A look over the Office for Civil Rights’ recent HIPAA actions reveals why privacy and security safeguards are a must for medical practices.
It is difficult to believe that another year is about to end. Given the emphasis by Office for Civil Rights (OCR) on HIPAA items, it is only fitting that the year is closed out with some recent HIPAA highlights.
The Department of Health and Human Services (HHS) OCR published a Request for Information (RFI) in the Federal Register (83 Fed. Reg. 64302) on Dec. 14. Specifically, HHS is opening up the floor to the public on various aspects of the HIPAA Privacy Rule and Security Rule, which may impede the coordination of care. This request is a bit perplexing, as 45 CFR § 164.506 expressly defines “uses and disclosures to carry out treatment, payment, or healthcare operations.” Specifically, Section 164.506(c), which was last modified in the Omnibus Rule (78 Fed. Reg. 5566, 5698) states the following:
Implementation specifications: Treatment, payment, or healthcare operations.
Physicians should also take note that a covered entity may be a business associate of another covered entity. However, just because information is shared between two separate covered entities does not mean that the obligation to comply with the Privacy Rule and Security Rule ceases to exist. In fact, it is imperative that due diligence is conducted and that a business associate agreement (BAA), Data Use Agreement or Privacy and Security Agreement is executed. Failing to take these measures could be costly in the event of a breach.
The breach brings us to another recent action at the OCR: a settlement with Advanced Care Hospitalists PL (ACH), an entity that provides contracted internal medicine physicians to hospitals and nursing homes in Florida. ACH contracted with an individual who represented himself as a representative of a Florida-based company named Doctor’s First Choice Billings, Inc. However, the individual who provided medical billing services to ACH using First Choice’s name and website did so without knowledge or permission.
A local hospital eventually notified ACH that PHI was available on a website. OCR fined ACH $500,000 after discovering that it had never entered into a BAA or implemented the requisite technical, administrative, and physical safeguards as outlined by the Security Rule.
In sum, HIPAA is a topic to continue to watch. Physicians and other entities alike should put the required annual risk assessment at the top of their 2019 New Year’s resolutions.
Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.