PHI

All posts tagged PHI

Genetic Testing HIPAA Warning: Legal Considerations

by admin on January 14, 2019

By: Jacqueline Bain

You might have recently received a holiday gift of a direct-to-consumer genetic testing kit from Ancestry.com or 23andMe.com (or any other number of companies). So exciting! In our melting pot society, one can’t help but be curious about where they come from and if they are more likely than any other person to be subject to any number of ailments.

Not so fast though! Before you swab yourself and send away your genes for testing, you might consider what you’re exposing yourself to. Direct-to-consumer genetic testing companies, which provide genetic testing directly to consumers without any intervening healthcare provider, are not bound by HIPAA. They are not considered “covered entities”, and therefore are not required to protect genetic information the way a hospital or your doctor would.


GDPR Compliance: Has Your Company Prepared for the Heightened Data Privacy Regulations?

by admin on June 6, 2018

“Protecting someone else’s data protects all of us.” Tim Cook, CEO of Apple

General Data Protection Regulation

By: Shobha Lizaso

We are in the age of electronic data and heightened data privacy. New laws to strengthen individuals’ privacy rights and to strengthen data protection are evolving worldwide. The General Data Protection Regulation (GDPR) establishes protections for the privacy and security of personal data about residents of the European Union. This new law affects US healthcare providers and organizations that provide services to residents of any of the EU countries, that collect data from EU residents or monitor EU residents through the use of cookies and the like, and practitioners involved in medical tourism programs and other clinical activities. GDPR imposes more restrictions on the collection, use, processing, storage, disclosure, and disposition of patient data than HIPAA does.

GDPR became effective on May 25, 2018, and there will not be a compliance grace period, so healthcare providers should meet with their healthcare technology attorney to determine whether they are subject to the GDPR, to update their online Terms of Use & Privacy Policies, and to audit internal data handling procedures to prevent any violations.


New HIPAA Guidance for Substance Abuse and Mental Health Information

by admin on January 5, 2018

By: Dave Davidson

In December 2016, the US Congress passed the 21st Century Cures Act, which, among other things, provided for increased funding for treatment and research of mental health and substance abuse disorders. That law also required the HHS Office of Civil Rights (OCR) to provide guidance on HIPAA compliance for those types of treatment. In October 2017, President Donald Trump declared the opioid addiction epidemic to be a public health emergency, which will also result in additional resources being allocated to addressing the crisis.

In connection with both the new law and the President’s declaration, OCR published its HIPAA guidance in December 2017. The guidance is intended to clarify how and when protected health information (PHI) can be shared in regards to patients in substance abuse and mental health treatment. According to OCR Director Roger Severino, “HHS is using every tool at its disposal to help communities devastated by opioids, including educating families and doctors on how they can share information to help save the lives of loved ones.”


Recent Settlements Show that not Understanding HIPAA Compliance Creates Risk for Breach

by admin on May 17, 2017

By: Susan St. John

In the last few months, settlements related to potential violations of HIPAA and the Security Rule have ranged from $31,000 to $5.5 million. The smallest settlement, $31k, was for potential HIPAA compliance violations related to one missing Business Associate Agreement (“BAA”) between a pediatric group and an ePHI records storage company that had come under the scrutiny of HHS’ Office of Civil Rights (“OCR”). The pediatric group had used the ePHI record storage company since 2003, yet could not locate or provide to the OCR a BAA signed prior to 2015. The outcome of the OCR’s compliance review indicates that internal risk analysis and risk management were not thoroughly undertaken.

The largest settlement reached was $5.5 million to be paid by Memorial Healthcare Systems (“MHS”) located in south Florida. MHS operates 6 hospitals, an urgent care center, a nursing home, and numerous ancillary healthcare facilities. Additionally, MHS is affiliated with physician offices through an Organized Health Care Arrangement. MHS experienced a breach that potentially compromised the ePHI of over 115,000 individuals, when impermissible access by its employees and impermissible disclosure to affiliated physicians occurred through the use of the login credentials of an affiliated physician’s former employee. Although MHS reported the breach and had policies and procedures in place related to HIPAA and the Security Rule, it had not implemented procedures for reviewing, modifying, and/or terminating users’ rights of access as required by HIPAA. Further, MHS failed to regularly review records of information system activity, in applications that maintain ePHI, by employees or workforce users or users at affiliated physician practices, even though MHS had identified such risk during risk analysis conducted from 2007 to 2012.


HIPAA Security Basics: Keeping your Medical Web-Based Business Compliant

by admin on May 16, 2017

By: Shobha Lizaso

Medical web-based businesses have been on the rise, while the number of HIPAA enforcement actions by the US Department of Health and Human Services (HHS) has risen exponentially as well. Since the beginning of this year, HHS has announced several large settlements with companies that failed to comply with HIPAA compliance requirements. For example, in January, HHS announced a $2.2 million settlement with a health insurance company when a breach resulted from a stolen portable USB device containing PHI. Also, in February, HHS announced a penalty of $3.2 million against a medical center for a breach that arose from the theft of an unencrypted laptop containing PHI. This enforcement activity is becoming the norm, so it is best to ensure that your medical website is legally compliant.

If you are handling any PHI on or through your website, you must ensure that your website is up to speed with HIPAA compliance. Here are some recommendations to address the security and privacy of PHI that your website may manage (please note that this is not a comprehensive list):


HIPAA Compliance: Docs, You’ve Been Hacked. What’s Next?

by admin on August 11, 2016

By: Jacqueline Bain

Healthcare providers have heard the HIPAA disaster stories: a laptop containing patient information is left on the counter at the coffee shop; a thumb drive with patient files goes missing; a rogue employee accesses patient information she has no business accessing; hackers get into a practice’s server and hold the patient information for ransom.

HIPAA is a federal law designed to govern the safe disclosure of patients’ protected health information. The news headlines showcase giant penalties for violations. However, Florida healthcare providers should also know that Florida has its own consumer protection statute, called the Florida Information Protection Act. So while you’re busy worrying about your HIPAA exposure in any of these situations, remember that there is potential state exposure as well.

So what should a healthcare provider do if it believes there has been a hack or some other unauthorized disclosure? Responses vary based on the situation presented, but below is a good jumping-off point:


HIPAA Stings Dermatology Practice

by admin on January 8, 2014

The US Department of Health and Human Services, Office of Civil Rights, is the chief enforcer of HIPAA. The Office’s recent enforcement of HIPAA against a Massachusetts dermatology practice illustrates how the government views HIPAA and how vulnerable medical practices are.


Final Privacy Rule Affects Clinical Research Organizations

by admin on February 13, 2013

The final HITECH Act rule was published on January 25th, and it includes revisions to HIPAA. The two things affected by the new rule are (1) compound authorizations, and (2) authorizations for future research.

Compound authorizations are basically authorizations for two separate uses of protected health information (PHI). The new rule allows combining an authorization for a research study with any other written permission for the same study, such as authorization to participate in the research. The core elements of a valid authorization remain in place. The intent is just to provide some flexibility in clinical research settings.

Traditionally, authorizations had to be study specific. The new rule allows authorizations not to be study specific, but they have to describe future uses or disclosures in a way that patients will understand that their PHI could be used in future research.
