PHI Breach Penalty Dollars Rolling in for Healthcare Enforcement

By: Dave Davidson

It has been a busy autumn for the enforcement of health care privacy rights. Recent activities range from settling the claim for the largest HIPAA violation in US history, to penalties imposed for filming TV shows, to actions initiated by state governments. All of these actions confirm the serious position taken by regulators nationwide to protect the privacy of protected health information (PHI).

The Big One

On October 15, 2018, Anthem, Inc., an independent licensee of Blue Cross, paid $16 million to settle its claim with the HHS Office of Civil Rights (OCR), for a breach that compromised the PHI of 79 million people. This was the largest reported breach in history. The PHI breach occurred in 2015, when hackers initiated a “spear-phishing” attack via fraudulent emails. The government found that Anthem lacked appropriate information system procedures to identify and respond to security breaches, and minimum access controls to stop these kinds of attacks.

In addition to the financial penalty, Anthem agreed to a corrective action plan, in which it agreed to perform a risk analysis, and incorporate the results of the analysis into its existing processes, in order to achieve a “reasonable and appropriate level” of HIPAA compliance.

This settlement is in addition to the $115 million settlement Anthem reached last year with the victims of the breach.

GDPR Compliance: Has Your Company Prepared for the Heightened Data Privacy Regulations?


“Protecting someone else’s data protects all of us.” Tim Cook, CEO of Apple


By: Shobha Lizaso

We are in the age of electronic data and heightened data privacy. New laws to strengthen individuals’ privacy rights and to strengthen data protection are evolving worldwide. The General Data Protection Regulation (GDPR) establishes protections for the privacy and security of personal data about residents of the European Union. This new law affects US healthcare providers and organizations that provide services to residents of any of the EU countries, that collect data from EU residents or monitor EU residents through the use of cookies and the like, and practitioners involved in medical tourism programs and other clinical activities. GDPR imposes more restrictions on the collection, use, processing, storage, disclosure, and disposition of patient data than HIPAA.

GDPR became effective on May 25, 2018, and there will not be a compliance grace period, so healthcare providers should meet with their healthcare technology attorney to determine whether they are subject to the GDPR, to update their online Terms of Use & Privacy Policies, and to audit internal data handling procedures to prevent any violations.

So, You Want to Be in the Pharmacy Business? Building from scratch, acquisitions & other considerations.

By: Michael Silverman

Like many entrepreneurial endeavors, owning a pharmacy requires careful planning and an astute risk versus reward analysis. However, unlike other industries, venturing into a healthcare business brings with it an entire new world of regulations, and rightly so. Pharmacies don’t sell widgets; they sell prescription drugs, and to people whose well-being depends on it being done correctly. As such, there’s a host of state and federal laws a pharmacy must abide by, intended to safeguard patients and the healthcare system as a whole. Don’t let regulatory hurdles alone serve as an insurmountable deterrent from entering into what can be a profitable and fulfilling profession; proactive compliance is the key to success! Here’s an overview of the general steps necessary to become a pharmacy owner, be it from scratch or by acquiring an existing practice. For the purposes of this article, let’s assume it’s a community/retail pharmacy that will be located in Florida.

So what’s better – building from scratch or buying something that’s already out there? Typical lawyer answer – it depends! But I won’t stop there; here are some considerations that must be taken into account to make a proper decision: (1) how quickly does the business need to be up and running? It’s typically a faster process to commence business by acquiring an existing pharmacy rather than building one from scratch, but that depends on (2) what is out there in the current marketplace? If a stock acquisition, all of the known and unknown liabilities will be inherited by the new owner; proper due diligence on the pharmacy’s past is essential.

New HIPAA Guidance for Substance Abuse and Mental Health Information

By: Dave Davidson

In December 2016, the US Congress passed the 21st Century Cures Act, which, among other things, provided for increased funding for treatment and research of mental health and substance abuse disorders. That law also required the HHS Office of Civil Rights (OCR) to provide guidance on HIPAA compliance for those types of treatment. In October 2017, President Donald Trump declared the opioid addiction epidemic to be a public health emergency, which will also result in additional resources being allocated to addressing the crisis.

In connection with both the new law and the President’s declaration, OCR published its HIPAA guidance in December 2017. The guidance is intended to clarify how and when protected health information (PHI) can be shared in regards to patients in substance abuse and mental health treatment. According to OCR Director Roger Severino, “HHS is using every tool at its disposal to help communities devastated by opioids, including educating families and doctors on how they can share information to help save the lives of loved ones.”

HIPAA Security Basics: Keeping your Medical Web-Based Business Compliant


By: Shobha Lizaso

Medical web-based businesses have been on the rise, while the number of HIPAA enforcement actions by the US Department of Health and Human Services (HHS) has risen exponentially as well. Since the beginning of this year, HHS has announced several large settlements with companies that failed to comply with HIPAA compliance requirements. For example, in January, HHS announced a $2.2 million settlement with a health insurance company when a breach resulted from a stolen portable USB device containing PHI. Also, in February, HHS announced a penalty of $3.2 million against a medical center for a breach that arose from the theft of an unencrypted laptop containing PHI. This enforcement activity is becoming the norm, so it is best to ensure that your medical website is legally compliant.

If you are handling any PHI on or through your website, you must ensure that your website is up to speed with HIPAA compliance. Here are some recommendations to address the security and privacy of PHI that your website may manage (please note that this is not a comprehensive list):

Healthcare Trade Secrets: How to Protect Your Practice’s Trade Secrets


By: Shobha Lizaso

“Prevention is better than cure” is a maxim that has reigned in the healthcare industry for thousands of years; however, this phrase echoes through the halls of the legal profession as well.

Healthcare practices often neglect to appreciate the value of their confidential information as assets and the need to protect these assets. Although HIPAA and HITECH compliance aids in maintaining the confidentiality of patient records, it does not protect a provider’s trade secrets.

Trade secrets of a healthcare practice may include any of the following: patient lists, financial information, contract rates, contract terms, client lists, collection rates, marketing tactics, pricing/discount information, and methods of doing business. If leaked, this information may be used by competitors to secure advantages over a healthcare practice. For example, patient lists could be used to solicit a practice’s patients, and contract rates and terms can be used by a competitor to undercut the rates of a practice.

HIPAA Compliance: Docs, You’ve Been Hacked. What’s Next?

By: Jacqueline Bain

Healthcare providers have heard the HIPAA disaster stories: a laptop containing patient information is left on the counter at the coffee shop; a thumb drive with patient files goes missing; a rogue employee accesses patient information she has no business accessing; hackers get into a practice’s server and hold the patient information for ransom.

HIPAA is a federal law designed for safe disclosure of patients’ protected health information. The news headlines showcase giant penalties for violations. However, Florida healthcare providers should also know that Florida has its own consumer protection statute, called the Florida Information Protection Act. So while you’re busy worrying about your HIPAA exposure in any of these situations, remember that there is potential State exposure as well.

So what should a healthcare provider do if it believes there has been a hack or some other unauthorized disclosure? Responses vary based on the situation presented, but below is a good jumping off point:

What is FIPA and How Is FIPA Different From HIPAA?

By: Jackie Bain

FIPA is the Florida Information Protection Act of 2014. It became effective on July 1, 2014. Many people consider FIPA to be Florida’s state law counterpart to the Federal Government’s Health Information Protection and Administration Act of 1996 (“HIPAA”). However, FIPA is, in many respects, more far reaching than HIPAA. Those who transact business in the State of Florida are well-served to be knowledgeable about FIPA.

FIPA affects more than just health care providers and those in the healthcare industry. Under FIPA, any business that acquires, stores, maintains or uses personal information must take reasonable measures to safeguard that information. “Personal information” includes the use of a person’s first and last name (or first initial and last name) in conjunction with his or her social security number, driver’s license or other government identification number, bank account number, credit or debit card number and password or PIN, medical history, or health insurance policy number. A convenience store that might have access to a person’s name and credit card number is just as accountable under FIPA as a hospital that might store that person’s medical history and insurance information.

Physician Communications: Considerations for Using Text Messages and Social Media


By: Jackie Bain

It is becoming easier and easier for physicians to communicate with each other and their patients. And although open communication is generally thought of as positive, the medical profession should proceed with caution. Patients and consulting physicians rely heavily on their communications with their treating physicians. Thus, communications which do not require the thought or focus that a physician would otherwise give to a situation may result in disaster. While there are many potential ways a physician might use text messaging and social media both professionally and personally, we will focus generally on physician interactions with other physicians, and physician interactions with patients.

To start, physicians should be aware that, in 2011, the American Medical Association issued guidelines in its Code of Ethics for physicians who use social media:

Fall 2014 HIPAA Audits: Is Your Business Ready?


By: Jackie Bain

Section 13411 of the HITECH Act authorizes and requires the Department of Health & Human Services Office for Civil Rights (“OCR”) to provide for periodic audits to ensure that covered entities and business associates comply with the HIPAA Privacy and Security Rules. OCR conducted its first round of those audits in 2011 and 2012, and has announced that it will begin a second phase. Unlike the first phase of audits, which were limited to covered entities, both covered entities and business associates are intended to be audited during this second phase.

How will audited businesses be selected?

This fall, OCR will deliver pre-audit surveys to between 550 and 800 covered entities. OCR is attempting to obtain a fair snapshot of all covered entities, so these pre-audit surveys will be sent to health care providers, health plans, and health clearinghouses. Moreover, the audits will span the gamut of business sizes, from large corporations to solo practitioners. After pre-audit surveys are returned, OCR will randomly select 350 of those covered entities for a full audit. As a part of these full audits, covered entities will be asked to identify their business associates. OCR will then select 50 business associates to participate.