AXEL.org

Blog

July 12, 2017

Who’s Covered by HIPAA?

Our previous HIPAA entry covered some of the basics of HIPAA. One of the things we did was identify who is covered by the HIPAA rules. Entities or individuals that are Covered Entities (remember: Health Care Plans, Health Care Clearinghouses, or Health Care Providers) are certainly subject to HIPAA.

But, effective February 17, 2010 under the HITECH Act, Business Associates (BAs) became directly subject to the HIPAA Privacy and Security Rules as well. What this means is that a company that is not in the healthcare industry, per se, but handles medical records as part of its work COULD be subject to the HIPAA rules.

A BA is a person or entity that performs certain functions or activities involving the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a Covered Entity; attorneys, accountants, consultants, and others are some possible examples. But HIPAA does not contain a list that defines who is a BA by trade. Instead, the following test is used:

  • a party who is performing a function for a Covered Entity;
  • that has access to PHI;
  • but is not an employee of the Covered Entity.

Now that you have had a chance to determine whether or not you are a BA, what are your HIPAA requirements? You must comply with HIPAA, of course. In general terms, you must secure the PHI and use it only for the purpose for which it was given to the Covered Entity.

Where it sometimes gets tricky: you must also make the PHI accessible to the individual to whom it belongs, most often the patient, so you cannot simply lock it up and throw away the key. You must perform risk assessments of your security and mitigate the risks you identify. Finally, you have notification obligations should there be a breach.

Next we will talk about what a breach is, your reporting requirements, and the related fines and penalties for a breach.

Filed Under: Health Tagged With: BA, Business Associate, Covered Entity, HIPAA, HIPPA, HITECH, PHI, Who is covered?

March 14, 2017

What is HIPAA?

Since our previous HIPAA entry exposed you to some of the shock value of recent HIPAA violations, I assume you are checking back because you are interested in how HIPAA may apply to your company. With this article, I want to provide a little foundation on HIPAA.

HIPAA is the acronym for the Health Insurance Portability and Accountability Act, legislation passed in 1996. For you legislative purists, HIPAA was initially known as the Kennedy–Kassebaum Bill. But, yes, HIPAA has been around since 1996! I bet that, if polled, most medical or insurance privacy officers would tell you that HIPAA was enacted in the last few years.

Not only is HIPAA not new, it was also not written solely to punish medical practices that get lazy with their record keeping. It is made up of five titles, of which only one, Title II, addresses items such as patients' access, security, and privacy. Perhaps another day I will talk about the coding, automation, coverage, and standardization requirements of HIPAA, but not today.

The Department of Health and Human Services (HHS) enforces HIPAA, and its Office for Civil Rights (OCR) performs the audits and investigations. Interestingly, in 2009 then-President Obama signed the American Recovery and Reinvestment Act of 2009. Contained therein was the HITECH Act, which allows OCR to be funded by the very fines it levies and collects. Thus, there is little doubt that HIPAA investigations, enforcement, and fines are here to stay.

Understanding that HIPAA and its enforcement are here to stay, the next question is: "does it apply to us?" HIPAA most certainly does not apply to just anyone who happens to hold a medical record in their hand. But it does apply to Covered Entities such as Health Care Plans and Clearinghouses (some may just call them the insurance side) and Health Care Providers (doctors, nurses, hospitals, those trained and licensed to provide medical care, etc.). And finally, HIPAA applies to Business Associates (BAs): a party that performs a function for a Covered Entity and has access to PHI but is not its employee. So, if you are one of those folks, the HIPAA rules apply to you.

Who is, or may be, a BA will be the subject of the next HIPAA blog.

Filed Under: Health Tagged With: enforcement, HHS, HIPAA, HIPPA, OCR, Violations, What is

March 8, 2017

Keeping Up in Court

It’s the day before the big hearing.  The Motion was perfect; Opposition just ok – no surprises, and your Reply crushed it.  This is the second time you will be arguing your Summary Judgment Motion.  A Rule 56(f) Opposition carried the day six months ago; but it’s more than ripe this time around.

You sit down to download all three pleadings to your iPad; with exhibits they total about a foot of paper. But, in PDF format, the files are too big for the storage left on the device. To make matters worse, you wanted to download a few other things for the hearing as well: their Opposition from the last hearing (since it makes a few arguments that help you this time around), the latest round of discovery responses (a perfect Interrogatory answer from their CIO exists), and a bunch of photos of your client's product and their infringing product that your expert just testified to at his deposition last week.

The next two hours are spent deciding if you really need all the exhibits to the pleadings, what else you really need, and considering what you could take off your iPad.  WASTED TIME and ADDED STRESS.   As if you need either of those on the day before the hearing.  Finally, you decide to leave the Opposition exhibits and the new expert photos off the download, and remove a few unrelated things from the iPad and off you go.

Let’s take the worst-case scenario, and play it out.  During argument opposing counsel brings up a document from her exhibits – that you did not think was important enough to address in your outline – and it’s not on your iPad.  She also talks for a while about your expert’s deposition and two of his photos – which you don’t have either.

As prepared and articulate as you may be, you simply cannot address the nuances of her arguments on those three pieces of evidence since they are not right in front of you.  Motion DENIED.

I understand that in this hypothetical you could have hand-carried the documents to court.  But the point is, even when we carry twelve inches of material to court and/or download all the related pleadings, every now-and-then a question is asked or argument made related to a document we just did not have.  Sure, sometimes the judge will give us more time to address the evidence, but would it not be better to just have access to your entire case file – no matter how big?

This scenario happened to me a few times in my 18 years of litigation.  Sure, there was more than one time where I simply forgot to grab part of the file on the way to court.  But far more often, opposing counsel would bring up something completely unrelated to the issue, or from a prior hearing or long-ago completed discovery.  Every now and then, a judge would ask for something very specific or something silly like a date of service on Interrogatory packet #3.  In these instances the ability to access all your documents can be the difference between winning or losing your case. It’s important for any attorney to do their research on finding the best file management tools to ensure they have the important information on hand at all times.

Filed Under: Legal Tagged With: attorney, cloud, file access, file sharing, lawyer, legal, legal tech, litigation

February 20, 2017

HIPAA Violations – An Open Discussion

An open discussion on HIPAA.

First, it's HIPAA, not "HIPPA", which you see a lot as you navigate an internet search about HIPAA. If you Google HIPPA, you will find plenty of articles discussing HIPAA but spelling it HIPPA. You can even find professional-looking and academic articles spelling it incorrectly. Second, HIPAA is more than just a privacy law; it deals with document access, insurance coverage, pre-existing conditions, and many other things. Finally, HIPAA compliance is not impossible or some secret for experts only... it is attainable. But, first things first: why should you worry about HIPAA?

Look, we are all busy, and none of us wants to read a bunch of legislation written by attorneys that makes almost no sense to non-attorneys; I get it. When it comes to legal issues, I always find it important to know the real reasons why I should take notice of something. Large monetary fines and possible prison time seem to get my focus. The Federal Government issued almost $11.4 million in HIPAA fines before March 1, 2017; paying attention yet? How about knowing that you can face Federal jail time for wrongful disclosures? Now that you realize HIPAA is serious, let's look at the government's enforcement activity in 2017.

Just to get your ears perked up, here are some examples of the fines issued by the Federal Government before the end of February 2017:

January 9, 2017 – The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and Presence Health agreed to settle potential violations of the HIPAA Breach Notification Rule by paying $475,000.00.

Presence Health discovered that paper-based operating room schedules, which contained the PHI (Protected Health Information) of 836 individuals, were missing from the Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois. Making matters worse, Presence Health failed to timely notify each of the 836 affected individuals, prominent media outlets (as required for breaches affecting 500 or more individuals), and the OCR. This is a great first case to take notice of, as it addresses both the loss of the medical information and the failure to report the breach on time. Note that the PHI here was on paper: HIPAA's breach rules are not limited to electronic records.

January 18, 2017 – The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.2 million.

MAPFRE filed a breach report with OCR indicating that a USB data storage device containing ePHI (electronic Protected Health Information) for 2,209 individuals was stolen from its IT department, where the device had been left without safeguards. MAPFRE also failed to conduct a proper risk analysis, to implement a risk management plan, and to deploy encryption or an equivalent alternative measure on its laptops and removable storage. This investigation revealed many failures, across many levels of HIPAA. Yet one of its teaching points is about laptop and USB drive security. Many offices use laptops and USB drives daily to access and transfer information. If those devices contain PHI, they must be secured, and encryption matters twice over: it is the safeguard OCR expects, and under HHS guidance the loss of properly encrypted ePHI is not treated as a reportable breach.

February 1, 2017 – The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) issued a civil money penalty of $3.2 million to Children’s Medical Center of Dallas (Children’s), who paid the fine in full.

Children's filed a breach report with OCR indicating the loss of an unencrypted, non-password-protected BlackBerry device at Dallas/Fort Worth International Airport. The device contained the ePHI of approximately 3,800 individuals. Later, Children's filed a separate HIPAA Breach Notification Report with OCR, reporting the theft of an unencrypted laptop from its premises which contained the ePHI of 2,462 individuals. Again, we see portable devices being lost or stolen. In a review of OCR's enforcement history, lost or stolen portable devices appear to account for a majority of violations. Now is probably a good time to determine whether your office has PHI on any portable or removable devices, and whether each of them is encrypted.

February 16, 2017 – Memorial Healthcare System (MHS) paid the U.S. Department of Health and Human Services (HHS) $5.5 million to settle potential violations.

MHS reported to the HHS Office for Civil Rights (OCR) that the protected health information (PHI) of 115,143 individuals had been impermissibly accessed by its employees and impermissibly disclosed to affiliated physician office staff. The login credentials of a former employee of an affiliated physician's office had been used to access the ePHI. This final case shows that your access-control procedures must be established and followed: accounts must be disabled when someone leaves, access rights must be reviewed periodically, and access to ePHI should be logged and the logs actually reviewed. Of course, the hardest part of protecting your company is protecting it from its own people. But there is no excuse for allowing former employees to retain access rights to your data.
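The MHS case above turned on credentials that outlived the person they were issued to. The following is an added example (not code from the original post or from AXEL) of the kind of check an administrator can run to catch that gap: it cross-references an HR termination list against authentication log lines and a directory export, flagging successful logins that occur on or after an owner's termination date and accounts that are still enabled past that date. The user names, dates, log format and directory format are all constructed for illustration and are not from any real system.

```python
"""Detect use of credentials that should have been revoked.

Added example, not from the original post. It cross-references a
constructed HR termination list against constructed authentication log
lines and flags (a) successful logins by an account after its owner's
termination date and (b) accounts that are still enabled after that date.
All names, dates and the log format are made up for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed HR feed: user -> termination date (ISO). Hypothetical data.
TERMINATIONS = {
    "jdoe": "2017-01-05",
    "asmith": "2016-11-30",
}

# Constructed directory export: user -> account enabled flag. Hypothetical.
ACCOUNT_STATE = {
    "jdoe": True,    # still enabled weeks after termination
    "asmith": False,
    "bwhite": True,  # active employee, not in TERMINATIONS
}

# Constructed auth log lines in a simple syslog-like format (hypothetical).
AUTH_LOG = """\
2017-01-04T09:12:03 auth user=jdoe result=success src=10.1.4.22 app=ehr-portal
2017-01-19T22:41:10 auth user=jdoe result=success src=10.1.4.22 app=ehr-portal
2017-01-20T07:03:55 auth user=asmith result=failure src=203.0.113.7 app=vpn
2017-01-21T08:15:00 auth user=bwhite result=success src=10.1.7.9 app=ehr-portal
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) result=(?P<result>\S+) "
    r"src=(?P<src>\S+) app=(?P<app>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str       # "post_termination_login" or "stale_enabled_account"
    user: str
    detail: str


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    return d


def post_termination_logins(log_text, terminations, grace_days=0):
    """Successful logins by a user on or after termination (plus optional grace)."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue  # failures are noise here; we want proof of access
        term = terminations.get(ev["user"])
        if term is None:
            continue  # current employee
        cutoff = datetime.fromisoformat(term) + timedelta(days=grace_days)
        if ev["ts"] >= cutoff:
            findings.append(Finding("post_termination_login", ev["user"],
                f"{ev['ts'].isoformat()} from {ev['src']} to {ev['app']}"))
    return findings


def stale_enabled_accounts(account_state, terminations, as_of):
    """Accounts still enabled after their owner's termination date."""
    as_of_dt = datetime.fromisoformat(as_of)
    findings = []
    for user, term in terminations.items():
        if account_state.get(user) and datetime.fromisoformat(term) <= as_of_dt:
            findings.append(Finding("stale_enabled_account", user,
                f"terminated {term}, still enabled as of {as_of}"))
    return findings


def audit(log_text=AUTH_LOG, account_state=ACCOUNT_STATE,
          terminations=TERMINATIONS, as_of="2017-01-31"):
    """Run both checks against the constructed data and return all findings."""
    return (post_termination_logins(log_text, terminations)
            + stale_enabled_accounts(account_state, terminations, as_of))


if __name__ == "__main__":
    for f in audit():
        print(f"{f.kind}: {f.user} ({f.detail})")
```

Run against the constructed data, the audit flags jdoe twice: a successful portal login two weeks after the termination date, and an account that is still enabled at month end. The two checks are deliberately separate because they answer different questions (has a revoked credential already been used, versus is one still waiting to be used), and the second one is the one a periodic access review should be catching before the first ever fires.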

These four fines are just the tip of the iceberg, but together they shed some light on the many different types of violations your company can face. Many states can now impose fines of a similar level on a party in breach. Some states even allow private causes of action for damages caused by a breach. And then there can be criminal consequences as well. Now that I have your attention, be sure to check back soon for more on HIPAA.

Filed Under: Health Tagged With: enforcement, ePHI, fines, HHS, HIPAA, HIPPA, medical tech, OCR, protected health information, violation

    © Copyright 2022 Axel ®. All Rights Reserved.