In a statement released on April 24, 2017, the U.S. Department of Health and Human Services, Office of Civil Rights (OCR), has shown once again the level of expectations that exist for covered entities and business associates. As discussed below, OCR has shown that it will not limit its review to a particular alleged violation of the HIPAA Privacy and Security Rules, but rather will take an enterprise-wide view of the compliance efforts of covered entities and business associates.
In a statement released on April 12, 2017, the U.S. Department of Health and Human Services, Office of Civil Rights (OCR), has shown that it expects covered entities of all sizes to adhere to the HIPAA Privacy and Security Rules. While many of the fines levied by OCR in the past have involved large covered entities such as hospitals and health plans, OCR’s most recent enforcement action resulted in a $400,000 settlement to be paid by a federally qualified health center in Colorado.
Late in August of 2013, the Federal Trade Commission filed a complaint against medical testing company LabMD, Inc., alleging that the company failed to reasonably protect the security of consumers’ personal data, including medical information. In November of 2013, LabMD filed a Motion to Dismiss the complaint, arguing, among other things, that the FTC did not have the authority to regulate a private company’s data security practices as “unfair…acts or practices” under the FTC Act (15 U.S.C. §45(a)(1)). Included in LabMD’s argument was the contention that Congress, by enacting HIPAA, stripped the FTC of any authority over data security that it otherwise held under the FTC Act. The FTC Commissioners found LabMD’s arguments unpersuasive and, in a January 16, 2014 order, denied the Motion to Dismiss.
Health care providers and business associates should take heed that, while such enforcement has been rare, the FTC does have the authority to take action to protect consumers in data security matters that would normally be considered within the exclusive province of the Office of Civil Rights. HIPAA covered entities and business associates that handle patient information should remain vigilant in their efforts to maintain appropriate safeguards for patient information.
Board Certified in Health Law
On December 24, 2013, the HHS Office of Civil Rights (“OCR”) and Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts, entered into a Resolution Agreement whereby the practice agreed to settle potential violations of the HIPAA Privacy and Security Rules. The potential violations of HIPAA resulted from the theft of an unencrypted thumb drive, containing the ePHI of approximately 2,200 patients, from the car of a practice employee.
Upon being notified of the breach, OCR conducted an investigation and determined that the practice had failed to conduct an accurate and thorough analysis of the potential risks to ePHI in the care of the practice. OCR further determined that the practice did not have adequate written policies and procedures and did not adequately train employees.
The Resolution Agreement entered into between the practice and OCR requires the practice to make a $150,000.00 payment to OCR and to implement a corrective action plan. The Resolution Agreement is not an admission of liability by the practice.
A copy of the Resolution Agreement may be found at:
Physician practices should view this settlement as a clear indication that OCR expects compliance from all covered entities, not just large entities such as hospitals, universities and managed care entities. Physician practices that are not yet in compliance with the HIPAA Privacy and Security Rules should take the appropriate steps to come into compliance.
In an order issued on September 25, 2013, Judge Robert Hinkle of the United States District Court for the Northern District of Florida ruled that a 2013 legislative change to the presuit process for pursuing a medical-negligence claim is preempted by HIPAA.
In 2013, the Florida legislature added a new requirement to Florida’s medical-negligence presuit process whereby an individual who was considering pursuing a malpractice claim against a health care provider would be required to sign an authorization allowing the defendant or the defendant’s attorney to conduct ex parte interviews of the plaintiff’s other health care providers, limited to matters pertinent to the potential malpractice claim. The Court held, among other things, that the mandatory authorization requirement was contrary to both the judicial and administrative protections of HIPAA, which allow an individual to object to a disclosure of medical information, as well as to the authorization requirements of HIPAA. Speaking to the authorization issue, the Court stated that “An authorization signed under duress—a gun to the head, for example—is not valid.”
Case Information: Murphy v. Dulay, Case No. 4:13cv378-RH/CAS, Northern District of Florida
By: William Dillon, Board Certified in Health Law
With the September 23, 2013 HIPAA compliance deadline just days away, the Department of Health and Human Services, Office of Civil Rights has published guidance to assist covered entities in complying with the new requirements under the Omnibus Rule. Below is a link to the OCR guidance and Model Notice.
William Dillon, Board Certified in Health Law
On January 25, 2013, the Department of Health and Human Services issued a final rule modifying the HIPAA Privacy, Security and Enforcement Rules. The effective date of the final rule was March 26, 2013; however, covered entities and business associates have been given until September 23, 2013 to comply with the final rule. This Health Law update is the first in a series of updates discussing the new compliance requirements for covered entities and business associates.
On April 9, 2013, the United States Court of Appeals for the Eleventh Circuit issued an opinion regarding HIPAA preemption in the case of Opis Management Resources, LLC v. Florida Agency for Health Care Administration. Opis Management, an operator of skilled nursing facilities in Florida, was cited by the Agency for Health Care Administration (AHCA) for failing to provide medical records of deceased patients to spouses and attorneys-in-fact of the deceased patients. The AHCA citations were based on a violation of section 400.145(1), Fla. Stat., which requires facilities such as those operated by Opis to release the medical records of deceased patients to the spouse, guardian, surrogate, or attorney-in-fact of any such resident. Opis disputed the citations, arguing that the individuals requesting the patient records were not “personal representatives” under the relevant provisions of HIPAA.