Health care providers and health insurance companies are generally aware that when protected health information (“PHI”) is disclosed to a vendor, such as an attorney, consultant or cloud data storage firm, a business associate agreement is necessary to comply with HIPAA and to safeguard the information disclosed. However, not all vendors will be business associates, even when such vendors may have potential access to PHI, and health care providers and insurers often struggle with how to manage risks to PHI in these relationships. The following FAQs address these issues and my solutions for managing and mitigating risk in an efficient and cost-effective manner. Who are non-business associate vendors? Generally, a…
Categories Uncategorized15 Comments
HIPAA Breach: Who You Gonna Call?
Everyone knows that you call a plumber for a leaking pipe, a mason for a cracked stonewall, and an electrician to fix faulty wiring. However, when faced with an actual or suspected HIPAA data breach, many folks struggle with determining whom to call. Failure to have contacts lined up ahead of time may pose more than an inconvenience–any delay in bringing in experienced advisors to assist with breach investigation, response and mitigation may result in significant financial and legal consequences. HIPAA covered entities and business associates should have a written breach response policy and protocol. The policy and protocol should provide clear guidance to the covered entity’s or business associate’s…
Categories HIPAA Law32 Comments
Can I Be Sued for a HIPAA Violation?
I am asked that question almost weekly. While the answer has traditionally been “no,” the legal landscape is shifting and the risk of being sued continues to increase. Let’s first start with some background. As some of you may know, HIPAA does not include a “private right of action.” This means that an individual may not file a claim against a covered entity or a business associate in order to enforce HIPAA or seek damages in response to a HIPAA violation. For example, a patient is not able to sue a dentist if the dentist fails to distribute a Notice of Privacy Practices or enter into a business associate agreement….
Categories HIPAA Law121 Comments
Business Associate Agreements – a First Look at Indemnification
A party’s responsibilities under HIPAA generally come from two sources – the law itself and the business associate agreement entered into between the covered entity (the health care provider or health plan) and the business associate (its vendor). While all parts of a business associate agreement are important, there are certain terms that are most likely to affect the parties’ liability and obligations. One of these key terms is , and it is often the section of the business associate agreement that lawyers most often fight over. Folks often wonder why lawyers tend to focus so much on this section, and the short answer is that when things go wrong–such…
Categories HIPAA Law1 Comment
Gmail, Google Apps for Business HIPAA Business Associate Agreements
The Health Insurance Portability and Accountability of Act demands that all HIPAA covered businesses prevent unauthorized access to “Protected Health Information” or PHI. PHI includes patients’ names, addresses, and all information pertaining to the patients’ health and payment records. According to the Department of Health and Human Services, “HIPAA Rules apply to covered entities and business associates.” Complete compliance with HIPAA guidelines requires implementation of basic and advanced security measures. Basic security includes benchmark-based password creation and use, personnel education and training, limited access to PHI, data encryption, use of firewalls, antivirus software, and digital signatures. With increasing adoption of electronic medical records and cloud-based software-as-service (SaaS), advanced security measures are…
Categories HIPAA Law6 Comments
The Reality of HIPAA Violations and Enforcement
Who is ultimately responsible for enforcement of HIPAA and what types of penalties are levied when a covered entity or business associate is found to be non-compliant with the regulations? Many healthcare offices and their staff don’t know the answer to this question; they have only a vague notion about the enforcement and the consequences of not adhering to the law. The real HIPAA enforcement agency is the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Complaints are filed with the OCR, and they are responsible for administering, investigating and enforcing the HIPAA privacy standards. The Centers for Medicare & Medicaid (CMS) enforce the code…
Categories HIPAA Law68 Comments
Five Steps to HIPAA Security Compliance
The health insurance portability and accountability act has set various guidelines, which should be adhered to by anyone who handles any electronic medical data. These guidelines stipulate that all medical practices must ensure that all necessary measures are in place while saving, accessing and sharing any electronic medical data to keep patient data secure . Lack of compliance to the HIPAA security standards could lead to large fines and in extreme cases even loss of medical licenses. Several steps can be followed by medical practices to ensure compliance to HIPAA standards. These steps include: Run a complete risk assessment of the medical practice Some medical practices adopted electronic health recording…
Categories HIPAA Law2 Comments
Dentists: Don’t Forget HIPAA Compliance
Since the inception of HIPAA in 1996, its broad implications have affected all areas of health care including dentistry. And, if asked, most dentists and their staff would say they know what the HIPAA regulations are, and yes, they have been trained, but are they really up to date with HIPAA’s ever expanding changes and compliance requirements? Are they trained in the areas of HIPAA Security, Privacy, Enforcement and Breach Notification Rules and do they know that they must be in compliance with the 2013 HIPAA Omnibus Final Rule by September 23, 2013? Compared to the ever-growing size of medical practices today, most dental offices are still rather small with…
Categories HIPAA Law4 Comments
HHS Publishes Technical Corrections to January 25, 2013, HIPAA Privacy, Security, and Enforcement Rules
June 7, 2013. Today, HHS published in the Federal Register “Technical Corrections to the HIPAA Privacy, Security, and Enforcement Rules” that were published on January 25, 2013, as the Final Rule: “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules.” According to the “Summary“ in today’s Corrections Final Rule: “These technical corrections address certain inadvertent errors and omissions in the HIPAA Privacy, Security, and Enforcement Rules that are located at 45 CFR parts 160 and 164. The effective date of the Corrections Final…
Categories HIPAA Law4 CommentsHIPAA Final Rule: Today is Effective Date–Covered Entities and Business Associates Have 180 Days to Comply
March 26, 2013. Today is the first big milestone since the January 25, 2013, publication in the Federal Register of the Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules. Today is the effective date of the Final Rule, and covered entities and business associates must comply by September 23, 2013. “Significant rules (defined by Executive Order 12866) and major rules (defined by the Small Business Regulatory Enforcement Fairness Act) are required to have a 60 day delayed effective date,” which…
Categories HIPAA Law3 Comments