Practice Group Pays $125k to Settle HIPAA Claim

A Connecticut physician group recently agreed to pay $125,000 to settle a claim of “reckless disregard” for a patient’s privacy rights. The group contacted the local television station to give a statement about a dispute between its patient and one of its doctors. A reporter contacted the doctor, who “impermissibly disclosed the patient’s protected health information.” The Office of Civil Rights investigated and concluded that the doctor had shown “reckless disregard” after the doctor was instructed by the group’s privacy officer to respond with “no comment.” The group failed to discipline the doctor or take corrective action.

Take-home: while a patient has an unfettered right to disclose their private health information in public and to the media, a covered entity does not. There is no “media exception” to the Privacy Rule.

To read the report and corrective action plan, please click here.

Office of Civil Rights Issues Phishing Email Alert

On November 28, 2016, the Office of Civil Rights of the Department of Health and Human Services, the entity responsible for HIPAA administration, issued an alert about a potential “phishing” email scam. The email purports to come from OCR’s Director, Jocelyn Samuels, and targets employees of covered entities and business associates. The email appears legitimate and includes a link concerning the audit program. By clicking on the link, the user is redirected to a cybersecurity firm marketing website.

For those who may not be familiar with the term, “phishing” refers to an email that looks official or legitimate, but then redirects the person to an unaffiliated website. Common “phishing” emails mimic requests from credit card companies for personal information, auction sites for login information, and banks for updated privacy information. As always, if you have received an email that you did not expect and have questions about it, contact the alleged source directly to verify before opening.

FTC Issues New Guidance on HIPAA and FTC Act

On October 22, 2016, the FTC issued new guidance to all those subject to the HIPAA Privacy Rule, including “downstream” business associates. “Once you’ve drafted a HIPAA authorization, you can’t forget the FTC Act,” which prohibits deceptive or unfair acts or practices affecting commerce. According to the FTC, this includes the duty to avoid misleading others about what is happening with their health information. “Your business must consider all of your statements to consumers to make sure that, taken together, they don’t create a deceptive or misleading impression.” The FTC includes a “.com Disclosures report” for guidance on creating effective privacy practices disclosures. The FTC warns against inconsistent language in privacy practices disclosures and contradictions regarding when information may be displayed publicly.

Please click this link for more information:

The OCR Issues Guidance on Business Associates’ Blocking PHI

The Office of Civil Rights has issued a FAQ on this question: “May a business associate of a HIPAA covered entity block or terminate access by the covered entity to the protected health information (PHI) maintained by the business associate for or on behalf of the covered entity?” In answering “no,” the OCR explained that the business associate is limited to using the PHI in its possession by the terms of its agreement with the covered entity. In addition, the business associate cannot block the covered entity’s access to the PHI. For example, a business associate cannot use an embedded software “kill switch” to block access to electronic PHI because of a billing dispute with a covered entity.

Moreover, business associates are required under the Privacy Rule to ensure the integrity and availability of PHI in their possession. This includes on demand access by the covered entity. There is an exception for business associate arrangements that include data aggregation or combinations that ultimately destroy the source data in the possession of the business associates.

Bottom-line – business associates do not own the PHI in their possession. The PHI belongs to the individual but the business associate is responsible to the covered entity for maintaining the PHI in its possession or custody.

Please click here for more frequently asked questions.

Florida Outpatient Clinic Notifies Patients After Paper Records Fall Out of Truck

You can’t make this stuff up.

On December 19, 2015, Radiology Regional Center, an outpatient diagnostic facility, sent paper records of 480,000 to the incinerator for disposal. Apparently, the driver of the truck failed to lock the storage department door adequately before leaving. Along the way, the door opened and the patient records fell out of the truck. According to news sources, employees and physicians of Radiology Regional attempted to gather up all of the records. The employees returned to the scene two more times to look for any remaining records. Although it was believed the staff recovered all of the records, Radiology Regional notified 480,000 patients of the breach. In remediation, Radiology Regional moved its records disposal business to a different contractor.

Although the focus of most news reports is on electronic data privacy, this story is a good reminder of the importance of maintaining the privacy of tangible items as well. Visit our web page for more information about how we can help you.

For more information on Copeland, Stair, Kingma & Lovell’s Health Law & Regulation Update Blog, please click here.

Comprehensive Policies and Procedures and a Robust Response Mechanism Help to Protect Against Privacy Rule Violations

On January 13, 2016, an administrative law judge ordered physical therapy provider Lincare, Inc. to pay a civil monetary penalty of $239,800 for violating the Privacy Rule. The Office of Civil Rights claimed that a Lincare therapist put patient records and an emergency procedures manual containing private health information in her car. In general, given the nature of Lincare’s outpatient practice, this was not a problem. However, the therapist separated from her spouse and left the PHI in her car. Her estranged husband had access to the car. The husband reported that he had opened the car and found the PHI. Neither the therapist nor Lincare took any remedial measures.

The Office of Civil Rights brought an enforcement action and Lincare opposed. On cross-motions for summary judgment, the ALJ ruled that Lincare had violated the Privacy Rule and failed to respond and remediate. Please click here for the link to the ALJ ruling.

For all dealing with private health information, this case is an important reminder that even permissible uses of PHI can become Privacy Rule violations without comprehensive policies and procedures and a robust response mechanism. Visit our web page for more information about how we can help you.

For more information on Copeland, Stair, Kingma & Lovell’s Health Law & Regulation Update Blog, please click here.

Carlock Copeland Health Law and Regulation Update

logoHealth Law and Regulation Update

Copeland, Stair, Kingma & Lovell, a civil litigation firm, has a reputation for forceful, creative and cost-effective advocacy on behalf of its clients. Formed in 1970 with five attorneys operating out of a downtown Atlanta office, we now have over 80 civil litigation attorneys handling legal matters across the Southeast from offices in Atlanta, GA, Charleston, SC and Chattanooga, TN.