Articles Posted in HIPAA

Published on:

The HHS Office for Civil Rights (“OCR”) has begun issuing notices for Phase 2 HIPAA Audits applicable to covered entities and their business associates. In Phase 2, OCR will review the policies and procedures adopted and employed by covered entities and their business associates to satisfy the standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. Phase 2 audits will primarily be desk audits; however, some on-site audits will occur.

Please be sure to check your spam filters and junk email folders, because notices for Phase 2 HIPAA Audits are sent via email. The initial email notice for a Phase 2 HIPAA Audit seeks to confirm an entity’s address and contact information. Following confirmation of this contact information, OCR will send a pre-audit questionnaire.

We have a number of clients who are undergoing Phase 2 HIPAA Audits and our experience in responding to these audits will minimize any potential disruption to your healthcare operations. Contact Clinton Mikel, Esq., at cmikel@thehlp.com, or at 248-996-8510, for guidance and counsel on how best to respond to any Phase 2 HIPAA Audit notice that you have received.

Published on:

On Tuesday, May 10, 2016, Clinton Mikel, a Partner at The Health Law Partners and Chairman of the eHealth, Privacy and Security Interest Group of the American Bar Association Health Law Section, will be a guest speaker at Politico’s “Outside, In: Unhealthy Hacking: Medical Privacy in the Age of Cyber Attacks,” a live event featuring leading voices in health care, technology, and policy discussing privacy and cybersecurity in the healthcare sector.

In addition to Clinton Mikel, panelists include Texas Representative Will Hurd, Leslie Krigstein, VP of CHIME (College of Healthcare Information Management Executives), and Deven McGraw, Deputy Director for Health Information Privacy, HHS Office for Civil Rights, among others.

Among the issues the panelists will address are the following: Can health care providers afford security? Is the cyber-kidnapping of hospitals the new normal? Is greater health information exchange going to lead to expanded dangers and hacks? Is the need to secure records another driver toward consolidation in health care, because of the costs? Do we need more congressional or regulatory action to assure our records are safe and secure?

Politico will live stream the May 10 event at http://www.POLITICO.com/live beginning at 5:30 p.m. EST.

Published on:

The HHS Office for Civil Rights (“OCR”) has announced that it will begin the 2016 Phase 2 HIPAA Audit Program, the next phase of audits of covered entities and their business associates. In Phase 2, OCR will review the policies and procedures adopted and employed by covered entities and their business associates to satisfy the standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. Phase 2 audits will primarily be desk audits; however, some on-site audits will occur. OCR will evaluate the results and procedures used in the Phase 2 audits to develop a permanent audit program.

The Phase 2 audit process begins with OCR sending an email to covered entities and business associates requesting verification of an entity’s address and contact information. OCR will then send pre-audit questionnaires to obtain information about the size, type, and operations of covered entities and business associates. This information will be used in conjunction with other information to create potential audit subject pools.

If a covered entity or business associate does not respond to OCR’s email request to verify contact information or to the pre-audit questionnaire, OCR will use publicly available information to verify contact information or to complete the questionnaire. Thus, covered entities and business associates should be aware that ignoring OCR’s emails will not keep them out of the potential audit subject pools.

OCR will post updated audit protocols on its website closer to when it will begin to conduct the 2016 audits. The audit protocol will be updated to reflect the HIPAA Omnibus Rule.

Published on:

At the American Bar Association’s Physician Legal Issues Conference, Celeste Davis, Esq., of the Office for Civil Rights announced that, effective Monday, June 15, 2015, the Kansas City branch of the Office for Civil Rights will consolidate with the Chicago branch to form the new Department of Health and Human Services, Office for Civil Rights, Midwest Region. The new Midwest Region will still maintain offices in both Chicago and Kansas City. This will be the first consolidation in the history of the Office for Civil Rights. Ms. Davis stated that the consolidation will allow the agency to work quicker, smarter, and to be more available to covered entities to assist with compliance.

For more information about this announcement or HIPAA compliance, please contact Adrienne Dresevic, Esq., (adresevic@thehlp.com), or Clinton Mikel, Esq., (cmikel@thehlp.com) at (248) 996-8510.

Published on:

On May 7, 2014, the Department of Health and Human Services (“HHS”) announced that New York-Presbyterian Hospital (“NYP”) and Columbia University (“CU”) had agreed to collectively pay $4.8 million to settle charges of alleged violations of the HIPAA Privacy and Security Rules, marking the largest HIPAA settlement to date.

OCR initiated an investigation of NYP and CU after receiving a joint breach report in September 2010 regarding the disclosure of the electronic protected health information (“ePHI”) of 6,800 individuals. Due to a lack of technical safeguards, protected health information, including patient status, vital signs, medications, and laboratory results, was made publicly accessible through Internet search engines.

At the close of the investigation, OCR determined that neither NYP nor CU had conducted an accurate and thorough risk analysis or developed an adequate risk management plan. OCR further determined that NYP had failed to implement appropriate policies and procedures for authorizing access to its databases and had failed to comply with its own policies on information access management.

In addition to the $4.8 million settlement (NYP to pay $3.3 million and CU to pay $1.5 million), both parties will also be required to implement a substantive corrective action plan to correct deficiencies in their HIPAA compliance programs, including:

• Undertaking a thorough risk analysis;
• Developing and implementing a risk management plan;
• Reviewing and revising policies and procedures on information access management and device and media controls;
• Training staff who have access to ePHI; and
• Providing progress reports.

Notably, this settlement highlights the significance of conducting routine risk and vulnerability assessments, having adequate written policies in place, and conducting workforce training on HIPAA privacy and security policies. It is imperative that all covered entities and business associates proactively review the mandatory requirements under HIPAA and carefully evaluate and monitor their compliance.

Published on:

On April 30, 2013, the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced the availability of new tools to educate health care providers and consumers about the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules. Specifically for health care providers, three HIPAA education modules (offering free CME credits) have been made available with a free account through Medscape. These include:

• Patient Privacy: A Guide for Providers
• HIPAA and You: Building a Culture of Compliance
• Examining Compliance with the HIPAA Privacy Rule

The OCR has also produced a video, entitled “HIPAA Security Rule”, designed for providers in small practices. Additional videos and materials related to consumer education about HIPAA are available through the OCR’s YouTube site and the OCR Consumer Guidance website.

Published on:

Stay tuned for many further developments – The Health Law Partners will be providing numerous valuable educational resources for its clients.

The announcement and links are below.

January 17, 2013
The U.S. Department of Health and Human Services (HHS) has announced a new rule to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.

The changes in the final rulemaking provide the public with increased protection and control of personal health information. The changes announced today expand many of the privacy and security requirements to business associates that receive protected health information, such as contractors and subcontractors. Business associates may also be liable for the increased penalties for noncompliance based on the level of negligence up to a maximum penalty of $1.5 million. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.

Individual rights are expanded in important ways. Patients can ask for a copy of their electronic medical record in an electronic form. When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan. The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes, and prohibits the sale of an individual’s health information without their permission.

The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.

The Rulemaking announced today may be viewed in the Federal Register at https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf.

The HHS Press Release can be found on the HHS News page: http://www.hhs.gov/news/.

Published on:

A press release from the U.S. Department of Health and Human Services (“HHS”) published on January 2, 2013 announced that the Department had reached its first settlement with a covered entity for a breach of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule affecting fewer than 500 individuals. The settlement agreement with the Hospice of North Idaho (“HONI”) was the result of an investigation into HONI’s privacy practices initiated after the entity self-reported to the HHS Office for Civil Rights (“OCR”) that a laptop containing the unencrypted electronic protected health information (“ePHI”) of 441 individuals had been stolen in June 2010.

During its investigation, OCR found that HONI had failed:

• To conduct an adequate risk analysis of the unencrypted ePHI on the portable devices that HONI used for its field work;
• To subsequently adopt, implement, and maintain appropriate security measures to ensure the confidentiality of the ePHI on the portable devices that it used to create, maintain, and transmit ePHI; and
• To document the decisions it made with regard to security measures.

As a result of the settlement, HONI agreed to pay HHS $50,000 and to enter into a Corrective Action Plan. While the settlement resolves the investigation under the Privacy and Security Rules, it does not absolve HONI of liability under other provisions that may apply, such as section 1177 of the Social Security Act for knowing or intentional disclosures of PHI.

For breaches involving 500 or more individuals, the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report the breach to the Secretary without unreasonable delay and no later than 60 days after discovery. Smaller breaches affecting fewer than 500 individuals, such as the one underlying the HONI settlement, must be logged and reported to the Secretary on an annual basis.

Given the increased enforcement activity in the HIPAA area, providers are well advised to ensure that they have appropriate HIPAA privacy and security measures in place. In particular, the HONI case turned on the laptop’s ePHI being unencrypted: under the HHS guidance issued pursuant to HITECH, ePHI that is encrypted consistent with that guidance is considered “secured,” so the loss or theft of such a device is not a reportable breach of unsecured PHI.

Published on:

The Massachusetts Attorney General’s Office announced Thursday that it has settled, for $750,000, a data breach lawsuit filed against South Shore Hospital under the Massachusetts Consumer Protection Act and the federal Health Insurance Portability and Accountability Act (HIPAA).

The alleged HIPAA violation arose from unencrypted back-up tapes that South Shore sent offsite to a data archiving company to be erased and re-sold as blank media. However, the hospital did not inform the data company that the tapes contained protected health information (PHI), did not determine whether the data company had appropriate safeguards in place to protect the PHI, and did not enter into a business associate agreement with the company. In shipment, two of the three boxes containing the PHI were lost and have not been recovered.

The lawsuit, brought by the Massachusetts Attorney General’s Office, is only the third of its kind. Through the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009, Congress: (i) dramatically increased the HIPAA monetary penalties that could be levied against providers; (ii) granted authority to state attorneys general to bring civil actions for HIPAA privacy and security violations; and (iii) perhaps most importantly, allows state attorneys general to retain the monetary recoveries they collect on behalf of their residents (in effect, a “bounty sharing” provision). The changes were a response to a perceived lack of enforcement of the HIPAA regulations by the Office for Civil Rights of the Department of Health and Human Services (HHS).

Before Massachusetts, only the Vermont and Connecticut Attorneys General had initiated lawsuits under HITECH, but the legislation is expected to add serious teeth to healthcare privacy laws. Under HITECH, an attorney general receiving a complaint from a resident may sue in federal district court for an injunction and monetary damages. In all three cases, the attorneys general have brought suit under both HIPAA and state privacy laws, and HHS has actively supported the initiative by offering in-person and computer-based training to state attorneys general nationwide, and even by assisting the Connecticut Attorney General’s Office in its prosecution.

South Shore Hospital’s $750,000 settlement is the largest of the three AG-initiated lawsuits. As the size of HIPAA violation settlements continues to grow, so too will the interest of states in exercising their new-found authority. Attorneys general may also be more inclined to initiate HIPAA lawsuits because of the positive impression such actions make on constituents.

As the HITECH incentives catalyze the shift toward electronic health records, privacy issues will be at the forefront, attracting much greater attention than in the past. Hospitals, physicians, health care providers, business associates, and all other parties subject to the HIPAA regulations are well advised to ensure that they have appropriate HIPAA policies, procedures, and safeguards in place to protect patient privacy, avoid violating HIPAA, and avoid attracting the attention of a much more aggressive and financially incentivized corps of state attorneys general.