GDPR Compliance: Has Your Company Prepared for the Heightened Data Privacy Regulations?

litigation lawyer in Florida

“Protecting someone else’s data protects all of us.” Tim Cook, CEO of Apple

General Data Protection Regulation

By: Shobha Lizaso

We are in the age of electronic data and heightened data privacy. New laws to strengthen individuals’ privacy rights and to strengthen data protection are evolving worldwide. The General Data Protection Regulation (GDPR) establishes protections for the privacy and security of personal data about residents of the European Union. This new law affects US healthcare providers and organizations that provide services to residents of any of the EU countries, that collect data from EU residents or monitors EU residents through the use of cookies and the like, and practitioners involved in medical tourism programs and other clinical activities. GDPR imposes more restrictions on the collection, use, processing, storage, disclosure, and disposition of patient data than HIPAA.

GDPR became effective on May 25, 2018, and there will not be a compliance grace period, so healthcare providers should meet with their healthcare technology attorney to determine whether they are subject to the GDPR, to update their online Terms of Use & Privacy Policies, and to audit internal data handling procedures to prevent any violations.Continue reading

New HIPAA Guidance for Substance Abuse and Mental Health Information

HIPAA PHIBy: Dave Davidson

In December 2016, the US Congress passed the 21st Century Cures Act, which, among other things, provided for increased funding for treatment and research of mental health and substance abuse disorders.  That law also required the HHS Office of Civil Rights (OCR) to provide guidance in regards to HIPAA compliance in regards to those types of treatment.  In October 2017, President Donald Trump declared the opioid addiction epidemic to be a public health emergency, which will also result in additional resources being allocated to addressing the crisis.

In connection with both the new law and the President’s declaration, OCR published its HIPAA guidance in December 2017.  The guidance is intended to clarify how and when protected health information (PHI) can be shared in regards to patients in substance abuse and mental health treatment.  According to OCR Director Roger Severino, “HHS is using every tool at its disposal to help communities devastated by opioids, including educating families and doctors on how they can share information to help save the lives of loved ones.”Continue reading

Healthcare Trade Secrets: How to Protect Your Practice’s Trade Secrets

dreamstimemaximum_51887081-flipBy: Shobha Lizaso

“Prevention is better than cure” is a maxim that has reigned in the healthcare industry for thousands of years; however, this phrase echoes through the halls of the legal profession as well.

Healthcare practices often neglect to appreciate the value of their confidential information as assets and the need to protect these assets. Although HIPAA and HITECH compliance aids in maintaining the confidentiality of patient records, it does not protect a provider’s trade secrets.

Trade secrets of a healthcare practice may include any of the following: patient lists, financial information, contract rates, contract terms client lists, collection rates, marketing tactics, pricing/discount information, and methods of doing business. If leaked, this information may be used by competitors to secure advantages over a healthcare practice. For example, patient lists could be used to solicit a practice’s patients or contract rates and terms can be used by a competitor to undercut the rates of a practice.Continue reading

HIPAA Compliance: Docs, You’ve Been Hacked. What’s Next?

HIPAABy: Jacqueline Bain

Healthcare providers have heard the HIPAA disaster stories: a laptop containing patient information is left on the counter at the coffee shop; a thumb drive with patient files goes missing; a rogue employee accesses patient information she has no business accessing; hackers get into a practice’s server and hold the patient information for ransom.

HIPAA is a federal law designed for safe disclosure of patient’s protected health information.  The news headlines showcase giant penalties for violations.  However, Florida healthcare providers should also know that Florida has its own consumer protection statute, called the Florida Information Protection Act.  So while you’re busy worrying about your HIPAA exposure in any of these situations, remember that there is potential State exposure as well.

So what should a healthcare provider do if it believes there has been a hack or some other unauthorized disclosure?  Responses vary based on the situation presented, but below is a good jumping off point:Continue reading

Out of Network VOB Process Hits a Speedbump

VOBBy: Urgent Medical Billing, Guest Contributor

The verification process is an important step in the billing cycle. When done correctly the patient’s “VOB” will allow a healthcare provider to quickly determine if they can accept the patient for treatment or not. A good verification will tell a provider the general information about a patient’s insurance policy such as the deductible, the co-insurance and the out of pocket maximum. A very good verification will also include accreditation requirements, information on who would receive the payment for services, correct claims addresses for professional and facility charges and more. The quicker a verification is done, the sooner a patient can be brought into treatment. Speed and accuracy is the name of the game when it comes to insurance verification and United Healthcare, until very recently, was one of the quickest policies for an Insurance Verification Specialist to work with. Continue reading

What is FIPA and How Is FIPA Different From HIPAA?

By: Jackie Bain

FIPA is the Florida Information Protection Act of 2014.  It became elective on July 1, 2014.  Many people consider FIPA to be Florida’s state law counterpart to the Federal Government’s Health Information Protection and Administration Act of 1996 (“HIPAA).  However, FIPA is, in many respects, more far reaching than HIPAA.  Those who transact business in the State of Florida are well-served to be knowledgeable about FIPA.

FIPA affects more than just health care providers and those in the healthcare industry.  Under FIPA, any business that acquires, stores, maintains or uses personal information must take reasonable measures to safeguard that information.  “Personal information” includes the use of a person’s first and last name (or first initial and last name) in conjunction with his or her social security number, driver’s license or other government identification number, bank account number, credit or debit card number and password or pin, medical history, or health insurance policy number.  A convenience store that might have access to a person’s name and credit card number is just as accountable under FIPA as a hospital who might store that person’s medical history and insurance information.Continue reading

Physician Communications: Considerations for Using Text Messages and Social Media

doctor mobile

doctors textingBy: Jackie Bain

It is becoming easier and easier for physicians to communicate with each other and their patients.  And although open communication is generally thought of as positive, the medical profession should proceed with caution.  Patients and consulting physicians rely heavily on their communications with their treating physicians.  Thus, communications which do not require the thought of focus that a physician would otherwise give to a situation may result in disaster. While there are many potential ways a physician might use text messaging and social media both professionally and personally, we will focus generally on physician interactions with other physicians, and physician interactions with patients.

To start, physicians should be aware that, in 2011, the American Medical Association issued guidelines in its Code of Ethics for physicians who use social media:Continue reading

Florida Clinical Labs Must Now Give Patients Direct Access to Their Laboratory Test Results

laboratory marketer

lab testingBy: David Hirshfeld 

In an effort to help individuals access their health information so that they can become more actively involved in managing their own health care, several agencies within the Department of Health and Human Services promulgated a rule that modifies the Clinical Laboratory Improvement Amendments (“CLIA”) and the Health Insurance Portability and Accountability Act (“HIPAA”) in a way that supersedes Florida State laws governing the disclosure of laboratory test results directly to patients.

Continue reading

HIPAA Omnibus Final Rules and Penalties

On Friday January 25, 2013, the Department of Health and Human Services published the Final Rule modifying the HIPAA privacy, security, enforcement, and breach notification rules under the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the Genetic Information Non-Discrimination Act (“GINA”) as well as other modifications to the HIPAA rules. (See 45 CFR Parts 160 and 164, Federal Register Volume 78 Number 17.)

The omnibus rule actually contains four final rules. The first final modifications to HIPAA which were mandated by “HITECH” include modifications intended to improve the Rules which were issued as a proposed rule on July 14, 2010 include six modifications.

The first omnibus final rule includes direct liability modifications for business associates of covered entities for compliance with certain HIPAA privacy and security rule requirements. Strengthening of limitations on the use and disclosure of protected health information, expanded individuals’ rights to receive electronic copies of their health information, modification and redistribution of entities privacy practices protocols, modification of individual authorization forms and other requirements to facilitate research and disclosure of child immunization proof to schools as well as to enable access to decedent information and lastly the enforcement rules have been modified to address violations such as non-compliance with HIPAA rules due to willful neglect.

The second omnibus final rule adopts changes to the HIPAA enforcement rule that increase the civil monetary penalties in a tiered manner.

The third omnibus final rule involves the breach notification for unsecured protected health information under the “HITECH” act. This rule replaces the prior rules “harm” threshold with a more objective standard.

Finally, the fourth rule prohibits most health plans from using or disclosing genetic information for underwriting purposes.

These final rules take effect this month on March 26, 2013. Covered business entities and business associates must comply with the applicable requirements by September 23, 2013. The penalties for violating the final rules are now as follows:

TABLE 2 – CATEGORIES OF VIOLATIONS AND RESPECTIVE PENTALTY AMOUNTS AVAILABLE

Violation Category – Section 1176 (a)(1)

Each Violation

All such violations of an identical provision in a calendar year

(A)  Did Not Know(B)   Reasonable Cause

(C)   (i)Willful Neglect-Corrected

(C) (ii) Willful Neglect-Not Corrected

$100-$50,0001,000-50,000

10,000-50,000

50,000

$1,500,0001,500,000

1,500,000

1,500,000

Providers need to be aware of the penalties for violating the rules as we most recently reported to you the office of civil rights will not hesitate in sanctioning providers for violating the Act in amounts in excess of $1.5 million.