Category:

Facility Visitors, Religious Freedom, and COVID-19

November 6th, 2020 by

fhlf hospital visiting rights during covidBy: David Davidson

The COVID-19 pandemic has presented hospitals and health care facilities with challenges that go beyond providing comprehensive care to patients suffering from the virus.  One of the most common challenges is how to handle patient visitors.  Denying or limiting visitors could be seen as a violation of patient rights, and denying access to a visit by clergy could rise to the level of religious discrimination.  After receiving a number of complaints in this regard, the HHS Office of Civil Rights (OCR) recently provided some technical assistance to two hospitals that faced this issue.

In the first case, a COVID-positive patient in a Maryland hospital was separated from her newborn son.  Shaken by the separation, the patient requested that a priest be permitted to visit the baby, so he could baptize the child. But the hospital had instituted a ban on all hospital visitation in response to the pandemic, so the request was denied. read more

The Top 5 Legal Concerns When Developing a Healthcare App

June 10th, 2020 by

creating a healthcare appBy: Steven Boyne

Today no one can live without a smart phone, and we interact with the rest of the world through a series of apps that reside on our handheld devices.  From the healthcare perspective many large healthcare institutions and private companies have developed a myriad of healthcare related apps that currently reside in Apple’s App Store and  Googles Play Store.  You can measure your heart rate, get clinical advice, view your records, check on your health insurance coverage, make appointments and virtually interact with many different types of healthcare providers.  But even in today’s hyper-electronic society it took COVID-19 to really cause an explosion in telehealth, so what does that tell us?  There is a lot more room for expanding electronic interactions with patients and clients through Apps.  So, here are the top five legal concerns should you address when you develop a Healthcare App: read more

Avoiding HIPAA Violations During COVID-19

May 27th, 2020 by

telehealth laws after covid-19By: Steven Boyne

The COVID-19 virus has and will probably continue to change the way healthcare providers and business associates interact and help their patients. As many providers are aware, a HIPAA violation is a serious issue, and can cost a healthcare entity large amounts of time and money to respond to any regulatory investigation. Recognizing that the COVID-19 pandemic has strained every corner of the economy and is THE MOST IMPORTANT issue for almost every industry, the federal government has rolled back some HIPAA protections. It is unclear how long these rollbacks will last, and it is possible that some of them may be permanent, but for now healthcare providers and their business associates can take some comfort that they can focus on delivering care and not dealing with overly burdensome regulations and investigations. The major changes include:

  • Telehealth. Changes include allowing physicians and other healthcare providers to offer telehealth services across State lines, so State licensing issues should not be a concern. Additionally, Providers are essentially free to choose almost any app to interact with their patients, even if it does not fully comply with the HIPAA rules. The HHS allows the provider to use their business judgment, but of course, such communications should NOT be public facing – which means DO NOT allow the public to watch or participate in the visit!
  • Disclosures of Protected Health Information (PHI). A good faith disclosure of such information will not be prosecuted. Examples include allowing a provider or business associate to share PHI for such purposes as controlling the spread of COVID-19, providing COVID-19 care, and even notifying the media, even if the patient has not, or will not grant his or her permission.
  • Business Associate Agreement (BAA). As most healthcare providers know, a BAA agreement between a provider and an entity that may have access to PHI is required by law. During the COVID-19 pandemic, the lack of a BAA is not an automatic violation.

read more

The Risk Of Not Paying Attention to HIPAA Violations

October 30th, 2019 by

HIPAA, HIPAA violations, HIPAA compliance

By Jacqueline Bain

On October 23, 2019, the U.S. Department of Health and Human Services has imposed a civil money penalty of over $2 million against Jackson Health System in Florida for repeated HIPAA violations.

The HIPAA violations mentioned in the HHS Press Release include:
1-Loss of paper patient records in December 2012;
2-Loss of additional paper patient records in January 2013;
3-A media report containing patient information (a photo shared on social media);
4-Employees accessing the information of one patient without a job related purpose;
5- An employee’s improper access and sale of patient records in 2011.

“OCR’s investigation revealed a HIPAA compliance program that had been in disarray for a number of years,” said OCR Director Roger Severino. The state of the compliance program allowed for the failure of several HIPAA requirements, including provision of timely and accurate HIPAA breach notifications, performance of regular risk assessments, investigation of identified risks, audits of system activity records, and imposing appropriate restrictions on workforce members’ access to patient information. The government’s final determination is available here.

When a HIPAA breach is discovered and reported, the government will often take the time to review a covered entity’s history of compliance or non-compliance. This may include an investigation into prior issues, effectiveness of policies and procedures, and employee issues. Overlooking one suspected breach may result in the imposition of sanctions on any later breach. This is why it’s so important for a healthcare business to understand its HIPAA obligations and take them seriously.

When was the last time your business conducted a security risk assessment to understand its potential risk areas for security breaches? If you’ve never had one, or haven’t had one recently, the time is now to conduct one. “When was your last security risk assessment?” is often the first thing that the government will ask in response to a breach.

Federal fines for noncompliance with HIPAA are based on the level of negligence perceived by the Federal government at the time of the breach. Fines and penalties range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million. Simply put, your healthcare business can’t afford to bury its head and hope that it won’t be hit.

Genetic Testing HIPAA Warning: Legal Considerations

January 14th, 2019 by

genetic testing hipaaBy: Jacqueline Bain

You might have recently received a holiday gift of a direct-to-consumer genetic testing kit from Ancestry.com or 23andMe.com (or any other number of companies). So exciting! In our melting pot society, one can’t help but be curious about where they come from and if they are more likely than any other person to be subject to any number of ailments.

Not so fast though! Before you swab yourself and send away your genes for testing, you might consider what you’re exposing yourself to. Direct-to-consumer genetic testing companies, which provide genetic testing directly to consumers without any intervening healthcare provider, are not bound by HIPAA. They are not considered “covered entities”, and therefore not required to use the same protections for genetic information the way a hospital or your doctor would. read more

GDPR Compliance: Has Your Company Prepared for the Heightened Data Privacy Regulations?

June 6th, 2018 by

“Protecting someone else’s data protects all of us.” Tim Cook, CEO of Apple

General Data Protection Regulation

By: Shobha Lizaso

We are in the age of electronic data and heightened data privacy. New laws to strengthen individuals’ privacy rights and to strengthen data protection are evolving worldwide. The General Data Protection Regulation (GDPR) establishes protections for the privacy and security of personal data about residents of the European Union. This new law affects US healthcare providers and organizations that provide services to residents of any of the EU countries, that collect data from EU residents or monitors EU residents through the use of cookies and the like, and practitioners involved in medical tourism programs and other clinical activities. GDPR imposes more restrictions on the collection, use, processing, storage, disclosure, and disposition of patient data than HIPAA.

GDPR became effective on May 25, 2018, and there will not be a compliance grace period, so healthcare providers should meet with their healthcare technology attorney to determine whether they are subject to the GDPR, to update their online Terms of Use & Privacy Policies, and to audit internal data handling procedures to prevent any violations. read more

New HIPAA Guidance for Substance Abuse and Mental Health Information

January 5th, 2018 by

HIPAA PHIBy: Dave Davidson

In December 2016, the US Congress passed the 21st Century Cures Act, which, among other things, provided for increased funding for treatment and research of mental health and substance abuse disorders.  That law also required the HHS Office of Civil Rights (OCR) to provide guidance in regards to HIPAA compliance in regards to those types of treatment.  In October 2017, President Donald Trump declared the opioid addiction epidemic to be a public health emergency, which will also result in additional resources being allocated to addressing the crisis.

In connection with both the new law and the President’s declaration, OCR published its HIPAA guidance in December 2017.  The guidance is intended to clarify how and when protected health information (PHI) can be shared in regards to patients in substance abuse and mental health treatment.  According to OCR Director Roger Severino, “HHS is using every tool at its disposal to help communities devastated by opioids, including educating families and doctors on how they can share information to help save the lives of loved ones.” read more

HIPAA Security Basics: Keeping your Medical Web-Based Business Compliant

May 16th, 2017 by

By: Shobha Lizaso

Medical web-based businesses have been on the rise, while the number of HIPAA enforcement actions by the US Department of Health and Human Services (HHS) has risen exponentially as well. Since the beginning of this year, HHS has announced several large settlements with companies that failed to comply with HIPAA Compliance requirements. For example, in January, HHS announced a $2.2 million settlement with a health insurance company when a breach resulted from a stolen portable USB device containing PHI. Also, In February, HHS announced a penalty of $3.2 million against a medical center for a breach that arose from a theft of an unencrypted laptop containing PHI. This enforcement activity is becoming the norm, so it is best to ensure that your medical website is legally compliant.

If you are handling any PHI on or through your website, you must ensure that your website is up to speed with HIPAA compliance. Here are some recommendations to address the security and privacy of PHI that your website may manage (please note that this is not a comprehensive list): read more

Healthcare Trade Secrets: How to Protect Your Practice’s Trade Secrets

November 8th, 2016 by

dreamstimemaximum_51887081-flipBy: Shobha Lizaso

“Prevention is better than cure” is a maxim that has reigned in the healthcare industry for thousands of years; however, this phrase echoes through the halls of the legal profession as well.

Healthcare practices often neglect to appreciate the value of their confidential information as assets and the need to protect these assets. Although HIPAA and HITECH compliance aids in maintaining the confidentiality of patient records, it does not protect a provider’s trade secrets.

Trade secrets of a healthcare practice may include any of the following: patient lists, financial information, contract rates, contract terms client lists, collection rates, marketing tactics, pricing/discount information, and methods of doing business. If leaked, this information may be used by competitors to secure advantages over a healthcare practice. For example, patient lists could be used to solicit a practice’s patients or contract rates and terms can be used by a competitor to undercut the rates of a practice. read more

HIPAA Compliance: Docs, You’ve Been Hacked. What’s Next?

August 11th, 2016 by

HIPAABy: Jacqueline Bain

Healthcare providers have heard the HIPAA disaster stories: a laptop containing patient information is left on the counter at the coffee shop; a thumb drive with patient files goes missing; a rogue employee accesses patient information she has no business accessing; hackers get into a practice’s server and hold the patient information for ransom.

HIPAA is a federal law designed for safe disclosure of patient’s protected health information.  The news headlines showcase giant penalties for violations.  However, Florida healthcare providers should also know that Florida has its own consumer protection statute, called the Florida Information Protection Act.  So while you’re busy worrying about your HIPAA exposure in any of these situations, remember that there is potential State exposure as well.

So what should a healthcare provider do if it believes there has been a hack or some other unauthorized disclosure?  Responses vary based on the situation presented, but below is a good jumping off point: read more