Provider Preparation for Infectious Diseases

Most hospitals and health-care providers have protocols and procedures for contending with infectious diseases, including those that create public panic, such as the Ebola outbreak. However, when a new crisis hits, many of these protocols may have been forgotten or ignored. This was seen when the Nebraska Medical Center fired two health workers who treated an Ebola patient because they violated the Health Information Portability and Accountability Act (HIPAA). In light of a public health scare, maintaining current policy standards will help limit liability.


Beyond existing rules and regulations, with each specific outbreak, both federal and state agencies may update protocols and guidance to contend with the unique nature of that disease. As an example of outbreak-specific guidance, in response to Ebola, the Center for Disease Control and Prevention (CDC) issued new guidance on personal protection equipment (PPE) for use in connection with the disease. Other guidance includes new Occupational Safety and Health Act (OSHA) standards, designed to protect the healthcare worker. This was seen at Texas Health Presbyterian Hospital in Dallas, when two nurses were infected with the disease. Failure to properly comply with newly issued, as well as existing, OSHA and CDC regulations may result in significant potential liability both to patients and workers.


Although many providers may believe they are properly equipped to handle potential Ebola patients, careful consideration must be paid to the newest guidance and regulations, without forgetting existing policy. Failure to do so could result in significant civil liability. As the examples in Texas and Nebraska teach us, hospitals and health-care providers should take extra steps to limit their potential liability.


*CDC Guidance:

*OSHA Guidance: 

© 2014 Parsonage Vandenack Williams LLC

For more information, Contact Us

Medical Providers Should Use Caution on Continued Use of Windows XP

Microsoft’s recent announcement that it will stop providing support for its Windows XP operating system could cause an increased HIPAA risk to certain medical providers. HIPAA generally requires medical providers to adequately safeguard their protected health information. One effect of Microsoft’s decision is that it will no longer be helping to ensure that users of XP are secure from new forms of hacking and malware. Therefore, medical providers using XP are at an increased risk of being attacked and possibly violating HIPAA. To help prevent this, medical providers using Microsoft XP should ensure that their anti-virus software and firewalls are current while beginning to look into upgrading their operating systems.

© 2014 Parsonage Vandenack Williams LLC


Hospital to Pay $1 Million to Settle HIPAA Privacy Claims

The federal government has made clear that it is serious about enforcing the HIPAA Privacy and Security Rules.  Before HITECH’s data breach notification requirements were in place and being enforced, a Massachusetts General Hospital employee took documents containing protected health information (“PHI”) from her bag and placed them on the seat beside her while commuting on the subway. The documents were left on the subway and never recovered.  Unfortunately, the documents included PHI of 192 patients who had been treated in the hospital’s infectious disease practice, including HIV/AIDS patients. 

The hospital and its physicians’ organization have agreed to pay the federal government $1 million in fines related to the subway incident. The hospital has also agreed to develop a comprehensive new privacy policy to prevent patient information from being compromised in the future, which includes providing training to workers. The hospital is required to remit semi-annual compliance reports to the U.S. Dept. of Health and Human Services for the next three years.

“To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules,” HHS Office of Civil Rights Director Georgina Verdugo said in a statement. “A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.”

The settlement stems from a 2009 complaint from a patient whose personal health information was lost.

Source: Donnelly, Julie M. Boston Business Journal. 24 Feb. 2011.

© 2011 Parsonage Vandenack Williams LLC
