Healthcare Law Blog

Wellness Programs and the EEOC, Part One

On May 29, 2013, the U.S. Department of Labor, the U.S. Department of the Treasury, and the U.S. Department for Health and Human Services finalized rules regarding wellness programs offered in conjunction with group health plans. These changes were made in light of the Affordable Care Act (“ACA”). Prior to the enactment of the ACA, HIPAA provisions generally prohibited group health plans and group health insurance issuers from discriminating against individual participants and beneficiaries in eligibility, benefits, or premiums based on a health factor. The exception to the general rule allows premium discounts, rebates, or modifications to otherwise applicable cost-sharing systems (including copayments, deductibles, or coinsurance) in return for adherence to certain programs promoting health or preventing disease. More >

HIPAA Rules and Procedures in the Event of a Data Breach, Part Two

My last post focused on the discovery and investigation of a data security breach to determine if breach notification is needed. Today’s post now turns to the requirements of breach notification triggered by a data security breach. More >

HIPAA Rules and Procedures in the Event of a Data Breach, Part One

As discussed in my prior post, recent massive data breaches at major retailers and health insurance providers paint a bleak picture of modern data and emphasize the importance of strong security safeguards and plans for handling suspected security breaches for electronic protected health information (“ePHI”). In the healthcare context, a security breach of a covered entity or a Business Associate’s (BA) data security system triggers the Security Rule and can trigger certain breach notification requirements under Health Insurance Portability and Accountability Act (“HIPAA”) and Health Information Technology for Economic and Clinical Health Act (“HITECH”). This post will discuss the investigation needed to determine whether a breach has taken place, while the next post will discuss the necessary notifications in the event of a breach. More >

Lessons Learned from Recent Data Security Breaches, Part Two

In Tuesday’s post, I discussed how the recent data breaches at Anthem, Inc. and Target occurred. Today’s post will turn to the implications of these breaches under HIPAA/HITECH rules and what health providers can learn from them. More >

Lessons Learned from Recent Data Security Breaches, Part One

The recent series of security breaches at Target, Sony, Home Depot, and Anthem Inc. serve as stark reminders that all organizations, even the ones with most secure networks, face significant cybersecurity threats and challenges that could cause substantial financial costs and reputational damage. The Anthem security breach, in particular, should sound alarms about the need to improve the security of protected health information (“PHI”) for every covered entity. This week’s posts will discuss what health care providers can learn about preventing data breaches based on the breaches at Anthem and Target. More >

HIPAA and “Meaningful Use” Audits: Issues to Consider and How to Prepare

As more and more providers adopt electronic health records (“EHRs”) systems (and with new regulations concerning their required use for purposes of Medicare billing for chronic care management, their popularity can only continue to grow), a myriad of compliance issues continue to surround them. To that end, the federal government has stepped up auditing programs to ensure compliance with HIPAA/HITECH as well as making sure taxpayer money has been invested wisely through the Meaningful Use program. The bent of these audit programs is clearly along the lines that applicable covered entities and business associates should be preparing with a “when” mindset, rather than “if,” as these audits are going to happen. More >

What the Anthem Cyberattack Means for the Health Care Industry

Unfortunately, account hacks and data breaches are nothing new. Every day, we hear reports of hackers compromising networks and their protected data. When it happens on a massive scale to a powerful player in the health insurance industry, however, all health care entities should sit up and take note. On February 4, 2015, Anthem Inc. (“Anthem”), the second largest health insurance company in America, admitted that hackers compromised the company’s network and stole the information of up to 80 million customers. This may be the largest health-related data breach in history. More >

Reminder: Update Your “Grandfathered” HIPAA Business Associate Agreements Now!

In January 2013, the Department of Health and Human Services (“HHS”) published its Final Rule, which significantly increased the privacy and security responsibilities for the “business associates” of “covered entities,” as those terms are defined by HIPAA. A provision within the Final Rule mandated that all covered entities and their business associates revise their business associate agreements to reflect the new responsibilities. Specifically, a business associate must now, among other things: More >

Health Care Industry Familiar with HIPAA Breaches, Not So Much Hackers

Community Health Systems (“Community”), which operates 206 hospitals in 29 states, recently notified 4.5 million of its patients that online hackers had stolen personal data information from its systems in a period between April and June 2014. The data included names, addresses, birthdates, telephone numbers and Social Security numbers—all of which are protected under HIPAA. According to Community, the data did not include financial or medical information.

It has been reported that the hackers responsible for the attack are a group of cybercriminals from China that traditionally go after intellectual property, including medical device and equipment development data.  They used malicious software to obtain the data, which has since been removed by Community from the network. Further remedial efforts are already underway, including notifying affected patients and offering them identity theft protection services.

Hospitals should be accustomed to protecting data against privacy breaches as part of their HIPAA obligations, but outright cybertheft is a threat that many providers have not likely considered. The FBI, which is now investigating the Community incident, said in April that health care providers typically do not use the same high levels of security technology as companies in other industries (such as banking or retail). This makes providers an easy target for hackers. If a leading hospital system like Community can be breached, then hospitals of every size are at risk.

It is crucial that HIPAA-covered entities (and their business associates) understand and identify potential threats to their secured information. The importance of HIPAA risk analysis cannot be stressed enough; in fact, a risk analysis is required as the first step in HIPAA Security Rule compliance. While it may be impossible to build an impenetrable fortress of secured online information, it is evident that health care providers must continue to make it a top priority to protect patient records – both from HIPAA breaches and hackers.

Christopher J. Shaughnessy is a member at McBrayer law.  Mr. Shaughnessy concentrates his practice area in healthcare law and is located in the firm’s Lexington office.  He can be reached at cshaughnessy@mcbrayerfirm.com or at (859) 231-8780, ext. 1251. 

Services may be performed by others.

This article does not constitute legal advice.

Preparing for Round Two, Continued

Earlier this week, information about OCR Phase 2 HIPAA audits was provided. Today, let’s take a look at how to prepare if your entity is selected for an audit:

• Confirm that a recent comprehensive Risk Assessment has been completed and documented.
• Confirm that all action items identified in the Risk Assessment have received attention and have been completed (or are in the process of being completed).
• Verify that policies are up-to-date, including breach notification procedures, notice of privacy practices, and responses to patient requests.
• Ensure that a current list of business associates (and their contact information) is readily available.

Because Phase 2 does not consist of on-site visits, there will not be an opportunity for dialogue with auditors. Therefore, it is crucial to ensure that documentation alone shows a complete picture of an entity’s compliance efforts. All documents should be carefully reviewed, dated, and signed before turned over to an auditor. While providing extraneous information is not recommended, it is important to double-check that all requested and necessary information is submitted.

Phase 2 audits set to occur in 2016 will focus on the Security Standard’s encryption and decryption requirements, facility access controls, breach reports and complaints. It is never too early to start considering what protocols, training, and procedures will need to be implemented in anticipation of a possible audit related to these items.

In the event you are selected for a Phase 2 audit and have any questions about your responsibilities or what you can do to ensure a smooth process, contact a McBrayer healthcare attorney today.

Services may be performed by others.

This article does not constitute legal advice.