Tag Archive for: office for civil rights (OCR)

Preventing HIPAA Violations

The Office for Civil Rights has highlighted recent enforcement actions. An often-asked question from clients is: what are common HIPAA violations and how can they be avoided? Because there are numerous requirements and each practice faces unique situations, no single action will prevent HIPAA violations. It is critical to implement, monitor, and maintain compliance, which is easier said than done.

Use Available Tools and Resources – As a client of Eagle Associates you may have tools available to make the process of monitoring and maintaining compliance easier (policy manuals, forms, training materials, audit plans/checklists). One of the most important resources is Live Support, available at no additional cost. The following three examples are recent enforcement actions that could have been avoided by monitoring compliance activities (see Preventive Measures, at the end of each example in this article to identify Eagle resources that may help prevent such violations).

1 – Business Associate Problem – A Florida physicians group shared protected health information (PHI) with an unknown vendor without a business associate agreement.

The physicians group agreed to pay $500,000 to OCR and to adopt a substantial corrective action plan to settle potential violations of the HIPAA Privacy and Security Rules. The group provides contracted internal medicine physicians to hospitals and nursing homes in west central Florida.

Between November 2011 and June 2012, the group engaged the services of an individual who represented himself as a representative of a Florida-based billing company. The individual provided medical billing services to the physician group using the billing company’s name and website, but allegedly without any knowledge or permission of the billing company owner.

On February 11, 2014, a local hospital notified the physician group that patient information was viewable on the billing company’s website, including name, date of birth and social security number. In response, the physician group was able to identify at least 400 affected individuals and asked the billing company to remove the PHI from its website. Recognizing this as a privacy breach, the group filed a breach notification report with OCR on April 11, 2014, stating that 400 individuals were affected; however, after further investigation, the group filed a supplemental breach report stating that an additional 8,855 patients could have been affected.

OCR’s investigation revealed that the group never entered into a business associate agreement with the individual providing medical billing services, as required by HIPAA, and failed to adopt any policy requiring business associate agreements until April 2014. Although the group had been in operation since 2005, it had not conducted a risk analysis or implemented security measures or any other written HIPAA policies or procedures before 2014. The HIPAA Rules require entities to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of their electronic protected health information (EPHI).

“This case is especially troubling because the practice allowed the names and social security numbers of thousands of its patients to be exposed on the Internet after it failed to follow basic security requirements under HIPAA,” said OCR Director Roger Severino.

In addition to the monetary settlement, the physician group will undertake a robust corrective action plan that includes the adoption of business associate agreements, a complete enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA Rules. 

Preventive Measures – The violation could have been avoided by:

  • having written policies and procedures regarding business associates
    • See Section 3.17 of your HIPAA Policy Manual.
  • establishing Business Associate Agreements
    • See Form 7.22 in the Forms section of your HIPAA Policy Manual for a HIPAA-compliant Business Associate Agreement template.
  • conducting regular Security Risk Analyses
    • See Section 4.06 of your HIPAA Policy Manual and the Security Risk Analysis tool in the Member Services area of our web site.

2 – Access Problem – A Colorado hospital failed to terminate a former employee’s access to EPHI.

The hospital agreed to pay $111,400 to OCR and to adopt a substantial corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The hospital is a critical access hospital that, at the time of OCR’s investigation, provided more than 17,000 hospital and clinic visits annually and employed more than 175 individuals.

The settlement resolves a complaint alleging that a former hospital employee continued to have remote access to the hospital’s web-based scheduling calendar, which contained patients’ electronic protected health information (ePHI), after separation of employment. OCR’s investigation revealed that the hospital impermissibly disclosed the ePHI of 557 individuals to its former employee and to the web-based scheduling calendar vendor without a business associate agreement in place.

Under the two-year corrective action plan, the hospital has agreed to update its security management and business associate agreements, policies and procedures, and provide security training to its workforce.

Covered entities that do not have or follow procedures to terminate information access privileges upon employee separation risk HIPAA enforcement action. Covered entities must also evaluate relationships with vendors to ensure that business associate agreements are in place with all entities that qualify as business associates before disclosing protected health information.
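The access-termination failure described above is straightforward to catch with a routine reconciliation of HR separations against the user lists of every system that holds ePHI, including vendor-hosted ones such as the web-based scheduling calendar in this case. The Python below is an added example, not material from Eagle Associates or OCR: it compares a constructed HR separation list against constructed account exports from two hypothetical systems and reports accounts still enabled after their owner's separation, listing first any account that was actually logged into after the separation date. All employee ids, usernames, system names and dates are constructed.

```python
"""Orphaned-account check: HR separations vs. active accounts on ePHI systems.
Added example; not Eagle Associates' or OCR's code. All data is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Separation:
    employee_id: str
    separated_on: date


@dataclass(frozen=True)
class Account:
    system: str            # hypothetical system name, e.g. a vendor calendar
    employee_id: str
    username: str
    enabled: bool
    last_login: Optional[date]


# Constructed HR feed: who left and when.
SEPARATIONS: List[Separation] = [
    Separation("E100", date(2018, 3, 1)),
    Separation("E101", date(2018, 5, 15)),
]

# Constructed user exports. Real ones would come from the EHR, the scheduling
# vendor, remote access/VPN, e-mail, and any other system that holds ePHI.
ACCOUNTS: List[Account] = [
    Account("ehr", "E100", "aexample", enabled=False, last_login=date(2018, 2, 28)),
    Account("scheduling-calendar", "E100", "aexample", enabled=True, last_login=date(2018, 6, 2)),
    Account("scheduling-calendar", "E101", "bexample", enabled=True, last_login=None),
    Account("ehr", "E200", "cexample", enabled=True, last_login=date(2018, 6, 9)),  # still employed
]


def orphaned_accounts(separations, accounts, as_of: date, grace_days: int = 1):
    """Accounts still enabled more than `grace_days` after the owner's separation.

    Each finding also records whether a login happened after separation, which
    turns a dormant-account finding into an actual access event that needs a
    breach evaluation rather than just deprovisioning."""
    sep_by_id = {s.employee_id: s for s in separations}
    findings = []
    for acct in accounts:
        sep = sep_by_id.get(acct.employee_id)
        if sep is None or not acct.enabled:
            continue                      # still employed, or already disabled
        deadline = sep.separated_on + timedelta(days=grace_days)
        if as_of <= deadline:
            continue                      # still inside the deprovisioning window
        used_after = acct.last_login is not None and acct.last_login > sep.separated_on
        findings.append({
            "system": acct.system,
            "username": acct.username,
            "employee_id": acct.employee_id,
            "days_overdue": (as_of - deadline).days,
            "login_after_separation": used_after,
        })
    # Accounts actually used after separation first, then the longest overdue.
    findings.sort(key=lambda f: (not f["login_after_separation"], -f["days_overdue"]))
    return findings


def audit(as_of_iso: str):
    """Run the check over the constructed data as of a given date (ISO format)."""
    return orphaned_accounts(SEPARATIONS, ACCOUNTS, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for finding in audit("2018-06-10"):
        print(finding)
```

In practice the separation list comes from HR and each account list from the system's own administrative export, the check runs on a schedule (monthly at least), and the output is retained as evidence that the termination procedure is followed. Systems outside the practice's own network, like a vendor-hosted calendar, belong on the list precisely because they are the ones a local account-disable step never touches.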

Preventive Measures – The violations could have been prevented by:

  • implementing termination policies as required by HIPAA’s Security Rule 
    • See Section 4.08c of your HIPAA Policy Manual for termination policies.
  • following policies for establishing a business associate relationship 
    • See Section 3.17 of your HIPAA Policy Manual for policies regarding business associates.
  • obtaining a Business Associate Agreement 
    • See Form 7.22 in the Forms section of your HIPAA Policy Manual for a HIPAA-compliant Business Associate Agreement template.

3 – Unauthorized Disclosure of PHI – An allergy practice made an unauthorized disclosure of PHI to a news reporter.

The allergy practice agreed to pay $125,000 to OCR and to adopt a corrective action plan to settle potential violations of HIPAA’s Privacy Rule. The practice specializes in treating individuals with allergies and is comprised of three doctors at four locations across Connecticut.

In February 2015, a patient of the practice contacted a local television station to speak about a dispute that had occurred between the patient and one of the practice’s doctors. The reporter subsequently contacted the doctor for comment and the doctor impermissibly disclosed the patient’s PHI to the reporter. 

OCR’s investigation found that the doctor’s discussion with the reporter demonstrated a reckless disregard for the patient’s privacy rights and that the disclosure occurred after the doctor was instructed by the practice’s Privacy Officer to either not respond to the media or respond with “no comment.”

Additionally, OCR’s investigation revealed that the practice failed to take any disciplinary action against the doctor or take any corrective action following the impermissible disclosure to the media. 

In addition to the monetary settlement, the practice will undertake a corrective action plan that includes two years of monitoring their compliance with the HIPAA Rules.

Preventive Measures – The violations could have been prevented by: 

  • ensuring that workforce members are trained on HIPAA requirements and follow guidance provided by compliance staff
    • See the Employee HIPAA Orientation Handbook and annual HIPAA Privacy Rule training module in the April issue of the Advisor®.
  • enforcing sanctions when workforce members violate policies
    • See Section 1.14 of your HIPAA Policy Manual for sanction policies.

Not all potential HIPAA violations are easily identified and solved. A good rule to follow: when in doubt, use caution, ask questions, and get advice. Again, as a client of Eagle Associates, you have great resources available to help you avoid such problems. We invite you to call or email us with questions.

HIPAA Privacy and the Opioid Crisis

The Office for Civil Rights has issued new guidance on when and how healthcare providers can share a patient’s health information with his or her family members, friends, and legal personal representatives when the patient may be in crisis and incapacitated, such as during an opioid overdose.

The following information will explain how a practice can share patient information (without patient authorization) with family members or designated friends during certain crisis situations, such as the opioid situation.

  1. Sharing health information with family and close friends who are involved in the care of the patient, if the provider determines that doing so is in the best interest of an incapacitated or unconscious patient and the information shared is directly related to the family member’s or friend’s involvement in the patient’s health care or payment for care. For example, a provider may use professional judgment to talk to the parents of someone incapacitated by an opioid overdose about the overdose and related medical information, but generally could not share medical information unrelated to the overdose without permission.
  2. Informing persons in a position to prevent or lessen a serious and imminent threat to a patient’s health or safety. For example, a doctor whose patient has overdosed on opioids is presumed to have complied with HIPAA if the doctor informs family, friends, or caregivers of the opioid abuse after determining, based on the facts and circumstances, that the patient poses a serious and imminent threat to his or her health through continued opioid abuse upon discharge.

For patients with decision-making capacity: A health care provider must give a patient the opportunity to agree or object to sharing health information with family, friends, and others involved in the individual’s care or payment for care. The provider is not permitted to share health information about a patient who currently has the capacity to make his or her own health care decisions and who objects to sharing the information (generally or with respect to specific people), unless there is a serious and imminent threat of harm to health as described above.

Decision-making incapacity may be temporary and situational, and does not have to rise to the level where another decision maker has been or will be appointed by law.  If a patient regains the capacity to make health care decisions, the provider must offer the patient the opportunity to agree or object before any additional sharing of health information.

For example, a patient who arrives at an emergency room severely intoxicated or unconscious will be unable to meaningfully agree or object to information-sharing upon admission but may have sufficient capacity several hours later. Nurses and doctors may decide whether sharing information is in the patient’s best interest, and how much and what type of health information is appropriate to share with the patient’s family or close personal friends, while the patient is incapacitated so long as the information shared is related to the person’s involvement with the patient’s health care or payment for such care.  If a patient’s capacity returns and the patient objects to future information sharing, the provider may still share information to prevent or lessen a serious and imminent threat to health or safety as described above.

HIPAA gives a patient’s personal representative the right to request and obtain any information about the patient that the patient could obtain, and under state law a personal representative designation generally authorizes that person to make health care decisions for the patient. There may, however, be a conflict with existing state laws regarding information related to substance abuse treatment. If a state’s law is more restrictive regarding the communication of patient information (for example, state law might state that substance abuse treatment information can only be shared with personnel involved in treatment), then your practice should follow the requirements of the more restrictive law (in this example, state law).

Phishing Scam

On November 28, 2016, the Office for Civil Rights (OCR) released a bulletin alerting covered entities and business associates of a phishing email scam that is circulating. Please read the contents of the notice below, and be alert for a possible phishing email that you could receive.

“It has come to our attention that a phishing email is being circulated on mock HHS Departmental letterhead under the signature of OCR’s Director, Jocelyn Samuels. This email appears to be an official government communication, and targets employees of HIPAA covered entities and their business associates.

The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services. 

In no way is this firm associated with the U.S. Department of Health and Human Services or the Office for Civil Rights. We take the unauthorized use of this material by this firm very seriously. In the event that you or your organization has a question as to whether it has received an official communication from our agency regarding a HIPAA audit, please contact us via email at OSOCRAudit@hhs.gov.” 

OCR would like to further share that this phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us. This is a subtle difference from the official email address for our HIPAA audit program, OSOCRAudit@hhs.gov, but such subtlety is typical in phishing scams.

If you receive an email and are unsure whether it is from OCR, check the sending email address. If the email is legitimately from OCR, the sending email address will end with @hhs.gov. Email notices from OCR regarding its audit program have generally come from the OSOCRAudit@hhs.gov email address. Contact Eagle Associates, Inc. at (800) 777-2337 or via email at info@eagleassociates.net if you have any questions.
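The advice to check the sending address has edge cases that are easy to get wrong by eye: a display name can itself be written to look like an address, “hhs.gov” can appear as a leading label of some other domain, and the dash in hhs-gov.us can be a Unicode look-alike that renders exactly like a hyphen. The Python below is an added example, not code from OCR or Eagle Associates: it takes the real address out of a From: header, accepts only hhs.gov or a genuine subdomain of it, and separately flags imitations built from the same letters, applying the same test to link hostnames. The sample headers are constructed; hhs.gov, OSOCRAudit@hhs.gov and the look-alike address and URL are the ones named in the bulletin.

```python
"""Sender-domain and link check for the OCR look-alike described in the bulletin.
Added example; not OCR's or Eagle Associates' code. Sample inputs are constructed."""
import re
import unicodedata
from urllib.parse import urlparse

TRUSTED_DOMAIN = "hhs.gov"

# Dash characters that render like '-' in a mail client but are different code points.
_HYPHEN_LOOKALIKES = "\u2010\u2011\u2012\u2013\u2014\u2212"


def normalize_domain(domain: str) -> str:
    """Lower-case, fold Unicode look-alike dashes to '-', drop a trailing dot."""
    domain = unicodedata.normalize("NFKC", domain).strip().rstrip(".").lower()
    for ch in _HYPHEN_LOOKALIKES:
        domain = domain.replace(ch, "-")
    return domain


def is_trusted_domain(domain: str) -> bool:
    """True only for hhs.gov itself or a real subdomain of it. The label boundary
    matters: 'hhs.gov.example.com' and 'nothhs.gov' must both fail."""
    d = normalize_domain(domain)
    return d == TRUSTED_DOMAIN or d.endswith("." + TRUSTED_DOMAIN)


def looks_like_trusted(domain: str) -> bool:
    """Flag domains that imitate hhs.gov: the trusted name with its dot swapped
    for a dash or removed (hhs-gov.us, hhsgov.com), or the trusted name used as
    a leading label under some other registrable domain."""
    d = normalize_domain(domain)
    if is_trusted_domain(d):
        return False
    squashed = re.sub(r"[.-]", "", d)
    return TRUSTED_DOMAIN.replace(".", "") in squashed


def extract_address(from_header: str) -> str:
    """Take the addr-spec from a From: header. Whatever is in the display name,
    even text that looks like an address, is ignored: the angle-bracket part is
    what the mail system actually used."""
    m = re.search(r"<([^<>]+)>\s*$", from_header.strip())
    return (m.group(1) if m else from_header).strip()


def _verdict(domain: str) -> str:
    if is_trusted_domain(domain):
        return "trusted"
    return "lookalike" if looks_like_trusted(domain) else "untrusted"


def classify_sender(from_header: str) -> str:
    """'trusted', 'lookalike' or 'untrusted' for a From: header value."""
    addr = extract_address(from_header)
    if "@" not in addr:
        return "untrusted"
    return _verdict(addr.rsplit("@", 1)[1])


def classify_link(url: str) -> str:
    """Same verdict for the hostname of a link in the message body."""
    return _verdict(urlparse(url).hostname or "")


def review_message(from_header: str, urls) -> dict:
    """Sender verdict plus the worst verdict among the message's links."""
    order = {"trusted": 0, "untrusted": 1, "lookalike": 2}
    worst_link = max((classify_link(u) for u in urls), key=order.get, default="trusted")
    return {"sender": classify_sender(from_header), "links": worst_link}


if __name__ == "__main__":
    # Constructed header and the URL quoted in the bulletin.
    print(review_message("OCR Audit Program <OSOCRAudit@hhs\u2011gov.us>",
                         ["http://www.hhs-gov.us"]))
```

A check like this is only as good as the mail gateway's authentication: an attacker who can forge the From: header outright defeats it, so it complements SPF, DKIM and DMARC enforcement rather than replacing them, and the "lookalike" verdict is the one worth routing to a person rather than auto-blocking.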

OCR Enforcing Limits on Medical Records Fees

The Office for Civil Rights (OCR) has published new information emphasizing patient right of access to records, along with fees that may be charged for printed and electronic copies.  It stresses that medical records fees must be cost-based and reasonable.

The Privacy Rule permits a covered entity to impose a reasonable, cost-based fee to provide the individual (or the individual’s personal representative) with a copy of the individual’s PHI, or to direct the copy to a designated third party. The fee may include only the cost of certain labor, supplies, and postage as outlined below in a direct quotation of the OCR:

A covered entity may include reasonable labor costs associated only with the: (1) labor for copying the PHI requested by the individual, whether in paper or electronic form; and (2) labor to prepare an explanation or summary of the PHI, if the individual in advance both chooses to receive an explanation or summary and agrees to the fee that may be charged.

For example, labor for copying may include labor associated with the following, as necessary to copy and deliver the PHI in the form and format and manner requested or agreed to by the individual:

  • Photocopying paper PHI.
  • Scanning paper PHI into an electronic format.
  • Converting electronic information in one format to the format requested by or agreed to by the individual.
  • Transferring (e.g., uploading, downloading, attaching, burning) electronic PHI from a covered entity’s system to a web-based portal (where the PHI is not already maintained in or accessible through the portal), portable media, e-mail, app, personal health record, or other manner of delivery of the PHI.
  • Creating and executing a mailing or e-mail with the responsive PHI.

While we allow labor costs for these limited activities, we note that as technology evolves and processes for converting and transferring files and formats become more automated, we expect labor costs to disappear or at least diminish in many cases.

In contrast, labor for copying does not include labor costs associated with:

  • Reviewing the request for access.
  • Searching for, retrieving, and otherwise preparing the responsive information for copying.  This includes labor to locate the appropriate designated record sets about the individual, to review the records to identify the PHI that is responsive to the request and to ensure the information relates to the correct individual, and to segregate, collect, compile, and otherwise prepare the responsive information for copying.

Further, while the Privacy Rule permits the limited fee described above, covered entities should provide individuals who request access to their information with copies of their PHI free of charge.  While covered entities should forgo fees for all individuals, not charging fees for access is particularly vital in cases where the financial situation of an individual requesting access would make it difficult or impossible for the individual to afford the fee.  Providing individuals with access to their health information is a necessary component of delivering and paying for health care. We will continue to monitor whether the fees that are being charged to individuals are creating barriers to this access, will take enforcement action where necessary, and will reassess as necessary the provisions in the Privacy Rule that permit these fees to be charged.

For complete information regarding limits on medical records fees, refer to the article on page two of the July issue of the American Practice Advisor® titled “OCR Emphasizes Limits on Medical Records Fees.”

How to Respond to OCR Audit Requests

Eagle Associates has prepared an article and a short video, both of which provide instruction on responding to communications from OCR regarding the audit program. You can either read the article or watch the video. You do not need to view both, as the content is the same. Contact our office at (800) 777-2337 if you have any questions regarding the audit process.

Watch the video: Preparing for a HIPAA Audit

Read the text:

HIPAA Audit Notices

Many practices have received an email from the Office for Civil Rights (OCR) asking to verify the practice information and contact.  The notice indicates that the practice is being entered into a pool of potential auditees for the HIPAA Privacy, Security and Breach Notification audit program.

It is important for your practice to respond to the notice in the time frame specified.  Failure to respond will not protect you from being audited, as OCR has indicated that it will use publicly available information to obtain the data it needs.  Responding to the notice does NOT mean you have been selected for an audit.

Communications from OCR will be sent via email and may be incorrectly classified as spam. If your entity’s spam filtering and virus protection are automatically enabled, OCR expects you to check your junk or spam email folder for emails from OCR.

Once your contact information has been verified, you will receive an email to complete a screening questionnaire.  Again, it is very important for you to complete the questionnaire in the specified time frame.  As with responding to the contact notice, receiving a questionnaire does NOT mean you have been selected for an audit as of yet.

Notice Content

The content of the verification email from OCR is as follows:

“According to our records, you are the primary contact OCR should use to reach Associated Surgeons and Physicians regarding its potential inclusion in the HIPAA Privacy, Security, and Breach Notification Rules Audit Program. We are attempting to verify this email address.

Please respond within fourteen (14) days as instructed below to either confirm your identity and email address or instead provide updated primary and secondary contact information.

If you ARE the primary contact for this organization, please select the following link YES. Once the link is selected, a browser window will open and your response will be recorded.

If you ARE NOT the primary contact for this organization, please select the following link NO. Once the link is selected, a browser window will open and your response will be recorded.

Thank you for your cooperation. If we do not receive a response from you we will use this email address for future communications with this entity. Failure to respond will not shield your organization from selection.”

Screening Questionnaire

The screening questionnaire is intended to gather data about the size, types, and operations of potential auditees for the HIPAA Privacy, Security and Breach Notification Audit Program. The data will be used with other information to help OCR select entities that reflect a variety of types, sizes, and locations for the next phase of the Audit Program.

Audit Selection

Covered entities and business associates will be notified of their selection for an audit on a rolling basis.

Please be aware that if your entity is selected for an audit, you will have ten (10) business days to respond with the requested documentation.

Business Associates List

Entities selected for an audit must submit a list of all current business associates, with up-to-date contact information, within the 10-day response period. OCR will use this information to compile a list of potential business associate subjects to audit. OCR encourages entities to develop the business associate listing in advance so that they can meet the submission requirements. The business associate listing should be submitted as a spreadsheet with columns that contain the name of the entity, type of service(s) provided, primary and secondary contact names, titles, emails, phone numbers, address, and website, if any.

A template for the spreadsheet is available at this link.

Desk/On-Site Audits

If you are selected for an audit, OCR will either:

  1. conduct a focused desk audit (an OCR review of submitted documentation) to determine evidence of your compliance with selected provisions of the Rules;
  2. conduct a comprehensive on-site review of your compliance with applicable requirements of the HIPAA Rules; or
  3. follow up a desk audit with an on-site audit.

The audit protocols, which contain criteria the auditors will use, are available for review at this link.

OCR will assess whether to open a separate compliance review in cases where an audit indicates serious compliance issues or where a covered entity or business associate fails to cooperate with an audit.

Preparing for a Potential Audit

There are four major elements to demonstrating that you have made a reasonable effort to comply with HIPAA requirements:

  • Ensure that you have written policies addressing all of the requirements listed in HIPAA’s Privacy, Security, and Breach Notification Rules.
  • Document a self-auditing or other process that will prove your policies have been implemented (i.e., they are followed by members of the workforce) and that you maintain them in accordance with published updates for each Rule.
  • Ensure that you have documented training (content and participation) for new hire and annual training with the Privacy, Security, and Breach Notification Rules.
  • Ensure that you have documentation of annual Security Risk Analysis as required by the Security Rule.

Resources Available from Eagle Associates

Eagle Associates provides a complete solution for ensuring compliance with HIPAA requirements.  Our HIPAA Compliance System includes:

  • A completely written HIPAA policy manual with a full complement of HIPAA forms; this is not a fill-in-the-blank workbook. We update the policy manual each year to ensure compliance with changes in regulations and new interpretations.
  • Eagle Associates is currently reviewing the OCR Audit Protocol to determine whether any policy revisions are necessary in advance of the audits.
  • An annual audit plan tool is available for completion to provide proof of policy implementation and regulatory updates.
  • Clients enrolled in Eagle’s Management Consulting Program will have documentation using monthly compliance activities instead of the annual audit plan.
  • Training materials and documentation for new hire and annual training for workforce members.
  • The HIPAA Compliance System includes a complete Security Risk Analysis tool for your use, and is updated each year.
  • Eagle provides Live Support for subscribing clients; this provides unlimited support at no additional cost for a practice. Clients can call or email as often as needed with questions, problems, or incidents.

If you already subscribe to the HIPAA Compliance System, you will be notified of any necessary policy revisions in the coming weeks.  Remember that the above-mentioned resources are available in the Member Services area of our web site.  In the front of your HIPAA Policy manual, there is instruction on how to log in to Member Services.

Please contact our office at (800) 777-2337 if you have any questions, or need assistance.