HIPAA AUDITS COMING IN 2015

January 6, 2015 at 1:42 pm | Posted in Department of Public Health, ePHI, Health and Human Services, HIPAA

The Office of Civil Rights in the Department of Health and Human Services has announced that, among other entities such as healthcare providers, it will audit approximately 100 employer-sponsored health plans and 50 business associates in 2015. It is reported that:

  • Covered entities and business associates will have two weeks following receipt to respond to the initial data requests. OCR will not consider data submitted late.
  • OCR will conduct audits remotely through “desk audits.” Desk audits will be made using an updated audit protocol which OCR has not yet made available.
  • Audit participants will not have an opportunity to provide clarifications or supplemental information after responding to the initial data request.

Within 60 days following their submissions, audit participants will be presented with a draft version of OCR’s final report for review prior to publication. If your health plan has access to an employee’s protected health information (PHI), at a minimum, the following should be done:

  • Adopt written HIPAA policies and procedures addressing the HIPAA privacy, security, and breach notification rules;
  • Designate a HIPAA privacy official and a HIPAA security official;
  • Conduct a detailed analysis of the risks and vulnerabilities of electronic PHI;
  • Train those members of your workforce who have access to PHI;
  • Identify any HIPAA Business Associates, make sure you have a HIPAA Business Associate agreement with each of them, and alert them to your expectations regarding the safekeeping of your plan’s PHI.

HHS Provides Guidance on HIPAA Privacy Rule and Same Sex Marriages

September 18, 2014 at 8:57 am | Posted in Defense of Marriage Act (DOMA), HIPAA, Marriage, Same Sex Marriage

On September 17th HHS formally announced that, in light of the Supreme Court’s decision in United States v. Windsor, HIPAA privacy protection rights and privileges were expanded to same-sex married couples regardless of where they live. The announcement follows:

The HIPAA Privacy Rule contains several provisions that recognize the integral role that family members, such as spouses, often play in a patient’s health care.  For example, the Privacy Rule allows covered entities to share information about the patient’s care with family members in various circumstances.  In addition, the Privacy Rule provides protections against the use of genetic information about an individual, which includes certain information about family members of the individual, for underwriting purposes.  This guidance addresses the effect of the 2013 Supreme Court decision regarding the Defense of Marriage Act (DOMA) on these provisions.

In United States v. Windsor, the Supreme Court held section 3 of DOMA to be unconstitutional. Section 3 of DOMA had provided that federal law would recognize only opposite-sex marriages.  In light of the Windsor ruling, covered entities (and business associates, as applicable) must consider the following regarding lawfully married same-sex spouses and same-sex marriage.

At 45 CFR 160.103, the Privacy Rule includes the terms spouse and marriage in the definition of family member.  Consistent with the Windsor decision, the term spouse includes individuals who are in a legally valid same-sex marriage sanctioned by a state, territory, or foreign jurisdiction (as long as, as to marriages performed in a foreign jurisdiction, a U.S. jurisdiction would also recognize the marriage).  The term marriage includes both same-sex and opposite-sex marriages, and family member includes dependents of those marriages.  All of these terms apply to individuals who are legally married, whether or not they live or receive services in a jurisdiction that recognizes their marriage.

  • The definition of a family member is relevant to the application of §164.510(b) Standard: Uses and disclosures for involvement in the individual’s care and notification purposes.  Under certain circumstances, covered entities are permitted to share an individual’s protected health information with a family member of the individual.  Legally married same-sex spouses, regardless of where they live, are family members for the purposes of applying this provision.
  • The definition of a family member is also relevant to the application of §164.502(a)(5)(i), Use and disclosure of genetic information for underwriting purposes.  This provision prohibits health plans, other than issuers of long-term care policies, from using or disclosing genetic information for underwriting purposes. For example, such plans may not use information regarding the genetic tests of a family member of the individual, or the manifestation of a disease or disorder in a family member of the individual, in making underwriting decisions about the individual.  This includes the genetic tests of a same-sex spouse of the individual, or the manifestation of a disease or disorder in the same-sex spouse of the individual.

This guidance was developed to assist covered entities in understanding how the Windsor decision may affect certain of their Privacy Rule obligations.  In the coming months, the Office of Civil Rights (OCR) intends to issue additional clarifications through guidance or to initiate rulemaking to address same-sex spouses as personal representatives under the Privacy Rule.

HHS Releases Report on HIPAA Security, Breach Notification and Enforcement

June 12, 2014 at 9:16 am | Posted in Health and Human Services, HIPAA

Earlier this week the Office of Civil Rights for HHS submitted to Congress its most recent reports on HIPAA security, breach notification and enforcement. Regarding “lessons learned”, the following summary from the compliance report underscores, for health plans and for those responsible for securing PHI, the steps they need to take:

  • Risk Analysis and Risk Management. Ensure the organization’s security risk analysis and risk management plan are thorough, having identified and addressed the potential risks and vulnerabilities to all ePHI in the environment, regardless of location or media. This includes, for example, ePHI on computer hard drives, digital copiers and other equipment with hard drives, USB drives, laptop computers, mobile phones, and other portable devices, and ePHI transmitted across networks.
  • Security Evaluation. Conduct a security evaluation when there are operational changes, such as facility or office moves or renovations that could affect the security of PHI, and ensure that appropriate physical and technical safeguards remain in place during the changes to protect the information when stored or when in transit from one location to another. In addition, conduct appropriate technical evaluations where there are technical upgrades for software, hardware, and websites or other changes to information systems to ensure PHI will not be at risk when the changes are implemented.
  • Security and Control of Portable Electronic Devices. Ensure PHI that is stored and transported on portable electronic devices is properly safeguarded, including through encryption where appropriate. Have clear policies and procedures that govern the receipt and removal of portable electronic devices and media containing PHI from a facility, as well as that provide how such devices and the information on them should be secured when off-site.
  • Proper Disposal. Implement clear policies and procedures for the proper disposal of PHI in all forms. For electronic devices and equipment that store PHI, ensure the device or equipment is purged or wiped thoroughly before it is recycled, discarded, or transferred to a third-party, such as a leasing agent.
  • Physical Access Controls. Ensure physical safeguards are in place to limit access to facilities and workstations that maintain PHI.
  • Training. Ensure employees are trained on the organization’s privacy and security policies and procedures, including the appropriate uses and disclosures of PHI, and the safeguards that should be implemented to protect the information from improper uses and disclosures; and ensure employees are aware of the sanctions and other consequences for failure to follow the organization’s policies and procedures.

Copies of the HHS HIPAA reports can be found here:

2011 – 2012 Report to Congress on the Breach Notification Program

Report to Congress on Privacy Rule and Security Rule Compliance

Failure to Secure PHI and Two Stolen Laptops Results in $1,975,220 in HIPAA Violation Fines

April 23, 2014 at 1:25 pm | Posted in Compliance, ePHI, Health and Human Services, HIPAA, Regulations

The HHS Office of Civil Rights (OCR) announced that it has levied $1,975,220 in HIPAA fines against Concentra Health Services and QCA Health Plan Inc. for their failure to encrypt PHI stored on two laptops that were stolen.

Both Concentra and QCA, which self-reported the stolen laptops, had undergone a HIPAA risk analysis and were aware of the risk, but did nothing to secure the PHI stored on the laptops. The Concentra laptop was stolen from an employee’s office. The QCA laptop was stolen from an employee’s car. Concentra was fined $1,725,220 and QCA was fined $250,000.

“Covered entities and business associates must understand that mobile device security is their obligation,” said Susan McAndrew, OCR’s deputy director of health information privacy. “Our message to these organizations is simple: encryption is your best defense against these incidents.”

A copy of the HHS OCR press release is here:
http://www.hhs.gov/news/press/2014pres/04/20140422b.html

HHS Announces New Round of 2014 HIPAA Compliance Audits: Are You Ready?

March 25, 2014 at 9:18 am | Posted in Compliance, Federal Laws, Health and Human Services, Health Care, HIPAA, Medical, Regulations

Last month, the HHS Office of Civil Rights (OCR) announced that there will be a more vigorous HIPAA audit effort in 2014 of HIPAA covered entities, including health plans, and their business associates. Speaking at a February 24th health care technology conference, Susan McAndrew, OCR deputy director for health information privacy, said: “Hopefully in coming months you’ll see actual activity that will start up on the audit process.” OCR soon will launch a survey of 1,200 organizations as a first step toward selecting those to be audited. McAndrew also stated that the organizations to be surveyed were selected from “a large database,” and that the survey seeks to verify whether the entity is a suitable candidate for a HIPAA audit.

In a February 24th notice published in the Federal Register, OCR announced that it will survey “up to 1,200 HIPAA covered entities, including health plans, healthcare clearinghouses and certain healthcare providers, and business associates, to determine suitability for the OCR HIPAA audit program.” According to the notice, the survey “will gather information about respondents to enable OCR to assess the size, complexity and fitness of a respondent for an audit.” An OCR spokesperson says the survey will target approximately 800 covered entities and 400 business associates.

If you have not done so already, at a minimum, a plan sponsor should start to self-assess: (1) whether it is a HIPAA covered entity; (2) whether it receives protected health information (PHI); and (3) assuming it receives PHI, whether it has taken timely and reasonable steps to secure the PHI in a manner consistent with HIPAA’s regulations.

Dermatology Clinic Pays $150,000 HIPAA Fine for Lost Thumb Drive with Unencrypted Patient Information

December 30, 2013 at 10:26 am | Posted in Compliance, ePHI, Federal Laws, Health and Human Services, Health Care, HIPAA, Regulations

The HHS Office of Civil Rights (OCR) reports that a Concord, MA, dermatology clinic has agreed to pay a $150,000 fine as a settlement of alleged violations of HIPAA privacy, security, and breach notification provisions. OCR announced that: “This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA).” The clinic lost, and never recovered, an unencrypted thumb drive containing protected health information for approximately 2,200 patients.

The OCR investigation concluded that the clinic did not (1) conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process; or (2) fully comply with the breach notification rule’s requirements to have written policies and procedures in place and to train workforce members. In addition to paying the $150,000 fine, the clinic also agreed to create a corrective action plan consisting of risk analysis and risk management components to address and mitigate any additional potential security risks and vulnerabilities.

The resolution agreement and press release can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-agreement.html

HHS Announces $400,000 Settlement for HIPAA Violations Relating to Protected Health Information

May 22, 2013 at 1:42 pm | Posted in Federal Laws, Health and Human Services, HIPAA, Regulations

Idaho State University (ISU) has agreed to pay $400,000 to the U.S. Department of Health and Human Services (HHS) for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement involves the breach of unsecured electronic protected health information (ePHI) of 17,500 individuals who were patients at an ISU clinic.

The Office for Civil Rights (OCR) opened its investigation after ISU notified HHS that the ePHI of approximately 17,500 individuals was accessible at its Pocatello Family Medicine Clinic because an ISU server firewall was disabled. OCR investigators found that ISU did not apply proper security measures and policies to address risks to ePHI and did not have procedures in place for routine review of information system activity, which could have detected the breach in the firewall much sooner. Overall, ISU failed to ensure the uniform implementation of required Security Rule protections at each of its covered clinics.

The press release can be found on the HHS News page at http://www.hhs.gov/news/ and the Resolution Agreement can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/isu-agreement.html
