Tag Archive for: HIPAA

HIPAA, enacted in 1996 and evolving ever since, continues to be a very real compliance concern for healthcare providers. As an example, last year HHS collected $28.7 million from providers of healthcare services and payers for responses to HIPAA data breaches that HHS considered inadequate.

According to Modern Healthcare, this is $5.2 million over the prior high for settlements and penalties, reported in 2016. The data for 2018 may be skewed by the $16 million settlement by Anthem for a breach involving approximately 79 million people. That breach occurred in 2015, and the settlement was record-setting for the Office for Civil Rights.

Changes being discussed by HHS include the possibility of sharing a percentage of civil monetary penalties or monetary settlements with affected individuals; revisions to HIPAA rules that facilitate the additional information demanded by coordinated care, outcome-focused care and value-based payments; and reconciliation of behavioral health care’s 42 CFR Part 2 rules with HIPAA.

In this article, Oklahoma City healthcare attorney Mary Holloway Richard discusses GDPR, a newly enforced EU privacy law, and what it means for businesses in America.

Q: What is the General Data Protection Regulation (GDPR)?

A: It’s a law regulating data protection and privacy for all individuals within the European Union (EU). It gives control to individuals over their personally identifiable information. It both standardizes the requirements throughout the EU and bolsters protections available to individuals amid well-publicized, costly data breaches in Europe. It’s a regulation rather than a directive, which means national governments within the EU don’t have to pass enabling legislation for these requirements to be effective. Rather, the regulation is directly binding on the members of the EU. The spirit of the General Data Protection Regulation also is embodied in recent legislation in the United Kingdom, providing consistency across Europe even though the U.K. withdrew from the EU effective in March. The regulation, passed two years ago, became effective May 22. Because of the length of time between passage and enforcement, there’s no transitional or grace period before compliance is required.

Q: How is this relevant to American businesses?

A: In certain circumstances, the GDPR also applies to organizations and other businesses based outside of the EU if they collect and/or process personally identifiable information located within the EU. For example, U.S. companies offering a website to market their products or services to individuals within the European Community or scientific concerns actively engaged in recruiting individuals within the European Community to be subjects in clinical trials are required to comply. It’s important for such commercial concerns to act quickly to determine if they are covered by the General Data Protection Regulation as processors of data or collectors of such data from individuals within the EU. Concerned about the potential burden of compliance on foreign businesses, some international websites have taken steps to block EU users on the effective date, thereby removing the need to comply and ensuring against potential liability under the regulation. USA Today’s international website redirected users to simplified sites limited in scope. Other U.S. newspapers with European editions made them temporarily unavailable to readers in the EU. In another example of responses by U.S. companies, Instapaper, a read-it-later app, temporarily shut off access to European users to allow sufficient time for compliance.

Q: What type of data is protected by the General Data Protection Regulation and how’s it protected?

A: Personally identifiable information is anything that allows a living person to be identified directly or indirectly. Such data elements include name, email and home addresses, medical information, bank or other financial information, computer IP address and photos. Businesses involved in processing or collecting data must appoint a data processing officer, who is similar to a compliance officer with special information technology proficiency in managing and securing personal and sensitive data, as well as a local representative for the company. Individuals have the right to the portability (access) of their stored data, erasure of data in certain circumstances, the right to file complaints with the data processing authority and the right to contest automated decision-making made on a solely algorithmic basis. Data breaches must be reported in a manner similar to the Health Insurance Portability and Accountability Act of 1996 and its amendments (HIPAA).

Q: You mentioned HIPAA. Is informed consent required for American businesses engaged in business in Europe similar to that required for HIPAA?

A: Personally identifiable information may be lawfully processed under the General Data Protection Regulation with informed consent or with a legal basis for doing so, which ranges from the legitimate interests of the entity collecting the data or of a third party, performing a task under official authority in the public’s interest, compliance with the controller’s legal obligation, fulfillment of a contract with a data subject, and protection of the vital interests of a data subject or another person. There are some similarities to the HIPAA informed consent and the various exceptions to the consent requirement, including the requirements of clarity and the opportunity to withdraw consent. As with HIPAA, individuals must be apprised of their privacy rights and their ability to withdraw consent at any time under the General Data Protection Regulation.

Q: Are there exceptions or limitations to an individual’s right of access to information?

A: Limitations to disclosure and the individual’s right of access to protected data exist for overriding interests such as national security. Further, in recognition of the importance of providing health care across country boundaries and clinical research to fight disease, the General Data Protection Regulation doesn’t apply to statistical and scientific analyses. A recognition of the need to maintain the integrity of clinical research resulted in the limitation of the erasure right of the individual. The strengthened data protections of the General Data Protection Regulation are limited in the face of requirements of good science although companies engaging in clinical research, including patient recruitment in the EU, will need to evaluate their data compliance plans considering the requirements of the newly enforced law. In addition, the General Data Protection Regulation doesn’t apply to data related to employer-employee relationships.

Published: 7/20/18

In this article, Oklahoma City healthcare attorney Mary Holloway Richard discusses how safeguarding patients’ electronic health information is an employment matter and how companies can enact HIPAA rules with their employees.

Q: In preparation for an employee or other members of a health care company’s workforce quitting, what preventive steps can be taken to ensure that patients’ health information is protected?

A: Two particular measures are critical to health care providers, in their role as employers, to protect the private patient information. Those are preparation and training. First, advance preparation is essential. Administrative, technical and physical safeguards are mandated by HIPAA (the Health Insurance Portability and Accountability Act) and its amendments, and just as we recommend with regard to all types of health care compliance and regulations, a compliance plan should be in place to provide security for protected health information electronically maintained. The person responsible for a health care practice or company’s IT should perform periodic risk assessments, and sufficient access termination procedures should also be in place. Second, an important part of prevention is proper training. Just as we recommend preparation to respond to identity theft, employers must identify the individuals responsible for safeguarding electronically maintained protected health information and responding to a breach, and provide them with appropriate training. Since health care is such a labor-intensive industry, a high rate of personnel turnover requires proportionate re-training and monitoring of employees regarding compliance with privacy and other regulatory requirements.

Q: You mentioned termination procedures — what procedures provide effective deterrents to unauthorized use or access to electronically maintained protected health information in such situations?

A: As a part of an overall separation procedure, there are some critical checkpoints along the way. Health care providers/employers are advised to standardize the process and create a checklist of steps to be taken when an individual leaves. Document that these steps have been taken, including the return of any company equipment. Next, if the company or practice is large enough to have departments, it is important to quickly alert the department or staff members responsible for changing access to electronically maintained protected health information, deactivating or deleting user accounts and monitoring access. Also, after these and other important steps are carried out, I recommend a post-termination audit to verify that all necessary steps to cut off access to electronically maintained protected health information have been taken.

Q: What steps must be taken to terminate access to electronically maintained protected health information?

A: Such steps, in addition to terminating user accounts and reclaiming computers, laptops, iPads and cellphones, should include terminating access to the physical space, which may require changing locks, access codes, and authorized-individuals lists. Obviously, keys, fobs, ID badges, card keys and other items by which the former employee gained access to the physical space must be reclaimed or reprogrammed so that access by the former employee or other former member of your company’s workforce to secure areas with electronically maintained protected health information is no longer possible. For all former employees, and particularly for those with remote access, deactivation of any remote accounts and accessibility should reach all levels of access so that portals, web access and email services are no longer accessible.
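The post-termination audit recommended above can be partly automated. The following is an added illustration, not code from the original article or its author: it assumes a constructed export of access grants (EHR account, remote portal, email, badge) and a constructed authentication log, and reports grants that are still active or were cut off late, plus any successful access after the termination time.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass(frozen=True)
class Grant:
    user: str
    kind: str                          # account | remote | email | badge
    system: str
    deactivated_at: Optional[datetime]  # None means the grant is still active

def audit_grants(grants, user, terminated_at):
    """Return (system, problem) pairs for grants still active or cut off late."""
    findings = []
    for g in grants:
        if g.user != user:
            continue
        if g.deactivated_at is None:
            findings.append((g.system, f"{g.kind} still active"))
        elif g.deactivated_at > terminated_at:
            delay = g.deactivated_at - terminated_at
            findings.append((g.system, f"{g.kind} deactivated {delay} late"))
    return findings

def audit_log(log_lines, user, terminated_at):
    """Return log lines where `user` authenticated successfully after termination."""
    hits = []
    for line in log_lines:
        ts, who, system, action, result = line.split()   # assumed log layout
        when = datetime.fromisoformat(ts)
        if who == user and when > terminated_at and result == "success":
            hits.append(line)
    return hits

# Constructed sample data (hypothetical users and systems, not real records)
TERMINATED = datetime(2018, 5, 1, 17, 0)
GRANTS = [
    Grant("jdoe", "account", "ehr", datetime(2018, 5, 1, 16, 30)),   # on time
    Grant("jdoe", "remote", "vpn", None),                            # missed
    Grant("jdoe", "email", "mail", datetime(2018, 5, 2, 9, 0)),      # late
    Grant("jdoe", "badge", "door-east", datetime(2018, 5, 1, 16, 45)),
    Grant("asmith", "account", "ehr", None),                         # other user
]
LOG = [
    "2018-05-01T15:55:00 jdoe ehr login success",
    "2018-05-01T18:12:00 jdoe vpn login success",
    "2018-05-01T18:14:00 jdoe mail login success",
    "2018-05-01T18:20:00 jdoe door-east badge denied",
    "2018-05-02T08:00:00 asmith ehr login success",
]

if __name__ == "__main__":
    for finding in audit_grants(GRANTS, "jdoe", TERMINATED) + audit_log(LOG, "jdoe", TERMINATED):
        print(finding)
```

In practice the grant export would come from the identity system and the badge controller, and the log from the VPN, portal and mail servers; the point is that the audit checks every access level the answer lists, not just the primary account.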


Published: 5/9/18; by Paula Burkes
Original article: http://newsok.com/for-health-care-providers-safeguarding-patients-electronic-health-information-is-also-an-employment-matter/article/5593919

By Mary Holloway Richard.

(Updated 4/7/15)
President Obama has taken the occasion of the fifth anniversary of the signing of the Affordable Care Act (“ACA”) to characterize continued activities on the Hill to repeal it as renegade special interest activities. The ACA continues to be a subject of debate both in terms of its accomplishments—how many are newly covered and how much will be saved—and in terms of its public support.

While the Associated Press reported on March 23, 2015, that public support was down 5% since its passage, as one who daily writes and advises health care clients on matters related to the ACA, I can say with certainty that the depth and breadth of increased regulation spawned by the ACA are changing the nature of the system.

Those changes include responsive movement toward integrated health systems, mergers and affiliations; transition from quantity- to quality-based reimbursement; the relaxation of HIPAA standards in some respects and its tightening in others in the context of EHR transformation; and increased direct and indirect costs to employers as a result of new responsibilities.

Nearly fifty changes have been made to the ACA as of March 2, 2015, and this suggests a continuing need for providers, employers and business owners to remain informed and responsive to the moving regulatory compliance target.

On Monday, March 30, the Supreme Court rejected a new challenge to the Affordable Care Act (“ACA”) that targeted the Independent Payment Advisory Board (“IPAB”), a 15-member government panel which has been characterized as a “death panel” because of its intended role in cutting Medicare costs. The IPAB was to convene when the target growth rate for Medicare (3.03%) is exceeded. However, the growth rate is 1.15% according to CMS, and so the administration has not nominated any panel members. In declining to take up the case, the Supreme Court left undisturbed the dismissal of the lawsuit by the 9th US Circuit Court of Appeals in San Francisco. The proponents of the ACA are calling this a win. Coons v. Lew, No. 14-525. Certiorari was denied by the United States Supreme Court on March 30, 2015.