Healthcare Law Blog

An Analysis of Urine Toxicology — Considerations for Health Providers

Urine toxicology, also referred to as urine drug screening, is an important procedure that health providers use for several reasons: to monitor patients’ medication compliance, detect drug abuse, or identify the presence of disease. There are numerous implications that accompany a urine toxicology examination though, and health providers are sometimes left wondering if they should hand over the cup to patients. More >

Plan for the Worst, Hope for the Best: Why You Must Have a HIPAA Risk Assessment

“The single biggest and most common compliance weakness is the lack of a timely and thorough risk analysis.” More >

Issues Concerning Substance Abuse Patient Confidentiality Laws

It was with the best of intentions that Congress passed the Federal Confidentiality of Alcohol and Drug Abuse Patient Records Law over forty years ago. The patient privacy regulations (“Part 2”) spawned by this law reflected a sensitivity to the stigma that can accompany substance abuse, preventing highly vulnerable patients in need from seeking appropriate treatment.[1] In the interim, however, the field of behavioral health care has experienced seismic shifts in coordinated patient care while the regulations concerning these patient records have failed to adapt to changing standards such as electronic health records or health information exchanges. Due to this inflexibility, providers and patients are now facing a host of impediments in the provision of behavioral healthcare. More >

HIPAA Rules and Procedures in the Event of a Data Breach, Part Two

My last post focused on the discovery and investigation of a data security breach to determine if breach notification is needed. Today’s post now turns to the requirements of breach notification triggered by a data security breach. More >

HIPAA Rules and Procedures in the Event of a Data Breach, Part One

As discussed in my prior post, recent massive data breaches at major retailers and health insurance providers paint a bleak picture of modern data and emphasize the importance of strong security safeguards and plans for handling suspected security breaches for electronic protected health information (“ePHI”). In the healthcare context, a security breach of a covered entity or a Business Associate’s (BA) data security system triggers the Security Rule and can trigger certain breach notification requirements under Health Insurance Portability and Accountability Act (“HIPAA”) and Health Information Technology for Economic and Clinical Health Act (“HITECH”). This post will discuss the investigation needed to determine whether a breach has taken place, while the next post will discuss the necessary notifications in the event of a breach. More >

HIPAA and “Meaningful Use” Audits: Issues to Consider and How to Prepare

As more and more providers adopt electronic health records (“EHRs”) systems (and with new regulations concerning their required use for purposes of Medicare billing for chronic care management, their popularity can only continue to grow), a myriad of compliance issues continue to surround them. To that end, the federal government has stepped up auditing programs to ensure compliance with HIPAA/HITECH as well as making sure taxpayer money has been invested wisely through the Meaningful Use program. The bent of these audit programs is clearly along the lines that applicable covered entities and business associates should be preparing with a “when” mindset, rather than “if,” as these audits are going to happen. More >

Reminder: Update Your “Grandfathered” HIPAA Business Associate Agreements Now!

In January 2013, the Department of Health and Human Services (“HHS”) published its Final Rule, which significantly increased the privacy and security responsibilities for the “business associates” of “covered entities,” as those terms are defined by HIPAA. A provision within the Final Rule mandated that all covered entities and their business associates revise their business associate agreements to reflect the new responsibilities. Specifically, a business associate must now, among other things: More >

Health Care Industry Familiar with HIPAA Breaches, Not So Much Hackers

Community Health Systems (“Community”), which operates 206 hospitals in 29 states, recently notified 4.5 million of its patients that online hackers had stolen personal data information from its systems in a period between April and June 2014. The data included names, addresses, birthdates, telephone numbers and Social Security numbers—all of which are protected under HIPAA. According to Community, the data did not include financial or medical information.

It has been reported that the hackers responsible for the attack are a group of cybercriminals from China that traditionally go after intellectual property, including medical device and equipment development data.  They used malicious software to obtain the data, which has since been removed by Community from the network. Further remedial efforts are already underway, including notifying affected patients and offering them identity theft protection services.

Hospitals should be accustomed to protecting data against privacy breaches as part of their HIPAA obligations, but outright cybertheft is a threat that many providers have not likely considered. The FBI, which is now investigating the Community incident, said in April that health care providers typically do not use the same high levels of security technology as companies in other industries (such as banking or retail). This makes providers an easy target for hackers. If a leading hospital system like Community can be breached, then hospitals of every size are at risk.

It is crucial that HIPAA-covered entities (and their business associates) understand and identify potential threats to their secured information. The importance of HIPAA risk analysis cannot be stressed enough; in fact, a risk analysis is required as the first step in HIPAA Security Rule compliance. While it may be impossible to build an impenetrable fortress of secured online information, it is evident that health care providers must continue to make it a top priority to protect patient records – both from HIPAA breaches and hackers.

Services may be performed by others.

This article does not constitute legal advice.

Have You Reviewed Your Existing Business Associate Agreements?

Pursuant to the HIPAA Final Omnibus Rule (“Final Rule”), covered entities and their business associates were required to enter into new business associate agreements (“BAAs”) or modify existing BAAs by Sept. 23, 2013. However, existing BAAs that (i) were entered into on or before Jan. 25, 2013; (ii) met the requirements that were applicable prior to the promulgation of the Final Rule; and (iii) were not modified after March 26, 2013, have until Sept. 23, 2014 to be updated. That deadline is quickly approaching. More >

Small Devices & Big Consequences: Why Medical Practices Need Encryption

On Tuesday, I shared information about the U.S. Health and Human Services (“HHS”) Office of Civil Rights’ (“OCR”) first settlement with a medical practice for alleged violations of the breach notification provisions of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. The $150,000 settlement was made with Adult & Pediatric Dermatology, P.C., (“the Practice”) after the entity reported a stolen jump drive that contained PHI of approximately 2,200 patients. More >