Articles Posted in HIPAA

On Wednesday, New York Presbyterian Hospital and Columbia University agreed to settle claims with the Department of Health and Human Services (HHS) Office for Civil Rights for a collective $4.8 million stemming from a data breach in 2010. This matter, along with other similar cases, should serve as an important warning to healthcare providers and other HIPAA covered entities that personal health information (PHI) of patients must be protected, especially in the electronic age. If a data network is breached and PHI is made available, HHS will use its enforcement powers to assess punitive penalties and institute corrective actions in order to achieve compliance.

Under the terms of the settlement, New York Presbyterian will pay $3.3 million while Columbia University will pay $1.5 million. Both entities must also institute corrective action plans. The settlement represents the highest combined total financial penalty issued to an entity covered by HIPPA. As part of the settlement, the entities must undergo a risk analysis, develop a risk management plan, revise policies and procedures, train staff and provide progress reports.

The investigation and subsequent settlement were brought on by a data breach incident in 2010 where the shared data system for New York Presbyterian and Columbia University was breached and the records of 6,800 patients were made available on the internet. The data breach occurred when a physician attempted to deactivate a personally owned computer server on the network. The Office for Civil Rights alleged that that due to a lack of technical safeguards, deactivation of the server resulted in PHI being accessible via internet search engines.

On February 24, 2014, the Department of Health and Human Services’ (HHS) Office for Civil Rights (“OCR”) announced in the Federal Register that it plans to survey up to 1,200 organizations to identify candidates for audits under the Health Insurance Portability and Accountability Act (HIPAA) Audit Program. In accordance with the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, OCR is required to schedule periodic audits to ensure that covered entities and business associates are in compliance with HIPAA Privacy, Security, and Breach Notification Rules.

According to the notice, the survey will assess covered entities and business associates’ “suitability” (e.g., size, complexity and fitness) for an audit by collecting information from these respondents such as “number of patient visits or insured lives, use of electronic information, revenue, and business locations.” Although the total number of entities to be audited in 2014 is unclear, HHS expects that expanding the audit program to up to 1,200 organizations will provide a more accurate depiction of covered entities and business associates’ compliance with HIPAA. HHS will be accepting comments regarding this pre-audit survey until April 25, 2014.

Since the inception of the HIPAA Privacy and Security Rules in 1996, Wachler & Associates has counseled providers and other covered entities of all sizes in HIPAA compliance. In order to attain compliance, providers should update security policies and procedures, business associate agreements, privacy policies and procedures, and HIPAA privacy notices. In addition, all employees should receive ongoing training in HIPAA compliance. If your entity does not already have these procedures in place, Wachler & Associates can help you implement these important compliance measures. If you have any questions or require assistance developing and implementing a HIPAA compliance plan for your organization, please contact an experienced healthcare attorney at 248-544-0888 or at wapc@wachler.com.

On January 16, 2014 the Federal Trade Commission (FTC) unanimously reaffirmed its broad authority to regulate a healthcare provider’s data security program deemed inadequate by the FTC in protecting consumers from identity theft or misuse of personal information. The FTC held that a provider’s program is inadequate if it fails to provide reasonable and appropriate data security measures. A company’s failure to provide reasonable and appropriate data security measures falls within the purview of Section 5(a) of the FTC Act’s prohibition of “unfair … acts or practices.” Further, the FTC held that HIPAA, HITECH, and other statutes do not restrict the FTC’s authority under Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), to challenge data security measures that it has reason to believe are unfair acts or practices.

The impetus for this ruling comes from an August 2013 complaint filed against LabMD, a clinical laboratory, alleging that LabMD failed to employ reasonable and appropriate measures to prevent unauthorized access to consumers’ personal information, constituting an unfair act or practice in violation of Section 5(a) of the Act. LabMD moved to dismiss the FTC’s complaint, arguing that the FTC had no authority to address private companies’ data security programs under the Act, and that by enacting Health Insurance Portability and Accountability Act (“HIPPA”) and other statutes, Congress implicitly restricted the FTC’s authority to enforce the Section 5 of the Act in the field of data security. In denying LabMD’s motion to dismiss, the FTC determined that nothing in the federal statutes reflected a ‘clear and manifest’ intent of Congress to restrict the FTC’s authority over unfair data and security practices. Furthermore, the FTC held that “so long as the requirements of those statues do not conflict with one another, a party cannot plausibly assert that, because it complies with one of these laws, it is free to violate the other.”

As the FTC reasserts its broad authority under the Act, healthcare providers should reexamine their data security programs to ensure that they adequately protect consumers’ personal information in the event of an investigation by the FTC.

The Department of Health and Human Services (HHS) has issued a letter to health care providers to ensure that they are aware of their ability under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to take action, consistent with their ethical standards or other legal obligations, to disclose necessary information about a patient to law enforcement, family members of the patient, or other persons, when they believe the patient presents a serious danger to himself or other people.

In the letter, HHS describes the HIPPA Privacy Rule as requiring a careful balance between protecting the patients’ privacy and ensuring the safety of the patient and others. In general, the Privacy Rule requires providers to protect the privacy of the patients’ health information. However, an exception is created when a health care provider believes in good faith that a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others. A provider is presumed to have a good faith belief if his or her belief is based on the provider’s actual knowledge, such as through the provider’s interactions with the patient, or when the provider is relying on a credible representation by a person with apparent knowledge or authority, such as a credible family member of the patient.

If a health care provider does believe in good faith that a warning is necessary to prevent a serious and imminent threat to the health or safety of the patient or others, then the Privacy Rule allows the provider to alert those persons whom the provider believes are reasonably able to prevent or lessen the threat. In alerting such persons, the provider may disclose patient information, including information from mental health records, if necessary. Furthermore, persons “reasonably able to prevent or lessen the threat” may include police officers, the patient’s family members, or even campus security or administration.
Continue reading