
HealtHITech Law

HIPAA, HITECH and Beyond

OCR Enforcement Results In Three HIPAA Settlements

Posted in Breach, Enforcement, OCR Audits

Many thanks to our colleagues Jonathan Ishee and Shannon Majoras for authoring this post.

Recently the Department of Health and Human Services Office for Civil Rights (OCR) announced three settlements to resolve investigations into potential violations of the Health Insurance Portability and Accountability Act (HIPAA).

OCR reached settlements with two academic medical centers, the Lahey Hospital and Medical Center and University of Washington Medicine (UWM), and one insurance holding company, Triple-S Management Company. Each entity will be subject to a corrective action plan and civil monetary penalties that range from $750,000 to $3.5 million.

Largest HIPAA Settlement Announced by HHS

Posted in Breach, Enforcement

Many thanks once again to our colleague, Robin Canowitz, for authoring this post.

In the largest HIPAA settlement yet to be announced, two New York organizations have agreed to pay $4.8 million to settle allegations that they failed to secure the electronic protected health information (ePHI) of thousands of their patients.  New York Presbyterian Hospital (NYP) and Columbia University (CU) submitted a joint breach report in September of 2010, indicating that the disclosed ePHI of 6,800 individuals included patient status, vital signs, medications and laboratory results.  The organizations are separate entities for HIPAA purposes, but operated a shared data network which was administered by employees of both entities.

According to the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR), the breach was caused when a physician employed by both entities attempted to deactivate a personally owned computer server on a network containing ePHI from NYP.  Due to a lack of technical safeguards, the deactivation of the server resulted in ePHI being accessible on internet search engines.  OCR noted that its investigation also revealed that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and contained appropriate protections.  Further, OCR determined that neither entity had conducted an accurate and thorough risk analysis of their systems which accessed ePHI.

NYP agreed to pay a monetary settlement of $3.3 million, while CU agreed to pay $1.5 million.  Both entities have also agreed to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff and providing progress reports.

You can read the corrective action plans here.

Unencrypted Laptops Result In Significant HIPAA Fines

Posted in Breach, Enforcement

In April 2014, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) continued to emphasize the importance of encryption in maintaining the confidentiality and security of protected health information (“PHI”), especially in addressing and mitigating the significant risk to PHI posed by unencrypted laptops and other mobile devices.

On April 22, 2014, OCR announced that it had resolved potential HIPAA violations arising out of the theft of unencrypted laptops with two different covered entities, Concentra Health Services (“Concentra”) and QCA Health Plan, Inc. of Arkansas (“QCA”). The collective settlement with both covered entities totaled $1,975,220.00.

Concentra agreed to pay OCR $1,725,220 to settle potential HIPAA violations, and will adopt a corrective action plan to evidence the remediation of OCR’s findings.  OCR’s investigation of Concentra began following its receipt of a breach report that an unencrypted laptop was stolen from its Springfield, Missouri facility.  OCR’s investigation revealed that Concentra had previously recognized, in multiple risk analyses, that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing ePHI was a critical risk.  OCR found that while Concentra took steps to begin encryption, its efforts were incomplete and inconsistent, which left patient PHI vulnerable throughout the organization.  OCR’s investigation further found Concentra had insufficient security management processes in place to safeguard PHI.

Similarly, OCR received a breach notice in February 2012 from QCA reporting that an unencrypted laptop containing the ePHI of 148 individuals was stolen from a workforce member’s car.  While QCA encrypted their devices following discovery of the breach, OCR’s investigation revealed that QCA failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, beginning from the compliance date of the Security Rule in April 2005 and ending in June 2012.  QCA agreed to pay a $250,000 monetary settlement, and is required to provide HHS with an updated risk analysis and corresponding risk management plan that includes specific security measures to reduce the risks to and vulnerabilities of its ePHI.  QCA is also required to re-train its workforce and document its ongoing compliance efforts.

Susan McAndrew, OCR’s deputy director of health information privacy, stated that “Covered entities and business associates must understand that mobile device security is their obligation.  Our message to these organizations is simple:  encryption is your best defense against these incidents.”

The Resolution Agreements can be found on the OCR website at:  http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/stolenlaptops-agreements.html.


HHS HIPAA Security Risk Assessment Tool Now Available

Posted in Security

Many thanks once again to our colleague, Sylvia Brown, for her assistance in authoring this post.

The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR), recently released a security risk assessment tool (SRA Tool) to assist entities in complying with the HIPAA Security Rule.

As we have discussed previously (most recently here and here), the Security Rule requires entities (both covered entities and business associates) to conduct a risk assessment of their administrative, physical, and technical safeguards on a regular basis.  To facilitate this risk assessment, the SRA Tool walks the user through each HIPAA requirement by presenting 156 questions targeted at the entity’s security practices.  An affirmative or negative answer will prompt a response from the SRA Tool indicating whether the entity needs to take corrective action for that particular item.  The SRA Tool contains resources to help the entity assess the potential impact to its PHI if a requirement is not met.

The tool was developed as a self-contained, operating system independent application that can be run on various environments, such as laptops, desktops and tablets.  Although users may document responses and risk remediation plans directly into the SRA Tool, the SRA Tool does not transmit the data outside of the tool’s environment.  Paper copies of the SRA Tool are also available.  Entities can learn more about the SRA Tool by watching a video of how it operates.

Entities should note that the SRA Tool does not do away with or otherwise limit any HIPAA compliance obligation, and HHS does not guarantee that use of the tool will ensure compliance with the law.  HHS’ intent in releasing this tool is to provide an additional resource to help entities assess the security practices of their organizations.  Therefore, entities should view the SRA Tool as another arrow in their HIPAA compliance quiver that can be used in identifying and correcting organizational security risks.  Depending on the complexity of the risk, legal counsel should be consulted, as the penalties for non-compliance are significant.


Posted in Enforcement, OCR Audits

The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) has announced that it is gearing up for its second round of HIPAA compliance audits later this year.  The HIPAA Audit Program is authorized under Section 13411 of the HITECH Act and is intended to assess compliance with the HIPAA Privacy, Security, and Breach Notification Rules.  While this next round of audits will be narrower in scope than OCR’s 2012 pilot audit program, OCR will include business associates as well as covered entities.

In a February 24, 2014 Notice in the Federal Register (“Notice”) [1], OCR announced that it will soon launch a survey of 1,200 organizations – 800 covered entities and 400 business associates – as a first step toward selecting those organizations to be audited.  In a presentation that same day at the 2014 HIMSS Annual Conference, Susan McAndrew, OCR Deputy Director, explained that the survey will seek to verify if the entity, which has been chosen from a large OCR database, is a suitable candidate for a HIPAA audit by asking questions such as “Is the organization still in business?” and “Is the organization the healthcare entity indicated by the database?”

OCR stated that the survey “will gather information about respondents to enable OCR to assess the size, complexity and fitness of a respondent for an audit.”  Among other things, OCR intends to collect “recent data about the number of patient visits or insured lives, use of electronic information, revenue and business locations.”[2] Not all organizations that are surveyed will be audited.

OCR’s 2012 HIPAA pilot audit program uncovered a wide variety of HIPAA compliance failures, including Privacy Rule failures (such as a lack of NPPs, use and disclosure violations, and minimum necessary violations), Security Rule failures (such as incomplete risk analyses, improper media disposal, and inadequate access controls), and administrative failures (such as lack of training and failure to update policies and procedures).[3]  In fact, OCR’s analysis of the 2012 pilot audit data revealed that two-thirds of the entities audited did not have a complete and accurate risk assessment.

Thus, one of the primary areas of focus in the 2014 audits likely will be whether covered entities and business associates alike have conducted timely and thorough security risk assessments as required by HIPAA.  Indeed, on September 23, 2013, OCR Director Leon Rodriguez reported at the HIMSS Privacy and Security Forum in Boston that the covered entities audited in the pilot program often had conducted a “shallow risk analysis” that was not properly updated as circumstances changed, such as when the entities developed new business strategies or implemented new information systems.  Director Rodriguez observed, “With any business change, an entity must review its risk analysis; yet, two-thirds of pilot participants – including 80 percent of providers – did not have a complete and accurate risk analysis.”

Another issue which is expected to be a focus of the 2014 audit program is the use of data encryption and an organization’s underlying risk analysis in deciding whether or not to encrypt.  Under the Security Rule, encryption is an “addressable” requirement.  Therefore, an organization which decides not to encrypt must document the reasons why encryption is not reasonable and appropriate in its environment and then select and implement a reasonable alternative measure.  At the May 2013 OCR/NIST 6th Annual Conference on Safeguarding Health Information, Director Rodriguez reported that OCR’s pilot audit program revealed that encryption was not always implemented (or even considered) by organizations.  He observed that organizations either implemented encryption or did nothing at all to justify and document reasonable alternatives.  Thus, Director Rodriguez stressed the importance of conducting a risk analysis related to encryption implementation in which an organization must weigh the pros and cons of encryption in making the final decision to encrypt or not to encrypt.

Finally, OCR also has stated that it is revising its audit protocol for the HIPAA Audit Program to reflect the changes included in the HIPAA Omnibus Rule that became effective on September 23, 2013.

[1] 79 Fed. Reg. 10158 (Feb. 24, 2014).

[2] Id.

[3] See OCR Senior Advisor Linda Sanches’s “HIPAA Privacy, Security and Breach Notification Audits Program Overview and Initial Analysis” (April 23, 2013).

New HHS Guidance on HIPAA Privacy Rule and Sharing Mental Health Information

Posted in Access Rights, Behavioral Health

Many thanks to our colleague Robin Canowitz for assisting us in drafting this post.

The U.S. Department of Health & Human Services (“HHS”) issued new guidance regarding the HIPAA Privacy Rule and its relationship to mental health information disclosures (“Guidance”).  The Guidance addresses when providers may appropriately share the protected health information (“PHI”) of their mental health patients and provides important reminders about HIPAA Privacy Rule issues surrounding mental health records. 

The Guidance also advises that the disclosure of mental health information, like all PHI, must comply with both HIPAA and all other federal, state, and local laws that regulate such disclosures (e.g., the 42 C.F.R. Part 2 rules governing substance abuse program records and the Family Educational Rights and Privacy Act rules).

Communications With Family and Friends

Under 45 C.F.R. § 164.510(b), health care providers may communicate with a patient’s family members and friends when the patient does not object and the disclosures are directly relevant to that person’s involvement in the patient’s care or payment for care.  A provider may have permission to disclose PHI (or permission may be inferred) when a family member or friend is present in the treatment room at the patient’s invitation.  HHS confirms that if a patient is incapacitated, a provider may share information with family and friends when that provider determines, based upon professional judgment, that the disclosure is in the patient’s best interest.  The Guidance provides clear examples permitting disclosure when the patient does not object:

  • A psychiatrist may discuss the drugs a patient needs to take with the patient’s sister who is present with the patient at a mental health care appointment.
  • A therapist may give information to a patient’s spouse about warning signs that may signal a developing emergency.

The Guidance examines 45 C.F.R. § 164.510(b)(3), which permits a provider to disclose mental health information to friends or family when a patient is not present or is unable to agree or object due to incapacity or emergency circumstances and the provider believes it is in the patient’s best interests.  Again, the disclosure must be directly relevant to the person’s involvement in the patient’s care or payment for care.  In making these determinations, the provider should consider a patient’s prior expressed preferences and offer the patient who regains capacity the chance to agree or object to future disclosures. 

The Guidance emphasizes that providers must abide by the wishes of their adult mental health patients who object to disclosures to friends and family.  Nevertheless, HHS reiterates that HIPAA permits providers to warn family members or law enforcement if the provider perceives a serious and imminent threat to the health or safety of the patient or others and the disclosure may reasonably prevent or lessen the risk of harm. 

State laws also may impose an affirmative “duty to warn” on mental health professionals when a patient poses an imminent threat.  Providers regulated under Part 2 may have additional duties. 

Psychotherapy Notes

The Guidance emphasizes that HIPAA provides extra protection to psychotherapy notes maintained separately since the therapist’s personal notes are not required for treatment, payment or healthcare operations.  With few exceptions, providers must obtain a separate authorization to disclose psychotherapy notes.

Minor Mental Health Records

HHS also discusses 45 C.F.R. § 164.502(g), which contains several exceptions to the general rule that a provider may disclose PHI to a parent or guardian as the personal representative of a minor child:

A parent is not treated as a minor’s personal representative when: (1) State or other law does not require the consent of a parent before a minor can obtain a particular health care service, the minor consents to the service, and the minor has not requested the parent be the personal representative; (2) someone besides the parent is authorized by law to consent to the service and provides such consent; or (3) a parent agrees to a confidential relationship between the minor and provider with respect to the service.

The Guidance also states that parents do not have a right to a minor’s psychotherapy notes, although providers have discretion under HIPAA to disclose an individual’s PHI (including psychotherapy notes) to the individual’s personal representative.  HHS advises providers to consult State or local law for any restrictions on such disclosures.

Ohio Medicaid to Cover Telemedicine

Posted in Legislation, Rulemaking, Telehealth/Telemedicine

Many thanks once again to our colleague, Sylvia Brown, for her assistance in authoring this post.

Last week, Ohio Governor John R. Kasich signed into law H.B. 123 (Gonzales, Watchmann), a bill to provide Medicaid coverage for telehealth services.  The law requires the state’s Medicaid department to establish standards for covering services that are provided through telehealth. 

The Department of Medicaid released its proposed standards quickly after the bill was signed into law.  The proposed rule, 5160-1-18, defines “telemedicine” as the direct delivery of services to a patient provided through synchronous, interactive and real-time electronic communication that includes both audio and video components.  The proposed rule excludes other means of electronic communication from this definition, such as electronic mail and telephone. 

The proposed rule would require that the physical location of the patient at which the telemedical service is provided (the “originating site”) be limited to one of five types of locations:  (1) the office of a medical doctor, doctor of osteopathic medicine, optometrist, or podiatrist; (2) a federally qualified health center (FQHC), rural health center (RHC), or comprehensive primary clinic; (3) an outpatient hospital; (4) an inpatient hospital; or (5) for services not included in the nursing facility per diem payment, a nursing facility.  The proposed rule prescribes no restrictions on the physical location of the practitioner (the “distant site”) other than that it be located not less than five miles away from the originating site.

Notably, only medical doctors, doctors of osteopathic medicine or licensed psychologists will be able to provide and receive reimbursement for providing eligible services if the department’s rule, as proposed, is adopted.  This is much narrower than Medicare telehealth services, which may be provided by various types of practitioners, including physician assistants, nurse practitioners, and clinical social workers.

The proposed rule also provides that Medicaid will cover only evaluation and management services and psychiatry services provided through telehealth.  Claims for originating fees also may be submitted for payment by originating site providers but only by providers other than inpatient hospitals and nursing facilities.  For providers seeking payment for originating fees, the department will not also reimburse the provider for evaluative or management services provided to the patient on the same day.

The department’s proposed rule is available for public comment until March 4, 2014 and will be reviewed through the administrative rule review process.  If you would like to comment on the proposed rule, we are happy to assist.  We have experience advising providers on telehealth reimbursement, as well as the unique, complex, and evolving scope of practice issues related to telehealth.

New Access Rights to Lab Test Reports

Posted in Access Rights, Rulemaking

In an effort to further eliminate barriers to the exchange of health information and encourage a more active patient role in personal health care decisions, federal regulators have once again expanded HIPAA patient rights provisions. 

Last week, the U.S. Department of Health & Human Services Centers for Medicare & Medicaid Services (“CMS”), Centers for Disease Control and Prevention (“CDC”), and Office for Civil Rights (“OCR”) jointly published a final rule that will give patients or their personal representatives direct access to the patient’s completed laboratory test reports.  The final rule amends both the Clinical Laboratory Improvement Amendments of 1988 (“CLIA”) regulations and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule to allow individuals and their personal representatives the right to access test reports directly from laboratories.

Current Access Rights to Lab Test Reports

CLIA regulations permit a CLIA laboratory to disclose laboratory test results to three categories of individuals or entities:  (1) the “authorized person,” (2) the person responsible for using the test results in the treatment context, and (3) the laboratory that initially requested the test.  “Authorized person” is defined as the individual authorized under state law to order or receive test results, or both.  In states that do not allow individuals to access their own test results, the individuals must receive their test results through their health care providers.

The Privacy Rule provides individuals and their personal representatives with a right of access to inspect and obtain a copy of protected health information (“PHI”) about the individual in a designated record set.  Laboratory reports maintained by or for a laboratory are part of the designated record set.  However, while individuals and personal representatives have the right to inspect and obtain a copy of their PHI in a designated record set, the current Privacy Rule includes exceptions related to CLIA.  Specifically, the access rights do not apply to PHI maintained by a covered entity that is (1) subject to CLIA to the extent the provision of access to the individual would be prohibited by law, or (2) exempt from CLIA.  These exceptions apply to test reports and other PHI only at CLIA and CLIA-exempt laboratories.

Expanded Access Provisions

Individuals and their personal representatives now will have the right to access their PHI directly from laboratories subject to HIPAA.  The final rule also removes federal barriers to direct access for laboratories not subject to HIPAA.

With respect to the CLIA regulations, the final rule permits laboratories subject to CLIA, upon the request of a patient or the patient’s personal representative, to provide access to completed test reports belonging to the patient.  The final rule retains the CLIA provision that requires the release of test reports only to “authorized persons,” the persons responsible for using the test reports, and to the laboratory that initially requested the test.  These CLIA modifications take effect April 7, 2014.

The final rule amends the Privacy Rule by removing the exceptions to an individual’s right of access related to CLIA and CLIA-exempt laboratories.  As a result, upon request, laboratories subject to HIPAA will be required to provide an individual or the individual’s personal representative with the individual’s completed test reports, as well as other information maintained in a designated record set, in accordance with the right of access provisions in the Privacy Rule.

Because this change in an individual’s access rights constitutes a material change to the privacy practices of HIPAA-covered laboratories, these laboratories must promptly revise their notice of privacy practices (“NPPs”).  Thus, by the compliance date of this final rule, HIPAA-covered laboratories must revise their NPPs to inform individuals of this expanded right, include a brief description of how to exercise this right, and remove any statements to the contrary.  In addition, HIPAA-covered laboratories must make their revised NPPs available in accordance with the Privacy Rule.

The compliance date of the final rule is October 4, 2014.



Dermatology Practice Hit With $150,000 HIPAA Penalty

Posted in Breach, Enforcement

2013 ended like it started – with OCR actively monitoring and enforcing health care provider HIPAA compliance.  On December 26, 2013, OCR imposed a $150,000 penalty and a corrective action plan upon a Massachusetts dermatology physician practice arising out of a self-reported HIPAA breach.   See Resolution Agreement.

In October 2011, Adult & Pediatric Dermatology, P.C. of Concord, Massachusetts notified OCR that an unencrypted thumb drive containing the PHI of approximately 2,200 patients was stolen from the vehicle of a staff member.  The thumb drive was never recovered.

OCR’s investigation revealed multiple HIPAA violations by the practice including (1) failure to perform an accurate and thorough risk analysis related to the potential risks and vulnerabilities of its ePHI, (2) failure to implement written HIPAA policies and procedures, and (3) failure to train workforce members on breach notification.

OCR Director Leon Rodriguez remarked: “As we say in health care, an ounce of prevention is worth a pound of cure.  That is what good risk management process is all about – identifying and mitigating the risk before a bad thing happens.  Covered entities of all sizes need to give priority to securing electronic protected health information.”

This most recent OCR enforcement action should serve as a reminder to all covered entities to take the following breach prevention precautions:

  • Conduct a thorough and accurate risk analysis that includes all mobile devices and media.
  • Encrypt all mobile devices and media which contain PHI, using encryption consistent with HHS guidance, so that a lost or stolen device does not expose “unsecured” PHI that triggers breach notification.
  • Implement written HIPAA policies and procedures.
  • Train staff members on HIPAA compliance.


OIG Report Criticizes HIPAA Oversight

Posted in OCR Audits, Security

The HHS Office for Civil Rights (“OCR”) has failed to comply with the HITECH Act’s mandate to audit HIPAA covered entities and business associates, according to a recent report published by the HHS Office of Inspector General (“OIG”).  The OIG said that OCR “had not assessed the risks, established priorities, or implemented controls for its HITECH requirement to provide for periodic audits . . . as a result, OCR had limited assurance that covered entities complied with the Security Rule[.]”  HIPAA compliance audits are here to stay, according to the OIG, whether OCR (and especially covered entities) like it or not.

Pilot Program

We previously reported on the HITECH Audit Program established in 2011.  At the time of that post, 20 audits had been completed, with another 95 covered entities to be audited by the end of 2012.  These 115 audits have been the only HITECH-mandated audits conducted by OCR: 47 health plans, 61 health care providers, and 7 clearinghouses were audited.  Several clear trends emerged from the Pilot Program, notably, that health care providers had greater compliance gaps than health plans and clearinghouses, and that audits revealed proportionally more findings of noncompliance at smaller providers.

Although the Pilot Program seems to have been a relative success, its momentum has stalled.  According to OCR, budgetary constraints are to blame.  In its comments to the preliminary OIG report, OCR noted that the funding for the Pilot Program expired in 2012, preventing it from undertaking any more audits.

Looking Ahead

Notwithstanding the expiration of funds designated for audits, the Report recommends that OCR provide for periodic audits in accordance with HITECH to ensure Security Rule compliance at covered entities.  The Pilot Program was a nice start, but it is not enough, according to OIG.  As a result, it seems likely that OCR will be forced to re-prioritize auditing internally, and possibly use this Report as a vehicle to obtain additional funding.  The law requires the audits to be ongoing.  As HIPAA covered entities continue to work toward establishing an environment of HIPAA compliance, this Report serves as another reminder that protecting the privacy and security of health information must be a priority.