The New Security Breach Notification Rule
Laura Gerdes Long
On August 24, 2009, the Department of Health and Human Services (“HHS”) published in the Federal Register interim final regulations and accompanying commentary with regard to breach notification requirements for unsecured protected health information (“PHI”) under the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).
This HHS publication triggers two key deadlines. The first is September 23, 2009, when employers and health care providers (“covered entities”) will be required to comply with the Act’s security breach notification requirements; the second is February 22, 2010, the end of the 180-day enforcement grace period announced by HHS. Accordingly, during this 180-day grace period, covered entities need to digest the new requirements, revise existing HIPAA policies and procedures and develop new ones, put in place a security incident response plan, train employees, confer with business associates about security breach response, and negotiate modifications to existing business associate agreements. Employers and health care providers who discover a security breach after that date and fail to provide the required notices may be targeted for an enforcement action.
The security breach notification requirement applies only to “unsecured PHI”. HHS considers PHI “unsecured” unless it is encrypted or completely destroyed; generally, encryption or complete destruction is the only way HHS has said that PHI would be considered “secured”. If PHI is secured, the covered entity does not need to develop internal procedures for notification of security breaches. In any event, practices should review their existing Notice of Privacy Practices and update it with respect to the new notification rule.
09/23/09 8:00 AM
Business Law, HIPAA, Health Care
Kicking the Habit and Getting Fit Helps Employers’ Bottom Lines
Laura Gerdes Long
Employee costs are the bottom line
The fact is that employee costs, and curbing those costs, are the “bottom line” for most employers. For years, employers have been struggling to control and minimize the rising costs of health care for their employees. Employers are increasingly forced to transfer health care costs to their employees through higher premiums, copayments and deductibles. Only in the past few years have employers realized that they can help their employees improve their overall wellness while at the same time potentially reducing the employers’ health care costs. The methods employers have begun experimenting with include wellness programs, health risk assessments, and employee education.
Hard, Cruel Facts
Since 2000, U.S. health care cost increases have exceeded the overall inflation rate by a factor of two to five. (National Coalition on Healthcare, Economic Cost Fact Sheets.)
02/1/08 2:21 PM
Business Law, Employment Law, HIPAA, Health Care
George Clooney and HIPAA
Laura Gerdes Long
A recent entertainment news story involving celebrity medical records illustrates the problems that employee activity can cause and reminds us of the need for continuous vigilance in protecting sensitive medical data. The story also suggests that now is a good time for additional training of workforce members on these issues.
Following a motorcycle accident, George Clooney and his girlfriend were seen at the Palisades Medical Center in New Jersey for their injuries. More than two dozen employees were suspended for a month, without pay, for allegedly accessing Clooney’s confidential medical records. A union representing seven of the suspended nurses said that the employees, although they looked at Clooney’s records, did not divulge any confidential information.
02/1/08 9:57 AM
HIPAA, Health Care
Recent Cases Involving Patient Privacy—How Far Does the Duty Go for Employees?
Laura Gerdes Long
On May 24, 2006, the Illinois Supreme Court granted a defendant hospital’s petition for leave to appeal. The decision in this case concerns the extent of an employer’s liability for an employee’s off-site, off-duty breach of a patient’s privacy.
The plaintiff alleged that she was a patient at a particular medical group. Blood samples and/or records were sent to a hospital and examined by a phlebotomist. The phlebotomist revealed the results of those records to the plaintiff’s twin sister at a public tavern. The hospital admitted that the phlebotomist had revealed one fact about the plaintiff, discovered from her medical records, to the plaintiff’s sister at a tavern, but also alleged that when the phlebotomist revealed the information, she was not acting within the scope of her employment with the hospital. Although HIPAA does not provide a private cause of action, in Illinois a common-law right-of-privacy cause of action existed for the doctor’s violation of the plaintiff’s right to privacy.
01/1/07 6:52 PM
Case Studies, HIPAA, Health Care
Physician Practices and Records Transfer in the HIPAA Era
Laura Gerdes Long
In the current environment, it seems that businesses are constantly changing hands, merging or dissolving. The question then is what happens to a patient’s medical records when a medically based business is bought, sold or dissolved? State laws and HIPAA inform the answer.
In Missouri, patient records under the care, custody and control of a medical licensee must be maintained for a minimum of seven years from the date the last professional service was provided. (R.S.Mo. § 334.097).
01/1/07 6:42 PM
HIPAA, Health Care
Employer-Sponsored Group Health Plans & HIPAA’s Third Installment
Laura Gerdes Long
If small business employers think that the Health Insurance Portability and Accountability Act—or what we fondly refer to as “HIPAA”—only applies to health care providers, they need to think again. Small business owners need to get hip to HIPAA because those that offer employer-sponsored health plans (as most do) must also protect the privacy of employees’ medical information.
Physician practices typically understand that they are “Covered Entities” under HIPAA due to their status as medical providers, but many are unaware that they may also carry the title of “Covered Entity” by way of their employer status.
01/1/07 6:20 PM
Employment Law, HIPAA, Health Care