A Full Service Employee Benefit and Compliance Solution for Employers

From Dorothy Cociu, COIN Editor and HIPAA Privacy & Security Consultant & Trainer
Advanced Benefit Consulting & Insurance Services, Inc.

Because Marilyn Monahan addressed HIPAA specifics regarding business associates, which all agents are to their employer clients, I am not going to provide as detailed a HIPAA enforcement report as usual.  I will, instead, provide details on one recent settlement, plus remind you of one I previously reported in the COIN regarding a recent settlement for failure to have an up-to-date (post 2013 final regs) BA Agreement, then discuss some recent educational information and tools released by HHS and OCR to assist covered entities and business associates.

In early September, I will be attending the annual NIST/HHS HIPAA Privacy & Security Conference for two days, to hear directly from the sources, recent case settlements and new information provided by the National Institute for Standards and Technology (NIST) and HHS/OCR.  I’ll report on valuable information received in the next issue of the COIN.

First, to complement Marilyn Monahan’s feature article (HIPAA Compliance for Business Associates, COIN Sept-Oct. 201), I wanted to remind you of a recent settlement (April 20, 2017) with The Center for Children’s Digestive Health (CCDH), in which CCDH paid a $31,000 fine to settle a HIPAA violation case.  The case involved CCDH’s business associate, FileFax, Inc., where records containing PHI were held; CCDH could not produce a signed Business Associate Agreement with FileFax.  This settlement also included a corrective action plan.  It should serve to remind us all that we need to be sure to have all client and other vendor BA Agreements up to date.  Again, be sure they include the new provisions added in the final regs in 2013.  There was another case in which a business associate agreement with a vendor was in place, but it had not been updated after HITECH, and therefore did not include the required language for breaches, etc., and a substantial penalty was given by OCR.

Both of these cases emphasize that you need signed BA agreements, and that they must be updated to include the final regulations language.  Keep in mind, as Marilyn mentioned in her feature article this issue, that the government model is only a starting point.  It is not a contract.  Your contracts must be up to date, and they must be legitimate, legal and binding contracts.  It is recommended that you seek the assistance of a qualified HIPAA Privacy & Security consultant or an attorney to be sure your contracts are valid and provide both Federal and California provisions.

In a recent settlement, careless handling of HIV information jeopardized a patient’s privacy and resulted in a settlement fine of $387,200.  St. Luke’s-Roosevelt Hospital Center (St. Luke’s) paid the US Department of Health & Human Services (HHS) to settle potential violations of the HIPAA Privacy Rule and agreed to implement a comprehensive corrective action plan.  St. Luke’s provides comprehensive services to persons living with HIV or AIDS and other chronic diseases.  It is one of 7 hospitals that comprise the Mount Sinai Health System.

The investigation revealed that staff had impermissibly faxed the patient’s PHI to his employer rather than to the requested personal post office box.

New Training and Education Tools

HHS and OCR launched a new training video module for health care providers on patients’ right of access under HIPAA, which provides an in-depth review of the components of the HIPAA right of access and ways in which it enables individuals to be involved in their own care.  The module provides helpful suggestions about how health care providers can integrate aspects of the HIPAA access right into medical practice.  Participants receive free continuing education credit: Continuing Medical Education (CME) credit for physicians and Continuing Education (CE) credit for other health care professionals.

The module is available at Medscape at: http://www.medscape.org/viewarticle/876110 or via OCR’s Training and Resources webpage at https://hhs.gov/hipaa/for-professionals/training/index.html.

HHS also unveiled a web tool this summer to highlight recent breaches of health information.  This revised web tool puts important information into the hands of individuals, empowering them to better identify recent breaches of health information and to learn how all breaches of health information are investigated and successfully resolved.  The HIPAA Breach Reporting Tool (HBRT) features improved navigation for both those looking for information on breaches and ease-of-use for organizations reporting incidents.  The tool also helps educate industry on the types of breaches that are occurring, industry-wide or within particular sectors, and how breaches are commonly resolved following investigations launched by OCR, which can help industry improve the security posture of their organizations.

The HBRT can be found at: https://ocrportal.hhs.gov/ocr/breach report.jsf.  For additional information on HIPAA breach notification, visit: http://www.hhs.gov/hipaa/for-professionals/breach-notification.

##

Source:  US Department of Health and Human Services (HHS) and Office for Civil Rights (OCR), website and notice distributions.