a BAA until October 2011. During this interim period, Accretive had access to the protected health information of more than 250,000 individuals. Additionally, OCR found that NMHC had not conducted an accurate and thorough enterprise-wide risk analysis.

Recent enforcement actions by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) have highlighted that, not surprisingly, Covered Entities should not leave medical records in a physician’s driveway and should not dispose of protected health information (“PHI”) in a dumpster. From an action against a home health care provider announced yesterday, we can now add to that list the fact that PHI should not be stored under an employee’s bed or in a kitchen drawer.

Yesterday OCR announced a January 13, 2016 decision by an HHS Administrative Law Judge (“ALJ”) upholding the imposition of $239,800 in civil monetary penalties (“CMP”) against Lincare, Inc. (“Lincare”). Lincare is a home health care company that provides respiratory care, infusion therapy, and medical equipment from centers located throughout the United States. The enforcement action stems from a December 2008 complaint by the estranged husband of a Lincare employee. The husband reported to OCR that his wife, a center manager for a Lincare center in Arkansas, had moved out of the home they shared in August 2008. In November 2008, the husband found PHI of 278 Lincare patients in the home, specifically “under a bed and in a kitchen drawer.” Further investigation by OCR revealed that the employee continuously stored PHI in her car and in her home. The investigation also uncovered the fact that Lincare’s privacy policy did not include policies or instructions to employees for protecting PHI taken offsite or any type of logging system for tracking PHI taken offsite.

As the year winds down, we look back with a mixture of nostalgia and queasiness on the major Health Insurance Portability and Accountability Act (HIPAA) events that defined 2015. Incredibly large data breaches became disturbingly routine, calling into question the ability of insurers and providers to protect their increasingly large troves of sensitive health information. We also saw the release of an Office of Inspector General (OIG) report that was highly critical of the Federal government’s ability to effectively enforce HIPAA, followed almost immediately by signs of more aggressive enforcement from the Office for Civil Rights (OCR), perhaps in response. We waited for commencement of the second round of HITECH-mandated audits, but it never came. As regulated entities prepare for a new year of regulatory challenges, we review the highlights — and lowlights — of HIPAA 2015, and prepare for what’s to come in 2016.

As HIPAA-regulated entities anxiously await the commencement of the Phase II HIPAA audit program, the Office of the Inspector General (OIG) for the Department of Health and Human Services (HHS) has issued a report critical of the Office for Civil Rights’ (OCR) HIPAA enforcement performance, effectively giving OCR “something to prove.”

The report, released on September 28, 2015, examines whether OCR — the office within HHS charged with enforcing HIPAA — is sufficiently exercising its oversight responsibilities. The OIG specifically focused on whether OCR is sufficiently overseeing covered entities’ compliance with HIPAA’s Privacy Rule. The OIG found a number of areas where OCR’s oversight is lacking.

A tip from a local Denver news outlet led to a compliance review, investigation and ultimately a resolution agreement between the Department of Health and Human Services’ Office for Civil Rights (“OCR”) and Denver-based Cornell Prescription Pharmacy (“CPP”). On January 11, 2012, 9 News, the Denver NBC news affiliate, reported to OCR that certain patient information was being disposed of in a dumpster that was accessible to the public. The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is the primary Federal regulation governing the security and privacy of certain personally identifiable health information or “PHI.” Under HIPAA’s Privacy Rule, pharmacies such as CPP are required to implement appropriate administrative, technical and physical safeguards to protect the privacy of PHI, in any form. See 45 CFR 164.530(c). The disposal of paper records containing PHI in a publicly-accessible dumpster is, of course, unreasonable by any measure.

Just two days after receiving the report, OCR initiated a compliance review and investigation of CPP. OCR’s investigation found that CPP had failed to:

  1. reasonably safeguard their PHI, as required by the Privacy Rule;
  2. implement written policies and procedures to comply with the Privacy Rule; and
  3. document and train its workforce on its Privacy Rule policies and procedures.

Under the terms of the resolution agreement (a copy of which can be found here), CPP is required to pay HHS $125,000 and agree to a corrective action plan (“CAP”). CPP will not be required to admit wrongdoing under the terms of the resolution agreement. Under the CAP, CPP is required to develop written policies and procedures to comply with HIPAA, provide those policies and procedures to HHS by May 22, 2015, and implement said procedures within 30 days of receiving HHS’ final approval.  CPP is also required to produce an implementation report as well as annual reports for the next two years.

“Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons,” said OCR Director Jocelyn Samuels. “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.”

While not as easily transferable as its digital counterpart, the information in paper-based medical records remains extremely lucrative on the black market. It has been estimated that your medical data can fetch as much as 10 times the value of your credit card number. Understandably, health care providers and others covered by HIPAA will face increasing scrutiny given this lucrative black market as well as the recent high-profile breaches at various health insurance companies across the United States. Notwithstanding a recent delay, OCR is planning to conduct a new round of audits to prevent the situations discussed above. “We are committed to implementing a robust audit program,” Samuels said. “I can’t promise you the specific date, but it’s happening.” As OCR readies its Phase II audit program, regulated entities can be assured that NBC News and others will be watching for evidence of non-compliance.

Written by: Kate Stewart

A recently announced settlement between Anchorage Community Mental Health (“ACMHS”) and the U.S. Department of Health & Human Services Office for Civil Rights (“OCR”) emphasizes, once again, the importance of compliance with the Security Rule and keeping IT infrastructure up to date.  ACMHS, a five-facility nonprofit organization based in Anchorage, agreed to pay $150,000 and adopt a corrective action plan to address compliance with the HIPAA Security Rule. 

OCR began investigating ACMHS after ACMHS reported a breach of unsecured electronic protected health information (e-PHI) caused by malware involving 2,700 individuals in March 2012.  In its investigation, OCR concluded that ACMHS failed to conduct a thorough risk assessment, failed to implement Security Rule policies and procedures, and failed to implement technical security measures to protect e-PHI through the use of firewalls and regularly supported and updated software.  OCR’s bulletin announcing the settlement noted that though ACMHS had adopted sample Security Rule policies and procedures, it failed to follow those policies and procedures. 

OCR has repeatedly emphasized the importance of conducting risk assessments and continuing to update and revise risk assessments based on new threats.  This emphasis was a key takeaway from the September Joint OCR/NIST HIPAA Security Conference, which we previously profiled, and was highlighted by OCR’s release of a Security Risk Assessment Tool earlier this year.  The ACMHS settlement underscores that Security Rule compliance cannot be accomplished with a one-size-fits-all, “check the box” approach.  Instead, compliance requires entities to undertake a thorough and tailored risk assessment and to routinely assess new threats and vulnerabilities. 

The resolution agreement and a copy of the corrective action plan are available on OCR’s website.