The proposed changes to the HIPAA Privacy Rule include strengthening individuals’ rights to access their own health information, including electronic information; improving information sharing for care coordination and case management for individuals; facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; enhancing flexibilities for disclosures in emergency or threatening circumstances, such as the Opioid and COVID-19 public health emergencies; and reducing administrative burdens on HIPAA covered health care providers and health plans, while continuing to protect individuals’ health information privacy interests.
According to the U.S. Department of Health & Human Services’ Breach Portal, sometimes called the “Wall of Shame,” 418 breaches of HIPAA were reported in 2019. Some 34.9 million Americans had their protected health information (PHI) compromised. How is this still happening?
Healthcare companies and practices make the biggest mistake by believing human behavior can be perfect all the time. … [R]esulting from this assumption about human behavior, healthcare providers cheap out and refuse to pay for sufficient security measures for their network. A cheap security system may not contain proper firewalls and leave devices vulnerable, while wholly unencrypted devices can be a nightmare. Healthcare employees leave their cell phones, laptops, or iPads in their vehicles while they run out for coffee or to the grocery. And what happens next? The vehicles are broken into, and PHI is at risk.
I think there is another erroneous assumption that employers make: they assume their business model will continue to be the same.
It is so easy, when putting a deal together, to come up with workflows and policies that make the deal compliant. But as time goes on, the business model shifts, even slightly, in a way that makes the previous workflow and policy no longer compliant.
As a result, as part of their ongoing Compliance Program, Covered Entities should routinely audit their HIPAA Privacy and Security standards to ensure they are evolving with their business.
Source: Ways your Healthcare Company is Breaking the Law — Without Realizing it
In an effort to provide additional relief to a health care system strained by the COVID-19 pandemic, the Office of the National Coordinator for Health IT (“ONC”) released an Interim Final Rule with Comment Period (“IFC”) on October 29, 2020 that extends the compliance dates under the 21st Century Cures Act Interoperability, Information Blocking, and ONC Health IT Certification Program Final Rule (the “Final Rule”) and offers some technical corrections and clarifications.
Of particular interest to health care providers, health IT developers and health information networks and exchanges, the IFC extends for five months (from November 2, 2020 to April 5, 2020) the deadline to comply with the Final Rule’s information blocking provisions. The Final Rule also extends the compliance timeframes to meet the updated 2015 Edition Health IT certification criteria, and the Conditions and Maintenance of Certification requirements under ONC’s Health IT Certification Program.
Riverside Psychiatric Medical Group (“RPMG”) has agreed to take corrective actions and pay $25,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. RPMG, based in Riverside, California, is a group practice specializing in child and adolescent psychiatry, geriatric psychiatry, neuropsychiatry, psychology, and substance use disorders.
OCR received a complaint from a patient alleging that RPMG failed to provide her a copy of her medical records despite multiple requests to RPMG beginning in February 2019. Shortly after receiving the complaint, OCR provided RPMG with technical assistance on how to comply with the HIPAA Right of Access requirements and closed the matter. In April 2019, however, OCR received a second complaint alleging that RPMG still had not provided the complainant with access to her medical records.
“When patients request copies of their health records, they must be given a timely response, not a run-around,” said OCR Director Roger Severino.
Source: OCR Settles Tenth Investigation in HIPAA Right of Access Initiative
My wife works as an Administrative Assistant at a local private school. As you might expect, they take very seriously their responsibility to help stop the spread of COVID-19 in the community. As part of their efforts, they require students who were in direct contact with persons diagnosed with COVID-19 to quarantine at home, away from the other students.
The school does a good job of communicating with parents. They send out regular email with statistics on the number of students or faculty diagnosed with COVID-19 and the numbers currently quarantining. Of course, they don’t disclose any names or other identifying information because of privacy concerns.
As a school, are they legally not allowed to disclose that kind of information, or are they refraining because of a more general concept of privacy?
That question is not so easy to answer because it depends on the interplay of two federal statutes — HIPAA and FERPA. Most people know that HIPAA covers the privacy of medical records. The Family Educational Rights and Privacy Act (FERPA), on the other hand, protects the privacy of student educational records. One or the other, or neither, applies to a given school.
As a general rule, HIPAA does not apply to schools. HIPAA applies to health care providers who exchange electronic information, health plans, and health information clearinghouses. Even if the school has a nurse on-site, it is usually not considered a health care provider. There are certain exceptions, but they are not common. For instance, a school that provides health care to students in the normal course of business, such as through its health clinic, is also a “health care provider” under HIPAA. However, many schools that meet the definition of a HIPAA covered entity do not have to comply with the requirements of the HIPAA Rules because the school’s only health records are considered “education records” or “treatment records” under FERPA.
FERPA is a Federal law that protects the privacy of students’ “education records.” FERPA affords parents certain rights regarding their children’s education records maintained by educational agencies and institutions and their agents to which FERPA applies. These include the right to access their children’s education records, the right to seek to have these records amended, and the right to provide consent for the disclosure of personally identifiable information (PII) from these records, unless an exception to consent applies.
FERPA applies to educational agencies and institutions that receive Federal funds under any program administered by the U.S. Department of Education. An educational agency or institution subject to FERPA may not disclose the education records, or PII from education records, of a student without the prior written consent of a parent or the student, unless an exception applies.
Private and religious schools at the elementary and secondary levels generally do not receive funds from the U.S. Department of Education and are, therefore, not subject to FERPA. Neither will HIPAA apply unless one of the uncommon exceptions exists. Of course, private schools should still be mindful of the privacy of their students and just because HIPAA or FERPA does not apply does not mean the school should make those disclosures. However, private schools do have more flexibility in handling these situations than do most public institutions.
Source: Joint Guidance on the Application of FERPA and HIPAA to Student Health Records
Regulatory bodies continue to impose severe penalties on covered entities who fail to protect patient data from unauthorized disclosure.
Community Health Systems, Inc. recently settled claims with the HHS Office for Civil Rights resulting from a 2014 data breach that exposed personal information of approximately 6.1 million patients for $2.3 million.
But settlement with the federal government does not necessarily end the matter as such large-scale data breaches likely implicated state law.
On October 8, 2020, the New Jersey Attorney General announced a multi-state settlement involving 28 participating states for a total of $5 million.
These cases are in contrast to penalties imposed on providers who fail to give patients access to their own records, such as the recent $160,000 fine imposed on Dignity Health.
Sources: Community Health Systems, Inc. Settles for $5 M in Multi-State Settlement; Dignity Health Settles with OCR for $160,000 for Failing to Provide Access to Records