HIPAA Breach: Who You Gonna Call?

Everyone knows that you call a plumber for a leaking pipe, a mason for a cracked stonewall, and an electrician to fix faulty wiring. However, when faced with an actual or suspected HIPAA data breach, many folks struggle with determining whom to call. Failure to have contacts lined up ahead of time may pose more than an inconvenience–any delay in bringing in experienced advisors to assist with breach investigation, response and mitigation may result in significant financial and legal consequences. HIPAA covered entities and business associates should have a written breach response policy and protocol. The policy and protocol should provide clear guidance to the covered entity’s or business associate’s…

READ MORE

Categories HIPAA LawTags , , 2 Comments

Can I Be Sued for a HIPAA Violation?

I am asked that question almost weekly. While the answer has traditionally been “no,” the legal landscape is shifting and the risk of being sued continues to increase. Let’s first start with some background. As some of you may know, HIPAA does not include a “private right of action.” This means that an individual may not file a claim against a covered entity or a business associate in order to enforce HIPAA or seek damages in response to a HIPAA violation. For example, a patient is not able to sue a dentist if the dentist fails to distribute a Notice of Privacy Practices or enter into a business associate agreement….

READ MORE

Categories HIPAA LawTags , , 4 Comments

Business Associate Agreements – a First Look at Indemnification

A party’s responsibilities under HIPAA generally come from two sources – the law itself and the business associate agreement entered into between the covered entity (the health care provider or health plan) and the business associate (its vendor). While all parts of a business associate agreement are important, there are certain terms that are most likely to affect the parties’ liability and obligations. One of these key terms is , and it is often the section of the business associate agreement that lawyers most often fight over. Folks often wonder why lawyers tend to focus so much on this section, and the short answer is that when things go wrong–such…

READ MORE

Categories HIPAA LawTags , Leave a comment

Gmail, Google Apps for Business HIPAA Business Associate Agreements

The Health Insurance Portability and Accountability of Act demands that all HIPAA covered businesses prevent unauthorized access to “Protected Health Information” or PHI. PHI includes patients’ names, addresses, and all information pertaining to the patients’ health and payment records. According to the Department of Health and Human Services, “HIPAA Rules apply to covered entities and business associates.” Complete compliance with HIPAA guidelines requires implementation of basic and advanced security measures. Basic security includes benchmark-based password creation and use, personnel education and training, limited access to PHI, data encryption, use of firewalls, antivirus software, and digital signatures. With increasing adoption of electronic medical records and cloud-based software-as-service (SaaS), advanced security measures are…

READ MORE

Categories HIPAA LawTags , , , , 1 Comment

The Reality of HIPAA Violations and Enforcement

Who is ultimately responsible for enforcement of HIPAA and what types of penalties are levied when a covered entity or business associate is found to be non-compliant with the regulations? Many healthcare offices and their staff don’t know the answer to this question; they have only a vague notion about the enforcement and the consequences of not adhering to the law. The real HIPAA enforcement agency is the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Complaints are filed with the OCR, and they are responsible for administering, investigating and enforcing the HIPAA privacy standards. The Centers for Medicare & Medicaid (CMS) enforce the code…

READ MORE

Categories HIPAA LawTags , , , , , , 2 Comments

Five Steps to HIPAA Security Compliance

The health insurance portability and accountability act has set various guidelines, which should be adhered to by anyone who handles any electronic medical data. These guidelines stipulate that all medical practices must ensure that all necessary measures are in place while saving, accessing and sharing any electronic medical data to keep patient data secure . Lack of compliance to the HIPAA security standards could lead to large fines and in extreme cases even loss of medical licenses. Several steps can be followed by medical practices to ensure compliance to HIPAA standards. These steps include: Run a complete risk assessment of the medical practice Some medical practices adopted electronic health recording…

READ MORE

Categories HIPAA LawTags , , , , , Leave a comment

Dentists: Don’t Forget HIPAA Compliance

Since the inception of HIPAA in 1996, its broad implications have affected all areas of health care including dentistry. And, if asked, most dentists and their staff would say they know what the HIPAA regulations are, and yes, they have been trained, but are they really up to date with HIPAA’s ever expanding changes and compliance requirements?  Are they trained in the areas of HIPAA Security, Privacy, Enforcement and Breach Notification Rules and do they know that they must be in compliance with the 2013 HIPAA Omnibus Final Rule by September 23, 2013? Compared to the ever-growing size of medical practices today, most dental offices are still rather small with…

READ MORE

Categories HIPAA LawTags , , , , , , , Leave a comment

HHS Publishes Technical Corrections to January 25, 2013, HIPAA Privacy, Security, and Enforcement Rules

June 7, 2013.  Today, HHS published in the Federal Register “Technical Corrections to the HIPAA Privacy, Security, and Enforcement Rules” that were published on January 25, 2013, as the Final Rule: “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules.” According to the “Summary“ in today’s Corrections Final Rule:  “These technical corrections address certain inadvertent errors and omissions in the HIPAA Privacy, Security, and Enforcement Rules that are located at 45 CFR parts 160 and 164. The effective date of the Corrections Final…

READ MORE

Categories HIPAA LawTags , , , , , , , , , , , , , , , Leave a comment

HIPAA Final Rule: Today is Effective Date–Covered Entities and Business Associates Have 180 Days to Comply

March 26, 2013.  Today is the first big milestone since the January 25, 2013, publication in the Federal Register of the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules. Today is the effective date of the Final Rule, and covered entities and business associates must comply by September 23, 2013. “Significant rules (defined by Executive Order 12866) and major rules (defined by the Small Business Regulatory Enforcement Fairness Act) are required to have a 60 day delayed effective date,” which…

READ MORE

Categories HIPAA LawTags , , , Leave a comment

HIPAA Final Rule: Notice of Privacy Practices for Protected Health Information: Provision of Notice (2)

March 25, 2013.  Today, we continue going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013. We began a two-day examination of the modifications pertaining to 45 CFR 164.520:  Notice of Privacy Practices for Protected…

READ MORE

Categories HIPAA LawTags , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , Leave a comment