Healthcare Entities Required to Post New Non-Discrimination Notice

The Patient Protection and Affordable Care Act (ACA) prohibits health care entities from discriminating on the basis of race, color, national origin, sex, age, or disability. The ACA prohibition on discrimination applies to covered entities, which means those healthcare entities that receive federal financial assistance through the Department of Health and Human Services (HHS). For example, a covered entity includes a physician or pharmacy that accepts Medicare or Medicaid, health insurers that offer a plan on the healthcare exchange, and any entity that offers a Medicare part D plan.

In an effort to enforce the non-discrimination law, HHS issued a new rule in May of 2016 that requires all covered entities to post new non-discrimination notices. Although the rule was finalized in May of 2016, health care entities had until October 16, 2016 to post a new notice of non-discrimination. The new notice must state that the health care entity does not discriminate, state that language assistance for the patient is available, and explain how an individual can file a discrimination complaint with HHS. The new notice is intended to decrease discrimination by helping consumers become more aware of their rights.

For further information or to find example HHS non-discrimination notices, visit the following link:
http://www.hhs.gov/civil-rights/for-individuals/section-1557/translated-resources/index.html

© 2016 Vandenack Weaver LLC
For more information, Contact Us

New HIPAA Rule Allows Mental Health Reporting to Federal Firearm Background Check System

by Matthew J. Effken

The Department of Health and Human Services is relaxing Privacy Rule provisions of the Health Insurance Portability and Accountability Act (HIPAA) to allow some covered entities to notify the National Instant Criminal Background Check System (NICS) about individuals who are prohibited from having a firearm for mental health reasons.  The NICS is a national database maintained by the FBI and used to conduct background checks for gun purchases.  Under the new rule, the only information that can be reported is the minimum necessary to identify persons who have been involuntarily committed to a mental institution or otherwise have been determined by a lawful authority to be a danger to themselves or others or to lack the mental capacity to manage their own affairs.

The new rule applies only to those HIPAA covered entities that have lawful authority to make mental health determinations that disqualify an individual from having a firearm, or that are designated NICS reporting entities under state law.  The only information that can be reported is limited identifying information, not diagnostic or clinical information.  The new rule does not apply to most treating providers.  The rule will primarily impact state agencies, boards and commissions outside the court system in states that do not already require that such information be provided to the NICS.

The new rule is effective February 5, 2016.  The text of the rule is available at https://federalregister.gov/a/2015-33181.

© 2015 Vandenack Williams LLC

$750,000 HIPAA Settlement Highlights the Importance of Risk Assessments under HIPAA

By Matthew J. Effken

The U.S. Department of Health and Human Services Office of Civil Rights (OCR) and The University of Washington Medicine (UW Medicine) recently announced an agreement to settle an OCR investigation into a self-reported HIPAA breach involving UW Medicine patient records.  The breach occurred when a UW Medicine staff member opened an e-mail attachment that contained malicious code, allowing outsiders to gain potential access to confidential patient information.  The information compromised included treatment and demographic information such as addresses, dates of birth and social security numbers for over 90,000 UW Medicine patients.

The settlement agreement states that UW Medicine had adopted HIPAA security policies and procedures, but had not assured that its affiliated entities had implemented such procedures.  UW Medicine also failed to conduct comprehensive risk assessments to identify and respond to potential security vulnerabilities.  The result was a $750,000 monetary penalty, plus a Resolution Agreement that requires at least two years of enhanced reporting to OCR.  UW Medicine also agreed to a reorganization of its compliance program.  Failure to comply with the Resolution Agreement may result in the imposition of additional monetary penalties.

OCR Director Jocelyn Samuels commented: “An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.  All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise.”

The Resolution Agreement is available on the OCR website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/uwm/index.html.

© 2015 Vandenack Williams LLC

Ensuring Compliance with the Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) requires physicians, healthcare providers, and all others that qualify as “covered entities” or “business associates” to comply with regimented patient privacy and security standards. Failure to fully comply with the law can result in an investigation by the Office for Civil Rights, leading to fines, penalties, and potential damages. This means the best solution for a covered healthcare entity is to proactively audit its HIPAA compliance. The following are some key topics that are important for HIPAA compliance.

Risk Assessments.  All covered entities and business associates must conduct periodic risk assessments to identify potential risks to protected health information from a variety of threats, including threats from the environment, such as long-term power loss, chemicals, or pollution. Other threats that must be included in the assessment are intentional and unintentional human data breaches, human error, and natural disasters, such as floods, tornadoes, and earthquakes. The risk assessment must include a variety of information and clearly delineate the risk and potential impact from specific threats. In conjunction with the identification of threats, the risk assessment must demonstrate and outline safeguards implemented to mitigate the potential risk from the identified threats.

Privacy and Security Standards.  An easily overlooked issue pertains to the different standards between the requirements of the HIPAA Privacy Rule and the HIPAA Security Rule.  The HIPAA Privacy Rule requires a covered healthcare provider to have specific policies and procedures for health information disclosure and to distribute a Notice of Privacy Policy to patients.  These requirements are separate from the policies and procedures required by the HIPAA Security Rule.  Policies and procedures under the Security Rule relate to physical premises security, data encryption, and other electronic protection measures. The HIPAA Security Rule and the Privacy Rule require separate and distinct policies and procedures and should be evaluated individually.

Ongoing Compliance. After HIPAA policies and procedures are adopted, ongoing compliance requirements must not be overlooked.  For example, HIPAA compliance activities must be recorded, and records demonstrating implementation must be kept. Compliance with the Security Rule and the Privacy Rule must be periodically reviewed, with policies and procedures updated as circumstances warrant.

HIPAA has many pitfalls that a healthcare provider may fall victim to, even when that healthcare provider is attempting to comply with the law. This underscores the importance of taking proactive steps to audit HIPAA compliance and even seek outside counsel where appropriate to prevent unintentional miscues.

© 2015 Houghton Vandenack Williams

Federal HIPAA Audits Set to Resume in Early 2016

By Matthew J. Effken

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has announced its intent to move forward with new HIPAA compliance audits in early 2016. The so-called “Phase 2” audits were originally scheduled to commence in 2014, but have been repeatedly delayed.  The OCR reportedly sent preliminary pre-screening surveys to several hundred potential audit targets earlier this year, but there has been no apparent activity since that time.

The upcoming round of audits will include both covered entities and business associates.  There will be a combination of on-site visits and desk audits.  Before the audits can begin, however, the OCR still needs to revise its HIPAA audit protocol and update its information systems to support the audit program.

The OCR’s announcement came in the wake of a highly critical report from the HHS Office of Inspector General (OIG) that highlighted various deficiencies in the OCR’s execution of its HIPAA oversight responsibilities.  Among the shortfalls noted in the report was the OCR’s failure to implement a permanent program of proactive HIPAA audits, as required by federal law. The OCR cited various obstacles, including limited resources, as having delayed the audit program.

The OIG report and the OCR response are available at the following link: http://oig.hhs.gov/oei/reports/oei-09-10-00510.pdf.

© 2015 Houghton Vandenack Williams

Potential Employer Requirements Due to Anthem, Inc. Data Breach

On February 4, 2015, Anthem Inc., one of the largest U.S. health insurers, notified the public that its data systems had been breached. This breach potentially left customer names, social security numbers, and other personal information exposed. Anthem Inc. has already seen a customer lawsuit filed in California over the breach, with many more expected.

Health plan participants that have been affected will be notified in compliance with federal law. However, as the investigation continues, it may place additional burdens on employers. Depending upon the nature of the breach, of which further details are expected soon, employers may have to issue breach notifications under the Health Insurance Portability and Accountability Act (HIPAA). Until it becomes clear what information was taken, the specific notification requirements are unclear. For example, a key question is whether protected health information was taken.

The obligations of each company will vary depending upon the type of health plan the employer offers. The requirements will become clearer once further information is released. Beyond the federal HIPAA requirements, 47 states have unique breach notification laws that may impose obligations.

If you have questions pertaining to how this may impact your requirements under the law, please contact Houghton Vandenack Williams for further information.

© 2015 Houghton Vandenack Williams

HHS Releases Bulletin: HIPAA Privacy in Emergency Situations

Generally, when you visit a healthcare facility or receive any health treatments, you expect a certain level of privacy. Patient privacy is protected by HIPAA, or the Health Insurance Portability and Accountability Act. However, the Department of Health and Human Services released a bulletin this month outlining situations when the privacy rules are not applicable.

Private health information is not protected when public health is at risk, when treatment of the individual patient so requires, and in other situations where disclosure may be necessary. As an example, in the middle of a public health crisis, a healthcare provider may disclose critical information “to prevent or control the disease, injury, or disability.”

Although a provider must still be extremely careful not to over-disclose private information, the release will generally be protected if the provider complies with requests from federal entities, such as the Centers for Disease Control. The provider can disclose to other health providers for coordination of care efforts, to family and friends who are involved in the treatment, to relief organizations such as the Red Cross, and potentially to media outlets.

© 2014 Parsonage Vandenack Williams LLC

Provider Preparation for Infectious Diseases

Most hospitals and health-care providers have protocols and procedures for contending with infectious diseases, including those creating public panic, such as the Ebola outbreak. However, when a new crisis hits, many of these protocols may have been forgotten or ignored. This was seen when the Nebraska Medical Center fired two health workers that treated an Ebola patient because they violated the Health Insurance Portability and Accountability Act (HIPAA). In light of a public health scare, maintaining current policy standards will help limit liability.

Beyond existing rules and regulations, with each specific outbreak, both federal and state agencies may update protocols and guidance to contend with the unique nature of that disease. As an example of outbreak-specific guidance, in response to Ebola, the Centers for Disease Control and Prevention (CDC) issued new guidance on personal protective equipment (PPE) for use in connection with the disease. Other guidance includes new Occupational Safety and Health Act (OSHA) standards, designed to protect the healthcare worker. The need for such guidance was seen at Texas Health Presbyterian Hospital in Dallas, when two nurses were infected with the disease. Failure to properly comply with newly issued, as well as existing, OSHA and CDC regulations may result in significant potential liability both to patients and workers.

Although many providers may believe they are properly equipped to handle potential Ebola patients, careful attention must be paid to the newest guidance and regulations, without forgetting existing policy. Failure to do so could result in significant civil liability. As the examples in Texas and Nebraska teach us, hospitals and health-care providers should take extra steps to limit their potential liability.


*CDC Guidance: http://www.cdc.gov/vhf/ebola/hcp/procedures-for-ppe.html and http://www.cdc.gov/vhf/ebola/pdf/hospital-checklist-ebola-preparedness.pdf

*OSHA Guidance: https://www.osha.gov/Publications/OSHA_FS-3756.pdf

© 2014 Parsonage Vandenack Williams LLC

OCR Offers Advice in Advance of Upcoming Audits

By M. Thomas Langan II

A senior advisor for the Office for Civil Rights (OCR) recently gave health care providers advice on how to prepare for an OCR audit.  Speaking at a HIPAA conference, the advisor said that a provider’s top obligation when audited is to prove that its facility has the proper privacy and security systems in place.  The main way to show this is by previously conducting a comprehensive risk analysis and correcting any shortcomings the analysis might find. The advisor did not provide any updates on when the audits will begin.

© 2014 Parsonage Vandenack Williams LLC

Medical Providers Should Use Caution on Continued Use of Windows XP

Microsoft’s recent announcement that it will stop providing support for its Windows XP operating system could cause an increased HIPAA risk to certain medical providers. HIPAA generally requires medical providers to adequately safeguard their protected health information.  One effect of Microsoft’s decision is that it will no longer be helping to ensure that users of XP are secure from new forms of hacking and malware.  Therefore, medical providers using XP are at an increased risk of being attacked and possibly violating HIPAA.  To help prevent this, medical providers using Windows XP should ensure that their anti-virus software and firewalls are current while beginning to look into upgrading their operating systems.

© 2014 Parsonage Vandenack Williams LLC