HHS Releases Bulletin: HIPAA Privacy in Emergency Situations

Generally, when you visit a healthcare facility or receive any health treatments, you expect a certain level of privacy. Patient privacy is protected by HIPAA, or the Health Insurance Portability and Accountability Act. However, the Department of Health and Human Services released a bulletin this month outlining situations when the privacy rules are not applicable.

Private health information is not protected when public health is at risk, when treatment of the individual patient requires it, and in other circumstances where disclosure is necessary. As an example, in the middle of a public health crisis, a healthcare provider may disclose critical information “to prevent or control the disease, injury, or disability.”

Although a provider must still be extremely careful not to over-disclose private information, the release will generally be protected if the provider complies with requests from Federal entities, such as the Centers for Disease Control. The provider can also disclose to other health providers for coordination of care, to family and friends who are involved in the treatment, to relief organizations such as the Red Cross, and potentially to media outlets.

© 2014 Parsonage Vandenack Williams LLC

For more information, Contact Us

Medical Providers Should Use Caution on Continued Use of Windows XP

Microsoft’s recent announcement that it will stop providing support for its Windows XP operating system could cause an increased HIPAA risk to certain medical providers. HIPAA generally requires medical providers to adequately safeguard their protected health information. One effect of Microsoft’s decision is that it will no longer help to ensure that users of XP are protected against new forms of hacking and malware. Therefore, medical providers using XP are at an increased risk of being attacked and possibly violating HIPAA. To help prevent this, medical providers using Windows XP should ensure that their anti-virus software and firewalls are current while beginning to look into upgrading their operating systems.

© 2014 Parsonage Vandenack Williams LLC


How Does HIPAA Affect My Business?

HIPAA was enacted to protect the privacy of an individual’s health information. The vast majority of HIPAA requirements apply to covered entities and business associates. A covered entity is an organization that transmits or produces protected health information. A business associate is an organization that carries out the functions of covered entities or otherwise receives health information from covered entities, for example, a billing company.

If you are a covered entity or business associate then you are subject to the HIPAA Privacy Rule which governs the use and disclosure of protected health information. You are also subject to the HIPAA Security Rule which governs how health information should be safeguarded.

Even if your company is not a covered entity or business associate there are certain aspects of HIPAA that you should be aware of. If your company offers employment benefit plans or health plans or otherwise has health information on your employees, then you should make sure that this information is not disclosed without the express permission of the employee. You should also make sure that this information is safeguarded and not allowed to be accessed by unauthorized personnel.

Finally, you should check state law, as states may supersede certain parts of HIPAA and apply their own requirements to your business.

© 2014 Parsonage Vandenack Williams LLC


Final HIPAA/HITECH Rule Released

HHS has recently released final rules modifying HIPAA under the HITECH Act. The rules make several changes for both providers and business associates. First, the regulations expand the definition of business associate. Thus, businesses need to figure out whether they are now subject to HIPAA. Business associates may face up to $1.5 million in fines per year if they do not comply with the new rules.

Providers will have to make several changes as well. The new rules give providers less flexibility to decide when to report a breach and restrict when PHI can be used for marketing. Providers must provide patients with records in electronic form on request. Also, they must revise their Notices of Privacy Practices. If providers do not comply, they will face harsher fines and new enforcement tools. Providers should start revising their business associate agreements, NPPs, and other policies to comply by September 23.

© 2013 Parsonage Vandenack Williams LLC

For more information, contact info@pvwlaw.com

Mobile Access to Health Documents Guide Published for Comment

Earlier this month, the Technical Committee of Integrating the Healthcare Enterprise released a guide to implementing access to health records via mobile devices.  IHE is a group of healthcare professionals with more than 500 member organizations worldwide focused on technological issues in healthcare practice.  The goal of the guide, titled Mobile Access to Health Documents, is to provide developers with an application programming interface designed to ensure secure access to health records on mobile platforms.  IHE is currently soliciting public comment on the guide.

Mobile Access to Health Documents may be a valuable tool for healthcare professionals in ensuring compliance with federal law. The Security Rule of the Health Insurance Portability and Accountability Act requires healthcare providers to meet a number of criteria to evaluate and implement safeguards on access to electronic protected health information. Since the risk of security breaches involving mobile technology used to access health documents is rapidly increasing, it is important for healthcare professionals to keep these developments in mind. Healthcare professionals should also review their technical safeguards to ensure compliance with HIPAA.

© 2012 Parsonage Vandenack Williams LLC


Reviewing Procedures for Breach of PHI

Despite clear compliance plans, annual training, and limiting access, there is still a chance your practice could experience a breach of protected health information (“PHI”). A “breach” means the use or disclosure of unprotected information that is not permitted by HIPAA and compromises the security and/or privacy of the PHI. Most practices allocate considerable resources towards preventing breaches, but it is a good idea to review procedures in case a PHI breach should occur.

  •  When a breach occurs, first gather information.  Determine what type of PHI was disclosed, who accessed it without authorization, and the number of patients exposed.
  •  Next, make every attempt to mitigate the damage.  Can you ensure that the breached PHI has been destroyed or will be returned?
  •  Third, provide the necessary notifications.  Patients must be notified no later than 60 days from when your practice knew or reasonably should have known of the breach.  To help expedite the notification process, make sure that your patient contact information remains current.
  •  Finally, review your practice’s compliance plan, training schedules, and access to PHI to help prevent a similar breach from occurring again.

© 2012 Parsonage Vandenack Williams LLC


HIPAA Business Associate Audits May Be On The Way

Business Associates (“BAs”) may be audited, in addition to covered entities, in 2012 audits by the Office for Civil Rights (“OCR”). OCR has a three-step audit program in progress. If the initial program “goes well” (whatever that means), then OCR will implement a full range of onsite audits and an evaluation process. BAs come into contact with significant amounts of protected health information. Because approximately 20% of HIPAA breaches involve BAs, consideration is being given to including BAs as audit targets.

© 2011 Parsonage Vandenack Williams LLC


Hospital to Pay $1 Million to Settle HIPAA Privacy Claims

The federal government has made clear that it is serious about enforcing the HIPAA Privacy and Security Rules.  Before HITECH’s data breach notification requirements were in place and being enforced, a Massachusetts General Hospital employee took documents containing protected health information (“PHI”) from her bag and placed them on the seat beside her while commuting on the subway. The documents were left on the subway and never recovered.  Unfortunately, the documents included PHI of 192 patients who had been treated in the hospital’s infectious disease practice, including HIV/AIDS patients. 

The hospital and its physicians’ organization have agreed to pay the federal government $1 million in fines related to the subway incident. The hospital has also agreed to develop a comprehensive new privacy policy to prevent patient information from being compromised in the future, which includes providing training to workers. The hospital is required to remit semi-annual compliance reports to the U.S. Dept. of Health and Human Services for the next three years.

“To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules,” HHS Office of Civil Rights Director Georgina Verdugo said in a statement. “A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.”

The settlement stems from a 2009 complaint from a patient whose personal health information was lost.

Source: Donnelly, Julie M. Boston Business Journal. 24 Feb. 2011.

© 2011 Parsonage Vandenack Williams LLC


Records Requests: Know What’s Legal

Mary Vandenack’s client advice regarding the HIPAA rules and medical records requests was recently featured in an article in Physician’s Practice by Keith Martin. 

The full article can be viewed at:


© 2010 Parsonage Vandenack Williams LLC
